Securing Cisco Network Devices
Version 1.0
Student Guide
Copyright 2005, Cisco Systems, Inc. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica
Croatia Cyprus Czech Republic Denmark Dubai, UAE Finland France Germany Greece
Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia
Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania
Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland
Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
Copyright 2005 Cisco Systems, Inc. All rights reserved. CCSP, the Cisco Square Bridge logo, Follow
Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live,
Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo,
Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering
the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive,
GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar,
Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView
Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0501R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY
OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO
SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY,
NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING,
USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be
accurate, it falls subject to the disclaimer above.
Table of Contents
Course Introduction 1
Overview 1
Learner Skills and Knowledge 1
Course Goal and Objectives 2
Course Flow 3
Additional References 4
Cisco Glossary of Terms 4
Your Training Curriculum 5
Introduction to Network Security 1-1
Overview 1-1
Module Objectives 1-1
Planning a Secure Network 1-3
Overview 1-3
Objectives 1-3
The Need for Network Security 1-4
Network Security Challenges 1-7
Primary Network Threats and Attacks 1-10
Network Security Policy 1-14
The Network Security Process 1-17
Summary 1-22
Lesson Self-Check 1-23
Lesson Self-Check Answer Key 1-27
Mitigating Network Attacks 1-29
Overview 1-29
Objectives 1-29
Mitigating Physical and Environmental Threats 1-30
Reconnaissance Attacks and Mitigation 1-36
Access Attacks and Mitigation 1-43
Denial of Service Attacks and Mitigation 1-53
Worm, Virus, and Trojan Horse Attacks and Mitigation 1-60
Application Layer Attacks and Mitigation 1-64
Management Protocols and Vulnerabilities 1-67
Determining Network Vulnerabilities 1-72
Summary 1-73
Lesson Self-Check 1-75
Lesson Self-Check Answer Key 1-78
Introducing the Cisco Security Portfolio 1-79
Overview 1-79
Objectives 1-80
Introducing the Cisco Security Portfolio 1-81
Perimeter Security: Products and Solutions 1-83
Cisco IOS Firewall Highlights 1-89
Secure Connectivity: VPN Solutions 1-92
Secure Connectivity: The Cisco VPN 3000 Series Concentrator 1-94
Secure Connectivity: Cisco VPN-Enabled Routers 1-100
Secure Connectivity: VPN Product Positioning 1-104
Intrusion Prevention System Solutions 1-105
Network Intrusion Prevention System Solutions: Cisco IPS Sensor Platforms 1-108
Host Intrusion Prevention System Solutions 1-111
Identity Solutions: Cisco Secure Access Control Server 1-115
Network Admission Control 1-118
Security Management Solutions: Security Management Center 1-120
Summary 1-123
Lesson Self-Check 1-124
Lesson Self-Check Answer Key 1-126
Building Cisco Self-Defending Networks 1-127
Overview 1-127
Objectives 1-128
Changing Threats and Challenges 1-129
Building a Self-Defending Network 1-134
Adaptive Threat Defense 1-138
Cisco PIX Security Appliance Software v7.0 1-141
Cisco DDoS Modules 1-146
Cisco Secure MARS and Security Auditor 1-148
Securing the Network Infrastructure with Cisco IOS Software Security Features 1-151
Self-Defending Network Endpoint Security Solutions 1-155
Cisco Integrated Security Portfolio 1-157
Summary 1-159
Lesson Self-Check 1-161
Lesson Self-Check Answer Key 1-164
Module Summary 1-167
Securing the Perimeter 2-1
Overview 2-1
Module Objectives 2-2
Securing Administrative Access to Cisco Routers 2-3
Overview 2-3
Objectives 2-3
Configuring Router Passwords 2-4
Setting a Login Failure Rate 2-18
Setting Timeouts 2-19
Setting Multiple Privilege Levels 2-20
Configuring Banner Messages 2-23
Summary 2-25
Lesson Self-Check 2-26
Lesson Self-Check Answer Key 2-27
Configuring AAA for Cisco Routers 2-29
Overview 2-29
Objectives 2-29
Introduction to AAA for Cisco Routers 2-30
Authenticate to a LAN 2-32
Authenticate Router Access 2-43
Configure AAA on Cisco Routers 2-45
Troubleshoot AAA on Cisco Routers 2-58
Summary 2-64
Lesson Self-Check 2-65
Lesson Self-Check Answer Key 2-67
Introducing the Cisco Secure Access Control Server for Windows Server 2-69
Overview 2-69
Objectives 2-70
Cisco Secure ACS Overview 2-71
AAA Server Functions and Concepts 2-74
Cisco Secure ACS and the AAA Client 2-75
AAA Protocols: TACACS+ and RADIUS 2-76
Authentication 2-77
Authorization 2-81
Accounting 2-82
Device Administration 2-83
Summary 2-84
Lesson Self-Check 1-85
Lesson Self-Check Answer Key 1-87
ii Securing Cisco Network Devices (SND) v1.0 Copyright © 2005, Cisco Systems, Inc.
Configuring Basic Services on the Cisco Secure ACS for Windows 2-89
Overview 2-89
Objectives 2-89
The Cisco Secure ACS GUI 2-90
Creating the First Administrator User Account 2-93
Configuring Administrator Policies 2-96
Setting Up Remote Access 2-100
Basic Configuration Tasks 2-101
User Interface Configuration 2-102
System Configuration 2-107
Summary 2-109
Lesson Self-Check 2-110
Lesson Self-Check Answer Key 2-112
Disabling Unused Cisco Router Network Services and Interfaces 2-113
Overview 2-113
Objectives 2-114
Routers Secure Networks 2-115
Vulnerable Router Services and Interfaces 2-119
Disabling Unnecessary Services and Interfaces 2-123
Disabling and Restricting Commonly Configured Management Services 2-136
Ensuring Path Integrity 2-140
Disabling Probes and Scans 2-142
Ensuring Terminal Access Security 2-145
Disabling Gratuitous and Proxy ARP 2-147
Disabling IP Directed Broadcast 2-149
Summary 2-150
Lesson Self-Check 2-151
Lesson Self-Check Answer Key 2-154
Mitigating Threats and Attacks with Access Lists 2-155
Overview 2-155
Objectives 2-155
Cisco Access Lists 2-156
Applying Access Lists to Router Interfaces 2-162
Using Traffic Filtering with Access Lists 2-165
Filtering Router Service Traffic 2-168
Filtering Network Traffic to Mitigate Threats 2-172
Mitigating DDoS with Access Control Lists 2-180
Combining Access Functions 2-186
Caveats 2-189
Summary 2-191
Lesson Self-Check 2-192
Lesson Self-Check Answer Key 2-193
Implementing Secure Management and Reporting 2-195
Overview 2-195
Objectives 2-195
Secure Management and Reporting Planning Considerations 2-196
Secure Management and Reporting Architecture 2-198
Configuring an SSH Server for Secure Management and Reporting 2-204
Using Syslog Logging for Network Security 2-207
Configuring Syslog Logging 2-211
SNMP Version 3 2-215
Configuring an SNMP Managed Node 2-222
Summary 2-230
Lesson Self-Check 2-231
Lesson Self-Check Answer Key 2-233
Securing Catalyst Switches 2-235
Overview 2-235
Objectives 2-235
Basic Switch Operation 2-236
Securing Network Access at Layer 2 2-238
Protecting Administrative Access to Switches 2-239
Protecting Access to the Management Port 2-242
Turning Off Unused Network Interfaces and Services 2-244
CAM Table Overflow Attacks 2-246
MAC Address Spoofing Attacks 2-251
Using Port Security to Prevent Attacks 2-252
Configuring Cisco Catalyst Switch Port Security 2-257
Summary 2-264
Lesson Self-Check 2-265
Lesson Self-Check Answer Key 2-266
Mitigating Layer 2 Attacks 2-267
Overview 2-267
Objectives 2-267
Mitigating VLAN Hopping Attacks 2-268
Preventing Spanning-Tree Protocol Manipulation 2-271
Mitigating ARP Spoofing with DAI 2-274
Defending Private VLANs 2-277
Layer 2 Security Best Practices 2-282
Summary 2-283
Lesson Self-Check 2-284
Lesson Self-Check Answer Key 2-285
Using Catalyst Switch Security Features 2-287
Overview 2-287
Objectives 2-288
Embedded Security Features in Cisco Catalyst Switches 2-289
Identity-Based Network Services 2-292
Access Control Lists 2-294
Port Security 2-300
Private VLAN 2-301
Private VLAN Edge 2-302
Rate-Limiting 2-304
Switched Port Analyzer for Intrusion Prevention Systems 2-305
Management Encryption 2-306
Activity: Problems and Solutions 2-308
Summary 2-317
Lesson Self-Check 2-318
Lesson Self-Check Answer Key 2-320
Module Summary 2-321
References 2-322
Cisco Security Appliances 3-1
Overview 3-1
Module Objectives 3-1
Introducing the Cisco PIX Security Appliance Series 3-3
Overview 3-3
Objectives 3-3
Firewall Technologies 3-4
PIX Security Appliance Overview 3-12
PIX Security Appliance Models 3-21
PIX Security Appliance Licensing 3-23
Summary 3-26
Lesson Self-Check 3-27
Lesson Self-Check Answer Key 3-28
Configuring a Cisco PIX Security Appliance from the CLI 3-29
Overview 3-29
Objectives 3-29
PIX Security Appliance Access Modes 3-30
Configuring the PIX Security Appliance 3-36
Adaptive Security Algorithm Security Levels 3-48
Connection and Translation Tables 3-48
Basic PIX Security Appliance Operational Commands 3-51
Examining PIX Security Appliance Status 3-67
Summary 3-75
Lesson Self-Check 3-76
Lesson Self-Check Answer Key 3-78
Configuring a PIX Security Appliance with the Cisco PDM 3-79
Overview 3-79
Objectives 3-79
PDM Overview 3-80
PDM Operating Requirements 3-82
Microsoft Windows Requirements 3-85
SUN Solaris Requirements 3-85
Linux Requirements 3-86
General Guidelines 3-86
Prepare for the PDM 3-87
Configure the PIX Security Appliance Using the PDM 3-90
Summary 3-103
Lesson Self-Check 3-104
Lesson Self-Check Answer Key 3-106
Module Summary 3-107
References 3-107
Securing Networks with Host- and Network-Based IPS 4-1
Overview 4-1
Module Objectives 4-2
Introducing Intrusion Prevention Systems 4-3
Overview 4-3
Objectives 4-3
Intrusion Detection and Prevention Terminology 4-4
Intrusion Prevention Technologies 4-8
Network-Based Intrusion Prevention Systems 4-15
Host-Based Intrusion Prevention Systems 4-17
Cisco IPS Signatures 4-20
Cisco IPS Signature Engines 4-28
Cisco IPS Alarms 4-34
Cisco IPS Signature Engines 4-35
Cisco IPS Alarms 4-37
Summary 4-42
Lesson Self-Check 4-43
Lesson Self-Check Answer Key 4-46
Configuring the Sensor Using the IDM 4-47
Overview 4-47
Objectives 4-48
The Sensor Command Line Interface 4-49
User Accounts and Account Roles 4-52
CLI Command Modes 4-54
Sensor Setup and CLI Configuration Tasks 4-56
IDS Device Manager Overview 4-64
Configuring Network Settings 4-67
Configuring Allowed Hosts 4-69
Setting the Time 4-71
Creating User Accounts 4-74
Configuring Interfaces 4-76
Restoring Default Settings 4-80
Summary 4-81
Lesson Self-Check 4-83
Lesson Self-Check Answer Key 4-85
Introducing the Cisco Security Agent 4-87
Overview 4-87
Objectives 4-88
The Cisco Security Agent 4-89
CSA Architecture 4-94
Attack and Interceptor Response 4-98
Selecting a Security Policy Model 4-99
Building a CSA Policy 4-101
Creating CSA Policy Rules 4-103
Summary 4-105
Lesson Self-Check 4-106
Lesson Self-Check Answer Key 4-108
Deploying HIPs with the CSA MC 4-109
Overview 4-109
Objectives 4-109
Introducing Cisco Security Agent Management Center 4-110
CSA MC Configuration Roadmap 4-113
The CSA MC Interface 4-114
Installing CSA on Host Devices 4-118
Creating Groups 4-128
Building an Agent Kit 4-136
Managing Hosts 4-142
Summary 4-148
Lesson Self-Check 4-149
Lesson Self-Check Answer Key 4-151
Module Summary 4-153
References 4-154
Building IPSec VPNs 5-1
Overview 5-1
Module Objectives 5-1
Introducing IPSec VPNs 5-3
Overview 5-3
Objectives 5-3
IPSec Overview 5-4
IPSec Critical Function 1: Confidentiality 5-9
IPSec Critical Function 2: Data Integrity 5-15
IPSec Critical Function 3: Origin Authentication 5-18
IPSec Critical Function 4: Anti-replay 5-23
IPSec Protocol Framework 5-24
IPSec Operation 5-31
Creating ISAKMP Policies for a Purpose 5-33
Defining ISAKMP Policy Parameters 5-33
Summary 5-41
Lesson Self-Check 5-42
Lesson Self-Check Answer Key 5-44
Building Cisco VPN Solutions 5-45
Overview 5-45
Objectives 5-45
Cisco IPSec VPNs 5-46
Cisco VPN Software Client 5-54
Cisco VPN 3002 Hardware Client 5-58
Choosing a VPN Client 5-59
Certicom VPN Client Support 5-60
Cisco VPN Client Smartcard Support 5-61
Summary 5-62
Lesson Self-Check 5-63
Lesson Self-Check Answer Key 5-64
Completing the Quick Configuration of a Cisco VPN 3000 Series Concentrator 5-65
Overview 5-65
Objectives 5-65
Implementing a Remote Access VPN 5-66
Completing Quick Configuration of a Cisco VPN 3000 Series Concentrator 5-70
Cisco VPN 3000 Concentrator Series Manager GUI 5-84
Summary 5-86
Lesson Self-Check 5-87
Lesson Self-Check Answer Key 5-88
Configuring the Cisco VPN 3000 Series Concentrator for Remote Access 5-89
Overview 5-89
Objectives 5-90
Pre-shared Keys 5-91
User and Group Authentication 5-93
VPN Network Authentication 5-96
Activating Client Authentication 5-97
Configuring Base-Group Parameters 5-99
Configuring Base-Group IPSec Parameters 5-101
Configuring Base-Group Remote Access Parameters 5-103
Configuring Client Configuration Parameters 5-107
Configuring Client Split Tunneling Policy 5-109
Split DNS Server Configuration 5-116
Summary 5-118
Lesson Self-Check 5-119
Lesson Self-Check Answer Key 5-121
Configuring the Cisco VPN Software Client for Windows 5-123
Overview 5-123
Objectives 5-123
The VPN Software Client for Windows 5-124
Navigating the VPN Client User Interface 5-126
Using the Advanced Mode Menus 5-129
Using the Advanced Mode Tab Right Click Menus 5-134
Creating a New Connection 5-137
Preconfigure the Client for Remote Users 5-144
VPN Software Client Programs 5-147
Concentrator Connection Status 5-150
Summary 5-152
Lesson Self-Check 5-153
Lesson Self-Check Answer Key 5-154
Module Summary 5-155
References 5-155
SND
Course Introduction
Overview
This course provides an opportunity to learn about a broad range of the components embedded in Cisco SAFE. You learn to recognize threats and vulnerabilities to networks and learn how to implement basic mitigation measures.
Course Goal
Upon completing this course, you will be able to meet these objectives:
Describe network security vulnerabilities and how a security policy plus the Cisco security product portfolio provide network security
Configure Layer 2 and 3 devices on the network perimeter with Cisco Catalyst switch security features and Cisco IOS software
Configure a Cisco PIX Security Appliance to perform basic security operations on a network
Secure a network with host- and network-based IPS
Course Flow
This topic presents the suggested flow of the course materials.
[Figure: Course Flow. A schedule table with morning (AM) and afternoon (PM) sessions separated by lunch, covering Module 2 (Securing the Perimeter), Module 3 (PIX Security Appliances) and Module 5 (IPSec VPNs).]
The schedule reflects the recommended structure for this course. This structure allows enough
time for the instructor to present the course information and for you to work through the lab
activities. The exact timing of the subject materials and labs depends on the pace of your
specific class.
[Figure: Cisco icons and symbols used in this course: Guard, Network Cloud, File Server, Cisco Traffic Anomaly Detector, VPN Concentrator, Router with Firewall, Router, PIX Firewall (right and left), Sensor, and Multilayer Switch (with and without text, and subdued).]
Your Training Curriculum
This topic presents the training curriculum for this course.
[Figure: Cisco career certification curriculum, www.cisco.com/go/certifications. * Recertification exam: SND v1.0]
You are encouraged to join the Cisco Certification Community, a discussion forum open to
anyone holding a valid Cisco Career Certification (such as Cisco CCIE®, CCNA®, CCDA®,
CCNP®, CCDP®, CCIP®, CCVP, or CCSP). It provides a gathering place for Cisco
certified professionals to share questions, suggestions, and information about Cisco Career
Certification programs and other certification-related topics. For more information, visit
www.cisco.com/go/certifications.
Module 1
Introduction to Network Security
Overview
The open nature of the Internet makes it increasingly important for growing businesses to pay
attention to the security of their networks. As companies begin to move more and more
business functions to the public network, they need to take precautions to ensure that the data is
not compromised or that the data does not end up in front of the wrong set of eyes.
Unauthorized network access by an outside hacker or disgruntled employee can wreak havoc
with your proprietary data, negatively affect company productivity, and stunt your ability to
compete. Unauthorized network access can also harm your relationships with customers and
business partners who may question your ability to protect their confidential information.
Module Objectives
Upon completing this module, you will be able to describe network security vulnerabilities and
how a security policy plus the Cisco security product portfolio provide network security. This
ability includes being able to meet these objectives:
Explain the need for increased network security and the need for policies for implementing and maintaining network security in open networks
Explain the strategies used to mitigate network attacks
Describe the general features, purpose and benefits of the hardware and software components of the Cisco security portfolio and solutions
Describe how the Cisco Self-Defending Network strategy can be built by enhancing existing network infrastructure with Cisco technologies, products and solutions
Lesson 1
Planning a Secure Network
Overview
How important is it to have a strong network security policy? The 2004 E-Crime Watch survey, conducted among security and law enforcement executives by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT® Coordination Center, shows a significant number of organizations reporting an increase in electronic crimes and network, system or data intrusions. Forty-three percent of respondents report an increase in electronic crimes and intrusions versus the previous year, and seventy percent report that at least one electronic crime or intrusion was committed against their organization. Respondents say that electronic crime cost their organizations approximately $666 million in 2003.
This lesson provides an overview of security issues, and a description of the need for a security
policy.
Objectives
Upon completing this lesson, you will be able to explain the need for increased network
security and the need for policies for implementing and maintaining network security in open
networks. This ability includes being able to meet these objectives:
Explain the need for increased network security and dynamic security policies
Describe the security challenges created by e-business needs, legal issues and government policies
Describe the four general categories of security threats and the four primary attack categories
Describe the purpose and content of a security policy
Explain the process of maintaining continuous security based on the four sections of the security wheel
The Need for Network Security
This topic describes how sophisticated attack tools and open networks have generated an
increased need for network security and dynamic security policies.
[Figure: Closed Network. Sites are connected only over Frame Relay and X.25 leased lines, with no connection to public networks.]
The easiest way to protect a network from outside attack is to close it off completely from the
outside world. A closed network provides connectivity only to trusted known parties and sites,
and does not allow a connection to public networks.
Because there is no outside connectivity, networks designed in this way can be thought of as
being safe from outside attack. However, internal threats still exist. The Computer Security
Institute (CSI) in San Francisco, California, estimates that between 60% and 80% of network
misuse comes from inside the enterprises where the misuse has taken place.
[Figure: Open Network. Remote sites, a partner site, and mobile and remote users (via the PSTN) connect through Internet-based intranet and extranet VPNs.]
Today, corporate networks require access to the Internet and other public networks. Most
networks have several access points to public and private networks. Securing open networks
has become extremely important.
A report from the 2000 Computer Crime and Security Survey, conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad, provides an updated look at the impact of computer crime in the United States.
Based on responses from 503 computer security practitioners in U.S. corporations, government
agencies, financial institutions, medical institutions and universities, the findings of the "2002
Computer Crime and Security Survey" confirm that the threat from computer crime and other
information security breaches continues unabated and that the financial toll is mounting.
Highlights of the 2002 Computer Crime and Security Survey include the following:
Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.
Eighty percent acknowledged financial losses due to computer breaches.
Forty-four percent (223 respondents) were willing or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported $170,827,000) and financial fraud (25 respondents reported $115,753,000).
For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than respondents who cited their internal systems as a frequent point of attack (33%).
Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
[Figure: Sophistication of hacker tools (rising) versus the technical knowledge required to use them (falling). Tools shown: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, self-replicating code, back doors, session hijacking, sniffers, scanners, stealth diagnostics, packet forging/spoofing.]
The figure illustrates how the increasing sophistication of hacking tools and decreasing skill
needed to use these tools have combined to pose increasing threats to open networks. With the
development of large open networks, security threats in the past 20 years have increased
significantly. Not only have hackers discovered more network vulnerabilities, but hacking tools
have become easier to use. Downloadable applications are now available that require little or no
hacking knowledge to implement. As well, troubleshooting applications intended for
maintaining and optimizing networks can, in the wrong hands, be used maliciously and pose
severe threats.
Network Security Challenges
This topic describes the security challenges created by e-business needs, legal issues and
government policies.
As business and management practices become more open and reliant on using Internet-powered initiatives and online collaboration, network security becomes a fundamental part of their survival in an increasingly competitive and threatening world.
The overall security challenge is to find a balance between two important needs. On one side,
there is a growing need to open networks to support evolving business needs and support
freedom of information initiatives, and on the other side there is a growing need to protect
private, personal and strategic business information.
Security has moved to the forefront of network management and implementation. For the
survival of many businesses, it is necessary to allow open access to network resources and to
ensure that data and resources are as secure as possible. The increasing importance of e-
business and the need for private data to traverse potentially unsafe public networks increases
the need for the development and implementation of a corporate-wide network security policy.
Establishing a network security policy should be the first step in migrating a network to a
secure infrastructure.
The Internet has radically shifted expectations of a company's ability to build stronger relationships with customers, suppliers, partners, and employees. E-business challenges companies to become more agile and competitive. The benefits of this challenge are new applications for e-commerce, supply-chain management, customer care, workforce optimization, and e-learning: applications that streamline and improve processes, speed up turnaround times, lower costs, and increase user satisfaction.
As enterprise network managers open their networks to more users and applications, they also
expose these networks to greater risk. The result has been an increase in business security
requirements. Security must be included as a fundamental component of any e-business
strategy.
Converging Dynamics
Three major dynamics have converged to heighten the need for network and system security.
These dynamics have raised the risks for organizations that are required to protect the privacy
of information or have a high political or brand profile. These dynamics are as follows:
There are new and pending laws in the United States and around the world that require
organizations to better protect the privacy of sensitive and personal information.
There is a growing level of terrorist and criminal activity directed at communications
networks and computer systems.
The increased use of Internet technology and connectivity around the world has made cyber
attacks and hacking much easier for a larger number of perpetrators.
[Figure: Variety of Attacks. Attacks arrive from the Internet, from internal exploitation, and from dial-in exploitation.]
Without proper protection, any part of any network can be susceptible to attacks or
unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers,
company competitors, or even internal employees. To determine the best ways to protect
against attacks, IT managers should understand the many types of attacks that can be instigated
and the damage that these attacks can cause to e-business infrastructures.
In the same CSI report cited earlier, respondents detected a wide range of attacks and abuses. Examples of attacks and abuses are as follows:
Forty percent detected system penetration from the outside.
Forty percent detected denial of service attacks.
Seventy-eight percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).
Eighty-five percent detected computer viruses.
Thirty-eight percent of companies with websites suffered unauthorized access or misuse on their websites within the last twelve months. Twenty-one percent said that they did not know if there had been unauthorized access or misuse.
Twenty-five percent of those acknowledging attacks reported two to five incidents. Thirty-nine percent reported ten or more incidents.
Seventy percent of those attacked reported vandalism. In 2000, this number was 64%.
Fifty-five percent reported denial of service. In 2000, this number was 60%.
Twelve percent reported theft of transaction information.
Security Threat Categories
Threats to network security fall into the following four general categories:
Unstructured threats: These threats primarily consist of random hackers using common
tools such as malicious shell scripts, password crackers, credit card number generators, and
dialer daemons. Although hackers in this category may have malicious intent, many are
more interested in the intellectual challenge of cracking safeguards than in creating havoc.
Structured threats: These threats are created by hackers who are more highly motivated
and technically competent. Typically, such hackers act alone or in small groups to
understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting
businesses. These groups are often involved in the major fraud and theft cases reported to
law enforcement agencies. Occasionally, such hackers are hired by organized crime,
industry competitors, or state-sponsored intelligence collection organizations.
External threats: These threats consist of structured and unstructured threats originating
from an external source. These threats may have malicious and destructive intent, or they
may simply be errors that generate a threat.
Internal threats: These threats typically involve disgruntled former or current employees.
Although internal threats may seem more ominous than threats from external sources,
security measures are available for reducing vulnerabilities to internal threats and
responding when attacks occur.
We will take a much closer look at these attack types in the next lesson.
Network Security Policy
A security policy is essentially a document summarizing how the corporation will use and
protect its computing and network resources.
A security policy can be as simple as an acceptable use policy for network resources, or it can
be several hundred pages in length and detail every element of connectivity and associated
policies.
Without a security policy, the availability of your network is at risk. The policy
begins with assessing the risk to the network and building a response team. The policy also
requires implementing a security change management practice and a process for monitoring the
network for security violations. Finally, a review process to modify the existing policy and
adapt to lessons learned is required.
Why Create a Security Policy?
Security policies provide many benefits and are worth the time and effort needed to develop
them. Computer security is now an enterprise-wide issue, and computing sites are expected to
conform to the network security policy. The following list describes important reasons for
developing a security policy:
Provides a general security framework for implementing network security
Defines what behavior is and is not allowed
Helps determine which tools and procedures are needed for the organization
Defines the roles and responsibilities of users and administrators
Informs users and administrators of their roles and responsibilities
States consequences of misuse
Enables global security implementation and enforcement
Defines assets and how they are to be used to enhance security and reduce vulnerabilities
and threats
Defines a process for handling network security incidents
Provides a process for continuing review and enhancement of resulting network security
The Network Security Process
Cisco is serious about network security and about its implications for the critical infrastructures
on which developed nations depend. This topic explains the process of maintaining continuous
security based on the four sections of the security wheel.
Network security is a continuous process built around a security policy:
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
Before you can secure your network, however, you need to combine your understanding of
your users, the assets needing protection, and the network topology.
Monitor Security
Detect violations to the security policy. Involve system auditing and real-time intrusion
detection. Validate the security implementation in Step 1: Secure.
To ensure that a network remains secure, it is important to monitor the state of security
preparation. Network vulnerability scanners can proactively identify areas of weakness, and
intrusion prevention systems can monitor and respond to security events as they occur. Using
security monitoring solutions, organizations can obtain unprecedented visibility into both the
network data stream and the security posture of the network.
Test Security
Validate the effectiveness of the security policy through system auditing and vulnerability
scanning.
Testing security is as important as monitoring. Without testing the security solutions in place, it
is impossible to know about new or existing attacks. The hacker community is an ever-
changing environment. You can test security yourself or you can outsource it to a third party
such as the Cisco Security Posture Assessment (SPA) group.
The Cisco SPA is a premium network vulnerability assessment that provides comprehensive
insight into the security posture of a customer network. The Cisco SPA is delivered by highly
expert Cisco Network Security Engineers (NSEs) and includes an operational, granular analysis
of large-scale, distributed service provider networks from the perspective of an outside
hacker.
Improve Security
Monitoring and testing provide the data necessary to improve network security.
Administrators and engineers should use the information from the monitor and test phases to
make improvements to the security implementation as well as to adjust the security policy when
vulnerabilities and risks are identified.
Summary
The need for network security has increased as networks have become
more complex and interconnected.
E-business needs, legal issues and government policies help drive the
need for network security.
There are four types of security threats:
Structured
Unstructured
Internal
External
There are four primary attack categories:
Reconnaissance attacks
Access attacks
Denial of service attacks
Worms, viruses, and Trojan horses
Lesson Self-Check
Q1) What is the main threat to a closed network? (Source: The Need for Network Security)
A) a deliberate attack from outside
B) a deliberate or accidental attack from inside
C) misuse by customers
D) misuse by employees
Q2) In the recent past, what two events have conspired to increase the threats from
hackers? (Choose two.) (Source: The Need for Network Security)
A) Hacker tools require more technical knowledge to use.
B) Hacker tools have become more sophisticated.
C) The number of reported security threats has remained constant year-to-year.
D) Hacker tools require less technical knowledge to use.
Q3) According to the Computer Security Institute, what percent of networks have
experienced a security breach? (Source: The Need for Network Security)
A) 20 to 30 percent
B) 80 to 90 percent
C) 60 to 80 percent
D) 50 to 60 percent
E) 30 to 50 percent
Q4) What three major dynamics are converging to heighten the need for network security?
(Source: Network Security Challenges)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
_____ 2. an attack that may simply be the result of errors that generate a threat
_____ 3. an attack where random hackers use various common tools, such as
malicious shell scripts, password crackers, credit card number generators,
and dialer daemons
_____ 4. attacks where groups are involved in the fraud and theft cases reported to
law enforcement agencies
_____ 6. attacks by hackers who are more interested in the intellectual challenge of
cracking safeguards than in creating havoc
Q6) Describe four types of security attacks. (Source: Primary Network Threats and Attacks)
______________________________________________________________________
______________________________________________________________________
Q7) Describe five benefits of a security policy. (Source: Network Security Policy)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q8) Describe three components of a security policy. (Source: Network Security Policy)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q9) According to the Site Security Handbook (RFC 2196), which of the following
statements defines a security policy? (Source: Network Security Policy)
A) A security policy is a formal statement of the rules by which people who are
given access to an organization's technology and information assets should
abide.
B) A security policy is a formal statement of the rules by which people who are
given access to an organization's technology and information assets must
abide.
C) A security policy is an informal statement of the rules by which people who are
given access to an organization's technology and information assets should
abide.
D) A security policy is an informal statement of the rules by which people who are
given access to an organization's technology and information assets must
abide.
Q10) Which section of a security policy specifies what technologies, equipment, or
combination of the two the company will use to ensure that only authorized individuals
have access to its data? (Source: Network Security Policy)
A) acceptable use policy
B) internet access policy
C) identification and authentication policy
D) remote access policy
E) statement of authority and scope
F) campus access policy
Q11) Which section of a security policy specifies how the company will create an incident
response team and the procedures it will use after an incident occurs? (Source:
Network Security Policy)
A) campus access policy
B) identification and authentication policy
C) remote access policy
D) incident handling procedure
E) internet access policy
F) acceptable use policy
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q14) Which of the following Cisco security wheel steps involves implementing security
devices with the intent to prevent unauthorized access to network systems? (Source:
The Network Security Process)
A) Improve
B) Test
C) Secure
D) Monitor
Q15) In which step of the Cisco security wheel would an IPS be used? (Source: The Network
Security Process)
A) Test
B) Secure
C) Monitor
D) Improve
Q16) In which step of the Cisco security wheel would you implement encryption
technologies like IPSec? (Source: The Network Security Process)
A) Monitor
B) Test
C) Improve
D) Implement
E) Change
F) Secure
Lesson Self-Check Answer Key
Q1) B
Q2) B, D
Q3) C
Q4)
A) There are new and pending laws in the United States and around the world that require
organizations to better protect the privacy of sensitive and personal information
B) There is a growing level of terrorist and criminal activity being directed at communications
networks and computer systems
C) The increased use of Internet technology and connectivity around the world has made cyber
attacks and hacking much easier for a larger number of perpetrators
Q6)
A) Reconnaissance attacks: An intruder attempts to discover and map systems, services, and
vulnerabilities.
B) Access attacks: An intruder attacks networks or systems to retrieve data, gain access, or escalate
access privileges.
C) Denial of service (DoS) attacks: An intruder attacks your network in a way that damages or
corrupts your computer system or denies you and others access to your networks, systems, or
services.
D) Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to
damage a system, corrupt a system, replicate itself, or deny services or access to networks,
systems, or services.
Q7)
Helps determine which tools and procedures are needed for the organization
Defines assets and how they are to be used to enhance security and reduce vulnerabilities and
threats
Provides a process for continuing review and enhancement of resulting network security
Q9) B
Q10) C
Q11) D
Q12) B
Q13)
A) Authentication
B) Encryption
C) Firewalls
D) Vulnerability patching
Q14) C
Q15) C
Q16) F
Lesson 2
Overview
This lesson describes types of network attacks as well as provides some general strategies for
reducing vulnerabilities, and determining and mitigating common network attacks.
Objectives
Upon completing this lesson, you will be able to explain the strategies used to mitigate network
attacks. This ability includes being able to meet these objectives:
Mitigate hardware, environmental, electrical and maintenance-related security threats to
Cisco routers and switches
Describe the mitigation of reconnaissance attacks including packet sniffers, port scans, ping
sweeps and Internet information queries
Describe the mitigation of access attacks including password attacks, trust exploitation,
port redirection and man-in-the-middle attacks
Describe the mitigation of denial of service attacks including IP spoofing and distributed
denial of service attacks
Describe the mitigation of worm, virus and Trojan horse attacks
Describe the mitigation of application-layer attacks
Describe vulnerabilities in configuration management protocols and recommendations for
mitigating these vulnerabilities
Explain how the following tools are used to discover network vulnerabilities and threats:
GNU Netcat
Blues Port Scan
Ethereal
Microsoft Baseline Security Analyzer
Mitigating Physical and Environmental Threats
Improper and incomplete network device installation is an often-overlooked security threat,
which, if left unheeded, can have dire results. Software-based security measures alone cannot
prevent pre-meditated or even accidental network damage due to poor installations. This topic
discusses ways to identify and remedy insecure installations keeping in mind that some
physical security resolutions may be easily applied to some low-risk installations as well.
Figure: a network with Headquarters, Mobile Worker and SOHO sites connected over the PSTN and the Internet.
Before discussing how to secure Cisco network installations, it is important to make the
following distinction between low-risk and high-risk devices:
Low-risk devices: These devices are typically low-end, either small office or home office
(SOHO) devices. Examples of SOHO devices include the Cisco 800, the Cisco 900, the
Cisco 1700, the Cisco 1800 Series routers, and Cisco switches in environments where
access to the physical devices and cabling does not present a high risk to the corporate
network. In these types of installations, it may be physically impossible and even too costly
to provide a locked wiring closet for physical device security. In these situations, the
information technology (IT) manager must make a decision on what devices can and cannot
be physically secured and at what risk.
High-risk (mission-critical) devices: These devices are typically found in larger offices or
corporate campuses where tens, hundreds, or even thousands of employees reside, or where
the same large numbers of employees remotely access corporate data. These devices are
usually Cisco routers, Cisco Catalyst switches, firewalls, and management systems used to
route and control large amounts of data, voice, and video traffic. These devices represent a
much higher security threat if physically accessed by disgruntled employees or impacted by
negative environmental conditions.
Common Threats to Physical Installations
Hardware threats
Environmental threats
Electrical threats
Maintenance threats
Environmental Threat Mitigation
The following items should be used to limit environmental damage to Cisco network devices:
The room must be supplied with dependable systems for temperature and humidity control.
Always verify the recommended environmental parameters of the Cisco network
equipment with the supplied product documentation.
If possible, the room environmental parameters should be remotely monitored and alarmed.
The room must be free from electrostatic and magnetic interferences.
Maintenance-Related Threat Mitigation
Limit maintenance-related threats by using neat cable runs, labeling critical cables and
components, using ESD procedures, stocking critical spares, and controlling access to console
ports.
Maintenance-related threats are a broad category that covers many items. The following general
rules should be adhered to in order to prevent these types of threats:
All equipment cabling should be clearly labeled and secured to equipment racks to prevent
accidental damage or disconnection, or incorrect termination.
Cable runs, raceways, or both should be used to traverse rack-to-ceiling or rack-to-rack
connections.
Always follow electrostatic discharge (ESD) procedures when replacing or working inside
Cisco router and switch devices.
Maintain a stock of critical spares for emergency use.
Do not leave a console connected to and logged into any console port. Always log off
administrative interfaces when leaving.
Always remember that no room is ever totally secure, so physical access control should not
be relied upon as the sole protection of device access. Once inside a secure room, there is
nothing to stop an intruder from connecting a terminal to the console port of a Cisco router
or switch, which is why the console line itself must require authentication.
Reconnaissance Attacks
Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode
to capture all network packets that are sent across a LAN. A sniffer sees only the frames that
reach its own segment: on shared media, everything in the same collision domain; on a switched
network, only what the switch forwards to its port. Promiscuous mode is a mode in which the
network adapter card passes all frames received on the physical network wire to an application
for processing, instead of only the frames addressed to it.
Several network applications distribute network packets in clear text. Clear text is information
sent across the network that is not encrypted. Because the network packets are not encrypted,
they can be processed and understood by any application that can pick them off the network
and process them.
A network protocol specifies how packets are identified and labeled. The labels enable a
computer to determine whether a packet has been correctly forwarded to the intended
destination. Because the specifications for network protocols, such as TCP/IP, are widely
published, a third party can easily interpret the network packets and develop a packet sniffer.
Numerous freeware and shareware packet sniffers are available that do not require the user to
understand anything about the underlying protocols.
Note In an Ethernet LAN, promiscuous mode is a mode of operation in which every data packet
transmitted on the segment can be received and read by a network adapter. Promiscuous mode is
the opposite of nonpromiscuous mode, in which each LAN adapter inspects the destination
address of a frame and accepts it only if that address is its own (or a broadcast or multicast
address it has joined).
The following techniques and tools can be used to mitigate packet sniffer attacks:
Authentication: Using strong authentication is a first option for defense against packet
sniffers. Strong authentication can be broadly defined as a method of authenticating users
that cannot easily be circumvented. A common example of strong authentication is one-
time passwords (OTPs).
An OTP is a type of two-factor authentication. Two-factor authentication involves using
something you have combined with something you know. Automated teller machines
(ATMs) use two-factor authentication. A customer needs both an ATM card and a personal
identification number (PIN) to make transactions. With OTPs you need a PIN and your
token card to authenticate to a device or software application. A token card is a hardware or
software device that generates new, seemingly random, passwords at specified intervals
(usually 60 seconds). A user combines that password with a PIN to create a unique
password that works only for one instance of authentication. If a hacker learns that
password by using a packet sniffer, the information is useless because the password has
already expired. Note that this mitigation technique is effective only against a sniffer
implementation that is designed to grab passwords. Sniffers deployed to learn sensitive
information (such as e-mail messages) will still be effective.
Switched infrastructure: This technique can be used to counter the use of packet sniffers
in your network environment. For example, if an entire organization deploys switched
Ethernet, hackers can gain access only to the traffic that flows on the specific port to which
they connect. A switched infrastructure does not eliminate the threat of packet sniffers (a
switch can still be induced to deliver other hosts' traffic, for example by ARP spoofing or by
flooding its MAC address table), but it greatly reduces their effectiveness.
Antisniffer tools: Software and hardware designed to detect the use of sniffers on a
network can be employed. Such tools do not completely eliminate the threat, but like many
network security tools, they are part of the overall system. These antisniffer tools detect
changes in the response time of hosts to determine whether the hosts are processing more
traffic than their own traffic loads would indicate. One such network security software tool,
called AntiSniff, is available from Security Software Technologies.
Cryptography: Rendering packet sniffers irrelevant is the most effective method for
countering packet sniffers. Cryptography is even more effective than preventing or
detecting packet sniffers. If a communication channel is cryptographically secure, the only
data a packet sniffer detects is cipher text (a seemingly random string of bits) and not the
original message. The Cisco deployment of network-level cryptography is based on IPSec,
which is a standard method for networking devices to communicate privately using IP.
Other cryptographic protocols for network management include Secure Shell Protocol
(SSH) and Secure Sockets Layer (SSL).
As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and
devices to identify vulnerable services that need to be attended to. The information is gathered
by examining IP addressing and port or banner data from both TCP and User Datagram
Protocol (UDP) ports.
In an illegitimate situation, a port scan can be a series of messages sent by someone attempting
to break into a computer to learn which computer network services (each service is associated
with a "well-known" port number) the computer provides. Port scanning can be an automated
scan of a range of TCP or UDP port numbers on a host to detect listening services. Port
scanning, a favorite computer hacker approach, provides information to the assailant as to
where to probe for weaknesses. Essentially, a port scan consists of sending a message to each
port, one at a time. The kind of response received indicates whether the port is used and can
therefore be probed for weakness.
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to
determine which of a range of IP addresses map to live hosts (computers). Whereas a single
ping will tell you whether one specified host computer exists on the network, a ping sweep
consists of ICMP echo-requests sent to multiple hosts. If a given address is live, it will return an
ICMP echo-reply. Ping sweeps are among the older and slower methods used to scan a
network. As an attack tool, a ping sweep sends ICMP (RFC 792) echo-requests ("pings") to a
range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.
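The port scan described above, as an added example rather than code from the course: a TCP connect scan in Python that identifies listening services by whether the three-way handshake completes, then reads each service's greeting, the "port or banner data" the text refers to. The ping sweep is left out because ICMP echo needs raw sockets and privileges; to stay self-contained the block also starts a constructed demo listener on 127.0.0.1 so the scanner has something to find offline. The demo banner and the helper that picks a closed port are assumptions for the example.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """TCP connect scan of one port. connect_ex() returning 0 means the
    three-way handshake completed, so a service is listening; a refusal or
    a timeout means the port is closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host, port, timeout=0.5):
    """Connect and read whatever the service volunteers first (an SSH or
    SMTP greeting, for example). Returns "" if the service stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe every port in `ports` concurrently; return {open_port: banner}."""
    def check(port):
        if probe_port(host, port, timeout):
            return port, grab_banner(host, port, timeout)
        return port, None

    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(check, ports))
    return {port: banner for port, banner in results if banner is not None}


def start_demo_listener(banner=b"SSH-2.0-demo\r\n"):
    """Constructed target so the scan can run offline: a TCP service on
    127.0.0.1 that greets every client with `banner`. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed by stop()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # a bare probe hung up before reading the banner

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def pick_closed_port():
    """Bind and release an ephemeral port so it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, stop = start_demo_listener()
    closed_port = pick_closed_port()
    print(scan_ports("127.0.0.1", [closed_port, open_port]))  # {open_port: 'SSH-2.0-demo'}
    stop()
```

A connect scan completes the handshake, so the target's service logs see it; the stealth scans the mitigation topic mentions send only a SYN and read the SYN/ACK or RST, which needs raw sockets and is why detecting them is described as kernel-level work.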
Port Scan and Ping Sweep Attack Mitigation
Figure: workstations and laptops running host-based IPS (HIPS) behind a network IDS/IPS.
Port scanning and ping sweeping are not crimes in themselves, and they cannot be stopped
outright once a computer is connected to the Internet: every service you expose must listen on
a port, and any open port can be probed. There are, however, ways to limit the damage.
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers.
However, network diagnostic data is lost. Port scans can easily be run without full ping sweeps;
they simply take longer because they need to scan IP addresses that might not be live.
Network-based intrusion prevention systems (IPS) and host-based intrusion prevention systems
(HIPS) can usually notify an administrator when a reconnaissance attack is under way. This
warning allows the administrator to better prepare for the coming attack or to notify the Internet
service provider (ISP) that is hosting the system launching the reconnaissance probe.
Discovering stealth scans requires kernel-level work. IPSs compare incoming traffic to
signatures in their database. Signatures are characteristics of particular traffic patterns. A
signature that could be used for detecting port scans is "several packets to different destination
ports from the same source address within a short period of time". Another such signature could
be "SYN to a non-listening port".
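The two signatures quoted above, as an added detection example that is not from the course or from any Cisco IPS signature set: a small Python detector run over constructed connection-log lines. The log format, the thresholds (five distinct destination ports within ten seconds) and the set of ports that legitimately listen on the target are assumptions for the example; events are assumed to be in time order, as a log normally is.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of a firewall connection log: "<time> <src> <dst>:<dport> <tcp-flags>".
# 10.1.1.50 walks through seven ports in three seconds; 10.1.1.77 is a normal web client;
# 10.1.1.88 sends a single SYN to a port nothing listens on.
SAMPLE_LOG = """\
2005-03-01T10:00:00 10.1.1.50 192.0.2.10:22 S
2005-03-01T10:00:00 10.1.1.50 192.0.2.10:23 S
2005-03-01T10:00:01 10.1.1.50 192.0.2.10:25 S
2005-03-01T10:00:01 10.1.1.50 192.0.2.10:80 S
2005-03-01T10:00:02 10.1.1.50 192.0.2.10:443 S
2005-03-01T10:00:02 10.1.1.50 192.0.2.10:3389 S
2005-03-01T10:00:03 10.1.1.50 192.0.2.10:8080 S
2005-03-01T10:05:00 10.1.1.77 192.0.2.10:80 S
2005-03-01T10:05:01 10.1.1.77 192.0.2.10:80 S
2005-03-01T10:07:00 10.1.1.88 192.0.2.10:31337 S
"""

LISTENING_PORTS = {22, 25, 80, 443}  # assumed services on 192.0.2.10


def parse_log(text):
    """Turn the log text into (time, src, dst, dport, flags) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        dst_ip, dport = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst_ip, int(dport), flags))
    return events


def detect_port_scans(events, threshold=5, window_s=10):
    """Signature 1: `threshold` or more distinct destination ports from one
    source address within `window_s` seconds. Returns the offending sources."""
    alerts = set()
    recent = defaultdict(deque)  # src -> deque of (time, dport), oldest first
    for ts, src, _dst, dport, _flags in events:
        window = recent[src]
        window.append((ts, dport))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()  # drop packets that fell out of the window
        if len({p for _, p in window}) >= threshold:
            alerts.add(src)
    return alerts


def detect_syn_to_closed(events, listening=LISTENING_PORTS):
    """Signature 2: a SYN aimed at a port on which nothing listens. Legitimate
    clients have no reason to do this; scanners do it constantly."""
    return {(src, dport) for _ts, src, _dst, dport, flags in events
            if "S" in flags and dport not in listening}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port-scan sources:", detect_port_scans(evs))           # {'10.1.1.50'}
    print("SYNs to closed ports:", sorted(detect_syn_to_closed(evs)))
```

Both signatures are cheap to evaluate on flow or connection records, which is why they appear in most IDS rule sets; what they cannot see is a scan spread across many source addresses or stretched out over hours, which is where the window and threshold have to be tuned against the false-positive rate on your own traffic.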
The figure demonstrates how existing Internet tools can be used for network reconnaissance.
Domain name system (DNS) queries can reveal such information as who owns a particular
domain and what addresses have been assigned to that domain. Ping sweeps of the addresses
revealed by the DNS queries can present a picture of the live hosts in a particular environment.
After such a list is generated, port scanning tools can cycle through all well-known ports to
provide a complete list of all services running on the hosts discovered by the ping sweep.
Finally, the hackers can examine the characteristics of the applications that are running on the
hosts. This step can lead to specific information that is useful when the hacker attempts to
compromise that service.
IP address queries can reveal information such as who owns a particular IP address or range of
addresses and what domain is associated with them.
Access Attacks and Mitigation
This topic describes the mitigation of access attacks including password attacks, trust
exploitation, port redirection and man-in-the-middle attacks.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and Web
services to gain entry to Web accounts, confidential databases, and other sensitive information.
Access attacks can consist of the following:
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks
Hackers implement password attacks using brute-force attacks, Trojan horse programs, IP
spoofing, and packet sniffers.
Password attacks can be implemented using several methods, including brute-force attacks,
Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP
spoofing can yield user accounts and passwords, password attacks usually refer to repeated
attempts to identify a user account, password, or both. These repeated attempts are called
brute-force attacks.
Often a brute-force attack is performed using a program that runs across the network and
attempts to log in to a shared resource, such as a server. When an attacker gains access to a
resource, the attacker has the same access rights as the user whose account has been
compromised. If this account has sufficient privileges, the attacker can create a back door for
future access, without concern for any status and password changes to the compromised user
account.
Password Attack Example
Just as with packet sniffer and IP spoofing attacks, a brute-force password attack can provide
access to accounts that can be used to modify critical network files and services. An example
that compromises your network integrity is when an attacker modifies the routing tables for
your network. By doing so, the attacker ensures that all network packets are routed to the
attacker before they are transmitted to their final destination. In such a case, an attacker can
monitor all network traffic, effectively becoming a man in the middle.
A big security risk lies in storing passwords as clear text: anyone who can read the password
file has every account. To overcome this risk, systems do not store the password itself. On most
systems, passwords are run through a one-way hash function. A one-way hash is a fixed-length
string derived from the password that cannot be reversed into its original text. Such systems
never decrypt a stored password during authentication, because nothing was encrypted; only the
hash is stored. During the login process, you supply an account and password, the same hash
function is applied to the password you typed, and the result is compared to the hash stored on
the system. If the two are the same, it is assumed that the proper password was supplied.
A password hash is therefore not an encrypted password but the output of the algorithm. Its
strength lies in the fact that the same hash value can only be recreated from the original
password, and that it is computationally infeasible to recover the password from the hash. This
makes hashes suitable for storing password verifiers: in granting access, hashes are calculated
and compared, rather than plain passwords. Note what a hash does not prevent: an attacker who
obtains the hash can hash candidate passwords and compare the results, which is exactly what
password-cracking tools do, so the stored hashes must still be protected and the hash should be
slow and salted.
The following are the two methods for computing passwords with L0phtCrack:
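The hash-and-compare login described above and the guessing attacks it remains exposed to, as an added Python example rather than course material or L0phtCrack's own method: a fast unsalted hash, a dictionary attack and a brute-force attack against it, and, as the mitigation, a per-user salted and iterated hash (PBKDF2, assumed here as the stronger scheme). The passwords and word list are constructed.

```python
import hashlib
import hmac
import itertools
import os
import string

# --- What the text describes: a fast, unsalted one-way hash stored instead of the password.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    """Login check: hash what the user typed and compare it with the stored hash."""
    return hmac.compare_digest(weak_hash(password), stored)


# --- Why a captured hash is still dangerous: the attacker repeats the same computation.
def dictionary_attack(stored_hash: str, wordlist):
    """Hash each word in a list and stop at the first match."""
    for word in wordlist:
        if weak_hash(word) == stored_hash:
            return word
    return None


def brute_force(stored_hash: str, alphabet=string.ascii_lowercase, max_len=4):
    """Hash every string over `alphabet` up to `max_len` characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if weak_hash(candidate) == stored_hash:
                return candidate
    return None


# --- Mitigation (assumed here, not from the course): a random per-user salt and a
# deliberately slow, iterated hash. Identical passwords get different records, a
# precomputed table is useless, and every guess costs the attacker ITERATIONS hashes.
ITERATIONS = 100_000


def strong_hash(password: str, salt=None) -> str:
    """Return "salthex$dkhex"; a fresh 16-byte salt is drawn unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    words = ["password", "letmein", "cisco", "secret"]   # constructed word list
    stored = weak_hash("cisco")
    print("dictionary hit:", dictionary_attack(stored, words))            # cisco
    print("brute-force hit:", brute_force(weak_hash("abc"), max_len=3))   # abc
    rec = strong_hash("cisco")
    print("salted record verifies:", strong_verify("cisco", rec))        # True
```

The two attacks are the same loop with different candidate generators, which is why the speed of the hash function is the attacker's budget: a scheme that takes 100,000 iterations per guess turns the few-thousand-guess brute force above into real work, and the salt stops one crack from breaking every account that shares the password.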
Trust Exploitation
Although it is not an attack in itself, trust exploitation refers to an individual taking advantage
of a trust relationship within a network.
An example of when a trust exploitation can take place is when a perimeter network is
connected to a corporate network. These network segments often house DNS, Simple Mail
Transfer Protocol (SMTP), and HTTP servers. Because these servers all reside on the same
segment, a compromise of one system can lead to the compromise of other systems if those
other systems in turn trust systems attached to the same network.
Another example of trust exploitation is a system on the outside of a firewall that has a trust
relationship with a system on the inside of a firewall. When the outside system is compromised,
the attacker can leverage that trust relationship to attack the inside network.
Trust Exploitation Attack Mitigation
Figure: the hacker, having compromised System B, is blocked from System A because System A
does not extend its trust of user psmith (Pat Smith) to the compromised system.
You can mitigate trust exploitation-based attacks through tight constraints on trust levels within
a network.
Systems on the outside of a firewall should never be absolutely trusted by systems on the inside
of a firewall. Such trust should be limited to specific protocols and, where possible, should be
validated by something other than an IP address.
Figure: the outside host connects to compromised Host A on the public services segment, which
redirects the session to Host B on the inside (source: A, destination: B, port: 23).
Port redirection attacks are a type of trust exploitation attack that uses a compromised host to
pass traffic that would otherwise be dropped, through a firewall. Consider a firewall with three
interfaces and a host on each interface. The host on the outside can reach the host on the public
services segment (commonly referred to as a demilitarized zone [DMZ]) (Host A in this
example), but not the host on the inside (Host B in this example). The host on the public
services segment can reach the host on both the outside and the inside. If hackers are able to
compromise the public services segment host, they can install software to redirect traffic from
the outside host directly to the inside host. Though neither communication violates the rules
implemented in the firewall, the outside host has now achieved connectivity to the inside host
through the port redirection process on the public services host. An example of an application
that can provide this type of access is Netcat.
Netcat is a featured networking utility which reads and writes data across network connections,
using the TCP/IP protocol. Netcat is designed to be a reliable "back-end" tool that can be used
directly or that can easily be driven by other programs and scripts. At the same time, Netcat is a
feature-rich network debugging and exploration tool because it can create almost any kind of
connection that you would need and has several interesting built-in capabilities.
Port redirection can be mitigated primarily through the use of proper trust models that are
network specific. Assuming a system is under attack, a host-based IPS can help detect a hacker
and prevent installation of such utilities on a host.
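The two-hop relay described above leaves a trace that the firewall's rules cannot act on, because each leg is individually permitted; only correlating the two legs exposes the bypass. The following is an added example, not part of the SND course material, that runs that correlation over a few constructed log lines in a simplified, made-up format (real firewall syslog differs). The zone prefixes, the sample addresses, and the five-second window are assumptions chosen for the sample.

```python
"""Correlate firewall connection logs to spot a port-redirection relay on a DMZ host.

Added example, not part of the SND course.  The log format is a constructed,
simplified one (real firewall syslog differs); zones and the time window are
assumptions for the sample.
"""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed three-interface layout: inside and DMZ prefixes; anything else is outside.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")

# Firewall policy exactly as the text describes it: (from_zone, to_zone) -> permitted.
# outside -> inside is denied; every other pair between different zones is permitted.
POLICY = {
    ("outside", "dmz"): True,
    ("outside", "inside"): False,
    ("dmz", "inside"): True,
    ("dmz", "outside"): True,
    ("inside", "dmz"): True,
    ("inside", "outside"): True,
}

Conn = namedtuple("Conn", "ts src dst dport")


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in INSIDE:
        return "inside"
    if addr in DMZ:
        return "dmz"
    return "outside"


def parse_line(line):
    # Constructed format: "<ISO timestamp> BUILT <src> -> <dst>:<dport>"
    ts, _, src, _, dst_port = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport))


def permitted(conn):
    return POLICY.get((zone_of(conn.src), zone_of(conn.dst)), False)


def find_relays(conns, window=timedelta(seconds=5)):
    """Return (outside_src, dmz_host, inside_dst, port) for every case where a
    DMZ host accepted an outside connection on `port` and then, within `window`,
    opened a connection to an inside host on the same port.  Each leg passes the
    policy on its own; only the correlation exposes the bypass."""
    inbound = defaultdict(list)  # (dmz_host, port) -> [(ts, outside_src), ...]
    findings = []
    for c in sorted(conns, key=lambda x: x.ts):
        if not permitted(c):
            continue  # the firewall already dropped this one
        src_zone, dst_zone = zone_of(c.src), zone_of(c.dst)
        if src_zone == "outside" and dst_zone == "dmz":
            inbound[(c.dst, c.dport)].append((c.ts, c.src))
        elif src_zone == "dmz" and dst_zone == "inside":
            for ts, outside_src in inbound.get((c.src, c.dport), []):
                if timedelta(0) <= c.ts - ts <= window:
                    findings.append((outside_src, c.src, c.dst, c.dport))
    return findings


# Constructed sample log; not captured from a real device.  Line 3 is the direct
# outside -> inside attempt the firewall blocks; lines 1 and 2 are the relay.
SAMPLE_LOG = """\
2005-03-01T10:00:00 BUILT 198.51.100.7 -> 192.0.2.10:23
2005-03-01T10:00:01 BUILT 192.0.2.10 -> 10.1.1.5:23
2005-03-01T10:00:02 BUILT 198.51.100.7 -> 10.1.1.5:23
2005-03-01T10:05:00 BUILT 192.0.2.10 -> 10.1.1.9:23
""".splitlines()


def analyse(lines=SAMPLE_LOG):
    return find_relays([parse_line(line) for line in lines])


if __name__ == "__main__":
    for outside_src, relay, inside_dst, port in analyse():
        print(f"possible port redirection: {outside_src} -> {relay} -> {inside_dst} on port {port}")
```

The fourth sample line shows why the window matters: a DMZ host legitimately reaching an inside host minutes later on the same port is not reported, so the heuristic stays usable on a busy segment. The same correlation belongs in a host-based IPS or log collector rather than in the firewall policy, which, as the text says, is not being violated.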
Man-in-the-Middle Attacks
[Figure: Host A and Host B exchanging data in clear text through Router A and Router B.]
An example of a man-in-the-middle attack is when someone working for your ISP gains access
to all network packets transferred between your network and any other network. Man-in-the-
middle attackers take care not to disrupt traffic and thus set off alarms. Instead, they use their
position to stealthily extract information from the network.
[Figure: with an IPSec tunnel between Host A and Host B, a man-in-the-middle attacker can see only cipher text.]
Denial of Service Attacks and Mitigation
This topic describes the mitigation of denial of service attacks including IP spoofing and
distributed denial of service (DDoS) attacks.
DoS attacks are the most publicized form of attack, and are also among the most difficult to
completely eliminate. Even within the hacker community, DoS attacks are regarded as trivial
and considered bad form because they require so little effort to execute. Still, because of their
ease of implementation and potentially significant damage, DoS attacks deserve special
attention from security administrators. If you are interested in learning more about DoS attacks,
researching the methods employed by some of the better-known attacks can be useful. DoS
attacks can consist of the following:
IP spoofing
DDoS
IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder
sends messages to a computer with an IP address indicating that the message is coming from a
trusted host. To engage in IP spoofing, hackers must first use a variety of techniques to find an
IP address of a trusted host and then modify their packet headers to appear as though packets
are coming from that trusted host. Further, the attacker can engage other unsuspecting hosts to
also generate traffic that appears as though it too is coming from the trusted host, thus flooding
the network.
Routers forward packets by examining the destination address; in normal forwarding the source
address is not checked. The destination machine, however, uses the source address when it
replies. In a spoofing attack, the intruder sends messages to a computer indicating that the
message has come from a trusted system. For example, an attacker outside your network pretends
to be a trusted computer, either by using an IP address that is within the range of IP addresses
for your network or by using an authorized external IP address that your network trusts and
provides specified resource access to. To be successful, the intruder must first determine the IP
address of a trusted system, and then modify the packet headers so that it appears that the
packets are coming from the trusted system. The goal of the attack is to establish a connection
that allows the attacker to gain root access to the host and to create a backdoor entry path into
the target system.
Normally, an IP spoofing attack is limited to the injection of data or commands into an existing
stream of data passed between a client and server application or a peer-to-peer network
connection, because replies go to the spoofed address rather than to the attacker. To enable
bidirectional communication, the attacker must also alter routing so that packets addressed to
the spoofed IP address are delivered to the attacker. Another approach the attacker could take is
to simply not worry about receiving any response from the applications. For example, if an
attacker is attempting to get a system to mail a sensitive file, application responses are
unimportant.
If an attacker manages to change the routing tables to divert network packets to the spoofed IP
address, the attacker can receive all the network packets that are addressed to the spoofed
address and reply just as any trusted user can. Like packet sniffers, IP spoofing is not restricted
to people who are external to the network.
IP spoofing can also provide access to user accounts and passwords, or it can be used in other
ways. For example, an attacker can emulate one of your internal users in ways that prove
embarrassing for your organization. The attacker could send e-mail messages to business
partners that appear to have originated from someone within your organization. Such attacks
are easier when an attacker has a user account and password, but they are also possible when
simple spoofing attacks are combined with knowledge of messaging protocols.
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
Access control configuration: The most common method for preventing IP spoofing is to
properly configure access control. To reduce the effectiveness of IP spoofing, configure
access control to deny any traffic from the external network that has a source address that
should reside on the internal network. Note that this helps prevent spoofing attacks only if
the internal addresses are the only trusted addresses. If some external addresses are trusted,
this method is not effective.
Encryption: Another way to defeat IP spoofing is to encrypt and authenticate all traffic
between the source and destination hosts, so that a packet carrying a forged source address is
rejected because the attacker cannot produce the keyed authentication that must accompany it.
RFC 2827 filtering: You can prevent your network users from spoofing other networks
(and be a good Internet citizen at the same time) by preventing any outbound traffic on
your network that does not have a source address in your organization IP range. This
filtering denies any traffic that does not have the source address that was expected on a
particular interface. For example, if an ISP is providing a connection to the IP address
15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24
can enter the ISP router from that interface. Note that unless all ISPs implement this type of
filtering, its effectiveness is significantly reduced.
Additional authentication: The most effective method for mitigating the threat of IP
spoofing is the same as for packet sniffers: eliminate its effectiveness. IP spoofing can
function correctly only when devices use IP address-based authentication; therefore, if you
use additional authentication methods, IP spoofing attacks are irrelevant. Cryptographic
authentication is the best form of additional authentication. However, when cryptographic
authentication is not possible, strong two-factor authentication using OTPs can also be
effective.
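The access-control and RFC 2827 measures above are, mechanically, ordered source-address filters with an implicit deny at the end. The following added example, not from the SND course, models them with first-match access-list semantics and also demonstrates the caveat stated above: an ACL that denies internal source addresses on the outside interface does nothing against forgery of a trusted external address. `15.1.1.0/24` is the text's own ISP example; the other prefixes, the trusted hosts, and the function names are constructed for illustration.

```python
"""Anti-spoofing source-address filters in the RFC 2827 style, modelled as
ordered access lists with first-match semantics and an implicit deny.

Added example, not from the SND course.  Prefixes other than 15.1.1.0/24 (the
text's own ISP example) are constructed for illustration.
"""
import ipaddress

# An access list is an ordered list of (action, source prefix) entries.


def evaluate(acl, src):
    """Return 'permit' or 'deny' for a packet whose source address is `src`.
    The first entry whose prefix contains the source wins; a source that matches
    no entry is denied, as by the implicit deny on Cisco access lists."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"


def rfc2827_ingress(customer_prefixes):
    """ISP side: on the interface toward a customer, only the customer's own
    prefixes are acceptable sources.  Everything else hits the implicit deny."""
    return [("permit", p) for p in customer_prefixes]


def egress_filter(own_prefixes):
    """Same rule applied by an organisation to its own outbound traffic, so its
    users cannot spoof other networks."""
    return [("permit", p) for p in own_prefixes]


def outside_antispoof(own_public_prefixes):
    """Organisation side, inbound on the outside interface: deny packets that
    claim an internal (RFC 1918), loopback, or own-public source; permit the rest."""
    never_from_outside = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
    return ([("deny", p) for p in never_from_outside + list(own_public_prefixes)]
            + [("permit", "0.0.0.0/0")])


def spoof_outcomes(acl, trusted_hosts, forged_sources):
    """For each forged source address that is also a trusted host, report whether
    the ACL lets it through.  This is the caveat in the text: denying internal
    sources does nothing when the trusted address is an external one."""
    return {h: evaluate(acl, h) for h in forged_sources if h in trusted_hosts}


if __name__ == "__main__":
    isp = rfc2827_ingress(["15.1.1.0/24"])
    print("ISP ingress, 15.1.1.77:", evaluate(isp, "15.1.1.77"))      # permit
    print("ISP ingress, 203.0.113.5:", evaluate(isp, "203.0.113.5"))  # deny
    acl = outside_antispoof(["198.51.100.0/24"])
    # Constructed: the organisation trusts one internal host and one external partner.
    trusted = {"10.1.1.5", "203.0.113.9"}
    print(spoof_outcomes(acl, trusted, ["10.1.1.5", "203.0.113.9"]))
```

The last print shows the gap the text warns about: a forged `10.1.1.5` is denied on the outside interface, but a forged `203.0.113.9` is permitted, because the only thing that can stop that packet is the partner's own ISP applying the ingress filter on its side, or dropping address-based trust for cryptographic authentication.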
DoS and DDoS Attacks
A DoS attack on a server sends extremely large volumes of requests over a network or the
Internet. These large volumes of requests cause the attacked server to slow down dramatically.
Consequently, the attacked server becomes unavailable for legitimate access and use.
DoS attacks are different from most other attacks because they are not targeted at gaining
access to your network or the information on your network. These attacks focus on making a
service unavailable for normal use. This result is typically accomplished by exhausting some
resource limitation on the network or within an operating system or application. These attacks
require little effort to execute because they typically take advantage of protocol weaknesses or
because the attacks are carried out using traffic that would normally be allowed into a network.
DoS attacks are among the most difficult to completely eliminate because of the way they use
protocol weaknesses and native traffic to attack a network.
For all known DoS attacks, there are software fixes that system administrators can install to
limit the damage caused by the attacks. However, like viruses, new DoS attacks are constantly
being developed by hackers.
[Figure: DDoS attack topology showing the hacker, the handler systems, and the agent systems.]
DDoS attacks are the next generation of DoS attacks on the Internet. This type of attack is
not new. UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed
broadcasts (also known as smurf attacks) are similar to DDoS attacks; however, the scope of the
attack is new. Victims of DDoS attacks experience packet flooding from many different
sources, possibly with spoofed IP source addresses, that brings their network connectivity to a
grinding halt. In the past, the typical DoS attack involved a single attempt to flood a target host
with packets. With DDoS tools, an attacker can conduct the same attack using thousands of
systems.
In the figure, the hacker uses a terminal to scan for systems to hack. After handler systems are
accessed, the hacker installs software on these systems. This software attempts to scan for,
compromise, and infect agent systems. When the agent systems are accessed, the hacker then
loads remote control attack software to carry out the DDoS attack.
DoS and DDoS Attack Mitigation
When attacks involve specific network server applications, such as an HTTP server or an FTP
server, the attacker focuses on acquiring and keeping all the available connections supported by
that server open. This strategy effectively locks out valid users of the server or service.
DoS attacks can also be implemented using common Internet protocols, such as TCP and
ICMP. For example, Ping of Death and Teardrop attacks exploit flaws in how TCP/IP
implementations reassemble fragmented packets. While most DoS attacks exploit a weakness in
the overall architecture of the system being attacked rather than a software bug or security hole,
some attacks compromise the performance of your network by flooding the network with
undesired, and often useless, network packets and by providing false information about the
status of network resources.
The threat of DoS attacks can be reduced through the following three methods:
Anti-spoof features: Proper configuration of anti-spoof features on your routers and
firewalls can reduce your risk. This configuration includes filtering at least to an RFC 2827
level. If hackers cannot mask their identities, they might not attack.
Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls can
help limit the effectiveness of an attack. These features often involve limits on the amount
of half-open TCP connections that a system allows at any given time.
Traffic rate limiting: An organization can implement traffic rate limiting with its ISP.
This type of filtering limits the amount of nonessential traffic that crosses network
segments to a certain rate. A common example is to limit the amount of ICMP traffic
allowed into a network, because it is used mainly for diagnostic purposes and ICMP-based
DDoS attacks are common. Rate-limit ICMP rather than blocking it outright, because ICMP
also carries error messages (for example, fragmentation needed) that Path MTU Discovery
depends on.
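Two of the controls named above, the half-open (embryonic) connection limit and ICMP rate limiting, are shown below as an added example; it is not Cisco code and not part of the course. It runs against a constructed packet trace: a SYN flood from several forged sources against one server, a legitimate client that collides with the full half-open table and retries after the entries age out, and an ICMP burst. The threshold, timeout, and rate values are assumptions chosen for the sample.

```python
"""Two anti-DoS controls from the text, modelled in code: a limit on half-open
(embryonic) TCP connections per server and a token-bucket rate limit on ICMP.

Added example with a constructed packet trace; not Cisco code.  Threshold,
timeout, and rate values are assumptions chosen for the sample.
"""
from collections import namedtuple

# flags is a set of TCP flag names for TCP packets and None otherwise.
Pkt = namedtuple("Pkt", "ts proto src dst flags")


class EmbryonicLimiter:
    """Track TCP connections that have seen a SYN but no completing ACK.  A new
    SYN toward a destination that already has `limit` half-open connections is
    dropped; entries older than `timeout` seconds are forgotten."""

    def __init__(self, limit, timeout):
        self.limit, self.timeout = limit, timeout
        self.half_open = {}  # (src, dst) -> timestamp of the SYN
        self.dropped = 0

    def _expire(self, now):
        for key, ts in list(self.half_open.items()):
            if now - ts > self.timeout:
                del self.half_open[key]

    def count_for(self, dst):
        return sum(1 for (_, d) in self.half_open if d == dst)

    def handle(self, pkt):
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst)
        if pkt.flags == {"SYN"}:
            if self.count_for(pkt.dst) >= self.limit:
                self.dropped += 1
                return "drop"
            self.half_open[key] = pkt.ts
        elif "ACK" in pkt.flags and key in self.half_open:
            del self.half_open[key]  # handshake completed
        return "forward"


class TokenBucket:
    """Allow `rate` packets per second sustained, with bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, ts):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run(packets, server, limit=3, timeout=30, icmp_rate=1.0, icmp_burst=2):
    """Feed a trace through both controls and summarise what they did."""
    tcp = EmbryonicLimiter(limit, timeout)
    icmp = TokenBucket(icmp_rate, icmp_burst)
    icmp_dropped = 0
    for p in packets:
        if p.proto == "tcp":
            tcp.handle(p)
        elif p.proto == "icmp" and not icmp.allow(p.ts):
            icmp_dropped += 1
    return {"tcp_dropped": tcp.dropped, "icmp_dropped": icmp_dropped,
            "half_open": tcp.count_for(server)}


SERVER = "10.1.1.5"
# Constructed trace: a SYN flood from five forged sources, a legitimate client whose
# first SYN collides with the full table and retries after the entries age out, then
# an ICMP burst of ten echo requests within one second.
SAMPLE = [Pkt(i * 0.01, "tcp", f"198.51.100.{i}", SERVER, {"SYN"}) for i in range(1, 6)]
SAMPLE += [Pkt(0.1, "tcp", "203.0.113.9", SERVER, {"SYN"}),
           Pkt(40.0, "tcp", "203.0.113.9", SERVER, {"SYN"}),
           Pkt(40.1, "tcp", "203.0.113.9", SERVER, {"ACK"})]
SAMPLE += [Pkt(50.0 + i * 0.1, "icmp", "198.51.100.50", SERVER, None) for i in range(10)]

if __name__ == "__main__":
    print(run(SAMPLE, SERVER))
```

The trace also shows the cost of the half-open limit: the legitimate client's first SYN is dropped along with the flood, and it only gets through after the forged entries time out. That is why these limits are tuned per server rather than set very low, and why the anti-spoof filtering above is a complement rather than an alternative: forged sources never complete a handshake, so they are exactly what fills the table.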
Viruses are malicious software that attaches to other programs and executes a particular
unwanted function on a user workstation. A virus propagates itself by infecting other programs
on the same computer. Viruses can do serious damage, such as erasing files or erasing an entire
disk. They can also be a simple annoyance, such as popping up a window that says "Ha ha you
are infected!" True viruses cannot spread to a new computer without human assistance, such as
introducing an infected file on a floppy disk, as an e-mail attachment, or through file sharing.
A worm executes arbitrary code and installs copies of itself in the memory of the infected
computer. It can then infect other hosts from the infected computer. Like a virus, a worm is also
a program that propagates itself. Unlike a virus, a worm can spread itself automatically over the
network from one computer to the next. Worms are not clever or evil; they just take advantage
of automatic file sending and receiving features found on many computers.
Trojan horse is a general term, referring to programs that appear desirable but actually contain
something harmful. For example, a downloaded game could erase files. The contents could also
hold a virus or a worm.
A single piece of malicious software can attack on all three levels. The Love Bug is an example
of a Trojan horse because it pretended to be a love letter when it actually carried a harmful
program. The Love Bug was also a virus because it infected all image files on the attacked disk,
turning them into new Trojans. Finally, the Love Bug was a worm because it propagated itself
over the Internet by hiding in the Trojan horses that it sent out using addresses in the attacked
system's e-mail address book.
Virus and Trojan Horse Attacks
Viruses and Trojan horse attacks can be contained through the effective use of antivirus
software at the user level and potentially at the network level. Antivirus software can detect
most viruses and many Trojan horse applications and prevent them from spreading in the
network. Keeping up-to-date with the latest developments in these sorts of attacks can also lead
to a more effective posture against these attacks. As new virus or Trojan horse applications are
released, enterprises need to keep up-to-date with the latest antivirus software and application
versions.
A worm attack has three components:
1. The enabling vulnerability
2. Propagation mechanism
3. Payload
Typically, worms are self-contained programs that attack a system and try to exploit
vulnerabilities in the target. Upon successful exploitation of the vulnerability, the worm copies
its program from the attacking host to the newly exploited system to begin the cycle again. A
virus normally requires a path to carry the virus code from one system to another. The vector
can be a word-processing document, an e-mail message, or an executable program. The key
element that distinguishes a computer worm from a computer virus is that human interaction is
required to facilitate the spread of a virus.
Mitigating Worm Attacks
Worm attack mitigation requires diligence on the part of system and network administration
staff. Coordination between system administration, network engineering, and security
operations personnel is critical in responding effectively to a worm incident. The following are
the recommended steps for worm attack mitigation:
Containment: Contain the spread of the worm into your network and within your
network. Compartmentalize parts of your network that have not been infected.
Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
Quarantine: Track down each infected machine inside your network. Disconnect, remove,
or block infected machines from the network.
Treatment: Clean and patch each infected system. Some worms may require complete
core system reinstallations to clean the system.
Typical incident response methodologies can be subdivided into six major categories. The
following categories are based on the network service provider security (NSP-SEC) incident
response methodology:
Preparation: Acquire the resources to respond.
Identification: Identify the worm.
Classification: Classify the type of worm.
Traceback: Trace the worm back to its origin.
Reaction: Isolate and repair the affected systems.
Post mortem: Document and analyze the process used for the future.
Application-Layer Attacks
attacks, which include Java applets and ActiveX controls, involve passing harmful
programs across the network and loading them through a user browser.
The following are some measures you can take to reduce your risks for application-layer
attacks:
Read operating system and network log files or have them analyzed. It is important to
review all logs and take action accordingly.
Subscribe to mailing lists that publicize vulnerabilities. Most application and operating
system vulnerabilities are published on the Web by various sources.
Keep your operating system and applications current with the latest patches. Always test
patches and fixes in a non-production environment. This practice prevents downtime and
keeps errors from being generated unnecessarily.
Use intrusion detection systems (IDS) or intrusion prevention systems (IPS) or both IDS
and IPS to scan for known attacks, monitor and log attacks, and ultimately prevent attacks.
Using these systems is essential to identifying security threats and mitigating some of these
threats. In most cases, mitigation can be done automatically.
Management Protocols and Vulnerabilities
The protocols used to manage your network can be a source of vulnerability. This topic
describes vulnerabilities in configuration management protocols and recommendations for
mitigating these vulnerabilities.
Configuration Management
If the managed device does not support any of the recommended protocols, such as SSH and
SSL, Telnet (not recommended) may have to be used. Recall that Telnet was developed in an
era when security was not an issue. The network administrator should recognize that the data
within a Telnet session is sent as clear text and may be intercepted by anyone with a packet
sniffer located along the data path between the managed device and the management server.
The clear text may include important or sensitive information, such as the configuration of the
device itself, passwords, or other sensitive data.
Regardless of whether SSH, SSL, or Telnet is used for remote access to the managed device,
access control lists (ACLs) should be configured to allow only management servers to connect
to the device. All attempts from other IP addresses should be denied and logged. RFC 3704
filtering at the ingress router should also be implemented to reduce the chance of an attacker
outside the network spoofing the addresses of the management hosts.
Note: RFC 3704 covers Ingress Filtering for Multihomed Networks. It updates RFC 2827.
Management Protocols
SNMP is a network management protocol that can be used to retrieve information from a
network device (commonly referred to as read-only access) or to remotely configure parameters
on the device (commonly referred to as read-write access). SNMP uses passwords (called
community strings) within each message, as a very simple form of security. Unfortunately,
most implementations of SNMP on networking devices today send the community string in
clear text along with the message. Therefore, SNMP messages may be intercepted by anyone
with a packet sniffer located along the data path between the device and the management
server.
Syslog, which is information generated by a device that has been configured for logging, is sent
as clear text between the managed device and the management host. Syslog has no packet-level
integrity checking to ensure that the packet contents have not been altered in transit. An
attacker may alter syslog data in order to confuse a network administrator during an attack.
Trivial File Transfer Protocol (TFTP) is used for transferring configuration or system files
across the network. TFTP uses UDP for the data stream between the requesting host and the
TFTP server. As with other management protocols that send data in clear text, the network
administrator should recognize that the data within a TFTP session might be intercepted by
anyone with a packet sniffer located along the data path between the device and the
management server. Where possible, TFTP traffic should be encrypted within an IPSec tunnel
in order to reduce the chance of interception.
Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a
network. Synchronization of the clocks within a network is critical for digital certificates and
for correct interpretation of events within syslog data. A secure method of providing clocking
for the network is for network administrators to implement their own master clocks for private
networks synchronized, via satellite or radio, to Coordinated Universal Time (UTC). However,
if network administrators do not wish to implement their own master clocks because of cost or
other reasons, clock sources are available for synchronization via the Internet.
Management Protocol Best Practices
SNMP recommendations:
Configure SNMP with only read-only community strings.
Set up access control on the device you wish to manage
Use SNMP Version 3 or above.
Logging recommendations:
Encrypt syslog traffic within an IPSec tunnel.
Implement RFC 2827 filtering.
Set up access control on the firewall.
TFTP recommendations:
Encrypt TFTP traffic within an IPSec tunnel.
NTP recommendations:
Implement your own master clock.
Use NTP Version 3 or above.
Set up access control that specifies which network devices are
allowed to synchronize with other network devices.
The following are recommendations for the correct use of SNMP tools:
Configure SNMP with only read-only community strings.
Set up access control on the device you wish to manage via SNMP to allow access by only
the appropriate management hosts.
Use SNMP Version 3. This version provides secure access to devices through a
combination of authenticating and encrypting management packets over the network.
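The point made in the SNMP paragraph under Management Protocols and in the recommendations above, that a v1/v2c community string is a password sent in clear text, is concrete once you look at the wire format: the community is a plain OCTET STRING that immediately follows the version INTEGER in the BER-encoded message, so a sniffer on the path reads it without any decoding effort. This added example (not from the course or from Cisco) builds a constructed SNMPv2c GetRequest for sysDescr.0 and parses the header back out the way a sniffer would. `v3_header_stub` is a made-up minimal version-3 header used only to show that the same parser finds no community string there; a real SNMPv3 message carries msgGlobalData and security parameters in that position.

```python
"""Why SNMPv1/v2c community strings are 'passwords in clear text': the community
is a plain OCTET STRING in the BER-encoded message header.

Added example; not code from the SND course or from Cisco.  It builds a
constructed SNMPv2c GetRequest and parses the header as a passive sniffer would.
"""

OID_SYSDESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # SNMPv2-MIB::sysDescr.0


def ber_len(n):
    # Definite-form length: short form below 128, long form (0x8N + N bytes) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    # Two's-complement INTEGER, minimal length, sign bit kept clear for positives.
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def base128(v):
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))


def ber_oid(arcs):
    first = bytes([40 * arcs[0] + arcs[1]])
    return tlv(0x06, first + b"".join(base128(a) for a in arcs[2:]))


def build_get_request(community, oid=OID_SYSDESCR_0, request_id=0x1234, version=1):
    """SNMP message: SEQUENCE { version INTEGER, community OCTET STRING, PDU }.
    version 0 is SNMPv1, 1 is SNMPv2c.  The PDU is GetRequest (context tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def v3_header_stub():
    # Constructed stand-in for an SNMPv3 header: version 3 followed by a SEQUENCE.
    # Real v3 messages carry msgGlobalData and security parameters here; this
    # stub only exercises the version check below.
    return tlv(0x30, ber_int(3) + tlv(0x30, ber_int(1)))


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_community(datagram):
    """What a passive sniffer recovers: (version, community).  For v1/v2c the
    community string is right there in the clear; for version 3 there is none."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vbytes, pos = read_tlv(body, 0)
    version = int.from_bytes(vbytes, "big", signed=True)
    if version == 3:
        return version, None
    ctag, cbytes, _ = read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("expected community OCTET STRING")
    return version, cbytes.decode()


if __name__ == "__main__":
    msg = build_get_request("public")
    print(msg.hex())
    print(extract_community(msg))            # (1, 'public')
    print(extract_community(v3_header_stub()))  # (3, None)
```

Read-only community strings limit what a captured string buys an attacker, and an ACL on the agent limits where it can be used from, but neither hides the string itself; only SNMPv3 with authentication and privacy removes it from the wire, which is why the recommendations above end with Version 3.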
There are a number of tools and techniques that you can use to find vulnerabilities in your
network. You will use some of these tools in the lab exercise for this lesson. Once you identify
the vulnerabilities, you can consider and implement mitigation steps as appropriate. The
following tools can be used to determine vulnerabilities:
Netcat is a featured networking utility that reads and writes data across network
connections using the TCP/IP protocol. Netcat is designed to be a reliable "back-end" tool
that can be used directly or can easily be driven by other programs and scripts. At the same
time, Netcat is a feature-rich network debugging and exploration tool because it can create
almost any kind of connection you would need and it has several interesting built-in
capabilities.
The Blues PortScan scans 300 ports per second on an NT or Windows 2000 machine.
Ethereal is used by network professionals around the world for troubleshooting, analysis,
software and protocol development, and education. Ethereal has all of the standard features
you would expect in a protocol analyzer, and several features not seen in any other product.
The Ethereal open source license allows talented experts in the networking community to
add enhancements. Ethereal runs on all popular computing platforms, including Unix,
Linux, and Windows.
Microsoft Baseline Security Analyzer (MBSA) is the free, best practices vulnerability
assessment tool for the Microsoft platform. MBSA is a tool designed for the IT
professional that helps with the assessment phase of an overall security management
strategy. MBSA includes a graphic and command line interface that can perform local or
remote scans of Windows systems.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
It is very important to provide physical installation security for enterprise network devices.
Packet sniffer attacks can be mitigated by authentication, switched infrastructure, antisniffer tools, and cryptography. Port scans and ping sweeps are mitigated by turning off ICMP echo and echo reply and by IDSs/IPSs at the network and host level.
Password attacks can be mitigated by restricting same password use, disabling accounts after unsuccessful logins, not using clear text passwords, and using strong passwords. Trust exploitation and port redirection are mitigated by tight constraints on trust levels within a network and by the use of proper trust models. Man-in-the-middle attacks can be mitigated through traffic encryption.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) List the four common threats to Cisco network physical installations. (Source: Securing
Cisco Router Installations)
Q2) Which type of reconnaissance attack is best mitigated by using strong authentication
and cryptography? (Source: Reconnaissance Attacks and Mitigation)
A) packet sniffers
B) port scans
C) ping sweeps
D) Internet information queries
Q3) Which type of reconnaissance attack is mitigated by turning off ICMP echo and echo-
reply? (Source: Reconnaissance Attacks and Mitigation)
A) packet sniffers
B) port scans
C) ping sweeps
D) Internet information queries
Q4) Which four of the following attacks are classified as access attacks? (Choose four.)
(Source: Access Attacks and Mitigation)
A) port redirection
B) trust exploitation
C) password attacks
D) man-in-the-middle attacks
E) DDoS
F) Trojan horse
G) Love Bug
Q5) What are two methods for computing passwords with L0phtCrack? (Choose two.)
(Source: Access Attacks and Mitigation)
A) random access generator
B) dictionary cracking
C) brute force computation
D) password hashing
E) character duplication
Q6) Which type of attack is mitigated by encrypting traffic in an IPSec tunnel? (Source:
Access Attacks and Mitigation)
A) packet sniffers
B) password attack
C) man-in-the-middle attacks
D) Internet information queries
Q8) A virus can spread automatically through a network. (Source: Access Attacks and
Mitigation)
A) True
B) False
Q9) Encryption helps mitigate IP spoofing. (Source: Access Attacks and Mitigation)
A) True
B) False
Q10) Traffic rate limiting helps mitigate IP spoofing. (Source: Access Attacks and
Mitigation)
A) True
B) False
Q11) As a minimum, anti-spoofing configuration must meet the requirements of RFC 2827.
(Source: Access Attacks and Mitigation)
A) True
B) False
Q12) The Love Bug attack was not a virus, but a Trojan horse. (Source: Access Attacks and
Mitigation)
A) True
B) False
Q13) Trojan horse is a very specific term referring to a particular attack mechanism. (Source:
Access Attacks and Mitigation)
A) True
B) False
Q14) Worm containment includes tracking down each infected machine inside the network.
(Source: Access Attacks and Mitigation)
A) True
B) False
Q15) A hacker transmitting thousands of ICMP pings from his PC to multiple target servers
is an example of a DDoS attack. (Source: Reconnaissance Attacks and Mitigation)
A) True
B) False
Q16) Why is telnet not a preferred configuration management protocol? (Source:
Management Protocols and Vulnerabilities)
A) It is slow.
B) It does not have a GUI.
C) It is not encrypted.
D) It is too easily spoofed.
Q17) What techniques and tools does Cisco recommend you use to detect and prevent
reconnaissance attacks? (Choose 3) (Source: Reconnaissance Attacks and Mitigation)
A) access lists
B) cryptography
C) lock-and-key
D) authentication
E) CBAC
F) IDS
Q18) Which type of network attack occurs when an intruder attempts to discover and map
systems, services, and vulnerabilities? (Source: Reconnaissance Attacks and
Mitigation)
A) time of day attack
B) reconnaissance attacks
C) denial of service (DoS) attacks
D) access attacks
Lesson Self-Check Answer Key
Q2) A
Q3) C
Q4) A, B, C, D
Q5) B,C
Q6) C
Q7) Although there are software fixes that system administrators can install to limit the damage caused by all
known DoS attacks, new DoS attacks are constantly being developed by hackers.
Q8) False
Q9) True
Q10) False
Q11) True
Q12) False
Q13) False
Q14) False
Q15) False
Q16) C
Q17) B, D and F
Q18) B
Lesson 3
Overview
The Cisco security portfolio offers a complete range of manageable solutions designed to
maintain the integrity of critical network information and extend the reach of network
resources. Integrated security solutions provide robust protection within a comprehensive
product line including routers and switches as well as firewalls, intrusion detection systems and
VPN access concentrators. Robust management tools provide complete control and visibility
into the integrated network infrastructure from the individual device level to the entire network.
This lesson introduces the Cisco security portfolio of solutions and products currently available
and installed across customer networks.
Objectives
Upon completing this lesson, you will be able to describe the general features, purpose and
benefits of the hardware and software components of the Cisco security portfolio and solutions.
This ability includes being able to meet these objectives:
Match the components of the Cisco security portfolio against Cisco security solution
offerings
Describe the security features of the Cisco PIX 500 Series of security appliances, Firewall
Services Module, VPN Accelerator card and the Cisco IOS Firewall
Describe how secure connectivity is provided by VPNs
Describe the security features and solutions provided by the Cisco VPN 3000 Series
concentrator
Describe the security features of Cisco VPN-enabled routers
Describe optimum product positioning for a range of VPN requirements
Describe how Cisco IPS sensors prevent intrusions
Describe the relative positioning of Cisco IDS/IPS sensor platforms
Describe the use and features of a HIPS and the CSA in network security
Describe the use of Cisco Secure ACSs to provide network security through identification
and authentication
Describe the functions of Cisco Network Admission Control
Describe the use of the Cisco IP Solution Center and the CiscoWorks VMS to provide
network security through management
Introducing the Cisco Security Portfolio
This topic describes the components of the Cisco security portfolio in relation to Cisco security
solution offerings.
Firewalls: Cisco PIX Security Appliances; Cisco IOS Firewall
VPN: Cisco VPN Concentrators; Cisco PIX Security Appliances; Cisco IOS VPN
Intrusion Detection and Prevention: Cisco IDS/IPS Sensors; Host Intrusion Prevention System; Cisco PIX Security Appliances; Cisco IOS IDS
Authentication: Cisco Secure Access Control Server
Management: CiscoWorks VMS
The goal of every network administrator must be to protect valuable data and network
resources from corruption and intrusion. Cisco security solutions provide the services necessary
to achieve this goal. Cisco offers a wide variety of security solutions built from a portfolio of
hardware and software products as shown in the Cisco Security Solutions table.
Cisco Security Solutions
Solution: Secure connectivity
Description: Secure connectivity is provided by connectivity to Cisco VPN gateway products using standard security protocols such as IPSec and L2TP.
Technology: Virtual private network (VPN)
Products: Cisco VPN 3000 Series concentrators; Cisco PIX Security Appliances; Cisco IOS VPN
Perimeter Security Products and Solutions
This topic describes the security features of the Cisco PIX 500 Security Appliance Series,
Firewall Services Module, VPN Accelerator card and the Cisco IOS Firewall.
[Figure: Cisco PIX 500 Series models ranked by functionality: PIX 515E, PIX 525, PIX 535.]
The Cisco PIX 500 Series of security appliances scales to meet a range of requirements and
network sizes, and currently consists of five models.
The PIX 501 Security Appliance has an integrated 10/100BASE-T port (100BASE-T
option available in release 6.3) and an integrated four-port 10/100 switch.
The PIX 506E Security Appliance has dual integrated 10/100BASE-T ports (100BASE-T
option available in release 6.3 for the Cisco 506E Security Appliance only).
The PIX 515E Security Appliance supports single-port or four-port 10/100 Ethernet cards.
The PIX 525 Security Appliance supports single-port or four-port 10/100 Fast Ethernet and
Gigabit Ethernet.
The PIX 535 Security Appliance supports Fast Ethernet and Gigabit Ethernet.
The PIX 515E Security Appliance, the PIX 525 Security Appliance, and the PIX 535 Security
Appliance come with an integrated VPN Accelerator Card (VAC).
The PIX Security Appliance is secure right out of the box. The default settings allow all
connections from the inside interface to the outside interface and block all connections
from the outside interface to the inside interface. After a few installation procedures and an
initial configuration with six general commands, your PIX 500 Series security appliance is
operational and protecting your network.
Cisco PIX 500 Security Appliance Features
The FWSM is a multigigabit integrated firewall module for the Cisco Catalyst 6500 Series
switch and the Cisco 7600 Series router. It is fabric-enabled and capable of interacting with the
bus and the switch fabric. Based on Cisco PIX Security Appliance technology, FWSM provides
stateful firewall functionality in these switches and routers.
Cisco PIX VPN Accelerator Cards
VAC and VAC+: Offload IPSec processes for demanding applications including large enterprise, complex, and high-traffic environments. Fit in any Cisco PIX 515E Security Appliance, PIX 520 Security Appliance, PIX 525 Security Appliance, or PIX 535 Security Appliance.
VAC: 100 Mbps of 3DES and SHA. Requires PIX Software Version 5.3 or higher. Features: DES and 3DES encryption, authentication, tunneling.
VAC+: Delivers 2 to 4 times the throughput of the VAC. Requires PIX Software Version 6.3 or higher. Features: DES and 3DES encryption, authentication, tunneling, AES encryption.
The VAC and VAC+ provide high-performance tunneling and encryption services suitable for
site-to-site and remote-access applications. They are optimized to handle the repetitive but
voluminous mathematical functions required for IPSec. Offloading encryption functions to the
card not only improves IPSec encryption processing, but also maintains high-end firewall
performance.
The VAC and VAC+ fit in a PCI slot inside the PIX Security Appliance chassis. Both cards
feature Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES)
encryption, plus authentication and tunneling. Only the VAC+ also offers Advanced
Encryption Standard (AES) encryption. Detailed performance figures are provided later in this
course.
Cisco IOS software runs on more than 80 percent of Internet backbone routers, which makes
this software the most fundamental component of network infrastructure. Cisco IOS software-
based security offers the best solution for end-to-end Internet, intranet, and remote-access
network security. Refer to the Application Guidelines table to help choose the right Cisco
router for varied security environments.
Application Guidelines
Small or home offices: Cisco uBR900 Series cable access routers, Cisco 800 Series, and 1700 Series routers
Branch and extranet environments: Cisco 2600 Series, 3600 Series and 3700 Series routers
VPN and WAN aggregation points or other high-throughput environments: Cisco 7100 Series, 7200 Series, 7400 Series, 7500 Series and RSM Series routers
Cisco IOS Firewall Highlights
These are some of the highlights of the Cisco IOS Firewall:
Stateful IOS Firewall inspection engine: This feature provides internal users with secure,
per-application-based access control for all traffic across perimeters, such as perimeters
between private enterprise networks and the Internet. This is also called Context-based
Access Control (CBAC).
Intrusion detection: Inline deep packet inspection service that provides real-time
monitoring, interception, and response to network misuse with a broad set of the most
common attack and information-gathering intrusion detection signatures. Supports 102
signatures.
Firewall voice traversal: This feature is provided by application-level intelligence of the
protocol as to the call flow and associated channels that are opened. Voice protocols that
are currently supported are H.323v2 and Session Initiation Protocol (SIP).
ICMP inspection: This feature allows responses to ICMP packets (for example, ping and
traceroute) originating from inside the firewall, while denying other ICMP traffic.
Authentication proxy: This requires users to authenticate when attempting to access
network resources via HTTP. The user's specific network access profiles are automatically
retrieved and applied from a RADIUS or TACACS+ server. The user profiles are active
only when there is active traffic from the authenticated users. Since Cisco IOS Software
Release 12.3(1), authentication proxy can alternatively be triggered by Telnet or FTP.
Destination URL policy management: These include several mechanisms that support
local caching of previous requests, predetermined static URL permission and denial tables,
as well as use of external server databases provided by Websense Inc. and N2H2 Inc. This
is better known as URL Filtering.
Per user firewalls: This feature enables service providers to provide a managed firewall
solution in the broadband market by downloading unique firewalls, access control lists
(ACLs), and other settings on a per user basis, using the AAA server profile storage after
authentication.
Cisco IOS router and firewall provisioning: This feature provides no touch provisioning
of the router, version updates and security policies such as firewall rules.
Denial of service detection and prevention: This feature defends and protects router
resources against common attacks, checks packet headers, and drops suspicious packets.
Dynamic port mapping: This feature allows firewall-supported applications on
nonstandard ports.
Java applet blocking: This feature defends against unidentified, malicious Java applets.
VPNs, IPSec encryption, and quality of service (QoS) support: These features operate
with Cisco IOS software encryption, tunneling, and QoS features to secure VPNs, and
provide scalable encrypted tunnels on the router while integrating strong perimeter
security, advanced bandwidth management, intrusion detection, and service-level
validation. The Cisco IOS Firewall is standards based for interoperability.
Real-time alerts: This feature logs alerts for denial-of-service attacks or other pre-
configured conditions. This is now configurable on a per-application, per-feature basis.
Cisco IOS Firewall Enhancements with Cisco IOS Software Release 12.3
Figure: a non-email payload claiming "I am email traffic, honest!" on port 25, and a tunneled payload on port 80.
Feature and benefit:
HTTP Inspection Engine: Application level control to inspect port 80 tunneled traffic. Convergence of Cisco IOS Firewall and inline IPS technologies. Control port 80 misuse by rogue applications (example: instant messaging and peer-to-peer applications such as Kazaa).
Email Inspection Engine: Control misuse of email protocols. SMTP, ESMTP, IMAP, POP inspection engines.
Advanced Application Inspection and Control: Provides protocol anomaly detection services.
With Cisco IOS Software Release 12.3, the Cisco IOS Firewall brings the following features:
HTTP Inspection Engine: The HTTP Inspection Engine discovers and enforces network
security policy governing the traversal of web and non-web traffic over TCP port 80. This
engine can identify data traffic in order to enforce policies governing use of the protocol,
use of HTTP commands, and URL lengths. The HTTP Inspection Engine enforces
application request policy by ensuring that malformed URLs used for exploiting buffer
overflows in web server applications are dropped. If it is against the security policy, the
HTTP Inspection Engine drops the packet, resets the connection and sends an alarm.
Email Inspection Engine: This enhancement to the Email Inspection Engine adds support
for POP3 and IMAP in addition to the existing support for SMTP and Extended Simple
Mail Transfer Protocol (ESMTP).
Advanced Application Inspection and Control: Advanced Application Inspection and
Control provides protocol anomaly detection services.
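The HTTP Inspection Engine description above names three checks (non-HTTP traffic on port 80, use of HTTP commands, URL length) and one response (drop the packet, reset the connection, send an alarm). The following added example models those checks over constructed port 80 payloads; it is not Cisco code, and the policy values, method list, payloads and verdict names are assumptions.

```python
"""Toy HTTP inspection engine for port 80 traffic, modelled on the checks
described in the text.  Added illustration, not Cisco code; policy values,
sample payloads and verdict names are assumptions."""
import re
from dataclasses import dataclass

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: frozenset = frozenset({b"GET", b"HEAD", b"POST"})
    max_url_length: int = 1024       # over-long URLs are the classic web-server overflow vector
    strict_http: bool = True         # drop payloads on port 80 that are not HTTP at all


@dataclass(frozen=True)
class Verdict:
    action: str                      # "pass" or "drop"
    reset: bool = False              # whether the TCP connection is reset
    alarm: str = ""                  # alarm text, empty when none


def inspect_port80(payload: bytes, policy: HttpPolicy = HttpPolicy()) -> Verdict:
    """Apply the policy to the first segment of a port 80 connection."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        # Not an HTTP request: e.g. an IM or P2P client tunnelling over port 80.
        if policy.strict_http:
            return Verdict("drop", True, "non-HTTP protocol on port 80")
        return Verdict("pass")
    method, url = m.group(1), m.group(2)
    if method not in policy.allowed_methods:
        return Verdict("drop", True, "disallowed HTTP method " + method.decode())
    if len(url) > policy.max_url_length:
        return Verdict("drop", True, "URL length %d exceeds %d" % (len(url), policy.max_url_length))
    return Verdict("pass")


def demo() -> list:
    """Return (name, verdict) pairs for a set of constructed payloads."""
    samples = {  # constructed payloads
        "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "tunnel": b"\x00\x01NOT-HTTP-HELLO",                          # P2P-style handshake on port 80
        "method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "long_url": b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n",
    }
    return [(name, inspect_port80(p)) for name, p in samples.items()]


if __name__ == "__main__":
    for name, verdict in demo():
        print(name, verdict)
```

Only the first request line is inspected here; a production engine also has to reassemble the TCP stream and re-inspect each request on a persistent connection, which is where most of the real complexity lies.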
Figure: Cisco IOS Firewall deployment: internal users and public servers in a DMZ behind routers and firewalls at the corporate edge, with VPN connections to remote and branch offices.
Three VPN Solutions
Figure: remote access VPN from a home office through a service provider POP. Remote Access VPN: provides cost savings.
With a Cisco VPN 3000 Series Concentrator, customers can vastly reduce their
communications expenditures by taking advantage of the latest VPN technology. These
concentrators are the only scalable platforms to offer field-swappable and customer-
upgradeable components. These components, called Scalable Encryption Processing (SEP)
modules, enable users to easily add capacity and throughput.
The Cisco VPN 3000 Series Concentrator includes models supporting a range of enterprise
customers, from small businesses with 100 or fewer remote-access users, to large organizations
with up to 10,000 simultaneous remote users. These concentrators provide businesses with
flexible, reliable, and high-performance remote-access solutions offering both IP Security
(IPSec) and Secure Sockets Layer (SSL)-based VPN connectivity on a single platform.
Cisco VPN 3000 Series Concentrators can be clustered to meet the demands of the largest
organizations. Clustering provides both scalability and a high level of resiliency. These
concentrators are available in both nonredundant and redundant configurations, allowing
customers to build the most robust, reliable, and cost-effective networks possible.
The Cisco VPN 3000 Series Concentrator provides the widest range of options, including
WebVPN (SSL VPN), Cisco VPN Client (IPSec VPN), Microsoft embedded clients, and the
Nokia Symbian client for wireless phones and personal digital assistants (PDAs). Secure,
remote connections can be established from an SSL-capable Web browser, an SSL VPN client,
or an IPSec VPN client, allowing for maximum flexibility and application access without the
need to deploy and manage separate devices.
Integrated Web-based management on Cisco VPN 3000 Series Concentrators provides a simple
interface to configure and monitor all remote-access users, providing ease of manageability
across both IPSec and SSL VPN environments.
IPSec-enabled NAC is an industry initiative led by Cisco Systems that uses the network
infrastructure to enforce security policy compliance on all devices seeking to access network
computing resources. NAC features can be used in IPSec VPN deployments with the Cisco
VPN Client.
The VPN Client (version 4.x is shown in the figure) works with a Cisco VPN server to create a
secure connection, called a tunnel, between your computer and the private network. It uses the
Internet Key Exchange (IKE) and IPSec tunneling protocols to make and manage secure
connections. Some of the steps include:
Negotiating tunnel parameters: addresses, algorithms, lifetime, and so on.
Establishing tunnels according to the parameters.
Authenticating users: making sure users are who they say they are, by usernames, group
names and passwords, and X.509 digital certificates.
Establishing user access rights: hours of access, connection time, allowed destinations,
allowed protocols, and so on.
Managing security keys for encryption and decryption.
Authenticating, encrypting, and decrypting data through the tunnel.
For example, to use a remote PC to read e-mail at your organization, you connect to the
Internet, then start the VPN Client and establish a secure connection through the Internet to
your organization's private network. When you open your e-mail, the Cisco VPN server uses
IPSec to encrypt the e-mail message. It then transmits the message through the tunnel to your
VPN Client, which decrypts the message so you can read it on your remote PC. If you reply to
the e-mail message, the VPN Client uses IPSec to process and return the message to the private
network through the Cisco VPN server.
The Cisco VPN Client supports Microsoft Windows 98, Windows Me, NT 4.0, 2000, XP;
Linux (Intel); Solaris (UltraSparc 32- and 64-bit); and Mac OS X, 10.1, and 10.2. The Cisco
VPN Client is compatible with all Cisco VPN products including:
Cisco VPN 3000 Series Concentrators
Cisco VPN 3000 Series Concentrator Software version 3.0 and higher
Cisco IOS Software Releases 12.2(8)T and higher
Cisco PIX Security Appliance Software version 6.0 and higher
Figure: Cisco VPN 3002 Hardware Client at a home office connected through a cable modem.
Based on the unified VPN client framework, the Cisco VPN 3002 Hardware Client combines
the best features of a software client, including scalability and ease-of-deployment, with the
stability and independence of a hardware platform. The Cisco VPN 3002 Hardware Client
works with all operating systems and does not interfere with the operation of the PC because it
is a separate hardware appliance.
The Cisco VPN 3002 Hardware Client is a small, highly cost-effective appliance and is ideal
for organizations where thousands of remote end-users might be tunneling into corporate
networks from large numbers of geographically dispersed branch or home office sites.
For security and easy configuration, the Cisco VPN 3002 Hardware Client includes two modes:
Client and Network Extension. In Client mode, the VPN 3002 Hardware Client emulates the
operation of VPN client software. The stations behind the VPN 3002 Hardware Client are non-
routable (invisible to the central site) and acquire their IP addresses from a built-in DHCP
server. The VPN 3002 Hardware Client public port can acquire its IP address from an Internet
service provider (ISP) by using its DHCP client capability. In Network Extension mode, the
stations behind the VPN 3002 Hardware Client are fully routable because the VPN 3002
Hardware Client now uses a secure site-to-site connection with the central site.
Remote Access Wireless VPN
Figure: remote access wireless VPN: mobile clients (Certicom client, Aironet client, Cisco VPN 3000 Client) connect over the Internet to a Cisco VPN 30xx concentrator at the main office.
Remote access wireless VPN solutions are available for the VPN concentrator via the Cisco
Architecture for Voice, Video, and Integrated Data (AVVID) partner program. With Cisco
VPN Software Release 3.0, all Cisco VPN 3000 Series Concentrators support Elliptic Curve
Cryptography (ECC). This new Diffie-Hellman (DH) group allows for much faster processing
of keying information by devices with limited processing power such as PDAs and smart
phones. Cisco VPN 3000 Series Concentrators can now securely terminate tunnels from IP-
enabled wireless devices, allowing a whole new class of users to securely access enterprise
information while preserving the investment in VPN termination equipment in the enterprise
data center.
Site-to-site VPNs are alternative WAN infrastructures that are used to connect branch offices,
home offices, or business partner sites to all, or portions, of a company network. VPNs do not
inherently change private WAN requirements, such as support for multiple protocols, high
reliability, and extensive scalability, but instead meet these requirements more cost-effectively
and with greater flexibility. Site-to-site VPNs use the most pervasive transport technologies
available today, including the Internet or service providers' IP networks, by employing
tunneling and encryption for data privacy and QoS for transport reliability.
Ensured quality of latency-sensitive traffic
Deployment flexibility:
Interface flexibility for combined WAN and VPN or behind-edge VPN
Use as a standalone VPN device or as an integrated multi-function device
The Cisco 1800 Series, 2800 Series, and 3800 Series of ISRs incorporate hardware-based
encryption as a standard feature. Built-in, hardware-based encryption acceleration offloads the
VPN processes to provide increased VPN throughput with minimal impact on the router CPU.
If additional VPN throughput or scalability is required, optional VPN encryption advanced
integration modules (AIMs) are available. These routers also are offered as bundles with the
appropriate Cisco IOS software security images to enable a rich, integrated package of routing
and security.
The VPN Accelerator Module 2 (VAM2) is a single-width acceleration module that provides
high-performance, hardware-assisted tunneling and encryption services suitable for VPN
remote-access, site-to-site intranet, and extranet applications. The VAM2 also provides
platform scalability and security while working with all the services (security, QoS, firewall
and intrusion detection, service-level validation, and management) that are necessary for
successful VPN deployments. The VAM2 off-loads IPSec processing from the main processor,
and thus frees resources on the processor engines for other tasks.
Scalable Site-to-Site VPN Router Solutions
Figure: site-to-site VPN between a main office and a branch office over the Internet.
Site-to-site VPNs can be deployed using a wide variety of Cisco VPN routers. Cisco VPN
routers provide scalability through optional encryption acceleration. The Cisco VPN router
portfolio provides solutions for small office and home office (SOHO) access through central-
site VPN aggregation. SOHO solutions include platforms for fast-emerging cable and DSL-
access technologies.
Cisco provides VPN solutions for all network sizes. The information in the figure indicates the
platforms that can support each size of network most effectively. You can use this information
as a starting point to choose which device best fits your environment.
Intrusion Prevention System Solutions
This topic describes how Cisco intrusion prevention system (IPS) sensors prevent intrusions.
Figure: IPS deployment. Internet IPS complements the firewall and VPN by monitoring traffic for malicious activity. Extranet IPS monitors business partner traffic where trust is implied but not assured.
The Cisco IPS is an enterprise-class, network-based intrusion protection system that is designed
to address the increased requirements for security visibility, denial of service (DoS) protection,
hacking detection, and e-commerce business defenses. The Cisco IPS family leads the market
in innovative security monitoring solutions. Sensor devices detect unauthorized activity such as
attacks by hackers by analyzing traffic in real time, which enables users to quickly respond to
security breaches. When unauthorized activity is detected, Cisco IPS sensors can send
alarms to a management console with details of the activity, and can control other systems,
such as routers, to terminate the unauthorized sessions.
An intrusion detection system (IDS) detects attacks against a network, including attacks against
hosts and devices. When the sensor detects unauthorized activity it can send alarms to the
management console(s) with details of the activity. IDS can only respond after an attack is
detected. In the case of an atomic attack, in which the malicious content is contained in a single
packet, the malicious packet can reach its target before a response action can be taken. Intrusion
detection is the ability to detect misuse, abuse, and unauthorized access to networked resources.
An IPS represents a significant advance over IDS. With the release of Cisco IPS version 5.0,
every packet (even the very first one) can be dropped before it can reach its target.
Older Cisco IDS sensors such as the Cisco IDS 4250 XL Sensor and the Cisco IDS 4215
Sensor provide detection. Newer Cisco IPS sensors such as Cisco IPS 4255 Sensor and Cisco
IPS 4240 Sensor, as well as current Cisco IOS software, can be deployed inline to provide
intrusion prevention, or in promiscuous mode, tapping a copy of network traffic, to provide
detection.
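The difference between a promiscuous IDS and an inline IPS described above comes down to where the sensor sits relative to the target: a promiscuous sensor analyses a copy after the original has been forwarded, so its response (alarm, shun, reset) can only affect later packets, while an inline sensor decides before forwarding. The following added example runs the same constructed packet stream through both modes; it is not Cisco code, and the signature strings, packets and the "shun" bookkeeping are assumptions.

```python
"""Promiscuous IDS versus inline IPS on one packet stream.  Added
illustration, not Cisco code; signatures, packets and the response
bookkeeping are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    payload: bytes


# Constructed signature set: byte patterns that must never reach a host.
SIGNATURES = {
    "ATOMIC-EXPLOIT": b"\x00ATOMIC-EXPLOIT\x00",   # whole attack in one packet
    "SCAN-BANNER": b"GET /cgi-bin/probe",          # first packet of a multi-step probe
}


def match_signature(pkt: Pkt) -> Optional[str]:
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


@dataclass
class Sensor:
    inline: bool                                    # True = IPS in the forwarding path
    alarms: List[Tuple[str, str]] = field(default_factory=list)
    shunned: Set[str] = field(default_factory=set)  # sources blocked after an alarm
    delivered: List[Pkt] = field(default_factory=list)

    def process(self, pkt: Pkt) -> None:
        if pkt.src in self.shunned:
            return                                  # a response action already blocks this source
        sig = match_signature(pkt)
        if self.inline:
            # Inline: the sensor sees the packet before the target does.
            if sig:
                self.alarms.append((sig, pkt.src))
                self.shunned.add(pkt.src)
                return                              # dropped; the target never receives it
            self.delivered.append(pkt)
        else:
            # Promiscuous: a copy is analysed while the original is forwarded.
            self.delivered.append(pkt)
            if sig:
                self.alarms.append((sig, pkt.src))
                self.shunned.add(pkt.src)           # takes effect only for later packets


def run(stream: List[Pkt], inline: bool) -> Sensor:
    sensor = Sensor(inline=inline)
    for pkt in stream:
        sensor.process(pkt)
    return sensor


def malicious_delivered(sensor: Sensor) -> List[str]:
    """Sources whose signature-matching packets reached a target."""
    return [p.src for p in sensor.delivered if match_signature(p)]


def demo() -> dict:
    stream = [  # constructed packets
        Pkt("203.0.113.5", "10.1.1.10", b"GET /cgi-bin/probe HTTP/1.0\r\n"),
        Pkt("203.0.113.5", "10.1.1.10", b"GET /cgi-bin/next-step HTTP/1.0\r\n"),
        Pkt("198.51.100.9", "10.1.1.11", b"\x00ATOMIC-EXPLOIT\x00 padding"),
        Pkt("192.0.2.20", "10.1.1.10", b"GET /index.html HTTP/1.0\r\n"),
    ]
    ids = run(stream, inline=False)
    ips = run(stream, inline=True)
    return {
        "ids_malicious_delivered": malicious_delivered(ids),
        "ips_malicious_delivered": malicious_delivered(ips),
        "ids_delivered": len(ids.delivered),
        "ips_delivered": len(ips.delivered),
        "ips_alarms": [name for name, _ in ips.alarms],
    }


if __name__ == "__main__":
    print(demo())
```

In the promiscuous run the shun stops the second packet of the multi-step probe but the atomic exploit packet is already at its target when the alarm fires; in the inline run neither malicious packet is delivered, which is the "even the very first one" property the text attributes to IPS.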
Cisco IDS and IPS Active Defense Systems
Cisco provides a complete product portfolio that enables customers to implement and manage
active defense systems. The Cisco IDS and IPS products include the following:
Network sensors: These sensors provide dedicated intrusion detection and intrusion
prevention with the ability to monitor and protect network segments.
Switch sensors: These sensors are integrated into the switch fabric to provide seamless
intrusion detection.
Router sensors: These sensors provide intrusion detection for deployments that require
basic intrusion detection features.
Firewall sensors: These sensors provide intrusion detection for deployments that require
basic intrusion detection features.
Comprehensive management: These products provide robust system management and
monitoring.
Figure: relative positioning of Cisco IDS/IPS sensors by throughput and network media, from the IDS 4215 at 80 Mbps through the IPS 4240 (250 Mbps), the IPS 4255 and the Catalyst 6500 IDSM-2 (500 to 600 Mbps) to the IDS 4250 XL (1000 Mbps).
The figure shows the relative positioning of the Cisco IDS/IPS 4200 Series sensors, the Cisco
Catalyst IDS Module, and the Cisco IDS Network Module for access routers. Cisco IDS/IPS 4200
Series sensors can be placed on almost any segment of the enterprise-wide network where
security visibility is required. They are critical components of the Cisco IPS solution. These
sensors work with other IDS/IPS components to protect data and the information infrastructure.
The Cisco IDS/IPS 4200 Series includes the following four products: Cisco IDS 4215 Sensor,
Cisco IPS 4240 Sensor, Cisco IPS 4255 Sensor, and Cisco IDS 4250-XL Sensor. This series
delivers a broad range of solutions that allows easy integration into many different
environments, including enterprise and service provider environments. Each sensor addresses
bandwidth requirements at one of several speeds, from 80 Mbps to gigabits per second.
The Cisco Catalyst 6500 Intrusion Detection System (IDSM-2) Services Module provides full-
featured intrusion protection in the core network fabric device.
The Network Module-Cisco IDS (NM-CIDS) can be installed in a Cisco 2600XM Series
router, a Cisco 2691 Router, a Cisco 3660 Router, or 3700 Series router to provide 45 Mbps of
full-featured intrusion protection services within the router.
The router sensor integrates intrusion detection into Cisco IOS software. A Cisco IOS IDS is
able to detect a limited subset of attacks compared to an IDS sensor appliance or IDSM-2.
Thus, it is appropriate for lower-risk environments.
The firewall sensor provides a focused set of IDS capabilities via a software solution integrated
into the Cisco PIX Security Appliance software.
While it is common practice to defend against head-end attacks by inspecting traffic and
installing firewalls, it is also critical to stop malicious traffic close to its entry point by
protecting the branch offices. Deploying inline Cisco IOS IPS at the branch enables gateways
to drop traffic, send an alarm, or reset the connection as needed, to stop attacking traffic at the
point of origination and quickly remove unwanted traffic from the network.
Cisco IOS IPS complements Cisco IOS Firewall and VPN solutions for superior threat
protection at all entry points into the network.
The software and hardware requirements of a Cisco IOS software-based device performing
intrusion detection are as follows:
Cisco IDS Sensor Software: Cisco IOS Software Release 12.0(5)T and later
Cisco IPS Sensor Software: Cisco IOS Software Release 12.3(8)T and later
Hardware: Cisco 830 Series, 1700 Series, 2600 Series, 3600 Series, 7100 Series, 7200
Series, 7500 Series and ISR Series routers
Host Intrusion Prevention System Solutions
This topic describes the use and features of host-based intrusion prevention system (HIPS) and
the Cisco Security Agent (CSA) in network security.
Figure: HIPS interception between an application and the kernel. 1. An application calls for system resources. 3. Requests are allowed or denied.
A HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS
is that it can monitor operating system processes and protect critical system resources,
including files that may exist only on that specific host. A HIPS combines behavioral analysis
and signature filters. As well, a HIPS combines the best features of antivirus, network firewalls
and application firewalls in one package.
A simple form of HIPS is to enable system logging on the host and then analyze the logs.
However, this can be extremely labor intensive. Contemporary HIPS software requires Cisco
Security Agent (CSA) software to be installed on each host to monitor activity performed on and
against the host. The CSA performs the intrusion detection analysis and protects the host.
Figure: typical HIPS deployment: agents on the SMTP, WWW, DNS, and application servers and on user desktops in the corporate network, a firewall toward the untrusted network, and a console server that receives the agent reports.
The figure illustrates a typical HIPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The Agents report events to a central console server located inside the corporate firewall.
CSA Architecture
Figure: agents exchange events, alerts, and security policy with the CSA Management Center (CSA MC) over SSL.
The CSA defense-in-depth approach protects a system from attacks at the following layers:
Network
File system
Configuration
Execution space
Real-time correlation at agent and enterprise levels reduces false positives and allows
adaptability to new threats enterprise-wide. It results in the following:
A network scan of multiple systems within a configured time period is logged as a network event.
Worm events on multiple systems cause all systems to quarantine the contaminated files.
NT event logs and virus scanner logs can be correlated across the enterprise.
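The first two correlation results above are enterprise-level rules over per-agent events: a scan is recognised only when one source touches several hosts inside a time window, and a worm file is quarantined everywhere once more than one host has reported it. The following added example implements both rules over constructed agent events; it is not Cisco or CSA code, and the event fields, thresholds, host names and file paths are assumptions.

```python
"""Enterprise-level correlation of host agent events, in the style of the
two CSA behaviours listed in the text.  Added illustration, not Cisco code;
event fields, thresholds and host names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AgentEvent:
    ts: int       # seconds (constructed clock)
    host: str     # reporting agent
    kind: str     # "probe": connection probe seen by the host; "worm": blocked file write
    detail: str   # probe: source address; worm: path of the blocked file


HOSTS = ["app1", "console", "desk7", "desk9", "dns1", "smtp1", "www1"]   # constructed inventory


def detect_network_scan(events: Iterable[AgentEvent], min_hosts: int = 3,
                        window: int = 60) -> Dict[str, Tuple[int, List[str]]]:
    """Sources that probed at least `min_hosts` distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "probe":
            by_src[e.detail].append(e)
    scanners = {}
    for src, evs in by_src.items():
        # Sliding window over this source's time-ordered probes.
        for i, first in enumerate(evs):
            hosts = {e.host for e in evs[i:] if e.ts - first.ts <= window}
            if len(hosts) >= min_hosts:
                scanners[src] = (first.ts, sorted(hosts))
                break
    return scanners


def worm_quarantine(events: Iterable[AgentEvent], all_hosts: List[str],
                    min_hosts: int = 2) -> Dict[str, List[str]]:
    """Files blocked as worm activity on >= min_hosts hosts are quarantined on every host."""
    seen = defaultdict(set)
    for e in events:
        if e.kind == "worm":
            seen[e.detail].add(e.host)
    return {path: sorted(all_hosts) for path, hosts in seen.items() if len(hosts) >= min_hosts}


def demo() -> Tuple[dict, dict]:
    events = [  # constructed agent events
        AgentEvent(1000, "www1", "probe", "10.1.1.77"),
        AgentEvent(1010, "smtp1", "probe", "10.1.1.77"),
        AgentEvent(1025, "dns1", "probe", "10.1.1.77"),       # three hosts in 25 s: a scan
        AgentEvent(1500, "app1", "probe", "10.1.1.88"),       # single probe: not a scan
        AgentEvent(3000, "www1", "probe", "10.1.1.99"),
        AgentEvent(3100, "smtp1", "probe", "10.1.1.99"),
        AgentEvent(3200, "dns1", "probe", "10.1.1.99"),       # same hosts, but 100 s apart: outside window
        AgentEvent(2000, "desk7", "worm", "C:\\temp\\w32.badfile.exe"),
        AgentEvent(2003, "desk9", "worm", "C:\\temp\\w32.badfile.exe"),   # second host: quarantine everywhere
        AgentEvent(2100, "app1", "worm", "C:\\temp\\other.exe"),          # one host only
    ]
    return detect_network_scan(events), worm_quarantine(events, HOSTS)


if __name__ == "__main__":
    scan, quarantine = demo()
    print("scanners:", scan)
    print("quarantine:", quarantine)
```

The slow source in the sample is the important negative case: the same three hosts are probed, but not within the configured period, so no scan event is raised and each probe stays a local event on its host.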
Identity Solutions: Cisco Secure Access Control Server
This topic describes the use of Cisco Secure Access Control Servers (ACS) to provide network
security through identification and authentication.
You can leverage the same Cisco Secure ACS access framework to control administrator access
and configuration for all network devices in your network that are enabled by RADIUS and
TACACS+. Advanced features of the Cisco Secure ACS include the following:
Automatic service monitoring
Database synchronization and importation of tools for large-scale deployments
Lightweight Directory Access Protocol (LDAP) user authentication support
User and administrative access reporting
Restrictions such as time of day and day of week
User and device group profiles
Identity and Authentication
Figure: the following provide unified control of user identity for the enterprise: Cisco IOS routers, VPNs, the ACS server, OTP hard and soft tokens, and VPN clients connecting over the Internet.
The Cisco Secure ACS is a high-performance, highly scalable, centralized user access control
framework. Cisco Secure ACS offers centralized command and control for all user
authentication, authorization, and accounting activities. Cisco Secure ACS also distributes
those controls to hundreds or thousands of access gateways in your network. Authentication
verifies user identity. Authorization configures integrity, such as user access rights. Accounting
assists with auditing by logging user activities.
NAC
Coalition of Market-Leading Vendors
NAC Solution: Leverages the network to intelligently enforce access privileges based on endpoint security posture
Focused on limiting damage from viruses and worms
Limits network access to compliant, trusted endpoints
Restricts network access by noncompliant devices
Supports multiple AV vendors and Cisco Security Agent
The ISR Security Bundles ship with NAC capability
Figure: hosts attempting network access present credentials through the Cisco Trust Agent to network access devices (enforcement points); the devices relay the credentials over RADIUS to the policy (AAA) server and vendor server (decision points), which answer the "Comply?" question with access rights and a notification.
In its initial phase, NAC enables Cisco routers to enforce access privileges when an endpoint
device enters a network. This decision can be based on information about the endpoint device
such as its current antivirus state and operating system patch level. Based on customer-defined
policy, the network decides and enforces the appropriate admission control decision: permit,
deny, quarantine, or restrict. Initially, NAC will support endpoints running Microsoft®
Windows NT, XP and 2000 operating systems. NAC is a unique approach to prevent
vulnerable and non-compliant hosts from impacting enterprise resilience, and it enables
customers to leverage their existing network and antivirus infrastructure.
The figure illustrates three of the following four components of the NAC system:
Endpoint Security Software (antivirus client, Cisco Security Agent, personal firewall)
and the Cisco Trust Agent: The Cisco Trust Agent collects security state information from
multiple security software clients, such as antivirus clients, and communicates this
information to the connected Cisco network where access control decisions are enforced.
Then, application and operating system status, such as antivirus and operating system patch
levels or credentials, can be used to determine the appropriate network admission decision.
Cisco and NAC co-sponsors will integrate the Cisco Trust Agent with their security
software clients.
Network Access Devices: Network devices which enforce admission control policy
include routers, switches, wireless access points, and security appliances. These devices
demand host credentials and relay this information to policy servers where network
admission control decisions are made. Based on customer-defined policy, the network
enforces the appropriate admission control decision: permit, deny, quarantine, or restrict.
Policy Server: The policy server is responsible for evaluating the endpoint security
information relayed from network devices and determining the appropriate access policy to
apply. Cisco Secure ACS server, an authentication, authorization, and accounting RADIUS
server, is the foundation of the policy server system. This server may work in concert with
NAC co-sponsor application servers that provide deeper credential validation capabilities,
such as antivirus policy servers.
Management System: Cisco management solutions will provision the appropriate Cisco
NAC elements and provide monitoring and reporting operational tools. CiscoWorks
VPN/Security Management Solution (CiscoWorks VMS) and CiscoWorks Security
Information Manager Solution (CiscoWorks SIMS) form the basis for this capability. Cisco
NAC co-sponsors will provide management solutions for their endpoint security software.
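The admission flow described above (trust agent reports posture, policy server decides, network access device enforces), as an added example written for this guide rather than code from Cisco or a NAC co-sponsor. The posture attribute names, the thresholds, and the VLAN numbers and ACL names that enforcement maps to are assumptions chosen to show how relayed host credentials become one of the four decisions the guide lists: permit, deny, quarantine, or restrict.

```python
"""Added example: the NAC decision flow in miniature (not Cisco code).

The trust agent reports posture, the policy server evaluates it and the
network access device enforces the result. Attribute names, thresholds,
VLAN numbers and ACL names are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Admission(Enum):
    """The four decisions the guide lists for the network access device."""
    PERMIT = "permit"
    DENY = "deny"
    QUARANTINE = "quarantine"
    RESTRICT = "restrict"


@dataclass(frozen=True)
class Posture:
    """Constructed posture report, as a trust agent might collect it."""
    user_authenticated: bool
    av_installed: bool
    av_signature_age_days: int
    os_patch_level: int
    trust_agent_present: bool = True


@dataclass(frozen=True)
class Policy:
    """Customer-defined thresholds (assumed values)."""
    max_signature_age_days: int = 7
    min_os_patch_level: int = 3


def failed_checks(p: Posture, policy: Policy = Policy()) -> List[str]:
    """Which posture checks fail; shown to the user when quarantined."""
    problems = []
    if not p.av_installed:
        problems.append("antivirus missing")
    elif p.av_signature_age_days > policy.max_signature_age_days:
        problems.append(f"antivirus signatures {p.av_signature_age_days} days old")
    if p.os_patch_level < policy.min_os_patch_level:
        problems.append(f"os patch level {p.os_patch_level} below {policy.min_os_patch_level}")
    return problems


def evaluate_posture(p: Posture, policy: Policy = Policy()) -> Admission:
    """Policy-server side: turn relayed credentials into an admission decision."""
    # Without an agent the posture cannot be validated: grant only a
    # restricted (e.g. guest) role rather than trust an unknown host.
    if not p.trust_agent_present:
        return Admission.RESTRICT
    # Failed identity is a hard deny regardless of host health.
    if not p.user_authenticated:
        return Admission.DENY
    # Unhealthy hosts go to a remediation network, not onto the LAN.
    if failed_checks(p, policy):
        return Admission.QUARANTINE
    return Admission.PERMIT


# Network-access-device side: what each decision applies to the port
# (assumed VLAN numbers and ACL names).
ENFORCEMENT = {
    Admission.PERMIT: {"vlan": 10, "acl": "ALLOW-CORP"},
    Admission.QUARANTINE: {"vlan": 99, "acl": "REMEDIATION-ONLY"},
    Admission.RESTRICT: {"vlan": 50, "acl": "GUEST-INTERNET-ONLY"},
    Admission.DENY: {"vlan": None, "acl": "DENY-ALL"},
}


def admit(p: Posture, policy: Policy = Policy()) -> dict:
    """Full flow: policy-server decision plus the enforcement it maps to."""
    decision = evaluate_posture(p, policy)
    return {"decision": decision.value, "reasons": failed_checks(p, policy),
            **ENFORCEMENT[decision]}
```

The order of the checks is the point: a missing agent is treated differently from a failed check, because an absent agent gives the policy server nothing to evaluate, while a failed check yields a remediation path and a list of reasons the host can act on.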
Figure: CiscoWorks VMS deployment topology, with a Branch Office, a DMZ with a PIX Security
Appliance, a Remote PIX, the Corporate Network, the Public Internet, the Enterprise Gateway,
and Telecommuter and Remote Access users.
CiscoWorks VMS 2.2 provides the security management for your overall security needs. It
includes the following applications, organized by functional area:
Firewall management: This application enables the large-scale deployment of Cisco
firewalls. Smart Rules is an innovative feature that allows a security policy to be
consistently applied to all firewalls. Smart Rules allows a user to define common rules
once, reducing configuration time and resulting in fewer administrative errors.
Network-based IDS (NIDS) management: This application offers efficient deployment of
hundreds of sensors using group profiles. Additionally, powerful signature management
helps to increase the accuracy and specificity of detection.
HIPS management: This application is scalable to thousands of endpoints per manager to
support large enterprise deployments. The open and extensible architecture offers the
capability to define and enforce security according to corporate policy. It offers "zero
update" prevention for known and unknown attacks.
VPN router management: This application provides functions for the setup and
maintenance of large deployments of VPN connections and Cisco IOS Firewalls on Cisco
routers and Cisco Catalyst 6000 IPSec VPN Service Modules.
Security monitoring: This application provides integrated monitoring to help
administrators have a comprehensive view of security across the network, with event
correlation to detect threats not apparent with individual events.
Performance monitoring: This application provides functions for monitoring and
troubleshooting services that contribute to enterprise network security.
VPN monitoring: This application allows network administrators to collect, store, and
view information on VPN connections for remote-access or site-to-site VPN terminations.
Operational management: This application allows network managers to build a complete
network inventory, report on hardware and software changes, and manage software updates
to multiple devices.
The figure summarizes the value proposition of VMS. Only VMS manages all components. No
competitor can make that claim.
Summary
This topic summarizes the key points discussed in this lesson.
The Cisco security portfolio encompasses the following:
Perimeter security: firewalls
Secure connectivity: VPNs
Intrusion detection and prevention
Identity: ACS
Security management: CiscoWorks VMS
Cisco VPN optimized routers provide scalability, network
resiliency, bandwidth optimization, QoS and deployment flexibility.
Cisco VPN products meet a wide variety of client needs.
Cisco IPS solutions include network, switch, router, and firewall
sensors as well as comprehensive management.
The four products in the Cisco IDS/IPS 4200 Sensor Series provide
solutions for a wide range of client needs.
CSA consists of CSA MC, CSA software, and an
administration workstation.
ACS provides network security through identification and
authentication.
Cisco NAC leverages the network to intelligently enforce access
privileges based on endpoint security posture.
CiscoWorks VMS provides network security through
management.
Q1) Which three of the following products are suitable for branch office and extranet
environments? (Choose three.) (Source: Perimeter Security)
A) Cisco 800 Series router
B) Cisco 2800 Series ISR
C) Cisco 2600 Series router
D) Cisco 3600 Series router
E) Cisco 3800 Series ISR
F) Cisco Catalyst 6500 switch with FWSM
Q2) Per-application-based access control and CBAC are synonymous. (Source: Perimeter
Security)
A) True
B) False
Q3) The VPN Accelerator Card (VAC) allows a Cisco Catalyst 6500 Switch chassis to act
as a VPN router. (Source: Perimeter Security)
A) True
B) False
Q4) The PIX 515E Security Appliance supports Gigabit Ethernet. (Source: Perimeter
Security)
A) True
B) False
Q5) A Cisco 7600 Series router can use the FWSM. (Source: Perimeter Security)
A) True
B) False
Q6) By definition, a perimeter can be established anywhere within a private network.
(Source: Perimeter Security)
A) True
B) False
Q7) The Cisco VPN Client is packaged with unlimited licensing in every Cisco VPN 3000
Series Concentrator. (Source: Secure Connectivity)
A) True
B) False
Q8) Only Cisco 3030 VPN Concentrators and above have redundancy options. (Source:
Secure Connectivity)
A) True
B) False
Q9) Dual power supplies are optional on all Cisco 3000 VPN Series Concentrators.
(Source: Secure Connectivity)
A) True
B) False
Q10) An organization needing T3/E3 connectivity can effectively use a Cisco 3030 VPN
Concentrator. (Source: Secure Connectivity)
A) True
B) False
Q11) The Cisco VPN Client can be deployed on any Cisco IOS router or PIX Security
Appliance. (Source: Secure Connectivity)
A) True
B) False
Q12) Elliptic Curve Cryptography (ECC) allows Cisco VPN 3000 Series Concentrators to
securely terminate tunnels from IP-enabled wireless devices. (Source: Secure
Connectivity)
A) True
B) False
Q13) The VAM is designed to do IPSec processing. (Source: Secure Connectivity)
A) True
B) False
Q14) IPS responds after an attack. (Source: Intrusion Prevention System Solutions)
A) True
B) False
Q15) IPS capabilities are embedded in Cisco IOS software. (Source: Intrusion Prevention
System Solutions)
A) True
B) False
Q16) CSA is part of a Cisco HIPS solution. (Source: Intrusion Prevention System Solutions)
A) True
B) False
Q2) A
Q3) B: The VAC is used to enhance the VPN performance of the PIX 515, 520, 525, or 535 Security
Appliances.
Q4) B: Only the PIX 525 and 535 Security Appliances support Gigabit Ethernet.
Q5) A
Q6) A
Q7) A
Q8) B
Q9) B: Dual power supplies are optional on the 3015, 3030 and 3060 models. They are standard on the 3080
model.
Q11) B: The client is deployed on Windows, Linux, Mac and Solaris platforms. It can be implemented across all
VPN concentrators, Cisco IOS routers and PIX security appliances.
Q12) A
Q13) A
Q16) A
Lesson 4
Changing Threats and Challenges
This topic describes how changing threats and challenges demand a new approach to network
security.
Figure: Threat Evolution. Vertical axis, target and scope of damage: Individual Computer;
Individual Networks; Multiple Networks; Regional Networks; Global Infrastructure Impact.
Horizontal axis, time from knowledge of vulnerability to release of exploit: Weeks; Days;
Minutes; Seconds (this time is shrinking). Generations plotted: 1st Generation (boot viruses);
2nd Generation (macro viruses, email, DoS, limited hacking); 3rd Generation (network DoS,
blended threat (worm + virus + trojan), turbo worms, widespread system hacking); Next
Generation (infrastructure hacking, flash threats, massive worm-driven DDoS, damaging payload
viruses and worms). Note in the figure: the WAN infrastructure must be an intelligent point of
defense.
The figure shows how the threats that organizations have faced have evolved over the past few
decades. As can be seen, the growth rate of vulnerabilities reported in operating systems and
applications is rising. The number and variety of viruses and worms that have appeared over
the past three years is daunting. Their rate of propagation is frightening. There have been
unacceptable levels of business outages and expensive remediation projects that consume staff,
time, and funds not originally budgeted for such tasks.
It can also be seen that blended threats are evolving. A blended threat uses multiple means of
propagation. They often have the characteristics of a virus in that they can attach themselves
parasitically to files to be delivered by email. They self-replicate across a network with worm-
like ability, and frequently search for, and exploit a system or application vulnerability, or
multiple vulnerabilities, to gain access to a host and deliver its payload. There is a view that
blended threats may be evolving into flash threats that may not only exploit new, unknown
vulnerabilities, but have the ability to propagate across the Internet in seconds, seriously
impacting the Internet on a global scale.
Also notice that trends are becoming regional and global in nature. Where attacks once
impacted single systems or one organization's network, more recent attacks are impacting entire
regions. For example, attacks have expanded from individual denial of service (DoS) attacks
from a single attacker against a single target to large-scale distributed denial of service (DDoS)
attacks emanating from networks of compromised systems known as botnets.
Threats are becoming persistent. Once started, attacks may appear in waves as infected systems
join the network. Because networks are so complex and have so many end users (employees,
vendors, contractors), multiple types of endpoints (company desktop, home, server) and multiple
types of access (wired, wireless, virtual private network [VPN], dial), infections will be hard to
eradicate.
Figure: the open-network dilemma. Figure labels: IM traffic 43%; web enabled apps 55%; web
services 43%; Port 80; Internet. 64 percent of enterprises have opened port 80 on their
firewalls for their growing web application traffic requirements (Source: Aug 2002
InfoWorld/Network Computing survey of IT professionals). Port 80 opens once-closed networks to
partners through business-to-business extranets, retail outlet connections, and home-based
employees. What was once controlled (trusted) is now uncontrolled (untrusted). Non-compliant
devices are a conduit for attack. Multihomed devices (wireless and mobile) have blurred the
perimeter.
The figure presents an example of the dilemma that network-dependent enterprises face in
today's business environments. Networks can no longer be secured by simply securing the
network perimeter. Businesses have consolidated their data centers, converged internal
networks, and embraced the Internet. Environments that were once self-contained and
controlled are now open to partners through business-to-business extranets, retail outlet
connections, and home-based employees. The point is that by extending the corporate network,
the trust boundary has extended across untrusted intermediate networks and into uncontrolled
environments.
The growing list of devices that access networks poses more problems. Many devices are
frequently not in compliance with corporate policies. Devices that are compliant frequently are
used to access other uncontrolled networks prior to connecting into the corporate network. As a
result, devices on these external networks can become conduits for attacks and related misuse.
Common application interfaces: The emergence of common application interfaces based
on messaging protocols such as Extensible Markup Language (XML) and Simple Object
Access Protocol (SOAP) has been a boon to e-commerce and corporate productivity.
However, as with most new technologies, these new message protocols have introduced an
entirely new set of vulnerabilities and attack vectors with which corporations must contend.
Data that was once spread across multiple network protocols and could be fairly easily
filtered through firewall policies is now combined within a few, if not a single transport
protocol (such as HTTP on TCP port 80). As a result, much of the data that used to reside
in packet headers now resides in the packet payload. This creates significant processing
challenges that make it easier for an attacker to evade classic network defenses.
Security can hamper policy: Further, in order to meet corporate data confidentiality and
integrity requirements, more and more of this application-level traffic is now being
encrypted through the Secure Socket Layer/Transport Layer Security (SSL/TLS) and HTTP
Secure (HTTPS) protocols. A side effect of this trend is that it makes it much harder
for IT departments to enforce corporate access policies at the network edge because they
cannot inspect the packet payloads of those encrypted flows. Although many organizations
mistakenly assume that if they comply with regulations, their infrastructure is more secure,
this is frequently not the case. Following the law of unintended consequences, the very act
of creating compliance may introduce new vulnerabilities. For example, worms and viruses
may spread more effectively in a network supporting end-to-end VPNs, given that the
intermediate nodes have no visibility into the traversing traffic. Such traffic may carry
worms to sensitive corporate servers in a secure, encrypted packet. In addition to taking
longer to diagnose such an attack, these end-to-end VPNs can make it more difficult to
remediate the problem.
Blurred perimeters: Tied to the notion of a secure perimeter, the wireless and mobile
network within enterprises now supports laptop PCs, personal digital assistants (PDA), and
mobile phones that have more than one network connection. These multihomed hosts are
capable of establishing ad-hoc wireless networks to enable peer-to-peer communication. In
addition, packets can effectively be forwarded across devices at the application level. As a
result, where a network boundary begins and ends becomes much more ambiguous.
Corporations need to be able to extend a control point onto these mobile devices in order to
manage secure systems and maintain network availability.
As a means of illustrating the seriousness of network vulnerabilities, consider the effects of the
SQL Slammer worm first seen on January 25, 2003. This information is from the Cooperative
Association for Internet Data Analysis and the University of California at San Diego.
SQL Slammer compromised 90 percent of vulnerable systems within the first ten minutes, and
doubled in size every 8.5 seconds. Within the first three minutes, it achieved its maximum
scanning rate of over 55 million scans per second.
Network Effects of the SQL Slammer Worm
This screen shot was taken during the height of the infection. It shows UUNet being hit very
hard by the worm. It also shows how InterNAP had difficulties peering with Qwest, Genuity,
and AT&T.
South Korea sustained the most damage with almost total loss of Internet service. Over 70
percent of South Korean households have Internet service.
Figure: Threat Defense. Components shown: appliance and Cisco IOS-based firewalls; Cisco
Intrusion Detection and Prevention Systems.
The Self-Defending Network strategy consists of three systems, or pillars, each with a specific
purpose. By using Cisco integrated security solutions, customers can leverage their existing
infrastructure to address potential threats to their network and protect their business. While
security risks are inherent in any network, customers can reduce their exposure and minimize
these risks by deploying four categories of overlapping and complementary security solutions:
Secure connectivity: Provides secure and scalable network connectivity, incorporating
multiple types of traffic. The examples shown in the figure were covered in previous
lessons.
Threat defense: Prevents and responds to network attacks and threats using network
services.
Trust and identity: Allows the network to intelligently protect endpoints using
technologies such as Network Admission Control (NAC), identity services and 802.1x.
Evolving a Self-Defending Network
Most customers will not adopt all of the components of the Cisco Self-Defending Network at
one time, as it may be difficult to overhaul all of the required subsystems at once without
disrupting the integrity of the IT services. Some customers may hesitate to turn over security
controls to an automated system until they are confident that the system will operate
dependably.
The Cisco Self-Defending Network initiative deals with these concerns by first providing
products that can be usefully deployed independently of one another. Then it offers solutions
that link these products together to build effective subsystems. This approach to evolving a
Self-Defending Network is based on a combination of product development, product
acquisitions, systems development, and partnering.
The figure illustrates the evolution of the Self-Defending Network Strategy to date. Note that
while point products serve as good incubators for deploying cutting edge security technologies,
they are not by themselves integrated throughout the network fabric. Building network security
based solely on single-purpose appliances is no longer practical.
The Self-Defending Network is developed in three phases:
Phase 1, Integrated security: The first phase of the Cisco Self-Defending Network
security strategy focuses on the need for integrated security, blending IP and security
technologies. This phase aims to distribute security technologies throughout every segment
of the network to enable every network element as a point of defense.
Phase 2, Collaborative security systems: The next phase introduced the Network
Admission Control (NAC) industry initiative. This initiative is the first industry-wide effort
that increases the network's ability to identify, prevent, and adapt to security threats. This
phase aims to enable the security technologies integrated throughout the network to operate
as a coordinated system. Network-wide collaboration among the services and devices
throughout the network is used to defeat attacks.
Phase 3, Adaptive threat defense: This phase aims at deploying innovative threat
defense technologies throughout the integrated security fabric of the network. The goal is
to enable more proactive response to threats with greater operational efficiency by
Evolving a Self-Defending Network
This figure shows the product and technology building blocks of the Self-Defending Network
aligned with each of the development phases. Many of these were described in a previous
lesson. This lesson describes the most recent and evolving products, technologies and solutions.
The third phase of the Self-Defending Network strategy, called adaptive threat defense (ATD),
helps to further minimize network security risks by dynamically addressing threats at multiple
layers, which enables tighter control of network traffic, endpoints, users, and applications. ATD
also simplifies architectural designs and lowers operational costs. This innovative approach
combines security features, multilayer intelligence, application protection, network-wide
control and threat containment within high-performance solutions. ATD is a critical
advancement in the Cisco Self-Defending Network security strategy that helps customers
fortify their business systems.
The figure shows the technology components of ATD in terms of the building blocks that
converge to provide new services with new applications. Building blocks are:
Firewall services to provide the basis of access control and traffic inspection.
IPS and network antivirus services to provide application intelligence with the ability to
look at packet payloads.
Network intelligence to include all network services applicable to security including
network segmentation through VLANs, identity for user knowledge, QoS for controlling
use of bandwidth, routing for topological awareness, switch root and Netflow for global
traffic visibility. Virtualized fabric is virtualization of services so that they can be cost-
effectively deployed.
When these building blocks are put together, a new class of services can be integrated
throughout the network fabric. These new services include the following:
Application security: Granular application inspection in firewalls, IDS and IPS
appliances. The ability to enforce appropriate application use policies such as: don't allow
users to use instant messaging (IM). Control of web traffic, including applications that
abuse port 80 (IM, peer-to-peer), as well as control of web services, such as XML
applications.
Anti-X defenses: Broad attack mitigation capabilities such as malware protection,
antivirus, message security (antispam, antiphishing), anti-DDoS, anti-worm, and so on. While
these technologies are interesting in and of themselves, Anti-X defenses are not just about
breadth of mitigation, but about distributing those mitigation points throughout key security
enforcement points in the network to stop attacks as far from their intended destination and
the core of the network as possible. Stopping an attack before it reaches the network core or
host greatly diminishes the damage it can cause and its chances of spreading further.
Network containment and control: Network intelligence and the virtualization of security
technologies provide the ability to layer sophisticated auditing, control, and correlation
capabilities to control and protect any networked element. Enables proactive response to
threats by aggregating and correlating security information, as well as protecting network
services such as VoIP and the device infrastructure (such as from installation of rogue
devices).
The table in the figure shows a number of recent product announcements in support of ATD.
This list is not all inclusive. New products and technologies are being announced almost on a
weekly basis.
You will have seen many of these products in previous lessons. This should reinforce the
ability to build the Self-Defending Network on existing products and technologies.
In the next topics, the newest products and technologies from Cisco will be presented.
Cisco PIX Security Appliance Software v7.0
This topic describes the firewall, application inspection and VPN enhancements of the PIX
Security Appliance Software version 7.0.
Figure: PIX Security Appliance Software 7.0 application control. Web Security: advanced HTTP
firewall services control the actions users can perform when accessing websites (figure
labels: Web Browsing and Approved Access on Port 80; Peer-to-Peer, Instant Msg, HTTP Delete
and JPEG/EXE marked with an X). Voice Security: enhances security for next-generation
converged networks.
PIX Security Appliance Software version 7.0 brings a number of new features that provide
more control over applications. These new features are as follows:
Web security:
Advanced HTTP firewall services prevent web-based attacks and port 80 misuse
Controls peer-to-peer (KaZaA) to protect network capacity
Polices instant messaging to control usage, compliance and covert transmissions of
sensitive information.
These services give businesses control over what actions users can perform when accessing
websites:
Limits web server access to approved methods and commands to prevent
unauthorized changes
Filters Multipurpose Internet Mail Extension (MIME) type and validates content to
minimize risk of malware infection
Checks RFC protocol compliance for protocol anomaly detection
Voice security:
PIX Security Appliance Software version 7.0 enhances security for next-generation
converged networks.
Extends leading VoIP security with improved H.323, Session Initiation Protocol
(SIP), Media Gateway Control Protocol (MGCP), Real Time Streaming Protocol
(RTSP), and fragmentation/segmentation support.
PIX Software Version 7.0 New Features (Cont.)
Figure labels: Transparent Firewall (PIX inserted into an existing network); active-active
failover for enhanced resiliency and asymmetric routing support; new zero-downtime software
upgrade capability; intelligent network integration; QoS traffic prioritization; Anti-X.
Cisco DDoS Solutions
The DDoS appliance solution acquired from Riverhead Networks is now available as integrated
service modules for the Catalyst 6500 Series switch and 7600 Series router. This solution
detects and automatically defends against crippling distributed denial of service (DDoS) attacks
of all types.
Because DDoS attacks mimic valid transactions and may contain no embedded exploits, this
solution is based on behavioral anomaly recognition. Precision analysis enables blocking only
the attack packets while forwarding legitimate transactions, key to ensuring online business
continuity. High performance and incremental clustering is designed to counter the strongest
attacks in the largest environments.
These modules can be deployed directly by large enterprises and successfully as managed
DDoS services by AT&T, Sprint, Cable and Wireless (C&W) and many other service
providers.
Figure: Integrated DDoS Protection, Solution Overview. Traffic from the ISP enters the
Catalyst chassis (Supervisor Engine 2 or 720 integration, line card). The Anomaly Guard Module
performs attack analysis and mitigation with dynamic filtering and antispoofing defenses;
traffic for the attacked zone is diverted to it by dynamic route diversion for on-demand
scrubbing. Benefits listed: scalability and reliability under attack; lower total cost of
operation.
© 2005 Cisco Systems, Inc. All rights reserved. SND v1.01-17
The Guard provides mitigation driven by an embedded anomaly recognition engine. It is not a
simple static filter and policy device, but can actually learn about network traffic and take
appropriate actions on the basis of what it has learned.
The Guard uses a traffic diversion technique that scrubs DDoS traffic while letting
legitimate traffic continue. The Guard has multiple layers of defense including dynamic
filters and active anti-spoofing, all driven by the anomaly engine to defend against all
types, combinations and morphing of DDoS attacks.
The Traffic Anomaly Detector monitors traffic and can alert the operator or activate the
Guard for its on-demand scrubbing.
In the topology in the figure the following can be seen:
The Detector module recognizes that a single zone, or set of servers, has come under attack.
The Guard module is automatically alerted and begins diversion using routing updates.
Both good and bad traffic is diverted for scrubbing. The traffic is not blackholed, and the
router is not used to differentiate good from bad traffic.
Traffic diversion is intra-chassis using BGP or other routing protocols.
Only traffic to the attacked zone is diverted through the Guard module for scrubbing.
Legitimate traffic is forwarded using different mechanisms including VPN
routing/forwarding (VRF) or tunneling.
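The detection, diversion and scrubbing sequence in the list above, as an added example written for this guide; it is a simplified model, not Guard or Detector code. The per-zone baseline statistics, the three-sigma threshold, the per-source packet limit, the "completed handshake" stand-in for an anti-spoofing check, the zone prefixes and the simulated routing table are all assumptions. It shows the two properties the text stresses: only the attacked zone's prefix is diverted, and legitimate flows for that zone are forwarded rather than blackholed.

```python
"""Added example: a toy model of DDoS detection, diversion and scrubbing.

Not Cisco Guard or Detector code. The baseline statistics, the 3-sigma
threshold, the per-source packet limit, the "completed handshake" stand-in
for anti-spoofing, the zone prefixes and the routing table are assumptions.
"""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst_zone: str              # the zone (set of servers) the flow targets
    packets: int
    handshake_completed: bool  # stand-in for an active anti-spoofing check


class TrafficAnomalyDetector:
    """Learns a per-zone packet-rate baseline, then flags anomalous rates."""

    def __init__(self, sigma: float = 3.0, min_samples: int = 5) -> None:
        self.sigma = sigma
        self.min_samples = min_samples
        self.history: Dict[str, List[int]] = {}

    def learn(self, zone: str, rate: int) -> None:
        """Record one interval's packet rate observed during normal operation."""
        self.history.setdefault(zone, []).append(rate)

    def threshold(self, zone: str) -> float:
        samples = self.history.get(zone, [])
        if len(samples) < self.min_samples:
            raise ValueError(f"zone {zone}: baseline not yet learned")
        stdev = max(statistics.pstdev(samples), 1.0)  # floor avoids a zero band
        return statistics.mean(samples) + self.sigma * stdev

    def is_anomalous(self, zone: str, rate: int) -> bool:
        return rate > self.threshold(zone)


class AnomalyGuard:
    """Diverts only the attacked zone's prefix to itself, then scrubs it."""

    def __init__(self, rib: Dict[str, str], guard_hop: str = "guard-module") -> None:
        self.rib = rib                  # prefix -> next hop (simulated routing table)
        self.guard_hop = guard_hop
        self.saved_hops: Dict[str, str] = {}

    def divert(self, prefix: str) -> None:
        """Inject a route so traffic for `prefix` passes through the Guard."""
        if prefix not in self.saved_hops:
            self.saved_hops[prefix] = self.rib[prefix]
            self.rib[prefix] = self.guard_hop

    def restore(self, prefix: str) -> None:
        """Withdraw the diversion once the attack is over."""
        self.rib[prefix] = self.saved_hops.pop(prefix)

    def scrub(self, flows: List[Flow], per_source_limit: int = 50
              ) -> Tuple[List[Flow], List[Flow]]:
        """Drop spoofed and excessive flows; the rest are forwarded on (e.g. via VRF)."""
        clean, dropped = [], []
        for f in flows:
            if not f.handshake_completed or f.packets > per_source_limit:
                dropped.append(f)       # anti-spoofing, then dynamic per-source filter
            else:
                clean.append(f)
        return clean, dropped


ZONE_PREFIX = {"web": "192.0.2.0/24", "mail": "198.51.100.0/24"}  # constructed


def run_scenario() -> dict:
    """Learn baselines, observe an attack on one zone, divert it and scrub."""
    detector = TrafficAnomalyDetector()
    for rate in (100, 110, 95, 105, 100, 90):   # normal web zone rates (pps)
        detector.learn("web", rate)
    for rate in (40, 50, 45, 55, 50):           # normal mail zone rates (pps)
        detector.learn("mail", rate)

    rib = {ZONE_PREFIX["web"]: "core-1", ZONE_PREFIX["mail"]: "core-1"}
    guard = AnomalyGuard(rib)

    observed = {"web": 5000, "mail": 48}        # current interval, constructed
    attacked = [z for z, r in observed.items() if detector.is_anomalous(z, r)]
    for zone in attacked:                       # Detector activates the Guard
        guard.divert(ZONE_PREFIX[zone])

    flows = [  # constructed traffic arriving for the web zone during the attack
        Flow("203.0.113.5", "web", 12, True),
        Flow("203.0.113.6", "web", 8, True),
        Flow("198.18.0.1", "web", 400, False),
        Flow("198.18.0.2", "web", 390, False),
        Flow("203.0.113.9", "web", 300, True),
    ]
    clean, dropped = guard.scrub(flows)
    return {
        "attacked_zones": attacked,
        "rib": dict(rib),
        "forwarded": [f.src for f in clean],
        "dropped": [f.src for f in dropped],
    }
```

Running `run_scenario()` leaves the mail zone's route untouched while the web prefix points at the Guard; of the five flows, the two small, handshake-completing sources are forwarded and the rest are dropped, which is the "not blackholed" behaviour the text describes.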
Figure: the security business dilemma. Never enough security staff: after patching, putting
out fires, investigation and remediation, produce the audit report. Network and security
event alarms: disconnected noise events, false positives, network anomalies. Inefficient,
costly attack identification and response. Mitigate attacks: un-prioritized blended attacks,
day zero attacks, worms and network issues. Compliance and audit mandates: Sarbox, HIPAA,
GLBA, FISMA, Basel II due care and process.
The Cisco Secure MARS is an appliance-based, all-inclusive solution that provides unmatched
insight and control of your existing security deployment. A key component of the Cisco
security management lifecycle, Cisco Secure MARS empowers your security and network
organizations to identify, manage, and counter security threats. It leverages your existing
network and security investments to identify, isolate and recommend precision removal of
offending elements. It also helps maintain internal policy compliance and can be an integral
part of the overall regulatory compliance solution kit.
The problems faced by security and network administrators are as follows:
Security and network information overload
Poor attack and fault identification, prioritization, and response
Increased attack sophistication, velocity, and remediation costs
Meeting compliance and audit requirements
Moderate security staff and budgets
Abbreviations and acronyms used in the figure refer to the following regulatory requirements:
Sarbox: Sarbanes-Oxley
FISMA: Federal Information Security Management Act
GLBA: Gramm-Leach-Bliley Act
Basel II: Basel II Capital Accord
Cisco Secure MARS
Leverages existing investment to build pervasive security. Correlates data from across the
network: firewalls, routers, switches, NIDS, CSA; syslog, SNMP, RDEP, SDEE, NetFlow, endpoint
event logs. Rapidly locates and mitigates attacks.
Key features:
Determines security incidents based on device messages, events, and sessions
Incidents are topologically aware for visualization and replay
Mitigation on L2 ports and L3 chokepoints
Efficiently scales for real-time use across the enterprise
CS-MARS appliances help companies to readily and accurately identify and eliminate network
attacks while maintaining network compliance. CS-MARS has the following advantages:
CS-MARS accurately identifies, correlates, visualizes, prioritizes, investigates and reports
incidents and mitigates attacks in progress.
These appliances target government entities, small-to-medium businesses and enterprises,
offering turn-key installation and an easy-to-use interface covering a wide spectrum of
security devices.
CS-MARS collects events from firewalls, VPN concentrators, host and network intrusion
detection systems and system logs and correlates them with vulnerability assessment and
NetFlow data to detect anomalies.
CS-MARS can identify and mitigate threats in the network and significantly extends the
Cisco Self-Defending Network initiative.
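The collection and correlation process described above, as an added example and not CS-MARS code: it parses constructed firewall-deny and NIDS-alert syslog lines (the line formats are invented for this illustration, not real device output), groups them per source and destination pair inside a time window, raises an incident when a multi-port scan is followed by an IDS alert, and picks a mitigation point from an assumed topology map (an L2 switch port for a host the map knows, an ACL at the L3 chokepoint otherwise). Thresholds, window size and the topology entries are assumptions.

```python
"""Added example: SIEM-style correlation in miniature (not CS-MARS code).

The log lines, message formats, thresholds and topology map below are all
constructed for this illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    kind: str      # "fw_deny" or "ids_alert"
    src: str
    dst: str
    dport: int
    detail: str


@dataclass
class Incident:
    name: str
    severity: str
    src: str
    dst: str
    ports: List[int]
    devices: List[str]
    mitigation: str


# Constructed sample feed (not real device output), as received over syslog.
SAMPLE_FEED = """\
2005-03-01T10:00:01 pix-edge DENY tcp src 10.9.9.7/40001 dst 192.168.1.10/22
2005-03-01T10:00:02 pix-edge DENY tcp src 10.9.9.7/40002 dst 192.168.1.10/23
2005-03-01T10:00:03 pix-edge DENY tcp src 10.9.9.7/40003 dst 192.168.1.10/25
2005-03-01T10:00:04 pix-edge DENY tcp src 10.9.9.7/40004 dst 192.168.1.10/8080
2005-03-01T10:00:06 nids-dc ALERT sig=2001 name=HTTP-suspicious-request src 10.9.9.7 dst 192.168.1.10 dport 80
2005-03-01T10:30:00 pix-edge DENY udp src 172.16.5.5/5000 dst 192.168.1.53/53
"""

FW_RE = re.compile(r"^(\S+) (\S+) DENY (\w+) src (\S+)/(\d+) dst (\S+)/(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT sig=(\d+) name=(\S+) src (\S+) dst (\S+) dport (\d+)$")

# Assumed topology: which access-switch port an internal address sits behind.
TOPOLOGY: Dict[str, Tuple[str, str]] = {"10.9.9.7": ("sw-access-3", "FastEthernet0/12")}


def parse_line(line: str) -> Optional[Event]:
    """Normalise one syslog line from either device type into an Event."""
    m = FW_RE.match(line)
    if m:
        ts, dev, proto, src, _sport, dst, dport = m.groups()
        return Event(datetime.fromisoformat(ts), dev, "fw_deny", src, dst, int(dport), proto)
    m = IDS_RE.match(line)
    if m:
        ts, dev, sig, name, src, dst, dport = m.groups()
        return Event(datetime.fromisoformat(ts), dev, "ids_alert", src, dst, int(dport),
                     f"{sig}:{name}")
    return None   # unknown format: treated as noise, never as an incident


def parse_feed(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def mitigation_for(src: str) -> str:
    """L2 port shutdown when the host is in the topology map, else an L3 ACL."""
    if src in TOPOLOGY:
        switch, port = TOPOLOGY[src]
        return f"shutdown {port} on {switch}"
    return f"apply deny ACL for {src} at the L3 chokepoint"


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              scan_ports: int = 4) -> List[Incident]:
    """Group events per (src, dst) inside a time window and apply two rules."""
    by_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pair[(e.src, e.dst)].append(e)
    incidents = []
    for (src, dst), evs in by_pair.items():
        start = evs[0].ts
        group = [e for e in evs if e.ts - start <= window]
        ports = sorted({e.dport for e in group if e.kind == "fw_deny"})
        alerted = any(e.kind == "ids_alert" for e in group)
        if alerted and len(ports) >= scan_ports:
            name, sev = "scan followed by IDS alert", "high"
        elif alerted:
            name, sev = "IDS alert", "medium"
        elif len(ports) >= scan_ports:
            name, sev = "port scan", "medium"
        else:
            continue   # isolated denies are noise, not an incident
        incidents.append(Incident(name, sev, src, dst, ports,
                                  sorted({e.device for e in group}), mitigation_for(src)))
    return incidents
```

On the sample feed the five firewall denies and the NIDS alert for the same pair collapse into one high-severity incident that names both devices, while the single DNS deny from a second source produces nothing; that reduction from events to incidents is the noise suppression the text attributes to correlation.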
The Cisco Security Auditor extends the Cisco portfolio of security management products by
providing security compliance auditing. Cisco Security Auditor provides new levels of security
assurance with cost-effective auditing of network infrastructure against corporate security
policies and industry best practices.
The Cisco Security Auditor eliminates common manual audit tasks and implements a
business-centric, policy profile management model that allows customers to build high-level
corporate policies, while the application of those policies to specific network devices is
offloaded to the Security Auditor software.
The automated auditing capabilities of the software allow customers to eliminate costly manual
auditing operations for large scale networks, drastically reducing the time required to perform
an audit. Cisco Security Auditor also provides security improvement recommendations and
reporting that simplify the process of addressing network security vulnerabilities. This
capability allows management operations to effectively manage the risks related to their
network.
The product is built on scalable and generic auditing framework architecture to support the
audit of a large number of network instances. Cisco Security Auditor is an integral part of Cisco
full cycle security management solutions and provides security improvement recommendations
for the management solution to further enhance the security protection of customer networks.
The result is a powerful software solution that ensures organizational security compliance and
network availability, while increasing productivity and overall return on investment.
Securing the Network Infrastructure with Cisco
IOS Software Security Features
This topic describes how to secure network infrastructure with Cisco IOS software security
features.
[Figure: router placement in the network, with the Internet, a public services module, a Frame Relay/ATM WAN module, and corporate servers]
Recall that routers control access from network to network. They advertise networks, filter who
can use them, and are potentially an aid to a hacker. Consequently, router security is a critical
element in any security deployment. It is important for security professionals to be completely
up to date on current router documentation and possible threats to routers.
[Figure: the same network layout (Internet, public services module, Frame Relay/ATM WAN module, corporate servers), shown for switch placement]
Similar to router considerations, both Layer 2 and Layer 3 switches have their own set of
security considerations. Unlike routers, not as much information is available about the security
risks in switches and what can be done to mitigate those risks. Most of the router security
techniques also apply to switches.
Enhanced Cisco IOS Security Services
AutoSecure: a single command locks down routers to NSA standards.
Control-Plane Policing: control-plane rate limiting throttles the amount of traffic forwarded to the route processor in a given interval.
Silent Mode: reduces the ability of a hacker to reconnoiter the network.
Scavenger-class QoS: QoS and rate limiting ensure that mission-critical traffic gets through, and maintain management traffic so IT managers can place ACLs and track down infections.
© 2005 Cisco Systems, Inc. All rights reserved. SND v1.01-23
Self-Defending Network Endpoint Security
Solutions
This topic describes the features of Cisco Secure Desktop and Cisco Clean Access.
Post-Session Clean-Up:
Encrypted partition overwrite (not just deletion) using a DoD algorithm
Cache, history, and cookie overwrite
File download and email attachment overwrite
Auto-complete password overwrite
Works with Desktop Guest Permissions
No admin privileges required
The Cisco acquisition of Twingo Systems has provided a desktop security solution for Secure
Socket Layer (SSL) VPNs, and brings the same level of security provided by IPSec VPNs. The
core technology of this product, the Cisco Secure Desktop, removes sensitive security
information related to an SSL VPN connection at the close of the session. Cisco Secure
Desktop protects from exploitation of such information for host network or system penetration.
The Cisco Secure Desktop writes all data associated with the SSL VPN session to a single and
segregated part of the end systems hard drive. Cisco Secure Desktop provides a single location
for session clean-up and partitions the session from unsecured areas of the end system. The
Virtual Secure Desktop is transparent to the end user and users continue to have access to all of
the PC hardware and software resources.
The Cisco Secure Desktop software is integrated into the Cisco Web VPN solution on the Cisco
VPN 3000 Concentrator Series.
[Figure: Cisco Clean Access, showing the Cisco Clean Access Manager, the Cisco Clean Access Server, and the intranet network. Step 1: the end user attempts to access a web page or uses an optional client; network access is blocked until the end user provides login information. Step 2: the user is redirected to a login page; Clean Access validates the username and password and also performs device and network scans to assess vulnerabilities on the device.]
Cisco Clean Access extends the offerings in Cisco Network Admission Control (NAC) to the
small-medium enterprise market where a turnkey solution is preferred. Like NAC, it is
designed to enforce endpoint policy compliance and enables organizations to intelligently
provide trusted access to "clean" endpoints.
Cisco Clean Access is a shrink-wrapped NAC solution that recognizes users, their devices
and roles. Cisco Clean Access evaluates the security posture of the endpoint and scans for
vulnerabilities and enforces policy in the network.
Cisco Integrated Security Portfolio
This topic describes the positioning of the Cisco integrated security portfolio.
[Figure: the Cisco integrated security portfolio, including intrusion detection and prevention systems deployed as network sensors, router sensors, and firewall sensors]
A truly secure network requires multiple products and technologies that collaborate seamlessly
across platforms and integrate tightly with the network infrastructure. This figure illustrates the
full range of the Cisco integrated security portfolio. No single product or technology is able to
secure a network. There is no other vendor with such a diversity of platforms.
Cisco offers the broadest portfolio of integrated security products in the industry that are
designed to meet the requirements and diverse deployment models of any network and any
environment. These products include the following:
Cisco IOS platforms with integrated VPN and stateful firewall support for secure IP
connectivity
Cisco PIX Security Appliances with integrated VPN to ensure perimeter security and
access control
Cisco VPN Concentrator 3000 Series remote access VPN appliances for secure
telecommuter connectivity
Appliance-based network intrusion detection and protection systems (IDS/IPS) as well as
integrated network IDS/IPS for Cisco IOS routers and PIX Security Appliances
Endpoint protection software to protect servers and desktops from the damaging effects of
known and unknown threats
Cisco Secure Access Control Server to ensure that users have the proper authority to access
corporate resources
Security modules for the Cisco Catalyst 6500 Series switch and Cisco 7600 Series router
that provide security throughout the data center
Security management including Cisco Threat Response Technology to reduce false alarms,
analyze and escalate real attacks, and mitigate costly intrusions
The Cisco approach to security has evolved from a point product approach to this integrated
security approach. The figure illustrates the positioning of the Cisco security product portfolio
in the context of the Self-Defending Network.
Summary
This topic summarizes what you learned in this lesson.
Q3) Describe the vulnerability stemming from the following sources: (Source: Changing
Threats and Challenges)
Source Vulnerability
Q4) Identify the goal of each phase in the evolution of the self-defended network and
identify the products and technologies associated with each phase. (Source: Building a
Self-Defending Network)
Phase Goal Products and Technologies
Phase I
Phase II
Phase III
Q7) Identify four typical traffic types accessing port 80 and identify the types of controlled
traffic a Cisco PIX Security Appliance Software version 7.0 will allow into a secure
network. (Source: Cisco PIX Security Appliance Software v7.0)
Q8) Identify the four enhanced Cisco IOS security services and describe the key feature for
each. (Source: Securing the Network Infrastructure with Cisco IOS Software Security
Features)
IOS Security Service Feature
Q9) Describe the steps that the Cisco Clean Access solution uses to provide secure
admission control for small-medium business. (Source: Self-Defending Network
Endpoint Security Solutions)
Can search for and exploit a system or application vulnerability, or multiple vulnerabilities.
Q3) The following table identifies the security vulnerability stemming from each of the following sources:
Source: Common application interfaces
Vulnerability: Much of the data that used to reside in packet headers now resides in the packet payload.
Source: Wireless and mobile network within enterprises
Vulnerability: Multihomed hosts establish ad-hoc wireless networks enabling peer-to-peer communication, allowing packets to be forwarded across devices at the application level.
Q4) The following table identifies the goal of each phase in the evolution of a self-defended network and identifies the products and technologies associated with each phase:
Phase II
Goal: Collaborative security systems
Products and Technologies: NAC, NFP, VoIP, wireless, and service virtualization
Phase III
Goal: Adaptive threat defense
Products and Technologies: Application inspection and control, real-time worm, virus, spyware prevention, P2P and IM control
Q5) B
Q6) The summary should touch on the following points:
Determines security incidents based on device messages, events, and sessions
Q7) The following are the four typical traffic types accessing port 80 and the types of controlled traffic that Cisco PIX Security Appliance Software version 7.0 will allow into a secure network:
A) Peer-to-Peer
B) HTTP Delete
C) Instant Msg
D) JPEG/EXE
E) Approved Access
F) Web Browsing
Q8) The following table identifies the four enhanced Cisco IOS security services and describes the key feature
for each:
IOS Security Service Feature
Module Summary
This topic summarizes the key points discussed in this module.
Module Summary
This module described the need for increased security in open networks. Because the frequency
and sophistication of the types of threats and attacks have increased significantly, strategies that
mitigate network attacks were described. The need for a security policy and the Cisco security
portfolio were described.
Overview
Globally networked businesses rely on networks to communicate with employees, customers,
partners, and suppliers. While immediate access to information and communication is an
advantage, it raises concerns about security: protecting access to critical network resources.
Security policies are enforced at network perimeters. Network administrators need to know
who is accessing which resources and they need to establish clear perimeters to control that
access. An effective security policy balances accessibility with protection. A perimeter is more
than just the boundary between an internal network and the public Internet. You can put a
perimeter anywhere within a private network, or between your network and a partner network.
A solid perimeter security solution enables communications as defined by the security policy,
yet protects network resources from breaches or attacks. Perimeter security controls multiple
network entry and exit points, and increases user assurance by implementing multiple layers of
security.
The Cisco perimeter security solution provides several levels of perimeter security that can be
deployed throughout your network. The solution is highly flexible, and can be tailored to your
security policy. This module focuses on mitigating threats at Layers 2 and 3 using the security
features embedded in the Cisco Catalyst switch and Cisco IOS software. Basic aspects of
physical security are also discussed.
Module Objectives
Upon completing this module, you will be able to configure Layer 2 and Layer 3 devices on the
network perimeter with Cisco Catalyst switch security features and Cisco IOS software. This
ability includes being able to meet these objectives:
Secure Cisco router physical installations and administrative access
Configure AAA implementation on a Cisco router
Describe how Cisco Secure ACS provides AAA services to network devices that function
as AAA clients
Configure basic administrative access, AAA clients, users and groups
Disable unused Cisco router network services and interfaces
Mitigate threats and attacks to Cisco perimeter routers by formatting and applying access
lists to filter traffic
Securely implement management and reporting features of syslog, SSH and SNMPv3
Explain how Layer 2 attacks can be mitigated
Explain how to mitigate attacks against network topologies and protocols
Describe how to use the security features embedded in Catalyst switches to mitigate
network threats
Lesson 1
Securing Administrative
Access to Cisco Routers
Overview
This lesson shows you how to secure Cisco routers using proven methods for physically
securing the router, and protecting the router administrative interface. In order to practice what
you have learned, a hands-on lab exercise has been provided. In this lab exercise you will
configure secure access for a router administrative interface.
Objectives
Upon completing this lesson, you will be able to secure Cisco router physical installations and
administrative access. This ability includes being able to meet these objectives:
Configure passwords to secure administrative access to Cisco routers
Secure administrative access to Cisco routers by setting a login failure rate
Secure administrative access to Cisco routers by setting timeouts
Secure administrative access to Cisco routers by setting multiple privilege levels
Secure administrative access to Cisco routers by configuring banner messages
Configuring Router Passwords
This topic describes how to configure secure administrative access to Cisco routers by
configuring passwords. Configuring secure administrative access is an extremely important
security task. If an unauthorized person were to gain administrative access to a router, the
person could alter routing parameters, disable routing functions, or discover and gain access to
other systems in the network.
[Figure: a console connected to the console port of the Boston router]
Strong passwords and similar secrets, such as SNMP community strings (SNMP community
strings will be described later in this course) are the primary defense against unauthorized
access to your router. The best way to handle most passwords is to maintain them on a
TACACS+ or RADIUS authentication server. However, almost every router needs a locally
configured password for privileged access, and may also have other password information in its
configuration file.
One way to perform initial router configuration tasks is to access the router console port with a
console. A console is a terminal that is connected to a router console port; it can either be a
dumb terminal or a PC running terminal emulation software. Consoles are only one of the ways
that network administrators can obtain administrative access to configure and manage routers.
Other ways to gain administrative access include Telnet, HTTP/HTTPS, Secure Shell (SSH)
Protocol, Simple Network Management Protocol (SNMP), and the Cisco Security Device
Manager (SDM) feature.
The first step in securing Cisco router administrative access is to configure secure system
passwords. These passwords are either stored in the router itself (local) or on remote
authentication, authorization, and accounting (AAA) servers, such as the Cisco Secure Access
Control Server (ACS). This topic contains information on configuring local passwords only.
Password authentication using AAA is described later in this course.
Password Creation Rules
When creating passwords for Cisco routers, always keep the following rules in mind:
Passwords can be 1 to 25 characters in length, but should have a minimum of ten
characters. Passwords may include the following:
Any alphanumeric character
A mix of uppercase and lowercase characters
Symbols and spaces
Passwords cannot have a number as the first character.
Passwords should not utilize dictionary words.
Leading spaces in a password are ignored, but all spaces after the first character are significant.
You should decide when and how often the passwords should be changed.
You may want to add your own rules to this list, making your passwords even safer.
If you are working on a new router (from the factory) or an existing router that has been reset
(possibly using the Cisco password recovery procedure), the Cisco IOS command-line interface
(CLI) prompts you to indicate whether you want to enter the initial configuration dialog. The
figure provides a router configuration sample with this initial prompt.
Within the first few questions of the initial configuration dialog, several Cisco router password
requirements can be found:
The router enable secret password
The router enable password
The password used to access the router using virtual terminal (Telnet)
The enable secret password is used to enter enable mode (sometimes referred to as privileged or
privileged-EXEC mode). You can set the enable secret password by entering a password during
the initial configuration dialog (as shown in the figure), or by using the enable secret command
in global configuration mode. The enable secret password is always encrypted inside the router
configuration using a Message Digest 5 (MD5) hashing algorithm.
The enable password command is also used to enter enable mode but is a holdover from older
versions of Cisco IOS software. By default, the enable password is not encrypted in the router
configuration. Cisco decided to keep the older enable password command in later versions of
Cisco IOS software even though the enable secret password is a safer way to store privileged-
EXEC passwords. The older command was kept in case the router is downgraded to a version
of Cisco IOS software that does not support the enable secret password. The enable password
protects privileged-EXEC mode.
The virtual terminal password is the line-level password entered when connecting to the router
using Telnet. You can set this password during the initial configuration dialog (as shown in the
figure) or by using the password command in vty line configuration mode.
Password Minimum Length Enforcement
Cisco IOS Software Release 12.3(1) and later allows administrators to set the minimum
character length for all router passwords using the security passwords global configuration
command. This command provides enhanced security access to the router by allowing you to
specify a minimum password length, which eliminates common passwords that are prevalent on
most networks, such as lab and cisco. This command affects user passwords, enable
passwords and secrets, and line passwords created after the command was executed. Existing
router passwords remain unaffected.
It is highly recommended that you set your minimum password length to at least 10 characters.
Never use a length of zero.
After this command is enabled, any attempt to create a new password that is less than the
specified length fails and results in an error message similar to the following:
Password too short - must be at least 10 characters. Password
configuration failed.
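The password creation rules above and the minimum-length rejection just described, modelled as an added Python example (not Cisco's code). DICTIONARY_WORDS is a constructed stand-in for a real word list, and ios_set_password is a hypothetical helper that reproduces only the behaviour the text states.

```python
"""Checks for this page's password creation rules, plus a model of the
'security passwords min-length' rejection described above.
Added example, not Cisco's code. DICTIONARY_WORDS is a constructed stand-in
for a real word list; ios_set_password is a hypothetical helper that
reproduces only the behaviour the text states."""
import re
from typing import List, Optional

MAX_LEN = 25             # Cisco IOS password length limit stated on the page
RECOMMENDED_MIN = 10     # recommended minimum stated on the page
DICTIONARY_WORDS = {"cisco", "lab", "password", "router", "admin", "boston"}


def normalize(password: str) -> str:
    """IOS ignores leading spaces but keeps every space after the first character."""
    return password.lstrip(" ")


def rule_violations(password: str) -> List[str]:
    """Hard rules: length 1..25 and no digit as the first character."""
    pw = normalize(password)
    errors = []
    if not 1 <= len(pw) <= MAX_LEN:
        errors.append(f"length {len(pw)} is outside 1..{MAX_LEN}")
    if pw[:1].isdigit():
        errors.append("first character is a digit")
    return errors


def rule_warnings(password: str) -> List[str]:
    """Soft rules: at least ten characters and no dictionary words."""
    pw = normalize(password)
    warnings = []
    if len(pw) < RECOMMENDED_MIN:
        warnings.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    # Alphabetic runs are compared case-insensitively so 'Cisco123!' is caught.
    for word in re.findall(r"[A-Za-z]+", pw):
        if word.lower() in DICTIONARY_WORDS:
            warnings.append(f"contains dictionary word {word!r}")
    return warnings


def ios_set_password(new_password: str, min_length: int) -> Optional[str]:
    """Model of a router with 'security passwords min-length <min_length>' set:
    a new password below that length is rejected with the message shown above.
    Returns the error text, or None when the password is accepted."""
    pw = normalize(new_password)
    if len(pw) < min_length:
        return (f"Password too short - must be at least {min_length} characters. "
                "Password configuration failed.")
    return None
```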
If you did not use the initial configuration dialog to configure your enable secret password, you
must use the enable secret command in global configuration mode as shown in the figure. The
enable secret command uses a one-way encryption hash based on MD5 (designated by the
number 5 in the figure sample configuration) and is considered irreversible by most
cryptographers. However, even this type of encryption is still vulnerable to brute force or
dictionary attacks.
If you forget the enable secret password, you have no alternative but to replace it using the
Cisco router password recovery procedure.
Configure the Console Port Line-Level Password
router(config)# line console 0
Enters console line configuration mode
router(config-line)# login
Enables password checking at login
router(config-line)# password password
Sets the line-level password to password (for example, ConUser1)
Boston(config)# line con 0
Boston(config-line)# login
Boston(config-line)# password ConUser1
By default, Cisco router console ports allow a hard BREAK signal (within 60 seconds of a
reboot) to interrupt the normal boot sequence and give the console user complete control of the
router. This is used for maintenance purposes, such as when running the Cisco router password
recovery procedure. Even though this hard BREAK sequence is, by default, available to
someone who has physical access to the router console port, it is still important to set a line-
level password for users who might try to gain console access remotely. The hard BREAK
sequence may be disabled using the no service password-recovery command described later.
Note If a router is configured with the no service password-recovery command, all access to
the ROMMON is disabled.
By default, the console port does not require a password for console administrative access.
However, you should always configure a console port line-level password. The figure
illustrates the steps (in global configuration mode) that are required to create a new line-level
password for the console.
Note Notice that the password is seen in clear text (unencrypted). Passwords left in clear text
pose a serious threat to router security.
Cisco routers support multiple Telnet sessions (up to five simultaneous sessions by default;
more can be added), each serviced by a logical vty. By default, Cisco routers do not have any
line-level passwords configured for these vty lines. If you enable password checking, you must
also configure a vty password before attempting to access the router using Telnet. If you fail to
configure a vty password, and password checking is enabled for the vty lines, you will
encounter an error message similar to the following:
Telnet 10.0.1.2
Trying 10.0.1.2 ... open
There are two ways to configure a vty password; the first way is to enter the password during
the initial configuration dialog, the second way is by using the password command in vty
configuration mode, as shown in the figure. Always configure passwords for all of the vty ports
in this manner.
In the example shown in the figure, vty 0 4 (logical vty 1 to vty 5) are configured
simultaneously to look for the password specified. Just like console line-level passwords, vty
passwords are, by default, shown as clear text (unencrypted) in the router configuration.
The following are a few more things to consider when securing Telnet connections to a Cisco
router:
If you fail to set an enable password for the router, you will not be able to access
privileged-EXEC mode using Telnet. Use either the enable password or enable secret
password command to set the enable password for your routers.
Telnet access should be limited only to specified systems by building a simple access
control list (ACL) that does the following:
Allows Telnet access from specific hosts only (allows certain IP addresses)
Blocks Telnet access from specific untrusted hosts (disallows certain IP addresses)
Ties the ACL to the VTY lines using the access-class command
The following is an example showing ACL 30 restricting Telnet access to host
10.0.1.1 and denying access from host 10.0.1.2 for vty 0 to 4:
Boston(config)# access-list 30 permit 10.0.1.1
Boston(config)# access-list 30 deny 10.0.1.2
Boston(config)# line vty 0 4
Boston(config-line)# access-class 30 in
You must configure passwords for all of the vty on the router. Remember that you can add
more vty to the router and these lines must be protected as well as the default 0 to 4 lines.
line aux 0
Enters auxiliary line configuration mode
router(config-line)# login
Enables password checking at login for auxiliary line connections
router(config-line)# password password
Sets the line-level password to password (for example, NeverGessMeAux)
Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux
By default, Cisco router auxiliary ports do not require a password for remote administrative
access. Administrators sometimes use this port to remotely configure and monitor the router
using a dialup modem connection.
Unlike console and vty passwords, the auxiliary password is not configured during the initial
configuration dialog and should be configured, as shown in the figure, using the password
command in auxiliary line configuration mode.
If you wish to turn off the EXEC process for a specified line such as on the aux port, use the no
exec command within the auxiliary line configuration mode.
Setting the auxiliary line-level password is only one of several steps you must complete when
configuring a router auxiliary port for remote dial-in access. The Configuring an Auxiliary
Line-Level Password table lists the steps and commands used when configuring an auxiliary
port.
Configuring an Auxiliary Line-Level Password
service password-encryption
Encrypts all clear text passwords in the router configuration file
Boston(config)# service password-encryption
Just like console and vty passwords, auxiliary passwords are not encrypted in the router
configuration. This is why it is important to use the service password-encryption command.
With the exception of the enable secret password, all Cisco router passwords are, by default,
stored in clear text form within the router configuration. View these passwords with the show
running-config command. Sniffers can also see these passwords if your Trivial File Transfer
Protocol (TFTP) server configuration files traverse an unsecured intranet or Internet
connection. If an intruder gains access to the TFTP server where the router configuration files
are stored, the intruder will be able to obtain these passwords.
A proprietary Cisco algorithm based on a Vigenere cipher (indicated by the number 7 when
viewing the configuration) allows the service password-encryption command to encrypt all
passwords (except the previously encrypted enable secret password) in the router configuration
file. This method is not as safe as MD5, which is used with the enable secret command, but
prevents casual discovery of the router line-level passwords.
After all of your passwords have been configured for the router, you should run the service
password-encryption command in global configuration mode, as shown in the figure.
Enhanced Username Password Security
router(config)# username name secret {[0] password | 5 encrypted-secret}
Uses MD5 hashing for better username password security
Better than the type 7 encryption found in the service password-encryption command
Starting with Cisco IOS Software Release 12.0(18)S, system administrators can choose to use
an MD5 hashing mechanism to encrypt username passwords. MD5 hashing of passwords is a
much better encryption scheme than the standard type 7 encryption found in the service
password-encryption command. The added layer of MD5 encryption is useful in
environments in which the password crosses the network or is stored on a TFTP server.
MD5 hashing of Cisco IOS username passwords is accomplished with the username secret
command in global configuration mode. Administrators can choose to enter a clear text
password for MD5 hashing by the router (option 0), or they can enter a previously encrypted
MD5 secret (option 5). The syntax for the username secret command is as follows:
Note MD5 encryption is a strong encryption method that is not retrievable; therefore, you cannot
use MD5 encryption with protocols that require clear text passwords, such as Challenge
Handshake Authentication Protocol (CHAP).
By default, Cisco IOS routers allow a break sequence during power-up that forces the router
into ROMMON mode. Once the router is in ROMMON mode, anyone can choose to enter a
new enable secret password using the well-known Cisco password recovery procedure. This
procedure, if performed correctly, leaves the router configuration intact. This scenario presents
a potential security breach in that anyone who gains physical access to the router console port
can enter ROMMON, reset the enable secret password, and discover the router configuration.
This potential security breach can be mitigated using the no service password-recovery global
configuration command. The no service password-recovery command is a hidden Cisco IOS
command and has no arguments or keywords.
Caution If a router is configured with the no service password-recovery command, all access to
the ROMMON is disabled. If the router Flash memory does not contain a valid Cisco IOS image,
you will not be able to use the ROMMON XMODEM command to load a new Flash image. In
order to repair the router, you must obtain a new Cisco IOS image on a Flash SIMM, or on a
PCMCIA card (3600 only). See Cisco.com for more information regarding backup Flash
images.
Once the no service password-recovery command is executed, the router boot sequence will
look similar to the following:
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
C2600 platform with 65536 Kbytes of main memory
Also, after the no service password-recovery command is executed, a show running
configuration command listing will contain the no service password-recovery statement as
shown here:
!
version 12.0
service tcp-keepalives-in
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
!
hostname Boston
Starting with Cisco IOS Software Release 12.3(1), system administrators can configure the
number of allowable unsuccessful login attempts using the security authentication failure
rate global configuration command, as shown in the figure.
When the number of failed login attempts reaches the configured rate, two events occur:
A TOOMANY_AUTHFAILS event message is sent by the router to the configured syslog
server.
A 15-second delay timer starts.
Once the 15-second delay has passed, the user may continue to attempt to log into the router.
The syntax for the security authentication failure rate command is as follows:
Setting Timeouts
This topic describes how to secure administrative access to Cisco routers by setting timeouts.
By default, an administrative interface stays active (and logged on) for 10 minutes after the last
session activity. After that, the interface times out and logs out of the session. It is
recommended that you fine-tune these timers to limit the amount of time to within 2 or 3
minutes maximum.
You can adjust these timers using the exec-timeout command in line configuration mode for
each of the line types used.
Cisco routers enable you to configure various privilege levels for your administrators. Different
passwords can be configured to control who has access to the various privilege levels. This is
especially helpful in a help desk environment where certain administrators are allowed to
configure and monitor every part of the router (level 15) while other administrators may be
restricted to only monitoring (customized levels 2 to 14). The 16 levels (0 to 15) are defined in
the figure.
Privileges are assigned to levels 2 to 14 using the privilege command from global
configuration mode, as shown in the figure.
privilege mode {level level command | reset command}
Command Description
mode: Specifies the configuration mode. See the list after this table for the options for this argument.
command: (Optional) The command for which you want to reset the privilege level.
Configuring Banner Messages
This topic describes how to secure administrative access to Cisco routers by configuring banner
messages.
Banner messages should be used to warn would-be intruders that they are not welcome on your
network. Banners are very important especially from a legal perspective. Intruders have been
known to win court cases because they did not encounter appropriate warning messages when
accessing router networks.
Choosing what to place in your banner messages is extremely important and should be
reviewed by legal counsel before placing them on your routers. Never use the word welcome
or any other familiar greeting that may be misconstrued as an invitation to use the network.
Banners are disabled by default and must be explicitly enabled by the administrator. As shown
in the figure, use the banner command from global configuration mode to specify appropriate
messages.
message           The message text. You can include tokens in the form $(token) in the message text; tokens are replaced with the corresponding configuration variable.
The following list contains valid tokens for use within the message section of the banner
command.
$(hostname): Displays the hostname for the router
$(domain): Displays the domain name for the router
$(line): Displays the vty or tty (asynchronous) line number
$(line-desc): Displays the description attached to the line
Summary
This topic summarizes the key points discussed in this lesson.
Q2) List the passwords that are, by default, shown as clear text (unencrypted) in the router
configuration. (Source: Configuring Router Passwords)
Q3) By default, Cisco router auxiliary ports do not require a password for remote
administrative access. (Source: Configuring Router Passwords)
A) True
B) False
Q4) What is the default number of failed attempts and delay time before login can begin
again? (Source: Setting Timeouts)
Q5) What happens when the number of failed login attempts reaches the configured rate?
(Source: Setting Timeouts)
Q6) How long does an administrative interface stay active (and logged on) by default?
(Source: Setting Timeouts)
Q7) In the banner motd command, the motd stands for _____________________.
(Source: Configuring Banner Messages)
Q8) Which three of the following are recommended for mitigating electrical threats?
(Choose three.) (Source: Securing Cisco Router Installations)
A) Install backup generator systems for all router and switch devices.
B) Plan for regular UPS and generator testing.
C) Install UPS systems for mission-critical devices.
D) Use filtered power.
E) Install UPS systems on all devices.
Lesson Self-Check Answer Key
Q1) The enable secret command
Q2) All Cisco router passwords are, by default, stored in clear text form except the enable secret password.
Q3) A
Q5) A TOOMANY_AUTHFAILS event message is sent by the router to the configured syslog server and a set
time delay timer begins.
Q6) 10 minutes
Q8) B, C, D
Overview
This lesson presents an introduction to implementing authentication, authorization and
accounting (AAA). To practice what you have learned, a hands-on lab exercise will follow the
lesson. In this lab exercise you will configure basic Cisco router authentication.
Objectives
Upon completing this lesson, you will be able to configure AAA implementation on a Cisco
router. This ability includes being able to meet these objectives:
Describe three ways that Cisco uses to implement AAA services for Cisco routers
Describe the methods of authentication that are used to provide remote access to a LAN
Describe the three general steps required to configure a Cisco perimeter router to perform
AAA using a local database for authentication
Configure AAA on Cisco perimeter routers using aaa commands
Troubleshoot AAA on a Cisco perimeter router using the debug aaa command
Introduction to AAA for Cisco Routers
This topic describes the three ways that Cisco uses to implement AAA services for Cisco
routers. AAA is used by router administrators and users who wish to access the corporate LAN
through dial-in or Internet connections.
Figure: the three AAA questions.
Authentication: Who are you? ("I am user student and my password validateme proves it.")
Authorization: What can you do? What can you access? ("User student can access host serverXYZ using Telnet.")
Accounting: What did you do? How long did you do it? How often did you do it? ("User student accessed host serverXYZ using Telnet for 15 minutes.")
AAA services provide a higher degree of scalability than the line-level and privileged-EXEC
authentication you have learned so far.
Unauthorized access in campus, dialup, and Internet environments creates the potential for
network intruders to gain access to sensitive network equipment and services. The Cisco AAA
architecture enables systematic and scalable access security.
Network and administrative access security in the Cisco environment, whether it involves
campus, dialup, or Internet access, is based on a modular architecture that has three functional
components: authentication, authorization, and accounting.
Authentication: Requires users and administrators to prove that they really are who they
say they are. Authentication is established using a username and password, challenge and
response, token cards, and other methods: I am user student and my password validateme
proves it.
Authorization: After authenticating the user and administrator, authorization services
decide which resources the user and administrator are allowed to access and which
operations the user and administrator are allowed to perform: User student can access host
serverXYZ using Telnet.
Accounting and auditing: Accounting records what the user and administrator actually
did, what they accessed, and how long they accessed it, for accounting and auditing
purposes. Accounting keeps track of how network resources are used: User student
accessed host serverXYZ using Telnet for 15 minutes.
Implementing Cisco AAA
Figure: Implementing Cisco AAA. A remote dialup client (over the PSTN/ISDN) reaches the NAS, and a remote VPN client (over the Internet) reaches the router; both sit in front of the corporate console and file server. AAA is provided by Cisco Secure ACS for Windows Server or by the Cisco Secure ACS Solution Engine.
Cisco networking products support AAA access control using line passwords, a local security
database, or remote security server databases. A local security database is configured in the
router for a small group of network users using the username xyz password strongpassword
command. A remote security database is a separate server running an AAA security protocol,
providing AAA services for multiple network devices and large numbers of network users.
Cisco provides three ways of implementing AAA services for Cisco routers, network access
servers (NASs), and switch equipment, as shown in the figure:
Self-contained AAA: AAA services may be self-contained in the router or NAS itself (also
known as local authentication).
Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an
external Cisco Secure Access Control Server (ACS) for Windows system for user and
administrator authentication.
Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an
external Cisco Secure ACS Solution Engine for user and administrator authentication.
Figure: a remote client authenticating against the local security database of the perimeter router (steps 1 to 3).
If you have one or two NASs or routers providing access to your network for a limited number
of users, you may store username and password security information locally on the Cisco NASs
or routers. This is referred to as local authentication on a local security database. Local
authentication characteristics are as follows:
Used for small networks
Username and password are stored in the Cisco router
User authenticates against the local security database in the Cisco router
Does not require an external database
The system administrator must populate the local security database by specifying username
profiles for each user that might log in.
Implementing Authentication Using External Servers
Figure: a remote client reaches the perimeter router, which consults Cisco Secure ACS for Windows Server or the Cisco Secure ACS Solution Engine (steps 1 to 4).
The problem with local implementations of AAA is that they do not scale well. Most corporate
environments have multiple Cisco routers and NASs with multiple router administrators and
hundreds or thousands of users needing access to the corporate LAN. Maintaining local
databases on each Cisco router and NAS for a network of this size is simply not feasible.
One or more Cisco Secure ACS systems (server or engine) can manage the entire user and
administrative access needs for an entire corporate network using one or more databases.
External AAA systems, such as the Cisco Secure ACS for Windows or Cisco Secure ACS
Solution Engine, communicate with Cisco routers and NASs using the Terminal Access
Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User
Service (RADIUS) protocols to implement AAA functions.
Figure: a router, a firewall, and a network access server, each using TACACS+ or RADIUS to reach the security server.
TACACS+ and RADIUS are the two predominant security server protocols used by Cisco
firewalls, routers, and NASs for AAA. Cisco developed the Cisco Secure ACS Family of AAA
servers to support both TACACS+ and RADIUS.
The Cisco Secure ACS Family is a comprehensive and flexible platform for securing access to
the network. Cisco Secure ACS secures network access for the following:
Dialup access via Cisco access servers and routers
Router and switch console, auxiliary, and vty port administrative and network access
Cisco PIX Security Appliance access
Cisco Virtual Private Network (VPN) 3000 Series Concentrators (RADIUS only)
Cisco Secure ACS works closely with the NAS, router, VPN 3000 Concentrator, and PIX
Security Appliance to implement a comprehensive security policy via the AAA architecture.
Cisco Secure ACS also works with industry-leading token cards and servers.
The Cisco Secure ACS for Windows Server is easily managed via standard browsers, which
enables simple moves, adds, and changes to usernames, passwords, and network devices. Cisco
Secure ACS is implemented on Microsoft Windows 2000 Server platforms.
The Cisco Secure ACS Solution Engine performs many of the same functions as the Cisco
Secure ACS for Windows Server products, but in a single rack-unit (RU) mounted, dedicated
hardware platform.
Authentication Methods and Ease of Use
Figure: authentication methods ranked from weak (no username or password) to strongest, plotted against ease of use from low to high.
The most common method of user authentication is the use of usernames and passwords. These
methods range from weak to strong in authentication security. Simple authentication methods
use a database of usernames and passwords, while methods that are more complex use one-time
passwords (OTPs). Consider each of the methods listed in the figure from the bottom of the list
up:
No username or password: Some system administrators and users decide not to use the
username and password capabilities of their access devices. This is the least secure option.
A network intruder only has to discover the access method to gain access to the networked
system.
Username and password (static): Stays the same until changed by the system
administrator or user. Susceptible to playback attacks, eavesdropping, theft, and password
cracking programs.
Username and password (aging): Expires after a set time (usually 30 to 60 days) and
must be reset, usually by the user, before network access is granted. Susceptible to
playback attacks, eavesdropping, theft, and password cracking, but to a lesser degree than
static username and password pairs.
OTPs: A stronger method that provides the most secure username and password
authentication. Most OTP systems are based on a secret pass-phrase, which is used to
generate a list of passwords. They are only good for one login, and are therefore, not useful
to anyone who manages to eavesdrop and capture it. S/KEY is an OTP method developed
and trademarked by Bellcore, and is typically used for terminal logins. In S/KEY, the secret
pass-phrase is used to generate the first password, and each successive password is
generated from the previous one by encrypting it. A list of passwords is generated by the
S/KEY server software, and is distributed to users.
Token cards and soft tokens: Based on something you have (token card) and something
you know (token card personal identification number [PIN]). Token cards are typically
small electronic devices about the size and complexity of a credit card-sized calculator.
There are many token card vendors, and each has its own token card server. The PIN is
The authentication method should be chosen and implemented based on the guidelines
established in the network security policy.
Authentication: Remote PC Username and Password
Figure: a remote PC sends its username and password (TCP/IP, PPP) over the PSTN or ISDN to the network access server, which checks them against a Windows security server; the password is sent in clear text over the network. In the S/KEY variant, the workstation password (clear text) is passed through a hash function to produce S/KEY passwords, and the security server must support S/KEY.
Remote logins can allow passwords to be sent as clear text over networks. An eavesdropper
could capture passwords and use them to gain unauthorized access to systems. One way to
create passwords that can be safely sent over remote connections is to do what S/KEY does and
use a one-way hashing algorithm to create an OTP scheme.
S/KEY uses either Message Digest 4 (MD4) or MD5 (one-way hashing algorithms developed
by Ron Rivest) to create an OTP system. In this system, passwords are sent as clear text over
the network; however, after a password has been used, it is no longer useful to the
eavesdropper. The main advantage of S/KEY is that it protects against eavesdroppers without
modification of client software and imposes only marginal inconvenience to the users.
The S/KEY system involves three main pieces: the client, the host, and a password calculator.
The client is responsible for providing the login shell to the user. The shell does not contain any
persistent storage for password information. The host is responsible for processing the user
login request. The host stores the current OTP as well as the login sequence number in a file
and is responsible for providing the client with a seed value. The password calculator is a one-
way hashing function that creates an irreversible password. The network protocol between the
client and the host is completely independent of the scheme. Cisco Secure ACS supports
S/KEY authentication.
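The hash chain described above, as an added example that is not part of the original guide or of any Cisco or S/KEY implementation: it is a simplified model that uses MD5 as the one-way function (the text says S/KEY accepts MD4 or MD5) and folds the 128-bit digest to 64 bits by XORing its two halves, the rule RFC 2289 gives for those hashes. The passphrase, seed and sequence number below are constructed values, and passwords are handled as raw 8-byte values rather than the six-word form shown to users.

```python
"""S/KEY-style one-time password chain: host stores p[n], client presents
p[n-1], p[n-2], ... one per login. Simplified model, not Cisco Secure ACS code."""
import hashlib
from typing import List, Tuple


def fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the two halves (RFC 2289 rule)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_step(prev: bytes) -> bytes:
    """One application of the one-way function: MD5, then fold."""
    return fold(hashlib.md5(prev).digest())


def skey_chain(passphrase: str, seed: str, n: int) -> List[bytes]:
    """Return p[0..n]: p[0] = H(seed + passphrase), p[i] = H(p[i-1]).

    Every password is derived only from the secret passphrase and the public
    seed, so the client needs no stored password information.
    """
    cur = skey_step((seed + passphrase).encode())
    chain = [cur]
    for _ in range(n):
        cur = skey_step(cur)
        chain.append(cur)
    return chain


class SkeyHost:
    """Host side: keeps only the seed, the sequence number and the last accepted
    password (the host file the text mentions), never the passphrase."""

    def __init__(self, seed: str, seq: int, last_otp: bytes) -> None:
        self.seed = seed
        self.seq = seq            # index of last_otp in the chain
        self.last_otp = last_otp

    def challenge(self) -> Tuple[int, str]:
        """Tell the client which password to produce: p[seq-1] for this seed."""
        return self.seq - 1, self.seed

    def login(self, otp: bytes) -> bool:
        """Accept otp only if hashing it once yields the stored password.

        On success the presented otp becomes the stored value, so the same otp
        is never accepted twice: an eavesdropper who captured it in the clear
        gains nothing, and cannot run the one-way function backwards to p[seq-2].
        """
        if skey_step(otp) != self.last_otp:
            return False
        self.last_otp = otp
        self.seq -= 1
        return True


def client_response(passphrase: str, seq: int, seed: str) -> bytes:
    """Client / password calculator: recompute p[seq] from the passphrase."""
    return skey_chain(passphrase, seed, seq)[seq]


def demo() -> dict:
    """Constructed walk-through: enrol with n=5, log in, replay, log in again."""
    passphrase, seed, n = "correct horse battery", "ts23", 5   # constructed values
    host = SkeyHost(seed, n, skey_chain(passphrase, seed, n)[n])

    seq, s = host.challenge()                      # host asks for p[4]
    otp = client_response(passphrase, seq, s)      # travels in the clear
    first = host.login(otp)                        # True: H(p[4]) == p[5]
    replay = host.login(otp)                       # False: p[4] already consumed

    seq, s = host.challenge()                      # host now asks for p[3]
    second = host.login(client_response(passphrase, seq, s))   # True
    return {"first": first, "replay": replay, "second": second, "seq": host.seq}


if __name__ == "__main__":
    print(demo())
```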
Authentication: Token Cards and Servers
Figure: the four steps of token card OTP authentication (1 to 4), as described below.
Another OTP authentication method that adds a new layer of security is accomplished with a
token card (or smart card) and a token server. Each token card, about the size of a credit card, is
programmed to a specific user and each user has a unique PIN that can generate a password
keyed strictly to the corresponding card. OTP authentication takes place between the specified
token server with a token card database and the user.
Token cards and servers generally work as shown in the figure and as described in the
following steps:
Step 1 The user generates an OTP with the token card that uses a security algorithm.
Step 2 The user enters the OTP into the authentication screen generated by the remote
client (in this example the Windows Dial-Up Networking screen).
Step 3 The remote client sends the OTP to the token server via the network and an
authenticating device, either directly or through the AAA server.
Step 4 The token server uses the same algorithm to verify that the password is correct and
authenticates the remote user.
Token cards are now implemented in software for installation on the remote client. SofToken,
which generates single-use passwords without the associated cost of a hardware token, is one
example of software token cards.
AAA Example: Authentication via PPP Link
PAP provides a simple method for the remote client to establish its identity using a two-way
handshake. The handshake is done only after initial PPP link establishment. After the link
establishment phase is complete, a username and password pair is repeatedly sent in clear text
by the peer to the authenticator until authentication is acknowledged or the connection is
terminated.
CHAP is used to periodically verify the identity of the peer using a three-way handshake. The
handshake is done upon initial link establishment, and may be repeated anytime after the link
has been established.
CHAP provides protection against playback attack by the peer using an incrementally changing
identifier and a variable challenge value. The use of repeated challenges is intended to limit the
time of exposure to any single attack. The authenticator is in control of the frequency and
timing of the challenges.
This authentication method depends upon a secret known only to the authenticator and that
remote client. The secret is not sent over the link. Although the authentication is only one-way,
by negotiating CHAP in both directions the same secret set may easily be used for mutual
authentication.
CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password
databases commonly available (such as the Windows 2000 SAM hive) cannot be used.
The ppp authentication ms-chap command used in Cisco IOS Software Release 11.3 and later
allows Cisco routers to define MS-CHAP authentication.
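The PAP and CHAP exchanges described above, as an added example that is not part of the original guide or of Cisco IOS: a small simulation in which the CHAP Response is MD5 over identifier, shared secret and challenge (RFC 1994), showing why the secret must be held in plaintext on the authenticator, why a recorded response does not replay, and how PAP puts the password itself on the wire. The peer name and secret are constructed values.

```python
"""PAP versus CHAP on a simulated PPP link (model only, not Cisco IOS code)."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: the credentials are sent in clear text."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Router side. Secrets must be available in plaintext, which is why an
    irreversibly hashed password store cannot back CHAP."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets
        self.next_id = 1
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge value

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a Challenge: incrementing identifier plus a fresh random value."""
        identifier, self.next_id = self.next_id, (self.next_id + 1) % 256
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a Response. A challenge is consumed on first use, so a recorded
        response cannot be replayed, and a later challenge has a new value."""
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Remote client side: knows its name and the shared secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def demo() -> Dict[str, bool]:
    secret = b"s3cret-ppp"                                 # constructed
    auth = Authenticator({"remote1": secret})
    peer = Peer("remote1", secret)

    # PAP: the password itself is in the frame an eavesdropper captures.
    pap_exposes = b"s3cret-ppp" in pap_request("remote1", "s3cret-ppp")

    # CHAP three-way handshake: Challenge -> Response -> Success/Failure.
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    chap_ok = auth.verify(ident, name, resp)
    secret_on_wire = secret in resp

    # An eavesdropper replays the recorded response: the challenge is spent,
    # and a new challenge carries a different identifier and value.
    replay_same_id = auth.verify(ident, name, resp)
    ident2, _ = auth.challenge()
    replay_new_id = auth.verify(ident2, name, resp)

    # A peer holding the wrong secret fails a fresh challenge.
    ident3, chal3 = auth.challenge()
    wrong = auth.verify(ident3, *Peer("remote1", b"guess").respond(ident3, chal3))
    return {"pap_exposes_password": pap_exposes, "chap_ok": chap_ok,
            "secret_on_wire": secret_on_wire, "replay_same_id": replay_same_id,
            "replay_new_id": replay_new_id, "wrong_secret": wrong}


if __name__ == "__main__":
    print(demo())
```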
Authenticate Router Access
This topic describes the three general steps that are required to configure a Cisco router to
perform AAA using a local database for authentication.
Figure: a router reached from a Telnet host on the LAN, from the console, and from the Internet.
It is important that you secure the interfaces of all your routers, particularly your network
access servers and Internet routers.
You must configure the router to secure administrative access and remote LAN network access
using AAA commands. The router access modes, port types, and AAA command elements are
compared in the Router Access table.
Router Access
Access Type: Remote administrative access
  Modes: Character (line/exec mode)
  Network Access Server Ports: TTY, vty, AUX, and console
  AAA Command Element: login, exec, nasi connection, arap, and enable commands
Access Type: Remote network access
  Modes: Packet (interface mode)
  Network Access Server Ports: async, group-async, BRI, and PRI
  AAA Command Element: ppp, network, and arap commands
The following are the three general steps required to configure the router for AAA:
Configure AAA on Cisco Routers
This topic describes how to configure AAA on a Cisco perimeter router using aaa commands.
router(config)# aaa new-model
The first step to configure a NAS or router to use the AAA process is to establish an AAA topic
in the configuration file using the aaa new-model command.
The aaa new-model command forces the router to override every other authentication method
previously configured for the router lines. If an administrative Telnet or console session is lost
while enabling AAA on a Cisco router, and no local AAA user authentication account and
method exists, the administrator will be locked out of the router. Therefore, it is important that
you configure a local database account, as shown in the figure.
Caution When using the Cisco IOS Software aaa new-model command, always provide for a local
login method. This provision guards against the risk of being locked out of a router should
the administrative session fail while you are in the process of enabling AAA.
Specifying the local authentication method enables you to re-establish your Telnet or console
session and use the locally defined authentication list to access the router. If you fail to do this,
and you become locked out of the router, physical access to the router is required (console
aaa authentication Commands
The figure contains a complete listing of aaa authentication commands for Cisco IOS
Software Release 12.2 and later. It is important that you learn the following three commands
and how to implement them in an AAA environment:
The aaa authentication login command
The aaa authentication ppp command
The aaa authentication enable default command
After enabling AAA globally on the access server, you need to define the authentication
method lists and apply them to lines and interfaces. These authentication method lists are
security profiles that indicate the service (PPP, AppleTalk Remote Access Protocol [ARAP],
NetWare Access Server Interface [NASI], or login) and the authentication method (local,
TACACS+, RADIUS, line, or enable authentication). Up to four authentication methods may
be applied to a line or interface. A good security practice is to have either local or enable
authentication as the last-resort method, so that you can recover from a severed link to the
chosen method server.
Complete the following steps to define an authentication method list using the aaa
authentication command:
aaa authentication login Command
To set AAA authentication at login use the aaa authentication login command in global
configuration mode, as shown in this figure.
The following is the syntax for the aaa authentication login command:
default Uses the listed authentication methods that follow this argument as the
default list of methods when a user logs in
list-name Character string used to name the list of authentication methods activated
when a user logs in
group radius: Uses the list of all RADIUS servers for authentication
group tacacs+: Uses the list of all TACACS+ servers for authentication
To specify one or more AAA authentication methods for use on serial interfaces running PPP,
use the aaa authentication ppp command in global configuration mode, as shown in the
figure.
The following is the syntax for the aaa authentication ppp command:
default Uses the listed authentication methods that follow this argument as the
default list of methods when a user logs in
list-name Character string used to name the list of authentication methods activated
when a user logs in
krb5: Uses Kerberos 5 for authentication (can only be used for PAP
authentication)
aaa authentication enable default Command
Use the aaa authentication enable default command in global configuration mode, as shown
in this figure, to enable AAA authentication to determine if a user can access the privileged
command level.
The following is the syntax for the aaa authentication enable default command:
The example in the figure creates an authentication list that first tries to contact a TACACS+
server. If no server can be found, AAA tries to use the enable password. If this attempt also
returns an error (because no enable password is configured on the server), the user is allowed
access with no authentication.
Refer to the AAA Authentication Method Table for a full description of the method
command element.
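The fall-through behaviour of that method list, as an added example that is not part of the original guide or of Cisco IOS: a simulation in which each method returns pass, fail or error, and only an error moves the walk on to the next method. The list the figure describes (TACACS+, then the enable password, then no authentication) is assumed to correspond to aaa authentication enable default group tacacs+ enable none; the account, enable password and server state are constructed.

```python
"""How an IOS AAA method list is walked: a later method runs only when the
previous one returns ERROR (could not answer), never after FAIL (rejected).
Illustrative simulation only, not Cisco IOS code."""
from enum import Enum
from typing import Callable, Dict, List, Optional


class Result(Enum):
    PASS = "pass"     # method accepted the credentials
    FAIL = "fail"     # method answered and rejected them
    ERROR = "error"   # method could not answer (server unreachable, nothing configured)


Method = Callable[[str, str], Result]


def group_tacacs(servers_reachable: bool, accounts: Dict[str, str]) -> Method:
    """'group tacacs+': ERROR when no server answers, otherwise PASS or FAIL."""
    def method(user: str, password: str) -> Result:
        if not servers_reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def enable(enable_password: Optional[str]) -> Method:
    """'enable': compares against the enable password; ERROR if none is configured."""
    def method(user: str, password: str) -> Result:
        if enable_password is None:
            return Result.ERROR
        return Result.PASS if password == enable_password else Result.FAIL
    return method


def local(accounts: Dict[str, str]) -> Method:
    """'local': the router's own username database; it can always answer."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def none(user: str, password: str) -> Result:
    """'none': no authentication, every request passes."""
    return Result.PASS


def authenticate(method_list: List[Method], user: str, password: str) -> bool:
    """Walk the list in order (a real line or interface takes at most four methods)."""
    for method in method_list[:4]:
        result = method(user, password)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False        # FAIL ends the walk; later methods are not tried
    return False                # every method errored and nothing remains: deny


def demo() -> Dict[str, bool]:
    accounts = {"admin": "Str0ng-enable"}          # constructed
    # The figure's list: TACACS+ first, then the enable password, then none.
    figure_list = [group_tacacs(False, accounts), enable(None), none]
    # The same first method with a local fallback, the practice the text recommends.
    local_fallback = [group_tacacs(False, accounts), local(accounts)]
    return {
        # Servers down and no enable password set: 'none' admits anyone at all.
        "servers_down_none_admits_anyone": authenticate(figure_list, "intruder", ""),
        # Server reachable and rejects the password: FAIL stops before 'none'.
        "server_rejects_stops_before_none":
            authenticate([group_tacacs(True, accounts), none], "admin", "wrong"),
        # Local fallback: the right password still works with servers down...
        "servers_down_local_ok": authenticate(local_fallback, "admin", "Str0ng-enable"),
        # ...and a wrong one is still denied.
        "servers_down_local_bad": authenticate(local_fallback, "admin", "wrong"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```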
Apply Authentication Commands to Lines and Interfaces
As shown in the figure, authentication commands can be applied to router lines and interfaces.
Use the aaa authorization command in global configuration mode, as shown in the figure, to
set parameters that restrict administrative exec access to the routers or user access to the
network.
Refer to the AAA Authorization Command Table for a full description of the command
syntax.
Command Element Description
default Uses the listed authentication methods that follow this argument
as the default list of methods for authorization
list-name This is the character string that is used to name the list of
authorization methods.
There is a provision for naming the authorization list after specifying the service, just as there
is for naming an authentication list. The list of methods is also not limited to a single method,
but may contain up to four methods that fail over in order, as the aaa authentication
command provides.
Named authorization lists allow you to define different methods for authorization and
accounting and apply those methods on a per-interface or per-line basis.
To enable AAA accounting of requested services for billing or security purposes when you use
RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To
disable AAA accounting, use the no form of this command. Refer to the AAA Accounting
Command Syntax table for a description of the command syntax.
The first example in the figure defines a default command accounting method list, where
accounting services are provided by a TACACS+ security server, set for privilege level 15
commands with a stop-only restriction.
The second example defines a default auth-proxy accounting method list, where accounting
services are provided by a TACACS+ security server with a start-stop restriction. The aaa
accounting command activates authentication proxy accounting.
AAA Accounting Command Syntax
system Performs accounting for all system-level events not associated with users,
such as reloads
network Runs accounting for all network-related service requests, including Serial
Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs),
and AppleTalk Remote Access Protocol (ARAP)
exec Runs accounting for EXEC shell sessions. This keyword might return user profile
information such as what is generated by the autocommand command.
connection Provides information about all outbound connections made from the network
access server, such as Telnet, local-area transport (LAT), TN3270, packet
assembler and disassembler (PAD), and rlogin
commands level This command element runs accounting for all commands at the specified
privilege level. Valid privilege level entries are integers from 0 to 15.
default Uses the listed accounting methods that follow this argument as the default
list of methods for accounting services
list-name Character string used to name the list of at least one of the accounting
methods
start-stop This command element sends a "start" accounting notice at the beginning
of a process and a "stop" accounting notice at the end of a process. The
"start" accounting record is sent in the background. The requested user
process begins regardless of whether the "start" accounting notice was
received by the accounting server.
stop-only Sends a "stop" accounting notice at the end of the requested user process
Use the following debug commands on your routers to trace AAA packets and monitor
authentication, authorization, or accounting activities:
The debug aaa authentication command displays debugging messages on authentication
functions.
The debug aaa authorization command displays debugging messages on authorization
functions.
The debug aaa accounting command displays debugging messages on accounting
functions.
Troubleshooting AAA Using the debug aaa authentication Command
To display information on AAA authentication, use the debug aaa authentication command in
privileged-EXEC command mode, as shown in the figure. Use the no debug aaa
authentication form of the command to disable this debug mode.
This figure contains debug output for a successful AAA authentication using a local database.
To display information on AAA authorization, use the debug aaa authorization command in
privileged-EXEC mode. Use the no debug aaa authorization form of the command to disable
this debug mode.
The figure displays sample output from the debug aaa authorization command where an exec
authorization for user carrel is performed. The output is interpreted as follows:
On the first line, the username carrel is authorized.
On the second and third lines, the attribute value (AV) pairs are authorized.
The debug output displays a line for each AV pair that is authorized.
The display indicates the authorization protocol used.
The final line in the display indicates the status of the authorization process, which, in this
case, has failed.
The aaa authorization command causes a request packet containing a series of AV pairs to be
sent to the TACACS daemon as part of the authorization process. The daemon responds in one
of the following three ways:
Accepts the request as is
Makes changes to the request
Refuses the request, thereby refusing authorization
The AV pairs associated with the debug aaa authorization command that may appear in the
debug output are described as follows:
service=arap: Authorization for the ARA protocol is being requested.
service=shell: Authorization for exec startup and command authorization is being
requested.
service=ppp: Authorization for PPP is being requested.
service=slip: Authorization for SLIP is being requested.
protocol=lcp: Authorization for Link Control Protocol (LCP) is being requested (lower
layer of PPP).
protocol=ip: Used with service=slip and service=ppp to indicate which protocol layer is
being authorized.
protocol=ipx: Used with service=ppp to indicate which protocol layer is being authorized.
protocol=atalk: Used with service=ppp or service=arap to indicate which protocol layer is
being authorized.
protocol=vines: Used with service=ppp for Virtual Integrated Network Service (VINES)
over PPP.
protocol=unknown: Used for undefined or unsupported conditions.
cmd=x: Used with service=shell, if cmd=NULL, this is an authorization request to start an
exec. If cmd is not NULL, this is a command authorization request and will contain the
name of the command being authorized (for example, cmd=telnet).
cmd-arg=x: Used with service=shell. When performing command authorization, the name
of the command is given by the cmd=x pair and each argument listed is given by a
cmd-arg=x pair (for example, cmd-arg=archie.sura.net).
acl=x: Used with service=shell and service=arap. For ARA, this pair contains an access list
number. For service=shell, this pair contains an access class number (for example, acl=2).
inacl=x: Used with service=ppp and protocol=ip. Contains an IP input access list for SLIP
or PPP/IP (for example, inacl=2).
outacl=x: Used with service=ppp and protocol=ip. Contains an IP output access list for
SLIP or PPP/IP (for example, outacl=4).
addr=x: Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that
the remote host should use when connecting via SLIP or PPP/IP (for example,
addr=172.30.23.11).
routing=x: Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to
the /routing flag in SLIP and PPP commands. Can either be true or false (for example,
routing=true).
timeout=x: Used with service=arap. The number of minutes before an ARA session
disconnects (for example, timeout=60).
autocmd=x: Used with service=shell and cmd=NULL. Specifies an autocommand to be
executed at exec startup (for example, autocmd=telnet yxz.com).
noescape=x: Used with service=shell and cmd=NULL. Specifies a noescape option to the
username configuration command. Can be either true or false (for example, noescape=true).
nohangup=x: Used with service=shell and cmd=NULL. Specifies a nohangup option to the
username configuration command. Can be either true or false (for example,
nohangup=false).
priv-lvl=x: Used with service=shell and cmd=NULL. Specifies the current privilege level
for command authorization as a number from 0 to 15 (for example, priv-lvl=15).
zonelist=x: Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example,
zonelist=5).
2-62 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
Troubleshooting AAA Using the debug aaa accounting Command
To display information on accounting events as they occur, use the debug aaa accounting
privileged exec command, as shown in the figure. Use the no debug aaa accounting form of
the command to disable this debug mode. This figure displays sample output from the debug
aaa accounting command.
The information displayed by the debug aaa accounting command is independent of the
accounting protocol used to transfer the accounting information to a server. Use the debug
tacacs and debug radius protocol-specific commands to get more detailed information about
protocol-level issues.
You can also use the show accounting command to step through all active sessions and to print
all the accounting records for actively accounted functions. The show accounting command
enables you to display the active accounting events on the system. This command provides
systems administrators with a quick look at what is happening, and may also be useful for
collecting information in the event of data loss on the accounting server. The show accounting
command displays additional data on the internal state of the AAA security system if the debug
aaa accounting command is active as well.
Summary
Administrative and remote network access modes can be secured with AAA.
Cisco router AAA configuration should follow an orderly progression.
Use the aaa new-model command to add AAA services to a Cisco router.
Use aaa commands to specify authentication, authorization, and accounting processes and methods.
Use debug aaa commands selectively to troubleshoot AAA.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Name the strongest authentication method. (Source: Introduction to AAA for Cisco
Routers)
Q2) List the three pieces of the S/KEY system. (Source: Introduction to AAA for Cisco
Routers)
Q3) Put the following three steps required to configure the router for AAA in the correct
order. Put the number 1, 2, or 3 in the space provided. (Source: Authenticate to a LAN)
_____ 1. Configure AAA on the router. _____
_____ 2. Secure access to privileged-EXEC and configuration mode on vty,
asynchronous, auxiliary and TTY ports. _____
_____ 3. Enable AAA globally on the router. _____
Q4) How can you guard against the risk of being locked out of a router should the
administrative session fail while you are in the process of enabling AAA? (Source:
Authenticate to a LAN)
Q5) What authentication method uses "something you have and something you know"?
(Source: Authenticate to a LAN)
A) token card
B) OTP
C) username and password (aging)
D) username and password (static)
_____ 3. This command forces the router to override every other authentication
method previously configured for the router lines.
_____ 4. In global configuration mode, this command specifies one or more AAA
authentication methods for use on serial interfaces.
_____ 6. In global configuration mode, this command sets parameters that restrict
administrative access to the routers or user access to the network.
Q7) List the three debug commands used for troubleshooting AAA. (Source: Troubleshoot
AAA on Cisco Routers)
Lesson Self-Check Answer Key
Q1) Token cards or soft tokens using OTPs
Q5) A
Q7) debug aaa authorization, debug aaa authentication, debug aaa accounting
Cisco Secure ACS Overview
This topic describes the key features, concepts and purpose of Cisco Secure ACS for Windows
Server.
[Figure: AAA deployment challenges (time-consuming, difficult logistics, limited access and privilege rights options, non-scalable) shown against the access types to be controlled (VoIP, 802.1x switches, device administration, wireless, Telnet admin)]
In the past, network security was relatively simple. Users were physically located within the
corporate campus and the networks were smaller. But now, the corporate networks can be
accessed using wireless interface cards or using the public ISP network and virtual private
networks (VPN). It is not uncommon for a wireless user to easily access the Internet and other
corporate resources through unsecured resources. The security challenges arising from this
expanded access are daunting. Many network administrators are unaware of vulnerabilities and
believe the deployment of authentication, authorization and accounting (AAA) services is too
time consuming, not scalable, or difficult to administer.
Most network access devices come with AAA type features embedded in their software. As a
simple example, Cisco IOS devices allow you to configure access control lists (ACLs) to
control access by host, protocol, interface, and so on. It is quite feasible for a network
administrator to configure each access device in a very small network individually and since
the administrative access needed to configure the devices is limited to a few individuals who
need complete access, simple enable password protection is often adequate. However, as
networks grow and become more geographically dispersed, configuring individual devices one
by one becomes impractical.
[Figure: enterprise network diagram with desktops, notebooks and IP telephones behind workgroup switches, an access router, an access point and a PIX security appliance, with file, e-mail and access control policy servers and a connection to the Internet]
Most access devices have an embedded authentication, authorization and accounting (AAA or
triple A) client that defers AAA services to an AAA server. This configuration allows
centralization of access control for quick administration of access control changes for users and
devices on a global basis, and has the advantage of being very scalable. A centralized AAA
server allows for precise access control, even among the cadre of network administrators. For
example, selected administrators can have full administration rights on some routers but not all,
depending on policy.
When a user attempts to access the network or network devices through a device configured as
an AAA client, the AAA client forwards the user authentication request (username and
password) to the AAA server. The AAA server returns either a success or a failure response,
depending on the information in the server repository. Once the user is successfully
authenticated, the AAA server sends a set of session attributes (authorization) to the AAA
client to provide additional security and control of privileges for the user.
The Cisco Secure Access Control Server (ACS) for Windows Server combines all three AAA
activities on one device:
Authentication: When a user seeks network access, the Network Access Device (NAD)
challenges the user for identity credentials such as a password or a token. The NAD passes
these credentials to the Cisco Secure ACS for AAA analysis. Cisco Secure ACS authenticates
the credentials against a known database of users. Cisco Secure ACS then applies the user's
corresponding access policy to the NAD.
Authorization: The user is either denied access or authorized access to assigned resources on
the network allowed by policy.
Accounting: Cisco Secure ACS accounting can then start monitoring and logging the network
activity of the user.
Cisco Secure ACS Components
Cisco Secure ACS for Windows provides a centralized identity networking solution and
simplified user management experience across all Cisco devices and security management
applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing
network administrators to control the following:
Who can log into the network
The privileges each user has in the network
Recorded security audit or account billing information
Access and command controls that are enabled for the administrator of each configuration
Cisco Secure ACS and the AAA Client
This topic describes the interaction between Cisco Secure ACS and the AAA client.
AAA Protocols: RADIUS or TACACS+
RADIUS                                          TACACS+
UDP, connectionless                             TCP, connection oriented
Encrypts only the passwords, up to 16 bytes     Full packet encryption
Cisco Secure ACS uses two distinct protocols for AAA services:
Remote Authentication Dial-In User Service (RADIUS) and
Terminal Access Controller Access Control System (TACACS+)
RADIUS is the industry standard for AAA support. It provides authentication and authorization
in a single step. When the user logs into the network, the NAS prompts the user for a username
and a password. The NAS then sends the request to the Cisco Secure ACS. The NAS may
include a request for access restrictions or per-user configuration information. The RADIUS
server returns a single response with authentication approval status and any related access
information available.
TACACS+ is the Cisco Systems proprietary AAA protocol that separates the authentication,
authorization, and accounting steps. This allows administrators to use separate authentication
solutions while still using TACACS+ for authorization and accounting. For example, if
additional authorization checking is needed, the access server can check with a TACACS+
server to determine whether the user is granted permission to use a particular command. This
provides greater control over the commands that can be executed on the access server and
decouples the authorization process from the authentication mechanism. As another example,
with TACACS+, it is possible to use Kerberos Protocol authentication and TACACS+
authorization and accounting. After an NAS passes authentication on a Kerberos server, it
requests authorization information from a TACACS+ server without having to re-authenticate
the NAS by using the TACACS+ authentication mechanism. The NAS informs the TACACS+
server that it has successfully passed authentication on a Kerberos server, and the server then
provides authorization information.
In the figure, the TACACS+ traffic example assumes that when a user Telnets to a router,
performs a command, and then exits the router, the login authentication, exec authorization,
command authorization, start-stop exec accounting, and command accounting are implemented
with TACACS+.
The RADIUS traffic example assumes that when a user Telnets to a router, performs a
command, and then exits the router (other management services are not available), the login
authentication, exec authorization, and start-stop exec accounting are implemented with
RADIUS.
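To make the "encrypts only the password" versus "full packet encryption" distinction in the table above concrete, here is an added Python example (not code from the student guide or from Cisco) implementing the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body pseudo-pad of RFC 8907 section 4.5; the shared secrets, Request Authenticator, session ID and packet contents are constructed sample values.

```python
"""Added example, not from the Cisco student guide: what 'RADIUS encrypts
only the password' and 'TACACS+ encrypts the full packet' look like in code.
radius_hide_password follows RFC 2865 section 5.2 and tacacs_plus_crypt the
pseudo-pad of RFC 8907 section 4.5; all secrets and sample fields below are
constructed values chosen for this example."""
import hashlib


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a RADIUS User-Password: pad with NULs to a multiple of 16 bytes,
    then XOR each 16-byte block with MD5(secret + previous ciphertext block),
    using the 16-byte Request Authenticator as the 'previous block' for the
    first one.  Every other attribute in the Access-Request is sent in the clear."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining uses the ciphertext block just produced
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; the NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Name (type 1) and User-Password (type 2) as RADIUS
    type/length/value attributes.  Only the password value is hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_plus_pad(session_id: int, key: bytes, version: int,
                    seq_no: int, length: int) -> bytes:
    """TACACS+ pseudo-pad: MD5(session_id || key || version || seq_no) gives the
    first 16 bytes; each further 16 bytes is the MD5 of the same fields followed
    by the previous MD5 output.  Truncated to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = bytearray(), b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(pad[:length])


def tacacs_plus_crypt(body: bytes, session_id: int, key: bytes,
                      version: int, seq_no: int) -> bytes:
    """XOR the entire packet body with the pseudo-pad.  The same call encrypts
    and decrypts, so username, password and every other field are covered."""
    pad = tacacs_plus_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    # Constructed sample values (not real credentials or a captured session).
    secret, authenticator = b"sharedsecret", bytes(range(16))
    attrs = radius_access_request_attrs(b"fred", b"s3cret-pw", secret, authenticator)
    print("RADIUS: username readable on the wire?", b"fred" in attrs)       # True
    print("RADIUS: password readable on the wire?", b"s3cret-pw" in attrs)  # False
    # Constructed stand-in for an authentication START body (not a real capture).
    body = b"\x01\x0f\x01\x00\x04\x00\x09\x00fredtty0s3cret-pw"
    cipher = tacacs_plus_crypt(body, 0x12345678, b"tacacskey", 0xC0, 1)
    print("TACACS+: username readable on the wire?", b"fred" in cipher)     # False
```

The RADIUS round trip shows why the shared secret and a fresh Request Authenticator matter: the keystream is derived only from them, so the User-Name and all other attributes travel unprotected.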
Authentication
This topic defines authentication as it applies to Cisco Secure ACS in terms of considerations,
user databases, protocol-database compatibility and basic and advanced password
configuration.
[Figure: authentication exchange between the AAA client (network access server) and Cisco Secure ACS]
The simplest form of authentication requires the user to provide a username and password. This
is a popular method for service providers because of its easy application by the client. The
disadvantage is that the user can give this information to someone else, someone can
guess it, or someone can capture it. Simple unencrypted username and password is not a strong
authentication mechanism but can be sufficient for low authorization or privilege levels such as
Internet access.
When an AAA client receives the username and password, the information is forwarded to the
AAA server or Cisco Secure ACS system using either RADIUS or TACACS+. As previously
described, RADIUS and TACACS+ encrypt the password using different methods. However,
the password is in clear text between the user workstation and the AAA client.
Using a username and a password that is fixed for authentication is adequate for simple
network implementations, but as a rule, when more authorization privileges are granted to a
user, the stronger the authentication needs to be. More modern and secure authentication
methods such as Challenge Handshake Authentication Protocol (CHAP) and one-time
passwords (OTP) have been developed to provide stronger authentication.
Cisco Secure ACS supports a wide variety of authentication methods including:
Password Authentication Protocol (PAP): This method uses clear-text passwords (that is,
unencrypted passwords) and is the least sophisticated authentication protocol. If you are
using the Windows NT or Windows 2000 user database to authenticate users, you must use
PAP password encryption or Microsoft CHAP (MS-CHAP).
CHAP: This method uses a challenge-response mechanism with one-way encryption on
the response. CHAP enables the Cisco Secure ACS to negotiate downward from the most
secure to the least secure encryption mechanism, and it protects passwords transmitted in
Cisco Secure ACS also offers support for many password options including the following:
Single password for all authentication methods (ASCII, PAP, CHAP, MS-CHAP, and
ARAP): This is the easiest set-up, but since the ASCII and PAP password is clear text,
there is a chance that the CHAP password can be compromised.
Separate passwords for ASCII, PAP, CHAP, MS-CHAP, ARAP: This option is less
convenient for the end user (needs two passwords), but if the ASCII or PAP password is
compromised, the CHAP password can remain intact.
Inbound password: This option is most commonly used by Cisco Secure ACS users. This
feature will be described in more detail. Both RADIUS and TACACS+ support inbound
passwords.
Outbound password: The outbound password enables an AAA client to authenticate itself
to another AAA client or end-user client via outbound authentication. This feature will be
described in more detail. Only TACACS+ supports outbound passwords.
Token caching: This option caches the OTP token for limited time use in a second ISDN B
channel using the same OTP entered during original authentication. For greater security,
the B-Channel authentication request from the AAA client should include the OTP in the
username value (for example Fredpassword) while the password value contains an
ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the
token is still cached and validate the incoming password against either the single
ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user
configuration.
Password aging: With this option, the password expires after a number of logins or days or
weeks, or some specified time period.
User changeable passwords: With Cisco Secure ACS, you can install a separate program
that enables users to change their passwords by using a web-based utility.
Inbound and Outbound Password Options
Inbound passwords:
Most commonly used
Supported by both TACACS+ and RADIUS
Held internally to the Cisco Secure user database
Not given to an external source if an outbound password is configured
Outbound passwords:
Only supported by TACACS+
Can be used to force an AAA client to be authenticated by another AAA client and end-user client
In addition to the basic password configurations listed above, Cisco Secure ACS supports the
following:
Inbound passwords: Passwords used by most Cisco Secure ACS users. Both TACACS+
and RADIUS protocols support inbound passwords. They are held internally to the Cisco
Secure user database and are not usually given up to an external source if an outbound
password has been configured.
Outbound passwords: The TACACS+ protocol supports outbound passwords that can be
used, for example, when an AAA client has to be authenticated by another AAA client and
end-user client. Passwords from the Cisco Secure user database are then sent back to the
second AAA client and end-user client.
The TACACS+ SENDAUTH feature enables an AAA client to authenticate itself to another
AAA client or an end-user client via outbound authentication. The outbound authentication can
be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is
given out. By default, the user ASCII/PAP or CHAP/ARAP password is used, depending on
how this has been configured; however, we recommend that the separate SENDAUTH
password be configured for the user so that Cisco Secure ACS inbound passwords are never
compromised.
If you want to use outbound passwords and maintain the highest level of security, we
recommend that you configure users in the Cisco Secure user database with an outbound
password that is different from the inbound password.
The table in the figure illustrates the flexibility of Cisco Secure ACS authentication. The
network administrator has flexibility in the type of database to employ to store AAA
information.
Cisco Secure ACS includes its own database and can also leverage many external databases
containing user authentication information. In this latter case, Cisco Secure ACS maps the user
to an external database to centralize the information for authentication. Different levels of
security can be concurrently used with Cisco Secure ACS for varying customer security
requirements and policies. Not all the authentication protocols supported by Cisco Secure ACS
can be used with the external databases supported by Cisco Secure ACS.
Authorization
This topic describes the authorization process and how it is related to authentication.
[Figure: after authentication, Cisco Secure ACS returns the user profile to the AAA client (network access server)]
Once a user has been authenticated, Cisco Secure ACS sends the AAA client a user profile,
which contains policies that dictate what network services the user can access. Cisco Secure
ACS allows the administrator to customize authorization on an individual user or a user group.
Access can be differentiated by levels of security, access times, and services. For example,
logins can be configured to permit or deny access based on time-of-day and day-of-the-week.
Downloaded policies can also include ACLs on a per-user or per-group basis to restrict areas of
the network or limit certain services such as FTP.
Some additional Cisco Secure ACS authorization features include the ability to perform the
following:
Disable an account after a number of failed attempts or on a specific date
Limit the number of concurrent sessions for either a group or a user
Define usage quotas by duration or total number based on daily, weekly, or monthly
periods
It should be evident that to provide capabilities such as time restricted accounts throughout the
enterprise, without a centralized AAA server, would consume vast amounts of time. However,
with Cisco Secure ACS, access configuration becomes much less complicated and time-
consuming.
[Figure: accounting, what the user is doing: the AAA client (network access server) reports session data to Cisco Secure ACS]
Once the user has been granted access to the network with certain privileges, the accounting
functions provided by the RADIUS and TACACS+ protocols allow the AAA clients to forward
relevant data for each user session to the Cisco Secure ACS. Depending on the configuration,
Cisco Secure ACS writes accounting records to either a comma-separated value (CSV) log file
or an Open DataBase Connectivity (ODBC) database. The logs are configured to capture as
much information as needed, but generally record information on session start and stop times,
AAA client messages by username, caller line identification, and duration of each session. The
log files can easily be exported into popular database and spreadsheet applications for billing,
security audits, and report generation.
Device Administration
This topic explains how Cisco Secure ACS can be used for configuration and administrative
tasks.
As mentioned earlier in this lesson, AAA functionality within Cisco Secure ACS can be used
for two similar access functions: network access, and access to network devices for
administration and configuration. It was also mentioned that the TACACS+ protocol is better
suited for the latter task because it has more features for user and command authorization.
Similar to network access, access to a device is controlled by an authentication dialog between
the AAA client (device to be accessed) and the Cisco Secure ACS server. Most network
administrators are familiar with logging into a device, providing the enable password, and
performing the functions they choose. With Cisco Secure ACS, different users can be given
different privileges even with device functions at the same privilege level.
To achieve this granularity of authorization, Cisco Secure ACS uses the concept of command
authorization sets (also known as device command sets [DCS]). For greatly enhanced
scalability and manageability of setting authorization restrictions for network administrators,
the Cisco Secure ACS DCS mechanism controls the authorization of each command on each
device per user, per group, or per network device group mapping. When TACACS+ command
authorization is enabled, each command executed by the authenticated user is sent by the AAA
client to Cisco Secure ACS for inclusion in the accounting logs.
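As an added illustration that is not part of the student guide, the following Python builds the service=shell, cmd= and cmd-arg= AV pairs described in the authorization AV-pair list earlier in this lesson for one exec command and evaluates them against a small command authorization set; the ordered permit/deny rules with regular expressions and first-match semantics are assumptions made for this example, not the Cisco Secure ACS DCS syntax.

```python
"""Added example, not from the Cisco student guide: builds the TACACS+
authorization AV pairs the guide lists for a shell command (service=shell,
cmd=x, cmd-arg=x, priv-lvl=x) and evaluates them against a command
authorization set.  The rule format and first-match semantics are an
assumption for illustration, not the Cisco Secure ACS DCS implementation."""
import re
import shlex
from typing import Dict, List, Tuple


def build_command_request(command_line: str, priv_lvl: int = 15) -> List[str]:
    """AV pairs an AAA client would send to authorize one exec command:
    the command name goes in cmd=, each argument in its own cmd-arg= pair."""
    words = shlex.split(command_line)
    if not words:
        raise ValueError("empty command line")
    pairs = ["service=shell", f"cmd={words[0]}"]
    pairs += [f"cmd-arg={arg}" for arg in words[1:]]
    pairs.append(f"priv-lvl={priv_lvl}")
    return pairs


def parse_av_pairs(pairs: List[str]) -> Dict[str, List[Tuple[str, bool]]]:
    """Split attr=value (mandatory) and attr*value (optional) pairs into
    attribute -> [(value, mandatory), ...]; repeated attributes such as
    cmd-arg keep their order.  Raises on malformed input instead of guessing."""
    parsed: Dict[str, List[Tuple[str, bool]]] = {}
    for pair in pairs:
        match = re.match(r"^([^=*]+)([=*])(.*)$", pair)
        if not match:
            raise ValueError(f"malformed AV pair: {pair!r}")
        attr, sep, value = match.groups()
        parsed.setdefault(attr, []).append((value, sep == "="))
    return parsed


# Constructed command authorization set (assumption): ordered (action, regex)
# rules matched against the reassembled command line; first match wins and an
# unmatched command is denied, the safer default for device administration.
COMMAND_SET = [
    ("permit", r"^show (version|ip route|interfaces)( \S+)*$"),
    ("deny", r"^telnet .*$"),          # no telnet to a named host from this device
    ("permit", r"^telnet$"),
    ("deny", r"^configure .*$"),
]


def authorize_command(pairs: List[str], command_set=COMMAND_SET) -> Tuple[bool, str]:
    """Evaluate a command authorization request.  A cmd with an empty value
    (the guide's cmd=NULL) is an exec-start request, not a command."""
    av = parse_av_pairs(pairs)
    service = av.get("service", [("", True)])[0][0]
    if service != "shell":
        return False, f"service={service!r} is not a shell request"
    cmd = av.get("cmd", [("", True)])[0][0]
    if cmd == "":
        return True, "exec start request (cmd=NULL)"
    args = [value for value, _ in av.get("cmd-arg", [])]
    full = " ".join([cmd] + args)
    for action, pattern in command_set:
        if re.match(pattern, full):
            return action == "permit", f"{full!r} matched {action} rule {pattern!r}"
    return False, f"{full!r} matched no rule (implicit deny)"


if __name__ == "__main__":
    for line in ("show ip route", "telnet archie.sura.net", "telnet", "reload"):
        request = build_command_request(line)
        print(request, "->", authorize_command(request))
```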
Summary
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) What are the three components of the Cisco Secure ACS? (Choose three.) (Source:
Cisco Secure ACS Overview)
A) AAA server
B) access point
C) user database
D) VPN
E) antivirus client
F) AAA client
Q2) Which three of the following are characteristics of RADIUS? (Choose three.) (Source:
Cisco Secure ACS and the AAA Client)
A) full packet encryption
B) encrypts passwords up to 16 characters in length
C) combines authentication and authorization into one step
D) treats authentication, authorization and accounting separately
E) best suited for router management
F) works with Kerberos encryption
Q3) Which four of the following are characteristics of TACACS+? (Choose four.) (Source:
Cisco Secure ACS and the AAA Client)
A) full packet encryption
B) combines authentication and authorization into one step
C) TCP connection oriented
D) treats authentication, authorization and accounting separately
E) best suited for router management
F) works with Kerberos encryption
Q4) Passwords are in clear text between the user workstation and the AAA client. (Source:
Authentication)
A) True
B) False
Q5) CHAP uses a challenge-response mechanism with one-way encryption on the response.
(Source: Authentication)
A) True
B) False
Q6) CHAP provides OTP. (Source: Authentication)
A) True
B) False
Q7) As a security feature, Cisco Secure ACS provides single passwords for PAP and
CHAP. (Source: Authentication)
A) True
B) False
Lesson Self-Check Answer Key
Q1) A, C and F
Q2) B, C and E
Q3) A, C, D and F
Q4) B
Q5) A
Q6) B
Q7) B
Q8) B
Objectives
Upon completing this lesson, you will be able to configure basic administrative access, AAA
clients, users and groups. This ability includes being able to meet these objectives.
Describe the layout of the Cisco Secure ACS interface
Describe how to configure the first administrator user account on Cisco Secure ACS
Describe how to configure administrator policies on the Cisco Secure ACS including
administrative access, session policy, and audit control policy
Describe how to set up the Cisco Secure ACS for remote administrator access
Describe how to configure external user databases, user interfaces and the system
Explain how the Interface Configuration task can be used to display or hide configuration
items
Describe how the System Configuration task is used to configure basic system parameters,
advanced system features, and basic system management tasks
The Cisco Secure ACS GUI
This topic describes the layout of the Cisco Secure ACS interface.
Access to Cisco Secure ACS is through a web browser client on the same machine as the Cisco
Secure ACS application. To access the Cisco Secure ACS interface, follow these steps:
Open a supported web browser on the Cisco Secure ACS local machine. Make sure a
supported web browser is properly configured. For example, Java and JavaScript must be
enabled.
Enter the following URL to access the ACS: http://<server IP address or host name or
localhost or 127.0.0.1>:2002.
By default, ACS does not require authentication when accessed from a Web browser on the
server. At this point, no ACS administrators have been configured. The ACS desktop loads
immediately.
The Cisco Secure ACS interface allows you to configure a range of TCP ports to be used as the
HTTP port for administrative sessions. As shown in the diagram, the initial HTTP port for the
connection to the ACS was changed from 2002 to 4778. A different port for HTTP will be
selected for each administrative session.
Later in this lesson, we will describe how to configure the range of ports used for HTTP
administrative sessions.
The figure shows the opening screen for the upcoming lab exercise.
Cisco Secure ACS GUI
The Cisco Secure ACS GUI can be broken down into three main components: the navigation
menu, a left display area and a right display area. The major functions or tasks of Cisco Secure
ACS are organized on the left side of the Cisco Secure ACS interface in the navigation menu.
When one of these functions or configuration tasks is selected, the two display areas will
change. Notice that the function or configuration task selected is listed above the left display
area. Typically, the left display area displays other selectable subtasks or items to be
configured. The title bar of the display area indicates what to do with the display contents. The
right display area typically displays context-sensitive help for the items displayed in the left
display area. The right display area can also display results of items selected in the left display
area or error messages for incorrect configurations. Scrolling to the bottom of the help display
reveals a Section Information button that when clicked displays the appropriate section of the
Cisco Secure ACS User Guide for the task selected from the navigation menu. Finally, the X
button in the upper-right corner of the desktop ends the administrative session.
The navigation bar is where the configuration of Cisco Secure ACS begins. Understanding
what items of Cisco Secure ACS can be configured by each function or task in the navigation
bar clarifies the use of Cisco Secure ACS. The following is a brief description of each Cisco
Secure ACS configuration task on the navigation menu. Each of these tasks will be discussed in
the remainder of this lesson.
User Setup: Use this menu item to create user profiles and to add to the Cisco Secure ACS
database (map a user to an authentication database, associate a user with a user group for
authorization, and configure any user specific authorizations).
Group Setup: Use this menu item to name groups and configure group authorizations.
Shared Profile Components: Use this menu item to develop reusable, shared sets of
authorization components and ease the authorization configuration for users and groups.
Create shared components for downloadable Cisco PIX access control lists (ACLs),
Network Access Restrictions (NARs), and Command Authorization sets.
Network Configuration: Use this menu item to create network device groups (optional),
add authentication, authorization, and accounting (AAA) clients and servers, and map AAA
clients and servers to network device groups.
System Configuration: Use this menu item to configure database maintenance, IP pool
management, VoIP accounting, Cisco Secure ACS service control, logging features, date
format, and password validation.
Interface Configuration: Use this menu item to choose which features and options the
Cisco Secure ACS interface will display.
Administration Control: Use this menu item to create administrator users and define
administrative access, session, and audit policies.
External User Databases: Use this menu item to configure which external databases are to
be used, create an unknown user policy, and map user databases to a user group.
Reports and Activities: Use this menu item to view any enabled reports.
On-Line Documentation: Use this menu item to view the online documentation.
Creating the First Administrator User Account
This topic describes how to configure the first administrator user account on the Cisco Secure
ACS.
To secure local access to Cisco Secure ACS and to allow for remote access to Cisco Secure
ACS, a Cisco Secure ACS administrator user must be created. The navigation menu button
descriptions on the previous page indicate that the Administration Control task is used to
complete this function.
The Administrative Control page displays a list of all the configured administrator accounts and
various task buttons that are used to add new Cisco Secure ACS administrators and to configure
various administrative policies. The right display area shows help descriptions for each of the
Administrative Control sub-tasks.
To add a new Cisco Secure ACS administrator, click the Add Administrator button.
[Figure: Add Administrator page: enter the administrator ID and password, grant this administrator all privileges; help on administrator attributes in the right display area]
The Add Administrator configuration page asks for the administrator (account) name and a
password. The rest of the Add Administrator page allows for the configuration of
the privileges for this administrator. Administrators must be explicitly granted privileges to
administer user groups, as well as all other configuration activities associated with the functions
listed in the navigation bar. For some of these functions, privileges can also be granted at the
sub-task level. For this user, however, we wish to have at least one Cisco Secure ACS
administrator who has all privileges: a super user.
When you click the Grant All button in the Administrator Privileges display box, all privileges
are granted. This causes all groups listed in the left Available Groups box to be moved into the
Editable Groups box and for all other privileges to be granted. Granting all privileges allows
this administrator to perform all Cisco Secure ACS configuration functions.
Clicking the Submit button creates a new Cisco Secure ACS administrator and returns to the
Administrative Control display page. Clicking the Cancel button returns you to the main
Administrative Control display page without actually creating the administrator.
Note The Administrator Privileges listed will change based on what is selected in the Advanced
Options sub-task of the Interface Configuration function. Later in this lesson, we will revisit
adding administrators and discuss the Interface Configuration function.
You can edit a Cisco Secure ACS administrator account to change the privileges granted to the
administrator. Revoking all privileges effectively disables an administrator account. You
cannot change the name of an administrator account; however, you can delete an administrator
account and then create an account with the new name. Simply click the name of the
administrator account whose privileges you want to edit, and follow the prompts. When all the
changes have been made, click Submit to save the changes.
You can delete a Cisco Secure ACS administrator account when you no longer need it. We
recommend deleting any unused administrator accounts. Simply click the name of the
administrator account you wish to delete and click Delete. On confirmation, Cisco Secure ACS
deletes the account. The Administrators table on the Administration Control page no longer
lists the administrator account that you deleted.
2-94 Securing Cisco Network Devices (SND) v1.0 Copyright © 2005, Cisco Systems, Inc.
Administrator Policies
Figure callout: Edit or delete an administrative user.
The administrator policies can be configured by clicking the appropriate button from the main
Administrative Control display page. There are three administrator policy buttons: the Access
Policy button, the Session Policy button and the Audit Policy button. Note that the
administrator just configured is now displayed in the list of Cisco Secure ACS administrators.
To edit or delete administrators, select them from this list. Click on the appropriate button to
enter the configuration dialog page for each of these policies. Submitting the policy returns you
to this main Administrative Control display page.
Access Policy
The Access Policy feature affects access to remote Cisco Secure ACS administration sessions.
You can limit remote administrator access by IP address and by the TCP port range used for
administrative sessions. Not all deployments of Cisco Secure ACS may want the system to be
accessed remotely for administration purposes. Therefore, use the Access Policy to determine
the rules for administrative access to the Cisco Secure ACS system.
Remote access to the Cisco Secure ACS can be limited to hosts with selected IP addresses. Use
the IP Address Filtering configuration box to determine the filtering criteria for permit or deny
access to the Cisco Secure ACS. IP Address Filtering is for the IP addresses listed in the IP
Address Ranges configuration box.
Note The IP address used for filtering is the one received by Cisco Secure ACS. This is crucial to
understand if either Network Address Translation (NAT) or proxy HTTP is implemented.
As previously mentioned, Cisco Secure ACS allocates the TCP port to be used for HTTP when
the administrator is granted access. The range of TCP ports to be used can be limited using the
HTTP Port Allocation configuration box. This limitation can help secure remote access to the
Cisco Secure ACS through a firewall.
Along with the account login information, the Administrative Access Policy can be used to
further refine secure access to the Cisco Secure ACS. Clicking the Submit button enforces the
newly configured access policies and returns to the main Administrative Control display page.
The Session Policy feature controls various aspects of the Cisco Secure ACS administrative
sessions. Session policies are used to help increase the security of the Cisco Secure ACS. When
initially installed, Cisco Secure ACS allows for automatic local login (no username or
password). Now that an administrator account with all privileges has been created, this
capability can be disabled to force all access to the Cisco Secure ACS to be authenticated.
Because leaving a Cisco Secure ACS administrative session unattended can be a recipe for
disaster, use the Session Policy to cease a session after a configurable amount of idle time.
Previously, the Access Policy configured a valid range of IP addresses to be used for remote
administrative access to the Cisco Secure ACS. The Cisco Secure ACS is by default configured
to send an error message for any access attempt made from a machine not in the valid range.
Uncheck this option in the Session Policy if no message is required. Finally, use the Session
Policy to lock out an administrator after a configurable number of failed login attempts.
Clicking the Submit button enforces the newly configured session policies and returns to the
main Administrative Control display page.
Audit Policy
Figure: Parameters for Administrator Audit Reports.
All activities performed by Cisco Secure ACS administrators are logged to an audit file. The
Audit Policy controls the time or amount of information in each file and the duration
maintained in the database. New audit files can be generated on a daily, weekly, monthly, or on
a configurable file size basis. Depending on which time option is selected, new daily files are
opened at 12:01 a.m. every day, new weekly files are opened at 12:01 a.m. every Sunday, and
monthly files are opened at 12:01 a.m. the first day of every month. Files can be maintained in
the directory based on a number of files, or on the age of the files. If the Manage Directory
check box is not checked, all logs are kept indefinitely. The Administrator Audit information
can be viewed by choosing Reports and Activities > Administrator Audit > filename.
Clicking the Submit button enforces the newly configured audit policies and returns to the main
Administrative Control display page.
Now that a Cisco Secure ACS administrator account and administrative policies have been
created, an administrator can remotely access Cisco Secure ACS from a host machine in the
valid IP address range defined in the Access Policy.
To remotely access Cisco Secure ACS, follow these steps:
1. Open a supported web browser. Make sure the browser is properly configured; for example,
Java and JavaScript must be enabled.
2. Enter the following URL to access the Cisco Secure ACS: http://<server IP address or
hostname>:2002.
3. At this point, you will receive the Login dialog as illustrated in the figure. Enter the Cisco
Secure ACS administrator account name and password and click Login.
The Cisco Secure ACS start page is now displayed. Notice that Cisco Secure ACS has assigned
a new TCP port for HTTP use for this session. This assignment is based on the range of ports to
be used for HTTP allocation as configured in the Access Policy.
Basic Configuration Tasks
This topic describes how to configure external user databases, user interfaces and the system.
The overall goal of complete deployment planning is to ensure that the basic configuration
tasks need only be performed once. However, because of the flexibility of the Cisco Secure
ACS, Cisco Secure ACS administrators may find themselves returning to some of these
configuration tasks on a periodic basis to fine-tune their Cisco Secure ACS deployment.
Based on display dependencies, there is some logic to the listed order of the configuration tasks
in this section. The external databases are configured first because they drive some system
configuration tasks. The Interface Configuration task drives which configuration components
are displayed in most of the other Cisco Secure ACS configuration task screens. Finally, the
Configure Reports task was included here because it is actually configured from within the
System Configuration tasks of Cisco Secure ACS. The basic configuration tasks are as follows:
It is logical that the starting point is to configure any external user databases used for
authentication. For Cisco Secure ACS to communicate with the external databases, some
form of application programming interface (API) for communication with the external
database is required.
The Interface Configuration task is the next logical choice in the configuration progression
because it can be used to display or hide different configuration items in most other
functional configuration areas of the Cisco Secure ACS.
The System Configuration task is used to configure some basic system parameters
(Logging, Date Format Control, Password Validation, and so on), advanced system features
that depend on how ACS is to be deployed (ACS Certificate Setup, IP Pools Server, and so
on), and basic system management tasks (ACS Backup, ACS Service Management).
Interface Configuration
The Interface Configuration task is the next logical choice in the progression of configuring
Cisco Secure ACS because it can be used to display or hide different configuration items in
most other functional configuration areas of the Cisco Secure ACS. This feature enhances the
ease of use of the Cisco Secure ACS product by hiding those features that are not being used.
When selecting the Interface Configuration task from the navigation menu, the Cisco Secure
ACS administrator is presented with several options for controlling what is displayed on the
various configuration screens within the Cisco Secure ACS. There are four categories of
Interface Configuration options:
User Data
Terminal Access Controller Access Control System Plus (TACACS+)
RADIUS
Advanced Options
The RADIUS and TACACS+ options only appear after an AAA client has been configured to
use the security protocol.
Administrators should plan which configuration features they want to use prior to starting any
detailed configuration work. Returning to this section to turn on or off a feature could mean a
fair amount of reconfiguration.
It should be noted that disabling an option in the Interface Configuration task does not affect
anything except the display of that function in the Cisco Secure ACS interface. Configurations
made while an Interface Configuration option was active, remain in effect even when that
Interface Configuration option is turned off. Further, the interface still displays any option that
has non-default values, even if you have configured that option to be hidden. If you later delete
values associated with that option, Cisco Secure ACS then hides the option from the interface.
Choosing the User Data Configuration option enables you to add (or edit) up to five fields used
to record additional information on each user. The fields you define on the Configure User
Defined Fields page subsequently appear in the Supplementary User Information section at the
top of the User Setup page. For example, you could add the user company name, telephone
number, department, billing code, and so on. These fields are also available for inclusion in the
accounting logs.
Clicking the Submit button includes these fields in the User Setup configuration dialog.
Interface Configuration: Advanced Options
Use the Advanced Options sub-task of the Interface Configuration task to choose which
configuration options to display for the various Cisco Secure ACS tasks, and to simplify their
configuration screens. The figure indicates which Cisco Secure ACS task displays will be
modified because of the selection of one of the Advanced Options. The Advanced Options can
be put into general areas of configuration including: various authorization parameters on either
a user or group level, the features of the Cisco Secure ACS network to use, logging options,
and specialized system configurations.
The Advanced Options features include the following:
Per-User TACACS+ and RADIUS Attributes: This option enables TACACS+ and
RADIUS attributes to be set at a per user level, in addition to being set at the group level.
User-Level NAR Sets: This option allows for named, IP-based and command-line
interface- (CLI) or dialed number identification service- (DNIS) based shared NARs to be
used on the User Setup page.
User-Level NARs: This option enables the two sets of options for defining user-level
IP-based and CLI- or DNIS-based NARs on the User Setup page.
User-Level Downloadable ACLs: This option allows for shared downloadable ACLs to
be used on the User Setup page.
Default Time-of-Day and Day-of-Week Specification: This option enables the default
time-of-day and day-of-week access settings grid on the Group Setup page.
Group-Level Network Access Restriction Sets: This option allows for named, IP-based
and CLI- or DNIS-based shared NARs to be used on the Group Setup page.
Group-Level Network Access Restrictions: This option enables the two sets of options
for defining group-level IP-based and CLI- or DNIS-based NARs on the Group Setup page.
Group-Level Downloadable ACLs: This option allows for shared downloadable ACLs to
be used on the Group Setup page.
When changes to the Advanced Options are complete you must click the Submit button to have
the changes take effect.
System Configuration
This topic describes how the System Configuration task is used to configure basic system
parameters, advanced system features, and basic system management tasks.
System Configuration
The System Configuration task is used to configure some basic system parameters (Logging,
Date Format Control, Password Validation, and so on), advanced system features (depending
on how ACS is to be deployed these features are: ACS Certificate Setup, IP Pools Server, and
so on), and basic system management tasks (ACS Backup, ACS Service Management). Thus,
what is actually selected for configuration on the System Configuration page depends on how
the ACS system is to be deployed and used.
Note Some of the options on this page may only be displayed if corresponding Interface
Configuration Advanced Options are enabled.
The following is a list of the System Configuration options. Most tasks are self-explanatory to
configure, but for additional information consult the ACS User Guide or the online
context-sensitive help displayed in the right display area of the ACS desktop. Some of these
options will be discussed in more detail in other sections of this lesson.
Service Control: This option opens the page from which you can stop or restart the ACS
services and configure the service log detail. Service Log configuration is discussed later in
this section.
Logging: This option configures various Cisco Secure ACS reports and customizes the
type of information that is logged. Logging configuration is discussed later in this lesson.
Date Format Control: This option configures the date format, either month/day/year or
day/month/year, for CSV files and Service Logs.
Password Validation: This option configures password parameters such as password
length. Note that this option does not apply to administrator passwords, enable passwords,
or sendauth passwords.
Summary
This topic summarizes the key points discussed in this lesson.
Q9) Although administrators can fine-tune configurations after they have been completed, it
is recommended that the initial configuration of Cisco Secure ACS follows a sequence.
Arrange the following configuration tasks in the recommended order by placing a
number of 1 to 4 in the space provided. (Source: Basic Configuration tasks)
A) configure the Cisco Secure ACS logs _____
B) configure the user interfaces _____
C) configure the system _____
D) configure the external user databases _____
Q10) The RADIUS and TACACS+ configuration options only appear after an AAA client
has been configured to use the protocol. (Source: User Interface Configuration)
A) True
B) False
Q11) Supplementary User Information appears in the User Interface, but is actually entered
in the accounting logs. (Source: User Interface Configuration)
A) True
B) False
Q12) TACACS+ and RADIUS attributes can only be set at a group level. (Source: User
Interface Configuration)
A) True
B) False
Q13) You can use shared downloadable ACLs on the User Setup page. (Source: User
Interface Configuration)
A) True
B) False
Q14) You cannot use shared downloadable ACLs on the Group Setup page. (Source: User
Interface Configuration)
A) True
B) False
Q15) Users can be authenticated against which of the following? (Source: User Databases)
A) an internal database with specific user assignment
B) a token server
C) an external database with a specific user assignment
D) A and B
E) B and C
F) A and C
G) A, B and C
Lesson 5
Overview
Cisco routers are initially deployed with services that are enabled by default.
This lesson concerns Cisco configuration settings that network administrators should consider
changing on their routers, especially on their border routers, to improve security. The lesson
presents basic configuration settings that are almost universally applicable in IP networks, and
a few unexpected things about which you should be aware.
The list is not exhaustive, nor can it be substituted for understanding on the part of the network
administrator; it is simply a reminder of some of the things that are sometimes forgotten. Only
commands that are important in IP networks are mentioned. Many of the services that can be
enabled in Cisco routers require careful security configuration. However, this lesson describes
services that are enabled by default, or that are almost always enabled by users, and that may
need to be disabled or reconfigured.
Consideration of these services is particularly important because some of the default settings in
Cisco IOS software are there for historical reasons; they made sense when they were chosen,
but would probably be different if new defaults were chosen today. Other defaults make sense
for most systems, but may create security exposures if they are used in devices that form part of
a network perimeter defense. Still other defaults are actually required by standards, but are not
always desirable from a security point of view.
This lesson describes ways to secure networks by shutting off unnecessary network services
and interfaces. To practice what you have learned, a lab exercise in the form of an open
discussion of the existing lab topology will follow.
Objectives
Upon completing this lesson, you will be able to disable unused Cisco router network services
and interfaces. This ability includes being able to meet these objectives:
Describe the purpose of each of the four basic router topologies
Identify the router services and interfaces that are vulnerable to network attacks
Explain how to disable the most vulnerable and unnecessary router services and interfaces
Explain how to disable and restrict commonly configured management services
Explain how to ensure path integrity by disabling ICMP mask redirects and IP source
routing
Explain how to disable probes and scans including finger service, ICMP masks,
unreachable messages, and ICMP mask replies and redirects
Explain how to ensure terminal access security by disabling IP identification
Explain how to disable gratuitous and proxy ARPs to mitigate DoS, DDoS, and man-in-
the-middle attacks
Explain how to disable IP directed broadcast to mitigate DoS and DDoS attacks
Routers Secure Networks
This topic describes the purpose of each of the four basic router topologies.
Figure: Untrusted network (Internet), perimeter (premises) router, corporate (trusted) network.
The most basic routed network consists of a corporate LAN connected to the Internet using a
single perimeter router. The perimeter router is the first line of defense for an enterprise
network. This router must secure the corporate network (trusted network) from malicious
activity originating on the Internet (untrusted network). Installations of this type are typical of
small enterprises.
Figure: Untrusted network (Internet), perimeter (premises screening) router, firewall, DMZ with web server and mail server, corporate (trusted) network.
Medium-sized networks typically use a firewall appliance behind the perimeter router. In this
scenario, the perimeter router provides basic packet filtering on packets destined for the
corporate network, while the firewall appliance, with its additional security features, performs
user authentication and more advanced packet filtering.
Firewall installations also facilitate the creation of demilitarized zones (DMZs) where hosts that
are commonly accessed from the Internet are placed.
Perimeter Router with Integrated Firewall
Figure: Untrusted network (Internet), perimeter (firewall) router, DMZ with web server and mail server, corporate (trusted) network.
Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall
features in the perimeter router itself. Although this option does not provide the same
performance and security features that a Cisco PIX Security Appliance offers, a router with an
integrated firewall feature set can solve most small-to-medium business perimeter security
requirements.
Figure: Internet, DMZ with web server and mail server, corporate (trusted) network.
Finally, many medium-to-large sized enterprises use a combination of internal (local network)
routers and perimeter (premises) routers and firewall appliances. Internal routers provide
additional security to the network by screening traffic to various parts of the protected
corporate network. Virtual local area networks (VLANs) are also commonly implemented
within an enterprise network using Cisco Catalyst switches. Cisco Catalyst multilayer switches
containing their own security features can sometimes replace internal (local network) routers to
provide higher performance in VLAN architectures.
Vulnerable Router Services and Interfaces
This topic describes the router services and interfaces that are vulnerable to network attacks.
Cisco routers support many network services that may not be required in certain enterprise
networks. The services listed in the figure have been chosen for their vulnerability to malicious
exploitation. These are the router services most likely to be used in network attacks. For ease of
learning, we have grouped them as follows:
Disabling unnecessary services and interfaces: These services and interfaces include:
Router interfaces: Limit unauthorized access to the router and the network by
disabling unused open router interfaces.
Bootp server: This service is enabled by default. This service allows a router to act
as a Bootp server for other routers. This service is rarely required and should be
disabled.
Cisco Discovery Protocol (CDP): This service is enabled by default. CDP is used
primarily to obtain protocol addresses of neighboring Cisco devices and discover the
platforms of those devices. CDP can also be used to show information about the
interfaces your router uses. CDP is media- and protocol-independent, and runs on
most Cisco-manufactured equipment, including routers, bridges, access servers,
switches, and phones. If not required, this service should be disabled globally or on
a per-interface basis.
Configuration auto-loading: This service is disabled by default. Auto-loading of
configuration files from a network server should remain disabled when not in use by
the router.
FTP server: This service is disabled by default. The FTP server enables you to use
your router as an FTP server for FTP client requests. Because it allows access to
IP source routing: This service is enabled by default. The IP protocol supports
source routing options that allow the sender of an IP datagram to control the route
that a datagram will take toward its ultimate destination, and generally the route that
any reply will take. These options can be exploited by an attacker to bypass the
intended routing path and security of the network. Also, some older IP
implementations do not process source-routed packets properly, and it may be
possible to crash machines running these implementations by sending datagrams
with source routing options. Disable this service when it is not required.
Disabling probes and scans: These measures include:
Finger service: This service is enabled by default. The finger protocol (port 79)
allows users throughout the network to get a list of the users currently using a
particular device. The information displayed includes the processes running on the
system, the line number, connection name, idle time, and terminal location. This
information is provided through the Cisco IOS software show users EXEC
command. Unauthorized persons can use this information for reconnaissance
attacks. Disable this service when it is not required.
ICMP unreachable notifications: This service is enabled by default. This service
notifies senders of invalid destination IP networks or specific IP addresses. This
information can be used to map networks and should be explicitly disabled on
interfaces to untrusted networks.
ICMP mask reply: This service is disabled by default. When enabled, this service
tells the router to respond to ICMP mask requests by sending ICMP mask reply
messages containing the interface IP address mask. This information can be used to
map the network, and this service should be explicitly disabled on interfaces to
untrusted networks.
Ensuring terminal access security: These measures include:
IP identification service: This service is enabled by default. The identification
protocol (specified in RFC 1413) reports the identity of a TCP connection initiator
to the receiving host. This data can be used by an attacker to gather information
about your network, and this service should be explicitly disabled.
TCP keepalives: This service is disabled by default. TCP keepalives help clean
up TCP connections where a remote host has rebooted or otherwise stopped
processing TCP traffic. Keepalives should be enabled globally to manage TCP
connections and prevent certain DoS attacks.
Disabling gratuitous and proxy Address Resolution Protocol (ARP): These measures
include:
Gratuitous ARP: This service is enabled by default. Gratuitous ARP is the main
mechanism used in ARP poisoning attacks. You should disable gratuitous ARPs on
each router interface unless this service is otherwise needed.
Proxy ARP: This service is enabled by default. This feature configures the router to
act as a proxy for Layer 2 address resolution. This service should be disabled unless
the router is being used as a LAN bridge.
Disabling IP directed broadcast: This service is enabled in Cisco IOS Software Releases
prior to Cisco IOS Software Release 12.0 and disabled in Cisco IOS Software Releases
12.0 or later. IP directed broadcasts are used in the common and popular smurf denial of
service (DoS) attack and other related attacks. This service should be disabled when not
required.
Leaving unused network services enabled increases the possibility of malicious exploitation of
those services. Turning off or restricting access to these services greatly improves network
security. While it is not required that you explain why many of these services pose the
vulnerabilities they do, you do need to know how and when they need to be disabled.
Disabling Unnecessary Services and Interfaces
This topic describes how to disable the most vulnerable and unnecessary router services and
interfaces on your router.
Figure: attack host, Austin1 (interfaces e0/0, e0/1 and e0/2), Internet.
Router(config-if)# shutdown
Unused open router interfaces invite unauthorized access to the router and the network. You
can limit this type of attack by administratively disabling the unused interfaces on all routers.
Always disable unused router interfaces using the shutdown command in interface
configuration mode as shown in the figure.
Once an interface is shut down, the router requires administrative privileges to open (no
shutdown) the interface to enable the network connection.
Figure: Austin3 requests a Cisco IOS image from Austin1 (Bootp request); Austin2 and Austin4 are also shown.
Router(config)# no ip bootp server
Globally disables the Bootp service for this router.
Bootstrap Protocol (BOOTP) is a UDP-based protocol that enables a diskless workstation to
discover its own IP address and the IP address of a BOOTP server on the network. Bootstrap
Protocol also allows a file to be loaded into memory to boot the machine, which enables the
workstation to boot without requiring a hard or floppy disk drive. The protocol is defined by
RFC 951.
Cisco routers use BOOTP to access copies of Cisco IOS software images on another Cisco
router running the BOOTP service. In this scenario, one Cisco router acts as a Cisco IOS server
that can download Cisco IOS software to other Cisco routers acting as a Bootstrap Protocol
client (bootpc). This service is rarely used, but when it is, it can allow the following to occur:
An attacker can use this service to download a copy of the router Cisco IOS software.
An attacker could exploit this service to perform DoS attacks against the router.
To disable the Bootp service, use the no ip bootp server command in global configuration
mode as shown in the figure.
Disabling CDP
Figure: CDP requests between Austin1, Austin2 and Austin3.
Router(config)# no cdp run
CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-
manufactured devices (routers, bridges, access servers, and switches) and allows network
management applications to discover Cisco devices that are neighbors of already known
devices. This service is enabled by default.
With CDP enabled, network management applications, such as CiscoWorks Campus Manager,
can learn the device type and the IP addresses of neighboring devices. This feature enables
applications to use the learned IP addresses to send queries to neighboring devices.
Attackers can use CDP during reconnaissance attacks to learn of neighboring devices, thus
discovering the network. For this reason, CDP should be disabled, either globally or on a per-
interface basis, when not required.
Disable CDP globally on the router using the no cdp run command in global configuration
mode as shown in the figure.
If you need to use CDP, restrict its use to only those interfaces that require it. Keep the global
setting enabled, but use the no cdp enable command in interface configuration mode to disable
it on a per-interface basis as shown here:
Austin4(config)# interface e0/1
Austin4(config-if)# no cdp enable
Figure: Austin1, Austin2, Austin3, Austin4 and a TFTP server (AustinTFTP).
Router(config)# no boot network remote-url
Router(config)# no boot host remote-url
Router(config)# no service config
Austin4(config)# no service config
Most Cisco routers load their Cisco IOS image and startup configuration from local Flash memory. However, you may configure a router to load its IOS image and startup configuration from a network server instead. Loading images and configurations across a network exposes the router to a spoofed server or to a file tampered with in transit, so it should be considered only for fully trusted networks (such as a stand-alone test network). This setting is disabled by default.
If network booting is required, point the router at a trusted server on the local network by naming it explicitly with the boot network remote-url or boot host remote-url command in global configuration mode, and disable the setting as soon as it is no longer needed.
The router will attempt to load two configuration files.
The first is the network configuration file containing common commands that apply to all
routers on a network. Use the boot network command to identify the network
configuration file.
The second is the host configuration file containing commands that apply to a specific
router. Use the boot host command to identify the host configuration file.
Use the service config command to enable loading of the specified configuration files at reboot time. Without this command, the router ignores the boot host and boot network commands. Explicitly disable configuration auto-loading for a previously configured remote host using the no boot network, no boot host, and no service config commands in global configuration mode, as shown in the figure.
2-126 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
no boot network remote-url
ftp:[[[//[username[:password]@]location]/directory]/filename]
rcp:[[[//[username@]location]/directory]/filename]
tftp:[[[//location]/directory]/filename]
[Figure: Austin4 attempts an FTP connection to 16.1.1.15; connection refused]
    Router(config)#
    no ftp-server enable
    no ftp-server write-enable
The FTP server feature configures a router to act as an FTP server. FTP clients can copy files to
and from certain directories on the router. In addition, the router can perform many other
standard FTP server functions. This feature first became available in Cisco IOS Software
Release 11.3 AA.
FTP access to your routers can be used to gain access to the router file system and therefore can
be used to attack the network or the router itself. Unless your routers are being used as FTP
servers, you should always disable the FTP server feature.
Starting in Cisco IOS Software Release 12.3, the router FTP service is disabled by default using
the no ftp-server write-enable command. This can be seen in any Cisco IOS Software Release
12.3 or greater by using the show running-config command as shown here (this example
shows only a small portion of the show running-config command output):
    Austin4# show running-config
    !
    !
    no ftp-server write-enable
    !
Routers operating with a Cisco IOS Software Release earlier than 12.3 should have their FTP
servers disabled using the no ftp-server enable command, as shown in the figure.
Routers operating with a Cisco IOS Software Release of 12.3 or later, where the FTP server has
been manually enabled, should have the FTP server disabled using the no ftp-server write-
enable command, as shown in the figure.
The no ftp-server enable and the no ftp-server write-enable commands have no arguments or
keywords.
Disabling TFTP Server
[Figure: Austin4 attempts a file transfer from 16.1.1.15; connection refused]
    Router(config)#
    no tftp-server flash:
TFTP is a simplified form of FTP. It runs over UDP and provides no authentication or access control. TFTP is often used by servers to boot diskless workstations, X terminals, and routers.
The TFTP server feature configures a router to act as a TFTP server host. As a TFTP server
host, the router responds to TFTP Read Request messages by sending a copy of the system
image contained in ROM or one of the system images contained in Flash memory to the
requesting host. The TFTP Read Request message must use one of the filenames that are
specified in the configuration. This feature is disabled by default.
Flash memory can be used as a TFTP file server for other routers on the network. This feature
allows you to boot a remote router with an image that resides in the Flash server memory. Some
Cisco devices allow you to specify one of the various Flash memory locations (bootflash, slot0,
slot1, slavebootflash, slaveslot0, or slaveslot1) as the TFTP server.
TFTP access to your routers can be used to gain access to the router file system and therefore
can be used to attack the network or the router itself. Unless your routers are being used as
TFTP servers, you should always disable the TFTP server feature.
Note Disabling the TFTP server varies across different Cisco router product lines. Always consult
the configuration guide for your particular Cisco router model before continuing.
Disable the TFTP server for Flash memory using the no tftp-server flash: global configuration command, as shown in the figure. The parameters of the tftp-server command being negated are:
    flash:       Specifies TFTP service of a file in Flash memory. Use flash: alone to disable the TFTP server for all files in Flash memory.
    filename1    Name of a file in Flash or in ROM that the TFTP server uses in answering TFTP Read Requests.
    alias        Specifies an alternate name for the file that the TFTP server uses in answering TFTP Read Requests.
    filename2    The alternate name of the file that the TFTP server uses in answering TFTP Read Requests. A client of the TFTP server can use this alternate name in its Read Requests.
Disabling NTP Service
[Figure: Austin3 is the NTP master exchanging NTP messages with Austin1 and Austin2; Austin4 drops all NTP messages on e0/0]
    Router(config)#
    no ntp
    Austin4(config)# no ntp
    Router(config-if)#
    ntp disable
NTP is an Internet standard protocol, carried over UDP, that synchronizes the clocks of computers on a network to within milliseconds of a reference time source traceable to Coordinated Universal Time (UTC), such as the U.S. Naval Observatory master clocks in Washington, DC and Colorado Springs, CO. An NTP client runs continuously in the background, sends periodic time requests to its servers, and uses the returned time stamps to adjust the local clock.
Corrupting the network time base is one way attackers subvert time-dependent security controls: certificate validity periods, time-limited credentials, and the correlation of log entries across devices all depend on an accurate clock. For this reason, disable NTP when it is not required. This service is disabled by default.
To disable the NTP service globally, use the no ntp command in global configuration mode as
shown in the figure.
If you require NTP for some router interfaces but wish to prohibit its use on specific interfaces,
use the ntp disable interface configuration command as shown in the figure. Remember that
disabling the reception of NTP messages on a router interface does not prevent NTP messages
from traversing the router. Use an access list to keep NTP messages from traversing the router
interfaces.
If you need to use NTP, it is important that you consider the following:
Configure a trusted time source and configure all routers as part of an NTP hierarchy
(configure static NTP peer and NTP server addresses).
Use NTP authentication.
[Figure: an attack host on the Internet attempts to connect to the PAD service on Austin1; Austin1 carries IP traffic only, so no PAD is required]
    Router(config)#
    no service pad
By default, the PAD service is enabled on most Cisco routers. This service is used to enable
X.25 connections between the routers and other network devices. One example of where the
PAD service is used is when a router must process traffic between a remote IP user and an X.25
host. In this scenario, the remote IP user communicates with the enterprise router PAD service,
which then performs any IP-to-X.25 protocol translation and X.25 message forwarding.
Once a connection to the router PAD service is established, an attacker could use the PAD
interface to cause disruptions to both route processing and device stability. Therefore, the PAD
service should be explicitly disabled when not required for X.25 network operations.
Disable the PAD service using the no service pad command in global configuration mode, as
shown in the figure.
The no service pad command has several arguments and keywords but they are not required to
disable the PAD service.
Disabling Minor Services
    Router(config)#
    no service tcp-small-servers
    Router(config)#
    no service udp-small-servers
By default, Cisco devices running Cisco IOS Software Releases prior to 11.3 offer the following minor services (the TCP and UDP "small servers"):
Echo: Echoes back whatever you type. To test this service, issue the telnet a.b.c.d echo
command from a remote host.
Chargen: Generates a stream of ASCII data. To test this service, issue the telnet a.b.c.d
chargen command from a remote host.
Discard: Discards whatever you type. To test this service, issue the telnet a.b.c.d discard
command from a remote host.
Daytime: Returns system date and time if you have configured NTP or if you have set the
date and time manually. To test this service, issue the telnet a.b.c.d daytime command
from a remote host.
Small services are enabled by default in Cisco IOS Software Release prior to version 11.3 and
disabled in Cisco IOS Software Releases 11.3 and later. These services, especially their UDP
versions, can be used to launch DoS attacks and other attacks against the router that would
otherwise be prevented by packet filtering.
For example, an attacker might send a Domain Name System (DNS) packet that falsifies the
source address as a DNS server that would otherwise be unreachable by the attacker, and that
falsifies the source port to be the DNS service port (port 53). If such a packet were sent to the
Cisco router UDP echo port, the router would send a DNS packet to the server in question. No
outgoing access list checks would be applied to this packet, since it would be considered locally
generated by the router itself.
Although most abuses of the small services can be avoided or made less dangerous by using
anti-spoofing access lists, the services should almost always be disabled in any router that is
part of a firewall or that lies in a security-critical part of the network. Since the services are
rarely used, the best policy is usually to disable them on all routers of any description.
Disabling MOP Service
[Figure: Austin1 has MOP enabled on e0/1 toward DEC-CPU1 (MOP allowed); Austin2 has MOP disabled on e0/1 toward the Internet, so the attack host using MOP is denied]
    Router(config-if)#
    no mop enabled
The Digital Equipment Corporation Maintenance Operation Protocol (MOP) service is enabled by default on many Cisco router Ethernet interfaces. MOP is a DECnet-era protocol for remote booting and remote console access that is rarely needed in an IP network; it presents a potential attack vector on the router and therefore should be explicitly disabled on all interfaces that do not require it.
Disable the MOP service using the no mop enabled command in interface configuration mode,
as shown in the figure.
Disabling SNMP
The SNMP service allows a router to respond to remote SNMP queries and configuration
changes. If you plan to use SNMP, you should restrict which SNMP systems have access to the
routers using access lists. When you decide not to use SNMP for a router, you must make sure
that you complete several steps to ensure that SNMP is truly unavailable to an attacker.
Disabling the SNMP service alone does not fully protect the router. The default for this service
depends on the Cisco IOS software version.
The following steps should be completed on a Cisco router in order to fully disable SNMP
access to that router:
Step 1 Remove any existing SNMP community strings using the no snmp-server
community command in global configuration mode, as shown in the figure.
Step 2 Create an access list that explicitly denies all SNMP messages for this router.
Step 3 Create a new, hard-to-guess read-only SNMP community string, and make it subject to the access list you created in Step 2, so that any request is refused even if it carries the correct string.
Step 4 Disable all SNMP trap functions using the no snmp-server enable traps command in global configuration mode, as shown in the figure.
Step 5 Disable the SNMP system shutdown function using the no snmp-server system-shutdown command in global configuration mode, as shown in the figure. This prevents an SNMP system-shutdown request (from an SNMP manager) from reloading the router.
Step 6 Disable the SNMP service using the no snmp-server command in global
configuration mode as shown in the figure.
[Figure: Austin4 attempts an HTTP connection to 16.1.1.15; connection refused]
    Router(config)#
    no ip http server
Most Cisco IOS software releases support remote configuration and monitoring over HTTP. In general, HTTP access is equivalent to interactive access to the router. The authentication used for HTTP (basic authentication) sends the password across the network in a form equivalent to clear text, which makes HTTP a risky choice for use across the public Internet. This service is disabled by default.
Note Several router management tools, such as the Cisco Security Device Manager (SDM), use
HTTP to access the router. Do not disable the router HTTP service if SDM, or another HTTP
dependent management system, is to be used to manage the router.
If Web-based administration is not required, disable the HTTP service using the no ip http
server command in global configuration mode as shown in the figure.
Note Recent Cisco IOS crypto images support HTTPS, the secure version of HTTP, which is enabled with the ip http secure-server command. If your router's Cisco IOS image and the Web-based manager both support it, use HTTPS for Web-based administration of your routers and disable the clear-text server with no ip http server.
Restricting DNS Service
[Figure: DNS server DNS1 at 16.1.1.20; Austin4 may send DNS queries to it, Austin3 must not send DNS queries]
    Router(config)#
    ip name-server server-address1 [server-address2...server-address6]
    Austin4(config)# ip name-server 16.1.1.20
    Router(config)#
    no ip domain-lookup
    Austin3(config)# no ip domain-lookup
By default, when no name server is configured, the Cisco router DNS lookup service sends name queries to the 255.255.255.255 broadcast address. Relying on this broadcast should be avoided, because any host on the segment can answer as if it were one of your DNS servers and feed the router erroneous data.
The lookup service is enabled by default. If your routers need it, explicitly set the IP addresses of your DNS servers in the router configuration.
Set the DNS server IP addresses using the ip name-server command in global configuration
mode as shown in the figure.
Note Always disable the DNS lookup service when it is not in use.
Disable the DNS lookup service using the no ip domain-lookup command in global configuration mode, as shown in the figure. A side benefit is that a mistyped command at the EXEC prompt no longer stalls the session while the router tries to resolve it as a host name.
    Router(config-if)#
    no ip redirects
ICMP is an extension to the IP defined by RFC 792. ICMP supports packets containing error,
control, and informational messages. The ping command, for example, uses ICMP to test an
Internet connection.
Cisco IOS software sends ICMP redirect messages by default. An ICMP redirect instructs an end node to use another, more efficient path to a particular destination. In a properly functioning IP network, a router sends redirects only to hosts on its own local subnets, end nodes never send redirects, and redirects never travel more than one network hop. An attacker, however, is free to violate these rules, and a forged redirect can steer a host's traffic through the attacker.
Disable the sending of redirects on each interface with the no ip redirects command in interface configuration mode, as shown in the figure; a router has no reason to advertise alternative paths to hosts on an untrusted segment. In addition, filter incoming ICMP redirects at the input interfaces of any router that lies at a border between administrative domains, and include a statement that denies all ICMP redirects (for example, deny icmp any any redirect) in any access list applied inbound on a Cisco router interface. This causes no operational impact in a correctly configured network.
The filtering prevents the router from processing or forwarding any ICMP redirect messages and can prevent buffer-overflow DoS attacks against routers running older Cisco IOS images. It cannot protect a host from an attacker who is directly connected to the same segment, because that attacker can send redirects to the host without traversing the router.
Disabling IP Source Routing
    Router(config)#
    no ip source-route
    Austin2(config)# no ip source-route
The IP protocol supports source routing options that allow the sender of an IP datagram to
control the route that a datagram takes toward its ultimate destination, and generally the route
that any reply takes on the return trip. These options are sometimes used for performing path
analysis and testing, but are rarely utilized during normal traffic patterns. Some older IP
implementations do not process source-routed packets properly, and it may be possible to crash
machines running these implementations by sending datagrams with source routing options.
Source routing is enabled in Cisco IOS software by default.
When a Cisco router is set with the no ip source-route command in global configuration mode,
IP packets that carry a source routing option are never forwarded. Use this command unless
you know that your network needs source routing.
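To make the check concrete, the following Python code, an added example that is not part of the course material, parses the options area of an IPv4 header and reports whether the packet carries a loose (LSRR) or strict (SSRR) source-route option, which is what a router configured with no ip source-route refuses to forward. The header and option builders exist only to construct sample packets for the demonstration; the option type values (131 and 137) are those defined in RFC 791.

```python
"""Detect IP source-routing options in a raw IPv4 header.

Added example, not part of the original course material. A router configured
with 'no ip source-route' refuses to forward packets that carry these options;
this code shows what such a check inspects, so the same test can be reproduced
in a packet filter or an IDS rule. The headers built at the bottom are
constructed for the demonstration.
"""
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1        # single-byte options (RFC 791)
IPOPT_RR = 7                       # record route (not a source route)
IPOPT_LSRR, IPOPT_SSRR = 131, 137  # loose / strict source and record route


def ipv4_options(header: bytes):
    """Yield (option_type, option_data) for each option in an IPv4 header.

    IHL gives the header length in 32-bit words; everything after the fixed
    20 bytes is the options area. Malformed lengths raise ValueError, which a
    filter should treat as a reason to drop the packet.
    """
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route(header: bytes):
    """Return ('loose'|'strict', [hop addresses]) if source-routed, else None."""
    for kind, data in ipv4_options(header):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            route = data[1:]                      # data[0] is the pointer byte
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) // 4 * 4, 4)]
            return ("loose" if kind == IPOPT_LSRR else "strict", hops)
    return None


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (checksum left zero) carrying the options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


def source_route_option(hops, strict: bool = False) -> bytes:
    """Build an LSRR or SSRR option: type, length, pointer (4), then the hops."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    kind = IPOPT_SSRR if strict else IPOPT_LSRR
    return bytes([kind, 3 + len(body), 4]) + body


if __name__ == "__main__":
    # Constructed samples: a plain packet and one asking to be routed via two hops.
    plain = build_header("10.0.0.1", "10.0.0.2")
    routed = build_header("10.0.0.1", "10.0.0.2",
                          source_route_option(["192.0.2.1", "198.51.100.1"]))
    print("plain :", source_route(plain))     # None
    print("routed:", source_route(routed))    # ('loose', ['192.0.2.1', '198.51.100.1'])
```

The parser rejects malformed option lengths with an exception rather than skipping past them; in a filter, a packet whose options cannot be parsed should be dropped, because an attacker who can make the parser misread the header can hide the option behind the error.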
[Figure: Austin4 attempts connect 16.1.1.15 finger; connection refused]
    Router(config)#
    no ip finger
    Austin4(config)# no ip finger
    Austin4(config)# no service finger
    Austin4(config)# exit
    Austin4# connect 16.1.1.15 finger
    Trying 16.1.1.15, 79 ...
    % Connection refused by remote host
Cisco routers provide an implementation of the finger service that is used to find out which
users are logged into a network device. Although this information is not usually sensitive, it can
sometimes be useful to an attacker for reconnaissance purposes. This service is enabled by
default.
Disable the finger service using the no ip finger or no service finger commands in global
configuration mode as shown in the figure.
Note The service finger command has been replaced by the ip finger command (introduced in
Cisco IOS Software Release 11.3). However, the service finger and no service finger
commands continue to function to maintain backward compatibility with Cisco IOS software
versions prior to Cisco IOS Software Release 11.3.
Disabling ICMP Unreachable Messages
    Router(config-if)#
    no ip unreachables
Attackers can use ICMP unreachable messages to map your network: the router's replies tell a scanner which networks and hosts behind it exist and which do not. These messages are enabled in Cisco IOS software by default and should be disabled with the no ip unreachables command in interface configuration mode on all interfaces, especially those connected to untrusted networks. Be aware that this also suppresses the "fragmentation needed" unreachable (type 3, code 4) on which path MTU discovery depends, so apply it with care on interfaces where the router must drop oversized packets that have the DF bit set.
    Router(config-if)#
    no ip mask-reply
Mask replies are disabled in Cisco IOS software by default. When mask replies are enabled, the
Cisco IOS software responds to ICMP mask requests by sending ICMP mask reply messages.
These messages can provide an attacker with critical network information in reconnaissance
attacks. Automatic replies should be disabled on all router interfaces, especially those pointing
to untrusted networks.
Disable IP mask replies using the no ip mask-reply command in interface configuration mode
as shown in the figure.
Ensuring Terminal Access Security
This topic explains how to ensure terminal access security by disabling IP identification.
Disabling IP Identification
    Router(config)#
    no ip identd
    Austin2(config)# no ip identd
Identification support lets a remote system query a TCP port on the router for identification. The feature implements RFC 1413 (ident, TCP port 113), an insecure protocol for reporting the identity of the client that initiated a TCP connection and of the host responding to it.
With identification support enabled, an attacker can connect to the ident port, issue a simple text-string request, and receive a simple text-string reply. No attempt is made to protect against unauthorized queries. This service should be explicitly disabled.
Disable RFC 1413 identification using the no ip identd command in global configuration mode
as shown in the figure.
[Figure: TCP connection keepalive ACKs; tcp-keepalives-out covers sessions the router initiates, tcp-keepalives-in covers sessions opened to the router]
    Router(config)#
    service tcp-keepalives-in
    Router(config)#
    service tcp-keepalives-out
By default, Cisco routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally (crashes, reloads, and so on), the other end may still believe the session is available. Such orphaned sessions tie up router resources, and attackers have exploited this weakness, for example by opening sessions to the router's vty lines and abandoning them so that legitimate administrators can no longer connect.
To remedy this, Cisco routers can be configured to send periodic keepalive messages (one ACK per minute) to verify that the remote end of a session is still present. If the remote device fails to respond with an ACK within five minutes, the router clears the connection, immediately freeing the resources for other work. Keepalives are therefore an important guard against orphaned sessions.
Use the service tcp-keepalives-in command in global configuration mode to detect and delete
inactive incoming sessions as shown in the figure.
Use the service tcp-keepalives-out command in global configuration mode to detect and delete
inactive outgoing sessions initiated by the router as shown in the figure.
Disabling Gratuitous and Proxy ARP
This topic explains how to disable gratuitous and proxy ARP to help mitigate man-in-the-
middle, DoS and distributed DoS (DDoS) attacks.
[Figure: NAS1 negotiates a PPP connection and IP address with a client; gratuitous ARP disabled]
    Router(config)#
    no ip gratuitous-arps
    NAS1(config)# no ip gratuitous-arps
A gratuitous ARP (gARP) is an unsolicited ARP message in which a host announces its own IP-address-to-MAC-address binding to every host on the segment. Unfortunately, a gARP is easily spoofed: any device can claim an IP address that is not its own simply by sending a gARP for it. Hosts that receive the message replace the MAC address of the legitimate device with the attacker's MAC address in their ARP tables. The spoofed address may be that of the default router, of an adjacent server, or of any other endpoint the victim is trying to reach. This lets the attacker take a man-in-the-middle position for eavesdropping, redirection, manipulation, or a DoS attack.
By default, most Cisco routers send a gARP whenever a client connects and negotiates an IP address over a PPP connection. Because gARP is the main mechanism used in ARP poisoning attacks, disable gARPs unless they are specifically needed.
Note Cisco routers generate a gARP transmission even when the client receives the address from
a local address pool.
Starting with Cisco IOS Software Release 11.3, system administrators can disable gratuitous
ARP transmissions using the no ip gratuitous-arps command in global configuration mode, as
shown in the figure.
[Figure: Austin1 with interfaces e0/0, e0/1 (toward the Internet) and e0/2; an attack host's attempted spoof is disallowed where proxy ARP is off, and proxy ARP is allowed on e0/2]
    Router(config-if)#
    no ip proxy-arp
Proxy ARP enables a router to answer ARP requests that are intended for another host. By answering with its own MAC address, the router accepts responsibility for forwarding the packets to the real destination.
When proxy ARP is enabled on a Cisco router, hosts can reach destinations on other subnets without a configured default gateway, which effectively extends the Layer 2 reach of a segment across the router's interfaces. Cisco routers enable proxy ARP on all interfaces by default.
Because proxy ARP lets traffic cross between LAN segments without the hosts being aware of it, it is only safe between trusted segments. An attacker can exploit its trusting nature by spoofing a trusted host and intercepting packets. Because of this inherent weakness, always disable proxy ARP on router interfaces that do not require it, especially those connected to untrusted networks.
Disable proxy ARP using the no ip proxy-arp command in interface configuration mode as
shown in the figure.
Disabling IP Directed Broadcast
This topic explains how to disable IP directed broadcasts to mitigate DoS and DDoS attacks.
    Router(config-if)#
    no ip directed-broadcast
IP directed broadcasts are the amplification vector behind the common smurf DoS attack and related flooding attacks. This service is enabled in Cisco IOS software versions prior to Release 12.0 and disabled in Release 12.0 and later.
An IP directed broadcast is a datagram sent to the broadcast address of a subnet to which the
sending machine is not directly attached. The directed broadcast is routed through the network
as a unicast packet until it arrives at the target subnet where it is converted into a link-layer
broadcast. Because of the nature of IP addressing architecture, only the last router in the chain,
the one that is connected directly to the target subnet, can identify a directed broadcast.
Directed broadcasts are occasionally used for legitimate purposes, but such use is not common.
In a smurf attack, the attacker sends ICMP echo requests with a spoofed source address (the victim's) to a directed broadcast address, causing every host on the target subnet to reply to the victim. By sending a continuous stream of such requests, the attacker turns the subnet into an amplifier that overwhelms the host whose address is being spoofed.
Disable directed broadcasts with the no ip directed-broadcast command in interface configuration mode, as shown in the figure. Because only the last-hop router can recognize a directed broadcast, the command must be applied on the interface facing each subnet you want to keep from being used as an amplifier.
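The commands in this lesson, from disabling CDP through disabling directed broadcasts, amount to a checklist that can be verified against a saved configuration. The following Python script, an added example that is not part of the course material, parses the text of show running-config and reports which global and per-interface hardening statements are missing and which risky statements (the HTTP, FTP and TFTP servers, configuration autoloading, SNMP traps, and read-write or unrestricted community strings) are present. The sample configuration embedded at the bottom is constructed for the demonstration; the statement lists are the lesson's own commands, and an interface you deliberately exempt (a loopback, say) would need to be filtered out before running the audit.

```python
"""Audit a Cisco IOS running-config against the hardening checklist in this lesson.

Added example, not part of the original course material. It reads 'show
running-config' text (a constructed sample below) and reports which of the
lesson's hardening statements are missing and which risky statements are
present. Explicit 'no ...' lines are required even where your release already
defaults to off: defaults vary by release, and only the explicit line is verifiable.
"""
import re

GLOBAL_REQUIRED = (
    "no service pad", "no service config", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip source-route", "no ip finger",
    "no ip domain-lookup", "no ip identd", "no ip gratuitous-arps",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
)
GLOBAL_FORBIDDEN = tuple(re.compile(p) for p in (     # statements to remove
    r"^ip http server\b", r"^ftp-server enable\b", r"^tftp-server \S+",
    r"^boot (network|host) ", r"^snmp-server enable traps\b",
    r"^snmp-server system-shutdown\b",
))
INTERFACE_REQUIRED = (          # expected on every interface facing a network
    "no ip redirects", "no ip unreachables", "no ip proxy-arp",
    "no ip directed-broadcast", "no mop enabled",
)


def parse_config(text):
    """Split config text into (global lines, {interface name: [its lines]}).

    IOS prints 'interface X' unindented, its commands indented by one space,
    and a '!' line between sections.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a sorted list of findings; an empty list means the config passes."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in present]
    findings += [f"global: remove '{ln}'" for ln in global_lines
                 if any(p.search(ln) for p in GLOBAL_FORBIDDEN)]

    # CDP may be disabled globally (no cdp run) or per interface (no cdp enable).
    cdp_off_globally = "no cdp run" in present
    for name, lines in interfaces.items():
        findings += [f"{name}: missing '{c}'" for c in INTERFACE_REQUIRED if c not in lines]
        if not cdp_off_globally and "no cdp enable" not in lines:
            findings.append(f"{name}: CDP still enabled (no 'no cdp run' globally)")

    # SNMP (lesson Steps 1-3): each community string must be read-only and tied
    # to an access list; a read-write string or one without an ACL is a finding.
    for line in global_lines:
        m = re.match(r"^snmp-server community (\S+)(.*)$", line)
        if m:
            community, rest = m.group(1), m.group(2).split()
            if "RW" in rest:
                findings.append(f"snmp: community '{community}' is read-write")
            if not [t for t in rest if t not in ("RO", "RW")]:
                findings.append(f"snmp: community '{community}' has no access list")
    return sorted(findings)


# Constructed sample: Ethernet0/1 is hardened, Ethernet0/0 and the global
# section are only partly done, and SNMP is configured the way it should not be.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
no ip source-route
no ip domain-lookup
ip http server
!
interface Ethernet0/0
 ip address 16.1.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 no cdp enable
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
!
snmp-server community public RO
snmp-server community secret RW 10
snmp-server enable traps
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the sample, the audit reports fifteen findings: seven missing global statements, the HTTP server and SNMP traps to remove, four items on Ethernet0/0 (including CDP, because no cdp run is absent and the interface has no no cdp enable), and the two SNMP community strings. Ethernet0/1 is clean. Feed it the output of show running-config collected over your management channel and the same comparison works on a real device.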
Summary
Routers are an integral and vulnerable part of a network
topology.
Many router services and interfaces are enabled by default, are vulnerable, and should be secured.
Unnecessary router services and interfaces should be disabled.
Commonly configured management services that are not
required should be disabled.
Services that affect path integrity should be disabled.
Services that provide for probes and scans should be disabled.
IP identification should be disabled to assure terminal access security.
Man-in-the-middle attacks can be mitigated by disabling
gratuitous ARPs.
DoS and DDoS attacks can be mitigated by disabling proxy ARP
and IP directed broadcast.
Lesson Self Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Which command is used to disable CDP? (Source: Disabling Unnecessary Router
Services and Interfaces)
A) shutdown cdp
B) no cdp
C) no cdp server
D) no cdp run
Q2) Which two commands disable autoloading? (Choose two.) (Source: Disabling
Unnecessary Router Services and Interfaces)
A) no boot network
B) no service autoloading
C) no service config
D) no autoload config
Q3) Which command disables FTP with Cisco IOS software releases prior to Cisco IOS
Software Release 12.3? (Source: Disabling Unnecessary Router Services and
Interfaces)
A) no ftp-server write-enable
B) no ftp-server enable
Q4) Which service should be disabled to prevent a Cisco router from accessing a copy of a
Cisco IOS images on another Cisco router running the same protocol? (Source: Disable
Unnecessary Services and Interfaces)
A) CDP
B) bootp server
C) configuration autoloading
D) MOP
Q5) Which router service can be used to find out which users are logged into a network
device? (Source: Disable Probes and Scans)
A) identd
B) finger
C) show login
D) show line
Q6) Which service can attackers use during reconnaissance attacks to learn of neighboring Cisco devices? (Source: Disable Unnecessary Services and Interfaces)
A) finger
B) configuration autoloading
C) CDP
D) IP source routing
Q8) Which of the following services requires six steps to completely disable access to the router? (Source: Disable Commonly Configured Management Services)
A) SNMP service
B) HTTP service
C) DNS lookup service
D) TFTP service
E) FTP service
Q9) Which of the following services should not be disabled if a router management tool
such as the Cisco Security Device Manager (SDM) is used to manage the router?
(Source: Disable Commonly Configured Management Services)
A) SNMP service
B) HTTP service
C) DNS lookup service
D) TFTP service
E) FTP service
Q10) Which command is used to define an SNMP password? (Source: Disable Commonly
Configured Management Services)
A) snmp-server enable
B) snmpserver host
C) snmp-server community
D) snmp-server password
E) snmp-server manager
Q11) Which router command enables the sending of all types of SNMP traps? (Source:
Disable Commonly Configured Management Services)
A) snmp-server community
B) snmp-server enable informs
C) snmp-server enable traps snmp
D) snmp-server enable traps
Q12) What Cisco IOS software feature should be disabled to stop attackers from mapping
your network? (Source: Disable Probes and Scans)
Q13) What service is used in the extremely common and popular smurf denial of service
attack and other related attacks? (Source: Mitigate DoS and DDoS attacks)
Lesson Self-Check Answer Key
Q1) D
Q2) A and C
Q3) B
Q4) B
Q5) B
Q6) C
Q8) A
Q9) B
Q10) C
Q11) D
Q12)ICMP unreachable messages
Q13) IP directed broadcast
Lesson 6
Overview
This lesson describes how to mitigate threats and attacks against Cisco perimeter routers by formatting and applying access control lists (ACLs) to filter traffic. ACLs provide packet filtering at the router level and are used extensively at a firewall to protect internal networks from the outside world. This lesson outlines the types of ACLs that are available and provides guidelines for creating them. To practice what you have learned, a hands-on lab exercise is provided in which you secure a Cisco perimeter router with access lists.
Objectives
Upon completing this lesson, you will be able to mitigate threats and attacks to Cisco perimeter
routers by formatting and applying access lists to filter traffic. This ability includes being able
to meet these objectives:
Identify the types and formats of IP access lists that are used by routers to restrict access
and filter packets
Describe how to apply access lists to router interfaces
Explain the use of traffic filtering with access lists to mitigate threats in a network
Explain how to implement access lists to filter IP traffic destined for Telnet, SNMP and
RIP services
Explain how to implement access lists to mitigate threats
Explain how to configure router access lists to help reduce the effects of DDoS attacks
Describe how to combine many access list functions into two or three larger access lists
Explain some of the caveats to be considered when building access lists
Cisco Access Lists
This topic describes the types and formats of IP access lists that are used by routers to restrict
access and filter packets.
The Cisco ACL is probably the most commonly used object in Cisco IOS software. This ACL
is not only used for packet filtering (a type of firewall) but also for selecting types of traffic to
be analyzed, forwarded, or influenced in some way.
The access list is a group of statements. Each statement defines a pattern that would be found in
an IP packet. As each packet comes through an interface with an associated access list, the list
is scanned from top to bottom and in the exact order in which it was entered, for a pattern that
matches the incoming packet. A permit or deny rule associated with the pattern determines the
fate of that packet.
Cisco routers use access lists as packet filters to decide which packets may access a router service or cross an interface. Packets that are allowed across an interface are called permitted packets; packets that are not allowed are called denied packets. An access list contains one or more rules, or statements, that determine which data is permitted and which is denied across an interface.
Access lists are designed to enforce one or more corporate security policies. For example, a
corporate security policy may allow only packets using source addresses from within the
trusted network to access the Internet. Once this policy is written, you can develop an access
list that includes certain statements which, when applied to a router interface, can implement
this policy.
Cisco router security depends strongly on well-written access lists, both to restrict access to
router network services and to filter packets as they traverse the router.
2-156 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
Cisco routers support three types of IP access lists: standard, extended and enhanced IP access
lists. The figure describes the following two types:
Standard IP access lists: A standard access list only allows you to permit or deny traffic
from specific source IP addresses. The destination of the packet and the ports involved do not
matter. The example in the figure allows traffic from all addresses in the range 192.168.3.0
to 192.168.3.255 (network 192.168.3.0 with wildcard mask 0.0.0.255; a 1 bit in the wildcard
mask means that bit of the address is not compared).
Extended IP access lists: An extended IP access list is a series of statements that are
created in global configuration mode. This list can filter IP packets based on several
attributes: protocol type, source IP address, destination IP address, source TCP or User
Datagram Protocol (UDP) port, destination TCP or UDP port, and optional protocol-specific
information for finer granularity of control. The example shown in the figure configures
ACL 101 to permit traffic originating from any address on the 63.36.9.0/24 network to port
80 (HTTP) on any destination host. More on extended ACLs is presented later in this lesson.
Note Cisco IOS Software Release 11.1 introduced substantial changes to IP access lists. These
extensions are backward compatible. Migrating from a release earlier than the Cisco IOS
Software Release 11.1 to the current image will convert your access lists automatically.
However, previous Cisco IOS software releases are not forward compatible with these
changes. Therefore, if you save an access list with the current image and then use older
software, the resulting access list will not be interpreted correctly, and could cause severe
security problems. Save your old configuration file before booting Cisco IOS Software
Release 11.1 images.
Cisco routers also support enhanced access lists, which are designed to provide better security
for routers and their networks. These enhanced access lists are described as follows:
Dynamic: Dynamic access lists (also known as lock-and-key) create specific, temporary
openings in response to user authentication. The syntax for dynamic access lists is very
similar to that of extended access lists. Dynamic access lists are available starting in Cisco
IOS Software Release 11.1. Here is a simple example of using a dynamic access list:
Step 1 A user originates a Telnet session with the router.
Step 2 The router authenticates the user with a username and password lookup.
Step 3 The router closes the Telnet session and creates a dynamic entry in the access list that
permits packets from the source IP address of the authenticated user.
Step 4 The dynamic entry is deleted when its idle or absolute timeout expires, or when an
administrator clears it.
Time-based: These access lists are simply numbered or named access lists whose statements
are in effect only during a configured time range, based on the time of day or the day of the
week. They make it easier to apply different filtering for after hours, weekends, or other
time- and day-related organizational events. Time-based access lists are available starting in
Cisco IOS Software Release 12.0.
Reflexive: These access lists create dynamic entries for IP traffic on one interface of the
router based upon sessions originating from a different interface of the router. This
enhanced access list allows you to control connections on the untrusted side of a router
when a connection is initiated from the trusted side. These access lists are actually modified
extended IP named access lists. Reflexive access lists are available starting in Cisco IOS
Software Release 11.3.
Context-based access control (CBAC): Where reflexive access lists can only secure
single-channel applications like Telnet, CBAC can secure multichannel operations based on
upper-layer information. CBAC examines packets as they enter or leave router interfaces,
and determines which application protocols to allow. CBAC access lists are available
starting in Cisco IOS Software Release 12.0T as part of the firewall feature set.
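The four enhanced list types above, written out for router R2 of the reference network, as an added configuration example (it is not one of the course figures). List numbers, list names, the username and the timeouts are assumed for illustration, and the four fragments are independent of each other; they are not meant to be applied together on one router.

```cisco
! ===== Dynamic (lock-and-key) =====
! A remote user telnets to R2's outside address, authenticates against the local
! user database, and the autocommand adds a temporary entry to list 101 for that
! user's source host. Idle timeout 10 min (autocommand), absolute 120 min (list).
username remote-admin secret ChangeMe-assumed
username remote-admin autocommand access-enable host timeout 10
access-list 101 permit tcp any host 16.1.1.2 eq telnet
access-list 101 dynamic LOCKKEY timeout 120 permit ip any 16.2.1.0 0.0.0.255
interface Ethernet0/0
 ip access-group 101 in
line vty 0 4
 login local
!
! ===== Time-based =====
! HTTP from the remote-access LAN is allowed during working hours only.
time-range WORKHOURS
 periodic weekdays 08:00 to 18:00
access-list 102 permit tcp 16.2.1.0 0.0.0.255 any eq 80 time-range WORKHOURS
access-list 102 deny   tcp 16.2.1.0 0.0.0.255 any eq 80 log
access-list 102 permit ip 16.2.1.0 0.0.0.255 any
interface Ethernet0/1
 ip access-group 102 in
!
! ===== Reflexive =====
! Sessions leaving e0/0 are recorded under the names TCPSESSIONS / UDPSESSIONS;
! the inbound list admits only packets that belong to one of those sessions.
! Reflexive entries can only live in named extended lists.
ip access-list extended OUTBOUND
 permit tcp 16.2.1.0 0.0.0.255 any reflect TCPSESSIONS timeout 300
 permit udp 16.2.1.0 0.0.0.255 any reflect UDPSESSIONS timeout 60
ip access-list extended INBOUND
 evaluate TCPSESSIONS
 evaluate UDPSESSIONS
 deny ip any any log
interface Ethernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! ===== CBAC =====
! Inspect TCP, UDP and multichannel FTP as it enters from the inside LAN; CBAC
! opens the matching return path through the inbound list on e0/0 and also
! tracks the separate FTP data channel, which a reflexive list cannot do.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
interface Ethernet0/1
 ip inspect FWRULE in
```

The reflexive fragment is the one to compare with the text: it is the "evaluate" line inside INBOUND that lets return traffic through, and a single-channel protocol such as Telnet or HTTP works, while active-mode FTP does not because its data connection is opened from the outside. The CBAC fragment is what replaces it when multichannel protocols must be allowed.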
Identifying Access Lists
Prior to Cisco IOS Software Release 11.2, you had to assign a number to each ACL as it was
created. Since then, either a number or a name can identify Cisco access lists and the protocols
they filter.
Using numbered ACLs is an effective method on smaller networks with more homogeneously
defined traffic. Because each ACL type is limited to an assigned range of numbers, it is easy to
determine the type of ACL you are using. Standard IP ACLs are numbered from 1 to 99 (with
1300 to 1999 as an expanded range), and extended IP ACLs are numbered from 100 to 199
(with 2000 to 2699 as an expanded range). The Access List Number and Type table lists the
number range and the type of associated access list.
Starting with Cisco IOS Software Release 11.2, you can identify access lists with an
alphanumeric string (a name) rather than a number. These named access lists will not be
recognized by any software release prior to Cisco IOS Software Release 11.2. Named access
lists allow you to configure more access lists in a router than if you were to use numbered
access lists alone. If you identify your access list with a name rather than a number, the mode
and command syntax are slightly different. Currently, only packet and route filters can use a
named list.
Guidelines for Developing Access Lists
Before you start to develop any access lists, consider the following basic rules:
Guideline 1: Base your access lists on your security policy. Unless the access list is
anchored in a comprehensive security policy, you cannot be certain that it will control
access in the way access needs to be controlled.
Guideline 2: Write it out. Never sit down at a router and start to develop an access list
without first spending some time in design. The best access list developers suggest that you
write out a list of things you want the access list to accomplish, starting with something as
simple as: "This access list must block all Simple Network Management Protocol (SNMP)
access to the router except for the SNMP host at 16.1.1.15."
Guideline 3: Set up a development system. Whether you use your laptop PC or a
dedicated server, you need a place to develop and store your access lists. Word processors
or text editors of any kind are suitable, as long as you can save the files in ASCII text
format. Build yourself a library of your most commonly used access lists and use them as
sources for new files. Access lists can be pasted into the router running configuration
(requires console or Telnet access), or can be stored in a router configuration file. The
system you chose should support TFTP to make it easy to transfer any resulting
configuration files to the router.
Note Hackers love to gain access to router configuration development systems or TFTP servers
that store access lists. A hacker can discover a lot about your network from looking at these
easily read text files. For this reason, it is imperative that the system where you choose to
develop and store your router files be a secure system.
Guideline 4: Test. If possible, test your access lists in a secure environment before placing them into
production. Testing is a common sense approach to any router configuration changes. Most enterprises
maintain their own network test beds. While testing may appear to be an unnecessary cost, over time it can
save time and money.
[Figure: router Austin1 with interfaces s0/0 (toward the Internet), e0/0 and e0/1; each interface has an inbound (In) and an outbound (Out) direction in which an access list can be applied.]
Packet filtering access lists must be applied to a router interface to take effect. It is important to
note that access lists are applied to an interface based on the direction of the data flow as shown
in the figure. You can apply the list to incoming packets, (an "in" access list) or outgoing
packets (an "out" access list).
Inbound (in): The packet filtering access list applies to packets received on the router
interface.
Outbound (out): The packet filtering access list applies to packets transmitted out of the
router interface. For out access lists, you need to set up the filter only on the one outgoing
interface rather than on the individual incoming interfaces. This improves performance
because only the network you are protecting will force a lookup on the access list.
Applying Access Lists to Interfaces
[Figure: Router(config-if)# ip access-group {access-list-number | name} {in | out}]
Before applying a packet filtering access list to a router interface, make sure you know in which
direction it will filter.
Apply access lists to router interfaces using the ip access-group command in interface
configuration mode as shown in the figure.
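The two numbered lists from the earlier figure, written out and bound to an interface, as an added example (not a course figure). The interface name and the direction are assumed, and the implicit deny at the end of each list is shown as a comment because IOS never displays it.

```cisco
! Standard list 10: matches on source address only.
! Wildcard 0.0.0.255 = "the last octet is not compared", i.e. 192.168.3.0-192.168.3.255.
access-list 10 permit 192.168.3.0 0.0.0.255
! (implicit:  access-list 10 deny any)
!
! Extended list 101: protocol, source, destination and destination port.
! 63.36.9.0 0.0.0.255 is the source network, "any" the destination, eq 80 is HTTP.
access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80
! (implicit:  access-list 101 deny ip any any)
!
! The same extended list in named form (Release 11.2 and later).
ip access-list extended WEB-FROM-63-36-9
 permit tcp 63.36.9.0 0.0.0.255 any eq 80
!
! A list does nothing until bound to an interface and a direction:
! "in" = checked as packets arrive on e0/0, "out" = checked as they leave e0/0.
interface Ethernet0/0
 ip access-group 101 in
! Only one IP list per direction per interface: a second "ip access-group ... in"
! on the same interface replaces the first binding rather than adding to it.
!
! Verify: list contents with per-line match counters, then the interface binding.
! Router# show access-lists 101
! Router# show ip interface Ethernet0/0 | include access list
```

The match counters in show access-lists are the quickest way to confirm that a list is actually seeing the traffic you expect; a line whose counter never moves is either shadowed by an earlier line or applied in the wrong direction.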
[Figure: Router(config)# access-list compiled; Router# show access-lists compiled]
Access lists are normally searched sequentially to find a matching rule, and are ordered
specifically to take this factor into account. Because of increasing needs and requirements for
security filtering and packet classification, ACLs can expand to the point that searching the
ACL adds a significant amount of time and memory when packets are being forwarded. As
well, the time taken by the router to search the list is not always consistent, which adds a
variable latency to packet forwarding. Searching an ACL with many entries imposes a high
CPU load.
The Turbo ACL feature, supported by Cisco 7200 Series, 7500 Series and 12000 Series routers,
processes access lists into lookup tables. Packet headers are used to access these tables in a
small, fixed number of lookups, independent of the existing number of ACL entries. The
benefits of the Turbo ACL feature are:
For ACLs larger than 3 entries, the CPU load required to match the packet to the pre-
determined packet-matching rule is lessened. The CPU load is fixed, regardless of the size
of the ACL, which allows for larger ACLs without incurring additional CPU overhead
penalties. The larger the ACL, the greater the benefit.
The time taken to match the packet is fixed, so the latency of the packets is smaller
(significantly so in the case of large ACLs) and, more importantly, the time taken to match is
consistent, which allows better network stability and more accurate transit times.
If your router supports turbo ACLs, you should use the access-list compiled command in
global configuration mode as shown in the figure whenever you develop access lists with more
than three statements.
To view the status of your turbo access lists, use the show access-lists compiled command in
privileged EXEC mode as shown in the figure.
Using Traffic Filtering with Access Lists
This topic explains the use of traffic filtering with access lists to mitigate threats in a network.
[Figure: Traffic Filtering. Internet (untrusted network), perimeter (premises screening) router, firewall, corporate (trusted) network; a DMZ hosting the Web Server and the Mail Server.]
To review, always apply the following general rules when deciding how to handle router
services, ports, and protocols:
Disable unused services, ports, or protocols: In the case where no one, including the router
itself, needs to use an enabled service, port, or protocol, disable that service, port, or
protocol.
Limit access to services, ports, or protocols: In the case where a limited number of users or
systems require access to an enabled router service, port, or protocol, limit access to that
service, port, or protocol using access control lists.
ACLs are important because they act as traffic filters between the corporate (trusted) network
and the Internet (untrusted network). Using access lists, the router enforces corporate security
policies by rejecting protocols and restricting port usage.
The Blocked Services table contains a list of common router services that can be used to
gather information about your network, or worse, can be used to attack your network. Unless
your network configuration specifically requires one of these services, they should not be
allowed to traverse the router. Use access lists to block these services inbound to the protected
network and outbound to the Internet.
Blocked Services
Service   Port   Protocol
systat    11     TCP
netstat   15     TCP
whois     43     TCP
bootp     67     UDP
tftp      69     UDP
supdup    95     TCP
The Deny Services table contains a listing of common services that reside either on the
corporate protected network or on the router itself. These services should be denied to untrusted
clients using access lists.
Deny Services
Service   Port   Protocol
finger    79     TCP
[Figure: reference network. R2: s0/0; e0/0 16.1.1.2 on the Corporate LAN 16.1.0.0/16; e0/1 16.2.1.1 on the Remote access LAN 16.2.1.0/24. R1: interfaces e0/0 and e0/1 (addresses 16.1.1.1 and 16.2.0.10/24) with the DMZ hosts Public Web Server 16.2.2.3, Mail Server 16.2.2.4, Admin Server 16.2.2.5 and User 16.2.2.6 behind it. R4: e0/0 9.1.1.1, e0/1 9.2.1.1, Remote Office LAN 9.0.0.0/8, reached across the Internet. R3: User 16.2.3.3.]
This figure shows the network topology referenced in the remainder of this lesson.
For the sake of clarity, the access lists contained in the following topics are depicted as
individual access lists. Generally, you would not build a succession of small access lists as we
show here. Most likely, you would build at least one access list for the outside router interface,
one for the inside router interface, and one or more access lists for general router use. Do not
attempt to combine the small examples shown here into these larger lists as they stand, because
the statements tend to contradict one another. A sample router configuration at the end of this
lesson shows how these functions are combined into logical access lists.
Telnet Service Filtering
[Figure: R2 with e0/0 16.1.1.2 (Corporate LAN 16.1.0.0/16) and e0/1 16.2.1.1 (Remote Access LAN 16.2.1.0/24); on the Remote Access LAN: Authentication Server 16.2.1.2, File Server 16.2.1.4, User 16.2.1.3.]
Telnet (vty) is typically used by systems administrators to remotely access the router console
for configuration and maintenance. You should restrict which hosts have access to the vty lines
of the router by using an access list statement as shown in the figure.
In this example, IP standard access list 90 allows only hosts 16.2.1.3 and 16.2.1.2 to access
router R2 using Telnet (port 23). All other hosts are denied Telnet access to R2. This access list
is also designed to log all successful and unsuccessful attempts to access R2 using Telnet.
SNMP Service Filtering
[Figure: R2 with e0/0 16.1.1.2 (Corporate LAN 16.1.0.0/16) and e0/1 16.2.1.1 (Remote Access LAN 16.2.1.0/24); on the Remote Access LAN: Authentication Server 16.2.1.2, File Server 16.2.1.4, User 16.2.1.3.]
Because of the inherent lack of authentication in SNMPv1, this version of SNMP should be
used only on protected, internal networks. You should limit access to a router SNMP agent
using an access list statement as shown in the figure.
In the example, only the SNMP host with an IP address of 16.2.1.3 may access the router R2
SNMP agent. The access list further specifies that the SNMP host must use a community string
of snmp-host1.
Note The latest Cisco IOS software versions support SNMPv3, which offers more secure SNMP
operations. It is recommended that you implement SNMPv3 rather than older SNMP
versions whenever possible.
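The two router-service filters just described, as an added example (not a course figure): list 90 protects the vty lines and list 80 protects the SNMP agent. The line and snmp-server commands are assumed, list 80 follows the sample configuration at the end of this lesson, and the SNMPv3 lines are an assumed equivalent for a release that supports authPriv users (the exact privacy keywords vary by release).

```cisco
! ----- Telnet (vty) -----
! A vty filter is a standard list bound with access-class, not ip access-group.
! "log" on each line records accepted and refused attempts; the explicit deny is
! needed because the implicit deny at the end of a list does not log anything.
access-list 90 permit host 16.2.1.3 log
access-list 90 permit host 16.2.1.2 log
access-list 90 deny   any log
line vty 0 4
 access-class 90 in
 login local
 exec-timeout 5 0
!
! ----- SNMP v1/v2c -----
! The community string is bound to list 80: a request carrying the right string
! from any host other than 16.2.1.3 is still refused, and access is read-only.
access-list 80 permit host 16.2.1.3
snmp-server community snmp-host1 ro 80
!
! ----- SNMPv3 alternative: per-user authentication and encryption -----
! The same list 80 restricts which hosts may use the group; once this is in
! place the v1/v2c community above should be removed.
snmp-server group NMS-GROUP v3 priv access 80
snmp-server user nms-admin NMS-GROUP v3 auth sha AuthPassw0rd-assumed priv aes 128 PrivPassw0rd-assumed
!
! Verify: refused vty attempts show up in the log with the source address;
! "show snmp" counts requests rejected for a bad community name or unknown user.
! Router# show access-lists 90
! Router# show snmp
```

Because a standard list only looks at the source address, both filters are only as strong as the anti-spoofing lists on the interfaces: a packet arriving on e0/0 with a forged source of 16.2.1.3 passes list 90 unless the inbound spoof filter described later in this lesson drops it first.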
RIP Route Filtering
[Figure: R1 with interfaces e0/0 and e0/1 (addresses 16.1.1.1 and 16.2.0.10/24) between the Corporate LAN 16.1.0.0/16 and the DMZ hosts Public Web Server 16.2.2.3, Mail Server 16.2.2.4, Admin Server 16.2.2.5 and User 16.2.2.6; R3 behind R1.]
Cisco routers share routing table updates to tell each other where to route traffic. Access
lists should be used to limit which routes a router accepts (takes in) or advertises (sends out)
to its neighbors.
The example in the figure shows a standard IP access list applied to the RIP routing process
as a route filter (IOS has no RIP process ID; router rip starts the single RIP process). In this
example, router R1 does not advertise any routes of the 16.2.2.0 Demilitarized Zone (DMZ)
network out interface e0/0.
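The route filter described above for R1, as an added example (not the course figure). The list is attached under router rip with a distribute-list; the list numbers 44 and 45 and the inbound counterpart on e0/1 are assumed.

```cisco
! List 44: the DMZ prefix is refused, everything else is advertised. When a
! standard list is used as a route filter it is matched against the route's
! network number, not against packet sources.
access-list 44 deny   16.2.2.0 0.0.0.255
access-list 44 permit any
!
! List 45: never accept a route for the corporate range from the DMZ side, so a
! compromised DMZ host running RIP cannot pull corporate traffic toward itself.
access-list 45 deny   16.1.0.0 0.0.255.255
access-list 45 permit any
!
router rip
 network 16.0.0.0
 ! outbound: updates sent out e0/0 never carry 16.2.2.0
 distribute-list 44 out Ethernet0/0
 ! inbound: updates received on e0/1 cannot inject 16.1.0.0/16
 distribute-list 45 in Ethernet0/1
!
! Verify: "show ip protocols" lists the outgoing and incoming update filters per
! interface; "show ip route rip" on the corporate-LAN neighbor must not show 16.2.2.0.
```

The inbound filter is the more important of the two from a security standpoint: an outbound filter hides a prefix, an inbound filter stops an untrusted neighbor from steering traffic.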
Access Lists to Mitigate Threats
Access lists can be used to mitigate many threats, including the following:
IP address spoofing: inbound
IP address spoofing: outbound
Denial of service (DoS) TCP SYN attacks: blocking external attacks
DoS TCP SYN attacks: using TCP Intercept
DoS smurf attacks
Filtering ICMP messages: inbound
Filtering ICMP messages: outbound
Filtering traceroute
IP Address Spoof Mitigation: Inbound
As a rule, do not allow any IP packets containing the source address of any internal hosts or
networks, inbound to a private network. The figure shows access list 150 for router R2. In this
example, any packets containing the following IP addresses in their source field will be denied:
Denies any addresses from the internal 16.2.1.0 network
Denies any local host addresses (127.0.0.0/8)
Denies any reserved private addresses (RFC 1918)
Denies any addresses in the IP multicast address range (224.0.0.0/4)
This access list is applied inbound to the external interface (e0/0) of router R2.
IP Address Spoof Mitigation: Outbound
Be a good citizen and prevent your network from being spoofed.
As a rule, you should not allow any outbound IP packets with a source address other than a
valid IP address of the internal network.
The example in the figure shows access list 105 for router R2. This access list permits only
those packets that contain source addresses from the 16.2.1.0/24 network and denies all others.
This access list is applied inbound to the inside interface (e0/1) of router R2.
Note Cisco routers running Cisco IOS Software Release 12.0 and later may use IP Unicast
Reverse Path Forwarding (RPF) verification as an alternative IP address spoof mitigation
mechanism.
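Both directions of spoof filtering for R2, following the two lists described above, as an added example (not a course figure). The 0.0.0.0/8 line, the position of the permit statements and the uRPF alternative are assumed additions.

```cisco
! ----- Inbound on the outside interface: list 150 -----
! Packets arriving from the Internet must not claim an inside, loopback,
! unspecified, RFC 1918 or multicast source. "log" records every hit.
access-list 150 deny   ip 16.2.1.0 0.0.0.255 any log
access-list 150 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny   ip 224.0.0.0 15.255.255.255 any log
! ... the permit statements for legitimate inbound traffic follow here ...
access-list 150 deny   ip any any log
interface Ethernet0/0
 ip access-group 150 in
!
! ----- Egress (outbound) filtering on the inside interface: list 105 -----
! Applied "in" on e0/1 so a forged packet is dropped as it arrives from the LAN,
! before it is routed or reaches any other interface. Only the real inside
! prefix may appear as a source.
access-list 105 permit ip 16.2.1.0 0.0.0.255 any
access-list 105 deny   ip any any log
interface Ethernet0/1
 ip access-group 105 in
!
! ----- Unicast RPF in place of list 105 (Release 12.0 and later, CEF required) -----
! A packet is dropped unless the route to its source address points back out the
! interface it arrived on, so nothing has to be edited when inside subnets change.
ip cef
interface Ethernet0/1
 ip verify unicast reverse-path
!
! Verify: "show ip interface Ethernet0/1" reports the uRPF drop counter;
! list hits appear in "show access-lists 150" and in the log.
```

Strict uRPF as shown is only safe on interfaces with symmetric routing; on an interface where return traffic may legitimately arrive by a different path it drops good packets, and the explicit list 105 is the better choice there.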
DoS TCP SYN Attack Mitigation: Blocking External Attacks
TCP SYN attacks involve sending large numbers of TCP SYN packets from a spoofed source
into the internal network, which results in the flooding of the TCP connection queues of the
receiving nodes.
The access list in the figure is designed to prevent inbound packets, with the SYN flag set, from
entering the router. However, the access list does allow TCP responses from the outside
network for TCP connections that originated on the inside network.
DoS TCP SYN Attack Mitigation: Using TCP Intercept
TCP Intercept is a very effective tool for protecting internal network hosts from external TCP
SYN attacks.
TCP Intercept protects internal hosts from SYN flood attacks by intercepting and validating
TCP connection requests before they reach the hosts. Valid connections (those connections
established within the configured thresholds) are passed on to the host. Invalid connection
attempts are dropped.
Note Because TCP Intercept examines every TCP connection attempt, TCP Intercept can impose
a performance burden on your routers. Always test for any performance problems before
using TCP Intercept in a production environment.
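The two SYN-flood defenses above, as an added example for R2 (not a course figure); the list numbers, the interface placement and the threshold values are assumed.

```cisco
! ----- Filter only: the "established" keyword -----
! Matches TCP packets that have ACK or RST set, i.e. anything but a bare SYN, so
! connections can be opened from the inside but not from the outside.
access-list 106 permit tcp any 16.2.1.0 0.0.0.255 established
access-list 106 deny   tcp any 16.2.1.0 0.0.0.255 log
interface Ethernet0/0
 ip access-group 106 in
!
! ----- TCP Intercept -----
! List 110 selects the connections to intercept (here: anything to the inside LAN).
! In intercept mode the router answers the SYN itself, completes the handshake
! with the client, and only then opens the connection to the real server, so
! half-open attempts never reach the hosts. Above the "high" thresholds it goes
! into aggressive mode (timeouts halved, the oldest half-open connection dropped
! for each new SYN) until the counts fall back below "low".
access-list 110 permit tcp any 16.2.1.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random
!
! Router# show tcp intercept connections
! Router# show tcp intercept statistics
```

The established check is stateless: it looks only at the flag bits of each packet, so it does not stop ACK floods or ACK-based port scans, and it refuses every inbound connection attempt to 16.2.1.0/24, legitimate ones included. TCP Intercept is the tool to use when inside hosts must accept connections from outside.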
DoS Smurf Attack Mitigation
[Figure: R2 with e0/0 16.1.1.2 and e0/1 16.2.1.1 (Remote Access LAN 16.2.1.0/24).]
Smurf attacks consist of large numbers of ICMP echo requests sent to the directed broadcast
address of a subnet, with the source address spoofed to that of the victim. A router that
forwards directed broadcasts delivers each request to every host on that subnet, and every host
answers the victim, so the attacker's traffic is multiplied by the number of hosts and the
network and the victim both suffer. The access list shown in the figure prevents this forwarding
and halts the smurf attack.
The access list in the figure blocks all IP packets originating from any host destined for the
subnet broadcast addresses specified (16.2.1.255 and 16.2.1.0).
Note Cisco IOS Software Releases 12.0 and later now have the no ip directed-broadcast feature
enabled by default, which prevents this type of ICMP attack. Therefore, you may not need to
build an ACL as shown here.
Filtering ICMP Messages: Inbound
Several ICMP message types can be used against your network. Programs use some of these
messages; others are used for network management and so are automatically generated by the
router.
ICMP echo packets can be used to discover subnets and hosts on the protected network and can
also be used to generate DoS floods. ICMP redirect messages can be used to alter host routing
tables. Both ICMP echo and redirect messages should be blocked inbound by the router.
The access list statement shown in the figure blocks all ICMP echo and redirect messages. As
an added safety measure, this access list also blocks mask-request messages. All other ICMP
messages inbound to the 16.2.1.0/24 network are allowed.
Filtering ICMP Messages: Outbound
The following ICMP messages are required for proper network operation and should be
allowed outbound:
Echo: Allows users to ping external hosts
Parameter problem: Informs host of packet header problems
Packet too big: Required for packet maximum transmission unit (MTU) discovery
Source quench: Throttles down traffic when necessary
As a rule, you should block all other ICMP message types outbound.
The access list shown in the figure permits all of the required ICMP messages outbound while
denying all others.
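The smurf and ICMP filters described in the three topics above, as an added example for R2 (not a course figure); the list numbers and the position of these lines within the complete lists are assumed.

```cisco
! ----- Smurf -----
! Nothing from outside may be addressed to the subnet broadcast of 16.2.1.0/24,
! and the interface on that subnet must not forward directed broadcasts at all.
access-list 107 deny   ip any host 16.2.1.255 log
access-list 107 deny   ip any host 16.2.1.0 log
!
! ----- ICMP inbound -----
! echo (probing, ping floods), redirect (rewrites host routing tables) and
! mask-request (subnet mapping) are dropped. Every other ICMP type to the inside
! LAN is allowed, which keeps echo-reply, unreachable, time-exceeded and
! packet-too-big flowing for the inside hosts' own pings, traceroutes and PMTUD.
access-list 107 deny   icmp any any echo log
access-list 107 deny   icmp any any redirect log
access-list 107 deny   icmp any any mask-request log
access-list 107 permit icmp any 16.2.1.0 0.0.0.255
! ... remaining inbound policy ...
access-list 107 deny   ip any any log
!
! ----- ICMP outbound (applied "in" on the inside interface) -----
! packet-too-big is type 3 code 4, so it must be permitted before any line that
! denies "unreachable" as a whole, or PMTU discovery toward the inside breaks.
access-list 108 permit icmp 16.2.1.0 0.0.0.255 any echo
access-list 108 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
access-list 108 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
access-list 108 permit icmp 16.2.1.0 0.0.0.255 any source-quench
access-list 108 deny   icmp any any log
! ... remaining outbound policy ...
!
interface Ethernet0/0
 ip access-group 107 in
interface Ethernet0/1
 no ip directed-broadcast
 ip access-group 108 in
```

no ip directed-broadcast belongs on the interface attached to the target subnet (e0/1 here), because that is the interface that would turn the directed broadcast into a link-layer broadcast. Source quench has since been deprecated (RFC 6633) and current hosts ignore it, so on a modern network the source-quench line is harmless but no longer needed.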
Filtering UDP Traceroute Messages
R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 120 in
R2(config-if)# end
R2(config)# access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
R2(config)# interface e0/1
R2(config-if)# ip access-group 121 in
R2(config-if)# end
R2(config)# interface e0/0
R2(config-if)# ip access-group 121 out
R2(config-if)# end
Traceroute displays the IP addresses of the routers that a packet encounters along its path
(hops) from source to destination. The UNIX-style traceroute sends UDP probes to
high-numbered ports with increasing TTL values and reads the ICMP time-exceeded and
port-unreachable responses that come back; attackers can use those responses to discover
subnets and hosts on the protected network.
As a rule, you should block inbound and outbound traceroute UDP probes (UDP ports 33400
to 34400) as shown in the figure. Note that in the figure list 120 denies the probes arriving on
e0/0, while list 121 permits and logs the probes sourced from 16.2.1.0/24; if the policy is to
block outbound probes as well, the permit in list 121 should be a deny.
DDoS Attack Mitigation
Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of
occurrences by building access lists that filter known attack ports. The following pages explain
how to block DDoS agents including Trin00, Stacheldraht, Trinity v3 and SubSeven by
blocking selected ports. These access list rules are generally applied to inbound and outbound
traffic between the protected network and the Internet.
A DDoS attack compromises several hundred to several thousand hosts. The hosts are usually
Linux and SUN computers. However, the attack tools can be ported to other platforms as well.
The process of compromising a host and installing the tool is automated. A DDoS attack
proceeds as follows:
Step 1 The attacker initiates a scan phase in which a large number of hosts (on the order of
100,000 or more) are probed for a known vulnerability.
Step 2 The attacker compromises the vulnerable hosts to gain access.
Step 3 The attacker installs the tool on each host.
Step 4 The attacker uses the compromised hosts for further scanning and compromises.
Because an automated process is used, attackers can compromise and install the tool on a single
host in under 5 seconds and then several thousand hosts can be compromised in under an hour.
DDoS Attack Mitigation: Trin00
Trin00 (also written Trinoo) is a distributed DoS tool; its attack method is a UDP flood. A
Trin00 network sets up communications between the attacker, the handlers (masters) and the
agents (daemons) using the following ports:
1524 tcp (root shell left on the compromised host during installation)
27665 tcp (attacker to handler)
27444 udp (handler to agent)
31335 udp (agent to handler)
The mitigation tactic for the Trin00 attack, as well as for the other DoS attacks considered in
this topic, is to block both interfaces in the in direction. The goal is to prevent infected outside
systems from sending messages to our network, and to prevent any infected internal systems
from sending messages out of our network to the vulnerable ports.
For example, in the figure, the command access-list 190 deny tcp any any eq 27665 log
translates to access list number 190 will deny any tcp traffic going from any network to any
network which has the port equivalent to 27665 and this will be logged.
If you want to be specific about the inside and outside networks, specify them in the source
and destination fields instead of any. For example, if the inside network is 10.0.1.0/24 and you
want to block this traffic leaving the inside network toward the Internet, the command would be
access-list 190 deny tcp 10.0.1.0 0.0.0.255 any eq 27665 log.
However, you must consider that blocking these ports may have an impact on regular network
users as they block some high port numbers that may be used by legitimate network clients.
You may wish to wait to block these port numbers until a particular threat presents itself.
DDoS Attack Mitigation: Stacheldraht
Stacheldraht is a DDoS tool that appeared in the late summer of 1999 and combines features
of Trinoo and Tribe Flood Network (TFN). Stacheldraht also contains some advanced features,
such as encrypted attacker-to-handler communication and automated agent updates. The
possible attacks are similar to those of TFN; namely, ICMP flood, SYN flood, UDP flood, and
smurf attacks.
A Stacheldraht attack sets up communication between clients, handlers and agents using the
following ports:
16660 tcp
65000 tcp
ICMP ECHO
ICMP ECHO REPLY
Note The ports listed above are the default ports for this tool. Use these ports for orientation and
example only, because the port numbers can easily be changed.
This figure shows an example that mitigates a Stacheldraht DDoS attack by blocking traffic on
the following ports:
TCP 16660
TCP 65000
DDoS Attack Mitigation: Trinity v3
Trinity is capable of launching several types of flooding attacks on a victim site, including
UDP, fragment, SYN, RST, ACK, and other floods. Communication from the handler or
intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL. Trinity
appears to use primarily port 6667 and also has a backdoor program that listens on TCP port
33270.
This figure shows an example that mitigates a Trinity v3 DDoS attack by blocking traffic on
the following ports:
TCP 33270
TCP 39168
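The port blocks for the three tools above in one list, as an added example for R2 (not a course figure). The Trin00 port roles come from the published analysis of the tool; list number 190 (shared with the SubSeven list that follows) and the final permit are assumed.

```cisco
! ----- Trin00 -----
! attacker -> handler 27665/tcp, handler -> agent 27444/udp, agent -> handler 31335/udp;
! 1524/tcp is the root shell the installer leaves on a compromised host.
access-list 190 deny tcp any any eq 1524 log
access-list 190 deny tcp any any eq 27665 log
access-list 190 deny udp any any eq 27444 log
access-list 190 deny udp any any eq 31335 log
!
! ----- Stacheldraht -----
! attacker -> handler 16660/tcp, handler -> agent 65000/tcp. The agent -> handler
! channel is ICMP echo-reply, which a port filter cannot single out; it is caught
! only by an ICMP policy that drops echo/echo-reply where they are not needed.
access-list 190 deny tcp any any eq 16660 log
access-list 190 deny tcp any any eq 65000 log
!
! ----- Trinity v3 -----
! 33270/tcp backdoor, 39168/tcp, and IRC on 6667/tcp for handler -> agent commands.
access-list 190 deny tcp any any eq 33270 log
access-list 190 deny tcp any any eq 39168 log
access-list 190 deny tcp any any eq 6667 log
!
! In a stand-alone list everything else passes; in the combined lists at the end
! of this lesson the rest of the policy takes the place of this line.
access-list 190 permit ip any any
!
! "in" on both interfaces: outside handlers cannot reach inside agents, inside
! agents cannot reach out, and the log tells you which inside host is infected.
interface Ethernet0/0
 ip access-group 190 in
interface Ethernet0/1
 ip access-group 190 in
```

These lines match destination ports only, exactly as the text's own example does; they say nothing about source ports, and, as the note above warns, every one of these numbers can be changed by the attacker. Treat the log hits as an indicator that a host needs cleaning, not as the defense itself.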
DDoS Attack Mitigation: SubSeven
R2(config)# access-list 190 deny tcp any any range 6711 6712 log
R2(config)# access-list 190 deny tcp any any eq 6776 log
R2(config)# access-list 190 deny tcp any any eq 6669 log
R2(config)# access-list 190 deny tcp any any eq 2222 log
R2(config)# access-list 190 deny tcp any any eq 7000 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end
Depending on the version, an attacker will try to exploit ports 1243, 1999, 2773, 2774, 6667,
6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, 54283. The figure shows an
example that mitigates a SubSeven DDoS attack by blocking traffic on the following ports:
TCP range 6711 to 6712
TCP 6776
TCP 6669
TCP 2222
TCP 7000
[Figure: the reference network topology shown earlier in this lesson (R2 with e0/0 16.1.1.2 and e0/1 16.2.1.1, R1, R3, R4 and the DMZ hosts).]
This is an example of a possible configuration for router R2 in our reference network. This
partial configuration file contains several access lists that cover most of the access list
features already explained in this lesson. View this partial configuration as an example of how
to integrate multiple access list policies into a few main router access lists.
Note that two of the permits in list 126 rely on fields the sender controls: the established line
admits any outside TCP packet that has ACK or RST set, and the eq 53 line admits any UDP
packet whose source port is 53. A scanner that sets the ACK bit, or sends from source port 53,
passes both lines; they are convenience rules, not a stateful check, and CBAC or a firewall is
the stronger option where that matters.
The following partial configuration file shows how to combine many access list functions into
two or three larger access lists.
!
hostname R2
!
interface Ethernet0/0
 ip address 16.1.1.2 255.255.0.0
 ip access-group 126 in
!
interface Ethernet0/1
 ip address 16.2.1.1 255.255.255.0
 ip access-group 128 in
!
router ospf 44
 network 16.1.0.0 0.0.255.255 area 0
 network 16.2.1.0 0.0.0.255 area 1
!
! Access list 80 applies to SNMP hosts allowed to access this router
no access-list 80
access-list 80 permit host 16.2.1.2
access-list 80 permit host 16.2.1.3
!
! Access list 126 applies to traffic flowing from external networks to the
! internal network or to the router itself
no access-list 126
access-list 126 deny ip 16.2.1.0 0.0.0.255 any log
access-list 126 deny ip host 16.1.1.2 host 16.1.1.2 log
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 10.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
access-list 126 deny ip any host 16.2.1.255 log
access-list 126 deny ip any host 16.2.1.0 log
access-list 126 permit tcp any 16.2.1.0 0.0.0.255 established
access-list 126 deny icmp any any echo log
access-list 126 deny icmp any any redirect log
access-list 126 deny icmp any any mask-request log
access-list 126 permit icmp any 16.2.1.0 0.0.0.255
access-list 126 permit ospf 16.1.0.0 0.0.255.255 host 16.1.1.2
access-list 126 deny tcp any any range 6000 6063 log
access-list 126 deny tcp any any eq 6667 log
access-list 126 deny tcp any any range 12345 12346 log
access-list 126 deny tcp any any eq 31337 log
access-list 126 permit tcp any eq 20 16.2.1.0 0.0.0.255 gt 1023
access-list 126 deny udp any any eq 2049 log
access-list 126 deny udp any any eq 31337 log
access-list 126 deny udp any any range 33400 34400 log
access-list 126 permit udp any eq 53 16.2.1.0 0.0.0.255 gt 1023
access-list 126 deny tcp any range 0 65535 any range 0 65535 log
access-list 126 deny udp any range 0 65535 any range 0 65535 log
access-list 126 deny ip any any log
!
! Access list 128 applies to traffic flowing from the internal network
! to external networks or to the router itself
no access-list 128
Caveats
This topic explains some of the caveats to be considered when creating access lists.
Statement: Caveat
Implicit deny all: You may not see this statement, but it does exist.
Standard access list limitation: You may need to create extended access lists to implement security policies.
Statement evaluation order: Access list statements are evaluated from the top down, so always consider the order of the statements.
Order of access list statements: Place more specific access list statements higher in the access list. Ensure statements at the top of the access list do not negate any statements found lower in the list.
Directional filtering: Always double-check the direction (inbound or outbound) of data that your access list is filtering.
There are several caveats to consider when working with access lists:
Implicit deny all: All Cisco access lists end with an implicit deny all statement. Although
you may not actually see this statement in your access lists, it does exist, and any packet that
matches no explicit statement is dropped.
Standard access list limitation: Because standard access lists are limited to packet
filtering on source addresses only, you may need to create extended access lists to
implement your security policies.
Statement evaluation order: Access list statements are evaluated in a sequential (top
down) order starting with the first entry in the list. This process means that it is very
important to consider the order in which you place statements in your access lists.
Specific statements: Certain access list statements are more specific than others and
therefore should be placed higher in the access list. For example, blocking all UDP traffic
at the top of the list negates the blocking of SNMP packets lower in the list. Take care
that statements at the top of the access list do not negate any statements found lower
in the list.
Directional filtering: Cisco access lists have a directional filter that determines whether
they examine inbound packets (toward the interface) or outbound packets (away from the
interface). Always double-check the direction of data that your access list is filtering.
Statement / Caveat
Modifying numbered access lists: Adding new statements may require a new access list to be created.
Special packets: If filtering router generated packets is part of the security policy, then they must be acted upon by inbound access lists on adjacent routers or through other router filter mechanisms using ACLs.
Extended access list placement: Always consider placing extended access lists on routers as close as possible to the source being filtered.
Standard access list placement: Always place standard access lists as close to the destination as possible.
Adding statements: New statements added to an existing access list are always appended
to the bottom of the access list. Because of the inherent top down statement evaluation
order of access lists, these new entries may render the access list unusable. In these cases, a
new access list must be created (with the correct statement ordering). Delete the old access
list and assign the new access list to the router interface.
Special packets: Router-generated packets, such as routing table updates, are not subject to
outbound access list statements on the source router. If filtering these types of packets is
part of your security policy, then they must be acted upon by inbound access lists on
adjacent routers or through other router filter mechanisms using ACLs.
Extended access list placement: Extended access lists that are placed on routers too far
from the source being filtered can adversely impact packets flowing to other routers and
interfaces. Always consider placing extended access lists on routers as close as possible to
the source being filtered.
Standard access list placement: Because standard access lists filter packets based on the
source address, placing these access lists too close to the source can adversely impact
packets destined to other destinations. Always place standard access lists as close to the
destination as possible.
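The first-match and shadowing behaviour described in these caveats, as an added example that is not part of the course: a small Python evaluator for extended IP access lists that applies statements top down with the implicit deny all, and reports statements that an earlier statement makes unreachable. SAMPLE_ACL is constructed; only ip/tcp/udp with any, host and wildcard addresses and the eq/gt/lt/range port operators are handled.

```python
"""Top-down, first-match evaluation of a Cisco IOS extended IP access list plus
a check for statements that an earlier statement shadows.  Added example; the
sample ACL below is constructed and is not one of the course's access lists."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)   # inclusive port range meaning "no port restriction"

@dataclass
class Ace:              # one access-list statement
    action: str         # "permit" or "deny"
    proto: str          # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Tuple[int, int]
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int]
    text: str           # original statement, kept for reporting

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """A Cisco wildcard mask is an inverted subnet mask (0 bits must match);
    only contiguous wildcards are handled, ipaddress rejects the rest."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _parse_addr(tok: List[str], i: int):
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def _parse_ports(tok: List[str], i: int):
    """Optional eq/gt/lt/range operator -> inclusive (low, high) range."""
    if i >= len(tok) or tok[i] not in ("eq", "gt", "lt", "range"):
        return ANY_PORT, i
    op, n = tok[i], int(tok[i + 1])
    if op == "eq":
        return (n, n), i + 2
    if op == "gt":
        return (n + 1, 65535), i + 2
    if op == "lt":
        return (0, n - 1), i + 2
    return (n, int(tok[i + 2])), i + 3

def parse_ace(line: str) -> Optional[Ace]:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None     # comments, "no access-list ...", blank lines
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_ports(tok, i)   # a trailing "log" is simply ignored
    return Ace(tok[2], tok[3], src, sport, dst, dport, line.strip())

def parse_acl(text: str) -> List[Ace]:
    return [a for a in map(parse_ace, text.splitlines()) if a]

def matches(ace: Ace, proto: str, src: str, dst: str, sport: int, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ipaddress.IPv4Address(src) in ace.src
            and ipaddress.IPv4Address(dst) in ace.dst
            and ace.sport[0] <= sport <= ace.sport[1]
            and ace.dport[0] <= dport <= ace.dport[1])

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, sport: int, dport: int):
    """Statements are tried in order and the first match decides; a packet that
    matches nothing hits the implicit deny all at the end of every ACL."""
    for ace in acl:
        if matches(ace, proto, src, dst, sport, dport):
            return ace.action, ace.text
    return "deny", "<implicit deny all>"

def covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a, so b placed after a is dead."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport[0] <= b.sport[0] <= b.sport[1] <= a.sport[1]
            and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1])

def shadowed(acl: List[Ace]) -> List[Tuple[str, str]]:
    """(dead statement, earlier statement that shadows it) pairs."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if covers(earlier, later):
                dead.append((later.text, earlier.text))
                break
    return dead

# Constructed sample: the broad UDP deny at the top makes the SNMP deny below it
# and the DNS-reply permit appended at the bottom unreachable.
SAMPLE_ACL = """\
access-list 120 deny udp any any log
access-list 120 deny udp any any eq 161 log
access-list 120 permit tcp any 16.2.1.0 0.0.0.255 eq 22
access-list 120 permit udp any eq 53 16.2.1.0 0.0.0.255 gt 1023
"""
```

Running shadowed(parse_acl(SAMPLE_ACL)) reports the two dead statements together with the first statement that shadows each.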
Summary
This topic summarizes the key points discussed in this lesson.
Standard, extended, enhanced, named and numbered access lists can be created.
There are basic and simple rules to be followed when creating access lists.
Access lists must be applied based on the direction of the data flow.
Access lists can be used to filter traffic to mitigate security threats.
Access lists can be used to filter traffic and mitigate several common threats.
Access lists can be used to mitigate DDoS attacks.
Many access list functions can be combined into two or three larger access lists.
There are many caveats to be considered when creating access lists.
© 2005 Cisco Systems, Inc. All rights reserved. SND v1.02-31
Q1) Which two of the following access list numbers represent a Standard IP access list? (Choose two.) (Source: Cisco Access Lists)
A) 1 to 99
B) 100 to 199
C) 1300 to 1999
D) 2000 to 2699
Q2) Explain what the command statement access-list 10 permit 192.168.3.0 0.0.0.255 does. (Source: Cisco Access Lists)
Q3) Explain what the command statement access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80 does. (Source: Cisco Access Lists)
Q4) List the four types of enhanced access lists. (Source: Applying Access Lists to Router Interfaces)
Lesson Self-Check Answer Key
Q1) A, C
Q2) This standard access list command statement allows traffic from all addresses in the range 192.168.3.0 to 192.168.3.255.
Q3) This extended access list command statement says that ACL 101 will permit traffic originating from any address on the 63.36.9.0/24 network to any destination host port 80 (http).
Implementing Secure Management and Reporting
Overview
This lesson describes how to securely implement the management and reporting features of
syslog, Secure Shell (SSH) and Simple Network Management Protocol version 3 (SNMPv3).
Objectives
Upon completing this lesson, you will be able to securely implement management and
reporting features of syslog, SSH and SNMPv3. This ability includes being able to meet these
objectives:
Describe the factors you must consider when planning the secure management and
reporting configuration of network devices
Describe the factors that affect the architecture of secure management and reporting in
terms of in-band and out-of-band information paths
Describe the steps used to configure an SSH server for secure management and reporting
Describe how the syslog function plays a key role in network security
Describe how to configure syslog on Cisco routers using syslog router commands
Describe the security features of SNMPv3
Describe how to configure SNMPv3 on a Cisco IOS router or switch
Secure Management and Reporting Planning Considerations
This topic explains the factors you must consider when planning the secure management and
reporting configuration of network devices.
Configuring logging for your Cisco routers is a straightforward operation when your network
contains only a few Cisco routers. However, logging and reading information from hundreds of
devices can prove to be a challenging proposition and can raise the following important
questions.
Which logs are most important?
How do you separate important messages from mere notifications?
How do you ensure that logs are not tampered with in transit?
How do you ensure your time stamps match each other when multiple devices report the
same alarm?
What information is needed if log data is required for a criminal investigation?
How do you deal with the volume of messages that can be generated by a large network?
Securing administrative access and device configurations is also a straightforward operation for
smaller Cisco router networks. However, managing administrative access and device
configurations for many more devices can raise questions such as the following:
How do you securely manage many devices in many locations?
How can you track and troubleshoot changes on devices when attacks or network failures
occur?
Each of these issues is specific to your needs. To identify the priorities of reporting and
monitoring, input from management as well as from the network and security teams is required.
The implemented security policy should also play a large role in answering these questions.
From a reporting standpoint, most networking devices can send syslog data that can be
invaluable when you are troubleshooting network problems or security threats. You can send
this data to your syslog analysis host from any device whose logs you wish to view. This data
can be viewed in real time or on demand and in scheduled reports. Depending on the device
involved, you can choose various logging levels to ensure that the correct amount of data is
sent to the logging device. You must also flag device log data within the analysis software to
permit granular viewing and reporting. For example, during an attack, the log data provided by
Layer 2 switches might not be as interesting as the data provided by the intrusion detection
system (IDS).
To ensure that log messages are time-synchronized to one another, clocks on hosts and network
devices must be synchronized. For devices that support it, Network Time Protocol (NTP)
provides a way to ensure that accurate time is kept on all devices. When you are dealing with
an attack, seconds matter, because it is important to identify the order in which a specified
attack occurred.
[Figure: management module. Labels: Syslog Server, Access Control Server and System Admin Host on the management segment; Cisco IOS Firewall with VPN; Encrypted In-Band Network Management (VPN); Production Network]
The figure shows a management module with two network segments separated by a Cisco IOS
router that acts as a firewall and a virtual private network (VPN) termination device. The
segment outside the firewall connects to all the devices that require management. The segment
inside the firewall contains the management hosts themselves and the Cisco IOS routers that act
as terminal servers.
Information flow between management hosts and the managed devices can take two paths:
Out-of-band (OOB): Information flows within a network on which no production traffic
resides.
In-band: Information flows across the enterprise production network or the Internet (or
both).
The connection to the production network is only provided for selective Internet access, limited
in-band management traffic, and IPSec-protected management traffic from predetermined
hosts. In-band management occurs only when a management application itself does not
function out-of-band or when the Cisco device being managed does not physically have enough
interfaces to support the normal management connection. It is this latter case that employs
IPSec tunnels. The Cisco IOS firewall is configured to allow syslog information into the
management segment, as well as Telnet, SSH, and SNMP, if these services are first initiated by
the inside network.
Both management subnets operate under an address space that is completely separate from the
rest of the production network. This practice ensures that the management network is not
advertised by any routing protocols and it enables the production network devices to block any
traffic from the management subnets that appears on the production network links.
Any in-band management or Internet access occurs through a Network Address Translation
(NAT) process on the Cisco IOS router that translates the nonroutable management IP
addresses to previously determined production IP address ranges.
The management module provides configuration management for nearly all devices in the
network using two primary technologies:
Cisco IOS routers acting as terminal servers: The routers provide a reverse Telnet function
to the console ports on the Cisco devices throughout the enterprise.
Dedicated management network segment: More extensive management features (software
changes, content updates, log and alarm aggregation, and SNMP management) are
provided through the dedicated management network segment.
Because the management network has administrative access to nearly every area of the
network, it can be a very attractive target to hackers. The management module has been built
with several technologies designed to mitigate those risks. The first primary threat is a hacker
attempting to gain access to the management network itself. This threat can be mitigated only
through the effective deployment of security features in the remaining modules in the
enterprise. All the remaining threats assume that the primary line of defense has been breached.
To mitigate the threat of a compromised device, access control is implemented at the firewall,
and at every other possible device, to prevent exploitation of the management channel. A
compromised device cannot even communicate with other hosts on the same subnet because
private virtual local-area networks (VLANs) on the management segment switches force all
traffic from the managed devices directly to the Cisco IOS firewall, where filtering takes place.
Password sniffing reveals only useless information because of the one-time password (OTP)
environment. Use SNMPv3 where possible, since SNMPv3 supports authentication and
encryption.
SNMP management has its own set of security needs. Keeping SNMP traffic on the
management segment allows the traffic to traverse an isolated segment when it pulls
management information from devices. In Cisco self-defending network topology, SNMP
management pulls information only from devices rather than being allowed to push changes.
To ensure management information is pulled, each device is configured with a read-only
string. You may configure SNMP read-write when using an OOB network, but be aware of
the increased security risk of a clear text string allowing modification of device configurations.
Proper aggregation and analysis of the syslog information is critical to the proper management
of a network. From a security perspective, syslog provides important information about security
violations and configuration changes. Depending on the device in question, different levels of
syslog information might be required. Having full logging with all messages sent might provide
too much information for an individual or syslog analysis algorithm to sort. Logging for the
sake of logging does not improve security.
[Figure: secure management and reporting architecture. Labels: Syslog Server, Access Control Server, Cisco IOS Firewall with VPN, Encrypted In-Band Network Management (VPN), Production Network]
Network administrators need to securely manage all devices and hosts in the network. Logging
and reporting information flow from the devices to the management hosts, while content,
configurations, and new software, flow to the devices from the management hosts.
From an architectural perspective, providing OOB management of network systems is the best
first step in any management and reporting strategy. Devices should have a direct local
connection to such a network where possible, and where impossible (because of geographic or
system-related issues), the device should connect via a private encrypted tunnel over the
production network. Such a tunnel should be preconfigured to communicate only across the
specific ports required for management and reporting. The tunnel should also be locked down
so that only appropriate hosts can initiate and terminate tunnels.
OOB management is not always desirable. Often the decision depends on the type of
management application that you are running and the protocols that are required. For example,
consider a management tool whose goal is determining the reachability of all the devices on the
production network. If a critical link failed between two core switches, you would want this
management console to alert an administrator. If this management application is configured to
use an OOB network, it may never determine that the link has failed, because the OOB network
makes all devices appear to be attached to a single network. With management applications
such as these, it is preferable to run the management application in-band. In-band management
needs to be configured in as secure a manner as possible. Often in-band and OOB management
can be configured from the same management network, provided there is a firewall between the
management hosts and the devices needing management.
In-Band Management Considerations
When in-band management of a device is required, you should consider the following
questions:
What management protocols does the device support? Devices with IPSec should be
managed by simply creating a tunnel from the management network to the device. This
setup allows many insecure management protocols to flow over a single encrypted tunnel.
When IPSec is not possible because it is not supported on a device, other, less secure
options must be chosen. For configuration of the device, SSH or Secure Sockets Layer
(SSL) can often be used instead of Telnet to encrypt any configuration modifications made
to a device. These protocols can sometimes also be used to push and pull data to a device
instead of insecure protocols such as TFTP and FTP. Often, however, TFTP is required on
Cisco equipment to back up configurations or to update software versions. This fact leads
to the second question.
Does this management channel need to be active at all times? If not, temporary holes
can be placed in a firewall while the management functions are performed and then later
removed. This process does not scale with large numbers of devices, however, and should
be used sparingly, if at all, in enterprise deployments. If the channel needs to be active at all
times, such as with SNMP, the third question should be considered.
Do you really need this management tool? Often, SNMP managers are used on the inside
of a network to ease troubleshooting and configuration. However, SNMP should be treated
with the utmost care because the underlying protocol has its own set of security
vulnerabilities. If SNMP is required, consider providing read-only access to devices via
SNMP, and treat the SNMP community string with the same care you might use for a root
password on a critical UNIX host. Know that by introducing SNMP into your production
network, you are introducing a potential vulnerability into your environment. And finally,
if you do need the tool, use SNMPv3 authentication and encryption features.
The figure outlines guidelines for out-of-band and in-band management of the architecture.
As a general rule, OOB management is appropriate for large enterprise networks. In smaller
networks, in-band management is recommended as a means of achieving a more cost-effective
security deployment. In such architectures, management traffic flows in-band in all cases and is
made as secure as possible using tunneling protocols and secure variants to insecure
management protocols (for example, SSH is used whenever possible instead of Telnet).
NTP is used to synchronize the clocks of various devices across a network. Synchronization of
the clocks within a network is critical for digital certificates and for correct interpretation of
events within syslog data. A secure method of providing clocking for the network is for
network administrators to implement their own master clocks. The private network should then
be synchronized to Coordinated Universal Time (UTC) via satellite or radio. However, clock
sources are available that synchronize via the Internet for network administrators who do not
wish to implement their own master clocks because of cost or other reasons.
An attacker could attempt a denial of service (DoS) attack on a network by sending bogus NTP
data across the Internet in an attempt to change the clocks on network devices in such a manner
that digital certificates are considered invalid. Further, an attacker could attempt to confuse a
network administrator during an attack by disrupting the clocks on network devices. This
scenario would make it difficult for the network administrator to determine the order of syslog
events on multiple devices.
NTP version 3 and above supports a cryptographic authentication mechanism between peers.
The use of the authentication mechanism, as well as the use of access control lists (ACLs) that
specify which network devices are allowed to synchronize with other network devices, is
recommended to help mitigate such an attack.
The network administrator should weigh the cost benefits of pulling the clock time from the
Internet with the possible risk of doing so and allowing unsecured packets through the firewall.
Many NTP servers on the Internet do not require any authentication of peers. Therefore, the
network administrator must trust that the clock itself is reliable, valid, and secure. NTP uses
User Datagram Protocol (UDP) port 123.
Austin2# config t
Austin2(config)# ip domain-name cisco.com
Austin2(config)# crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)# ip ssh time-out 120
Austin2(config)# ip ssh authentication-retries 4
Austin2(config)# line vty 0 4
Austin2(config-line)# no transport input telnet
Austin2(config-line)# transport input ssh
Austin2(config-line)# end
Austin2#
Whenever possible, you should use SSH instead of Telnet to manage your Cisco routers. SSH
version 1 is supported in Cisco IOS Software Releases 12.1(1)T and later. SSH version 2 is
supported in Cisco IOS Software Releases 12.3(4)T and later. Cisco routers configured for SSH
act as SSH servers. You must provide an SSH client such as PuTTY, OpenSSH, or Tera Term
for the administrator workstation that you wish to use to configure and manage routers using
SSH.
Note Cisco routers operating at Cisco IOS Software Releases 12.1(3)T and later can act as SSH
clients as well as SSH servers. This means that you could initiate an SSH client-to-server
session from your router to a central SSH server system. SSH employs strong encryption to
protect the SSH client-to-SSH server session. Unlike Telnet, where anyone with a sniffer can
see exactly what you are sending and receiving to and from your routers, SSH encrypts the
entire session.
Complete the following tasks before configuring your routers for SSH server operations:
Ensure that the target routers are running an image from Cisco IOS Software Release
12.1(1)T or later and the IPSec feature set. Only Cisco IOS software images containing the
IPSec feature set support an SSH server.
Ensure that the target routers are configured for local authentication or authentication,
authorization and accounting (AAA) for username or password authentication or both.
Ensure that each of the target routers has a unique hostname.
Ensure that each of the target routers is using the correct domain name of your network.
Complete the following steps to configure your Cisco router to support SSH server:
Step 1 Configure the IP domain name using the ip domain-name command in global
configuration mode as shown in the figure and in the following example:
Austin2(config)# ip domain-name cisco.com
Step 2 Generate keys to be used with SSH by generating the Rivest, Shamir, and Adleman
(RSA) keys using the crypto key generate rsa command in global configuration
mode as shown in the figure and in the following example:
Austin2(config)# crypto key generate rsa general-keys modulus 1024
Note It is recommended that you use a minimum key length of modulus 1024.
Step 3 (Optional) Display the generated keys using the show crypto key mypubkey rsa
command (abbreviated in the figure as show cry key mypubkey rsa).
Step 4 Configure the time that the router waits for the SSH client to respond using the ip
ssh time-out command in global configuration mode as shown in the figure and in
the following example:
Austin2(config)# ip ssh time-out 120
Step 5 Configure the SSH retries using the ip ssh authentication-retries command in
global configuration mode as shown in the figure and in the following example:
Austin2(config)# ip ssh authentication-retries 4
Caution Be sure to disable Telnet transport input on all of the router vty lines or else the router will
continue to allow insecure Telnet sessions.
Step 6 Disable vty inbound Telnet sessions as shown in the figure and in the following
example:
Austin2(config)# line vty 0 4
Austin2(config-line)# no transport input telnet
Step 7 Enable vty inbound SSH sessions as shown in the figure and in the following
example:
Austin2(config-line)# transport input ssh
Austin2(config-line)# end
Austin2#
The SSH protocol is automatically enabled once you generate the SSH (RSA) keys as shown in
the figure. Once the keys are created, you may access the router SSH server using your SSH
client software.
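A configuration check for the prerequisites and steps above, added here as an example rather than Cisco's own tooling: it parses a running-config and reports every vty line that still accepts Telnet, plus any missing hostname, domain name, ip ssh time-out, ip ssh authentication-retries or login configuration. SAMPLE_CONFIG is constructed (hostname and domain taken from the figure), and a vty line with no transport input command is assumed to accept all transports.

```python
"""Audit a Cisco IOS running-config for the SSH server prerequisites and vty
hardening steps described above.  Added example (not Cisco's own tooling); the
config below is constructed, and vty lines with no "transport input" command
are assumed to accept every transport."""
from typing import Dict, List, Tuple

# Constructed sample: hostname/domain from the course figure, with one vty block
# still accepting Telnet alongside SSH.
SAMPLE_CONFIG = """\
hostname Austin2
ip domain-name cisco.com
ip ssh time-out 120
ip ssh authentication-retries 4
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and 'line ...' sections; the
    indented lines after a section header are that section's commands."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):           # sub-command of the current section
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:                             # any other global command ends a section
            current = None
            globals_.append(raw.strip())
    return globals_, sections

def audit_ssh(config: str) -> List[str]:
    """Return one finding per deviation from the SSH-only management baseline."""
    globals_, sections = parse_config(config)
    findings = []

    def has(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in globals_)

    hostname = next((c.split(None, 1)[1] for c in globals_ if c.startswith("hostname ")), "Router")
    if hostname == "Router":
        findings.append("hostname is still the default 'Router'; SSH needs a unique hostname")
    if not has("ip domain-name "):
        findings.append("ip domain-name not set; RSA key generation requires a domain name")
    if not has("ip ssh time-out "):
        findings.append("ip ssh time-out not set")
    if not has("ip ssh authentication-retries "):
        findings.append("ip ssh authentication-retries not set")
    aaa = has("aaa new-model")
    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        allowed = set(transport[-1].split()[2:]) if transport else {"all"}
        insecure = allowed - {"ssh", "none"}
        if insecure:
            findings.append(f"{name}: transport input still allows {sorted(insecure)}; use 'transport input ssh'")
        if not aaa and not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no login or login local configured")
    return findings
```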
The procedure for connecting to a Cisco router SSH server varies depending on the SSH client
application that you are using. Generally, the SSH client passes your username to the router
Using Syslog Logging for Network Security
This topic describes how the syslog function plays a key role in network security.
Implementing a router logging facility is an important part of any network security policy.
Cisco routers can log information regarding configuration changes, access list violations,
interface status, and many other types of events. Cisco routers can direct log messages to
several different facilities. You should configure the router to send log messages to one or more
of the following:
Console: Console logging is used when modifying or testing the router while it is
connected to the console. Messages sent to the console are not stored by the router, and
therefore are not very valuable as security events.
Terminal lines: Enabled EXEC sessions can be configured to receive log messages on any
terminal lines. Similar to console logging, this type of logging is not stored by the router
and therefore is only valuable to the user on that line.
Memory buffer: You may direct a router to store log messages in router memory. Buffered
logging is a bit more useful as a security tool, but has the drawback of having events
cleared whenever the router is booted.
Simple Network Management Protocol (SNMP) traps: Certain router events may be
processed by the router SNMP agent and forwarded as SNMP traps to an external SNMP
host. This is a viable security logging facility, but requires the configuration and
maintenance of an SNMP system.
Syslog: Cisco routers can be configured to forward log messages to an external syslog
service. This service may reside on any number of servers, including Microsoft Windows
and UNIX-based systems. Syslog is the most popular message logging facility because this
facility provides long-term log storage capabilities and a central location for all router
messages.
[Figure: syslog client router forwarding log messages to a syslog server. Label: User 16.2.3.3]
Syslog is a de facto standard for logging system events. As shown in the figure, syslog
implementations contain two types of systems:
Syslog servers: These systems are also known as log hosts. These systems accept and
process log messages from syslog clients.
Syslog clients: Syslog clients are routers or other types of Cisco equipment that generate
and forward log messages to syslog servers.
Note Performing forensics on router logs can become very difficult if your router clocks are not
running the proper time. It is recommended that you use an NTP facility to ensure all of your
routers are operating at the correct time.
Cisco Log Severity Levels
Cisco router log messages fall into one of eight levels as shown in the figure. The lower the
level number, the higher the severity level:
LOG_EMERG: A panic condition normally broadcast to all users. Example: Cisco IOS software could not load.
LOG_NOTICE: Conditions that are not error conditions but should possibly be handled specially. Example: Interface changed state, up or down.
Note When entering logging levels in commands in Cisco IOS Software Releases 11.3 and earlier,
you must specify the level name. Cisco IOS Software Releases 12.0 and later accept either the
level number or the level name, or both the number and the name.
[Figure: a router log message with its three parts labeled: Time Stamp; Log Message Name and Severity Level; Message Text]
Cisco router log messages contain the following three main parts:
Time stamp
Log message name and severity level
Message text
Note The log message name is not the same thing as a severity level name.
Configuring Syslog Logging
This topic describes how to configure syslog on Cisco routers using syslog router commands.
Configuring Syslog
[Figure: Router(config)# prompts for the logging, logging trap and logging facility commands described below]
Complete the following five steps to implement syslog on your Cisco routers:
Step 1 Configure log host(s): You must configure the router to send log messages to one or more
syslog servers (also known as log hosts). There is no maximum number of log hosts supported
by Cisco routers, but usually only one or two are needed. Log hosts are identified by their host
name or IP address.
Use the logging command in global configuration mode to set the destination (log) hosts as
shown in the figure.
Step 2 (Optional) Set the log severity (trap) level: This limits the messages sent to syslog
servers to those at the specified severity level or more severe (default is severity level 6).
Use the logging trap command in global configuration mode to set the severity (trap) level as
shown in the figure.
Step 3 (Optional) Set the syslog facility: Configure the syslog facility in which error
messages are sent. The eight commonly used syslog facility names for Cisco routers are local0
through local7 (default is facility local7).
Use the logging facility command in global configuration mode to set the syslog facility as
shown in the figure.
Configuring Syslog (Cont.)
[Figure: Router(config)# prompts for the logging source-interface and logging on commands]
Router(config)# logging on
Step 4 (Optional) Set the source interface: By default, syslog messages are sent with the IP
address of the interface through which they leave the router as their source. You should specify
a fixed source IP address for syslog packets, regardless of the interface where the packets
actually exit the router.
Use the logging source-interface command in global configuration mode to set the source
interface as shown in the figure.
Step 5 Enable logging: Make sure that the router logging process is enabled using the logging on
command in global configuration mode as shown in the figure.
[Figure: syslog configuration example for router R3. Label: User 16.2.3.3]
This figure contains an example of configuring syslog for router R3 using the commands
previously described.
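The logging trap level from Step 2 above and the three-part message format from the previous topic, as an added example that is not part of the course: a parser for Cisco IOS syslog lines (time stamp, FACILITY-SEVERITY-MNEMONIC name, message text) and a filter that keeps what a router configured with a given trap level would forward. The first SAMPLE_LOG line is the %SSH-5-ENABLED message from the SSH figure; the other lines are constructed.

```python
"""Parse Cisco IOS syslog lines into the three parts described in the course
(time stamp, message name with severity, message text) and apply a
"logging trap" style severity filter.  Added example, not course material; the
first sample line is taken from the SSH figure, the others are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS severity names; the lower the number, the more severe the message
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

LINE_RE = re.compile(
    r"^(?:\d+:\s+)?"                      # optional sequence number
    r"(?:(?P<ts>[^%]+?):\s+)?"            # optional time stamp (service timestamps)
    r"%(?P<name>[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+):\s*"  # FACILITY-SEVERITY-MNEMONIC
    r"(?P<text>.*)$")

@dataclass
class SyslogMessage:
    timestamp: Optional[str]   # None when the router sends no time stamp
    name: str                  # e.g. SSH-5-ENABLED
    severity: int
    text: str

def parse_line(line: str) -> Optional[SyslogMessage]:
    """Return the message parts, or None for a line that is not a router log message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(m["ts"], m["name"], int(m["sev"]), m["text"])

def severity_name(level: int) -> str:
    return SEVERITY[level]

def filter_messages(lines: List[str], trap_level: int = 6) -> List[SyslogMessage]:
    """Keep the messages a router would forward with 'logging trap <trap_level>':
    those at that severity or more severe (numerically <= trap_level; default 6)."""
    out = []
    for line in lines:
        msg = parse_line(line)
        if msg and msg.severity <= trap_level:
            out.append(msg)
    return out

SAMPLE_LOG = [
    "Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled",
    "Sept 22 13:21:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (16.2.3.3)",
    "Sept 22 13:21:30: %SEC-6-IPACCESSLOGP: list 126 denied tcp 10.1.1.7(4321) -> 16.2.1.5(23), 1 packet",
    "Sept 22 13:22:10: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "Sept 22 13:22:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "000123: Sept 22 13:22:30: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]
```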
SNMP Version 3
This topic describes the security features of SNMPv3.
[Figure: managed nodes, each running an SNMP Agent]
SNMP was developed to manage nodes (servers, workstations, routers, switches, hubs and
security appliances) on an IP network. All versions of SNMP are application layer protocols
that facilitate the exchange of management information between network devices. SNMP is
part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP
enables network administrators to manage network performance, find and solve network
problems, and plan for network growth.
SNMP versions 1 and 2 are based on three concepts: managers, agents, and the management
information base (MIB). In any configuration, at least one manager node runs SNMP
management software. Network devices that need to be managed, such as bridges, routers,
servers, and workstations, are equipped with an agent software module. The agent is
responsible for providing access to a local MIB of objects that reflects the resources and
activity at its node.
The SNMP manager can retrieve (get) information from the agent, or change (set) information
in the agent. Sets can change variables (settings, configuration) in the agent device or initiate
actions in devices. A reply to a set indicates the new setting in the device. For example, a set
can cause a router to reboot, or to send or receive a configuration file.
The get and set actions are what open SNMP to attack.
SNMPv1 and v2 use a community string to access router SNMP agents. SNMP community
strings act like passwords. An SNMP community string is a text string used to authenticate
messages between a management station and an SNMP engine.
If the manager sends one of the correct read-only (RO) community strings, it can get
information but not set information in an agent.
If the manager uses one of the correct read-write (RW) community strings, it can get or set
information in the agent.
SNMP agents accept commands and requests only from SNMP systems using the correct
community string. By default, most SNMP systems use a community string of public. If you
configure your router SNMP agent to use this commonly known community string, anyone
with an SNMP system is able to read the router MIB. Because router MIB variables can point
to things like routing tables and other security-critical parts of the router configuration, it is
extremely important that you create your own custom SNMP community strings.
SNMP Security Models and Levels
Definitions:
Security model: a security strategy used by the SNMP agent
Security level: the permitted level of security within a security model

Model  Level         Authentication    What Happens
v1     noAuthNoPriv  Community string  Authenticates with a community string match
v2c    noAuthNoPriv  Community string  Authenticates with a community string match
v3     noAuthNoPriv  Username          Authenticates with a user name
v3     authNoPriv    MD5 or SHA        Provides HMAC-MD5 or HMAC-SHA algorithms for authentication
v3     authPriv      MD5 or SHA        Provides HMAC-MD5 or HMAC-SHA algorithms for authentication;
                                       provides DES 56-bit encryption in addition to authentication,
                                       based on the CBC-DES (DES-56) standard
© 2005 Cisco Systems, Inc. All rights reserved. SND v1.02-18
A combination of a security model and a security level determines which security
mechanism is employed when handling an SNMP packet:
A security model is an authentication strategy that is set up for a user and the group in
which the user resides. Currently, Cisco IOS software supports three security models:
SNMPv1, SNMPv2c, and SNMPv3.
A security level is the permitted level of security within a security model. The security
level is a type of security algorithm performed on each SNMP packet. The three levels are
noauth, auth, and priv. The noauth level authenticates a packet by a string match of the user
name. The auth level authenticates a packet by using either the Hashed Message
Authentication Code with MD5 (HMAC-MD5, RFC 2104) or the HMAC-SHA algorithm. The priv
level authenticates a packet by using either the HMAC-MD5 or HMAC-SHA algorithm and
encrypts the packet using the Cipher Block Chaining Data Encryption Standard (CBC-DES,
DES-56) algorithm.
SNMP Version 3 (SNMPv3) adds security and remote configuration capabilities to the previous
versions. SNMPv3 provides three security-model and security-level options. The SNMP
Security Models and Levels table identifies what the combinations of security models and
levels mean.
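As an added illustration of what the auth level actually computes (this is example code written for this edit, not part of the course or of Cisco IOS), the following Python follows RFC 3414: the user's password is expanded and hashed into a key, that key is localized with the authoritative engine's engineID (the value the snmp-server engineID command described later in this lesson sets), and a 12-byte HMAC-MD5-96 or HMAC-SHA-96 tag is computed over each message. The password is the one RFC 3414 uses in its published test vectors, so the localized key can be compared against Appendix A.3 of that RFC; the engineIDs and message bytes are constructed sample values, and a real USM message hashes the whole packet with its msgAuthenticationParameters field zeroed.

```python
"""SNMPv3 USM authentication keys as specified in RFC 3414: a password is
expanded and hashed into a user key, localized with the authoritative
engine's engineID, and used for HMAC-MD5-96 or HMAC-SHA-96 message tags.

Added example, not code from the course or from Cisco IOS. The password,
engineIDs and message bytes below are constructed sample values."""
import hashlib
import hmac

PASSWORD_EXPANSION = 1048576   # RFC 3414 A.2: password repeated to 1 MiB
TAG_LENGTH = 12                # HMAC-96: the first 12 bytes of the HMAC


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Return the localized authentication key for this password and engine.

    algo is "md5" (the table's MD5) or "sha1" (the table's SHA)."""
    if not password:
        raise ValueError("password must not be empty")
    reps = PASSWORD_EXPANSION // len(password) + 1
    expanded = (password * reps)[:PASSWORD_EXPANSION]
    ku = hashlib.new(algo, expanded).digest()               # engine-independent key Ku
    return hashlib.new(algo, ku + engine_id + ku).digest()   # localized key Kul


def auth_tag(key: bytes, message: bytes, algo: str = "md5") -> bytes:
    """Compute the HMAC-96 tag the sender places in msgAuthenticationParameters.

    In a real message the HMAC covers the whole packet with that field zeroed."""
    return hmac.new(key, message, algo).digest()[:TAG_LENGTH]


def verify(key: bytes, message: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Constant-time check of a received tag; tampering or a wrong key fails."""
    return hmac.compare_digest(auth_tag(key, message, algo), tag)


def demo() -> dict:
    """Localize one password for two engines and check a tag against tampering."""
    password = b"maplesyrup"                                   # RFC 3414 test-vector password
    engine_r1 = bytes.fromhex("800000090300001122334455")      # constructed engineIDs
    engine_r2 = bytes.fromhex("8000000903000011223344aa")
    k1 = password_to_key(password, engine_r1)
    k2 = password_to_key(password, engine_r2)
    message = b"<constructed SNMPv3 message, authParameters zeroed>"
    tag = auth_tag(k1, message)
    return {
        "keys_differ": k1 != k2,                       # same password, different engines
        "valid": verify(k1, message, tag),
        "tampered": verify(k1, message + b"!", tag),
        "wrong_engine": verify(k2, message, tag),      # key localized for the other router
    }


if __name__ == "__main__":
    print(demo())
```

Because the localized key depends on the engineID, the same password yields a different key on every router, and a key recovered from one engine cannot be used against another. The same dependency is why a router's engineID should be set before its SNMPv3 users are created: changing it afterwards invalidates the keys derived for those users, and they must be reconfigured.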
SNMPv3 Architecture
[Figure: SNMPv3 messages between the NMS and the managed nodes may be encrypted (DES encryption) to ensure privacy.]
SNMPv3, the current version, addresses the vulnerabilities of earlier versions by including
three important services: authentication, privacy, and access control.
[Figure: an SNMP entity on a managed node, consisting of an SNMP agent, SNMP applications, and the MIB.]
The concepts of separate SNMP Agents and SNMP Managers do not apply in SNMPv3. These
concepts have been combined into single SNMP entities. An SNMP entity consists of an SNMP
engine and SNMP applications. SNMP applications refer to internal applications within an
SNMP entity. These internal applications can generate SNMP messages, respond to received
SNMP messages, generate notifications, receive notifications, and forward messages between
SNMP entities.
Each managed node and the network management station (NMS) is a single entity. The
applications in each entity are as follows:
Managed Node SNMP Entities: The managed node SNMP entity includes an SNMP
agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed
node to provide information to the NMS and accept instructions from it. The MIB defines
the information that can be collected and used to control the managed node. Information
exchanged using SNMP takes the form of objects from the MIB.
Network Management Station SNMP Entities: The SNMP entity on a network
management station includes an SNMP manager and SNMP applications. The manager
implements the SNMP protocol and collects information from managed nodes and sends
instructions to them. The SNMP applications are software applications used by the network
administrator to manage the network.
SNMPv3 Features and Benefits
Features:
Message integrity: Ensures that a packet has not been tampered
with in-transit
Authentication: Determines that the message is from a valid
source
Encryption: Scrambles the contents of a packet to prevent it
from being seen by an unauthorized source
Benefits:
Data can be collected securely from SNMP devices without fear
of the data being tampered with or corrupted.
Confidential information, for example, SNMP Set command
packets that change a router configuration, can be encrypted to
prevent its contents from being exposed on the network.
The figure summarizes the features and benefits of SNMPv3. It is strongly recommended that
all network management use SNMPv3 over previous versions.
The figure lists the four configuration tasks that will be explained in this topic.
Configuring the SNMP-Server EngineID
Router(config)# snmp-server engineID {local engineid-string | remote ip-address [udp-port port] engineid-string}
To configure a name for either the local or remote SNMP engine on the router, use the snmp-
server engineID global configuration command. Use the no form of this command to remove a
specified SNMP group.
Parameter   Purpose
ip-address  (Optional) The IP address of the device that contains the remote copy of SNMP
port        (Optional) The socket number on the remote device that contains the remote copy of SNMP. The default is 161.
To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the
snmp-server group global configuration command. To remove a specified SNMP group, use
the no form of this command.
The first example shows how to define a group Johngroup using the User Security Model (USM)
v3 with authentication but not privacy (encryption).
The second example shows how to define a group Bobgroup using USM v3 with both
authentication and privacy (encryption).
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
Parameter    Purpose
v2c          (Optional) The second least secure of the possible security models. It allows for the transmission of informs and counter64, which allows for integers twice the width of what is normally allowed.
read         (Optional) The option that allows you to specify a read view
readview     (Optional) A string (not to exceed 64 characters) that is the name of the view that enables you only to view the contents of the agent
write        (Optional) The option that allows you to specify a write view
writeview    (Optional) A string (not to exceed 64 characters) that is the name of the view that enables you to enter data and configure the contents of the agent
notify       (Optional) The option that allows you to specify a notify view
notifyview   (Optional) A string (not to exceed 64 characters) that is the name of the view that enables you to specify a notify, inform, or trap
access       (Optional) The option that enables you to specify an access list
access-list  (Optional) A string (not to exceed 64 characters) that is the name of the access list
To add a new user to an SNMP group, use the snmp-server user global configuration
command. To remove a user from an SNMP group, use the no form of the command.
The example shows how to define a user John, belonging to the group johngroup.
Authentication uses the password john2passwd, and no privacy (no encryption) is applied.
Then a user Bill, belonging to the group billgroup, is defined using the password
bill3passwd, and privacy (encryption) is applied.
snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
Parameter      Purpose
username       The name of the user on the host that connects to the agent
groupname      (Optional) The name of the group to which the user is associated
ip-address     (Optional) The IP address of the device that contains the remote copy of SNMP
port           (Optional) A UDP port number that the host uses. The default is 162.
v2c            (Optional) The second least secure of the possible security models. It allows for the transmission of informs and counter64, which allows for integers twice the width of what is normally allowed.
encrypted      (Optional) Specifies whether the password appears in encrypted format (a series of digits, masking the true characters of the string)
auth-password  (Optional) A string (not to exceed 64 characters) that enables the agent to receive packets from the host
priv           (Optional) The option that initiates a privacy authentication level setting session
priv-password  (Optional) A string (not to exceed 64 characters) that enables the host to encrypt the contents of the message that it sends to the agent
access         (Optional) The option that enables you to specify an access list
access-list    (Optional) A string (not to exceed 64 characters) that is the name of the access list
There are several more snmp-server commands available to you that are described in the Cisco
IOS Software Command Reference at Cisco.com.
To configure the recipient of an SNMP trap operation, use the snmp-server host global
configuration command. To remove the specified host, use the no form of this command.
Parameter          Purpose
host               The address of the recipient for which the traps are targeted
traps              (Optional) Specifies that the type of notification being sent should be a trap
informs            (Optional) Specifies that the type of notification being sent should be an inform
2c                 (Optional) The second least secure of the possible security models. It allows for the transmission of informs and counter64, which allows for integers twice the width of what is normally allowed.
community-string   A string that is used as the name of the community and acts as a password by controlling access to the SNMP community. This string can be set using the snmp-server host command, but it is recommended that you set the string using the snmp-server community command before using the snmp-server host command.
port               (Optional) A UDP port number that the host uses. The default is 162.
notification-type  (Optional) The type of trap to be sent to the host. If no type is specified, all traps are sent. For a full list, refer to the SNMPv3 Configuration Guide. Some of the types of traps are as follows:
                   bgp: Sends Border Gateway Protocol (BGP) state change traps.
                   snmp: Sends Simple Network Management Protocol (SNMP) traps defined in RFC 1157.
                   syslog: Sends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.
Summary
Lesson Self Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) What are some of the considerations when planning how to implement logging on a
network? (Source: Secure Management and Reporting Planning Considerations)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q2) Besides being able to securely manage devices on a network, what other security
concern should a network administrator have with respect to attacks or network failure?
(Source: Secure Management and Reporting Planning Considerations)
______________________________________________________________________
Q3) Label the following descriptions as either out-of-band or in-band. (Source: Secure
Management and Reporting Planning Considerations)
A) Information flows across the enterprise production network or the Internet (or
both). __________
B) Information flows within a network on which no production traffic resides.
__________
C) This type of management is recommended for devices in large enterprise
networks. __________
D) This type of management is recommended for devices in smaller networks
Q4) Label the following guidelines as applicable to in-band management, to out-of-band
management, or to both. (Source: Secure Management and Reporting Architecture)
A) IBM use IPSec when possible. __________
B) OOB provides the highest level of security and mitigates the risk of passing
insecure management protocols over the production network.
__________
C) Both keep clocks on hosts and network devices synchronized. __________
D) IBM use SSH or SSL instead of Telnet. __________
E) Both record changes and archive configurations. __________
Q5) What two types of systems are parts of a syslog implementation? (Source: Using
Syslog Logging for Network Security)
Lesson Self-Check Answer Key
Q1) The following questions should be considered when planning to implement logging on a network:
Which logs are most important?
How do you ensure that logs are not tampered with in transit?
How do you ensure your time stamps match each other when multiple devices report the same
alarm?
How do you deal with the volume of messages that can be generated by a large network?
Q2) Besides figuring out how to securely manage many devices in many locations, a network administrator
must also be able to track changes on devices to troubleshoot when attacks or network failures occur.
Q4) A- in-band management, B- out-of-band management, C- both in-band management and out-of-band
management, D- in-band management, E- both in-band and out-of-band management
Objectives
Upon completing this lesson, you will be able to explain how Layer 2 attacks can be mitigated.
This ability includes being able to meet these objectives:
Explain how basic switch operation opens networks to attack at Layer 2
Describe the basic steps in securing network access at Layer 2
Describe how to configure passwords to protect administrative access to switches
Describe how to protect the access to the management port on a switch
Explain why unused network interfaces and services should be disabled
Describe how an attacker can flood a switch
Describe how an attacker launches a MAC spoofing attack
Describe port security as a key step in defending networks from Layer 2 attacks
Describe how to configure port security on a Cisco Catalyst switch
Basic Switch Operation
This topic explains how basic switch operation opens networks to attack at Layer 2.
[Figure: the protocol stacks of Host A and Host B (Application, Presentation, Session, ..., Data Link, Physical), with the application stream at the top, MAC addresses at the data link layer, and the physical links at the bottom.]
Unlike hubs, switches are able to regulate the flow of data between their ports by creating
instant networks that contain only the two end devices communicating with each other at that
moment in time. When data frames are sent by end systems, their source and destination
addresses are not changed throughout the switched domain. Switches maintain content-
addressable memory (CAM) lookup tables to track the source addresses located on the switch
ports. These lookup tables are populated by an address-learning process on the switch. If the
destination address of a frame is not known, or if the frame received by the switch is destined
for a broadcast or multicast address, the switch forwards the frame out all ports. With their
ability to isolate traffic and create instant networks, switches can be used to divide a physical
network into multiple logical or virtual LANs (VLANs), through the use of Layer 2 traffic
segmentation.
The Domino Effect
If one layer is hacked, communications are compromised without the other
layers being aware of the problem.
Security is only as strong as your weakest link.
When it comes to networking, Layer 2 can be a very weak link.
[Figure: the same Host A and Host B protocol stacks, from the application stream down to the physical links.]
What is significant about Layer 2? As the data link layer in the OSI Model, it is one of seven
layers designed to work together but with autonomy. Layer 2 sits above the physical layer, but
below the network and transport layers. Layer 2 independence enables interoperability and
interconnectivity. However, from a security perspective, Layer 2 independence creates a
challenge because a compromise at one layer is not always known by the other layers. If the
initial attack comes in at Layer 2, the rest of the network can be compromised in an instant.
Network security is only as strong as your weakest link, and that may well be the data link
layer.
The first steps in defending against Layer 2 attacks are to ensure that you configure every
switch in the network with basic security in mind. In this lesson, the first four of these steps
will be presented.
Protecting Administrative Access to Switches
This topic describes how to configure passwords to protect administrative access to switches.
By default, Cisco IOS switches have two levels of access: User (Level 1) and Privileged (Level
15). The User level is typically accessed via Telnet or SSH connections to a switch or via the
console line on the switch. The Privileged level is typically accessed after the User level is
established.
Each level is usually configured with a password. Specific vulnerabilities associated with these
passwords include the following:
By default, a Cisco switch shows the passwords in plaintext for the following settings in the
configuration file: the enable password, the username password, the console line and the
virtual terminal lines. If an attacker collects the configuration file for the switch from the
network using a network analyzer, these passwords can then be used to access this system.
If the enable secret command is not used to set the enable password or the password on a
Cisco switch is weak, an attacker may be able to obtain privileged level access to retrieve or
to change information on the switch. Also, setting the same password for the enable
secret passwords on multiple switches provides a single point of failure because one
compromised switch endangers other switches.
Using the same password for both the enable secret and other settings on a switch allows
for potential compromise because the password for certain settings (for example, telnet)
may be in plaintext and can be collected on a network using a network analyzer. The
attacker who can collect passwords going to a switch may be able to gain privileged level
access at a later time.
Switch(config)# enable password
Using strong passwords is one of the first steps in defending switch configurations.
Unfortunately, user passwords in Cisco IOS configuration files are encrypted using a scheme
that is very weak by modern cryptographic standards. For that reason, the enable password
command should no longer be used.
Use the enable secret command for better security. The only instance in which the enable
password command might be tested is when the device is running in a boot mode that does not
support the enable secret command.
Configure an enable secret password on each Cisco switch.
Password Guidelines
Passwords:
Should be at least eight characters long.
Do not use real words.
Mix letters, numbers and special characters.
Do not use a number for the first character of the password.
Administrators should:
Change passwords every 90 days.
Make sure the enable secret password is unique for each
switch.
Do not use enable secret passwords for anything else on the
switch.
Every switch has a management port called the console line (line con 0) that provides direct
administrative access to the switch. If the management port on the switch has settings that are
too permissive, the switch is susceptible to attacks. The management port is a source of
vulnerability as follows:
A switch with a management port using a default user account allows an attacker to attempt
to make connections using one or more of the well-known default user accounts (for
example, administrator, root, security). To mitigate this threat, set up a unique account for
each administrator for access to the console line. Varying privilege levels from 0 to 15 can
be set on each administrator account. Privilege level 0 is the lowest level on Cisco switches
and allows a very small set of commands.
Bad passwords pose multiple vulnerabilities:
A missing or weak password allows an attacker to guess or crack the password and
then retrieve or change information on the switch.
Using the same password for the management port on multiple switches provides a
single point of network failure. The attacker who compromises one switch can then
compromise other switches.
Using the same password for the management port and other settings on a switch
allows for potential compromise. For example, the password for certain settings (for
example, telnet), may be in plaintext. These passwords can be collected on a network
using a network analyzer. The attacker who collects telnet passwords from network
traffic going to a switch may be able to access the switch management port at a later
time.
If the connections to a management port on a switch do not have a timeout period set, or
have a large timeout period (greater than 9 minutes), then the connections are more
exposed to hijacking by an attacker.
A banner gives notice to anyone who connects to a switch that it is for authorized use only
and any use of the network will be monitored. Courts have dismissed cases against those
who have attacked systems without banners. Having no banner on a switch may lead to
legal or liability problems.
In terms of network design, use out-of-band management. This approach separates management
traffic from operational traffic, preserving operational bandwidth.
Less is more.
Switches and routers can have a number of network services enabled. Many of these services
are typically not necessary for normal operation. Many services are enabled by default. Others
are sometimes left enabled when they are no longer necessary. Leaving unused network
services enabled increases the possibility of those services being maliciously exploited and
susceptible to information gathering or to network attacks.
The figure shows some basic considerations. Turning off or restricting access to these
services greatly improves network security:
Remember that connections to many of the services on a switch are not encrypted, so an
attacker may be able to collect network traffic related to these services using a network
analyzer. The traffic may contain usernames, passwords or other configuration information
related to the switch.
Just like the management port, any other network service using a default user account,
allows an attacker to attempt to make connections using one or more of the well-known
default user accounts.
It should be self-evident that a network service set with no password, using a default
password or a weak password, presents a vulnerability. Setting the same password for the
network service on multiple switches provides a single point of failure. The attacker who
compromises one switch can compromise other switches.
Broad access that allows all systems or a large number of systems to connect to a network
service on a switch makes the switch vulnerable to attack.
As with the management port, all services should have a timeout to reduce hijack attempts.
Shutting Down Interfaces
The figure shows examples of very basic uses of the port security command. The next few
examples will show more robust configuration scripts.
Secured ports restrict a port to a user-defined group of stations. When you assign secure
addresses to a secure port, the switch does not forward any packets with source addresses
outside the defined group of addresses. If you define the address table of a secure port to
contain only one address, the workstation or server attached to that port is guaranteed the full
bandwidth. As part of securing the port, you can also define the size of the address table for the
port.
[Figure: Host A sends a frame to Host B (A->B). B is unknown, so the switch floods the frame, and MAC C receives a copy.]
The Content Addressable Memory (CAM) table in a switch contains the MAC addresses
available on a given physical port of a switch and the associated VLAN parameters for each.
When a Layer 2 switch receives a frame, the switch looks in the CAM table for the destination
MAC address. If an entry exists for the MAC address in the CAM table, the switch forwards
the frame to the MAC address port designated in the CAM table. If the MAC address does not
exist in the CAM table, the switch acts like a hub and forwards the frame out every port on the
switch.
CAM table overflow attacks are sometimes referred to as MAC flooding attacks. To understand
the mechanism of a CAM table overflow attack, recall the basic operation of a switch.
In the figure, Host A sends traffic to Host B. The switch receives the frames and looks up the
destination MAC address in its CAM table. If the switch cannot find the destination MAC in
the CAM table, it then copies the frame and broadcasts it out every switch port.
[Figure: CAM learns MAC B is on Port 2. Host C drops the packet addressed to B.]
Host B receives the frame and sends a reply to Host A. The switch then learns that the MAC
address for Host B is located on Port 2 and writes that information into the CAM table.
Host C also receives the frame from Host A to Host B, but since the destination MAC address
of that frame is Host B, Host C drops that frame.
[Figure: MAC A on Port 1, MAC B on Port 2, MAC C on Port 3. The CAM has learned B is on Port 2, so MAC C does not see traffic to MAC B anymore.]
Now, any frame sent by Host A (or any other host) to Host B is forwarded to Port 2 of the
switch and not broadcast out every port.
The key to understanding how CAM overflow attacks work is to know that CAM tables are
limited in size. MAC flooding makes use of this limitation to bombard the switch with fake
source MAC addresses until the switch CAM table is full. The switch then enters what is
known as fail-open mode, starts acting as a hub, and broadcasts packets to all the machines
on the network. The attacker can now see all the frames sent from a victim host to another host
without a CAM table entry.
Intruder Launches macof
[Figure: the intruder runs macof on MAC C (Port 3). macof sends frames with unknown, bogus source MAC addresses (X, Y, ...); each is recorded as being on Port 3 and the CAM table is updated with the bogus addresses.]
An attacker can use the normal operating characteristics of the switch to stop the switch in its
tracks.
MAC flooding can be performed using macof, a utility that comes with the dsniff suite.
Dsniff is a collection of tools for network auditing and penetration testing. A network intruder
can use the macof tool to flood the switch with a large number of invalid-source MAC
addresses until the CAM table fills up. When the CAM table is full, the switch floods all ports
with incoming traffic because it cannot find the port number for a particular MAC address in
the CAM table. The switch, in essence, acts like a hub.
Dsniff (macof) can generate 155,000 MAC entries on a switch per minute. Assuming a perfect
hash function, the CAM table will be completely filled after 131,052 (approx. 16,000 x 8)
entries. Depending on the switch, the maximum CAM table size will vary.
In the example shown in the figure, the macof program is running on the host with MAC
address C in the bottom right. This tool floods a switch with packets containing randomly
generated source and destination MAC and IP addresses. Over a short period of time the CAM
table in the switch fills up until it cannot accept new entries. When the CAM table fills up with
these invalid-source MAC addresses, the switch begins to forward all frames it receives to
every port.
[Figure: with the CAM table full, MAC B is unknown, so the switch floods the frame looking for MAC B and MAC C receives it.]
As long as macof is left running, the CAM table on the switch will remain full. When this
happens the switch begins to broadcast all received packets out every port so that packets sent
from Host A to Host B are also broadcast out of Port 3 on the switch.
You will learn how to mitigate this threat later in this lesson.
MAC Address Spoofing Attacks
This topic explains how an attacker can spoof a MAC address to attack a network.
[Figure: MAC spoofing in four panels. Hosts A and B on ports 1 and 2, Host C on port 3; after a frame carrying source MAC (A) arrives from port 2, frames with DEST MAC: A are delivered to port 2 instead of port 1.]
In a MAC spoofing attack, the network attacker uses a known MAC address to attempt to make
the targeted switch forward frames destined for the remote host to the network attacker. By
sending a single frame with the source Ethernet address of another host, the network attacker
overwrites the CAM table entry so that the switch forwards packets destined for the host to the
network attacker. From then on, the host being spoofed does not receive any traffic until it
sends traffic to again reset the CAM table entry to point back to the original port.
This figure shows how MAC spoofing works:
Top left illustration on the figure: Under a normal operating environment, the switch has
learned that Host A is on Port 1, Host B is on Port 2, and Host C is on Port 3. The CAM
table reflects this situation.
Top right illustration on the figure: When under attack the network attacker causes Host B
to send a packet identifying itself using the IP address of Host B but the MAC address of
Host A.
Bottom left illustration on the figure: The switch now moves the location of Host A in its
CAM table from Port 1 to Port 2. Traffic from Host C destined to Host A is now visible to
Host B and is therefore compromised.
Bottom right illustration on the figure: To correct this situation, Host A must send out
traffic on the switch port for the switch to relearn the location of the Host A MAC address.
However, until that happens, the door is open to intruders.
You will learn how to mitigate this threat later in this lesson.
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port
when the MAC address of the station attempting to access the port is different from any of the
MAC addresses specified for that port. Alternatively, you can use port security to filter traffic
destined to or received from a specific host based on the host MAC address.
By limiting the number of valid MAC addresses allowed on a port, the port security feature is
an effective mitigation against CAM table overflow and MAC address spoofing attacks. The
specifics of how to configure port security to mitigate these attacks are presented later in this
lesson.
Port Security Fundamentals
A switch that does not provide port security allows an attacker to attach a system to an unused,
enabled port and to perform information gathering or attacks. A switch can be configured to act
like a hub, which means that every system connected to the switch can potentially view all
network traffic passing through the switch to all systems connected to the switch. Thus, an
attacker could collect traffic that contains usernames, passwords or configuration information
about the systems on the network.
Port security limits the number of valid Media Access Control (MAC) addresses allowed on a
port. All switch ports or interfaces should be secured before the switch is deployed. In this way
the security features are set or removed as required instead of adding and strengthening features
randomly or as the result of a security incident. Note that port security cannot be used for
dynamic access ports or destination ports for the Switched Port Analyzer. However, use port
security for active ports on the switch as much as possible.
You can use the port security feature to restrict input to an interface by limiting and identifying
MAC addresses of the end devices that are allowed to access the port. When you assign secure
MAC addresses to a secure port, the port does not forward packets with source addresses
outside the group of defined addresses. If you limit the number of secure MAC addresses to one
and assign a single secure MAC address to that port, the workstation attached to that port is
assured the full bandwidth of the port and only that workstation with that particular secure
MAC address can successfully connect to that switch port.
If a port is configured as a secure port, the maximum number of secure MAC addresses has
been reached, and the MAC address of a workstation attempting to access the port differs from
all of the identified secure MAC addresses, a security violation occurs.
After you have set the maximum number of secure MAC addresses on a port, the secure
addresses are included in an address table in one of these ways:
You can configure all secure MAC addresses by using the switchport port-security mac-address mac-address interface configuration command when using a Cisco IOS Catalyst switch.
You can configure the interface for one of these violation modes, based on the action taken if a
violation occurs:
Protect: When the number of secure MAC addresses reaches the limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number
of secure MAC addresses or increase the number of maximum allowable addresses. You
are not notified that a security violation has occurred.
Restrict: When the number of secure MAC addresses reaches the limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number
of secure MAC addresses or increase the number of maximum allowable addresses. In this
mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is
sent, a syslog message is logged, and the violation counter increments.
Shutdown: In this mode, a port security violation causes the interface to immediately
become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a
syslog message, and increments the violation counter. When a secure port is in the error-
disabled state, you can bring it out of this state by entering the errdisable recovery cause
psecure-violation global configuration command, or you can manually re-enable it by
entering the shutdown and no shutdown interface configuration commands. Shutdown is
the default mode.
Using Port Security to Mitigate Attacks
Port security can:
  block input to a port from unauthorized MAC addresses
  filter traffic to or from a specific host based on the host MAC address
Port security mitigates CAM table overflow and MAC address spoofing attacks.
The Security Violation Mode Actions table provides a summary of these modes.

Security Violation Mode Actions

Violation Mode   Traffic is   Sends SNMP   Sends Syslog   Displays Error   Violation Counter   Shuts Down
                 Forwarded    Trap         Message        Message          Increments          Port
Protect          No           No           No             No               No                  No
Restrict         No           Yes          Yes            No               Yes                 No
Shutdown         No           Yes          Yes            No               Yes                 Yes
Port Security Configuration
Ports can be configured with the following types of secure MAC addresses:
Static secure MAC addresses: These addresses are manually configured by using the
switchport port-security mac-address mac-address interface configuration command,
stored in the address table, and added to the switch running configuration.
Dynamic secure MAC addresses: These addresses are dynamically configured, stored
only in the address table, and removed when the switch restarts.
Sticky secure MAC addresses: These addresses are dynamically configured, stored in the
address table, and added to the running configuration. The sticky secure MAC addresses do
not automatically become part of the configuration file, which is the startup configuration
used each time the switch restarts. If you save the sticky secure MAC addresses in the
configuration file, when the switch restarts, the interface does not need to relearn these
addresses. If you do not save the configuration, they are lost.
The figure shows the default port security values on a Cisco Catalyst switch. The next topic
shows you how to change these values to take full advantage of the port security feature.
Configuring Cisco Catalyst Switch Port Security
This topic describes how to configure port security on a Cisco Catalyst switch.
The graphic lists the tasks required to configure port security on a Cisco Catalyst switch. The
Enabling Port Security with Cisco IOS Software Commands table provides a description of
the steps and commands required.
Setting the Maximum Number of Devices on a Port
A secure port can have from 1 to 132 associated secure addresses. After you have set the
maximum number of secure MAC addresses on a port, the secure addresses are included in an
address table in one of these ways:
You can configure all secure MAC addresses by using the switchport port-security mac-
address mac-address interface configuration command.
You can allow the port to dynamically configure secure MAC addresses with the MAC
addresses of connected devices.
You can configure a number of addresses and allow the rest to be dynamically configured.
Once the maximum number of secure MAC addresses is configured, they are stored in an
address table. To ensure that an attached device has the full bandwidth of the port, configure
the MAC address of the attached device and set the maximum number of addresses to one,
which is the default.
By limiting the number of devices that can connect to a secure port, you can provide dedicated
bandwidth to selected users. For example, if the size of the address table is set to one, the
attached device is guaranteed the full bandwidth of the port. As added security, once the
maximum number of devices has been set, unknown devices cannot connect to the port.
MAC addresses are gathered dynamically, with some switches supporting static entries and
sticky entries. Static entries are manually entered for each port (for example, switchport port-
security mac-address mac-address) and saved in the running configuration. Sticky entries are
similar to static entries except that they are dynamically learned. Existing dynamic entries are
converted to sticky entries when the switchport port-security mac-address sticky command
is issued for a port. These former dynamic entries are entered into the running configuration
using the command switchport port-security mac-address sticky mac-address. If the running
configuration is then saved to the startup configuration, these MAC addresses do not need
to be relearned on restart. The maximum number of MAC addresses for the port can also be
set (for example, with the command switchport port-security maximum value).
This figure shows how to enable port security on Fast Ethernet port 1 and to set the maximum
number of secure addresses to 50. The violation mode is the default, no static secure MAC
addresses are configured, and sticky learning is enabled.
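The configuration just described, written out for a Cisco IOS Catalyst switch, as an added example that is not the course's own figure; the interface names, VLAN 10 and the MAC address 0011.2233.4455 are assumptions (constructed values). It also shows the errdisable recovery and single-workstation variants discussed earlier in this lesson.

```cisco
! Added example, not the course's own figure: port security on a Cisco IOS
! Catalyst switch. Interface names, VLAN 10 and the MAC address 0011.2233.4455
! are assumptions (constructed values).
!
! Shutdown is the default violation mode; let an error-disabled port recover
! on its own after 300 seconds instead of requiring shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Port 1: up to 50 devices, default (shutdown) violation mode, sticky learning.
! Port security is rejected on dynamic ports, so the mode is set to access first.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
!
! Port 2: a single-workstation port with one static secure address. Restrict mode
! keeps the port up on a violation but still sends a trap, logs and counts it.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
!
! Sticky addresses live only in the running configuration until it is saved:
! copy running-config startup-config
!
! Verification:
! show port-security interface FastEthernet0/1
! show port-security address
```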
Verify the Configuration
Network Attack Mitigation
Summary
Layer 2 vulnerabilities often escape attention because any security
structure is only as strong as its weakest link.
Five basic steps can mitigate Layer 2 attacks.
Use passwords to protect administrative access to switches.
Protect the management port by assigning unique accounts, strong
passwords, timeouts, banners and by using out-of-band
management.
Turn off unused network services and interfaces.
Limiting the number of valid MAC addresses allowed on a port
provides many benefits.
Configure port security with Cisco IOS software or Cisco Catalyst
switch commands.
Mitigate CAM table overflow attacks with Cisco IOS software or Cisco
Catalyst switch commands.
Configuring port security can prevent MAC address spoofing
attacks.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Match each of the following commands with the type of attack that the command will
mitigate by putting the letter of the command in the space provided beside each type of
attack. (Source: Mitigating CAM Table Overflow Attacks, Mitigating MAC Spoofing
Attacks)
A) arp timeout
B) set port security
_____ 1. CAM table overflow
_____ 2. Media Access Control (MAC) Address spoofing
Q2) Explain the role of the CAM table in switch security. (Source: Mitigating CAM Table
Overflow Attacks)
Q3) What does the port security command provide? (Source: Mitigating MAC Address
Spoofing Attacks)
Lesson 9
Objectives
Upon completing this lesson, you will be able to explain how to mitigate attacks against
network topologies and protocols. This ability includes being able to meet these objectives:
Explain how to configure VLANs to mitigate VLAN hopping attacks
Explain how to prevent Spanning-Tree Protocol manipulation
Explain how to mitigate ARP spoofing with Dynamic ARP Inspection (DAI)
Explain how to configure ACLs on the router to mitigate a private VLAN proxy attack
Explain how specific best practices mitigate attacks on specific areas of Layer 2
hardware and software components
Mitigating VLAN Hopping Attacks
Along with MAC flooding attacks, virtual local area network (VLAN) hopping attacks are the
most problematic. This topic explains how to configure VLANs to mitigate VLAN hopping
attacks.
Figure: basic VLAN hopping, showing a rogue device and two trunk ports.
The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except
the ones that specifically require trunking.
VLAN Hopping by Double Tagging
Figure: the attacker (VLAN 10) sends an 802.1q double-tagged frame across a trunk whose native VLAN is 10 to the victim (VLAN 20).
Note: This attack works only if the trunk has the same native VLAN as the attacker.
The attacker sends double encapsulated 802.1Q frames.
The switch performs only one level of decapsulation.
Only unidirectional traffic is passed.
It works even if the trunk ports are set to off.
Note: There is no way to execute these attacks unless the switch is misconfigured.
The double tagging (or double encapsulated) VLAN hopping attack takes advantage of the way
the hardware on most switches operates. Most switches perform only one level of IEEE 802.1Q
decapsulation and allow an attacker, in specific situations, to embed a hidden .1Q tag inside the
frame, which allows the frame to go to a VLAN that the outer .1Q tag did not specify. An
important characteristic of the double encapsulated VLAN hopping attack is that it works even
if trunk ports are set to OFF.
The attack works as follows:
Step 1 The attacker sends a double-tagged 802.1q frame to the switch. The outer header has
the VLAN tag of the attacker and the native VLAN of the trunk port. (For the
purposes of this attack, assume VLAN 10.) The inner tag is the victim VLAN,
VLAN 20.
Step 2 The frame arrives on the switch, which looks at the first 4-byte 802.1q tag. The
switch sees that the frame is destined for VLAN 10 and sends it out on all VLAN 10
ports (including the trunk) since there is no CAM table entry. Remember that, at this
point, the second VLAN tag is still intact and was never inspected by the first
switch.
Step 3 The frame arrives at the second switch but has no knowledge that it was supposed to
be for VLAN 10. (Remember, native VLAN traffic is not tagged by the sending
switch as specified in the 802.1q spec.)
Step 4 The second switch looks at only the 802.1q tag (the former inner tag that the attacker
sent) and sees that the frame is destined for VLAN 20 (the victim VLAN). The
second switch sends the packet on to the victim port or floods it, depending on
whether there is an existing CAM table entry for the victim host.
The figure illustrates the attack. It is important to note that this attack is only unidirectional and
works only when the attacker and trunk port have the same native VLAN. Thwarting this type
of attack is not as easy as stopping basic VLAN hopping attacks. The best approach is to make
sure that the native VLAN of the trunk ports is different than the native VLAN of the user
ports.
To prevent a VLAN hopping attack that uses double 802.1q encapsulation, the switch must look
further into the packet to determine whether more than one VLAN tag is attached to a given
frame. Unfortunately, the application-specific integrated circuits (ASICs) that are used by most
switches are only hardware optimized to look for one tag and then to switch the frame. The
issue of performance versus security requires administrators to balance their requirements
carefully.
Mitigating VLAN hopping attacks using double 802.1q encapsulation requires several
modifications to the VLAN configuration. One of the more important elements is to use
dedicated native VLAN for all trunk ports. This attack is easy to stop if you follow the best
practice that native VLANs for trunk ports should never be used anywhere else on the switch.
Also, disable all unused switch ports and place them in an unused VLAN.
Set all user ports to nontrunking mode by explicitly turning off Dynamic Trunking Protocol
(DTP) on those ports; this mitigates VLAN hopping attacks that use switch spoofing.
Use the set trunk command to configure trunk ports and to add VLANs to the allowed VLAN
list for existing trunks. The example shown in the figure shows how to set Port 2 on Module 1
as a trunk port. The full command syntax is as follows:
set trunk mod/port {on | off | desirable | auto | nonegotiate} [vlans]
[isl | dot1q | negotiate]
Use the set port arp-inspection command to set Address Resolution Protocol (ARP)
inspection thresholds on a per-port basis. If the number of packets exceeds the drop-threshold
rate, the excess packets are dropped. The excess packets are still counted toward the shutdown-
threshold rate. If the number of packets exceeds the shutdown-threshold rate, the port is shut
down. The full command syntax is as follows:
set port arp-inspection mod/port drop-threshold rate shutdown-threshold rate
The example in the figure shows how to set the drop-threshold to 500 and the shutdown-
threshold to 1000 for port 2/1.
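The mitigations listed above (DTP off on user ports, unused ports parked and shut down, a dedicated native VLAN on trunks), written out in Cisco IOS syntax rather than the CatOS set trunk form shown in the figure; this is an added example, not the course's own, and the VLAN numbers and interface names are assumptions.

```cisco
! Added example, not from the course: double-tagging and switch-spoofing
! mitigations in Cisco IOS syntax. VLAN numbers and interface names are
! assumptions.
!
! User ports: fixed access mode with DTP off, so a host cannot negotiate a
! trunk (switch spoofing). VLAN 10 is a user VLAN and nothing else.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Unused ports: parked in an unused VLAN and shut down.
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink: explicit 802.1Q trunk, DTP off, and a dedicated native VLAN (888)
! that no access port uses. A double-tagged frame from a VLAN 10 host then
! never matches the native VLAN, so its outer tag is not stripped here.
! (switchport trunk encapsulation dot1q is only needed on platforms that
! also support ISL.)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 888
 switchport trunk allowed vlan 10,20
!
! Where the platform supports it, tag the native VLAN too, so that no
! untagged frames cross the trunk at all:
vlan dot1q tag native
!
! Verification:
! show interfaces trunk
! show interfaces GigabitEthernet0/1 switchport
```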
Preventing Spanning-Tree Protocol Manipulation
This topic explains how to prevent STP manipulation.
STP Attack
Figure: a redundant switched topology with a root bridge, showing the port states on each link. F = Forwarding port, B = Blocking port.
Another attack against switches involves intercepting traffic by attacking the STP.
STP maintains a loop-free topology in a redundant Layer 2 infrastructure by identifying one
switch as a root bridge and blocking other redundant data paths. Upon bootup the switches
begin a process of determining a loop-free topology. The switches identify one switch as a root
bridge and block all other redundant data paths.
STP sends messages using Bridge Protocol Data Units (BPDUs) describing the configuration,
topology change notification (TCN) and topology change acknowledgment (TCA).
By attacking the STP, the network attacker hopes to spoof the attacked system by acting as the
root bridge in the topology. The attacker broadcasts STP configuration or topology change
BPDUs in an attempt to force spanning-tree recalculations.
The BPDUs sent out by the attacker system announce that the attacking system has a lower
bridge priority which causes the attacker system to be elected as the root bridge. If successful,
the attacker PC receives the user frames as each frame flows through the attacker PC posing as
the root bridge.
The figure illustrates how a network attacker can use STP to change the topology of a network
so that it appears that the attacker host is a root bridge. By transmitting spoofed STP BPDU
packets, the attacker causes the switches to initiate STP recalculations that result in all traffic
between the two switches flowing through the attacker PC.
Mitigating STP Attacks with bpdu-guard and guard root
To mitigate STP manipulation, use the guard root command and the Cisco IOS bpduguard
command or the Cisco Catalyst switch bpdu-guard enhancement command to enforce the
placement of the root bridge in the network and to enforce the STP domain borders.
The root guard feature is designed to provide a way to enforce the root-bridge placement in the
network. Root guard must be enabled on all ports where the root bridge should not appear. If
the bridge receives superior STP BPDUs on a root guard enabled port, this port is moved to a
root-inconsistent STP state (effectively equal to listening state), and no traffic is forwarded
across this port.
The STP BPDU guard is designed to allow network designers to keep the active network
topology predictable. BPDU guard can be globally enabled and will disable any portfast port
that receives a BPDU message. Because these portfast ports are end user ports, there should be
no reason for BPDU messages to be sent to them. While a BPDU guard may seem unnecessary
since the administrator can set the bridge priority to zero, there is still no guarantee that it will
be elected as the root bridge. There may still be a bridge with priority zero and a lower bridge
ID. BPDU guard is best deployed towards user-facing ports to prevent rogue switch network
extensions by an attacker.
BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the
port upon BPDU reception if portfast is enabled on the port. This effectively denies devices
behind such ports to participate in STP. The port that is put into an error disable state requires
manual intervention to be re-enabled or error disable-timeout needs to be configured.
Root guard allows the device to participate in STP as long as the device does not try to become
the root. If root guard blocks the port, subsequent recovery is automatic, as soon as the
offending device stops sending superior BPDUs.
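Root guard and BPDU guard as described above, in Cisco IOS syntax, as an added example that is not the course's own configuration; interface names and the VLAN range are assumptions.

```cisco
! Added example, not from the course: BPDU guard on user-facing ports and
! root guard toward downstream switches. Interface names and the VLAN range
! are assumptions.
!
! Every PortFast port gets BPDU guard; a port error-disabled by a BPDU
! recovers after 300 seconds once the offending device has gone quiet.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! User-facing ports: PortFast (so the global default applies) plus the
! explicit per-port form, which also works on ports that lose PortFast later.
interface range FastEthernet0/1 - 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Links toward downstream switches: they may take part in STP, but a superior
! BPDU puts this port into root-inconsistent state instead of moving the root.
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree guard root
!
! On the intended root bridge: lowest possible priority. As the text notes,
! this alone is no guarantee, which is why root guard stays on the edge.
spanning-tree vlan 1-100 priority 0
!
! Verification:
! show spanning-tree inconsistentports
! show spanning-tree summary
```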
Figure: Host HA (IA, MA) and Host HB (IB, MB) are connected to router interfaces A and B; the attacker's host is connected to interface C.
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous
reply from a host even if an ARP request was not received. After the attack, all traffic from the
device under attack flows through the attacker computer and then to the router, switch, or host.
An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2
network by poisoning the ARP caches of systems connected to the subnet and by intercepting
traffic intended for other hosts on the subnet. The figure shows an example of ARP cache
poisoning.
Hosts A, B, and C are connected to the router on interfaces A, B and C, all of which are on the
same subnet. Their IP and MAC addresses are shown in parentheses. In this example, Host A
uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at
the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB.
When the router and Host B receive the ARP request, they populate their ARP caches with an
ARP binding for a host with the IP address IA and a MAC address MA; for example, IP
address IA is bound to MAC address MA. When Host B responds, the router and Host A
populate their ARP caches with a binding for a host with the IP address IB and the MAC
address MB.
Host C can poison the ARP caches of the router, Host A, and Host B by broadcasting forged
ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of
MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC
address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because
Host C knows the true MAC addresses associated with IA and IB, it can forward the
intercepted traffic to those hosts by using the correct MAC address as the destination. Host C
has inserted itself into the traffic stream from Host A to Host B, which is the topology of the
classic man-in-the-middle attack.
Mitigating Man-in-the-Middle Attacks with DAI
Figure: MAC or IP tracking built on DHCP Snooping, with the gateway at 10.1.1.1. DAI function: track DHCP Discover, track the DHCP Offer MAC or IP, track subsequent ARPs for that MAC or IP.
The DAI feature of Cisco Catalyst switches stops ARP spoofing man-in-the-middle attacks.
Like DHCP Snooping, DAI uses the concept of trusted and untrusted ports to decide which
ARP packets need to be inspected. To do this, DAI intercepts all ARP packets and examines
them for proper MAC-to-IP bindings. This is done by using the DHCP binding table that was
built by enabling DHCP Snooping. If an ARP packet arrives on a trusted port, then no
examination is made. If it arrives on an untrusted port, the ARP is examined and compared
against the table. If gARPs or IP-to-MAC addresses change, the port can be locked down. As
well, ARP ACLs can be written for non-DHCP MAC or IP addresses to protect those devices.
In the figure, a user has an IP address of 10.1.1.2 and is connected to a gateway with IP
10.1.1.1. An intruder residing on an untrusted port sends a gARP in an attempt to reset IP-to-
MAC bindings so all traffic from 10.1.1.2 to the 10.1.1.1 default gateway goes to the attacker.
DAI examines the ARP packet and compares its information with the information in the switch
DHCP binding table. If there is no match, the ARP packet is dropped and the port is locked.
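DHCP snooping plus DAI for the scenario above, as an added example that is not the course's own configuration; the VLAN number, interface names and the static binding for the 10.1.1.1 gateway (MAC 0000.0c07.ac01 is a constructed value) are assumptions.

```cisco
! Added example, not from the course: DHCP snooping builds the binding table,
! DAI checks ARP on untrusted ports against it. VLAN number, interface names
! and the gateway MAC 0000.0c07.ac01 are assumptions (constructed values).
!
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Also check that the Ethernet source/destination MACs and the IP addresses
! inside the ARP body are sane, not only the IP-to-MAC binding.
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server and the 10.1.1.1 gateway: trusted for both
! features, so ARP packets arriving here are not inspected.
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports (10.1.1.2 lives here): untrusted, which is the default. A gARP
! from an intruder whose IP/MAC pair is not in the binding table is dropped;
! the rate limit error-disables a port that floods ARP.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! The gateway is statically addressed and so has no DHCP binding; an ARP ACL
! supplies its legitimate IP-to-MAC pairing (non-DHCP devices, as the text says).
arp access-list GATEWAY-STATIC
 permit ip host 10.1.1.1 mac host 0000.0c07.ac01
ip arp inspection filter GATEWAY-STATIC vlan 10
!
! Let a port locked by the ARP rate limit recover on its own.
errdisable recovery cause arp-inspection
!
! Verification:
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```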
Defending Private VLANs
This topic explains how to configure ACLs on the router to mitigate a private VLAN proxy
attack.
Figure: a private VLAN topology with a promiscuous port and Host 3 (Admin).
PVLANs allow you to segregate traffic at Layer 2 and turn a broadcast segment into a non-
broadcast multi-access-like segment. PVLANs provide Layer 2 isolation between ports within
the same broadcast domain.
There are three types of PVLAN ports:
Promiscuous: A promiscuous port can communicate with all interfaces, including the
isolated and community ports within a PVLAN.
Isolated: An isolated port has complete Layer 2 separation from the other ports within the
same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated
ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to
promiscuous ports.
Community: Community ports communicate among themselves and with their
promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in
other communities or isolated ports within their PVLAN.
The figure represents the private VLANs as different pipes that connect routers and hosts. The
pipe that bundles all the others is the primary VLAN blue, and the traffic on VLAN blue flows
from the routers to the hosts. The pipes internal to the primary VLAN are the secondary
VLANs marked in yellow and red. Traffic traveling on those pipes flows only from the hosts
towards the router.
In this topology, the promiscuous port can forward both primary and secondary VLANs.
Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that
belong to the same primary VLAN. Traffic that comes to a switch from a port mapped to a
secondary VLAN (an isolated or a community VLAN) can be forwarded to a promiscuous port
Private VLAN Proxy Attack
Figure: the attacker (Mac:A IP:1) on an isolated port, the router (Mac:C IP:3) on the promiscuous port, and the victim (Mac:B IP:2) on an isolated port; a frame sent directly from attacker to victim is dropped by the PVLAN.
While private VLANs are a common mechanism used to restrict communications between
systems on the same logical IP subnet (same VLAN), they are not a fail proof mechanism.
Private VLANs work by limiting the following ports within a VLAN that can communicate
with other ports in the same VLAN:
Isolated ports within a VLAN can communicate only with promiscuous ports.
Community ports can communicate only with other members of the same community and
promiscuous ports.
Promiscuous ports can communicate with any port.
One network attack capable of bypassing the network security of private VLANs involves the
use of a proxy to bypass access restrictions to a private VLAN.
Figure: the router (Mac:C IP:3) forwards the frame as S:A1 D:B2 to the victim (Mac:B IP:2); the intended PVLAN security is bypassed.
Private VLANs are subject to a proxy attack in which frames are forwarded to a host on the
network connected to a promiscuous port such as a router. In this figure, the network attacker
sends a packet with the source-IP and MAC address of their device, a destination IP address of
the target system, but a destination MAC address of the router. The switch forwards the frame
to the router switch port.
The router routes the traffic, rewrites the destination MAC address as that of the target, and
sends the packet back out. Now the packet has the proper format, as shown, and is forwarded to
the target system (Mac B, IP 2). This network attack allows only for unidirectional traffic,
because any attempt by the target to send traffic back is blocked by the private VLAN
configuration. If both hosts are compromised, static ARP entries that show that the victim
machines are reachable by the router MAC address could be used to allow bidirectional traffic.
This scenario is not a private VLAN vulnerability because all the rules of private VLANs were
enforced. However, the network security was bypassed.
Network Attack Mitigation
Configure ACLs on the router port to mitigate private VLAN attacks. Configure an inbound
ACL on the router to stop all traffic from the local subnet to the same local subnet.
VACLs can also be used to help mitigate the effects of private VLAN attacks.
The figure provides an example of using ACLs on the router port. In this case, a server-farm
segment is 172.16.34.0/24. Configuring the ACLs on the default gateway as shown would
mitigate the private VLAN proxy attack.
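The inbound ACL on the default gateway for the 172.16.34.0/24 server-farm segment, as an added example rather than the course's own figure; the interface name and the gateway address 172.16.34.1 are assumptions. It also adds an explicit permit for traffic addressed to the gateway itself, so that the same-subnet deny does not cut off management of the router.

```cisco
! Added example, not from the course: router ACL against the PVLAN proxy
! attack on the 172.16.34.0/24 segment. Interface name and the gateway
! address 172.16.34.1 are assumptions.
!
! Hosts on one subnet reach each other at Layer 2 and never need the router
! to forward a packet back onto the same subnet. Such a packet arriving
! inbound is a proxy attempt around the PVLAN, so it is dropped and logged.
ip access-list extended PVLAN-PROXY-GUARD
 remark hosts may still talk to the gateway itself (ping, management)
 permit ip 172.16.34.0 0.0.0.255 host 172.16.34.1
 remark drop same-subnet traffic that is being bounced off the router
 deny   ip 172.16.34.0 0.0.0.255 172.16.34.0 0.0.0.255 log
 remark everything else leaving the segment is routed normally;
 remark packets with a source outside the segment hit the implicit deny
 permit ip 172.16.34.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description Default gateway for the 172.16.34.0/24 server farm
 ip address 172.16.34.1 255.255.255.0
 ip access-group PVLAN-PROXY-GUARD in
!
! Verification: hit counters on the deny line show proxy attempts.
! show access-lists PVLAN-PROXY-GUARD
```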
The figure summarizes Layer 2 security best practices that have been described and explained
in the last two lessons. You should be able to explain how each of these suggestions will
mitigate attacks on specific areas of Layer 2 hardware and software components.
Summary
This topic summarizes the key points discussed in this lesson.
Summary
Q3) What is the effect of using the root guard and bpdu-guard enhancement commands?
(Source: Preventing Spanning-Tree Protocol Manipulation)
Lesson Self-Check Answer Key
Q1) A-2, B-1, C-3
Q2) Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the
more important elements is to use dedicated native VLAN for all trunk ports. Also, disable all unused
switch ports and place them in an unused VLAN. Set all user ports to nontrunking mode by explicitly
turning off DTP on those ports.
Q3) The root guard and the bpdu-guard enhancement commands enforce the placement of the root bridge in
the network and enforce the Spanning-Tree Protocol domain borders.
Embedded Security Features in Cisco Catalyst Switches
This topic shows how the security features embedded in Cisco Catalyst switches map to the
authentication, authorization, and accounting (AAA) requirements of a network.
LAN security is important. Research by the FBI and Computer Security Institute (CSI)
indicates that up to 60% of attacks are initiated on LANs as opposed to WANs. Clearly, a
balanced focus on the LAN portion of any security plan is required to provide an added layer of
protection. The Cisco Catalyst switch portfolio supports secure connectivity, perimeter security,
intrusion protection, identity services and security management as key elements in the SAFE
Blueprint.
LAN security problems can be solved by using features that support AAA.
Scalable Network Security
Authentication:
- Identity-based network services
Authorization:
- Access control lists
- Port security
- Private VLAN edge
- Rate limiting
- SPAN for IPS
Accounting:
- Management encryption
Cisco Catalyst switches offer integrated security solutions for networks of every size, without
compromising performance or complicating management. Embedded security matches each
AAA component.
Using 802.1x with Cisco enhancements, Identity-Based Network Services (IBNS), allows you to limit
access to network resources based on the logon identity. User privileges remain the same, no matter
how or where someone logs onto the network. IBNS is the most sophisticated type of security feature
and it is recommended for organizations that have mobile users logging on using various devices
from different ports.
Identity-Based Network Services (Cont.)
[Figure: IBNS topology. The switch relays the logon to a TACACS+ or RADIUS server; an invalid username or invalid password produces a "No" answer and the port stays blocked.]
The figure shows the topology and process for IBNS. IBNS works as follows:
1. Each user logging onto the network must type in a name and password. The switch does not
yet permit the user onto the network; it only relays the identity and password to an
authentication server.
2. The Terminal Access Controller Access Control System Plus (TACACS+) or Remote
Authentication Dial-In User Service (RADIUS) server looks up the name and password to
determine their validity. The server also makes a note of which port and MAC address the
person is using to log on.
3. If the name and password are correct, the authentication server sends a message to the
switch to allow the person to proceed with the login process.
4. If the name and password are not correct, the server sends a message to the switch to keep
that port blocked. The port stays blocked until a correct name and password have been
received.
The communications from the client to the switch use Extensible Authentication Protocol over
LAN (EAPOL) and the communications from the switch to the AAA server use RADIUS. In
practice, 802.1x on Cisco IOS switches requires RADIUS, because the EAP messages are relayed
inside RADIUS attributes; TACACS+ is used for device administration, not for 802.1x.
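The exchange described above as it is configured on a Cisco IOS access switch, as an added example that is not part of the course material. The RADIUS server address, the shared secret, the VLAN number and the interface are assumptions:

```ios
! Added example, not from the course. Server address, shared secret,
! VLAN and interface are assumed.
aaa new-model
! 802.1x authentication goes to RADIUS: the switch relays the client's
! EAP messages to the server inside RADIUS EAP-Message attributes.
aaa authentication dot1x default group radius
radius-server host 10.1.1.50 auth-port 1812 acct-port 1813 key Sh4r3d-S3cret
! Enable 802.1x on the switch, then on each user port.
dot1x system-auth-control
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 ! auto: the port starts unauthorized and forwards only EAPOL until the
 ! RADIUS server returns Access-Accept; an Access-Reject keeps it blocked
 dot1x port-control auto
!
! Verification:
! show dot1x interface FastEthernet0/3   (PortStatus AUTHORIZED/UNAUTHORIZED)
```

Until the server answers, the only frames the switch accepts from the port are EAPOL; if the RADIUS server is unreachable the port simply stays unauthorized, so test reachability to the server from the switch before enabling dot1x on user ports in bulk.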
Access control lists (ACL) allow you to specify what parts of the network can be used by
whom. For example, within a school campus network, an ACL can be used so all students can
have network access only to the homework servers, teachers can have access to the servers with
the homework and the grades, and the principal can have access to all of the previous servers
plus the server with the payroll information.
ACLs can be applied to routed interfaces on Layer 3 capable Catalyst switches (router ACLs), to
VLANs (VLAN ACLs) and to Layer 2 ports (port ACLs), and their entries can be restricted to a
time of day (time-based ACLs).
Routed ACL
Router ACLs (RACLs) control routed traffic between virtual LANs (VLANs) and are applied to
Layer 3 interfaces. You can apply one router ACL in each direction on an interface. RACLs
can be applied on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs, on
physical Layer 3 interfaces, and on Layer 3 EtherChannel interfaces.
VLAN ACLs (VACLs), also known as VLAN maps, filter all traffic that is bridged within a VLAN
or routed into or out of it, so they can restrict users within a VLAN or subnet to using only those
resources available within their immediate networking domain. VACLs are available on the Cisco
Catalyst 3550 and 3750 series switches and on the Catalyst 6500/6000 series running Cisco
Catalyst switch software version 5.3 or later. VACLs are configured at Layer 2 without the need
for a router (on the Catalyst 6500/6000 a Policy Feature Card (PFC) is required). VACLs are
enforced at wire speed, so there is no performance penalty in configuring them: because the
lookup is performed in hardware, the forwarding rate remains unchanged regardless of the size
of the access list.
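The difference between the two ACL types in a configuration, as an added example (not course material, Catalyst 3550 syntax). The addresses, VLAN number and ACL names are assumed; the point is that the router ACL on the SVI never sees traffic between two hosts of the same VLAN, while the VLAN map does:

```ios
! Added example, not from the course. Addresses, VLAN numbers and names
! are assumed. Students live in VLAN 20 (10.1.20.0/24, gateway 10.1.20.1).
!
! --- Router ACL: filters only traffic that is routed through the SVI ---
ip access-list extended STUDENTS-IN
 permit tcp 10.1.20.0 0.0.0.255 host 10.1.10.5 eq www
 deny   ip  10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip  10.1.20.0 0.0.0.255 any
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group STUDENTS-IN in
!
! --- VLAN ACL: also sees traffic bridged inside VLAN 20 ---
! Student-to-student traffic never reaches the SVI, so the RACL cannot
! stop it. The VLAN map drops it, but first lets hosts reach the gateway,
! which sits inside the same /24 and would otherwise be dropped too.
ip access-list extended TO-OR-FROM-GATEWAY
 permit ip any host 10.1.20.1
 permit ip host 10.1.20.1 any
ip access-list extended INTRA-VLAN
 permit ip 10.1.20.0 0.0.0.255 10.1.20.0 0.0.0.255
!
vlan access-map STUDENT-MAP 10
 match ip address TO-OR-FROM-GATEWAY
 action forward
vlan access-map STUDENT-MAP 20
 match ip address INTRA-VLAN
 action drop
! a clause with no match statement matches everything else
vlan access-map STUDENT-MAP 30
 action forward
!
vlan filter STUDENT-MAP vlan-list 20
!
! show vlan access-map STUDENT-MAP
! show vlan filter
```

Two caveats: a VLAN map with no final forward clause drops every packet that matches nothing, and an IP ACL in a VLAN map does not match ARP or other non-IP frames, so hosts can still resolve each other's MAC addresses; add a mac access-list match if that matters. When isolation is only needed between ports of one switch, the protected-port feature described later is the simpler tool.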
Time-Based ACLs
[Figure: during the scheduled period it is OK to use Server 1 and Server 3 and not OK to use Server 2 and Server 4.]
Time-based access control lists are very useful in organizations such as schools where
groups of people come and go on a schedule. Time-based access control list entries can be
activated before the students arrive and deactivated after they leave. This way, teachers can use
the same equipment, but access different resources. The Configuring Time-Based ACLs table
describes the commands used to configure a time-based ACL.
Configuring Time-Based ACLs
Step 2: absolute [start time date] [end time date]
        and/or
        periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
        In time-range configuration mode, these commands specify when the time range (and
        therefore the ACL entries that reference it) is active.
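The school scenario above written out as a time-based ACL, as an added example that is not part of the course. The range names, addresses, server roles and hours are assumptions; both the periodic and the absolute form of the command are shown:

```ios
! Added example, not from the course. Names, addresses and hours are
! assumed. Students are in VLAN 20 (10.1.20.0/24); the homework server is
! 10.1.10.5 and the grade server 10.1.10.6.
!
! name the time range (this enters time-range configuration mode)
time-range SCHOOL-HOURS
 ! periodic = recurring window
 periodic weekdays 08:00 to 15:30
!
time-range EXAM-WEEK
 ! absolute = one-off window (time, then day month year)
 absolute start 08:00 13 June 2005 end 17:00 17 June 2005
!
! reference the ranges from the ACL entries that should follow the
! schedule; entries without a time-range are always active
ip access-list extended STUDENT-VLAN
 permit tcp 10.1.20.0 0.0.0.255 host 10.1.10.5 eq www time-range SCHOOL-HOURS
 deny   ip  10.1.20.0 0.0.0.255 host 10.1.10.6
 deny   ip  10.1.20.0 0.0.0.255 any time-range EXAM-WEEK
 permit ip  10.1.20.0 0.0.0.255 any
!
interface Vlan20
 ip access-group STUDENT-VLAN in
!
! A time-based ACL is only as good as the switch clock: set the time
! zone and an NTP source, or the entries switch on at the wrong hours.
clock timezone PST -8
clock summer-time PDT recurring
ntp server 10.1.1.10
!
! show time-range     (reports "active" or "inactive" for each range)
! show clock
```

Outside exam week the EXAM-WEEK deny entry is inactive and is skipped, so the final permit applies; during exam week the homework server stays reachable in school hours because its permit entry precedes the deny.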
Port-based ACLs allow you to control traffic between ports by applying ACLs to Layer 2 ports on
a switch. The ACL checks users or data streams between source and destination addresses for
specific ports. For example, in January 2003 a worm called Slammer attacked UDP port 1434
(Microsoft-SQL-Monitor) on SQL servers and replicated itself to all other reachable SQL servers.
The worm came from port 1434 and went to port 1434. A port ACL on the access port stops a
host's traffic to this port as it enters the switch, so an infected host cannot propagate; rate
limiting (discussed later) could instead throttle it to a smaller, less damaging rate.
Port-based ACLs are applied on interfaces for inbound traffic only. These access lists are
supported on Layer 2 interfaces with:
- Standard IP access lists using source addresses
- Extended IP access lists using source and destination addresses and optional protocol type
information
- MAC extended access lists using source and destination MAC addresses and optional
protocol type information
As with router ACLs, the switch examines ACLs associated with features configured on a
given interface and permits or denies packet forwarding based on how the packet matches the
entries in the ACL. Because a port ACL is applied only in the inbound direction, traffic that is
"outbound" from the host's point of view is filtered as it arrives on the host's access port.
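The Slammer case above as a port ACL, as an added example that is not part of the course. The interface and VLAN are assumed; note that the ACL carries no log keyword, since logging is not supported on Layer 2 interfaces:

```ios
! Added example, not from the course. Interface and VLAN are assumed.
! Slammer spread on UDP 1434, so only that port is blocked; the host's
! other traffic (including normal TCP 1433 SQL client sessions) is untouched.
ip access-list extended NO-SLAMMER
 deny   udp any any eq 1434
 permit ip  any any
!
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 20
 ! port ACLs are inbound only: frames the host sends arrive here, so
 ! this is where "outbound from the host" is enforced
 ip access-group NO-SLAMMER in
!
! show access-lists NO-SLAMMER
! show running-config interface FastEthernet0/7
```

Because the port ACL is evaluated in hardware on the access port, an infected host is contained at its own port and its probes never reach the VLAN, let alone the router; the same ACL applied as a router ACL on the SVI would only protect other subnets.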
Notification of Intrusions
ACL logging: tracks ACL violations that occur in a network; the user MAC address can be
obtained to assist in tracking the user location.
MAC address notification: alerts network administrators if unauthorized users come onto the
network.
[Figure: an unauthorized user connects; the network administrator receives the alert "Unauthorized User Identified".]
Network managers need a way to monitor who is using the network and where they are.
Media Access Control (MAC) address notification allows the network administrator to monitor
the MAC addresses that are learned by the switch and the MAC addresses that are aged-out and
removed from the content-addressable memory (CAM) in the switch.
ACL logging enables an informational logging message about the packet that matches the ACL
entry to be sent to the console (or to a syslog server). Logging is not supported for ACLs applied
to Layer 2 interfaces.
Port Security
What port security does: limits the number of MAC addresses that are able to connect to a
switch port and ensures that only approved MAC addresses are able to access the switch.
Benefit: ensures that only approved users can log onto the network. Otherwise, any unauthorized
user with physical access can log into the network.
[Figure: a station with an invalid MAC address is blocked at the port.]
Recall that by using the Port Security feature, network managers can authorize selected MAC
addresses to use specified ports on a switch. This prevents unauthorized persons from logging
onto the network. Port security blocks input to an Ethernet, Fast Ethernet, or Gigabit Ethernet
port when the MAC address of the station attempting to access the port is different from any of
the MAC addresses specified for that port. An aging feature removes MAC addresses from the
switch after a specified time frame to allow other devices to connect to that port.
After you specify the maximum number of MAC addresses on a port, you can specify the
secure MAC addresses for the port manually or you can have the port learn the MAC addresses
of the connected devices dynamically. Of the allocated maximum, you can configure all
manually, allow all to be learned, or configure some manually and allow the rest to be learned.
Manually configured addresses (and, on Cisco IOS, addresses learned with the sticky option)
are stored in the configuration and are maintained after a reset once the configuration is saved
to nonvolatile RAM (NVRAM); plain dynamically learned addresses are lost on reload.
After you allocate a maximum number of MAC addresses on a port, you can specify an age
time during which addresses on the specified port remain secure. After the age time expires, the
MAC addresses on the port become insecure. By default, all addresses on a port are secured
permanently.
In the event of a security violation, you can configure the port to go into shutdown mode or
restrictive mode. The shutdown mode is further configurable by specifying whether the port
will be permanently disabled or disabled for only a specified time. The default behavior during
a security violation is for the port to shut down permanently (on Cisco IOS the port is placed in
the error-disabled state until an administrator clears it or error-disable recovery is configured).
The restrictive mode allows you to configure the port to remain enabled during a security
violation and drop only packets that are coming in from insecure hosts.
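The options described above on one access port, as an added example that is not part of the course. The interface, VLAN, the static MAC address and the timers are assumptions:

```ios
! Added example, not from the course. Interface, VLAN, MAC address and
! timers are assumed.
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 20
 switchport port-security
 ! at most two stations: a printer configured statically plus one learned
 switchport port-security maximum 2
 switchport port-security mac-address 0012.3456.789a
 ! sticky copies learned addresses into the running configuration so
 ! they survive a reload once the configuration is saved
 switchport port-security mac-address sticky
 ! restrict = port stays up, offending frames are dropped and counted
 ! (the default, shutdown, error-disables the whole port)
 switchport port-security violation restrict
 ! age out dynamically learned addresses after 10 minutes of silence so
 ! a different user can plug into the port later
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! if shutdown mode is used elsewhere, recover error-disabled ports
! automatically after 5 minutes instead of waiting for an administrator
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! show port-security interface FastEthernet0/10   (mode, counters, last MAC)
! show port-security address                      (the secure address table)
```

Restrict mode is the right choice on ports where a violation should not take a legitimate device down with it; shutdown mode is the right choice where any unknown device is an incident, because the error-disabled state is visible to monitoring and cannot be missed.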
Private VLAN
This topic describes the function and benefit of the Private VLAN feature embedded in Cisco
Catalyst switches.
How private VLANs work: a common subnet is subdivided into multiple private VLANs. Hosts on
a given private VLAN can communicate only with the default gateway, not with other hosts on
the network.
Benefit: a simplified mechanism of traffic management while conserving IP address space.
[Figure: a primary VLAN containing community VLANs A and B and an isolated VLAN; the community ports and isolated ports are marked with an x where they cannot communicate.]
Recall that private VLANs work by limiting which ports within a VLAN can communicate
with other ports in the same VLAN. Typically, private VLANs are deployed so that the hosts
on a given segment can communicate only with their default gateway and not the other hosts on
the network. For instance, if a Web server is compromised by Blaster, the server is not able to
initiate infection attempts to other devices in the same VLAN even though they exist in the
same network segment. This access control, carried out by assigning hosts to either an isolated
port or a community port, is an effective way to mitigate the effects of a single compromised
host. Isolated ports can communicate only with promiscuous ports (typically the router).
Community ports can communicate with the promiscuous port and other ports in the same
community.
Benefit: ensures privacy for users on the same switch and the same VLAN.
The Private VLAN (PVLAN) Edge (protected port) feature is available on selected Cisco
Catalyst 2900 Series, Catalyst 3500 Series, and Catalyst 3700 Series switches. Briefly stated,
the PVLAN Edge feature can prevent the forwarding of traffic between ports on the same
switch. The PVLAN Edge feature differs in a number of ways from the Private VLAN feature,
but most significantly, the PVLAN Edge feature only has local significance to the switch itself,
as opposed to other devices in the network.
If there is a concern that neighbors on a switch might eavesdrop on the neighboring traffic, the
network manager can implement the PVLAN Edge feature to isolate each user port from the
others at Layer 2 while leaving them all in the same VLAN. This way, individual user traffic is
kept private. This feature provides security and isolation between ports on a switch, and ensures
that traffic travels directly from its entry point on an access port to the uplink on the switch, and
cannot be redirected to another access port. Because no additional VLANs or subnets are needed,
this implementation reduces the overhead on the switch, allowing larger Layer 2 networks to be
built.
Because the PVLAN Edge feature only has local significance to the switch itself, there is no
isolation provided between two protected ports located on different switches. A protected port
does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a
protected port in the same switch. Traffic cannot be forwarded between protected ports at Layer
2; all traffic passing between protected ports must be forwarded through a Layer 3 device.
Configuring Protected Ports
[Figure: two switches, each with a default gateway on its uplink and a row of isolated ports that cannot reach one another (x).]
There are three types of PVLAN ports: promiscuous, isolated and community. These ports can
be defined across a number of switches in the network. The PVLAN Edge feature only allows a
port to be an isolated port or a promiscuous port. Isolated ports only communicate to the
promiscuous port(s) and have Layer 2 isolation from other isolated ports while promiscuous
ports communicate to all ports. Recall that the promiscuous port is a normal VLAN access port
with no forwarding restrictions imposed on it while the isolated port is a normal VLAN access
port with forwarding restrictions imposed on it. The PVLAN Edge feature has no community
port functionality to enable a group of ports to communicate among themselves and the
promiscuous port.
The Configuring Protected Ports table provides the steps and commands required to
configure protected ports.
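A protected-port configuration on a single access switch, as an added example that is not part of the course. The interface range, VLAN and uplink are assumptions:

```ios
! Added example, not from the course. Interfaces and VLAN are assumed.
! User ports: protected, so they exchange no frames with one another
! (unicast, multicast or broadcast) at Layer 2
interface range FastEthernet0/2 - 12
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Uplink towards the default gateway: left unprotected, so it plays the
! role of the promiscuous port that every protected port may talk to
interface GigabitEthernet0/1
 switchport mode trunk
!
! Verify that the port reports "Protected: true":
! show interfaces FastEthernet0/2 switchport
```

Two things to check after enabling it: the isolation is per switch, so two protected ports on different switches in the same VLAN still reach each other; and the router at the uplink will happily route a packet from one protected port back into the VLAN to another, so if that hairpin must be stopped as well, deny intra-subnet traffic with an ACL on the gateway's interface or SVI.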
Rate Limiting
What rate limiting does: allows network managers to set bandwidth thresholds per user and by
traffic type.
Benefits: prevents the deliberate or accidental flooding of the network and keeps traffic flowing
smoothly. Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
[Figure: rate limiting for different classes of users: network manager 50 Mbps, teachers 10 Mbps, students 2 Mbps.]
Rate limiting (also referred to as traffic policing) controls the amount of bandwidth that each
user is allocated. Rate limiting is similar to putting an upper speed limit on a car. Rate limiting
ensures that no user can flood the network with too much traffic. Rate limiting also allows
important applications and users to maintain a minimum network priority, which is useful when
voice, video and data are all deployed on a single network.
Rate limiting enables you to assign a bandwidth restriction to a category of traffic, such as
ICMP, User Datagram Protocol (UDP), or specific connection types, as a means of limiting the
damage from a denial of service (DoS) or a distributed denial of service (DDoS) attack while
you are still working out a solution.
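An ingress policer for a student port that caps ICMP separately from the rest of the user's traffic, as an added example that is not part of the course. The interface, rates, bursts and ACL numbers are assumptions; the syntax is that of the Catalyst 3550 policer:

```ios
! Added example, not from the course. Interface, rates and bursts are
! assumed; Catalyst 3550 syntax.
! Classification: ICMP (the usual flood vehicle) and everything else
access-list 110 permit icmp any any
access-list 111 permit ip any any
class-map match-all ICMP-TRAFFIC
 match access-group 110
class-map match-all ALL-IP
 match access-group 111
!
! Policing: ICMP is held to 256 kb/s (8000-byte burst) and the port as a
! whole to the 2 Mb/s student allowance; excess is dropped, not queued,
! so a flood from this port cannot swamp the uplink
policy-map STUDENT-PORT
 class ICMP-TRAFFIC
  police 256000 8000 exceed-action drop
 class ALL-IP
  police 2000000 16000 exceed-action drop
!
! QoS must be enabled globally before an ingress policer takes effect
mls qos
!
interface FastEthernet0/5
 service-policy input STUDENT-PORT
!
! show mls qos interface FastEthernet0/5 policers
```

Classes are evaluated in order, so ICMP is matched by the first class and never reaches the second; the ALL-IP class therefore caps the remaining traffic only. Policing drops packets rather than delaying them, which is what you want against a flood, but it also means TCP sessions from that port will back off as soon as the rate is exceeded.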
Switched Port Analyzer for Intrusion Prevention Systems
This topic describes the function and benefit of the Switched Port Analyzer (SPAN) for
intrusion prevention system (IPS) feature embedded in Cisco Catalyst switches.
An IPS is designed to monitor and track activity in a network. The Cisco Catalyst 3550 supports
SPAN enhancements that allow an IPS to take action if an intruder is detected.
SPAN is used to mirror traffic to another port where a probe or Cisco IPS sensor is connected.
When a Cisco IPS detects an intruder, the IPS can send out a TCP Reset that tears down the
intruder connection within the network, immediately removing the intruder from the network.
For example, if you connect a Cisco IPS sensor to a SPAN destination port, the IPS device can
send TCP Reset packets to close down the TCP session of a suspected attacker.
Additionally, the Catalyst 3550 Switch can complement this feature through features such as
MAC Address Notification. This feature sends an alert to a management station so that network
administrators know when and where users came onto the network and can take appropriate
actions. The DHCP Interface Tracker (Option 82) feature tracks where a user is physically
connected on a network by providing both switch and port identification to a DHCP server.
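The three features just described (SPAN to a sensor that must be able to send TCP resets, MAC address notification, and option 82 insertion) on one Catalyst switch, as an added example that is not part of the course. The interfaces, VLAN, SNMP receiver and community string are assumptions, and the ingress option on the SPAN destination requires a software release that supports it:

```ios
! Added example, not from the course. Interfaces, VLAN and the SNMP
! receiver are assumed.
!
! Mirror the server ports to the sensor on Fa0/24
monitor session 1 source interface FastEthernet0/1 - 8 both
! "ingress vlan 10" lets the sensor transmit into VLAN 10 through the
! same port, which is how its TCP resets reach the attacker and victim;
! a plain SPAN destination only transmits copies and drops what it
! receives from the sensor
monitor session 1 destination interface FastEthernet0/24 ingress vlan 10
!
! MAC address notification: trap when a MAC address is learned on or
! removed from a port, batched once a minute
mac address-table notification
mac address-table notification interval 60
snmp-server enable traps mac-notification
! SNMPv2c shown for brevity; prefer an SNMPv3 user with privacy, as in
! the Management Encryption topic
snmp-server host 10.1.1.20 version 2c N0tif-R0 mac-notification
interface range FastEthernet0/1 - 23
 snmp trap mac-notification added
 snmp trap mac-notification removed
!
! DHCP Interface Tracker: insert option 82 (switch and port identity)
! into DHCP requests from the user VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option
! the uplink towards the DHCP server must be trusted, or its offers
! are dropped and no client in VLAN 10 gets an address
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! show monitor session 1
! show mac address-table notification
! show ip dhcp snooping
```

Test the reset path before relying on it: with the sensor connected, confirm that a frame it sends on the SPAN destination port is actually forwarded into VLAN 10; if the release in use has no ingress option, give the sensor a second, ordinary access port in the VLAN for its resets.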
Management Encryption
Password and management traffic encryption is important if there are sophisticated users, who
may also be pranksters, on the network. The vulnerabilities of Simple Network Management
Protocol (SNMP) versions 1 and 2c, which send their community strings in clear text, can be
repeatedly exploited, for example to produce a DoS attack. SNMP version 3 (introduced in
Cisco IOS Software Release 12.0(3)T) allows management traffic to be authenticated and
encrypted and therefore mitigates these threats. Using the encryption features ensures that
management passwords and traffic cannot be read or reused by anyone who captures this
traffic.
While configuring SNMP is beyond the scope of this course, those familiar with SNMP
configuration can follow these steps, which set up four user groups, each with differing
privileges:
Step 6 Define a group, groupone, using User Security Model (USM) V3 and having read
access on the v1default view (the default).
Step 7 Define a group, grouptwo, using USM V3 and having read access on the view
myview.
Step 8 Define a group, groupthree, using USM V3, having read access on the v1default
view (the default), and applying authentication.
Step 9 Define a group, groupfour, using USM V3, having read access on the v1default
view (the default), and applying authentication and privacy.
Step 10 Define a view, myview, that provides read access on the MIB-II and denies read
access on the private Cisco MIB.
Step 11 The show running-config output gives additional lines for the group public,
because a read-only community string public has been defined.
Step 12 The show running-config output does not show userthree: Cisco IOS never
displays snmp-server user commands in the running configuration; use show snmp user
instead.
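The view, the four groups and one user per group from Steps 6 to 10, as an added example that is not part of the course. The user names other than userthree, the passwords and the management station address are assumptions; the community string of Step 11 is removed rather than kept:

```ios
! Added example, not from the course: the view and groups of Steps 6-10
! plus one user per group. User names other than userthree, passwords
! and the management station address are assumed.
!
! Step 10: myview = MIB-II readable, Cisco private MIB hidden
snmp-server view myview mib-2 included
snmp-server view myview cisco excluded
!
! only the management station may talk SNMP at all
access-list 10 permit 10.1.1.20
!
! Steps 6-9: four USM v3 groups with increasing protection
snmp-server group groupone   v3 noauth access 10
snmp-server group grouptwo   v3 noauth read myview access 10
snmp-server group groupthree v3 auth   access 10
snmp-server group groupfour  v3 priv   access 10
!
! Users. The group's level is a minimum: a user in groupfour must
! authenticate and encrypt or the agent rejects the request.
snmp-server user userone   groupone   v3
snmp-server user usertwo   grouptwo   v3
snmp-server user userthree groupthree v3 auth sha Auth3-Passw0rd
snmp-server user userfour  groupfour  v3 auth sha Auth4-Passw0rd priv des56 Priv4-K3y
!
! Step 11: the lab also carries "snmp-server community public RO".
! Do not leave that on a production switch: it is the best-known default.
no snmp-server community public
!
! Step 12: "show running-config" never lists snmp-server user lines
! show snmp user
! show snmp group
```

DES (des56) is the only privacy algorithm available in the release that introduced SNMPv3; later releases add priv aes 128, which should be used where available. Keep the access list on every group, including the ones with privacy: encryption protects the traffic, not the agent from brute-force attempts.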
Problem: unauthorized users can connect to the network and download confidential documents.
[Figure: an unauthorized user connects and downloads a document labelled Confidential Plan.]
Solution:
Bringing Down the Network
Problem: attackers may try to bring down a network by overloading it with requests and
traffic.
Solution: ACLs can be implemented and violations can be logged to track disruptions. DHCP
Interface Tracker can be used to track the location of the user in the network by providing port
and switch identification information to a DHCP server, which can match the information to a
known MAC and IP address.
The figure shows how ACLs are used to prevent overloading the network.
Impersonation (Identity Spoofing)
Solution alternative: a Cisco Secure Access Control Server (ACS) along with 802.1x on the
switch supports strong authentication capabilities (such as certificates and one-time passwords)
to prevent identity spoofing or theft.
Solution alternative: Private VLAN Edge provides security and isolation between ports on a
switch, to ensure that traffic travels directly from its entry point on an access port to the uplink
on the switch, to protect user information.
The figure shows how a Cisco Secure Access Control Server (ACS) can be used to prevent
identity spoofing.
Tracking Down Stolen Laptops
Problem: laptops are frequently stolen due to their portable nature.
Solution: MAC address notification informs network administrators when a user is using the
network and where they are; this information can be used to find the laptop.
The figure shows how MAC address notification can help track down a stolen laptop.
Problem: access to human resources databases should be limited to managers.
Solution: use VLANs to specify which network resources the user may access. Users are
automatically placed in the appropriate VLAN no matter where they log on.
[Figure: an HR employee (blue VLAN, access to HR Server 1), a marketing employee (red VLAN, no access to HR Server 1), and HR Server 1, which holds confidential HR information.]
You may want to differentiate among the people in your organization to determine who should
have access to what information. Some information, such as student or employee information
should only be viewed by a small number of people. Creating different VLANS allows you to
partition the network resources into either less or more sensitive areas. All employees can have
access to general information, but only a small number of people have authorization to view
specific information. For example, authorized users can have access to the network but with
User Registration Tool (URT) and Dynamic VLAN capabilities, the traffic can be segmented to
a specific VLAN. Marketing resources can be on a different VLAN than human resources and
finance can be on a different VLAN than engineering and so on.
Keeping Neighbors Separated
Problem: neighbors on the same switch can view each other's traffic, including logon
identification and passwords.
Solution: Private VLAN Edge provides isolation between ports and VLANs on a switch, and
ensures that traffic travels directly from its entry point to the uplink on the switch.
Since users on the same switch can view each other's traffic, you can use the PVLAN Edge
feature to ensure that users on the same switch cannot eavesdrop.
Problem: users may try to bring down a network by overloading it with requests and traffic.
Solution: each user is limited to a certain amount of bandwidth; no one person can swamp the
network. The number of devices on any one port is limited.
Network traffic will not overburden the switch if configurations limit the number of devices on
each port, and if the bandwidth allocated to users is restricted.
Controlling Unauthorized Network Expansion
Problem: individuals can add rogue or unauthorized access hubs and wireless access points.
[Figure: a wireless AP connects to the switch, but user traffic cannot pass.]
Solution: the solution here is similar to the previous example. The aging capability of the Port
Security feature limits the number of concurrent MAC addresses on a port without preventing
different users from plugging into the port at different times.
Privacy
Solution (using encryption): encryption features protect data by encrypting administrative
traffic such as passwords and configuration information.
[Figure: the credentials "username: dan, password: grades" appear to an unauthorized user only as unreadable ciphertext.]
Summary
This topic summarizes the key points discussed in this lesson.
Q4) What are the three types of secure MAC addresses that can be configured on a Cisco
Catalyst switch port? (Source: Port Security)
______________________________________________________________________
______________________________________________________________________
Module Summary
This topic summarizes the key points discussed in this module.
References
For additional information, refer to these resources:
Cisco Systems Inc. Access Control Lists and IP Fragments.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
Cisco Systems Inc. Configuring IP Access Lists.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Cisco Systems Inc. SAFE: Best Practices for Routing Protocols.
http://www.cisco.com/warp/public/cc/so/neso/vpn/prodlit/sfblp_wp.pdf
Cisco Systems Inc. User Guide for Cisco Secure ACS for Windows Server Version 3.3.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html
Module 3
Overview
The Cisco PIX Security Appliance plays a vital role in the Cisco strategy to use integrated
security to build a Self-Defending Network. From compact "plug-and-play" appliances for small
and home offices, to modular carrier-class gigabit appliances for enterprise and service-
provider environments, Cisco PIX Security Appliances provide robust, enterprise-class
integrated network security services that create a strong multilayered defense for fast-changing
network environments.
In this module you will learn basic configuration skills to prepare you for learning more about
the Cisco PIX Security Appliance in the future.
Module Objectives
Upon completing this module, you will be able to configure a Cisco PIX Security Appliance to
perform basic security operations on a network. This ability includes being able to meet these
objectives:
- Describe firewall technology and features, including Cisco PIX Security Appliance models,
option cards and licenses
- Configure the Cisco PIX Security Appliance features for secure network connectivity from
the CLI
- Configure basic firewall settings using the PDM
Lesson 1
Overview
In previous lessons, you have learned how to configure Cisco IOS firewall features on Cisco
routers. This lesson introduces the Cisco PIX Security Appliance family. The Cisco PIX
Security Appliance family offers purpose-built network devices that provide rich security
services including stateful inspection firewalls, virtual private networking (VPN) and intrusion
detection protection in a single platform. Using the Cisco Adaptive Security Algorithm (ASA)
and PIX operating system, the Cisco PIX Security Appliance family ensures that all the users
behind it are safe and secure from threats lurking on the Internet. Its powerful stateful
inspection firewall technology keeps track of the state of authorized user network requests and
prevents unauthorized network access. By leveraging the flexible access control capabilities of
the Cisco PIX Security Appliance family, administrators can also enforce customized policies
on network traffic traversing through the firewall.
The lesson begins with an overview of three firewall technologies. The features and benefits
of the PIX Security Appliance are presented next, followed by detailed descriptions of each of the
current models. Practical guidelines for licensing software options conclude the lesson.
Objectives
Upon completing this lesson, you will be able to describe firewall technology and features,
including Cisco PIX Security Appliance models, option cards, and licenses. This ability
includes being able to meet these objectives:
- Describe the operational strengths and weaknesses of the three firewall technologies
- Describe PIX Security Appliance technology and features
- Describe the features of each PIX Security Appliance model
- Explain licensing options for PIX Security Appliances
Firewall Technologies
This topic describes the operational strengths and weaknesses of the three firewall technologies.
What Is a Firewall?
[Figure: a firewall between the Internet (outside network) and the inside network, with a DMZ network on a third interface.]
As part of a computer network, a firewall is a set of related programs that enforces an access
control policy between two or more networks. A firewall works closely with a router program
to filter all network packets to determine whether to forward them toward their destination. In
principle, a firewall can be thought of as a pair of mechanisms: one mechanism blocks traffic,
and the other mechanism permits traffic. Specific firewall designs or concepts balance these
two functions, by either placing greater emphasis on blocking traffic or on permitting traffic.
They are often installed away from the rest of the network so that no incoming request can get
directly at private network resources.
Firewalls essentially implement an access control policy that must be defined before selecting a
particular firewall solution. Once deployed, the firewall enforces the policy on everything
behind it. The larger the network behind the firewall is, the more important the design.
There are a number of firewall screening methods. A simple one is to screen requests to make
sure they come from acceptable (previously identified) domain names and IP addresses. For
mobile users, firewalls allow remote access in to the private network by the use of secure logon
procedures and authentication certificates.
There are times that you may want remote users to have access to items on your network. For
example, if your network hosts a website, does online business, or offers FTP, you may want to
create a DMZ (Demilitarized Zone) separate from your protected network.
Firewall Technologies
[Figure: a firewall passing good traffic and dropping bad traffic.]
Each technology has advantages and disadvantages and each one has a best-fit role to play
depending on the needs of the security policy.
[Figure: packet filtering on a router between the Internet and the host 192.165.23.124.]
A packet filtering firewall selectively routes or drops IP packets based on information in the
network (IP) and transport (TCP/UDP) layer headers. It may be implemented on a router or
on a dual-homed gateway (for example, a computer with two network interface cards).
A packet filter uses rules to accept or reject incoming (network communication) packets based
on source and destination IP addresses, source and destination port numbers, and packet type.
These rules can also be used to reject any packet from the outside that claims to come from an
address inside the network. Recall that each service relies on specific ports. By restricting
certain ports, you can restrict those services. For example, blocking TCP port 25 for all user
workstations prevents an infected workstation from broadcasting e-mail viruses across the
Internet.
Any device that uses access control lists (ACLs) can do packet filtering. Recall that ACLs are
probably the most commonly used objects in Cisco IOS router configuration. Not only are they
used for packet filtering firewalls, but they can also select specified types of traffic to be
analyzed, forwarded, or influenced in some way.
While packet filtering is fairly effective and transparent to users, there are disadvantages:
- Packet filtering is susceptible to IP spoofing. Arbitrary packets can be sent that fit ACL
criteria and pass through the filter.
- Packet filters do not filter fragmented packets well. Because the TCP header is carried only
in the first fragment of a fragmented IP packet and packet filters match on TCP header
information, non-initial fragments that match the Layer 3 part of a permit entry are passed;
the assumption is that the filter of the first fragment is accurately enforcing the policy.
(Cisco IOS can deny non-initial fragments explicitly with the fragments keyword; see the
Access Control Lists and IP Fragments reference at the end of Module 2.)
- Complex ACLs are difficult to implement and maintain correctly.
- Some services cannot be filtered. For example, it is difficult to securely filter sessions that
use dynamic port negotiation without opening up access to a whole range of ports, which
in itself might be dangerous.
Packet Filtering Example
[Figure: a router with Ethernet 0 on the inside network 12.23.34.x (mail server 12.23.34.3, FTP server 12.23.34.2) and a serial interface to the Internet; access-list 101 applies to outgoing traffic and access-list 102 applies to incoming traffic.]
The figure shows a simple packet filter example using a Cisco router.
In most network topologies, the Ethernet interface connecting to the internal (inside) network
needs to be protected. The serial interface that connects to the Internet (outside) is unprotected.
In this example, the internal user addresses to protect are in the 12.23.34.x range (on the
Ethernet interface). The subnet mask is 255.255.255.0, making the address of the Ethernet 0
interface 12.23.34.1 255.255.255.0.
This particular network security policy allows everybody from the inside to access Internet
services on the outside. Therefore, all outgoing connections are accepted. The router only
checks packets coming from the Internet. Recall that the checking process tests access list rules
in order. Checking stops when the first match is found. There is an implicit deny rule at the end
of an access list that denies everything not explicitly permitted.
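The two access lists of the figure written out, as an added example that is not part of the course. The interface names and the rule contents beyond "mail to 12.23.34.3 and FTP to 12.23.34.2" are assumptions; the list is ordered so that the anti-spoofing and fragment checks run before any permit:

```ios
! Added example, not from the course. Interface names and the rules
! beyond the two published services are assumed.
!
! access-list 102: packets arriving from the Internet, tested in order,
! first match wins, implicit deny at the end.
! 1. Anti-spoofing: nothing from outside may carry an inside source.
access-list 102 deny   ip 12.23.34.0 0.0.0.255 any log
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any log
! 2. Drop non-initial fragments before a permit can pass them on their
!    Layer 3 addresses alone (the fragment weakness listed above).
access-list 102 deny   ip any 12.23.34.0 0.0.0.255 fragments
! 3. Return traffic of sessions opened from inside. "established" only
!    tests the ACK or RST bit, so a crafted packet with ACK set is
!    accepted (the spoofing weakness above); stateful inspection fixes this.
access-list 102 permit tcp any 12.23.34.0 0.0.0.255 established
! 4. The two published services and nothing else.
access-list 102 permit tcp any host 12.23.34.3 eq smtp
access-list 102 permit tcp any host 12.23.34.2 eq ftp
! 5. Make the implicit deny explicit so that drops are logged.
access-list 102 deny   ip any any log
!
! access-list 101: everything from inside may go out, but only with an
! inside source address, so a compromised host cannot spoof outward.
access-list 101 permit ip 12.23.34.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
interface Ethernet0
 ip address 12.23.34.1 255.255.255.0
!
interface Serial0
 description Internet
 ip access-group 102 in
 ip access-group 101 out
```

The FTP entry shows the dynamic-port problem from the list of disadvantages: active-mode transfers work, because the server opens the data connection outward (allowed by 101) and the replies match the established entry, but passive-mode transfers need a client connection to a high port on the server, which 102 denies. Opening that port range on a packet filter is exactly the risk the text describes; a proxy or a stateful firewall that understands FTP is the usual answer.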
Proxy Server
[Figure: 1. the client sends a request to the proxy; 2. the proxy sends a repackaged request to the Internet; 3. the response returns to the proxy; 4. the proxy sends a repackaged response to the client.]
A proxy server is a firewall device that examines packets at the application layer of the Open
Systems Interconnection (OSI) reference model. This device hides valuable data by requiring
users to communicate with a secure system by means of a proxy server. Users gain access to the
network by going through a process that establishes session state, user authentication, and
authorized policy. This means that users connect to outside services via application programs
(proxies) running on the gateway connecting to the outside unprotected zone.
Proxy Server Firewall Device
Figure: Proxy Server Firewall Device. Two protocol stacks (IP, TCP, and application bindings),
one facing the Internet and one facing the inside network, joined only by the proxy.
Proxy services run at the application level of the network protocol stack for each different type
of service (for example FTP, HTTP, and so on). A proxy server firewall device controls how
internal users access the outside world (the Internet) and how Internet users access the internal
network. In some cases, the proxy blocks all outside connections and only allows internal users
to access the Internet. The only packets allowed back through the proxy are those that return
responses to requests from inside the firewall. In other cases, both inbound and outbound traffic
are allowed under strictly controlled conditions. This condition is like a virtual gap that exists
in the firewall between the inside and outside networks. The proxies bridge this gap by working
as agents for internal or external users.
Stateful Inspection
Figure: Stateful Inspection. The firewall between the inside network and the Internet keeps a
stateful session flow table.
Stateful packet filtering is the method used by the Cisco PIX Security Appliance. Stateful
packet filtering overcomes many of the disadvantages of proxy servers. Unlike static packet
filtering, which examines a packet based on the information in its header, stateful inspection
tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A
stateful firewall may examine not just the header information but also the contents of the packet
up through the application layer in order to determine more about the packet than just
information about its source and destination.
For example, if an outside service is accessed, the stateful packet filter firewall remembers
certain details of that request. This remembering is called saving the state. Each time a
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection is
established for inbound or outbound connections, the information is logged in a stateful session
flow table. When the outside system responds to your request, the firewall server compares the
received packets with the saved state to determine if they are allowed into the network.
The stateful session flow table contains the source and destination addresses, port numbers,
TCP sequencing information, and additional flags for each TCP or UDP connection associated
with that particular session. This information creates a connection object, and consequently, all
inbound and outbound packets are compared against session flows in the stateful session flow
table. Data is permitted through the firewall only if an appropriate connection exists to validate
its passage.
However, there is a disadvantage to stateful filtering that must always be considered. While
stateful inspection provides speed and transparency, packets from inside hosts are forwarded to
the outside network rather than being regenerated by a proxy, which can expose internal IP
addresses (wherever they are not translated) to attackers. Some firewall designs use stateful
inspection and proxies together for added security.
The PIX Security Appliance provides integrated network security services, including stateful
inspection firewalling, protocol and application inspection, virtual private network (VPN)
services, in-line intrusion protection, and multimedia and voice protocol support, in a
cost-effective, easy-to-deploy appliance. Some of the PIX Security Appliance product highlights
are as follows:
Security, performance and reliability in purpose-built security appliances
State-of-the-art stateful inspection via a firewall using patented Adaptive Security
Algorithm (ASA)
Integrated protocol and application inspection engines that examine packet streams at
Layers 4 to Layer 7
User-based authentication of inbound and outbound connections
Robust VPN for secure site-to-site and remote access connections
Simple, web-based management with PIX Device Manager (PDM)
Redundancy support using the stateful failover capabilities that ensure resilient network
protection
Dynamic and static Network Address Translation (NAT) and Port Address Translation
(PAT)
Integrated intrusion detection guards against DoS attacks
Robust remote manageability using CiscoWorks Firewall Management Center,
Telnet/Secure Shell (SSH), Simple Network Management Protocol (SNMP) and syslog
PIX Operating System: Finesse
Finesse, a Cisco proprietary operating system, is a non-UNIX, non-Windows NT operating system
with a Cisco IOS software-like command set. Because it is purpose-built rather than general-
purpose, Finesse avoids much of the attack surface and many of the risks associated with
general-purpose operating systems. Finesse enables the PIX Security Appliance to deliver
outstanding performance with up to 500,000 simultaneous connections, dramatically more than any
UNIX-based firewall.
The heart of the PIX Security Appliance is the ASA. The ASA maintains the secure perimeters
between the networks controlled by the firewall. The stateful, connection-oriented ASA design
creates session flows based on source and destination addresses. The ASA randomizes TCP
sequence numbers, port numbers, and additional TCP flags before completion of the
connection. This function continually monitors return packets to ensure that they are valid, and
only allows one-way (inside to outside) connections without an explicit configuration for each
internal system and application. The randomizing of the TCP sequence numbers minimizes the
risk of a TCP sequence number attack. Because of the ASA, the PIX Security Appliance is less
complex and more robust than a packet filtering-designed firewall. The ASA uses a concept of
security levels to determine whether traffic can pass between two interfaces. The higher the
security level setting on an interface, the more trusted it is.
Recall that each time a TCP connection is established, inbound or outbound, through the PIX
Security Appliance, the information about the connection is logged in a stateful session flow
table. For a packet to be accepted as part of a session, the information in the packet must match
a connection stored in the table. With this methodology, the stateful filter works on
connections, not on individual packets. This approach makes stateful packet filtering a more
stringent security method, because a packet that does not belong to an established session is
dropped and sessions become much harder to hijack.
TCP Initialization: Inside to Outside
Figure: TCP Initialization, Inside to Outside. Inside host 10.0.0.11, translated to 192.168.0.20,
opens a Telnet session (port 23) to 172.30.0.50. The PIX Firewall follows the Adaptive Security
Algorithm: translation check, connection counter, and the returning SYN-ACK is matched against
the connection slot.
TCP is a connection-oriented protocol. When a session from a more secure host inside the PIX
Firewall is started, the PIX Firewall creates an entry in the session state filter. The PIX Firewall
is able to extract network sessions from the network flow and actively verify their validity in
real time. This stateful filter maintains the state of each network connection and checks
subsequent protocol units against its expectations. When a TCP session is initiated through a
PIX Firewall, the PIX Firewall records the network flow and looks for an acknowledgement
from the device with which the host is trying to initiate communications. The PIX Firewall then
allows traffic to flow between the hosts involved in the connection based on the three-way
handshake.
When a TCP session is established over the PIX Firewall, the following happens:
Step 1 The first Internet Protocol (IP) packet from an inside host causes the generation of a translation
slot. The embedded TCP information is then used to create a connection slot in the PIX
Firewall.
Step 5 The inside host completes the connection setup, the three-way handshake, with an ACK.
Step 6 The connection slot on the PIX Firewall is marked as connected, or active-established, and data
is transmitted. The embryonic counter is then reset for this connection.
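As an added example (not Cisco code, and not a description of the Adaptive Security Algorithm's internals), the Python model below ties together the stateful session flow table, the security-level rule that only the more trusted interface may open connections, TCP sequence-number randomization, and the translation and connection slots of the TCP initialization steps. The addresses come from the figure (10.0.0.11 translated to 192.168.0.20, Telnet to 172.30.0.50); the interface security levels, the static translation, the 32-bit random offset, and the outside address 203.0.113.9 are assumptions of the example.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed interface security levels; the ASA treats the higher level as the more trusted side.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

@dataclass
class Packet:
    iface: str            # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK"}
    seq: int = 0
    ack: int = 0

@dataclass
class ConnSlot:
    local: str            # inside host's real address
    mapped: str           # address it is translated to (its translation slot)
    sport: int
    remote: str
    dport: int
    isn_offset: int       # random offset applied to the inside host's sequence numbers
    state: str = "embryonic"   # embryonic -> syn_ack -> established

class StatefulFirewall:
    """Toy model of the PIX stateful session flow table (assumed behaviour, not Cisco code)."""

    def __init__(self, static_nat: Dict[str, str], rng: Optional[random.Random] = None):
        self.nat = dict(static_nat)   # translation slots: local address -> mapped address
        self.conns: Dict[Tuple[str, int, str, int], ConnSlot] = {}   # keyed (mapped, sport, remote, dport)
        self.embryonic = 0            # half-open connections still waiting for the handshake
        self.rng = rng or random.Random()

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, the packet as forwarded to the other side, or None if dropped)."""
        # Connections may be opened without explicit configuration only from the more trusted side.
        if SECURITY_LEVEL[pkt.iface] > SECURITY_LEVEL["outside"]:
            return self._from_inside(pkt)
        return self._from_outside(pkt)

    def _from_inside(self, pkt):
        mapped = self.nat.get(pkt.src)
        if mapped is None:
            return ("deny", None)                 # no translation slot for this host
        key = (mapped, pkt.sport, pkt.dst, pkt.dport)
        conn = self.conns.get(key)
        if conn is None:
            if pkt.flags != frozenset({"SYN"}):
                return ("deny", None)             # only a SYN may create a connection slot
            conn = ConnSlot(pkt.src, mapped, pkt.sport, pkt.dst, pkt.dport,
                            isn_offset=self.rng.getrandbits(32))
            self.conns[key] = conn
            self.embryonic += 1                   # Step 1: translation slot plus embryonic connection slot
        elif conn.state == "syn_ack" and "ACK" in pkt.flags:
            conn.state = "established"            # Steps 5-6: handshake complete, slot marked active
            self.embryonic -= 1
        out = Packet("outside", mapped, pkt.sport, pkt.dst, pkt.dport, pkt.flags,
                     seq=(pkt.seq + conn.isn_offset) & 0xFFFFFFFF, ack=pkt.ack)
        return ("permit", out)

    def _from_outside(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        conn = self.conns.get(key)
        if conn is None:
            return ("deny", None)                 # no connection object: unsolicited inbound traffic
        if conn.state == "embryonic":
            if pkt.flags != frozenset({"SYN", "ACK"}):
                return ("deny", None)             # the only thing expected now is the peer's SYN-ACK
            conn.state = "syn_ack"
        # Undo the sequence-number randomization so the inside host sees its own numbering.
        out = Packet("inside", pkt.src, pkt.sport, conn.local, conn.sport, pkt.flags,
                     seq=pkt.seq, ack=(pkt.ack - conn.isn_offset) & 0xFFFFFFFF)
        return ("permit", out)

def run_demo(seed: int = 1) -> dict:
    """Drive the Telnet session from the figure through the model and record each outcome."""
    fw = StatefulFirewall({"10.0.0.11": "192.168.0.20"}, rng=random.Random(seed))
    inside, outside, mapped = "10.0.0.11", "172.30.0.50", "192.168.0.20"
    log = {}
    v, syn = fw.process(Packet("inside", inside, 1025, outside, 23, frozenset({"SYN"}), seq=1000))
    log["syn"] = (v, syn.src, fw.embryonic)
    # An Internet host (assumed address) trying Telnet to the mapped address finds no slot.
    v, _ = fw.process(Packet("outside", "203.0.113.9", 4444, mapped, 23, frozenset({"SYN"})))
    log["unsolicited"] = v
    # The peer's SYN-ACK matches the embryonic slot; its ack is mapped back to the host's numbering.
    v, synack = fw.process(Packet("outside", outside, 23, mapped, 1025, frozenset({"SYN", "ACK"}),
                                  seq=5000, ack=syn.seq + 1))
    log["synack"] = (v, synack.dst, synack.ack)
    # The inside host's ACK completes the handshake and the embryonic counter is reset.
    v, _ = fw.process(Packet("inside", inside, 1025, outside, 23, frozenset({"ACK"}), seq=1001, ack=5001))
    log["ack"] = (v, fw.conns[(mapped, 1025, outside, 23)].state, fw.embryonic)
    return log

if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:12s} {result}")
```

run_demo drives the session in the figure: the inside SYN creates the slots and bumps the embryonic counter, an unsolicited SYN from the Internet to the mapped address finds no connection object and is dropped, the peer's SYN-ACK is accepted only because a matching embryonic slot exists, and the inside host's ACK marks the slot established. A real appliance also ages idle and half-open entries out of the table and checks sequence numbers against the window, which this model omits.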
PIX Cut-Through Proxy Operation
Cut-through proxy is a method of transparently verifying the identity of the users at the
firewall, and permitting or denying access to any TCP- or UDP-based applications. This
process is also known as user-based authentication of inbound or outbound connections. Unlike
a proxy server that analyzes every packet at the application layer of the OSI model, the PIX
Security Appliance first challenges a user at the application layer. After the user is
authenticated and the policy is checked, the PIX Security Appliance shifts the session flow to a
lower layer of the OSI model for dramatically faster performance. This allows security policies
to be enforced on a per-user-identification basis.
Connections must be authenticated with a user identification and password before they can be
established. The user identification and password are entered via an initial HTTP, HTTPS,
Telnet, or FTP connection. This method eliminates the price/performance impact that UNIX
system-based firewalls impose in similar configurations, and allows a finer level of
administrative control over connections. The cut-through proxy method also leverages the
authentication and authorization services of the Cisco Secure Access Control Server (Cisco
Secure ACS).
Figure: FTP through the firewall. The client's control connection runs from port 2008 to server
port 21; on it the client announces data port 2010, and the firewall opens port 2010 so that the
server's data connection from port 20 can reach the client.
Many corporations use the Internet for business transactions. To keep their internal networks
secure from threats on the Internet, they implement firewalls at the edge of their internal
network. Even though these firewalls help protect the corporate internal network from external
threats, they cause problems as well: some of the protocols and applications that corporations
use to communicate are not allowed through the firewalls. For example, FTP, HTTP, H.323, and
SQL*Net negotiate connections to dynamically assigned source or destination ports, or IP
addresses, through the firewall, and a filter that only knows the fixed, well-known ports cannot
anticipate them.
A good firewall must inspect packets above the network layer and do the following as required
by the protocol or application:
Securely open and close negotiated ports or IP addresses for legitimate client-server
connections through the firewall.
Rewrite the NAT-relevant instances of an IP address carried inside a packet payload.
Rewrite the PAT-relevant instances of ports carried inside a packet payload.
Inspect packets for signs of malicious application misuse.
You can configure the Cisco PIX Security Appliance to allow the required protocols or
applications to pass securely through the firewall. This configuration lets corporate internal
networks remain secure while day-to-day business continues over the Internet.
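The following Python model is an added example, not Cisco code, of what the FTP inspection described above has to do on the control channel: decode the client's PORT command, check that it only asks the server to connect back to the client itself, rewrite the embedded inside address to its translated form, and open a single pinhole for the server's data connection. The addresses (client 10.0.0.11 translated to 192.168.0.20, server 172.30.0.50) and the bounce and low-port checks are assumptions of the example.

```python
import re
from typing import Optional, Set, Tuple

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (address, port); None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(address: str, port: int) -> str:
    """Encode (address, port) back into the PORT command's comma-separated form."""
    return "PORT " + ",".join(address.split(".") + [str(port // 256), str(port % 256)])


class FtpInspector:
    """Watches one client's FTP control channel and opens a pinhole only for the data
    connection that was actually negotiated (assumed behaviour, not Cisco code)."""

    def __init__(self, client_local: str, client_mapped: str, server: str):
        self.client_local = client_local     # client's real (inside) address
        self.client_mapped = client_mapped   # address the server sees after NAT
        self.server = server
        self.pinholes: Set[Tuple[str, int, str, int]] = set()   # (src, sport, dst, dport)

    def inspect_control(self, line: str) -> Optional[str]:
        """Handle one client->server control line; return the line to forward, or None to drop it."""
        parsed = parse_port(line)
        if parsed is None:
            return line                      # not a PORT command: forward unchanged
        address, port = parsed
        if address != self.client_local:
            return None                      # client asked the server to connect elsewhere (FTP bounce)
        if port < 1024:
            return None                      # refuse data connections aimed at well-known service ports
        # Permit exactly one inbound connection: server data port 20 -> the announced client port.
        self.pinholes.add((self.server, 20, self.client_mapped, port))
        # NAT fixup: the address embedded in the payload must be the translated one.
        return format_port(self.client_mapped, port)

    def allow_data(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Would an inbound data connection with this 4-tuple be let through?"""
        return (src, sport, dst, dport) in self.pinholes

    def close_data(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Close the pinhole again once the transfer has ended."""
        self.pinholes.discard((src, sport, dst, dport))


if __name__ == "__main__":
    insp = FtpInspector("10.0.0.11", "192.168.0.20", "172.30.0.50")
    for line in ["USER anonymous", "PORT 10,0,0,11,7,218", "PORT 172,30,0,99,0,25"]:
        print(f"{line:24s} -> {insp.inspect_control(line)}")
    print("server :20 -> client :2010 allowed:", insp.allow_data("172.30.0.50", 20, "192.168.0.20", 2010))
```

The port in the figure, 2010, is encoded as 7,218 (7 * 256 + 218). The same inspection logic, applied to the server's 227 reply, covers passive-mode transfers, where it is the client that opens the data connection to a port the server announces.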
Web-Based PIX Management Solutions
The Cisco PIX Device Manager (PDM) and the Firewall Management Center (FWMC) are
browser-based configuration tools designed to help you set up, configure, and monitor your
Cisco PIX Security Appliance graphically, and without requiring an extensive knowledge of
the PIX Security Appliance command-line interface (CLI).
The PDM monitors and configures a single PIX Security Appliance. You can use the PDM to
create a new configuration and to monitor and maintain current PIX Security Appliances. You
can point your browser to more than one PIX Security Appliance and administer several PIX
Security Appliances from a single workstation.
CiscoWorks 2000 Management Center for Firewalls (Firewall MC) is a web-based interface for
configuring and managing multiple Cisco PIX Security Appliances. Firewall MC has a look
and feel similar to the PDM; however, with Firewall MC, you can configure multiple firewalls
instead of configuring only one at a time. Firewall MC centralizes and accelerates the
deployment and management of multiple PIX Security Appliances.
Figure: Failover. Before failover, the primary PIX Security Appliance is active and the
secondary is standby; after failover, the secondary is active and the primary is standby.
Failover provides a redundancy mechanism for the PIX Security Appliance by allowing two
identical firewalls (hardware and software) to serve the same functionality. The active firewall
performs normal security functions, while the standby firewall acts as a monitor, and is ready to
take control should the active firewall fail.
The PIX Security Appliance can use a serial cable for short-distance failover or an Ethernet
cable for long-distance (LAN-based) failover. In both of these scenarios, the PIX Security
Appliance can be configured for stateful failover so that active connections remain when
failover occurs. When failover occurs, syslog messages that indicate the cause of the failure are
generated.
Note PIX Security Appliance models that support failover include legacy models such as the
Cisco PIX 515 Security Appliance and the PIX 520 Security Appliance, which are not
featured in this course. Current models such as the PIX 515E Security Appliance, the PIX
525 Security Appliance, and the PIX 535 Security Appliance also support failover.
PIX Security Appliance Models
This topic describes the features of each PIX Security Appliance model.
Figure: PIX Security Appliance models by functionality: PIX 515E, PIX 525, PIX 535.
The Cisco PIX 500 Security Appliance series scales to meet a range of requirements and
network sizes, and currently consists of the following five models:
The PIX 501 Security Appliance has an integrated 10/100BASE-T port (100BASE-T
option available in PIX Software Release 6.3) and an integrated four-port 10/100 switch.
The PIX 506E Security Appliance has dual integrated 10/100BASE-T ports (100BASE-T
option is only available in PIX Software Release 6.3).
The PIX 515E Security Appliance supports single-port or four-port 10/100 Ethernet cards.
The PIX 525 Security Appliance supports single-port or four-port 10/100 Fast Ethernet and
Gigabit Ethernet.
The PIX 535 Security Appliance supports Fast Ethernet and Gigabit Ethernet. The PIX
515E Security Appliance, 525, and 535 models come with an integrated Virtual Private
Network Accelerator (VAC) card.
Note Prior to PIX Security Appliance Software Release 6.3, the PIX 501 Security Appliance
outside interface and the PIX 506E Security Appliance outside and inside interfaces
operated at 10BASE-T. With the upgrade to Software Release 6.3, these interfaces can
operate at 10/100BASE-T. Enabling the higher speed on the interface requires only a
software upgrade.
The Cisco PIX Security Appliance plays a vital role in the Cisco strategy to use integrated
security to build a Self-Defending Network. The PIX Security Appliance is secure right out
of the box. After a few installation procedures and an initial configuration of six general
commands, your PIX Security Appliance is operational and protecting your network. These
PIX Security Appliance commands enable connections from the inside interface access to the
outside interface, and block all connections from the outside interface to the inside interface.
PIX Security Appliance Licensing
This topic explains the licensing options for PIX Security Appliances.
Note These features apply to the PIX 515 Security Appliance, the PIX 515E Security Appliance,
the PIX 525 Security Appliance, and the PIX 535 Security Appliance.
Current Cisco PIX Security Appliance licensing is based on a feature-based license key
system. The PIX Security Appliance license determines the level of service it provides, its
functions in a network, and the maximum number of interfaces and memory it can support. For
the PIX Security Appliance family, the following licensing is available:
PIX 501 Security Appliance: This model is provided with a 10-user, 50-user, or unlimited-
user license in PIX Security Appliance Software Release 6.3. Each license allows up to a
specified number of concurrent source IP addresses from your internal network to traverse
the firewall. For instance, the 50-user license allows up to 50 concurrent source IP
addresses from your internal network to traverse the firewall. If a PIX 501 Security
Appliance requires more concurrent users to traverse the firewall, the following upgrade
user licenses are available: 10-user to 50-user, 10-user to unlimited, and 50-user to
unlimited.
PIX 506E Security Appliance: This model is provided with a single, unlimited-user
license.
PIX 515E Security Appliance, PIX 525 Security Appliance and PIX 535 Security
Appliance: These models are available with the following basic license types:
Unrestricted: PIX Security Appliance platforms in an unrestricted license mode
allow installation and use of the maximum number of interfaces and RAM supported
by the platform. The unrestricted license supports failover.
Restricted: PIX Security Appliance platforms in a restricted license mode limit the
number of interfaces supported and the amount of RAM available within the system.
A restricted licensed firewall does not support a redundant system for failover
configurations.
Cisco supplies an activation key with a license. The activation key is based on the type of
license and the serial number of the PIX Security Appliance. To enable the license features,
enter the activation key into the PIX Security Appliance configuration and then reboot the PIX
Security Appliance. Upon reboot, the new license features should take effect.
Note An activation key is tied to a specific PIX Security Appliance, such as PIX Security
Appliance-serial number 12345678. An activation key is not specific to a particular PIX
Security Appliance software version.
VPN Encryption License
In addition to upgrading the PIX Security Appliance license, you may wish to add data
encryption services or increase the level of data encryption your PIX Security Appliance can
provide. You can fill out an online form at the PIX Security Appliance Software page on
Cisco.com to obtain a free 56-bit DES key. There is a separate form to install or upgrade to
168-bit 3DES and AES encryption. In failover configurations, the unrestricted unit and the
failover (FO) unit each require their own unique DES or 3DES/AES license for failover to
work.
Adding cryptographic services and upgrading your PIX Security Appliance license requires
obtaining and installing an activation key.
Summary
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Which firewall technology uses a special piece of software designed to relay
application-layer requests and responses between endpoints? (Source: Firewall
Technologies)
Q2) Which firewall technology statically defines sets of rules and access lists that determine
what traffic is permitted or denied from being routed across it by examining protocol
headers information up to the transport layer? (Source: Firewall Technologies)
Q3) Which of the following statements describes a problem with packet filtering
technology? (Source: Firewall Technologies)
A) Packet filtering technology requires deep packet inspection up to the
application layer.
B) Packet filtering requires complex ACLs, which are difficult to implement and
maintain correctly.
C) Packet filtering technology requires high CPU usage to support applications
that negotiate dynamic ports.
D) Packet filtering technology has high memory requirements to maintain the
state table.
Q4) What is the name of the Cisco proprietary operating system used on Cisco PIX Security
Appliances? (Source: PIX Security Appliance Overview)
Q5) What is the name of the security algorithm used by Cisco PIX Security Appliances?
(Source: PIX Security Appliance Overview)
Q6) Name two browser-based configuration tools that can be used to set up, configure and
monitor a single Cisco PIX Security Appliance. (Source: PIX Security Appliance
Overview)
Q7) What are the three types of PIX Security Appliance license types? (Source: PIX
Security Appliance Licensing)
Lesson Self-Check Answer Key
Q1) Proxy server (application layer gateway)
Q2) Packet filter
Q3) B
Q4) Finesse
Q5) Adaptive Security Algorithm (ASA)
Q6) PIX Device Manager (PDM) and Firewall Management Center (FWMC)
Lesson 2
Overview
The Cisco PIX Security Appliance contains a command set, based on Cisco IOS software
technologies, that provides four administrative access modes. The tasks and basic commands
needed to configure basic networking for the appliance in each mode will be described and
illustrated.
Setting the security levels used by the Cisco Adaptive Security Algorithm will be described.
The Adaptive Security Algorithm is the technology the PIX Security Appliance uses to provide
stateful packet inspection on traffic passing through the appliance. Finally, the tasks and
commands needed to make the PIX Security Appliance operational will be described. The lesson
ends with a lab exercise in configuring a PIX from the command-line interface (CLI).
Objectives
Upon completing this lesson, you will be able to configure the Cisco PIX Security Appliance
for secure network connectivity from the CLI. This ability includes being able to meet these
objectives:
Explain how to use the commands in each of the four PIX Security Appliance access
modes
Explain the basic tasks used to configure the PIX Security Appliance
Explain the levels and function of the Adaptive Security Algorithm
Explain the basic commands needed to make the PIX Security Appliance operational
Explain how to examine the status of the PIX Security Appliance
PIX Security Appliance Access Modes
This topic explains how to use the commands in each of the four PIX Security Appliance
access modes.
Access Modes
The PIX Security Appliance contains a command set based on Cisco IOS software, and
provides these four administrative access modes:
Unprivileged mode: This mode is available when you first access the PIX Security
Appliance. The > prompt is displayed. This mode provides a restricted and limited view of
PIX Security Appliance settings.
Privileged mode: This mode displays the # prompt and enables you to change the current
settings. Any unprivileged command also works in privileged mode.
Configuration mode: This mode displays the (config)# prompt and enables you to change
system configurations. All privileged, unprivileged, and configuration commands work in
this mode.
Monitor mode: This is a special mode that enables you to update the image over the
network or to perform password recovery. While in the monitor mode, you can enter
commands specifying the location of the TFTP server and the PIX Security Appliance
software image or password recovery binary file to download.
Within each access mode, you can abbreviate most commands down to the fewest unique
characters for a command. For example, you can enter the write t command statement to view
the configuration instead of entering the full command write terminal. You can enter en
instead of the enable command to start privileged mode.
Help information is available from the PIX Security Appliance command line by entering the
help command or a question mark (?) to list all commands. If you enter the help command or a
question mark (?) after a command (for example, route ?), the command syntax is listed. The
number of commands listed when you enter a question mark (?) or the help command differs by
access mode: unprivileged mode offers the fewest commands and configuration mode offers the
most. In addition, you can enter any command by itself on the command line and then press
Enter to view its syntax.
Note You can create your configuration on a text editor and then cut and paste it into the
configuration. You can paste the configuration in one line at a time, or the entire
configuration at once. Always check your configuration after pasting large blocks of text to
be sure that everything has been copied.
pixfirewall>
enable [priv_level]
Enables you to enter other access modes
pixfirewall(config)#
When you first access a PIX Security Appliance, you are presented with the pixfirewall> prompt
in unprivileged mode, which lets you view a restricted set of settings. On a previously
configured PIX Security Appliance, the pixfirewall> prompt may be replaced with a network-
specific host name prompt such as Paris> or London>. To get started with the PIX Security
Appliance, the first command you must know is the enable command. This command provides
entrance to privileged mode. After you enter the enable command, the PIX Security Appliance
prompts you for the privileged mode password. By default, no password is set, so you can press
Enter at the password prompt, but you should set one of your own before the appliance goes into
service. After you are in privileged mode, notice that the prompt has changed to pixfirewall#.
The enable password command sets the privileged mode password. The password is case-
sensitive and can be from 3 to 16 alphanumeric characters long. Any character can be used
except a question mark (?), a space, and a colon (:).
If you create a password, write it down and store it in a manner consistent with your site
security policy. After you create the password, you cannot view it again because only a
Message Digest 5 (MD5) hash of it is stored. The show enable password command lists this
stored form, which the CLI calls encrypted; it is a one-way hash, however, and cannot be
reversed back to plain text.
Note An empty password is also changed into an encrypted string.
configure terminal
exit
Used to exit from an access mode
Use the configure terminal command to move from privileged mode to configuration mode.
As soon as you enter the configure terminal command, the prompt changes to (config)#.
Configuration mode enables you to change system configurations. Use the exit command or
quit command to exit and return to the previous mode.
Changing the Host Name CLI Prompt
Figure: Changing the Host Name CLI Prompt. Three PIX Security Appliances, named New_York,
Chicago, and Dallas, each protecting a server.
pixfirewall(config)# hostname newname
In the configuration example in the figure, the PIX Security Appliance default host name label
is pixfirewall. In a network of multiple PIX Security Appliances, it may be advantageous to
assign a unique host name label to each PIX Security Appliance. To accomplish this, use the
hostname command. The hostname command changes the host name label on the prompts.
The host name can be up to 16 alphanumeric characters, and it can be uppercase and lowercase.
In the figure, the default host name label of pixfirewall is changed to chicago using the
hostname command. The syntax for the hostname command is as follows:
hostname newname
newname: New host name for the PIX Security Appliance prompt
Figure: Basic PIX Security Appliance configuration: an appliance with Ethernet interfaces e0,
e1, and e2, one of which connects to the Internet.
You can configure the PIX Security Appliance by entering commands from the configuration
mode on your console computer or terminal that are similar in context to those that you use
with Cisco routers. The following figures explain some of the basic PIX configuration
commands.
Default Setup Dialog
When a nonconfigured PIX Security Appliance boots up, you are prompted to preconfigure it
through interactive prompts. If you press Enter to accept the default answer of yes, you are
presented with a series of prompts that lead you through the basic configuration steps. The
figure shows an example of how to respond to the prompts.
The setup dialog was designed to preconfigure the PIX Security Appliance to interact with the
Cisco PIX Device Manager (PDM). The PIX Security Appliance requires some
preconfiguration before PDM can connect to it. PDM is a GUI that can be used to configure
and monitor the PIX Security Appliance.
The setup dialog can also be accessed by entering the setup command. The following are the
prompts found in the setup dialog:
Enable Password: Specifies an enable password for this PIX Security Appliance
Clock (UTC): Sets the PIX Security Appliance clock to Coordinated Universal Time (UTC),
also known as Greenwich Mean Time (GMT)
Year: Specifies the current year, or defaults to the year stored in the host computer
Month: Specifies the current month, or defaults to the month stored in the host computer
Day: Specifies the current day, or defaults to the day stored in the host computer
Time: Specifies the current time in hh:mm:ss format, or defaults to the time stored in the
host computer
Inside IP address: The inside network interface IP address of the PIX Security Appliance
Inside network mask: A network mask that applies to the inside IP address
Host name: The host name that you want to display in the PIX Security Appliance CLI
prompt
Domain name: The Domain Name System (DNS) domain name of the network on which
the PIX Security Appliance runs; for example, example.com
At the end of the setup dialog, you are asked if you want to write the configuration to Flash
memory. If you answer yes, the configuration you just entered is saved to Flash memory. If you
answer no, the setup dialog repeats using the values already entered as the defaults for the
questions.
console timeout Command
Figure: console timeout Command. A console session to the PIX Security Appliance over the
serial cable; a TFTP server is also shown.
By default, there is no timeout value for console session users. If a console user walks away
from an open session, the session remains open. Therefore, it may be prudent to configure an
idle timeout value in the PIX Security Appliance. If there is no activity for a predefined time,
the PIX Security Appliance ends the console session.
The console timeout command sets the idle timeout for any authenticated, privileged mode, or
configuration mode user session that accesses the firewall console through the serial cable.
The default value is zero, which means no timeout, and an unattended console that never times
out presents a security risk. By setting the value to a nonzero number of minutes, the user is
logged out after the specified period of inactivity. This timeout does not alter the Telnet or
Secure Shell (SSH) timeouts; those access methods maintain their own timeout values.
banner Command
The banner command enables the administrator to define messages in the PIX Security
Appliance. There are three types of banner commands: exec, login, and motd. Each banner
command type is used as follows:
exec: Configures the system to display a banner before displaying the privileged mode
prompt
login: Configures the system to display a banner before the password login prompt when
accessing the firewall using Telnet
motd: Configures the system to display a Message-of-the-Day banner (MOTD)
The banner command configures a banner to display for the option specified. The text string
consists of all characters following the first white space (space) until the end of the line
(carriage return or line feed). Spaces in the text are preserved. However, tabs cannot be entered
through the CLI. Multiple lines in a banner are handled by entering a new banner command for
each line that you wish to add. Each line is then appended to the end of the existing banner.
In the figure, the administrator wants to add a legal statement to the login process. The banner
command enables the administrator to preface all console sessions with the following
statement: Unauthorized access is not permitted. Violators will be prosecuted.
To replace a banner, use the no banner command before adding the new lines. The no banner
{exec | login | motd} command removes all the lines for the banner option specified. The no
banner command does not selectively delete text strings; any text entered after the banner
type at the end of the no banner command is ignored.
The show banner {motd | exec | login} command displays the specified banner option and all
the lines configured for it. If a banner option is not specified, all the banners are displayed.
Viewing and Saving Your Configuration
There are two configuration memories in the PIX Security Appliance: the running configuration
and the startup configuration. The show running-config command displays on the terminal the
current configuration held in PIX Security Appliance RAM. Any changes made to the PIX
Security Appliance configuration are written into the running configuration, which lives in
volatile RAM: if the PIX Security Appliance loses power or is rebooted, any changes to the
running configuration that were not previously saved are lost. You can also display the current
running configuration with the write terminal command.
The write memory command saves the current running configuration to the startup
configuration in Flash memory. Using this command is the same as answering yes to the setup
dialog prompt asking whether you wish to save the current configuration. Once the
configuration is written to Flash memory, you can view it with either the show startup-config
or the show configure command.
Another useful command is show history, which displays previously entered commands. You
can examine commands individually with the Up Arrow key and the Down Arrow key or by
entering Ctrl-P to view previously entered lines or Ctrl-N to view the next line.
pixfirewall(config)# write erase
Clears the start-up configuration in Flash memory
chicago# write erase
Erase PIX configuration in Flash memory? [confirm]
The write erase command clears the startup configuration. When you issue this command, you
are prompted to confirm if you want to erase the startup configuration. If you enter yes, the
startup configuration is erased. At this point, you can power cycle, or reboot the PIX Security
Appliance. The PIX Security Appliance reverts to the default configuration. You can copy the
running configuration to Flash memory by issuing the write memory command.
Reload the Configuration
reload Command
pixfirewall(config)# reload [noconfirm]
chicago# reload
Proceed with reload? [confirm] y
Rebooting...
PIX Bios V2.7..
The reload command reboots the PIX Security Appliance and reloads the configuration from
Flash memory. You are prompted with Proceed with reload? for confirmation before the
reload process begins. Any response other than no causes the reboot to occur.
Configuration changes not written to Flash memory are lost after reload. Before rebooting,
store the current configuration in Flash memory with the write memory command.
The noconfirm command option permits the PIX Security Appliance to reload without user
confirmation. The PIX Security Appliance does not accept abbreviations to the keyword
noconfirm.
If you wish to return the PIX Security Appliance back to the factory default configuration, use
the write erase command and the reload command. The write erase command clears the
startup configuration and reverts to the factory default parameters. The reload command
reboots the PIX Security Appliance using the startup configuration, which, in this case, is the
factory default configuration.
An administrator can back up or restore a PIX Security Appliance configuration. The write net
command stores the current configuration into a file on a TFTP server elsewhere in the
network. The configure net command restores the configuration from the server to the PIX
Security Appliance. To complete the backup or restore, the administrator must supply
information such as the IP address and the file pathname of the TFTP server.
write net and configure net Commands
[Figure: write net and configure net at the pixfirewall(config)# prompt, backing up to and restoring from a TFTP server]
The write net command enables you to store the current configuration to a file on a TFTP
server elsewhere in the network. The configure net command merges the current running
configuration with the TFTP configuration stored at the IP address that you specify and from
the file that you name. To use the configure net and write net commands, you must specify
both the server IP address and the full path in the tftp-server command.
If you have an existing PIX Security Appliance configuration on a TFTP server and store a
shorter configuration with the same filename on the TFTP server, some TFTP servers will leave
some of the original configuration after the first end mark. This loss of configuration text
does not affect the PIX Security Appliance because the configure net command stops reading
when it reaches the first end mark; however, it may cause confusion if you view the
configuration and see extra text at the end of the configuration. This issue does not occur if you
are using Cisco TFTP Server version 1.1 for Microsoft Windows NT.
The example in the figure specifies the TFTP server address as 10.0.0.11 and the path to the file
test_config as pixfirewall/config. Because the interface where the TFTP server resides is not
specified, the inside interface is assumed. The write net command tells the PIX Security
Appliance to store the configuration in the test_config file.
The syntax for the write net command is write net [server_ip]:[filename], and the syntax for
the configure net command is configure net [server_ip]:[filename].
TFTP Server Parameters
tftp-server Command
pixfirewall(config)# tftp-server [if_name] ip_address path
Rather than write the full server IP address and file pathname every time the configuration is
backed up or restored, the PIX Security Appliance enables the administrator to split the job
between two commands: the write net or configure net command and the tftp-server
command. The write net and configure net commands back up the current configuration to,
and restore a configuration from, the TFTP server, respectively. The tftp-server command
defines the IP address and the file pathname of the TFTP server; the write net and configure
net commands rely on the values it specifies. Whatever you specify in the tftp-server command
is appended to the configure net and write net commands, so the more of the path and
filename you give with tftp-server, the less you need to give with configure net and write net.
If you specify the IP address and full path and filename in the tftp-server command, the
configure net and write net commands can be reduced to a colon (:), as write net : or
configure net :.
The no tftp-server command disables access to the server, and the clear tftp-server command
removes the tftp-server command from your configuration. The show tftp-server command
lists the tftp-server command statements in the current configuration.
if_name: The interface name on which the TFTP server resides. If not specified, an internal
interface is assumed. If you specify the outside interface, a warning message informs you that
the outside interface is insecure.
path: The path and filename of the configuration file. The format for path differs by the type of
operating system on the server. The contents of the path are passed directly to the server
without interpretation or checking. The configuration file must exist on the TFTP server. Many
TFTP servers require the configuration file to be world-writable to write to it and
world-readable to read from it. Because TFTP has no authentication or encryption and the file
holds the complete configuration, including password hashes, keep the server on a trusted
management network and restrict access to its directory to the hosts that need it.
Note If you erase the configuration, you must reenable and set an IP address on the interface
connected to the TFTP server before the PIX Security Appliance can read a new
configuration from the TFTP server.
Host Name-to-IP Address Mapping
name Command
[Figure: bastionhost (172.16.0.2, on the 172.16.0.0 network) and insidehost (10.0.0.11, on the 10.0.0.0 network) behind the PIX Security Appliance]
pixfirewall(config)# name ip_address name
chicago(config)# names
chicago(config)# name 172.16.0.2 bastionhost
chicago(config)# name 10.0.0.11 insidehost
Use of the name command enables you to configure a list of name-to-IP address mappings on
the PIX Security Appliance. This mapping allows the use of names in the configuration instead
of IP addresses. In the figure, the server and PC IP addresses are mapped to the names
bastionhost and insidehost. Bastionhost and insidehost can be used in place of an IP
address in any PIX Security Appliance command reference; for example, with the ping
command ping insidehost.
Allowable characters for the name are a to z, A to Z, 0 to 9, a hyphen (-), and an underscore (_).
The name cannot start with a number. If the name is over 16 characters long, the name
command fails. After the name is defined, it can be used in any PIX Security Appliance
command reference in place of an IP address. The names command enables the use of the
name command. The clear names command clears the list of names from the PIX Security
Appliance configuration. The no names command disables the use of the text names, but does
not remove them from the configuration. The show names command lists the name command
statements in the configuration.
Note Most commands can be removed or disabled by placing the word no in front of the
command. For example, the no form of the names command shown previously disables the
use of names.
The PIX Security Appliance uses the Adaptive Security Algorithm to perform stateful packet
inspection on traffic passing through the firewall. The PIX uses a real-time, embedded
operating system to track the state of thousands of simultaneous connections. The Adaptive
Security Algorithm is a stateful approach to security. Every inbound packet (a packet
originating from a host on a less-protected network and destined for a host on a more-protected
network) is checked against the Adaptive Security Algorithm and against the connection state
information in PIX Security Appliance memory.
The Adaptive Security Algorithm allows one-way (outbound) connections with a minimum
number of configuration changes. An outbound connection is a connection originating from a
host on a more-protected interface and destined for a host on a less-protected network. The
Adaptive Security Algorithm is always in operation. It monitors return packets to ensure that
they are valid and belong to an existing connection. It also randomizes the initial TCP
sequence number of each connection to minimize the risk of TCP sequence number prediction
attacks.
Adaptive Security Algorithm Security Levels
Adaptive Security Algorithm uses a concept of security levels to control traffic between
interfaces.
[Figure: e0 to the Internet, e1 to the inside network, and e2 to the DMZ network (interface name DMZ, security level 50)]
A PIX Security Appliance has a very simple mechanism to control traffic between interfaces.
The Adaptive Security Algorithm uses a concept of security levels to determine whether traffic
can pass between two interfaces. The higher the security level setting on an interface, the more
trusted it is.
The security level designates whether an interface is trusted (and more protected) or untrusted
(and less protected) relative to another interface. An interface is considered trusted in relation to
another interface if its security level is higher than the other interface security level, and is
considered untrusted in relation to another interface if its security level is lower than the other
interface security level.
The primary rule for security levels is that an interface with a higher security level can access
an interface with a lower security level. Conversely, an interface with a lower security level
cannot access an interface with a higher security level unless an access control list (ACL)
allows exceptions. Security levels range from 0 (lowest) to 100 (highest). As shown in the
figure, security level 100 is assigned to the inside network behind the firewall and security
level 0 to the outside network. In this example, the Demilitarized Zone (DMZ) has been
assigned a security level of 50.
Security level 100: This is the inside interface default setting for the PIX Security Appliance
and cannot be changed. Because 100 is the most trusted interface security level, your corporate
network should be set up behind it so that no one else can access your network unless they are
specifically given permission, while devices behind this interface can have access outside the
corporate network.
Security levels 1 to 99: These security levels can be assigned to the perimeter interfaces
connected to the PIX Security Appliance. Security levels are assigned based on the type of
access that each device needs.
Security level 0: This is the outside interface default setting for the PIX Security Appliance
and cannot be changed. Because 0 is the least-trusted interface security level, you should set
your most untrusted network behind this interface so that it does not have access to other
interfaces unless it is specifically given permission. This interface is usually used for Internet
connections.
The Security Level Operation table summarizes the way that traffic flows through interfaces
assigned various security levels.
Situation: More secure interface to a less secure interface
Guideline: Traffic originating from the inside interface of the PIX Security Appliance (security
level 100) to the outside interface (security level 0) follows this rule: allow all IP-based traffic
unless restricted by ACLs, authentication, or authorization.
Situation: Less secure interface to a more secure interface
Guideline: Traffic originating from the outside interface of the PIX Security Appliance
(security level 0) to the inside interface (security level 100) follows this rule: drop all traffic
unless an ACL specifically permits it (and, where configured, authentication or authorization
succeeds).
Situation: Between two interfaces with the same security level
Guideline: No traffic flows between two interfaces with the same security level.
The figure shows a simple configuration with three different security levels assigned to three
ports. The Security Level Settings table summarizes the security level settings for the
Ethernet 2 (DMZ) interface.
Interface pair: Outside (security 0) to DMZ (security 50)
Relative relationship: DMZ is considered trusted.
Configuration guidelines: Static translations (static command) and ACLs must be configured
to enable sessions originated from the outside interface to the DMZ interface.
Interface pair: Inside (security 100) to DMZ (security 50)
Relative relationship: DMZ is considered untrusted.
Configuration guidelines: Global IP address pools and Network Address Translation (NAT) are
configured to enable sessions originated from the inside interface to the DMZ interface. Static
translations may be configured for the DMZ interface so that service hosts always appear with
the same source address.
Note The PIX Security Appliance can support up to ten interfaces depending on the model and
license.
Basic PIX Security Appliance Operational Commands
This topic explains the basic commands needed to make the PIX Security Appliance
operational.
[Figure: nameif, interface, ip address, nat, global, and route applied to interfaces e0, e1, and e2]
The following are some of the primary configuration commands for the PIX Security
Appliance:
nameif: Assigns a name to each perimeter interface and specifies its security level
interface: Configures the type and capability of each perimeter interface
ip address: Assigns an IP address to each interface
nat: Shields IP addresses on the inside network from the outside network by performing
Network Address Translation.
global: Creates a pool of one or more IP addresses for use in NAT and port address
translation (PAT)
route: Defines a static or default route for an interface
The nameif command assigns a name to each interface on the PIX Security Appliance and
specifies its security level (except for the inside and outside PIX Security Appliance interfaces,
which are named by default). The first two interfaces have the default names inside and
outside. The inside interface has a default security level of 100; the outside interface has a
default security level of 0. In the figure, interface ethernet2 was assigned the name DMZ with
a security level of 50. The syntax for the nameif command is as follows:
nameif hardware_id if_name security_level
hardware_id: The hardware name for the network interface, which specifies the slot location
of the interface on the PIX Security Appliance motherboard. For more information on PIX
Security Appliance hardware configuration, refer to the Cisco PIX Security Appliance
Hardware Installation Guide.
if_name: The name you assign to the interface; it is used in all later configuration references
to that interface.
security_level: The security level for the perimeter interface, entered as security1 to
security99 (for example, security50).
interface Command
[Figure: ethernet0, ethernet1, and ethernet2 each configured 100full]
pixfirewall(config)# interface hardware_id hardware_speed [shutdown]
The interface command identifies hardware, sets its hardware speed, and enables the interface.
The shutdown command option disables an interface. When you first install the PIX Security
Appliance, all interfaces are shut down by default. You must explicitly enable them by entering
the interface command without the shutdown command option. In the figure, interfaces e0, e1,
and e2 are set for 100-Mbps full-duplex communications.
hardware_id This specifies an interface and its slot location on the PIX
Security Appliance. This is the same variable that was used
during the nameif command.
Although the hardware speed is set to automatic speed sensing by default, it is recommended
that you specify the speed of the network interfaces. This enables the PIX Security Appliance
to operate in network environments that may include switches or other devices that do not
handle auto sensing correctly.
Assign Interface IP Address
ip address Command
[Figure: ethernet2, interface name dmz, IP address 172.16.0.1]
pixfirewall(config)# ip address if_name ip_address [netmask]
Each interface on the PIX Security Appliance must be configured with an IP address. Use the
ip address command for this purpose. If you make a mistake while entering this command,
reenter it with the correct information. The clear ip command resets all interface IP addresses
to no IP address. In the figure, the dmz interface is configured with an IP address of 172.16.0.1
and a mask of 255.255.255.0. The syntax for the ip address command is as follows:
if_name This describes the interface. This name is assigned by you, and
must be used in all future configuration references to the
interface.
ip address dhcp Command
pixfirewall(config)# ip address outside dhcp [setroute] [retry retry_cnt]
Instead of manually configuring an IP address on the PIX Security Appliance outside interface,
you can enable the PIX Security Appliance DHCP client feature to have the PIX Security
Appliance dynamically retrieve an IP address from a DHCP server. With the PIX Security
Appliance configured as a DHCP client, a DHCP server can configure the PIX Security
Appliance outside interface with an IP address, subnet mask, and, optionally, a default route.
Use the ip address dhcp command to enable this feature. In the figure, the PIX Security
Appliance is configured to receive an IP address on the outside interface via DHCP.
Use the show ip address dhcp command to view current information about your DHCP lease.
Reentering the ip address dhcp command with the ip address outside dhcp form enables you
to release and renew a DHCP lease from the PIX Security Appliance. The clear ip command
can also be used to release and renew the DHCP lease, but this clears the configuration of every
PIX Security Appliance interface. To delete the DHCP leased IP address from the outside
interface only, use the command clear ip address outside dhcp. The debug dhcpc packet |
detail | error command provides debugging tools for the DHCP client feature.
Command: ip address if_name ip_address [netmask]
Description: Identifies the address and mask for a network interface.
Command: ip address outside dhcp [setroute] [retry retry_cnt]
Description: Use this command to receive DHCP information from the ISP. outside specifies
the interface from which the PIX Security Appliance will poll for information; dhcp specifies
that the PIX Security Appliance will use DHCP to obtain an IP address; setroute tells the PIX
Security Appliance to set the default route using the default gateway parameter that the DHCP
server returns; retry retry_cnt sets the number of times that the PIX Security Appliance will
poll for DHCP information.
Command: clear ip address outside dhcp [setroute] [retry retry_cnt]
Description: Releases the DHCP lease on the outside interface only. The broader clear ip
command clears the address of every interface and so stops all traffic through the PIX Security
Appliance.
Note The PIX Security Appliance DHCP client does not support failover configurations.
NAT
[Figure: inside host 10.0.0.11 sends to the Internet; the PIX Security Appliance translates it to the global address 192.168.0.20 on the outside. Translation table: global 192.168.0.20, local 10.0.0.11]
NAT enables you to keep your internal IP addresses, those behind the PIX Security Appliance,
unknown to external networks. NAT accomplishes this by translating the internal IP addresses,
which are not globally unique, into globally accepted IP addresses before packets are
forwarded to the external network. NAT is implemented in the PIX Security Appliance with
the nat and global commands.
When an outbound IP packet sent from a device on the inside network reaches a PIX Security
Appliance with NAT configured, the source address is extracted and compared to an internal
table of existing translations. If the device address is not already in the table, it is then
translated. A new entry is created for that device, and it is assigned an IP address from a pool of
global IP addresses. This global pool is configured with the global command. After this
translation, the table is updated and the translated IP packet is forwarded. After a user-
configurable timeout period (or the default of 3 hours), and if there have been no translated
packets for that particular IP address, the entry is removed from the table, and the global
address is freed for use by another inside device.
In the figure, host 10.0.0.11 starts an outbound connection. The PIX Security Appliance
translates the source address to 192.168.0.20. Packets from host 10.0.0.11 are seen on the
outside as having a source address of 192.168.0.20.
nat Command
[Figure: inside host 10.0.0.11 translated to X.X.X.X on the outside]
pixfirewall(config)# nat (if_name) nat_id local_ip [netmask [max_conns [em_limit]]]
The first step in enabling NAT on a PIX Security Appliance is entering the nat command. The
nat command can specify dynamic translation for a single host or a range of hosts. The nat
command has two major components, nat_id and IP address or range of IP addresses. A nat_id
is a number from 1 to 2147483647 that specifies the hosts for dynamic address translation. The
dynamic addresses are chosen from a global address pool created with the global command.
The nat command nat_id number must match the nat_id number in the global command if you
want to use that specific global pool of IP addresses for the dynamic address translation.
For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound
connections from a host within the specified network, 10.0.0.0/24, can pass through the PIX
Security Appliance (with address translation). The nat (inside) 1 10.0.0.11 255.255.255.255
command means that only outbound connections originating from the inside host 10.0.0.11 are
translated as the packet passes through the PIX Security Appliance. You can use 0.0.0.0 to
allow all hosts to be translated. The 0.0.0.0 can be abbreviated as 0. As shown in the example,
all inside hosts making outbound connections with the nat (inside) 1 0.0.0.0 0.0.0.0 command
are translated. The nat_id identifies the global address pool the PIX Security Appliance uses for
the dynamic address translation.
nat_id: A number greater than zero (0) that specifies the global address pool you want to use
for dynamic address translation.
em_limit: The embryonic (half-open) connection limit. Set a small value for slower systems,
and a higher value for faster systems. The default is 0, which allows unlimited embryonic
connections.
global Command
[Figure: inside host 10.0.0.11 translated to 192.168.0.20, taken from the global pool on the outside]
pixfirewall(config)# global (if_name) nat_id global_ip[-global_ip] [netmask global_mask]
In a PIX Security Appliance configuration, there may be more than one global pool configured.
Each outbound NAT is associated with a NAT ID, and each global pool has a corresponding
NAT ID. The PIX uses the NAT ID of the outbound IP packet to identify the global pool from
which to select a translation IP address; the NAT ID of the outbound packet must match the
NAT ID of the global pool. The PIX Security Appliance assigns addresses from the designated
global pool starting from the low end to the high end of the range specified in the global
command. The pool of global IP addresses is configured with the global command.
In the figure, host 10.0.0.11 starts an outbound connection. The NAT ID of the outbound
packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with
a NAT ID of 1. The PIX assigns an IP address of 192.168.0.20. It is the lowest available IP
address of the range specified in the global command. Packets from host 10.0.0.11 are seen on
the outside as having a source address of 192.168.0.20. The syntax for the global command is
as follows:
if_name Describes the external network interface name where you will use
the global addresses
nat_id Identifies the global pool and matches it with its respective nat
command
If the nat command is used, the companion command, global, must be configured to define the
pool of translated IP addresses.
Use the no global command to delete a global entry; for example, no global (outside) 1
192.168.1.20 192.168.1.254 netmask 255.255.255.0.
Note The PIX Security Appliance uses the global addresses to assign a virtual IP address to an
internal NAT address. After adding, changing, or removing a global statement, use the clear
xlate command to make the IP addresses available in the translation table.
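The nat_id matching, low-to-high pool allocation, idle timeout, and clear xlate behavior described above, as an added Python model. This is not course material or PIX software; it reproduces the rules the text states so they can be exercised offline. The addresses and pool range are those of the figures (shrunk to three addresses so the pool runs out), and the traffic and timings are constructed.

```python
"""Model of the PIX dynamic NAT translation (xlate) table.

Added example, not Cisco code: it reproduces the behaviour the nat and
global text describes (nat_id matching, low-to-high pool allocation,
idle timeout, clear xlate) so the rules can be exercised offline.
"""
import ipaddress
from dataclasses import dataclass, field

XLATE_TIMEOUT = 3 * 3600  # PIX default xlate idle timeout: 3 hours, in seconds


@dataclass
class NatRule:                   # nat (if_name) nat_id local_ip netmask
    if_name: str
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass
class GlobalPool:                # global (if_name) nat_id first-last
    if_name: str
    nat_id: int
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address


@dataclass
class XlateTable:
    nat_rules: list
    pools: list
    timeout: int = XLATE_TIMEOUT
    entries: dict = field(default_factory=dict)  # local -> [global, last_seen]

    def _pool_for(self, src_if, local):
        """The nat statement matching the packet selects the pool with the same nat_id."""
        for rule in self.nat_rules:
            if rule.if_name == src_if and local in rule.network:
                for pool in self.pools:
                    if pool.nat_id == rule.nat_id:
                        return pool
                raise LookupError(f"nat_id {rule.nat_id} has no matching global pool")
        return None  # no nat statement covers this host: not translated

    def translate(self, src_if, local_ip, now):
        """Return the global address used for an outbound packet from local_ip at time now."""
        local = ipaddress.IPv4Address(local_ip)
        entry = self.entries.get(local)
        if entry is not None:            # existing translation: refresh the idle timer
            entry[1] = now
            return str(entry[0])
        pool = self._pool_for(src_if, local)
        if pool is None:
            return None
        in_use = {g for g, _ in self.entries.values()}
        candidate = pool.first
        while candidate <= pool.last:    # lowest free address in the range wins
            if candidate not in in_use:
                self.entries[local] = [candidate, now]
                return str(candidate)
            candidate += 1
        raise RuntimeError(f"global pool for nat_id {pool.nat_id} is exhausted")

    def expire(self, now):
        """Drop translations idle for the timeout; the global address is freed for reuse."""
        stale = [l for l, (_, seen) in self.entries.items() if now - seen >= self.timeout]
        for l in stale:
            del self.entries[l]
        return len(stale)

    def clear_xlate(self):
        """Equivalent of clear xlate: every translation is removed at once."""
        self.entries.clear()


def walkthrough():
    """nat (inside) 1 0.0.0.0 0.0.0.0 with a deliberately tiny global pool (three addresses)."""
    table = XlateTable(
        nat_rules=[NatRule("inside", 1, ipaddress.IPv4Network("0.0.0.0/0"))],
        pools=[GlobalPool("outside", 1, ipaddress.IPv4Address("192.168.0.20"),
                          ipaddress.IPv4Address("192.168.0.22"))],
    )
    later = 10 + XLATE_TIMEOUT
    result = {}
    result["first"] = table.translate("inside", "10.0.0.11", now=0)     # 192.168.0.20
    result["second"] = table.translate("inside", "10.0.0.4", now=10)    # 192.168.0.21
    result["repeat"] = table.translate("inside", "10.0.0.11", now=100)  # same entry, timer refreshed
    result["expired"] = table.expire(now=later)                         # only 10.0.0.4 is stale
    result["reused"] = table.translate("inside", "10.0.0.5", now=later)  # gets .21 back
    result["third"] = table.translate("inside", "10.0.0.6", now=later)   # .22, pool now full
    try:
        table.translate("inside", "10.0.0.7", now=later)
        result["exhausted"] = False
    except RuntimeError:
        result["exhausted"] = True
    table.clear_xlate()
    result["after_clear"] = len(table.entries)
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The walkthrough is the reason the Note above matters: a host keeps its global address for as long as it stays active, so a changed global statement only takes effect for that host after the old entry ages out or clear xlate removes it. The pool exhaustion case is the one that pages operators; the real appliance logs it rather than raising.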
Configure a Static Route
route Command
[Figure: default route out the outside interface to the Internet router 192.168.0.1; static route out the inside interface to the router 10.0.0.102 for the 10.0.1.0 network (hosts 10.0.1.11 and 10.0.1.4)]
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
Use the route command to enter a static route for an interface. To enter a default route, set
ip_address and netmask to 0.0.0.0, or the shortened form of 0. In the figure, a route command
with the IP address of 0.0.0.0 identifies the command as the default route. The PIX transmits all
destination packets not listed in its routing table out the outside interface to the router at IP
address 192.168.0.1.
Create static routes to access specific networks beyond the locally connected networks. The
effect of a static route is like stating to send a packet to the specified network, give it to this
router. For example, in the figure, the PIX Security Appliance sends all packets destined to the
10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102.
This was accomplished by using the following static route command: route inside 10.0.1.0
255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination
network of 10.0.1.0.
metric: The number of hops to gateway_ip. If you are not sure, enter 1. Your WAN
administrator can supply this information, or you can use a traceroute command to obtain the
number of hops. The default is 1 if a metric is not specified.
All routes entered using the route command are stored in the configuration when it is saved.
You can use the IP address of one of the PIX Security Appliance interfaces as the gateway
address. If this is done, the PIX Security Appliance broadcasts an Address Resolution Protocol
(ARP) request for the MAC address of the destination IP address in the packet instead of
broadcasting a request for the MAC address of the gateway IP address.
Inside-to-Outside Configuration Example
[Figure: ethernet0 (100full, interface name outside, security level 0, IP address 192.168.6.2) on the 192.168.6.0 network, with the Internet router at .1; ethernet1 (100full, interface name inside, security level 100, IP address 10.0.6.1) on the 10.0.6.0 network, with the 10.1.6.0 network beyond it; ethernet2 (100full, interface name dmz, security level 50, IP address 172.16.6.1) on the 172.16.6.0 network]
write terminal
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.6.2 255.255.255.0
ip address inside 10.0.6.1 255.255.255.0
ip address dmz 172.16.6.1 255.255.255.0
The figure shows the initial part of a basic PIX Security Appliance configuration. There are
three basic configuration commands in the example: interface, nameif, and ip address. Using
the interface command, each of the interfaces is set for 100-Mbps full-duplex communications;
ethernet0 and ethernet1 are set for their default name configuration (for example, nameif
ethernet0 outside security0). Using the nameif command, the additional interface, ethernet2,
is configured as follows: nameif ethernet2 dmz security50. The last command is the ip
address command. Each of the three interfaces is assigned an IP address and subnet mask; for
example, ip address outside 192.168.6.2 255.255.255.0.
The rest of the configuration adds four features: the host name, host name-to-IP address
mapping, NAT, and static routes. The hostname command sets the PIX CLI prompt, chicago.
The name command applies a name to any host; for example, name 10.1.6.11 insidehost. The
global and nat commands enable the dynamic NAT feature in the PIX Security Appliance. In
the example, outbound packets from any inside host, 0.0.0.0 0.0.0.0, are translated to one of
the global pool IP addresses, 192.168.6.20 to 192.168.6.254. The last command is the route
command. In the example, a default route to the router at IP address 192.168.6.1 is added. The
hosts on the 10.1.6.0 network cannot by default be reached by the PIX Security Appliance,
because that network is not directly connected. To reach them, a static route to the router at
IP address 10.0.6.102 is defined: any PIX packets bound for the 10.1.6.0 network are forwarded
to the router at IP address 10.0.6.102.
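The relationships among these commands, and the security-level rule from the Adaptive Security Algorithm Security Levels topic earlier, as an added Python consistency check. This is not course material or PIX software. CONFIG is constructed: it combines the commands in the figure above with the hostname, name, global, nat, and route statements reconstructed from the description that follows it (the second figure is not reproduced on this page). The checks encode what the text states: every named interface needs an enabled interface command and an address, inside is 100 and outside is 0, equal security levels pass no traffic, each nat needs a global with the same nat_id on a less secure interface, and a route gateway must lie on the subnet of the interface it points out of.

```python
"""Consistency checks over a basic PIX configuration (added example, not Cisco code)."""
import ipaddress

# Constructed configuration: figure commands plus the statements the text describes.
CONFIG = """\
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.6.2 255.255.255.0
ip address inside 10.0.6.1 255.255.255.0
ip address dmz 172.16.6.1 255.255.255.0
hostname chicago
name 10.1.6.11 insidehost
global (outside) 1 192.168.6.20-192.168.6.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.6.1 1
route inside 10.1.6.0 255.255.255.0 10.0.6.102 1
"""


def traffic_allowed(src_level, dst_level, acl_permits=False):
    """Adaptive Security Algorithm rule for a connection initiated from src toward dst."""
    if src_level == dst_level:
        return False                  # no traffic between equal security levels
    if src_level > dst_level:
        return True                   # more secure to less secure: allowed unless restricted
    return acl_permits                # less secure to more secure: only with an ACL


def parse(config):
    """Pull out the pieces the checks need; unknown commands are ignored."""
    ifaces, enabled_hw = {}, set()
    nats, globals_, routes = [], [], []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "interface" and "shutdown" not in p:
            enabled_hw.add(p[1])
        elif p[0] == "nameif":
            ifaces[p[2]] = {"hw": p[1], "level": int(p[3][len("security"):]), "addr": None}
        elif p[:2] == ["ip", "address"]:
            ifaces[p[2]]["addr"] = ipaddress.IPv4Interface(f"{p[3]}/{p[4]}")
        elif p[0] == "nat":
            nats.append((p[1].strip("()"), int(p[2])))
        elif p[0] == "global":
            globals_.append((p[1].strip("()"), int(p[2])))
        elif p[0] == "route":
            routes.append((p[1], ipaddress.IPv4Address(p[4])))
    return ifaces, enabled_hw, nats, globals_, routes


def lint(config):
    """Return a list of problems; an empty list means the configuration is consistent."""
    ifaces, enabled_hw, nats, globals_, routes = parse(config)
    problems = []
    for name, i in ifaces.items():
        if i["hw"] not in enabled_hw:
            problems.append(f"{name}: {i['hw']} has no interface command or is shut down")
        if i["addr"] is None:
            problems.append(f"{name}: no ip address")
    if ifaces.get("inside", {}).get("level") != 100:
        problems.append("inside must be security100")
    if ifaces.get("outside", {}).get("level") != 0:
        problems.append("outside must be security0")
    by_level = {}
    for name, i in ifaces.items():
        by_level.setdefault(i["level"], []).append(name)
    for level, names in by_level.items():
        if len(names) > 1:
            problems.append(f"{names} share security level {level}: no traffic flows between them")
    for nat_if, nat_id in nats:
        pools = [g_if for g_if, g_id in globals_ if g_id == nat_id]
        if not pools:
            problems.append(f"nat ({nat_if}) {nat_id}: no global with nat_id {nat_id}")
        for g_if in pools:
            if not traffic_allowed(ifaces[nat_if]["level"], ifaces[g_if]["level"]):
                problems.append(f"global ({g_if}) {nat_id}: {g_if} is not less secure than {nat_if}")
    for r_if, gateway in routes:
        addr = ifaces[r_if]["addr"]
        if addr is not None and gateway not in addr.network:
            problems.append(f"route {r_if}: gateway {gateway} is not on {addr.network}")
    return problems


if __name__ == "__main__":
    print("clean config:", lint(CONFIG) or "OK")
    broken = CONFIG.replace("10.0.6.102", "10.1.6.102").replace("nat (inside) 1", "nat (inside) 2")
    print("broken config:", lint(broken))
```

Run against CONFIG the linter returns nothing; the broken variant in the main block shows the two mistakes that are easiest to make when typing this example by hand: a nat whose nat_id has no matching global (nothing gets translated) and an inside route whose gateway is on the far network rather than on 10.0.6.0.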
Examining PIX Security Appliance Status
This topic explains the basic show commands needed to examine the status of the PIX Security
Appliance.
The command syntax and sample output for these commands are illustrated in the figures:
show conn
show nat
show global
show xlate
show conn
Displays all active connections
chicago(config)# show conn
6 in use, 6 most used
TCP out 204.31.17.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 flags UHrIO
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30 flags d
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30 flags d
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30 flags d
In this example, host 10.3.3.4 on the inside has accessed a web site at 204.31.17.41. The global
address on the outside interface is 192.150.50.70. The flags indicate that the six TCP
connections are up (U), for HTTP (H), in use (r), and that data has gone in (I) and out (O). The
last three UDP connections are in dump (clean up) state (d).
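As an added illustration (editor-supplied Python, not part of the Cisco course or of the PIX software), the following parser reads show conn output in the format of the figure and turns each line into a record that can be summarized per inside host and checked for idle or dump-state entries. The sample text is the figure's output with its wrapped lines joined; the flag meanings are the ones the text above gives, and the 60-second idle threshold is an arbitrary assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample transcribed from the show conn figure above (wrapped lines joined).
# The "6 in use, 6 most used" header is kept so the parser must skip it the
# way it would on real output.
SHOW_CONN = """\
6 in use, 6 most used
TCP out 204.31.17.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 flags UHrIO
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30 flags d
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30 flags d
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30 flags d
"""

# Flag letters as the lesson text reads them. Letters not listed are reported
# as unknown rather than silently dropped.
FLAG_MEANING = {"U": "up", "H": "HTTP", "r": "in use", "I": "inbound data",
                "O": "outbound data", "d": "dump (clean up)"}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\d+:\d\d:\d\d)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_seconds: int
    bytes: Optional[int]   # UDP entries carry no byte count in this format
    flags: str


def idle_to_seconds(idle: str) -> int:
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text: str) -> list:
    """Return one Conn per connection line; the header and unrecognized lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                          m["in_ip"], int(m["in_port"]),
                          idle_to_seconds(m["idle"]),
                          int(m["bytes"]) if m["bytes"] else None,
                          m["flags"]))
    return conns


def describe_flags(flags: str) -> list:
    return [FLAG_MEANING.get(f, f"unknown({f})") for f in flags]


def summarize(conns) -> dict:
    """Per inside host: connection counts, outside peers and bytes, which is the
    view an analyst wants when a show conn dump is the only evidence captured."""
    by_host = {}
    for c in conns:
        h = by_host.setdefault(c.in_ip, {"tcp": 0, "udp": 0, "peers": set(), "bytes": 0})
        h[c.proto.lower()] += 1
        h["peers"].add(f"{c.out_ip}:{c.out_port}")
        h["bytes"] += c.bytes or 0
    return by_host


def stale(conns, idle_limit: int = 60) -> list:
    """Entries idle at least idle_limit seconds (assumed threshold) or already in dump state."""
    return [c for c in conns if c.idle_seconds >= idle_limit or "d" in c.flags]


if __name__ == "__main__":
    conns = parse_show_conn(SHOW_CONN)
    for host, info in summarize(conns).items():
        print(host, info["tcp"], "TCP", info["udp"], "UDP", info["bytes"], "bytes", sorted(info["peers"]))
    for c in stale(conns):
        print("stale:", c.proto, c.in_ip, c.in_port, "->", c.out_ip, c.out_port, describe_flags(c.flags))
```

Run against the figure's output it reports one inside host with six TCP and three UDP connections and flags the three UDP entries, which are both past the idle threshold and in dump state.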
show interface Command
The show interface command enables you to view network interface information. This is one
of the first commands that you should use when trying to establish connectivity.
The following are explanations of the information that is displayed after entering the show
interface command:
Ethernet: Indicates that you have used the interface command to configure the interface.
The statement indicates whether the interface is inside or outside, and whether the interface
is available (up) or not available (down).
Line protocol up: A working cable is plugged into the network interface.
Line protocol down: Either the cable plugged into the network interface is incorrect, or it
is not plugged into the interface connector.
Network interface type: This identifies the network interface.
Interrupt vector: The PIX Security Appliance uses interrupts to get Token Ring
information, but polls Ethernet cards. For that reason, it is acceptable for interface cards to
have the same interrupts.
MAC address: Intel cards begin with i and 3Com cards begin with 3c.
Maximum transmission unit (MTU): This is the maximum packet size, in bytes, that a
particular interface can handle.
Packets input: This indicates that packets are being received in the PIX Security
Appliance.
Packets output: This indicates that packets are being sent from the PIX Security
Appliance.
Line duplex status: This indicates whether the PIX Security Appliance is running either
full duplex (simultaneous packet transmission) or half duplex (alternating packet
transmission).
The following are explanations of the show interface command output that can indicate
interface problems:
No buffer: This indicates that the PIX Security Appliance is out of memory or slowed
down because of heavy traffic and cannot keep up with the received data.
Runts: These are packets with less information than expected.
Giants: These are packets with more information than expected.
Cyclic redundancy check (CRC): This indicates packets that contain corrupted data
(checksum error).
Frame errors: This indicates framing errors.
Ignored and aborted errors: This information is provided for future use, but is not
currently checked; the PIX Security Appliance does not ignore or abort frames.
Underruns: This is shown when the PIX Security Appliance is overwhelmed and cannot
get data to the network interface card fast enough.
Overruns: This is shown when the network interface card is overwhelmed and cannot
buffer received information before more needs to be sent.
Unicast rpf drops: This is the number of packets dropped by the Unicast Reverse Path
Forwarding (uRPF) check because their source address was not reachable through the
interface on which they arrived, which is the usual signature of a spoofed source.
Output errors: (Maximum collisions) This indicates the number of frames not transmitted
because the configured maximum number of collisions was exceeded. This counter should
only increment during heavy network traffic.
Collisions: (Single and multiple collisions) This indicates the number of messages
retransmitted because of an Ethernet collision. This usually occurs on an overextended
LAN when the Ethernet or transceiver cable is too long, there are more than two repeaters
between stations, or there are too many cascaded multiport transceivers. A packet that
collides is counted only once by the output packets.
Interface resets: This indicates the number of times that an interface has been reset. If an
interface is unable to transmit for 3 seconds, the PIX Security Appliance resets the interface
to restart transmission. During this interval, the connection state is maintained. An interface
reset can also happen when an interface is looped back or shut down.
Babbles: This indicates that the transmitter has been on the interface longer than the time
taken to transmit the largest frame. This counter is unused.
Late collisions: This indicates the number of frames that were not transmitted because a
collision occurred outside the normal collision window. A late collision is a collision that is
detected late in the transmission of the packet. Normally, these should never happen. When
two Ethernet hosts try to talk at once, they should collide early in the packet and both back
off, or the second host should see that the first one is talking and wait.
If you get a late collision, a device is jumping in and trying to send packets on the Ethernet
while the PIX Security Appliance is partly finished sending the packet. The PIX Security
Appliance does not resend the packet, because it may have freed the buffers that held the
first part of the packet. This is not a real problem because networking protocols are
designed to cope with collisions by resending packets. However, late collisions indicate that
a problem exists in your network. Common problems are large repeated networks and
Ethernet networks running beyond the specification.
Deferred: This indicates the number of frames that were deferred before transmission
because of activity on the link.
Lost carrier: This indicates the number of times that the carrier signal was lost during
transmission.
No carrier: This counter is unused.
Input queue: This is the input (receive) hardware and software queue.
Hardware: (Current and maximum blocks) This is the number of blocks currently
present on the input hardware queue, and the maximum number of blocks previously
present on that queue.
Software: (Current and maximum blocks) This is the number of blocks currently
present on the input software queue, and the maximum number of blocks previously
present on that queue.
Output queue: This is the output (transmit) hardware and software queue.
Hardware: (Current and maximum blocks) This is the number of blocks currently
present on the output hardware queue, and the maximum number of blocks
previously present on that queue.
Software: (Current and maximum blocks) This is the number of blocks currently
present on the output software queue, and the maximum number of blocks
previously present on that queue.
Note The following counters are only valid for Ethernet interfaces: output errors, collisions,
interface resets, babbles, late collisions, deferred, lost carrier, and no carrier.
Note Starting with PIX Security Appliance software version 6.0(1), FDDI, PIX Security Appliance
Private Link 2 (PL2), and Token Ring interfaces are not supported.
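Added example (editor-supplied Python, not Cisco code): a small parser for the PIX 6.x show interface layout that pulls out the counters named above and applies the lesson's reading of them. The interface output is constructed for the example rather than captured from a device; the grouping of counters into physical versus capacity problems follows the explanations above, and the duplex-mismatch rule is the standard interpretation of late collisions on a half-duplex link.

```python
import re

# Constructed sample in the PIX 6.x show interface layout (not captured from a
# device): a half-duplex link with runts, CRC, frame and late-collision counts.
SHOW_INTERFACE = """\
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.4dc2
  IP address 10.0.6.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        Received 26 broadcasts, 27 runts, 0 giants
        41 input errors, 14 CRC, 27 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 12 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/2)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
"""

# Counter names exactly as printed, grouped the way the explanations above group them.
PHYSICAL = ("runts", "giants", "CRC", "frame", "late collisions", "lost carrier")
CAPACITY = ("no buffer", "underruns", "overrun")
UNUSED = ("ignored", "abort", "babbles", "no carrier")  # the text says these never increment

HEADER_RE = re.compile(r'^interface (\S+) "([^"]+)" is (\w+), line protocol is (\w+)')
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")


def parse_show_interface(text: str) -> dict:
    """Header fields, duplex setting and every 'N name' counter of one interface block."""
    info = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info.update(name=m.group(1), nameif=m.group(2),
                        admin=m.group(3), protocol=m.group(4))
        elif line.startswith("MTU"):
            info["duplex"] = "full" if "full duplex" in line else "half"
        elif line.startswith(("Hardware", "IP address")) or "queue" in line:
            continue
        else:
            for value, name in COUNTER_RE.findall(line):
                info["counters"][name.strip()] = int(value)
    return info


def triage(info: dict) -> list:
    """Turn the counters into the findings the text above associates with them."""
    c = info["counters"]
    findings = []
    if info.get("protocol") != "up":
        findings.append("line protocol down: check the cable and connector first")
    physical = {k: c[k] for k in PHYSICAL if c.get(k)}
    capacity = {k: c[k] for k in CAPACITY if c.get(k)}
    if physical:
        findings.append(f"physical/cabling errors: {physical}")
    if c.get("late collisions") and info.get("duplex") == "half":
        findings.append("late collisions on a half-duplex link: suspect a duplex "
                        "mismatch or a segment run beyond Ethernet specification")
    if capacity:
        findings.append(f"capacity errors (appliance or NIC cannot keep up): {capacity}")
    if any(c.get(k) for k in UNUSED):
        findings.append("a counter the text calls unused is non-zero: check the release notes")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SHOW_INTERFACE)
    print(parsed["name"], parsed["nameif"], parsed["duplex"], "duplex")
    for f in triage(parsed):
        print("-", f)
```

On the constructed block the parser reports two findings: the physical-layer counters and the late collisions on a half-duplex port. Capacity counters are all zero, so nothing points at the appliance itself.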
show nat Command
[Figure: show nat. Inside hosts 10.0.0.X (10.0.0.4 and 10.0.0.11) are translated to outside addresses X.X.X.X on their way to the Internet.]
pixfirewall# show nat
Use the show nat command to display a single host or range of hosts to be translated. In the
figure, all hosts on the 10.0.0.0/24 network are translated when traversing the PIX Security
Appliance. The NAT ID is 1.
show global Command
[Figure: show global. Inside hosts 10.0.0.X (10.0.0.4 and 10.0.0.11) draw addresses from the global pool 192.168.0.20-192.168.0.254 on their way to the Internet.]
pixfirewall# show global
Displays the pool of global addresses
The show global command displays the global pool (or pools) of addresses configured in the
PIX Security Appliance. In the figure, there is currently one pool configured. The pool is
configured on the outside interface. The pool has an IP address range of 192.168.0.20 to
192.168.0.254. The NAT ID is 1.
show xlate Command
[Figure: show xlate. Xlate table: global address 192.168.0.20 (outside, from the global pool) to local address 10.0.0.11 (inside); inside hosts 10.0.0.11 and 10.0.0.4 are shown.]
pixfirewall# show xlate
Displays the contents of the translation slots
The show xlate command displays the contents of the translation slot. In the figure, the number
of currently used translations is 1 with a maximum count of 1. The current translation is a local
IP address of 10.0.0.11 to a global IP address of 192.168.0.20.
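The following added example (editor-supplied Python, not part of the course or of the PIX software) models what the nat and global commands from the basic configuration earlier in this lesson do and what show xlate then reports: a nat rule selects the local hosts, the global pool with the same NAT ID on the exit interface supplies outside addresses in order, an existing slot is reused for later connections from the same host, and a new host gets no translation once the pool is exhausted. The rule and pool are the ones in the show nat, show global and show xlate figures (10.0.0.0/24, NAT ID 1, 192.168.0.20 to 192.168.0.254); the class and method names, and the longest-match choice between overlapping nat rules, are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:            # nat (if_name) nat_id local_ip mask
    nat_id: int
    interface: str
    network: ipaddress.IPv4Network


@dataclass
class GlobalPool:         # global (if_name) nat_id first-last
    nat_id: int
    interface: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address


@dataclass
class Xlate:              # one translation slot, as show xlate lists them
    local: str
    global_addr: str
    interface: str


class DynamicNat:
    """Model of dynamic NAT: nat rules pick local hosts, the global pool with the
    same NAT ID on the exit interface supplies addresses, one slot per local host."""

    def __init__(self, nats, pools):
        self.nats = list(nats)
        self.pools = list(pools)
        self.xlates = {}          # local address -> Xlate
        self._in_use = {}         # (nat_id, interface) -> set of allocated globals

    def _match_nat(self, local: ipaddress.IPv4Address, in_if: str):
        # the most specific matching rule on the source interface wins (assumption of this model)
        hits = [n for n in self.nats if n.interface == in_if and local in n.network]
        return max(hits, key=lambda n: n.network.prefixlen, default=None)

    def translate(self, local: str, in_if: str, out_if: str) -> str:
        if local in self.xlates:
            return self.xlates[local].global_addr          # existing slot is reused
        rule = self._match_nat(ipaddress.IPv4Address(local), in_if)
        if rule is None:
            raise LookupError(f"no nat rule matches {local} on {in_if}")
        pool = next((p for p in self.pools
                     if p.nat_id == rule.nat_id and p.interface == out_if), None)
        if pool is None:
            raise LookupError(f"nat id {rule.nat_id} has no global pool on {out_if}")
        used = self._in_use.setdefault((pool.nat_id, pool.interface), set())
        candidate = pool.first
        while candidate in used:
            candidate += 1
        if candidate > pool.last:
            # no free address left; new hosts cannot cross until a slot times out
            raise RuntimeError(f"global pool {pool.first}-{pool.last} on {out_if} exhausted")
        used.add(candidate)
        self.xlates[local] = Xlate(local, str(candidate), out_if)
        return str(candidate)

    def show_xlate(self) -> str:
        lines = [f"{len(self.xlates)} in use"]
        lines += [f"Global {x.global_addr} Local {x.local}" for x in self.xlates.values()]
        return "\n".join(lines)


def figure_setup() -> DynamicNat:
    """The rule and pool shown in the show nat and show global figures."""
    return DynamicNat(
        [NatRule(1, "inside", ipaddress.IPv4Network("10.0.0.0/24"))],
        [GlobalPool(1, "outside", ipaddress.IPv4Address("192.168.0.20"),
                    ipaddress.IPv4Address("192.168.0.254"))])


if __name__ == "__main__":
    fw = figure_setup()
    print(fw.translate("10.0.0.11", "inside", "outside"))
    print(fw.translate("10.0.0.4", "inside", "outside"))
    print(fw.show_xlate())
```

The first inside host to send traffic receives the first pool address, which is why the figure pairs 10.0.0.11 with 192.168.0.20. A real appliance only falls back to PAT when a PAT address is configured under the same NAT ID; without one, pool exhaustion means new hosts simply cannot get through, which is worth remembering when a small pool serves a large inside network.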
Summary
This topic summarizes the key points discussed in this lesson.
Lesson Self-Check
Q1) Which PIX Security Appliance access mode is available when the # prompt is
displayed? (Source: PIX Security Appliance Access Modes)
A) unprivileged mode
B) restricted mode
C) configuration mode
D) shutdown mode
E) privileged mode
F) monitor mode
Q2) Which PIX Security Appliance access mode is available when the > prompt is
displayed? (Source: PIX Security Appliance Access Modes)
A) unprivileged mode
B) restricted mode
C) configuration mode
D) shutdown mode
E) privileged mode
F) monitor mode
Q3) Which of the following commands is used to move from the privileged mode to the
configuration mode? (Source: PIX Security Appliance Access Modes)
A) enable configuration
B) configure terminal
C) enable
D) wr mem
Q4) What is the default console idle timeout value for the PIX Security Appliance? (Source:
Configuring the Firewall)
A) zero
B) 10 seconds
C) 20 seconds
D) 30 seconds
Q5) Which of the following security levels is the default setting for the outside interface of
the PIX Security Appliance? (Source: Adaptive Security Algorithm Security Levels)
A) level 100
B) level 0
C) levels 1 to 99
Q6) What is the default security level of the inside interface for a PIX Security Appliance?
(Source: Adaptive Security Algorithm Security Levels)
A) 50
B) 0
C) 100
D) 110
Q7) Which of the following primary configuration commands for the PIX Security
Appliance creates a pool of one or more IP addresses for use in NAT and PAT?
(Source: Basic PIX Security Appliance Operational Commands)
A) nameif
B) interface
C) ip address
D) nat
E) global
F) route
Q8) Which of the following primary configuration commands for the PIX Security
Appliance can specify translation for a single host or a range of hosts and shields IP
addresses on the inside network from the outside network? (Source: Basic PIX Security
Appliance Operational Commands)
A) nameif
B) interface
C) ip address
D) nat
E) global
F) route
Q9) Which of the following output from a show interface command indicates that a packet
has been received with less information than expected? (Source: Examining PIX
Security Appliance Status)
A) no buffer
B) runts
C) giants
D) cyclic redundancy check
E) underruns
F) overruns
Q10) Which of the following output from a show interface command indicates that the PIX
Security Appliance is overwhelmed and cannot get data to the network interface card
fast enough? (Source: Examining PIX Security Appliance Status)
A) no buffer
B) runts
C) giants
D) cyclic redundancy check
E) underruns
F) overruns
Lesson Self-Check Answer Key
Q1) E
Q2) A
Q3) B
Q4) A
Q5) B
Q6) C
Q7) E
Q8) D
Q9) B
Q10) E
Lesson 3
Overview
Even administrators familiar with Cisco IOS software find that configuring the PIX Security
Appliance from the console is a daunting task. Security may suffer if the PIX Security
Appliance is not configured properly because of a lack of command-line interface (CLI) skills.
Cisco provides the PIX Device Manager (PDM) so that complex configuration, management,
and monitoring tasks can be performed securely from a browser. This lesson shows you how to
use the PDM so that you can complete the tasks in the following lab exercise.
Objectives
Upon completing this lesson, you will be able to configure basic firewall settings using the
PDM. This ability includes being able to meet these objectives:
Describe the features and limitations of the PDM
Describe the PIX Security Appliance, browser and platform requirements for the PDM
Explain how to set up the PIX Security Appliance to use the PDM
Describe the layout, options and purpose of the Startup Wizard and the PDM Home
window
PDM Overview
This topic describes the features and limitations of the PDM.
What Is PDM?
[Figure: the administrator's browser reaches the PIX Security Appliance across the Internet through an SSL secure tunnel.]
The PDM is a browser-based configuration tool designed to help you set up, configure, and
monitor your Cisco PIX Security Appliance graphically, without requiring an extensive
knowledge of the PIX Security Appliance CLI.
The PDM monitors and configures a single PIX Security Appliance. You can use the PDM to
create a new configuration and to monitor and maintain current PIX Security Appliances. You
can point your browser to more than one PIX Security Appliance and administer several PIX
Security Appliances from a single workstation.
Note The PDM can also be used to configure and monitor the Firewall Services Module (FWSM)
on a Cisco Catalyst 6500 Switch.
PDM Features
The PDM has the following features:
Works with PIX Security Appliance Software Release 6.0 and
higher
Operates on the PIX 500 Series of security appliances
Implemented in Java to provide robust, real-time monitoring.
Runs on a variety of platforms
Does not require a plug-in software installation
Comes preloaded into Flash memory on new PIX Security
Appliances running versions 6.0 and higher
Works with SSL to ensure secure communication with the PIX
Security Appliance
The PDM is secure, versatile, easy to use, works with PIX 500 Series Security Appliances, and
runs on a variety of platforms.
The PDM enables you to securely configure and monitor your PIX Security Appliance
remotely. Its use of the Secure Sockets Layer (SSL) protocol ensures that communication with
the PIX Security Appliance is encrypted, and because it is implemented in Java, it is able to
provide robust, real-time monitoring.
The PDM works with PIX Security Appliance Software Version 6.0 and higher and comes
preloaded into Flash memory on new PIX Security Appliances running Software Version 6.x
and higher. If you are upgrading from a previous version of the PIX Security Appliance, you
can download PDM from Cisco and then copy it to the PIX Security Appliance via TFTP.
The PDM runs on Microsoft Windows, Sun Solaris, and Linux platforms and requires no plug-
ins or complex software installations. The PDM applet is downloaded to your workstation when
you access the PIX Security Appliance from your browser.
A PIX Security Appliance must meet the following requirements to run PDM:
Note New PIX Security Appliances that contain version 6.0 also have a preinstalled Data
Encryption Standard (DES) activation key. If you are using a new PIX Security Appliance,
you have all the requirements discussed in this topic and you can continue to the next topic.
You must have an activation key that enables DES or the more secure Triple-Data
Encryption Standard (3DES), which PDM requires for support of the SSL protocol. Request
the 3DES key where you have the choice: 56-bit DES has been brute-forced in practice and
should not be relied on to protect management traffic. If your PIX Security Appliance is not
enabled for DES, you can have a new activation key sent to you by completing the form at
the following web site: http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml.
Verify that your PIX Security Appliance meets all requirements listed in the release notes
for the PIX Security Appliance software version you are using.
Verify that your PIX Security Appliance hardware model, PIX Security Appliance software
version, and PDM version are compatible. Refer to the PDM Version table to ensure
compatibility. You can download PIX Security Appliance software and the PDM software
from the following web site: http://www.cisco.com/cgi-bin/tablebuild.pl/pix.
PDM Version
PDM Version   PIX Security Appliance Software Version   PIX Security Appliance Model Number
2.1           6.2                                       501, 506, 506E, 515, 515E, 520, 525, 535
3.0           6.3                                       501, 506, 506E, 515, 515E, 520, 525, 535
You must have at least 8 MB of Flash memory on the PIX 501 Security Appliance and the
PIX 506 Security Appliance or PIX 506E Security Appliance.
You must have at least 16 MB of Flash memory on the PIX 515 Security Appliance or PIX
515E Security Appliance, the PIX 520 Security Appliance, the PIX 525 Security
Appliance, and the PIX 535 Security Appliance.
Ensure that your configuration is less than 100 KB (approximately 1,500 lines).
Configurations over 100 KB cause PDM performance degradation.
To access the PDM from a browser, you must meet the following requirements:
JavaScript and Java must be enabled. If these are not enabled, the PDM helps you enable
them. If you are using Microsoft Internet Explorer, your Java Development Kit (JDK)
version should be 1.1.4 or higher. To check which version you have, launch PDM. In the
main PDM menu, click Help > About Cisco PIX Device Manager. When the About PDM
information window opens, it displays your browser specifications in a table, including
your JDK version. If you have an older JDK version, you can use the latest Java Virtual
Machine (JVM) to enable Java to run on your computer. Download the product named
Virtual Machine from Microsoft to obtain this capability.
Browser support for SSL must be enabled. The supported versions of Internet Explorer and
Netscape Navigator support SSL without requiring additional configuration.
Supported Platforms
Microsoft Windows
Sun Solaris
Linux
The PDM can operate in browsers running on Microsoft Windows, SUN Solaris, or Linux
operating systems.
Note The use of virus checking software may dramatically increase the time required to start
PDM. This is especially true for Netscape Communicator on any Microsoft Windows platform
or Windows 2000 running any browser.
Linux Requirements
The following requirements apply to the use of PDM with Linux:
Red Hat Linux 7.0, 7.1, 7.2, 7.3, or 8.0 running the GNOME or KDE 2.0 desktop
environment
Netscape Communicator 4.7x on Red Hat 7.x, or Mozilla 1.0.1 on Red Hat 8.0
At least 128 MB of RAM
A 1024 x 768 pixel display with at least 256 colors
General Guidelines
The following are a few general guidelines for workstations running PDM:
You can run several PDM sessions on a single workstation. The maximum number of PDM
sessions you can run varies depending on your workstation resources such as memory,
CPU speed, and browser type.
The time required to download the PDM applet can be greatly affected by the speed of the
link between your workstation and the PIX Security Appliance. A minimum 56-kbps link
speed is required; however, 384 kbps or higher is recommended. After the PDM applet is
loaded on your workstation, the link speed impact on PDM operation is negligible.
Note If your workstation resources are running low, you should close and reopen your browser
before launching PDM.
Prepare for the PDM
This topic explains how to set up the PIX Security Appliance to use the PDM.
The PIX Security Appliance must be configured with the following information before you can
install or use the PDM. Either you can preconfigure a new PIX Security Appliance through the
interactive prompts, which appear after the PIX Security Appliance boots, or you can enter the
commands covered in the previous lesson.
If you are installing the PDM on a PIX Security Appliance with an existing configuration, you
may need to restructure your configuration from the PIX Security Appliance CLI before
installing PDM in order to obtain full PDM capability. There are certain commands that PDM
does not support in a configuration. If these commands are present in your configuration, you
will only have access to the Monitoring tab. This is because PDM handles each PIX Security
Appliance command in one of the following ways, each of which is explained in detail in the
document PDM Support for PIX Security Appliance CLI Commands on Cisco.com:
Parse and allow changes (supported commands)
Parse and only permit access to the Monitoring tab (unsupported commands)
Parse without allowing changes (commands PDM does not understand but handles without
preventing further configuration)
Only display in the unparsable command list (commands PDM does not understand but
handles without preventing further configuration)
An unconfigured PIX Security Appliance starts in an interactive setup dialog to enable you to
perform the initial configuration required to use the PDM. You can also access the setup dialog
by entering the setup command at the configuration mode prompt.
The dialog asks for several responses, including the inside IP address, network mask, host
name, domain name and PDM host. The host name and domain name are used to generate the
default certificate for the SSL connection.
The example in the figure shows how to respond to the setup command prompts. Pressing the
Enter key instead of entering a value at the prompt accepts the default value within the
brackets. You must fill in any fields that show no default values, and change default values as
necessary. After the configuration is written to Flash memory, your PIX Security Appliance is
ready to start the PDM.
Note The clock must be set for the PDM to generate a valid certificate. Set the PIX Security
Appliance clock to Coordinated Universal Time (UTC), historically called Greenwich Mean
Time (GMT).
The following list explains each prompt in the setup dialog (prompts are in bold):
Enable password: This prompt enables you to specify an enable password for this PIX
Security Appliance.
UTC: Accurate system time is essential for monitoring, problem diagnosis, and forensics.
This prompt enables you to set the PIX Security Appliance clock to Coordinated Universal
Time (UTC), historically called Greenwich Mean Time (GMT).
Year [system year]: This prompt enables you to specify the current year, or return
to the default year stored in the host computer.
Month [system month]: This prompt enables you to specify the current month, or
return to the default month stored in the host computer.
Day [system day]: This prompt enables you to specify the current day, or return to
the default day stored in the host computer.
Time [system time]: This prompt enables you to specify the current time in
hh:mm:ss format, or return to the default time stored in the host computer.
Inside IP address: The Inside IP address will be the interface that resides on the
protected network. Generally, this is a private address that is translated when traversing the
PIX to the outside network.
Inside network mask: A network mask that applies to the inside IP address (for
example, 255.255.255.0).
Host name: The hostname you want to display in the PIX Security Appliance
command line prompt.
Domain name: The DNS domain name of the network on which the PIX Security
Appliance runs (for example, cisco.com).
IP address of host running PIX Device Manager: This is the IP address on which PDM
connects to the PIX Security Appliance. The address entered here will be the only host that
can access the PDM until additional addresses are specified. Under most circumstances, it
is recommended that only addresses on the internal network be allowed access to the PDM.
The PIX, however, will allow hosts or networks from any interface to access the PDM if it
is configured to do so.
Use this configuration and write to Flash: At this point, the PIX CLI will give a
summary of the information that has been entered and give the option to use the
summarized configuration and save it to flash memory. This prompt is the same as the
write memory command. If the answer is yes, the inside interface is enabled and the
requested configuration is written to Flash memory. If the user answers anything else, the
setup dialog repeats using the values already entered as the defaults for the questions.
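Added example (editor-supplied Python, not Cisco code): the setup dialog's "PDM host" answer ends up in the configuration as http commands (http server enable, followed by one http address mask interface line per permitted host), and the audit below checks a saved configuration for the items this dialog establishes: a host name and domain name for the certificate, an enable password, and PDM access limited to specific hosts on the inside interface. The configuration fragment is constructed for the example, including a placeholder password hash and a deliberately bad http 0.0.0.0 0.0.0.0 outside entry; the prefix-length thresholds are the example's own policy.

```python
import ipaddress
import re

# Constructed PIX 6.x configuration fragment (not from a real device). The
# hostname, domain-name and http lines are the ones the setup dialog produces;
# the password hash is a placeholder and the last http line is deliberately bad.
CONFIG = """\
hostname chicago
domain-name example.com
enable password XXXXXXXXXXXXXXXX encrypted
http server enable
http 10.0.6.11 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
"""

HTTP_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def pdm_access_commands(admin_hosts, mgmt_if: str = "inside") -> list:
    """The http commands that restrict PDM to the given administrator hosts only."""
    cmds = ["http server enable"]
    cmds += [f"http {ipaddress.IPv4Address(h)} 255.255.255.255 {mgmt_if}" for h in admin_hosts]
    return cmds


def audit_pdm_access(config: str, mgmt_if: str = "inside") -> list:
    """Findings about PDM exposure and the setup items PDM depends on."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if not any(l.startswith("hostname ") for l in lines) or \
       not any(l.startswith("domain-name ") for l in lines):
        findings.append("hostname/domain-name missing: PDM cannot generate its SSL certificate")
    if not any(l.startswith("enable password ") for l in lines):
        findings.append("no enable password: anyone at the > prompt can enter privileged mode")
    enabled = "http server enable" in lines
    hosts = []
    for l in lines:
        m = HTTP_RE.match(l)
        if m:
            net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
            hosts.append((net, m.group(3)))
    if enabled and not hosts:
        findings.append("http server enabled but no http host entries: PDM unreachable")
    if hosts and not enabled:
        findings.append("http hosts defined but http server not enabled")
    for net, ifname in hosts:
        if ifname != mgmt_if:
            findings.append(f"http {net} {ifname}: PDM reachable from a non-management interface")
        if net.prefixlen == 0:
            findings.append(f"http {net} {ifname}: any source allowed; list administrator hosts instead")
        elif net.prefixlen < 24:
            findings.append(f"http {net} {ifname}: broad source range; tighten toward single hosts")
    return findings


if __name__ == "__main__":
    for f in audit_pdm_access(CONFIG):
        print("-", f)
    print("\n".join(pdm_access_commands(["10.0.6.11"])))
```

On the constructed fragment the audit accepts the inside entry and reports the outside entry twice: once for the interface and once for the any-source mask. Because the PIX will honour http entries on any interface, running a check like this after every change is the practical way to keep the "inside hosts only" recommendation above from eroding.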
Startup Wizard
The PDM Startup Wizard is an easy way to begin the process of configuring your PIX Security
Appliance. The wizard steps you through such tasks as the following:
Enabling the PIX Security Appliance interfaces
Assigning IP addresses to the interfaces
Configuring a host name and password
Configuring Point-to-Point Protocol over Ethernet (PPPoE)
Configuring Auto Update
Configuring Network Address Translation (NAT) and Port Address Translation (PAT)
Configuring the DHCP server
You can run the Startup Wizard at any time by choosing Tools > Startup Wizard.
PDM Home Window
[Figure: the PDM Home window, with the main toolbar and panels for Device Information, Interface Status, VPN Status, Traffic Status, and System Resources Status.]
The PDM Home window enables the administrator to view important PIX Security Appliance
information such as the status of the interfaces, the version running, licensing information, and
performance. Many of the details available on the PDM Home window are available elsewhere
in the PDM, but the Home window provides a useful and quick way to see how the PIX
Security Appliance is running. All information on the Home window is updated every ten
seconds, except for the Device Information. The administrator can access the Home window
any time by clicking the Home button on the main toolbar.
PDM consists of five major configuration areas:
Access Rules
Translation Rules
VPN
Hosts/Networks
System Properties
The following five PDM tabs enable you to configure various aspects of the product:
Access Rules: Shows your entire network security policy
Translation Rules: Enables you to view all the address translation rules applied to your
network
VPN: Enables you to create VPNs using IPSec
Hosts/Networks: Enables you to view, edit, add to, or delete from the list of hosts and
networks defined for the selected interface
System Properties: Enables you to configure many aspects of the PIX Security Appliance
Access Rules Tab
From the Access Rules tab, you can view, edit, add, and delete ACLs and bind
them to interfaces. You can also create service groups and view, enable, or
disable Java and ActiveX filtering.
The Access Rules tab shows your entire network security policy expressed in rules. This tab
includes a panel for Access Rules, as well as for authentication, authorization and accounting
(AAA) Rules and Filter Rules. When you click the Access Rules option button, this tab lets you
define access control lists (ACLs). You can control the access of a specific host or network to
another host or network, including the protocol or port that can be used, if this feature is
supported by the PIX Security Appliance.
This tab also enables you to define AAA rules, and filter rules for ActiveX and Java. The
configuration edits you perform on the Access Rules tab are captured by the PDM but are not
sent to the PIX Security Appliance until you click Apply. This applies to all configuration
performed with the PDM, including those performed in the Translation Rules tab, the
Hosts/Networks tab, and the System Properties tab. Always click Apply to send your
configuration edits to the PIX Security Appliance. Also, remember, it is very important to save
your configuration to Flash memory by choosing File > Write Configuration to Flash from the
main menu or clicking the Save icon in the toolbar.
Note You can also use the Access Rules tab to create object groups and apply them to ACLs.
From the Translation Rules tab, you can view, edit, create, and delete static and
dynamic address translation rules.
The Translation Rules tab lets you view all the address translation rules or NAT exemption
rules applied to your network. Before you can designate access and translation rules for your
network, you must first define each host or server for which a rule will apply by clicking the
Hosts/Networks tab.
When you are working in either the Access Rules tab window or the Translation Rules tab
window, you can access the task menus used for modifying rules three ways:
The PDM toolbar
The Rules menu
Right-clicking anywhere in the rules table
Note The order in which you apply translation rules can affect the way the rules operate. The PDM
lists the static translations first and then the dynamic translations. When processing NAT, the
PIX Security Appliance first translates the static translations in the order they are configured.
You can use the Insert Before or Insert After command from the Rules menu to determine
the order in which static translations are processed. Because dynamically translated rules
are processed on a best-match basis, the option to insert a rule before or after a dynamic
translation is disabled.
The Manage Global Address Pools window enables you to create global address pools to be
used by NAT. From this window, you can also view or delete existing global pools. You can
access the Manage Global Address Pools window from the Manage Pools button on the
Translation Rules tab.
Remember that on the PIX Security Appliance a translation is required even if you have
routable IP addresses on your secure networks. This is a distinctive feature of the PIX Security
Appliance. You satisfy it by translating each address to itself on the outside, so that the global
address and the local address are the same.
VPN Tab
From the VPN tab, you can create site-to-site or remote access VPNs.
From the Hosts/Networks tab, you can view, edit, add, or delete hosts, networks,
and network groups.
The PDM requires that you define any host or network that you intend to use in ACLs and
translation rules. These hosts or networks are organized below the interface from which they
are reachable. When defining either type of rule, you can reference a host or network by
clicking the Browse button in the appropriate add or edit rule window. Additionally, you can
reference the host or network by name if a name is defined for that host or network. It is
recommended that you name all hosts and networks.
In addition to defining the basic information for these hosts or networks, you can define route
settings and translation rules (NAT) for any host or network. You can also configure route
settings in the Static Route panel on the System Properties tab and translation rules on the
Translation Rules tab. These different configuration options accomplish the same results. The
Hosts/Networks tab provides another view to modify these settings on a per host and per
network basis.
The information provided in this window enables the basic identification information for that
host or network. This includes values for the IP address, netmask, interface, and name of the
host or network. The PDM uses the name and IP address and netmask pair to resolve references
to this host or network in the source and destination conditions of access rules and in translation
rules. The PDM uses the interface value to apply access and translation rules that reference this
host or network to the correct interface. The interface delivers network packets to the host or
network; therefore, it enforces the rules that reference that host or network.
System Properties Tab
From the System Properties tab, you can configure such features as the following:
Interfaces
Failover
Routing
User accounts for command authorization
DHCP server
Privilege level for command authorization
Logging
AAA
URL filtering
Remote management
Intrusion detection
Turbo ACLs
Multicast
The System Properties tab enables you to configure many aspects of the PIX Security
Appliance, including the following:
Interfaces: In addition to their names, the Interfaces panel displays and enables you to edit
additional configuration information required for each interface. You can configure a PIX
Security Appliance interface with a static IP address, VLAN ID, or you can configure it to
use DHCP or PPPoE.
Note Your configuration edits are captured by the PDM but not sent to the PIX Security Appliance
until the Apply to PIX button is clicked.
Failover: This section enables you to enable, disable, and configure serial and LAN-based
failover and stateful failover.
Routing: The routing panel is divided into the following four sections dealing with
different routing configurations:
Routing Information Protocol (RIP)
Static routes
Proxy Address Resolution Protocols (ARPs)
Open Shortest Path First (OSPF)
DHCP Services: The DHCP Services panel enables you to configure the PIX Security
Appliance as a DHCP server or configure the PIX Security Appliance as a DHCP relay
agent. You cannot configure both simultaneously on the same PIX Security Appliance.
PIX Administration Users: This panel enables you to create local user accounts.
PIX Administration: This panel contains the following sections:
Device
Password
Remote shell protocol (RSH)
Real-Time Streaming Protocol (RTSP)
Session Initiation Protocol (SIP) over TCP
SIP over UDP
Skinny
SMTP
SQL*Net
Anti-Spoofing
Fragment
TCP Options
Timeouts
Turbo Access Rules
Multicast: This panel has three sections:
Stub Multicast Routing
IGMP
MRoute
History Metrics: This panel enables the PIX Security Appliance to keep a history of many
statistics, which can be displayed by the PDM through the Monitoring tab.
Note If PDM History Metrics is not enabled, the only view available in the Monitoring tab is the
"Real-time" view. PDM History Metrics is enabled by default.
The Monitoring button enables you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the PIX Security Appliance.
Many different items can be monitored using the PDM, including but not limited to the
following:
PDM log
Secure Shell (SSH) sessions
Telnet console settings
PDM users
VPN statistics
System performance graphs
Connection graphs
Interface graphs
Interface Graphs Panel
The Interface Graphs panel enables you to monitor per-interface statistics, such as packet
counts and bit rates, for each enabled interface on the PIX Security Appliance.
The list of graphs available is the same for every interface. Each graph can be viewed as a line
graph and in table form. Each graph can also be viewed with different time horizons.
Note If an interface is not enabled using the Interfaces panel under the System Properties panel,
no graphs will be available for that interface.
The following tasks can be performed from the Tools and Options drop-down menus:
If you want to preview any commands generated by any panel before they are sent to the
PIX Security Appliance, choose Options > Preferences > Preview Commands Before
Sending to PIX.
If you want to enter CLI commands to be sent to the PIX Security Appliance, choose Tools
> Command Line Interface to enter CLI commands.
If you want to access the ping tool from the Tools menu, choose Tools > Ping.
Summary
This topic summarizes the key points discussed in this lesson.
Q1) Which of the following operating systems requires 356 MB of RAM in order to
operate? (Source: PDM Operating Requirements)
A) Microsoft Windows
B) SUN Solaris
C) Linux
Q2) Which six of the following tasks does the PDM Startup Wizard help you with? (Choose
six.) (Source: Configure the PIX Security Appliance Using the PDM)
A) writing the configuration to Flash memory
B) enabling the PIX Security Appliance interfaces
C) assigning IP addresses to the interfaces
D) assigning the DNS domain name of the network on which the PIX Security
Appliance runs
E) configuring a hostname and password
F) configuring PPPoE
G) setting the PIX Security Appliance clock to UCT
H) configuring NAT and PAT
I) configuring the DHCP server
Q3) Which of the following sections of the PDM Home window displays CPU and memory
usage? (Source: Configure the PIX Security Appliance Using the PDM)
A) Main toolbar
B) Device Information
C) VPN Status
D) System Resources Status
E) Interface Status Interface
F) Traffic Status
Q4) Which of the following five tabs on the PDM enables you to configure many aspects of
the PIX Security Appliance? (Source: Configure the PIX Security Appliance Using the
PDM)
A) Access Rules
B) Translation Rules
C) VPN
D) Hosts/Networks
E) System Properties
Q5) Which of the following five tabs on the PDM enables you to define AAA and filter
rules? (Source: Configure the PIX Security Appliance Using the PDM)
A) Access Rules
B) Translation Rules
C) VPN
D) Hosts/Networks
E) System Properties
Q6) PDM History Metrics is enabled by default. (Source: Configure the PIX Security
Appliance Using the PDM)
A) True
B) False
Q7) When are no interface graphs available on the Interface Graphs panel? (Source:
Configure the PIX Security Appliance Using the PDM)
Q2) B, C, E, F, H, G
Q3) D
Q4) E
Q5) A
Q6) A
Q7) If an interface is not enabled using the Interfaces panel under the System Properties panel, no graphs will
be available for that interface.
Module Summary
This topic summarizes the key points discussed in this module.
Overview
In technology environments, Internet worms and viruses can spread across the world in a matter
of minutes. Without the luxury of time to react, the network must possess the ability to
instantaneously recognize and mitigate these threats. A networking architecture paradigm shift
is required to defend against these fast-moving attacks. It is no longer possible to contain these
intrusions at a few points in the network. Intrusion prevention is required throughout the entire
network to detect and stop an attack at every ingress and egress point in the network. The only
scalable and cost-effective way to accomplish this is by integrating intrusion prevention
systems (IPS) into the access points of the network.
IPS detect inappropriate, incorrect, or anomalous activity originating outside a network, and
then take action to prevent damage. Systems that operate on a host to detect malicious activity
on that host are called host-based intrusion prevention systems (HIPS), and systems that
operate on network data flows are called network-based IPS.
With the increasing complexity of security threats, achieving efficient network intrusion
security is critical to maintaining a high level of operational effectiveness. Cisco has designed
host- and network-based IPS to protect data and information infrastructure. This module
provides an introduction to Cisco IPS products and technologies.
Module Objectives
Upon completing this module, you will be able to secure a network with host- and network-
based IPS. This ability includes being able to meet these objectives:
Describe the underlying IDS and IPS technology embedded in the Cisco IDS/IPS solution
Complete basic sensor configuration tasks using the IDM
Describe the features and functions of the Cisco Security Agent
Manage host-based intrusion prevention policies across the network with the CSA MC
Lesson 1
Introducing Intrusion Prevention Systems
Overview
This lesson introduces intrusion detection systems (IDS) and intrusion prevention systems
(IPS). The features and functions of the technologies and components are described. Attention is
paid to the way in which signatures are used in mitigating attacks and the processes that are
initiated when a signature is triggered.
Objectives
Upon completing this lesson, you will be able to describe the underlying IDS and IPS
technology embedded in the Cisco IDS/IPS solution. This ability includes being able to meet
these objectives:
Define commonly used terms associated with intrusion detection and prevention
Explain IPS technologies, attack responses and monitoring options
Describe the features of network-based IPS
Describe the features of a HIPS
Describe the characteristics and function of Cisco IPS signatures
Describe how Cisco IPS sensors use signature engines to tune and create signatures
Describe how various alarm levels are triggered by Cisco IPS signatures
Describe the features of Cisco IPS Sensor Software version 5.0
Explain the factors to consider when selecting and deploying Cisco IDS/IPS sensors
Intrusion Detection and Prevention Terminology
This topic provides definitions and explanations for commonly used terms associated with
intrusion detection and prevention.
A sensor captures network packets with one of its own interfaces, then reassembles and
compares this data against a rule set that indicates typical intrusion activity. The syslog traffic
is sent to UDP port 514, and is analyzed by the Sensor intrusion detection engine.
When a Cisco IDS analyzes network data, it looks for patterns of misuse. Patterns can be as
simple as an attempt to access a specific port on a specific host, or as complex as sequences of
operations distributed across multiple hosts over an arbitrary period of time. The first type of
pattern is termed an atomic pattern; the second, a composite pattern.
A Cisco IDS searches for patterns of misuse by examining either the data portion or the header
portion of network packets. Content-based attacks derive from the data portion, and context-
based attacks derive from the header portion.
An IDS detects attacks against a network, including attacks against hosts and devices. When a
sensor detects unauthorized activity it sends alarms to the management console(s) along with
details of the activity. An IDS can only respond after an attack is detected. In the case of an
atomic attack where malicious content is contained in a single packet, the malicious packet can
reach its target before a response action can be taken. Intrusion detection is the ability to detect
misuse, abuse, and unauthorized access to networked resources.
An IPS represents a significant advance over IDS. Older Cisco IDS sensors, such as the Cisco
IDS 4250 XL Sensor and the Cisco IDS 4215 Sensor, provide intrusion detection. Newer Cisco
IPS Sensors, such as the Cisco IPS 4255 Sensor and the Cisco IPS 4240 Sensor, as well as
current Cisco IOS software, can be deployed inline to provide intrusion prevention. By default,
the monitoring interface of a Cisco IPS sensor works in promiscuous mode, which means that it
monitors all traffic on the local network through a network device that captures traffic for the
sensor.
In contrast to a sensor in promiscuous mode, an inline sensor processes packets as they flow
through the network data forwarding path and can make the decision to forward or drop packets
based on what is detected. An inline sensor is, therefore, an IPS. Inline IPS provides an added
level of protection from worms and atomic attacks where malicious content is contained in a
single packet.
The term intrusion protection is often used in a generic sense, and although some Cisco
literature still refers to intrusion protection, the term can be confusing and should be avoided.
Copyright 2005, Cisco Systems, Inc. Securing Networks with Host- and Networked-Based IPS 4-5
Signatures and Signature Algorithms
The term "signature" in this lesson refers to a set of conditions that when met, indicate some
type of intrusion event is occurring or has occurred.
Cisco IDS and IPS use over a hundred signatures to detect patterns of misuse in network traffic
and identify the most common attacks. Simple signatures check the value of a header field.
More complex signatures may track the state of a connection or perform extensive protocol
analysis on the traffic. Cisco IDS/IPS signatures provide the ability to customize embedded
signatures as well as to write new signatures to meet specific threats. This ability will be
described later in this lesson.
IDS/IPS Alarms
A network IDS/IPS signature is a pattern in traffic that indicates an intrusion attempt has
occurred. Signatures are configured manually or automatically in IDS/IPS devices. The ability
of IDS/IPS products to accurately detect an attack or a policy violation and generate an alarm is
critical to their functionality.
Note A false negative should only be considered a software bug if the IDS/IPS has a signature
that has been designed to detect the offending traffic.
Intrusion Prevention Technologies
This topic explains IPS technologies, attack responses and monitoring options.
Among the many vendors of IDS and IPS, there is marked variation on what constitutes a
network intrusion. This variation has led to many confusing claims by vendors about the best
methodologies and solutions. Cisco IPS sensors use a blend of detection technologies, which
are described in this lesson.
Profile-Based Intrusion Detection
Profile-based intrusion detection generates an alarm when activity on the network goes outside
the profile. Anomaly-based signatures are typically geared to look for network traffic that
deviates from what is seen "normally". With anomaly detection, profiles are created for each
user or user group on your system. Examples of user and network activity are used to build
profiles of normal activity. These profiles are then used as a baseline to define normal user and
network activity. For example, a web server farm would typically generate web traffic using
HTTP. A profile could be created to monitor web traffic. Another example is a network
segment where the users are help desk technicians. The help desk technician's primary function is
to monitor e-mail requests. A profile could be created to monitor mail traffic using Simple Mail
Transfer Protocol (SMTP).
The problem with this method of intrusion detection is that users do not feel a responsibility to
follow a profile. Humans do not consistently keep to a normal pattern; consequently, what may
be defined as normal activity today might not be normal activity tomorrow. There is too much
variation in the way users act on the network for this type of detection to be effective. For
example, some help desk technicians may access the web or telnet to systems in order to
troubleshoot problems. Based on the profile created, this type of network activity would trigger
alarms, which are likely to be benign.
Signature-Based Intrusion Detection
Signature-based intrusion detection is less prone to false positives when detecting unauthorized
activity. A signature is a set of rules pertaining to typical intrusion activity. Highly skilled
network engineers research known attacks and vulnerabilities and develop signatures to detect
these attacks and vulnerabilities. These attack signatures encompass specific traffic or activity
based on known intrusive activity.
A pattern matching approach looks for a fixed sequence of bytes in a single packet. As its name
suggests, it is a fairly rigid but simple to employ approach. In most cases, the pattern is
matched against a packet only if the suspect packet is associated with a particular service or,
more precisely, destined to or from a particular port. For example, a signature might be based
on a simple pattern-matching approach such as this:
If <the packet is IPv4 and TCP> and <the destination port is 2222> and
<the payload contains the string "foo"> then <fire an alarm>.
A Cisco IPS implements signatures that can look at every packet going through the network
and generate alarms when necessary. A Cisco IPS generates alarms when a specific pattern of
traffic is matched or a signature is triggered. You can configure a Cisco IPS to exclude
signatures and modify signature parameters to work optimally in your network environment.
Protocol Analysis
Signature-based intrusion detection uses signatures based on values in IP, TCP, User Datagram
Protocol (UDP), and Internet Control Message Protocol (ICMP) headers. Protocol analysis-
based intrusion detection is similar but it performs a more in-depth analysis of the protocols
specified in the packets. A deeper analysis examines the payloads within TCP and UDP
packets, which contain other protocols. For example, a protocol such as Domain Name System
(DNS) is contained within TCP or UDP, which itself is contained within IP.
The first step is to decode the packet IP header information and determine whether the payload
contains TCP, UDP or another protocol. For example, if the payload is TCP, then some of the
TCP header information within the IP payload is processed before the TCP payload is accessed
(DNS data for example). Similar actions are mapped for other protocols.
Protocol analysis requires that the IPS sensor knows how various protocols work so that it can
more closely analyze the traffic of those protocols to look for suspicious or abnormal activity.
For each protocol, the analysis is based not only on protocol standards, particularly the RFCs,
but also on how things are implemented in the real world. Many implementations violate
protocol standards, so it is very important that signatures reflect common and accepted practice
rather than the RFC-specified ideal; otherwise false positives and negatives can occur. Protocol
analysis techniques trigger an alert when the traffic does not meet the expected protocol
operations.
For example, assume an attack has been launched against a server. The attacker sends an IP
packet with a protocol type, which, according to an RFC, should not contain any data in the
payload. A protocol analysis-based IPS detects the attack based on the knowledge of the
protocol and sets off an alarm.
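The pattern-matching signature quoted earlier and the decoding order described in this topic (IP header first, then the TCP or UDP header, then the payload), carried out in an added Python example that is not code from the Cisco guide or from Cisco IPS software. The constructed packets, the build_* helpers, and the choice of IP protocol 59 as a protocol type that must carry no payload are assumptions made for this example; port 2222 and the string "foo" are the guide's own illustrative values.

```python
"""Added example (not from the Cisco guide): decode IP, then TCP/UDP, then inspect the payload,
and evaluate the guide's atomic signature:
  If <IPv4 and TCP> and <destination port is 2222> and <payload contains "foo"> then <fire an alarm>.
Packets are constructed by the build_* helpers; 2222 and "foo" are the guide's illustrative values."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17
# IANA protocol 59 (IPv6-NoNxt, "no next header") carries nothing after the IP header; it
# stands in here for the guide's "protocol type that should not contain any data" (assumption).
NO_PAYLOAD_PROTOS = {59}


@dataclass
class Decoded:
    version: int
    proto: int
    dport: Optional[int]                         # None without a decodable TCP/UDP header
    payload: bytes                               # bytes after the deepest header decoded
    violations: List[str] = field(default_factory=list)


def decode(pkt: bytes) -> Decoded:
    """Decode IP, decide what the payload carries, and decode that header before the
    Layer 4 payload is accessed (the order the protocol-analysis passage describes)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    d = Decoded(version, proto, None, b"")
    if version != 4:
        d.violations.append("IP version is not 4")
        return d
    if ihl < 20 or ihl > len(pkt):
        d.violations.append("IP header length out of range")
        return d
    if total_len != len(pkt):
        d.violations.append("IP total length disagrees with bytes received")
    l3 = pkt[ihl:]
    d.payload = l3
    if proto in NO_PAYLOAD_PROTOS:
        if l3:
            d.violations.append(f"protocol {proto} must not carry a payload")
    elif proto == IPPROTO_TCP:
        if len(l3) < 20:
            d.violations.append("truncated TCP header")
            return d
        d.dport = struct.unpack("!H", l3[2:4])[0]
        data_off = (l3[12] >> 4) * 4              # TCP data offset, in 32-bit words
        if data_off < 20 or data_off > len(l3):
            d.violations.append("TCP data offset out of range")
            return d
        d.payload = l3[data_off:]
    elif proto == IPPROTO_UDP:
        if len(l3) < 8:
            d.violations.append("truncated UDP header")
            return d
        d.dport = struct.unpack("!H", l3[2:4])[0]
        d.payload = l3[8:]
    return d


def atomic_pattern_signature(d: Decoded) -> bool:
    """The guide's example signature, evaluated on a single decoded packet."""
    return d.version == 4 and d.proto == IPPROTO_TCP and d.dport == 2222 and b"foo" in d.payload


def inspect(pkt: bytes) -> List[str]:
    """Alarms a sensor would raise for one packet: protocol violations plus signature hits."""
    d = decode(pkt)
    alarms = [f"protocol-analysis: {v}" for v in d.violations]
    if atomic_pattern_signature(d):
        alarms.append("signature: TCP/2222 payload contains 'foo'")
    return alarms


def build_ipv4(proto: int, l3_payload: bytes) -> bytes:
    """Constructed packet: minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l3_payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l3_payload


def build_tcp(dport: int, data: bytes) -> bytes:
    """Constructed TCP segment: 20-byte header, data offset 5, PSH|ACK, checksum zero."""
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0) + data


def build_udp(dport: int, data: bytes) -> bytes:
    """Constructed UDP datagram: 8-byte header, checksum zero."""
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


if __name__ == "__main__":
    print(inspect(build_ipv4(IPPROTO_TCP, build_tcp(2222, b"hello foo"))))  # signature fires
    print(inspect(build_ipv4(IPPROTO_UDP, build_udp(2222, b"foo"))))        # UDP: no match
    print(inspect(build_ipv4(59, b"\x00\x01")))                             # protocol violation
```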
IPS Attack Response Options
IPS Monitoring Options
Network-Based vs. Host-Based IPS
[Figure: Network-Based vs. Host-Based IPS, with panels Host-Based IPS and Network-Based IPS]
The figure shows how network-based IPS and HIPS complement one another. While network-
based IPS focuses on detecting buffer overflows, attacks on Web servers, network
reconnaissance, and DoS attacks, HIPS focuses on application and host resource protection.
Network-Based Intrusion Prevention Systems
This topic describes the features of network-based IPS.
Network-based IPS involves the deployment of monitoring devices, or sensors, throughout the
network to capture and analyze the traffic. Sensors detect malicious and unauthorized activity
in real time and can take action when required. Sensors are deployed at designated network
points that enable security managers to monitor network activity while it is occurring,
regardless of the location of the target of the attack.
Network-based IPS sensors are usually tuned for intrusion detection analysis. The underlying
operating system of the platform on which the HIPS software is mounted is stripped of
unnecessary network services, and essential services are secured. The hardware includes the
following components:
Network interface card (NIC): Network-based IPS must be able to connect into any
network (Ethernet, Fast Ethernet, Gigabit Ethernet, Token Ring, and Fiber Distributed Data
Interface (FDDI) are common.)
Processor: Intrusion detection requires CPU power to perform intrusion detection protocol
analysis and pattern matching.
Memory: Intrusion detection analysis is memory intensive. Memory directly impacts the
ability of a network-based IPS to efficiently and accurately detect an attack.
Network-Based IPS Deployment
[Figure: Network-Based IPS Deployment; labels: Corporate Network, Untrusted Network, Sensor (three), Firewall, Router, Management Server, WWW Server, DNS Server]
Network-based IPS gives security managers real-time security insight into their networks
regardless of network growth. Additional hosts can be added to protected networks without
needing more sensors. When new networks are added, additional sensors are easy to deploy.
Additional sensors are only required when their rated traffic capacity is exceeded, when their
performance does not meet current needs or when a revision in security policy or network
design requires additional sensors to help enforce security boundaries.
The figure illustrates a typical network-based IPS deployment. Sensors are deployed at network
entry points that protect critical network segments. The network segments have internal and
external corporate resources. The sensors report to a central management and monitoring server
located inside the corporate firewall.
Host-Based Intrusion Prevention Systems
This topic describes the features of a HIPS.
HIPS Features
A HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS
is that it can monitor operating system processes and protect critical system resources,
including files that may exist only on that specific host. HIPS combines behavioral analysis and
signature filters. HIPS can also combine the best features of anti-virus, network firewalls and
application firewalls in one package.
A simple form of HIPS enables system logging and log analysis on the host. However, this
approach can be extremely labor intensive. Contemporary HIPS software requires Cisco
Security Agent (CSA) software to be installed on each host to monitor activity performed on
and against the host. The CSA performs the intrusion detection analysis and protects the host.
HIPS Operation
Recall that HIPS operates by detecting attacks occurring on a host on which it is installed. HIPS
works by intercepting operating system and application calls, securing the operating system and
application configurations, validating incoming service requests, and analyzing local log files
for after-the-fact suspicious activity.
HIPS uses rules based on a combination of known attack signatures and a detailed knowledge
of the operating system and specific applications running on the host. These rules enable HIPS
to determine abnormal or out-of-bound activity and therefore prevent the host from executing
commands that do not fit the correct behavior of the operating system or application.
HIPS improves the security of hosts and servers by using rules that control operating system
and network stack behavior. Processor control limits activity such as buffer overflows, registry
updates, writes to the system directory, and the launching of installation programs. Regulation
of network traffic can help ensure that the host does not participate in accepting or initiating
FTP sessions, can rate-limit when a DoS attack is detected, or can keep the network stack from
participating in a DoS attack.
Because HIPS does not rely solely on the signatures of known attacks to provide protection, it
also protects servers against unknown attacks by detecting non-standard behaviors.
Cisco HIPS Deployment
[Figure: Cisco HIPS Deployment; labels: Corporate Network, Untrusted Network, Agent (two), Application Server, Firewall]
The figure illustrates a typical HIPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The Agents report events to a central console server located inside the corporate firewall.
Cisco IPS Signatures
This topic describes the characteristics and function of Cisco IPS signatures.
Signature Characteristics
A signature is a set of rules that network-based IPS and HIPS use to detect typical intrusive
activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect
known attacks and respond with actions that you define.
The sensor compares its list of signatures to network activity. When it finds a match, the sensor
takes action. A sensor enables you to modify existing signatures and define new ones.
built-in signatures are based on known attacks, but some provide information about your
sensor. For example, signature 993 (Missed Packet Count) alerts you if the sensor is
dropping packets. This signature also tells the percentage dropped to help you tune the
traffic level you are sending to the sensor. If the alarms show that there are no dropped
packets or a very small percentage of dropped packets, the sensor is able to monitor the
quantity of traffic being sent. If you see signature 993 alerts with a high percentage of
dropped packets, your sensor is oversubscribed. If signature 993 is firing with 100 percent
packet loss, the sensor is not generating alarms and there is a problem. If you have the most
recent version, contact the Cisco Technical Assistance Center (TAC) to report the problem.
Tuning built-in signatures: You can tune built-in signatures by adjusting several signature
parameters. Built-in signatures that have been modified are called tuned signatures. You
can also create new signatures, which are called custom signatures.
Signature Features
Sensor Signature Examples
The figure lists some examples of the methods that signatures use to identify certain types of
attack.
Regular Expressions Syntax
You can configure IDS and IPS signatures from the command-line interface (CLI). Regular
expressions are text patterns used for string matching. They are strings that contain a mix of
plain text and special characters to indicate what should be matched. For example, if you are
looking for a numeric digit, the regular expression to search for is "[0-9]". The brackets indicate
that the character being compared should match any one of the characters enclosed within the
bracket. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this
regular expression will match any character from 0 to 9. To search for a specific special
character, you must use a backslash before the special character. For example, the single
character regular expression "\*" matches a single asterisk.
Regular expressions (regex) constitute a powerful and flexible notational language that allows
you to describe text in IDS and IPS signatures. In the context of pattern matching, regular
expressions allow a succinct description of almost any arbitrary pattern.
The Regex Expressions table lists the IDS and IPS regular expressions syntax.
Regex Expressions
Metacharacter | Name | Description
[a-z] | Character range class | Any character listed inclusively in the range
\NNN | Escaped octal character | Matches the character with the octal code NNN (where 0<=N<=8)
Examples of Regex Patterns
[Table: Regex Patterns; the only row recovered is the pattern Hacker, which matches the text Hacker]
Signature Responses
Cisco IPS signatures can take one or all of the following actions when triggered:
TCP reset: Terminates the TCP session between the source of an attack and the target host
IP log: Logs subsequent IP packets from the source of an attack
Block: Initiates the blocking of IP traffic from the source of an attack, either a block on the
host or the connection
Cisco IPS Signature Engines
This topic describes how Cisco IPS sensors use signature engines to tune and create signatures.
Engine Overview
Cisco IPS signature engines enable the network security administrator to tune and create
signatures unique to their network environment. Each signature is created using a signature
engine specifically designed for the type of traffic being monitored. A signature engine is a
component of the sensor that supports a category of signatures. An engine is composed of a
parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or
sets of values.
Categories and Uses
There are several general categories of Cisco IPS signature engines, each with a particular use.
The use and selection of signature engines is dependent on several variables. The Signature
Engines table provides a list of engine categories and a description of the use of each engine.
Signature Engines
Engine | Description
Atomic | Used to perform per-packet inspection. The Atomic engines support signatures that trigger alarms based on the analysis of a single packet.
Service | Used when services at Layers 5, 6, and 7 require protocol analysis
State.String | Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams
String | Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols including TCP, UDP, and ICMP
Trojan | Used to detect BackOrifice Trojan horse traffic and Tribal Flood Network 2000 (TFN2K) Trojan or distributed denial of service (DDoS) traffic
Engine Parameters
An engine parameter is a name and value pair. The name is defined by each engine. The value
has limits that are defined by the engine so that only values falling in a particular range are
valid. The parameter name is constant across all signatures in a particular engine, but the value
can be different for the various signatures in an engine group.
Master and Local Parameters
Cisco IPS signature engines have master and local signature parameters. Master parameters are
common to most signatures and exist in most signature engines. Local signature parameters are
engine specific. For example, the local signature parameter IcmpCode exists in the
Atomic.ICMP signature engine, and the local signature parameter IPOption exists in the
Atomic.IPOptions signature engine.
The Master Signature Parameter table provides the value and description of each master
signature parameter.
Master Signature Parameters
AlarmThrottle: Values are FireOnce (sends the first alarm and then deletes the inspector), FireAll (sends all alarms), Summarize (sends an IntervalSummary alarm), and GlobalSummarize (sends a GlobalSummary alarm). This technique is used to limit alarm firings.
AlarmTraits: Value is 0 to 65535. These are user-defined traits that further describe the signature.
SIGID: Values are 993 to 19999 (the range for default signatures) and 20000 to 50000 (the range for custom signatures). This defines the numeric value assigned to the signature.
SigName: Value is a string. This defines the alphanumeric name assigned to the signature.
WantFrag: Values are TRUE (only fragmented packets trigger an alarm), FALSE (only non-fragmented packets trigger an alarm), and blank (fragmented and non-fragmented IP traffic trigger an alarm). This controls the inspection of fragmented packets.
The FlipAddr parameter is useful in situations in which the traffic that triggers the signature is
return traffic from the target system (the system being attacked). Normally, the traffic that
triggers a signature originates from the attacker IP address, so the source IP address in the
resulting alarm is that of the attacker. However, some signatures rely on return traffic from the
target to determine whether an attack is taking place. For example, ResetPortSweep looks for
the target sending back multiple resets from various ports to determine that a port sweep is
taking place. Without the FlipAddr parameter, the source address in the resulting alarm would
be that of the target. Setting the FlipAddr parameter to true causes the alarm to display the
correct attacker and target addresses.
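The master parameters described above can be exercised in code. The following Python model is an added example, not Cisco's sensor software or code from this guide: it checks a signature definition against the SIGID, AlarmTraits and AlarmThrottle values from the table, then applies WantFrag, AlarmThrottle and FlipAddr to a constructed sequence of matched packets. The 30-second summary interval, the signature name and the addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ranges and modes quoted from the Master Signature Parameters table above.
DEFAULT_SIGID_RANGE = (993, 19999)
CUSTOM_SIGID_RANGE = (20000, 50000)
ALARM_TRAITS_RANGE = (0, 65535)
ALARM_THROTTLE_MODES = ("FireOnce", "FireAll", "Summarize", "GlobalSummarize")


@dataclass
class Signature:
    """Master parameters only; engine-specific local parameters are left out."""
    sig_id: int
    sig_name: str
    alarm_throttle: str = "FireAll"
    alarm_traits: int = 0
    want_frag: Optional[bool] = None  # True, False, or None for <blank>
    flip_addr: bool = False


@dataclass
class Packet:
    """Constructed view of one packet the engine's inspector has already matched."""
    ts: float  # seconds since the start of the capture
    src: str
    dst: str
    fragmented: bool = False


def validate_signature(sig: Signature) -> List[str]:
    """Return the master-parameter violations found; an empty list means valid."""
    problems: List[str] = []
    in_default = DEFAULT_SIGID_RANGE[0] <= sig.sig_id <= DEFAULT_SIGID_RANGE[1]
    in_custom = CUSTOM_SIGID_RANGE[0] <= sig.sig_id <= CUSTOM_SIGID_RANGE[1]
    if not (in_default or in_custom):
        problems.append(f"SIGID {sig.sig_id} is outside the default and custom ranges")
    if not sig.sig_name:
        problems.append("SigName must be a non-empty string")
    if sig.alarm_throttle not in ALARM_THROTTLE_MODES:
        problems.append(f"AlarmThrottle {sig.alarm_throttle!r} is not a legal value")
    if not ALARM_TRAITS_RANGE[0] <= sig.alarm_traits <= ALARM_TRAITS_RANGE[1]:
        problems.append(f"AlarmTraits {sig.alarm_traits} is outside 0 to 65535")
    return problems


def _alarm(sig: Signature, pkt: Packet, kind: str, count: int) -> Dict:
    # FlipAddr: the matching packet is the target's reply, so the alarm must
    # swap the addresses to report the real attacker and target.
    attacker, target = (pkt.dst, pkt.src) if sig.flip_addr else (pkt.src, pkt.dst)
    return {"sig_id": sig.sig_id, "sig_name": sig.sig_name, "kind": kind,
            "attacker": attacker, "target": target, "count": count}


def fire_alarms(sig: Signature, packets: List[Packet],
                interval: float = 30.0) -> List[Dict]:
    """Apply WantFrag, AlarmThrottle and FlipAddr to packets the inspector matched.

    Summarize emits one IntervalSummary per `interval` seconds of matches and
    GlobalSummarize emits a single GlobalSummary; the 30-second interval is an
    assumption of this example, not a value from the guide.
    """
    problems = validate_signature(sig)
    if problems:
        raise ValueError("; ".join(problems))

    # WantFrag: blank (None) inspects everything; TRUE/FALSE select by fragmentation.
    hits = [p for p in packets if sig.want_frag is None or p.fragmented == sig.want_frag]
    if not hits:
        return []

    if sig.alarm_throttle == "FireAll":
        return [_alarm(sig, p, "Alarm", 1) for p in hits]
    if sig.alarm_throttle == "FireOnce":
        # First alarm only; the inspector is deleted, so later matches are silent.
        return [_alarm(sig, hits[0], "Alarm", 1)]
    if sig.alarm_throttle == "GlobalSummarize":
        return [_alarm(sig, hits[0], "GlobalSummary", len(hits))]

    alarms: List[Dict] = []
    window_start, first, count = hits[0].ts, hits[0], 0
    for p in hits:
        if p.ts - window_start >= interval:
            alarms.append(_alarm(sig, first, "IntervalSummary", count))
            window_start, first, count = p.ts, p, 0
        count += 1
    alarms.append(_alarm(sig, first, "IntervalSummary", count))
    return alarms


# Constructed sample: a port sweep that is only visible through the target's TCP
# resets, so every matched packet has the target (10.0.0.5) as its source and the
# signature needs FlipAddr TRUE to name 192.0.2.10 as the attacker.
SWEEP_SIG = Signature(sig_id=20001, sig_name="CustomResetPortSweep",
                      alarm_throttle="Summarize", flip_addr=True)
RESET_REPLIES = [Packet(ts=t, src="10.0.0.5", dst="192.0.2.10") for t in (0, 5, 10, 40, 45)]

if __name__ == "__main__":
    for alarm in fire_alarms(SWEEP_SIG, RESET_REPLIES):
        print(alarm)
```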
Cisco IPS Alarms
This topic describes how various alarm levels are triggered by Cisco IPS signatures.
Alarm Overview
A Cisco IPS signature will be assigned one of the following severity levels:
Informational: Activity that triggered the signature is not considered an immediate threat,
but the information provided is useful.
Low: Abnormal network activity was detected that could be perceived as malicious, but an
immediate threat is not likely.
Medium: Abnormal network activity was detected that could be perceived as malicious,
and an immediate threat is likely.
High: Attacks used to gain access or cause a DoS were detected, and an immediate threat is
extremely likely.
Cisco IPS Sensor Software Version 5.0
This topic describes the features of Cisco IPS Sensor Software version 5.0.
[Figure: sensor performance by platform in Mbps, with the network media supported by each: IDS 4250 XL 1000, Catalyst 6500 IDSM-2 600, IPS 4255 500, IPS 4240 250, IDS 4215 80, IDS Network Module 45; network media ranges from 10/100 TX to 10/100/1000 TX and 1000 SX.]
Recall that the Cisco IDS/IPS portfolio includes the Cisco IDS/IPS 4200 Sensor family,
modules for the Cisco Catalyst 6500 switch and Cisco 7600 router, the Cisco IDS Network Module
for the Cisco 2600 Series, 3600 Series, and 3700 Series routers, the router sensor
embedded in Cisco IOS Software, and the firewall sensor embedded in PIX Security
Appliance software. Together, these products provide network managers with a wide range of
IDS/IPS solution options.
IDS capabilities are available using Cisco Sensor software version 4.2, Cisco IOS versions 12.0
and higher, and PIX Security Appliance Software versions 5.2 and later.
IPS capabilities are available using Cisco Sensor software version 5.0, and Cisco IOS versions
12.3 and higher.
[Figure: Cisco IPS Sensor Software v5.0 deployed inline between an attacker and the main campus and public services segment.]
Cisco IPS Software version 5.0 is a significant, feature-packed software release that brings
inline intrusion prevention functionality to new and existing Cisco IDS products. This new
software allows users to stop worms and viruses (among other threat types) at ingress.
Additionally, IPS Software version 5.0 allows users to turn on more prevention actions on a
broader range of threats without the risk of dropping legitimate traffic. This release includes
more than 20 major new features that provide key enhancements to attack prevention, advanced
application control, extensions to threat classification, and critical high availability
considerations.
Cisco IPS Software version 5.0 has been developed to meet ever increasing security threats.
What worked in the past is no longer sufficient to meet present threats. It is no longer
considered good enough to simply react to attacks. Solutions must be automated and proactive.
Standalone security devices do not provide the same degree of critical protection as integrated
security services in the network infrastructure. Integrated devices can enable centralized
monitoring, management, and control to facilitate a coordinated response. New devices can be
used throughout the network to provide multiple layers of defense. New security solutions have
moved away from individual security products or services that operate independently from one
another, to layered and integrated models that operate as part of a cohesive security system.
Cisco IPS Software version 5.0 provides the ability to link endpoint security solutions with
network-based solutions and services.
Deploying Cisco IDS/IPS Sensors
This topic explains the factors to consider when selecting and deploying a Cisco IDS/IPS
sensor.
Organizational, financial, and technical factors affect the decisions made when selecting
sensors for a Cisco IDS/IPS solution. For the purposes of this discussion, the focus is on the
technical factors to consider when selecting sensors for a Cisco IDS/IPS solution. The
following are the technical factors to consider when selecting sensors:
Network media: Sensor selection is affected by the network media and environment. Cisco
IDS/IPS sensor network interface cards range from Ethernet to Gigabit Ethernet.
Intrusion detection analysis performance: The performance for the sensors is rated by
the number of bits per second that can be captured and accurately analyzed. Cisco IDS/IPS
sensor performance ranges from 45 Mbps to 1000 Mbps.
Network environment: Cisco IDS/IPS sensors are suited for networks that have network
speeds ranging from 10/100BASE-T Ethernet to Gigabit Ethernet.
Sensor Deployment Considerations
Number of sensors
Sensor placement
Management and monitoring options
External sensor communications
Deploying a Cisco IDS/IPS solution requires a well thought-out design. The following are the
important design issues to take into consideration:
Your network topology: Knowledge of your network topology helps you determine how
many IDS/IPS appliances are required, the hardware configuration for each IDS/IPS
appliance (for example, the size and type of network interface cards), and how many
IDS/IPS management workstations are needed. The IDS/IPS appliance monitors all traffic
across a given network segment. Given these facts, you should consider all the connections
to the network that you want to protect. Before you deploy and configure your IDS/IPS
appliances, you should understand the following about your network:
The size and complexity of your network
Connections between your network and other networks, including the Internet
The amount and type of network traffic on your network
Sensor placement: It is recommended that sensors be placed at those network entry and
exit points that provide sufficient intrusion detection coverage. Determine the type of
location you have in order to determine which segments of the network you want to
monitor. Keep in mind that each IDS/IPS appliance maintains a security policy configured
for the segment it is monitoring. The security policies can be standard across the
organization or unique for each IDS/IPS appliance. You may consider changing your
network topology to force traffic across a given monitored network segment. There are
always operational trade-offs when going through this process. The result should be a
rough idea of the number of IDS/IPS appliances required to protect the desired network.
You can place an IDS/IPS appliance in front of or behind a firewall. Each position has its
benefits and drawbacks. These benefits and drawbacks are discussed later in this lesson.
Management and monitoring options: Review the management and monitoring options
described earlier to select those most appropriate for your network. Keep in mind that the
number of sensors that you deploy is directly correlated to the type of management console
you select. The recommended sensor-to-IDS Event Viewer (IEV) ratio is 5:1. For the
Management Center for IDS/IPS Sensors (IDS MC), the ratio is 300:1.
External sensor communication: Traffic on the communication port between sensors and
external systems must be allowed through firewalls to ensure functionality. The Managing
or Monitoring Ports table shows the ports used by the various management and
monitoring applications for communications with sensors.
Deploying Sensors
[Figure: sensor placement for Internet protection (complements firewalls and VPNs by monitoring traffic for malicious activity), extranet protection (monitors business partner traffic where trust is implied but not assured), corporate office and data center protection, and Cisco Threat Response (CTR), which eliminates false alarms, escalates real attacks, and aids remediation of costly intrusions.]
As you examine your network topology to determine how many IDS/IPS appliances are
required, consider all the network connections you want to protect. As illustrated in the figure,
locations that need to be protected generally fall into five basic categories:
Internet protection: A sensor between your perimeter gateway and the Internet
complements the firewall and virtual private network (VPN) by monitoring traffic for
malicious activity.
Extranet protection: A sensor between your network and extranet connections, such as
connections with a business partner, monitors traffic where trust is implied but not assured.
Intranet and internal protection: Sensors on your intranet protect data centers and critical
systems from internal threats.
Remote access protection: A sensor on your remote access network hardens perimeter
control by monitoring remote access users.
Server farm protection: Companies are deploying Internet servers on their Demilitarized
Zone (DMZ) networks. These servers offer Internet services such as Web access, Domain
Name System (DNS), FTP, and Simple Mail Transfer Protocol (SMTP). Cisco Security
Agents (CSAs) are installed on these servers. The Cisco Security Agent Management
Center (CSA MC) is installed on an internal network.
In addition, customers are increasingly challenged by false alarms. Cisco Threat Response
(CTR) technology can reduce false alarms by up to 95 percent, escalate real attacks, and
eliminate costly intrusions. Using unique intelligent threat investigation techniques, CTR
conducts detailed, "just-in-time" system investigations to capture forensic evidence and
automate manual processes of intrusion investigation for fast and cost-effective results.
A complete Cisco IPS includes the installation of a network-based IPS and host-based IPS
(HIPS). Network-based IPS sensors are installed at network entry points to provide broader
coverage, and HIPS Agents are installed on critical network servers.
Summary
This topic summarizes the key points discussed in this lesson.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Explain the difference between a false positive alarm and a false negative alarm using
an example. (Source: Intrusion Prevention Terminology)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q2) Explain the difference between a true positive alarm and a true negative alarm. (Source:
Intrusion Prevention Terminology)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q3) What three network attack detection methodologies are embedded in Cisco IPS
signatures? (Choose three.) (Source: Intrusion Prevention Technologies)
A) signature-based detection
B) host-based detection
C) protocol analysis intrusion detection
D) pattern matching
E) profile-based intrusion detection
F) network-based detection
Q4) Which one of the following needs statistical user and network profiles? (Source:
Intrusion Prevention Technologies)
A) profile-based intrusion detection
B) signature-based intrusion detection
C) protocol analysis intrusion detection
D) protocol analysis intrusion prevention
Q5) Which of the following is also called misuse detection or pattern matching? (Source:
Intrusion Prevention Technologies)
A) profile-based intrusion detection
B) signature-based intrusion detection
C) signature-based intrusion prevention
D) protocol analysis intrusion detection
Q6) Describe the advantage of network-based IPS. (Source: Network-Based Intrusion
Prevention)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q8) Match the following engine categories with their uses by putting the letter of the category
in the blank provided before the description of its use. (Source: Cisco IPS Signature
Engines)
A) Atomic
B) Flood
C) Service
D) String
E) Sweep
F) OTHER
G) State String
_____ 1. This engine category is used to group generic signatures so common
parameters may be changed.
_____ 6. This engine category is used for state-based and regular expression-based
pattern inspection and alarming functionality for TCP streams.
_____ 7. This engine category is used when services at Layers 5, 6, and 7 require
protocol analysis.
Q9) What signature characteristic can a sensor signature use to address a connection attempt
from a reserved IP address? (Source: IPS Signatures)
Q10) What signature characteristic can a sensor signature use to address email containing a
particular virus? (Source: IPS Signatures)
Q11) What signature characteristic can a sensor signature use to address a DNS buffer
overflow attempt contained in the payload of a query? (Source: IPS Signatures)
Q12) What signature characteristic can a sensor signature use to address a DoS attack on a
POP3 server caused by issuing the same command thousands of times? (Source: IPS
Signatures)
Q13) What signature characteristic can a sensor signature use to address a file access attack
on an FTP server by issuing file and directory commands to it without first logging in?
(Source: IPS Signatures)
Q14) Describe the new features of Cisco IPS Sensor Software version 5.0. (Source: Cisco
IPS Sensor Software version 5.0)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Lesson Self-Check Answer Key
Q1) A false positive occurs when the IPS generates an alarm from normal traffic or a benign action. One
example of a false positive is when an IDS raises a SYN flood alarm because it sees a large number of
SYN packets directed at a busy web server and mistakenly concludes it is under attack. Another example
of a false positive would be an IDS raising an SMTP Wiz attack alarm when it observes the string
DEBUG in the body of an SMTP message. A false negative is a situation in which a signature is not
fired when offending traffic is detected. An example of a false negative might be the failure of an IDS to
detect a web-server directory traversal attack because the attacker developed a previously unknown
way of obscuring the filename that is being requested. Another example might result from the failure of an
IDS to capture all the packets necessary to accurately reassemble an attack action due either to network
load or changes in routing topology.
Q2) A true positive is a situation in which a signature is fired properly when offending traffic is detected and
an alarm is generated. A true negative is a situation in which a signature is not fired when non-offending
traffic is captured and analyzed.
Q3) A, C, E
Q4) A
Q5) B
Q6) A network-based IPS has the benefit of easily seeing and coordinating attacks that are occurring across the
entire network. Seeing the attacks against the entire network gives a clear indication of the extent to which
it is being attacked. Furthermore, because the monitoring system is only examining traffic from the
network, it does not have to support every type of operating system that is used on the network.
Q7) HIPS provides an incomplete network picture and must be configured to support multiple operating
systems. By examining information only at the local host level, HIPS has difficulty constructing an
accurate network picture or coordinating the events happening across your entire network. Also, HIPS
needs to run on every system in the network. This requires verifying support for all of the different
operating systems used.
Q9) This is easily identified by checking the source address field in an IP header to ensure it is not a reserved
address.
Q10) The IPS can compare the subject of each email to the subject associated with known virus-laden email
messages, or it can look for a specific attachment.
Q11) By parsing the DNS fields and checking their length, the sensor can identify buffer overflow attacks using
a DNS field. Another approach might be to look for exploit shell code sequences in the payload.
Q12) A simple signature for this attack keeps track of how many times the command is issued and sends an alert
when that number exceeds the set threshold.
Q13) A state-tracking signature could be developed which would monitor FTP traffic for a successful login and
would alert if certain commands were issued before the user had authenticated properly.
Q14) IPS Sensor Software version 5.0 allows users to stop worms and viruses (among other threat types) at
ingress. Additionally, IPS Sensor Software version 5.0 allows users to turn on more prevention actions on
a broader range of threats without the risk of dropping legitimate traffic. This release includes more than
20 major new features that provide key enhancements to attack prevention, advanced application control,
extensions to threat classification, and critical high availability considerations.
Q15) The IDS appliance does not detect traffic that is internal to the network. An internal attacker taking
advantage of vulnerabilities in network services would remain undetected by the external IDS appliance.
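The threshold-based answer to Q12 and the state-tracking answer to Q13 can be shown as working detection logic. The following Python is an added example, not part of this guide or of Cisco's signature engines; the session lines, the FTP command set and the 1000-command threshold are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A session is a list of (direction, line): "C" is client to server, "S" is server to client.
Line = Tuple[str, str]

# FTP file and directory commands that should only appear after a successful login
# (an assumed set for this example).
FTP_FILE_COMMANDS = {"LIST", "NLST", "CWD", "CDUP", "PWD", "RETR", "STOR", "DELE", "MKD", "RMD"}


def _verb(text: str) -> str:
    """Return the command verb of a client line, upper-cased."""
    return text.split(" ", 1)[0].upper()


def ftp_pre_login_alerts(session: List[Line]) -> List[str]:
    """State-tracking signature (Q13): alert on file or directory commands issued
    before the server's 230 reply marks the login as successful."""
    authenticated = False
    alerts: List[str] = []
    for direction, text in session:
        if direction == "S":
            if text.startswith("230"):
                authenticated = True
            continue
        verb = _verb(text)
        if verb in FTP_FILE_COMMANDS and not authenticated:
            alerts.append(f"FTP {verb} issued before successful login")
    return alerts


def repeated_command_alerts(session: List[Line], threshold: int = 1000) -> List[str]:
    """Threshold signature (Q12): count each client command in the session and
    alert once when a command's count first exceeds the configured threshold."""
    counts: Dict[str, int] = defaultdict(int)
    fired: Set[str] = set()
    alerts: List[str] = []
    for direction, text in session:
        if direction != "C":
            continue
        verb = _verb(text)
        counts[verb] += 1
        if counts[verb] > threshold and verb not in fired:
            fired.add(verb)
            alerts.append(f"{verb} issued {counts[verb]} times, above threshold {threshold}")
    return alerts


# Constructed FTP session: LIST arrives after USER but before PASS and the 230 reply.
FTP_SESSION: List[Line] = [
    ("C", "USER alice"), ("S", "331 Password required for alice"),
    ("C", "LIST"),
    ("C", "PASS hunter2"), ("S", "230 Login successful"),
    ("C", "CWD /pub"), ("C", "RETR notes.txt"),
]

# Constructed POP3 session: a normal login followed by the same command 1200 times.
POP3_SESSION: List[Line] = [("C", "USER bob"), ("S", "+OK"), ("C", "PASS hunter2"), ("S", "+OK")]
POP3_SESSION += [("C", "STAT")] * 1200

if __name__ == "__main__":
    print(ftp_pre_login_alerts(FTP_SESSION))
    print(repeated_command_alerts(POP3_SESSION))
```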
Lesson 2
The Sensor Command Line Interface
This topic describes the features and functions of the CLI.
CLI Overview
The CLI for Cisco IDS Sensor Software version 4.1 and IPS Sensor Software version 5.0
provides a user interface that enables you to access the sensor through Telnet, Secure Shell
Protocol (SSH Protocol), and serial interface connections. Use an SSH version 1.5 client to
access the CLI over the network. The IPS/IDS Sensor Software CLI resembles the Cisco IOS
Software CLI, but it has fewer Cisco IOS configuration commands than Cisco IOS Software. It
also has additional configuration modes and commands.
The Cisco IPS/IDS Sensor Software CLI features the following components:
Help: Entering ? after the command displays command help. Help only displays
commands available in the current mode.
Tab completion: If you are unsure of the complete syntax for a command, enter a portion
of the command and press Tab to complete the command. If multiple commands match for
tab completion, nothing is displayed. The terminal repeats the line you entered. Only
commands available in the current mode are displayed by tab completion.
Command abbreviation: The CLI recognizes shortened forms of many common
commands. You have to enter only enough characters for the sensor to recognize the
command as unique. For example, entering sh ver executes the show version command.
Command recall: Pressing the Up Arrow or Down Arrow keys or Ctrl-P recalls the
commands entered in a mode. Help and tab complete requests are not reported in the recall
list.
User interactive prompts: The CLI displays user interactive prompts when the system
displays a question and waits for user input. The default input is displayed within brackets.
Pressing Enter accepts the default input.
The CLI is not case sensitive, but it does echo the text exactly as you entered it. The following
steps provide an example:
Using the CLI to Complete Tasks
The CLI allows you to use commands depending on the user role and command mode:
User role: The CLI for Cisco IDS Sensor Software version 4.1 supports three user roles:
administrator, operator, and viewer. The privilege levels for each role are different;
therefore, the menus and available commands vary for each role.
Command mode: Each command mode provides access to a subset of commands.
User Accounts and Account Roles
This topic describes how functions are assigned to user accounts according to account roles.
Users access a sensor by logging in to a user account. User accounts are created on the sensor.
Management consoles may maintain user accounts independently from sensors. In other words,
you can create and log in to accounts that exist only on a management console. The sensor
allows multiple local user accounts to be created.
User Account Roles
Administrators: Add users and assign passwords; enable and disable control of physical interfaces and interface groups; assign physical sensing interfaces to interface groups; modify the list of hosts allowed to connect to the sensor as configuring or viewing agents; modify sensor address configuration; tune signatures; assign virtual sensor configuration to interface groups; manage routers.
Operators: Modify their passwords; tune signatures; manage routers.
Viewers: Modify their passwords.
User accounts have roles that determine the operations that the user is allowed to perform. For
example, an administrative user can perform all of the operations on a sensor, while a user with
a viewer role can only view events and some sensor configuration information. The following
roles can be assigned to an account:
Administrator: A user that can perform all operations on the sensor.
Operator: A user that can perform all viewing and some administrative operations on a
sensor.
Viewer: A user that can perform all viewing operations, such as viewing events and
viewing some configuration files. The only administrative operation available to users with
the viewer role is setting their own passwords.
CLI Command Modes
This topic describes the subset of commands to which each command mode provides access.
The CLI supports the following command modes. Each command mode provides access to a
subset of commands.
Privileged EXEC mode: EXEC mode is the first level of the CLI. You enter EXEC mode
by logging in to the CLI. EXEC mode is denoted by the prompt sensor#.
Global configuration mode: Global configuration mode is the second level of the CLI.
You enter global configuration mode by first logging in to the CLI and then entering the
configure terminal command. Global configuration mode is denoted by the prompt
sensor(config)#.
Interface command-control configuration mode: Interface command-control
configuration mode is a third-level CLI mode. You enter interface command-control
configuration mode by first entering global configuration mode and then entering the
interface command-control command. Interface command-control configuration mode is
denoted by the prompt sensor(config-if)#.
Interface group configuration mode: Interface group configuration is a third-level CLI
mode. You enter interface group configuration mode by first entering global configuration
mode and then entering the interface group <number> command where number is the
group number. Interface group configuration mode is denoted by the prompt sensor(config-ifg)#.
Interface sensing configuration mode: Interface sensing configuration is a third-level CLI
mode. You enter interface sensing configuration mode by first entering global
configuration mode and then enter the interface sensing <name> command where name is
the logical interface name. Interface sensing configuration mode is denoted by the prompt
sensor(config-ifs)#.
Service mode: Service mode is a generic command mode used to edit a service
configuration. A service is a related set of functionality provided by an IDS application. An
IDS application may provide more than one service. You enter service mode by first
entering global configuration mode and then entering the service <serviceName>
command where serviceName identifies the actual service you are trying to access. Service
mode is denoted by the prompt sensor(config-<serviceName>)#.
Virtual sensor configuration mode: Virtual sensor configuration is a third-level CLI
mode. You enter virtual sensor configuration mode by first entering global configuration
mode and then entering the service virtual-sensor-configuration command followed by
the logical virtual sensor configuration name. Currently, the only allowed name is
virtualSensor. Virtual sensor configuration mode is denoted by the prompt sensor(config-vsc)#.
Alarm channel configuration mode: Alarm channel configuration is a third-level CLI
mode. You enter alarm channel configuration mode by first entering global configuration
mode and then entering the service alarm-channel-configuration command followed by
the logical alarm channel configuration name. Currently, the only allowed name is
virtualAlarm. Alarm channel configuration mode is denoted by the prompt sensor(config-acc)#.
Tune micro engines mode: Tune micro engines is a fourth-level CLI mode. You enter
tune micro engines mode by first entering virtual sensor configuration mode and then
entering the tune-micro-engines command. Tune micro engines mode is denoted by the
prompt sensor(config-vsc-virtualSensor)#.
Tune alarm channel: Tune alarm channel is a fourth-level CLI mode. You enter tune
alarm channel mode by first entering alarm channel configuration mode and then entering
the tune-alarm-channel command. Tune alarm channel mode is denoted by the prompt
sensor(config-acc-virtualAlarm)#.
Sensor Setup and CLI Configuration Tasks
This topic describes the purpose of sensor setup and CLI configuration tasks.
The figure lists the key configuration tasks you can complete from the CLI:
Log in to the sensor: The methods used to get administrative access to the sensor will be
explained.
Initialize the sensor: After you have installed the sensors on your network, you must
initialize them using the setup command.
Assign and enable sensing interfaces: An interface group provides a way to group
sensing interfaces into one logical virtual sensor. Only interface group 0 is supported.
Depending on the configuration of your sensor, you may need to assign the sensing
interface to interface group 0 and enable the interface. You can add or delete interfaces
from the group from the configuration mode using the interface group command. This
step is automatic in Cisco IPS Software version 5.0.
Create a service account: You can create a service account for TAC to use during
troubleshooting. Although more than one user can have access to the sensor, only one user
can have service privileges on a sensor. The service account is for support purposes only.
Change a password: The password command updates the password on the local sensor.
You can also use this command to change the password for an existing user or to reset the
password for a locked account.
Add a user: You can add a new user, set the privilege level (administrator, operator,
viewer) and set the password for the new user. Use the username command to create users
on the local system. Use the no form of this command to remove a user from the system.
The username command provides username and password authentication for login
purposes only. You cannot use this command to remove a user who is logged in to the
system.
4-56 Securing Cisco Network Devices (SND) v1.0 Copyright © 2005, Cisco Systems, Inc.
Remove a user: You can delete a user and thus prevent access to the sensor with the no
username command.
Add trusted hosts: You can identify hosts (trusted hosts) that are allowed to connect to the
sensor with the service host command.
Add known hosts to the SSH known hosts list: You must add hosts to the SSH known
hosts list so that the sensor can recognize the hosts that it can communicate with through
SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file
copying, and other hosts, such as Cisco routers, Cisco PIX Security Appliances, and Cisco
Catalyst switches. To add a host to the SSH known hosts list, use the ssh host-key
command.
Configure the sensor to use a Network Time Protocol (NTP) server as its time source:
The sensor requires a consistent time source. We recommend that you use an NTP server.
Configure the sensor to use the NTP server as its time source from the service host mode.
Configure a Cisco router to be an NTP server: The sensor requires an authenticated
connection with an NTP server if it is going to use the NTP server as its time source. The
sensor supports only the Message Digest 5 (MD5) hash algorithm for key encryption. It is
recommended that you activate a Cisco router to act as an NTP server and use its internal
clock as the time source.
Initializing the Sensor for Management Access
Once you have installed the sensors on your network, you must initialize them using the setup
command. The sensors must be initialized before the IDM can be used.
You can gain management access to a sensor using any of the following methods:
Console port: This method requires the use of the RS-232 cable provided with the sensor
and a terminal emulation program such as HyperTerminal.
Monitor and keyboard: This method requires connecting a monitor and a keyboard
directly to the sensor.
Telnet: This method requires an IP address that has been assigned to the command and
control interface via the CLI setup command. Telnet must be enabled to allow Telnet
access. Telnet is disabled by default.
Secure Shell (SSH): This method uses a supported SSH client and requires an IP address
that has been assigned to the command and control interface via the CLI setup command.
The SSH server in the sensor is enabled by default.
HTTPS: This method uses a supported web browser and requires an IP address that has
been assigned to the command and control interface via the CLI setup command. HTTPS
is enabled by default but can be disabled.
Sensor Initialization Tasks
Sensor initialization tasks are completed using an interactive dialog initiated by the setup
command. The tasks are as follows:
Assign a name to the sensor
Assign an IP address and a subnet mask to the command and control interface
Assign a default route
Enable or disable the Telnet server
Specify the web server port
Add and remove access control list (ACL) entries that specify which hosts are allowed to
connect to the sensor
Set the date and time
Note If you later change the sensor IP address, you will need to generate a self-signed X.509
certificate. This certificate is needed by HTTPS communications.
setup Command
Most of the initialization tasks are accomplished using the sensor setup command. The CLI
walks you through configuring the host name, IP address, netmask, gateway, and
communications options. After you enter the setup command, the default settings are
displayed. Pressing the Spacebar and answering yes to the next question allows you to
continue.
Configuration Dialog
The figure shows the configuration dialog presented by setup. The configuration dialog is a
series of interactive prompts that enables you to configure the following settings:
Host name: The host name is a case-sensitive character string of up to 256 characters.
Numbers, _ and - are valid, but spaces are not acceptable. The default is sensor.
IP address: An IP address is a 32-bit address written as four octets separated by periods,
X.X.X.X, where X is 0 to 255. The default is 10.1.9.201.
Netmask: The netmask is a 32-bit address written as four octets separated by periods,
X.X.X.X, where X is 0 to 255. The default for a Class C address is 255.255.255.0.
Default gateway: The default gateway is the default router IP address for the appliance.
The default is 10.1.9.1.
Telnet server status: You can disable or enable Telnet services. The default is disabled.
Web server port: The web server port is the TCP port used by the web server (1 to
65535). The default is 443. If you change the web server port, you must specify the port in
the URL address of your browser in the format https://sensor_ip_address:port (for
example, https://10.1.9.201:1040), when you connect to the IDM.
Network access lists: The network access list specifies hosts and networks that are allowed
to access the sensor. If you answer yes when prompted to modify the network access list,
the current access list entries are displayed. You are then prompted to delete entries from
the current list. Enter the number corresponding to the entry you want to delete. Repeat this
step until you have deleted all the entries that you want to delete from the access list. The
access list entries contain a default network address entry, 10.0.0.0/255.0.0.0. Remove this
entry, and modify the access list to suit your network. Pressing Enter without entering a
number retrieves the Permit prompt, which enables you to enter addresses of hosts or
networks allowed to access the sensor. Enter the IP address to add only a single host to the
list. Enter the IP address and netmask to add a network address to the list. Repeat this step
until you have entered all the addresses you want to add to the access list. Pressing Enter at
this point without entering a number retrieves the prompt to modify the system clock
settings.
System clock settings: Answering yes when prompted to modify the system clock settings
enables you to configure NTP, summer time settings, and the system time zone.
System date and time: If you answer yes when prompted to modify the system date and
time, the local date prompt is displayed. Enter the date in the format YYYY-MM-DD.
When presented with the local time prompt, enter the time in 24-hour format.
After you respond to the system clock settings prompt, your configuration appears with three
options. If you select [2] to save your configuration, you are prompted to modify the system
date and time. The three options are as follows:
[0]: Go to the command prompt without saving this config.
[1]: Return back to the setup without saving this config.
[2]: Save this configuration and exit setup.
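As an added illustration (not part of the course material), the following Python checks a set of setup answers against the rules just listed and against each other before they are typed into the dialog; the gateway-on-subnet check and the sample values other than the documented defaults are assumptions of this example.

```python
import ipaddress
import re
from typing import List

# Host name rule from the setup dialog: up to 256 characters; letters, digits,
# underscore and dash are valid, spaces are not.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")


def validate_setup(hostname: str, ip: str, netmask: str, gateway: str,
                   web_port: int) -> List[str]:
    """Check the values about to be entered in the setup dialog against the
    rules in the text and against each other; an empty list means no problems."""
    problems: List[str] = []
    if not HOSTNAME_RE.match(hostname):
        problems.append("host name must be 1-256 characters of letters, digits, _ or -, with no spaces")

    addr = None
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        problems.append(f"IP address {ip!r} is not four octets 0-255 separated by periods")

    net = None
    if addr is not None:
        try:
            # strict=False: the address has host bits set; the mask itself must still be contiguous
            net = ipaddress.IPv4Network((ip, netmask), strict=False)
        except ValueError:
            problems.append(f"netmask {netmask!r} is not a valid contiguous netmask")

    gw = None
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"default gateway {gateway!r} is not a valid IP address")

    # Assumption of this example: the default gateway is the router on the command
    # and control subnet, so it must lie inside that subnet and differ from the sensor.
    if net is not None and gw is not None:
        if gw not in net:
            problems.append(f"default gateway {gateway} is not on the {net.with_netmask} subnet")
        elif gw == addr:
            problems.append("default gateway must not equal the sensor IP address")

    if not 1 <= web_port <= 65535:
        problems.append(f"web server port {web_port} is outside 1-65535")
    return problems


def idm_url(ip: str, web_port: int) -> str:
    """URL to reach IDM over HTTPS; the port is only needed when it is not 443."""
    return f"https://{ip}" if web_port == 443 else f"https://{ip}:{web_port}"


if __name__ == "__main__":
    # The documented defaults are consistent with each other.
    print(validate_setup("sensor", "10.1.9.201", "255.255.255.0", "10.1.9.1", 443))  # []
    # Constructed mistakes: a gateway on another subnet and a non-default port.
    for p in validate_setup("ids sensor", "10.1.9.201", "255.255.255.0", "10.2.0.1", 1040):
        print("problem:", p)
    print(idm_url("10.1.9.201", 1040))  # https://10.1.9.201:1040
```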
Assign and Enable Interfaces
After the setup is complete, interfaces must be assigned and enabled. Cisco IDS/IPS Sensor
Software version 4.1 and version 5.0 use the setup command for initialization. However, in
IDS Sensor Software version 4.1, you must configure interfaces after running setup. In IPS
Sensor Software version 5.0, interface configuration is included in the setup command
interactive prompts.
You do not need to enable all interfaces. Enable only those interfaces that you want to use.
Each sensor has only one command and control interface, but you can configure up to five
monitoring interfaces depending on the type of sensor you have. Multiple interfaces enable
simultaneous protection of up to five different network subnets, which is like having five
sensors in a single appliance.
All monitoring interfaces use the same configuration. There is only one virtualSensor, so no
mapping of virtualSensor configurations to interfaces is required.
A monitoring interface must be part of Interface Group 0 and must be enabled. Sensors with
factory-installed Cisco IDS Sensor Software version 4.1 are shipped with all monitoring
interfaces added to Interface Group 0 and disabled. You must enable the monitoring interfaces
in order for the sensor to monitor your networks. Upgrades from IDS Software version 4.0 to
4.1 may leave some interfaces enabled that are not assigned to a group. Either disable these
interfaces or add them to Group 0 to prevent inconsistencies in reporting to the sensor.
IDS Device Manager Overview
This topic describes the features of IDM version 4.1.
A Cisco IDS network sensor appliance can be managed via the IDM. IDM is a web-based tool
that resides on your sensor and enables you to configure and manage the sensor. IDM is
accessed securely via Secure Sockets Layer (SSL) and Transport Layer Security (TLS) using a
Netscape or Internet Explorer web browser. Because IDM resides on your sensor, it can only
manage one sensor at a time. It is best suited for small-scale sensor deployments where there
are no more than five sensors.
Note Cisco IPS sensors running Cisco IPS Software version 5.0 use IPS Device Manager (IDM)
version 5.0.
IDM Features and Benefits
IDM enables you to securely manage sensors remotely from any workstation that has a
compatible web browser. The graphical user interface (GUI) was designed to simplify sensor
configuration tasks.
IDM enables you to complete the following from a remote station:
Re-start the sensor
Power down the sensor
IDS Manager Interface
[Figure: IDM interface layout, with the Path Bar, Area Bar, Sub-area Bar, Table of Contents, Toolbar, Content Area, and Information Window labeled]
The IDM GUI provides you with an intuitive approach to configuring sensors. The GUI has the
following sections:
Path Bar: This section displays the current selection. In the figure, the path selected is
Configuration > Sensing Engine.
Area Bar: This section lists the available sensor configuration items. The available sensor
configuration items are Device, Configuration, Monitoring, and Administration. Each
configuration item has sub-options, which are listed in the sub-area bar.
Sub-area Bar: This section lists the available sensor configuration sub-options for the item
selected from the area bar. In the figure, the available configuration options are Sensing
Engine, Blocking, Auto Update, and Restore Defaults.
Table of Contents (TOC): This section lists the available options for the item selected
from the sub-area bar. In the figure, the TOC displays the options for the Sensing Engine.
Toolbar: This section lists the available user functions. The available user functions are
Logout, Help, NSDB, and About.
Content Area: This section displays the information associated with the option selected or
an action associated with a user function.
Information Window: This area displays a description or instructions associated with the
option selected.
Configuring Network Settings
This topic explains how to configure network settings using the IDM.
[Figure: IDM Network Settings page (Device > Sensor Setup > Network), with the Enable TLS/SSL check box, Default Route field, Reset button, and Apply to Sensor button labeled]
After you use the setup command to initialize the sensor, the parameter values appear on the
Network Settings page in the IDM. If you need to change these parameters, you can do so from
the Network Settings page. However, changing the network settings may disrupt your
connection to the sensor and force you to reconnect.
Only a user with administrator privileges can configure the network settings of the sensor. The
communication parameters of a sensor can be changed by choosing Device > Sensor Setup >
Network. When the Network Settings panel appears, you can configure the following settings:
Sensor Name: The sensor name is a case-sensitive character string up to 256 characters.
Numbers, underscores (_) and dashes (-) are valid, but spaces are not acceptable.
IP Address: This setting is the IP address of the sensor.
Netmask: This setting is the netmask for the sensor.
Default Route: This setting is the default route IP address for the sensor.
Enable TLS/SSL: This setting enables TLS and SSL in the web server when this box is
checked. This option is enabled by default. TLS and SSL are protocols that enable
encrypted communications between a web browser and a web server. When TLS/SSL is
enabled, you connect to the IDM using https://sensor_ip_address. If you disable TLS/SSL,
connect to the IDM using http://sensor_ip_address:port_number.
Web Server Port: This setting is the TCP port used by the web server (1 to 65535).
Use Default Ports: This setting enables the web server to use the default port when this
box is checked. You can enter a TCP port to be used by the web server in the Web Server
Port field, or you can check this check box to use the default port. The default port for http
is 80. The default port for https is 443. If you change the web server port, you must specify
the port in the URL address of your browser when you connect to the IDM.
After you have made the necessary configuration entries, you can save and apply your changes
by clicking the Apply to Sensor button. The Reset button allows you to reset the form.
Configuring Allowed Hosts
This topic explains how to configure allowed hosts using the IDM.
[Figure: IDM Allowed Hosts page (Device > Sensor Setup > Allowed Hosts), with the Select All, Deselect All, Add, Edit, Delete, and Reset buttons labeled]
You can give a host or network permission to access the sensor through the network by adding
the host or network as an allowed host. In order to use management and monitoring hosts, you
must add them as allowed hosts. Otherwise, they are not able to communicate with the sensor.
By default, only hosts on the 10.0.0.0 network are permitted access. If you delete the default
network and you do not add any hosts to the list, no hosts are permitted.
You can add, edit, or delete allowed hosts by choosing Device > Sensor Setup > Allowed
Hosts. The Allowed Hosts page provides the following options:
Select All: Enables you to select all host and network entries simultaneously
Deselect All: Enables you to deselect all host and network entries simultaneously
Add: Enables you to access the Adding page, where you can add allowed hosts
Edit: Enables you to edit the IP addresses and netmasks of specific hosts
Delete: Enables you to delete hosts from the allowed list
Reset: Enables you to reset the form
Caution When adding, editing, or deleting allowed hosts, make sure that you do not delete the IP
address used for remote management of the sensor.
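The Caution above is easy to violate when the default 10.0.0.0 entry is replaced. The following Python, added here and not part of the course or of IDM, models the allowed-host list as (IP address, netmask) entries and refuses a proposed list that would shut out a management station; the addresses 10.1.9.50 and 192.168.1.0/24 are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# One allowed-host entry as typed on the Adding page: (IP address, netmask).
# A single host is entered with a host mask of 255.255.255.255.
AclEntry = Tuple[str, str]

# The factory default entry described in the text: every host on 10.0.0.0/8.
DEFAULT_ACL: List[AclEntry] = [("10.0.0.0", "255.0.0.0")]


def entry_network(entry: AclEntry) -> ipaddress.IPv4Network:
    """Turn an (ip, netmask) entry into a network; strict=False tolerates host
    bits in the address field, which the IDM form allows."""
    ip, netmask = entry
    return ipaddress.IPv4Network((ip, netmask), strict=False)


def is_permitted(host: str, acl: Iterable[AclEntry]) -> bool:
    """True if some allowed-host entry covers this address. An empty list
    permits nobody, which is exactly the lock-out the text warns about."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in entry_network(e) for e in acl)


def check_change(current: List[AclEntry], proposed: List[AclEntry],
                 management_hosts: Iterable[str]) -> List[str]:
    """Pre-apply check for the Caution above: list every management station
    that can reach the sensor today but would be shut out by the new list."""
    problems: List[str] = []
    if not proposed:
        problems.append("proposed list is empty: no host will be permitted")
    for host in management_hosts:
        if is_permitted(host, current) and not is_permitted(host, proposed):
            problems.append(f"{host} would lose access to the sensor")
    return problems


if __name__ == "__main__":
    # Constructed scenario: replace the default entry with a management LAN
    # but forget the admin workstation that sits on 10.1.9.0/24.
    admin_station = "10.1.9.50"
    proposed = [("192.168.1.0", "255.255.255.0")]
    for problem in check_change(DEFAULT_ACL, proposed, [admin_station]):
        print("refusing to apply:", problem)
    proposed.append((admin_station, "255.255.255.255"))
    print("ok to apply:", check_change(DEFAULT_ACL, proposed, [admin_station]) == [])
```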
Configuring Allowed Hosts (Cont.)
[Figure: Allowed Hosts Adding page, with the IP Address and Netmask fields and the Apply to Sensor, Cancel, and Reset buttons labeled]
If you choose Add from the Allowed Hosts page, the Adding page appears. This page enables
you to enter the following settings for the allowed host:
IP Address: The IP address of the host that you are permitting to access the sensor
Netmask: The netmask of the network or host that you are permitting to access the sensor
If you want to reset the form, click the Reset button; otherwise, click Apply to Sensor to save
and apply your changes. The Allowed Hosts page appears again with the host information that
you entered.
Setting the Time
This topic explains how to set the time using the IDM.
[Figure: IDM Time Settings page (Device > Sensor Setup > Time), with the Time Settings, Standard Time Zone, and NTP Server sections and the Apply Time to Sensor and Reset buttons labeled]
You can define the time, time zone, and daylight savings time (DST) for the sensor by choosing
Device > Sensor Setup > Time. The Time Settings page enables you to configure the following
settings:
Time Settings:
– Time: Enter the current time in hh:mm:ss format. Time indicates the time on the local
host. To see the current time, click the Refresh button. If you accidentally specify the
incorrect time, stored events will have the wrong time stamp and you must clear the
events.
– Date: Enter the current date in the format mm:dd:yyyy. The Date indicates the date on
the local host.
Standard Time Zone:
– Zone Name: Enter the local time zone to be displayed when summer time is not in
effect. The default value is Universal Coordinated Time (UTC).
– UTC Offset: Enter the offset in minutes from UTC (in the format mm). The default
value is 0.
NTP Server:
– Server IP: Enter the Network Time Protocol (NTP) server IP address if you are using
an NTP server to set the sensor time. If you define an NTP server, the sensor time is set
by the NTP server, and the command-line interface (CLI) clock set command will
produce an error. However, you can still set the time zone and daylight saving time
parameters.
– Key: Enter the NTP server key value if you specified an NTP server.
– Key ID: Enter the NTP server key identifier (a value from 1 to 4294967295) if you
specified an NTP server.
Daylight Savings Time:
– Enabled: Choose the Enabled check box to enable daylight saving time (DST, or
summer time). The default is Off.
– DST Zone Name: The name of the zone (1 to 32 characters of text) to be displayed
when summer time is in effect.
– Offset: The number of minutes to add during the summer time in mm format. The
default is 60 minutes.
– Start Time: The time (in hh:mm format) to apply the summer time setting. The default
is 02:00.
– Stop Time: The time (in hh:mm format) to remove the summer time setting. The
default is 02:00.
Daylight Savings Time Duration:
– Recurring: Click the Recurring radio button to indicate that summer time should start
and end on the specified days every year. The default is Off.
– Start Week/Day/Month: The week, day, and month of the year to apply summer time.
The defaults are 1, Sunday, April. Use the drop-down menus to choose the week, day,
and month.
– End Week/Day/Month: The week, day, and month of the year to remove summer time.
The defaults are last, Sunday, October. Use the drop-down menus to choose the week,
day, and month.
– Date: Click the Date radio button to indicate that summer time should start on a
specific date.
– Start: The month, date, and year to start summer time. Use the drop-down menu to
choose the month. Enter the date and year in the format mm:hh:yyyy.
– End: The month, date, and year to stop summer time. Use the drop-down menu to
choose the month. Enter the date and year in the format mm:hh:yyyy.
When you have entered the appropriate settings, you can click the Apply to Sensor button to
save the settings; otherwise reset the form, by clicking the Reset button.
Note Cisco IDS Software version 4.1 has been evaluated against the Intrusion Detection System
Protection Profile, version 1.4, February 4, 2002, using the Common Criteria Evaluation and
Validation Scheme found at http://niap.nist.gov/cc-scheme/. In the evaluated configuration,
the sensor uses internal resources for time setting and timekeeping. You cannot use an NTP
server. See Common Criteria Evaluated Configuration for more information.
If you set the time incorrectly when you first configure the options in the Time page, your
stored events will have the incorrect time because they are stamped with the time the event was
created. The eventStore time stamp is always based on UTC. If during the original sensor setup,
you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct
the error, the corrected time will be set backwards. Consequently, new events could have times
older than old events.
For example, if during the initial setup, you configure the sensor as central time with daylight
saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and
has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m.,
you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m.,
and now the clock shows 09:01:33 Central Daylight Time (CDT). Because the offset from UTC
has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates the time
stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive
of the older events by using the clear events command from the CLI.
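The scenario above, replayed in Python as an added example that is not part of the course material: it converts the wall-clock readings to the UTC stamps the eventStore would write and flags the event whose stamp runs backwards. The calendar date 2005-06-01 is constructed, since the text gives only times.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# The sensor in the text is set to central time with daylight saving time
# enabled, so its wall clock is UTC-5 (CDT) and that offset never changes.
CDT = timezone(timedelta(hours=-5), "CDT")


def event_store_stamp(local_wall_clock: datetime) -> datetime:
    """Convert a reading of the sensor's local wall clock to the UTC stamp the
    eventStore would write for an event created at that moment."""
    return local_wall_clock.astimezone(timezone.utc)


def find_regressions(stamps: List[datetime]) -> List[Tuple[int, datetime, datetime]]:
    """Scan the event store in creation order and report every event whose UTC
    stamp is earlier than the one stored just before it. A non-empty result is
    the symptom the text describes; the remedy is to clear the affected events."""
    regressions = []
    for i in range(1, len(stamps)):
        if stamps[i] < stamps[i - 1]:
            regressions.append((i, stamps[i - 1], stamps[i]))
    return regressions


def guide_example() -> List[datetime]:
    """Replay the text's scenario on a constructed date (setup on 2005-06-01)."""
    # Initial setup: 8:04 p.m. entered instead of 8:04 a.m.; clock reads 20:04:37 CDT.
    wrong_initial = datetime(2005, 6, 1, 20, 4, 37, tzinfo=CDT)
    # A week later, at 9:00 a.m. real time, the clock still reads 12 hours ahead.
    last_event_before_fix = datetime(2005, 6, 8, 21, 0, 23, tzinfo=CDT)
    # After the correction the clock reads 09:01:33 CDT on the same morning.
    first_event_after_fix = datetime(2005, 6, 8, 9, 1, 33, tzinfo=CDT)
    return [event_store_stamp(t) for t in
            (wrong_initial, last_event_before_fix, first_event_after_fix)]


if __name__ == "__main__":
    stamps = guide_example()
    for s in stamps:
        # 2005-06-02T01:04:37+00:00, 2005-06-09T02:00:23+00:00, 2005-06-08T14:01:33+00:00
        print(s.isoformat())
    for index, previous, current in find_regressions(stamps):
        print(f"event {index} stamped {current:%Y-%m-%d %H:%M:%S} UTC is older than "
              f"event {index - 1} stamped {previous:%Y-%m-%d %H:%M:%S} UTC")
```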
Creating User Accounts
This topic explains how to create user accounts using the IDM.
[Figure: IDM Users page (Device > Sensor Setup > Users), with the Select All, Deselect All, Add, Edit, Delete, and Reset buttons labeled]
Create and remove users from the local sensor by choosing Device > Sensor Setup > Users.
The Users page displays all currently configured user accounts. If you click Add in the Users
page, the Adding page appears. The Adding page enables you to add a user.
Creating User Accounts (Cont.)
[Figure: Users Adding page, with the User Name, Password, Password Again, and User Role fields and the Apply to Sensor, Cancel, and Reset buttons labeled]
Configuring Interfaces
This topic explains how to configure interfaces using the IDM.
[Figure: IDM Sensing Engine page]
You can enable an interface only if the interface belongs to an interface group. You will receive
the following error message if you attempt to enable an interface that is not part of a group:
This operation is illegal because interface, int0, does not belong to
an interface group.
An interface group provides a way to group monitoring interfaces into one logical
virtualSensor. Only Group 0 is supported. Multiple monitoring interfaces can be assigned to the
interface group at any given time, but you cannot assign the command and control interface to
the interface group.
Note Interface 0 (int0) on the Cisco IDS-4250-XL Sensor cannot be a monitoring interface
because it is used to send TCP resets.
You can add an interface to an interface group and enable an interface group by choosing
Configuration > Sensing Engine > Interface Groups. The Interface Groups page appears with
the following information displayed:
Group Number: This number specifies the logical number associated with the group. You
must use 0 for current IDS software versions.
Virtual Sensor: This item specifies the virtualSensor assigned to this group. You must use
virtualSensor for current IDS software versions. Only one virtualSensor is supported.
Alarm Channel: This item specifies the Alarm Channel assigned to this group. You must
use alarmChannel for current IDS software versions. Only one Alarm Channel is
supported.
Sensing Interfaces: This item specifies the interfaces that belong to the group. There is no
default.
Enabled: This item defines whether the group is enabled or disabled. The default is Yes.
You can enable or disable the interface group by checking the check box next to the group and
then clicking the Enable or Disable button. Add interfaces to an interface group by checking the
check box next to the group and then clicking the Edit button. If you click the Edit button, the
Editing page appears.
Configuring the Interfaces (Cont.)
[Figure: Interface Groups Editing page, with the Group Number, Virtual Sensor, Alarm Channel, and Sensing Interfaces fields and the Apply to Sensor, Cancel, and Reset buttons labeled]
In the Editing page, you can choose one or more sensing interfaces to add to the group. For
current IDS software versions, the only option you can edit is the Sensing Interfaces option. To
choose multiple interfaces, press the Ctrl key while choosing each additional interface.
Choosing the command and control interface results in an invalid configuration. Do not choose
the command and control interface as a sensing interface. The command and control interface is
interface 1 (int1) on most sensors; however, it is int0 on the router network module.
You can reset the form by clicking the Reset button; otherwise, click the Apply to Sensor
button to save and apply your changes. When you click the Apply to Sensor button, the
following message is displayed:
Configuration update in progress. This page will be unavailable for a
few minutes.
You can display the Interface Groups page and view any changes you made by choosing
Configuration > Sensing Engine > Interface Groups.
Configuring the Interfaces (Cont.)
[Figure: IDM Sensing Interfaces page (Configuration > Sensing Engine > Interfaces)]
To enable sensing interfaces, choose Configuration > Sensing Engine > Interfaces. The Sensing
Interface page lists the known interfaces and allows you to enable or disable them. The
following information is displayed:
The interface name
The device name
Whether the interface is enabled or disabled
Whether the interface is command and control or monitoring (sniffing)
Which type of interface it is (SX, TX)
To enable or disable an interface, check the check box next to the interface and click the Enable
button or click the Disable button. While the configuration is taking place the following
message is displayed:
Configuration update is in progress. This page will be unavailable for
a few minutes.
When configuration is complete, the Sensing Interface page reappears and the changes are
displayed.
Restoring Default Settings
This topic explains how to restore default settings using the IDM.
[Figure: IDM Restore Defaults page (Configuration > Restore Defaults), with the Apply to Sensor button labeled]
You can restore the default configuration to your sensor. Restoring the default configuration
removes the current application settings and restores the default settings. Your network settings
also return to the defaults and you immediately lose connection to IDM and the CLI. The
following settings, however, are not reset:
User accounts
Passwords
Time
If you need to restore the default configuration, choose Configuration > Restore Defaults.
When the Restore Defaults page appears, click the Apply to Sensor button to restore the sensor
to the default configuration.
Summary
This topic summarizes the key points discussed in this lesson.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Which of the following user account roles is a special role that allows the user to log
into a native, operating system shell rather than a CLI shell? (Source: User Accounts
and Account Roles)
A) administrator
B) operator
C) viewer
D) service
Q2) Which two of the following methods of gaining management access to a sensor require
an IP address and are enabled by default? (Choose two.) (Source: Sensor Initialization)
A) HTTPS
B) Secure Shell
C) Telnet
D) monitor and keyboard
E) console port
Q3) What four tasks can be completed using the CLI? (Source: CLI Command Modes)
______________________________________________________________________
Q4) Which five of the following CLI modes are third-level CLI modes? (Choose five.)
(Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Interface command-control configuration
D) Interface group configuration
E) Interface sensing configuration
F) Service
G) Virtual sensor configuration
H) Alarm channel configuration
I) Tune micro engines
J) Tune alarm channel
Q5) Which of the following CLI modes is where initializing the sensor and displaying
system settings are performed? (Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Interface command-control configuration
D) Interface group configuration
E) Interface sensing configuration
Q6) Which of the following CLI modes is where creating user accounts and reimaging the
application partition are performed? (Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Interface command-control configuration
D) Interface group configuration
E) Interface sensing configuration
Q7) Which of the following CLI modes is where you reset signature settings to the default
configuration? (Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Virtual sensor configuration
D) Alarm channel configuration
Q8) The eventStore time stamp is always based on CDT. (Source: Setting the Time)
A) True
B) False
Q9) There is only one command and control interface for each sensor. (Source: Configuring
Interfaces)
A) True
B) False
Q10) You can enable an interface only if the interface belongs to an interface group. (Source:
Configuring Interfaces)
A) True
B) False
Q11) When you restore the default configuration, the user accounts, passwords, and time will
need to be reset. (Source: Restoring the Default Settings)
A) True
B) False
Lesson Self-Check Answer Key
Q1) D
Q2) A, B
Q3) Sensor initialization tasks, configuration tasks, administrative tasks, and troubleshooting
Q4) C, D, E, G, H
Q5) A
Q6) B
Q7) C
Q8) B
Q9) A
Q10) A
Q11) B
Lesson 3
Overview
Cisco Security Agent (CSA) provides threat protection for server and desktop computing
systems. It helps to reduce operational costs by identifying, preventing, and eliminating known
and unknown security threats. Cisco Security Agent acts like a personal firewall and a host-based
intrusion prevention system (HIPS), providing many firewall and HIPS features including the
following:
Intrusion detection and prevention of attacks from recognized and unrecognized locations
Port blocking at inbound and outbound vulnerable ports
Buffer overflow prevention against known and unknown buffer overflow attacks
Protection against worm attacks and other suspicious email content
Application masquerade prevention and blockage of application DLL injections
Creation of an active content sandbox to isolate Java, JavaScript and ActiveX applications
utilized in potential web-based attacks
Vigilant application activity tracking that controls which application versions can run
Correlation of the local and global activities of applications
This lesson introduces the CSA and describes how you can create rules and policies to deploy
all of its features.
Objectives
Upon completing this lesson, you will be able to describe the features and functions of the
Cisco Security Agent. This ability includes being able to meet these objectives:
Describe the operation, function, positioning, endpoint security functions and features of
the CSA
Describe how the behavior-based architecture of the CSA and its INCORE technology
work to deny malicious activity before damage can be done
Match the response mechanism of each of the four CSA interceptor types to the probe,
penetrate, persist and propagate phases of an attack
Describe the two models for developing a security policy in terms of how they address
specific security threats
Describe the five steps taken to build a CSA policy
Explain how to create rules to match each level of interception
The Cisco Security Agent
This topic describes the operation, function, positioning, endpoint security functions and
features of the CSA.
Figure: The five phases of an attack and where the CSA intervenes.
1 Probe: ping addresses, scan ports, guess passwords, guess mail users
2 Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, backdoors
3 Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4 Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5 Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets
Phases 1 and 2 are labelled "Subject to Mutation"; phases 3 to 5 are labelled "Fairly Stable", and the figure marks these as the phases where "Cisco Prevents".
The CSA provides threat protection for server and desktop computing systems. These
components are also known as endpoints. The CSA identifies and prevents malicious behavior,
thereby eliminating known and unknown ("Day Zero") security risks and reducing operational
costs. The CSA aggregates and extends multiple endpoint security functions by providing host
intrusion prevention, distributed firewall capabilities, malicious mobile code protection,
operating system integrity assurance, and audit log consolidation, all within a single product.
Because the CSA analyzes behavior rather than relying on signature matching, it provides
robust protection, which further reduces operational costs.
As recent high-visibility attacks like Code Red and the Structured Query Language (SQL)
Slammer worm have shown, traditional technologies are limited in their abilities to combat the
effects of new and evolving attacks. Customers require host security that protects throughout all
stages of an attack and that provides important protection against new and unknown threats.
Assaults on network systems typically go through stages. Cisco recognizes that only a layered
approach is effective against security breaches that can occur at any stage. The CSA proactively
defends against damage to a host, throughout all stages of the attack, whereas other
technologies provide early-stage protection and only then when a signature is known. The
Cisco Security Agent is specifically designed to protect against new attacks where there is no
known signature.
All threats and attacks follow the same logical progression. The five phases of this progression
are as follows:
Probe phase: The attacker identifies vulnerable targets in this phase. The goal of this phase
is to find computers that can be subverted. Internet Control Message Protocol (ICMP) ping
scans are used to map networks, and application port scans identify operating systems and
vulnerable software. Passwords can be obtained through social engineering, a dictionary
attack, a brute-force attack, or network sniffing.
Penetrate phase: In this phase, exploit code is transferred to the vulnerable target. The
goal of this phase is to get the target to execute the exploit code via an attack vector like a
buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an e-
mail virus.
Persist phase: Once an exploit has been successfully launched into memory, the exploit
code tries to persist on the target system. The goal of this phase is to ensure that the
attacker code is running and available to the attacker even if the system reboots. The
exploit code achieves this goal by modifying system files, making registry changes,
installing new code, and so forth.
Propagate phase: After establishing a beachhead in the organization, the attacker attempts
to extend the attack to other targets. This phase looks for vulnerable neighboring machines.
Propagation vectors would include e-mailing copies of the attack to other systems,
uploading files to other systems using file shares or FTP services, active web connections,
and file transfers via Internet Relay Chat (IRC).
Paralyze phase: This is the phase in which actual damage is done to the system. Files can
be erased, systems can be crashed, information can be stolen, and DDoS attacks can be
launched.
As shown in the figure, there is a major dividing line between the penetrate phase and the
persist phase. The first two phases are subject to mutation with the attack footprint continually
changing. They are also subject to being hidden from defenses using evasion techniques
including the Unicode encoding of web strings or overlapping packet fragments. Since attack
identification at the penetrate phase requires a certain amount of interpretation in how the target
computer handles network packets, it tends to be a large generator of false alarms.
The last three stages, in contrast, are highly stable over time. There are a limited number of
malicious activities that an attacker can complete. They can modify the operating system, add a
new user account, open up an outgoing network connection, and delete files. This list has
remained remarkably stable over long time periods. For example, the Morris Worm of 1988 did
the same types of damage as the NIMDA Worm of 2001. Also, because modification of
operating system binaries is highly remarkable and unusual, it is much easier to identify attacks
accurately at these stages.
The unfortunate lesson here is that if you try to identify attacks at the early stages of the
process, each attack will look different, and you will be caught in an update race. If you look
for attacks in the final three stages of the process, attacks will look very similar to what has
been seen over the past 15 years. The best hope for true proactive security is by focusing in
depth
Cisco Security Agent Positioning
Figure: CSA positioning. Agents on the hosts report events to the CSA MC over SSL, and the administration workstation connects to the CSA MC.
The CSA is deployed as shown in the figure. There are two components in a CSA deployment:
The Cisco Security Agent Management Center (CSA MC) allows the administrator to
divide network hosts into groups by function and security requirements, and then to
configure security policies for those groups. The CSA MC can maintain a log of security
violations and send alerts via e-mail or pager. The CSA MC includes a web server, a
configuration database, and a web-based user interface.
The CSA software that is installed in the host systems (for example, workstations, laptops,
servers, and so on) across the network. This software continually monitors local system
activity and analyzes the operations of that system. The CSA takes proactive action to
block attempted malicious activity and polls the CSA MC at configurable intervals for
policy updates.
CSA is administered from any workstation connecting securely to the CSA MC using a Secure
Sockets Layer (SSL)-enabled web interface.
When an application needs access to system resources, the application makes an operating
system call to the kernel. The CSA intercepts these operating system calls and compares them
to the cached security policy. If the request does not violate policy, the request is passed to the
kernel for execution.
CSA Aggregates Multiple Endpoint Security
Functions
Security Function                  CSA   Conventional Distributed Firewall   Conventional HIDS
Desktop and laptop protection      X     X
Block incoming network requests    X     X
The CSA delivers the protection of both conventional distributed firewalls and conventional
host-based intrusion prevention systems (HIPS). The following are examples of these two
functions:
Port scan detection: The CSA network-wide correlation provides unique functionality in
the detection of distributed port scans. Low-level port scans are used by hackers to
systematically scan single ports to map a network. For example, server 1 would be scanned
on port 1, server 2 on port 2, and so on. When these scans occur, each Agent reports the
activity to the CSA MC. By correlating events from distributed Agents, the CSA MC is
able to discern that a distributed port scan is taking place.
Malicious application detection and prevention: The CSA can also catch new Trojan
horse attacks by looking for actions commonly exhibited by Trojans. These actions include
writing into the address space of other processes, making themselves invisible in the process
table, monitoring keystrokes to capture passwords, and receiving User Datagram Protocol
(UDP) packets on high-numbered ports. The CSA prevents the executable file from
executing its intrusion.
The CSA also complements traditional desktop antivirus software. For example, in the case of
an e-mail worm attack, the CSA may detect the malicious nature of the worm only after a
sequence of file, network, registry, or COM operations has occurred on at least one host. Once
detection has occurred, a report of an event is sent to the CSA MC. The CSA MC detects and
stops the malicious code at other servers and desktops by correlating the events sent from the
various distributed Agents. A policy telling all Agents not to open the offending file is created,
thus quarantining that file and preventing further damage. The result is that you are then faced
with only a few desktop machines that need to be rebuilt, rather than a whole network.
Note A personal firewall is a standalone product; a distributed firewall refers to a firewall on hosts
that are centrally managed. In both types of firewalls, the functionality occurs on the end
nodes.
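The distributed port scan correlation described in this topic, as an added illustration that is not part of the course material or of Cisco's software: a constructed set of probe events reported by five Agents, a per-Agent check that sees nothing suspicious on any single host, and a CSA MC-style correlation across Agents that recognises the same source touching one port on each server. The event fields, the thresholds and the sliding time window are assumptions of this example.

```python
"""Distributed port scan correlation, modelled on the CSA MC behaviour
described in the lesson.  Constructed example; not Cisco code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeEvent:
    agent: str        # host running the Agent that reported the probe
    source_ip: str    # address that sent the probe
    dest_port: int    # port that was probed on the reporting host
    ts: float         # seconds since an arbitrary epoch


# Constructed sample: one probe per server, a different port on each, all
# from 10.0.0.9 within two seconds.  A second source touches a single host.
SAMPLE_EVENTS = [
    ProbeEvent("server1", "10.0.0.9", 21, 100.0),
    ProbeEvent("server2", "10.0.0.9", 22, 100.4),
    ProbeEvent("server3", "10.0.0.9", 23, 100.9),
    ProbeEvent("server4", "10.0.0.9", 25, 101.3),
    ProbeEvent("server5", "10.0.0.9", 80, 101.8),
    ProbeEvent("server2", "10.0.0.77", 443, 150.0),
]


def local_port_scan(events, agent, threshold=5):
    """What a single Agent sees: distinct ports probed by each source on this
    host only.  Returns the sources that reach the local threshold (assumed
    here to be five distinct ports); a one-port-per-host scan never does."""
    ports = defaultdict(set)
    for e in events:
        if e.agent == agent:
            ports[e.source_ip].add(e.dest_port)
    return sorted(ip for ip, p in ports.items() if len(p) >= threshold)


def correlate_distributed_scans(events, min_hosts=3, window=30.0):
    """What the CSA MC sees: for each source, the distinct Agents that
    reported a probe inside a sliding time window.  A source that touches
    at least min_hosts different hosts within the window is reported as a
    distributed port scan, together with the hosts it touched."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source_ip].append(e)
    findings = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            hosts = {e.agent for e in in_window}
            if len(hosts) >= min_hosts:
                findings[ip] = sorted(hosts)
                break
    return findings
```

With the sample data, local_port_scan reports nothing for any server, while correlate_distributed_scans returns 10.0.0.9 with all five hosts; 10.0.0.77 stays below the cross-host threshold. The window keeps a slow scan spread over days from being merged with unrelated probes, which is the usual tuning knob for this kind of correlation.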
Cisco Security Agent Features
Active protection
Protects applications and operating systems against known and unknown
attacks
Provides preventive protection against entire classes of attacks including port
scans, buffer overflows, Trojan Horses, malformed packets, and e-mail worms
Uses behavior-based technology to provide "Zero Update" prevention for known
and unknown attacks
Prevents access to server resources before unauthorized activity occurs
Centralized Management
Automatic and transparent Agent deployment to up to 5000 endpoints
Active update capabilities: Security policy and software updates
propagated to Agents without operator intervention
5 to 10 percent Agent CPU overhead
The Cisco HIPS, CSA, complements the Cisco Network-based intrusion detection system by
protecting the integrity of applications and operating systems. The CSA blocks malicious
activity before damage is done. It protects against attacks including SYN floods, port scans,
buffer overflows, Trojan horses, and malformed packets. The CSA also protects against worm
attacks such as Code Red, which targets Web servers, SirCam, which targets corporate
desktops, and Nimda, which targets both. By focusing on the behavior of applications, the CSA
protects not only against known attacks such as those mentioned but also against new attacks
for which there is no known signature.
The CSA MC installation automatically builds Agent kits, so it is not necessary to log in to the
CSA MC to deploy Agents to servers or workstations. Agent kits can be deployed to up to
5,000 Agent hosts by user logon scripts, software deployment products, e-mail distribution of a
web link to an Agent kit, or software image replication. In the event that identical software
images are distributed, the CSA MC automatically ensures that each new Agent is registered
with a unique identifier.
Because the CSA offers the option for Agent kits to install silently and transparently to end
users, no end-user interaction is required. Users do not have to answer any questions, and users
cannot bypass the installation. Agents automatically register with the CSA MC after
installation, so configuration is also transparent to the end user.
Agents communicate with the CSA MC via Secure Sockets Layer (SSL) for rules updates with
no user intervention. When Agents poll into the CSA MC at a configurable time interval, any
change to the security policy is automatically propagated. Software updates are also
automatically propagated to the Agents without the need for operator intervention.
CSA events can be reported to the Cisco Security Monitor, which is a tool that captures, stores,
views, correlates, and reports on events.
The CSA does not inspect content; therefore it has a negligible impact on performance.
CSA Architecture
This topic describes how the behavior-based architecture of the CSA and its INCORE
technology work to deny malicious activity before damage can be done.
Behavior-Based Architecture
Figure: Behavior-based architecture (figure labels: Reference Model, Desktop/Server Suite, Shim, Windows and Solaris platforms).
The CSA behavior-based technology has application visibility because it resides at the kernel
level within the operating system. When an application attempts an operation, the CSA checks
the operation against the security policy for that application and makes a real-time decision to
allow or to deny the operation. Administrators can create custom policies and modify the
default CSA policies in the CSA MC. False positives are reduced because the CSA makes real-
time decisions within the context of overall application behavior.
The Intercept Correlate Rules Engine (INCORE) architecture intercepts all system calls to file,
network, Component Object Model (COM), and registry sources and then applies intelligence
to correlate the behaviors of such system calls to the security policy. This correlation and
understanding of an application behavior is what allows the software to prevent new intrusions.
INCORE enables the CSA to act as an intrusion detection and prevention agent, a file integrity
monitoring agent, and an application sandbox. (Sandboxing is a technique that prevents access
to server resources not specifically allowed by the operating system or application.)
The CSA is a HIPS that intercepts all operating system (OS), file system, configuration,
registry, and network requests to impede malicious activity. The system inserts shims into an
OS that intercept OS service requests and compares them against corporate policy. The shims
pass allowable requests to the OS for servicing and deny non-allowable requests.
The CSA also provides a network shim for monitoring traffic coming into the host. If the
network shim identifies a port scan, it might deny a response to that scan.
INCORE Technology
When an application needs access to system resources, the application makes an OS call to the
kernel. INCORE intercepts these OS calls, and compares them with a cached policy (this policy
was centrally defined on the CSA MC and downloaded by the agent when the agent polled the
CSA MC). INCORE correlates this particular OS call with others made by that application or
process, and correlates these events to detect malicious activity. If the request does not violate
policy, it is passed to the kernel for execution. If the request violates policy, it is blocked (not
passed to the kernel), an appropriate error message is passed back to the application, and an
alert is generated and sent from the agent to the CSA MC.
INCORE provides many different security capabilities using the following four types of
interceptors:
File system interceptor: All file read or write requests are intercepted and allowed or
denied based on the security policy.
Network interceptor: Network driver interface specification (NDIS) changes are
controlled and network connections are cleared through the security policy by port and IP
address pairs. The number of network connections allowed within a specified time can also
be limited to prevent denial of service (DoS) attacks.
Configuration interceptor: Read or write requests to the registry on Windows or to rc
files on UNIX are intercepted. Because modification of OS configuration is highly unusual,
it is tightly controlled by the CSA.
Execution space interceptor: This interceptor deals with maintaining the integrity of each
application's dynamic run-time environment. Requests to write to memory not owned by the
requesting application are detected and blocked by this interceptor. Attempts by one
application to inject code, such as a shared library or dynamic link library (DLL), into
another are also detected and blocked. Buffer overflow attacks are detected by this
interceptor as well. The result is that not only is the integrity of dynamic resources, such as
the file system and configuration, preserved, but the integrity of highly dynamic resources
such as memory and network I/O is also preserved.
CSA Interceptor Functionality
Security Application        Network       File System   Configuration   Execution Space
                            Interceptor   Interceptor   Interceptor     Interceptor
Distributed Firewall        X
Host Intrusion Detection    X                                           X
Application Sandbox                       X             X               X
Network Worm Prevention     X                                           X
File Integrity Monitor                    X             X
By intercepting communications between applications and the underlying system, the CSA
combines the functionality of the following traditional security approaches:
Distributed firewall: The network interceptor does the duties of a host firewall.
HIDS: The network interceptor teams with the execution space interceptor to provide the
alerting capability of a HIDS with the proactive enforcement of a security policy.
Application sandbox: An application sandbox is an execution space where suspect
programs can be run with less than normal access to system resources. This security service
is provided by a combination of the file system, configuration, and the execution space
interceptors.
Network worm prevention: The network and execution space interceptors provide Day
Zero worm prevention without a need for updates.
File integrity monitor: The file system and configuration interceptors act as a file integrity
monitor.
The default policies preconfigured on the CSA implement all of these security features.
Customers can easily create or change policies, but the default policies provide all of these
protections at once.
Attack and Interceptor Response
This topic matches the response mechanism of each of the four CSA interceptor types to the
probe, penetrate, persist and propagate phases of an attack.
Figure: Attack phases and the interceptors that respond to them on a server.
Persist phase: install new code, modify configuration
Propagate phase: attack other targets
Paralyze phase: erase files, crash system, steal data
Responding interceptors: network interceptor, file system interceptor, configuration interceptor, execution space interceptor
Malicious attacks come in thousands of varieties and new attacks are constantly being devised
to exploit newly discovered vulnerabilities. However, their basic goals have remained nearly
constant over time.
There are significant differences between the attack mechanisms used at the probe and
penetrate phases and attack mechanisms used at the persist phase. Because consistently
identifying attacks at the early phases of a newly developed exploit can be nearly impossible,
the CSA focuses on providing proactive security by controlling access to system resources.
This approach avoids the race to update defenses to keep up with the latest exploit and protects
hosts even on Day Zero of a new attack. For example, the Nimda and Slammer worms did
millions of dollars in damage to enterprises in the first day of their appearance, before updates
were even available, but the CSA stopped these attacks without any updates by identifying their
behavior as malicious.
When an application attempts to write to a file, make registry changes, or access system
resources in any way, it must make an OS call to the kernel. The CSA provides complete
enforcement of your security policy by policing these requests from applications to the kernel.
The CSA intercepts OS calls and compares them with a cached policy that is centrally defined
on the CSA MC. If the request does not violate policy, it is passed to the kernel for execution.
However, if the request does violate policy, it is blocked. An alert is then generated by the host
CSA and sent to the CSA MC.
By controlling behavior at the OS call level, the CSA blocks attacks at the persist, propagate,
and paralyze phases without the constant updates required at the probe and penetrate phases.
Selecting a Security Policy Model
This topic describes two models for developing a security policy in terms of how they address
specific security threats.
Security Policy Model   Security Policy Action
Permissive              Deny malicious actions and allow all other actions
Restrictive             Allow required actions and deny all other actions
A corporate security policy should temper business concerns with security concerns. This
policy should allow the user community to access required resources, while protecting that
community from the dangers those resources can introduce. To achieve this goal, it is crucial to
have in place a carefully planned network security policy that safeguards valuable
organizational resources and information.
Before configuring your policies, it is important to understand which network resources and
services you want to protect and which threats concern you most. The first step in planning a
security policy is identifying the resources that your user community requires to do business.
Resources could include specific applications, protocols, network servers, and web servers.
Collect this information and use it to design the main features of your policy.
Caution To maintain the integrity of the preconfigured policies shipped with the CSA MC, it is
recommended that you do not change them. If you are using preconfigured policies but want
to edit them slightly to meet the needs of your own site, you should instead create a new
policy and add that policy to the preconfigured group policy.
As you determine the network resources that are required by your user community, you can
identify some of the threats posed to those resources. For example, while putting together a
security plan, you might find it beneficial to limit access to some resources based on various
parameters such as traffic direction and allowed file types.
After examining past breaches of security, you could determine that e-mail attachments and
Internet file downloads pose the greatest threat to your network. In this case, you would want to
develop policies to diminish the danger of accessing these particular resources. Your security
plan should then incorporate policies for commonly used services such as HTTP, Post Office
Protocol Version 3 (POP3), Internet Message Access Protocol (IMAP) for e-mail, and FTP.
You could take two approaches to enforcing your security plan, depending on the immediacy of
any perceived threats and your basic corporate philosophy toward security. Both approaches are
equally valid. For example, you might choose to enforce known good behaviors and selectively
add targeted restrictions. This approach would be a more permissive security model because it
facilitates uptime, but it may be less secure. Conversely, you could decide to shut everything
down and then slowly add targeted permissions. This approach is far more restrictive and some
legitimate requests could be rejected. However, this approach may be suitable for highly
secured environments. You could also use both approaches, and choose the approach that is
suited to different groups.
Building a CSA Policy
This topic describes each of the five steps taken to build a CSA policy.
Once you know how an application works, you can begin forming a policy to protect that
application. There are five general areas that you need to address for each resource you are
protecting. By addressing the security needs of these five areas, you can configure a
well-formed policy to protect the resources that you are targeting.
When you are building a policy to protect a designated resource, refer to the following steps to
help you address each resource area:
Protect the application executables
Restrict the application processes
Protect application specific data
Permit network access as required
Protect application registry keys
You must prevent writing to the application executables themselves to maintain the integrity of
the executables. The only time that an executable should change is when you are upgrading the
application. This type of rule would prevent a Trojan from naming itself netscape.exe to
disguise itself as the Netscape executable.
Dictate what applications can and cannot do. For example, you will likely want specific
applications to write only to their own file types. To restrict an application, you must determine
the type of files needed by the application, and then restrict the application to accessing those
files only. This type of rule would prevent a buffer overrun from compromising a running
application and damaging other components on the system.
When applications are invoked, they often spawn other processes as part of the action that they
are performing. It may be desirable to place different restrictions on spawned processes.
Therefore, when you analyze an application in preparation for writing rules, the CSA MC gives
you the option of including or excluding child processes created by the original application.
You can also restrict the child processes of an application and create a rule to address only
those processes.
Restrict access to specified data by other applications. For server policies, you will want to
protect information in certain directories on the server, allowing restricted access to specific
files and blocking all outside access to other files. To correctly formulate this rule, you must
examine which other applications (if any) need to access the application data. This type of rule
would keep certain applications from retrieving sensitive data from a server, such as credit card
information or a password file.
If an application requires network connectivity, you should only enable specifically required
network services. Components that are network visible are especially vulnerable to attacks. It
is important to control what these network-accessible applications (and their spawned
processes) can do.
Restrict access to sensitive application-specific registry keys. You want to allow the specific
application to write to its own registry keys, but prevent all other applications from writing to
those registry keys.
As your security plan evolves, you can refine your policies, making them more or less granular
to keep pace with the needs of your user community. Your network system security depends on
your implementing security policies carefully, and checking to see that they work as intended.
Creating CSA Policy Rules
This topic explains how to create rules to match each level of interception.
Rules are the foundation of your security policies. Creation of each rule type requires you to
enter information specifying the desired behavior. Use the following guidelines when
developing rules:
Use file access control rules to allow or deny the operations (read, write) that the selected
applications can perform on files. Consider your needs as follows:
The action you are allowing or denying
The application attempting to access the file
The operation (read, write) attempting to act on the file
Use network access rules to control access to specified network services according to the
following:
The action that you are allowing or denying
The application that is attempting to access the service or address
The direction (client, server) of the communication
The service that a system is attempting to use
The address of the system with which to communicate
Use registry access control rules (Windows only) to allow or deny writing to specified
registry keys by selected applications according to:
The action that you are allowing or denying
The application that is attempting to write to the registry keys and values
Use Component Object Model (COM) component access control rules (Windows only) to
allow or deny access to specified COM components by selected applications according to:
The action that you are allowing or denying
The application that is accessing the COM component
Other types of policies shipped with the CSA MC provide event correlation and heuristic
features that can be enabled on a per-group basis. Examples of these features are: port scan
detection, SYN flood protection, the prevention of predictable TCP sequence numbers, and the
blocking of malformed IP packets.
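Putting together the INCORE interception flow (intercept the OS call, compare it with the cached policy, pass or block it, alert the CSA MC), the permissive and restrictive policy models, the five policy-building steps and the rule types listed in this topic, here is an added Python model of an Agent evaluating intercepted requests against a cached policy. It is not Cisco's code and does not reproduce the CSA MC rule syntax: the first-match rule ordering, the Rule and Request fields, the application name webapp.exe, the paths, the registry key and the sample requests are all constructed for the illustration.

```python
"""Agent-side policy enforcement modelled on this lesson's description of
INCORE.  Constructed example; not Cisco code.  The first matching rule wins
(an assumption of this model); with no match, the policy model's default
applies: allow for permissive, deny for restrictive."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    kind: str             # "file", "network" or "registry" (the lesson's rule types)
    action: str           # "allow" or "deny"
    application: str      # glob on the process image name
    operation: str = "*"  # file: read/write; network: client/server; registry: write
    resource: str = "*"   # file path glob, "service@address" glob, or registry key glob


@dataclass(frozen=True)
class Request:
    """One intercepted OS call: which process wants which operation on what."""
    kind: str
    application: str
    operation: str
    resource: str


@dataclass
class Policy:
    model: str            # "permissive" (default allow) or "restrictive" (default deny)
    rules: list

    def default_action(self) -> str:
        return "allow" if self.model == "permissive" else "deny"


@dataclass
class Agent:
    policy: Policy                                   # cached copy of the MC's policy
    alerts: list = field(default_factory=list)       # what would be sent to the CSA MC

    def intercept(self, req: Request) -> bool:
        """Return True to pass the call to the kernel, False to block it."""
        decision = self.policy.default_action()
        for r in self.policy.rules:
            if (r.kind == req.kind
                    and fnmatchcase(req.application, r.application)
                    and fnmatchcase(req.operation, r.operation)
                    and fnmatchcase(req.resource, r.resource)):
                decision = r.action
                break
        if decision == "deny":
            self.alerts.append(f"denied {req.kind} {req.operation} {req.resource} by {req.application}")
            return False
        return True


# Hypothetical application protected by a policy built with the five steps.
APP = "webapp.exe"
EXE_DIR = r"C:\Program Files\WebApp"
DATA_DIR = r"C:\WebApp\data"
REG_KEY = r"HKLM\SOFTWARE\WebApp"

FIVE_STEP_RULES = [
    # 1. Protect the application executables: no process may overwrite them.
    Rule("file", "deny", "*", "write", EXE_DIR + r"\*.exe"),
    # 2. Restrict the application process to writing its own file types.
    Rule("file", "allow", APP, "write", r"C:\WebApp\logs\*.log"),
    Rule("file", "allow", APP, "write", r"C:\WebApp\htdocs\*.html"),
    Rule("file", "deny", APP, "write", "*"),
    # 3. Protect application-specific data from every other application.
    Rule("file", "allow", APP, "read", DATA_DIR + r"\*"),
    Rule("file", "deny", "*", "read", DATA_DIR + r"\*"),
    # 4. Permit network access only as required: serve HTTP, nothing else.
    Rule("network", "allow", APP, "server", "tcp/80@*"),
    Rule("network", "deny", APP, "*", "*"),
    # 5. Protect the application's registry keys from other writers.
    Rule("registry", "allow", APP, "write", REG_KEY + r"\*"),
    Rule("registry", "deny", "*", "write", REG_KEY + r"\*"),
]

# Constructed requests, one per behaviour the lesson wants a policy to decide.
SAMPLE_REQUESTS = {
    "trojan overwrites exe": Request("file", "dropper.exe", "write", EXE_DIR + r"\webapp.exe"),
    "app writes its log":    Request("file", APP, "write", r"C:\WebApp\logs\access.log"),
    "app writes system32":   Request("file", APP, "write", r"C:\Windows\system32\evil.dll"),
    "other app reads data":  Request("file", "notepad.exe", "read", DATA_DIR + r"\cards.db"),
    "app serves http":       Request("network", APP, "server", "tcp/80@0.0.0.0"),
    "app opens irc client":  Request("network", APP, "client", "tcp/6667@203.0.113.5"),
    "app writes own key":    Request("registry", APP, "write", REG_KEY + r"\Port"),
    "other app writes key":  Request("registry", "installer.exe", "write", REG_KEY + r"\Port"),
    "unlisted request":      Request("file", "calc.exe", "read", r"C:\Temp\notes.txt"),
}


def evaluate(model: str):
    """Run the sample requests through an Agent holding the five-step policy
    under the given model; return (decision per label, alerts raised)."""
    agent = Agent(Policy(model, FIVE_STEP_RULES))
    decisions = {label: agent.intercept(req) for label, req in SAMPLE_REQUESTS.items()}
    return decisions, agent.alerts
```

Under the restrictive model the only requests that reach the kernel are the application writing its own log, serving HTTP and writing its own registry key; the executable overwrite, the write outside its file types (what a buffer overrun in the process would attempt), the foreign read of the data directory, the outbound IRC client connection and the foreign registry write are all blocked and each produces an alert. Switching the same rules to the permissive model changes exactly one outcome, the unlisted calc.exe read, which is the uptime-versus-security trade-off the two models describe.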
Summary
This topic summarizes the key points discussed in this lesson.
Summary
CSA provides threat protection for endpoints. Attacks progress
through five logical phases. The two components in a CSA
deployment are the CSA and the CSA MC.
CSA behavior-based technology and INCORE architecture
eliminates known and unknown security risks before damage
can be done.
CSA uses file system, network, registry and execution space
interceptors to stop malicious activity.
Interceptors respond to each of the probe, penetrate, persist and
propagate phases of an attack.
Security policies can be developed by balancing permissive and
restrictive models according to the threat.
CSA policies are built following a best practice methodology.
Rules are created to meet the requirements of each interception
level.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Describe the difference in stability between the first two phases and the last three
phases in a network attack. (Source: The Cisco Security Agent)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Q2) What are the two components in a CSA deployment? (Source: The Cisco Security
Agent)
Q3) Which five of the following security functions are provided by the CSA but not by a
conventional distributed firewall? (Choose five.) (Source: The Cisco Security Agent)
A) detect or prevent malicious applications
B) block incoming network requests
C) block outgoing network requests
D) stateful packet analysis
E) detect or prevent unauthorized file modification
F) detect or block network DoS attacks
G) desktop and laptop protection
H) detect or prevent known buffer overflows
I) detect or prevent unknown buffer overflows
J) detect or block port scans
K) operating system lockdown
Q4) Which six of the following security functions are provided by the CSA but not by a
conventional HIDS? (Choose six.) (Source: The Cisco Security Agent)
A) detect or prevent malicious applications
B) block incoming network requests
C) block outgoing network requests
D) stateful packet analysis
E) detect or prevent unauthorized file modification
F) detect or block network DoS attacks
G) desktop and laptop protection
H) detect or prevent known buffer overflows
I) detect or prevent unknown buffer overflows
J) detect or block port scans
K) operating system lockdown
Q5) What four types of interceptors does INCORE use to provide security? (Source: CSA
Interceptors)
______________________________________________________________________
Q6) Describe three approaches you can take to enforce a security plan. (Source: Selecting
Security Policy Models)
______________________________________________________________________
______________________________________________________________________
Q7) Which of the following access rules would guide a policy regarding the network
service a system is attempting to use? (Source: Creating CSA Policy Rules)
A) file access
B) network access
C) registry
D) Windows COM components
Lesson Self-Check Answer Key
Q1) The first two phases are subject to mutation with the attack footprint continually changing. They are also
subject to being hidden from defenses using evasion techniques including the Unicode encoding of web
strings or overlapping packet fragments. The last three stages, in contrast, are highly stable over time.
There are a limited number of malicious activities that an attacker can complete.
Q3) A, E, H, I, K
Q4) B, C, D, F, G, J
Q5) File system interceptor, network interceptor, configuration or registry interceptor, and execution space
interceptor.
Q6) Permissive security model: You might choose to enforce known good behaviors and selectively add
targeted restrictions. This approach would be a more permissive security model.
Restrictive security model: You could decide to shut everything down and then slowly add targeted
permissions. This approach is far more restrictive and some legitimate requests could be rejected, but it
may be suitable for highly secured environments.
Both models: You could use both approaches, choosing the approach suited to different groups.
Q7) B
Lesson 4
Overview
The Cisco Security Agent Management Center (CSA MC) is one of many components of
CiscoWorks VPN/Security Management Solution (VMS). CSA MC provides a central means
of defining and distributing policies, providing software updates, and maintaining
communications to the Cisco Security Agent (CSA) distributed across your network.
This topic describes how to use the CSA MC to build, distribute and manage CSA.
Objectives
Upon completion of this lesson, you will be able to manage host-based intrusion prevention
policies across the network with the CSA MC. This ability includes being able to meet these
objectives:
Describe the function and supporting architecture of the CSA MC
Describe how CSA MC is configured across a network
Explain how to use the CSA MC interface to configure and administer the CSA database
Describe how to install the CSA on host devices
Explain how groups are created to ease host management and security policy deployment
Explain how to build an Agent kit for a newly created group
Explain how to manage hosts by modifying group membership
Introducing Cisco Security Agent Management
Center
This topic describes the function and supporting architecture of the CSA MC.
The CSA MC provides all management functions for all Agents in a centralized manner, from
the CiscoWorks VMS platform. Its role-based, browser-based, manage-from-anywhere access
makes it easy for administrators to create Agent software distribution packages, create or
modify security policies, monitor alerts, or generate reports. Because the CSA MC ships with
more than 20 fully configured default policies, administrators find it easy to deploy thousands
of Agents across the enterprise. The manager also allows customers to deploy Agents in IDS
Mode (promiscuous), in which intrusive activity is alerted on but not blocked.
CSA MC offers simple but powerful customization capabilities and includes a tuning wizard
that allows administrators to quickly fit default policies to their environment. Administrators
can easily modify rules or create entirely new rules to meet custom needs and requirements. To
aid audit compliance requirements, an explain rules feature prints out a description of what
specified rules or policies do.
Agents are deployed to servers and desktops directly from CSA MC, and are controlled and
updated from there. Each Agent operates autonomously if communications with the CSA MC
is not possible. For example, if a remote laptop user has not yet connected via the VPN the
Agent continues to enforce the security policy. All security alerts are cached by the Agent and
uploaded to the manager when communications are restored.
CSA MC Architecture
Figure: CSA MC architecture (web browser connecting over SSL to the configuration manager, database server and report generator).
The CSA MC architectural model consists of a central management center that maintains a
database of policies and of the system nodes (desktops and servers) that have CSA software
installed. When an Agent registers with the CSA MC, the CSA MC checks its configuration
database for a record of the system. When the system is found and authenticated, the CSA MC
deploys the policy configured for that particular system or group of systems. The CSA software
then continually monitors local system activity and polls the CSA MC for policy updates at
configurable intervals. The CSA software also sends triggered event alerts to the CSA MC
global event manager. The global event manager examines system event logs and, based on that
examination, may trigger an alert notification to the administrator or cause the Agent to take a
particular action.
Product Deployment
Figure: product deployment (CSA MC managed by a network administrator with a web browser).
CSA MC Configuration Roadmap
This topic describes how CSA MC is configured across a network.
Step Details
Install CSA MC Installation includes both CSA MC and CSA kit creation features.
Create groups These groups remain empty until the agents register. Use these
group classifications when creating agent kits. Agents download
kits for their specific group.
Build and distribute agent kits Build kits according to the groups you have configured. Provide
the URL to the host systems instructing them to download kits for
their specific group(s).
Configure policies Create rules and use them to build policies. Configure a common
variable to use for creating rules.
Attach policies to groups Policies are configured by combining access control rules and/or
system correlation rules under a common name. That policy name
is then attached to a group of hosts and it uses the rules that
comprise the policy to control the actions that are allowed and
denied on those hosts.
Generate rules Make a final check of all modifications and launch the generate
tool.
A review of the configuration road map helps develop an understanding of the CSA MC
operation. The figure illustrates the CSA MC configuration roadmap.
There are several elements you must configure to create the policies that are distributed to the
Agents. First, you must configure host groups and create CSA kits. Once Agents are installed
on systems throughout your network, they register with CSA MC. Once this occurs they are
automatically placed into their assigned groups. When you generate rules, Agents receive the
policies intended for them.
The CSA MC Interface
This topic explains how to use the CSA MC interface to configure and administer the CSA
database.
CSA MC Interface
All Cisco Security Agent policies are configured and deployed through the CSA MC web-
based user interface. CSA MC also provides a reporting tool to generate reports with varying
views of network health and status. The HTML web-based user interface allows an
administrator to access CSA MC from any machine with a web browser that can reach the
CSA MC over the network. The CSA MC provides a menu bar for easy navigation among the
administrator configuration task items. Configuration items are displayed in drop-down menus
that appear when you move the mouse over a category in the menu bar. When you click on an
item, the properties and status for that item are displayed.
CSA MC supports editing of the database by multiple administrators and provides role-based
administration, allowing some administrators to edit configurations while others can only
monitor status. Administrators must identify themselves and authenticate to CiscoWorks before
they can access any CSA MC configuration data. The web-based user interface provides secure
access to the database from anywhere on the network. All changes to the database are logged;
the logged information includes a summary description of the modification, the time the
changes were made, and the identity of the administrator who made the changes.
Menu Bar
The menu bar at the top of the CSA MC window provides links to all configuration windows
and list views. Arrows indicate that there are subcategories that you can choose. The
subcategories appear when you move the mouse over the main item. The configuration options
available from each menu bar item are as follows:
Monitor: This list provides tools for viewing system status and log files. You can also set
alerts and alert parameters from here.
Systems: This list lets you configure the groups where Agent host systems are placed when
they register with the CSA MC.
Configuration: This list allows you to access most of the windows you need to configure
your policies for Agents. This list provides links to the rule windows you use to develop
your policies, as well as links to application classes and variables. Variables such as file
sets and network addresses are the building blocks for policies. Variables are accessible
from the cascading menu that appears when you move your mouse over the Variables
option in the Configuration drop-down list.
Maintenance: This list lets you build Agent kits, import and export configuration files,
distribute software updates, and back up your database configuration. When you move your
mouse over the Export/Import and Software Updates options, you can choose further
options from the cascading menus that appear.
Reports: This list lets you generate reports by categories such as event severity level, by
the group or groups that generated the event, or by individual host systems.
Profiler: This list lets you configure analysis jobs for the purpose of analyzing applications
and creating policies.
Search: Use the options in this list to search for a specific configuration item in the CSA MC
database. You can specify a search of Hosts, Groups, Policies, Rules, Variables,
Application Classes, or All, by choosing one of those options from the Search drop-down
list. Each option has its own search criteria.
CSA MC Button Frame: Creating, Saving, and Deleting Data
All CSA MC action items appear in a frame at the bottom of the CSA MC window. The buttons
in this frame change in accordance with the actions available for the window that you are
viewing. Available CSA MC buttons and links are as follows:
Generate rules (pending changes): When you are ready to deploy your configuration
(policies, rules, variables, and so on) to systems, you must click this link in the button
frame to view and then generate all pending database changes. In most list view windows
in the CSA MC, there are New, Clone, and Delete buttons. (Clone is not present in all list
view windows because you can clone only certain configurations.)
New: Use the New button to create a new configuration item within the list view you have
chosen. Click the New button, and a new item appears in the list view. Click the new item
link to access the configuration window for that item.
Clone: Use the Clone button in conjunction with the check boxes beside each list view
item. To clone a particular configuration, click its check box and then click the Clone
button. You can clone one item at a time. New links to the cloned configurations appear in
the list view. When you clone an item that refers to variables, such as a policy whose rules
use file sets or network services, the clone uses the same variables as the original. The
variables themselves are not cloned.
Delete: Use the Delete button in conjunction with the check boxes beside each list view
item. To delete a configuration, click its check box (you can click several at once) and then
click the Delete button. All checked items are deleted. To quickly choose all check boxes,
click the top check box in the list view heading bar. Clicking the Delete button then deletes
all items.
Save: When you enter configuration information, whether you are entering new data or
editing existing data, you must click the Save button to save your configuration in the CSA
MC database after you have finished. If you do not click Save before moving to another
window in the CSA MC, your data is lost. Although your information is stored in the
database when you click Save, it is not distributed to the Agents across your network until
you generate rules.
Compare: Policies, Variables, and Application Classes provide a Compare button in their
list views. When you click the check boxes next to two items, (you cannot compare more
than two configurations at a time) and click the Compare button, the CSA MC displays the
configurations side by side and highlights the differences in red. After you have examined
how the configurations compare, you can choose to merge them. The purpose of the
Compare tool is to assist you after you have imported configurations or upgraded the CSA
MC. These processes can cause you to have duplicate or very similar configuration items.
Comparing and merging configurations can help you to consolidate duplicate items more
easily.
Tip: Right-click on a CSA MC window to display a shortcut menu for the tasks provided by
the buttons on that window and for additional configuration tasks that are less easily reached
from your current window.
Installing CSA on Host Devices
This topic describes how to install the CSA on host devices.
The following are the basic steps required for configuring a host with CSA MC:
Step 5 Install CSA on the host: The local administrator enters the Agent kit URL and
follows the prompts.
CSA default Agent kits, groups, policies, and configuration variables are designed to provide a
high level of security coverage for desktops and servers. These default Agent kits, groups,
policies, and configuration variables cannot anticipate all possible local security policy
requirements specified by the management of an organization, nor can they anticipate all local
combinations of application usage patterns. It is recommended that you deploy CSA using the
default configurations and then monitor and tune it for your environment.
Logging in to CiscoWorks
Figure: CiscoWorks login screen (Name and Password fields).
When the installation is complete and the system has rebooted, the CSA MC interface is
available on the local system that hosts it. You can open the CiscoWorks software GUI by
choosing Start>Programs>CiscoWorks>CiscoWorks. The next step is to log in to CiscoWorks.
Administrators can have different levels of CSA MC database access privileges. The initial
administrator created by the CiscoWorks installation automatically has configuration
privileges.
Initiating Secure Communications
The CSA MC uses SSL to secure all communications locally and remotely to the CSA MC user
interface. All configuration data travels over secure channels regardless of the location of the
CSA MC host system.
During installation, the CSA MC generates private and public keys that are used for secure
communications between any system accessing the CSA MC user interface and the CSA MC
itself. To access the CSA MC user interface from CiscoWorks, you must have SSL enabled in
CiscoWorks for the connection to be allowed.
Caution SSL is enabled during the installation of the CSA MC. Do not disable SSL under
CiscoWorks, or the CiscoWorks management console can become inaccessible.
Note When your browser connects to the server, it receives the server certificate. You are then
prompted to accept this certificate. It is recommended that you import the certificate into
your local certificate database so that you are not prompted to accept the certificate each
time that you log in.
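The Note above tells the administrator to accept the certificate the browser presents and import it locally. The moment of first acceptance is exactly where a self-signed certificate gives an on-path attacker a chance to substitute their own, so a practitioner records the fingerprint the first time it is seen (ideally comparing it against one read directly on the CSA MC host) and refuses any later connection that presents a different certificate. The Python below is an added example, not part of this course or of CiscoWorks. It assumes the CSA MC listens on TCP port 1741 as the URL in the next topic shows; the pin store file name is an assumption, and the host name is the one used in the figures.

```python
"""Trust-on-first-use pinning of the CSA MC server certificate (added example).

The CSA MC certificate is self-signed, so normal CA validation cannot be used.
Instead the SHA-256 fingerprint of the certificate is recorded when first seen and
every later connection must present the same certificate.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

CSAMC_PORT = 1741                      # from the https://<host>:1741 URL on this page
PIN_STORE = Path("csamc_pins.json")    # assumption: where recorded fingerprints live


class PinMismatch(Exception):
    """Raised when a host presents a certificate other than the one pinned."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex, as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, host: str, port: int, der_cert: bytes) -> str:
    """Record the fingerprint on first sight; afterwards insist that it matches.

    Returns "pinned" when a new entry was created and "ok" on a match.
    """
    key = f"{host}:{port}"
    seen = fingerprint(der_cert)
    if key not in store:
        store[key] = seen
        return "pinned"
    if store[key] != seen:
        raise PinMismatch(f"{key}: pinned {store[key]} but server presented {seen}")
    return "ok"


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_server_cert(host: str, port: int = CSAMC_PORT, timeout: float = 5.0) -> bytes:
    """Return the server's certificate in DER form without CA validation.

    CA validation is disabled on purpose: a self-signed certificate would always
    fail it. Trust is decided by check_pin(), not by this handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_csamc(host: str, port: int = CSAMC_PORT, store_path: Path = PIN_STORE) -> str:
    """Connect, compare against the pin store, persist a first-seen fingerprint."""
    store = load_store(store_path)
    result = check_pin(store, host, port, fetch_server_cert(host, port))
    save_store(store_path, store)
    return result


if __name__ == "__main__":
    # "stormcenter" is the CiscoWorks host name used in the figures of this lesson.
    try:
        print(verify_csamc("stormcenter"))
    except PinMismatch as exc:
        print("REFUSING TO CONNECT:", exc)
```

On the first run the script prints `pinned`; compare the fingerprint it wrote to the store with the one displayed on the CSA MC host before logging in. A later `PinMismatch` means either the CSA MC certificate was legitimately regenerated (for example after a reinstall) or something between you and the server is presenting its own certificate; in both cases stop and confirm out of band rather than clicking through the browser prompt.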
Accessing the CSA MC Interface
To access the CSA MC interface on the system running CiscoWorks, choose the VPN/Security
Management Solution>Management Center>Security Agents option as shown in the figure.
To access the CSA MC from a remote system, launch a browser on the remote host and enter
the following URL: https://(ciscoworks system hostname):1741. In the figure, the host name is
stormcenter. Then, log into CiscoWorks and choose the VPN/Security Management
Solution>Management Center>Security Agents option.
Selecting a Default Group
Host groups reduce the administrative burden of managing a large number of Agents. Grouping
hosts together lets you apply the same policy to hosts with similar security requirements. A
group is the only element required to build Agent kits. When hosts register with the CSA MC,
they are automatically put into their assigned group or groups. Once hosts are registered, you
can edit their grouping at any time.
In the Quick Start configuration example used in this lesson, you will use the Web Servers for
Windows group. The Web Servers group requires no additional configuration, but you can
examine the preconfigured policies of this Windows default group by choosing Systems>Groups
and clicking the Web Servers link as shown in the figure.
Selecting a Default Group (Cont.)
The Systems>Groups>Web Servers window displays deployment configuration options and the
policies attached to this group.
Note CSA MC ships with preconfigured Agent kits you can use if they meet your initial needs
(accessible by choosing Maintenance>Agent Kits in the menu bar). CSA MC includes
prebuilt kits for desktops, servers, intrusion detection system (IDS) servers, and CSA MCs.
These kits place hosts in the corresponding groups and enforce the associated policies of
each group.
Caution It is recommended that you allow the installation program to install the preconfigured CSA
MC Agent kit on the CSA MC system. The installation program provides the appropriate
security policies for protecting the CSA MC.
Sending Agent Kit URL to Host
You can obtain the Agent kit URL for the Web Servers group by choosing Maintenance>Agent
Kits and then clicking the Web_Server_V4.0.0.119 name in the lower (for Windows) box.
Sending Agent Kit URL to Host (Cont.)
You can distribute this URL via e-mail to the host systems for which the kit is designated. Host
systems access the URL to download and then install the kit. This is the recommended method
of Agent kit distribution. However, you may also point users to a URL on the CiscoWorks
system. The CiscoWorks URL (http://<ciscoworks system name>/csamc/kits) lets them see all
the kits that are available.
If you are pointing users to the agent kit URL and you have multiple Agent kits listed there, be
sure to tell users which kits to download.
Note If you type the URL rather than cutting and pasting it, remember that the spaces that appear
between the characters in the URL are actually underscore characters.
Installing CSA on a Host
You must have local administrator privileges to install CSA on a host. To begin installation,
enter the Agent kit URL in your browser or click Start>Run and enter the URL on the run line.
A succession of alert messages may open. Click the Yes and Open buttons to proceed with the
installation.
Once you successfully download and install Agents, the system informs you that it will reboot
in 2 minutes. When the system restarts, the Agent service starts immediately, and the flag icon
appears in the system tray. At this time, the Agent automatically and transparently registers
with the CSA MC. The Agent is now ready to receive rules and begin protecting the host.
Agent User Interface
To open the Agent user interface, end users can double-click the flag icon in their system trays.
The user interface opens on the desktop. Most fields are read-only status displays.
You can view successfully registered hosts by choosing Systems>Hosts from the menu bar on
the CSA MC.
Creating Groups
This topic explains how to create groups to ease host management and security policy
deployment.
Figure: components of an Agent kit (variables, application classes and actions form rules; rules form policies; policies attach to groups; groups and the optional network shim go into the kit installed on hosts).
The figure illustrates the components that work together to create Agent kits. The components
are described as follows:
Variables, Application Classes, and Actions: These elements are combined to create
rules.
Rules: Rules contain variables, application classes, and actions and are combined to form
policies.
Policies: Policies contain rules and are applied to a group or multiple groups.
Groups: Groups contain associations with policies and can accept hosts as members.
Agent Kits: Agent kits contain groups and (optionally) the network shim. Agent kits are
deployed to hosts to install the CSA software and all of the policies and rules that have
been built into them.
Configuring Groups
Figure: Desktops group, Web Servers group and Mail Servers group, each with its own group policies.
System hosts across your network, including mobile systems in the field, must download CSA
software and register with CSA MC to receive the security policies configured for them. Place
hosts into common groups to streamline the process of assigning policies to several hosts at
once. Using groups can reduce the administrative burden of managing a large number of
Agents.
In order to place hosts into groups, you must first analyze the security needs of each host
system and map out a security plan. Hosts with similar requirements can then be grouped
together.
CSA MC ships with several preconfigured groups you can use. If the included groups do not
suit your needs, use the instructions in this lesson to configure new groups or to edit existing
ones.
Advantages to Forming Hosts into Groups
Grouping Criteria
Hosts can be grouped together based on many different criteria. Some possible criteria are as
follows:
System function: For example, you can create a security policy that corresponds
specifically to the needs of your Web servers, and distribute it to that group.
Business group: You can distribute policies based on the needs of each business group,
such as finance, operations, or marketing.
Geographical or topological location: For reporting purposes, you can group hosts based
on their subnet, office, or data center location.
Importance to your enterprise: You can place mission-critical systems into a common
group that can receive critical alert-level configurations.
Note Hosts may belong to multiple groups and automatically receive policies that are attached to
every group to which they belong. You can add hosts to a group or remove them at any
time. However, the policy configuration of a host that is moved to another group will not take
effect until you generate your rule programs and distribute them.
Groups Window
When hosts across your network download and install Agent kits, they automatically and
transparently register with the CSA MC. Hosts inherit membership to the groups that were
associated with the Agent kit that they installed.
The first step to configure a group is to choose Systems>Groups from the main menu bar. A list
of existing groups is displayed in the left column of the window. Clicking the New button
allows you to create a new group entry. (This group is empty until hosts install Agents and
register.)
Note If you have All designated as the operating system type for your administrator session, you
are prompted to choose whether this is a Windows or a UNIX group. You cannot combine
UNIX and Windows hosts in the same group.
Groups Configuration Window
Step 1 Provide a unique name for this group of hosts. Names are case insensitive, must start
with an alphabetic character, can be up to 64 characters long, and can include
alphanumeric characters, spaces, hyphens, and underscores. A naming convention
that lets you quickly recognize groups in the CSA MC group list view makes
management easier.
Step 2 The description line helps to identify this particular group. You can click the
+Detailed link if you wish to enter a longer description.
Step 3 (Optional) Check the Test Mode check box for this group if you want to test the
effect of this policy.
Caution In test mode, the CSA will not deny any action even if an associated policy says it should be
denied. Instead, the Agent will allow the action but log an event (if logging is chosen for the
rule). This feature helps you to understand the impact of deploying a policy on a host before
it is enforced.
Groups Configuration Window (Cont.)
Step 4 (Optional) Check the Verbose logging mode check box if you want to change the
event log timer to log all recurring events rather than suppressing duplicates.
Step 5 (Optional) Check the No user interaction check box (available on Windows groups
only) if you do not want end users to interact with the Agent through its local user
interface (clearing the cache, polling, and self-protection and rule queries). Checking
this box ensures that no Agent user interface or query popup windows appear on
end-user systems.
Note To restrict end users from fully interacting with the Agent, you could combine the No user
interaction check box with using the Agent service control rule and the quiet software update
capability.
Step 6 (Optional) You can change the default polling interval from 600 seconds (10
minutes) to any value between 10 seconds and 86,400 seconds. This setting controls
how often Agents in this group poll the CSA MC for policy updates. Shortening the
polling time can be useful when you are trying out new policies.
Note If you change the polling interval for a group, that new interval time will not take effect until
the host polls in again for new rules. Therefore, it may take as long as the previous polling
interval setting before hosts begin polling using the new setting.
Step 7 When you have entered all required information, click the Save button to save your
group in the CSA MC database. After you have attached policies to specific groups,
the configuration window for the group displays a table listing all the rules, in order
of precedence, that are applied to that group. From this table, you can navigate to
those rules and policies.
The No User Interaction Check Box
Clicking the No user interaction check box for a group has the following effects:
Software updates:
Not automatic: A popup window still prompts the user to install updates. The user
must click the OK button in the popup window to begin the update, and the popup
window remains on the screen until the user performs the update.
Automatic: Update behavior is unchanged.
When no Agent interface is present, no query user popup windows are displayed. The
default value is taken immediately on all query user rules and heuristics in the assigned
policies. The default value of allow or deny is taken on all query user access control rules
and the default value of terminate or no is taken on all heuristics (Trojan detection, network
worm, and so on) unless specific application-class exceptions are made for heuristic rules.
No popup windows provide messages to inform users that actions have been denied and
why.
The user does not have the ability to clear the cache or re-enable logging.
The user cannot initiate fast polling.
No end-user contact information can be sent to CSA MC.
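The pieces introduced under Creating Groups (variables, application classes and actions form rules; rules form policies; policies attach to groups; a host in several groups receives the policies of all of them), the Test Mode caution and the No user interaction behaviour above all shape what an Agent finally does with a single action. The following Python model is added here as an illustration and is not Cisco code. Because the page does not define them, it assumes that a rule matches when its application class, operation and resource pattern all match, that a host's effective rule list is the union of its groups' rules in the order listed, and that the first matching rule decides; the `default_action` parameter stands for the permissive (allow) versus restrictive (deny) model from the answer key. All rule, variable, group and host names are constructed.

```python
"""Toy model of CSA MC policy composition and enforcement modes (added example).

  variables + application classes + actions -> rules -> policies -> groups -> hosts

Assumptions not stated on the page: a rule matches on application class, operation
and resource together; a host's effective rules are the union over its groups in
listed order; the first matching rule decides.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    app_class: str                 # application class; "*" means any application
    operations: Tuple[str, ...]    # e.g. ("read", "write"), ("connect",), ("listen",)
    resources: Tuple[str, ...]     # a variable: file set or network service set
    action: str                    # "allow", "deny" or "query" (ask the user)
    query_default: str = "deny"    # value taken when nobody can answer the query
    log: bool = True


@dataclass
class Policy:
    name: str
    rules: List[Rule]


@dataclass
class Group:
    name: str
    policies: List[Policy]
    test_mode: bool = False            # page: the Agent logs but never denies
    no_user_interaction: bool = False  # page: query rules take their default value


@dataclass
class Host:
    name: str
    groups: List[Group]


@dataclass
class Decision:
    action: str
    rule: Optional[str]
    logged: bool
    note: str


def effective_rules(host: Host) -> List[Tuple[Rule, Group]]:
    """Union of the rules attached through every group the host belongs to."""
    seen, out = set(), []
    for group in host.groups:
        for policy in group.policies:
            for rule in policy.rules:
                if rule.name not in seen:
                    seen.add(rule.name)
                    out.append((rule, group))
    return out


def matches(rule: Rule, app: str, operation: str, resource: str) -> bool:
    return ((rule.app_class == "*" or rule.app_class == app)
            and operation in rule.operations
            and any(fnmatchcase(resource, pat) for pat in rule.resources))


def evaluate(host: Host, app: str, operation: str, resource: str,
             user_present: bool = True, default_action: str = "allow") -> Decision:
    """default_action="allow" is the permissive model, "deny" the restrictive one."""
    quiet = any(g.no_user_interaction for g in host.groups)
    for rule, group in effective_rules(host):
        if not matches(rule, app, operation, resource):
            continue
        action, note = rule.action, ""
        if action == "query":
            if quiet or not user_present:
                action, note = rule.query_default, "query answered with its default value"
            else:
                note = "user prompted"
        if action == "deny" and group.test_mode:
            # Test mode: the action goes ahead, but the event is logged for tuning.
            return Decision("allow", rule.name, True, "TEST MODE: would have been denied")
        return Decision(action, rule.name, rule.log, note)
    return Decision(default_action, None, False, "no matching rule")


# Constructed sample configuration (names are illustrative, not CSA defaults).
WEBROOT = (r"C:\inetpub\wwwroot\*",)
SYSTEM_FILES = (r"C:\Windows\System32\*",)
WEB_PORTS = ("tcp/80", "tcp/443")
ANY_TCP = ("tcp/*",)

web_policy = Policy("Web Server", [
    Rule("web_read", "iis", ("read",), WEBROOT, "allow", log=False),
    Rule("web_listen", "iis", ("listen",), WEB_PORTS, "allow", log=False),
])
lockdown = Policy("OS Lockdown", [Rule("protect_system", "*", ("write",), SYSTEM_FILES, "deny")])
net_policy = Policy("Outbound Query", [Rule("net_query", "*", ("connect",), ANY_TCP, "query")])

web_servers = Group("Web Servers", [web_policy, net_policy])
all_windows = Group("All Windows", [lockdown])
pilot = Group("Pilot", [lockdown, net_policy], test_mode=True, no_user_interaction=True)

web1 = Host("web1", [web_servers, all_windows])   # inherits rules from both groups
kiosk = Host("kiosk", [pilot])

if __name__ == "__main__":
    for args in [(web1, "iis", "read", r"C:\inetpub\wwwroot\index.html"),
                 (web1, "iis", "write", r"C:\Windows\System32\evil.dll"),
                 (web1, "notepad", "connect", "tcp/4444", False),
                 (kiosk, "notepad", "write", r"C:\Windows\System32\evil.dll")]:
        print(args[1:], evaluate(*args))
```

Running the block prints one decision per sample action: web1 is denied the System32 write by a rule it inherits through its second group, the kiosk in the test-mode group has the same write allowed but logged, and a query rule on a host with no Agent interface falls straight to its default value instead of waiting for a popup that will never appear.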
Building an Agent Kit
This topic explains how to build an Agent kit for a newly created group.
The CSA MC allows the creation of custom CSA installation kits that greatly reduce the
administrative burden of deploying CSA software to new systems. At the time you create the
Agent kit, it can be associated with one or more groups. The particular Agent kit that a host
installs determines its initial group placement. You can create as many Agent kits as necessary
to distribute your policies to targeted hosts.
After a kit is installed on a host, the Agent running on that host registers itself with the CSA
MC. The CSA MC then automatically places the host in the groups that were associated with
the installed kit.
Note The CSA MC ships with preconfigured Agent kits that you can use if they meet your initial
needs. There are prebuilt kits for desktops, servers, and many more. These kits place hosts
in the corresponding groups and enforce the associated policies of each group. (If you use a
preconfigured Agent kit, you do not have to build your own kit.)
Step 1 Choose Maintenance>Agent Kits from the main menu bar. The Agent kits that
were preconfigured or that have been added are displayed.
Step 2 Click the New button to create a new Agent kit.
Building an Agent Kit (Cont.)
In the Agent kit configuration window, enter a name for this kit in the Name field. You must
use a unique name without spaces. A well-designed naming convention will make it
easier to recognize Agent kits.
Enter a description in the Description field. The description is an optional line of text that is
displayed in the Agent kit list view and helps you to identify this particular kit.
Choose the group or groups that will download and install this kit from the Select the groups
with which this kit should be associated pane. To choose multiple items in a list,
press the Ctrl key as you choose each item. To deselect a single item, press the Ctrl
key when you click that item. Press the Shift key when you click an item to choose
multiple successive items.
Building an Agent Kit (Cont.)
Step 3 Choose whether or not to have Agents install quietly on end-user systems (Windows
only). Check the Quiet Install check box to require users to download the self-
extracting executable; no prompts appear and the user is not required to enter any
information or choose any options. Leaving the Quiet Install check box cleared also
requires users to download the self-extracting executable, but users are then
prompted for installation options, such as enabling the network shim, and the reboot
prompt.
Step 4 For Windows Agent kits, if you choose Quiet Install, you can also choose whether
or not the network shim is installed during the installation.
Caution In some circumstances, you may not want users to enable the network shim on their
systems as part of the Agent installation. For example, if users have virtual private network
(VPN) software or a personal firewall installed on their systems, the network shim port scan
detection, SYN flood protection, and malformed packet detection capabilities may not be
needed. To allow users to enable the network shim installation, create kits without checking
the Quiet Install check box. Not enabling the network shim does not mean that network
access control rules will not work. It only means that the system hardening features are not
enabled.
Step 5 If you choose Quiet Install, you can also choose whether the system is automatically
rebooted once the installation is complete. (Even if an end user is present when the
installation is finished, this reboot cannot be stopped.)
Note In some cases, you may not want a system to reboot after the installation has been
completed. If a reboot does not occur after the Agent installation, partial security is enforced
immediately. Full security is enforced after the first reboot.
After you click the Make kit button, CSA MC produces a bundled kit for distribution. Choose
Maintenance>Agent Kit to see the URL for the kit. The URL may be distributed to users via
e-mail. This method is the recommended deployment procedure. Alternatively, you may point
users to a URL on the CSA MC where all Agent kits are available. The URL to access all
Agent kits on the CSA MC is https://<ciscoworks system name>/csamc/kits.
Note You must regenerate your rule program after Agent kits are created.
Silent Install and Uninstall of Agent Kits
Scripted install: You can use a script to copy and silently install the Agent kit on systems.
Scripted uninstall: Use the CSA_uninstall.bat file in the client system32 directory to remotely
and silently uninstall the Agent.
You can use scripts to silently install and uninstall Windows Agents on end-user systems as
follows:
Scripted install: The Agent kit is a self-extracting executable placed in the following
directory on the server: %Program Files%\CSCOpx\CSA MC\bin\webserver\htdocs\
deploy_kits. (Retrieve the kit from this directory or download it from the server.) You can
then use a script to copy and silently install the Agent kit on systems. Note that you must
check the Quiet Install check box when you build the kit if you are planning to install it via
a script.
Scripted uninstall: The Agent installation places a .bat file in the system32 directory.
Administrators may use a script to remotely and silently uninstall the Agent by invoking
the CSA_uninstall.bat file in the system32 directory. You must also pass a parameter to the
file for the Agent to uninstall silently regardless of whether the original Agent kit was a
quiet install. Enter the following: CSA_uninstall.bat 3.
Note Before silently uninstalling the Agent via a script and stopping the Agent service, you must
disable any Agent service control rules that deny or query administrators.
Notify End Users
Step 7 When an Agent kit is ready for distribution, you can notify end users to download
and install the kit from the URL produced by the CSA MC when the kit was made.
When the kit installation is complete, the Agent of each individual host
automatically and transparently registers with the CSA MC. Each kit is created for
particular groups based on the policies that will be attached to those groups.
Registration Control is accessible from the Maintenance drop-down list of the main menu bar.
Entering a range of addresses to be allowed to register with the CSA MC blocks Agent hosts
with other addresses from registering successfully. The default setting is for all addresses to be
allowed to register. This feature can be used to prevent unauthorized hosts from downloading
Agent kits and receiving rules.
Managing Hosts
This topic explains how to manage hosts by modifying group membership.
Viewing Hosts
Host status columns shown in the figure: Active, Protected, Latest Software, Test Mode, Last Poll.
You can see which hosts have successfully registered with the CSA MC by choosing Systems>
Hosts. Use the drop-down menu on the right side of the window to view an abbreviated host
status in the following categories:
Active: A host is active if it polls into the management server at regular intervals. A host
that has missed three polling intervals or that has not polled into the server for at least one
hour is considered an inactive host.
Protected: A system is not protected if it does not belong to a group or if it belongs to a
group that has no policies attached.
Latest Software: If an Agent is not running the latest software, you will want to deploy a
software update.
Test Mode: When you choose this viewing option, a yes in that column indicates
running in test mode and a no indicates not running in test mode.
Last Poll: When you choose this viewing option, the time and date of the most recent poll
for the host is displayed. By default, Agents poll the management server every 10 minutes
for updated policies.
Host Detail
Click the hostname link for detailed host information. In the host detail window, the following
additional options and information are available:
Clicking the Modify group membership link in the host detail window adds this host to a
group or removes it from a group.
The CSA MC provides an explanation, in paragraph form, of the policies attached to each
host. Clicking the Explain rules link allows you to view this explanation.
After hosts are registered, they automatically receive policies from the CSA MC.
When host Agents register with the CSA MC, the database receives the following information
on each host:
Name and Description: These fields are populated with information received from the
Agent system when it registers. The name shown is the name that identifies this host
system on the network.
Contact information: Click this link to view the contact information provided to the
Agent by the user. (The available fields for the user are first name, last name, e-mail,
telephone, and location.)
Events issued in the past 24 hours: This is the number of events (rule triggers) that have
occurred on the host system in the given time frame.
Verbose logging mode: This field can read as either Off or On, which indicates whether
this feature is enabled for this host. This feature is configurable through the Groups
window.
Host Detail (Cont.)
Host detail fields shown in the figure: Polling interval, Registration time, Time since last poll,
Last known IP address, Host ID, UID, Configuration version, Operating system, Product
information, Software, Test mode.
Polling interval (seconds): The value shown in this field indicates the time interval at
which this system polls into the CSA MC. This feature is configurable through the Groups
window.
Registration time: This is the time that the Agent registered with the CSA MC.
Time since last poll: This is the interval that has elapsed since the host system's last polling
request.
Last known IP address: This is the IP address of the host. If Dynamic Host Configuration
Protocol (DHCP) addressing is used, this is the last known address of the host. (Up to five
IP addresses can be listed.)
Host ID: The CSA MC assigns each registering host a unique ID number by which the
database identifies it.
UID: This is a globally unique ID for your Agent that is obtained from the Agent kit.
Different kits present different IDs. All hosts that install a particular kit will have the same
registration ID. After a host has registered, however, that host receives a unique global ID.
Configuration version: This field reads Up-to-date or Not up-to-date, which indicates
whether the Agent has the latest policy configuration from the CSA MC.
Note By default, Agents poll into the CSA MC every 10 minutes for updated policies.
Operating System: This is the operating system installed on this particular machine.
Product Information: This is the Agent version for this particular machine.
Software: This is the version of Agent software the system is running. If there is a software
update available for this host, this field provides that information. If an update for a host is
scheduled but not installed yet, this field provides that information as well.
Test Mode: If this host is part of a group operating in test mode, that information is
displayed in this field.
Allow Agent user interaction: This indicates whether the end user has an Agent interface.
Profiler enabled: This item appears if the CSA Profiler is enabled on the end-user system.
Last Profiler data upload: If the Profiler is enabled on the end-user system, this field
indicates the time of the most recent upload of analysis logging data.
You can enter contact information, such as username, location, e-mail address, and telephone
number, for each host system. If an Agent is generating alerts, having this contact information
readily available can expedite troubleshooting. The host view also displays a table listing all the
rules and policies that are applied to that host. This table provides links allowing you to view
those rules and policies.
Adding Hosts to a Group
When a host registers with the CSA MC, it is automatically placed into the group or groups you
designate for it. There is no need to add a host to a group initially. You only need to add hosts
to groups when you are changing the group designation of the hosts after they have registered.
Hosts may belong to multiple groups and will receive the policies that are attached to every
group to which they belong.
Caution You can add hosts to a group or remove them at any time. If you do change host group
assignments, the policy configuration of a host that has been moved to another group will
not take effect until you generate your rule programs and distribute them.
Complete the following steps to add one or more hosts to a single group:
Step 1 Choose Systems>Groups to add hosts to a particular group by accessing the edit
view of that group.
Step 2 Click the link for the group to which you want to add hosts. This action brings you
to the edit view of that group.
Step 3 Click the Modify host membership link to display a window containing a list of
host systems that are in this group (if any). Hosts in the group are listed in the
Attached hosts pane to the right. Hosts listed in the Unattached hosts pane to the left
are not in the group.
Step 4 To add a host to this group, choose the host in the left pane and click the Add button
to move it to the right pane. It is now a part of the group.
To choose multiple items in a list, press the Ctrl key as you choose each item.
To deselect a single item, press the Ctrl key while you click that item. Click the
Select all link to choose all items in the Unattached hosts pane. Click the Add
button to add all selected items.
To remove a host from a group, choose the host that you wish to remove in the
Attached hosts pane to the right. Click the Remove button. The host will be
moved to the Unattached host pane to the left.
Step 5 Use the bulk transfer feature to easily move or copy all hosts from the group you
choose from the available drop-down menu into the group that you are currently
viewing. When you click the OK button beside the group selection field, all hosts in
the selected group are moved or copied.
Step 6 When you click the Generate rules link, policies associated with this group will no
longer be applied to the removed hosts. The removed hosts are not deleted from the
database; they are just no longer part of the group.
Caution When you configure new groups and policies or make changes to existing configurations,
they are saved in the database when you click the Save button, but they are not distributed
to the Agents across your network. When your configuration changes are complete, you
must click the Generate rules link to first view all new and edited configurations and then
distribute them to the Agents.
Summary
This topic summarizes the key points discussed in this lesson.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Put the following five steps required to install CSA on host devices in the correct order
by numbering them from 1 to 5 in the space provided. (Source: Installing CSA on Host
Devices)
A) Verify SSL on CiscoWorks. _____
B) Log in to CiscoWorks. _____
C) Select a default group. _____
D) Install CSA on the host. _____
E) Send Agent kit URL to host. _____
Q2) Which of the following CSA MC administrator roles provides full read and partial
write access to the CSA MC database? (Source: Installing CSA on Host Devices)
A) configure
B) deploy
C) monitor
Q3) Why is it recommended that you allow the installation program to install the
preconfigured CSA MC kit on the MC system? (Source: Installing CSA on Host
Devices)
Q4) Which three of the following components combine to form the rules in an Agent kit?
(Choose three.) (Source: Creating Groups)
A) variables
B) policies
C) application classes
D) groups
E) actions
F) Agent kits
Q5) What are three advantages of grouping host systems together? (Source: Creating
Groups)
______________________________________________________________________
______________________________________________________________________
Q6) List eight information items that are included in the database when a host Agent
registers with the CSA MC. (Source: Managing Hosts)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Lesson Self-Check Answer Key
Q1) A-2, B-1, C-3, D-5, E-4
Q2) B
Q3) It provides the appropriate security policies for protecting the CSA MC.
Q4) A, C, E
Q5) Grouping allows administrators to apply the same set of policies consistently across multiple host systems.
Rather than configuring a security policy on each host, a common policy can be deployed to any number of
hosts grouped by administrator-selected criteria.
Grouping eases deployment of alerts by applying alerts to many hosts at once. The use of groups sharpens
the filtering granularity of event sets, thus improving analysis of network events.
Administrators can use test mode to try policies on many hosts before enforcing those policies in
production.
Module Summary
This topic summarizes the key points discussed in this module.
Host- and network-based IPS protects data and information infrastructure. This module
provided an introduction to Cisco IPS products and technologies and to the tools used to
configure and manage IDS/IPS in your network. Cisco IDS/IPS products and technologies
work together to provide a comprehensive security package.
References
For additional information, refer to these resources:
Cisco Systems, Inc. Cisco Intrusion Detection System Sensor Installation and Safety Note.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/sensor/7016_04.htm or
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps4077/products_release_and_installation_notes09186a00800eea60.html.
Cisco Systems, Inc. Cisco Intrusion Detection System Command Reference Version 41.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_command_reference_chapter09186a008019d6cf.html.
Cisco Systems, Inc. Cisco Secure Software.
http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/.
Cisco Systems, Inc. Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.1.
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_book09186a008014a20c.html.
Cisco Systems, Inc. Intrusion Detection Systems.
http://www.informit.com/articles/article.asp?p=25334&seqNum=1.
Cisco Systems, Inc. SAFE: Worm Mitigation.
http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801e120c.shtml.
Cisco Systems, Inc. The Science of Intrusion Detection System Attack Identification.
http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idssa_wp.htm.
Cisco Systems, Inc. Using Management Center for Cisco Security Agents 4.0.
http://www.cisco.com/application/pdf/en/us/guest/products/ps5212/c1629/ccmigration_09186a008019b755.pdf.
Module 5
Overview
Virtual Private Networks (VPNs) are a cost-effective way to provide connectivity over the
public network to remote locations, while reducing network operation costs. Site-to-site VPNs
bring office operations together securely and cost-effectively, and enable businesses to avoid
the expenses associated with leased lines. Remote access VPNs are a cost-effective replacement
for traditional remote access servers, and provide faster, more convenient network access to
employees who work from home or on the road.
The Cisco products and technologies presented in this module are specifically positioned to
provide reliable and secure connectivity to meet a wide range of business requirements. You
will find them relatively easy to deploy, configure, operate and maintain.
Module Objectives
Upon completing this module, you will be able to build an IPSec VPN network using Cisco
products and technologies. This ability includes being able to meet these objectives:
Explain how IPSec technologies are used to build secure VPNs
Describe how Cisco VPN concentrators, VPN-enabled routers, security appliances and
VPN clients can be used to provide secure IPSec VPNs
Configure a Cisco VPN 3000 Series concentrator for remote access using the Quick
Configuration feature
Configure user and group parameters on a Cisco concentrator for remote access
Configure the Cisco VPN Software Client for Microsoft Windows
Lesson 1
Overview
A Virtual Private Network (VPN) uses public telecommunications networks to conduct private
data communications. VPNs use a variety of specialized protocols to support private
communications over a completely open and insecure public Internet. VPN architecture uses a
client and server approach. VPN clients authenticate users, encrypt data, and otherwise manage
sessions with VPN servers using a technique called tunneling.
This lesson introduces IPSec VPN technology and explains the components that make up the
IPSec protocol.
Objectives
Upon completing this lesson, you will be able to explain how IPSec technology is used to build
secure VPNs. This ability includes being able to meet these objectives:
Describe the building blocks of IPSec and the security functions that it provides
Describe how Cisco VPN routers use IPSec open encryption standards to provide
confidentiality
Describe how IPSec establishes data integrity using HMAC
Describe how IPSec establishes origin authentication using digital signatures, peer
authentication, pre-shared keys, RSA signatures and RSA-encrypted nonces
Describe the anti-replay function of IPSec
Explain how encryption, integrity and authentication are applied to the IPSec protocol suite
Explain the five steps of IPSec operation
IPSec Overview
This topic describes the building blocks of IPSec and the security functions that it provides.
What Is IPSec?
Figure: IPSec peers connected through the Internet: the main site (IPSec perimeter router,
concentrator, PIX Security Appliance), a business partner with a Cisco router, a regional office
with a PIX Security Appliance, a mobile worker with a Cisco VPN Client on a laptop, and a SOHO
with a Cisco ISDN/DSL router.
IPSec operates at the network layer to protect and authenticate IP packets between participating
IPSec devices (peers), such as PIX Security Appliances, Cisco routers, Cisco VPN 3000 Series
concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to
any specific encryption or authentication algorithms, keying technology, or security algorithms.
IPSec is a framework of open standards. By not binding IPSec to specific algorithms, IPSec
allows for newer and better algorithms to be implemented without patching the existing IPSec
standards. IPSec provides data confidentiality, data integrity, and origin authentication between
participating peers at the IP layer.
IPSec supports two encryption modes: transport and tunnel. Transport mode encrypts only the
data portion (payload) of each packet, but leaves the IP header untouched. The more secure
tunnel mode encrypts both the IP header and the payload. On the receiving side, an IPSec-
compliant device decrypts each packet.
IPSec Building Blocks
Component: Role
Authentication Header (AH): IP header that provides a cryptographic checksum on the packet.
Used to achieve data authentication and integrity. Separate from the ESP header.
Encapsulating Security Payload (ESP): Header applied after the packet has been encrypted.
Provides data confidentiality in transit. Provides for data authentication and integrity.
Security Association (SA): Specifies the cryptographic parameters needed before any two
devices can communicate using IPSec.
Figure: IPSec framework choices. IPSec protocol: ESP, ESP+AH, or AH. Encryption: DES, 3DES,
or AES.
The figure shows four IPSec framework squares to be filled. IPSec provides the framework,
and the administrator chooses the algorithms that are used to implement the security services
within that framework. The four sections of the IPSec framework are as follows:
When configuring the security services that are provided by an IPSec gateway, you first
must choose an IPSec protocol. The choices are as follows:
Authentication Header (AH).
Encapsulating Security Payload (ESP).
ESP with AH. Although AH is an important component of the IPSec protocol suite,
few deployments of IPSec have this protocol turned on. In general, much of the AH
functionality is embedded in ESP.
The second square is an encryption algorithm. Choose one of the following encryption
algorithms, as appropriate for the level of security desired:
Data Encryption Standard (DES): An algorithm that is used to encrypt and decrypt
packet data.
Triple Data Encryption Standard (3DES): An algorithm that effectively doubles
encryption strength over 56-bit DES. With 3DES, the resultant total key length is
56*3=168 bits.
Advanced Encryption Standard (AES): An algorithm that is a newer cipher
algorithm designed to replace DES. AES has a variable key length between 128 and
256 bits.
The third square is authentication. Choose one of the following authentication algorithms to
provide data integrity:
Message Digest 5 (MD5): An algorithm that is used to authenticate packet data.
Secure Hash Algorithm 1 (SHA-1): An algorithm that is used to authenticate packet
data.
The last square is the Diffie-Hellman (DH) algorithm group. DH is a public-key
cryptography protocol that allows two parties to establish a shared secret key used by
encryption and hash algorithms (for example, DES and MD5) over an insecure
communications channel. Choose which group to use: DH1, DH2, or DH5.
IPSec spells out the rules for secure communications. In turn, IPSec relies on existing
algorithms to implement the encryption, authentication, and key exchange.
IPSec services provide four critical functions. In general, local security policy dictates the use
of one or more of these services:
Confidentiality (encryption): The sender can encrypt the packets before transmitting them
across a network. By doing so, no one can eavesdrop on the communication. If intercepted,
the communications cannot be read.
Data integrity: The receiver can verify that the data was transmitted through the Internet
without being changed or altered in any way.
Origin authentication: The receiver can authenticate the source of the packet,
guaranteeing and certifying the source of the information.
Anti-replay protection: Anti-replay protection verifies that each packet is unique, not
duplicated. IPSec packets are protected by comparing the sequence number of the received
packets against a sliding window on the destination host or security gateway. Packets whose
sequence number falls before the sliding window are considered late or duplicates. Late and
duplicate packets are dropped.
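The data integrity and anti-replay functions listed above, as an added Python example that is not part of the original course material: a receiver keeps the sliding window per security association and verifies an HMAC-SHA1-96 integrity check value (ICV) before it accepts a packet. The packet layout (sequence number, payload, ICV), the key and the 64-packet window size are assumptions made for the example; a real ESP or AH header carries more fields.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404): the 160-bit HMAC output truncated to 96 bits
WINDOW_SIZE = 64   # window size chosen for this example; RFC 4303 requires at least 32


class ReplayWindow:
    """Sliding anti-replay window over 32-bit sequence numbers, kept by the receiver per
    security association. `highest` is the largest sequence number accepted so far;
    bit i of `bitmap` records whether sequence number (highest - i) was accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """True if `seq` is new: to the right of the window, or inside it and unseen."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.highest:
            return True
        if seq <= self.highest - self.size:
            return False                       # left of the window: late, drop
        return not (self.bitmap >> (self.highest - seq)) & 1

    def update(self, seq):
        """Mark `seq` as received. Called only after the ICV has verified, so a forged
        packet cannot advance the window and push legitimate traffic out of it."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def protect(key, seq, payload):
    """Sender side: constructed packet format seq || payload || ICV."""
    body = struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def receive(key, window, packet):
    """Receiver side, in the order RFC 4303 prescribes: cheap sequence-number check,
    then ICV verification, then window update."""
    if len(packet) < 4 + ICV_LEN:
        return "drop: truncated"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    seq = struct.unpack("!I", body[:4])[0]
    if not window.check(seq):
        return "drop: replay or late"
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return "drop: bad ICV"
    window.update(seq)
    return "accept"


def demo():
    """Feed a constructed packet sequence to one SA and return the per-packet verdicts."""
    key = b"constructed-demo-key-not-for-real-use"
    window = ReplayWindow()
    pkts = {n: protect(key, n, b"payload %d" % n) for n in (1, 2, 3, 70)}
    results = [
        receive(key, window, pkts[1]),   # accept
        receive(key, window, pkts[3]),   # accept; 2 may still arrive out of order
        receive(key, window, pkts[2]),   # accept: inside the window and not yet seen
        receive(key, window, pkts[2]),   # drop: replay of an accepted packet
    ]
    tampered = bytearray(pkts[70])
    tampered[6] ^= 0x01                  # flip one payload bit, keep the old ICV
    results.append(receive(key, window, bytes(tampered)))  # drop: bad ICV, window untouched
    results.append(receive(key, window, pkts[70]))         # accept: window slides to 70
    results.append(receive(key, window, pkts[1]))          # drop: 1 <= 70 - 64, too late
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks is the practical point: the sequence-number test runs first so replayed packets cost no HMAC computation, but the window moves only for packets whose ICV verified; otherwise a packet with a high sequence number and a bogus ICV could slide the window past genuine traffic.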
IPSec Critical Function 1: Confidentiality
This topic describes how Cisco VPN routers use IPSec open encryption standards to provide
confidentiality.
The good news is that the Internet is a public network. The bad news is that the Internet is a
public network. IPSec provides confidentiality with encryption and an exchange of keys.
Encryption: Clear text data transported over the public Internet can be intercepted and
read. In order to keep the data private, the data can be encrypted. Digitally scrambling the
data renders it unreadable.
Key Exchange: For IPSec to work, the sending and receiving devices must share a public
key. Sharing is accomplished through a protocol known as Internet Security Association
and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to
obtain a public key and to authenticate the sender using digital certificates.
Public asymmetric key cryptographic systems use two keys, a public key known to everyone,
and a private or secret key, known only to the recipient of the message. When User A wants to
send a secure message to User B, the public key for B is used to encrypt the message. User B
then uses a private key to decrypt it. An important element to the public key system is that the
public and private keys are related in such a way that only the public key can be used to encrypt
messages and only the corresponding private key can be used to decrypt them. Moreover, it is
virtually impossible to deduce the private key if you know the public key.
Figure: a cleartext check (Pay to Terry Smith $100.00, One Hundred and xx/100) is encrypted
with a key into unreadable ciphertext (4ehIDx67NMop9eR U78IOPotVBn45TR) and decrypted with
a key back to the original.
For encryption to work, both the sender and receiver need to know the rules used to transform
the original message into its coded form. Rules are based on an algorithm and a key. An
algorithm is a mathematical function, which combines a message, text, digits, or all three with a
string of digits called a key. The output is an unreadable cipher string. Decryption is extremely
difficult or impossible without the correct key.
In the example, someone wants to send a financial document across the Internet. At the local
end, the document is combined with a key and is run through an encryption algorithm. The
output is undecipherable ciphertext. The ciphertext is then sent through the Internet. At the
remote end, the message is recombined with a key and sent back through the decryption
algorithm. The output is the original financial document.
The degree of security depends on the length of the key. If someone tries to hack the key
through a brute-force attack, guessing every possible combination, the number of possibilities
is a function of the key length. The time to process all the possibilities is a function of the
computer processing power. Therefore, the shorter the key, the easier it is to break. A 64-bit
key with a relatively sophisticated computer can take approximately 1 year to break. A 128-bit
key with the same machine can take roughly 10^19 years to decrypt.
Encryption Algorithms
Figure: IPSec framework choices. IPSec protocol: ESP, ESP+AH, or AH. Encryption: DES, 3DES,
or AES.
DES, 3DES, AES, and also the two authentication algorithms, MD5 and SHA-1, all require a
symmetric shared secret key to perform encryption and decryption. The question is how do the
encrypting and decrypting devices get the shared secret key?
The keys can be sent by e-mail, courier, overnight express or public key exchange. The easiest
method is DH public key exchange. The DH key agreement is a public key exchange method
that provides a way for two peers to establish a shared secret key that only they know, although
they are communicating over an insecure channel.
Public key cryptosystems rely on a two-key system: a public key, which is exchanged between
end-users, and a private key, which is kept secret by the original owners. The DH public key
algorithm states that if user A and user B exchange public keys and a calculation is performed
on their individual private key and on the public key of each other, the end result of the process
is an identical shared key. The shared key is used to derive encryption and authentication keys.
The DH Key Exchange Algorithm
[Figure: Peer A and Peer B exchange public values over the insecure channel.]
There are variations of the DH key exchange algorithm, known as DH group 1 through 7. DH
groups 1, 2, and 5 support exponentiation over a prime modulus with a key size of 768, 1024,
and 1536 bits respectively. Cisco VPN Clients support DH groups 1, 2, and 5. DES and 3DES
encryption supports DH groups 1 and 2. AES encryption supports DH groups 2 and 5. The
Certicom wireless VPN Client supports group 7. Group 7 supports elliptic curve cryptography
that reduces the time needed to generate keys. VPN peers negotiate which DH group to use
during the tunnel setup.
Security is not an issue with the DH key exchange. Although someone may know the public
key for a user, the shared secret cannot be generated because the private key never becomes
public.
DH is used in IKE negotiations to allow the peers to agree on a shared secret that is used to
generate keying materials for subsequent use. With DH, each peer generates a public and a
private key pair. The private key generated by each peer is kept secret and never shared. The
public key is calculated from the private key by each peer and is exchanged over the insecure
channel. Each peer combines the other public key with its own private key, and computes the
same shared secret number. The shared secret number is then converted into a shared secret
key. The shared secret key is never exchanged over the insecure channel.
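The exchange just described, worked through as an added example (this is not code from the course or from Cisco). The 127-bit toy prime modulus, the generator 3, and the HMAC-SHA-1 key derivation are assumptions for illustration; real peers use one of the negotiated DH groups and the IKE PRF.

```python
import hashlib
import hmac
import secrets

# Toy DH group (assumption of this example): p is the Mersenne prime 2^127 - 1 and
# g is an arbitrary small generator. IKE peers use the 768-, 1024- or 1536-bit
# MODP groups negotiated during tunnel setup instead.
P = 2**127 - 1
G = 3


class DHPeer:
    """One peer's side of the Diffie-Hellman exchange."""

    def __init__(self, name):
        self.name = name
        # The private key is a random exponent; it is kept secret and never sent.
        self.private = secrets.randbelow(P - 2) + 1
        # The public key is calculated from the private key: g^x mod p.
        self.public = pow(G, self.private, P)

    def shared_secret(self, peer_public):
        """Combine the other peer's public key with our own private key."""
        # The peer sent g^y; we compute (g^y)^x = g^(xy) mod p, which the
        # other side reaches as (g^x)^y.
        return pow(peer_public, self.private, P)

    def derive_keys(self, peer_public):
        """Convert the shared secret number into encryption and authentication keys.

        The labelled-HMAC derivation here is an assumption for the example; IKE
        derives its keying material with its own PRF construction (RFC 2409).
        """
        secret_bytes = self.shared_secret(peer_public).to_bytes(16, "big")
        enc_key = hmac.new(secret_bytes, b"encryption", hashlib.sha1).digest()
        auth_key = hmac.new(secret_bytes, b"authentication", hashlib.sha1).digest()
        return enc_key, auth_key


def run_exchange():
    """Run one exchange; True when both peers end up with identical keys."""
    peer_a, peer_b = DHPeer("Peer A"), DHPeer("Peer B")
    # Only peer_a.public and peer_b.public cross the insecure channel.
    a_keys = peer_a.derive_keys(peer_b.public)
    b_keys = peer_b.derive_keys(peer_a.public)
    return a_keys == b_keys


if __name__ == "__main__":
    print("peers agree on keys:", run_exchange())
```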
[Figure: RSA keys. The local and remote ends each hold a private key and exchange their public keys.]
RSA is an encryption technique that is used for digital signatures. RSA encryption uses
asymmetric keys for encryption and decryption. Each end, local and remote, generates two
encryption keys, a private and public key. They keep their private key and exchange their
public key with people they wish to communicate with.
To send an encrypted message to the remote end, the local end encrypts the message using the
remote public key and the RSA encryption algorithm. The result is unreadable ciphertext.
This message is sent through the Internet. At the remote end, the remote end uses its private key
and the RSA algorithm to decrypt the ciphertext. The result is the original message. The only
one who can decrypt the message is the destination that owns the private key.
With RSA encryption, the opposite also holds true. The remote end can encrypt a message
using its own private key. The receiver can decrypt the message using the sender's public key.
IPSec Critical Function 2: Data Integrity
This topic describes how IPSec establishes data integrity using hash-based message
authentication code (HMAC).
[Figure: a check is sent across the Internet and altered in transit; the received hash (12ehqPx67NMoX) does not match the transmitted hash (4ehIDx67NMop9). Match = no changes; no match = alterations.]
The next VPN-critical function is data integrity. VPN data is transported over the public
Internet. Potentially, this data could be intercepted and modified. A VPN must provide a means
to check the integrity of information transmitted over the Internet. Mechanisms that provide
such integrity use a secret key usually called a "message authentication code" (MAC).
Typically, two parties that share a secret key use message authentication codes to validate
information transmitted between them. Based on cryptographic hash functions, hash-based
message authentication code (HMAC) attaches a hash to each message to guard against loss of
integrity. If the transmitted hash matches the received hash, the message has not been tampered
with. However, if there is no match, the message was altered.
In the example in the figure, someone is trying to send Terry Smith a check for $100. At the
remote end, Alex Jones is trying to cash the check for $1000. As the check progressed through
the Internet, it was altered. Both the recipient and dollar amounts were changed. In this case,
the hashes did not match. The transaction is no longer valid.
Data integrity is synonymous with authentication. The packets are authenticated using the hash
that is attached to each packet. Two main algorithms facilitate data integrity within the IPSec
framework, MD5 and SHA-1.
[Figure: HMAC. Local end: the variable-length input message and the shared secret key enter the hash function. Remote end: the received message and the shared secret key enter the hash function. Sample message: "Pay to Terry Smith $100.00, One Hundred and xx/100".]
The figure illustrates how HMAC works. At the local end, the message and a shared secret key
are sent through a hash algorithm, which produces a hash value. The message and hash are sent
over the network. At the remote end, there is a two-step process.
Step 1 The received message and shared secret key are sent through the hash algorithm,
resulting in a re-calculated hash value.
Step 2 The receiver compares the re-calculated hash with the hash that was attached to the
message. If the original hash and re-calculated hash match, the integrity of the
message is guaranteed. If any of the original message is changed while in transit, the
hash values are different.
Basically, a hash algorithm is a formula used to convert a variable length message into a single
string of digits of a fixed length. Hash is a one-way algorithm. A message can produce a hash,
but a hash cannot produce the original message. It is analogous to dropping a plate on the floor.
The plate can produce a multitude of pieces, but the pieces cannot be recombined to reproduce
the plate in its original form.
HMAC Algorithms
[Figure: the hash function is either HMAC-MD5 or HMAC-SHA-1; the transmitted and re-computed hashes (4ehIDx67NMop9) match.]
There are two common Hashed Message Authentication Code (HMAC) algorithms:
HMAC-MD5: Uses a 128-bit shared secret key. The variable length message and 128-bit
shared secret key are combined and run through the HMAC-MD5 hash algorithm. The
output is a 128-bit hash. The hash is appended to the original message and forwarded to the
remote end.
HMAC-SHA-1: HMAC-SHA-1 uses a 160-bit secret key. The variable length message
and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash
algorithm. The output is a 160-bit hash. The hash is appended to the original message and
forwarded to the remote end.
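The two-step check from the previous figure and the HMAC-MD5 / HMAC-SHA-1 tag sizes above, as an added example (not code from the course): HMAC is built from the bare hash exactly as RFC 2104 defines it and checked against the standard library. The keys and the check text are constructed sample data.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 and SHA-1 both process 64-byte blocks


def hmac_rfc2104(key, message, hash_name):
    """HMAC from the bare hash: H((K xor opad) || H((K xor ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def send(message, key, hash_name):
    """Local end: run message and shared key through the hash, attach the result."""
    return message, hmac_rfc2104(key, message, hash_name)


def verify(received_message, received_hash, key, hash_name):
    """Remote end. Step 1: re-calculate the hash. Step 2: compare with the attached one."""
    recalculated = hmac_rfc2104(key, received_message, hash_name)
    # compare_digest keeps the comparison time independent of where the bytes differ.
    return hmac.compare_digest(recalculated, received_hash)


# Constructed sample data mirroring the check in the figure.
SHARED_KEY_MD5 = bytes(range(16))   # 128-bit shared secret key for HMAC-MD5
SHARED_KEY_SHA1 = bytes(range(20))  # 160-bit shared secret key for HMAC-SHA-1
ORIGINAL = b"Pay to Terry Smith $100.00\nOne Hundred and xx/100"
ALTERED = b"Pay to Alex Jones $1000.00\nOne Thousand and xx/100"


def demo(hash_name, key):
    """Send the original check, then check both the unaltered and the altered copy."""
    message, tag = send(ORIGINAL, key, hash_name)
    return {
        "tag_bits": len(tag) * 8,
        "matches_stdlib": hmac.compare_digest(
            tag, hmac.new(key, message, hash_name).digest()),
        "unaltered_ok": verify(message, tag, key, hash_name),
        "altered_ok": verify(ALTERED, tag, key, hash_name),
    }


if __name__ == "__main__":
    print("HMAC-MD5  ", demo("md5", SHARED_KEY_MD5))
    print("HMAC-SHA-1", demo("sha1", SHARED_KEY_SHA1))
```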
[Figure: digital signature. Local end: the message ("Pay to Terry Smith $100.00, One Hundred and xx/100") is hashed and the hash is encrypted with the private key; message and signature cross the Internet. Remote end: the signature is decrypted with the public key and compared with a re-computed hash; the two hashes (4ehIDx67NMop9) match.]
The last critical function is origin authentication. In the Middle Ages, a seal guaranteed the
authenticity of an edict. In modern times, a signed document is notarized with a seal and a
signature. In the electronic era, a document is signed using the sender's private encryption key,
producing a digital signature. A signature is authenticated by decrypting the signature with the
sender's public key.
In the example in the figure, the local device derives a hash and encrypts it with its private key.
The encrypted hash (digital signature) is attached to the message and forwarded to the remote
end. At the remote end, the encrypted hash is decrypted using the local end's public key. If the
decrypted hash matches the re-computed hash, the signature is genuine. A digital signature ties
a message to a sender, and the sender is authenticated. It is used during the initial establishment
of a VPN tunnel to authenticate both ends of the tunnel.
There are two common digital signature algorithms: RSA and Directory System Agent (DSA).
RSA is used commercially and is the most common. DSA is used by U.S. Government
agencies and is not as common.
Peer Authentication
[Figure: a remote office connects across the Internet to the corporate office HR servers; the peers must authenticate each other.]
When conducting business long distance, it is necessary to know who is at the other end of the
phone, e-mail, or fax. The same is true of IPSec VPN networking. The device on the other end
of the VPN tunnel must be authenticated before the communication path is considered secure.
There are three peer authentication methods:
Pre-shared keys: A secret key value entered into each peer manually authenticates the
peer.
RSA signatures: The exchange of digital certificates authenticates the peers.
RSA encrypted nonces: Nonces (random numbers generated by each peer) are encrypted
then exchanged between peers. The two nonces are used during the peer authentication
process.
[Figure: pre-shared keys. Each end runs its authentication key plus ID information through a hash. The authenticating hash (Hash_I) is sent across the Internet; the remote end compares its computed hash with the received hash (Hash_I), and the same is done in the opposite direction with Hash_R.]
With pre-shared keys, the same pre-shared key is configured on each IPSec peer. At each end,
the pre-shared key is combined with other information (like the DH generated secret key) to
form the authentication key. Starting at the local end, the authentication key and the identity
information (device-specific information) are sent through a hash algorithm to form Hash_I.
The local IKE peer provides one-way authentication by sending Hash_I to the remote peer. If
the remote peer is able to independently create the same hash, the local peer is authenticated.
The authentication process continues in the opposite direction. The remote peer combines its
identity information with the pre-shared-based authentication key and sends them through a
hash algorithm to form Hash_R. Hash_R is sent to the local peer. If the local peer is able to
independently create the same hash from its stored information and pre-shared-based
authentication key, the remote peer is authenticated. Each peer must authenticate its opposite
peer before the tunnel is considered secure. Pre-shared keys are easy to configure manually, but
do not scale well. Each IPSec peer must be configured with the pre-shared key of every other
peer with which it communicates.
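The Hash_I / Hash_R exchange above, as an added example (not code from the course). How the pre-shared key and the DH secret are combined into the authentication key is simplified here with HMAC-SHA-1 and is an assumption; the identities, pre-shared key and DH secret are constructed sample values.

```python
import hashlib
import hmac


def authentication_key(pre_shared_key, dh_secret):
    """Combine the pre-shared key with the DH-generated secret.

    The keyed-hash combination is an assumption of this example; the exact IKE
    derivation (a PRF keyed with the pre-shared key) is specified in RFC 2409.
    """
    return hmac.new(pre_shared_key, dh_secret, hashlib.sha1).digest()


def identity_hash(auth_key, identity):
    """Hash_I or Hash_R: the authentication key over device-specific ID information."""
    return hmac.new(auth_key, identity, hashlib.sha1).digest()


class IKEPeer:
    def __init__(self, identity, pre_shared_key, dh_secret):
        self.identity = identity
        self.auth_key = authentication_key(pre_shared_key, dh_secret)

    def prove(self):
        """Send our identity information together with its hash (one-way authentication)."""
        return self.identity, identity_hash(self.auth_key, self.identity)

    def check(self, peer_identity, received_hash):
        """Independently re-create the peer's hash; a match authenticates the peer."""
        expected = identity_hash(self.auth_key, peer_identity)
        return hmac.compare_digest(expected, received_hash)


def mutual_authentication(local, remote):
    """Both directions must succeed before the tunnel is considered secure."""
    remote_accepts_local = remote.check(*local.prove())   # Hash_I, local -> remote
    local_accepts_remote = local.check(*remote.prove())   # Hash_R, remote -> local
    return remote_accepts_local and local_accepts_remote


# Constructed sample values: the DH secret stands in for the value the peers
# derived in their DH exchange; the pre-shared key is configured on both routers.
DH_SECRET = bytes.fromhex("0123456789abcdef" * 4)
LOCAL_PSK = b"example-psk-not-for-real-use"


def scenario(remote_psk):
    """Authenticate RouterA and RouterB; True only when both hold the same pre-shared key."""
    local = IKEPeer(b"RouterA", LOCAL_PSK, DH_SECRET)
    remote = IKEPeer(b"RouterB", remote_psk, DH_SECRET)
    return mutual_authentication(local, remote)


if __name__ == "__main__":
    print("matching keys:", scenario(LOCAL_PSK))
    print("mismatched keys:", scenario(b"typo-in-key"))
```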
RSA Signatures
[Figure: local end: authentication key plus ID information is hashed to Hash_I, which is encrypted with the private key to form a digital signature; the signature and the digital certificate cross the Internet. Remote end: (1) the signature is decrypted with the public key from the certificate, (2) Hash_I is re-computed from authentication key plus ID information and compared with the decrypted Hash_I.]
With RSA signatures, Hash_I and Hash_R are authenticated and digitally signed. Starting at the
local end, the authentication key and identity information (device-specific information) are sent
through a hash algorithm to form Hash_I. The Hash_I is then encrypted using the local peer
private encryption key. The result is a digital signature. The digital signature and a digital
certificate are forwarded to the remote peer. The public encryption key for decrypting the
signature is included in the digital certificate exchanged between peers.
Step 1 The remote peer verifies the digital signature by decrypting it using the public
encryption key enclosed in the digital certificate. The result is Hash_I.
Step 2 The remote peer independently creates Hash_I from stored information. If the
calculated Hash_I equals the decrypted Hash_I, the local peer is authenticated as
shown in the figure.
After the remote peer authenticates the local peer, the authentication process begins in the
opposite direction. The remote peer combines its identity information with the authentication
key and sends this information through a hash algorithm to form Hash_R. Hash_R is encrypted
using the remote peer's private encryption key, which produces a digital signature. The digital
signature and certificate are sent to the local peer. The local peer performs two tasks: it creates
Hash_R from stored information, and it decrypts the digital signature. If the calculated Hash_R
and the decrypted Hash_R match, the remote peer is authenticated. Each peer must authenticate
its opposite peer before the tunnel is considered secure.
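One added example (not code from the course or from Cisco) covering three passages: RSA encryption in both directions, the digital signature as an encrypted hash, and the RSA-signature peer authentication just described. The key is a toy one built from two Mersenne primes and there is no padding, both assumptions for illustration; real deployments use 1024-bit or larger keys with PKCS#1 padding, and the public key would arrive inside a digital certificate.

```python
import hashlib

# Toy RSA parameters (assumption of this example): the primes 2^89 - 1 and 2^107 - 1
# are far too small for real use but large enough that a 160-bit SHA-1 value fits
# below the modulus, so the textbook sign/verify relation holds exactly.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537


def generate_keypair():
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def encrypt(public_key, m):
    """Local end encrypts with the remote public key; only the private key can undo it."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    """Remote end decrypts with its own private key."""
    n, d = private_key
    return pow(c, d, n)


def hash_of(message):
    """Derive the hash the signature will cover (SHA-1, as in the HMAC-SHA-1 text)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(private_key, message):
    """Digital signature: hash the message and 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(hash_of(message), d, n)


def verify(public_key, message, signature):
    """'Decrypt' the signature with the public key and compare with a re-computed hash."""
    n, e = public_key
    return pow(signature, e, n) == hash_of(message)


def rsa_signature_authentication(hash_i, local_private, local_public_from_cert):
    """Peer authentication with RSA signatures as in the figure.

    The local peer signs Hash_I with its private key; the remote peer verifies
    using the public key it took from the local peer's certificate.
    """
    digital_signature = sign(local_private, hash_i)
    return verify(local_public_from_cert, hash_i, digital_signature)


if __name__ == "__main__":
    public, private = generate_keypair()
    hash_i = b"Hash_I of RouterA"  # constructed stand-in for the authentication hash
    print("local peer authenticated:", rsa_signature_authentication(hash_i, private, public))
    print("tampered hash accepted:", verify(public, b"Hash_I of Mallory", sign(private, hash_i)))
```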
[Figure: RSA encrypted nonces. Each end runs its nonce-based authentication key plus ID information through a hash; the authenticating hash (Hash_I) crosses the Internet, the remote end compares its computed hash with the received Hash_I, and the process repeats in the opposite direction with Hash_R.]
RSA encrypted nonces require that each party generate a nonce. The nonces are then encrypted
and exchanged. The nonces are encrypted by the initiator using the receiver public key. The
public keys need to be exchanged between the peers before IKE negotiation begins. When the
nonce is received, each end formulates an authentication key made up of the initiator and
responder nonces, the DH key, and the initiator and responder cookies. The nonce-based
authentication key is combined with device-specific information and runs through a hash
algorithm. The local IKE peer provides one-way authentication by sending Hash_I to the
remote peer. If the remote peer is able to independently create the same hash from stored
information and its nonce-based authentication key, the local peer is authenticated as shown in
the figure.
After the remote end authenticates the local peer, the authentication process begins in the
opposite direction. The remote peer combines its identity information with the nonce-based
authentication key and sends them through a hash algorithm to form Hash_R. Hash_R is sent to
the local peer. If the local peer is able to independently create the same hash from stored
information and the nonce-based key, the remote peer is authenticated. Each peer must
authenticate its opposite peer before the tunnel is considered to be secure.
IPSec Critical Function 4: Anti-replay
This topic describes the anti-replay function of IPSec.
IPSec uses anti-replay mechanisms to ensure that IP packets cannot be intercepted by a third
party or man-in-the-middle and then be changed and reinserted into the data stream. This is
implemented in IPSec by:
The AH protocol
The ESP protocol
The anti-replay mechanism works by keeping track of the sequence number allocated to each
packet as it arrives at the VPN endpoint. When a security association (SA) is established
between two VPN endpoints, the sequence counter is set to 0. The packets that are encrypted
and transmitted over the VPN are sequenced starting from 1. Each time a packet is sent, the
receiver of the packet verifies that the sequence number is not that of a previously sent packet.
If the receiver receives a packet with a duplicate sequence number, the packet is discarded, and
an error message is sent back to the transmitting VPN endpoint to log this event.
Note AH implements anti-replay by default, whereas ESP implements anti-replay only when data
authentication is turned on (for example, MD5 or SHA-1) in the IPSec transform set.
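The receiver-side sequence tracking described above, as an added example (not code from the course). It goes one step beyond the text: instead of rejecting only exact duplicates, it keeps the 64-packet sliding window the IPSec RFCs (RFC 2401 / RFC 4303) specify, so packets arriving slightly out of order are still accepted while replays and stale packets are discarded and logged.

```python
class AntiReplayWindow:
    """Anti-replay state for one inbound security association."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0   # counter is 0 when the SA is established; packets start at 1
        self.bitmap = 0    # bit i set means sequence number (highest - i) was received
        self.log = []      # events that would be reported back to the sending endpoint

    def accept(self, seq):
        """Return True for a fresh packet, False (and log) for a replay or stale packet."""
        if seq == 0:
            self.log.append("discard seq 0: sequence numbers start at 1")
            return False
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark this packet.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.window_size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            self.log.append(f"discard seq {seq}: older than the window")
            return False
        if self.bitmap & (1 << offset):
            self.log.append(f"discard seq {seq}: duplicate sequence number (replay)")
            return False
        self.bitmap |= 1 << offset   # late but never seen: accept it
        return True


def process(sequence_numbers):
    """Feed a stream of received sequence numbers; return the ones accepted."""
    window = AntiReplayWindow()
    return [seq for seq in sequence_numbers if window.accept(seq)]


if __name__ == "__main__":
    # Constructed stream: packet 2 is replayed, packets 3..5 arrive out of order,
    # packet 4 is replayed again.
    print(process([1, 2, 2, 5, 4, 3, 4]))
```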
[Figure: ESP between Router A and Router B; the data payload is encrypted.]
IPSec is a framework of open standards. IPSec spells out the messaging to secure the
communications but relies on existing algorithms, such as DES, 3DES and AES, to implement
the encryption and authentication. The two main IPSec framework protocols are as follows:
Authentication Header (AH): AH is the appropriate protocol to use when confidentiality
is not required or permitted. AH provides data authentication and integrity for IP packets
passed between two systems. AH provides a means of verifying that any message passed
from Router A to Router B has not been modified during transit. AH verifies that the origin
of the data was either Router A or Router B. AH does not provide data confidentiality
(encryption) of packets. All text is transported in the clear.
Encapsulating Security Payload (ESP): ESP is a security protocol that may be used to provide
confidentiality (encryption) and authentication. ESP provides confidentiality by performing
encryption at the IP packet layer. IP packet encryption conceals the data payload and the
identities of the ultimate source and destination. ESP provides authentication for the inner
IP packet and ESP header. Authentication provides data origin authentication, and data
integrity. Although both encryption and authentication are optional in ESP, at a minimum,
one of them must be selected.
Authentication Header
[Figure: AH between Router A and Router B; all data is in clear text.]
Authentication is achieved by applying a keyed one-way hash function to the packet to create a
hash or message digest. The hash is combined with the text and transmitted. Changes in any
part of the packet that occur during transit are detected by the receiver when it performs the
same one-way hash function on the received packet. Because the one-way hash also involves
the use of a symmetric key between the two systems, authenticity is guaranteed.
[Figure: at Router A, the received hash (00ABCDEF) equals the re-computed hash (00ABCDEF).]
The AH function is applied to the entire datagram, except for any mutable IP header fields that
change in transit (for example, Time to Live [TTL] fields that are modified by the routers along
the transmission path). AH supports two algorithms:
HMAC-MD5
HMAC-SHA-1
Step 2 The hash is used to build an AH header, which is appended to the original packet.
Step 3 The new packet is transmitted to the IPSec peer.
Step 4 The peer hashes the IP header and data payload.
Step 5 The peer extracts the transmitted hash from the AH header.
Step 6 The peer compares the two hashes. The hashes must match exactly. If one bit is
changed in the transmitted packet, the hash output on the received packet changes
and the AH header does not match.
Encapsulating Security Payload
[Figure: ESP between Router A and Router B; the data payload is encrypted.]
ESP provides confidentiality by encrypting the payload. ESP supports a variety of symmetric
encryption algorithms. The default algorithm for IPSec is 56-bit DES. Cisco products also
support the use of 3DES and AES for stronger encryption.
ESP can be used alone or in combination with AH. ESP with AH also provides integrity and
authentication of the datagrams. First, the payload is encrypted. Next, the encrypted payload is
sent through one of the following hash algorithms: HMAC-MD5 or HMAC-SHA-1. The hash
provides origin authentication and data integrity for the data payload.
Alternatively, ESP may also enforce anti-replay protection by requiring that a receiving host set
the replay bit in the header to indicate that the packet has been seen.
[Figure: original packet (IP HDR | Data) between two routers across the Internet. ESP tunnel mode packet: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. Encrypted: IP HDR through ESP Trailer. Authenticated: ESP HDR through ESP Trailer.]
The original payload is well protected between two security gateways because the entire
original IP datagram is encrypted. An ESP trailer is added to the encrypted payload. With ESP
authentication, the encrypted IP datagram and the ESP header or trailer are included in the
hashing process. Finally a new IP header is appended to the front of the authenticated payload
(when using tunnel mode). The new IP address is used to route the packet through the Internet.
When both ESP authentication and encryption are selected, encryption is performed before
authentication. One reason for this order of processing is that it facilitates rapid detection and
rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the
receiver can authenticate inbound packets. By doing this, it can detect the problems and
potentially reduce the impact of denial of service (DoS) attacks.
Modes of Use: Tunnel vs. Transport Mode
[Figure: original packet: IP HDR | Data.
Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth. Encrypted: Data through ESP Trailer. Authenticated: ESP HDR through ESP Trailer.
Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. Encrypted: IP HDR through ESP Trailer. Authenticated: ESP HDR through ESP Trailer.]
ESP and AH can be applied to IP packets in two different ways, transport mode and tunnel
mode. These two modes are described as follows:
Transport mode: Transport mode protects the payload of the packet and higher layer
protocols, but leaves the original IP address in the clear. The original IP address is used to
route the packet through the Internet. ESP transport mode is used between two hosts, when
the final destination is the host itself. Transport mode provides security to the higher layer
protocols only.
Tunnel mode: ESP tunnel mode is used when either end of the tunnel is a security
gateway, a concentrator, a VPN-enabled router, or a PIX Security Appliance. Tunnel mode
is used when the final destination is not a host, but a VPN gateway. The security gateway
encrypts and authenticates the original IP packet. Next, a new IP header is appended to the
front of the encrypted packet. The outside, new, IP address is used to route the packet
through the Internet to the remote end security gateway. Tunnel mode provides security for
the whole original IP packet.
IPSec Operation
[Figure: Host A and Host B communicate through Router A and Router B.]
The goal of IPSec is to protect the desired data with the needed security services. IPSec
operation can be broken down into five simple steps.
Step 1 Interesting traffic: Traffic is deemed interesting when the VPN device recognizes
that the traffic you want to send needs to be protected.
Step 2 IKE phase 1: A basic set of security services are negotiated and agreed upon
between peers. This basic set of security services protects all subsequent
communications between the peers.
Step 3 IKE phase 2: IKE negotiates IPSec SA parameters and sets up matching IPSec SAs
in the peers. These security parameters are used to protect data and messages
exchanged between endpoints. The final result of IKE phase 1 and phase 2 is a
secure communications channel between peers.
Step 4 Data transfer: Data is transferred between IPSec peers based on the IPSec
parameters and keys stored in the SA database.
Step 5 IPSec tunnel termination: IPSec SAs terminate through deletion or by timing out.
Step 1: Interesting Traffic
[Figure: Host A (10.0.1.3) and Host B (10.0.2.3) behind Router A and Router B; for each datagram the choice is Apply IPSec, Bypass IPSec, or Discard.]
Part of formulating a security policy for the use of a VPN is to determine what traffic needs to
be protected and what traffic can be sent in the clear. For every inbound and outbound
datagram, there are the following three choices:
Apply IPSec
Bypass IPSec
Discard the datagram
For every datagram protected by IPSec, the system administrator must specify the security
services applied to the datagram. The security policy database specifies the IPSec protocols,
modes, and algorithms applied to the traffic. The services are then applied to traffic destined to
each particular IPSec peer. With the VPN client, you use menu windows to select connections
that you want secured by IPSec. When interesting traffic transits the IPSec client, the client
initiates the next step in the process: negotiating an IKE phase 1 exchange.
[Figure: IKE phase 1, main mode exchange between Router A and Router B (Host A 10.0.1.3, Host B 10.0.2.3), including the DH exchange at each end.]
The basic purpose of Internet Key Exchange (IKE) phase 1 is to negotiate IKE policy sets,
authenticate the peers, and set up a secure channel between the peers. IKE phase 1 occurs in
two modes: main mode and aggressive mode.
Main mode has three two-way exchanges between the initiator and receiver:
First exchange: The algorithms and hashes used to secure the IKE communications are
negotiated.
Second exchange: A DH exchange generates shared secret keys.
Third exchange: This exchange verifies the identity of the other side to make sure they are
communicating with the devices with which they think they are communicating.
In the aggressive mode, fewer exchanges are done and with fewer packets. On the first
exchange, almost everything is squeezed in: the IKE policy set negotiation, the DH public key
generation, a nonce that the other party signs, and an identity packet that can be used to verify
their identity via a third party. The receiver sends back everything that is needed to complete
the exchange. The only thing left is for the initiator to confirm the exchange. While aggressive
mode is faster, it does not provide identity protection and is therefore not recommended.
First and Second Exchange: IKE Policy Sets and Establishing a Shared Secret
[Figure: Router A and Router B exchange IKE policy sets on behalf of Host A and Host B. Example ISAKMP Policy 20: 3DES, SHA, pre-share, DH1, lifetime.]
First Exchange
During the first exchange the algorithms and hashes that secure the IKE communications are
negotiated and agreed upon between peers. When trying to make a secure connection between
Host A and Host B through the Internet, IKE security proposals are exchanged between Router
A and Router B. The proposals identify various values being negotiated. Under each proposal,
the originator must delineate which algorithms are employed in the proposal (for example, DES
with MD5). Rather than negotiate each algorithm individually, the algorithms are grouped into
IKE policy sets. A policy set delineates which encryption algorithm, authentication algorithm,
mode, and key length are proposed. These IKE proposals and policy sets are exchanged during
the IKE main mode first exchange phase. If a policy set match is found between peers, the main
mode continues. If no match is found, the tunnel is torn down.
In the figure, Router A sends IKE policy sets 10 and 20 to Router B. Router B compares its set,
policy set 15, with those received from Router A. As shown in the figure, there is a match; the
Router A policy set 10 matches the Router B policy set 15.
In a point-to-point application, each end may only need a single IKE policy set defined.
However, in a hub and spoke environment, the central site may require multiple IKE policy sets
to satisfy all the remote peers.
Second Exchange
The second exchange uses a DH exchange to generate shared secret keys and to pass nonces to
the other party. These nonces are signed and returned to prove their identity. The shared secret
key is used to generate all the other encryption and authentication keys.
[Figure: third exchange, peer authentication across the Internet to the HR servers.]
The third and last exchange is used to authenticate the remote peer. The primary outcome of the
main mode is a secure communication path for subsequent exchanges between the peers.
Without proper authentication, it is possible to establish a secure communication channel with a
hacker who is now stealing all your sensitive material. There are three data origin
authentication methods:
Pre-shared keys: A secret key value that is entered into each peer manually and is used to
authenticate the peer.
RSA signatures: Uses the exchange of digital certificates to authenticate the peers.
RSA encrypted nonces: Nonces are basically long numbers that are used with private and
public key combinations and that also require a lot of manual configuration. Nonces are a
bit more secure than pre-shared keys, but less scalable, so they are not widely used. Nonces
are encrypted and then exchanged between peers. Two nonces are used during the peer
authentication process.
Step 3: IKE Phase 2
[Figure: Host A and Host B; the peers negotiate IPSec security parameters.]
Once the IKE SA is established in IKE Phase 1, session SAs are negotiated for securing normal
VPN traffic. The purpose of IKE phase 2 is to negotiate the IPSec security parameters used to
secure the IPSec tunnel. IKE phase 2 performs the following functions:
Negotiates IPSec security parameters and IPSec transform sets
Establishes IPSec SAs
Periodically renegotiates IPSec SAs to ensure security
Optionally performs an additional DH exchange
IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established
the secure tunnel in phase 1. It negotiates a shared IPSec transform, derives shared secret
keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode
exchanges nonces that are used to generate new shared secret key material (perfect forward
secrecy (PFS)) and prevent replay attacks from generating bogus SAs.
Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires.
Quick mode is used to refresh the keying material used to create the shared secret key based on
the keying material derived from the DH exchange in phase 1.
[Figure: Transform Set 40: ESP, DES, MD5, Tunnel, Lifetime.]
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
The ultimate goal of IKE phase 2 is to establish a secure IPSec session between endpoints.
Before that can happen, each pair of endpoints negotiates the level of security required (for
example, encryption and authentication algorithms for the session). Rather than negotiate each
protocol individually, the protocols are grouped into sets called an IPSec transform set. IPSec
transform sets are exchanged between peers during quick mode. If a match is found between
sets, IPSec session-establishment continues. If no match is found, the session is torn down.
In the example in the figure, Router A sends IPSec transform set 30 and 40 to Router B. Router
B compares its set, transform set 55, with those received from Router A. In this instance, there
is a match. Router A transform set 30 matches Router B transform set 55 as shown in the
figure. These encryption and authentication algorithms form an SA.
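The responder-side matching used in both the first-exchange policy set comparison (Router A sends sets 10 and 20, Router B matches 15) and the quick mode transform set comparison (sets 30 and 40 against 55), as one added example that is not code from the course or from Cisco. The set contents other than ISAKMP policy 20 and transform set 40 are constructed, and the lifetime rules in the docstring are assumptions taken from IOS IKE documentation rather than from this text.

```python
# Constructed sample configuration following the figures. Only ISAKMP policy 20
# (3DES, SHA, pre-share, DH1) and transform set 40 (ESP, DES, MD5, tunnel) are
# given in the figures; the other sets are invented so that 10 matches 15 and
# 30 matches 55 as the text describes.
ROUTER_A_ISAKMP = {
    10: {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
    20: {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": 1, "lifetime": 86400},
}
ROUTER_B_ISAKMP = {
    15: {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 43200},
}
ROUTER_A_TRANSFORMS = {
    30: {"protocol": "esp", "encryption": "3des", "auth": "sha-hmac", "mode": "tunnel", "lifetime": 3600},
    40: {"protocol": "esp", "encryption": "des", "auth": "md5-hmac", "mode": "tunnel", "lifetime": 3600},
}
ROUTER_B_TRANSFORMS = {
    55: {"protocol": "esp", "encryption": "3des", "auth": "sha-hmac", "mode": "tunnel", "lifetime": 1800},
}


def _without_lifetime(policy):
    return {k: v for k, v in policy.items() if k != "lifetime"}


def negotiate(received, local, responder_lifetime_must_be_shorter):
    """Match the received proposals against the responder's own sets.

    Returns (received_priority, local_priority, agreed_set), or None when no set
    matches (the tunnel is then torn down). Assumptions, from IOS IKE docs:
    the responder walks its own sets in priority order (lowest number first)
    and compares each against every received set; every attribute except the
    lifetime must be identical; for ISAKMP policies the responder's lifetime
    must be <= the initiator's (responder_lifetime_must_be_shorter=True), for
    transform sets the shorter lifetime is simply adopted.
    """
    for local_prio, local_set in sorted(local.items()):
        for recv_prio, recv_set in sorted(received.items()):
            if _without_lifetime(local_set) != _without_lifetime(recv_set):
                continue
            if responder_lifetime_must_be_shorter and local_set["lifetime"] > recv_set["lifetime"]:
                continue
            agreed = dict(recv_set)
            agreed["lifetime"] = min(local_set["lifetime"], recv_set["lifetime"])
            return recv_prio, local_prio, agreed
    return None


if __name__ == "__main__":
    print("IKE phase 1:", negotiate(ROUTER_A_ISAKMP, ROUTER_B_ISAKMP, True))
    print("IKE phase 2:", negotiate(ROUTER_A_TRANSFORMS, ROUTER_B_TRANSFORMS, False))
```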
Security Association
[Figure: Security Policy Database (encryption algorithm, authentication algorithm, mode, key lifetime) and SA Database (destination IP address, SPI, protocol ESP or AH). Bank connection: destination 192.168.2.1, SPI 12, ESP/3DES/SHA, tunnel mode, lifetime 28800. Remote user: destination 192.168.12.1, SPI 39, ESP/DES/MD5, tunnel mode, lifetime 28800.]
When the security services are agreed upon between peers, each VPN peer device enters the
information in a Security Policy Database (SPD). The information includes the encryption and
authentication algorithm, destination IP address, transport mode, key lifetime, and so on. This
information is referred to as the SA. The SA is a one-way logical connection that provides
security to all traffic traversing the connection. Because most traffic is bi-directional, two SAs
are required: one for inbound traffic, and one for outbound traffic. The VPN device indexes the
SA with a number called the Security Parameter Index (SPI). Rather than send the individual
parameters of the SA across the tunnel, the source gateway, or host, inserts the SPI into the ESP
header. When the IPSec peer receives the packet, it looks up the destination IP address, IPSec
protocol, and SPI in its SA database (SAD), and then processes the packet according to the
algorithms listed under the SPD.
The IPSec SA is a compilation of the SAD and SPD. SAD is used to identify the SA destination
IP address, IPSec protocol, and SPI number. The SPD defines the security services applied to
the SA, encryption and authentication algorithms, and mode and key lifetime.
In the corporate-to-bank connection shown in the figure, the security policy provides a very
secure tunnel using 3DES, SHA, tunnel mode, and a key lifetime of 28800. The SAD value is
192.168.2.1, ESP, and SPI-12. For the remote user accessing e-mails, a less secure policy is
negotiated using DES, MD5, tunnel mode, and a key lifetime of 28800. The SAD values are a
destination IP address of 192.168.12.1, ESP, and an SPI-39.
[Figure: SA lifetimes are data-based or time-based.]
Like a password on your company PC, the longer you keep a key, the more vulnerable it becomes.
The same is true of keys and SAs. For good security, the SA and keys should be changed
periodically.
Step 4: IPSec Session
[Figure: IPSec session between Host A (10.0.1.3) and Host B (10.0.2.3) through Router A and Router B.]
After IKE phase 2 is complete and quick mode has established IPSec SAs, traffic is exchanged
between Host A and B via a secure tunnel. Interesting traffic is encrypted and decrypted
according to the security services specified in the IPSec SA.
Figure: IPSec tunnel termination between Host A (10.0.1.3) and Host B (10.0.2.3) through Router A and Router B. A tunnel is terminated by an SA lifetime timeout or if the packet counter is exceeded; termination removes the IPSec SA.
IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified
number of seconds has elapsed or when a specified number of bytes has passed through the
tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are
needed for a flow, IKE performs a new phase 2 and, if necessary, a new phase 1 negotiation. A
successful negotiation results in new SAs and new keys. New SAs are usually established
before the existing SAs expire, so that a given flow can continue uninterrupted.
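The SPD/SAD bookkeeping and the time- and data-based SA termination described above, as an added Python illustration (not Cisco code): the two SAs from the corporate-to-bank and remote-user example are installed in a SAD keyed by destination address, protocol and SPI, and inbound packets are matched and expired. The data-based lifetime values and the rekey margin are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SpdEntry:
    """Security services for a flow (the SPD side of the SA)."""
    encryption: str        # e.g. "3DES" or "DES"
    auth: str              # e.g. "SHA" or "MD5"
    mode: str              # "tunnel" or "transport"
    lifetime_seconds: int  # time-based lifetime (28800 in the text)
    lifetime_bytes: int    # data-based lifetime; values below are constructed


@dataclass
class SecurityAssociation:
    """One-way SA: the SAD selector (dst, protocol, SPI) plus its SPD entry."""
    dst: str
    protocol: str          # "ESP" or "AH"
    spi: int
    policy: SpdEntry
    created_at: float      # time (seconds) at which the SA was installed
    bytes_seen: int = 0

    def expired(self, now: float) -> bool:
        """Time-based or data-based termination, whichever comes first."""
        timed_out = now - self.created_at >= self.policy.lifetime_seconds
        data_out = self.bytes_seen >= self.policy.lifetime_bytes
        return timed_out or data_out

    def rekey_due(self, now: float, margin_seconds: int = 600) -> bool:
        """New SAs are negotiated before the old ones expire; the margin is an assumption."""
        remaining = self.policy.lifetime_seconds - (now - self.created_at)
        return remaining <= margin_seconds or self.bytes_seen >= 0.9 * self.policy.lifetime_bytes


class SecurityAssociationDatabase:
    """SAD indexed by (destination address, IPSec protocol, SPI)."""

    def __init__(self) -> None:
        self._sad: Dict[Tuple[str, str, int], SecurityAssociation] = {}

    def install(self, sa: SecurityAssociation) -> None:
        self._sad[(sa.dst, sa.protocol, sa.spi)] = sa

    def delete(self, sa: SecurityAssociation) -> None:
        # Deleting the SA also discards its keys; a new IKE phase 2 is needed to replace it.
        self._sad.pop((sa.dst, sa.protocol, sa.spi), None)

    def lookup(self, dst: str, protocol: str, spi: int) -> Optional[SecurityAssociation]:
        return self._sad.get((dst, protocol, spi))

    def process_inbound(self, dst: str, protocol: str, spi: int,
                        length: int, now: float) -> Optional[SpdEntry]:
        """Receiver side: the SPI from the ESP/AH header selects the SA; the SPD entry
        returned tells the caller which algorithms to apply. None means no usable SA."""
        sa = self.lookup(dst, protocol, spi)
        if sa is None:
            return None
        if sa.expired(now):
            self.delete(sa)
            return None
        sa.bytes_seen += length
        return sa.policy


def build_example_sad(now: float) -> SecurityAssociationDatabase:
    """Install the two inbound SAs from the corporate-to-bank and remote-user example."""
    sad = SecurityAssociationDatabase()
    bank = SpdEntry("3DES", "SHA", "tunnel", 28800, 100_000_000)
    mail = SpdEntry("DES", "MD5", "tunnel", 28800, 1_000_000)
    sad.install(SecurityAssociation("192.168.2.1", "ESP", 12, bank, now))
    sad.install(SecurityAssociation("192.168.12.1", "ESP", 39, mail, now))
    return sad


if __name__ == "__main__":
    sad = build_example_sad(now=0.0)
    print(sad.process_inbound("192.168.2.1", "ESP", 12, 1500, 10.0))
    print(sad.process_inbound("192.168.2.1", "ESP", 12, 1500, 28800.0))  # expired by time
```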
Summary
This topic summarizes the key points discussed in this lesson.
Q1) What HMAC algorithm is considered cryptographically stronger? (Source: IPSec and
Data Integrity)
Q2) Which of the following encryption algorithms is only used by IKE? (Source: IPSec and
Encryption)
A) DES Algorithm
B) 3DES Algorithm
C) Advanced Encryption Standard (AES)
D) RSA
Q3) Explain the difference between symmetric and asymmetric encryption keys. (Source:
IPSec and Encryption)
Q4) What two protocols does IPSec implement to prevent man-in-the-middle attacks?
(Choose two.) (Source: IPSec Critical Function 4 Anti-replay)
A) Authentication Header
B) Internet Key Exchange (IKE)
C) Encapsulating Security Payload
D) Diffie-Hellman
E) Hash-based Message Authentication Code
Q5) Put the following steps in the correct order by writing 1-6 in the space provided.
(Source: IPSec Protocol Framework)
_____ 4. The hash is used to build an AH header, which is appended to the original
packet.
_____ 5. The peer extracts the transmitted hash from the AH header.
Q6) What mode, when applied to AH and ESP, leaves the original IP address in clear?
(Source: IPSec Protocol Framework)
A) tunnel mode
B) transport mode
Q7) What are the two modes of IKE phase 1? (Choose two.) (Source: IPSec Operation)
A) main mode and aggressive mode
B) tunnel mode and transport mode
C) encrypted mode and unencrypted mode
D) secure mode and hash mode
Q8) Explain the purpose of IKE phase 1 and IKE phase 2. (Source: IPSec Operation)
Q2) D
Q3) With symmetric key encryption, each peer uses the same key to encrypt and decrypt the data. With
asymmetric key encryption, the local end uses one key to encrypt, and the remote end uses another key to
decrypt the traffic.
Q4) A and C
Q5) 2, 4, 6, 1, 5, 3
Q6) B
Q7) A
Q8) The basic purpose of Internet Key Exchange (IKE) phase 1 is to negotiate IKE policy sets, authenticate the
peers, and set up a secure channel between the peers. The purpose of Internet Key Exchange (IKE) phase 2
is to negotiate the IPSec security parameters used to secure the IPSec tunnel.
Lesson 2
Overview
The Cisco implementation of IPSec technology provides a wide range of virtual private network
(VPN) solutions using VPN concentrators, VPN-enabled routers, security appliances and VPN
Clients. The Cisco VPN Client provides a user interface for setting up and using a VPN. The
Cisco VPN Software Client is available as a free download for use with Cisco VPN products.
A Cisco VPN 3002 Hardware Client is also available for specific applications.
Hardware products were introduced earlier in the course. This lesson presents an overview of
hardware deployments in various VPN solutions as well as an overview of Cisco VPN Clients.
Objectives
Upon completing this lesson, you will be able to describe how Cisco VPN concentrators, VPN-
enabled routers, security appliances and VPN Clients can be used to provide secure IPSec
VPNs. This ability includes being able to meet these objectives:
Describe how to build Cisco IPSec VPNs using Cisco VPN-enabled routers, VPN
concentrators and security appliances
Describe the features of the Cisco VPN Software Client
Describe the features of the Cisco VPN 3002 Hardware Client
Describe how to choose between the VPN Software Client or VPN 3002 Hardware Client
depending on the requirements
Describe the features of the Certicom VPN Client designed to support cell phones, PDAs
and similar wireless appliances
Describe how the Cisco VPN Client supports Smartcard technologies
Cisco IPSec VPNs
This topic describes how to build Cisco IPSec VPNs using Cisco VPN-enabled routers, VPN
concentrators and security appliances.
IPSec VPNs
Figure: An IPSec VPN carrying a mobile user's traffic across the Internet.
An IPSec VPN uses IPSec to build an encrypted connection between private networks over a
public network such as the Internet. The V and N stand for virtual network. The information
from a private network is securely transported over a public network, the Internet, to form a
virtual network. The P stands for private. To remain private, the traffic is encrypted to keep the
data confidential. A VPN is a private virtual network.
There are three IPSec VPN solutions supported by Cisco products and technology:
Remote access VPN
Site-to-site VPN
Firewall-based VPN
Remote Access VPNs
Figure: Remote access VPNs. A remote access client (telecommuter, mobile user, or extranet consumer-to-business) connects over DSL, cable, or a POP to the Internet and then to the central site router.
Remote access VPNs are targeted to mobile users and home telecommuters. In the past,
corporations supported remote users via dial-in networks, and access to the corporate network
often necessitated a toll or toll-free call. With the advent of VPNs, a mobile user can use a dial-
up or broadband connection to their ISP and then use IPSec to access the corporation via the
Internet. Remote access VPNs support the needs of telecommuters, mobile users, extranet
consumer-to-business, and so on. The ubiquity of the Internet, combined with VPN
technologies, allows organizations to cost-effectively and securely extend the reach of their
networks to anyone, anyplace, anytime.
VPNs have become the logical solution for remote access connectivity because they provide the
following:
Secure communications with access rights tailored to individual users including employees,
contractors, and partners
Enhanced productivity by extending corporate network and applications
Reduced communications costs and increased flexibility
Figure: Site-to-site VPNs. A remote site connects over DSL, cable, or a POP to the Internet and to the central site router, supporting intranet and business-to-business extranet connections.
Site-to-site VPNs can be used to connect corporate sites. With Internet access, leased lines and
Frame Relay lines can be replaced with a site-to-site VPN for network connection. VPNs can
support company intranets and business partner extranets. A site-to-site VPN is an extension of
the classic WAN.
Firewall-Based VPN Solutions
Figure: Firewall-based VPN. A remote site connects across the Internet to the central site firewall, which fronts the corporate intranet.
The last solution is based on the capabilities of existing firewalls that can support both remote
access and site-to-site VPN requirements. Firewall-based VPN solutions are chosen more for
management reasons than for technical ones. The deciding question is who manages the VPN
network: the owner or the service provider. If corporate security manages the VPN network, a
firewall-based VPN may be the VPN solution of choice. Corporations can enhance their
existing firewall systems to support VPN services.
Three product groups support VPN technology. These are shown in the left column of the table
in the figure. The top row of the matrix shows the two VPN applications. You can select the
most appropriate product using this matrix. For example, if your primary requirement is for a
site-to-site VPN that allows for some remote access, a VPN-enabled router is the appropriate
product choice. Similarly, if the primary need is to provide remote access VPN with some site-
to-site connectivity, a VPN 3000 Series concentrator is the product of choice. The VPN
Products table provides details of available product choices.
VPN Products
Dedicated VPN: Cisco VPN 3000 Series concentrators for remote access; Cisco 7200 Series routers
VPN-enabled router series: Cisco SOHO 70 Series and 800 Series routers; Cisco 1700 Series and 2600 Series routers; Cisco ISR 1800 Series, 2800 Series and 3800 Series routers; Cisco 7200 Series and 7400 Series routers
Remote Access VPNs: VPN 3000 Series Concentrator
Figure: Remote access clients reach the VPN 3000 Series Concentrator through a POP and the Internet.
The Cisco VPN 3000 Series concentrator provides a family of purpose-built, remote access
VPN platforms and VPN Client software that incorporates high availability, high performance,
and scalability with the most advanced encryption and authentication techniques available
today. The Cisco VPN 3000 Series concentrator is unique to the industry because it is the only
scalable platform to offer field-swappable and customer-upgradeable components. These
components, called Scalable Encryption Processing (SEP) modules, enable companies to easily
add capacity and throughput.
The Cisco VPN Client software with unlimited distribution licensing is provided with all
versions of the Cisco VPN 3000 Series concentrator. The Cisco VPN 3000 Series concentrator
is available in redundant or load-balancing configurations, which enables customers to build the
most robust, reliable, and cost-effective VPNs possible.
The Cisco VPN 3002 Hardware Client is a network appliance that is used to connect small
office home office (SOHO) LANs to the VPN. This appliance comes in either a single port or
eight-port switch version. The VPN 3002 Hardware Client replaces traditional VPN Client
applications on individual SOHO computers.
Concentrators, Cisco VPN-enabled routers and PIX Security Appliances can communicate with
three types of IPSec clients:
The Certicom IPSec Client: This client is a wireless client that is loaded on wireless
personal digital assistants (PDAs) such as the Palm operating system, HP Jornada, Compaq
iPAQ, and so on.
The Cisco VPN Software Client: This client is a software client that is loaded on an
individual PC.
The Cisco VPN 3002 Hardware Client: This client is a standalone client that is located in
small offices and home offices.
Scalable Site-to-Site VPN Router Solutions
Figure: A branch office router connects to the main office router across the Internet.
Site-to-site VPNs provide cost benefits relative to private WANs and enable new applications
such as extranets. However, a site-to-site VPN is still an end-to-end network and is subject to
the same requirements that exist in the private WAN: scalability, reliability, security,
multiprotocol support, and so on. Because VPNs are built on a public network infrastructure, they have
additional requirements such as heightened security and advanced quality of service (QoS)
capabilities, and a set of policy management tools to manage these additional features.
The Cisco suite of VPN-enabled routers covers a range of VPN applications, from telecommuter
applications using the Cisco 800 Series routers to enterprise headquarters applications using the
Cisco 3745 Router. VPN-enabled routers provide VPN solutions for hybrid VPN environments
where modularity, port density, and flexibility are required for private WAN aggregation and
other classic WAN applications. Cisco IOS Software running in Cisco routers combines rich
VPN services with industry-leading routing to deliver a comprehensive solution. These Cisco
VPN-enabled products provide high performance for site-to-site, intranet, and extranet VPN
solutions.
Client Support
Figure: A secure VPN session from the client to the corporate web server and file server.
The Cisco VPN Client is simple to deploy and operate, and allows organizations to establish
end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or
teleworkers. This thin-design IP security (IPSec) implementation is compatible with all Cisco
VPN products.
The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require
little user intervention. The Cisco VPN Client supports Windows 98, ME, NT 4.0, 2000, XP;
Linux (Intel); Solaris (UltraSparc 32- and 64-bit); and Mac OS X 10.1 and 10.2. The Cisco
VPN Client is compatible with the following Cisco products: Cisco VPN 3000 Series
Concentrators, Cisco IOS Software releases 12.2(8)T and higher, and Cisco PIX Software
version 6.0 and higher.
The Cisco VPN Client is included with all models of Cisco VPN 3000 Concentrators and most
Cisco PIX 500 Security Appliances.
Cisco VPN Windows Software Client
The Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for
secure connectivity for mobile employees or teleworkers. This thin-design IPSec
implementation is compatible with all Cisco VPN products and is simple to deploy and operate.
The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require
little user intervention. It supports the Cisco Easy VPN capabilities, which deliver uniquely
scalable, cost-effective, and easy-to-manage remote access VPN architectures that eliminate the
operational costs associated with maintaining a consistent policy and key management method.
Figure: Firewall feature modes. The concentrator asks the client "Are You There (AYT)?" across the Internet and the client answers yes; the concentrator pushes the Centralized Protection Policy (CPP) to the connected client.
The Cisco VPN Client (Windows) offers support for a firewall feature. The firewall feature is
designed to enhance security for Microsoft Windows-based PCs running the Cisco IPSec Client
Release 3.5 and higher. The feature is applied in one of the following three modes:
Are you there (AYT): For security reasons, a network administrator may require remote
PCs to be running a firewall application before allowing VPN tunnels to be built. The AYT
feature verifies the presence of a firewall and reports that information back to the
concentrator. Depending on the PC response, the concentrator can permit or deny the IPSec
tunnel for that PC.
Stateful firewall (always on): The stateful firewall module can only be enabled or
disabled by the remote client. With this mode, a default policy is loaded on the firewall.
The default firewall filter blocks all traffic inbound (to the client) that is not related to an
outbound session (from the client). Once the user enables the stateful firewall, it is always
on, even when there are no established VPN tunnels.
Centralized protection policy (CPP): Enables network administrators to define a set of
rules (policies) to allow or drop traffic on connected VPN Clients. These policies are
pushed from the concentrator to the Cisco VPN Client (Windows) at connection time. The
VPN Client passes this policy to the firewall module on the client PC. The concentrator can
push policy to the Cisco Integrated Client (CIC) firewall and to the Zone Labs ZoneAlarm and
ZoneAlarm Pro firewall applications. CPP is only enforced while the Cisco VPN Client is
connected.
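The stateful default filter and the CPP rules described above, as an added Python model (not Cisco code). The rule format, first-match semantics and the ordering of pushed CPP rules ahead of the default filter are assumptions; the packets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (to the client PC) or "out" (from the client PC)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

    def remote(self) -> Tuple[str, int]:
        """Address and port of the far end, whichever way the packet travels."""
        return (self.dst, self.dport) if self.direction == "out" else (self.src, self.sport)

    def local_port(self) -> int:
        return self.sport if self.direction == "out" else self.dport

    def session_key(self) -> Tuple[str, str, int, str, int]:
        """Normalised 5-tuple so that a reply matches the outbound session that caused it."""
        if self.direction == "out":
            return (self.proto, self.src, self.sport, self.dst, self.dport)
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class CppRule:
    """One Centralized Protection Policy rule; first matching rule wins (assumed)."""
    action: str                       # "allow" or "drop"
    direction: str                    # "in", "out" or "any"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    remote: str                       # remote network in CIDR notation, or "any"
    remote_port: Optional[int] = None # remote port, None for any
    local_port: Optional[int] = None  # port on the client PC, None for any

    def matches(self, p: Packet) -> bool:
        remote_ip, remote_port = p.remote()
        if self.direction not in ("any", p.direction) or self.proto not in ("any", p.proto):
            return False
        if self.remote != "any" and ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote):
            return False
        if self.remote_port is not None and self.remote_port != remote_port:
            return False
        return self.local_port is None or self.local_port == p.local_port()


class ClientFirewall:
    def __init__(self, stateful_enabled: bool, cpp: Optional[List[CppRule]] = None,
                 vpn_connected: bool = False) -> None:
        self.stateful_enabled = stateful_enabled   # "always on" once the user enables it
        self.cpp = cpp or []                       # rules pushed by the concentrator at connect time
        self.vpn_connected = vpn_connected
        self._sessions: Set[Tuple[str, str, int, str, int]] = set()

    def cpp_decision(self, p: Packet) -> Optional[str]:
        if not self.vpn_connected:
            return None   # CPP is enforced only while the VPN Client is connected
        for rule in self.cpp:
            if rule.matches(p):
                return rule.action
        return None

    def filter(self, p: Packet) -> str:
        decision = self.cpp_decision(p)   # assumed order: pushed policy before the default filter
        if decision is not None:
            return decision
        if not self.stateful_enabled:
            return "allow"
        key = p.session_key()
        if p.direction == "out":
            self._sessions.add(key)       # remember the outbound session
            return "allow"
        # default filter: inbound traffic passes only if related to an outbound session
        return "allow" if key in self._sessions else "drop"
```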
Cisco VPN Software Clients for Linux, Solaris and Mac
Figure: The clients provide certificate management, profile management, connection management, and log management.
The Cisco VPN Client software base has expanded to include Linux, Solaris, and Mac
operating systems. The system requirements for Linux, Solaris and Mac are listed in the
System Requirements table.
System Requirements
Linux: Red Hat version 6.2 Linux (Intel), or compatible distribution, using kernel version 2.2.12 or later
Solaris UltraSPARC: 32-bit or 64-bit Solaris kernel operating system, version 2.6 or later
Mac: Mac OS X version 10.1.0 or later
Cisco VPN 3002 Hardware Client
Figure: Cisco VPN 3002 Hardware Client panels showing the power, public, private, reset, and console connectors.
The Cisco VPN 3002 Hardware Client has built-in client software. This feature enables the
VPN 3002 Hardware Client to emulate the Cisco VPN 3000 Software Client. With the VPN
3002 Hardware Client, you can plug in remote site PCs instead of having to load the Cisco
VPN Client Software or additional applications on remote site PCs.
There are two versions of the Cisco VPN 3002 Hardware Client:
3002: One private and one public interface
3002-8E: One public interface, and the private interface is a built-in 8-port 10/100BaseT
Ethernet switch (the switch is locked in, not configurable), with Auto MDIX, which eliminates
crossover cables
There are two modes of operation for the Cisco VPN 3002 Hardware Client:
In client mode, the hardware client uses port address translation (PAT) to hide its private
network. PCs connected behind the VPN 3002 Hardware Client are invisible to the outside.
In network extension mode, the PCs connected behind the VPN 3002 Hardware Client are
uniquely addressable behind this hardware client. Most companies use the VPN 3002
Hardware Client in the network extension mode because it enables the benefits of a site-to-
site VPN.
Choosing a VPN Client
This topic describes how to choose between the VPN Software Client or 3002 Hardware Client
depending on the requirements.
You must decide which Cisco VPN Client to employ in the network. You can employ a
hardware client, software client, or both. The two following fictitious companies are
characterized to better explain the clients:
Delicious Donuts: If you have a customer who wants to take advantage of the savings of a
VPN and they have 10,000 small office/home office (SOHO) sites within the US, you
would want to choose the Cisco VPN 3002 Hardware Client. The Cisco VPN Software
Client is built into this hardware client. The VPN Software Client can be pre-configured
and sent to remote offices where it can be plugged in to the local LAN and is ready to go.
The VPN 3002 Hardware Client supports multiple devices on the local LAN, and no
applications must be loaded on any of the local PCs. The VPN 3002 Hardware Client is
smart enough to launch a tunnel for any traffic bound for the corporate network.
MetaRay System Engineers: You have a company that has system engineers (road
warriors) who need to call back to the home office while on the road. To do so, they would
use the Cisco VPN Software Client, because the system engineer can load this software
client on the PC and launch it only when it is necessary. The Cisco VPN 3002 Hardware
Client is not feasible because the system engineer would need to physically carry it
wherever they may be.
Certicom IPSec VPN Client
Figure: A Certicom IPSec VPN Client on a wireless device connects to the corporate network.
Certicom offers technology through the original equipment manufacturer (OEM) model of
embedding security solutions in a wide variety of third-party products. Certicom has implemented
an IPSec client to run on cell phones, personal digital assistants (PDAs), and similar wireless
appliances. Standard IPSec is very CPU-intensive on these devices: Diffie-Hellman (DH)
groups 1 and 2 take minutes to generate a key. Because of this, Certicom developed DH Group 7,
Elliptic Curve Cryptography (ECC) support, to provide a key that can be generated in a short
time (less than five seconds).
You must have the following to use Certicom VPN Client support:
Certicom VPN Client software
ECC (DH Group 7) protocol
A concentrator to terminate an IPSec client-to-LAN tunnel
However, the Certicom Client does not support load balancing when load balancing requires
the client to accept and interpret IKE redirect messages.
Cisco VPN Client Smartcard Support
This topic describes how the Cisco VPN Client supports Smartcard technologies.
Figure: A digital certificate stored on a Smartcard is used to authenticate the user across the Internet.
A Smartcard can be used to store information, such as a digital certificate. Most digital
certificates are stored on a computer, but with a Smartcard, you can bring your authentication
with you (the user, not just the computer, can be authenticated). To use a Smartcard, a user
must have a Smartcard reader and driver software required to support the Smartcard reader
installed on their computer. The Smartcard is inserted into the reader and the user provides a
PIN to gain access to the card. Smartcards do not replace digital certificates; they act as a
secure and portable storage mechanism for digital certificates. The Cisco VPN Client
(Windows) supports Gemplus, Aladdin, and Activcard Smartcards.
Summary
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Which of the following type of VPN networks is best when corporate security manages
the VPN network? (Source: Cisco IPSec VPNs)
A) remote access VPN network
B) site-to-site VPN network
C) firewall-based VPN network
D) IPSec VPN
Q2) If the primary role is to perform as a remote access VPN with a few site-to-site
connections, which of the following products is the best choice? (Source: Cisco IPSec
VPNs)
A) VPN-enabled router
B) PIX Security Appliance
C) Cisco VPN 3000 Series concentrator
E) Cisco VPN 3002
Q3) What are the primary roles of Cisco VPN concentrators and VPN-enabled routers?
(Source: Cisco IPSec VPNs)
Q4) What Cisco products are supported by the Cisco VPN Client? (Source: Cisco VPN
Software Client)
Q5) Describe the are you there (AYT) firewall feature of the Cisco VPN Client. (Source:
Cisco VPN Software Client)
Q6) What are the uses for the two modes of operation for a Cisco VPN 3002 Hardware
Client? (Source: Cisco VPN 3002 Hardware Client)
Q7) Explain the use of a Smartcard to store digital certification information. (Source: Cisco
VPN Client Smartcard Support)
Q2) C
Q3) VPN concentrators can be configured to provide site-to-site VPNs, they are best suited to support remote
access VPNs. Site-to-site VPN requirements are best met using VPN-enabled routers.
Q4) The Cisco VPN Client supports Cisco VPN 3000 Series Concentrators, Cisco IOS Software releases
12.2(8)T and higher, and Cisco PIX Software version 6.0 and higher.
Q5) The AYT feature verifies that remote PCs are running a firewall before allowing a VPN connection.
Q6) Unlike most digital certificates that are stored on a computer, with a Smartcard, you bring your
authentication with you (the user, not just the computer, can be authenticated). To use a Smartcard, a user
must have a Smartcard reader and driver software required to support the Smartcard reader installed in
their computer. When a Smartcard is inserted in to the reader, the user must know a PIN to gain access to
the card. Smartcards do not replace digital certificates; they act as a secure and portable storage mechanism
for them.
Q7) Client mode is used to hide the private network. The network extension mode allows hosts that are
connected behind the client to be addressable, thus providing the benefits of a site-to-site VPN.
Lesson 3
Overview
Integrated Web-based management on Cisco VPN 3000 Series concentrators provides a simple
interface to configure and monitor all remote-access users. This lesson explains how to
complete basic configuration tasks with the Quick Configuration feature embedded in the Cisco
VPN 3000 Concentrator Series Manager.
Objectives
Upon completing this lesson, you will be able to configure a Cisco VPN 3000 Series
concentrator for remote access using the Quick Configuration feature. This ability includes
being able to meet these objectives:
Describe how a remote-access VPN can be implemented with the Cisco VPN 3000 Series
concentrator and the Cisco VPN Software Client
Complete the Quick Configuration tasks using the Cisco VPN 3000 Concentrator Series
Manager
Describe the Cisco VPN 3000 Concentrator Series Manager GUI
Implementing a Remote Access VPN
This topic describes how a remote-access VPN can be implemented with the Cisco VPN 3000
Series concentrator and the Cisco VPN Software Client.
Figure: Telecommuters connect through an Internet service provider to the corporate file server.
Consider the following scenario. Remote users need to dial into the corporate office and access
e-mail, corporate presentations, order entry, and engineering. In addition, Corporate
Information Services wants remote users to access corporate resources fast, inexpensively, and
as securely as possible.
Implementing a remote-access virtual private network (VPN) with the Cisco VPN 3000 Series
concentrator and the Cisco VPN Software Client is the right choice. A remote-access VPN
enables remote users to access the corporate resources they require. With this choice, Corporate
Information Services can meet their speed, expense, and security requirements.
IPSec Client-to-LAN Components
Figure: Client-to-LAN components. A telecommuter running the Cisco VPN Client uses PPP dial access to an ISP, crosses the Internet, and terminates on the Cisco VPN 3000 Series Concentrator in front of the application server.
Figure: Client-to-LAN addressing. The telecommuter's network adapter (NIC) has public IP address 192.168.1.5 and a VPN private (virtual) IP address; the concentrator's public interface is 172.26.26.1; the application server is 10.0.1.10. Data from client address 10.0.1.20 to server 10.0.1.10 is carried in ESP inside an outer IP header from 192.168.1.5 to 172.26.26.1.
In the figure, a telecommuter needs to access information on the corporate server, with an IP
address of 10.0.1.10. The source address is the virtual IP address of the client, (10.0.1.20). The
concentrator or the Dynamic Host Configuration Protocol (DHCP) server usually supplies
virtual IP addresses to the software client, which gives the client the appearance of being
resident on the VPN.
Any data flowing from the server to the client must be protected as it traverses the Internet.
Therefore, information flowing between the server and the software client is encrypted,
authenticated, and encapsulated using the Encapsulating Security Payload (ESP) header to
maintain confidentiality and data integrity.
However, this practice presents an issue. If the payload is encapsulated and encrypted, the
routers in the Internet are unable to read the source and destination addresses of the packet and
are unable to route the packet. To solve this problem, tunnel mode is used with an additional IP
header added to the ESP-encapsulated data. In this way, client-to-server data is sent over the
Internet using an IP-in-IP encapsulation. The outside IP header is used to route the information
through the network using a routable address. The source address is that of the network interface
card (NIC) in the client's PC. The destination address is the public interface of the concentrator.
Upon receipt, the concentrator strips the outer IP header, decrypts the data, and forwards the
packet according to the inside IP destination address.
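The tunnel-mode IP-in-IP encapsulation described above, as an added Python example (not Cisco code) using the addresses from the figure: the inner packet from 10.0.1.20 to 10.0.1.10 is wrapped in ESP and an outer header from 192.168.1.5 to 172.26.26.1, an Internet router sees only the outer header, and the concentrator strips it and forwards by the inner destination. The integrity key and application data are constructed, and the ESP encryption step is left out so that both headers remain readable.

```python
import hashlib
import hmac
import socket
import struct

CLIENT_NIC = "192.168.1.5"     # outer source: the client PC's NIC address
CONC_PUBLIC = "172.26.26.1"    # outer destination: concentrator public interface
CLIENT_VIRTUAL = "10.0.1.20"   # inner source: virtual address given to the client
SERVER = "10.0.1.10"           # inner destination: corporate application server
IPPROTO_ESP = 50
NEXT_HEADER_IPV4 = 4           # ESP next-header value for IP-in-IP (tunnel mode)
ICV_LEN = 12                   # HMAC-SHA1-96 integrity check value
AUTH_KEY = b"constructed-example-key"   # in practice derived in IKE phase 2


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with no options and a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def build_inner_packet(data: bytes, proto: int = 6) -> bytes:
    """The packet the client really wants to send: virtual address to server."""
    return ipv4_header(CLIENT_VIRTUAL, SERVER, proto, len(data)) + data


def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int) -> bytes:
    """Wrap the inner packet in ESP and an outer IP header routable across the Internet.
    Encryption stand-in: real ESP encrypts `inner` with the SA's cipher; here it is left
    in the clear so the two headers stay readable. Trailer: pad length 0, next header 4."""
    body = struct.pack("!II", spi, seq) + inner + struct.pack("!BB", 0, NEXT_HEADER_IPV4)
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(CLIENT_NIC, CONC_PUBLIC, IPPROTO_ESP, len(esp)) + esp


def internet_router_view(pkt: bytes) -> tuple:
    """Routers in the Internet see only the outer header: NIC address to concentrator."""
    outer = parse_ipv4(pkt)
    return (outer["src"], outer["dst"], outer["proto"])


def concentrator_receive(pkt: bytes, expected_spi: int) -> dict:
    """Strip the outer header, check the ICV and SPI, and forward by the inner destination."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_ESP or outer["dst"] != CONC_PUBLIC:
        raise ValueError("not an ESP packet for this concentrator")
    body, icv = outer["payload"][:-ICV_LEN], outer["payload"][-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet altered in transit")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != expected_spi:
        raise ValueError("no SA for SPI %d" % spi)
    pad_len, next_hdr = struct.unpack("!BB", body[-2:])
    if next_hdr != NEXT_HEADER_IPV4:
        raise ValueError("not tunnel mode")
    inner = parse_ipv4(body[8:len(body) - 2 - pad_len])
    return {"seq": seq, "from": inner["src"], "forward_to": inner["dst"], "data": inner["payload"]}
```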
Cisco VPN Software Client for Windows
Figure: The Cisco VPN Software Client installed on a Windows system.
Recall that the Cisco VPN Software Client for Windows works with the concentrator to create a
secure connection, called a tunnel, between your computer and the private network. Internet
Key Exchange (IKE) and IPSec tunneling protocols are used to make and manage the secure
connection.
Some of the operations that the Cisco VPN Software Client for Windows performs may be
invisible to you. These operations include the following:
Negotiating tunnel parameters such as addresses, algorithms, lifetime, and so on
Establishing tunnels according to the parameters
Authenticating users through usernames, group names, passwords, and digital certificates
Establishing user access rights such as hours of access, connection time, allowed
destinations, allowed protocols, and so on
Managing security keys for encryption and decryption
Establishing the IPSec session
Authenticating, encrypting, and decrypting data through the tunnel
Configuration Tasks
Step 1 From the console, set the system time, date, and time zone.
Step 2 From the console, configure the VPN concentrator Ethernet 1 interface to your private network.
Step 3 Configure other Ethernet interfaces.
Step 4 Enter system identification information.
Step 5 Specify tunneling protocols and encryption options.
Step 6 Specify methods for assigning IP addresses to clients as a tunnel is established.
Step 7 Choose and identify the user authentication server.
Step 8 Populate the internal authentication server databases.
Step 9 Change the admin password for security.
Step 10 Save the configuration file.
When the concentrator is powered on for the first time, the factory default configuration boots
up and a Quick Configuration option is offered. The data requested by the Quick Configuration
mode is enough to make the concentrator operational. Once you have the basic configuration
entered through this mode, you can fine-tune the configuration through normal menu options.
The VPN Concentrator Series Manager (also known as the Manager) is an HTML-based
interface that lets you configure, administer, monitor, and manage the concentrator with a
standard web browser. To use it, you need only to connect to the concentrator using a PC and
browser on the same private network as the concentrator.
The initial configuration requires Steps 1 and 2 to be completed from the console.
Step 1 From the console, set the system time, date, and time zone.
Note IP addresses are not preprogrammed into the concentrator at the factory. Use the console
port to program the concentrator's private IP address. The serial console port needs to be
configured for 9600 bps, 8 data bits, no parity, and 1 stop bit (8N1). When the addresses have
been programmed, the operator can access the concentrator via the browser.
Step 2 From the console, configure the concentrator Ethernet 1 interface to your private
network. From this point you can use a browser to complete Quick Configuration
with the VPN 3000 Concentrator Series Manager. Although you can continue with
the console, we recommend using a browser.
Once these steps are completed, the concentrator is rebooted, and options for continuing the
configuration using the CLI or the Quick Configuration option are presented. The following
steps can be completed using Quick Configuration and its GUI:
Step 3 Configure the other Ethernet interfaces that are connected to a public network or an
additional external network.
Step 4 Enter system identification information: system name, date, time, DNS, domain
name, and default gateway.
Step 5 Specify tunneling protocols and encryption options.
Step 6 Specify methods for assigning IP addresses to clients as a tunnel is established.
Step 7 Choose and identify the user authentication server: the internal server, RADIUS,
Windows NT Domain, SDI, or Kerberos or Active Directory.
Step 8 If using the internal authentication server, populate the internal user database.
Once Steps 1 and 2 have been completed and the concentrator has been rebooted, the screen
shown in the figure will appear. At this point, the concentrator can be configured via Quick
Configuration or via the main menu. This lesson focuses on the Quick Configuration option.
Quick Configuration enables you to configure the minimum parameters for operation and
automatically enables remote IPSec client connections via an ISP for a single user group. The
main menu is used to add additional IPSec user groups and to configure all features
individually. Using Quick Configuration, an IPSec remote access application can be
programmed by accessing six windows. Using the main menu, the same application requires
the operator to access 12 or more windows.
Note You can run Quick Configuration only once. You must reboot to the factory default
configuration to run it again.
Step 3 Configure IP Interfaces
In this example, the private LAN interface was initially configured using the CLI. To configure
the public LAN interface (toward the Internet), click the public interface hyperlink to access the
public interface configuration window.
The figure contains an example of the first Quick Configuration window. It displays the current
configuration of the following IP interfaces:
Private (Ethernet 1): Interface toward the internal network
Public (Ethernet 2): Interface toward the public network (Internet)
External (Ethernet 3): Interface toward the external network or DMZ
The window displayed in the figure is used to configure the public IP interface. The public IP
interface can be configured in one of the following three ways: disabled, set as a DHCP client,
or configured to use a static IP address. The public IP interface parameters are as follows:
Disabled radio button: This radio button disables the interface.
DHCP Client radio button: This radio button enables this interface and uses DHCP to
obtain an IP address. In the System Name field, you can enter a name (such as VPN01 for
the concentrator). This name must uniquely identify this device on your network.
Static IP Addressing radio button: This radio button enables this interface and sets the
static IP address. The IP Address field is where the IP address for this interface is entered.
Use dotted decimal notation (for example, 192.168.1.5). Ensure that no other device is
using this address on the network. The Subnet Mask field is where the subnet mask for this
interface is entered. Use dotted decimal notation (for example, 255.255.255.0). The
Manager automatically supplies a standard subnet mask appropriate for the IP address you
just entered. For example, the IP address 192.168.1.5 is a Class C address, and the standard
subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is
not allowed.
Public Interface check box: A public interface is an interface to a public network, such as
the Internet. For example, you must configure a public interface before you can configure
NAT and IPSec LAN-to-LAN. You should designate only one concentrator interface as a
public interface. If the interface is a public interface, check the Public Interface check box.
MAC Address field: This field displays the MAC address for this interface.
Filter drop-down menu: Click this menu arrow and choose the public (default) filter, which
allows only non-source-routed inbound and outbound tunneling protocols and Internet
Control Message Protocol (ICMP). The public filter is the default filter for Ethernet 2
(Public Interface).
Speed drop-down menu: Keep the default value to let the concentrator automatically
detect and set the appropriate speed, either 10 or 100 Mbps (default). Ensure that the port
on the active network device (hub, switch, router, and so on) to which you connect this interface
is also set to automatically negotiate the speed. Otherwise, choose the appropriate fixed
speed.
Maximum transmission unit (MTU) field: The MTU value specifies the packet size, in
bytes, for the interface. Valid values range from 68 to 1500. The default value, 1500, is the
MTU for Ethernet.
Step 5 Specify Tunneling Protocols and Encryption Options
[Figure: IPSec tunnel across the Internet to the concentrator; a DHCP server at 10.0.1.10 supplies the client's DHCP address]
In the remote access PC, there are two IP addresses: the NIC address and the virtual IP address.
The Configuration>Quick>Address Assignment window allows you to define how the remote
PC receives the second IP address. You must choose one of four possible methods for obtaining
the virtual IP address:
Client Specified: This method enables the client to specify its own IP address. For
maximum security, it is recommended that you control IP address assignments and not use
the client-specified IP addresses.
Per User: This method assigns IP addresses retrieved from an authentication server on a
per-user basis. If you are using an authentication server (external or internal) that has IP
addresses configured, this method is recommended.
DHCP: This method uses the DHCP server to assign IP addresses.
Configured Pool: This method uses the concentrator to assign IP addresses from an
internally configured IP address pool.
Step 7 Select the Authentication Server
[Figure: user authentication by the Cisco VPN 3000 Series Concentrator against a Windows NT Domain server (10.0.1.10) for a client connecting over the Internet]
Before remote users can gain access to the private corporate network, they must be
authenticated. Use the Configuration>Quick>Authentication window to define the types of
authentication servers:
Server Type drop-down menu: The drop-down arrow lets you choose one of the
following:
RADIUS: An external Remote Authentication Dial-In User Service (RADIUS)
server.
Windows NT Domain: An external Windows NT domain server. Use the computer
name, not the domain name. If you are unsure of the NT server computer name,
refer to Start>Control Panel>System>Network Identification on your PC or ask your
network administrator.
SDI: An external Rivest, Shamir, and Adleman (RSA) Security Inc. SecurID server.
Kerberos/Active Directory: Supports authentication to Kerberos/Active Directory,
which is the default authentication mechanism in Microsoft Windows 2000 and
Windows XP.
Internal Server: The internal concentrator authentication server (a maximum of
100 groups and users).
Authentication Server Address field: The IP address of the Windows NT domain
authentication server (for example, 10.0.1.10).
Domain Controller Name field: The Windows NT primary domain controller hostname
for this server (for example, Boston). Do not use the domain name.
[Figure: group examples: Customer Service (/Base/Service), Finance (/Base/Finance), VP of Finance]
Within a corporation, not everyone has the same access requirements: customer service
engineers may require seven-day, 24-hour access; sales entry personnel need five-day, eight-
hour access; and contract help might need access from 9 a.m. to 5 p.m., with restricted server
access. The concentrator can accommodate different access and usage requirements. You can
define different rights and privileges on a group basis.
Within the concentrator user management configuration tree, there are three group categories:
Default group: The default group is a default template. The majority of the corporation
access rights and privileges are defined in this group.
Groups: Individual groups inherit the attributes of the default group, and you can then
customize rights and privileges to meet the needs of specific groups.
Users: An individual user may require a unique set of privileges.
By configuring the default group first, specific groups second, and users third, you can quickly
manage access and usage rights for large numbers of users.
Step 8 (Cont.) Populate Authentication Server Databases (Users and Groups)
Step 9 Set the Admin Password
The window shown in the figure is the last Quick Configuration window. It is used to change
the administrative password. To change the administrative password, enter information in the
following fields:
Password: Enter or edit the unique password for this administrator. The maximum number
of characters is 31. The field displays only asterisks.
Caution The default password that Cisco supplies is the same as the username. It is strongly
recommended that you change this password in a production environment. (Do not change
the password in the classroom environment.)
Verify: Re-enter the password to verify it. The field displays only asterisks.
When you are finished with the configuration window and click Apply, the configuration takes
effect immediately. Click the Save Needed icon to save the changes to memory. If you reboot
without saving, your configuration changes are lost.
[Figure: Manager screen with the Table of Contents in the left frame and the toolbar in the top frame]
The top frame contains the Cisco VPN 3000 Concentrator Series Manager toolbar. This toolbar
provides quick access to VPN 3000 Concentrator Series Manager functions.
The main frame displays the Cisco VPN 3000 Concentrator Series Manager window.
You can navigate the Cisco VPN 3000 Concentrator Series Manager using either the table of
contents (TOC) in the left frame or the toolbar at the top of the frame. To navigate from the
TOC, select a title in the left frame of the window, and the concentrator opens the Manager
window for that topic in the main frame.
The primary tool for navigating the VPN 3000 Concentrator Series Manager is the table of
contents in the left frame. The TOC provides access to the three major sections and
their many subsections:
Configuration: Setting all the parameters for the Cisco VPN 3000 Series concentrator that
govern its use and functionality as a VPN device:
Interfaces: Ethernet and power-supply interface parameters
System: Parameters for system-wide functions such as server access, address
management, IP routing, built-in management servers, event handling, and system
identification
User Management: Attributes for groups and users that determine their access to
and use of the VPN
Policy Management: Policies that control access times and data traffic through the
VPN via filters, rules, and IPSec Security Associations (SAs)
Tunneling and Security: Attributes for Point-to-Point Tunneling Protocol (PPTP),
Layer 2 Tunneling Protocol (L2TP), IPSec, Secure Shell (SSH) Protocol, SSL, and
WebVPN
Administration: Managing higher-level functions that keep the Cisco VPN 3000 Series
concentrator operational and secure, such as who is allowed to configure the system, what
software runs on it, and managing its digital certificates
Monitoring: Viewing routing tables, event logs, system light emitting diodes (LEDs) and
status, data on user sessions, and statistics for protocols and system functions
Summary
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) How can routers read IP addresses from encrypted and encapsulated data payloads?
(Source: Implementing a Remote Access VPN)
A) The AH includes the IP address in an unencrypted format.
B) An additional IP header is added to the ESP-encapsulated data containing the
source and final destination network addresses.
C) An additional IP header is added to the ESP-encapsulated data containing the
address of the network interface card (NIC) of the client PC and the public
interface of the concentrator.
D) Using IP-in-IP encapsulation, the concentrator does not need an IP address
before forwarding the packet according to the inside IP destination address.
Q2) The Quick Configuration process can be run as often as necessary. (Source:
Completing Quick Configuration of a Cisco VPN 3000 Series Concentrator)
A) True
B) False
Q3) In Quick Configuration, NAT and IPSec LAN-to-LAN can only be configured if the
Public Interface check box is checked. (Source: Completing Quick Configuration of a Cisco
VPN 3000 Series Concentrator)
A) True
B) False
Q4) Interface speeds default to 10 or 100 Mbps unless otherwise configured. (Source: Completing
Quick Configuration of a Cisco VPN 3000 Series Concentrator)
A) True
B) False
Q5) The concentrator can be configured to support PPTP, L2TP or IPSec, but not all three
simultaneously. (Source: Completing Quick Configuration of a Cisco VPN 3000 Series
Concentrator)
A) True
B) False
Q6) Group and user access is configured in the order default group, specific groups and
then users. (Source: Completing Quick Configuration of a Cisco VPN 3000 Series
Concentrator)
A) True
B) False
Lesson Self-Check Answer Key
Q2) B
Q3) A
Q4) A
Q5) B
Q6) A
Lesson 4
Overview
The Quick Configuration process described in the previous lesson allows you to configure the
basic operational settings of the concentrator. However, you have not yet configured group and
user parameters. Those settings are made using features in the configuration menus in the Cisco
VPN 3000 Concentrator Series Manager.
This lesson explains how to configure group and user parameters for a Cisco concentrator.
While this process can be done from the console, it is recommended you use the Cisco VPN
3000 Concentrator Series Manager. This lesson will show you how to use the tools in the
manager to complete the tasks needed to configure remote access.
Objectives
Upon completing this lesson, you will be able to configure user and group parameters on a
Cisco concentrator for remote access. This ability includes being able to meet these objectives.
Describe the characteristics and uses of the two types of preshared keys
Describe how Cisco concentrators check parameters to authenticate users and groups
Define two types of VPN network authentication
Explain how to activate IKE proposals to match client software authentication requirements
Describe how to configure base-group parameters included under the General and IPSec
tabs
Explain how to configure base-group IPSec parameters
Explain how to configure base-group parameters that apply to remote-access IPSec client
connections
Explain how to configure client parameters that will be pushed to clients during IPSec
tunnel creation
Explain how to configure the appropriate split tunneling policy for remote clients
Describe how to configure DNS server addresses to allow split tunneling
Pre-shared Keys
This topic describes the characteristics and uses of the two types of pre-shared keys.
[Figure: IPSec tunnel between peers 10.0.1.3 and 10.0.2.3, made up of IPSec SAs]
IPSec uses encryption technology to provide data confidentiality, integrity, and authenticity
between participating peers in a private network. IPSec provides secure tunnels between two
peers, such as two routers. These tunnels are sets of security associations (SAs) established
between two IPSec peers. SAs define which protocols and algorithms should be applied to
sensitive packets and specify the keying method to be used by the two peers.
You will also recall that an IPSec operation has five steps:
Type     Characteristics
Unique   Tied to a specific IP address; most secure type of key; impractical for VPNs
Group    Associated with a specific group of users; used for remote access VPNs; can be the
         Base Group or any other group; should be used to establish IKE and IPSec settings;
         can use internal or external databases
There are two methods of exchanging keys: using pre-shared keys or using a certificate
authority (CA). From a procedural perspective, it is easier to configure a Cisco concentrator
using pre-shared keys because the client only needs to know the address of the concentrator and
the shared secret key.
Remote access virtual private network (VPN) connections require both device and user
authentication. Normally, user authentication is achieved using Remote Authentication Dial-In
User Service (RADIUS) or Terminal Access Controller Access Control System Plus
(TACACS+), which can authenticate users through an internal database. Such internal
authentication requires a username and password for each user, as well as assigning each user
to a group that is used for IPSec device authentication. Once the devices have established
the IPSec tunnel, the user is prompted to enter a username and password to continue. Failure to
authenticate causes the tunnel to drop.
Device authentication can be established using pre-shared keys or digital certificates. With pre-
shared keys, the system administrator chooses the key and then shares that key with users or
other system administrators. In this lesson, two types of pre-shared keys will be considered:
Unique: A unique pre-shared key is tied to a specific IP address. A unique key is the most
secure type of key. Since the majority of ISPs use dynamically assigned IP addresses, it is
impractical for remote VPNs.
Group: Cisco concentrators use group pre-shared keys for remote access VPNs. A group
pre-shared key is associated with a specific group of users. The group can be the base
group or any other group that you define. It is good practice to use groups to establish IKE
and IPSec settings and to provide other capabilities that are unique to a specific set of users.
If you choose to use the Cisco concentrator internal database for user authentication, you
can assign your users to specific groups, which makes the process of managing pre-shared
keys much easier.
User and Group Authentication
This topic describes how Cisco concentrators check parameters to authenticate users and
groups.
Groups and users are core concepts in managing the security of VPNs and in configuring the
Cisco concentrator. Groups and users have attributes that are configured via parameters and
that determine their access to and use of the VPN. Users are members of groups, and groups
are members of the base group. If you do not assign a user to a particular group, that user is by
default a member of the base group.
Groups simplify system management. To streamline the configuration task, the concentrator
provides a base group that you configure first. The base-group parameters are those that are
most likely to be common across all groups and users. As you configure a group, you can
simply specify that it inherit parameters from the base group. Similarly, a user can inherit
parameters from a group. Thus, you can quickly configure authentication for large numbers of
users.
Of course, if you decide to grant identical rights to all VPN users, then you do not need to
configure specific groups. However, VPNs are seldom managed that way. For example, you
might allow a finance group to access one part of a private network, a customer support group
to access another part, and a management information system (MIS) group to access other
parts. Further, you might allow specific users within MIS to access systems that other MIS
users cannot access.
You can configure detailed parameters for groups and users on the concentrator internal
authentication server. External RADIUS authentication servers can also return group and user
parameters that match those on the concentrator. Other authentication servers do not, although
they can still authenticate users. The concentrator internal authentication server is adequate for a
small user base.
VPN 3000 Series Concentrator Model Maximum Number of Groups and Users (Combined)

Model   Maximum Groups and Users Allowed in the Internal Database
3005    100
3015    100
3020    250
3030    500
3060    1000
3080    1000
VPN Concentrator Authentication Order
IPSec tunnel-group parameters are the parameters of the IPSec group used to create the tunnel.
The IPSec group is configured on the internal server or on an external RADIUS server. If any
parameters are missing, the system looks at base-group parameters. For VPN 3002 Hardware
Client parameters, which enable or disable interactive hardware client authentication and
individual user authentication, the IPSec tunnel-group parameters take precedence over
parameters set for users and groups.
4. Base-group parameters.
Because of the way authentication occurs, it is recommended that groups and users be
configured in this order:
1. Base-group parameters
2. Group parameters
3. User parameters
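The inheritance described in this topic (a user inherits from its group, a group from the base group, and a user without a group is a base-group member) is easy to get wrong when a parameter is left unset at the wrong level. The following is an added illustration, not Cisco code: the parameter names, groups and users are constructed, and the resolution walks user, then group, then base group.

```python
"""Effective-parameter resolution for the user / group / base-group hierarchy
the lesson describes. Added example, not Cisco code; the parameter names and
the sample users and groups are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

INHERIT = None   # an unset parameter means "inherit from the next level up"


@dataclass
class Level:
    name: str
    params: Dict[str, object] = field(default_factory=dict)


# Constructed base group: every parameter needs a concrete value here,
# because it is the last place the lookup can fall back to.
BASE_GROUP = Level("Base Group", {
    "primary_dns": "10.0.1.10",
    "tunneling_protocols": ("IPSec",),
    "authentication": "Internal",
    "group_lock": False,
    "split_tunneling": "tunnel everything",
})

# Constructed groups: only overrides are stored; everything else inherits.
GROUPS = {
    "Finance": Level("Finance", {"authentication": "RADIUS", "group_lock": True}),
    "Training": Level("Training", {"split_tunneling": "split"}),
}

# Constructed users: (group name or None, user-level overrides).
USERS: Dict[str, Tuple[Optional[str], Level]] = {
    "joe": ("Training", Level("joe", {"split_tunneling": "tunnel everything"})),
    "ann": ("Finance", Level("ann", {})),
    "guest": (None, Level("guest", {})),   # no group: base-group member by default
}


def check_base_group(base: Level) -> None:
    """The base group cannot inherit from anything, so an unset parameter
    there would leave some user with no value at all."""
    missing = [k for k, v in base.params.items() if v is INHERIT]
    if missing:
        raise ValueError(f"base group leaves parameters unset: {missing}")


def resolve(username: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return (effective parameters, level each value came from) for a user,
    checking the user first, then the group, then the base group."""
    check_base_group(BASE_GROUP)
    group_name, user = USERS[username]
    chain = [user]
    if group_name is not None:
        chain.append(GROUPS[group_name])
    chain.append(BASE_GROUP)
    effective: Dict[str, object] = {}
    source: Dict[str, str] = {}
    for key in BASE_GROUP.params:
        for level in chain:
            value = level.params.get(key, INHERIT)
            if value is not INHERIT:
                effective[key] = value
                source[key] = level.name
                break
    return effective, source


if __name__ == "__main__":
    for name in USERS:
        eff, src = resolve(name)
        print(name, {k: f"{v} (from {src[k]})" for k, v in eff.items()})
```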
[Figure: group authentication against the concentrator internal server, followed by network authentication (Xauth), for a client connecting over the Internet]
Note With the original Cisco VPN Client version 2.5, Xauth was performed after IKE Phase 1 was
completed. Beginning with the Cisco VPN Client version 3.0, Xauth is performed during IKE
Phase 1. For the client to talk to the concentrator, the correct IKE proposals must be defined
for each Cisco VPN Client.
Activating Client Authentication
Before the concentrator can interface with clients, the appropriate IKE proposal must be
properly activated. This topic explains how to activate IKE proposals to match client software
authentication requirements.
[Figure: IKE Proposals window with Active Proposals and Inactive Proposals lists, matched against the 3002, 3.x or 4.x client, the 2.5 client, and the Certicom client]
The type of client resident on the remote PC is identified in the vendor identification field of an
IKE message. The IKE proposal on the concentrator must match the requirements of the client.
The concentrator can handle several types of remote clients: the Cisco VPN Client version 3.0
or higher, the Cisco VPN Client version 2.5, and the Certicom client. Before the concentrator
can interface with these clients, you must make sure that the appropriate IKE proposal is
configured, activated, and prioritized.
IKE proposals are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two
peers establish a secure tunnel within which they then negotiate the Phase 2 parameters. Use
the Configuration > System > Tunneling and Security > IPSec > IKE Proposals window to
activate IKE proposals.
In remote access connections, the client sends IKE proposals to the concentrator. The
concentrator functions only as the responder. As the responder, the concentrator checks the
active IKE proposal list, in priority order, to see if it can find a proposal that matches the
parameters in the proposed Security Association (SA) of the client. If a match is found, the
establishment of a tunnel continues. If no match is found, the tunnel is torn down.
Each IKE proposal in the IKE Proposals window is a template. The parameters assigned to
the template are applied to the individual remote connection.
As described, individual IKE templates are displayed under the Active Proposals column. By
selecting an IKE proposal and then clicking Modify, the administrator can view or modify the
individual parameters of the IKE proposal (template). Use the Configuration > System >
Tunneling Protocols > IPSec > IKE Proposals > Modify window to check that the IKE proposals
have the correct IKE parameters for a particular client type.
Clicking the Authentication Mode drop-down arrow allows you to choose the proper
authentication mode:
Pre-shared Keys (Xauth) for Cisco VPN Client version 3.0 or later applications
Pre-shared Keys for the Cisco VPN Client version 2.5.
Pre-shared Keys with DH7 for Certicom client applications
Clicking the Diffie-Hellman Group drop-down arrow allows you to choose the correct
DH group for each software client:
Group 1 (768 bits) for Cisco VPN Client version 2.5 clients using digital certificates
Group 2 (1024 bits) for Cisco VPN Client version 2.5 clients using pre-shared keys
Group 5 (1536 bits) for clients using Advanced Encryption Standard (AES)
encryption
Group 7 (Elliptic Curve Cryptosystem [ECC]) for the Certicom client
Clicking on the Encryption Algorithm drop-down arrow allows you to choose the proper
encryption algorithm from among DES-56, 3DES-168, AES-128, AES-192 (AES-192 is
not supported on either the Cisco VPN Software or Hardware Clients), and AES-256.
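The responder behaviour described above (walk the active list in priority order, accept the first proposal the client also offered, tear down on no match) is what decides whether a given client type can connect at all. The following is an added example, not Cisco code: the proposal names, the per-client offer lists and the record layout are constructed; the 3.x client's use of AES with group 5 and 3DES with group 2 is an assumption.

```python
"""Responder-side IKE Phase 1 proposal selection as the lesson describes it.
Added example, not Cisco code; proposal names and client offers are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    name: str
    auth_mode: str    # "psk", "psk-xauth", "psk-dh7" or "rsa" (the lesson's modes)
    dh_group: int     # 1, 2, 5 or 7
    encryption: str   # "DES-56", "3DES-168", "AES-128", "AES-192", "AES-256"
    hash_alg: str     # "MD5" or "SHA"

    def transform(self) -> Tuple[str, int, str, str]:
        """Everything except the display name takes part in matching."""
        return (self.auth_mode, self.dh_group, self.encryption, self.hash_alg)


# Constructed active list, highest priority first: the order the responder checks.
ACTIVE = [
    Proposal("AES128-SHA-XAUTH", "psk-xauth", 5, "AES-128", "SHA"),
    Proposal("3DES-MD5-XAUTH", "psk-xauth", 2, "3DES-168", "MD5"),
    Proposal("3DES-MD5-DH7", "psk-dh7", 7, "3DES-168", "MD5"),
]
# Constructed inactive list: configured, but never consulted during negotiation.
INACTIVE = [
    Proposal("3DES-MD5-NOXAUTH", "psk", 2, "3DES-168", "MD5"),
    Proposal("3DES-MD5-RSA-DH1", "rsa", 1, "3DES-168", "MD5"),
]

# Constructed offers per client type, following the lesson's authentication-mode
# and DH-group requirements (the 3.x client's cipher/group pairs are an assumption).
CLIENT_OFFERS = {
    "cisco-3.x": [
        Proposal("offer", "psk-xauth", 2, "3DES-168", "MD5"),
        Proposal("offer", "psk-xauth", 5, "AES-128", "SHA"),
    ],
    "cisco-2.5-psk": [Proposal("offer", "psk", 2, "3DES-168", "MD5")],
    "cisco-2.5-cert": [Proposal("offer", "rsa", 1, "3DES-168", "MD5")],
    "certicom": [Proposal("offer", "psk-dh7", 7, "3DES-168", "MD5")],
}


def select_proposal(active: List[Proposal], offered: List[Proposal]) -> Optional[Proposal]:
    """Return the first active proposal (priority order) the client also offered,
    or None, which the concentrator turns into a torn-down tunnel."""
    offered_transforms = {o.transform() for o in offered}
    for candidate in active:
        if candidate.transform() in offered_transforms:
            return candidate
    return None


def activate(active: List[Proposal], inactive: List[Proposal], name: str):
    """Move a configured-but-inactive proposal to the end of the active list
    (lowest priority). Returns the new (active, inactive) pair."""
    for p in inactive:
        if p.name == name:
            return active + [p], [q for q in inactive if q.name != name]
    raise KeyError(name)


def unsupported_by_cisco_clients(active: List[Proposal]) -> List[str]:
    """AES-192 is not supported on the Cisco software or hardware clients, so an
    active AES-192 proposal in the Cisco-client (Xauth) mode can never match."""
    return [p.name for p in active
            if p.encryption == "AES-192" and p.auth_mode == "psk-xauth"]


if __name__ == "__main__":
    for client, offers in CLIENT_OFFERS.items():
        chosen = select_proposal(ACTIVE, offers)
        print(client, "->", chosen.name if chosen else "no match, tunnel torn down")
```

Running the block shows the 2.5 pre-shared-key client failing until its non-Xauth proposal is activated, which is the check the Modify window is used for.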
Configuring Base-Group Parameters
This topic describes how to configure base-group parameters included under the General and
IPSec tabs.
[Figure: Base Group General tab, including the Tunneling Protocols section]
Base-group parameters streamline the configuration task and are likely to be common across all
groups and users. Groups can inherit parameters from this base group, and users can inherit
parameters from their group or the base group. You can override these parameters as you
configure groups and users. Users who are not members of a group are, by default, members of
the base group.
For example, the figure shows the screen that is used to configure general parameters including
security, access, performance, and protocols. Using the General tab, you can configure general
security, access, performance, and protocol parameters that apply to the base group. There are
three main sections in this window:
The top section defines access rights and privileges.
The center section is for Windows Internet Name Service (WINS) and Domain Name
System (DNS) information used by the client.
The bottom section defines the tunneling protocols that are supported by this group.
WINS and DNS information used by the client can be set as follows:
Primary DNS field: Enter the IP address of the primary DNS server for this group.
Secondary DNS field: Enter the IP address of the secondary DNS server for this group.
Primary WINS field: Enter the IP address of the primary WINS server for this group.
Secondary WINS field: Enter the IP address of the secondary WINS server for this group.
Scalable Encryption Processing (SEP) Card Assignment check boxes: These boxes
depend on concentrator model. It is recommended that you leave all four check boxes
selected (for redundancy).
Configuring Base-Group IPSec Parameters
If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General
Parameters tab, the next step is to select the Configuration > User Management > Base Group
Screen > IPSec Tab. This topic describes how to configure base-group IPSec parameters.
[Figure: IPSec tab, IPSec Parameters section; user authentication via a Windows NT Domain server for a client connecting over the Internet]
The IPSec tab enables you to configure IPSec parameters that apply to the base group. This
window is divided into two sections: IPSec Parameters and Remote Access Parameters.
[Figure: DPD exchange between client and server: received data resets the worry timer; when the timer expires a DPD message ("Are you there") is sent and answered with "Are you there ACK"]
Dead peer detection (DPD) messages enable VPN devices to detect tunnel failure on the
device located at the other end of a tunnel (for example, when you reboot one device and lose
an Internet connection). A worry metric determines how often a DPD message is sent in the
absence of data received from the IKE peer. When data is received, the worry timer is reset. If
the worry timer expires, a DPD message is sent. The worry timers for Cisco VPN 3000 Series
concentrator products are as follows:
For both the Version 3.0 or later software client and the hardware client, the worry timer is set
for 20 seconds.
For the concentrators, the worry timer is set for 5 minutes.
If you are configuring a group of mixed peers, and some of those peers support IKE keepalives
while others do not, enable IKE keepalives for the entire group. During IKE negotiation, each
client identifies whether DPD messages are supported. Both ends must support the
feature. The feature has no effect on the peers that do not support it.
Note To reduce connectivity costs, disable IKE keepalives if this group includes any VPN clients
connecting via ISDN lines. ISDN connections normally disconnect if the ISDN is idle.
However, the IKE keepalive mechanism prevents connections from idling out and
disconnecting.
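The worry-timer behaviour above (any data from the peer resets the timer; expiry sends a DPD message; the feature is silent toward peers that did not negotiate it) can be replayed against a timeline to see how the 20-second client setting and the 5-minute concentrator setting differ. This is an added example, not Cisco code: the event timeline is constructed, and restarting the timer after each DPD send is an assumption the lesson does not spell out.

```python
"""Replay of the DPD worry timer described in the lesson. Added example, not
Cisco code; the timeline is constructed and the post-send restart is assumed."""
from typing import List, Tuple

# Worry-timer values stated in the lesson, in seconds.
WORRY_TIMER_SECONDS = {
    "software_client": 20,    # Version 3.0 or later software client
    "hardware_client": 20,    # hardware client
    "concentrator": 300,      # 5 minutes
}

Event = Tuple[float, str]     # (time in seconds, "data" or "ack")


def dpd_schedule(role: str, events: List[Event], end_time: float,
                 peer_supports_dpd: bool = True) -> List[float]:
    """Return the times at which this peer sends a DPD "Are you there" message.

    "data" is traffic from the IKE peer and "ack" is a DPD reply; both reset the
    worry timer. If the peer did not advertise DPD during IKE negotiation the
    feature has no effect on it, so nothing is sent. After a DPD send the timer
    is assumed to restart from the send time."""
    if not peer_supports_dpd:
        return []
    worry = WORRY_TIMER_SECONDS[role]
    pending = sorted(events)
    i = 0
    last_activity = 0.0        # tunnel established at t = 0
    sent: List[float] = []
    while True:
        expiry = last_activity + worry
        # Deliver every peer event that arrives before the timer would fire;
        # each one pushes the expiry further out.
        while i < len(pending) and pending[i][0] <= expiry:
            t, kind = pending[i]
            if kind in ("data", "ack"):
                last_activity = t
                expiry = last_activity + worry
            i += 1
        if expiry > end_time:
            break
        sent.append(expiry)
        last_activity = expiry
    return sent


if __name__ == "__main__":
    # Constructed timeline: two data packets early on, then silence.
    quiet = [(5, "data"), (12, "data")]
    print("client   :", dpd_schedule("software_client", quiet, 100))
    print("with ack :", dpd_schedule("software_client", quiet + [(33, "ack")], 100))
    print("hub side :", dpd_schedule("concentrator", quiet, 100))
    print("no DPD   :", dpd_schedule("software_client", quiet, 100, peer_supports_dpd=False))
```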
Configuring Base-Group Remote Access
Parameters
If you select Remote Access, you must configure the Remote Access Parameters. This topic
describes how to configure base-group parameters that apply to remote-access IPSec client
connections.
Group Lock check box: Checking this check box locks users into a specific group. (For
example, RADIUS allows you to lock specific users to a group.) You can lock a user to a
group based on the organizational unit (OU) of a certificate or by using the RADIUS class
attribute OU = group name. For example, according to the RADIUS server, Joe is a
member of the Training group. If Joe tries to log in as a member of the IS group, which has
different access rights, the connection fails.
Authentication drop-down menu: In the concentrator, remote users are authenticated
twice. This parameter pertains to the private network authentication, which determines how
users within the group are authenticated and whether a Windows NT, SDI, or RADIUS
server will authenticate them.
Authorization Type drop-down menu: If members of this group need authorization in
addition to authentication, you can choose an authorization method. The following options
are available:
None: Do not authorize users in this group.
RADIUS: Use an external RADIUS authorization server to authorize users in this
group.
Lightweight Directory Access Protocol (LDAP): Use an external LDAP
authorization server to authorize users in this group.
Authorization Required check box: If you are using authorization, you can make it
mandatory or optional.
Mode Configuration
[Figure: the concentrator pushes WINS, DNS and virtual IP address parameters across the Internet to the client; a Windows NT Domain server is shown on the private network]
Recall that mode configuration allows all client configuration parameters to be passed to the
client. Most of the configuration issues in a remote access network originate at the remote PC.
There are a large number of parameters to be programmed on the remote user PC, and not
everyone can perform the needed changes. The Internet Engineering Task Force (IETF) IPSec
Working Group solved the issue with mode configuration. The end user or IT
department loads a minimum IPSec configuration in the end-user PC. During IPSec tunnel
establishment, the concentrator pushes the remaining information to the PC.
IPSec uses mode configuration to pass all configuration parameters, such as WINS and DNS IP
address information and virtual IP addresses, to a client. You must check the Mode
Configuration box to use mode configuration. Otherwise, those parameters, even if configured
with entries, are not passed to the client.
The WINS and DNS information is programmed in the Groups > General tab.
The virtual IP address and network mask originate at the concentrator, a DHCP server, or a
RADIUS server.
The virtual IP address source is configurable in the Configuration > System > Address
Management window.
Check the Mode Configuration check box to use mode configuration with IPSec clients (also
known as the Internet Security Association and Key Management protocol (ISAKMP)
Configuration Method or Configuration Transaction). This option exchanges configuration
parameters with the client while negotiating SAs. If you check this box, configure the desired
mode configuration parameters. If you ignore these boxes, they are checked by default. To use
split tunneling, this box must be checked. To use L2TP over IPSec do not check this box.
Configuring Client Configuration Parameters
This topic explains how to configure client parameters that will be pushed to clients during
IPSec tunnel creation.
[Figure: Client Config tab with Cisco Client Parameters, Microsoft Client Parameters and Common Client Parameters sections]
The figure shows three groups of client parameters that must be set. The three groups are as
follows:
Cisco client parameters
Microsoft client parameters
Common client parameters
Recall that the end user or IT department can load a minimum IPSec configuration in the end-
user PC. Using mode configuration, the concentrator pushes any and all necessary remaining
information to the PC during IPSec tunnel establishment.
The administrator can program client parameters under the Configuration > User Management
> Groups > Client Config tab.
During IPSec tunnel establishment, the concentrator pushes the software client information to
the PC. These parameters include a login banner, split tunneling, IPSec over User Datagram
Protocol (UDP), and so on.
The following Cisco VPN Client parameters can be set from the Client Config tab:
Banner field: When a client logs into the VPN, the banner that you enter in this field is
displayed. It can be up to 510 characters and can consist of multiple lines of text instead of
a single line (the text wraps). Enter a period (.) in the command line interface (CLI) to
finish the entry and set the banner. If you enter more than 510 characters, the software
client will see an error during login.
Allow Password Storage on Client check box: Password storage on the client is not
recommended for security purposes, because anyone with access to the workstation can then
connect as that user without knowing the password.
IPSec over UDP check box: IPSec packets are wrapped in UDP so that firewalls and routers
performing Network Address Translation (NAT) can pass them; ESP itself carries no port
numbers for a NAT device to translate.
IPSec over UDP Port field: To enable IPSec over UDP, a UDP port number must be
assigned.
IPSec Backup Servers drop-down menu: You can enable a hardware client to connect to
the central site when the primary central-site concentrator is unavailable. Configure backup
servers for a hardware client either on the hardware client or on a group basis at the
primary central-site concentrator. If you configure backup servers on the central-site
concentrator, that concentrator pushes the backup server policy to the Hardware Client in
the group.
Configuring Client Split Tunneling Policy
This topic explains how to configure the appropriate split tunneling policy for remote clients.
Figure: split tunneling options (encrypted tunnel from the client to the central site, clear text to www.news.com).
Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in
encrypted form, or to a network interface in clear text form. Packets not bound for destinations
on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel,
decrypted, and then routed to a final destination. Therefore, split tunneling eases the processing
load, simplifies traffic management, and speeds up untunneled traffic.
The administrator must decide which tunneling option is correct for each group of remote
clients. There are three tunneling options available to the network administrator:
Tunnel everything: Once an IPSec tunnel is established, all traffic is encrypted and sent
down a single tunnel.
Tunnel everything except local LAN traffic: Everything is encrypted and sent through
the tunnel except traffic destined for the local LAN. There are occasions when the remote
user needs to print out spreadsheets locally. For this group of users, tunneling everything
except local LAN traffic is the correct option.
Split tunneling: With split tunneling, a remote user can simultaneously send clear text to a
printer, download images from a web site, and send an encrypted report to headquarters.
Figure: Option 1, tunnel everything (all client traffic encrypted).
After the VPN tunnel is launched, all traffic is directed through the VPN tunnel. The Tunnel
everything option allows only IP traffic to and from the secure gateway and prohibits any IP
traffic to and from resources on the local network (for example, a printer, fax, or shared files
on another system). While the IPSec tunnel is established, any Internet-bound traffic is forced
through the tunnel to the central site.
The Tunnel everything radio button is found within the Split Tunneling Policy row in the
Group > Client Config tab.
Split Tunneling Option 2: Local LAN
Figure: tunnel-everything mode with the clear text local LAN option.
The local LAN access option, on the other hand, provides access to resources on a local LAN
while the VPN tunnel is established. The local LAN addresses are pushed to the software client
and added to the access control list (ACL) of the software client driver. These bypass addresses
are matched before traffic is handed to the tunnel for encryption: any data bound for, or received
from, the addresses specified in the mode configuration message is sent or received in the clear.
This allows access to the local LAN while the IPSec tunnel is running; all other traffic is
encrypted and forwarded to the central site. For security purposes, the user can disable local
LAN access when using an untrusted local network (for example, in a hotel), because any host
on that LAN can otherwise reach the client in the clear while the client is also connected to the
corporate network.
Step 1 Enable this feature by choosing the Allow the networks in the list to bypass the
tunnel radio button, which is located within the Split Tunneling Policy row.
Step 2 Supply the referenced IP address list by choosing VPN Client Local LAN (Default)
from the Split Tunneling Network List drop-down menu.
Figure: client on the 192.168.1.x local LAN with the tunnel established.
A local LAN network address list is required for the local LAN option. Use the Configuration >
Policy Management > Traffic Management > Network Lists window to configure the LAN
address. The address list pushed to the client is 0.0.0.0/0.0.0.0. This special entry directs the
client to take the network address and subnet mask of the LAN interface over which the VPN
connection is made as the local LAN address, and to route all packets addressed to that LAN in
clear text. The 0.0.0.0/0.0.0.0 network address list is referred to as the VPN Client Local LAN
(Default) list.
In the example in the figure, the client resides on the 192.168.1.0 network. Having received a
192.168.1.0/0.0.0.255 network list, the client routes all 192.168.1.0/24 traffic in clear text. All
other traffic is encrypted and sent down the tunnel.
Option 3: Split Tunneling
Figure: before split tunneling, all client traffic (including www.news.com) is encrypted through the tunnel; after split tunneling, www.news.com traffic is sent in clear text.
Split tunneling enables remote users to access Internet networks without requiring them to
tunnel through the corporate network. Before split tunneling is enabled, all traffic originating
from the client is encrypted and routed through the secure tunnel. This traffic includes both
secure and Internet browsing traffic. The secure traffic is terminated, while Internet traffic is
routed back out to the Internet. A large percentage of the corporate backbone bandwidth is used
for redirected web browsing traffic from remote users.
Split tunneling addresses the redirect issue, because split tunneling routes secure encrypted
traffic through the tunnel. Nonsecure traffic (for example, web browsing) is sent in the clear.
The ISP can route the traffic accordingly (for example, secure traffic goes to the corporate
network, and web browsing goes to the ISP).
An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth,
because Internet traffic does not have to pass through the VPN server. The disadvantage is that
the client host is reachable from the public, non-secure network at the same time as it holds a
tunnel into the corporate network; a compromised client can then serve as a path into the
corporate network that bypasses the perimeter.
The concentrator pushes specific IP addresses to the client to implement split tunneling. Traffic
bound for one of these addresses is encrypted and sent to the concentrator. If the IP address is
different from the pushed addresses, the message is sent in the clear and is routable by the ISP.
Step 1 Enable split tunneling by clicking the Only tunnel networks in the list radio button
within the Split Tunneling Policy row.
Step 2 Choose the appropriate list from the Split Tunneling Network List drop-down menu.
This menu presents a predefined list of secure network addresses.
Split Tunneling: Adding a Network List
Figure: traffic to the 10.0.1.0 network is tunneled; www.news.com and the local printer are reached in clear text.
The concentrator pushes specific IP addresses to the client. Traffic bound for one of these
addresses is encrypted and sent to the concentrator. These addresses are defined under
Configuration > Policy Management > Traffic Management > Network Lists. Assign a name for
the list in the List Name field, and supply the network and wildcard mask in the Network List
field. In the figure, the administrator wants to send clear text to the Internet and local printer.
The administrator also wants to send encrypted traffic to the headquarters (the 10.0.1.0/24
network). In the Network List field, the administrator defines a network list and configures the
private network IP address and wildcard mask (10.0.1.0/0.0.0.255). As a result, any traffic
bound for a host on the 10.0.1.0/24 network is encrypted and sent down the IPSec tunnel. All
other traffic is sent in plain text.
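As an added example (not Cisco code, and not part of the original lesson), the following Python models the three Split Tunneling Policy choices and the network-list matching described above: the concentrator's network/wildcard-mask notation (10.0.1.0/0.0.0.255), the special 0.0.0.0/0.0.0.0 entry of the VPN Client Local LAN (Default) list, and the user's option to disable local LAN access on an untrusted LAN. The interface subnet, the headquarters host, the printer address and the 203.0.113.10 address standing in for www.news.com are constructed for the example; the policy names are strings chosen here, not Cisco identifiers.

```python
import ipaddress

# Split Tunneling Policy radio buttons on the Groups > Client Config tab
# (names chosen for this example).
TUNNEL_EVERYTHING = "tunnel everything"
LOCAL_LAN_BYPASS = "allow the networks in the list to bypass the tunnel"
SPLIT_TUNNEL = "only tunnel networks in the list"

# Entry of the predefined "VPN Client Local LAN (Default)" network list.
LOCAL_LAN_DEFAULT = "0.0.0.0/0.0.0.0"


def wildcard_to_network(entry):
    """Convert a network-list entry written as 'network/wildcard mask'
    (for example '10.0.1.0/0.0.0.255') to an IPv4Network. The wildcard mask
    is the bitwise inverse of the subnet mask; a non-contiguous mask is
    rejected because it cannot be expressed as a single route."""
    net_str, wild_str = entry.split("/")
    wildcard = int(ipaddress.IPv4Address(wild_str))
    mask = ~wildcard & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if expected != mask:
        raise ValueError("non-contiguous wildcard mask in %r" % entry)
    return ipaddress.IPv4Network((net_str, prefix), strict=False)


def expand_network_list(entries, iface_network):
    """Resolve a pushed network list. The special 0.0.0.0/0.0.0.0 entry tells
    the client to substitute the subnet of the interface the tunnel was built
    on, which is how the default local LAN list works without knowing the LAN."""
    nets = []
    for entry in entries:
        if entry == LOCAL_LAN_DEFAULT:
            nets.append(iface_network)
        else:
            nets.append(wildcard_to_network(entry))
    return nets


def route_decision(dst, policy, network_list, iface_network, local_lan_allowed=True):
    """Return 'tunnel' or 'clear' for one destination address under a policy."""
    dst = ipaddress.IPv4Address(dst)
    if policy == TUNNEL_EVERYTHING:
        return "tunnel"
    nets = expand_network_list(network_list, iface_network)
    in_list = any(dst in net for net in nets)
    if policy == LOCAL_LAN_BYPASS:
        # The user may disable local LAN access on an untrusted LAN (hotel);
        # the client then behaves as if everything were tunnelled.
        if not local_lan_allowed:
            return "tunnel"
        return "clear" if in_list else "tunnel"
    if policy == SPLIT_TUNNEL:
        return "tunnel" if in_list else "clear"
    raise ValueError("unknown policy %r" % policy)


def demo():
    """Constructed scenario: client on 192.168.1.0/24, headquarters on
    10.0.1.0/24, and a TEST-NET-3 address standing in for www.news.com."""
    iface = ipaddress.IPv4Network("192.168.1.0/24")
    hq, printer, news = "10.0.1.7", "192.168.1.50", "203.0.113.10"
    dests = (hq, printer, news)
    return {
        "everything": {d: route_decision(d, TUNNEL_EVERYTHING, [], iface) for d in dests},
        "local_lan": {d: route_decision(d, LOCAL_LAN_BYPASS, [LOCAL_LAN_DEFAULT], iface)
                      for d in dests},
        "local_lan_hotel": {d: route_decision(d, LOCAL_LAN_BYPASS, [LOCAL_LAN_DEFAULT], iface,
                                              local_lan_allowed=False) for d in dests},
        "split": {d: route_decision(d, SPLIT_TUNNEL, ["10.0.1.0/0.0.0.255"], iface)
                  for d in dests},
    }


if __name__ == "__main__":
    for policy, decisions in demo().items():
        print(policy, decisions)
```

Running the script prints one line per policy; with the local LAN list the printer is reached in the clear and everything else is tunneled, while with the 10.0.1.0/0.0.0.255 list only headquarters traffic is tunneled. Note that the two list-based policies invert the meaning of a match, which is the point of Q11 in the self-check.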
Figure: split DNS. A query for www.cisco.com matches cisco.com and is tunneled to the corporate DNS server on the 10.0.1.0 network; a query for www.news.com does not match and is resolved in clear text by the ISP DNS server.
Split DNS lets an internal DNS server resolve a list of centrally defined local domain names,
while ISP-assigned DNS servers resolve all other DNS requests. Split DNS is used in split-
tunneling connections. The client decides whether a DNS query packet is to be sent in clear
text or is to be encrypted and sent down the tunnel. If the packet is encrypted and sent down the
tunnel, a corporate DNS server resolves the DNS query. Clear text DNS requests are resolved
by ISP-assigned DNS servers. In other words, the internal DNS server resolves the domain
names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests
that travel in the clear to the Internet.
The client receives a comma-delimited list of split-DNS names from the concentrator via mode
configuration. When the client receives a DNS query packet, the domain name is compared and
sequentially checked against the split-DNS names. A case-insensitive domain name comparison
starts at the end of each domain name string and continues toward the beginning of each string,
resulting in a match or no match. Query packets passing the comparison have their destination
IP address rewritten and tunneled using the primary DNS IP address configured on the
concentrator.
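The following Python is an added example, not code from the lesson or from the Cisco client, of the split-DNS decision just described: it parses the comma-delimited Split DNS Names field, reads the question name out of a DNS query packet, compares it case-insensitively from the end of the name, and either rewrites the destination to the corporate primary DNS server and tunnels the query or leaves it for the ISP resolver in the clear. The resolver addresses, the domain list and the query packets are constructed for the example; the label-boundary check in the comparison is a choice made here and is not a statement about how the Cisco client compares names.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed for the example: the primary DNS server pushed from the
# Groups > General tab and the resolver assigned by the ISP.
CORP_PRIMARY_DNS = "10.0.1.53"
ISP_DNS = "198.51.100.53"


def parse_split_dns_names(field: str) -> List[str]:
    """Parse the Split DNS Names field: comma-delimited, no spaces
    (for example 'cisco.com,corp.example'). Case and trailing dots are
    normalised so that later comparisons are exact."""
    return [n.strip().lower().rstrip(".") for n in field.split(",") if n.strip()]


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query packet (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)


def qname_from_query(pkt: bytes) -> str:
    """Read the first question name from a DNS packet. Question names are
    never compressed, so a compression pointer (top two bits set) there is
    treated as malformed rather than followed."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated question name")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def match_split_dns(qname: str, names: List[str]) -> Optional[str]:
    """Case-insensitive comparison from the end of the name toward the
    beginning. This example matches only on label boundaries, so that
    'evilcisco.com' does not match 'cisco.com'; that boundary check is a
    choice made here, not a description of the Cisco client's code."""
    q = qname.lower().rstrip(".")
    for name in names:
        if q == name or q.endswith("." + name):
            return name
    return None


def route_dns_query(pkt: bytes, names: List[str]) -> Tuple[str, str]:
    """Return (destination resolver, 'tunnel' or 'clear') for one query.
    A match rewrites the destination to the corporate primary DNS server and
    sends the query through the tunnel; anything else goes to the ISP in the clear."""
    if match_split_dns(qname_from_query(pkt), names) is not None:
        return CORP_PRIMARY_DNS, "tunnel"
    return ISP_DNS, "clear"


def demo() -> Dict[str, Tuple[str, str]]:
    names = parse_split_dns_names("cisco.com,corp.example")
    queries = ("www.cisco.com", "WWW.CISCO.COM.", "www.news.com", "evilcisco.com")
    return {q: route_dns_query(build_dns_query(q), names) for q in queries}


if __name__ == "__main__":
    for qname, (server, path) in demo().items():
        print("%-16s -> %s (%s)" % (qname, server, path))
```

The packet parser rejects compression pointers and truncated labels instead of following them, since the client is looking at untrusted packets from any application on the host; a split-DNS implementation that trusted the packet layout would be an easy place to confuse into sending a corporate query to the ISP resolver.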
Split DNS Server Configuration
Figure: the corporate DNS server on the 10.0.1.0 network resolves www.cisco.com through the tunnel; the ISP DNS server resolves www.news.com in clear text.
In the figure, the corporate DNS server resolves all cisco.com DNS name requests, and the
ISP-assigned DNS server resolves all clear text DNS requests. Once split tunneling is
configured, configuring split DNS is a two-step process:
Step 1 Enter the domain names that the corporate DNS servers should resolve (for
example, cisco.com) in the Split DNS Names field of the Configuration > User
Management > Groups > Client Config tab window. Separate multiple entries with
commas, without spaces.
Step 2 Define the primary and secondary DNS server IP addresses in the Configuration >
User Management > Groups > General tab window. These servers resolve the DNS
queries that are sent through the tunnel.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Pre-shared keys are to device authentication as _________ and ______are to user
authentication. (Source: Pre-shared Keys)
Q2) Give two reasons why Cisco concentrators use less secure group pre-shared keys rather
than the more secure unique pre-shared keys. (Source: Pre-shared Keys)
______________________________________________________________________
Q3) By default, a user not assigned to a group is part of the base group. (Source: User and
Group Authentication)
A) True
B) False
Q4) Only when specific rights need to be granted to users, are groups needed. (Source: User
and Group Authentication)
A) True
B) False
Q5) All external authentication servers return group and user parameters to match those on
the concentrator. (Source: User and Group Authentication)
A) True
B) False
Q6) If you need to configure more than 250 groups and users on a Cisco VPN 3020
concentrator, an external authentication server is needed. (Source: User and Group
Authentication)
A) True
B) False
Q7) Parameters are authenticated in the same order in which they are configured. (Source:
User and Group Authentication)
A) True
B) False
Q8) Explain why the concentrator needs to know which type of client is negotiating an IKE
proposal. (Source: Activating Client Authentication)
______________________________________________________________________
______________________________________________________________________
2 Override inherited group parameters as you configure groups and users: Configuration > User Management > Base Group > (tab?) (Checkbox)
3 Select authorization method for members of a group: Configuration > User Management > Base Group > (tab?) (Checkbox)
4 Modify the individual parameters of the IKE proposal or template: Configuration > User Management > Base Group > (tab?)
5 Enter the pre-shared secret: Configuration > User Management > Base Group > (tab?)
6 Enable the IKE Keepalive feature: Configuration > System > Address Management
7 Configure the virtual IP address for mode configuration: Configuration > User Management > Base Group > (tab?) > (checkbox?)
Q10) What are the three choices to be considered when configuring split tunneling, and
which is the default? (Source: Configuring Client Split Tunneling Policy)
Q11) When split tunneling is configured, does the concentrator tell the client what addresses
will be tunneled or does it tell the client what addresses will not be tunneled? (Source:
Configuring Client Split Tunneling Policy)
Lesson Self-Check Answer Key
Q1) RADIUS and TACACS+
Q2) A) Since the majority of ISPs use dynamically assigned IP addresses, it is impractical for remote
VPNs; and
B) Assigning users to groups makes the process of managing pre-shared keys much easier.
Q3) A
Q4) A
Q5) B
Q6) A
Q7) B
Q8) The IKE proposal on the concentrator must match the requirements of the client. For example, under Cisco
VPN Client 2.5, Xauth was completed after IKE phase 1. With Cisco VPN Client 3.5 and newer, Xauth is
performed during IKE phase 1.
Q9) This table shows the correct matches with additional information.
1 Prevent users from selecting passwords with alphabetic characters only: 4, Configuration > User Management > Base Group > General > Allow Alphabetic-Only Passwords
2 Override inherited group parameters as you configure groups and users: 5, Configuration > User Management > Base Group > General
3 Select authorization method for members of a group: 3, Configuration > User Management > Base Group > IPSec > Authorization Type
4 Modify the individual parameters of the IKE proposal or template: 2, Configuration > System > Tunneling Protocols > IPSec > IKE Proposals > Modify
5 Enter the pre-shared secret: 6, Configuration > User Management > Base Group > IPSec > Default Pre-shared Key
6 Enable the IKE Keepalive feature: 7, Configuration > User Management > Base Group > IPSec > IKE Keepalives
7 Configure the virtual IP address for mode configuration: 1, Configuration > System > Address Management
Q10) Tunnel everything, tunnel everything except local LAN traffic, split tunneling. The default is to tunnel
everything.
Q11) When split tunneling has been configured, the concentrator pushes specific IP addresses to the client to
implement split tunneling. Traffic bound for one of these addresses is encrypted and sent to the
concentrator. If the IP address is different from the pushed addresses, the message is sent in the clear and is
routable by the ISP.
Overview
This lesson explains how to configure the Cisco VPN Software Client for Windows Release
4.6.
Objectives
Upon completing this lesson, you will be able to configure the Cisco VPN Software Client for
Microsoft Windows. This ability includes being able to meet these objectives.
Describe the features of the Cisco VPN Software Client for Windows
Describe the main VPN Client window and the tools, tabs, menus and icons for navigating
the user interface in the Simple Mode and Advanced Mode
Describe the functions available from the Advanced Mode menus
Describe the right-click tab menus from the Connection Entries tab, the Certificates tab,
and the Log tab for frequently performed operations
Describe the process required to create a new connection
Describe the remote-user preconfiguration process
Describe additional programs available from the Microsoft Windows Start menu
Describe the session monitoring features of the VPN 3000 Series concentrator
The VPN Software Client for Windows
This topic describes the features of the Cisco VPN Software Client for Windows.
The Cisco VPN Software Client for Windows (referred to in this lesson as VPN Client) runs on
a Windows-based PC. On a remote PC, the VPN Client creates a secure connection over the
Internet. Through this connection, you can access a private network through a virtual private
network (VPN). The server verifies that incoming connections have up-to-date policies in place
before establishing the connection. Cisco IOS routers, Cisco VPN 3000 Series concentrators,
and Cisco PIX Security Appliance central-site servers can all terminate VPN connections from
VPN Clients.
The following VPN Client applications can be selected from the Programs menu:
Help: This application displays an online manual with instructions on using the
applications.
SetMTU: This application lets you manually change the size of the maximum transmission
unit (MTU). (See VPN Client Administrator Guide, Chapter 6.)
VPN Client: This application lets you configure connections to a VPN server, start
connections, enroll for certificates to authenticate connections to VPN servers, and display
events from the log.
Uninstall VPN Client: This application lets you safely remove the VPN Client software
from your system and retain your connection and certificate configurations.
Note You can install the VPN Client through either the InstallShield wizard or the Microsoft
Installer. If you install the VPN Client through the Microsoft Installer, the Programs menu
shown in the figure does not contain the Uninstall application.
How the VPN Client Works
The VPN Client works with a Cisco VPN server to create a secure connection, called a tunnel,
between your computer and the private network. The VPN Client uses Internet Key Exchange
(IKE) and IPSec tunneling protocols to make and manage secure connections. Some of the
steps include:
Step 1 Negotiate tunnel parameters such as addresses, algorithms, lifetime, and so on.
Step 2 Establish tunnels according to the parameters.
Step 3 Authenticate users via usernames, group names and passwords, and X.509 digital
certificates to make sure users are who they say they are.
Step 4 Establish user access rights such as hours of access, connection time, allowed
destinations, allowed protocols, and so on.
For example, to use a remote PC to read e-mail at your organization, you connect to the
Internet, then start the VPN Client and establish a secure connection through the Internet to the
organization private network. When you open your e-mail, the Cisco VPN server uses IPSec to
encrypt the e-mail message. The VPN server then transmits the message through the tunnel to
your VPN Client, which decrypts the message so you can read it on your remote PC. If you
reply to the e-mail message, the VPN Client uses IPSec to process and return the message
through the private network to the Cisco VPN server.
The figure shows the VPN Client window. This window allows you to do the following:
Enable accessibility options
Choose a run mode (Simple or Advanced)
Use toolbar action buttons
Use main tab menus
Use advanced mode menus
Use right-click menus
Get help
Run Modes: Simple or Advanced
You can run the Cisco VPN Client in Simple Mode or in Advanced Mode. The default is
Advanced Mode, although your network administrator might have configured simple mode as
the default.
Use simple mode if you only want to start the Cisco VPN Client application and connect to a
VPN device using the default connection entry.
You can toggle between Advanced Mode and Simple Mode by pressing Ctrl-M. Alternatively,
you can choose your mode from the Options menu.
The figure shows the VPN Client window and the primary navigation areas. The navigation
areas are as follows:
1. VPN Client version information.
2. Menu bar.
3. Toolbar action buttons. The buttons that are available depend on which tab is forward.
Using the Advanced Mode Menus
This topic describes the functions available from the Advanced Mode menus.
Use the Connection Entries menu as a shortcut to frequently used connection entry operations.
The following submenus and options are available:
Connect to: Connects to a VPN device using the selected connection entry. If the
Connections tab is not selected, a submenu, which lists all available connection entries, is
displayed.
Disconnect: Disconnects your current VPN session.
Create Shortcut: Creates a shortcut on your desktop for the current connection entry.
Modify: Allows you to edit the current connection entry.
Delete: Allows you to delete the current connection entry.
Duplicate: Allows you to duplicate the selected connection entry. This menu choice lets
you create a new connection entry using the configuration from a current connection entry
as a template.
Set as Default Connection Entry: Makes the current connection entry the default.
New: Creates a new connection entry.
Import: Brings in a new connection entry profile from a file.
Exit VPN Client: Closes the Cisco VPN Client application.
Use the Status menu to display routes and notifications and to reset the statistics display. The
following commands are available:
Statistics: Allows you to view tunnel details, route details, and firewall information for the
current VPN session.
Notifications: Allows you to view notices from the VPN device to which you are currently
connected.
Reset Stats: Allows you to clear the statistics from the statistics displays and start over.
Advanced Mode Certificates Menu
Use the Certificates menu to enroll and manage certificates. The following submenus and
options are available:
View: Allows you to view the properties of the selected certificate
Import: Allows you to import a certificate file from a specified file location
Export: Allows you to export the selected certificate to a specified file location
Enroll: Allows you to enroll with a Certificate Authority (CA) to obtain a certificate
Verify: Verifies that a certificate is still valid
Delete: Removes the selected certificate
Change Certificate Password: Allows you to change the password that protects the
selected certificate in the Cisco VPN Client certificate store
Retry Certificate Enrollment: Allows you to retry a previously attempted certificate
enrollment
Show CA/RA Certificates: Displays digital certificates issued by either a CA or a
Registration Authority (RA)
Use the Log menu to manage the log. The following submenus and options are available:
Enable or Disable: Clicking enable starts collecting events; clicking disable stops
collecting events.
Clear: Erases the events displayed on the log tab (and log window).
Log Settings: Allows you to change the logging levels of event classes.
Log Window: Displays a separate window that shows events. From this window, you can
save the display, edit logging levels by event class, and clear both log displays. This
window shows more events than the display area of the main advanced mode window.
Search Log: Displays a dialog box where you enter the exact string to be matched. The
search string is not case sensitive, and wild cards are not supported. Matched instances are
highlighted on the log tab, not the log window.
Save: Stores the current log in a specified log file.
Advanced Mode Options Menu
Use the Options menu to perform actions such as launching an application. The following
submenus and options are available:
Application Launcher: Allows you to start an application before connecting to a VPN
device.
Windows Logon Properties: Allows you to control logon features for the Windows NT
platform. The following logon features are available:
Ability to start a connection before logging on to a Windows NT system
Permission to launch a third-party application before logging on to a Windows NT
system
Control of autodisconnect behavior when logging off
Stateful Firewall (Always On): Enables and disables the internal stateful firewall.
Simple Mode: Switches to simple mode.
Preferences: Allows you to set the following features:
Save window settings: Saves any changes you make to the Cisco VPN Client
window
Hide upon connect: Places the Cisco VPN Client window in the dock when the
VPN connection is established
Enable tool tips: Enables tool tips for the toolbar action buttons
The figure shows the right-click menu options available when a connection entry is highlighted
on the Connection Entries tab display. The menu options are as follows:
Connect: Uses the selected connection entry to connect to a VPN device.
Disconnect: Ends the current VPN session.
Duplicate: Makes a copy of the selected connection entry. This action allows you to create
a new connection entry using the configuration from a current connection entry as a
template.
Delete: Erases the selected connection entry.
Create Shortcut: Places a link to the connection entry on your desktop.
Modify: Allows you to edit the properties of the current connection entry (for example, its
name, host name, and so on).
Erase Saved User Password: Deletes the user password that is saved on the VPN Client
workstation and forces the VPN Client to prompt you for a password each time you
establish a connection.
Set as Default Connection Entry: Uses the selected connection entry as the default.
Certificates TabRight Click Menu
The figure shows the right-click menu options available when the Certificates tab is forward
and a certificate entry is highlighted. The menu options are as follows:
View: Allows you to view the properties of the selected certificate.
Export: Allows you to send the selected certificate to a specified file location.
Verify: Verifies that the selected certificate is valid.
Delete: Erases the selected certificate.
Change Certificate Password: Allows you to update the password that protects the
certificate in the VPN Client certificate store.
Retry Certificate Enrollment: Allows you to try a previous certificate enrollment again.
The figure shows the right-click menu options available when the Log tab is forward. The
menu options are as follows:
Copy: Copies the selected log text to the clipboard; the log itself is left unchanged.
Select All: Selects the entire contents of the log file, usually in preparation for another
operation.
Creating a New Connection
This topic describes the process required to create a new connection.
Figure callout: concentrator authentication (group credentials); the end user never sees this after initial configuration.
To use the VPN Client, you must create at least one connection entry that identifies the
following information:
The VPN device: The remote server to access.
Preshared keys: The IPSec group to which the system administrator assigned you. Your
group determines how you access and use the remote network. For example, your group
specifies access hours, number of simultaneous logins, user authentication method, and the
IPSec algorithms that your VPN Client uses.
Certificates: The name of the certificate that you are using for authentication.
Optional parameters: Parameters that govern VPN Client operation and connection to the
remote network.
You can create multiple connection entries if you use your VPN Client to connect to multiple
networks (not simultaneously) or if you belong to more than one VPN remote access group.
Clicking New from the toolbar or the Connection Entries menu displays the Create New VPN
Connection Entry window. The following parameters must be entered:
Connection Entry: Use a unique name to identify this connection (for example,
Engineering). The name can contain spaces, and it is not case sensitive.
Description: This field is optional, but it helps further identify this connection (for
example, Connection to Engineering remote server).
Host: You must provide the host name or IP address of the remote VPN device you want to
access.
For certificates to be exchanged, the Certificate radio button must be clicked. In the Name
drop-down menu, any personal certificates loaded on your PC are listed. Choose the certificate
to be exchanged with the Concentrator during connection establishment. If no personal
certificates are loaded in your PC, the drop-down menu is blank. Clicking the Validate
Certificate button checks the validity of the Software Client certificate.
Creating a New Connection: Transport
Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure
gateway through a router that is acting as a firewall, and that may also be performing Network
Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling
encapsulates Protocol 50 Encapsulating Security Payload (ESP) traffic within User Datagram
Protocol (UDP) packets and can allow for both IKE (UDP 500) and Protocol 50 traffic to be
encapsulated in TCP packets before it is sent through the NAT or PAT devices or firewalls. The
most common application for transparent tunneling is behind a home router performing PAT.
The central-site group in the Cisco VPN device must be configured to support transparent
tunneling. This parameter is enabled by default. Disable this parameter by unchecking the
check box under the Transport tab. It is recommended that you always keep this parameter
selected. Not all devices support multiple simultaneous connections behind them. Some cannot
map additional sessions to unique source ports. Be sure to check with the vendor of your device
to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) PAT (IPSec
pass-through), which might let you operate without enabling transparent tunneling.
You must choose a mode of transparent tunneling, over UDP or over TCP. The mode you use
must match that used by the secure gateway to which you are connecting. Either mode operates
properly through a PAT device. Multiple simultaneous connections might work better with
TCP. If you are in an extranet environment, then in general, TCP mode is preferable. UDP does
not operate with stateful firewalls; in that case, you should use TCP.
This screen is found via Status > Statistics > Route Details.
In a configuration of multiple network interface cards, local LAN access pertains only to
network traffic on the interface on which the tunnel was established. The Allow Local LAN
Access parameter gives you access to the resources on your local LAN (printer, fax, shared
files, and other systems) when you are connected through a secure gateway to a central-site
VPN device. When this parameter is enabled and when your central site is configured to permit
it, you can access local resources while you are connected. When this parameter is disabled, all
traffic from your Cisco VPN Client system goes through the IPSec connection to the secure
gateway.
To enable this feature, check the Allow Local LAN Access check box; to disable this feature,
uncheck the check box. If the local LAN you are using is not secure, you should disable this
feature. For example, you would disable this feature when you are using a local LAN in a hotel
or airport.
A network administrator at the central site configures a list of networks at the VPN Client side
that you can access. You can access up to ten networks when this feature is enabled. When
local LAN access is allowed and you are connected to a central site, all traffic from your
system goes through the IPSec tunnel except traffic to the networks excluded from doing so (in
the network list).
When this feature is enabled and configured on the Cisco VPN Client and permitted on the
central-site VPN device, you can see a list of the local LANs available by looking at the Routes
table.
Adjusting the Peer Response Timeout
Value
The Cisco VPN Client uses a keepalive mechanism called dead peer detection (DPD) to check
the availability of the VPN device on the other side of an IPSec tunnel. If the network is
unusually busy or unreliable, you might need to increase the number of seconds to wait before
the Cisco VPN Client decides that the peer is no longer active. The default number of seconds
to wait before terminating a connection is 90 seconds. The minimum number you can configure
is 30 seconds, and the maximum is 480 seconds.
Adjust the setting by entering the number of seconds in the Peer response timeout field. The
Cisco VPN Client continues to send DPD requests every 5 seconds until it reaches the number
of seconds specified by the peer response timeout value.
The private network may include one or more backup VPN servers to use if the primary server
is not available. Your system administrator tells you whether to enable backup servers.
Information on backup servers can download automatically from the Cisco VPN 3000 Series
concentrator, or you can manually enter this information.
Creating a New Connection: Dial-Up
You can enable and configure a connection to the Internet through dial-up networking by
checking the Connect to Internet via dial-up check box. This feature is not selected by default.
You can connect to the Internet using the Cisco VPN Client application in either of the
following ways:
Microsoft Dial-Up Networking (DUN): If you have DUN phonebook entries and have
enabled the Connect to Internet via dial-up feature, Microsoft DUN is enabled by default.
To link your Cisco VPN Client connection entry to a DUN entry, click the Phonebook
Entry drop-down arrow and choose an entry from the menu. The Cisco VPN Client then
uses this DUN entry to dial automatically into the Microsoft network before making the
VPN connection to the private network.
Third-party dial-up program: If you have no DUN phonebook entries and have enabled
the Connect to Internet via dial-up feature, then the third-party dial-up application is
enabled by default. Click the Browse button to enter the name of the program in the
Application field. This application launches the connection to the Internet. The string you
choose or enter in this field is the path name to the command that starts the application and
the name of the command; for example: c:\isp\ispdialer.exe dialEngineering. Your network
administrator might have set this up for you.
(Figure: the three preconfiguration files, oem.ini, vpnclient.ini, and .pcf, distributed alongside the client software.)
An administrator can preconfigure Cisco VPN Software Clients. A folder is placed
on the remote user PC. Inside the folder is a copy of the Cisco VPN Client software plus three
additional files:
oem.ini: Installs the client without user intervention.
vpnclient.ini: A global profile that you use to set certain standards for all profiles. If this
file is bundled with the client software, it automatically configures the client global
parameters when it is first installed.
.pcf: Creates connection entries within the dialer application. If this file is bundled with the
client software, it automatically configures the Cisco VPN Client connection parameters
when it is first installed. There is one user profile for each .pcf file.
The administrator creates these files using a text editor and places them in the local file system
of the remote user. The files must be located in the same folder as the client setup.exe file.
Note The easiest way to create a profile for the Windows platforms is to run the Cisco VPN Client
and use the Cisco VPN Client GUI to configure the parameters. When you have created a
profile in this way, you can copy the .pcf file to a distribution disk for your remote users. This
approach eliminates errors you might introduce by typing the parameters, and the group
password is automatically converted to an encrypted format.
.pcf File
The .pcf file contains all the client configuration parameters. Profiles are created in two ways:
The remote user creates connection entries via the new connection wizard. The output of
the new connection wizard is a .pcf file.
The administrator creates .pcf files using a text editor and places them in the local file
system of the remote user: the C:\Program Files\Cisco Systems\VPN Client\Profiles
directory.
Each connection has its own .pcf file that can be viewed and edited in Notepad. If this file is
bundled with the client software, the installer automatically configures the client when the
client is first installed.
To make a parameter read-only so that the client user cannot change it within the GUI, put an
exclamation mark (!) before the parameter name.
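An added example, not Cisco's code, that reads a .pcf profile and checks it against the settings this lesson describes: transparent tunneling kept on, the peer response timeout inside its 30-480 second range, local LAN access, clear-text group passwords, and whether the security-relevant keys carry the ! read-only marker. The key names EnableNat, PeerTimeout, EnableLocalLAN, GroupPwd and enc_GroupPwd are assumed from the Cisco VPN Client profile format, and the profile text is constructed for the example.

```python
"""Audit a Cisco VPN Client .pcf profile against the settings described above.

Added example, not Cisco's code. The key names EnableNat, PeerTimeout,
EnableLocalLAN, GroupPwd and enc_GroupPwd are assumed from the Cisco VPN
Client profile format; the profile text below is constructed for this example.
"""
import configparser
from dataclasses import dataclass, field

PEER_TIMEOUT_MIN, PEER_TIMEOUT_MAX = 30, 480   # seconds, the range given in the text
LOCK_RECOMMENDED = ("EnableNat", "PeerTimeout", "EnableLocalLAN")

# Constructed sample profile. A '!' before a key makes it read-only in the GUI.
SAMPLE_PCF = """\
[main]
Description=Corporate remote access (constructed sample)
Host=vpn.example.com
AuthType=1
GroupName=Training
GroupPwd=cleartext-group-secret
!EnableNat=1
!PeerTimeout=600
EnableLocalLAN=1
"""


@dataclass
class Profile:
    values: dict = field(default_factory=dict)   # key (without '!') -> value
    locked: set = field(default_factory=set)     # keys that carried the '!' prefix


def parse_pcf(text: str) -> Profile:
    """Parse the [main] section, separating the '!' read-only marker from each key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case, e.g. EnableNat
    cp.read_string(text)
    prof = Profile()
    for raw_key, value in cp["main"].items():
        key = raw_key.lstrip("!")
        if raw_key.startswith("!"):
            prof.locked.add(key)
        prof.values[key] = value.strip()
    return prof


def audit_profile(prof: Profile) -> list[str]:
    """Return one finding per setting that departs from the guidance in the text."""
    v, findings = prof.values, []
    if v.get("GroupPwd"):
        findings.append("GroupPwd: group password stored in clear text; let the "
                        "client GUI convert it to enc_GroupPwd instead")
    if v.get("EnableNat") != "1":
        findings.append("EnableNat: transparent tunneling disabled; keep it enabled")
    timeout = v.get("PeerTimeout")
    if timeout is not None and not (
            timeout.isdigit() and PEER_TIMEOUT_MIN <= int(timeout) <= PEER_TIMEOUT_MAX):
        findings.append(f"PeerTimeout: {timeout} is outside "
                        f"{PEER_TIMEOUT_MIN}-{PEER_TIMEOUT_MAX} seconds")
    if v.get("EnableLocalLAN") == "1":
        findings.append("EnableLocalLAN: local LAN access enabled; disable it on "
                        "untrusted LANs such as a hotel or airport")
    for key in LOCK_RECOMMENDED:
        if key in v and key not in prof.locked:
            findings.append(f"{key}: user-changeable; prefix it with '!' to make it read-only")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_pcf(SAMPLE_PCF)):
        print(finding)
```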
(Figure: an oem.ini file with callouts for the name of the destination folder and for the flag that identifies whether or not to restart the system after the silent installation.)
The oem.ini file installs the client without user intervention. The administrator can create an
oem.ini file in Notepad. For Silent Mode, enter 0 or 1:
1: Activates silent installation (do not prompt user)
0: Prompts the user during installation
After the oem.ini file is created, identify the path name and folder to contain the client software.
The default path name to the Cisco VPN Client software is
C:\Program Files\Cisco Systems\VPN Client.
To reboot the system after installation, enter 1 or 2 after Reboot. Depending on the number, the
following will occur:
If silent mode is on (1) and reboot is 1, the system automatically reboots after installation.
If silent mode is on (1) and reboot is 2, the system does not reboot after the installation.
VPN Software Client Programs
This topic describes additional programs available from the Microsoft Windows Start menu.
Some of these are packaged with the Cisco VPN Client and some are packaged with Microsoft
Windows 2000 and Microsoft Windows XP.
After the client has been installed, the client program menu is accessed by choosing Start >
Programs > Cisco Systems VPN Client. Under the Cisco Systems VPN Client menu, a number
of options are available:
Help: Accesses client help text. Help is also available by doing the following:
Pressing F1 at any window while using the Cisco VPN Client.
Clicking the Help button on windows that display it.
Clicking the logo in the title bar.
Set MTU: The client automatically sets the MTU size to approximately 1420 bytes. For
specific applications, Set MTU can change the MTU size to fit a specific scenario.
Uninstall Software Client: Only one client can be loaded at a time. When you are
upgrading, you must uninstall the old client before installing the new client. Choose this
option to remove the old client.
The Set MTU option is used primarily for troubleshooting connectivity problems. For specific
applications where fragmentation is still an issue, Set MTU can change the MTU size to fit the
specific scenario. The Cisco VPN Client automatically adjusts the MTU size to suit your
environment; therefore, running this application should not be necessary.
The MTU parameter determines the largest packet size in bytes that the client application can
transmit through the network. If the MTU size is too large, the packets may not reach their
destination. Adjusting the size of the MTU affects all applications that use the network adapter.
Therefore, the MTU setting you use can affect the performance of your PC on the network.
MTU sizing affects fragmentation of IPSec and IPSec through NAT mode packets to your
connection destination. A large size (for example, more than 1300) can increase fragmentation.
Using a size of 1300 or smaller usually prevents fragmentation. Fragmentation and reassembly
of packets at the destination causes slower tunnel performance. Also, many firewalls do not let
fragments through.
To implement a different MTU size, choose the network adapter in the Network Adapters
(IPSec only) field. In the example in the figure, Dial-up Networking is selected. In the MTU
Options group box, set the MTU option size by clicking the appropriate radio button. You must
reboot for MTU changes to take effect.
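A worked calculation, added here as an example and not taken from the course, of why the 1420-byte client default usually fits and why 1300 is the conservative choice: it adds the tunnel-mode ESP header, 3DES-CBC padding, HMAC-SHA1-96 trailer and NAT-T UDP overhead to an inner packet and compares the result with the path MTU. The header sizes are the standard IPSec ones; the path MTU values in main() are assumed.

```python
"""Tunnel-mode ESP overhead, to see when a client MTU causes fragmentation.

Added example, not Cisco's code. Header sizes are the standard ones for ESP
tunnel mode with 3DES-CBC and HMAC-SHA1-96 plus NAT-T UDP encapsulation;
the path MTU values used in main() are assumed.
"""
OUTER_IP = 20       # outer IPv4 header added in tunnel mode
NAT_T_UDP = 8       # UDP header when ESP rides in UDP (transparent tunneling)
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_IV = 8          # 3DES-CBC initialisation vector
ESP_TRAILER = 2     # pad length (1) + next header (1)
ESP_ICV = 12        # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 8    # 3DES block size: payload + trailer is padded to a multiple of it


def esp_packet_size(inner_len: int, nat_t: bool = True) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes after encapsulation."""
    padding = (-(inner_len + ESP_TRAILER)) % CIPHER_BLOCK
    size = (OUTER_IP + ESP_HEADER + ESP_IV + inner_len + padding
            + ESP_TRAILER + ESP_ICV)
    return size + NAT_T_UDP if nat_t else size


def will_fragment(client_mtu: int, path_mtu: int, nat_t: bool = True) -> bool:
    """True when a full-size packet from the client exceeds the path MTU once encapsulated."""
    return esp_packet_size(client_mtu, nat_t) > path_mtu


def largest_safe_client_mtu(path_mtu: int, nat_t: bool = True) -> int:
    """Largest client MTU whose encapsulated packets still fit the path MTU."""
    mtu = path_mtu
    while mtu > 0 and esp_packet_size(mtu, nat_t) > path_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for path_mtu in (1500, 1400):          # assumed path MTUs: plain Ethernet, a constrained path
        for client_mtu in (1420, 1300):    # the client default and the conservative value
            print(f"path {path_mtu}, client {client_mtu}: "
                  f"{esp_packet_size(client_mtu)} bytes on the wire, "
                  f"fragments={will_fragment(client_mtu, path_mtu)}")
        print(f"path {path_mtu}: largest safe client MTU = {largest_safe_client_mtu(path_mtu)}")
```

At the 1420 default a full-size packet comes to 1480 bytes on the wire and still fits a 1500-byte path; the 1300 recommendation buys margin for paths with a smaller MTU, where 1420 fragments.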
Virtual Adapter
A virtual adapter is a software-only driver that acts as a valid interface in the system. The
purpose of a virtual adapter is to solve protocol incompatibility problems. The virtual adapter
appears in the network properties list just like a physical network adapter and displays all the
information you would usually find under any other network adapter that is installed. It is
available on Windows 2000 and XP only.
The VPN 3000 Series concentrator tracks many statistics and the status of many items essential
to system administration and management. Use the VPN Concentrator Series Manager
Monitoring windows to view all those status items and statistics. You can view the state of
LEDs that show the status of hardware subsystems in the device and the statistics that are
stored and available in standard MIB-II data objects.
The figure shows comprehensive data for all active user and administrator sessions on the VPN
3000 Series concentrator. It has four topics:
Session Summary: This topic gives you an overview of all the sessions as well as total
active, peak concurrent, and total concurrent sessions.
LAN-to-LAN Sessions: This topic displays individual LAN-to-LAN sessions. In the
figure, there are currently no LAN-to-LAN sessions.
Remote Access Sessions: This topic displays statistics on all the remote access sessions. In
the figure, there is currently one active session. The username is student1, and it belongs to
the Training group. The virtual IP address assigned is 10.0.1.70, and the tunneling protocol
is IPSec, using Triple-Data Encryption Standard (3DES) for encryption.
Management Sessions: This topic displays information on all the current management
users. In the figure, the IP address of the admin user is 10.0.1.70.
Viewing Connected Clients: Status Details
The Monitoring > Sessions window displays basic information about an individual session.
However, more in-depth statistics may be required. By double-clicking the remote access
username, the administrator can access session details. Session details provide specific IKE and
IPSec session information and bandwidth statistics. They also provide a breakdown of the
authentication modes, encryption and hash algorithms, Diffie-Hellman (DH) groups, and rekey
intervals for both the IKE and IPSec sessions.
These Manager screens show detailed parameters and statistics for a specific remote-access or
LAN-to-LAN session. The parameters and statistics differ depending on the session protocol.
There are unique screens for the following:
IPSec LAN-to-LAN (IPSec/LAN-to-LAN)
IPSec remote access (IPSec User)
IPSec through UDP (IPSec/UDP)
IPSec through TCP (IPSec/TCP)
Layer 2 Transport Protocol (L2TP)
L2TP over IPSec (L2TP/IPSec)
Point to Point Tunneling Protocol (PPTP)
The Manager displays the appropriate screen when you click a highlighted connection name or
username on the Monitoring > Sessions screen. The figure shows an example of one kind of
detail screen. Depending on the type of connection you select, your detail screen might look
somewhat different from the example shown. But each session detail screen shows three
tables: summary data, bandwidth management information, and detail data. The summary data
echoes the session data from the Monitoring > Sessions screen. The Bandwidth Statistics table
shows information about the effect of policing on that session. The session detail table shows
all the relevant parameters for each session and subsession.
Summary
The VPN Client for Windows works with the VPN server to
establish secure connections.
The VPN Client user interface provides a Simple Mode and an
Advanced Mode for establishing a VPN connection. New
connections are established through the interface.
The Advanced Mode menus allow several configuration options.
The Advanced Mode right-click menus provide shortcuts for
frequently performed configuration operations.
Administrators can preconfigure software client parameters.
Other VPN Client programs allow you to modify configurations,
set the MTU size, and uninstall without losing the connection or
configured parameters.
Windows includes a virtual adapter.
Client sessions can be monitored from the VPN 3000 Series
concentrator.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Which two of the following tasks can be completed using the Simple mode to run the
Cisco VPN Client? (Choose two.) (Source: The Software Client for Windows)
A) manage the Cisco VPN Client
B) configure connection entries
C) start the Cisco VPN Client application
D) connect to a VPN device using the default connection entry
E) enroll for and manage certificates
Q2) What does the Allow Local LAN Access parameter provide? (Source: Creating a New
Connection)
______________________________________________________________________
______________________________________________________________________
Q3) Which of the following three preconfiguration files contains the information that will
install the Cisco VPN Software Client without user intervention? (Source: Preconfigure
Client for Remote Users)
A) oem.ini
B) vpnclient.ini
C) .pcf
Q4) How can you make a parameter read-only so that the Cisco VPN Software Client user
cannot change it within the GUI? (Source: Preconfigure Client for Remote Users)
______________________________________________________________________
Lesson Self-Check Answer Key
Q2) The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer,
fax, shared files, and other systems) when you are connected through a secure gateway to a central-site
VPN device. When this parameter is enabled and when your central site is configured to permit it, you can
access local resources while you are connected.
Q3) A
Module Summary
This topic summarizes the key points discussed in this module.
This module described how to use Cisco technologies and products to establish IPSec VPNs for
site-to-site, remote-access, and firewall VPNs.
References
For additional information, refer to these resources:
Cisco Systems Inc. VPN 3000 Series Concentrator Getting Started, Release 4.1.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00801f0e16.html
Cisco Systems Inc. VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.1.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00801f1c6d.html
Cisco Systems Inc. VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.1.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_administration_guide_book09186a00801f1eb9.html
Cisco Systems Inc. VPN Client User Guide for Windows, Release 4.6.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_book09186a008031f122.html
Securing Cisco
Network Devices
Version 1.0
Lab Guide
Copyright 2005, Cisco Systems, Inc. All rights reserved.
Overview
This guide presents the instructions and other information concerning the activities for this
course. You can find the solutions in the activity Answer Key.
Outline
This guide includes these activities:
Lab 1-1: Discovering Network Vulnerabilities and Threats
Lab 2-1: Securing Cisco Router Administrative Access
Lab 2-2: Configuring AAA for Cisco Routers
Lab 2-3: Configuring Cisco Secure ACS for Windows Server
Lab 2-4: Disabling Unused Cisco Router Network Services and Interfaces
Lab 3-1: Configuring the PIX Security Appliance with the PDM
Lab 4-1: Completing Basic Sensor Configuration with the Cisco IDS Device Manager
Lab 5-1: Configuring a Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-
shared Keys
Lab 5-2: Configuring the Cisco VPN 3000 Series Concentrator using the Cisco VPN
Software Client for Windows
Lab 1-1: Discovering Network Vulnerabilities and Threats
Activity Objective
In this activity you will discover vulnerabilities that open networks to attacks. After completing
this activity, you will be able to meet these objectives:
Port scan a host using a command-line utility (Netcat)
Scan a network with Blues Port Scanner, a vulnerability scanner, to discover network
services and vulnerabilities
Analyze network traffic with Ethereal
Scan a host using Microsoft Baseline Security Analyzer
Visual Objective
The figure illustrates the network topology you will use in this lab exercise.
This topology represents a typical enterprise network with a demilitarized zone (DMZ). You
will enter the network from your student PC (10.0.P.11), which will have a number of
management applications and clients in its image.
You will enter the network through a PIX Security Appliance and have access to the perimeter
router (rP) and the DMZ. There is a sensor protecting the Super Server (WWW, FTP, and so
on), a remote terminal server (RTS), and a concentrator located in the DMZ.
The perimeter router (rP) forms the key element in the security solution you will develop over
this course. There is also a backbone router (RBB), which connects to the outside, and a branch
office topology (brB).
Required Resources
In this configuration, a pod consists of one learner and one laptop with access to the lab
network. These are the resources and equipment required to complete this activity:
The following software must be installed on each student PC:
Netcat 1.11
Blues Port Scanner v.5
Tera Term 2.3
Microsoft Baseline Security Analyzer
Command List
There are no Cisco IOS software or Cisco Catalyst switch commands in this activity.
Job Aids
These job aids are available to help you complete the lab activity.
Value Information Provided by Your Instructor
Pod Number/Router Number
REMOTE IP
REMOTE Port
REMOTE Username and Password
Activity Procedure
Complete these steps:
Step 1 Change the directory to the one where Netcat resides. (The directory may vary from
PC to PC. Normally the instructor will have put it into C:\Hack101\.) Start Netcat
from the DOS command prompt window.
Step 2 At the command prompt window, enter nc -h. This will list all the command-line
options available in Netcat. Note the meanings of the -v, -z, -n, and -w options.
Step 3 Using the flags provided in the list of options, start a port scan on the target host or
other devices as specified by the instructor. Enter nc -v -z -n -w 3 172.16.P.50 20-443.
Note If you specify the 20-1742 port range, it may take some time to produce the scan results. To
produce faster scan results, specify a smaller port range.
Activity Procedure
Complete these steps:
Step 2 Enter the IP address of the public services segment server in the Start field:
172.16.P.50 (where P is your pod number).
Step 3 Enter the IP address of the public services segment server in the End field:
172.16.P.50 (where P is your pod number).
Step 4 Click the Show List button. The Ports to Scan window opens.
Step 5 Click the Check All button on the right side of the window.
Step 6 Close the window.
Step 7 Click the Start scan button.
Step 8 When the scan has completed, view the results in the main window.
Activity Verification
The results of the port scan will appear in a window as shown in the figure. In this example, the
same services are displayed. Your results may vary.
TCP: 172.16.3.5 [21-ftp]
TCP: 172.16.3.5 [25-smtp]
TCP: 172.16.3.5 [80-www-http]
TCP: 172.16.3.5 [135-epmap]
TCP: 172.16.3.5 [139-netbios-ssn]
TCP: 172.16.3.5 [443-https]
TCP: 172.16.3.5 [445-microsoft-ds]
Activity Procedure
Complete these steps:
Step 1 Double-click the Ethereal icon on your desktop.
Step 4 After about 5 minutes or when told by the instructor, click STOP.
Activity Verification
You have completed this task when the Ethereal window is populated with the network traffic
that has been captured. Examine the traffic to see what type of information is available.
Activity Procedure
Complete these steps:
Step 1 Double-click the Microsoft Baseline Security Analyzer icon on your desktop.
Step 2 Click the Scan a Computer button. The Pick a Computer to Scan page is displayed.
Step 3 Enter the IP address of your student PC in the IP address field, 10.0.P.11 (where P is
your pod number), and select all scanning options.
Step 5 When the scan has completed, view the results in the main window.
Activity Verification
The scan will list a number of security vulnerabilities and look similar to the output in the
figure.
Lab 2-1: Securing Cisco Router Administrative Access
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity you will secure Cisco router administrative access. After completing
this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Configure password minimum length
Configure the enable secret password
Configure the console port line-level password
Configure the vty line-level password
Configure the auxiliary port line-level password
Encrypt clear text passwords
Test administrative access security
Configure enhanced username password security
Visual Objective
The figure illustrates what you will accomplish in this activity.
(Figure: lab topology showing the VPN Client (172.26.26.P) on the public network 172.26.26.0/24, the backbone router RBB, the 172.30.P.0/24 link, and the perimeter router rP (interfaces e0/0 and e0/1) in front of the Organization Network of Pod P.)
Required Resources
There is no change in the resources required to complete this activity.
Command List
The table describes the commands used in this activity.
Command | Description
security passwords min-length | This command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as lab and cisco. This command affects user passwords, enable passwords and secrets, and line passwords. After this command is enabled, any password that is less than the specified length will fail.
password |
service password-encryption | Encrypts passwords
Job Aids
There are no additional job aids for this activity.
Activity Procedure
Complete these steps:
Step 1 Ensure that your student PC is powered on and Windows 2000 Server is operational.
Your instructor will provide you with the correct username and password to log into
the student PC.
Step 2 Configure your student PC for IP address 10.0.P.11 with a default gateway of
10.0.P.1 (where P is your pod number).
Activity Verification
You should be able to ping the gateway router from the Windows command prompt (C:\ping
10.0.P.1).
Activity Procedure
Complete these steps:
Step 1 Access the RTS (IP 10.0.P.100) and connect to the console port of your perimeter
router (rP) (IP 192.169.P.150).
Step 2 Enter enable mode using a password of cisco. Your display should resemble the
following:
RP> enable
Step 3 Password: cisco. Your display should resemble the following:
RP#
Step 4 View the router running configuration using the show run command. Your display
should resemble the following:
RP# show run
Step 5 Enter global configuration mode using the configure terminal command. Your
display should resemble the following:
RP# config terminal
RP(config)#
Step 6 Configure a minimum password length of eight characters using the security
passwords command. Your display should resemble the following:
RP(config)# security passwords min-length 8
RP(config)#
Note The password length may be limited by the Cisco IOS software version.
Step 7 Return to the enable prompt. Your display should resemble the following:
RP(config)# end
RP#
Activity Verification
You have completed this task when you can attain these results:
Check the answer key to ensure you have replied correctly to Question 1.
The results of Step 5 will be verified in the next task.
Task 3: Configure the Enable Secret Password
In this task you will configure an encrypted password on the perimeter router (rP) (where P is
your pod number). The rP currently has enable password protection only. This enable password
is unencrypted by default.
Activity Procedure
Complete these steps:
Step 1 Attempt to configure an enable secret password of Curium using the enable secret
command (passwords are case sensitive). Your display should resemble the
following:
RP(config)# enable secret Curium
Q2) Does the router accept the new enable secret password? Why or why not?
_________________________________________________________
Step 2 Configure an enable secret password of Curium96 using the enable secret command
(passwords are case-sensitive). Your display should resemble the following:
RP(config)# enable secret Curium96
RP(config)# end
Step 3 Show the running configuration using the show run command. Your display should
resemble the following:
RP# show run
Q3) Can you read the enable secret password? Why or why not?
_________________________________________________________
Note Find the enable password in the router configuration listing. Notice that the enable password,
cisco, is shorter than the minimum length required of new passwords. This is because
minimum length only affects passwords created after the security passwords min-length
command is run. It has no effect on older passwords until you reboot the router. (This is an
important item for you to note when you configure your router passwords, and it is the
reason why it is a good idea to set the minimum password length first.) The next time you
reboot the router, an error message will inform you that the enable password is too short.
Activity Verification
You have completed this task when you attain these results:
Step 3 verifies this task.
Check the answer key to ensure you have replied correctly to Questions 2 and 3.
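An added example, not part of the course, that checks a router running configuration for the settings this lab configures across its tasks: the minimum password length, an enable secret, a short clear-text enable password left behind (the situation the Note above describes), line passwords with login enabled, and service password-encryption. The running-config excerpt is constructed, with the enable secret hash shown as a placeholder.

```python
"""Audit a Cisco IOS running configuration for the administrative-access settings
configured in this lab. Added example, not from the course; the configuration
excerpt is constructed and the enable secret hash is a placeholder."""
import re

# Constructed excerpt resembling the perimeter router after the line passwords
# are set but before service password-encryption is enabled.
SAMPLE_RUNNING_CONFIG = """\
!
hostname RP
!
security passwords min-length 8
enable secret 5 <placeholder-md5-hash>
enable password cisco
!
line con 0
 password ConUser1
 login
line aux 0
 login
line vty 0 4
 password VTYUser1
 login
!
end
"""


def parse_lines(config: str) -> dict[str, dict[str, bool]]:
    """Collect each 'line ...' block and whether it carries 'login' and 'password'."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            lines[current] = {"login": False, "password": False}
        elif raw.startswith(" ") and current is not None:
            cmd = raw.strip()
            if cmd == "login":
                lines[current]["login"] = True
            elif cmd.startswith("password "):
                lines[current]["password"] = True
        else:
            current = None          # any top-level command ends the line block
    return lines


def audit_config(config: str, min_length: int = 8) -> list[str]:
    """Return one finding per setting that departs from what the lab configures."""
    findings = []
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    if m is None or int(m.group(1)) < min_length:
        findings.append(f"security passwords min-length: absent or below {min_length}")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("enable secret: not configured; privileged mode relies on the "
                        "unencrypted enable password")
    m = re.search(r"^enable password (?!7 )(\S+)$", config, re.M)
    if m and len(m.group(1)) < min_length:
        findings.append(f"enable password: clear-text value shorter than {min_length} "
                        "characters (min-length only applies to new passwords; the "
                        "router warns about this one on reboot)")
    if "service password-encryption" not in config.splitlines():
        findings.append("service password-encryption: not enabled; line passwords "
                        "are stored in clear text")
    for name, state in parse_lines(config).items():
        if not state["login"]:
            findings.append(f"line {name}: no 'login'; no password check on this line")
        elif not state["password"]:
            findings.append(f"line {name}: 'login' set but no password; "
                            "login stays disabled on that line")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```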
Activity Procedure
Complete these steps:
Step 1 Enter console 0 line configuration mode using the line console command. Your
display should resemble the following:
RP# config t
RP(config)# line console 0
RP(config-line)#
Step 2 Enable password checking on login using the login command. Your display should
resemble the following:
RP(config-line)# login
% Login disabled on line 0, until 'password' is set
RP(config-line)#
Step 3 Enter a new console line-level password of ConUser1 using the password command
(passwords are case sensitive). Your display should resemble the following:
RP(config-line)# password ConUser1
RP(config-line)# end
RP#
Step 4 Show the running configuration and view the line con 0 section.
Q4) Can you read the console line 0 line-level password? Why or why not?
________________________________________________________
Activity Verification
You have completed this task when you attain these results:
Step 4 verifies this task.
Check the answer key to ensure you have replied correctly to Question 4.
Activity Procedure
Complete these steps:
Step 1 Enter vty lines 0 to 4 configuration mode using the line vty command. Your display
should resemble the following:
RP# config t
RP(config)# line vty 0 4
RP(config-line)#
Step 2 Enable password checking on login using the login command. Your display should
resemble the following:
RP(config-line)# login
RP(config-line)#
Step 3 Enter a new console line-level password of VTYUser1 using the password command
(passwords are case sensitive). Your display should resemble the following:
RP(config-line)# password VTYUser1
RP(config-line)# end
RP#
Step 4 Show the running configuration and view the line vty 0 4 section.
Q5) Can you read the vty line 0 4 line-level password? Why or why not?
________________________________________________________
Activity Verification
You have completed this task when you attain these results:
Step 4 verifies this task.
Check the answer key to ensure you have replied correctly to Question 5.
Activity Procedure
Complete these steps:
Step 1 Enter auxiliary line 0 configuration mode using the line aux command. Your display
should resemble the following:
RP# config t
RP(config)# line aux 0
RP(config-line)#
Step 2 Enable password checking on login using the login command. Your display should
resemble the following:
RP(config-line)# login
% Login disabled on line 65, until 'password' is set.
RP(config-line)#
Step 3 Enter a new auxiliary port line-level password of AuxUser1 using the password
command (passwords are case sensitive). Your display should resemble the
following:
RP(config-line)# password AuxUser1
RP(config-line)# end
RP#
Step 4 Show the running configuration and view the line aux 0 section.
Q6) Can you read the auxiliary line 0 line-level password? Why or why not?
________________________________________________________
Activity Procedure
Complete these steps:
Step 1 Encrypt all clear text passwords using the service password-encryption command.
Your display should resemble the following:
RP# config t
RP(config)# service password-encryption
RP(config)# end
Step 2 Show the running configuration and view the passwords.
Step 3 Save your running configuration to the startup-config file using the copy run start
command. Your display should resemble the following:
RP# copy run start
Destination filename [startup-config]? <Enter>
Building configuration...
[OK]
RP#
Activity Verification
You have completed this task when you attain these results:
Step 2 verifies this task. Step 3 saves the configuration for the next task where it will be
verified. Check the answer key to ensure you have replied correctly to Questions 7 to 11.
Activity Procedure
Complete these steps:
Step 1 Log out of the router console port connection.
Step 2 Access your router console port.
Step 3 Log in using the ConUser1 console port line-level password.
Step 4 Enter privileged-EXEC mode using the Curium96 enable secret password.
Step 5 Log out of the router console port connection.
Step 6 Leave the command prompt session window open. Open another command prompt
shell on your student PC and establish a Telnet session to the inside interface of your
router at IP address 192.168.P.150 (Where P is your pod number).
Q12) Are you able to use the enable password? Why or why not?
________________________________________________________
Step 9 Enter privileged-EXEC mode using the Curium96 enable secret password.
Step 10 Log out of the router and close this command prompt session window.
Activity Verification
You have completed this task when you attain these results:
Check the answer key to ensure you have replied correctly to Questions 12 and 13.
Activity Procedure
Complete these steps:
Step 1 Log in to the router and enter global configuration mode.
Step 2 Create a new user account with MD5 hashing for the password. Your display should
resemble the following:
RP(config)# username rtradmin secret 0 Iridium77
Q13) Can you read the password for the new user account? Why or why not?
______________________________________________________________
Q14) Which hashing method is used for the password?
______________________________________________________________
Activity Verification
You have completed this task when you attain these results:
Check the answer key to confirm you have replied correctly to Questions 13 and 14.
Lab 2-1 Answer Key: Securing Cisco Router Administrative
Access
When you complete this activity, your answers will be similar to the following:
Q1) Yes. The enable password is not yet encrypted.
Q3) No. You cannot read the enable secret password because it is automatically hashed when created.
Q7) No. The passwords have all been encrypted using the service password-encryption command.
Q8) Level 5.
Q9) Level 7.
Q10) Level 5 is harder to crack because it uses a strong MD5 hashing algorithm.
Q11) No. The enable secret password takes precedence over the enable password.
Q14) The password is hashed using MD5 (as noted by the number 5 in the configuration).
Activity Objective
In this activity, you will configure the perimeter router to use the local database, the
enable password, and line authentication to provide authentication, authorization, and
accounting services. After completing this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Configure local database authentication using AAA
Verify the perimeter router configuration
Test authentication using debug
Visual Objective
The following figure displays the configuration you will complete in this lab exercise.
Required Resources
There is no change in the resources required to complete this activity.
Command List
The table describes the commands used in this activity.
Command Description
service timestamps debug datetime msec    Adds the date and time to debug messages
Job Aids
There are no additional job aids for this activity.
Now that the perimeter router administrative access points are protected (except PPP), you need
to use AAA commands to prepare for migration to a Cisco Secure Access Control Server
(ACS) environment. The goal of this task is to show you that each router access point can be
secured using unique methods.
There are five access points to protect: line, vty, AUX, console, and PPP. In this task you will
configure unique method login authentication on all access points.
Activity Procedure
Complete these steps:
Step 1 Turn on AAA features using the aaa new-model command. Your display should
resemble the following:
RP# config t
RP(config)# aaa new-model
Step 2 As an added safety measure, create a local username and password account to use in
case you lose your Telnet connection during AAA configuration. Your display
should resemble the following:
Note It is recommended that you never use admin as a username because it is too easy to
guess.
Step 8 Test the console port authentication method you just configured.
Step 9 Secure vty access for the IS department username isgroup with a password of
isdoorin1 and a new list name of is-in using the commands in the following
configuration display:
RP> enable
Password: Curium96
RP# config t
RP(config)# username isgroup password isdoorin1
RP(config)# aaa authentication login is-in local
RP(config)# line vty 0 4
RP(config-line)# login authentication is-in
RP(config-line)# end
This is the same idea as the console protection, but on the Telnet access via vty
ports.
Step 10 Exit privileged-EXEC mode and log out of the router.
Step 11 Leave the command prompt session window open. Open another command prompt
shell on your PC and telnet to the inside interface of your router at IP address
192.168.P.150. (Where P is your pod number)
Step 12 Test the vty line authentication method you just configured.
Step 13 Enter enable mode and copy the router running configuration to the startup
configuration.
Step 14 Log out of the router and close this command prompt window.
Activity Verification
You have completed this task when you attain these results:
Use the show run command to view the configuration. At this point, your perimeter router
configuration should look similar to the following subsections.
Note This is a partial view of your router configuration containing only the sections modified in this
lab exercise. Your encrypted passwords may vary.
!
hostname RP
!
security passwords min-length 8
no logging console
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa session-id common
enable secret 5 $1$.1EP$TSWx6VY1Q6y81sESvN/
enable password 7 060506324F41
!
username admin password 7 14161606050A2E242B3A
username isgroup password 7 011A1500540414
!
line con 0
 password 7 072C2E427B1A1C1746
 login authentication console-in
line aux 0
 password 7 052A1317145F4B1B48
line vty 0 4
 password 7 122F312E271809167B
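As an added example (not part of the lab guide), the following Python script audits a running-config like the one above for the weak credential forms this lab works through: type 0/7 passwords, an enable password kept beside the enable secret, a default login list that is only enable, lines that fall back to that list, and an AUX port that still allows EXEC. The sample config is a constructed copy of the partial configuration above; the enable secret hash is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed copy of the lab's partial running-config (enable secret hash is a placeholder).
SAMPLE_CONFIG = """\
!
hostname RP
!
security passwords min-length 8
aaa new-model
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
enable secret 5 $1$PLCH$PLACEHOLDERHASHPLACEHOLDE
enable password 7 060506324F41
!
username admin password 7 14161606050A2E242B3A
username isgroup password 7 011A1500540414
!
line con 0
 password 7 072C2E427B1A1C1746
 login authentication console-in
line aux 0
 password 7 052A1317145F4B1B48
line vty 0 4
 password 7 122F312E271809167B
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "high", "medium" or "info"
    message: str


# "password 7 <hex>" is service password-encryption output (reversible); "password 0 x"
# or a bare "password x" is plaintext. Only "secret" (type 5, MD5) is a real hash.
LINE_PASSWORD_RE = re.compile(r"^password (?:(0|7) )?\S+$")
USER_PASSWORD_RE = re.compile(r"^username (\S+) password (?:(0|7) )?\S+$")


def _storage_kind(ptype):
    return "type 7 (reversible)" if ptype == "7" else "plaintext"


def audit_credentials(config):
    """Return Findings for weak credential storage, sorted by config line number."""
    findings = []
    aaa_new_model = False
    has_enable_secret = False
    lines = {}      # "line aux 0" -> {"no": 19, "auth": False, "noexec": False}
    header = None   # most recent unindented command; indented lines are its sub-commands
    for n, raw in enumerate(config.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        indented = raw.startswith(" ")
        if not indented:
            header = cmd
        if cmd == "aaa new-model":
            aaa_new_model = True
        elif cmd.startswith("enable secret"):
            has_enable_secret = True
        elif cmd.startswith("enable password"):
            findings.append(Finding(n, "high",
                "enable password is type 0/7 (recoverable); keep only enable secret"))
        elif cmd.startswith("aaa authentication login default") and cmd.split()[4:] == ["enable"]:
            findings.append(Finding(n, "medium",
                "default login list is the shared enable password: no per-user accountability"))
        elif cmd.startswith("username "):
            m = USER_PASSWORD_RE.match(cmd)
            if m:
                user, ptype = m.groups()
                findings.append(Finding(n, "high",
                    f"user {user}: password stored {_storage_kind(ptype)}; use 'username {user} secret'"))
        elif cmd.startswith("line "):
            lines[header] = {"no": n, "auth": False, "noexec": False}
        elif indented and header in lines:
            m = LINE_PASSWORD_RE.match(cmd)
            if m:
                findings.append(Finding(n, "medium",
                    f"{header}: line password stored {_storage_kind(m.group(1))}"))
            elif cmd.startswith("login authentication"):
                lines[header]["auth"] = True
            elif cmd == "no exec":
                lines[header]["noexec"] = True
    if not has_enable_secret:
        findings.append(Finding(0, "high", "no enable secret configured"))
    for name, state in lines.items():
        if aaa_new_model and not state["auth"]:
            findings.append(Finding(state["no"], "info",
                f"{name}: no 'login authentication' -> uses the default login list"))
        if name.startswith("line aux") and not state["noexec"]:
            findings.append(Finding(state["no"], "medium",
                f"{name}: EXEC allowed on the AUX port; add 'no exec' if it is unused"))
    return sorted(findings, key=lambda f: (f.line_no, f.severity))


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity:<6}] {f.message}")
```

On the sample it flags the three recoverable credentials as high, and reports that aux 0 and vty 0 4 carry no login authentication and therefore authenticate through the default list, which is why Telnet in this lab accepts the enable password.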
It is important in debugging to ensure that you have a proper time reference for messages,
especially if you are logging multiple devices to a central logging system. Log in to user mode
and enter the show clock command to check the router clock. If the time and date are incorrect,
access enable mode and enter the following command: clock set HH:MM:SS DD month
YYYY (for example, clock set 10:00:00 21 March 2002).
Activity Procedure
Complete these steps:
Step 1 Enter global configuration mode and use the following commands to ensure that you
have detailed time stamp information for your debug output:
RP(config)# service timestamps debug datetime msec
RP(config)# logging console
RP(config)# end
Step 2 Turn on debugging for AAA authentication. Your display should resemble the
following:
RP# debug aaa authentication
Step 3 Trigger an AAA authentication event by logging out of your console connection and
logging in with username admin and password admindoor.
Step 4 When you have logged in and are presented with the user mode prompt, continue in
enable mode. The debug output follows (with notes in <brackets>):
Username: admin
Password: <valid password entered here>
Mar 21 17:05:00.461: AAA/AUTHEN/LOGIN (00000053): Pick method list 'console-in'
RP> enable
Password: <valid enable password entered here>
Mar 21 17:05:11.656: AAA: parse name=tty0 idb type=-1 tty=-1
Mar 21 17:05:11.656: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Mar 21 17:05:11.656: AAA/MEMORY: create_user (0x82B2138C) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): console enable - default to enable password (if any)
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): Method=ENABLE
Mar 21 17:05:11.660: AAA/AUTHEN(3254755694): Status=GETPASS
Mar 21 17:05:18.671: AAA/AUTHEN/CONT (3254755694): continue_login (user='(undef)')
Mar 21 17:05:18.671: AAA/AUTHEN(3254755694): Status=GETPASS
Mar 21 17:05:18.671: AAA/AUTHEN/CONT (3254755694): Method=ENABLE
Mar 21 17:05:18.755: AAA/AUTHEN(3254755694): Status=PASS
Mar 21 17:05:18.755: AAA/MEMORY: free_user (0x82B2138C) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
RP#
Step 5 Log out of the router.
Step 6 Log in again, but this time enter an invalid enable password. Your display should
resemble the following:
Username: admin
Password: <valid password entered here>
Mar 21 17:07:40.612: AAA/AUTHEN/LOGIN (00000054): Pick method list 'console-in'
RP> enable
Password: <invalid enable password entered here>
Mar 21 17:07:52.103: AAA: parse name=tty0 idb type=-1 tty=-1
Mar 21 17:07:52.103: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Mar 21 17:07:52.107: AAA/MEMORY: create_user (0x82CE62E0) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): console enable - default to enable password (if any)
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): Method=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN(2358711356): Status=GETPASS
% Access denied
RP>
Mar 21 17:07:55.180: AAA/AUTHEN/CONT (2358711356): continue_login (user='(undef)')
Mar 21 17:07:55.180: AAA/AUTHEN(2358711356): Status=GETPASS
Mar 21 17:07:55.180: AAA/AUTHEN/CONT (2358711356): Method=ENABLE
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): password incorrect
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): Status=FAIL
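As an added example (not part of the lab guide), the following Python parser correlates debug aaa authentication output by the session ID in parentheses, so the port, service, method and final Status of each attempt can be read off mechanically and repeated failures on a port can be counted for alerting. The sample input is constructed from the two console enable attempts above, with wrapped lines rejoined and the second attempt abridged.

```python
import re
from dataclasses import dataclass

# Constructed from the lab's two console enable attempts (valid, then invalid enable
# password) with the wrapped lines rejoined; the second attempt is abridged.
SAMPLE_DEBUG = """\
Mar 21 17:05:00.461: AAA/AUTHEN/LOGIN (00000053): Pick method list 'console-in'
Mar 21 17:05:11.656: AAA: parse name=tty0 idb type=-1 tty=-1
Mar 21 17:05:11.656: AAA/MEMORY: create_user (0x82B2138C) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): console enable - default to enable password (if any)
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): Method=ENABLE
Mar 21 17:05:11.660: AAA/AUTHEN(3254755694): Status=GETPASS
Mar 21 17:05:18.671: AAA/AUTHEN/CONT (3254755694): continue_login (user='(undef)')
Mar 21 17:05:18.755: AAA/AUTHEN(3254755694): Status=PASS
Mar 21 17:07:40.612: AAA/AUTHEN/LOGIN (00000054): Pick method list 'console-in'
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): Method=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN(2358711356): Status=GETPASS
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): password incorrect
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): Status=FAIL
"""

# Only AAA/AUTHEN lines carry the session id in parentheses; AAA: and AAA/MEMORY: lines are skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): AAA/AUTHEN(?:/(?P<phase>\w+))? ?"
    r"\((?P<sid>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


@dataclass
class Session:
    sid: str
    started: str
    port: str = "?"
    service: str = "?"
    method: str = "?"
    status: str = "UNKNOWN"   # last Status= value seen (GETPASS, PASS, FAIL, ...)
    reason: str = ""          # free-text failure reason, e.g. "password incorrect"
    ended: str = ""


def parse_aaa_debug(text):
    """Correlate debug aaa authentication lines into {session_id: Session}."""
    sessions = {}
    for raw in text.splitlines():
        m = EVENT_RE.match(raw)
        if not m:
            continue
        ts, phase, sid, rest = m.group("ts", "phase", "sid", "rest")
        if phase == "LOGIN":
            continue  # method-list selection; its number is a login sequence, not a session id
        s = sessions.setdefault(sid, Session(sid=sid, started=ts))
        kv = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
        if phase == "START":
            s.port = kv.get("port", s.port)
            s.service = kv.get("service", s.service)
            s.method = kv.get("Method", s.method)
        elif phase is None:  # bare AAA/AUTHEN(sid): status and reason lines
            if "Status" in kv:
                s.status = kv["Status"]
                if s.status in ("PASS", "FAIL", "ERROR"):
                    s.ended = ts
            elif "incorrect" in rest:
                s.reason = rest
    return sessions


def failed_attempts(sessions, port, service="ENABLE"):
    """FAIL sessions for one port and service, oldest first, for threshold alerting."""
    return sorted((s for s in sessions.values()
                   if s.port == port and s.service == service and s.status == "FAIL"),
                  key=lambda s: s.ended)


if __name__ == "__main__":
    for s in parse_aaa_debug(SAMPLE_DEBUG).values():
        print(f"{s.sid}: {s.service} on {s.port} via {s.method} -> {s.status} {s.reason}".rstrip())
```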
Activity Verification
You have completed this task when you attain these results:
The output from a valid password entered in Steps 1 to 3 should match the output shown in
Step 4.
The output from an invalid password should match the output in Step 5.
Lab 2-2 Answer Key: Configuring AAA for Cisco Routers
When you complete this activity, your answers will be similar to the following:
Q1) Curium96 is used because the enable secret password takes precedence over the enable password.
Activity Objective
In this activity, you will configure a Cisco Secure ACS for Windows Server to provide AAA
services. After completing this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Install Cisco Secure ACS for Windows Server
Take a grand tour of Cisco Secure ACS for Windows Server
Configure the Cisco Secure ACS for Windows Server database for authentication
Configure the router to authenticate to the Cisco Secure ACS for Windows Server database
Visual Objective
The following figure illustrates the network environment that you will create.
[Figure: lab network. VPN Client 172.26.26.P; Pod P (110); Public .150 172.26.26.0/24; RBB .1 172.30.P.0/24 .2 e0/1; Organization Network rP .150 e0/0 192.168. .0/24]
Scenario
You will configure an AAA server to perform AAA services to secure Telnet, EXEC, and vty
access to a Cisco perimeter router. You will configure Cisco Secure ACS to use the Cisco
Secure ACS database.
Required Resources
There is no change in the resources required to complete this activity.
Command List
You will complete this activity from a GUI.
Job Aids
There are no additional job aids for this activity.
Activity Procedure
Complete these steps:
Step 1 Ensure that your student PC is powered on and Windows 2000 Server is operational.
Your instructor will provide you with the correct username and password to log into
the student PC.
Step 2 Configure your student PC for IP address 10.0.P.11 with a default gateway of
10.0.P.1 (Where P is your pod number).
Step 3 If you just completed the lab exercise from the previous lesson, disable logging to
the router console using the no logging console command.
Step 4 Verify that the Kiwi daemon has been installed.
Activity Verification
You will have properly completed this task if your PC and the default gateway have the correct
IP addresses.
Activity Procedure
Complete these steps:
Step 1 Log in to Microsoft Windows 2000 Server using the administrator account. Your
instructor will provide you with the correct username and password combination for
the administrator account.
Step 2 Open the CiscoApps folder on your desktop.
Step 3 Open the Cisco Secure ACS folder.
Step 4 Begin the Cisco Secure ACS installation by double-clicking the setup.exe file. The
Cisco Secure ACS for Windows Server installation wizard starts.
Step 5 Click Accept to acknowledge the terms of the Cisco Secure ACS license agreement.
Step 6 Click Next in the Welcome window.
Step 7 Click all items listed in the Before You Begin window and click Next.
Step 8 Click Next to accept the default settings in the Choose Destination Location
window.
Step 9 Complete the following sub-steps within the Authentication Database Configuration
window:
1. Check the Also check the Windows User Database check box.
2. Click Yes for the Grant dialin permission to user setting check box.
3. Click Next.
Step 10 Complete the following sub-steps within the Cisco Secure ACS Network Access
Server Details window:
1. Click TACACS+ (Cisco IOS) from the Authenticate Users Using scroll box.
2. Enter the name of your router in the Access Server Name box (for example,
R1, R2, and so on).
6. Click Next. Setup will start installing files on your student PC.
Step 11 Check all check boxes within the Advanced Options window and click Next. It is
important that you check all check boxes as this determines what ACS options you
will be able to configure later.
Step 12 Click Next to accept the default settings within the Active Service Monitoring
window.
Step 13 Click Next to accept the default settings within the Network Access Server
Configuration window.
Step 14 Click Next to accept the default setting (no password specified) in the Enable Secret
Password window. You already specified the router enable secret password in the
previous lab exercise.
Step 15 Click Next to accept the default settings within the Access Server Configuration
window.
Step 16 Complete the following sub-steps within the NAS Configuration window:
Use the scroll bar to view all of the parameters in the command box. These
parameters are created during the installation process of the Cisco Secure ACS
software.
Do not use the Telnet Now? function at this time. The Telnet Now? function
allows you to telnet to your router and then copy and paste these parameters into
your router, saving time in the router setup process. You will be entering these
commands and parameters manually later in this lab exercise.
Click Next.
Step 17 Click Next to accept the default settings within the Cisco Secure ACS Service
Initiation window.
Step 18 Click Finish to close the Setup Complete window.
Step 19 Review the contents of the README.TXT file and close the associated window.
Step 20 Close the Internet Explorer window containing the Cisco Secure ACS main window.
Activity Verification
You have completed this task when you attain these results:
Use the Windows Task Manager (Ctrl+Alt+Delete>Task Manager) to determine whether
the following services are running on your student PC:
CSAdmin
CSAuth
CSDBSync
CSLog
CSMon
CSRadius
CSTacacs
If these services are not running, restart your student PC and repeat this task. Once you are
finished, close any open windows.
Activity Procedure
Complete these steps:
Step 1 Double-click the ACS Admin desktop icon to start the ACS configuration manager.
Step 2 Click the Cisco Systems icon at the top of the left pane.
Q6) What is the status of the Cisco Secure service, level of detail for logging, and frequency
of new file generation?
________________________________
Step 8 Click Cancel to return to the select list. Click Logging and answer the following
question:
Q10) Where can the ACS user and group databases be backed up?
________________________________
Step 12 Click Cancel to return to the select list. Click ACS Restore and answer the
following question:
________________________________
Step 13 Click Cancel to return to the select list. Click ACS Service Management and
answer the following question:
Q12) What are the two ways a system administrator can be notified of logged events?
________________________________
Step 14 Click Cancel to return to the select list.
Step 15 Examine the interface configuration functions. Click Interface Configuration in the
left pane. Click User Data Configuration and answer the following question:
Step 20 In the Advanced Configuration Options section, check all four options.
Step 21 Click Submit to return to the select list and answer the following question:
Q15) Where are the TACACS+ services and advanced configuration objects applied that you
configure in this window?
______________________________________________________________________
______________________________________________________________________
Step 22 Click Administration Control in the left frame and answer the following questions:
Q18) What two options are available if a user is not found in the Cisco Secure database?
Which one is the default?
________________________________
Q19) What external databases can be checked for the unknown user?
Q20) What do you click in the External User Database Configuration section?
________________________________
Step 28 Click Cancel to return to the select list.
Step 29 Examine the reports and activity functions. Click Reports and Activity in the left
frame. Click Administration Audit and answer the following question:
Take a moment to browse the new features, software requirements, and troubleshooting
sections of the online documentation.
Activity Verification
You have completed this task when you attain this result:
Check the answer key to ensure you correctly answered Questions 1 through 21.
In this task you will add a group and user to the Cisco Secure ACS for Windows Server
database.
Activity Procedure
Complete these steps:
Step 1 Create a new user group by completing the following sub-steps:
1. Click the Group Setup button in the left frame.
2. Click Group 1 from the drop-down list.
3. Click the Rename Group button to rename the group to is-in. Select the existing name,
enter the new group name, and click the Submit button.
4. Click Edit Settings and set the group settings as follows:
In the Password Aging Rules section, check the Apply age-by-date rules check
box.
Configure the apply age-by-date rule for 30 days active, a warning period of 4,
and a grace period of 4.
In the IP Assignment section, click No IP address assignment.
In the TACACS+ Settings section, click Shell (exec).
In the Enable Options section, click Max Privilege for any AAA Client and set
the level to level 15.
Leave all other sections at their default values.
Q22) How else can password aging be controlled when authenticating against the Cisco
Secure ACS for Windows Server database?
________________________________
Step 2 Set the router host and key value by completing the following sub-steps:
1. Click AAA Clients from the left pane.
Step 3 Add and configure a user to authenticate against the Cisco Secure ACS database. Click the
User Setup button in the left pane and complete the following steps:
1. Enter a username of isadmin.
2. Click Add/Edit and ensure that Account Disabled is deselected.
3. Scroll to the User Setup area and click CiscoSecure Database for password authentication.
4. Enter a password of isuser for the user isadmin. Ensure that you enter the password twice
to confirm it.
5. Scroll to the Group to which the user is assigned section and assign the user to the is-in
group.
6. Scroll to the Account Disable section, click Disable account if, and check the Failed
attempts exceed: 5 check box.
7. Scroll to the Advanced TACACS+ Settings section and click Use group level setting.
Remember that the group setting is level 15.
8. Scroll to the TACACS+ Enable Password section and click the Use Separate Password
check box.
Q23) What is the main difference between the parameters in the user and group setups?
______________________________________________________________________
______________________________________________________________________
Step 4 Minimize the Cisco Secure ACS window.
Activity Verification
You have completed this task when you attain this result:
You correctly answer Questions 22 and 23.
Activity Procedure
Complete these steps:
Step 1 Log into the router using the AAA administrator account user name of admin with a password of
admindoor.
RP(config-line)# exit
Step 7 Force the use of the enable restrictions you placed in the Cisco Secure ACS for Windows Server,
and override the enable secret password on the router. Enter the following command to protect the
enable password and privileged mode:
RP(config)# aaa authentication enable default group tacacs+
Step 8 Change the AUX access by entering the following commands:
RP(config)# line aux 0
RP(config-line)# no password AuxUser1
RP(config-line)# no exec
RP(config-line)# exit
Step 9 If something happens and ports or access points are added to the machine, then you have to protect
them. Complete the following sub-steps on the router:
12. You already protected this with the enable password. You will change this to use TACACS+.
Enter the following commands exactly as shown:
Note You should always place an enable at the end of the aaa authentication login default
group tacacs+ enable command as shown in this step. This allows you to access
privileged-EXEC mode even if the TACACS+ server is down. The router first tries to locate a
TACACS+ server, and if it cannot find one, will default to the standard enable password.
13. Open a new command prompt shell and telnet to the inside interface of your router:
192.168.P.150 (Where P = pod number).
Note It is a good idea to open a second window and monitor the AAA debug logs as they perform
these tasks.
14. Log in using the isadmin username and the isuser password. Your router should
authenticate with the ACS and allow you to log in. If you cannot log in, recheck your work
and try again.
15. Enter privileged-EXEC mode using the ispassword password. Your router should
authenticate with the ACS and allow you to log in. If you cannot log in, recheck your work
and try again.
16. Copy the running configuration to the startup configuration using the copy run start
command. Your display should resemble the following:
RP(config)# end
RP# copy run start
17. Log out of the Telnet session and close the command prompt window.
18. Log out of Cisco Secure ACS and minimize the window.
19. Return the router to the default lab configuration in preparation for the next lab.
Lab 2-3 Answer Key: Configuring Cisco Secure ACS for
Windows Server
When you complete this activity, your answers will be similar to the following:
Q2) The Cisco Secure ACS home page, version 3.2 or later.
Q6) One.
Q7) Cisco Secure is currently running; the level is low, new file every day.
Q9) Enables control of password length when users change their password.
Q12) User and group database and the Cisco Secure ACS System Configuration.
Q13) Events can be logged to the NT/2000 event log, or an e-mail notification of the event can be sent to the
system administrator.
Q14) You can specify unique information that will be displayed for each user, such as location or department
and can have the information reflected in the accounting logs if desired.
Q15) You can configure the advanced features that will appear in the user interface. You click only applicable
features, reducing the complexity of the Cisco Secure ACS windows displayed.
Q16) TACACS+ Services and Advanced Configuration Objects configured in the TACACS+ (Cisco) window
are applied and appear as selectable options in the User and Group setup windows for each user and group.
Q18) You can add, delete, and control administrator accounts from a web browser. You can control
administrator passwords, privileges, system configuration, reports, and activity.
Q19) It depends on the configuration that was created during the installation.
Q20) The Windows NT or Windows 2000 user database, or any configured, supported external database
(CRYPTOCard, ODBC, and so on).
Q21) The external user database you want to use for authentication.
Q23) By using the age-by-uses rules in the Password Aging Rules window.
Q24) Group setup parameters apply to all users assigned to the group. User setup parameters only apply to that
user. User parameters can override group parameters.
Activity Objective
Unused Cisco router network services and interfaces present vulnerabilities to network security.
In this lab, you will describe how you address the vulnerabilities they might or might not pose.
After completing this activity, you will be able to meet these objectives:
Verify the configuration of the perimeter router
Explain how to disable unnecessary services
Visual Objective
The following figure displays the network topology you will use in this lab exercise.
Required Resources
You will be using the application TFTP Desktop in this lab.
Command List
The commands you might use in this activity are shown in the Unused Services and Interfaces
Guidelines table.
Job Aids
The Unused Services and Interfaces Guidelines table will help you complete the lab activity.
1. Disable unused router interfaces: disable unused router interfaces using the shutdown
command.
6. Assure terminal access security: disable IP identification using the no ip identd command to
assure terminal access security.
8. Mitigate DoS and DDoS attacks: mitigate DoS and DDoS attacks by:
Activity Procedure
Complete these steps:
Step 1 Log in to your perimeter router using the username and password from the previous
exercise.
Step 2 Display the current configuration of the router using the show run command.
Step 3 Double-click the TFTP Desktop server icon on your student PC.
Step 4 Open a Windows command prompt and enter C:\tftp i [host IP] GET source
[destination file]. TFTP Desktop will begin transferring your configuration to your
student PC. Follow the directions to open the file in Windows Notepad or a text
editor of your choice.
Step 5 Examine the configuration against the lists of services in the Unused Services and
Interfaces Guidelines table. Note any services and interfaces that do not comply
with these guidelines.
Activity Verification
You have completed this task when you attain this result:
Your comparison should reveal a number of potential vulnerabilities from which you will
protect your network in the following tasks.
Activity Verification
There is no additional verification required for this activity.
Lab 3-1: Configuring the PIX Security Appliance
with PDM
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will configure the PIX Security Appliance with PDM. After completing
this activity you will be able to meet these objectives:
Install PDM and access it from the browser
Clear the PIX Security Appliance configuration and access the PDM Startup Wizard
Use the PDM Startup Wizard to configure a privileged mode password
Configure outbound access with NAT
Test connectivity through the PIX Security Appliance
Configure and test inbound access
Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.
Activity Procedure
Complete these steps:
Step 1 Load the PDM file into the PIX Security Appliance. Your display should resemble
the following:
pixP(config)# copy tftp://10.0.P.10/pdm-302.bin flash:pdm
(Where P is your pod number)
Step 2 Enable the HTTP server in the PIX Security Appliance. Your display should
resemble the following:
pixP(config)# http server enable
(Where P is your pod number)
Step 3 Grant permission for the inside host to initiate an HTTP connection to the PIX
Security Appliance. Your display should resemble the following:
pixP(config)# http 10.0.P.11 255.255.255.0 inside
(Where P is your pod number)
Step 4 Access the PDM console by completing the following substeps:
3. When prompted for the username and password, do not enter a username or
password. Click OK to continue.
4. Click Yes in the Security Warning window. If the Update Config window
opens, click Proceed.
Step 5 Notice that the current PIX Security Appliance configuration has been imported.
Examine the configuration by clicking the Configuration button and then complete
the following substeps:
1. Click the Access Rules tab. Notice that an access policy has been created to
correspond to the ACLs you configured earlier in the course.
2. Click the Translation Rules tab. Notice that the static mappings, NAT, and
global pools appear here.
4. Click the System Properties tab. Notice that the configuration of the PIX
Security Appliance interfaces is displayed.
Step 6 Close the browser. The Are you sure? window opens.
Step 7 Click Yes. The PDM application closes.
Activity Verification
You have completed this task when you attain this result:
You have been able to access the PIX through the PDM.
Activity Procedure
Complete these steps:
Step 1 In the PDM console window, erase the current PIX Security Appliance
configuration. When prompted to confirm, press Enter. Your display should
resemble the following:
pixP(config)# write erase
Erase PIX configuration in flash memory? [confirm] <Enter>
Step 2 In the Telnet window, reload the PIX Security Appliance. When prompted to
confirm, press Enter. Your display should resemble the following:
pixP(config)# reload
Proceed with reload? [confirm] <Enter>
Step 3 When prompted to pre-configure the PIX Security Appliance through interactive
prompts, press Enter.
Step 4 Agree to use the current password by pressing Enter. Your display should resemble
the following:
Enable password [<use current password>]: <Enter>
Step 5 Accept the default year by pressing Enter. Your display should resemble the
following:
Clock (UTC):
Year [insert current year in the form YYYY]: <Enter>
Step 6 Accept the default month by pressing Enter. Your display should resemble the
following:
Month [Nov]: <Enter>
3. When prompted for the username and password, do not enter a username or
password. Click OK to continue. The Security Warning window opens.
5. Click Proceed. If the Preview CLI Commands window opens, click Send.
The PIX Device Manager main window opens.
Activity Verification
You have completed this task when you attain these results:
The PDM window opens after Step 15.
Task 3: Use the PDM Startup Wizard to Configure a Privileged
Mode Password
In this task you will configure a privileged mode password.
Activity Procedure
Complete these steps:
Step 1 In the PIX Device Manager Startup Wizard window, click Next. The Startup Wizard
Basic Configuration group box appears.
Step 2 Verify that pixP appears in the PIX Host Name field.
(Where P is your pod number)
Step 3 Verify that cisco.com appears in the Domain Name field.
Step 4 Click Change Enable Password within the Enable Password group box.
Step 5 Enter cisco in the New Enable Password text box.
Step 6 Enter cisco in the Confirm New Enable Password text box.
Step 8 Leave the Username field blank, enter cisco in the password field, and click OK.
The main Cisco PIX Device Manager window opens.
Activity Verification
You have completed this task when you attain this result:
The PDM window opens on Step 8.
Activity Procedure
Complete these steps:
Step 1 Click the Configuration button, then click the System Properties tab.
Step 2 Configure the inside interface by completing the following substeps:
1. Click ethernet1 in the Interfaces table and click the Edit button. The Edit
Interface window opens.
8. Choose auto from the Speed and duplex mode drop-down menu.
10. Click OK. You are returned to the Systems Properties tab.
Step 3 Configure the outside interface by completing the following substeps:
1. Click ethernet0 in the Interfaces table, and then click the Edit button. The
Edit Interface window opens.
4. Verify that the Static IP Address radio button is selected within the IP
Address group box.
9. Choose auto from the Speed and duplex mode drop-down menu.
11. Click OK. You are returned to the System Properties tab.
4. Click Add from the Static Route group box. The Add Static Route window
opens.
8. Enter 0.0.0.0 in the Mask drop-down menu.
10. Click OK. The static route appears in the Static Route table.
2. Click the Manage Pools button. The Manage Global Address Pools window
opens.
7. Enter 192.168.P.20 in the first IP address field. (Where P is your pod number)
10. Click OK. You are returned to the Manage Global Address Pools window.
11. Click OK. You are returned to the Translation Rules tab.
3. Choose Rules>Add from the main menu. The Add Address Translation Rule
window opens.
4. Verify that the inside interface is chosen in the Interface drop-down menu.
7. Click the inside network by clicking 10.0.P.0. (Where P is your pod number)
8. Click OK. You are returned to the Add Address Translation Rule window.
10. Verify that Dynamic is selected in the Translate Address to group box.
13. Click OK in the Add Address Translation Rule window. The new rule
appears on the Translation Rules tab.
Activity Verification
You have completed this task when you attain this result:
Each of the steps includes the necessary substeps to ensure it has been properly verified.
Activity Procedure
Complete these steps:
1. Choose Tools>Ping.
3. Click Ping.
4. Observe the following output in the Ping Output window. The output should
appear similar to the following: (Where P is your pod number)
Step 3 Click Close to exit the Ping window.
Step 4 Test the operation of the global and NAT you configured by originating connections
through the PIX Security Appliance. To do this, complete the following substeps:
2. Use the web browser to access the Super Server at IP address 172.26.26.50 by
entering http://172.26.26.50.
Step 5 Observe the translation table by completing the following substeps:
3. Click Send.
4. Observe the output in the Response field. Your display should resemble the
following:
Result of the PIX command: "show xlate"
Note A global address chosen from the low end of the global range has been mapped to the
student PC.
Activity Verification
You have completed this task when you attain this result:
The results of Step 6 are similar to those shown.
Activity Procedure
Complete these steps:
Step 1 Enable command preview by completing the following substeps:
2. Click the Add New Rule icon in the toolbar. The Add Address Translation
Rule window opens.
3. Verify that the inside interface is chosen in the Interface drop-down menu.
7. Click OK. You are returned to the Add Address Translation Rule window.
11. Click OK. The new rule appears on the Translation Rules tab.
3. Click Send.
Step 4 Verify that the output in the Response field is similar to the following. Your display
should resemble the following:
Result of firewall command: "clear xlate"
The command has been sent to the firewall.
Step 5 Ping a peer pod inside host from the internal host. The ping should fail because the
peer pod policy presently prevents pinging. Your display should resemble the
following:
C:\> ping 192.168.Q.10
Pinging 192.168.Q.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
(where Q is your peer pod number)
Step 6 Close the Ping window.
Step 7 Configure an ACL to allow pinging through the PIX Security Appliance by
completing the following substeps:
9. Click OK. The new rule appears on the Access Rules tab.
Step 8 Ping a peer pod inside host from the internal host. Be sure to coordinate with the
peer pod. Your display should resemble the following:
C:\> ping 192.168.Q.10
Pinging 192.168.Q.10 with 32 bytes of data:
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
(where Q is your peer pod number)
Step 9 Close the Ping window.
Step 10 Configure an ACL to allow Web access to the inside host from the outside by
completing the following substeps:
5. Choose inside from the Interface drop-down menu within the Destination
Host/Network group box.
8. Click the IP address of the inside host: 10.0.P.11 (Where P is your pod
number).
11. Verify that = is chosen in the Service drop-down menu within the Source Port
group box.
12. Verify that any appears in the Service field within the Source Port group box.
13. Verify that = is chosen in the Service drop-down menu within the Destination
Port group box.
14. Click the ellipsis button within the Destination Port group box. The Service
window opens.
16. Click OK. You are returned to the Add Rule window.
3. Click Send.
4. Verify that the output in the Response field is similar to the following. Your
display should resemble the following:
Result of firewall command: "show xlate"
0 in use, 3 most used
Step 12 Test Web access to the inside hosts of opposite pod groups by completing the
following substeps:
2. Use the web browser to access the inside host of the peer pod group
http://192.168.Q.10 (where Q is your peer pod number). You should be able
to establish a Web connection to the peer's inside host.
Step 13 Test FTP access to the inside hosts of other pod groups by completing the following
substeps:
1. On the client PC, use FTP to get into the inside host of another pod group by
choosing Start>Run>ftp 192.168.Q.10 (where Q is your peer pod number).
You should be unable to access the peer's inside host via FTP.
2. Have an opposite pod group use FTP to attempt to get into the inside host.
Step 14 Observe the transactions by completing the following substeps:
3. Click Send.
4. Verify that the output in the Response box is similar to the following:
result of firewall command: "show arp"
7. Click Send.
8. Verify that the output in the Response field is similar to the following:
result of firewall command: "show conn"
0 in use, 6 most used
TCP out 192.168.Q.10:80 in 10.1.P.11: 3893 idle 0:00:07 Bytes
463 flags UIO
TCP out 192.168.Q.10:80 in 10.1.P.11: 3893 idle 0:00:07 Bytes
463 flags UIO
Activity Verification
You have completed this task when you attain this result:
The results of Step 6 are similar to those shown.
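The show conn response in Step 14 is easier to act on once it is parsed. As an added example, not part of the lab, the following Python code parses a constructed PDM "show conn" response modelled on the one above (with P=1 and Q=2 substituted and the second connection given a different source port), re-joins the record that the page wraps onto a second line, decodes the UIO flags, and totals bytes per inside host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the PDM "show conn" response in the lab, with
# P=1 and Q=2 substituted. The "Bytes / 463 flags UIO" wrap copies the way the
# output is broken across lines on the printed page.
SAMPLE_SHOW_CONN = """\
Result of firewall command: "show conn"
0 in use, 6 most used
TCP out 192.168.2.10:80 in 10.1.1.11: 3893 idle 0:00:07 Bytes
463 flags UIO
TCP out 192.168.2.10:80 in 10.1.1.11: 3894 idle 0:00:07 Bytes
463 flags UIO
"""

SUMMARY_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):\s*(?P<in_port>\d+) "       # PDM prints "in 10.1.P.11: 3893"
    r"idle (?P<idle>\d+:\d{2}:\d{2}) Bytes (?P<bytes>\d+)"
    r"(?: flags (?P<flags>\S+))?$"
)

# Flag letters that appear in the lab output, per the PIX "show conn" legend.
FLAG_MEANING = {"U": "up", "I": "inbound data", "O": "outbound data"}


@dataclass
class Conn:
    proto: str
    out_ip: str        # outside-side endpoint (the peer pod's web server)
    out_port: int
    in_ip: str         # inside-side endpoint (the inside host)
    in_port: int
    idle_seconds: int
    byte_count: int
    flags: str


def _idle_to_seconds(idle: str) -> int:
    h, m, s = (int(part) for part in idle.split(":"))
    return h * 3600 + m * 60 + s


def _logical_lines(text: str) -> List[str]:
    """Re-join connection records that were wrapped onto a second line."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("TCP ", "UDP ")) or SUMMARY_RE.match(line) or not joined:
            joined.append(line)
        elif joined[-1].startswith(("TCP ", "UDP ")):
            joined[-1] = joined[-1] + " " + line      # continuation of a wrapped record
        else:
            joined.append(line)
    return joined


def parse_show_conn(text: str) -> Tuple[Optional[Tuple[int, int]], List[Conn]]:
    """Return ((in_use, most_used), [Conn, ...]) from a "show conn" response."""
    summary = None
    conns: List[Conn] = []
    for line in _logical_lines(text):
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(
                proto=m["proto"], out_ip=m["out_ip"], out_port=int(m["out_port"]),
                in_ip=m["in_ip"], in_port=int(m["in_port"]),
                idle_seconds=_idle_to_seconds(m["idle"]),
                byte_count=int(m["bytes"]), flags=m["flags"] or "",
            ))
    return summary, conns


def describe_flags(flags: str) -> List[str]:
    return [FLAG_MEANING.get(f, f"unknown({f})") for f in flags]


def bytes_per_inside_host(conns: List[Conn]) -> Dict[str, int]:
    """Total bytes per inside host: a quick view of who is talking through the PIX."""
    totals: Dict[str, int] = {}
    for c in conns:
        totals[c.in_ip] = totals.get(c.in_ip, 0) + c.byte_count
    return totals


if __name__ == "__main__":
    summary, conns = parse_show_conn(SAMPLE_SHOW_CONN)
    print("summary (in use, most used):", summary)
    for c in conns:
        print(f"{c.proto} {c.in_ip}:{c.in_port} -> {c.out_ip}:{c.out_port} "
              f"idle {c.idle_seconds}s {c.byte_count} B {describe_flags(c.flags)}")
    print(bytes_per_inside_host(conns))
```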
Lab 4-1: Completing Basic Sensor Configuration
with the Cisco IDS Device Manager
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will complete initial setup of a Cisco sensor using the IDS Device Manager
(IDM). After completing this activity, you will be able to meet these objectives:
Assign sensor IP settings from the CLI
Access and navigate the IDM
Assign the sensor network settings
Enable the sensor sensing interface
Set the time and date
Create and test user accounts
Display events
Display statistics
Visual Objective
The following illustration displays the lab topology for your classroom environment.
Setup
Before starting this lab exercise, your instructor will provide you with the IP address of the
terminal server and instructions to access the sensor. Verify that your PC is able to ping the
terminal server.
Activity Procedure
Complete these steps:
Step 2 Access the sensor via its console port as directed by your instructor. Your display
should resemble the following:
rts>sP
(Where P is your pod number)
Step 3 Log in to the CLI. Your display should resemble the following:
sensor login: cisco
Password: iattacku2
Step 4 Enter the setup command and press the space bar. The System Configuration Dialog
will be displayed, although results may vary from pod to pod. Your display should
resemble the following:
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
networkParams
ipAddress 10.1.9.201
netmask 255.255.255.0
defaultGateway 10.1.9.1
hostname sensor
telnetOption disabled
accessList ipAddress 10.0.0.0 255.0.0.0
exit
timeParams
summerTimeParams
active-selection none
exit
exit
service webServer
general
ports 443
exit
exit
networkParams
ipAddress 10.0.P.4
defaultGateway 10.0.P.1
hostname sensorP
accessList ipAddress 10.0.P.11 netmask 255.255.255.255
exit
timeParams
summerTimeParams
active-selection none
exit
exit
service webServer
general
ports 443
exit
exit
Activity Verification
There is no verification necessary for this task.
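The setup output above carries the settings that decide who may manage the sensor: telnetOption, the accessList entries, and the web server port. As an added example, not part of the lab, the following Python code parses constructed copies of the two configuration blocks (P=1 substituted) into nested dictionaries and flags a telnetOption that is not disabled, an accessList entry broader than a /24 (the factory 10.0.0.0/255.0.0.0 entry is one; the pod's 10.0.P.11 host entry is not), and a web server port other than 443. The /24 threshold and treating an absent telnetOption as the default "disabled" are assumptions made for the example.

```python
import ipaddress
from typing import List

# Constructed samples modelled on the two "setup" configuration blocks in the lab
# (P=1 substituted): the factory-style block shown before setup runs, and the pod
# block with a host-specific access list.
BEFORE = """\
networkParams
ipAddress 10.1.9.201
netmask 255.255.255.0
defaultGateway 10.1.9.1
hostname sensor
telnetOption disabled
accessList ipAddress 10.0.0.0 255.0.0.0
exit
timeParams
summerTimeParams
active-selection none
exit
exit
service webServer
general
ports 443
exit
exit
"""

AFTER = """\
networkParams
ipAddress 10.0.1.4
defaultGateway 10.0.1.1
hostname sensor1
accessList ipAddress 10.0.1.11 netmask 255.255.255.255
exit
timeParams
summerTimeParams
active-selection none
exit
exit
service webServer
general
ports 443
exit
exit
"""

MAX_MGMT_PREFIX = 24   # widest management network accepted here (assumed threshold)


def parse_setup_config(text: str) -> dict:
    """Parse the exit-delimited block format into nested dicts.

    "key value" lines become entries; accessList lines accumulate in a list; a bare
    word (or "service <name>") opens a nested block that a matching "exit" closes.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            if len(stack) > 1:
                stack.pop()
            continue
        parts = line.split()
        cur = stack[-1]
        if parts[0] == "accessList":
            cur.setdefault("accessList", []).append(parts[1:])
        elif len(parts) == 1 or parts[0] == "service":
            child = cur.setdefault(parts[-1], {})   # "service webServer" -> "webServer"
            stack.append(child)
        else:
            cur[parts[0]] = " ".join(parts[1:])
    return root


def _access_entry(tokens: List[str]) -> ipaddress.IPv4Network:
    """Accept both "ipAddress A M" and "ipAddress A netmask M"; no mask means a host."""
    addr = tokens[tokens.index("ipAddress") + 1]
    mask = tokens[-1] if tokens[-1] != addr else "255.255.255.255"
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def audit_sensor_config(cfg: dict) -> List[str]:
    """Return findings about management exposure; an empty list means nothing flagged."""
    findings: List[str] = []
    net = cfg.get("networkParams", {})
    # An absent telnetOption is taken as the default "disabled" (assumption).
    if net.get("telnetOption", "disabled") != "disabled":
        findings.append("telnetOption is not disabled: cleartext management is reachable")
    for tokens in net.get("accessList", []):
        network = _access_entry(tokens)
        if network.prefixlen < MAX_MGMT_PREFIX:
            findings.append(f"accessList {network} is broader than /{MAX_MGMT_PREFIX}; "
                            f"restrict it to the management host(s)")
    ports = cfg.get("webServer", {}).get("general", {}).get("ports")
    if ports != "443":
        findings.append(f"webServer listens on {ports!r}, not the default 443")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sensor_config(parse_setup_config(text)) or ["no findings"])
```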
Activity Procedure
Complete these steps:
Step 1 Confirm that the sensor is initialized and that you are able to ping the sensor.
Step 2 Open your web browser and specify the sensor as the location. To do this, enter the
following URL field in your web browser:
https://10.0.P.4
(Where P is your pod number)
Step 3 Click Yes when the Security Alert panel appears asking if you want to proceed.
Step 4 Log in to the IDM as user admin. The admin password is adminpass.
Step 5 Choose Device > Sensor Setup.
Step 6 Click Network from the TOC. The network settings for your sensor are displayed in
the Network Settings panel.
Step 7 Click the Configuration tab and observe the configuration options that are available.
Step 8 Click the Monitoring tab and observe the options that are available.
Step 9 Click the Administration tab and observe the options that are available.
Activity Verification
There is no verification required for this task.
Step 3 In the IP Address field, enter the IP address of the sensor, 10.0.P.4 (where P is the
pod number).
Step 4 In the Netmask field, enter the netmask for the sensor, 255.255.255.0.
Step 5 In the Default Route field, enter the default route IP address for the sensor, 10.0.P.1
(where P is the pod number).
Step 6 In the Web Server Port field click the Use Default Ports check box to use the
default port. The default port for http is 80. The default port for https is 443.
Step 7 Click Apply to Sensor to save and apply your changes.
Task 4: Enable the Sensor Sensing Interface
After configuring system information, you are ready to assign interfaces, configure signatures,
set up blocking, set up automatic signature updates, and restore defaults. In this task you will
enable the sensor sensing interface.
Activity Procedure
Complete these steps:
Step 1 Choose Configuration > Sensing Engine from the IDM. The Sensing Engine
window opens.
Step 2 Click Interfaces from the TOC. The Interfaces page is displayed.
Step 3 Check the checkbox for int0 and click Enable. The following message is displayed:
Configuration update is in progress. This page will be unavailable for a few minutes.
Step 4 Click OK. The Interfaces page is displayed with the following message:
Configuration update is in progress. This page will be unavailable for a few minutes.
Step 5 Click Interfaces from the TOC. The Interfaces page is refreshed.
Activity Verification
You have completed this task when you attain this result:
The int0 displays Yes in the Enabled column.
Step 1 Select Device > Sensor Setup > Time. The Time Settings page appears.
Step 2 In the Time field under Time Settings, enter the current time (hh:mm:ss).
Step 3 In the Date field under Time Settings, enter the current date (mm:dd:yyyy).
Step 4 Click Apply Time to Sensor to apply your settings.
Step 5 In the Zone Name field under Standard Timezone, enter the local time zone to be
displayed when summer time is not in effect.
Step 6 If you are using an NTP server to set the sensor time, enter the NTP server IP
address in the NTP Server IP field.
Step 7 Choose Enabled under Daylight Savings Time to enable daylight savings time. In
the DST Zone Name field, enter the name of the zone (text 1 to 32 characters) to be
displayed when summer time is in effect. In the Start Time field, accept the default
of 2:00.
Activity Verification
There is no additional verification for this task.
Step 1 Choose Device > Sensor Setup > Users. The Users page appears.
Step 2 Click Add to add the User 1. The Adding page appears.
Step 3 In the User Name field, enter the new username service.
Step 12 Test user accounts by attempting to make changes to settings from different
privilege levels. The following table outlines the subtasks you must complete.
Record the results in the table as appropriate.
Task | Log in as ... and attempt to ... | Results:
12.b. view Attempt to add a TLS Trusted Host with IP address 10.0.P.12
by choosing Device > Sensor Setup > Allowed Hosts
Results:
Results:
Results:
Results:
Results Table
Task Result
End Date: Date 4 of the course
Step 1 Select Monitoring > Events. The Events Display page appears.
Step 2 Complete the check boxes using the parameters in the Event Display 1 column.
Click Apply to Sensor to save your changes. The Events page lists the events you
just selected. Note the types of information that are displayed.
Step 3 Repeat Step 2 using the parameters in the Event Display 2 column. Note how this
information differs from the previous Event Display.
Step 4 Repeat Step 2 using the parameters in the Event Display 3 column. Note how this
information differs from the previous Event Display.
Activity Verification
There is no additional verification required.
Activity Procedure
Complete these steps:
Step 1 Select Monitoring > Statistics. The Statistics page appears.
Step 2 In a discussion with your instructor, summarize the meaning of these statistics. You
can jot down some notes on the Statistics Table.
Statistics Table
WebServer
TransactionSource
TransactionServer
NAC
Logger
Host
EventStore
EventServer
AnalysisEngine
Authorization
Step 3 To update statistics as they change, click Statistics again or click Reload in your
browser.
Activity Verification
There is no additional verification required.
Activity Objective
In this activity you will work with your lab activity partner to configure the Cisco VPN Client
and the Cisco VPN 3000 Series Concentrator to enable IPSec-encrypted tunnels using pre-
shared keys. After completing this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Return the concentrator to factory settings
Configure the concentrator private interface using the CLI
Configure the concentrator public interface using the CLI
Configure the concentrator default gateway using the CLI
Configure the concentrator using the Cisco VPN 3000 Series Concentrator Manager
Verify the concentrator IKE proposal
Verify the concentrator group parameters
Modify the concentrator public filter
Apply the concentrator public filter
Visual Objective
The following figure displays the configuration you will complete in this lab exercise.
SND Lab Topology (figure; labels shown: VPN Client 172.26.26.P; Pod P (110); Public .150 172.26.26.0/24; RBB; .1 172.30.P.0/24; .2 e0/1; Organization Network; rP; .150 e0/0 192.168. .0/24)
Scenario
Your company wants to implement a VPN using remotely located Cisco VPN Clients
terminating at centrally located concentrators. You must configure both the remote Cisco VPN
Clients and the concentrators for remote access using pre-shared keys for authentication.
In this first exercise, you will configure the concentrator. You will configure the VPN client
after completing the next lesson.
The Network Parameters Used in Lab 4-1 and 4-2 table contains the recommended device
and interface IP addresses and subnet masks used in this lab exercise. Verify these values with
your instructor before proceeding with the lab exercise.
Activity Procedure
Complete these steps:
Step 1 Ensure that your student PC is powered on.
Step 2 Ensure that your student IP addresses are configured correctly:
Primary IP address: 172.26.26.P (Where P is your pod number)
Default gateway IP address: 172.26.26.150
Step 3 Ensure that your concentrator is powered on.
Step 4 Uninstall the Cisco VPN Client if it is installed. Choose Start>Programs>Cisco
Systems VPN Client>Uninstall VPN Client to remove the Cisco VPN Client.
Respond to the questions appropriately.
Activity Verification
There is no verification of this task.
After you access the concentrator console port, the concentrator login prompt appears. In this
task you will return the concentrator to the factory settings.
Activity Procedure
Complete these steps:
Step 1 Log in to the concentrator CLI using the administrator account. Your display should
resemble the following:
Login: admin
Password: admin
If you get a Quick prompt for the system time or date parameters, the device has
already been rebooted to factory defaults. In that case, skip this task and proceed
directly to Task 3.
Step 2 Access the Administration menu. Your display should resemble the following:
Main -> 2
Step 3 Access the System Reboot menu. Your display should resemble the following:
Admin -> 3
Step 4 Access the Schedule Reboot menu. Your display should resemble the following:
Admin -> 2
Step 5 Click Reboot ignoring the Configuration file. Your display should resemble the
following:
Admin -> 3
Step 6 Click Reboot Now. Your display should resemble the following:
Admin -> 2
The Reboot scheduled immediately message appears, followed by the Rebooting
VPN 3000 Series Concentrator now message. Do not attempt to log in to the first
login prompt you see because it takes several moments for the concentrator to
complete the reboot function. A login prompt appears when the reboot is complete.
Step 7 Leave the CLI session open.
Activity Verification
You have completed this task when you attain this result:
The CLI session is open after Step 6.
In this task you will configure the concentrator private LAN interface using the CLI Quick
Configuration mode.
Activity Procedure
Complete these steps:
Step 1 Log in to the concentrator CLI using the administrator account. Your display should
resemble the following:
Login: admin
Password: admin
Note When an administrator reboots a concentrator CLI, as in the previous task, menus open in a
slightly different order. If the system parameters prompt appears, press Enter through the
time, date, time zone, and Daylight Savings Time (DST) prompts to accept the default
values.
Step 2 Enter the concentrator private interface IP address. Your display should resemble the
following:
Quick Ethernet 1 -> [0.0.0.0] 172.18.P.5
(Where P is your pod number)
Step 3 Enter the concentrator private interface subnet mask. Your display should resemble
the following:
Quick Ethernet 1 -> [255.0.0.0] 255.255.255.0
Activity Verification
You have completed this task when you attain this result:
The CLI session is open after Step 8.
Activity Procedure
Complete these steps:
Step 1 Log in to the concentrator CLI using the administrator account. Your display should
resemble the following:
Login: admin
Password: admin
Step 2 Click the Configuration menu. Your display should resemble the following:
Main -> 1
Step 3 Click the Interface Configuration menu. Your display should resemble the
following:
Config -> 1
Step 4 Click the Configure Ethernet #2 (Public) menu. Your display should resemble the
following:
Interfaces -> 2
Step 5 Click the Interface Setting menu. Your display should resemble the following:
Ethernet Interface 2 -> 1
Step 6 Accept the default setting to Enable using Static IP Addressing. Your display should
resemble the following:
Ethernet Interface 2 -> [3] <Enter>
Step 7 Enter the concentrator public interface IP address. Your display should resemble the
following:
Ethernet Interface 2 -> [0.0.0.0] 192.168.P.5
(Where P is your pod number)
Step 8 Accept the default setting for the subnet mask. Your display should resemble the
following:
Ethernet Interface 2 -> [255.255.255.0] <Enter>
Note Several messages appear, indicating the condition of the Ethernet #2 (public) interface.
Disregard the messages.
Step 9 Click the Select IP Filter menu. Your display should resemble the following:
Ethernet Interface 2 -> 3
Step 10 Choose 0 (no filter) on the Ethernet #2 (public) interface. Your display should
resemble the following:
Ethernet Interface 2 -> [Public (Default)] 0
Note In this lab exercise, you have disabled filtering on the public LAN interface to allow access to
the HTTP-based Cisco VPN 3000 Series Concentrator Manager from your student PC.
Never select 0 (no filter) in a live network, because doing so could facilitate a security
breach.
Step 11 Return to the top-level menu by using the following shortcut. Your display should
resemble the following:
Ethernet Interface 2 -> h
Step 12 Save changes to the configuration file. Your display should resemble the following:
Main -> 4
Step 13 Do not exit the CLI. Leave the Command Prompt window open, because it will be
used to complete the tasks that follow.
Activity Verification
You have completed this task when you attain this result:
You have saved the changes to the configuration file.
Activity Procedure
Complete these steps:
Step 1 Click the Configuration menu. Your display should resemble the following:
Main -> 1
Step 2 Click the System Management menu. Your display should resemble the following:
Config -> 2
Step 3 Click the IP Routing menu. Your display should resemble the following:
System -> 4
Step 4 Click the Default Gateways menu. Your display should resemble the following:
Routing -> 2
Step 5 Click the Set Default Gateway menu. Your display should resemble the following:
Routing -> 1
Step 6 Enter the backbone router IP address. Your display should resemble the following:
Routing -> 192.168.P.150
(Where P is your pod number)
Step 7 Click the Set Default Gateway Metric menu. Your display should resemble the
following:
Routing -> 2
Step 8 Accept the Default Gateway Routing Metric of 1. Your display should resemble the
following:
Routing -> [1] <Enter>
Step 9 Return to the top-level menu. Your display should resemble the following:
Routing -> h
Step 10 Save changes to the configuration file. Your display should resemble the following:
Main -> 4
Step 11 Exit the CLI session. Your display should resemble the following:
Main -> 6
Step 12 Close the Command Prompt window.
Activity Verification
You have completed this task when you attain this result:
You have saved your changes to the configuration file.
Task 6: Configure the Concentrator Using the Cisco VPN 3000
Series Concentrator Manager
Earlier you configured both the private and public interfaces using the CLI feature of the
concentrator. This procedure assumes that Windows 2000 is already running on the student PC.
Complete the following steps to complete the concentrator configuration using the Cisco VPN
3000 Series Concentrator Manager.
Activity Procedure
Complete these steps:
Step 1 Double-click the Internet Explorer icon to launch the program.
Step 2 Enter a concentrator public interface IP address in the Internet Explorer Address
field: 192.168.P.5 (Where P is your pod number). Internet Explorer connects to the
Cisco VPN 3000 Series Concentrator Manager.
Step 3 Log in to the Cisco VPN 3000 Series Concentrator Manager using the administrator
account. Your display should resemble the following:
Login: admin
Password: admin
Note The username (login) and password are always case sensitive.
Step 4 In the main window, click the click here to start Quick Configuration link.
2. If you want to make any changes, click on the appropriate interface, make
your changes, and click Apply. When you are back to this screen, click
Continue.
2. Your instructor will provide you with the values to complete the following
table:
Time (Hour:Minute:Second AM/PM)
Date (Month/Day/Year)
3. In the System Info window, enter the correct time, date, and time zone from
the previous table.
4. Check or uncheck the Enable DST Support check box, depending on which
action has been circled in the previous table.
8. Click Continue.
4. Click Continue.
Step 8 From the Configuration>Quick>Address Assignment window, complete the
following substeps:
1. Click DHCP.
3. Click Continue.
Note If no DHCP server is available, the Configured Pool option can be used (for example, with
a range of 172.18.P.100 to 172.18.P.150).
4. Verify that Internal Server is selected from the Server Type drop-down menu.
5. Click Continue.
Step 10 From the Configuration>Quick>User Database window, complete the following
substeps:
Note These entries are all case sensitive. Create all entries in lowercase form only.
4. Click Add the new user to the database. The new username should appear
in the Current Users window.
5. Click Continue.
Note These entries are all case sensitive. Create all entries in lowercase form only.
4. Click Continue.
1. Click the Save Needed icon, in the upper right corner of the window. The
Save Successful window opens.
2. Click OK.
Step 14 Leave Internet Explorer open and continue to the next task.
Activity Verification
There is no verification required for this task.
Activity Procedure
Complete these steps:
Step 1 From the Configuration menu tree, choose System>Tunneling
Protocols>IPSec>IKE Proposals.
Step 2 Ensure that the CiscoVPNClient-3DES-MD5 proposal appears first under the Active
Proposals list.
Step 3 If you need to make changes, click the Save Needed icon. Always click
CiscoVPNClient-3DES-MD5 when using the Cisco VPN 3.x or 4.x Client. Always
click IKE-3DES-MD5 when using the Cisco VPN 2.5 Client.
Step 4 Leave Internet Explorer open and continue to the next task.
Activity Verification
There is no verification required for this task.
Activity Procedure
Complete these steps:
Activity Verification
There is no verification required for this task.
Filtering must be enabled on the public interface in order for the Cisco VPN Client to connect
to the concentrator. By definition, the filter permits only tunnel and ICMP traffic to pass
through the interface. This filter excludes any HTTP traffic from your student PC. However, for
this lab exercise, the public filter can be modified to permit HTTP traffic to travel both inbound
and outbound. With a modified filter, you can configure and monitor the network from the
public side of the network. In this task you will modify the public filter of the concentrator.
Activity Procedure
Complete these steps:
Step 1 From the Configuration menu tree, choose Policy Management>Traffic
Management>Filters.
Step 2 Choose the Public (Default) filter from the Filter list.
Step 3 Click Assign Rules to Filter within the Actions group box.
Step 4 Choose Incoming HTTP In (forward/in) from the Available Rules list.
Step 5 Click Add.
Step 6 Choose Incoming HTTP Out (forward/out) from the Available Rules list.
Activity Verification
There is no verification required for this task.
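As an added illustration of why the public filter blocks the Manager until the two HTTP rules from this task are added, and of what choosing 0 (no filter) in the Note of Task 4 gives up, the following Python code models filter evaluation. It is not part of the lab and not the concentrator's real rule tables: the rule names follow this task, but the simplified tunnel-and-ICMP rule set, the port conventions for in/out rules, and the sample packets are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of how an interface filter decides a packet's fate. The rule set
# below is a simplified stand-in for the default Public filter the lab describes
# ("tunnel and ICMP traffic only"), not the concentrator's actual rule list.


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in": arrives on the public interface; "out": leaves it
    proto: str                      # "tcp", "udp", "esp" or "icmp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    proto: str
    port: Optional[int] = None      # dst port for "in" rules, src port for "out"; None = any
    action: str = "forward"

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or self.proto != p.proto:
            return False
        if self.port is None:
            return True
        return (p.dst_port if p.direction == "in" else p.src_port) == self.port


@dataclass
class Filter:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "drop"    # a filter drops whatever no rule forwards

    def evaluate(self, p: Packet) -> str:
        """First matching rule wins; otherwise the filter's default action applies."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default_action


# Tunnel traffic (IKE on UDP/500 and ESP) plus ICMP, in both directions (assumed set).
TUNNEL_AND_ICMP = [
    Rule("IKE In", "in", "udp", 500), Rule("IKE Out", "out", "udp", 500),
    Rule("IPSEC-ESP In", "in", "esp"), Rule("IPSEC-ESP Out", "out", "esp"),
    Rule("ICMP In", "in", "icmp"), Rule("ICMP Out", "out", "icmp"),
]

# The two rules this task adds so the student PC can reach the HTTP-based Manager.
HTTP_RULES = [
    Rule("Incoming HTTP In (forward/in)", "in", "tcp", 80),
    Rule("Incoming HTTP Out (forward/out)", "out", "tcp", 80),
]


def public_filter(with_http: bool = False) -> Filter:
    """Public (Default) filter, optionally with the lab's HTTP modification applied."""
    rules = list(TUNNEL_AND_ICMP) + (HTTP_RULES if with_http else [])
    return Filter("Public (Default)", rules)


def no_filter() -> Filter:
    """Choice 0 (no filter) on the interface: nothing is inspected, everything passes."""
    return Filter("none", [], default_action="forward")


# Constructed packets: a Manager request from the student PC, its reply, an IKE
# negotiation from a VPN client, and a Telnet attempt against the public address.
HTTP_REQUEST = Packet("in", "tcp", dst_port=80, src_port=3201)
HTTP_REPLY = Packet("out", "tcp", dst_port=3201, src_port=80)
IKE_IN = Packet("in", "udp", dst_port=500, src_port=500)
TELNET_IN = Packet("in", "tcp", dst_port=23, src_port=3202)

SAMPLES = [("http request", HTTP_REQUEST), ("http reply", HTTP_REPLY),
           ("ike", IKE_IN), ("telnet", TELNET_IN)]


if __name__ == "__main__":
    for flt in (public_filter(False), public_filter(True), no_filter()):
        verdicts = {label: flt.evaluate(pkt) for label, pkt in SAMPLES}
        print(f"{flt.name:18} {verdicts}")
```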
Activity Procedure
Complete these steps:
Step 1 From the Configuration menu tree, choose Interfaces>Ethernet 2 (Public).
Step 2 Select the General tab.
Lab 5-2: Configure the Cisco 3000 VPN Series
Concentrator with the Cisco VPN Software Client
for Windows
Complete the following lab activity to practice what you learned in the related module.
Activity Objective
In this activity you will configure the Cisco VPN 3000 Series Concentrator for remote access
with the Cisco VPN Client. After completing this activity, you will be able to meet these
objectives:
Complete the lab exercise setup
Install the Cisco VPN Client
Configure the Cisco VPN Client
Verify the Cisco VPN Client properties
Open the Cisco VPN Client
Verify the Cisco VPN connection status
Monitor the concentrator statistics
Visual Objective
The following figure displays the configuration you will complete in this lab exercise.
Activity Procedure
Complete these steps:
Step 1 Ensure that your student PC is powered on.
Step 2 Ensure that your student IP addresses are configured correctly:
Primary IP address: 172.26.26.P (Where P is your pod number)
Default gateway IP address: 172.26.26.150
Step 3 Ensure that your concentrator is powered on.
Activity Verification
There is no verification necessary for this task.
Activity Procedure
Complete these steps:
Step 1 Open the Cisco VPN Client folder found on the student PC desktop.
Step 2 Double-click the setup.exe file from the Cisco VPN Client folder. If this is the first
time that the Cisco VPN Client is being installed on this PC, a window opens and
displays the following message: Do you want the installer to disable the IPSec
Policy Agent?
Step 3 If the disable IPSec policy agent message appears, click Yes. The Welcome window
opens.
Step 4 Read the Welcome window and click Next. The License Agreement window opens.
Step 5 Read the license agreement and click Yes. The Destination Folder Location window
opens.
Step 6 Accept the defaults by clicking Next. The Program Folders window opens.
Step 7 Accept the defaults by clicking Next. The Start Copying Files window opens.
Step 8 The files are copied to the hard disk drive of the student PC and the InstallShield
Wizard Complete window opens.
Step 9 Click Yes, I want to restart my computer now, and click Finish. The student PC
restarts.
Step 10 Log in to the student PC.
Step 11 Close the Cisco VPN Client folder.
Activity Verification
You have successfully completed this task when you attain these results:
When you choose Start>Programs>Cisco Systems VPN Client>VPN Client, the Cisco
Systems VPN Client window opens.
Close the window and move to Task 3.
Activity Procedure
Complete these steps:
Step 6 Verify that the Group Authentication radio button is selected and complete the
substeps listed here. The following entries are always case sensitive. Use lowercase
characters for this lab exercise.
Activity Procedure
Complete these steps:
Step 1 Ensure that the Cisco VPN Client window is open. If the Cisco VPN Client window
is not open, choose: Start>Programs>Cisco Systems VPN Client>VPN Client.
Step 2 Click studentP within the Connection Entry group box and click Modify.
(Where P is your pod number)
Step 3 Verify that the IP address of the remote server is set to a concentrator public
interface IP address: 192.168.P.5.
(Where P is your pod number)
Step 4 Click the Authentication tab and verify the spelling of the group name. If
necessary, you can edit the group name and password here.
Step 5 Click the Transport tab and view the available options. Do not make any changes to
the default settings.
Activity Verification
There is no additional verification needed.
Activity Procedure
Complete these steps:
2. When prompted to enter a password, enter studentP.
(Where P is your pod number)
Step 5 Click OK. The following messages flash by quickly at the bottom of the window:
Initializing the connection
Contacting the security gateway at
Authenticating user
Activity Verification
You have completed this task when you attain this result:
The window closes and a Cisco VPN Client icon appears in the system tray.
Activity Procedure
Complete these steps:
Step 1 Double-click the Cisco VPN Client icon in the system tray and answer the
following questions:
____________________________
Step 2 Click the Status>Statistics menu option and answer the following questions.
_____________________________
Q3) What authentication method was used?
_____________________________
Q4) What client IP address was assigned to you?
_____________________________
Step 3 Click Close.
Activity Verification
You have completed this task when you attain this result:
You have correctly answered the four questions.
Activity Procedure
Complete these steps:
Step 1 Double-click the Internet Explorer icon.
Step 2 Enter a concentrator private interface IP address in the Internet Explorer Address
field: 10.0.P.5 (Where P is your pod number). Internet Explorer connects to the
Cisco VPN 3000 Series Concentrator Manager.
Step 3 Log in to the Cisco VPN 3000 Series Concentrator Manager using the following
administrator account:
Login: admin
Password: admin
Step 4 From the Monitoring menu, choose Routing Table.
_____________________________
Step 5 From the Monitoring menu, choose Filterable Event Log.
Step 7 Disconnect your VPN session if it is still active by using the Cisco VPN Client icon
in the system tray of the student PC.
Step 10 Click the |<< button and answer the following questions:
_____________________________
Q7) What is the username of the remote client?
_____________________________
Q8) For what SA is the IKE remote peer configured?
_____________________________
Step 11 From the Monitoring menu, choose Sessions and answer the following question:
Protocol ___________________________
Encryption _________________________
Login time _________________________
Duration ___________________________
Client type _________________________
Client version _______________________
Step 12 Click studentP (Where P is your pod number). More information is displayed. Use
this information to answer the following questions:
Step 14 Disconnect your VPN session if it is still active by using the Cisco VPN Client icon
in the student PC system tray.
Step 15 Close Internet Explorer.
Warning It is very important that you log out of the Cisco VPN 3000 Series Concentrator Manager
when finished. Failing to log out before exiting the manager interface leaves an administrator
session open. Eventually, all possible administrator sessions will be used, and you will not
be allowed to log in again. Also, only the first administrator session has read and write
access. The remaining administrator sessions have read-only access.
Activity Verification
You will have completed this task when you attain this result:
Answer Questions 5 to 11 correctly. Check the answer key for the correct responses.