
SND

Securing Cisco
Network Devices
Version 1.0

Student Guide
Copyright 2005, Cisco Systems, Inc. All rights reserved.

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica
Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece
Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia
Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania
Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland
Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright 2005 Cisco Systems, Inc. All rights reserved. CCSP, the Cisco Square Bridge logo, Follow
Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live,
Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo,
Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering
the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive,
GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar,
Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView
Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are
registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0501R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY
OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO
SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY,
NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING,
USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be
accurate, it falls subject to the disclaimer above.
Table of Contents
Course Introduction 1
Overview 1
Learner Skills and Knowledge 1
Course Goal and Objectives 2
Course Flow 3
Additional References 4
Cisco Glossary of Terms 4
Your Training Curriculum 5
Introduction to Network Security 1-1
Overview 1-1
Module Objectives 1-1
Planning a Secure Network 1-3
Overview 1-3
Objectives 1-3
The Need for Network Security 1-4
Network Security Challenges 1-7
Primary Network Threats and Attacks 1-10
Network Security Policy 1-14
The Network Security Process 1-17
Summary 1-22
Lesson Self-Check 1-23
Lesson Self-Check Answer Key 1-27
Mitigating Network Attacks 1-29
Overview 1-29
Objectives 1-29
Mitigating Physical and Environmental Threats 1-30
Reconnaissance Attacks and Mitigation 1-36
Access Attacks and Mitigation 1-43
Denial of Service Attacks and Mitigation 1-53
Worm, Virus, and Trojan Horse Attacks and Mitigation 1-60
Application Layer Attacks and Mitigation 1-64
Management Protocols and Vulnerabilities 1-67
Determining Network Vulnerabilities 1-72
Summary 1-73
Lesson Self-Check 1-75
Lesson Self-Check Answer Key 1-78
Introducing the Cisco Security Portfolio 1-79
Overview 1-79
Objectives 1-80
Introducing the Cisco Security Portfolio 1-81
Perimeter Security—Products and Solutions 1-83
Cisco IOS Firewall Highlights 1-89
Secure Connectivity VPNs Solutions 1-92
Secure Connectivity—The Cisco VPN 3000 Series Concentrator 1-94
Secure Connectivity—Cisco VPN-Enabled Routers 1-100
Secure Connectivity—VPN Product Positioning 1-104
Intrusion Prevention System Solutions 1-105
Network Intrusion Prevention System Solutions Cisco IPS Sensor Platforms 1-108
Host Intrusion Prevention System Solutions 1-111
Identity Solutions—Cisco Secure Access Control Server 1-115
Network Admission Control 1-118
Security Management Solutions Security Management Center 1-120
Summary 1-123
Lesson Self-Check 1-124
Lesson Self-Check Answer Key 1-126
Building Cisco Self-Defending Networks 1-127
Overview 1-127
Objectives 1-128
Changing Threats and Challenges 1-129
Building a Self-Defending Network 1-134
Adaptive Threat Defense 1-138
Cisco PIX Security Appliance Software v7.0 1-141
Cisco DDoS Modules 1-146
Cisco Secure MARS and Security Auditor 1-148
Securing the Network Infrastructure with Cisco IOS Software Security Features 1-151
Self-Defending Network Endpoint Security Solutions 1-155
Cisco Integrated Security Portfolio 1-157
Summary 1-159
Lesson Self-Check 1-161
Lesson Self-Check Answer Key 1-164
Module Summary 1-167
Securing the Perimeter 2-1
Overview 2-1
Module Objectives 2-2
Securing Administrative Access to Cisco Routers 2-3
Overview 2-3
Objectives 2-3
Configuring Router Passwords 2-4
Setting a Login Failure Rate 2-18
Setting Timeouts 2-19
Setting Multiple Privilege Levels 2-20
Configuring Banner Messages 2-23
Summary 2-25
Lesson Self-Check 2-26
Lesson Self-Check Answer Key 2-27
Configuring AAA for Cisco Routers 2-29
Overview 2-29
Objectives 2-29
Introduction to AAA for Cisco Routers 2-30
Authenticate to a LAN 2-32
Authenticate Router Access 2-43
Configure AAA on Cisco Routers 2-45
Troubleshoot AAA on Cisco Routers 2-58
Summary 2-64
Lesson Self-Check 2-65
Lesson Self-Check Answer Key 2-67
Introducing the Cisco Secure Access Control Server for Windows Server 2-69
Overview 2-69
Objectives 2-70
Cisco Secure ACS Overview 2-71
AAA Server Functions and Concepts 2-74
Cisco Secure ACS and the AAA Client 2-75
AAA Protocols—TACACS+ and RADIUS 2-76
Authentication 2-77
Authorization 2-81
Accounting 2-82
Device Administration 2-83
Summary 2-84
Lesson Self-Check 1-85
Lesson Self-Check Answer Key 1-87

ii Securing Cisco Network Devices (SND) v1.0 Copyright © 2005, Cisco Systems, Inc.
Configuring Basic Services on the Cisco Secure ACS for Windows 2-89
Overview 2-89
Objectives 2-89
The Cisco Secure ACS GUI 2-90
Creating the First Administrator User Account 2-93
Configuring Administrator Policies 2-96
Setting Up Remote Access 2-100
Basic Configuration Tasks 2-101
User Interface Configuration 2-102
System Configuration 2-107
Summary 2-109
Lesson Self-Check 2-110
Lesson Self-Check Answer Key 2-112
Disabling Unused Cisco Router Network Services and Interfaces 2-113
Overview 2-113
Objectives 2-114
Routers Secure Networks 2-115
Vulnerable Router Services and Interfaces 2-119
Disabling Unnecessary Services and Interfaces 2-123
Disabling and Restricting Commonly Configured Management Services 2-136
Ensuring Path Integrity 2-140
Disabling Probes and Scans 2-142
Ensuring Terminal Access Security 2-145
Disabling Gratuitous and Proxy ARP 2-147
Disabling IP Directed Broadcast 2-149
Summary 2-150
Lesson Self-Check 2-151
Lesson Self-Check Answer Key 2-154
Mitigating Threats and Attacks with Access Lists 2-155
Overview 2-155
Objectives 2-155
Cisco Access Lists 2-156
Applying Access Lists to Router Interfaces 2-162
Using Traffic Filtering with Access Lists 2-165
Filtering Router Service Traffic 2-168
Filtering Network Traffic to Mitigate Threats 2-172
Mitigating DDoS with Access Control Lists 2-180
Combining Access Functions 2-186
Caveats 2-189
Summary 2-191
Lesson Self-Check 2-192
Lesson Self-Check Answer Key 2-193
Implementing Secure Management and Reporting 2-195
Overview 2-195
Objectives 2-195
Secure Management and Reporting Planning Considerations 2-196
Secure Management and Reporting Architecture 2-198
Configuring an SSH Server for Secure Management and Reporting 2-204
Using Syslog Logging for Network Security 2-207
Configuring Syslog Logging 2-211
SNMP Version 3 2-215
Configuring an SNMP Managed Node 2-222
Summary 2-230
Lesson Self-Check 2-231
Lesson Self-Check Answer Key 2-233

Securing Catalyst Switches 2-235
Overview 2-235
Objectives 2-235
Basic Switch Operation 2-236
Securing Network Access at Layer 2 2-238
Protecting Administrative Access to Switches 2-239
Protecting Access to the Management Port 2-242
Turning Off Unused Network Interfaces and Services 2-244
CAM Table Overflow Attacks 2-246
MAC Address Spoofing Attacks 2-251
Using Port Security to Prevent Attacks 2-252
Configuring Cisco Catalyst Switch Port Security 2-257
Summary 2-264
Lesson Self-Check 2-265
Lesson Self-Check Answer Key 2-266
Mitigating Layer 2 Attacks 2-267
Overview 2-267
Objectives 2-267
Mitigating VLAN Hopping Attacks 2-268
Preventing Spanning-Tree Protocol Manipulation 2-271
Mitigating ARP Spoofing with DAI 2-274
Defending Private VLANs 2-277
Layer 2 Security Best Practices 2-282
Summary 2-283
Lesson Self-Check 2-284
Lesson Self-Check Answer Key 2-285
Using Catalyst Switch Security Features 2-287
Overview 2-287
Objectives 2-288
Embedded Security Features in Cisco Catalyst Switches 2-289
Identity-Based Network Services 2-292
Access Control Lists 2-294
Port Security 2-300
Private VLAN 2-301
Private VLAN Edge 2-302
Rate-Limiting 2-304
Switched Port Analyzer for Intrusion Prevention Systems 2-305
Management Encryption 2-306
Activity: Problems and Solutions 2-308
Summary 2-317
Lesson Self-Check 2-318
Lesson Self-Check Answer Key 2-320
Module Summary 2-321
References 2-322
Cisco Security Appliances 3-1
Overview 3-1
Module Objectives 3-1
Introducing the Cisco PIX Security Appliance Series 3-3
Overview 3-3
Objectives 3-3
Firewall Technologies 3-4
PIX Security Appliance Overview 3-12
PIX Security Appliance Models 3-21
PIX Security Appliance Licensing 3-23
Summary 3-26
Lesson Self-Check 3-27
Lesson Self-Check Answer Key 3-28

Configuring a Cisco PIX Security Appliance from the CLI 3-29
Overview 3-29
Objectives 3-29
PIX Security Appliance Access Modes 3-30
Configuring the PIX Security Appliance 3-36
Adaptive Security Algorithm Security Levels 3-48
Connection and Translation Tables 3-48
Basic PIX Security Appliance Operational Commands 3-51
Examining PIX Security Appliance Status 3-67
Summary 3-75
Lesson Self-Check 3-76
Lesson Self-Check Answer Key 3-78
Configuring a PIX Security Appliance with the Cisco PDM 3-79
Overview 3-79
Objectives 3-79
PDM Overview 3-80
PDM Operating Requirements 3-82
Microsoft Windows Requirements 3-85
SUN Solaris Requirements 3-85
Linux Requirements 3-86
General Guidelines 3-86
Prepare for the PDM 3-87
Configure the PIX Security Appliance Using the PDM 3-90
Summary 3-103
Lesson Self-Check 3-104
Lesson Self-Check Answer Key 3-106
Module Summary 3-107
References 3-107
Securing Networks with Host- and Network-Based IPS 4-1
Overview 4-1
Module Objectives 4-2
Introducing Intrusion Prevention Systems 4-3
Overview 4-3
Objectives 4-3
Intrusion Detection and Prevention Terminology 4-4
Intrusion Prevention Technologies 4-8
Network-Based Intrusion Prevention Systems 4-15
Host-Based Intrusion Prevention Systems 4-17
Cisco IPS Signatures 4-20
Cisco IPS Signature Engines 4-28
Cisco IPS Alarms 4-34
Cisco IPS Signature Engines 4-35
Cisco IPS Alarms 4-37
Summary 4-42
Lesson Self-Check 4-43
Lesson Self-Check Answer Key 4-46
Configuring the Sensor Using the IDM 4-47
Overview 4-47
Objectives 4-48
The Sensor Command Line Interface 4-49
User Accounts and Account Roles 4-52
CLI Command Modes 4-54
Sensor Setup and CLI Configuration Tasks 4-56
IDS Device Manager Overview 4-64
Configuring Network Settings 4-67

Configuring Allowed Hosts 4-69
Setting the Time 4-71
Creating User Accounts 4-74
Configuring Interfaces 4-76
Restoring Default Settings 4-80
Summary 4-81
Lesson Self-Check 4-83
Lesson Self-Check Answer Key 4-85
Introducing the Cisco Security Agent 4-87
Overview 4-87
Objectives 4-88
The Cisco Security Agent 4-89
CSA Architecture 4-94
Attack and Interceptor Response 4-98
Selecting a Security Policy Model 4-99
Building a CSA Policy 4-101
Creating CSA Policy Rules 4-103
Summary 4-105
Lesson Self-Check 4-106
Lesson Self-Check Answer Key 4-108
Deploying HIPs with the CSA MC 4-109
Overview 4-109
Objectives 4-109
Introducing Cisco Security Agent Management Center 4-110
CSA MC Configuration Roadmap 4-113
The CSA MC Interface 4-114
Installing CSA on Host Devices 4-118
Creating Groups 4-128
Building an Agent Kit 4-136
Managing Hosts 4-142
Summary 4-148
Lesson Self-Check 4-149
Lesson Self-Check Answer Key 4-151
Module Summary 4-153
References 4-154
Building IPSec VPNs 5-1
Overview 5-1
Module Objectives 5-1
Introducing IPSec VPNs 5-3
Overview 5-3
Objectives 5-3
IPSec Overview 5-4
IPSec Critical Function 1—Confidentiality 5-9
IPSec Critical Function 2—Data Integrity 5-15
IPSec Critical Function 3—Origin Authentication 5-18
IPSec Critical Function 4—Anti-replay 5-23
IPSec Protocol Framework 5-24
IPSec Operation 5-31
Creating ISAKMP Policies for a Purpose 5-33
Defining ISAKMP Policy Parameters 5-33
Summary 5-41
Lesson Self-Check 5-42
Lesson Self-Check Answer Key 5-44
Building Cisco VPN Solutions 5-45
Overview 5-45
Objectives 5-45
Cisco IPSec VPNs 5-46

Cisco VPN Software Client 5-54
Cisco VPN 3002 Hardware Client 5-58
Choosing a VPN Client 5-59
Certicom VPN Client Support 5-60
Cisco VPN Client Smartcard Support 5-61
Summary 5-62
Lesson Self-Check 5-63
Lesson Self-Check Answer Key 5-64
Completing the Quick Configuration of a Cisco VPN 3000 Series Concentrator 5-65
Overview 5-65
Objectives 5-65
Implementing a Remote Access VPN 5-66
Completing Quick Configuration of a Cisco VPN 3000 Series Concentrator 5-70
Cisco VPN 3000 Concentrator Series Manager GUI 5-84
Summary 5-86
Lesson Self-Check 5-87
Lesson Self-Check Answer Key 5-88
Configuring the Cisco VPN 3000 Series Concentrator for Remote Access 5-89
Overview 5-89
Objectives 5-90
Pre-shared Keys 5-91
User and Group Authentication 5-93
VPN Network Authentication 5-96
Activating Client Authentication 5-97
Configuring Base-Group Parameters 5-99
Configuring Base-Group IPSec Parameters 5-101
Configuring Base-Group Remote Access Parameters 5-103
Configuring Client Configuration Parameters 5-107
Configuring Client Split Tunneling Policy 5-109
Split DNS Server Configuration 5-116
Summary 5-118
Lesson Self-Check 5-119
Lesson Self-Check Answer Key 5-121
Configuring the Cisco VPN Software Client for Windows 5-123
Overview 5-123
Objectives 5-123
The VPN Software Client for Windows 5-124
Navigating the VPN Client User Interface 5-126
Using the Advanced Mode Menus 5-129
Using the Advanced Mode Tab Right Click Menus 5-134
Creating a New Connection 5-137
Preconfigure the Client for Remote Users 5-144
VPN Software Client Programs 5-147
Concentrator Connection Status 5-150
Summary 5-152
Lesson Self-Check 5-153
Lesson Self-Check Answer Key 5-154
Module Summary 5-155
References 5-155

Course Introduction
Overview
This course provides an opportunity to learn about a broad range of the components embedded
in Cisco SAFE. You learn to recognize threats and vulnerabilities to networks and learn how to
implement basic mitigation measures.

Learner Skills and Knowledge


This subtopic lists the skills and knowledge that learners must possess to benefit fully from the
course. The subtopic also includes recommended Cisco learning offerings that learners should
first complete to benefit fully from this course.

Learner Skills and Knowledge

• Cisco Certified Network Associate (CCNA) certification
• Basic knowledge of the Windows operating system
• Basic knowledge of Cisco IOS networking and concepts

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—3


Course Goal and Objectives
This topic describes the course goal and objectives.

Course Goal

“To perform basic tasks to secure network devices at Layers 2 and 3 using command line
interface and web-based GUIs. Devices include routers, switches, access control servers, IPS
sensors and VPN Concentrators.”

Upon completing this course, you will be able to meet these objectives:
• Describe network security vulnerabilities and how a security policy plus the Cisco security
product portfolio provide network security
• Configure Layer 2 and 3 devices on the network perimeter with Cisco Catalyst switch
security features and Cisco IOS software
• Configure a Cisco PIX Security Appliance to perform basic security operations on a
network
• Secure a network with host- and network-based IPS
• Build an IPSec VPN network using Cisco products and technologies

Course Flow
This topic presents the suggested flow of the course materials.

Course Flow

Day 1 (AM): Course Introduction; Module 1 – Introduction to Network Security
Day 1 (PM): Module 2 – Securing the Perimeter
Day 2 (AM): Daily Review; Module 2 – Securing the Perimeter
Day 2 (PM): Module 2 – Securing the Perimeter
Day 3 (AM): Daily Review; Module 2 – Securing the Perimeter
Day 3 (PM): Module 3 – PIX Security Appliances
Day 4 (AM): Daily Review; Module 4 – Host and Network Based IPS
Day 4 (PM): Module 5 – IPSec VPNs
Day 5 (AM): Daily Review; Module 5 – IPSec VPNs
Day 5 (PM): Course Wrap-up and Evaluation

Lunch is taken between the AM and PM sessions each day.

The schedule reflects the recommended structure for this course. This structure allows enough
time for the instructor to present the course information and for you to work through the lab
activities. The exact timing of the subject materials and labs depends on the pace of your
specific class.



Additional References
This topic presents the Cisco icons and symbols that are used in this course, as well as
information on where to find additional technical references.

Cisco Icons and Symbols (figure): Guard, File Server, Network Cloud, Cisco Traffic Anomaly
Detector, VPN Concentrator, Laptop, IOS Firewall, Router with Firewall, Router, PIX Firewall
(right and left), Sensor, and Multilayer Switch (with and without Si text, and subdued).

Cisco Glossary of Terms


For additional information on Cisco terminology, refer to the Cisco Internetworking Terms and
Acronyms glossary of terms at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm.

Your Training Curriculum
This topic presents the training curriculum for this course.

Cisco Career Certifications: Cisco Certified Security Professional (figure)

Expand your professional options and advance your career: professional level recognition in
network security.

Recommended training through Cisco Learning Partners:
• Expert: CCIE - Security
• Professional: CCSP – Securing Cisco Network Devices, Securing Networks with PIX and ASA,
Implementing Cisco IPS, Cisco Secure VPN, Cisco SAFE Implementation*

* Recertification exam

www.cisco.com/go/certifications

You are encouraged to join the Cisco Certification Community, a discussion forum open to
anyone holding a valid Cisco Career Certification (such as Cisco CCIE®, CCNA®, CCDA®,
CCNP®, CCDP®, CCIP®, CCVP™, or CCSP™). It provides a gathering place for Cisco
certified professionals to share questions, suggestions, and information about Cisco Career
Certification programs and other certification-related topics. For more information, visit
www.cisco.com/go/certifications.



Cisco Security Certification Path (figure)

Recommended training through Cisco Learning Partners; the prerequisite for each specialist
certification is a valid CCNA certification.
• Cisco Security Specialist: Securing Cisco Network Devices
• Cisco Firewall Specialist: Securing Cisco Network Devices; Securing Networks with PIX and ASA
• Cisco IPS Specialist: Securing Cisco Network Devices; Implementing Cisco IPS
• Cisco VPN Specialist: Securing Cisco Network Devices; Cisco Secure VPN

www.cisco.com/go/certifications

Cisco Qualified Specialist (CQS) focused certifications demonstrate significant competency in
specific technology areas, solutions, or job roles. Individuals who have earned an associate-
level career certification or higher are eligible to become qualified in these focused areas. With
one or more specialist certifications, network professionals can better align their core expertise
with current industry needs.
For more information on the CQS focused certification, visit www.cisco.com/go/certifications.

Module 1

Introduction to Network
Security

Overview
The open nature of the Internet makes it increasingly important for growing businesses to pay
attention to the security of their networks. As companies begin to move more and more
business functions to the public network, they need to take precautions to ensure that the data is
not compromised or that the data does not end up in front of the wrong set of eyes.

Unauthorized network access by an outside hacker or disgruntled employee can wreak havoc
with your proprietary data, negatively affect company productivity, and stunt your ability to
compete. Unauthorized network access can also harm your relationships with customers and
business partners who may question your ability to protect their confidential information.

Module Objectives
Upon completing this module, you will be able to describe network security vulnerabilities and
how a security policy plus the Cisco security product portfolio provide network security. This
ability includes being able to meet these objectives:
• Explain the need for increased network security and the need for policies for implementing
and maintaining network security in open networks
• Explain the strategies used to mitigate network attacks
• Describe the general features, purpose and benefits of the hardware and software
components of the Cisco security portfolio and solutions
• Describe how the Cisco Self-Defending Network strategy can be built by enhancing
existing network infrastructure with Cisco technologies, products and solutions
Lesson 1

Planning a Secure Network

Overview
How important is it to have a strong network security policy? The 2004 E-Crime Watch survey
conducted among security and law enforcement executives by CSO magazine, in cooperation
with the United States Secret Service and the Carnegie Mellon University Software
Engineering Institute’s CERT® Coordination Center, shows a significant number of
organizations reporting an increase in electronic crimes and network, system or data intrusions.
Forty-three percent of respondents report an increase in electronic crimes and intrusions versus
the previous year, and seventy percent report that at least one electronic crime or intrusion was
committed against their organization. Respondents say that electronic crime cost their
organizations approximately $666 million in 2003.

This lesson provides an overview of security issues, and a description of the need for a security
policy.

Objectives
Upon completing this lesson, you will be able to explain the need for increased network
security and the need for policies for implementing and maintaining network security in open
networks. This ability includes being able to meet these objectives:
• Explain the need for increased network security and dynamic security policies
• Describe the security challenges created by e-business needs, legal issues and government
policies
• Describe the four general categories of security threats and the four primary attack
categories
• Describe the purpose and content of a security policy
• Explain the process of maintaining continuous security based on the four sections of the
security wheel

The Need for Network Security
This topic describes how sophisticated attack tools and open networks have generated an
increased need for network security and dynamic security policies.

The Closed Network (figure): a closed network connects the remote site over Frame Relay,
X.25, leased lines, or the PSTN only, with no connection to public networks. Attacks from
inside the network remain a threat.

The easiest way to protect a network from outside attack is to close it off completely from the
outside world. A closed network provides connectivity only to trusted known parties and sites,
and does not allow a connection to public networks.

Because there is no outside connectivity, networks designed in this way can be thought of as
being safe from outside attack. However, internal threats still exist. The Computer Security
Institute (CSI) in San Francisco, California, estimates that between 60% and 80% of network
misuse comes from inside the enterprises where the misuse has taken place.

Open Network (figure): mobile and remote users, remote sites, and a partner site connect over
the PSTN and over Internet-based intranet and extranet VPNs.

Today, corporate networks require access to the Internet and other public networks. Most
networks have several access points to public and private networks. Securing open networks
has become extremely important.

A report from the 2000 Computer Crime and Security Survey conducted by CSI with the
participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion
Squad, provides an updated look at the impact of computer crime in the United States.

Based on responses from 503 computer security practitioners in U.S. corporations, government
agencies, financial institutions, medical institutions and universities, the findings of the "2002
Computer Crime and Security Survey" confirm that the threat from computer crime and other
information security breaches continues unabated and that the financial toll is mounting.

Highlights of the 2002 Computer Crime and Security Survey include the following:
• Ninety percent of respondents (primarily large corporations and government agencies)
detected computer security breaches within the last twelve months.
• Eighty percent acknowledged financial losses due to computer breaches.
• Forty-four percent (223 respondents) were willing or able to quantify their financial losses.
These 223 respondents reported $455,848,000 in financial losses.
• As in previous years, the most serious financial losses occurred through theft of proprietary
information (26 respondents reported $170,827,000) and financial fraud (25 respondents
reported $115,753,000).
• For the fifth year in a row, more respondents (74%) cited their Internet connection as a
frequent point of attack than respondents who cited their internal systems as a frequent
point of attack (33%).
• Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16%
acknowledged reporting intrusions to law enforcement.)



Threat Capabilities—More Dangerous and Easier to Use (figure): plotted from 1980 to 2000,
the sophistication of hacker tools rises from low to high, with tools ranging from password
guessing and password cracking through self-replicating code, exploiting known vulnerabilities,
disabling audits, back doors, hijacking sessions, sniffers, stealth diagnostics and scanners to
packet forging/spoofing, while the technical knowledge required to use them falls from high
to low.

The figure illustrates how the increasing sophistication of hacking tools and decreasing skill
needed to use these tools have combined to pose increasing threats to open networks. With the
development of large open networks, security threats in the past 20 years have increased
significantly. Not only have hackers discovered more network vulnerabilities, but hacking tools
have become easier to use. Downloadable applications are now available that require little or no
hacking knowledge to implement. As well, troubleshooting applications intended for
maintaining and optimizing networks can, in the wrong hands, be used maliciously and pose
severe threats.

Network Security Challenges
This topic describes the security challenges created by e-business needs, legal issues and
government policies.

The Role of Security Is Changing

As business and management practices become more open and reliant on using
Internet-powered initiatives and online collaboration, network security becomes a fundamental
part of their survival in an increasingly competitive and threatening world.

The overall security challenge is to find a balance between two important needs. On one side,
there is a growing need to open networks to support evolving business needs and support
freedom of information initiatives, and on the other side there is a growing need to protect
private, personal and strategic business information.

Security has moved to the forefront of network management and implementation. For the
survival of many businesses, it is necessary to allow open access to network resources and to
ensure that data and resources are as secure as possible. The increasing importance of
e-business and the need for private data to traverse potentially unsafe public networks increases
the need for the development and implementation of a corporate-wide network security policy.
Establishing a network security policy should be the first step in migrating a network to a
secure infrastructure.



The E-Business Challenge (figure): business value rises as Internet access grows from a
corporate Internet presence and intranet access to e-commerce, supply chain, customer care,
workforce optimization and e-learning. Business security requirements: defense-in-depth;
multiple components; integration into the e-business infrastructure; a comprehensive blueprint.
Expanded access, heightened security risks.

The Internet has radically shifted expectations of a company’s abilities to build stronger
relationships with customers, suppliers, partners, and employees. E-business challenges
companies to become more agile and competitive. The benefits of this challenge are new
applications for e-commerce, supply-chain management, customer care, workforce
optimization, and e-learning—applications that streamline and improve processes, speed up
turnaround times, lower costs, and increase user satisfaction.

As enterprise network managers open their networks to more users and applications, they also
expose these networks to greater risk. The result has been an increase in business security
requirements. Security must be included as a fundamental component of any e-business
strategy.

E-business requires mission-critical networks that accommodate ever-increasing constituencies
and demands for greater capacity and performance. These networks also need to handle voice,
video, and data traffic as networks converge into multiservice environments.

1-8 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
Converging Dynamics

• New laws are requiring organizations to better protect the privacy of sensitive and personal information.
• A growing level of terrorist and criminal activity is being directed at communications networks and computer systems.
• Cyber attacks and hacking are much easier for a larger number of perpetrators.

Three major dynamics have converged to heighten the need for network and system security.
These dynamics have raised the risks for organizations that are required to protect the privacy
of information or have a high political or brand profile. These dynamics are as follows:
• There are new and pending laws in the United States and around the world that require organizations to better protect the privacy of sensitive and personal information.
• There is a growing level of terrorist and criminal activity directed at communications networks and computer systems.
• The increased use of Internet technology and connectivity around the world has made cyber attacks and hacking much easier for a larger number of perpetrators.



Primary Network Threats and Attacks
This topic describes the four general categories of security threats and the four primary attack
categories.

Variety of Attacks

Slide figure: attacks can originate from the Internet, from internal exploitation, from dial-in exploitation, or from a compromised host.

Network attacks can be as varied as the systems that they attempt to penetrate.

Without proper protection, any part of any network can be susceptible to attacks or
unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers,
company competitors, or even internal employees. To determine the best ways to protect
against attacks, IT managers should understand the many types of attacks that can be instigated
and the damage that these attacks can cause to e-business infrastructures.

In the same CSI report cited earlier, respondents detected a wide range of attacks and abuses.
Examples of attacks and abuses are as follows:
• Forty percent detected system penetration from the outside.
• Forty percent detected denial of service attacks.
• Seventy-eight percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).
• Eighty-five percent detected computer viruses.
• Thirty-eight percent of companies with websites suffered unauthorized access or misuse on their websites within the last twelve months. Twenty-one percent said that they did not know if there had been unauthorized access or misuse.
• Twenty-five percent of those acknowledging attacks reported two to five incidents. Thirty-nine percent reported ten or more incidents.
• Seventy percent of those attacked reported vandalism. In 2000, this number was 64%.
• Fifty-five percent reported denial of service. In 2000, this number was 60%.
• Twelve percent reported theft of transaction information.

Security Threat Categories

There are four general categories of security threats to the network:
• Unstructured threats
• Structured threats
• External threats
• Internal threats

Threats to network security fall into the following four general categories:
• Unstructured threats: These threats primarily consist of random hackers using common tools such as malicious shell scripts, password crackers, credit card number generators, and dialer daemons. Although hackers in this category may have malicious intent, many are more interested in the intellectual challenge of cracking safeguards than in creating havoc.
• Structured threats: These threats are created by hackers who are more highly motivated and technically competent. Typically, such hackers act alone or in small groups to understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved in the major fraud and theft cases reported to law enforcement agencies. Occasionally, such hackers are hired by organized crime, industry competitors, or state-sponsored intelligence collection organizations.
• External threats: These threats consist of structured and unstructured threats originating from an external source. These threats may have malicious and destructive intent, or they may simply be errors that generate a threat.
• Internal threats: These threats typically involve disgruntled former or current employees. Although internal threats may seem more ominous than threats from external sources, security measures are available for reducing vulnerabilities to internal threats and responding when attacks occur.



Types of Network Attacks

All of the following can be used to compromise your system:
• Reconnaissance attacks
• Access attacks
• Denial of service attacks
• Worms, viruses, and Trojan horses

There are four types of network attacks:
• Reconnaissance attacks: A reconnaissance attack is when an intruder attempts to discover and map systems, services, and vulnerabilities. Attackers and hackers can employ social engineering techniques to pose as legitimate people seeking out information. A few well structured telephone calls to unsuspecting employees can provide a significant amount of information.
• Access attacks: An access attack is when an intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges.
• Denial of service (DoS) attacks: A DoS attack is when an intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
• Worms, viruses, and Trojan horses: These attacks are when malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, systems, or services.

We will take a much closer look at these attack types in the next lesson.

Vulnerabilities and Exploits

A vulnerability is a weakness that compromises either the security or the functionality of a system. Examples include:
• Poor passwords
• Improper input handling
• Insecure communication

An exploit is the mechanism used to leverage a vulnerability. Examples include:
• Password guessing tools
• Shell scripts
• Executable code

A vulnerability is a weakness that compromises either the security or the functionality of a
system. The following are examples of vulnerabilities:
• Poor passwords: Passwords are the first line of defense. Weak or easily guessed passwords are considered vulnerabilities.
• Improper input handling: Software that does not properly handle all possible input can have unexpected results. Improper input handling often leads to either a denial of service (DoS) or access to restricted system resources.
• Insecure communication: Data that is transferred in clear text is susceptible to interception. System passwords, employee records, and confidential company documents are some examples of data that is vulnerable to interception.

An exploit is the mechanism used to leverage a vulnerability to compromise the security or
functionality of a system. The following are examples of exploits:
• Password guessing tools: These tools attempt to “crack” passwords by using knowledge of the algorithm used to generate the actual password or by attempting to access a system using permutations and combinations of different character sets. Some popular password cracking tools are L0phtCrack and John the Ripper.
• Shell or batch scripts: These scripts are created to automate attacks or perform simple procedures known to expose the vulnerability.
• Executable code: Exploits written as executable code require programming knowledge and access to software tools such as a compiler. Consequently, executable code exploits are considered to be more advanced forms of exploitation.



Network Security Policy
This topic describes the purposes and content of a security policy.

“A security policy is a formal statement of the rules by which people who are given access to
an organization’s technology and information assets must abide.”

RFC 2196, Site Security Handbook

A security policy is essentially a document summarizing how the corporation will use and
protect its computing and network resources.

A security policy can be as simple as an acceptable use policy for network resources, or it can
be several hundred pages in length and detail every element of connectivity and associated
policies.

Without a security policy, the availability of your network will be compromised. The policy
begins with assessing the risk to the network and building a response team. The policy also
requires implementing a security change management practice and a process for monitoring the
network for security violations. Finally, a review process to modify the existing policy and
adapt to lessons learned is required.

Why Create a Security Policy?

The benefits and purpose of a security policy are as follows:
• Creates a baseline of your current security posture and implementation
• Defines allowed and not-allowed behaviors
• Helps determine necessary tools and procedures
• Helps define roles and responsibilities
• Informs users of their roles and responsibilities
• States the consequences of misuse
• Enables global security implementation and enforcement
• Defines how to handle security incidents
• Defines assets and how to use them
• Provides a process for continuing review

Security policies provide many benefits and are worth the time and effort needed to develop
them. Computer security is now an enterprise-wide issue, and computing sites are expected to
conform to the network security policy. The following list describes important reasons for
developing a security policy:
• Provides a general security framework for implementing network security
• Defines what behavior is and is not allowed
• Helps determine which tools and procedures are needed for the organization
• Defines the roles and responsibilities of users and administrators
• Informs users and administrators of their roles and responsibilities
• States consequences of misuse
• Enables global security implementation and enforcement
• Defines assets and how they are to be used to enhance security and reduce vulnerabilities and threats
• Defines a process for handling network security incidents
• Provides a process for continuing review and enhancement of resulting network security



What Should the Security Policy Contain?

A security policy should contain the following:
• Statement of authority and scope
• Acceptable use policy
• Identification and authentication policy
• Internet use policy
• Campus access policy
• Remote access policy
• Incident handling procedure

The following are some of the key policy components:
• Statement of authority and scope: This component specifies who sponsors the security policy and what areas the policy covers.
• Acceptable use policy: This component specifies what the company will and will not allow regarding its information infrastructure.
• Identification and authentication policy: This component specifies what technologies, equipment, or combination of the two the company will use to ensure that only authorized individuals have access to its network and data.
• Internet access policy: This component specifies what the company considers ethical and proper use of its Internet access capabilities.
• Campus access policy: This component specifies how on-campus users will use the company network infrastructure and data.
• Remote access policy: This component specifies how remote users will access the company network infrastructure and data.
• Incident handling procedure: This component specifies how the company will create an incident response team and the procedures it will use during and after an incident.

The Network Security Process
Cisco is serious about network security and about its implications for the critical infrastructures
on which developed nations depend. This topic explains the process of maintaining continuous
security based on the four sections of the security wheel.

Network Security is a Continuous Process

Network security is a continuous process built around a security policy:
• Step 1: Secure
• Step 2: Monitor
• Step 3: Test
• Step 4: Improve

Slide figure: the security wheel, with Secure, Monitor, Test, and Improve arranged around the security policy at the hub.

After setting appropriate policies, a company or organization must methodically consider
security as part of normal network operations. This effort could be as simple as configuring
routers to not accept unauthorized addresses or services, or as complex as installing firewalls,
intrusion detection systems (IDS), intrusion prevention systems (IPS), centralized
authentication servers (for example, authentication, authorization, and accounting [AAA]
servers), and encrypted virtual private networks (VPNs) (for example, IPSec VPNs).

Before you can secure your network, however, you need to combine your understanding of
your users, the assets needing protection, and the network topology.



Secure the Network

This step involves the following:
• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
– Authentication
– Encryption
– Firewalls
– Vulnerability patching

The following solutions secure a network:
• Authentication: Authentication is the recognition of each individual user, and the mapping of their identity, their location, and their time to a policy. Authentication authorizes user access to the network and network services.
• Encryption: Encryption is a method for ensuring the confidentiality, integrity, and authenticity of data communications across a network. The Cisco solution combines several standards, including the Data Encryption Standard (DES), Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES).
• Firewalls: A firewall is a set of related programs, located at a network gateway server or router, that protects the resources of a private network from users from other networks.
• Vulnerability patching: The identification and patching of possible security “holes” that could compromise a network.

Monitor Security

This step involves the following:
• Detect violations to the security policy.
• Involve system auditing and real-time intrusion detection.
• Validate the security implementation in Step 1: Secure.

To ensure that a network remains secure, it is important to monitor the state of security
preparation. Network vulnerability scanners can proactively identify areas of weakness, and
intrusion prevention systems can monitor and respond to security events as they occur. Using
security monitoring solutions, organizations can obtain unprecedented visibility into both the
network data stream and the security posture of the network.



Test Security

This step involves the following:
• Validate effectiveness of the security policy through system auditing and vulnerability scanning.

Testing security is as important as monitoring. Without testing the security solutions in place, it
is impossible to know about new or existing attacks. The hacker community is an ever-
changing environment. You can test security yourself or you can outsource it to a third party
such as the Cisco Security Posture Assessment (SPA) group.

The Cisco SPA is a premium network vulnerability assessment that provides comprehensive
insight into the security posture of a customer network. The Cisco SPA is delivered by highly
expert Cisco Network Security Engineers (NSEs) and includes an operational, granular analysis
of large-scale, distributed service provider networks from the perspective of an outside
“hacker.”

Improve Security

This step involves the following:
• Use information from the monitor and test phases to make improvements to the security implementation.
• Adjust the security policy as security vulnerabilities and risks are identified.

Monitoring and testing provide the data necessary to improve network security.
Administrators and engineers should use the information from the monitor and test phases to
improve the security implementation and to adjust the security policy when vulnerabilities and
risks are identified.



Summary
This topic summarizes the key points discussed in this lesson.

Summary

• The need for network security has increased as networks have become
more complex and interconnected.
• E-business needs, legal issues and government policies help drive the
need for network security.
• There are four types of security threats:
– Structured
– Unstructured
– Internal
– External
• There are four primary attack categories:
– Reconnaissance attacks
– Access attacks
– Denial of service attacks
– Worms, viruses, and Trojan horses

Summary (Cont.)

• The components of a complete security policy are:
– Statement of authority and scope
– Acceptable use policy
– Identification and authentication policy
– Internet use policy
– Campus access policy
– Remote access policy
– Incident handling procedure
• A security wheel details the view that security is an ongoing
process and is comprised of four phases:
– Secure
– Monitor
– Test
– Improve

Lesson Self-Check
Q1) What is the main threat to a closed network? (Source: The Need for Network Security)
A) a deliberate attack from outside
B) a deliberate or accidental attack from inside
C) misuse by customers
D) misuse by employees
Q2) In the recent past, what two events have conspired to increase the threats from
hackers? (Choose two.) (Source: The Need for Network Security)
A) Hacker tools require more technical knowledge to use.
B) Hacker tools have become more sophisticated.
C) The number of reported security threats has remained constant year-to-year.
D) Hacker tools require less technical knowledge to use.
Q3) According to the Computer Security Institute, what percent of networks have
experienced a security breach? (Source: The Need for Network Security)
A) 20 to 30 percent
B) 80 to 90 percent
C) 60 to 80 percent
D) 50 to 60 percent
E) 30 to 50 percent
Q4) What three major dynamics are converging to heighten the need for network security?
(Source: Network Security Challenges)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________



Q5) Match one of the following four types of security threats to each of the following
descriptions. (Source: Primary Network Threats and Attacks)
A) unstructured
B) structured
C) external
D) internal
_____ 1. an attack launched by highly motivated and technically competent hackers

_____ 2. an attack that may simply be the result of errors that generate a threat

_____ 3. an attack where random hackers use various common tools, such as
malicious shell scripts, password crackers, credit card number generators,
and dialer daemons

_____ 4. attacks where groups are involved in the fraud and theft cases reported to
law enforcement agencies

_____ 5. attacks that typically involve disgruntled former or current employees

_____ 6. attacks by hackers who are more interested in the intellectual challenge of
cracking safeguards than in creating havoc

Q6) Describe four types of security attacks. (Source: Primary Network Threats and Attacks)

______________________________________________________________________

______________________________________________________________________

Q7) Describe five benefits of a security policy. (Source: Network Security Policy)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q8) Describe three components of a security policy. (Source: Network Security Policy)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q9) According to the Site Security Handbook (RFC 2196) which of the following
statements defines a security policy? (Source: Network Security Policy)
A) A security policy is a formal statement of the rules by which people who are
given access to an organization’s technology and information assets should
abide.
B) A security policy is a formal statement of the rules by which people who are
given access to an organization’s technology and information assets must
abide.
C) A security policy is an informal statement of the rules by which people who are
given access to an organization’s technology and information assets should
abide.
D) A security policy is an informal statement of the rules by which people who are
given access to an organization’s technology and information assets must
abide.
Q10) Which section of a security policy specifies what technologies, equipment, or
combination of the two the company will use to ensure that only authorized individuals
have access to its data? (Source: Network Security Policy)
A) acceptable use policy
B) internet access policy
C) identification and authentication policy
D) remote access policy
E) statement of authority and scope
F) campus access policy
Q11) Which section of a security policy specifies how the company will create an incident
response team and the procedures it will use after an incident occurs? (Source:
Network Security Policy)
A) campus access policy
B) identification and authentication policy
C) remote access policy
D) incident handling procedure
E) internet access policy
F) acceptable use policy



Q12) Which of the following guidelines should a security policy contain? (Source: Network
Security Policy)
A) how often the business policy should be updated based on updates to the
security policy
B) what roles should be assigned to which people
C) dress codes
D) the business goals of a company
E) the organizational chart
Q13) Describe the four key methods for securing a network. (Source: The Network Security
Process)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q14) Which of the following Cisco security wheel steps involve implementing security
devices with the intent to prevent unauthorized access to network systems? (Source:
The Network Security Process)
A) Improve
B) Test
C) Secure
D) Monitor
Q15) Which step of the Cisco security wheel would an IPS be used? (Source: The Network
Security Process)
A) Test
B) Secure
C) Monitor
D) Improve
Q16) In which step of the Cisco security wheel would you implement encryption
technologies like IPSec? (Source: The Network Security Process)
E) Monitor
F) Test
G) Improve
H) Implement
I) Change
J) Secure

Lesson Self-Check Answer Key
Q1) B

Q2) B, D

Q3) C

Q4) The three converging dynamics are:

A) There are new and pending laws in the United States and around the world that require
organizations to better protect the privacy of sensitive and personal information

B) There is a growing level of terrorist and criminal activity being directed at communications
networks and computer systems

C) The increased use of Internet technology and connectivity around the world has made cyber
attacks and hacking much easier for a larger number of perpetrators

Q5) 1-B, 2-C, 3-A, 4-C, 5-D, 6-A

Q6) The four types of network attack are:

A) Reconnaissance attacks: An intruder attempts to discover and map systems, services, and
vulnerabilities.

B) Access attacks: An intruder attacks networks or systems to retrieve data, gain access, or escalate
access privileges.

C) Denial of service (DoS) attacks: An intruder attacks your network in a way that damages or
corrupts your computer system or denies you and others access to your networks, systems, or
services.

D) Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to
damage a system, corrupt a system, replicate itself, or deny services or access to networks,
systems, or services.

Q7) Benefits of a security policy include the following:


Provides a general security framework for implementing network security

Defines what behavior is and is not allowed

Helps determine which tools and procedures are needed for the organization

Defines the roles and responsibilities of users and administrators

Informs users of their roles and responsibilities

States consequences of misuse

Enables global security implementation and enforcement

Defines assets and how they are to be used to enhance security and reduce vulnerabilities and
threats

Defines a process for handling network security incidents

Provides a process for continuing review and enhancement of resulting network security



Q8) The components of a security policy include the following:
Statement of authority and scope

Acceptable use policy

Identification and authentication policy

Internet use policy

Campus access policy

Remote access policy

Incident handling procedure

Q9) B

Q10) C

Q11) D

Q12) B

Q13) The four methodologies are:

A) Authentication

B) Encryption

C) Firewalls

D) Vulnerability patching

Q14) C

Q15) C

Q16) F

Lesson 2

Mitigating Network Attacks

Overview
This lesson describes types of network attacks and provides some general strategies for
reducing vulnerabilities and for identifying and mitigating common network attacks.

Objectives
Upon completing this lesson, you will be able to explain the strategies used to mitigate network
attacks. This ability includes being able to meet these objectives:
• Mitigate hardware, environmental, electrical and maintenance-related security threats to Cisco routers and switches
• Describe the mitigation of reconnaissance attacks including packet sniffers, port scans, ping sweeps and Internet information queries
• Describe the mitigation of access attacks including password attacks, trust exploitation, port redirection and man-in-the-middle attacks
• Describe the mitigation of denial of service attacks including IP spoofing and distributed denial of service attacks
• Describe the mitigation of worm, virus and Trojan horse attacks
• Describe the mitigation of application-layer attacks
• Describe vulnerabilities in configuration management protocols and recommendations for mitigating these vulnerabilities
• Explain how the following tools are used to discover network vulnerabilities and threats:
— GNU Netcat
— Blue’s Port Scan
— Ethereal
— Microsoft Baseline Security Analyzer

Mitigating Physical and Environmental Threats
Improper and incomplete network device installation is an often-overlooked security threat,
which, if left unheeded, can have dire results. Software-based security measures alone cannot
prevent pre-meditated or even accidental network damage due to poor installations. This topic
discusses ways to identify and remedy insecure installations keeping in mind that some
physical security resolutions may be easily applied to some low-risk installations as well.

Installation Risk Assessment

Slide figure: generally low-risk installations (mobile worker and SOHO, connected over the PSTN and the Internet) contrasted with generally high-risk, mission-critical installations (headquarters).

Before discussing how to secure Cisco network installations, it is important to make the
following distinction between low-risk and high-risk devices:
• Low-risk devices: These devices are typically low-end, either small office or home office (SOHO) devices. Examples of SOHO devices include the Cisco 800, the Cisco 900, the Cisco 1700, the Cisco 1800 Series routers, and Cisco switches in environments where access to the physical devices and cabling does not present a high risk to the corporate network. In these types of installations, it may be physically impossible and even too costly to provide a locked wiring closet for physical device security. In these situations, the information technology (IT) manager must make a decision on what devices can and cannot be physically secured and at what risk.
• High-risk (mission-critical) devices: These devices are typically found in larger offices or corporate campuses where tens, hundreds, or even thousands of employees reside, or where the same large numbers of employees remotely access corporate data. These devices are usually Cisco routers, Cisco Catalyst switches, firewalls, and management systems used to route and control large amounts of data, voice, and video traffic. These devices represent a much higher security threat if physically accessed by disgruntled employees or impacted by negative environmental conditions.

1-30 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
Common Threats to Physical Installations

• Hardware threats
• Environmental threats
• Electrical threats
• Maintenance threats


Insecure installations or “physical access” threats can be generally classified as follows:
Hardware threats: The threat of physical damage to the router or switch hardware.
Environmental threats: Threats such as temperature extremes (too hot or too cold) or
humidity extremes (too wet or too dry).
Electrical threats: Threats such as voltage spikes, insufficient supply voltage (brownouts),
unconditioned power (noise), and total power loss.
Maintenance threats: Threats such as poor handling of key electronic components
(electrostatic discharge), lack of critical spares, poor cabling, poor labeling, and so on.

Copyright 2005, Cisco Systems, Inc. Introduction to Network Security 1-31


Hardware Threat Mitigation

Plan physical security to limit damage to the equipment:
• No unauthorized access from the doors, ceiling, raised floor, windows, ducts or vents—lock it
up.
• Monitor and control closet entry with electronic logs.
• Use security cameras.

[Figure: floor plan of a secure computer room (secure Internet access, AC, UPS bay, servers, LAN, WAN, help desk) with a card reader controlling the only entry door]

Mission-critical Cisco network equipment should be located in wiring closets, or in computer
or telecommunications rooms that meet the following minimum requirements:
The room must be locked with only authorized personnel allowed access.
The room should not be accessible via a dropped ceiling, raised floor, window, ductwork,
or point of entry other than the secured access point.
If possible, electronic access control should be used with all entry attempts logged by
security systems and monitored by security personnel.
If possible, security personnel should monitor security cameras with automatic log
recording.

Environmental Threat Mitigation

Limit damage by creating a proper operating environment:
• Temperature control
• Humidity control
• Positive air flow
• Remote environmental alarming, recording, and monitoring

The following items should be used to limit environmental damage to Cisco network devices:
The room must be supplied with dependable systems for temperature and humidity control.
Always verify the recommended environmental parameters of the Cisco network
equipment with the supplied product documentation.
If possible, the room environmental parameters should be remotely monitored and alarmed,
so that a failing air conditioner is noticed before the equipment overheats.
The room must be free from electrostatic and magnetic interference.



Electrical Threat Mitigation

Limit electrical supply problems by:
• Installing UPS systems.
• Installing generator sets.
• Following a preventative maintenance plan.
• Installing redundant power supplies.
• Performing remote alarming and monitoring.

Electrical supply problems can be limited by adhering to the following:
Install uninterruptible power supply (UPS) systems for mission-critical Cisco network
devices.
Install backup generator systems for mission-critical supplies.
Plan for and initiate regular UPS or generator testing and maintenance procedures based on
the manufacturer-suggested preventative maintenance schedule.
Use filtered (conditioned) power.
Install redundant power supplies on critical devices, fed from separate circuits where possible.
Monitor and alarm power-related parameters at the supply and device level.

Maintenance-Related Threat Mitigation

Limit maintenance-related
threats by:
• Using neat cable runs
• Labeling critical cables and
components
• Using ESD procedures
• Stocking critical spares
• Controlling access to console
ports


Maintenance-related threats are a broad category that covers many items. The following general
rules should be adhered to in order to prevent these types of threats:
All equipment cabling should be clearly labeled and secured to equipment racks to prevent
accidental damage, disconnection, or incorrect termination.
Cable runs, raceways, or both should be used to traverse rack-to-ceiling or rack-to-rack
connections.
Always follow electrostatic discharge (ESD) procedures when replacing or working inside
Cisco router and switch devices.
Maintain a stock of critical spares for emergency use.
Do not leave a console connected to and logged into any console port. Always log off
administrative interfaces when leaving, and configure an idle timeout (exec-timeout) on the
console line so that a forgotten session expires on its own.
Always remember that no room is ever totally secure and should not be relied upon to be
the sole protector of device access. Once inside a secure room, there is nothing to stop an
intruder from connecting a terminal to the console port of a Cisco router or switch, so the
console itself must require authentication.



Reconnaissance Attacks and Mitigation
This topic describes the mitigation of reconnaissance attacks including packet sniffers, port
scans, ping sweeps, and Internet information queries.

Reconnaissance Attacks

Reconnaissance refers to the overall act of learning information about a target network by
using readily available information and applications.

Reconnaissance attacks include:
• Packet sniffers
• Port scans
• Ping sweeps
• Internet information queries

Reconnaissance is the unauthorized discovery and mapping of systems, services, or
vulnerabilities. Reconnaissance is also known as information gathering, and in most cases,
precedes an actual access or denial of service (DoS) attack. First, the malicious intruder
typically conducts a ping sweep of the target network to determine which IP addresses are
alive. Then the intruder determines which services or ports are active on the live IP addresses.
From this information, the intruder queries the ports to determine the type and version of the
application and operating system running on the target host.

Reconnaissance is somewhat analogous to a thief casing a neighborhood for vulnerable homes,
such as an unoccupied residence, or a house with an easy-to-open door or window to break
into. In many cases the intruders look for vulnerable services that they can exploit later when
there is less likelihood that anyone is looking.

Reconnaissance attacks can consist of the following:
Packet sniffers
Port scans
Ping sweeps
Internet information queries

Packet Sniffers

[Figure: Host A – Router A – Router B – Host B]

A packet sniffer is a software application that uses a network adapter card in
promiscuous mode to capture all network packets. The following are packet
sniffer features:
• Packet sniffers exploit information passed in clear text. Protocols that pass
information in clear text are Telnet, FTP, SNMP, POP and HTTP.
• Packet sniffers must be on the same collision domain.
• Packet sniffers can be used legitimately or can be designed specifically for
attack.

A packet sniffer is a software application that uses a network adapter card in promiscuous mode
to capture all network packets that are sent across a LAN. Packet sniffers can only work in the
same collision domain. Promiscuous mode is a mode in which the network adapter card sends
all packets received on the physical network wire to an application for processing.

Several network applications distribute network packets in clear text. Clear text is information
sent across the network that is not encrypted. Because the network packets are not encrypted,
they can be processed and understood by any application that can pick them off the network
and process them.

A network protocol specifies how packets are identified and labeled. The labels enable a
computer to determine whether a packet has been correctly forwarded to the intended
destination. Because the specifications for network protocols, such as TCP/IP, are widely
published, a third party can easily interpret the network packets and develop a packet sniffer.
Numerous freeware and shareware packet sniffers are available that do not require the user to
understand anything about the underlying protocols.

Note In an Ethernet LAN, promiscuous mode is a mode of operation in which every frame
transmitted on the segment can be received and read by a network adapter, whatever its
destination address. In nonpromiscuous mode (the default), the adapter checks the
destination address of each frame and passes up to the operating system only frames
addressed to it, to the broadcast address, or to a multicast group it has joined.
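The following program is an added example, written for this edition and not part of the Cisco course, of the parsing a sniffer performs once it has frames in hand. It decodes the Ethernet, IPv4 and TCP headers using their published field layouts and pulls the USER and PASS commands out of a clear-text FTP login. The frames are constructed inside the program (a sniffer would instead read them from an adapter in promiscuous mode); the MAC and IP addresses, port numbers and credentials are sample values.

```python
"""Sniffer-side parsing: Ethernet/IPv4/TCP headers and clear-text FTP logins.

Added example (not from the Cisco guide). Frames below are constructed here,
not captured; a real sniffer would read them from a NIC in promiscuous mode."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
FTP_PORT = 21


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype, payload) for a DIX Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


def parse_ipv4(packet):
    """Return (src_ip, dst_ip, protocol, payload); honours the IHL field."""
    if len(packet) < 20:
        raise ValueError("packet too short for IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return (str(IPv4Address(src)), str(IPv4Address(dst)), proto,
            packet[ihl:total_len])


def parse_tcp(segment):
    """Return (src_port, dst_port, flags, payload); honours the data offset."""
    if len(segment) < 20:
        raise ValueError("segment too short for TCP header")
    (sport, dport, _seq, _ack, off_flags, _win, _csum,
     _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    return sport, dport, flags, segment[data_off:]


def extract_ftp_credentials(frames):
    """Return {(client_ip, server_ip): (user, password)} seen in clear text."""
    creds = {}
    for frame in frames:
        _dst, _src, etype, ip_pkt = parse_ethernet(frame)
        if etype != ETHERTYPE_IPV4:
            continue
        src_ip, dst_ip, proto, tcp_seg = parse_ipv4(ip_pkt)
        if proto != PROTO_TCP:
            continue
        _sport, dport, _flags, payload = parse_tcp(tcp_seg)
        if dport != FTP_PORT or not payload:
            continue  # only commands sent by the client to the server
        line = payload.decode("ascii", "replace").strip()
        user, pwd = creds.get((src_ip, dst_ip), (None, None))
        if line.upper().startswith("USER "):
            user = line[5:]
        elif line.upper().startswith("PASS "):
            pwd = line[5:]
        creds[(src_ip, dst_ip)] = (user, pwd)
    return {k: v for k, v in creds.items() if None not in v}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a demo frame (checksums left zero; the parsers ignore them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     PROTO_TCP, 0, IPv4Address(src_ip).packed,
                     IPv4Address(dst_ip).packed) + tcp
    eth = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55",
                      b"\x66\x77\x88\x99\xaa\xbb", ETHERTYPE_IPV4)
    return eth + ip


# Constructed sample capture: an FTP login from 10.1.1.5 to 10.1.1.20.
SAMPLE_FRAMES = [
    build_frame("10.1.1.5", "10.1.1.20", 40000, 21, b"USER psmith\r\n"),
    build_frame("10.1.1.20", "10.1.1.5", 21, 40000, b"331 Password required\r\n"),
    build_frame("10.1.1.5", "10.1.1.20", 40000, 21, b"PASS mybirthday\r\n"),
]

if __name__ == "__main__":
    print(extract_ftp_credentials(SAMPLE_FRAMES))
```

The same three parsers, pointed at the Telnet, POP or HTTP ports, recover those protocols' credentials just as easily; the only thing that defeats this parsing is encrypting the payload, as the mitigation topic below explains.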



Packet Sniffer Attack Mitigation

[Figure: Host A – Router A – Router B – Host B]

The mitigation techniques and tools include:
• Authentication
• Switched infrastructure
• Antisniffer tools
• Cryptography

The following techniques and tools can be used to mitigate packet sniffer attacks:
Authentication: Using strong authentication is a first option for defense against packet
sniffers. Strong authentication can be broadly defined as a method of authenticating users
that cannot easily be circumvented. A common example of strong authentication is one-
time passwords (OTPs).
An OTP is a type of two-factor authentication. Two-factor authentication involves using
something you have combined with something you know. Automated teller machines
(ATMs) use two-factor authentication. A customer needs both an ATM card and a personal
identification number (PIN) to make transactions. With OTPs you need a PIN and your
token card to authenticate to a device or software application. A token card is a hardware or
software device that generates new, seemingly random, passwords at specified intervals
(usually 60 seconds). A user combines that password with a PIN to create a unique
password that works only for one instance of authentication. If a hacker learns that
password by using a packet sniffer, the information is useless because the password has
already expired. Note that this mitigation technique is effective only against a sniffer
implementation that is designed to grab passwords. Sniffers deployed to learn sensitive
information (such as e-mail messages) will still be effective.
Switched infrastructure: This technique can be used to counter the use of packet sniffers
in your network environment. For example, if an entire organization deploys switched
Ethernet, hackers can gain access only to the traffic that flows on the specific port to which
they connect. A switched infrastructure obviously does not eliminate the threat of packet
sniffers (an attacker on the segment can still try to pull traffic to their own port, for example
by flooding the switch MAC address table or by spoofing ARP replies), but it can greatly
reduce their effectiveness.
Antisniffer tools: Software and hardware designed to detect the use of sniffers on a
network can be employed. Such software and hardware does not completely eliminate the
threat, but like many network security tools, they are part of the overall system. These
antisniffer tools detect changes in the response time of hosts to determine whether the hosts
are processing more traffic than their own traffic loads would indicate. One such network
security software tool, called AntiSniff, is available from Security Software Technologies.

Cryptography: Rendering captured packets useless is the most effective method for
countering packet sniffers; cryptography achieves this, and is therefore more effective than
preventing or detecting sniffers. If a communication channel is cryptographically secure, the
only data a packet sniffer captures is cipher text (a seemingly random string of bits) and not
the original message. The Cisco deployment of network-level cryptography is based on IPSec,
which is a standard method for networking devices to communicate privately using IP.
Other cryptographic protocols for network management include Secure Shell Protocol
(SSH) and Secure Sockets Layer (SSL), which replace Telnet and clear-text HTTP respectively.
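The Authentication item above describes token cards that produce a new password every 60 seconds and are used together with a PIN. The following program is an added example (not from the Cisco course or any token vendor) of that mechanism, using the standard TOTP algorithm (RFC 6238, built on HOTP, RFC 4226) with a 60-second step as an assumed stand-in for a vendor token. It shows why a sniffed passcode is useless: the verifier refuses a code that has already been accepted, and refuses it outright once the interval has passed. The user name, PIN and token seed are constructed sample values.

```python
"""Time-based one-time passwords (PIN + token code) and replay rejection.

Added example, not from the Cisco guide. TOTP/HOTP (RFC 6238 / RFC 4226)
with a 60-second step is assumed in place of a vendor token card."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(code % (10 ** digits), digits)


def totp(secret, now, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step)


class TokenServer:
    """Verifies PIN + token code and rejects replays of an accepted code."""

    def __init__(self, users):
        self.users = users          # username -> (pin, shared secret)
        self.last_counter = {}      # username -> step of the last accepted code

    def verify(self, username, passcode, now, window=1):
        """Accept the PIN immediately followed by the code for the current
        step (or one step either side, to absorb clock skew)."""
        if username not in self.users:
            return False
        pin, secret = self.users[username]
        if not passcode.startswith(pin):
            return False
        code = passcode[len(pin):]
        counter = int(now) // STEP_SECONDS
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if hmac.compare_digest(hotp(secret, candidate), code):
                # A code (or an older one) is never accepted twice: that is
                # exactly what an attacker with a sniffed copy would try.
                if candidate <= self.last_counter.get(username, -1):
                    return False
                self.last_counter[username] = candidate
                return True
        return False


# Constructed demo values: user 'psmith', PIN 4821, a token seed.
DEMO_SECRET = b"constructed-demo-seed-not-real"
DEMO_PIN = "4821"


def sniffed_replay_scenario():
    """psmith logs in at t=1000; the passcode is sniffed and replayed twice."""
    server = TokenServer({"psmith": (DEMO_PIN, DEMO_SECRET)})
    t_login = 1000
    passcode = DEMO_PIN + totp(DEMO_SECRET, t_login)
    legitimate = server.verify("psmith", passcode, t_login)
    replay_same_step = server.verify("psmith", passcode, t_login + 10)
    replay_later = server.verify("psmith", passcode, t_login + 5 * STEP_SECONDS)
    return legitimate, replay_same_step, replay_later


if __name__ == "__main__":
    print(sniffed_replay_scenario())
```

Note the caveat the text already makes: this protects only the password. A sniffer still reads everything else the session carries, which is why the Cryptography item is the complete answer.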



Port Scans and Ping Sweeps

These attacks can attempt to:
• Identify all services on the network
• Identify all hosts and devices on the network
• Identify the operating systems on the network
• Identify vulnerabilities on the network

As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and
devices to identify vulnerable services that need to be attended to. The information is gathered
by examining IP addressing and port or banner data from both TCP and User Datagram
Protocol (UDP) ports.

In an illegitimate situation, a port scan can be a series of messages sent by someone attempting
to break into a computer to learn which computer network services (each service is associated
with a "well-known" port number) the computer provides. Port scanning can be an automated
scan of a range of TCP or UDP port numbers on a host to detect listening services. Port
scanning, a favorite computer hacker approach, provides information to the assailant as to
where to probe for weaknesses. Essentially, a port scan consists of sending a message to each
port, one at a time. The kind of response received indicates whether the port is used and can
therefore be probed for weakness.

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to
determine which of a range of IP addresses map to live hosts (computers). Whereas a single
ping will tell you whether one specified host computer exists on the network, a ping sweep
consists of ICMP echo-requests sent to multiple hosts. If a given address is live, it will return an
ICMP echo-reply. Ping sweeps are among the older and slower methods used to scan a
network. As an attack tool, a ping sweep sends ICMP (RFC 792) echo-requests ("pings") to a
range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.

Port Scan and Ping Sweep Attack Mitigation

Port scans and ping sweeps cannot be prevented without compromising network capabilities.

[Figure: a scanner on a shared connection probes a workstation and a laptop, each running HIPS, behind a network IDS/IPS]

However, damage can be mitigated using intrusion prevention systems at network and host levels.

Port scanning and ping sweeping cannot be stopped once a computer is connected to the Internet:
every service offered on an Internet server opens a port, and an open port is a door to the
computer. However, there are ways to limit the damage.

Ping sweeps can be stopped if ICMP echo and echo-reply are blocked on edge routers, but
network diagnostic data is lost. Port scans can easily be run without a preceding ping sweep;
they simply take longer because they must also probe IP addresses that might not be live.

Network-based intrusion prevention systems (IPS) and host-based intrusion prevention systems
(HIPS) can usually notify an administrator when a reconnaissance attack is under way. This
warning allows the administrator to better prepare for the coming attack or to notify the Internet
service provider (ISP) that is hosting the system launching the reconnaissance probe.

Discovering stealth scans (for example, SYN scans that never complete the TCP handshake, so
no application ever logs a connection) requires inspecting traffic at the packet level, which is
work done in the kernel or by a dedicated sensor. IPSs compare incoming traffic to
signatures in their database. Signatures are characteristics of particular traffic patterns. A
signature that could be used for detecting port scans is "several packets to different destination
ports from the same source address within a short period of time". Another such signature could
be "SYN to a non-listening port".
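As an added example (not Cisco IPS code or Cisco signatures), the following program applies the two signatures quoted above, plus the equivalent one for ping sweeps (echo requests to many different hosts from one source), to a list of packet records. The sliding window, the thresholds, the table of listening ports and the sample traffic are all constructed here; a real sensor would take its packets from a capture or a flow export.

```python
"""Signature-style detection of port scans and ping sweeps.

Added example, not from the Cisco guide. Packet records, thresholds and the
listening-port table are constructed for the demonstration."""
from collections import defaultdict, deque

# Record layout: (timestamp_s, src_ip, dst_ip, protocol, dst_port, tcp_flags)
# tcp_flags is "S" for a bare SYN; dst_port and tcp_flags are None for ICMP.
# Constructed sample traffic: normal web use from 10.1.1.5, a SYN scan from
# 203.0.113.9 and a ping sweep of 10.1.1.0/24 from 198.51.100.7.
SAMPLE_PACKETS = [
    (0.0, "10.1.1.5", "10.1.1.20", "tcp", 80, "S"),
    (0.3, "10.1.1.5", "10.1.1.20", "tcp", 443, "S"),
    (1.0, "203.0.113.9", "10.1.1.20", "tcp", 21, "S"),
    (1.1, "203.0.113.9", "10.1.1.20", "tcp", 22, "S"),
    (1.2, "203.0.113.9", "10.1.1.20", "tcp", 23, "S"),
    (1.3, "203.0.113.9", "10.1.1.20", "tcp", 25, "S"),
    (1.4, "203.0.113.9", "10.1.1.20", "tcp", 80, "S"),
    (1.5, "203.0.113.9", "10.1.1.20", "tcp", 139, "S"),
] + [(2.0 + i * 0.05, "198.51.100.7", "10.1.1.%d" % i, "icmp", None, None)
     for i in range(1, 13)]

# Ports with a real service behind them on each host (constructed).
LISTENING = {"10.1.1.20": {22, 80, 443}}


class ReconDetector:
    def __init__(self, port_threshold=5, host_threshold=10, window=3.0,
                 listening=None):
        self.port_threshold = port_threshold   # distinct ports per (src, dst)
        self.host_threshold = host_threshold   # distinct hosts pinged per src
        self.window = window                   # seconds of history kept
        self.listening = listening or {}
        self._ports = defaultdict(deque)       # (src, dst) -> [(ts, dport)]
        self._hosts = defaultdict(deque)       # src -> [(ts, dst)]

    @staticmethod
    def _trim(history, now, window):
        """Drop entries older than the window (records arrive time-ordered)."""
        while history and now - history[0][0] > window:
            history.popleft()

    def feed(self, packet):
        """Process one record; return the alerts it triggers (usually none)."""
        ts, src, dst, proto, dport, flags = packet
        alerts = []
        if proto == "tcp" and flags == "S":
            if dport not in self.listening.get(dst, set()):
                alerts.append("SYN to non-listening port %s:%d from %s"
                              % (dst, dport, src))
            history = self._ports[(src, dst)]
            history.append((ts, dport))
            self._trim(history, ts, self.window)
            if len({p for _, p in history}) >= self.port_threshold:
                alerts.append("port scan of %s from %s" % (dst, src))
                history.clear()   # report once per burst, not per packet
        elif proto == "icmp":
            history = self._hosts[src]
            history.append((ts, dst))
            self._trim(history, ts, self.window)
            if len({d for _, d in history}) >= self.host_threshold:
                alerts.append("ping sweep from %s" % src)
                history.clear()
        return alerts

    def run(self, packets):
        out = []
        for pkt in sorted(packets, key=lambda p: p[0]):
            out.extend(self.feed(pkt))
        return out


def detect(packets=SAMPLE_PACKETS):
    return ReconDetector(listening=LISTENING).run(packets)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The thresholds are the tuning knobs a real deployment has to get right: set the port threshold too low and a busy legitimate client trips it, set the window too short and a slow scan (one probe every few seconds) slips underneath it, which is precisely the evasion a patient attacker uses.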



Internet Information Queries

[Figure: sample IP address (WHOIS) query]

Attackers can use Internet tools like “WHOIS” as a weapon.

The figure demonstrates how existing Internet tools can be used for network reconnaissance.

Domain name system (DNS) queries can reveal such information as who owns a particular
domain and what addresses have been assigned to that domain. Ping sweeps of the addresses
revealed by the DNS queries can present a picture of the live hosts in a particular environment.
After such a list is generated, port scanning tools can cycle through all well-known ports to
provide a complete list of all services running on the hosts discovered by the ping sweep.
Finally, the hackers can examine the characteristics of the applications that are running on the
hosts. This step can lead to specific information that is useful when the hacker attempts to
compromise that service.

IP address queries can reveal information such as who owns a particular IP address or range of
addresses and what domain is associated with them.

Access Attacks and Mitigation
This topic describes the mitigation of access attacks including password attacks, trust
exploitation, port redirection and man-in-the-middle attacks.

Access Attacks

Intruders use access attacks on networks or systems for the following reasons:
• Retrieve data
• Gain access
• Escalate their access privileges

Access attacks include the following:
• Password attacks
• Trust exploitation
• Port redirection
• Man-in-the-middle attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and Web
services to gain entry to Web accounts, confidential databases, and other sensitive information.
Access attacks can consist of the following:
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks

Each of these attacks will be discussed in detail.



Password Attacks

Hackers implement
password attacks
using the following:
• Brute-force attacks
• Trojan horse programs
• IP spoofing
• Packet sniffers


Password attacks can be implemented using several methods, including brute-force attacks,
Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP
spoofing can yield user accounts and passwords, password attacks usually refer to repeated
attempts to identify a user account, password, or both. These repeated attempts are called
brute-force attacks.

Often a brute-force attack is performed using a program that runs across the network and
attempts to log in to a shared resource, such as a server. When an attacker gains access to a
resource, the attacker has the same access rights as the user whose account has been
compromised. If this account has sufficient privileges, the attacker can create a back door for
future access that survives any later status or password change to the compromised user
account.

Password Attack Example

• L0phtCrack can take the hashes of passwords and generate the clear-text
passwords from them.
• Passwords are computed using two methods:
– Dictionary cracking
– Brute-force computation

Just as with packet sniffer and IP spoofing attacks, a brute-force password attack can provide
access to accounts that can be used to modify critical network files and services. An example
that compromises your network integrity is when an attacker modifies the routing tables for
your network. By doing so, the attacker ensures that all network packets are routed to the
attacker before they are transmitted to their final destination. In such a case, an attacker can
monitor all network traffic, effectively becoming a man in the middle.

A big security risk lies in storing passwords as clear text. To overcome the risk, most systems
run the password through a one-way hash function and store only the resulting hash. A one-way
hash is a string of characters that cannot be reversed into its original text, so the system never
holds the password itself. During the login process, you supply an account and password, the
system computes the one-way hash of the supplied password, and this hash is compared to the
hash stored on the system. If they are the same, it is assumed that the proper password was
supplied.

A password hash is the result of the password being passed through an algorithm. The hash is
not an encrypted password (there is no key, and nothing to decrypt), but rather the output of the
algorithm. The strength of the hash lies in the fact that the same value can only be recreated
from the original password, and that it is computationally infeasible to retrieve the original
password from the hash. This strength makes hashes suitable for storing passwords. In granting
authorization, the hashes are calculated and compared, rather than the plain password. Note
that a hash can still be attacked by guessing: the attacker hashes candidate passwords and
compares the results, which is exactly what the tool described next does, and unsalted hashes
(such as Windows NT hashes) let one set of guesses be checked against every user at once.

L0phtCrack is a Windows NT password-auditing tool used to compute Windows NT user
passwords from the cryptographic hashes that are stored in the system registry. L0phtCrack
computes the password from a variety of sources using a variety of methods. The end result is a
state-of-the-art tool for recovering the passwords that users use.

The following are the two methods for computing passwords with L0phtCrack:

Dictionary cracking: The password hashes for all of the words in a dictionary file are
computed and compared against all of the password hashes for the users. This method is
extremely fast and finds very simple passwords.
Brute-force computation: This method uses a particular character set, such as A to Z, or A
to Z plus 0 to 9, and computes the hash for every possible password made up of those
characters. Brute-force computation always finds the password if that password is made
up of the character set you have selected to test. The problem for the attacker is that the
time required grows exponentially with the password length and the size of the character set.
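The following program is an added example, not from the Cisco course and not L0phtCrack, of the hashing, dictionary cracking and brute-force computation described above. SHA-256 with a per-user salt is assumed in place of the NT hash (which is MD4 based and unsalted), and the user database, word list and passwords are constructed sample data.

```python
"""Stored password hashes, login verification, and the two attacks on them.

Added example, not from the Cisco guide and not L0phtCrack. SHA-256 with a
per-user salt is assumed; the users, passwords and word list are constructed."""
import hashlib
import itertools
import string


def hash_password(password, salt):
    """One-way hash of salt + password; only the hash and salt are stored."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def verify_login(db, username, password):
    """Recompute the hash from the supplied password and compare."""
    salt, stored = db[username]
    return hash_password(password, salt) == stored


def dictionary_crack(db, wordlist):
    """Hash each dictionary word (once per salt) and look for matches."""
    found, attempts = {}, 0
    for user, (salt, stored) in db.items():
        for word in wordlist:
            attempts += 1
            if hash_password(word, salt) == stored:
                found[user] = word
                break
    return found, attempts


def brute_force_crack(db, charset, max_len):
    """Try every string over charset up to max_len. Always succeeds when the
    password lies in that space, but the space grows as len(charset)**n."""
    found, attempts = {}, 0
    for user, (salt, stored) in db.items():
        for n in range(1, max_len + 1):
            for combo in itertools.product(charset, repeat=n):
                attempts += 1
                candidate = "".join(combo)
                if hash_password(candidate, salt) == stored:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, attempts


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search over lengths 1..length covers."""
    return sum(charset_size ** n for n in range(1, length + 1))


# Constructed demo database: fixed salts keep the output deterministic
# (a real system draws each salt from os.urandom).
DEMO_DB = {
    "psmith": (b"salt-1", hash_password("mybirthday", b"salt-1")),
    "jdoe":   (b"salt-2", hash_password("abc", b"salt-2")),
    "admin":  (b"salt-3", hash_password("mY8!Rthd8y", b"salt-3")),
}
DEMO_WORDLIST = ["password", "letmein", "mybirthday", "cisco", "qwerty"]


def demo():
    """Dictionary attack recovers the dictionary word; a short brute force
    over a-z recovers the three-letter password; the strong one survives."""
    by_dict, _ = dictionary_crack(DEMO_DB, DEMO_WORDLIST)
    by_brute, _ = brute_force_crack(DEMO_DB, string.ascii_lowercase, 3)
    return by_dict, by_brute


if __name__ == "__main__":
    print(demo())
    print("lowercase only, up to 8 chars:", keyspace(26, 8))
    print("94 printable characters, up to 8 chars:", keyspace(94, 8))
```

The two keyspace figures printed at the end are the whole argument for the strong-password rule in the next topic: moving from one character class to all four multiplies the brute-force work by several thousand at the same length.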

Password Attack Mitigation

The following are password attack mitigation techniques:
• Do not allow users to use the same password on
multiple systems.
• Disable accounts after a certain number of
unsuccessful login attempts.
• Do not use plain text passwords.
• Use “strong” passwords. (Use ‘mY8!Rthd8y’ rather
than ‘mybirthday’)

Password attack mitigation techniques are as follows:
Do not allow users to have the same password on multiple systems. Most users use the
same password for each system they access, and often personal system passwords are also
the same, so one compromised system gives up the others.
Disable accounts after a specific number of unsuccessful logins. This practice helps to
prevent continuous password attempts. Be aware that an attacker can deliberately trigger
lockouts to deny service to legitimate users, so log and alert on them.
Do not use plain-text passwords. Use of either an OTP or encrypted password is
recommended.
Use “strong” passwords. Strong passwords are at least eight characters long and contain
uppercase letters, lowercase letters, numbers, and special characters. Many systems now
provide strong password support and can restrict a user to the use of strong passwords only.



Trust Exploitation

• A hacker leverages existing trust relationships.
• Several trust models exist:
– Windows: domains, Active Directory
– Linux and UNIX: NIS, NIS+

[Figure: trust relationships: SystemA trusts SystemB; SystemB trusts everyone; in effect, SystemA trusts everyone. SystemB (User = psmith; Pat Smith) is compromised by the hacker (User = psmith; Pat Smithson), who thereby gains access to SystemA (User = psmith; Pat Smith)]

Although it is not an attack in itself, trust exploitation refers to an individual taking advantage
of a trust relationship within a network.

An example of when a trust exploitation can take place is when a perimeter network is
connected to a corporate network. These network segments often house DNS, Simple Mail
Transfer Protocol (SMTP), and HTTP servers. Because these servers all reside on the same
segment, a compromise of one system can lead to the compromise of other systems if those
other systems in turn trust systems attached to the same network.

Another example of trust exploitation is a system on the outside of a firewall that has a trust
relationship with a system on the inside of a firewall. When the outside system is compromised,
the attacker can leverage that trust relationship to attack the inside network.

Trust Exploitation Attack Mitigation

[Figure: SystemA (User = psmith; Pat Smith); SystemB, compromised by the hacker (User = psmith; Pat Smith); the hacker (User = psmith; Pat Smithson) is blocked from SystemA]

You can mitigate trust exploitation-based attacks through tight constraints on trust levels within
a network.

Systems on the outside of a firewall should never be absolutely trusted by systems on the inside
of a firewall. Such trust should be limited to specific protocols and, where possible, should be
validated by something other than an IP address.



Port Redirection

[Figure: the attacker connects to compromised Host A on port 22 (Source: Attacker, Destination: A, Port: 22); Host A redirects the session to Host B on port 23 (Source: A, Destination: B, Port: 23), so the attacker effectively reaches B on port 23 (Source: Attacker, Destination: B, Port: 23)]

Port redirection attacks are a type of trust exploitation attack that uses a compromised host to
pass traffic that would otherwise be dropped, through a firewall. Consider a firewall with three
interfaces and a host on each interface. The host on the outside can reach the host on the public
services segment (commonly referred to as a demilitarized zone [DMZ]) (Host A in this
example), but not the host on the inside (Host B in this example). The host on the public
services segment can reach the host on both the outside and the inside. If hackers are able to
compromise the public services segment host, they can install software to redirect traffic from
the outside host directly to the inside host. Though neither communication violates the rules
implemented in the firewall, the outside host has now achieved connectivity to the inside host
through the port redirection process on the public services host. An example of an application
that can provide this type of access is Netcat.

Netcat is a full-featured networking utility that reads and writes data across network connections
using the TCP/IP protocols. Netcat is designed to be a reliable "back-end" tool that can be used
directly or that can easily be driven by other programs and scripts. At the same time, Netcat is a
feature-rich network debugging and exploration tool because it can create almost any kind of
connection that you would need and has several interesting built-in capabilities.

Port redirection can be mitigated primarily through the use of proper trust models that are
network specific: the firewall should not allow the public services segment to initiate
connections to the inside in the first place. Assuming a system is under attack, a host-based IPS
can help detect a hacker and prevent installation of such utilities on a host.
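The following program is an added example (not from the Cisco course and not Netcat) of the relay that a port redirection attack installs on the compromised host: it accepts connections on one port and copies bytes in both directions to another host and port, which is the primitive Netcat-style tools provide. To keep it self-contained and offline, the "inside" host is a small echo service on loopback and both services use ephemeral ports rather than 22 and 23; the banner and message are sample values.

```python
"""TCP port redirector: listen on one port, relay each connection elsewhere.

Added example, not from the Cisco guide and not Netcat. The 'inside host' is
a loopback echo service constructed here so the demonstration runs offline."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, handler):
    """Accept connections forever on a daemon thread, one thread per client."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_redirector(target_host, target_port, listen_host="127.0.0.1"):
    """The attacker's tool on the compromised host: every client that connects
    is joined to target_host:target_port. Returns the listening port."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, 0))
    listener.listen(5)

    def handle(client):
        try:
            upstream = socket.create_connection((target_host, target_port),
                                                timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    _serve(listener, handle)
    return listener.getsockname()[1]


def start_echo_service(listen_host="127.0.0.1"):
    """Stand-in for the inside host: sends a banner, then echoes input."""
    listener = socket.socket()
    listener.bind((listen_host, 0))
    listener.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(b"inside-host ready\r\n")
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    _serve(listener, handle)
    return listener.getsockname()[1]


def reach_inside_via_redirector(message=b"hello from outside\r\n"):
    """The outside client only ever talks to the redirector, yet receives the
    inside host's banner and echo: the firewall saw two permitted flows."""
    inside_port = start_echo_service()
    relay_port = start_redirector("127.0.0.1", inside_port)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    print(reach_inside_via_redirector())
```

From the firewall's point of view there are two separate, individually permitted connections (outside to A, A to inside); only a policy that forbids the public services segment from opening connections inward, or a HIPS that stops the relay being installed, breaks the chain.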

Man-in-the-Middle Attacks

[Figure: Host A – Router A – Router B – Host B, data in clear text]

• A man-in-the-middle attack requires that the hacker have access to network packets that
come across a network.
• A man-in-the-middle attack is implemented using the following:
– Network packet sniffers
– Routing and transport protocols

The possible uses of man-in-the-middle attacks are the following:
Theft of information
Hijacking of an ongoing session to gain access to your internal network resources
Traffic analysis to derive information about your network and its users
Denial of service
Corruption of transmitted data
Introduction of new information into network sessions

An example of a man-in-the-middle attack is when someone working for your ISP gains access
to all network packets transferred between your network and any other network. Man-in-the-
middle attackers take care not to disrupt traffic and thus set off alarms. Instead, they use their
position to stealthily extract information from the network.



Man-in-the-Middle Attack Mitigation

A man-in-the-middle attack can see only cipher text.

[Figure: Host A – Router A – ISP – Router B – Host B, with an IPSec tunnel between Router A and Router B across the ISP]

Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography
(encryption).

Man-in-the-middle attack mitigation is achieved, as shown in the figure, by encrypting traffic in
an IPSec tunnel. Encryption allows the hacker to see only cipher text. Note that the tunnel must
also authenticate the peers and protect packet integrity (as IPSec does); otherwise an attacker in
the path could still tamper with the data or impersonate a peer. An attacker who controls the
path can always drop traffic, so encryption does not remove the denial of service case listed
above.

Denial of Service Attacks and Mitigation
This topic describes the mitigation of denial of service attacks including IP spoofing and
distributed denial of service (DDoS) attacks.

Denial of Service Attacks

A denial of service (DoS) attack damages or corrupts your computer system or denies you and
others access to your networks, systems or services.

DoS attacks include:
• IP spoofing
• Distributed denial of service (DDoS) attacks

DoS attacks are the most publicized form of attack, and are also among the most difficult to
completely eliminate. Even within the hacker community, DoS attacks are regarded as trivial
and considered bad form because they require so little effort to execute. Still, because of their
ease of implementation and potentially significant damage, DoS attacks deserve special
attention from security administrators. If you are interested in learning more about DoS attacks,
researching the methods employed by some of the better-known attacks can be useful. DoS
attacks can consist of the following:
IP spoofing
DDoS



IP Spoofing

• IP spoofing occurs when a hacker inside or outside a network impersonates the
conversations of a trusted computer.
• IP spoofing can use either a trusted IP address in the network or a trusted external IP
address.
• Uses for IP spoofing include the following:
– Injecting malicious data or commands into an existing data stream
– Diverting all network packets to the hacker who can then reply as a trusted user by
changing the routing tables
• IP spoofing may only be one step in a larger attack.

IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder
sends messages to a computer with an IP address indicating that the message is coming from a
trusted host. To engage in IP spoofing, hackers must first use a variety of techniques to find an
IP address of a trusted host and then modify their packet headers to appear as though packets
are coming from that trusted host. Further, the attacker can engage other unsuspecting hosts to
also generate traffic that appears as though it too is coming from the trusted host, thus flooding
the network.

Routers determine the best route between distant computers by examining the destination
address. The originating address is ignored by routers. However, the destination machine uses
the originating address when it responds back to the source. In a spoofing attack, the intruder
sends messages to a computer indicating that the message has come from a trusted system. For
example, an attacker outside your network pretends to be a trusted computer, either by using an
IP address that is within the range of IP addresses for your network or by using an authorized
external IP address that your network trusts and provides specified resource access to. To be
successful, the intruder must first determine the IP address of a trusted system, and then modify
the packet headers so that it appears that the packets are coming from the trusted system. The
goal of the attack is to establish a connection that allows the attacker to gain root access to the
host and to create a backdoor entry path into the target system.

Normally, an IP spoofing attack is limited to the injection of data or commands into an existing
stream of data passed between a client and server application or a peer-to-peer network
connection. To enable bidirectional communication, the attacker must change all routing tables
to point to the spoofed IP address. Another approach the attacker could take is to simply not
worry about receiving any response from the applications. For example, if an attacker is
attempting to get a system to mail a sensitive file, application responses are unimportant.

If an attacker manages to change the routing tables to divert network packets to the spoofed IP
address, the attacker can receive all the network packets that are addressed to the spoofed
address and reply just as any trusted user can. Like packet sniffers, IP spoofing is not restricted
to people who are external to the network.

IP spoofing can also provide access to user accounts and passwords, or it can be used in other
ways. For example, an attacker can emulate one of your internal users in ways that prove
embarrassing for your organization. The attacker could send e-mail messages to business
partners that appear to have originated from someone within your organization. Such attacks
are easier when an attacker has a user account and password, but they are also possible when
simple spoofing attacks are combined with knowledge of messaging protocols.



IP Spoofing Attack Mitigation

The threat of IP spoofing can be reduced, but not eliminated, using the following measures:
• Access control configuration
• Encryption
• RFC 2827 filtering
• Additional authentication requirement that does not use IP address-based authentication. Examples are:
– Cryptographic (recommended)
– Strong, two-factor, one-time passwords


The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
• Access control configuration: The most common method for preventing IP spoofing is to properly configure access control. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Note that this helps prevent spoofing attacks only if the internal addresses are the only trusted addresses. If some external addresses are trusted, this method is not effective.
• Encryption: Another possible way to prevent IP spoofing is to encrypt all network traffic, so that source and destination hosts cannot be compromised.
• RFC 2827 filtering: You can prevent your network users from spoofing other networks (and be a good Internet citizen at the same time) by blocking any outbound traffic on your network that does not have a source address in your organization's IP range. This filtering denies any traffic that does not have the source address that was expected on a particular interface. For example, if an ISP is providing a connection to the IP address 15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24 can enter the ISP router from that interface. Note that unless all ISPs implement this type of filtering, its effectiveness is significantly reduced.
• Additional authentication: The most effective method for mitigating the threat of IP spoofing is the same as the most effective method for mitigating the threat of packet sniffers: eliminate its effectiveness. IP spoofing can function correctly only when devices use IP address-based authentication; therefore, if you use additional authentication methods, IP spoofing attacks are irrelevant. Cryptographic authentication is the best form of additional authentication. However, when cryptographic authentication is not possible, strong two-factor authentication using OTPs can also be effective.
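The access control and RFC 2827 rules above, as an added example that is not part of the SND guide: a small Python filter that applies both checks to constructed sample packets. It assumes the organization owns the 15.1.1.0/24 prefix used in the text and a router with an "inside" interface facing the LAN and an "outside" interface facing the ISP. The trusted external address is a constructed value, included to show the limitation the text notes: a spoof of a trusted external address passes an address-based filter unchanged.

```python
"""Added example (not from the SND guide): an RFC 2827-style anti-spoof filter
applied to constructed sample packets.

Assumed topology: the organization owns 15.1.1.0/24 (the prefix used in the
text); the router has an "inside" interface facing the LAN and an "outside"
interface facing the ISP. The trusted external address is a constructed value.
"""
import ipaddress
from dataclasses import dataclass, field

ORG_PREFIX = ipaddress.ip_network("15.1.1.0/24")
# Constructed: one external host the organization trusts for some service.
TRUSTED_EXTERNAL = {ipaddress.ip_address("198.51.100.25")}


@dataclass
class Packet:
    ingress_iface: str  # "inside" (from the LAN) or "outside" (from the ISP)
    src: str
    dst: str


@dataclass
class AntiSpoofFilter:
    org_prefix: ipaddress.IPv4Network = ORG_PREFIX
    trusted_external: set = field(default_factory=lambda: set(TRUSTED_EXTERNAL))
    log: list = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """Return "permit" or "deny"; every denied packet is logged."""
        src = ipaddress.ip_address(pkt.src)
        internal_src = src in self.org_prefix
        if pkt.ingress_iface == "outside" and internal_src:
            # Access-control rule: a packet from the external network must
            # never carry a source address that belongs inside.
            self.log.append(f"deny in  src={pkt.src} dst={pkt.dst} (internal source on outside)")
            return "deny"
        if pkt.ingress_iface == "inside" and not internal_src:
            # RFC 2827 egress rule: only our own prefix may leave, so an
            # inside host cannot spoof someone else's network.
            self.log.append(f"deny out src={pkt.src} dst={pkt.dst} (foreign source on inside)")
            return "deny"
        return "permit"

    def covered_by_filter(self, src: str) -> bool:
        """False for trusted external addresses: a spoof of one of these is
        indistinguishable from genuine traffic on the outside interface, which
        is why the text says address-based trust limits the filter."""
        return ipaddress.ip_address(src) not in self.trusted_external


def run_sample() -> dict:
    """Apply the filter to constructed packets and return the decisions."""
    f = AntiSpoofFilter()
    samples = {
        "inbound_internal_src": Packet("outside", "15.1.1.7", "15.1.1.20"),
        "inbound_normal": Packet("outside", "203.0.113.9", "15.1.1.20"),
        "outbound_normal": Packet("inside", "15.1.1.7", "203.0.113.9"),
        "outbound_foreign_src": Packet("inside", "192.0.2.44", "203.0.113.9"),
        "inbound_trusted_external": Packet("outside", "198.51.100.25", "15.1.1.20"),
    }
    decisions = {name: f.decide(p) for name, p in samples.items()}
    decisions["log_entries"] = len(f.log)
    return decisions


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:28} {verdict}")
```

The two denied packets are exactly the two cases the text describes; the trusted external address is permitted even though nothing in the packet proves who sent it, which is the gap that the additional-authentication measure closes.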

DoS and DDoS Attacks

DoS attacks focus on making a service unavailable for normal use. They have the following characteristics:
• Generally not targeted at gaining access to your network or the information on your network
• Require very little effort to execute
• Difficult to eliminate, but their damage can be minimized


A DoS attack on a server sends extremely large volumes of requests over a network or the
Internet. These large volumes of requests cause the attacked server to slow down dramatically.
Consequently, the attacked server becomes unavailable for legitimate access and use.

DoS attacks are different from most other attacks because they are not targeted at gaining
access to your network or the information on your network. These attacks focus on making a
service unavailable for normal use. This result is typically accomplished by exhausting some
resource limitation on the network or within an operating system or application. These attacks
require little effort to execute because they typically take advantage of protocol weaknesses or
because the attacks are carried out using traffic that would normally be allowed into a network.
DoS attacks are among the most difficult to completely eliminate because of the way they use
protocol weaknesses and “native” traffic to attack a network.

For all known DoS attacks, there are software fixes that system administrators can install to
limit the damage caused by the attacks. However, like viruses, new DoS attacks are constantly
being developed by hackers.



DDoS Example

[Figure: the attacker's client system controls handler systems, which in turn control agent systems.]
1. Scan for systems to hack.
2. Install software to scan, compromise, and infect agents.
3. Agents are loaded with remote control attack software.
4. The client issues commands to handlers that control agents in a mass attack.

DDoS attacks are the “next generation” of DoS attacks on the Internet. This type of attack is
not new. UDP and TCP SYN flooding, ICMP echo-request floods, and ICMP directed
broadcasts (also known as smurf attacks) are similar to DDoS attacks; however, the scope of
the attack is new. Victims of DDoS attacks experience packet flooding from many different
sources, possibly with spoofed IP source addresses, that brings their network connectivity to a
grinding halt. In the past, the typical DoS attack involved a single attempt to flood a target host
with packets. With DDoS tools, an attacker can conduct the same attack using thousands of
systems.

In the figure, the hacker uses a terminal to scan for systems to hack. After handler systems are
accessed, the hacker installs software on these systems. This software attempts to scan for,
compromise, and infect agent systems. When the agent systems are accessed, the hacker then
loads remote control attack software to carry out the DDoS attack.

DoS and DDoS Attack Mitigation

The threat of DoS attacks can be reduced using:
• Antispoof features on routers and firewalls
• Anti-DoS features on routers and firewalls
• Traffic rate limiting at the ISP level


When attacks involve specific network server applications, such as an HTTP server or an FTP
server, the attacker focuses on acquiring and keeping all the available connections supported by
that server open. This strategy effectively locks out valid users of the server or service.

DoS attacks can also be implemented using common Internet protocols, such as TCP and
ICMP. For example, “Ping of Death” and “Teardrop” attacks exploit limitations in the TCP/IP
protocols. While most DoS attacks exploit a weakness in the overall architecture of the system
being attacked rather than a software bug or security hole, some attacks compromise the
performance of your network by flooding the network with undesired, and often useless,
network packets and by providing false information about the status of network resources.

The threat of DoS attacks can be reduced through the following three methods:
• Anti-spoof features: Proper configuration of anti-spoof features on your routers and firewalls can reduce your risk. This configuration includes filtering at least to an RFC 2827 level. If hackers cannot mask their identities, they might not attack.
• Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the number of half-open TCP connections that a system allows at any given time.
• Traffic rate limiting: An organization can implement traffic rate limiting with its ISP. This type of filtering limits the amount of nonessential traffic that crosses network segments to a certain rate. A common example is to limit the amount of ICMP traffic allowed into a network, because it is used only for diagnostic purposes. ICMP-based DDoS attacks are common.
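The half-open connection limit and the ICMP rate limit described above, modelled in Python as an added example that is not part of the SND guide. The first class tracks SYNs for a protected server until the handshake completes and drops new SYNs once the embryonic-connection table is full; the second is a token bucket that passes diagnostic ICMP at a modest sustained rate and drops a flood. The trace, the addresses and the thresholds (50 half-open connections, 4 echo requests per second with a burst of 20) are constructed values chosen to make the behaviour visible, not recommended settings.

```python
"""Added example (not from the SND guide): two router/firewall anti-DoS
controls, a half-open TCP connection limit and an ICMP token-bucket rate
limiter, driven by a constructed packet trace. All thresholds and addresses
are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenLimiter:
    """Caps the number of embryonic (SYN received, not yet ACKed) connections
    a protected server may hold; the control the text calls a limit on
    half-open TCP connections."""
    max_half_open: int
    half_open: set = field(default_factory=set)   # (src, sport) awaiting ACK
    dropped: int = 0

    def on_syn(self, src: str, sport: int) -> bool:
        key = (src, sport)
        if key in self.half_open:
            return True                      # retransmitted SYN, no new state
        if len(self.half_open) >= self.max_half_open:
            self.dropped += 1
            return False                     # table full: SYN is dropped
        self.half_open.add(key)
        return True

    def on_ack(self, src: str, sport: int) -> None:
        self.half_open.discard((src, sport))  # handshake completed

    def expire(self, src: str, sport: int) -> None:
        self.half_open.discard((src, sport))  # embryonic timeout or RST


@dataclass
class TokenBucket:
    """ICMP rate limiter: tokens refill at rate_pps, never exceeding burst."""
    rate_pps: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate() -> dict:
    """Drive both controls with a constructed trace and return the counts."""
    result = {}
    syn = HalfOpenLimiter(max_half_open=50)

    # Ten ordinary clients complete the handshake, so they leave no state.
    result["legit_before_flood"] = sum(
        syn.on_syn(f"10.0.0.{i}", 40000 + i) for i in range(10))
    for i in range(10):
        syn.on_ack(f"10.0.0.{i}", 40000 + i)

    # SYN flood: 200 SYNs from (spoofed) sources that never answer.
    result["flood_accepted"] = sum(
        syn.on_syn(f"192.0.2.{i % 250}", 1024 + i) for i in range(200))
    result["flood_dropped"] = syn.dropped

    # While the table is full a real client is refused too: the limit
    # protects the server's memory but does not make the flood harmless.
    result["legit_during_flood"] = syn.on_syn("10.0.0.99", 5000)

    # Embryonic connections time out and are cleared; service resumes.
    for src, sport in list(syn.half_open):
        syn.expire(src, sport)
    result["legit_after_timeout"] = syn.on_syn("10.0.0.99", 5000)

    # ICMP at one echo request per second: all pass.
    bucket = TokenBucket(rate_pps=4.0, burst=20)
    result["icmp_allowed_normal"] = sum(bucket.allow(float(t)) for t in range(10))
    # ICMP flood: 100 echo requests 125 ms apart (8 per second, twice the rate).
    bucket = TokenBucket(rate_pps=4.0, burst=20)
    result["icmp_allowed_flood"] = sum(bucket.allow(i * 0.125) for i in range(100))
    return result


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:22} {value}")
```

The half-open limit shows why it is a damage-limiting control rather than a cure: legitimate clients are refused while the table is full and recover only when the embryonic entries time out. The token bucket lets the burst of 20 through, then admits only every other request at twice the configured rate.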



Worm, Virus, and Trojan Horse Attacks and
Mitigation
This topic describes the mitigation of worm, virus, and Trojan horse attacks.

Worm, Virus, and Trojan Horse Attacks

The primary vulnerabilities for end-user workstations are:
• Worms
• Viruses
• Trojan horse attacks


Viruses are malicious software that are attached to other programs and which execute a
particular unwanted function on a user workstation. A virus propagates itself by infecting other
programs on the same computer. Viruses can do serious damage, such as erasing files or erasing
an entire disk. They can also be a simple annoyance, such as popping up a window that says
"Ha ha you are infected!" True viruses cannot spread to a new computer without human
assistance, such as introducing an infected file on a floppy disk, as an email attachment, or
through file sharing.

A worm executes arbitrary code and installs copies of itself in the memory of the infected
computer. It can then infect other hosts from the infected computer. Like a virus, a worm is also
a program that propagates itself. Unlike a virus, a worm can spread itself automatically over the
network from one computer to the next. Worms are not clever or evil; they just take advantage
of automatic file sending and receiving features found on many computers.

Trojan horse is a general term, referring to programs that appear desirable, but actually contain
something harmful. For example, a downloaded game could erase files. The contents could also
hold a virus or a worm.

A Trojan horse can attack on three levels. A virus known as the “Love Bug” is an example of a
Trojan horse because it pretended to be a love letter when it actually carried a harmful program.
The Love Bug was a virus because it infected all image files on the attacked disk, turning them
into new Trojans. Finally, the Love Bug was a worm because it propagated itself over the
Internet by hiding in the Trojan horses that it sent out using addresses in the attacked email
address book.

Virus and Trojan Horse Attacks

Viruses and Trojan horses can be contained by the following:
• Effective use of antivirus software
• Keeping up-to-date with the latest developments in these sorts of attacks
• Keeping up-to-date with the latest antivirus software and application versions


Viruses and Trojan horse attacks can be contained through the effective use of antivirus
software at the user level and potentially at the network level. Antivirus software can detect
most viruses and many Trojan horse applications and prevent them from spreading in the
network. Keeping up-to-date with the latest developments in these sorts of attacks can also lead
to a more effective posture against these attacks. As new virus or Trojan horse applications are
released, enterprises need to keep up-to-date with the latest antivirus software and application
versions.



The Anatomy of a Worm Attack

1. The enabling vulnerability
2. Propagation mechanism
3. Payload


The anatomy of a worm attack is as follows:
• The enabling vulnerability: A worm installs itself on a vulnerable system.
• Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets.
• Payload: Once the device is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.

Typically, worms are self-contained programs that attack a system and try to exploit
vulnerabilities in the target. Upon successful exploitation of the vulnerability, the worm copies
its program from the attacking host to the newly exploited system to begin the cycle again. A
virus normally requires a path to carry the virus code from one system to another. The vector
can be a word-processing document, an e-mail message, or an executable program. The key
element that distinguishes a computer worm from a computer virus is that human interaction is
required to facilitate the spread of a virus.

Mitigating Worm Attacks

Four steps to mitigate worm attacks:
• Step 1 – Contain
• Step 2 – Inoculate
• Step 3 – Quarantine
• Step 4 – Treat


Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. The following are the recommended steps for worm attack mitigation:
• Containment: Contain the spread of the worm into and within your network. Compartmentalize parts of your network that have not been infected.
• Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
• Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
• Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Typical incident response methodologies can be subdivided into six major categories. The following categories are based on the network service provider security (NSP-SEC) incident response methodology:
• Preparation: Acquire the resources to respond.
• Identification: Identify the worm.
• Classification: Classify the type of worm.
• Traceback: Trace the worm back to its origin.
• Reaction: Isolate and repair the affected systems.
• Post mortem: Document and analyze the process used for the future.



Application Layer Attacks and Mitigation
This topic describes the mitigation of application-layer attacks.

Application-Layer Attacks

Application-layer attacks have the following characteristics:
• Exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)
• Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)
• Can never be completely eliminated, because new vulnerabilities are always being discovered

[Figure: OSI model layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data link, 1 Physical]

Application-layer attacks can be implemented using several different methods:
• One of the most common methods of implementing application-layer attacks is exploiting well-known weaknesses in software commonly found on servers, such as Sendmail, PostScript, and FTP. By exploiting these weaknesses, attackers can gain access to a computer with the permission of the account running the application. The account is usually a privileged, system-level account.
• Trojan horse program attacks are implemented using programs that an attacker substitutes for common programs. These programs may provide all the functionality that the normal program provides, but may also include other features that are known to the attacker, such as monitoring login attempts to capture user account and password information. These programs can capture sensitive information and distribute it back to the attacker. They can also modify application functionality, such as applying a blind carbon copy to all e-mail messages so that the attacker can read all of the organization's e-mail.
• One of the oldest forms of application-layer attacks is a Trojan horse program that displays a screen, banner, or prompt that the user believes is the valid login sequence. The program then captures the information that the user enters and stores or e-mails it to the attacker. Next, the program either forwards the information to the normal login process (normally impossible on modern systems) or simply sends an expected error to the user (for example, Bad Username or Bad Password or a combination), exits, and starts the normal login sequence. The user believes that they have incorrectly entered the password, re-enters the information, and is allowed access.
• One of the newest forms of application-layer attacks exploits the openness of several new technologies: the HTML specification, web browser functionality, and HTTP. These attacks, which include Java applets and ActiveX controls, involve passing harmful programs across the network and loading them through a user browser.



Application-Layer Attack Mitigation

Measures you can take to reduce your risks include the following:
• Read operating system and network log files, or have them analyzed by log analysis applications.
• Subscribe to mailing lists that publicize vulnerabilities.
• Keep your operating system and applications current with the latest patches.
• Use IDS/IPS that can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.


The following are some measures you can take to reduce your risks for application-layer attacks:
• Read operating system and network log files or have them analyzed. It is important to review all logs and take action accordingly.
• Subscribe to mailing lists that publicize vulnerabilities. Most application and operating system vulnerabilities are published on the Web by various sources.
• Keep your operating system and applications current with the latest patches. Always test patches and fixes in a non-production environment. This practice prevents downtime and keeps errors from being generated unnecessarily.
• Use intrusion detection systems (IDS) or intrusion prevention systems (IPS) or both IDS and IPS to scan for known attacks, monitor and log attacks, and ultimately prevent attacks. Using these systems is essential to identifying security threats and mitigating some of these threats. In most cases, mitigation can be done automatically.
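The first measure, reviewing operating system log files, as an added example that is not part of the SND guide: a short Python log-review script run over constructed syslog-style sshd lines. It reports any source that produces a burst of failed logins within a time window (the pattern a Trojan-style or guessing attack on the login sequence leaves behind) and separately flags a successful login that follows such a burst, which is the entry worth acting on first. The log lines, hosts, addresses, threshold and window are all constructed values.

```python
"""Added example (not from the SND guide): a small log-review script of the
kind the text recommends, run over constructed syslog-style sshd lines.

It reports any source with `threshold` or more failed logins inside `window`
seconds and flags a success that follows such a burst. Log format, hosts,
addresses, threshold and window are constructed values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ..." as well as "Accepted password".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample log: one ordinary login, a five-attempt burst from an
# outside address that ends in a success, and a single harmless typo.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw1 sshd[2201]: Accepted password for alice from 10.1.1.20 port 51234 ssh2
Mar  3 10:02:11 gw1 sshd[2210]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:02:12 gw1 sshd[2211]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:02:12 gw1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar  3 10:02:13 gw1 sshd[2213]: Failed password for admin from 203.0.113.7 port 40004 ssh2
Mar  3 10:02:14 gw1 sshd[2214]: Failed password for bob from 203.0.113.7 port 40005 ssh2
Mar  3 10:02:20 gw1 sshd[2215]: Accepted password for bob from 203.0.113.7 port 40006 ssh2
Mar  3 10:30:00 gw1 sshd[2300]: Failed password for alice from 10.1.1.20 port 51240 ssh2
Mar  3 10:30:05 gw1 sshd[2301]: Accepted password for alice from 10.1.1.20 port 51241 ssh2
"""


def review(log_text: str, threshold: int = 5, window: int = 60) -> dict:
    """Scan the log and return flagged sources, alerts and a parsed-line count."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> user names tried
    flagged = set()
    alerts = []
    parsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed += 1
        # Collapse the double space in "Mar  3" before parsing the timestamp.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "Failed":
            times = failures[src]
            times.append(ts)
            users[src].add(m["user"])
            # Slide the window: forget failures older than `window` seconds.
            while (ts - times[0]).total_seconds() > window:
                times.pop(0)
            if len(times) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"{src}: {len(times)} failed logins within {window}s "
                              f"(users tried: {', '.join(sorted(users[src]))})")
        elif src in flagged:
            # A success after a burst from the same source needs a human look.
            alerts.append(f"{src}: successful login as {m['user']} after failed-login burst")
    return {"flagged_sources": sorted(flagged), "alerts": alerts, "parsed": parsed}


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)["alerts"]:
        print(alert)
```

The single failed attempt from the internal host is below the threshold and produces no alert, so the output stays short enough to be read every day; lowering the threshold or widening the window trades that for sensitivity.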

Management Protocols and Vulnerabilities
The protocols used to manage your network can be a source of vulnerability. This topic
describes vulnerabilities in configuration management protocols and recommendations for
mitigating these vulnerabilities.

Configuration Management

• Configuration management protocols include SSH, SSL, and Telnet.
• Telnet issues include the following:
– The data within a Telnet session is sent as clear text.
– The data may include sensitive information.


If the managed device does not support any of the recommended protocols, such as SSH and
SSL, Telnet (not recommended) may have to be used. Recall that Telnet was developed in an
era when security was not an issue. The network administrator should recognize that the data
within a Telnet session is sent as clear text and may be intercepted by anyone with a packet
sniffer located along the data path between the managed device and the management server.
The clear text may include important or sensitive information, such as the configuration of the
device itself, passwords, or other sensitive data.



Configuration Management Recommendations

When possible, the following practices are advised:
• Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
• ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
• RFC 3704 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.


Regardless of whether SSH, SSL or Telnet is used for remote access to the managed device,
access control lists (ACLs) should be configured to allow only management servers to connect
to the device. All attempts from other IP addresses should be denied and logged. RFC 3704
filtering at the ingress router should also be implemented to reduce the chance of an attacker
from outside the network spoofing the addresses of the management hosts.

Note RFC 3704 covers Ingress Filtering for Multihomed Networks. It updates RFC 2827.

Management Protocols

The following are management protocols that can be compromised:
• SNMP: The community string information for simple authentication is sent in clear text.
• Syslog: Data is sent as clear text between the managed device and the management host.
• TFTP: Data is sent as clear text between the requesting host and the TFTP server.
• NTP: Many NTP servers on the Internet do not require any authentication of peers.


SNMP is a network management protocol that can be used to retrieve information from a
network device (commonly referred to as read-only access) or to remotely configure parameters
on the device (commonly referred to as read-write access). SNMP uses passwords (called
community strings) within each message, as a very simple form of security. Unfortunately,
most implementations of SNMP on networking devices today send the community string in
clear text along with the message. Therefore, SNMP messages may be intercepted by anyone
with a packet sniffer located along the data path between the device and the management
server.

Syslog, which is information generated by a device that has been configured for logging, is sent
as clear text between the managed device and the management host. Syslog has no packet-level
integrity checking to ensure that the packet contents have not been altered in transit. An
attacker may alter syslog data in order to confuse a network administrator during an attack.

Trivial File Transfer Protocol (TFTP) is used for transferring configuration or system files
across the network. TFTP uses UDP for the data stream between the requesting host and the
TFTP server. As with other management protocols that send data in clear text, the network
administrator should recognize that the data within a TFTP session might be intercepted by
anyone with a packet sniffer located along the data path between the device and the
management server. Where possible, TFTP traffic should be encrypted within an IPSec tunnel
in order to reduce the chance of interception.

Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a
network. Synchronization of the clocks within a network is critical for digital certificates and
for correct interpretation of events within syslog data. A secure method of providing clocking
for the network is for network administrators to implement their own master clocks for private
networks synchronized, via satellite or radio, to Coordinated Universal Time (UTC). However,
if network administrators do not wish to implement their own master clocks because of cost or
other reasons, clock sources are available for synchronization via the Internet.



An attacker could attempt a DoS attack on a network by sending bogus NTP data across the
Internet in an attempt to change the clocks on network devices in such a manner that digital
certificates are considered invalid. An attacker could also attempt to confuse a network
administrator during an attack by disrupting the clocks on network devices. This scenario
makes it difficult for the network administrator to determine the order of syslog events on
multiple devices.

Management Protocol Best Practices

• SNMP recommendations:
– Configure SNMP with only read-only community strings.
– Set up access control on the device you wish to manage.
– Use SNMP Version 3 or above.
• Logging recommendations:
– Encrypt syslog traffic within an IPSec tunnel.
– Implement RFC 2827 filtering.
– Set up access control on the firewall.
• TFTP recommendations:
– Encrypt TFTP traffic within an IPSec tunnel.
• NTP recommendations:
– Implement your own master clock.
– Use NTP Version 3 or above.
– Set up access control that specifies which network devices are
allowed to synchronize with other network devices.

The following are recommendations for the correct use of SNMP tools:
• Configure SNMP with only read-only community strings.
• Set up access control on the device you wish to manage via SNMP to allow access by only the appropriate management hosts.
• Use SNMP Version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network.

When possible, the following management practices are advised:
• Encrypt syslog traffic within an IPSec tunnel.
• Implement RFC 2827 filtering at the perimeter router when allowing syslog access from devices on the outside of a firewall.
• Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.
• When possible, encrypt TFTP traffic within an IPSec tunnel in order to reduce the chance of interception.

The following are recommendations to follow when using NTP:
• Implement your own master clock for private network synchronization.
• Use NTP Version 3 or above because these versions support a cryptographic authentication mechanism between peers.
• Use ACLs that specify which network devices are allowed to synchronize with other network devices.
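The access-control recommendations for the management plane (only management hosts may reach SNMP, NTP and the remote-access service; every other attempt is denied and logged; management-host addresses arriving from outside are treated as spoofed, which is what RFC 3704 filtering at the perimeter provides), modelled in Python as an added example that is not part of the SND guide. The device, its services, the management host list, the interface names and the sample connection attempts are all constructed values; treating Telnet as disabled unless explicitly enabled is an assumption in line with the earlier "not recommended" note.

```python
"""Added example (not from the SND guide): a management-plane access check
that applies the recommendations above to constructed connection attempts.

Assumed setup: the device offers SSH, SNMP, NTP and (optionally) Telnet;
only the listed management hosts may use them; everything else is denied and
logged; and a packet carrying a management-host address that arrives on the
outside interface is treated as spoofed (the RFC 3704 ingress check).
Addresses, interface names and the host list are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the only hosts allowed to manage the device.
MGMT_HOSTS = {ipaddress.ip_address("10.1.1.10"), ipaddress.ip_address("10.1.1.11")}
# Management services listening on the device: (protocol, port) -> name.
MGMT_SERVICES = {("tcp", 22): "ssh", ("udp", 161): "snmp",
                 ("udp", 123): "ntp", ("tcp", 23): "telnet"}
INSIDE_IFACES = {"inside"}   # interfaces the management hosts legitimately sit behind


@dataclass
class Attempt:
    iface: str     # interface the packet arrived on
    src: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass
class ManagementAcl:
    mgmt_hosts: set = field(default_factory=lambda: set(MGMT_HOSTS))
    allow_telnet: bool = False        # clear-text protocol; off unless unavoidable
    log: list = field(default_factory=list)

    def check(self, a: Attempt) -> str:
        """Return "permit", "deny", or "not-management" (other rules apply)."""
        service = MGMT_SERVICES.get((a.proto, a.dport))
        if service is None:
            return "not-management"
        src = ipaddress.ip_address(a.src)
        if src in self.mgmt_hosts and a.iface not in INSIDE_IFACES:
            # RFC 3704 check: a management address cannot legitimately
            # arrive from outside, so the source is spoofed.
            self._deny(service, a, "management address arriving on outside interface")
        elif src not in self.mgmt_hosts:
            self._deny(service, a, "source is not a management host")
        elif service == "telnet" and not self.allow_telnet:
            self._deny(service, a, "telnet disabled; use SSH")
        else:
            return "permit"
        return "deny"

    def _deny(self, service: str, a: Attempt, reason: str) -> None:
        # Every refused attempt is logged, as the recommendation requires.
        self.log.append(f"deny {service} src={a.src} iface={a.iface}: {reason}")


def run_sample() -> dict:
    """Evaluate constructed attempts and return the decisions plus log count."""
    acl = ManagementAcl()
    attempts = {
        "ssh_from_mgmt": Attempt("inside", "10.1.1.10", "tcp", 22),
        "ntp_from_mgmt": Attempt("inside", "10.1.1.11", "udp", 123),
        "snmp_from_lan_host": Attempt("inside", "10.1.1.50", "udp", 161),
        "ssh_spoofed_from_outside": Attempt("outside", "10.1.1.10", "tcp", 22),
        "telnet_from_mgmt": Attempt("inside", "10.1.1.10", "tcp", 23),
        "http_from_internet": Attempt("outside", "203.0.113.9", "tcp", 80),
    }
    out = {name: acl.check(a) for name, a in attempts.items()}
    out["log_entries"] = len(acl.log)
    return out


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:26} {verdict}")
```

The spoof case is the one the address-only ACL would otherwise pass: without the interface check, a packet from the Internet claiming 10.1.1.10 satisfies the host list. Services outside the management set fall through to whatever other policy the device applies, so this check stays narrow.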



Determining Network Vulnerabilities
This topic describes how GNU Netcat, Blue’s Port Scan, Ethereal, and Microsoft Baseline
Security Analyzer are used to discover network vulnerabilities and threats.

Determining Network Vulnerabilities

The following tools are useful when determining general network vulnerabilities:
• GNU Netcat Scan
• Blue’s Port Scan
• Ethereal
• Microsoft Baseline Security Analyzer


There are a number of tools and techniques that you can use to find vulnerabilities in your network. You will use some of these tools in the lab exercise for this lesson. Once you identify the vulnerabilities, you can consider and implement mitigation steps as appropriate. The following tools can be used to determine vulnerabilities:
• Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat is designed to be a reliable "back-end" tool that can be used directly or can easily be driven by other programs and scripts. At the same time, Netcat is a feature-rich network debugging and exploration tool because it can create almost any kind of connection you would need and it has several interesting built-in capabilities.
• Blue’s PortScan scans 300 ports per second on an NT or Windows 2000 machine.
• Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Ethereal has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. The Ethereal open source license allows talented experts in the networking community to add enhancements. Ethereal runs on all popular computing platforms, including Unix, Linux, and Windows.
• Microsoft Baseline Security Analyzer (MBSA) is the free, best-practices vulnerability assessment tool for the Microsoft platform. MBSA is a tool designed for the IT professional that helps with the assessment phase of an overall security management strategy. MBSA includes a graphic and command line interface that can perform local or remote scans of Windows systems.

Summary
This topic summarizes the key points discussed in this lesson.

Summary
• It is very important to provide physical installation
security for enterprise network devices.
• Packet sniffer attacks can be mitigated by authentication,
switched infrastructure, antisniffer tools, and
cryptography. Port scans and ping sweeps are mitigated
by turning off ICMP echo and echo reply and by
IDSs/IPSs at the network and host level.
• Password attacks can be mitigated by restricting same
password use, disabling accounts after unsuccessful
logins, not using clear text passwords and using “strong
passwords.” Trust exploitation and port redirection are
mitigated by tight constraints on trust levels within a
network and by the use of proper trust models. Man in the
middle attacks can be mitigated through traffic
encryption.

Summary (Cont.)

• IP spoofing attacks can be mitigated through access control, RFC 2827 filtering and additional authentication. DoS and DDoS attacks can be mitigated through antispoof features, anti-DoS features and traffic rate limiting.
• Worm attacks can be mitigated by containment, inoculation, quarantine and treatment. Viruses and Trojan horse attacks can be mitigated using up-to-date antivirus software.
• Application layer attacks can be mitigated by analyzing operating system and network log files, keeping up to date on the latest vulnerabilities and patches, and using IDS/IPS.



Summary (Cont.)

• Configuration management and management protocols are
an important part of securing a network.
• The following tools help discover network vulnerabilities
and threats:
– GNU Netcat
– BluesPort Scan
– Ethereal
– Microsoft Baseline Security Analyzer

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) List the four common threats to Cisco network physical installations. (Source: Securing
Cisco Router Installations)

Q2) Which type of reconnaissance attack is best mitigated by using strong authentication
and cryptography? (Source: Reconnaissance Attacks and Mitigation)
A) packet sniffers
B) port scans
C) ping sweeps
D) Internet information queries
Q3) Which type of reconnaissance attack is mitigated by turning off ICMP echo and
echo-reply? (Source: Reconnaissance Attacks and Mitigation)
A) packet sniffers
B) port scans
C) ping sweeps
D) Internet information queries
Q4) Which of the following four attacks are classified as access attacks? (Choose four.)
(Source: Access Attacks and Mitigation)
A) port redirection
B) trust exploitation
C) password attacks
D) man-in-the-middle attacks
E) DDoS
F) Trojan horse
G) Love Bug
Q5) What are two methods for computing passwords with L0phtCrack? (Choose two.)
(Source: Access Attacks and Mitigation)
A) random access generator
B) dictionary cracking
C) brute force computation
D) password hashing
E) character duplication
Q6) Which type of attack is mitigated by encrypting traffic in an IPSec tunnel? (Source:
Access Attacks and Mitigation)
A) packet sniffers
B) password attack
C) man-in-the-middle attacks
D) Internet information queries


Q7) Why are DoS attacks difficult to eliminate? (Source: Denial of Service Attacks and
Mitigation)

______________________________________________________________________

Q8) A virus can spread automatically through a network. (Source: Access Attacks and
Mitigation)
A) True
B) False
Q9) Encryption helps mitigate IP spoofing. (Source: Access Attacks and Mitigation)
A) True
B) False
Q10) Traffic rate limiting helps mitigate IP spoofing. (Source: Access Attacks and
Mitigation)
A) True
B) False
Q11) As a minimum, anti-spoofing configuration must meet the requirements of RFC 2827.
(Source: Access Attacks and Mitigation)
A) True
B) False
Q12) The “Love Bug” attack is not a virus, but a Trojan horse. (Source: Access Attacks and
Mitigation)
A) True
B) False
Q13) Trojan horse is a very specific term referring to a particular attack mechanism. (Source:
Access Attacks and Mitigation)
A) True
B) False
Q14) Worm containment includes tracking down each infected machine inside the network.
(Source: Access Attacks and Mitigation)
A) True
B) False
Q15) A hacker transmitting thousands of ICMP pings from his PC to multiple target servers
is an example of a DDoS attack. (Source: Reconnaissance Attacks and Mitigation)
A) True
B) False
Q16) Why is telnet not a preferred configuration management protocol? (Source:
Management Protocols and Vulnerabilities)
A) It is slow.
B) It does not have a GUI.
C) It is not encrypted.
D) It is too easily spoofed.

Q17) What techniques and tools does Cisco recommend you use to detect and prevent
reconnaissance attacks? (Choose three.) (Source: Reconnaissance Attacks and Mitigation)
A) access lists
B) cryptography
C) lock-and-key
D) authentication
E) CBAC
F) IDS
Q18) Which type of network attack occurs when an intruder attempts to discover and map
systems, services, and vulnerabilities? (Source: Reconnaissance Attacks and
Mitigation)
A) time of day attack
B) reconnaissance attacks
C) denial of service (DoS) attacks
D) access attacks


Lesson Self-Check Answer Key
Q1) Hardware, environmental, electrical and maintenance threats

Q2) A

Q3) C

Q4) A, B, C, D

Q5) B, C

Q6) C

Q7) Although there are software fixes that system administrators can install to limit the damage caused by all
known DoS attacks, new DoS attacks are constantly being developed by hackers.

Q8) False

Q9) True

Q10) False

Q11) True

Q12) False

Q13) False

Q14) False

Q15) False

Q16) C

Q17) B, D and F

Q18) B

Lesson 3

Introducing the Cisco Security Portfolio

Overview
The Cisco security portfolio offers a complete range of manageable solutions designed to
maintain the integrity of critical network information and extend the reach of network
resources. Integrated security solutions provide robust protection within a comprehensive
product line including routers and switches as well as firewalls, intrusion detection systems and
VPN access concentrators. Robust management tools provide complete control and visibility
into the integrated network infrastructure from the individual device level to the entire network.

This lesson introduces the Cisco security portfolio of solutions and products currently available
and installed across customer networks.
Objectives
Upon completing this lesson, you will be able to describe the general features, purpose and
benefits of the hardware and software components of the Cisco security portfolio and solutions.
This ability includes being able to meet these objectives:
• Match the components of the Cisco security portfolio against Cisco security solution offerings
• Describe the security features of the Cisco PIX 500 Series of security appliances, Firewall Services Module, VPN Accelerator card and the Cisco IOS Firewall
• Describe how secure connectivity is provided by VPNs
• Describe the security features and solutions provided by the Cisco VPN 3000 Series concentrator
• Describe the security features of Cisco VPN-enabled routers
• Describe optimum product positioning for a range of VPN requirements
• Describe how Cisco IPS sensors prevent intrusions
• Describe the relative positioning of Cisco IDS/IPS sensor platforms
• Describe the use and features of a HIPS and the CSA in network security
• Describe the use of Cisco Secure ACSs to provide network security through identification and authentication
• Describe the functions of Cisco Network Admission Control
• Describe the use of the Cisco IP Solution Center and the CiscoWorks VMS to provide network security through management

Introducing the Cisco Security Portfolio
This topic describes the components of the Cisco security portfolio in relation to Cisco security
solution offerings.

Cisco Security Solutions

[Figure: Cisco Security Solutions. Five columns, each pairing a security need with its solution and products: Secure Connectivity (VPN: Cisco VPN Concentrators, Cisco PIX Security Appliances, Cisco IOS VPN); Perimeter Security (Firewalls: Cisco PIX Security Appliances, Cisco IOS Firewall); Application Security (Intrusion Detection and Prevention: Cisco IDS/IPS Sensors, Host Intrusion Prevention System, Cisco PIX Security Appliances, Cisco IOS IDS); Identity (Authentication: Cisco Secure Access Control Server); Security Management (Management: CiscoWorks VMS).]

The goal of every network administrator must be to protect valuable data and network
resources from corruption and intrusion. Cisco security solutions provide the services necessary
to achieve this goal. Cisco offers a wide variety of security solutions built from a portfolio of
hardware and software products as shown in the “Cisco Security Solutions” table.

Cisco Security Solutions

Security Need: Perimeter security. Perimeter security is provided by controlled access to critical network applications, data, and services, which allows legitimate users and information to pass through the network.
Cisco Solution: Firewalls
Cisco Products: Cisco IOS Firewalls; Cisco PIX Security Appliances

Security Need: Secure connectivity. Secure connectivity is provided by connectivity to Cisco VPN gateway products using standard security protocols such as IPSec and L2TP.
Cisco Solution: Virtual private network (VPN)
Cisco Products: Cisco VPN 3000 Series concentrators; Cisco PIX Security Appliances; Cisco IOS VPN

Security Need: Application security. Application security is provided by the detection of suspicious application-level vulnerabilities including server and host security solutions.
Cisco Solution: Intrusion detection and prevention
Cisco Products: Cisco Network Intrusion Prevention System (IPS) Sensor; Intrusion detection with Cisco IOS software; Cisco Intrusion Detection System Module (IDSM2); Network Module-Cisco Intrusion Detection System (NM-CIDS) for access routers; Intrusion detection with Cisco PIX Security Appliances; Host-based intrusion prevention system (HIPS): Cisco Security Agent (CSA)

Security Need: Identity. Identity is provided by identifying network users, hosts, applications, services, and resources.
Cisco Solution: Authentication, authorization and accounting (AAA)
Cisco Products: Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+); Cisco Secure Access Control Server (ACS)

Security Need: Security management and monitoring. Security management and monitoring is provided by tools that proactively detect security weaknesses, perform real-time network-based intrusion detection, and configure, monitor, and administer security policy.
Cisco Solution: Policy
Cisco Products: CiscoWorks VPN/Security Management Solution (VMS)

Perimeter Security—Products and Solutions
This topic describes the security features of the Cisco PIX 500 Security Appliance Series,
Firewall Services Module, VPN Accelerator card and the Cisco IOS Firewall.

Perimeter Security Products and Solutions

Perimeter security is provided by:

• Cisco PIX 500 Series of security appliances
• FWSM for Cisco Catalyst 6500 Series switches and Cisco 7600 Series Internet router chassis
• VAC for the Cisco PIX 500 Series of security appliances
• Cisco IOS Firewall

Perimeter security solutions can be built using these products:

• Cisco PIX 500 Series of security appliances: From compact "plug-and-play" appliances for small and home offices to modular carrier-class gigabit appliances for enterprise and service-provider environments, the Cisco PIX 500 Series of security appliances provide robust, enterprise-class integrated network security services that create a strong multilayered defense for fast-changing network environments.
• Firewall Services Module (FWSM): These cards are designed for the chassis of the Catalyst 6500 Series switch and Cisco 7600 Series router. These cards provide firewall services along with a range of network services in one chassis.
• VPN Accelerator Card (VAC): The VAC for the Cisco Secure PIX 500 Series of security appliances provides high-performance tunneling and encryption services suitable for site-to-site and remote access applications.
• Cisco IOS Firewall: The Cisco IOS Firewall feature provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. Available for a wide range of Cisco IOS software-based routers, the Cisco IOS Firewall offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices.


Cisco PIX 500 Series of Security Appliances

[Figure: the five PIX 500 Series models plotted by functionality and target market: PIX 501 (small office and home office, SOHO), PIX 506E (remote and branch office, ROBO), PIX 515E (small to medium business, SMB), PIX 525 (enterprise), PIX 535 (service provider); the PIX 525 and PIX 535 offer Gigabit Ethernet.]

The Cisco PIX 500 Series of security appliances scales to meet a range of requirements and
network sizes, and currently consists of five models.
• The PIX 501 Security Appliance has an integrated 10/100BASE-T port (100BASE-T option available in release 6.3) and an integrated four-port 10/100 switch.
• The PIX 506E Security Appliance has dual integrated 10/100BASE-T ports (100BASE-T option available in release 6.3 for the Cisco 506E Security Appliance only).
• The PIX 515E Security Appliance supports single-port or four-port 10/100 Ethernet cards.
• The PIX 525 Security Appliance supports single-port or four-port 10/100 Fast Ethernet and Gigabit Ethernet.
• The PIX 535 Security Appliance supports Fast Ethernet and Gigabit Ethernet.

The PIX 515E Security Appliance, the PIX 525 Security Appliance, and the PIX 535 Security
Appliance come with an integrated VPN Accelerator Card (VAC).

The PIX Security Appliance is secure right out of the box. Default settings allow all
connections from the inside interface access to the outside interface, and block all connections
from the outside interface to the inside interface. After a few installation procedures and an
initial configuration with six general commands, your PIX 500 Series of security appliance is
operational and protecting your network.

Cisco PIX 500 Security Appliance Features

Features and uses:

• Typically used for site-to-site VPNs
• Restricts access to network resources
• Implemented at the physical perimeter between customer intranet and the other company’s intranet
• Determines whether traffic crossing in either direction is authorized
• Contains limited IDS capability
• Provides a dedicated hardware appliance
• Has little or no impact on network performance

Globally networked businesses rely on their networks to communicate with employees,
customers, partners, and suppliers. While immediate access to information and communication
is an advantage, it raises security concerns such as protecting access to critical network
resources. Network administrators need to know who is accessing what resources and then
establish clear perimeters to control that access. An effective security policy balances
accessibility with protection. Security policies are enforced at network perimeters. Often people
think of a perimeter as the boundary between an internal network and the Internet, but a
perimeter can be established anywhere within a private network, or between your network and
a partner network. A solid perimeter security solution enables communications across it as
defined by the security policy, yet protects network resources from breaches or attacks. A
perimeter security solution controls multiple network entry and exit points and increases user
assurance by implementing multiple layers of security.


Firewall Services Module

• Runs in Catalyst 6500 Series switch and Cisco 7600 Series router chassis
• Designed for high-end enterprise and service providers
• Based on the Cisco PIX Security Appliance technology
• Includes Cisco PIX Security Appliance 6.0 feature set
• Supports multiple performance and redundancy features

[Figure: Firewall Services Module for Cisco Catalyst 6500 Series, shown with a Cisco Catalyst 6500 Series / Cisco 7600 Router Series chassis.]

The FWSM is a multigigabit integrated firewall module for the Cisco Catalyst 6500 Series
switch and the Cisco 7600 Series router. It is fabric-enabled and capable of interacting with the
bus and the switch fabric. Based on Cisco PIX Security Appliance technology, FWSM provides
stateful firewall functionality in these switches and routers.

The FWSM has these features:

• Includes the entire PIX Security Appliance Software version 6.0 feature set and the following PIX Security Appliance Software version 6.3 features:
— Command authorization
— Object grouping
— Internet Locator Service (ILS)/NetMeeting setup
— URL filtering enhancement
• Support for 100 VLANs
• High performance: 5 Gbps / three million pps throughput, full-duplex firewall functionality
• One million concurrent connections
• LAN failover: active or standby, and interchassis or intrachassis
• Dynamic routing with Open Shortest Path First (OSPF) and passive RIP
• Supports multiple modules per chassis

Cisco PIX VPN Accelerator Cards

Both cards offload IPSec processes for demanding applications including large enterprise, complex, and high-traffic environments, and fit in any Cisco PIX 515E Security Appliance, PIX 520 Security Appliance, PIX 525 Security Appliance, or PIX 535 Security Appliance.

VAC:
• 100 Mbps of 3DES and SHA
• Requires PIX Software Version 5.3 or higher
• Features: DES and 3DES encryption, authentication, tunneling

VAC+:
• Delivers 2 to 4 times the throughput of VAC
• Requires PIX Software Version 6.3 or higher
• Features: DES and 3DES encryption, authentication, tunneling, AES encryption

The VAC and VAC+ provide high-performance tunneling and encryption services suitable for
site-to-site and remote-access applications. They are optimized to handle the repetitive but
voluminous mathematical functions required for IPSec. Offloading encryption functions to the
card not only improves IPSec encryption processing, but also maintains high-end firewall
performance.

The VAC and VAC+ fit in a PCI slot inside the PIX Security Appliance chassis. Both cards
feature Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES)
encryption, plus authentication and tunneling. In addition, the VAC+ offers Advanced
Encryption Standard (AES) encryption. Detailed performance figures are provided later in this
course.


Cisco IOS Firewall
Cisco IOS Firewall feature highlights:

• Stateful Cisco IOS Firewall Inspection
• Intrusion detection
• Firewall voice traversal
• ICMP inspection
• Authentication proxy
• Destination URL policy management
• Per user firewalls
• Cisco IOS router and firewall provisioning
• Denial of service detection and prevention
• Dynamic port mapping
• Java applet blocking
• VPNs, IPSec encryption, and QoS support
• Real-time alerts
• Audit trail
• Integration with Cisco IOS software
• Basic and advanced traffic filtering
• Policy-based multi-interface support
• Network address translation
• Time-based access lists
• Peer router authentication

As network security becomes increasingly critical to securing business transactions, businesses
must integrate security into the network design and infrastructure. Security policy enforcement
is most effective when it is an inherent component of the network.

Cisco IOS software runs on more than 80 percent of Internet backbone routers, which makes
this software the most fundamental component of network infrastructure. Cisco IOS software-
based security offers the best solution for end-to-end Internet, intranet, and remote-access
network security. Refer to the “Application Guidelines” table to help choose the right Cisco
router for varied security environments.

Application Guidelines

Application: Small or home offices
Optimum Router: Cisco UBR900 Series cable access routers, Cisco 800 Series, and 1700 Series routers

Application: Branch and extranet environments
Optimum Router: Cisco 2600 Series, 3600 Series and 3700 Series routers; Cisco 1800 Series and 2800 Series Integrated Services Routers (ISRs)

Application: VPN and WAN aggregation points or other high-throughput environments
Optimum Router: Cisco 7100 Series, 7200 Series, 7400 Series, 7500 Series and RSM Series routers; Cisco 3800 Series ISRs; Cisco Catalyst 5000 Series and Catalyst 6000 Series switches

Cisco IOS Firewall Highlights
These are some of the highlights of the Cisco IOS Firewall:
• Stateful IOS Firewall inspection engine: This feature provides internal users with secure, per-application-based access control for all traffic across perimeters, such as perimeters between private enterprise networks and the Internet. This is also called Context-based Access Control (CBAC).
• Intrusion detection: Inline deep packet inspection service that provides real-time monitoring, interception, and response to network misuse with a broad set of the most common attack and information-gathering intrusion detection signatures. Supports 102 signatures.
• Firewall voice traversal: This feature is provided by application-level intelligence of the protocol as to the call flow and associated channels that are opened. Voice protocols that are currently supported are H.323v2 and Session Initiation Protocol (SIP).
• ICMP inspection: This feature allows responses to ICMP packets (for example, ping and traceroute) originating from inside the firewall, while denying other ICMP traffic.
• Authentication proxy: This requires users to authenticate when attempting to access network resources via HTTP. The user’s specific network access profiles are automatically retrieved and applied from a RADIUS or TACACS+ server. The user profiles are active only when there is active traffic from the authenticated users. Authentication Proxy can alternatively be triggered by either Telnet or FTP since Cisco IOS Software Release 12.3(1).
• Destination URL policy management: These include several mechanisms that support local caching of previous requests, predetermined static URL permission and denial tables, as well as use of external server databases provided by Websense Inc. and N2H2 Inc. This is better known as URL Filtering.
• Per user firewalls: This feature enables service providers to provide a managed firewall solution in the broadband market by downloading unique firewalls, access control lists (ACLs), and other settings on a per user basis, using the AAA server profile storage after authentication.
• Cisco IOS router and firewall provisioning: This feature provides no-touch provisioning of the router, version updates and security policies such as firewall rules.
• Denial of service detection and prevention: This feature defends and protects router resources against common attacks, checks packet headers, and drops suspicious packets.
• Dynamic port mapping: This feature allows firewall-supported applications on nonstandard ports.
• Java applet blocking: This feature defends against unidentified, malicious Java applets.
• VPNs, IPSec encryption, and Quality of Service (QoS) support:
— Operate with Cisco IOS software encryption, tunneling, and QoS features to secure VPNs
— Provide scalable encrypted tunnels on the router while integrating strong perimeter security, advanced bandwidth management, intrusion detection, and service-level validation
— The Cisco IOS Firewall is standards based for interoperability
• Real-time alerts: This feature logs alerts for denial-of-service attacks or other preconfigured conditions. This is now configurable on a per-application, per-feature basis.

• Audit trail: This feature details transactions and records time stamp, source host, destination host, ports, duration and total number of bytes transmitted for detailed reporting. This is now configurable on a per-application, per-feature basis.
• Integration with Cisco IOS software: This feature interoperates with Cisco IOS software features, integrating security policy enforcement into the network.
• Basic and advanced traffic filtering:
— Cisco IOS Firewall can use standard and extended ACLs that apply access controls to specific network segments and define which traffic passes through a network segment.
— Cisco IOS Firewall can use dynamic ACLs (Lock and Key) to grant temporary access through firewalls upon user identification (username/password).
• Policy-based multi-interface support: This feature provides the ability to control user access by IP address and interface, as determined by the security policy.
• Network Address Translation (NAT): This feature hides the internal network from the outside for enhanced security.
• Time-based access lists: This feature defines security policy based on the time of day and day of week.
• Peer router authentication: This feature ensures that routers receive reliable routing information from trusted sources.
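The ICMP inspection and CBAC behaviour described above (permit only the replies to requests that left from the inside, deny unsolicited inbound ICMP such as ping sweeps) can be sketched as a small stateful session table. This is an added Python example, not Cisco code; the packet model, the session key and the idle timeout are hypothetical simplifications.

```python
"""Stateful ICMP inspection in the spirit of the CBAC ICMP inspection feature.

Constructed example, not Cisco code: a hypothetical packet model with a
session table keyed on (inside host, outside host, echo identifier).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# ICMP message types (RFC 792)
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
ERROR_TYPES = {DEST_UNREACHABLE, TIME_EXCEEDED}

SessionKey = Tuple[str, str, int]


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0
    # ICMP errors quote the header of the datagram that triggered them:
    # (original src, original dst, original ICMP type, original echo id)
    quoted: Optional[Tuple[str, str, int, int]] = None


@dataclass
class IcmpInspector:
    """Permits inbound ICMP only when it answers a request sent from inside."""
    idle_timeout: float = 10.0      # seconds a session lives without traffic
    clock: float = 0.0              # simulated time, advanced by tick()
    sessions: Dict[SessionKey, float] = field(default_factory=dict)

    def tick(self, seconds: float) -> None:
        self.clock += seconds

    def _purge_expired(self) -> None:
        self.sessions = {k: t for k, t in self.sessions.items()
                         if self.clock - t < self.idle_timeout}

    def outbound(self, pkt: IcmpPacket) -> str:
        """Traffic leaving the inside interface: echo requests open a session."""
        self._purge_expired()
        if pkt.icmp_type == ECHO_REQUEST:
            self.sessions[(pkt.src, pkt.dst, pkt.ident)] = self.clock
        return "permit"

    def inbound(self, pkt: IcmpPacket) -> str:
        """Traffic arriving from the outside: permit only matching responses."""
        self._purge_expired()
        if pkt.icmp_type == ECHO_REPLY:
            # A reply reverses the addresses of the request it answers
            key: SessionKey = (pkt.dst, pkt.src, pkt.ident)
        elif pkt.icmp_type in ERROR_TYPES and pkt.quoted is not None:
            # Time-exceeded from an intermediate hop (ICMP traceroute) or
            # unreachable from the destination: match on the quoted request
            q_src, q_dst, q_type, q_ident = pkt.quoted
            if q_type != ECHO_REQUEST or q_src != pkt.dst:
                return "deny"
            key = (q_src, q_dst, q_ident)
        else:
            # Unsolicited echo requests (ping sweeps) and everything else
            return "deny"
        if key in self.sessions:
            self.sessions[key] = self.clock  # refresh the idle timer
            return "permit"
        return "deny"


def demo() -> Dict[str, str]:
    """Constructed scenario: an inside host pings and traceroutes an outside host."""
    fw = IcmpInspector()
    inside, outside, hop = "10.1.1.5", "198.51.100.7", "203.0.113.1"
    results: Dict[str, str] = {}
    results["ping_out"] = fw.outbound(IcmpPacket(inside, outside, ECHO_REQUEST, ident=42))
    results["ping_reply"] = fw.inbound(IcmpPacket(outside, inside, ECHO_REPLY, ident=42))
    results["traceroute_hop"] = fw.inbound(IcmpPacket(
        hop, inside, TIME_EXCEEDED, quoted=(inside, outside, ECHO_REQUEST, 42)))
    results["sweep_probe"] = fw.inbound(IcmpPacket("203.0.113.9", inside, ECHO_REQUEST, ident=1))
    results["stray_reply"] = fw.inbound(IcmpPacket(outside, inside, ECHO_REPLY, ident=43))
    fw.tick(11)  # the session idles out
    results["late_reply"] = fw.inbound(IcmpPacket(outside, inside, ECHO_REPLY, ident=42))
    return results
```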

Cisco IOS Firewall Enhancements with Cisco IOS Software Release 12.3

[Figure: two payloads heading for the corporate office server farm, one on port 25 labelled "I am email traffic... honest!" and one on port 80 labelled "I am http web traffic... honest!", illustrating traffic that claims to be a protocol it is not.]

Feature: HTTP Inspection Engine
Benefit:
• Application level control to inspect port 80 tunneled traffic
• Convergence of Cisco IOS Firewall and inline IPS technologies
• Control port 80 misuse by rogue applications
– Example: Instant messaging and peer-to-peer applications such as Kazaa

Feature: Email Inspection Engine
Benefit:
• Control misuse of email protocols
• SMTP, ESMTP, IMAP, POP inspection engines

Feature: Advanced Application Inspection and Control
Benefit:
• Provides protocol anomaly detection services

With Cisco IOS Software Release 12.3, the Cisco IOS Firewall brings the following features:

• HTTP Inspection Engine: The HTTP Inspection Engine discovers and enforces network security policy governing the traversal of web and non-web traffic over TCP port 80. This engine can identify data traffic in order to enforce policies governing use of the protocol, use of HTTP commands, and URL lengths. The HTTP Inspection Engine enforces application request policy by ensuring that malformed URLs used for exploiting buffer overflows in web server applications are dropped. If it is against the security policy, the HTTP Inspection Engine drops the packet, resets the connection and sends an alarm.
• Email Inspection Engine: This enhancement to the Email Inspection Engine adds support for POP3 and IMAP in addition to the existing support for SMTP and Extended Simple Mail Transfer Protocol (ESMTP).
• Advanced Application Inspection and Control: Advanced Application Inspection and Control provides protocol anomaly detection services.
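The checks a port 80 inspection engine of this kind makes on each client-to-server payload (is it HTTP at all, is the method allowed, is the URL within the length limit and well formed) can be sketched in a few lines. This is an added Python example, not Cisco code and not from this guide; the policy limits, the function names and the sample payloads are constructed, and it inspects one payload at a time rather than a reassembled stream.

```python
"""Simplified port 80 application inspection in the spirit of the HTTP
Inspection Engine. Constructed example, not Cisco code."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Client-to-server request line: METHOD SP URL SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
DROP = "drop-reset-alarm"   # drop the packet, reset the connection, raise an alarm
PERMIT = "permit"


@dataclass(frozen=True)
class HttpPolicy:
    """Hypothetical policy values; a real deployment tunes these."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_url_len: int = 256
    max_header_len: int = 4096


def inspect_port80(payload: bytes, policy: HttpPolicy = HttpPolicy()) -> Tuple[str, str]:
    """Return (verdict, reason) for one client-to-server payload on TCP port 80."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        # Not an HTTP request: a rogue application tunnelling over port 80,
        # or a request too corrupted to parse
        return DROP, "non-HTTP traffic on port 80"
    method, url = m.group(1).decode("ascii"), m.group(2)
    if method not in policy.allowed_methods:
        return DROP, f"HTTP method {method} not permitted by policy"
    if len(url) > policy.max_url_len:
        return DROP, f"URL length {len(url)} exceeds {policy.max_url_len}"
    if any(b < 0x21 or b > 0x7E for b in url):
        # Control or non-ASCII bytes in the URL: typical of malformed requests
        return DROP, "malformed URL (non-printable bytes)"
    header_end = payload.find(b"\r\n\r\n")
    if header_end == -1 or header_end > policy.max_header_len:
        return DROP, "request header unterminated or too long"
    return PERMIT, "conforming HTTP request"


# Constructed sample payloads as a firewall might see them on port 80
SAMPLES: Dict[str, bytes] = {
    "web_page": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /" + b"A" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "binary_url": b"GET /a\x01b HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "p2p_handshake": b"\x00\x13CONSTRUCTED-P2P-HELLO\x00\x00",  # not HTTP at all
}


def inspect_samples() -> Dict[str, str]:
    """Verdict for every constructed sample; an alarm would be logged for each DROP."""
    return {name: inspect_port80(data)[0] for name, data in SAMPLES.items()}
```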


Secure Connectivity VPNs Solutions
Cisco has developed and acquired products and solutions that are optimized for secure
connectivity. This topic describes how secure connectivity is provided by VPNs.

Secure Connectivity Solutions—VPNs

Secure connectivity provides the following:
• Data privacy, encryption, and VPN
• Extended network reach
• Cost-effective, high-bandwidth connectivity

Cisco offers the following:
• Cisco 3000 Series VPN Concentrators
• VPN optimized routers
• Hardware and software clients

[Figure: an internal corporate network (internal users and servers behind a multilayer switch), a PIX Security Appliance and VPN router, a DMZ with public corporate servers, and the Internet connecting to corporate and partner VPN clients, remote and mobile workers, and remote and branch offices through VPN routers and firewalls.]

Secure connectivity provides the following:

• Data privacy, encryption, and VPN:
— Provides security over untrusted public networks
— Provides enhanced transport security for private networks
• Extended network reach:
— Teleworkers
— New or small sites
— Partner connectivity
• Cost-effective, high-bandwidth connectivity:
— Reduces transport costs
— Enables fast broadband telecommuters and remote site connectivity

Three VPN Solutions

[Figure: a main office connected through service provider POPs and a VPN cloud to a remote office, a home office, a mobile worker, and a business partner. Intranet VPN: low cost, tunneled connections with rich VPN services that lead to cost savings and new applications. Remote Access VPN: provides cost savings. Extranet VPN: extends WANs to business partners, which leads to new applications and business models.]

There are three basic VPN solutions to consider:

• Intranet VPN: This VPN solution links corporate headquarters to remote offices over a shared, prioritized network, and offers an extremely cost-effective alternative to dedicated WANs. Intranet VPNs need to scale easily as the organization grows.
• Extranet VPN: This VPN solution links network resources with third-party vendors and business partners, extending elements of the corporate intranet beyond the organization. To keep pace with rapidly changing business climates, extranet VPN access needs to be able to be turned on and off on the fly.
• Remote access VPN: This VPN solution connects telecommuters and mobile users securely and cost-effectively to corporate network resources from anywhere in the world over any access technology. Because this traffic may run on untrusted segments outside the service provider network, it must be encrypted to ensure privacy and security.


Secure Connectivity—The Cisco VPN 3000 Series Concentrator
The Cisco VPN 3000 Series Concentrator is a family of purpose-built, remote-access VPN
platforms and client software that incorporates high availability, high performance, and
scalability with the most advanced encryption and authentication techniques available today.
This topic describes the security features and solutions provided by the Cisco VPN 3000 Series
Concentrator.

Cisco VPN 3000 Series Concentrator

• Models available for small businesses (100 connections) up to large enterprises (10000 connections)
• Scalable and resilient
• Unlimited Cisco VPN Client licensing
• Supports a range of access methods:
– WebVPN (Secure Socket Layer VPN)
– Cisco VPN Client (IPSec VPN)
– Microsoft embedded clients
– Nokia Symbian client for wireless phones and PDAs
• Integrated Web-based management for configuration and monitoring
• Supports Cisco Network Admission Control (NAC)

With a Cisco VPN 3000 Series Concentrator, customers can vastly reduce their
communications expenditures by taking advantage of the latest VPN technology. These
concentrators are the only scalable platforms to offer field-swappable and customer-
upgradeable components. These components, called Scalable Encryption Processing (SEP)
modules, enable users to easily add capacity and throughput.

The Cisco VPN 3000 Series Concentrator includes models supporting a range of enterprise
customers, from small businesses with 100 or fewer remote-access users, to large organizations
with up to 10,000 simultaneous remote users. These concentrators provide businesses with
flexible, reliable, and high-performance remote-access solutions offering both IP Security
(IPSec) and Secure Sockets Layer (SSL)-based VPN connectivity on a single platform.

Cisco VPN 3000 Series Concentrators can be clustered to meet the demands of the largest
organizations. Clustering provides both scalability and a high level of resiliency. These
concentrators are available in both nonredundant and redundant configurations, allowing
customers to build the most robust, reliable, and cost-effective networks possible.

The Cisco VPN 3000 Series Concentrator provides the widest range of options, including
WebVPN (SSL VPN), Cisco VPN Client (IPSec VPN), Microsoft embedded clients, and the
Nokia Symbian client for wireless phones and personal digital assistants (PDAs). Secure
remote connections can be established from an SSL-capable Web browser, an SSL VPN client,
or an IPSec VPN client, allowing for maximum flexibility and application access without the
need to deploy and manage separate devices.

Integrated Web-based management on Cisco VPN 3000 Series Concentrators provides a simple
interface to configure and monitor all remote-access users, providing ease of manageability
across both IPSec and SSL VPN environments.

NAC is an industry initiative led by Cisco Systems that uses the network infrastructure to
enforce security policy compliance on all devices seeking to access network computing
resources. NAC features can be used in IPSec VPN deployments with the Cisco VPN Client.



The Cisco Secure VPN Client Framework

• Provides connectivity between all clients and all Cisco central-site VPN gear
• Based on a centralized push policy technology:
  – Simplifies user experience
  – Provides more control for companies
  – Reduces complexity of VPN deployments
• Can be implemented across all Cisco VPN Concentrators, Cisco IOS routers, and PIX Security Appliances
• Works on non-Windows operating systems (Linux, Mac, and Solaris):
  – Reduces support expense
  – Consolidates hardware
  – Reduces administration at the central site
• Included with all models of Cisco 3000 Concentrators and most Cisco PIX 500 Series Security Appliances

The VPN Client (version 4.x is shown in the figure) works with a Cisco VPN server to create a
secure connection, called a tunnel, between your computer and the private network. It uses the
Internet Key Exchange (IKE) and IPSec tunneling protocols to make and manage secure
connections. Some of the steps include:
Negotiating tunnel parameters—addresses, algorithms, lifetime, and so on.
Establishing tunnels according to the parameters.
Authenticating users—making sure users are who they say they are, by usernames, group
names and passwords, and X.509 digital certificates.
Establishing user access rights—hours of access, connection time, allowed destinations,
allowed protocols, and so on.
Managing security keys for encryption and decryption.
Authenticating, encrypting, and decrypting data through the tunnel.

For example, to use a remote PC to read e-mail at your organization, you connect to the
Internet, then start the VPN Client and establish a secure connection through the Internet to
your organization's private network. When you open your e-mail, the Cisco VPN server uses
IPSec to encrypt the e-mail message. It then transmits the message through the tunnel to your
VPN Client, which decrypts the message so you can read it on your remote PC. If you reply to
the e-mail message, the VPN Client uses IPSec to process and return the message to the private
network through the Cisco VPN server.

The Cisco VPN Client supports Microsoft Windows 98, Windows Me, NT 4.0, 2000, and XP;
Linux (Intel); Solaris (UltraSparc 32- and 64-bit); and Mac OS X 10.1 and 10.2. The Cisco
VPN Client is compatible with all Cisco VPN products, including:
Cisco VPN 3000 Series Concentrators
Cisco VPN 3000 Series Concentrator Software version 3.0 and higher
Cisco IOS Software Releases 12.2(8)T and higher
Cisco PIX Security Appliance Software version 6.0 and higher



Cisco VPN 3002 Hardware Client

(Figure: Cisco VPN 3002 Hardware Clients at a home office behind a cable modem, a small office behind a DSL modem, and a site behind an ISDN modem, each tunneling across the Internet to a central Cisco VPN 30xx Concentrator, alongside a single-user Cisco VPN Client.)

• Easy deployment
• Centralized policy push
• Two 10/100 and 8-port hub version
• Supports DHCP client and server
• Allows PAT (external and tunnel)
• Supports client and network extension modes

Based on the unified VPN client framework, the Cisco VPN 3002 Hardware Client combines
the best features of a software client, including scalability and ease-of-deployment, with the
stability and independence of a hardware platform. The Cisco VPN 3002 Hardware Client
works with all operating systems and does not interfere with the operation of the PC because it
is a separate hardware appliance.

The Cisco VPN 3002 Hardware Client is a small, highly cost-effective appliance and is ideal
for organizations where thousands of remote end-users might be tunneling into corporate
networks from large numbers of geographically dispersed branch or home office sites.

For security and easy configuration, the Cisco VPN 3002 Hardware Client includes two modes:
Client and Network Extension. In Client mode, the VPN 3002 Hardware Client emulates the
operation of VPN client software. The stations behind the VPN 3002 Hardware Client are non-
routable (invisible to the central site) and acquire their IP addresses from a built-in DHCP
server. The VPN 3002 Hardware Client public port can acquire its IP address from an Internet
service provider (ISP) by using its DHCP client capability. In Network Extension mode, the
stations behind the VPN 3002 Hardware Client are fully routable because the VPN 3002
Hardware Client now uses a secure site-to-site connection with the central site.

Remote Access Wireless VPN

(Figure: mobile wireless devices running the Certicom client, the Aironet client, or the Cisco VPN 3000 Client connect across the Internet to a Cisco VPN 30xx Concentrator at the main office.)

Remote access wireless VPN solutions are available for the VPN concentrator via the Cisco
Architecture for Voice, Video, and Integrated Data (AVVID) partner program. With Cisco
VPN Software Release 3.0, all Cisco VPN 3000 Series Concentrators support Elliptic Curve
Cryptography (ECC). This new Diffie-Hellman (DH) group allows for much faster processing
of keying information by devices with limited processing power such as PDAs and smart
phones. Cisco VPN 3000 Series Concentrators can now securely terminate tunnels from IP-
enabled wireless devices, allowing a whole new class of users to securely access enterprise
information while preserving the investment in VPN termination equipment in the enterprise
data center.



Secure Connectivity—Cisco VPN-Enabled
Routers
This topic describes the security features of the Cisco VPN-enabled routers.

Cisco VPN-Enabled Routers

• Cisco VPN-enabled routers are used for site-to-site VPNs:
  – Cisco 800 Series, 900 Series, 1700 Series, 2600 Series, 2700 Series, 3600 Series, 3700 Series, and 7000 Series routers
  – VPN Accelerator Module 2 (VAM2) enhances VPN performance of Cisco 7000 Series routers
  – Cisco 1800 Series, 2800 Series, and 3800 Series Integrated Services Routers have built-in VPN acceleration and the high-performance AIM
• VPN-enabled routers offer:
  – Scalability
  – Network resiliency
  – Bandwidth optimization and QoS
  – Deployment flexibility

Site-to-site VPNs are alternative WAN infrastructures that are used to connect branch offices,
home offices, or business partner sites to all, or portions, of a company network. VPNs do not
inherently change private WAN requirements, such as support for multiple protocols, high
reliability, and extensive scalability, but instead meet these requirements more cost-effectively
and with greater flexibility. Site-to-site VPNs use the most pervasive transport technologies
available today, including the Internet or service provider IP networks, by employing
tunneling and encryption for data privacy and QoS for transport reliability.

Cisco VPN-enabled routers include high-performance, hardware-based IPSec encryption,
multiple WAN interfaces, and the entire Cisco IOS software feature set. Using Cisco IOS
software, Cisco VPN routers also provide a comprehensive feature set to meet the most diverse
networking requirements, including support for routing, multiprotocol, and multicast across the
VPN, as well as enhanced features like firewall capabilities and QoS. The following summarize
the site-to-site VPN scalability and features for Cisco VPN-enabled routers:
Scalability: Up to 140 Mbps of 3DES throughput and 3000 tunnels
Network resiliency:
— Dynamic router recovery using routing protocols through IPSec-secured Generic
Routing Encapsulation (GRE) tunnels
— Dynamic tunnel recovery using IPSec IKE keepalives
Bandwidth optimization and QoS:
— Application-aware bandwidth allocation, queuing, policing, and traffic shaping

— Ensured quality of latency-sensitive traffic
Deployment flexibility:
— Interface flexibility for combined WAN and VPN or behind-edge VPN
— Use as a standalone VPN device or as an integrated multi-function device

The Cisco 1800 Series, 2800 Series, and 3800 Series of ISRs incorporate hardware-based
encryption as a standard feature. Built-in, hardware-based encryption acceleration offloads the
VPN processes to provide increased VPN throughput with minimal impact on the router CPU.
If additional VPN throughput or scalability is required, optional VPN encryption advanced
integration modules (AIMs) are available. These routers also are offered as bundles with the
appropriate Cisco IOS software security images to enable a rich, integrated package of routing
and security.



VPN Accelerator Module 2 for Cisco 7100, 7200, and 7400 Series Routers

Hardware acceleration for:
• IPSec encryption—Up to 145 Mbps of VPN performance and 5000 tunnels
• RSA—Faster tunnel-recovery key generation and authentication
• IPPCP LZS compression

The VPN Accelerator Module 2 (VAM2) is a single-width acceleration module that provides
high-performance, hardware-assisted tunneling and encryption services suitable for VPN
remote-access, site-to-site intranet, and extranet applications. The VAM2 also provides
platform scalability and security while working with all the services (security, QoS, firewall
and intrusion detection, service-level validation, and management) that are necessary for
successful VPN deployments. The VAM2 off-loads IPSec processing from the main processor,
and thus frees resources on the processor engines for other tasks.

Scalable Site-to-Site VPN Router Solutions

(Figure: a main office, a branch office, a remote office, and a small office/home office connected across the Internet by VPN-enabled routers: Cisco 1700 Series routers and 1800 Series ISRs for remote offices at T1/E1 speeds; Cisco 2600, 3600, and 3700 Series routers and 1800 and 2800 Series ISRs for branch and regional offices at nxT1/E1 speeds; Cisco SOHO, 800, and 900 Series routers for ISDN, DSL, and cable; Cisco 7000 Series routers and 3800 Series ISRs for the dedicated VPN head end and hybrid private WAN and VPN at the main office.)

Site-to-site VPNs can be deployed using a wide variety of Cisco VPN routers. Cisco VPN
routers provide scalability through optional encryption acceleration. The Cisco VPN router
portfolio provides solutions for small office and home office (SOHO) access through central-
site VPN aggregation. SOHO solutions include platforms for fast-emerging cable and DSL-
access technologies.

The following are scalability recommendations for site-to-site VPN solutions:


Remote office: Cisco 1700 Series and 1800 Series ISRs connect remote offices at T1/E1
speeds.
Regional office: Cisco 2600 Series, 3600 Series, and 3700 Series routers, and Cisco 1800
Series and 2800 Series ISRs connect branch and regional offices at nxT1/E1 speeds.
Small Office/Home Office (SOHO): Cisco 800 Series and 900 Series routers are VPN-
enabled routers that are used for ISDN, DSL, and cable connectivity.
Main Office: Cisco 7000 Series and 3800 Series ISRs provide dedicated VPN head-end
and hybrid private WAN and VPN connectivity.



Secure Connectivity—VPN Product Positioning
This topic describes optimum product positioning for a range of VPN requirements.

VPN Product Positioning

Large Enterprise, Service Provider:
• Remote access: Cisco VPN 3060 and VPN 3080 Concentrators
• Site-to-site: Cisco 7200 Series router, Cisco 3800 Series ISRs and higher
• Firewall-based: Cisco PIX 525 and 535 Security Appliances

Medium Enterprise:
• Remote access: Cisco VPN 3030 Concentrator
• Site-to-site: Cisco 3600 Series and 7100 Series routers, and Cisco 2800 Series and 3800 Series ISRs
• Firewall-based: Cisco PIX 515 Security Appliances

Small Business or Branch Office:
• Remote access: Cisco VPN 3005 and VPN 3015 Concentrators
• Site-to-site: Cisco 3600 Series, 2600 Series, and 1700 Series routers, and 1800 Series ISRs
• Firewall-based: Cisco PIX 506 and 515 Security Appliances

SOHO Market:
• Remote access: Cisco VPN Software Client and Cisco VPN 3002 Hardware Client
• Site-to-site: Cisco 800 Series and 900 Series routers
• Firewall-based: Cisco PIX 506 and 501 Security Appliances

Cisco provides VPN solutions for all network sizes. The information in the figure indicates the
platforms that can support each size of network most effectively. You can use this information
as a starting point to choose which device best fits your environment.

Intrusion Prevention System Solutions
This topic describes how Cisco intrusion prevention systems (IPS) sensors prevent intrusions.

Intrusion Prevention System Solutions

(Figure: a corporate office with a data center, NAS, and DMZ servers, connected to the Internet, to a business partner, and to remote users, with four IPS placements.)

• Internet IPS: complements the firewall and VPN by monitoring traffic for malicious activity.
• Extranet IPS: monitors partner traffic where "trust" is implied but not assured.
• Intranet and internal IPS: protects data centers and critical assets from internal threats.
• Remote access IPS: hardens perimeter control by monitoring remote users.

The Cisco IPS is an enterprise-class, network-based intrusion protection system that is designed
to address the increased requirements for security visibility, denial of service (DoS) protection,
hacking detection, and e-commerce business defenses. The Cisco IPS family leads the market
in innovative security monitoring solutions. Sensor devices detect unauthorized activity such as
attacks by hackers by analyzing traffic in real time, which enables users to respond quickly to
security breaches. When unauthorized activity is detected, Cisco IPS sensors can send
alarms to a management console with details of the activity, and can control other systems,
such as routers, to terminate the unauthorized sessions.

There are four recommended deployment scenarios:


Extranet IPS: IPS deployment to an extended network
Internet IPS: IPS deployment to a public network
Intranet and internal IPS: IPS deployment to an internal network
Remote access IPS: IPS deployment to a remote-access network



Intrusion Detection and Intrusion
Prevention

Intrusion detection systems (IDS):
• "Taps" network traffic
• Responds after the attack
• IDS Version 4.x software

Intrusion prevention system (IPS):
• Works inline
• Stops attacks before they enter the network
• IPS Version 5.0 software

It is critical that you master the following definitions:


Intrusion detection, intrusion prevention, and intrusion protection
IDS alarms, including false positive, false negative, true positive, and true negative alarms
Vulnerabilities and exploits
Intrusion detection methodologies, including profile-based, signature-based, and protocol
analysis-based
IDS response operation (terminate, block, or log)

An intrusion detection system (IDS) detects attacks against a network, including attacks against
hosts and devices. When the sensor detects unauthorized activity it can send alarms to the
management console(s) with details of the activity. IDS can only respond after an attack is
detected. In the case of an atomic attack, in which the malicious content is contained in a single
packet, the malicious packet can reach its target before a response action can be taken. Intrusion
detection is the ability to detect misuse, abuse, and unauthorized access to networked resources.

An IPS represents a significant advance over IDS. With the release of Cisco IPS version 5.0,
every packet (even the very first one) can be dropped before it can reach its target.

Older Cisco IDS sensors such as the Cisco IDS 4250 XL Sensor and the Cisco IDS 4215
Sensor provide detection. Newer Cisco IPS sensors such as Cisco IPS 4255 Sensor and Cisco
IPS 4240 Sensor, as well as current Cisco IOS software, can be deployed inline to provide
intrusion prevention, or in a “promiscuous mode” can “tap” network traffic, to provide
detection.
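To make the difference concrete, here is an added example in Python (not course material or Cisco code) that runs the same constructed packets through a promiscuous sensor and an inline one. The signature is a made-up pattern for a directory-traversal probe, not a Cisco signature, and the malicious/benign labels are assigned by hand so that each verdict can be graded as a true positive, false positive, true negative, or false negative, the alarm types listed above.

```python
"""Promiscuous IDS versus inline IPS on an atomic (single-packet) attack.

Added example, not course material or Cisco code. The packets, the
signature and the ground-truth labels are constructed; the signature is a
made-up pattern for a directory-traversal probe, not a Cisco signature ID.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    malicious: bool      # ground truth, used only to grade the sensor, never by it


# Constructed signature: HTTP GET whose path contains "../" followed by "passwd".
SIGNATURE = re.compile(rb"GET\s+\S*\.\./\S*passwd", re.IGNORECASE)


def matches(pkt: Packet) -> bool:
    return SIGNATURE.search(pkt.payload) is not None


@dataclass
class Result:
    delivered: list = field(default_factory=list)   # packets the target actually received
    alarms: list = field(default_factory=list)      # packets the sensor alarmed on
    dropped: list = field(default_factory=list)     # packets an inline sensor discarded


def run_ids(traffic) -> Result:
    """Promiscuous sensor on a tap or SPAN port: the switch forwards the packet
    regardless; the copy is inspected after the fact."""
    r = Result()
    for pkt in traffic:
        r.delivered.append(pkt)      # the target already has it ...
        if matches(pkt):
            r.alarms.append(pkt)     # ... by the time the alarm is raised
    return r


def run_ips(traffic) -> Result:
    """Inline sensor: every packet, including the first, is inspected before
    it is forwarded; a match is dropped instead of delivered."""
    r = Result()
    for pkt in traffic:
        if matches(pkt):
            r.alarms.append(pkt)
            r.dropped.append(pkt)
        else:
            r.delivered.append(pkt)
    return r


def grade(traffic, result: Result) -> dict:
    """Score the sensor's verdicts against the ground-truth labels."""
    alarmed = {id(p) for p in result.alarms}
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for p in traffic:
        fired = id(p) in alarmed
        if fired and p.malicious:
            counts["tp"] += 1          # attack, alarm raised
        elif fired:
            counts["fp"] += 1          # benign, alarm raised
        elif p.malicious:
            counts["fn"] += 1          # attack, no alarm
        else:
            counts["tn"] += 1          # benign, no alarm
    return counts


# Constructed traffic: a normal request, a traversal attack, a benign request that
# trips the signature, and an encoded variant of the attack the signature misses.
SAMPLE = [
    Packet("10.1.1.5", "172.16.0.10", b"GET /index.html HTTP/1.0\r\n", False),
    Packet("198.51.100.7", "172.16.0.10", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n", True),
    Packet("10.1.1.9", "172.16.0.10", b"GET /docs/../passwd-policy.html HTTP/1.0\r\n", False),
    Packet("198.51.100.7", "172.16.0.10", b"GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.0\r\n", True),
]

if __name__ == "__main__":
    for name, run in (("IDS", run_ids), ("IPS", run_ips)):
        res = run(SAMPLE)
        print(name, "delivered", len(res.delivered), "alarms", len(res.alarms),
              "dropped", len(res.dropped), grade(SAMPLE, res))
```

Both sensors raise exactly the same alarms; what differs is whether the attack packet has already been delivered when the alarm fires. The false positive also shows why signature tuning matters more once a sensor goes inline: a promiscuous sensor that misfires costs an analyst some time, while an inline sensor that misfires drops legitimate traffic.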

Cisco IDS and IPS Active Defense Systems

• Network sensors: overlaid network protection
• Switch sensors: integrated switch protection
• Router sensors: integrated router protection
• Firewall sensor: integrated firewall protection feature
• Comprehensive management: robust system management and monitoring

Cisco provides a complete product portfolio that enables customers to implement and manage
active defense systems. The Cisco IDS and IPS products include the following:
Network sensors: These sensors provide dedicated intrusion detection and intrusion
prevention with the ability to monitor and protect network segments.
Switch sensors: These sensors are integrated into the switch fabric to provide seamless
intrusion detection.
Router sensors: These sensors provide intrusion detection for deployments that require
basic intrusion detection features.
Firewall sensors: These sensors provide intrusion detection for deployments that require
basic intrusion detection features.
Comprehensive management: These products provide robust system management and
monitoring.



Network Intrusion Prevention System Solutions: Cisco IPS Sensor Platforms
This topic describes the features of the components of the Cisco IDS/IPS portfolio. These
products work together to protect data and information infrastructure. They are available as
sensor appliances, as modules for routers and switches, and as embedded features in Cisco IOS
and PIX software.

Cisco Sensor Platforms

(Figure: Cisco sensor platforms positioned by throughput in Mbps: Cisco IDS 4250 XL at 1000, Catalyst 6500 IDSM-2 at 600, IPS 4255 at 500, IPS 4240 at 250, IDS 4215 at 80, IDS Network Module at 45, with Cisco IOS and PIX software IDS/IPS at the low end. Network media shown: 10/100 TX, 10/100/1000 TX, switched 1000, and 1000 SX.)

The figure shows the relative positioning of the Cisco IDS/IPS 4200 Series sensors, the Cisco
Catalyst IDS Module, and the Cisco IDS Network Module for access routers. Cisco IDS/IPS 4200
Series sensors can be placed on almost any segment of the enterprise-wide network where
security visibility is required. They are critical components of the Cisco IPS solution. These
sensors work with other IDS/IPS components to protect data and the information infrastructure.

The Cisco IDS/IPS 4200 Series includes the following four products: Cisco IDS 4215 Sensor,
Cisco IPS 4240 Sensor, Cisco IPS 4255 Sensor, and Cisco IDS 4250-XL Sensor. This series
delivers a broad range of solutions that allows easy integration into many different
environments, including enterprise and service provider environments. Each sensor addresses
bandwidth requirements at one of several speeds, from 80 Mbps to gigabits per second.

The Cisco Catalyst 6500 Intrusion Detection System (IDSM-2) Services Module provides full-
featured intrusion protection in the core network fabric device.

The Network Module-Cisco IDS (NM-CIDS) can be installed in a Cisco 2600XM Series
router, a Cisco 2691 Router, a Cisco 3660 Router, or 3700 Series router to provide 45 Mbps of
full-featured intrusion protection services within the router.

The router sensor integrates intrusion detection into Cisco IOS software. A Cisco IOS IDS is
able to detect a limited subset of attacks compared to an IDS sensor appliance or IDSM-2.
Thus, it is appropriate for lower-risk environments.
The firewall sensor provides a focused set of IDS capabilities via a software solution integrated
into the Cisco PIX Security Appliance software.



Cisco IOS IPS

• Newly enhanced router-based IPS enables broadly deployed worm and threat mitigation services
• Able to load and enable IPS signatures in the same manner as Cisco IDS sensor appliances
• More than 700 of the same signatures also supported by Cisco IDS Sensor platforms
• Signatures can be customized for quick reaction to new threats
• Aimed at remote branch office applications
• Supports Trend Micro signatures

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet-inspection-based
solution that enables Cisco IOS software to mitigate a wide range of network attacks
effectively without compromising router performance. With the intelligence and performance to
accurately identify, classify, and stop malicious or damaging traffic in real time, Cisco IOS IPS
is a core facet of the Self-Defending Network.

While it is common practice to defend against head-end attacks by inspecting traffic and
installing firewalls, it is also critical to stop malicious traffic close to its entry point by
protecting the branch offices. Deploying inline Cisco IOS IPS at the branch enables gateways
to drop traffic, send an alarm, or reset the connection as needed, to stop attacking traffic at the
point of origination and quickly remove unwanted traffic from the network.

Key benefits of Cisco IOS IPS include the following:
Leverages existing Cisco router infrastructure
Mitigates both internal and external attacks on the network with inline capabilities
Complements Cisco IOS Firewall and VPN solutions for superior threat protection at all
entry points into the network

The software and hardware requirements of a Cisco IOS software-based device performing
intrusion detection are as follows:
Cisco IDS Sensor Software: Cisco IOS Software Release 12.0(5)T and later
Cisco IPS Sensor Software: Cisco IOS Software Release 12.3(8)T and later
Hardware: Cisco 830 Series, 1700 Series, 2600 Series, 3600 Series, 7100 Series, 7200
Series, 7500 Series and ISR Series routers

Host Intrusion Prevention System Solutions
This topic describes the use and features of host-based intrusion prevention system (HIPS) and
the Cisco Security Agent (CSA) in network security.

Host-Based Intrusion Prevention System

(Figure: the Cisco Security Agent sits between the application and the kernel.)
1. An application calls for system resources.
2. CSA checks the call against policy.
3. Requests are allowed or denied.

A HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS
is that it can monitor operating system processes and protect critical system resources,
including files that may exist only on that specific host. A HIPS combines behavioral analysis
and signature filters, and it combines the best features of antivirus, network firewalls, and
application firewalls in one package.

A simple form of HIPS is to enable system logging on the host and then analyze the logs.
However, this can be extremely labor intensive. Contemporary HIPS software, such as CSA,
requires agent software to be installed on each host to monitor activity performed on and against
the host. CSA performs the intrusion detection analysis and protects the host.
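The following added example in Python (not CSA code) shows what the interception in the figure amounts to: each resource request from a process is matched against an ordered, default-deny policy before it reaches the kernel, and network events from one process are correlated over a time window so that a port scan is stopped even though each individual connection would be allowed. The rule format, process names, paths, thresholds, and events are all constructed for illustration.

```python
"""Host-based interception in the style of CSA: an agent between the
application and the kernel checks each resource request against policy and
allows or denies it, and correlates behaviour across requests.

Added example, not CSA code. Rules, process names, paths, thresholds and
events are constructed; the rule language is invented for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    process: str     # image name making the call
    op: str          # "file_read", "file_write", "exec" or "net_connect"
    target: str      # path, program, or "host:port"
    ts: float        # seconds


@dataclass(frozen=True)
class Rule:
    process: str     # exact image name or "*"
    op: str
    target_prefix: str
    action: str      # "allow" or "deny"


def _applies(rule: Rule, req: Request) -> bool:
    return (rule.process in ("*", req.process)
            and rule.op == req.op
            and req.target.startswith(rule.target_prefix))


class Agent:
    """Default-deny policy check plus behavioural correlation of network events."""

    def __init__(self, rules, scan_ports=10, scan_window=5.0):
        self.rules = rules
        self.scan_ports = scan_ports          # distinct ports that count as a scan
        self.scan_window = scan_window        # seconds of history kept per process
        self._conn = defaultdict(deque)       # process -> recent (ts, port)
        self.log = []

    def check(self, req: Request) -> str:
        # First matching rule wins, so a process's deny rules are listed before
        # its broad allows; anything no rule covers is denied.
        verdict = "deny"
        for rule in self.rules:
            if _applies(rule, req):
                verdict = rule.action
                break
        if req.op == "net_connect" and verdict == "allow" and self._looks_like_scan(req):
            verdict = "deny"
            self.log.append(("port_scan", req.process, req.ts))
        self.log.append((verdict, req.process, req.op, req.target))
        return verdict

    def _looks_like_scan(self, req: Request) -> bool:
        """Many distinct destination ports from one process inside the window."""
        port = int(req.target.rsplit(":", 1)[1])
        recent = self._conn[req.process]
        recent.append((req.ts, port))
        while recent and req.ts - recent[0][0] > self.scan_window:
            recent.popleft()
        return len({p for _, p in recent}) >= self.scan_ports


# Constructed policy for a Windows web server host.
POLICY = [
    Rule("httpd.exe", "file_write", "C:\\inetpub\\wwwroot\\", "deny"),            # web root read-only for httpd
    Rule("httpd.exe", "file_read", "C:\\inetpub\\wwwroot\\", "allow"),
    Rule("httpd.exe", "file_read", "C:\\inetpub\\logs\\", "allow"),
    Rule("httpd.exe", "exec", "C:\\WINDOWS\\system32\\cmd.exe", "deny"),          # classic post-exploit step
    Rule("backup.exe", "file_read", "C:\\", "allow"),
    Rule("*", "net_connect", "", "allow"),                                         # subject to scan correlation
]


def replay(events):
    """Run constructed events through a fresh agent; returns verdicts and the event log."""
    agent = Agent(POLICY)
    return [agent.check(e) for e in events], agent.log


SAMPLE_EVENTS = [
    Request("httpd.exe", "file_read", "C:\\inetpub\\wwwroot\\index.html", 0.0),
    Request("httpd.exe", "file_write", "C:\\inetpub\\wwwroot\\shell.asp", 0.1),   # webshell drop
    Request("httpd.exe", "exec", "C:\\WINDOWS\\system32\\cmd.exe", 0.2),         # overflow payload spawning a shell
    Request("httpd.exe", "file_read", "C:\\WINDOWS\\repair\\sam", 0.3),           # no rule: default deny
    Request("backup.exe", "file_read", "C:\\inetpub\\wwwroot\\index.html", 0.4),
] + [Request("worm.exe", "net_connect", f"10.0.0.{i}:445", 1.0 + i * 0.1) for i in range(1, 4)] \
  + [Request("worm.exe", "net_connect", f"10.0.0.9:{p}", 2.0 + p * 0.01) for p in range(20, 32)]

if __name__ == "__main__":
    verdicts, log = replay(SAMPLE_EVENTS)
    for req, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"{v:5} {req.process:11} {req.op:12} {req.target}")
```

The three httpd events that are denied (writing into the web root, spawning cmd.exe, reading outside the allowed paths) are exactly the steps a web exploit takes after the overflow succeeds, and none of them needed a signature for the exploit itself. The worm's first eight connections to distinct ports pass, the ninth trips the correlation threshold, and everything after it from that process is denied.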



Host-Based Intrusion Prevention System (Cont.)

(Figure: a corporate network behind a firewall facing an untrusted network. Agents run on the SMTP server, the WWW and DNS servers, the application server, and user desktops; all report to a console server inside the corporate network.)

The figure illustrates a typical HIPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The Agents report events to a central console server located inside the corporate firewall.

CSA Architecture

(Figure: an administration workstation connects to the CSA MC over SSL; the CSA MC sends security policy to the CSA on each protected server and receives events from it; alerts go back to the administrator.)

The CSA architecture model consists of:


Management Center for Cisco Security Agent (CSA MC): CSA MC allows the
administrator to divide network hosts into groups by function and security requirements,
and then configure security policies for those groups. The CSA MC can maintain a log of
security violations and send alerts through e-mail or via a pager.
CSA: CSA is software that is installed on the host systems. CSA continually monitors local
system activity and analyzes the operations of that system. CSA takes proactive action to
block attempted malicious activity. CSA also polls the CSA MC at configurable intervals
for policy updates.
An administration workstation: An administration workstation can be any workstation
connecting securely to the CSA MC using a Secure Sockets Layer (SSL)-enabled web
interface.



Cisco Security Agent Features
• Active protection
– Protects applications and operating systems against known and
unknown attacks.
– Provides preventive protection against entire classes of attacks
including port scans, buffer overflows, Trojans, malformed packets, and
e-mail worms.
– Uses behavior-based technology to provide "Zero Update" prevention
for known and unknown attacks.
– Prevents access to server resources before unauthorized activity
occurs.
• Centralized Management
• Automatic and transparent agent deployment to up to 5,000
endpoints
• Active update capabilities—Security policy and software updates
propagated to agents without operator intervention
• Five to ten percent agent CPU overhead

The CSA defense-in-depth approach protects a system from attacks at the following layers:
Network
File system
Configuration
Execution space
Real-time correlation at the agent and enterprise levels reduces false positives and allows
adaptability to new threats enterprise-wide. It results in the following:

A network scan that touches multiple systems within a configured time period is logged as a
single network event.
Worm events on multiple systems cause all systems to quarantine the contaminated files.
NT event logs and virus scanner logs can be correlated across the enterprise.

Identity Solutions—Cisco Secure Access Control
Server
This topic describes the use of Cisco Secure Access Control Servers (ACS) to provide network
security through identification and authentication.

Cisco Secure Access Control Server

Cisco Secure ACS is an AAA system with these features:
• Key component used with firewalls, dial-up access servers, and routers
• Implemented at network access points to authenticate remote or dial-in users
• Implemented at WAN and extranet connections to audit activities and control authentication and authorization for business partner connections

You can leverage the same Cisco Secure ACS access framework to control administrator access
and configuration for all network devices in your network that are enabled by RADIUS and
TACACS+. Advanced features of the Cisco Secure ACS include the following:
Automatic service monitoring
Database synchronization and import tools for large-scale deployments
Lightweight Directory Access Protocol (LDAP) user authentication support
User and administrative access reporting
Restrictions such as time of day and day of week
User and device group profiles



Cisco Secure ACS—Product Summary

The following is the Cisco Secure ACS product summary:
• Easy-to-use web GUI
• Full RADIUS and TACACS+ user and administrator access control
• High performance (500+ authorizations per second)
• Supports LDAP, NDS, and ODBC datastores
• Scalable data replication and redundancy services
• Full accounting and user reporting features

This figure summarizes the features of Cisco Secure ACS.

Identity and Authentication

(Figure: an ACS server with OTP hard and soft tokens and a CA, serving VPN clients over the Internet through a firewall and router, plus DSL-connected remote offices.)

• The following provide unified control of user identity for the enterprise:
  – Cisco IOS routers
  – VPNs
  – Firewalls
  – Dial-up and broadband
  – Cable access solutions
  – VoIP
  – Cisco wireless solutions
  – Cisco Catalyst switches
  – Network devices enabled by TACACS+
  – Network devices enabled by RADIUS
• The following are authentication methods:
  – Static passwords
  – One-time passwords
  – RADIUS
  – TACACS+

The Cisco Secure ACS is a high-performance, highly scalable, centralized user access control
framework. Cisco Secure ACS offers centralized command and control for all user
authentication, authorization, and accounting activities, and distributes those controls to
hundreds or thousands of access gateways in your network. Authentication verifies user
identity. Authorization determines what an authenticated user is permitted to do, such as the
user's access rights. Accounting assists with auditing by logging user activities.
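The protocol that carries those three functions between a network access device and Cisco Secure ACS is RADIUS or TACACS+. The added Python example below (not Cisco or ACS code) builds a RADIUS Access-Request the way RFC 2865 specifies it, including the User-Password hiding keyed by the shared secret, and has a minimal server answer with a Response Authenticator that the NAS verifies before trusting the reply. The shared secret, user name, password, and addresses are constructed test values.

```python
"""RADIUS Access-Request/Access-Accept exchange between a NAS and an AAA server.

Added example, not Cisco or ACS code. It implements the User-Password hiding
and the Response Authenticator from RFC 2865. Shared secret, user name,
password and addresses are constructed test values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """NAS side. The Request Authenticator must be fresh and unpredictable per request."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """AAA server side: reveal the password, check it, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    body = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return body + hashlib.md5(body + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a reply without a valid Response Authenticator is discarded;
    otherwise anyone on the path could inject an Access-Accept."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and expected == response[4:20]


def nas_login(username: bytes, password: bytes, secret: bytes, users: dict) -> str:
    req = build_access_request(7, username, password, "192.0.2.10", secret)
    resp = server_respond(req, secret, users)
    if not verify_response(resp, req, secret):
        return "unverified"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


# Constructed values, not real credentials.
SECRET = b"nas-shared-secret"
USERS = {b"alice": b"correct horse battery staple"}   # 28 bytes, so two password blocks

if __name__ == "__main__":
    print(nas_login(b"alice", b"correct horse battery staple", SECRET, USERS))   # accept
    print(nas_login(b"alice", b"guess", SECRET, USERS))                          # reject
```

The example makes one practical difference between the two protocols visible: RADIUS hides only the User-Password attribute, with an MD5 keystream derived from the shared secret, so the user name and every other attribute travel in the clear, and a short shared secret can be recovered offline from one captured request and reply; TACACS+ applies its keystream to the entire packet body. Either way, AAA traffic belongs on a management network or inside an IPSec tunnel, with a long random shared secret per device.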



Network Admission Control
This topic describes the functions of Cisco Network Admission Control (NAC).

NAC

Coalition of market-leading vendors. NAC solution: leverages the network to intelligently enforce access privileges based on endpoint security posture.

(Figure: hosts attempting network access run the Cisco Trust Agent and present credentials to network access devices; those devices relay the credentials over RADIUS to the policy (AAA) server, which consults vendor servers for the "comply?" decision and returns access rights and a notification to the enforcement point.)

• Focused on limiting damage from viruses and worms
• Limits network access to compliant, trusted endpoints
• Restricts network access by noncompliant devices
• Supports multiple AV vendors and Cisco Security Agent
• The ISR Security Bundles ship with NAC capability

Cisco Network Admission Control (NAC) is a Cisco-led, multi-vendor program focused on
limiting damage from emerging security threats such as viruses and worms. NAC allows
network access only to compliant and trusted endpoint devices such as PCs, servers, and
wireless devices, and can restrict the access of non-compliant devices.

In its initial phase, NAC enables Cisco routers to enforce access privileges when an endpoint
device enters a network. This decision can be based on information about the endpoint device
such as its current antivirus state and operating system patch level. Based on customer-defined
policy, the network decides and enforces the appropriate admission control decision: permit,
deny, quarantine, or restrict. Initially, NAC will support endpoints running Microsoft®
Windows NT, XP and 2000 operating systems. NAC is a unique approach to prevent
vulnerable and non-compliant hosts from impacting enterprise resilience, and it enables
customers to leverage their existing network and antivirus infrastructure.

The figure illustrates three of the following four components of the NAC system:

• Endpoint security software (antivirus client, Cisco Security Agent, personal firewall, and the Cisco Trust Agent): The Cisco Trust Agent collects security state information from multiple security software clients, such as antivirus clients, and communicates this information to the connected Cisco network where access control decisions are enforced. Application and operating system status, such as antivirus and operating system patch levels or credentials, can then be used to determine the appropriate network admission decision. Cisco and NAC co-sponsors will integrate the Cisco Trust Agent with their security software clients.

• Network access devices: Network devices which enforce admission control policy include routers, switches, wireless access points, and security appliances. These devices demand host credentials and relay this information to policy servers where network admission control decisions are made. Based on customer-defined policy, the network enforces the appropriate admission control decision: permit, deny, quarantine, or restrict.

• Policy server: The policy server is responsible for evaluating the endpoint security information relayed from network devices and determining the appropriate access policy to apply. Cisco Secure ACS server, an authentication, authorization, and accounting RADIUS server, is the foundation of the policy server system. This server may work in concert with NAC co-sponsor application servers that provide deeper credential validation capabilities, such as antivirus policy servers.

• Management system: Cisco management solutions will provision the appropriate Cisco NAC elements and provide monitoring and reporting operational tools. CiscoWorks VPN/Security Management Solution (CiscoWorks VMS) and CiscoWorks Security Information Manager Solution (CiscoWorks SIMS) form the basis for this capability. Cisco NAC co-sponsors will provide management solutions for their endpoint security software.
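The admission flow described above, as an added example that is not Cisco code: the Trust Agent posture (antivirus state, patch level) is relayed by the access device to a policy-server function that returns one of the four decisions (permit, deny, quarantine, restrict) and the VLAN to place the host in. All thresholds, VLAN numbers and endpoint names are constructed assumptions standing in for customer-defined policy.

```python
"""Hypothetical NAC admission decision engine (added example, not Cisco's code).

Models the flow the text describes: the Cisco Trust Agent collects posture
(antivirus state, OS patch level) on the endpoint, the network access device
relays those credentials to the policy server, and the policy server returns
one of the four admission decisions: permit, deny, quarantine, or restrict.
All thresholds below are constructed assumptions standing in for the
customer-defined policy.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    PERMIT = "permit"          # compliant: full access
    RESTRICT = "restrict"      # minor drift: access with restrictions
    QUARANTINE = "quarantine"  # non-compliant: remediation network only
    DENY = "deny"              # cannot be trusted at all


@dataclass(frozen=True)
class Posture:
    """Credentials the Trust Agent would relay for one endpoint."""
    has_trust_agent: bool
    av_installed: bool
    av_signature_age_days: int
    missing_critical_patches: int


@dataclass(frozen=True)
class Policy:
    """Constructed policy thresholds (hypothetical values)."""
    max_signature_age_days: int = 7      # older signatures -> restrict
    quarantine_patch_threshold: int = 3  # this many missing patches -> quarantine
    production_vlan: int = 10
    quarantine_vlan: int = 99


@dataclass
class AdmissionResult:
    decision: Decision
    vlan: Optional[int]
    reasons: List[str] = field(default_factory=list)


def evaluate_posture(posture: Posture, policy: Policy) -> AdmissionResult:
    """Policy-server side: map endpoint posture to an admission decision."""
    # Without the agent there are no credentials to evaluate, so the host
    # cannot demonstrate compliance and is refused.
    if not posture.has_trust_agent:
        return AdmissionResult(Decision.DENY, None,
                               ["no Trust Agent credentials presented"])

    reasons: List[str] = []
    severe = False  # at least one finding that warrants quarantine

    if not posture.av_installed:
        reasons.append("antivirus client not installed")
        severe = True
    elif posture.av_signature_age_days > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures {posture.av_signature_age_days} days old")

    if posture.missing_critical_patches >= policy.quarantine_patch_threshold:
        reasons.append(f"{posture.missing_critical_patches} critical patches missing")
        severe = True
    elif posture.missing_critical_patches > 0:
        reasons.append(f"{posture.missing_critical_patches} critical patch(es) missing")

    if severe:
        # Quarantine VLAN: remediation servers only (the access device enforces
        # the VLAN assignment; that part is outside this example).
        return AdmissionResult(Decision.QUARANTINE, policy.quarantine_vlan, reasons)
    if reasons:
        return AdmissionResult(Decision.RESTRICT, policy.production_vlan, reasons)
    return AdmissionResult(Decision.PERMIT, policy.production_vlan, reasons)


def admit(endpoints: Dict[str, Posture], policy: Policy = Policy()) -> Dict[str, AdmissionResult]:
    """Access-device side: relay each endpoint's credentials and collect the
    decision per endpoint name."""
    return {name: evaluate_posture(p, policy) for name, p in endpoints.items()}


# Constructed sample endpoints, not real hosts.
SAMPLE_ENDPOINTS = {
    "desktop-01": Posture(True, True, 1, 0),    # fully compliant
    "laptop-07":  Posture(True, True, 12, 1),   # stale AV, one patch missing
    "server-03":  Posture(True, False, 0, 4),   # no AV, badly unpatched
    "printer-02": Posture(False, False, 0, 0),  # no agent at all
}

if __name__ == "__main__":
    for name, result in admit(SAMPLE_ENDPOINTS).items():
        print(f"{name:12} {result.decision.value:10} vlan={result.vlan} "
              f"{'; '.join(result.reasons)}")
```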



Security Management Solutions
This topic describes the use of the Cisco IP Solution Center and the CiscoWorks VPN/Security
Management solution (VMS) to provide network security through management.

[Figure: Security Management Solution—Security Management Center (slide SND V1.0—1-34). Diagram: a corporate network with an enterprise Internet gateway, DMZ servers, a PIX Security Appliance and a VPN Router MC/IOS VPN router, connected over the public Internet to a branch office (IOS site-to-site VPN), a branch office with DMZ (remote PIX), a telecommuter (remote access) and a home office (remote PIX). Functions: firewall management, network IDS management, HIPS management, VPN router management, security monitoring, performance monitoring, operational management.]

CiscoWorks VMS contributes to organizational productivity by combining Web-based tools for
configuring, monitoring, and troubleshooting VPNs, firewalls, network intrusion detection
systems and host-based intrusion prevention systems. Integrated with other CiscoWorks
products, CiscoWorks VMS also includes network device inventory, change audit, and
software distribution features.

CiscoWorks VMS 2.2 provides the security management for your overall security needs. It
includes the following applications, organized by functional area:

• Firewall management: This application enables the large-scale deployment of Cisco firewalls. Smart Rules is an innovative feature that allows a security policy to be consistently applied to all firewalls. Smart Rules allows a user to define common rules once, reducing configuration time and resulting in fewer administrative errors.

• Network-based IDS (NIDS) management: This application offers efficient deployment of hundreds of sensors using group profiles. Additionally, powerful signature management helps to increase the accuracy and specificity of detection.

• HIPS management: This application is scalable to thousands of endpoints per manager to support large enterprise deployments. The open and extensible architecture offers the capability to define and enforce security according to corporate policy. It offers "zero update" prevention for known and unknown attacks.

• VPN router management: This application provides functions for the setup and maintenance of large deployments of VPN connections and Cisco IOS Firewalls on Cisco routers and Cisco Catalyst 6000 IPSec VPN Service Modules.

• Security monitoring: This application provides integrated monitoring to give administrators a comprehensive view of security across the network, with event correlation to detect threats not apparent from individual events.

• Performance monitoring: This application provides functions for monitoring and troubleshooting services that contribute to enterprise network security.

• VPN monitoring: This application allows network administrators to collect, store, and view information on VPN connections for remote-access or site-to-site VPN terminations.

• Operational management: This application allows network managers to build a complete network inventory, report on hardware and software changes, and manage software updates to multiple devices.



Security Management Center Value Proposition

[Figure: Security Management Center Value Proposition (slide SND V1.0—1-35). Bullets: complete coverage of network security components; manages both appliance and network based security solutions; full life cycle coverage: design, configure, monitor and troubleshoot; multi-faceted scalability: smart rules hierarchy, AUS, workflow; common operational management across infrastructure; network and routing aware security management. Diagram: CiscoWorks VPN/Security Management Solution and ACS Management spanning VPN (Cisco VPN Concentrators, Cisco PIX Security Appliances, Cisco IOS VPN), firewalls (Cisco PIX Security Appliances, Cisco IOS Firewall), intrusion detection (Cisco IDS Sensors, Cisco IOS IDS), scanning, and Cisco Access Control Server.]

The figure summarizes the value proposition of VMS. Only VMS manages all components. No
competitor can make that claim.

Summary
This topic summarizes the key points discussed in this lesson.

Summary
• The Cisco security portfolio encompasses the following:
– Perimeter security—firewalls
– Secure connectivity—VPNs
– Intrusion detection and prevention
– Identity—ACS
– Security management—CiscoWorks VMS
• Perimeter security products are:
– Cisco PIX 500 Security Appliance products
– FWSM
– VAC
– Cisco IOS Firewall
• VPN solutions include intranet VPN, extranet VPN, and remote access VPN.
• The Cisco VPN 3000 Concentrator Series supports a wide range of customers and includes the Cisco VPN Client.

Summary (Cont.)
• Cisco VPN optimized routers provide scalability, network resiliency, bandwidth optimization, QoS and deployment flexibility.
• Cisco VPN products meet the needs of a wide variety of clients.
• Cisco IPS solutions include network, switch, router, and firewall sensors as well as comprehensive management.
• The four products in the Cisco IDS/IPS 4200 Sensor Series provide solutions for a wide range of client needs.
• CSA consists of CSA MC, CSA software, and an administration workstation.
• ACS provides network security through identification and authentication.
• Cisco NAC leverages the network to intelligently enforce access privileges based on endpoint security posture.
• CiscoWorks VMS provides network security through management.



Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which three of the following products are suitable for branch office and extranet
environments? (Choose three.) (Source: Perimeter Security)
A) Cisco 800 Series router
B) Cisco 2800 Series ISR
C) Cisco 2600 Series router
D) Cisco 3600 Series router
E) Cisco 3800 Series ISR
F) Cisco Catalyst 6500 switch with FWSM
Q2) Per-application-based access control and CBAC are synonymous. (Source: Perimeter
Security)
A) True
B) False
Q3) The VPN Accelerator Card (VAC) allows a Cisco Catalyst 6500 Switch chassis to act
as a VPN router. (Source: Perimeter Security)
A) True
B) False
Q4) The PIX 515E Security Appliance supports Gigabit Ethernet. (Source: Perimeter
Security)
A) True
B) False
Q5) A Cisco 7600 Series router can use the FWSM. (Source: Perimeter Security)
A) True
B) False
Q6) By definition, a perimeter can be established anywhere within a private network.
(Source: Perimeter Security)
A) True
B) False
Q7) The Cisco VPN Client is packaged with unlimited licensing in every Cisco VPN 3000
Series Concentrator. (Source: Secure Connectivity)
A) True
B) False
Q8) Only Cisco 3030 VPN Concentrators and above have redundancy options. (Source:
Secure Connectivity)
A) True
B) False

Q9) Dual power supplies are optional on all Cisco 3000 VPN Series Concentrators.
(Source: Secure Connectivity)
A) True
B) False
Q10) An organization needing T3/E3 connectivity can effectively use a Cisco 3030 VPN
Concentrator. (Source: Secure Connectivity)
A) True
B) False
Q11) The Cisco VPN Client can be deployed on any Cisco IOS router or PIX Security
Appliance. (Source: Secure Connectivity)
A) True
B) False
Q12) Elliptic Curve Cryptography (ECC) allows Cisco VPN 3000 Series Concentrators to
securely terminate tunnels from IP-enabled wireless devices. (Source: Secure
Connectivity)
A) True
B) False
Q13) The VAM is designed to do IPSec processing. (Source: Secure Connectivity)
A) True
B) False
Q14) IPS responds after an attack. (Source: Intrusion Prevention System Solutions)
A) True
B) False
Q15) IPS capabilities are embedded in Cisco IOS software. (Source: Intrusion Prevention
System Solutions)
A) True
B) False
Q16) CSA is part of a Cisco HIPS solution. (Source: Intrusion Prevention System Solutions)
A) True
B) False



Lesson Self-Check Answer Key
Q1) B, C, D

Q2) A

Q3) B: The VAC is used to enhance the VPN performance of the PIX 515, 520, 525, or 535 Security
Appliances.

Q4) B: Only the PIX 525 and 535 Security Appliances support Gigabit Ethernet.

Q5) A

Q6) A

Q7) A

Q8) B

Q9) B: Dual power supplies are optional on the 3015, 3030 and 3060 models. They are standard on the 3080
model.

Q10) B: T3/E3 connectivity requires a Cisco 3030 VPN Concentrator or higher.

Q11) B: The client is deployed on Windows, Linux, Mac and Solaris platforms. It can be implemented across all
VPN concentrators, Cisco IOS routers and PIX security appliances.

Q12) A

Q13) A

Q14) B: IPS stops attacks before they enter the network.

Q15) B: Cisco IOS software has only limited IDS capabilities.

Q16) A

Lesson 4

Building Cisco Self-Defending Networks
Overview
In the past, threats from both internal and external sources were relatively slow-moving and
easy to defend against. Now Internet worms spread across the world in a matter of minutes.
Security systems—and the network itself—must react instantaneously. Obviously, as the nature
of threats to organizations continues to evolve, the defense posture taken by network
administrators and managers must also evolve.
The Cisco Self-Defending Network strategy describes the Cisco vision for security systems.
The Self-Defending Network strategy helps customers more effectively manage and mitigate
risks posed to their networked business systems and applications.
This lesson describes the Cisco Self-Defending Network strategy.
Objectives
On completing this lesson, you will be able to describe how the Cisco Self-Defending Network
strategy can be built by enhancing existing network infrastructure with Cisco technologies,
products and solutions. This ability includes being able to meet these objectives:
• Describe how changing threats and challenges demand a new approach to network security
• Describe how a customer can build a Self-Defending Network in three evolving phases
• Describe the components of the adaptive threat defense phase of the Cisco Self-Defending Network strategy
• Describe the firewall, application inspection and VPN enhancements of the PIX Security Appliance Software version 7.0
• Describe the features of the Cisco Anomaly Guard Service Module and Traffic Anomaly Detector module for the Cisco Catalyst 6500 Series switch and Cisco 7600 Series router chassis
• Describe how Cisco Secure MARS and Cisco Security Auditor provide management and threat response
• Describe how to secure network infrastructure with Cisco IOS software security features
• Describe the features of Cisco Secure Desktop and Cisco Clean Access
• Describe the positioning of the Cisco integrated security portfolio

Changing Threats and Challenges
This topic describes how changing threats and challenges demand a new approach to network
security.

Threat Evolution

[Figure: Threat Evolution (slide SND v1.0—1-3). Axes: target and scope of damage (individual computer, individual networks, multiple networks, regional networks, global infrastructure impact) against time (1980s, 1990s, today, future); the time from knowledge of a vulnerability to release of an exploit is shrinking from weeks to days, minutes and seconds. 1st generation: boot viruses. 2nd generation: macro viruses, email, DoS, limited hacking. 3rd generation: network DoS, blended threats (worm + virus + trojan), turbo worms, widespread system hacking. Next generation: infrastructure hacking, flash threats, massive worm-driven DDoS, damaging-payload viruses and worms. The WAN infrastructure must be an intelligent point of defense.]

The figure shows how the threats that organizations have faced have evolved over the past few
decades. As can be seen, the growth rate of vulnerabilities reported in operating systems and
applications is rising. The number and variety of viruses and worms that have appeared over
the past three years is daunting. Their rate of propagation is frightening. There have been
unacceptable levels of business outages and expensive remediation projects that consume staff,
time, and funds not originally budgeted for such tasks.
It can also be seen that “blended threats” are evolving. A blended threat uses multiple means of
propagation. They often have the characteristics of a virus in that they can attach themselves
parasitically to files to be delivered by email. They self-replicate across a network with worm-
like ability, and frequently search for, and exploit a system or application vulnerability, or
multiple vulnerabilities, to gain access to a host and deliver its payload. There is a view that
blended threats may be evolving into “flash” threats that may not only exploit new, unknown
vulnerabilities, but have the ability to propagate across the Internet in seconds, seriously
impacting the Internet on a global scale.
Also notice that trends are becoming regional and global in nature. Where attacks once
impacted single systems or one organization network, more recent attacks are impacting entire
regions. For example, attacks have expanded from individual denial of service (DoS) attacks
from a single attacker against a single target to large-scale distributed denial of service (DDoS)
attacks emanating from networks of compromised systems known as “botnets”.
Threats are becoming persistent. Once started, attacks may appear in waves as infected systems
join the network. Because networks are so complex and have so many end users (employees, vendors,
contractors), multiple types of endpoints (company desktop, home, server) and multiple types
of access (wired, wireless, virtual private network [VPN], dial), infections will be hard to
eradicate.



Port 80 Applications Blur the Network Perimeter

[Figure: Port 80 Applications Blur the Network Perimeter (slide SND v1.0—1-4). Networks face new vulnerabilities through port 80: Internet access 98%, rich media 43%, IM traffic 43%, web-enabled apps 55%, web services 43%; 64 percent of enterprises have opened port 80 on their firewalls for their growing web application traffic requirements (source: Aug 2002 InfoWorld/Network Computing survey of IT professionals). Bullets: perimeter security is no longer enough; port 80 opens once-closed networks to partners through business-to-business extranets, retail outlet connections, and home-based employees; what was once controlled (trusted) is now uncontrolled (untrusted); non-compliant devices are a conduit for attack; multihomed devices (wireless and mobile) have blurred the perimeter.]

The figure presents an example of the dilemma that network-dependent enterprises face in
today’s business environments. Networks can no longer be secured by simply securing the
network perimeter. Businesses have consolidated their data centers, converged internal
networks, and embraced the Internet. Environments that were once self-contained and
controlled are now open to partners through business-to-business extranets, retail outlet
connections, and home-based employees. The point is that by extending the corporate network,
the trust boundary has extended across untrusted intermediate networks and into uncontrolled
environments.
The growing list of devices that access networks poses more problems. Many devices are
frequently not in compliance with corporate policies. Devices that are compliant frequently are
used to access other uncontrolled networks prior to connecting into the corporate network. As a
result, devices on these external networks can become conduits for attacks and related misuse.
• Common application interfaces: The emergence of common application interfaces based on messaging protocols such as Extensible Markup Language (XML) and Simple Object Access Protocol (SOAP) has been a boon to e-commerce and corporate productivity. However, as with most new technologies, these new message protocols have introduced an entirely new set of vulnerabilities and attack vectors with which corporations must contend. Data that was once spread across multiple network protocols and could be fairly easily filtered through firewall policies is now combined within a few, if not a single, transport protocol (such as HTTP on TCP port 80). As a result, much of the data that used to reside in packet headers now resides in the packet payload. This creates significant processing challenges that make it easier for an attacker to evade classic network defenses.

• Security can hamper policy: Further, in order to meet corporate data confidentiality and integrity requirements, more and more of this application-level traffic is now being encrypted through the Secure Socket Layer/Transport Layer Security (SSL/TLS) and HTTP Secure (HTTPS) protocols. A side effect of this trend is that it makes it much harder for IT departments to enforce corporate access policies at the network edge because they cannot inspect the packet payloads of those encrypted flows. Although many organizations mistakenly assume that if they comply with regulations, their infrastructure is more secure, this is frequently not the case. Following the law of unintended consequences, the very act of creating compliance may introduce new vulnerabilities. For example, worms and viruses may spread more effectively in a network supporting end-to-end VPNs, given that the intermediate nodes have no visibility into the traversing traffic. Such traffic may carry worms to sensitive corporate servers in a secure, encrypted packet. In addition to taking longer to diagnose such an attack, these end-to-end VPNs can make it more difficult to remediate the problem.

• Blurred perimeters: Tied to the notion of a secure perimeter, the wireless and mobile network within enterprises now supports laptop PCs, personal digital assistants (PDA), and mobile phones that have more than one network connection. These multihomed hosts are capable of establishing ad-hoc wireless networks to enable peer-to-peer communication. In addition, packets can effectively be forwarded across devices at the application level. As a result, where a network boundary begins and ends becomes much more ambiguous. Corporations need to be able to extend a control point onto these mobile devices in order to manage secure systems and maintain network availability.



The SQL Slammer Worm: 30 Minutes After “Release”

[Figure: The SQL Slammer Worm: 30 Minutes After “Release” (slide SND v1.0—1-5). Saturation point was reached within two hours of start of infection; infections doubled every 8.5 seconds; spread 100 times faster than Code Red; at peak, scanned 55 million hosts per second; 250,000 to 300,000 hosts were infected; Internet connectivity affected worldwide.]

As a means of illustrating the seriousness of network vulnerabilities, consider the effects of the
SQL Slammer worm first seen on January 25, 2003. This information is from the Cooperative
Association for Internet Data Analysis and the University of California at San Diego.
SQL Slammer compromised 90 percent of vulnerable systems within the first ten minutes, and
doubled in size every 8.5 seconds. Within the first three minutes, it achieved its maximum
scanning rate of over 55 million scans per second.

Network Effects of the SQL Slammer Worm

[Figure: Network Effects of the SQL Slammer Worm (slide SND v1.0—1-6), a screen shot of peering-point traffic. Bullets: service providers noted significant bandwidth consumption at peering points; average packet loss at the height of infections was 20 percent; South Korea lost almost all Internet service; ATMs around the world were shut down; airline ticketing systems were overwhelmed.]

This screen shot was taken during the height of the infection. It shows UUNet being hit very
hard by the worm. It also shows how InterNAP had difficulties peering with Qwest, Genuity,
and AT&T.
South Korea sustained the most damage with almost total loss of Internet service. Over 70
percent of South Korean households have Internet service.



Building a Self-Defending Network
This topic describes how a customer can build a Self-Defending Network in three evolving
phases.

The Cisco Self-Defending Network Strategy

[Figure: The Cisco Self-Defending Network Strategy (slide SND v1.0—1-7). A Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats. There are three pillars: Secure Connectivity (VPN solutions including VPN concentrators, VPN-enabled routers and firewall VPNs); Threat Defense (appliance and Cisco IOS-based firewalls, Cisco Intrusion Detection and Prevention Systems); Trust and Identity (Network Admission Control, Cisco ACS and 802.1x technology).]

The Self-Defending Network strategy consists of three systems, or pillars, each with a specific
purpose. By using Cisco integrated security solutions, customers can leverage their existing
infrastructure to address potential threats to their network and protect their business. While
security risks are inherent in any network, customers can reduce their exposure and minimize
these risks by deploying four categories of overlapping and complementary security solutions:
• Secure connectivity: Provides secure and scalable network connectivity, incorporating multiple types of traffic. The examples shown in the figure were covered in previous lessons.
• Threat defense: Prevents and responds to network attacks and threats using network services.
• Trust and identity: Allows the network to intelligently protect endpoints using technologies such as Network Admission Control (NAC), identity services and 802.1x.

The Self-Defending Network is based on a foundation of security integrated throughout the
network, with constant innovations in products and technologies and crafted into system level
solutions. Such solutions incorporate all aspects of the network as well as the sophisticated
services needed to make it work. In addition, Cisco is working with major industry partners to
ensure the completeness of the strategy.

Evolving a Self-Defending Network

[Figure: Evolving a Self-Defending Network (slide SND v1.0—1-8). Phase I, Integrated Security: making every network element a point of defense (routers, switches, appliances, endpoints); secure connectivity (V3PN, DMVPN), threat defense, trust and identity; Network Foundation Protection. Phase II, Collaborative Security Systems: security becomes a network-wide system (endpoints + network + policies); multiple services and devices working in coordination to thwart attacks with active management; NAC, IBNS, SWAN. Phase III, Adaptive Threat Defense: mutual awareness among and between security services and network intelligence; increases security effectiveness, enables proactive response; consolidates services, improves operations efficiency; application recognition and inspection for secure application delivery/optimization.]

Most customers will not adopt all of the components of the Cisco Self-Defending Network at
one time, as it may be difficult to overhaul all of the required subsystems at once without
disrupting the integrity of the IT services. Some customers may hesitate to turn over security
controls to an automated system until they are confident that the system will operate
dependably.
The Cisco Self-Defending Network initiative deals with these concerns by first providing
products that can be usefully deployed independently of one another. Then it offers solutions
that link these products together to build effective subsystems. This approach to evolving a
Self-Defending Network is based on a combination of product development, product
acquisitions, systems development, and partnering.
The figure illustrates the evolution of the Self-Defending Network Strategy to date. Note that
while point products serve as good incubators for deploying cutting edge security technologies,
they are not by themselves integrated throughout the network fabric. Building network security
based solely on single-purpose appliances is no longer practical.
The Self-Defending Network is developed in three phases:

• Phase 1—Integrated security: The first phase of the Cisco Self-Defending Network security strategy focuses on the need for integrated security, blending IP and security technologies. This phase aims to distribute security technologies throughout every segment of the network to enable every network element as a point of defense.

• Phase 2—Collaborative security systems: The next phase introduced the Network Admission Control (NAC) industry initiative. This initiative is the first industry-wide effort that increases the network ability to identify, prevent, and adapt to security threats. This phase aims to enable the security technologies integrated throughout the network to operate as a coordinated system. Network-wide collaboration among the services and devices throughout the network is used to defeat attacks.

• Phase 3—Adaptive threat defense: This phase aims at deploying innovative threat defense technologies throughout the “integrated security” fabric of the network. The goal is to enable more proactive response to threats with greater operational efficiency by consolidating multiple security services on devices and building a mutual awareness among those services. Mutual awareness combines multiple security technologies on a device in a complementary fashion to deliver stronger security services. As a simple example, consider that a firewall provides good Layer 3 and Layer 4 access control and inspection, broad enforcement actions, and strong resiliency. Intrusion Prevention Systems (IPS) provide strong application intelligence. Combining and integrating these capabilities provides an application intelligent device with broad mitigation capabilities and hardened resiliency.

Evolving a Self-Defending Network

[Figure: Evolving a Self-Defending Network, product and technology building blocks (slide SND v1.0—1-9). Phase I, Integrated Security: firewalls, intrusion prevention and secure connectivity. Phase II, Collaborative Security Systems: NAC, NFP, VoIP, wireless, and service virtualization. Phase III, Adaptive Threat Defense: application inspection and control; real-time worm, virus, spyware prevention; P2P and instant messaging control.]

This figure shows the product and technology building blocks of the Self-Defending Network
aligned with each of the development phases. Many of these were described in a previous
lesson. This lesson describes the most recent and evolving products, technologies and solutions.



Adaptive Threat Defense
Adaptive threat defense is the ultimate goal of the Self-Defending Network. This topic
describes the components of the adaptive threat defense phase of the Cisco Self-Defending
Network strategy.

Adaptive Threat Defense Products, Services and Architecture Example (figure)

Building blocks and the services they provide:
• Firewall Services (access control, packet inspection) provide Application Security
(application inspection, use enforcement, web control)
• IPS and AV Services (application intelligence, content inspection, virus mitigation) provide
Anti-X Defenses (malware and content defense, anomaly detection)
• Network Intelligence (identity, virtualization, QoS, segmentation, traffic visibility) provides
Containment and Control (traffic and admission control, proactive response)

Example topology elements: Cisco router firewall/VPN, Cisco PIX, Catalyst switches, Cisco IPS,
Cisco DDoS, CSA, NAC, identity-based networking, quarantine VLAN.


The third phase of the Self-Defending Network strategy, called adaptive threat defense (ATD),
helps to further minimize network security risks by dynamically addressing threats at multiple
layers, which enables tighter control of network traffic, endpoints, users, and applications. ATD
also simplifies architectural designs and lowers operational costs. This innovative approach
combines security features, multilayer intelligence, application protection, network-wide
control and threat containment within high-performance solutions. ATD is a critical
advancement in the Cisco Self-Defending Network security strategy that helps customers
fortify their business systems.
The figure shows the technology components of ATD in terms of the building blocks that
converge to provide new services with new applications. Building blocks are:
• Firewall services to provide the basis of access control and traffic inspection.
• IPS and network antivirus services to provide application intelligence with the ability to
look at packet payloads.
• Network intelligence to include all network services applicable to security, including
network segmentation through VLANs, identity for user knowledge, QoS for controlling
use of bandwidth, routing for topological awareness, switch root and NetFlow for global
traffic visibility. Virtualized fabric is virtualization of services so that they can be cost-
effectively deployed.

When these building blocks are put together, a new class of services can be integrated
throughout the network fabric. These new services include the following:

• Application security: Granular application inspection in firewalls, IDS and IPS
appliances. The ability to enforce appropriate application use policies such as “don’t allow
users to use instant messaging (IM).” Control of web traffic, including applications that
abuse port 80 (IM, peer-to-peer), as well as control of web services, such as XML
applications.
• Anti-X defenses: Broad attack mitigation capabilities such as malware protection, anti-
virus, message security (antispam, antiphishing), anti-DDoS, antiworm, etc. While these
technologies are interesting in and of themselves, Anti-X defenses are not just about
breadth of mitigation, but about distributing those mitigation points throughout key security
enforcement points in the network to stop attacks as far from their intended destination and
the core of the network as possible. Stopping an attack before it reaches the network core or
host greatly diminishes the damage it can cause and its chances of spreading further.
• Network containment and control: Network intelligence and the virtualization of security
technologies provide the ability to layer sophisticated auditing, control, and correlation
capabilities to control and protect any networked element. This enables proactive response to
threats by aggregating and correlating security information, as well as protecting network
services such as VoIP and the device infrastructure (such as from installation of rogue
devices).



Adaptive Threat Defense Product Announcements (table)

Product | Application Security | Anti-X | Containment and Control
PIX 7.0 software | Application inspection and control for firewalls, and VoIP security | (none) | Virtual firewall, QoS, transparent firewall, IPv6 support
IPS 5.0 | Multivector threat identification | Malware, virus, worm mitigation | Accurate prevention technologies for inline IPS
VPN 3000 Concentrator 4.7 | SSL VPN Tunnel Client, and fully clientless Citrix | Cisco Secure Desktop | Cisco NAC
Cisco IOS Software Release 12.3(14)T | Application inspection and control for Cisco IOS firewalls | Enhanced in-line IPS | Network foundation protection, virtual firewall, IPSec virtual interface
Cisco Security Agent 4.5 | (none) | Spyware mitigation, and system inventory auditing | Context-based policies
Catalyst Modules | (none) | DDoS Guard, and Traffic Anomaly Detector | (none)
Cisco Secure MARS | (none) | (none) | Event correlation for proactive response
Cisco Security Auditor | (none) | (none) | Network-wide security policy auditing

The table in the figure shows a number of recent product announcements in support of ATD.
This list is not all-inclusive. New products and technologies are being announced almost on a
weekly basis.
You will have seen many of these products in previous lessons. This should reinforce the
ability to build the Self-Defending Network on existing products and technologies.
In the next topics, the newest products and technologies from Cisco will be presented.

Cisco PIX Security Appliance Software v7.0
This topic describes the firewall, application inspection and VPN enhancements of the PIX
Security Appliance Software version 7.0.

PIX Software Version 7.0—New Features (figure)

• Web Security
– Advanced HTTP firewall services
– Controls actions that users can perform when accessing websites
(Figure: approved access on port 80 for web browsing; peer-to-peer, instant messaging, HTTP
DELETE and JPEG/EXE content marked as blocked)
• Voice Security
– Enhances security for next-generation converged networks


PIX Security Appliance Software version 7.0 brings a number of new features that provide
more control over applications. These new features are as follows:
• Web security:
— Advanced HTTP firewall services prevent web-based attacks and port 80 misuse
— Controls peer-to-peer (KaZaA) to protect network capacity
— Polices instant messaging to control usage, compliance and covert transmissions of
sensitive information.
These services give businesses control over what actions users can perform when accessing
websites:
— Limits web server access to approved methods and commands to prevent
unauthorized changes
— Filters Multipurpose Internet Mail Extension (MIME) type and validates content to
minimize risk of malware infection
— Checks RFC protocol compliance for protocol anomaly detection
• Voice security:
— PIX Security Appliance Software version 7.0 enhances security for next-generation
converged networks.
— Extends leading VoIP security with improved H.323, Session Initiation Protocol
(SIP), Media Gateway Control Protocol (MGCP), Real Time Streaming Protocol
(RTSP), and fragmentation/segmentation support.



— Secures global system for mobile communication (GSM) wireless networks with
new GPRS tunneling protocol (GTP) and general packet radio service (GPRS)
inspection engine.
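As an added example (not code from the course or from Cisco's documentation), the following PIX 7.0 configuration shows how the web-security controls listed above map onto the HTTP inspection map and Modular Policy Framework that version 7.0 introduced. The map, class and policy names, the length thresholds and the interface name are assumptions; the inspection enforces RFC method compliance, drops DELETE and extension methods, drops IM, P2P and tunneling misuse of port 80, and verifies that content matches the declared MIME type.

```cisco
! Added example, not from the course: PIX 7.0 advanced HTTP inspection.
! Names, thresholds and the interface are assumptions for illustration.
!
! HTTP map: each rule names the condition and the action taken on a match.
http-map WEB-STRICT
 ! Reset connections that are not syntactically valid HTTP (protocol anomaly detection)
 strict-http action reset log
 ! Allow RFC 2616 methods by default, but block the ones that change server state
 request-method rfc default action allow
 request-method rfc delete action drop log
 request-method rfc put action drop log
 ! Block all non-RFC extension methods (WebDAV and similar)
 request-method ext default action drop log
 ! Port 80 misuse: ordinary browsing allowed, IM/P2P/tunneling applications dropped
 port-misuse default action allow
 port-misuse im action drop log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
 ! Verify that the body matches the declared MIME type in both request and response
 ! (e.g. an .exe served as image/jpeg is reset)
 content-type-verification match-req-rsp action reset log
 ! Length limits against oversized URIs and headers (assumed values)
 max-uri-length 1024 action reset log
 max-header-length request 2048 action reset log
!
! Modular Policy Framework: classify web traffic, then apply the map to it.
class-map WEB-TRAFFIC
 match port tcp eq www
!
policy-map WEB-POLICY
 class WEB-TRAFFIC
  inspect http WEB-STRICT
!
! Apply on the interface facing the users whose browsing is being controlled.
service-policy WEB-POLICY interface inside
```

The `log` keyword on each rule produces syslog messages, which is what lets an operator see which users or hosts are being blocked and tune the map before tightening it further.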

PIX Software Version 7.0—New Features (Cont.) (figure)

• Advanced application and protocol security
– Robust protocol conformance, state tracking, and security checks for over 30 protocols
• Flexible policy control
– Policy framework for granular control over user to user and user to application network
communications
(Figure: Identify Flow, then Apply Services)


Additional new features are as follows:
• Advanced application and protocol security: Advanced application and protocol security
delivers robust protocol conformance, state tracking, and security checks for over 30
protocols including:
— Internet core protocols
— Database and operating system (OS) services
— Communication programs
— Security services
• Flexible policy control: Introduces a powerful policy framework for granular control over
user to user and user to application network communications including:
— Simplifying mapping of corporate security policy to actual firewall policy and its
operation
— Defining flow-based and class-based policies
— Providing granular control over policies



PIX Software Version 7.0—New Features (Cont.) (figure)

• Scalable security services
– Security contexts (virtual firewalls)
(Figure: one PIX serving Dept/Cust 1, Dept/Cust 2 and Dept/Cust 3 as separate contexts)
• Easy to deploy firewall services
– Transparent firewall capabilities
(Figure: a transparent firewall inserted into an existing network)


Additional new features are as follows:
• Scalable security services: Scalable security services add support for security contexts
(virtual firewalls) to lower operational costs. This allows for device consolidation and
segmentation, and supports separated policies and administration.
• Easy to deploy firewall services: This feature introduces transparent firewall capabilities
for rapid deployment of security. Transparent firewalls can be dropped into existing
networks without needing to readdress the network, which simplifies internal firewall
deployment and security zoning.

PIX Software Version 7.0—New Features (Cont.) (figure)

• Improved network and device resiliency
– Active-active failover for enhanced resiliency and asymmetric routing support
– Delivers new zero-downtime software upgrade capability
(Figure: two PIX units, both Active)
• Intelligent network integration
– QoS traffic prioritization
– Adds IPv6 support for hybrid IPv4 and IPv6 network environments
– Delivers PIM sparse mode multicast support
(Figure: Quality of Service queuing of voice (V) and data (D) traffic)


Additional new features are as follows:
• Improved network and device resiliency: This feature introduces active-active failover
for enhanced resiliency and asymmetric routing support. It delivers new zero-downtime
software upgrade capability for improved uptime.
• Intelligent network integration: Intelligent network integration provides quality of
service (QoS) traffic prioritization for improved handling of latency-sensitive traffic. It
adds IPv6 support for hybrid IPv4/IPv6 network environments, and it delivers PIM sparse
mode multicast support for improved support for streaming data delivery services, video
conferencing, and other mission-critical real-time enterprise applications.



Cisco DDoS Modules
This topic describes the features of the Cisco Anomaly Guard Service Module and the Cisco
Traffic Anomaly Detector module for the Cisco Catalyst 6500 Series switch and Cisco 7600
Series router chassis.

Anti-X: Cisco DDoS Solutions (figure)

Appliances and new service modules:
• Detects and mitigates the broadest range of DDoS attacks
• Integrated mitigation driven by behavioral anomaly recognition
• Granularity and accuracy to ensure business continuity by forwarding legitimate
transactions
• Performance and architecture suitable for the largest enterprises and service provider
managed services
Products pictured: Cisco Guard, Cisco Traffic Anomaly Detector, Cisco Anomaly Guard
Module, Cisco Traffic Anomaly Detector Module


The DDoS appliance solution acquired from Riverhead Networks is now available as integrated
service modules for the Catalyst 6500 Series switch and 7600 Series router. This solution
detects and automatically defends against crippling distributed denial of service (DDoS) attacks
of all types.
Because DDoS attacks mimic valid transactions and may contain no embedded exploits, this
solution is based on behavioral anomaly recognition. Precision analysis enables blocking only
the attack packets while forwarding legitimate transactions, which is key to ensuring online
business continuity. High performance and incremental clustering are designed to counter the
strongest attacks in the largest environments.
These modules can be deployed directly by large enterprises and are offered as managed
DDoS services by AT&T, Sprint, Cable and Wireless (C&W) and many other service
providers.

Integrated DDoS Protection: Solution Overview (figure)

Anomaly Guard Module
• Attack analysis and mitigation
• Diverts traffic for on-demand scrubbing
• Dynamic filtering and antispoofing defenses
Traffic Anomaly Detector Module
• Passive monitoring to detect and activate Guard for mitigation
Service module benefits
• Deployment flexibility
• Infrastructure and services integration
• Scalability and reliability under attack
• Lower total cost of operation
(Figure: a Catalyst 6500/7600 chassis with Supervisor Engine 2 or 720, line card modules,
Firewall Services Module, Anomaly Guard Module and Traffic Anomaly Detector Module sits
between the ISP and the internal network; the Detector alerts the Guard, which triggers dynamic
route diversion of traffic destined for the protected zone)

The Guard provides mitigation driven by an embedded anomaly recognition engine. It is not a
simple static filter and policy device, but can actually “learn” about network traffic and take
appropriate actions on the basis of what it has learned.
• The Guard uses a traffic diversion technique that scrubs DDoS traffic while letting
legitimate traffic continue. The Guard has multiple layers of defense including dynamic
filters and active anti-spoofing, all driven by the anomaly engine to defend against all
types, combinations and morphing of DDoS attacks.
• The Traffic Anomaly Detector monitors traffic and can alert the operator or activate the
Guard for its on-demand scrubbing.
In the topology in the figure the following can be seen:
• The Detector module recognizes that a single zone, or set of servers, has come under attack.
• The Guard module is automatically alerted and begins diversion using routing updates.
• Both good and bad traffic is diverted for scrubbing. The traffic is not blackholed, and the
router is not used to differentiate good from bad traffic.
• Traffic diversion is intra-chassis using BGP or other routing protocols.
• Only traffic to the attacked zone is diverted through the Guard module for scrubbing.
• Legitimate traffic is forwarded using different mechanisms including VPN
routing/forwarding (VRF) or tunneling.



Cisco Secure MARS and Security Auditor
This topic describes how Cisco Secure Monitoring, Analysis and Response System (CS-
MARS) and Cisco Security Auditor provide management and threat response.

Security Challenge: Business Problem (figure)

The business dilemma shown in the figure: never enough security staff; costly, inefficient attack
identification and response; network and security event noise (alarms, disconnected events,
false positives, network anomalies); un-prioritized blended attacks, day-zero attacks, worms and
network issues; and compliance and audit mandates (Sarbox, HIPAA, GLBA, FISMA, Basel II,
due care and process). The goals are to mitigate attacks and, “after patching, putting out fires,
investigation and remediation… produce the audit report.”

The Cisco Secure MARS is an appliance-based, all-inclusive solution that provides unmatched
insight and control of your existing security deployment. A key component of the Cisco
security management lifecycle, Cisco Secure MARS empowers your security and network
organizations to identify, manage, and counter security threats. It leverages your existing
network and security investments to identify, isolate and recommend precision removal of
offending elements. It also helps maintain internal policy compliance and can be an integral
part of the overall regulatory compliance solution kit.
The problems faced by security and network administrators are as follows:
• Security and network information overload
• Poor attack and fault identification, prioritization, and response
• Increased attack sophistication, velocity, and remediation costs
• Meeting compliance and audit requirements
• Moderate security staff and budgets

Abbreviations and acronyms used in the figure refer to the following regulatory requirements:
• Sarbox: Sarbanes-Oxley
• FISMA: Federal Information Security Management Act
• GLBA: Gramm-Leach-Bliley Act
• Basel II: Basel II Capital Accord

Cisco Secure MARS
• Leverages existing investment to build
“pervasive security”
• Correlates data from across the network:
– Firewalls, routers, switches, NIDS, CSA
– Syslog, SNMP, RDEP, SDEE, NetFlow,
endpoint event logs
• Rapidly locates and mitigates attacks

Key Features:
• Determines security incidents based on
device messages, events, and sessions
• Incidents are topologically aware for
visualization and replay
• Mitigation on L2 ports and L3 chokepoints
• Efficiently scales for real-time use across the
enterprise

Cisco Secure MARS addresses customer needs by providing the following:
• Integrating network intelligence to modernize correlation of network anomalies and
security events
• Visualizing validated incidents and automating investigation
• Mitigating attacks by fully leveraging network and security infrastructure
• Monitoring systems, network, and security operations to aid in compliance
• Delivering a scalable appliance that is easy to deploy and use with the lowest TCO

CS-MARS appliances help companies to readily and accurately identify and eliminate network
attacks while maintaining network compliance. CS-MARS has the following advantages:
• CS-MARS accurately identifies, correlates, visualizes, prioritizes, investigates and reports
incidents and mitigates attacks in progress.
• These appliances target government entities, small-to-medium businesses and enterprises,
offering turn-key installation and an easy-to-use interface covering a wide spectrum of
security devices.
• CS-MARS collects events from firewalls, VPN concentrators, host and network intrusion
detection systems and system logs and correlates them with vulnerability assessment and
NetFlow data to detect anomalies.
• CS-MARS can identify and mitigate threats in the network and significantly extends the
Cisco Self-Defending Network initiative.



Cisco Security Auditor

Security Posture Analysis (SPA) (figure)

• Examines multiple router, switch, PIX Security Appliance and VPN configurations against
predefined checklists that are “best practices” (NSA, CIS, SAFE, TAC approved)
• User-defined lists of best practices
• Benchmarks and scores policies against best practices
• Multiple device support
• Provides comprehensive set of audit result reports linking to security vulnerabilities found
• Offers recommendations to fix the vulnerability
(Figure: Security Auditor runs a SNAP audit of the Cisco network infrastructure; a Best
Practices Definition (NSA, SAFE) feeds Benchmarking, which produces best-practice-compliant
policies, raw scores and weighted scores; Reporting of Results covers audit summary, audit
detail, trend, policy summary, device summary, alarms and notifications; Recommendations give
a suggestion to fix every violation)
Security Auditor extends the concept of SDM, and supports auditing multiple devices against
multiple checklists.

The Cisco Security Auditor extends the Cisco portfolio of security management products by
providing security compliance auditing. Cisco Security Auditor provides new levels of security
assurance with cost-effective auditing of network infrastructure against corporate security
policies and industry best practices.
The Cisco Security Auditor eliminates common manual audit tasks and implements a business-
centric, policy profile management model that allows customers to build high-level corporate
policies, while the application of those policies to specific network devices is offloaded to the
Security Auditor software.
The automated auditing capabilities of the software allow customers to eliminate costly manual
auditing operations for large-scale networks, drastically reducing the time required to perform
an audit. Cisco Security Auditor also provides security improvement recommendations and
reporting that simplify the process of addressing network security vulnerabilities. This
capability allows management operations to effectively manage the risks related to their
network.
The product is built on a scalable and generic auditing framework architecture to support the
audit of a large number of network instances. Cisco Security Auditor is an integral part of the
Cisco full-cycle security management solutions and provides security improvement
recommendations for the management solution to further enhance the security protection of
customer networks. The result is a powerful software solution that ensures organizational
security compliance and network availability, while increasing productivity and overall return
on investment.

Securing the Network Infrastructure with Cisco
IOS Software Security Features
This topic describes how to secure network infrastructure with Cisco IOS software security
features.

Routers Are Targets (figure)

Router security is a critical element in any security deployment:
• Routers advertise networks and filter who can use them.
• Routers are potentially an aid to a hacker.
• Routers provide access. Therefore, you should secure routers to reduce the likelihood that
they can be directly compromised.
(Figure: enterprise topology with Corporate Internet, Campus, PSTN, ISP Edge and Frame or
ATM WAN modules, management server, corporate users, public services and corporate
servers; the routers are highlighted as targets)


Recall that routers control access from network to network. They advertise networks, filter who
can use them, and are potentially an aid to a hacker. Consequently, router security is a critical
element in any security deployment. It is important for security professionals to be completely
up to date on current router documentation and possible threats to routers.



Switches Are Targets (figure)

Most of the router security concerns also apply to switches.
(Figure: the same enterprise topology with Corporate Internet, Campus, PSTN, ISP Edge and
Frame or ATM WAN modules, management server, corporate users, public services and
corporate servers; the switches are highlighted as targets)


Similar to router considerations, both Layer 2 and Layer 3 switches have their own set of
security considerations. Unlike routers, not as much information is available about the security
risks in switches and what can be done to mitigate those risks. Most of the router security
techniques also apply to switches.

Enhanced Cisco IOS Security Services
• AutoSecure
– Single command locks down routers to
NSA standards
• Control-Plane Policing
– Control-plane rate-limiting throttles the
amount of traffic forwarded to the route
processor in a given interval
• Silent Mode:
– Reduces hacker ability to reconnoiter the
network
• Scavenger-class QoS
– QoS and rate limiting ensures that
mission critical traffic gets through.
– Maintains management traffic so IT
managers can place ACLs and track down
infections.

In complex network environments, networking devices offer a robust set of configuration
options to meet the requirements of different businesses. These services also include a rich set
of perimeter security services that protect the network from hostile intentions, as well as
security services that protect the networking device itself. To address the increasing complexity
of the attacks in a heightened security environment, Cisco has enhanced Cisco IOS Security
Services for both perimeter and device protection, thus ensuring the availability of the device.
The following services, designed to protect the networking device, are recent enhancements to
Cisco IOS software that complement its already rich set of services.
• AutoSecure: Cisco AutoSecure provides vital security requirements to networks by
incorporating a straightforward "one touch" device lockdown process. Cisco AutoSecure
enables rapid implementation of security policies and procedures to simplify the security
process, without having to understand all the Cisco IOS software features and execute each
of the many command-line interface (CLI) commands manually. This feature uses a single
command that instantly configures the security posture of routers and disables non-essential
system processes and services, thereby eliminating potential security threats.
• Control Plane Policing (CoPP): A router can be logically divided into three functional
components or planes: the data plane, the management plane and the control plane. Most
traffic travels through the router over the data plane, but the route processor must handle
certain packets, such as routing updates, keepalives, and network management. This
functionality is often referred to as control and management plane traffic. A DoS attack
targeting the route processor will result in excessive CPU use. Such an attack can be
devastating to network stability and availability. CoPP addresses the need to protect the
control and management planes and ensures routing stability, reachability, and packet
delivery. CoPP uses a dedicated control-plane configuration via the Modular Quality of
Service CLI (MQC) to provide filtering and rate limiting capabilities for control plane
packets.
• Silent Mode: One requirement for hacking a system is reconnaissance: gaining information
about the network. Hackers conduct reconnaissance by listening to system messages, such
as the status of packet delivery, which provide information such as the IP addresses of



devices. Silent Mode is a new Cisco IOS software feature designed to reduce the amount of
information that a hacker can gather about a network. Silent Mode stops the router from
generating certain informational packets. For example, it suppresses the Internet Control
Message Protocol (ICMP) messages and Simple Network Management Protocol (SNMP)
traps that are normally generated by the router. Like CoPP, Silent Mode leverages the
familiar MQC interface.
• Scavenger-class QoS: Not all DoS attacks are designed to overload servers; some attacks
target the network infrastructure itself. These types of attacks deny service by saturating
link bandwidths, exhausting router and switch CPUs, or spoofing control plane traffic. The
definition of scavenger-class traffic is based on an Internet2 draft outlining a "less than best
effort" service. Non-business, entertainment-oriented applications such as KaZaA and
Napster, as well as gaming traffic, are well suited to such a service class. Scavenger traffic
is permitted as long as all other more important classes are being adequately serviced. In
the event of congestion, the scavenger class is the first to be dropped and squelched.
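As an added example (not course material or Cisco-supplied configuration), the following Cisco IOS configuration implements the CoPP design described above: packets punted to the route processor are classified by ACL into MQC classes, and each class is policed before it can consume CPU. The ACL and class names, the peer and management subnets (RFC 5737 documentation ranges) and the police rates are assumptions; the point is the structure, in which routing traffic is measured but never dropped while everything unclassified falls into a small class-default bucket.

```cisco
! Added example, not from the course: basic Control Plane Policing on Cisco IOS.
! Subnets and rates are assumptions; derive real rates from observed baselines.
!
! Routing-protocol traffic from known peers (assumed peer subnet 192.0.2.0/24).
ip access-list extended COPP-ROUTING
 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
 permit tcp 192.0.2.0 0.0.0.255 eq bgp any
 permit ospf 192.0.2.0 0.0.0.255 any
!
! Management traffic, accepted only from the management subnet (assumed 198.51.100.0/24).
ip access-list extended COPP-MANAGEMENT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
 permit udp 198.51.100.0 0.0.0.255 any eq ntp
!
! ICMP needed for path diagnostics; anything beyond a small rate is dropped so an
! echo flood cannot starve the CPU.
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
! MQC classes bound to the ACLs above.
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! Policy: rate in bits per second, then what to do with conforming and excess packets.
policy-map COPP
 class COPP-ROUTING
  ! Never drop routing updates; the policer here only records what exceeds the rate.
  police 256000 conform-action transmit exceed-action drop
 class COPP-MANAGEMENT
  police 128000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
 class class-default
  ! Everything else punted to the route processor shares one small bucket.
  police 16000 conform-action transmit exceed-action drop
!
! Attach the policy to the control plane; it is evaluated for punted packets only,
! so transit traffic on the data plane is unaffected.
control-plane
 service-policy input COPP
```

Check the counters with `show policy-map control-plane`; a climbing exceed count in class-default is the signal that something unexpected is being punted to the route processor and deserves investigation before the rate is raised.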

Self-Defending Network Endpoint Security
Solutions
This topic describes the features of Cisco Secure Desktop and Cisco Clean Access.

Cisco Secure Desktop—Comprehensive Endpoint Security for SSL VPN (figure)

Complete Pre-Connect Assessment:
• Location assessment—managed or unmanaged desktop?
• Security posture assessment—AV operational or up-to-date, personal firewall operational,
malware present?
Comprehensive Session Protection:
• Data sandbox and encryption protects every aspect of session
• Malware detection with hooks to Microsoft free anti-spyware software
Post-Session Clean-Up:
• Encrypted partition overwrite (not just deletion) using DoD algorithm
• Cache, history and cookie overwrite
• File download and email attachment overwrite
• Auto-complete password overwrite
(Figure: on Windows 2000 or XP, Cisco Secure Desktop switches from the original user
desktop to a temporary CSD desktop; works with desktop guest permissions, no admin
privileges required)

The Cisco acquisition of Twingo Systems has provided a desktop security solution for Secure
Sockets Layer (SSL) VPNs, and brings the same level of security provided by IPSec VPNs. The
core technology of this product, the Cisco Secure Desktop, removes sensitive security
information related to an SSL VPN connection at the close of the session. Cisco Secure
Desktop protects against exploitation of such information for host, network or system penetration.
The Cisco Secure Desktop writes all data associated with the SSL VPN session to a single and
segregated part of the end system's hard drive. Cisco Secure Desktop provides a single location
for session clean-up and partitions the session from unsecured areas of the end system. The
Virtual Secure Desktop is transparent to the end user, and users continue to have access to all of
the PC hardware and software resources.
The Cisco Secure Desktop software is integrated into the Cisco Web VPN solution on the Cisco
VPN 3000 Concentrator Series.



Cisco Clean Access—Admission Control for Small-Medium Business (figure)

1. End user attempts to access a web page or uses an optional client
• Network access is blocked until end user provides login information
2. User is redirected to a login page
• Clean Access validates username and password and also performs device and network
scans to assess vulnerabilities on the device
3a. Device is non-compliant or login is incorrect
• User is denied access and assigned to a quarantine role with access to online remediation
resources
3b. Device is “clean”
• Machine gets on “clean list” and is granted access to network
(Figure: the Cisco Clean Access Server sits between the end user and the intranet, working
with the Cisco Clean Access Manager and an authentication server; a quarantine role isolates
non-compliant devices)


Cisco Clean Access extends the offerings in Cisco Network Admission Control (NAC) to the
small-medium enterprise market where a turnkey solution is preferred. Like NAC, it is
designed to enforce endpoint policy compliance and enables organizations to intelligently
provide trusted access to "clean" endpoints.
Cisco Clean Access is a “shrink-wrapped” NAC solution that recognizes users, their devices
and roles. Cisco Clean Access evaluates the security posture of the endpoint and scans for
vulnerabilities and enforces policy in the network.

Cisco Integrated Security Portfolio
This topic describes the positioning of the Cisco integrated security portfolio.

The Cisco Integrated Security Portfolio (figure)

• Site-to-Site VPN Firewall Routers: Cisco SOHO 90, Cisco 800 Series, Cisco 1700,
Cisco 2600, Cisco 3600, Cisco 3700, Cisco 7xxx
• Cisco PIX Security Appliances: Cisco PIX 501, Cisco PIX 506E, Cisco PIX 515E,
Cisco PIX 525, Cisco PIX 535
• Remote Access VPN and VPN Clients: Cisco VPN 3005, Cisco VPN 3015, Cisco VPN 3030,
Cisco VPN 3060, Cisco VPN 3080
• Intrusion Detection and Prevention Systems: network sensor, router sensors, firewall sensor
• Endpoint Protection Software: Cisco Security Agent (server and desktop protection)
• Identity: Cisco Secure Access Control Server
• Cisco Catalyst 6500 Series Modules: IDS, Firewall, VPN and SSL service modules
• Security Management: IP Solution Center (VPN and security management), Cisco Threat
Response Technology

A truly secure network requires multiple products and technologies that collaborate seamlessly
across platforms and integrate tightly with the network infrastructure. This figure illustrates the
full range of the Cisco integrated security portfolio. No single product or technology is able to
secure a network. There is no other vendor with such a diversity of platforms.
Cisco offers the broadest portfolio of integrated security products in the industry that are
designed to meet the requirements and diverse deployment models of any network and any
environment. These products include the following:
Cisco IOS platforms with integrated VPN and stateful firewall support for secure IP
connectivity
Cisco PIX Security Appliances with integrated VPN to ensure perimeter security and
access control
Cisco VPN Concentrator 3000 Series remote access VPN appliances for secure
telecommuter connectivity
Appliance-based network intrusion detection and prevention systems (IDS/IPS) as well as
integrated network IDS/IPS for Cisco IOS routers and PIX Security Appliances
Endpoint protection software to protect servers and desktops from the damaging effects of
known and unknown threats
Cisco Secure Access Control Server to ensure that users have the proper authority to access
corporate resources
Security modules for the Cisco Catalyst 6500 Series switch and Cisco 7600 Series router
that provide security throughout the data center
Security management including Cisco Threat Response Technology to reduce false alarms,
analyze and escalate real attacks, and mitigate costly intrusions



Cisco Integrated Security

Figure: the Cisco security product portfolio positioned in the Self-Defending Network. Labels recoverable from the figure:
Prevent outbreaks: ensure security compliance before allowing Internet browsing; identify compliant and non-compliant endpoints (Cisco Access Control Server, third-party policy server, non-responsive assessment server)
Identify anomalous behavior
Perimeter protection for the branch (against worms, viruses, etc.) via IOS firewall/IPS on the Cisco ISR; prevent outbreak introduction with NAC, AV, and CSA
Cisco “Clean Pipe” offered through a managed security service provider network
Prevent outbreak propagation: Cisco PIX, Cisco Catalyst 6500, Cisco 4200 IPS Sensor, CiscoWorks VMS
Enforce outbreak control: quarantine, remediate, permit/deny access
Identify and contain outbreaks; prevent server-based infection with CSA host protection on web, email, and DNS servers and the Content Engine

The Cisco approach to security has evolved from a point product approach to this integrated
security approach. The figure illustrates the positioning of the Cisco security product portfolio
in the context of the Self-Defending Network.

Summary
This topic summarizes what you learned in this lesson.

Summary

• Changing threats and challenges demand a new approach to network security.
• Self-Defending Networks can be built on existing infrastructure over three evolving phases.
• Adaptive threat defense dynamically addresses threats at multiple layers and enables tighter control of traffic, endpoints, users, and applications.
• Adaptive threat defense simplifies architectural designs and lowers operational costs.
• Advanced features of PIX Security Appliance Software version 7.0 provide control over web applications, VoIP, protocols, policies, and services, while providing a resilient and versatile security solution.

Summary

• Cisco Guard and Traffic Anomaly Detector in appliance and module form detect and defend against DDoS attacks of all types.
• Cisco Secure MARS and Security Auditor provide management and threat response.
• Enhanced security features of Cisco IOS software secure routers and switches in the network infrastructure.
• Cisco Secure Desktop and Cisco Clean Access ensure the security of network endpoints.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Summarize the characteristics of a blended threat. (Source: Changing Threats and
Challenges)

Q2) Define a flash threat. (Source: Changing Threats and Challenges)

Q3) Describe the vulnerability stemming from the following sources: (Source: Changing
Threats and Challenges)
Source Vulnerability

Common application interfaces

Corporate security policies

Wireless and mobile network within enterprises

Q4) Identify the goal of each phase in the evolution of the self-defended network and
identify the products and technologies associated with each phase. (Source: Building a
Self-Defending Network)
Phase Goal Products and Technologies

Phase I

Phase II

Phase III



Q5) Which statement identifies a capability of the anomaly Guard? (Source: Cisco DDoS
Modules)
A) Passive monitoring to activate the Detector for mitigation
B) Diverts traffic for on-demand scrubbing
C) Transparent firewall capabilities
Q6) Summarize the key features of the Cisco Secure MARS and the Security Auditor.
(Source: Cisco Secure MARS and Security Auditor)

Q7) Identify four typical traffic types accessing port 80 and identify the types of controlled
traffic a Cisco PIX Security Appliance Software version 7.0 will allow into a secure
network. (Source: Cisco PIX Security Appliance Software v7.0)

A) _________________________________________
B) _________________________________________
C) _________________________________________
D) _________________________________________
E) _________________________________________
F) _________________________________________
Q8) Identify the four enhanced Cisco IOS security services and describe the key feature for
each. (Source: Securing the Network Infrastructure with Cisco IOS Software Security
Features)
IOS Security Service Feature

Q9) Describe the steps that the Cisco Clean Access solution uses to provide secure
admission control for small-medium business. (Source: Self-Defending Network
Endpoint Security Solutions)



Lesson Self-Check Answer Key
Q1) The summary should touch on the following points:
A blended threat uses multiple means of propagation.
It has the characteristics of a virus.
It can self-replicate across a network with worm-like ability.
It can search for and exploit a system or application vulnerability, or multiple vulnerabilities.

Q2) The definition should be similar to the following:
A flash threat exploits new, possibly unknown vulnerabilities and can propagate across the
Internet in seconds.

Q3) The following table identifies the security vulnerability stemming from each source:
Source Vulnerability

Common application interfaces: Much of the data that used to reside in packet headers now
resides in the packet payload.

Corporate security policies: In a network supporting end-to-end VPNs, intermediate nodes
have no visibility into the traversing traffic.

Wireless and mobile network within enterprises: Multihomed hosts establish ad hoc wireless
networks enabling peer-to-peer communication, allowing packets to be forwarded across
devices at the application level.

Q4) The following table identifies the goal of each phase in the evolution of a self-defending network and
identifies the products and technologies associated with each phase:
Phase Goal Products and Technologies

Phase I: Integrated security. Firewalls, intrusion prevention, and secure connectivity

Phase II: Collaborative security systems. NAC, NFP, VoIP, wireless, and service virtualization

Phase III: Adaptive threat defense. Application inspection and control; real-time worm, virus, and spyware prevention; P2P and IM control

Q5) B
Q6) The summary should touch on the following points:
Determines security incidents based on device messages, events, and sessions
Incidents are topologically aware for visualization and replay
Mitigation on L2 ports and L3 chokepoints
Efficiently scales for real-time use across the enterprise
Q7) The four typical traffic types accessing port 80, and the types of controlled traffic a PIX Security
Appliance Software version 7.0 will allow into a secure network:
A) Peer-to-peer
B) HTTP Delete
C) Instant messaging
D) JPEG/EXE
E) Approved access
F) Web browsing

Q8) The following table identifies the four enhanced Cisco IOS security services and describes the key feature
for each:
IOS Security Service Feature

Silent Mode: Reduces a hacker’s ability to reconnoiter the network

AutoSecure: A single command locks down routers to NSA standards

Scavenger-class QoS: Maintains management traffic so IT managers can place ACLs and track down infections

Control-Plane Policing: Control-plane rate limiting throttles the amount of traffic forwarded to the Route Processor in a given interval


Q9) The steps described should be equivalent to the following:
Step Action Notes

1. End user attempts to access a web page or uses an optional client. Network access is blocked until the end user provides login information.

2. User is redirected to a login page. Clean Access validates the username and password; it also performs device and network scans to assess vulnerabilities on the device.

3. Device is declared “non-compliant” or login is incorrect: the user is denied access and assigned to a quarantine role with access to online remediation resources.
   Or: device is declared “clean”: the machine is placed on the “clean list” and is granted access to the network.

4. End user logs on to the corporate intranet or the network.
Module Summary
This topic summarizes the key points discussed in this module.

Module Summary

• Open networks require increased network security from threats and attacks. Organizations should have a security policy for implementing and maintaining network security.
• There are a number of key strategies that can be used to mitigate network attacks.
• The Cisco security portfolio provides a comprehensive range of products and security solutions to a wide range of business models.
• The Cisco Self-Defending Network strategy helps manage and mitigate risks posed to networked business systems and applications.

This module described the need for increased security in open networks. Because the frequency
and sophistication of the types of threats and attacks have increased significantly, strategies that
mitigate network attacks were described. The need for a security policy and the Cisco security
portfolio were described.

Module 2

Securing the Perimeter

Overview
Globally networked businesses rely on networks to communicate with employees, customers,
partners, and suppliers. While immediate access to information and communication is an
advantage, it raises concerns about security—protecting access to critical network resources.

Security policies are enforced at network perimeters. Network administrators need to know
who is accessing which resources and they need to establish clear perimeters to control that
access. An effective security policy balances accessibility with protection. A perimeter is more
than just the boundary between an internal network and the public Internet. You can put a
perimeter anywhere within a private network, or between your network and a partner network.

A solid perimeter security solution enables communications as defined by the security policy,
yet protects network resources from breaches or attacks. Perimeter security controls multiple
network entry and exit points, and increases user assurance by implementing multiple layers of
security.

The Cisco perimeter security solution provides several levels of perimeter security that can be
deployed throughout your network. The solution is highly flexible, and can be tailored to your
security policy. This module focuses on mitigating threats at Layers 2 and 3 using the security
features embedded in the Cisco Catalyst switch and Cisco IOS software. Basic aspects of
physical security are also discussed.
Module Objectives
Upon completing this module, you will be able to configure Layer 2 and Layer 3 devices on the
network perimeter with Cisco Catalyst switch security features and Cisco IOS software. This
ability includes being able to meet these objectives:
Secure Cisco router physical installations and administrative access
Configure AAA implementation on a Cisco router
Describe how Cisco Secure ACS provides AAA services to network devices that function
as AAA clients
Configure basic administrative access, AAA clients, users and groups
Disable unused Cisco router network services and interfaces
Mitigate threats and attacks to Cisco perimeter routers by formatting and applying access
lists to filter traffic
Securely implement management and reporting features of syslog, SSH and SNMPv3
Explain how Layer 2 attacks can be mitigated
Explain how to mitigate attacks against network topologies and protocols
Describe how to use the security features embedded in Catalyst switches to mitigate
network threats

Lesson 1

Securing Administrative
Access to Cisco Routers

Overview
This lesson shows you how to secure Cisco routers using proven methods for physically
securing the router, and protecting the router administrative interface. In order to practice what
you have learned, a hands-on lab exercise has been provided. In this lab exercise you will
configure secure access for a router administrative interface.

Objectives
Upon completing this lesson, you will be able to secure Cisco router physical installations and
administrative access. This ability includes being able to meet these objectives:
Configure passwords to secure administrative access to Cisco routers
Secure administrative access to Cisco routers by setting a login failure rate
Secure administrative access to Cisco routers by setting timeouts
Secure administrative access to Cisco routers by setting multiple privilege levels
Secure administrative access to Cisco routers by configuring banner messages
Configuring Router Passwords
This topic describes how to configure secure administrative access to Cisco routers by
configuring passwords. Configuring secure administrative access is an extremely important
security task. If an unauthorized person were to gain administrative access to a router, the
person could alter routing parameters, disable routing functions, or discover and gain access to
other systems in the network.

Configuring the Router Password

Figure: a console terminal connected to the console port of router Boston.

• A console is a terminal connected to a router console port.
• The terminal can be a dumb terminal or a PC with terminal emulation software.

Strong passwords and similar secrets, such as SNMP community strings (SNMP community
strings will be described later in this course) are the primary defense against unauthorized
access to your router. The best way to handle most passwords is to maintain them on a
TACACS+ or RADIUS authentication server. However, almost every router needs a locally
configured password for privileged access, and may also have other password information in its
configuration file.

One way to perform initial router configuration tasks is to access the router console port with a
console. A console is a terminal that is connected to a router console port; it can either be a
dumb terminal or a PC running terminal emulation software. Consoles are only one of the ways
that network administrators can obtain administrative access to configure and manage routers.
Other ways to gain administrative access include Telnet, HTTP/HTTPS, Secure Shell (SSH)
Protocol, Simple Network Management Protocol (SNMP), and the Cisco Security Device
Manager (SDM) feature.

The first step in securing Cisco router administrative access is to configure secure system
passwords. These passwords are either stored in the router itself (local) or on remote
authentication, authorization, and accounting (AAA) servers, such as the Cisco Secure Access
Control Server (ACS). This topic contains information on configuring local passwords only.
Password authentication using AAA is described later in this course.

Password Creation Rules

Follow these rules when you create passwords for Cisco routers:
• Passwords can be 1 to 25 characters in length.
• Passwords can include:
– alphanumeric characters
– upper-case and lower-case characters
– symbols and spaces
• Passwords cannot have a number as the first character.
• Password-leading spaces are ignored, but any and all spaces after the first character are not ignored.
• Change passwords often.

When creating passwords for Cisco routers, always keep the following rules in mind:
Passwords can be 1 to 25 characters in length, but should have a minimum of ten
characters. Passwords may include the following:
— any alphanumeric character,
— a mix of uppercase and lowercase characters, and
— symbols and spaces.
Passwords cannot have a number as the first character.
Passwords should not use dictionary words.
Leading spaces are ignored, but all spaces after the first character are significant.
You should decide when and how often the passwords should be changed.

You may want to add your own rules to this list, making your passwords even safer.



Initial Configuration Dialog

Sample Router Configuration

Would you like to enter the initial configuration dialog? [yes/no] y
Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to privileged
EXEC and configuration modes. This password, after entered, becomes
encrypted in the configuration.

Enter enable secret: CantGessMe

The enable password is used when you do not specify an enable secret
password, with some older software versions, and some boot images.

Enter enable password: WontGessMe

The virtual terminal password is used to protect access to the router
over a network interface.

Enter virtual terminal password: CantGessMeVTY

If you are working on a new router (from the factory) or an existing router that has been reset
(possibly using the Cisco password recovery procedure), the Cisco IOS command-line interface
(CLI) prompts you to enter the initial configuration dialog. The figure provides a router
configuration sample with this initial prompt.

Within the first few questions of the initial configuration dialog, several Cisco router password
requirements can be found:
The router enable secret password
The router enable password
The password used to access the router using virtual terminal (Telnet)

The enable secret password is used to enter enable mode (sometimes referred to as privileged or
privileged-EXEC mode). You can set the enable secret password by entering a password during
the initial configuration dialog (as shown in the figure), or by using the enable secret command
in global configuration mode. The enable secret password is always encrypted inside the router
configuration using a Message Digest 5 (MD5) hashing algorithm.

The enable password command is also used to enter enable mode but is a holdover from older
versions of Cisco IOS software. By default, the enable password is not encrypted in the router
configuration. Cisco kept the older enable password command in later versions of Cisco IOS
software, even though enable secret is a safer way to store privileged-EXEC passwords, in
case the router is downgraded to a version of Cisco IOS software that does not support enable
secret. The enable password protects privileged-EXEC mode only when no enable secret is
configured; when both are set, the enable secret is used and the enable password is ignored.

The virtual terminal password is the line-level password entered when connecting to the router
using Telnet. You can set this password during the initial configuration dialog (as shown in the
figure) or by using the password command in vty line configuration mode.

Password Minimum Length Enforcement

router(config)#

security passwords min-length length

• Sets the minimum length of all Cisco IOS passwords

Boston(config)# security passwords min-length 10

Cisco IOS Software Release 12.3(1) and later allows administrators to set the minimum
character length for all router passwords using the security passwords global configuration
command. This command provides enhanced security access to the router by allowing you to
specify a minimum password length, which eliminates common passwords that are prevalent on
most networks, such as “lab” and “cisco.” This command affects user passwords, enable
passwords and secrets, and line passwords created after the command was executed. Existing
router passwords remain unaffected.

It is highly recommended that you set your minimum password length to at least 10 characters.
Never use a length of zero.

After this command is enabled, any attempt to create a new password that is less than the
specified length fails and results in an error message similar to the following:
Password too short - must be at least 10 characters. Password
configuration failed.


Configure the Enable Password
Using enable secret
router(config)#

enable secret password

• Hashes the password in the router configuration file
• Uses a strong hashing algorithm based on MD5

Boston(config)# enable secret Curium96

Boston# show running-config

!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!

If you did not use the initial configuration dialog to configure your enable secret password, you
must use the enable secret command in global configuration mode as shown in the figure. The
enable secret command stores a one-way, salted hash based on MD5 (designated by the
number 5 in the figure sample configuration), which cannot be reversed to recover the
password. However, anyone who obtains the configuration file can still run a brute-force or
dictionary attack against the hash offline, so a weak enable secret remains recoverable.

If you forget the enable secret password, you have no alternative but to replace it using the
Cisco router password recovery procedure.
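The type 5 hash and the offline guessing described above, as an added example that is not part of the SND course material: a pure-Python reimplementation of MD5-crypt (the $1$salt$hash scheme that enable secret and username ... secret store), a verify step that re-hashes a candidate with the stored salt, and a dictionary attack against a secret generated in the script. The function names, the random 4-character salt, and the wordlist are assumptions made for this example; Curium96 is the slide's own sample password.

```python
"""MD5-crypt ($1$) as used by 'enable secret': one-way, but guessable offline.

Added example, not Cisco course material. Pure-Python MD5-crypt plus a
dictionary attack; wordlist and salt generation are constructed here.
"""
import hashlib
import secrets
import string

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: 'count' characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for password/salt; the salt is at most 8 chars."""
    pw = password.encode()
    sl = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)                  # feed len(pw) bytes of the alternate digest
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                       # per bit of len(pw): NUL for a 1, first pw byte for a 0
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                # 1000 stretching rounds with the spec's irregular schedule
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = bytearray()                # 22 characters from the 16 digest bytes, spec byte order
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (MAGIC + sl + b"$" + bytes(encoded)).decode()


def new_secret(password: str) -> str:
    """What 'enable secret <password>' writes: a fresh 4-character salt, then md5crypt."""
    alphabet = string.ascii_letters + string.digits + "./"
    salt = "".join(secrets.choice(alphabet) for _ in range(4))
    return md5crypt(password, salt)


def verify(candidate: str, stored: str) -> bool:
    """Re-hash the candidate with the salt carried in 'stored' and compare in constant time."""
    parts = stored.split("$")            # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 ($1$) secret")
    return secrets.compare_digest(md5crypt(candidate, parts[2]), stored)


def dictionary_attack(stored: str, wordlist):
    """Offline guessing: whoever holds the config line pays one md5crypt per guess."""
    for word in wordlist:
        if verify(word, stored):
            return word
    return None


# Constructed demo wordlist; 'Curium96' is the slide's sample password.
WORDLIST = ["cisco", "lab", "Password1", "Curium96", "admin"]

if __name__ == "__main__":
    stored = new_secret("Curium96")
    print("enable secret 5", stored)
    print("dictionary hit:", dictionary_attack(stored, WORDLIST))
```

The salt defeats precomputed tables, and the 1000 rounds make each guess cost about a thousand MD5 operations, but neither stops a short wordlist from succeeding in milliseconds: the minimum-length and no-dictionary-word rules earlier in this lesson are what make the offline attack expensive.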

Configure the Console Port Line-Level
Password
router(config)#

line console 0
• Enters console line configuration mode
router(config-line)#

login
• Enables password checking at login
router(config-line)#

password password
• Sets the line-level password to password (for
example “ConUser1”)
Boston(config)# line con 0
Boston(config-line)# login
Boston(config-line)# password ConUser1

By default, Cisco router console ports allow a hard BREAK signal (within 60 seconds of a
reboot) to interrupt the normal boot sequence and give the console user complete control of the
router. This is used for maintenance purposes, such as when running the Cisco router password
recovery procedure. Even though this hard BREAK sequence is, by default, available to
someone who has physical access to the router console port, it is still important to set a line-
level password for users who might try to gain console access remotely. The hard BREAK
sequence may be disabled using the no service password-recovery command described later.

Note If a router is configured with the no service password-recovery command, all access to
the ROMMON is disabled.

By default, the console port does not require a password for console administrative access.
However, you should always configure a console port line-level password. The figure
illustrates the steps (in global configuration mode) that are required to create a new line-level
password for the console.

Note Notice that the password is seen in clear text (unencrypted). Passwords left in clear text
pose a serious threat to router security.



Configure a VTY Line-Level Password
router(config)#
line vty start-line-number end-line-number
• Enters VTY line configuration mode
• Specifies the range of VTY lines to configure
router(config-line)#
login
• Enables password checking at login for VTY (Telnet)
sessions
router(config-line)#
password password
• Sets the line-level password to password (for
example: “CantGessMeVTY”)
Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY

Cisco routers support multiple Telnet sessions (up to five simultaneous sessions by default;
more can be added), each serviced by a logical vty. By default, Cisco routers do not have any
line-level passwords configured for these vty. If you enable password checking, you must also
configure a vty password before attempting to access the router using Telnet. If you fail to
configure a vty password, and password checking is enabled for vty, you will encounter an
error message similar to the following:
telnet 10.0.1.2
Trying 10.0.1.2 ... open

Password required, but none set

[Connection to 10.0.1.2 closed by foreign host]

There are two ways to configure a vty password: the first is to enter the password during the
initial configuration dialog; the second is to use the password command in vty line
configuration mode, as shown in the figure. Always configure passwords for all of the vty lines
in this manner.

In the example shown in the figure, vty 0 4 (the five lines vty 0 through vty 4) are configured
simultaneously to require the password specified. Just like console line-level passwords, vty
passwords are, by default, shown as clear text (unencrypted) in the router configuration.
The following are a few more things to consider when securing Telnet connections to a Cisco
router:
If you fail to set an enable password for the router, you will not be able to access
privileged-EXEC mode using Telnet. Use either the enable password or enable secret
command to set the enable password for your routers.
Telnet access should be limited only to specified systems by building a simple access
control list (ACL) that does the following:
— Allows Telnet access from specific hosts only (allows certain IP addresses)
— Blocks Telnet access from specific untrusted hosts (disallows certain IP addresses)
— Ties the ACL to the VTY lines using the access-class command
— The following is an example showing ACL 30 restricting Telnet access to host
10.0.1.1 and denying access from host 10.0.1.2 for vty 0 to 4:
Boston(config)# access-list 30 permit 10.0.1.1
Boston(config)# access-list 30 deny 10.0.1.2
Boston(config)# line vty 0 4
Boston(config-line)# access-class 30 in
Every ACL ends with an implicit deny of all other sources, so host 10.0.1.2 would be blocked
even without the explicit deny entry; the entry documents the intent and lets you match that
host specifically.
You must configure passwords for all of the vty on the router. Remember that you can add
more vty to the router and these lines must be protected as well as the default 0 to 4 lines.


Configure an Auxiliary Line-Level Password
router(config)#

line aux 0
• Enters auxiliary line configuration mode
router(config-line)#
login
• Enables password checking at login for auxiliary
line connections
router(config-line)#
password password
• Sets the line-level password to password
(for example “NeverGessMeAux”)
Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux

By default, Cisco router auxiliary ports do not require a password for remote administrative
access. Administrators sometimes use this port to remotely configure and monitor the router
using a dialup modem connection.

Unlike console and vty passwords, the auxiliary password is not configured during the initial
configuration dialog and should be configured, as shown in the figure, using the password
command in auxiliary line configuration mode.

If you wish to turn off the EXEC process for a specified line such as on the aux port, use the no
exec command within the auxiliary line configuration mode.

Setting the auxiliary line-level password is only one of several steps you must complete when
configuring a router auxiliary port for remote dial-in access. The “Configuring an Auxiliary
Line-Level Password” table lists the steps and commands used when configuring an auxiliary
port.

Configuring an Auxiliary Line-Level Password

Step Action Notes

1. Boston(config)# line aux 0
   Boston(config-line)# modem inout
   These commands permit incoming and outgoing modem calls on this line.

2. Boston(config-line)# speed 9600
   This command specifies the line speed that should be used to communicate with the modem.

3. Boston(config-line)# transport input all
   This command allows all protocols to use the line.

4. Boston(config-line)# flowcontrol hardware
   This command enables RTS and CTS flow control.

5. Boston(config-line)# login
   Login disabled on line 65, until 'password' is set
   These commands authenticate incoming connections using the password configured on the line (the password is configured in step 6).

6. Boston(config-line)# password NeverGessMeAux
   Configures the password “NeverGessMeAux” to authenticate incoming calls on this line.


Encrypting Passwords Using
service password-encryption
router(config)#

service password-encryption
• Encrypts all clear text passwords in the router
configuration file
Boston(config)# service password-encryption

Boston# show running-config

enable password 7 06020026144A061E
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A

Just like console and vty passwords, auxiliary passwords are stored unencrypted in the router
configuration. This is why it is important to use the service password-encryption command.

With the exception of the enable secret password, all Cisco router passwords are, by default,
stored in clear text form within the router configuration. View these passwords with the show
running-config command. Sniffers can also read these passwords if your configuration files
traverse an unsecured intranet or Internet connection on their way to or from a Trivial File
Transfer Protocol (TFTP) server, and an intruder who gains access to the TFTP server where the
router configuration files are stored obtains them directly.

The service password-encryption command encrypts all passwords in the router configuration
file (except the enable secret password, which is already hashed) using a proprietary Cisco
algorithm based on a Vigenère cipher, indicated by the number 7 in front of the password when
viewing the configuration. This type 7 encoding is reversible and is not comparable to the MD5
hash used with the enable secret command, but it does prevent casual discovery of the router
line-level passwords by someone looking over an administrator's shoulder or at a printed
configuration.

Note The encryption algorithm in the service password-encryption command is considered
relatively weak by most cryptographers, and several Internet sites post mechanisms for
cracking this cipher; anyone who obtains a type 7 string recovers the password in seconds.
This only proves that relying on the encrypted passwords alone is not sufficient security
for your Cisco routers. You need to ensure that the communications link between the console
and the routers, or between the TFTP or management server and the routers, is a secured
connection, and you need to treat every saved configuration as if it contained the
passwords in clear text. Securing this connection is discussed later.

After all of your passwords have been configured for the router, you should run the service
password-encryption command in global configuration mode, as shown in the figure.
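As an added example, not part of the original course material, the following Python script implements the type 7 reversal that the note above refers to. It uses the published constant key the scheme XORs against, decodes the enable password string from the figure, and scans a small running-config for further type 7 strings. The sample configuration is constructed here from the figure's enable password line plus an aux password encoded on the spot, so the round trip is visible.

```python
import re

# The constant key the type 7 scheme XORs against. The first two digits of a
# type 7 string are the decimal offset into this key; the rest are hex bytes.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the clear text from a 'password 7 <string>' value."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def type7_encrypt(plain: str, seed: int = 6) -> str:
    """Produce the string IOS would store; seed is the key offset (IOS uses 0 to 15)."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode()):
        out.append(f"{ch ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def recover_type7_passwords(config: str) -> dict:
    """Map every 'password 7 ...' line in a running-config to its clear text, keyed by
    the line section it belongs to ('global' for enable password)."""
    found, context = {}, "global"
    for line in config.splitlines():
        if line.startswith("line "):
            context = line.strip()
        m = re.match(r"\s*(?:enable )?password 7 ([0-9A-Fa-f]+)\s*$", line)
        if m:
            found[context] = type7_decrypt(m.group(1))
    return found


# Constructed sample: the enable line is taken from the figure; the aux line is
# encoded here with type7_encrypt so that the round trip is visible.
SAMPLE_CONFIG = f"""\
service password-encryption
enable password 7 06020026144A061E
!
line aux 0
 password 7 {type7_encrypt("NeverGessMeAux", seed=9)}
 login
"""

if __name__ == "__main__":
    for where, clear in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{where}: {clear}")
```

Run against a real configuration, this is exactly what an attacker does with a copy of the file; the only defense is to keep the file from being read, not the type 7 encoding.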

Enhanced Username Password Security

router(config)#
username name secret {[0] password | 5 encrypted-secret}

• Uses MD5 hashing for better username password security
• Better than the type 7 encryption found in the service password-encryption command

Boston(config)# username rtradmin secret 0 Curium96
Boston(config)# username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0


Starting with Cisco IOS Software Release 12.0(18)S, system administrators can choose to use
an MD5 hashing mechanism to protect username passwords. A hashed password is a much better
scheme than the standard type 7 encryption found in the service password-encryption
command, because the hash cannot be reversed to recover the password. This protection is
useful in environments in which the configuration crosses the network or is stored on a TFTP
server.

MD5 hashing of Cisco IOS username passwords is accomplished with the username secret
command in global configuration mode. Administrators can choose to enter a clear text
password for MD5 hashing by the router (option 0), or they can enter a previously computed
MD5 secret (option 5), for example one copied from another router or generated offline. The
syntax for the username secret command is as follows:

username name secret {[0] password | 5 encrypted-secret}

Command Element   Description

name              The username

0                 (Optional) Indicates that the following clear text password is to be
                  hashed using MD5.

password          The clear text password to be hashed using MD5

5                 Indicates that the following encrypted-secret password was already hashed
                  using MD5

encrypted-secret  The MD5 hash (the $1$salt$hash string shown in the figure) that will be
                  stored as the user password

Note MD5 hashing is one-way and the password is not retrievable from the hash; therefore, you
cannot use username secret with protocols that require the router to know the clear text
password, such as Challenge Handshake Authentication Protocol (CHAP). A hash that cannot be
reversed can still be guessed: an attacker who obtains the configuration can run a dictionary
attack against the type 5 hash offline, so the password itself must be strong. Later Cisco IOS
releases add stronger password types (type 8, PBKDF2-SHA256, and type 9, scrypt); prefer
those where the software supports them.
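The $1$salt$hash string in the figure is the Unix MD5-crypt format. The following Python implementation is an added example, not part of the course material and not Cisco code: it reproduces that format so that a type 5 secret can be generated offline for the username name secret 5 form, verifies a candidate password against a stored hash, and shows why the hash cannot be reversed but can be guessed. The salt feb0 is taken from the figure; the example does not assume that the figure's hash was produced from the password shown there.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64: six bits per character, least significant first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$), the algorithm behind 'username ... secret 5' and 'enable secret'."""
    pw = password.encode()
    salt_b = salt[:8].encode()            # the format allows at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit > 0:                        # historical quirk, kept for compatibility
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for rnd in range(1000):               # 1000 rounds slow down offline guessing
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(salt_b)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    out = []
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out.append(_to64((final[a] << 16) | (final[b] << 8) | final[c3], 4))
    out.append(_to64(final[11], 2))
    return f"$1${salt_b.decode()}${''.join(out)}"


def new_secret(password: str) -> str:
    """Generate a fresh salted hash suitable for 'username name secret 5 <hash>'."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5_crypt(password, salt)


def verify_secret(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $1$salt$hash string."""
    try:
        _, one, salt, _ = stored.split("$")
    except ValueError:
        return False
    if one != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, salt), stored)


def dictionary_attack(stored: str, candidates):
    """What an attacker does with a captured configuration: guess, not reverse."""
    for guess in candidates:
        if verify_secret(guess, stored):
            return guess
    return None
```

Generating the hash with new_secret on an administration host and pasting only the type 5 string into the router keeps the clear text password out of the console session and out of any TFTP transfer.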

Securing ROMMON with no service password-recovery

router(config)#
no service password-recovery

• By default, Cisco routers are factory configured with service password-recovery set.
• The no version prevents the console from accessing ROMMON.

Boston(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism. Do not execute this command
without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes
Boston(config)#

By default, Cisco IOS routers honor a break sequence during power up that forces the router
into ROMMON mode. Once the router is in ROMMON mode, anyone can follow the well-known Cisco
password recovery procedure: change the configuration register so that the router boots
without loading its startup configuration, log in with no password, load the saved
configuration, and set a new enable secret password. This procedure, if performed correctly,
leaves the rest of the router configuration intact. This scenario presents a potential
security breach in that anyone who gains physical access to the router console port can enter
ROMMON, reset the enable secret password, and read the entire router configuration, including
any type 7 passwords and preshared keys.

This potential security breach can be mitigated using the no service password-recovery global
configuration command. The no service password-recovery command is a hidden Cisco IOS
command and has no arguments or keywords.

Caution If a router is configured with the no service password-recovery command, all access to
ROMMON is disabled. If the router Flash memory does not contain a valid Cisco IOS image, you
will not be able to use the ROMMON XMODEM command to load a new Flash image. In order to
repair the router, you must obtain a new Cisco IOS image on a Flash SIMM or on a PCMCIA card
(3600 only). See Cisco.com for more information regarding backup Flash images. Keep an
off-box copy of the configuration and of the enable secret in an access-controlled location
before enabling this command; without that copy, a lost enable secret means rebuilding the
router from scratch.

Once the no service password-recovery command is executed, the router boot sequence will
look similar to the following:
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
C2600 platform with 65536 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

program load complete, entry point: 0x80008000, size: 0xed9ee4

Also, after the no service password-recovery command is executed, a show running-config
command listing will contain the no service password-recovery statement as shown here:
!
version 12.0
service tcp-keepalives-in
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
!
hostname Boston

Setting a Login Failure Rate
This topic describes how to secure administrative access to Cisco routers by setting a login
failure rate.

Authentication Failure Rate with Logging

router(config)#
security authentication failure rate threshold-rate log

• Configures the number of allowable unsuccessful login attempts
• By default, the router allows 10 login failures before initiating a 15-second delay
• Generates a syslog message when the rate is exceeded

Boston(config)# security authentication failure rate 10 log


Starting with Cisco IOS Software Release 12.3(1), system administrators can configure the
number of allowable unsuccessful login attempts using the security authentication failure
rate global configuration command, as shown in the figure. The delay slows down online
password guessing against the console, auxiliary, and vty lines; it does not replace strong
passwords, because an attacker who can read the configuration attacks the stored hashes
offline instead.

When the number of failed login attempts reaches the configured rate, two events occur:
A TOOMANY_AUTHFAILS event message is sent by the router to the configured syslog server.
A 15-second delay timer starts.

Once the 15-second delay has passed, the user may continue to attempt to log into the router.
Forward these syslog messages to a monitored collector: a burst of TOOMANY_AUTHFAILS messages
from one router is the signature of a password-guessing attack in progress.

The syntax for the security authentication failure rate command is as follows:

security authentication failure rate threshold-rate log

Command Element   Description

threshold-rate    This is the number of allowable unsuccessful login attempts. The default
                  is 10 (the range is 2 to 1024).

log               The log keyword is required. This command must result in a generated
                  syslog event.

Setting Timeouts
This topic describes how to secure administrative access to Cisco routers by setting timeouts.

Setting Timeouts for Router Lines

router(config-line)#
exec-timeout minutes [seconds]

• Default is 10 minutes
• Terminates an unattended console connection
• Provides an extra safety factor when an administrator walks away from an active console
session

Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30
Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30

• Terminates an unattended console or auxiliary connection after 3 minutes and 30 seconds

By default, an administrative interface stays active (and logged on) for 10 minutes after the
last session activity. After that, the interface times out and logs out of the session. It is
recommended that you fine-tune these timers to limit the idle time to 2 or 3 minutes at most,
and to apply the setting to every line type (console, auxiliary, and vty), because an idle
session left open on any of them is an open session for whoever reaches that terminal next.

You can adjust these timers using the exec-timeout command in line configuration mode for
each of the line types used. Never set exec-timeout 0 0: that value disables the timeout
entirely rather than making it short.

The syntax for the exec-timeout command is as follows:

exec-timeout minutes [seconds]

Command Element   Description

minutes           This integer specifies the number of minutes.

seconds           (Optional) This integer specifies the additional time interval in seconds.

Setting Multiple Privilege Levels
This topic describes how to secure administrative access to Cisco routers by setting multiple
privilege levels.

Setting Multiple Privilege Levels

router(config)#
privilege mode {level level command | reset command}

• Level 0 is predefined for the most restricted access: only the disable, enable, exit,
help, and logout commands.
• Level 1 is the default user EXEC level.
• Levels 2 to 14 may be customized for user-level privileges.
• Level 15 is predefined for privileged EXEC mode (enable command).

Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot


Cisco routers enable you to configure various privilege levels for your administrators. Different
passwords can be configured to control who has access to the various privilege levels. This is
especially helpful in a help desk environment where certain administrators are allowed to
configure and monitor every part of the router (level 15) while other administrators may be
restricted to only monitoring (customized levels 2 to 14). The 16 levels (0 to 15) are defined in
the figure. Keep in mind that a command moved to a lower level becomes available to everyone at
that level and above, and that giving a level access to configure terminal, or to any command
that can rewrite the configuration, is equivalent to giving it level 15.

Privileges are assigned to levels 2 to 14 using the privilege command from global
configuration mode, as shown in the figure. The password for each customized level is set with
the enable secret level level password command, as in the figure.

The syntax for the privilege command is as follows:

privilege mode {level level command | reset command}

Command   Description

mode      This specifies the configuration mode. See the list after this table for options for
          this argument.

level     (Optional) This keyword enables setting a privilege level for a specified command.

level     (Optional) This is the privilege level associated with a command. You can specify up
          to 16 privilege levels, using numbers 0 to 15.

command   (Optional) This is the command to which the privilege level is associated.

reset     (Optional) This keyword resets the privilege level of a command to its default.

command   (Optional) This is the command for which you want to reset the privilege level.

Use the router(config)# privilege ? command to see a complete list of router configuration
modes on your router. The following list contains some of the router configuration modes that
can be configured using the privilege command.
accept-dialin—virtual private dial-up network (VPDN) group accept dialin configuration
mode
accept-dialout—VPDN group accept dialout configuration mode
address-family—Address Family configuration mode
atm-bm-config—Asynchronous Transfer Mode (ATM) bundle member configuration mode
atm-bundle-config—ATM bundle configuration mode
atm-vc-config—ATM virtual circuit configuration mode
atmsig_e164_table_mode—ATMSIG E164 Table
cascustom—Channel-associated signaling (cas) custom configuration mode
configure—Global configuration mode
controller—Controller configuration mode
dhcp—DHCP pool configuration mode
dspfarm—Digital Signal Processor (DSP) farm configuration mode
exec—Exec mode
flow-cache—Flow aggregation cache configuration mode
interface—Interface configuration mode
interface-dlci—Frame Relay data-link connection identifier (DLCI) configuration mode
ip-vrf—Configure IP VPN routing/forwarding (VRF ) parameters
line—Line configuration mode
map-class—Map class configuration mode
map-list—Map list configuration mode
null-interface—Null interface configuration mode

preaut—AAA Preauth definitions
request-dialin—VPDN group request dialin configuration mode
request-dialout—VPDN group request dialout configuration mode
route-map—Route map configuration mode
router—Router configuration mode
tdm-conn—Time-division multiplexing (TDM) connection configuration mode
vc-class—Virtual circuit (VC) class configuration mode
vpdn-group—VPDN group configuration mode
rsvp_policy_local
alps-ascu—Airline product set (ALPS) agent-set control unit (ASCU) configuration mode
alps-circuit—ALPS circuit configuration mode
config-rtr-http—Response Time Reporter (RTR) HTTP raw request configuration
crypto-map—Crypto map config mode
crypto-transform—Crypto transform config mode
gateway—Gateway configuration mode
ipenacl—IP named extended access-list configuration mode
ipsnacl—IP named simple access-list configuration mode
lane—ATM LAN Emulation Configuration Server (LECS) configuration table
mpoa-client—Multiprotocol over ATM (MPOA) Client
mpoa-server—MPOA Server
rtr—RTR Entry Configuration
sg-radius—Remote Authentication Dial-In User Service (RADIUS) server group definition
sg-tacacs+—Terminal Access Controller Access Control System Plus (TACACS+) server
group
sip-ua—Session Initiation Protocol (SIP) user agent (UA) configuration mode
subscriber-policy—Subscriber policy configuration mode
tcl—Toolkit Command Language (TCL) mode
template—Template configuration mode
translation-rule—Translation rule configuration mode
voiceclass—Voice class configuration mode
voiceport—Voice configuration mode
voipdialpeer—Dial Peer configuration mode

Configuring Banner Messages
This topic describes how to secure administrative access to Cisco routers by configuring banner
messages.

Configuring Banner Messages

router(config)#
banner {exec | incoming | login | motd | slip-ppp} d message d

• Specifies what is "proper use" of the system
• Specifies that the system is being monitored
• Specifies that privacy should not be expected when using this system

Boston(config)# banner motd %
WARNING: You are connected to $(hostname) on
the Cisco Systems, Incorporated network.
Unauthorized access and use of this network
will be vigorously prosecuted. %

Banner messages should be used to warn would-be intruders that they are not welcome on your
network. Banners are very important especially from a legal perspective. Intruders have been
known to win court cases because they did not encounter appropriate warning messages when
accessing router networks. A banner is a legal notice, not an access control: it deters and
supports prosecution, but it stops nobody, so it complements rather than replaces the
password, timeout, and privilege controls in this lesson.

Choosing what to place in your banner messages is extremely important and should be
reviewed by legal counsel before placing them on your routers. Never use the word "welcome"
or any other familiar greeting that may be misconstrued as an invitation to use the network, and
do not reveal the router model, software version, or network layout, because the banner is shown
to everyone who connects, authenticated or not.

Banners are disabled by default and must be explicitly enabled by the administrator. As shown
in the figure, use the banner command from global configuration mode to specify appropriate
messages.

The syntax for the banner command is as follows:

banner {exec | incoming | login | motd | slip-ppp} d message d

Command Element   Description

banner exec       This command specifies and enables a message to be displayed when an EXEC
                  process is created on the router (an EXEC banner).

banner incoming   This command specifies and enables a banner to be displayed when there is
                  an incoming connection to a terminal line from a host on the network.

banner login      This command specifies and enables a customized banner to be displayed
                  before the username and password login prompts.

banner motd       This command specifies and enables a message-of-the-day (MOTD) banner.

banner slip-ppp   This command specifies and enables a banner to be displayed when a Serial
                  Line Interface Protocol (SLIP) or PPP connection is made.

d                 This represents the delimiting character of your choice (for example, a
                  pound sign [#]). You cannot use the delimiting character in the banner
                  message.

message           This represents message text. You can include tokens in the form $(token)
                  in the message text. Tokens are replaced with the corresponding
                  configuration variable.

The following list contains valid tokens for use within the message section of the banner
command.
$(hostname): Displays the hostname for the router
$(domain): Displays the domain name for the router
$(line): Displays the vty or tty (asynchronous) line number
$(line-desc): Displays the description attached to the line
Summary
This topic summarizes the key points discussed in this lesson.

Summary

• Administrative access for enterprise routers can be


secured in the following ways:
– Configuring router passwords
– Setting a login failure rate
– Setting timeouts
– Setting multiple privilege levels
– Configuring banner messages


Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which command is used to enter privileged or privileged-EXEC mode? (Source:


Configuring Router Passwords)

Q2) List the passwords that are, by default, shown as clear text (unencrypted) in the router
configuration. (Source: Configuring Router Passwords)

Q3) By default, Cisco router auxiliary ports do not require a password for remote
administrative access. (Source: Configuring router Passwords)
A) True
B) False
Q4) What is the default number of failed attempts and delay time before login can begin
again? (Source: Setting a Login Failure Rate)

Q5) What happens when the number of failed login attempts reaches the configured rate?
(Source: Setting a Login Failure Rate)

Q6) How long does an administrative interface stay active (and logged on) by default?
(Source: Setting Timeouts)

Q7) In the banner motd command, the motd stands for _____________________.
(Source: Configuring Banner Messages)

Q8) Which three of the following are recommended for mitigating electrical threats?
(Choose three.) (Source: Securing Cisco Router Installations)
A) Install backup generator systems for all router and switch devices.
B) Plan for regular UPS and generator testing.
C) Install UPS systems for mission- critical devices.
D) Use filtered power.
E) Install UPS systems on all devices.

Lesson Self-Check Answer Key
Q1) The enable command (the enable secret command sets the password that protects privileged-EXEC mode)

Q2) All Cisco router passwords are, by default, stored in clear text form except the enable secret password.

Q3) A

Q4) Ten login failures and a 15-second delay

Q5) A TOOMANY_AUTHFAILS event message is sent by the router to the configured syslog server and a set
time delay timer begins.

Q6) 10 minutes

Q7) MOTD specifies and enables a message-of-the-day (MOTD) banner.

Q8) B, C, D

Lesson 2

Configuring AAA for Cisco Routers

Overview
This lesson presents an introduction to implementing authentication, authorization and
accounting (AAA). To practice what you have learned, a hands-on lab exercise will follow the
lesson. In this lab exercise you will configure basic Cisco router authentication.

Objectives
Upon completing this lesson, you will be able to configure AAA implementation on a Cisco
router. This ability includes being able to meet these objectives:
Describe three ways that Cisco uses to implement AAA services for Cisco routers
Describe the methods of authentication that are used to provide remote access to a LAN
Describe the three general steps required to configure a Cisco perimeter router to perform
AAA using a local database for authentication
Configure AAA on Cisco perimeter routers using aaa commands
Troubleshoot AAA on a Cisco perimeter router using the debug aaa command
Introduction to AAA for Cisco Routers
This topic describes the three ways that Cisco uses to implement AAA services for Cisco
routers. AAA is used by router administrators and users who wish to access the corporate LAN
through dial-in or Internet connections.

AAA Model—Network Security Architecture

• Authentication
– Who are you?
– “I am user student and my password validateme proves it.”
• Authorization
– What can you do? What can you access?
– “User student can access host serverXYZ using Telnet.”
• Accounting
– What did you do? How long did you do it?
How often did you do it?
– “User student accessed host serverXYZ using Telnet for 15
minutes.”


AAA services provide a higher degree of scalability than the line-level and privileged-EXEC
authentication you have learned so far.

Unauthorized access in campus, dialup, and Internet environments creates the potential for
network intruders to gain access to sensitive network equipment and services. The Cisco AAA
architecture enables systematic and scalable access security.

Network and administrative access security in the Cisco environment, whether it involves
campus, dialup, or Internet access, is based on a modular architecture that has three functional
components: authentication, authorization, and accounting.
Authentication: Requires users and administrators to prove that they really are who they
say they are. Authentication is established using a username and password, challenge and
response, token cards, and other methods: “I am user student and my password validateme
proves it.”
Authorization: After authenticating the user or administrator, authorization services
decide which resources the user or administrator is allowed to access and which
operations the user or administrator is allowed to perform: “User student can access host
serverXYZ using Telnet.”
Accounting and auditing: Accounting records what the user or administrator actually
did, what they accessed, and how long they accessed it, for accounting and auditing
purposes. Accounting keeps track of how network resources are used: “User student
accessed host serverXYZ using Telnet for 15 minutes.”

Implementing Cisco AAA

[Figure: a remote dialup client reaches a network access server (NAS) over the PSTN/ISDN,
and a remote VPN client reaches a router over the Internet; the NAS console, the router, and
the corporate file server all rely on a Cisco Secure ACS for Windows Server or a Cisco Secure
ACS Solution Engine for AAA.]

• Administrative access—console, Telnet, and aux access
• Remote user network access—Dialup or VPN access

Cisco networking products support AAA access control using line passwords, a local security
database, or remote security server databases. A local security database is configured in the
router for a small group of network users using the username xyz password strongpassword
command (or, better, username xyz secret strongpassword, so that the stored credential is an
MD5 hash rather than a reversible type 7 string). A remote security database is a separate
server running an AAA security protocol, providing AAA services for multiple network devices
and large numbers of network users.

Cisco provides three ways of implementing AAA services for Cisco routers, network access
servers (NASs), and switch equipment, as shown in the figure:
Self-contained AAA: AAA services may be self-contained in the router or NAS itself (also
known as local authentication).
Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an
external Cisco Secure Access Control Server (ACS) for Windows system for user and
administrator authentication.
Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an
external Cisco Secure ACS Solution Engine for user and administrator authentication.

Authenticate to a LAN
This topic describes the authentication methods that are used to provide remote access to a
LAN.

Implementing Authentication Using Local Services

[Figure: a remote client connects to a perimeter router; steps 1 to 3 take place between the
client and the router alone.]

1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is
authorized to access the network based on information in the local database.


If you have one or two NASs or routers providing access to your network for a limited number
of users, you may store username and password security information locally on the Cisco NASs
or routers. This is referred to as local authentication on a local security database. Local
authentication characteristics are as follows:
Used for small networks
Username and password are stored in the Cisco router
User authenticates against the local security database in the Cisco router
Does not require an external database

The system administrator must populate the local security database by specifying username
profiles for each user that might log in.

The figure shows how local authentication typically works.

Implementing Authentication Using External Servers

[Figure: a remote client connects to a perimeter router, which in turn queries a Cisco Secure
ACS for Windows Server or a Cisco Secure ACS Solution Engine.]

1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router
(administrative access) or the network based on information found in the Cisco Secure ACS
database.


The problem with local implementations of AAA is that they do not scale well. Most corporate
environments have multiple Cisco routers and NASs with multiple router administrators and
hundreds or thousands of users needing access to the corporate LAN. Maintaining a separate
local database on each Cisco router and NAS for a network of this size is not feasible, and
every copy of the database is one more place where the credentials can be read.

One or more Cisco Secure ACS systems (server or engine) can manage the entire user and
administrative access needs for an entire corporate network using one or more databases.

External AAA systems, such as the Cisco Secure ACS for Windows or Cisco Secure ACS
Solution Engine, communicate with Cisco routers and NASs using the Terminal Access
Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User
Service (RADIUS) protocols to implement AAA functions. Both protocols rely on a shared
secret configured on the router and on the server; that secret deserves the same care as the
enable secret, because anyone who learns it can decode or forge AAA traffic.

The TACACS+ and RADIUS AAA Protocols

[Figure: a Cisco Secure ACS security server communicates with a router, a firewall, and a
network access server, using TACACS+ or RADIUS.]

• Two different protocols are used to communicate between the AAA security servers and
authenticating devices.
• Cisco Secure ACS supports both TACACS+ and RADIUS:
– TACACS+ remains more secure than RADIUS: it encrypts the entire packet body and
separates authentication from authorization, so administrators can be authorized command
by command.
– RADIUS has a robust API and strong accounting, but hides only the user password;
usernames and other attributes cross the network in clear text.


TACACS+ and RADIUS are the two predominant security server protocols used by Cisco
firewalls, routers, and NASs for AAA. Cisco developed the Cisco Secure ACS Family of AAA
servers to support both TACACS+ and RADIUS.

The Cisco Secure ACS Family is a comprehensive and flexible platform for securing access to
the network. Cisco Secure ACS secures network access for the following:
Dialup access via Cisco access servers and routers
Router and switch console, auxiliary, and vty port administrative and network access
Cisco PIX Security Appliance access
Cisco Virtual Private Network (VPN) 3000 Series Concentrators (RADIUS only)

Cisco Secure ACS works closely with the NAS, router, VPN 3000 Concentrator, and PIX
Security Appliance to implement a comprehensive security policy via the AAA architecture.
Cisco Secure ACS also works with industry-leading token cards and servers.

The Cisco Secure ACS for Windows Server is easily managed via standard browsers, which
enables simple moves, adds, and changes to usernames, passwords, and network devices. Cisco
Secure ACS is implemented on Microsoft Windows 2000 Server platforms.

The Cisco Secure ACS Solution Engine performs many of the same functions as the Cisco
Secure ACS for Windows Server products, but in a single rack-unit (RU) mounted, dedicated
hardware platform.
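The difference between the two protocols summarized in the figure (TACACS+ encrypts the entire packet body, RADIUS hides only the User-Password attribute) comes down to two MD5-based constructions. The following Python code is an added example rather than anything from the course or from Cisco: it implements the RFC 2865 password hiding and the RFC 8907 body obfuscation as the RFCs define them, and then asks what a sniffer on the NAS-to-ACS link would see of the lesson's "student" and "validateme" credentials. The shared secret, the session ID, and the simplified TACACS+ body layout are constructed for the demonstration; a real TACACS+ authentication START body carries additional header fields.

```python
import hashlib
import os


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: only the User-Password attribute is hidden, by XOR with
    MD5 pads chained from the shared secret and the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block                      # the next pad chains on the previous ciphertext block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the ACS (or anyone holding the shared secret and a captured packet) computes."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def tacacs_obfuscate(body: bytes, key: bytes, session_id: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: the whole packet body is XORed with a pad stream where
    pad_1 = MD5(session_id, key, version, seq_no) and pad_i = MD5(..., pad_i-1).
    XOR is its own inverse, so the same call both obfuscates and reveals."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def build_radius_attrs(user: bytes, hidden_pw: bytes) -> bytes:
    """Type-length-value encoding of User-Name (type 1) and User-Password (type 2)."""
    return bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden_pw)]) + hidden_pw


def sniffer_view(user: bytes = b"student", password: bytes = b"validateme",
                 secret: bytes = b"cisco123") -> dict:
    """Which credentials a capture of the NAS-to-ACS link exposes (constructed values)."""
    authenticator = os.urandom(16)
    radius_wire = build_radius_attrs(user, radius_hide_password(password, secret, authenticator))
    # Simplified TACACS+ authentication START body: action, priv_lvl, authen_type, service,
    # then the user and data lengths, then the fields themselves (port and rem_addr omitted).
    start_body = b"\x01\x01\x02\x01" + bytes([len(user), 0, 0, len(password)]) + user + password
    tacacs_wire = tacacs_obfuscate(start_body, secret, os.urandom(4), 0xC0, 1)
    return {
        "radius_username_visible": user in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": user in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }


if __name__ == "__main__":
    for item, exposed in sniffer_view().items():
        print(f"{item}: {exposed}")
```

Note that both constructions derive all of their strength from the shared secret and from MD5; neither provides integrity for the full packet, which is why the link between the router and the ACS still belongs on a protected management network.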

Authentication Methods and Ease of Use

[Figure: authentication methods ranked from strongest (lowest ease of use) to weakest (highest
ease of use):]
Strongest
Token cards or soft tokens using OTPs
S/Key (OTP for terminal login)
Username and password (aging)
Username and password (static)
No username or password
Weak

The most common method of user authentication is the use of usernames and passwords. These
methods range from weak to strong in authentication security. Simple authentication methods
use a database of usernames and passwords, while methods that are more complex use one-time
passwords (OTPs). Consider each of the methods listed in the figure from the bottom of the list
up:
No username or password: Some system administrators and users decide not to use the
username and password capabilities of their access devices. This is the least secure option.
A network intruder only has to discover the access method to gain access to the networked
system.
Username and password (static): Stays the same until changed by the system
administrator or user. Susceptible to playback attacks, eavesdropping, theft, and password
cracking programs.
Username and password (aging): Expires after a set time (usually 30 to 60 days) and
must be reset, usually by the user, before network access is granted. Susceptible to
playback attacks, eavesdropping, theft, and password cracking, but to a lesser degree than
static username and password pairs, because a captured password has a limited lifetime.
OTPs: A stronger method that provides the most secure username and password
authentication. Most OTP systems are based on a “secret pass-phrase,” which is used to
generate a list of passwords. Each password is good for one login only and is therefore of no
use to anyone who manages to eavesdrop and capture it. S/KEY is an OTP method developed
and trademarked by Bellcore, and is typically used for terminal logins. In S/KEY, the secret
pass-phrase is used to generate the first password, and each successive password is
generated from the previous one by running it through a one-way hash. The passwords are then
used in the reverse order of their generation, so that knowing a password that has already been
used does not reveal the next one. A list of passwords is generated by the S/KEY software and
is distributed to users.
Token cards and soft tokens: Based on something you have (token card) and something
you know (token card personal identification number [PIN]). Token cards are typically
small electronic devices about the size and complexity of a credit card-sized calculator.
There are many token card vendors, and each has its own token card server. The PIN is
placed (manually or automatically generated) into the card, which generates a secure
password. A token server receives and validates the password. The password interplay
usually consists of a remote client computer, a NAS, and a security server running token
security software.

The authentication method should be chosen and implemented based on the guidelines
established in the network security policy.
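The S/KEY chain described here, and again under Authentication—One-Time Passwords and S/KEY below, is short enough to implement end to end. The following Python model is an added example, not from the course and not Bellcore's S/KEY software: it builds the hash chain from the pass-phrase and seed, stores only the last value on the server, accepts passwords in reverse order of generation, and rejects replays and exhausted chains. It simplifies the real scheme by keeping MD5's full 16-byte digest instead of S/KEY's 64-bit fold and six-word encoding; the pass-phrase and seed are constructed.

```python
import hashlib
import hmac


def skey_step(value: bytes) -> bytes:
    """One link of the one-way chain. Real S/KEY folds the MD4 or MD5 digest to 64 bits and
    prints it as six short words; this example keeps the full 16-byte MD5 digest."""
    return hashlib.md5(value).digest()


def skey_generate(passphrase: str, seed: str, count: int) -> list:
    """Return the chain [h(s), h(h(s)), ..., h^count(s)] with s = seed + passphrase.
    The entries are spent from the end of the list backwards; the last entry is the
    only thing the server needs at enrollment."""
    value = (seed + passphrase).encode()
    chain = []
    for _ in range(count):
        value = skey_step(value)
        chain.append(value)
    return chain


class SKeyServer:
    """Stores one verifier per user: the most recently accepted password."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial      # h^count(s), handed over once when the user enrolls
        self.sequence = count      # chain position of the stored value

    def login(self, otp: bytes) -> bool:
        if self.sequence <= 1:     # chain exhausted: the user must re-enroll with a new seed
            return False
        if hmac.compare_digest(skey_step(otp), self.stored):
            self.stored = otp      # the accepted value becomes the verifier for the next login
            self.sequence -= 1
            return True
        return False


def demo() -> list:
    """Walk one user through a five-entry chain; returns the accept/reject decisions."""
    chain = skey_generate("correct horse battery", "bo12345", 5)   # constructed credentials
    server = SKeyServer(chain[-1], 5)
    return [
        server.login(chain[3]),    # h^4: accepted, because h(h^4) equals the stored h^5
        server.login(chain[3]),    # replay of the captured h^4: rejected
        server.login(chain[4]),    # the old verifier h^5 itself: rejected
        server.login(chain[2]),    # h^3: accepted
        server.login(chain[1]),    # h^2: accepted
        server.login(chain[0]),    # h^1: accepted, chain now exhausted
        server.login(chain[0]),    # nothing left to spend: rejected
    ]
```

The server never holds anything an eavesdropper could turn into the next password: inverting skey_step is exactly the one-way property the scheme depends on, which is why the passwords can travel in clear text.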

Authentication—Remote PC Username and
Password

Windows dialup networking


connection: username and
password fields

Security
Network Server
Access Server

PSTN or ISDN
Windows
Remote PC
Username and password (TCP/IP PPP)

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—2-9

An example of dialup authentication using username and password authentication is shown in the figure. On the client end, a Windows dialup networking connection prompts the user for their username and password. This information is sent for authentication over communication lines using TCP/IP and PPP to a remote NAS or a security server. As a matter of policy, do not allow users to check the Save password check box.


Authentication—One-Time Passwords and S/KEY

• List of one-time passwords
• Generated by S/KEY program hash function
• Sent in clear text over network
• Server must support S/KEY

[Figure: the S/KEY program on the workstation generates the list of S/KEY passwords; one S/KEY password is sent in clear text across the network to a security server that supports S/KEY.]

Remote logins can allow passwords to be sent as clear text over networks. An eavesdropper
could capture passwords and use them to gain unauthorized access to systems. One way to
create passwords that can be safely sent over remote connections is to do what S/KEY does and
use a one-way hashing algorithm to create an OTP scheme.

S/KEY uses either Message Digest 4 (MD4) or MD5 (one-way hashing algorithms developed
by Ron Rivest) to create an OTP system. In this system, passwords are sent as clear text over
the network; however, after a password has been used, it is no longer useful to the
eavesdropper. The main advantage of S/KEY is that it protects against eavesdroppers without
modification of client software and imposes only marginal inconvenience to the users.

The S/KEY system involves three main pieces: the client, the host, and a password calculator.
The client is responsible for providing the login shell to the user. The shell does not contain any
persistent storage for password information. The host is responsible for processing the user
login request. The host stores the current OTP as well as the login sequence number in a file
and is responsible for providing the client with a seed value. The password calculator is a one-
way hashing function that creates an irreversible password. The network protocol between the
client and the host is completely independent of the scheme. Cisco Secure ACS supports
S/KEY authentication.
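The following Python is an added illustration of the three S/KEY pieces just described, not code from the course or from any S/KEY implementation: the host keeps only the sequence number and the last accepted OTP, the password calculator recomputes the next OTP from the pass-phrase, and every login is checked by hashing the presented password once. The MD5 digest is folded to 64 bits by XORing its halves as RFC 2289 does for the MD5 variant; the six-word encoding of the real protocol is left out, and the seed and pass-phrase are constructed values.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One S/KEY step: MD5 the input and fold the 16-byte digest to 8 bytes
    by XORing its two halves (the MD5 variant of RFC 2289)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_chain(seed: str, passphrase: str, count: int) -> list:
    """Return [OTP_0, ..., OTP_count]: OTP_0 = fold(seed + pass-phrase),
    OTP_i = fold(OTP_{i-1}). Each value derives from the previous one;
    nothing derives the previous value from the next."""
    otp = fold_md5((seed + passphrase).encode())
    chain = [otp]
    for _ in range(count):
        otp = fold_md5(otp)
        chain.append(otp)
    return chain


def password_calculator(seed: str, passphrase: str, seq: int) -> bytes:
    """Client side: recompute OTP_seq for the host's challenge (seq, seed).
    The pass-phrase never leaves the calculator."""
    return otp_chain(seed, passphrase, seq)[-1]


class SKeyHost:
    """Host side: stores the seed, the sequence number and the last OTP
    that was accepted. It never stores the pass-phrase."""

    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed = seed
        self.seq = seq
        self.last_otp = last_otp

    def challenge(self) -> tuple:
        """What the host sends: the sequence number the client must present
        next, and the seed."""
        return self.seq - 1, self.seed

    def verify(self, presented: bytes) -> bool:
        """Accept only if hashing the presented OTP once yields the stored OTP.
        A captured password is useless afterwards: the host now expects the
        value one step earlier in the chain, which cannot be computed from
        the captured one."""
        if self.seq <= 0 or fold_md5(presented) != self.last_otp:
            return False
        self.last_otp = presented
        self.seq -= 1
        return True


def demo() -> tuple:
    """Constructed seed and pass-phrase; returns the outcome of four logins."""
    seed, passphrase, count = "ks14", "correct horse battery staple", 100
    # Enrolment: the calculator produces OTP_100 and the host stores it.
    host = SKeyHost(seed, count, otp_chain(seed, passphrase, count)[-1])

    seq, s = host.challenge()                       # host asks for OTP_99
    otp99 = password_calculator(s, passphrase, seq)
    first_login = host.verify(otp99)                # True

    replay = host.verify(otp99)                     # eavesdropper replays it: False

    seq, s = host.challenge()                       # host now asks for OTP_98
    next_login = host.verify(password_calculator(s, passphrase, seq))  # True

    seq, s = host.challenge()
    wrong_phrase = host.verify(password_calculator(s, "wrong phrase", seq))  # False
    return first_login, replay, next_login, wrong_phrase


if __name__ == "__main__":
    print(demo())
```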

Authentication—Token Cards and Servers

[Figure: four numbered steps (1 to 4) trace the OTP from the user's token card, through the remote client and the network, to the Cisco Secure ACS token server.]

Another OTP authentication method that adds a new layer of security is accomplished with a
token card (or smart card) and a token server. Each token card, about the size of a credit card, is
programmed to a specific user and each user has a unique PIN that can generate a password
keyed strictly to the corresponding card. OTP authentication takes place between the specified
token server with a token card database and the user.

Token cards and servers generally work as shown in the figure and as described in the
following steps:

Step 1 The user generates an OTP with the token card that uses a security algorithm.

Step 2 The user enters the OTP into the authentication screen generated by the remote
client (in this example the Windows Dial-Up Networking screen).

Step 3 The remote client sends the OTP to the token server via the network and an
authenticating device, either directly or through the AAA server.
Step 4 The token server uses the same algorithm to verify that the password is correct and
authenticates the remote user.

Two token card and server methods are used:

• Time-based: In this system, the token card contains a cryptographic key and generates a password (or token) using a PIN entered by the user. The password is entered into the remote client, which sends it to the token server. The password is loosely synchronized in time to the token server. The server compares the token received to a token generated internally. If they match, the user is authenticated and allowed access.

• Challenge-response: In this system, the token card stores a cryptographic key. The token server generates a random string of digits and sends it to the remote client that is trying to access the network. The remote user enters the random string, and the token card computes a cryptographic function using the stored key and random string. The result is sent back to the token server, which has also computed the function. If the results match, the user is authenticated.

Token cards are now implemented in software for installation on the remote client. SofToken,
which generates single-use passwords without the associated cost of a hardware token, is one
example of software token cards.

AAA Example—Authentication via PPP Link

[Figure: a client running TCP/IP and PPP connects over the PSTN or ISDN to a network access server; PPP runs end to end across the link.]

• PAP—Password Authentication Protocol
  – Clear text, repeated password
  – Subject to eavesdropping and replay attacks
• CHAP—Challenge Handshake Authentication Protocol
  – Secret password, per remote user
  – Challenge sent on link (random number)
  – Challenge can be repeated periodically to prevent session hijacking
  – The CHAP response is an MD5 hash of (challenge + secret) that provides authentication
  – Robust against sniffing and replay attacks
• MS-CHAP—Microsoft CHAP v1 (supported in Cisco IOS Software Release 11.3 and later) and v1 or v2 (supported in Cisco IOS Software Release 12.2 and later)

An important component to consider in remote access security is support for authentication accomplished with Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). PPP is a standard encapsulation protocol for the transport of different network-layer protocols (including, but not limited to, IP) across serial point-to-point links. PPP enables authentication between remote clients and servers using PAP, CHAP, or MS-CHAP.

PAP provides a simple method for the remote client to establish its identity using a two-way
handshake. The handshake is done only after initial PPP link establishment. After the link
establishment phase is complete, a username and password pair is repeatedly sent in clear text
by the peer to the authenticator until authentication is acknowledged or the connection is
terminated.

CHAP is used to periodically verify the identity of the peer using a three-way handshake. The
handshake is done upon initial link establishment, and may be repeated anytime after the link
has been established.

CHAP provides protection against playback attack by the peer using an incrementally changing
identifier and a variable challenge value. The use of repeated challenges is intended to limit the
time of exposure to any single attack. The authenticator is in control of the frequency and
timing of the challenges.

This authentication method depends upon a “secret” known only to the authenticator and that
remote client. The secret is not sent over the link. Although the authentication is only one-way,
by negotiating CHAP in both directions the same secret set may easily be used for mutual
authentication.

CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password
databases commonly available (such as the Windows 2000 SAM hive) cannot be used.
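As an added example (not code from the course), the following Python walks the CHAP three-way handshake described above, with the hash input ordered as RFC 1994 specifies (identifier, secret, challenge): the authenticator issues a random challenge under an incrementing identifier, the peer answers with the MD5 response, and each challenge is consumed on use so that a captured response cannot be replayed. The peer name and shared secret are constructed values, and the authenticator holds the secret in plaintext, which is the constraint the paragraph above notes.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge.
    Both peers compute this; the secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """NAS side of CHAP. It must hold each peer's secret in plaintext, which
    is why a one-way-hashed password store cannot back CHAP."""

    def __init__(self, peer_secrets: dict):
        self._secrets = peer_secrets      # name -> plaintext secret (constructed)
        self._identifier = 0
        self._outstanding = {}            # identifier -> challenge awaiting a response

    def issue_challenge(self) -> tuple:
        """Send a fresh random challenge under an incrementing identifier.
        Repeating this periodically re-verifies the peer mid-session."""
        self._identifier = (self._identifier + 1) & 0xFF
        challenge = secrets.token_bytes(16)
        self._outstanding[self._identifier] = challenge
        return self._identifier, challenge

    def check_response(self, identifier: int, name: str, response: bytes) -> bool:
        """Verify a Response packet. Each challenge is consumed on first use,
        so a captured response cannot be replayed against a later challenge."""
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> tuple:
    """Constructed peer and secret; returns (genuine, replayed, wrong_secret)."""
    shared = b"s3cr3t-shared"
    nas = ChapAuthenticator({"rtr-branch1": shared})

    # Three-way handshake: Challenge -> Response -> Success/Failure.
    ident, challenge = nas.issue_challenge()
    response = chap_response(ident, shared, challenge)              # computed by the peer
    genuine = nas.check_response(ident, "rtr-branch1", response)    # True

    # An eavesdropper who captured `response` replays it against the next challenge.
    ident2, _ = nas.issue_challenge()
    replayed = nas.check_response(ident2, "rtr-branch1", response)  # False

    # A peer that does not know the secret cannot produce a valid response.
    ident3, challenge3 = nas.issue_challenge()
    wrong = nas.check_response(ident3, "rtr-branch1",
                               chap_response(ident3, b"guess", challenge3))  # False
    return genuine, replayed, wrong


if __name__ == "__main__":
    print(demo())
```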

MS-CHAP is the Microsoft version of CHAP. MS-CHAP is an extension of the CHAP described in RFC 1994. MS-CHAP enables PPP authentication between a PC using Microsoft Windows and an NAS. PPP authentication using MS-CHAP can be used with or without AAA security services.

MS-CHAP differs from standard CHAP as follows:

• MS-CHAP is enabled while the remote client and the NAS negotiate PPP parameters after link establishment.
• The MS-CHAP response packet is in a format designed for compatibility with Microsoft Windows networking products.
• MS-CHAP enables the network security server (authenticator) to control retry and password-changing mechanisms. MS-CHAP allows the remote client to change the MS-CHAP password.
• MS-CHAP defines a set of reason-for-failure codes returned to the remote client by the NAS.

The ppp authentication ms-chap command used in Cisco IOS Software Release 11.3 and later
allows Cisco routers to define MS-CHAP authentication.

Authenticate Router Access

This topic describes the three general steps that are required to configure a Cisco router to perform AAA using a local database for authentication.

Authenticating Router Access

[Figure: a router reached from a LAN-attached Telnet host and from its console port illustrates remote administrative access; a remote router and remote LAN reached across the Internet illustrate remote network access.]

It is important that you secure the interfaces of all your routers, particularly your network
access servers and Internet routers.

You must configure the router to secure administrative access and remote LAN network access
using AAA commands. The router access modes, port types, and AAA command elements are
compared in the “Router Access” table.

Router Access

Access Type                    Modes                        Network Access Server Ports        AAA Command Element
Remote administrative access   Character (line/exec mode)   TTY, vty, AUX, and console         login, exec, nasi connection, arap, and enable commands
Remote network access          Packet (interface mode)      async, group-async, BRI, and PRI   ppp, network, and arap commands


Router Local Authentication Configuration Process

The following are the general steps required to configure a Cisco router for local authentication:
• Secure access to privileged-EXEC mode.
• Enable AAA globally on the perimeter router with the aaa new-model command.
• Configure AAA authentication lists.
• Configure AAA authorization for use after the user has passed authentication.
• Configure the AAA accounting options for how you want to write accounting records.
• Verify the configuration.

The following are the three general steps required to configure the router for AAA:

Step 1 Secure access to privileged-EXEC and configuration mode on vty, asynchronous, auxiliary, and TTY ports.

Step 2 Enable AAA globally on the router.

Step 3 Configure AAA on the router.

Configure AAA on Cisco Routers

This topic describes how to configure AAA on a Cisco peripheral router using aaa commands.

Enable AAA Globally Using the aaa new-model Command

router(config)# aaa new-model

router(config)# aaa new-model

• Establishes AAA section in configuration file

router(config)# username username password password

router(config)# username Joe106 password 1MugOJava

• Helps prevent administrative access lockout while configuring AAA

The first step to configure a NAS or router to use the AAA process is to establish an AAA topic
in the configuration file using the aaa new-model command.

The aaa new-model command forces the router to override every other authentication method
previously configured for the router lines. If an administrative Telnet or console session is lost
while enabling AAA on a Cisco router, and no local AAA user authentication account and
method exists, the administrator will be locked out of the router. Therefore, it is important that
you configure a local database account, as shown in the figure.

Caution When using the Cisco IOS Software aaa new-model command, always provide for a local
login method. This provision guards against the risk of being locked out of a router should
the administrative session fail while you are in the process of enabling AAA.

At a minimum, the following commands should be entered in the following order:

1. Router(config)# aaa new-model

2. Router(config)# username username password password

3. Router(config)# aaa authentication login default local

Specifying the "local" authentication method enables you to re-establish your Telnet or console session and use the locally defined authentication list to access the router. If you fail to do this, and you become locked out of the router, physical access to the router is required (console session), with a minimum of having to perform a password recovery sequence. At worst, the entire configuration saved in non-volatile random-access memory (NVRAM) can be lost.

aaa authentication Commands

router(config)#
  aaa authentication arap
  aaa authentication banner
  aaa authentication enable default
  aaa authentication fail-message
  aaa authentication login
  aaa authentication password-prompt
  aaa authentication ppp
  aaa authentication username-prompt

• These aaa authentication commands are available in Cisco IOS Software Releases 12.2 and later.
• Each of these commands has its own syntax and options (methods).

The figure contains a complete listing of aaa authentication commands for Cisco IOS Software Release 12.2 and later. It is important that you learn the following three commands and how to implement them in an AAA environment:

• The aaa authentication login command
• The aaa authentication ppp command
• The aaa authentication enable default command

After enabling AAA globally on the access server, you need to define the authentication method lists and apply them to lines and interfaces. These authentication method lists are security profiles that indicate the service (PPP, AppleTalk Remote Access Protocol [ARAP], NetWare Access Server Interface [NASI], or login) and the authentication method (local, TACACS+, RADIUS, line, or enable authentication). Up to four authentication methods may be applied to a line or interface. A good security practice is to have either local or enable authentication as a last resort method, so that you can recover from a severed link to the chosen method server.

Complete the following steps to define an authentication method list using the aaa authentication command:

Step 1 Specify the service (PPP, ARAP, or NASI) or login authentication.

Step 2 Identify a list name or use default. A list name is any alphanumeric string you choose. You assign different authentication methods to different named lists. You can specify only one dial-in protocol per authentication method list. However, you can create multiple authentication method lists with each of these options. You must give each list a different name.

Step 3 Specify the authentication method and how the router should handle requests when one of the methods is not operating (the AAA server is down). You can specify up to four methods for AAA to try before stopping the authentication process.

Step 4 After defining these authentication method lists, apply them to each of the following:
• Lines—TTY, vty, console, aux, and async lines or the console port for login and asynchronous lines (in most cases) for AppleTalk Remote Access (ARA)
• Interfaces—Interfaces sync, async, and virtual configured for PPP, Serial Line Interface Protocol (SLIP), NASI or ARAP

Step 5 Use the aaa authentication command in global configuration mode to enable the AAA authentication processes.

aaa authentication login Command

router(config)# aaa authentication login {default | list-name} method1 [method2...]

router(config)# aaa authentication login default enable
router(config)# aaa authentication login console-in local
router(config)# aaa authentication login tty-in line

To set AAA authentication at login use the aaa authentication login command in global
configuration mode, as shown in this figure.

The following is the syntax for the aaa authentication login command:

aaa authentication login {default | list-name} method1 [method2. . .]

Command Element   Description

default           Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in

list-name         Character string used to name the list of authentication methods activated when a user logs in

method            Specifies at least one of the following keywords:
                  enable: Uses the enable password for authentication
                  krb5: Uses Kerberos 5 for authentication
                  krb5-telnet: Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router
                  line: Uses the line password for authentication
                  local: Uses the local username database for authentication
                  local-case: Uses case-sensitive local username authentication
                  none: Uses no authentication
                  group radius: Uses the list of all RADIUS servers for authentication
                  group tacacs+: Uses the list of all TACACS+ servers for authentication
                  group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands


aaa authentication ppp Command

router(config)# aaa authentication ppp {default | list-name} method1 [method2...]

router(config)# aaa authen ppp default local
router(config)# aaa authen ppp dial-in local none

To specify one or more AAA authentication methods for use on serial interfaces running PPP,
use the aaa authentication ppp command in global configuration mode, as shown in the
figure.

The following is the syntax for the aaa authentication ppp command:

aaa authentication ppp {default | list-name} method1 [method2. . . ]

Command Element   Description

default           Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in

list-name         Character string used to name the list of authentication methods activated when a user logs in

method            Specifies at least one of the following keywords:
                  if-needed: Does not authenticate if the user has already been authenticated on a TTY line
                  krb5: Uses Kerberos 5 for authentication (can only be used for PAP authentication)
                  local: Uses the local username database for authentication
                  local-case: Uses case-sensitive local username authentication
                  none: Uses no authentication
                  group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands
aaa authentication enable default Command

router(config)# aaa authentication enable default method1 [method2...]

router(config)# aaa authentication enable default group tacacs+ enable none

Use the aaa authentication enable default command in global configuration mode, as shown
in this figure, to enable AAA authentication to determine if a user can access the privileged
command level.

The following is the syntax for the aaa authentication enable default command:

aaa authentication enable default method1 [method2. . . ]

The example in the figure creates an authentication list that first tries to contact a TACACS+
server. If no server can be found, AAA tries to use the enable password. If this attempt also
returns an error (because no enable password is configured on the server), the user is allowed
access with no authentication.
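The following Python is an added model (not Cisco IOS code) of how a method list is walked, illustrating both the steps above and the figure's example: a method that answers pass or fail ends the evaluation, and only an error (no TACACS+ server reachable, no enable password configured) moves AAA on to the next method. It runs the figure's group tacacs+ / enable / none list and a tacacs+ / local list against constructed credentials; the error-versus-fail behaviour of each real IOS method is simplified here.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"     # credentials accepted; evaluation stops
    FAIL = "fail"     # credentials rejected; evaluation stops
    ERROR = "error"   # method could not be consulted; try the next method


def method_tacacs(ctx: dict) -> Result:
    """group tacacs+: ERROR if no server answers, otherwise the server's verdict."""
    if not ctx.get("tacacs_reachable"):
        return Result.ERROR
    ok = ctx["tacacs_users"].get(ctx["username"]) == ctx["password"]
    return Result.PASS if ok else Result.FAIL


def method_enable(ctx: dict) -> Result:
    """enable: ERROR when no enable password is configured, as the text notes."""
    secret = ctx.get("enable_secret")
    if secret is None:
        return Result.ERROR
    return Result.PASS if ctx["password"] == secret else Result.FAIL


def method_local(ctx: dict) -> Result:
    """local: ERROR when the local username database is empty (simplified)."""
    users = ctx.get("local_users") or {}
    if not users:
        return Result.ERROR
    return Result.PASS if users.get(ctx["username"]) == ctx["password"] else Result.FAIL


def method_none(ctx: dict) -> Result:
    """none: always succeeds, so an outage of the earlier methods becomes open access."""
    return Result.PASS


METHODS = {
    "group tacacs+": method_tacacs,
    "enable": method_enable,
    "local": method_local,
    "none": method_none,
}


def evaluate_method_list(methods: list, ctx: dict) -> tuple:
    """Walk the list in order and return (verdict, deciding method)."""
    for name in methods:
        verdict = METHODS[name](ctx)
        if verdict is not Result.ERROR:
            return verdict, name
    return Result.ERROR, None          # every method errored: access is denied


def open_fallback(methods: list) -> bool:
    """Audit helper: True when a list can grant access with no authentication."""
    return "none" in methods


def demo() -> tuple:
    figure_list = ["group tacacs+", "enable", "none"]      # the figure's example list
    base = {"username": "admin", "password": "R1ght!", "tacacs_users": {"admin": "R1ght!"}}

    # TACACS+ down and no enable password: both error, so `none` admits the user.
    outage = evaluate_method_list(figure_list, {**base, "tacacs_reachable": False})

    # TACACS+ down but an enable password exists: a wrong password FAILS at `enable`;
    # `none` is never reached.
    wrong_enable = evaluate_method_list(
        figure_list, {**base, "tacacs_reachable": False,
                      "enable_secret": "En@ble1", "password": "bad"})

    # TACACS+ up and rejecting: FAIL stops the list even though `local` would accept.
    rejected = evaluate_method_list(
        ["group tacacs+", "local"],
        {**base, "tacacs_reachable": True, "password": "bad", "local_users": {"admin": "bad"}})

    # TACACS+ down, local database present: the last-resort `local` method decides.
    local_ok = evaluate_method_list(
        ["group tacacs+", "local"],
        {**base, "tacacs_reachable": False, "local_users": {"admin": "R1ght!"}})
    return outage, wrong_enable, rejected, local_ok


if __name__ == "__main__":
    for verdict, method in demo():
        print(verdict.value, "via", method)
```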

Refer to the “AAA Authentication Method Table” for a full description of the method
command element.

AAA Authentication Method Command Element

Command Element   Description

method            Specifies at least one of the following keywords:
                  enable: Uses the enable password for authentication
                  line: Uses the line password for authentication
                  none: Uses no authentication
                  group radius: Uses the list of all RADIUS servers for authentication
                  group tacacs+: Uses the list of all TACACS+ servers for authentication
                  group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands
Apply Authentication Commands to Lines and Interfaces

router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in

• Authentication commands can be applied to lines or interfaces.

Note: It is recommended that you always define a default list for AAA to provide "last resort" authentication on all lines and interfaces protected by AAA.

As shown in the figure, authentication commands can be applied to router lines and interfaces.

The following is a brief explanation of the examples shown in the figure:

• line console 0: Enters line console configuration mode
• login authentication console-in: Uses the list named console-in for login authentication on console port 0
• int s3/0: Specifies port 0 of serial interface slot number 3
• ppp authentication chap dial-in: Uses the list named dial-in for PPP CHAP authentication on interface s3/0

aaa authorization Command

router(config)# aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

router(config)# aaa authorization commands 1 alpha local
router(config)# aaa authorization commands 15 bravo local
router(config)# aaa authorization network charlie local none
router(config)# aaa authorization exec delta if-authenticated

Use the aaa authorization command in global configuration mode, as shown in the figure, to
set parameters that restrict administrative exec access to the routers or user access to the
network.

The following is the syntax for the aaa authorization command:

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2. . .]

Refer to the “AAA Authorization Command Table” for a full description of the command
syntax.

AAA Authorization Command Syntax

Command Element   Description

network           Runs authorization for all network-related service requests, including SLIP, PPP, PPP Network Control Protocols (NCPs), and ARA

exec              Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.

commands          Runs authorization for all commands at the specified privilege level

level             The specific command level that should be authorized. Valid entries are 0 to 15.

reverse-access    Runs authorization for reverse access connections, such as reverse Telnet

configuration     Downloads the configuration from the AAA server

default           Uses the listed authentication methods that follow this argument as the default list of methods for authorization

list-name         Character string used to name the list of authorization methods

method            Specifies at least one of the following keywords:
                  group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands
                  if-authenticated: Allows the user to access the requested function if the user is authenticated
                  krb5-instance: Uses the instance defined by the kerberos instance map command
                  local: Uses the local database for authorization
                  none: No authorization is performed

There is a provision for naming the authorization list after specifying the service just like there
is for naming an authentication list. Also the list of methods is not limited to a single method,
but may have up to four failing over methods listed, similar to what the aaa authentication
command provides.

Named authorization lists allow you to define different methods for authorization and
accounting and apply those methods on a per-interface or per-line basis.

A brief explanation of the examples is as follows:

• aaa authorization commands 1 alpha local: Uses the local user name database to authorize the use of all level 1 commands for the alpha list.
• aaa authorization commands 15 bravo local: Uses the local database to authorize the use of all level 15 commands for the bravo list.
• aaa authorization network charlie local none: Uses the local database to authorize the use of all network services such as SLIP, PPP, and ARAP for the charlie list. If the local server is not available, this command performs no authorization, and the user can use all network services.
• aaa authorization exec delta if-authenticated: Lets the user run the exec process if the user is already authenticated.

aaa accounting Command

router(config)# aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname

router(config)# aaa accounting commands 15 default stop-only group tacacs+

router(config)# aaa new-model
router(config)# aaa authentication login default group tacacs+
router(config)# aaa authorization auth-proxy default group tacacs+
router(config)# aaa accounting auth-proxy default start-stop group tacacs+

To enable AAA accounting of requested services for billing or security purposes when you use
RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To
disable AAA accounting, use the no form of this command. Refer to the “AAA Accounting
Command Syntax” table for a description of the command syntax.

The first example in the figure defines a default command accounting method list, where
accounting services are provided by a TACACS+ security server, set for privilege level 15
commands with a stop-only restriction.

The second example defines a default auth-proxy accounting method list, where accounting
services are provided by a TACACS+ security server with a start-stop restriction. The aaa
accounting command activates authentication proxy accounting.

AAA Accounting Command Syntax

Command Element   Description

auth-proxy        Provides information about all authenticated-proxy user events

system            Performs accounting for all system-level events not associated with users, such as reloads

network           Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP)

exec              Runs accounting for EXEC shell sessions. This keyword might return user profile information such as what is generated by the autocommand command.

connection        Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin

commands level    Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 to 15.

default           Uses the listed accounting methods that follow this argument as the default list of methods for accounting services

list-name         Character string used to name the list of at least one of the accounting methods

vrf vrf-name      (Optional) Specifies a Virtual Route Forwarding (VRF) configuration
                  Note: VRF is used only with system accounting.

start-stop        Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only         Sends a "stop" accounting notice at the end of the requested user process

none              Disables accounting services on this line or interface

broadcast         (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group group-name  At least one of the keywords


Troubleshoot AAA on Cisco Routers

This topic explains how to troubleshoot AAA on a Cisco peripheral router using debug aaa commands.

Troubleshooting AAA Using debug Commands

router# debug aaa authentication
• Use this command to help troubleshoot AAA authentication problems.

router# debug aaa authorization
• Use this command to help troubleshoot AAA authorization problems.

router# debug aaa accounting
• Use this command to help troubleshoot AAA accounting problems.

Use the following debug commands on your routers to trace AAA packets and monitor authentication, authorization, or accounting activities:

• The debug aaa authentication command displays debugging messages on authentication functions.
• The debug aaa authorization command displays debugging messages on authorization functions.
• The debug aaa accounting command displays debugging messages on accounting functions.

2-58 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
Troubleshooting AAA Using the debug aaa authentication Command

router# debug aaa authentication

113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS


To display information on AAA authentication, use the debug aaa authentication command in
privileged-EXEC command mode, as shown in the figure. Use the no debug aaa
authentication form of the command to disable this debug mode.

This figure contains debug output for a successful AAA authentication using a local database.

Copyright 2005, Cisco Systems, Inc. Securing the Perimeter 2-59


Troubleshooting AAA Using the debug aaa authorization Command

router# debug aaa authorization

2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL


To display information on AAA authorization, use the debug aaa authorization command in
privileged-EXEC mode. Use the no debug aaa authorization form of the command to disable
this debug mode.

The figure displays sample output from the debug aaa authorization command where an exec
authorization for user “carrel” is performed. The output is interpreted as follows:
On the first line, the username “carrel” is authorized.
On the second and third lines, the attribute value (AV) pairs are authorized.
The debug output displays a line for each AV pair that is authorized.
The display indicates the authorization protocol used.
The final line in the display indicates the status of the authorization process, which, in this
case, has failed.

The aaa authorization command causes a request packet containing a series of AV pairs to be
sent to the TACACS daemon as part of the authorization process. The daemon responds in one
of the following three ways:
Accepts the request as is
Makes changes to the request
Refuses the request, thereby refusing authorization

The AV pairs associated with the debug aaa authorization command that may appear in the
debug output are described as follows:
service=arap: Authorization for the ARA protocol is being requested.
service=shell: Authorization for exec startup and command authorization is being
requested.

service=ppp: Authorization for PPP is being requested.
service=slip: Authorization for SLIP is being requested.
protocol=lcp: Authorization for Link Control Protocol (LCP) is being requested (lower
layer of PPP).
protocol=ip: Used with service=slip and service=ppp to indicate which protocol layer is
being authorized.
protocol=ipx: Used with service=ppp to indicate which protocol layer is being authorized.
protocol=atalk: Used with service=ppp or service=arap to indicate which protocol layer is
being authorized.
protocol=vines: Used with service=ppp for Virtual Integrated Network Service (VINES)
over PPP.
protocol=unknown: Used for undefined or unsupported conditions.
cmd=x: Used with service=shell. If cmd=NULL, this is an authorization request to start an
exec. If cmd is not NULL, this is a command authorization request and contains the
name of the command being authorized (for example, cmd=telnet).
cmd-arg=x: Used with service=shell. When performing command authorization, the name
of the command is given by a cmd=x pair for each argument listed (for example, cmd-
arg=archie.sura.net).
acl=x: Used with service=shell and service=arap. For ARA, this pair contains an access list
number. For service=shell, this pair contains an access class number (for example, acl=2).
inacl=x: Used with service=ppp and protocol=ip. Contains an IP input access list for SLIP
or PPP/IP (for example, inacl=2).
outacl=x: Used with service=ppp and protocol=ip. Contains an IP output access list for
SLIP or PPP/IP (for example, outacl=4).
addr=x: Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that
the remote host should use when connecting via SLIP or PPP/IP (for example,
addr=172.30.23.11).
routing=x: Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to
the /routing flag in SLIP and PPP commands. Can either be true or false (for example,
routing=true).
timeout=x: Used with service=arap. The number of minutes before an ARA session
disconnects (for example, timeout=60).
autocmd=x: Used with service=shell and cmd=NULL. Specifies an autocommand to be
executed at exec startup (for example, autocmd=telnet yxz.com).
noescape=x: Used with service=shell and cmd=NULL. Specifies a noescape option to the
username configuration command. Can be either true or false (for example, noescape=true).
nohangup=x: Used with service=shell and cmd=NULL. Specifies a nohangup option to the
username configuration command. Can be either true or false (for example,
nohangup=false).
priv-lvl=x: Used with service=shell and cmd=NULL. Specifies the current privilege level
for command authorization as a number from 0 to 15 (for example, priv-lvl=15).
zonelist=x: Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example,
zonelist=5).

addr-pool=x: Used with service=ppp and protocol=ip. Specifies the name of a local pool
from which to get the address of the remote host.

Troubleshooting AAA Using the debug aaa accounting Command

router# debug aaa accounting

16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14


To display information on accounting events as they occur, use the debug aaa accounting
privileged exec command, as shown in the figure. Use the no debug aaa accounting form of
the command to disable this debug mode. This figure displays sample output from the debug
aaa accounting command.

The information displayed by the debug aaa accounting command is independent of the
accounting protocol used to transfer the accounting information to a server. Use the debug
tacacs and debug radius protocol-specific commands to get more detailed information about
protocol-level issues.

You can also use the show accounting command to step through all active sessions and to print
all the accounting records for actively accounted functions. The show accounting command
enables you to display the active accounting events on the system. This command provides
systems administrators with a quick look at what is happening, and may also be useful for
collecting information in the event of data loss on the accounting server. The show accounting
command displays additional data on the internal state of the AAA security system if the debug
aaa accounting command is active as well.
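As an added example that is not part of the course, the following Python script parses the three sample debug outputs shown in this lesson (re-typed here as constructed input): it tracks the GETUSER, GETPASS and PASS status transitions of each debug aaa authentication session, collects the AV pairs and final status of each debug aaa authorization session, and extracts the key=value fields of the debug aaa accounting stop record, so that a failed login or authorization can be picked out of a debug capture. The regular expressions and field names are assumptions drawn from the output format shown above.

```python
import re

# Constructed sample: the three debug outputs shown in this lesson, with the wrapped
# slide lines re-joined the way the router prints them.
AUTHEN_DEBUG = """\
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
"""
AUTHOR_DEBUG = """\
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL
"""
ACCT_DEBUG = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
"""

AUTHEN_RE = re.compile(r"AAA/AUTHEN(?:/\w+)? \((\d+)\): (.*)$")   # session id, rest of line
AUTHOR_RE = re.compile(r"AAA/AUTHOR(?:/TAC\+)? \((\d+)\): (.*)$")
QUOTED_KV_RE = re.compile(r"(\w+)='([^']*)'")   # port='tty1', user='diallocal'
BARE_KV_RE = re.compile(r"(\w+)=(\S+)")         # task_id=70, bytes_in=308

def parse_authen(text):
    """Track each AAA/AUTHEN session: method, port, user, status transitions, final result."""
    sessions = {}
    for line in text.splitlines():
        m = AUTHEN_RE.search(line)
        if not m:
            continue  # e.g. the AAA/MEMORY create_user line
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"method": None, "port": None, "user": None,
                                      "statuses": [], "result": None})
        if rest.startswith("Method="):
            s["method"] = rest.split("=", 1)[1]
        elif rest.startswith("status = "):
            status = rest.split(" = ", 1)[1]
            s["statuses"].append(status)
            if status in ("PASS", "FAIL", "ERROR"):   # GETUSER/GETPASS are intermediate
                s["result"] = status
        else:
            for key, val in QUOTED_KV_RE.findall(rest):
                if key == "port":
                    s["port"] = val
                elif key == "user" and val != "(undef)":
                    s["user"] = val
    return sessions

def parse_author(text):
    """Collect user, method, AV pairs and final status per AAA/AUTHOR session.
    The first lines carry ID 0; the real ID appears once the method is chosen."""
    sessions = {}
    for line in text.splitlines():
        m = AUTHOR_RE.search(line)
        if not m:
            continue
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"user": None, "method": None, "av_pairs": [], "result": None})
        if rest.startswith("user="):
            s["user"] = rest.split("=", 1)[1].strip("'")
        elif rest.startswith("Method="):
            s["method"] = rest.split("=", 1)[1]
        elif rest.startswith("send AV "):
            s["av_pairs"].append(rest[len("send AV "):])
        elif rest.startswith("Post authorization status = "):
            s["result"] = rest.rsplit("= ", 1)[1].strip()
    return sessions

def parse_acct(text):
    """Return AAA/ACCT records as (event, fields); stop records carry key=value fields."""
    records = []
    for line in text.splitlines():
        if "AAA/ACCT: " not in line:
            continue
        event, _, rest = line.split("AAA/ACCT: ", 1)[1].partition(":")
        records.append((event.strip(), dict(BARE_KV_RE.findall(rest))))
    return records

def failed_sessions(authen, author):
    """List (phase, session id, user) for every session whose final status is not a pass."""
    failed = [("authentication", sid, s["user"]) for sid, s in authen.items() if s["result"] != "PASS"]
    failed += [("authorization", sid, s["user"]) for sid, s in author.items() if s["result"] == "FAIL"]
    return failed
```

Running `failed_sessions(parse_authen(AUTHEN_DEBUG), parse_author(AUTHOR_DEBUG))` reports only the TACACS+ authorization session for user carrel, matching the FAIL status in the figure.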

Summary
This topic summarizes the key points discussed in this lesson.

Summary
• Administrative and remote network access modes
can be secured with AAA.
• Cisco router AAA configuration should follow
an orderly progression.
• Use the aaa new-model command to add AAA
services to a Cisco router.
• Use aaa commands to specify authentication,
authorization, and accounting processes and
methods.
• Use debug aaa commands selectively to
troubleshoot AAA.


Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Name the strongest authentication method. (Source: Introduction to AAA for Cisco
Routers)

Q2) List the three pieces of the S/KEY system. (Source: Introduction to AAA for Cisco
Routers)

Q3) Put the following three steps required to configure the router for AAA in the correct
order. Put the number 1, 2, or 3 in the space provided. (Source: Authenticate to a LAN)
_____ 1. Configure AAA on the router.
_____ 2. Secure access to privileged-EXEC and configuration mode on vty,
asynchronous, auxiliary and TTY ports.
_____ 3. Enable AAA globally on the router.

Q4) How can you guard against the risk of being locked out of a router should the
administrative session fail while you are in the process of enabling AAA? (Source:
Authenticate to a LAN)

Q5) What authentication method uses "something you have and something you know"?
(Source: Authenticate to a LAN)
A) token card
B) OTP
C) username and password (aging)
D) username and password (static)

Q6) Match the following commands to the description by placing the letter of the command
in the space provided beside the description (Source: Configure AAA on Cisco
Routers)
A) aaa new-model
B) aaa authentication
C) aaa authentication login
D) aaa authentication ppp
E) aaa authentication enable default
F) aaa authorization

_____ 1. In global configuration mode, this command enables the authentication
process.

_____ 2. In global configuration mode, this command enables AAA authentication
to determine if a user can access the privileged command level.

_____ 3. This command forces the router to override every other authentication
method previously configured for the router lines.

_____ 4. In global configuration mode, this command specifies one or more AAA
authentication methods for use on serial interfaces.

_____ 5. In global configuration mode, this command sets AAA authentication at
login.

_____ 6. In global configuration mode, this command sets parameters that restrict
administrative access to the routers or user access to the network.

Q7) List the three debug commands used for troubleshooting AAA. (Source: Troubleshoot
AAA on Cisco Routers)

Lesson Self-Check Answer Key
Q1) Token cards or soft tokens using OTPs

Q2) The client, the host and a password calculator

Q3) A-3, B-1, C-2

Q4) Provide for a local login method

Q5) A

Q6) A-3, B-1, C-5, D-4, E-2, F-6

Q7) debug aaa authorization, debug aaa authentication, debug aaa accounting

Lesson 3

Introducing the Cisco Secure Access Control Server for Windows Server

Overview
In the previous lesson, you implemented authentication, authorization and accounting on a
Cisco router. This lesson will introduce the Cisco Secure ACS for Windows Server. It will
cover some of the terminology used in reference to access control procedures, some of the
challenges of controlling and securing user access to network resources, and how Access
Control Servers (ACS) meet these challenges. An overall knowledge of Cisco Secure ACS
terminology, functions and positioning in the network will form a basis for configuring basic
Cisco Secure ACS functions in your network.
Objectives
Upon completing this lesson, you will be able to describe how Cisco Secure ACS provides
AAA services to network devices that function as AAA clients. This ability includes being able
to meet these objectives:
Describe the key features, concepts and purpose of the Cisco Secure ACS for Windows
Server
List the function of each of the technologies that Cisco Secure ACS incorporates to render
AAA services to AAA clients
Describe the interaction between Cisco Secure ACS and the AAA client
Explain how Cisco Secure ACS uses both TACACS+ and RADIUS
Define authentication as it applies to Cisco Secure ACS in terms of considerations, user
databases, protocol-database compatibility and basic and advanced password configuration
Describe the authorization process and how it is related to authentication
Describe the purpose and function of TACACS+, RADIUS and administrative accounting
Explain how Cisco Secure ACS can be used for configuration and administrative tasks

Cisco Secure ACS Overview
This topic describes the key features, concepts and purpose of Cisco Secure ACS for Windows
Server.

The Hard Way to Manage Access

• Individual device configuration is required
• Network Access
  – Non scalable
  – Time-consuming
  – Difficult logistics
• Device Administration
  – Access and privilege rights options are limited
  – Non scalable

Figure: access types shown around the bullets are Firewall, Dial-Up, VPN, VoIP, 802.1x Switches, Wireless and Telnet Admin.


In the past, network security was relatively simple. Users were physically located within the
corporate campus and the networks were smaller. But now, the corporate networks can be
accessed using wireless interface cards or using the public ISP network and virtual private
networks (VPN). It is not uncommon for a wireless user to easily access the Internet and other
corporate resources through unsecured resources. The security challenges arising from this
expanded access are daunting. Many network administrators are unaware of vulnerabilities and
believe the deployment of authentication, authorization and accounting (AAA) services is too
time consuming, not scalable, or difficult to administer.
Most network access devices come with AAA type features embedded in their software. As a
simple example, Cisco IOS devices allow you to configure access control lists (ACLs) to
control access by host, protocol, interface, and so on. It is quite feasible for a network
administrator to configure each access device in a very small network individually and since
the administrative access needed to configure the devices is limited to a few individuals who
need complete access, simple enable password protection is often adequate. However, as
networks grow and become more geographically dispersed, configuring individual devices one
by one becomes impractical.

Cisco Access Control Server

Figure: network diagram in which an Access Control Server and a Policy Server serve desktops, notebooks, file servers, an e-mail server, a corporate user and IP telephones through a workgroup switch, an access router, a wireless access point and a PIX Security Appliance connected to the Internet.

Most access devices have an embedded authentication, authorization and accounting (AAA or
“triple A”) client that defers AAA services to an AAA server. This configuration allows
centralization of access control for quick administration of access control changes for users and
devices on a global basis, and has the advantage of being very scalable. A centralized AAA
server allows for precise access control, even among the cadre of network administrators. For
example, selected administrators can have full administration rights on some routers but not all,
depending on policy.
When a user attempts to access the network or network devices through a device configured as
an AAA client, the AAA client forwards the user authentication request (username and
password) to the AAA server. The AAA server returns either a success or a failure response,
depending on the information in the server repository. Once the user is successfully
authenticated, the AAA server sends a set of session attributes (authorization) to the AAA
client to provide additional security and control of privileges for the user.
The Cisco Secure Access Control Server (ACS) for Windows Server combines all three AAA
activities on one device:
Authentication:
— When a user seeks network access, the Network Access Device (NAD) challenges
the user for identity credentials such as a password or a token. NAD passes these
credentials to the Cisco Secure ACS for AAA analysis.
— Cisco Secure ACS authenticates the credentials against a known database of users.
Cisco Secure ACS then applies the user's corresponding access policy to the NAD.
Authorization:
— The user is either denied access or authorized access to assigned resources on the
network allowed by policy.
Accounting:
— Cisco Secure ACS accounting can then start monitoring and logging the network
activity of the user.

Cisco Secure ACS Components

Cisco Secure ACS has three components:
• AAA clients
• AAA server
• User or accounts databases

Cisco Secure ACS for Windows provides a centralized identity networking solution and
simplified user management experience across all Cisco devices and security management
applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing
network administrators to control the following:
Who can log into the network
The privileges each user has in the network
Recorded security audit or account billing information
Access and command controls that are enabled for the administrator of each configuration

Cisco Secure ACS has three components:


AAA clients that make requests and communicate with the AAA server, sending usernames
and other parameters;
AAA server to receive authentication requests from the clients, to compare them to a
database, to authorize the client, and to begin accounting tasks.
User or accounts databases to allow administrators to manage users and groups with
different levels of permissions. Databases can be Open Database Connectivity (ODBC),
Lightweight Directory Access Protocol (LDAP), Novell Directory Services (NDS), or
Windows NT, 2000, or 2003 structures.

AAA Server Functions and Concepts
This topic lists the function of each of the technologies that Cisco Secure ACS incorporates to
render AAA services to AAA clients.

What is AAA?

• Authentication: Who is allowed access to the network?
• Authorization: What are they allowed to do?
• Accounting: What did they do?

AAA is an architectural framework for consistently configuring a set of three independent
security functions. AAA provides a modular way of performing the following services:
Authentication: This service provides the method of identifying users, including login and
password dialog, challenge and response, messaging support, and encryption (depending on
the security protocol selected).
Authorization: This service provides the method for remote-access control, including one-
time authorization or authorization for each service, per-user account list and profile,
support for user groups, and support of IP, Internetwork Packet Exchange (IPX),
AppleTalk Remote Access (ARA), and Telnet.
Accounting: This service provides the method for collecting and sending security server
information used for billing, auditing, and reporting. This information typically consists of
such items as user identities, start and stop times, executed commands (such as Point-to-
Point Protocol [PPP]), number of packets, and number of bytes.

Cisco Secure ACS and the AAA Client
This topic describes the interaction between Cisco Secure ACS and the AAA client.

AAA Protocols

Figure: AAA Client <-- RADIUS or TACACS+ --> AAA Server

RADIUS                                        TACACS+
UDP connectionless                            TCP connection oriented
Encrypts only the passwords up to 16 bytes    Full packet encryption
Authentication and authorization service      Independent AAA architecture
combined
Less intrinsically suited for router          Useful for router management
management

Cisco Secure ACS uses two distinct protocols for AAA services:
Remote Authentication Dial-In User Service (RADIUS) and
Terminal Access Controller Access Control System (TACACS+)

RADIUS is the industry standard for AAA support. It provides authentication and authorization
in a single step. When the user logs into the network, the NAS prompts the user for a username
and a password. The NAS then sends the request to the Cisco Secure ACS. The NAS may
include a request for access restrictions or per-user configuration information. The RADIUS
server returns a single response with authentication approval status and any related access
information available.
TACACS+ is the Cisco Systems proprietary AAA protocol that separates the authentication,
authorization, and accounting steps. This allows administrators to use separate authentication
solutions while still using TACACS+ for authorization and accounting. For example, if
additional authorization checking is needed, the access server can check with a TACACS+
server to determine whether the user is granted permission to use a particular command. This
provides greater control over the commands that can be executed on the access server and
decouples the authorization process from the authentication mechanism. As another example,
with TACACS+, it is possible to use Kerberos Protocol authentication and TACACS+
authorization and accounting. After an NAS passes authentication on a Kerberos server, it
requests authorization information from a TACACS+ server without having to re-authenticate
the NAS by using the TACACS+ authentication mechanism. The NAS informs the TACACS+
server that it has successfully passed authentication on a Kerberos server, and the server then
provides authorization information.
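As an added example that is not course material, the following Python block implements the two password-protection schemes the comparison slide contrasts: the RADIUS User-Password hiding of RFC 2865 (only that one attribute is protected, in MD5-chained 16-byte blocks) and the TACACS+ body obfuscation of RFC 8907 (the whole packet body is covered). The shared secret, Request Authenticator stand-in and session ID are constructed values, and the RFC-level details are assumptions that the course text does not spell out.

```python
import hashlib

# Constructed values for this demonstration (not from the course): a shared secret, a fixed
# stand-in for the random 16-byte RADIUS Request Authenticator, and a TACACS+ session ID.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = hashlib.md5(b"constructed-authenticator").digest()
SESSION_ID = 0x5A5A1234


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: the password is null-padded to 16-byte blocks and
    each block is XORed with MD5(secret + previous hidden block); block 1 uses the
    Request Authenticator. Only this one attribute is protected."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def radius_unhide_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password; the MD5 chain runs over the received hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")


def radius_access_request_attrs(user, password, secret, authenticator):
    """Attribute list of an Access-Request: User-Name (type 1) in clear text and
    User-Password (type 2) hidden; the length octet counts the type and length too."""
    hidden = radius_hide_password(password, secret, authenticator)
    return bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden


def tacacs_plus_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def tacacs_plus_obfuscate(body, session_id, key, seq_no, version=0xC0):
    """XOR the entire packet body with the pseudo-pad (version 0xC0: major 0xC, minor 0).
    Applying it twice with the same parameters restores the body."""
    return _xor(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


def tacacs_plus_authen_start(user, port, rem_addr, data=b""):
    """RFC 8907 5.1 Authentication START body with the values seen in the debug output
    earlier in this lesson: action=LOGIN (1), priv_lvl=1, authen_type=ASCII (1),
    authen_service=LOGIN (1), then the four length octets and the variable fields."""
    hdr = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return hdr + user + port + rem_addr + data


def cleartext_exposure(wire_bytes, fields):
    """Return the field values that can be read straight off the wire."""
    return [f for f in fields if f in wire_bytes]


if __name__ == "__main__":
    attrs = radius_access_request_attrs(b"diallocal", b"secret-pw", SECRET, REQUEST_AUTHENTICATOR)
    body = tacacs_plus_authen_start(b"diallocal", b"tty1", b"async/81560")
    obf = tacacs_plus_obfuscate(body, SESSION_ID, SECRET, seq_no=1)
    print("RADIUS exposes:", cleartext_exposure(attrs, [b"diallocal", b"secret-pw"]))
    print("TACACS+ exposes:", cleartext_exposure(obf, [b"diallocal", b"tty1", b"async/81560"]))
```

With the constructed values, the RADIUS attribute list still shows the username in clear text while the TACACS+ START body shows none of user, port or remote address; neither scheme is encryption in the modern sense, which is why the course treats the transport between the AAA client and server as needing protection beyond the shared secret.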

AAA Protocols—TACACS+ and RADIUS
This topic describes how Cisco Secure ACS uses both TACACS+ and RADIUS.

TACACS+ vs. RADIUS


In the figure, the TACACS+ traffic example assumes that when a user Telnets to a router,
performs a command, and then exits the router, the login authentication, exec authorization,
command authorization, start-stop exec accounting, and command accounting are implemented
with TACACS+.
The RADIUS traffic example assumes that when a user Telnets to a router, performs a
command, and then exits the router (other management services are not available), the login
authentication, exec authorization, and start-stop exec accounting are implemented with
RADIUS.

Authentication
This topic defines authentication as it applies to Cisco Secure ACS in terms of considerations,
user databases, protocol-database compatibility and basic and advanced password
configuration.

Cisco Secure ACS Authentication Features

Figure: an AAA client (network access server) offering a variety of authentication methods talks over local, TACACS+ or RADIUS authentication to Cisco Secure ACS, which is backed by a variety of external databases.

• Variety of authentication methods:
  – ASCII, PAP, CHAP, MS-CHAP, LEAP, EAP-CHAP, EAP-TLS
• Password options:
  – Single or separate passwords
  – Inbound and outbound
  – Password aging
• Local or variety of external user databases

The simplest form of authentication requires the user to provide a username and password. This
is a popular method for service providers because it is easy for the client to use. The
disadvantage is that the user can give this information to someone else, someone can guess it,
or someone can capture it. A simple unencrypted username and password is not a strong
authentication mechanism but can be sufficient for low authorization or privilege levels such as
Internet access.
When an AAA client receives the username and password, the information is forwarded to the
AAA server or Cisco Secure ACS system using either RADIUS or TACACS+. As previously
described, RADIUS and TACACS+ encrypt the password using different methods. However,
the password is in clear text between the user workstation and the AAA client.
Using a username and a password that is fixed for authentication is adequate for simple
network implementations, but as a rule, when more authorization privileges are granted to a
user, the stronger the authentication needs to be. More modern and secure authentication
methods such as Challenge Handshake Authentication Protocol (CHAP) and one-time
passwords (OTP) have been developed to provide stronger authentication.
Cisco Secure ACS supports a wide variety of authentication methods including:
Password Authentication Protocol (PAP): This method uses clear-text passwords (that is,
unencrypted passwords) and is the least sophisticated authentication protocol. If you are
using the Windows NT or Windows 2000 user database to authenticate users, you must use
PAP password encryption or Microsoft CHAP (MS-CHAP).
CHAP: This method uses a challenge-response mechanism with one-way encryption on
the response. CHAP enables the Cisco Secure ACS to negotiate downward from the most
secure to the least secure encryption mechanism, and it protects passwords transmitted in
the process. CHAP passwords are reusable. If you are using the Cisco Secure user database
for authentication, you can use either PAP or CHAP. CHAP does not work with the
Windows NT or Windows 2000 user database; use MS-CHAP for this database.
AppleTalk Remote Access Protocol (ARAP): This method uses a two-way challenge-
response mechanism. The AAA client challenges the end-user client to authenticate itself,
and the end-user client challenges the AAA client to authenticate itself.

Wireless Authentication Methods: Network administrators have become more aware of
the vulnerabilities of deploying wireless technology without proper AAA services and
encryption methods. The vulnerabilities lie with the implementation of the Rivest Cipher 4
(RC4) encryption algorithm in the Wired Equivalent Privacy (WEP) encryption framework.
Extensible Authentication Protocol (EAP) provides static WEP keys on a per session basis
for wireless encryption. There are several weaknesses in the key scheduling algorithm of
RC4, which is a widely used stream cipher in software applications. These weaknesses can
provide unauthorized users with a small number of key bits that can be used to construct
the “WEP key” that is necessary to gain access to a network.
Lightweight EAP (LEAP): Cisco Systems has been shipping a security scheme known as
LEAP since November 2000. LEAP is based on the 802.1x authentication framework and
mitigates several of the weaknesses by utilizing dynamic WEP and sophisticated key
management on a per packet basis.

Cisco Secure ACS also offers support for many password options including the following:
Single password for all authentication methods (ASCII, PAP, CHAP, MS-CHAP, and
ARAP): This is the easiest setup, but since the ASCII and PAP password is clear text,
there is a chance that the CHAP password can be compromised.
Separate passwords for ASCII, PAP, CHAP, MS-CHAP, ARAP: This option is less
convenient for the end user (who needs two passwords), but if the ASCII or PAP password is
compromised, the CHAP password can remain intact.
Inbound password: This option is most commonly used by Cisco Secure ACS users. This
feature will be described in more detail. Both RADIUS and TACACS+ support inbound
passwords.
Outbound password: The outbound password enables an AAA client to authenticate itself
to another AAA client or end-user client via outbound authentication. This feature will be
described in more detail. Only TACACS+ supports outbound passwords.
Token caching: This option caches the OTP token for limited time use in a second ISDN B
channel using the same OTP entered during original authentication. For greater security,
the B-Channel authentication request from the AAA client should include the OTP in the
username value (for example Fredpassword) while the password value contains an
ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the
token is still cached and validate the incoming password against either the single
ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user
configuration.
Password aging: With this option, the password expires after a number of logins or days or
weeks, or some specified time period.
User changeable passwords: With Cisco Secure ACS, you can install a separate program
that enables users to change their passwords by using a web-based utility.

Inbound and Outbound Password Options

Inbound passwords:
• Most commonly used
• supported by both TACACS+ and RADIUS
• held internally to the Cisco Secure user database
• not given to an external source if outbound password is
configured.
Outbound passwords:
• Only supported by TACACS+
• Can be used to force an AAA client to be authenticated by
another AAA client and end-user client.


In addition to the basic password configurations listed above, Cisco Secure ACS supports the
following:
Inbound passwords—Passwords used by most Cisco Secure ACS users. Both TACACS+
and RADIUS protocols support inbound passwords. They are held internally to the Cisco
Secure user database and are not usually given up to an external source if an outbound
password has been configured.
Outbound passwords—The TACACS+ protocol supports outbound passwords that can be
used, for example, when an AAA client has to be authenticated by another AAA client and
end-user client. Passwords from the Cisco Secure user database are then sent back to the
second AAA client and end-user client.

The TACACS+ SENDAUTH feature enables an AAA client to authenticate itself to another
AAA client or an end-user client via outbound authentication. The outbound authentication can
be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is
given out. By default, the user ASCII/PAP or CHAP/ARAP password is used, depending on
how this has been configured; however, we recommend that the separate SENDAUTH
password be configured for the user so that Cisco Secure ACS inbound passwords are never
compromised.
If you want to use outbound passwords and maintain the highest level of security, we
recommend that you configure users in the Cisco Secure user database with an outbound
password that is different from the inbound password.

Cisco Secure ACS Authentication External Database Support

                            Authentication Protocol
Database                  ASCII  PAP  CHAP  ARAP  MS-CHAP v.1  MS-CHAP v.2  LEAP  EAP-MD5  EAP-TLS
Cisco Secure ACS          Yes    Yes  Yes   Yes   Yes          Yes          Yes   Yes      Yes
Windows SAM               Yes    Yes  No    No    Yes          Yes          Yes   No       No
Windows AD                Yes    Yes  No    No    Yes          Yes          Yes   No       Yes
Novell NDS                Yes    Yes  No    No    No           No           No    No       No
LDAP                      Yes    Yes  No    No    No           No           No    No       Yes
ODBC                      Yes    Yes  Yes   Yes   Yes          Yes          Yes   No       No
LEAP Proxy RADIUS Server  No     No   No    No    Yes          No           Yes   No       No
ActivCard                 Yes    Yes  No    No    No           No           No    No       No
CRYPTOCard                Yes    Yes  No    No    No           No           No    No       No
RADIUS Token Server       Yes    Yes  No    No    No           No           No    No       No
Vasco                     Yes    Yes  No    No    No           No           No    No       No
AXENT                     Yes    Yes  No    No    No           No           No    No       No
RSA                       Yes    Yes  No    No    No           No           No    No       No
Safeword                  Yes    Yes  No    No    No           No           No    No       No

The table in the figure illustrates the flexibility of Cisco Secure ACS authentication. The
network administrator has flexibility in the type of database to employ to store AAA
information.
Cisco Secure ACS includes its own database and can also leverage many external databases
containing user authentication information. In this latter case, Cisco Secure ACS maps the user
to an external database to centralize the information for authentication. Different levels of
security can be concurrently used with Cisco Secure ACS for varying customer security
requirements and policies. Not all the authentication protocols supported by Cisco Secure ACS
can be used with the external databases supported by Cisco Secure ACS.

Authorization
This topic describes the authorization process and how it is related to authentication.

Cisco Secure ACS Authorization Features

[Figure: the AAA client (network access server) receives the user profile from Cisco Secure
ACS; the profile states which network services the user can access.]

• Different levels of service by user or group
• Permit or deny logins based on time or day
• Disable account based on failed attempts or on a specific date
• Maximum sessions by user or group
• Dynamic usage quotas

Once a user has been authenticated, Cisco Secure ACS sends the AAA client a user profile,
which contains policies that dictate what network services the user can access. Cisco Secure
ACS allows the administrator to customize authorization on an individual user or a user group.
Access can be differentiated by levels of security, access times, and services. For example,
logins can be configured to permit or deny access based on time-of-day and day-of-the-week.
Downloaded policies can also include ACLs on a per-user or per-group basis to restrict areas of
the network or limit certain services such as FTP.
Some additional Cisco Secure ACS authorization features include the ability to perform the
following:
• Disable an account after a number of failed attempts or on a specific date
• Limit the number of concurrent sessions for either a group or a user
• Define usage quotas by duration or total number based on daily, weekly, or monthly
  periods

It should be evident that providing capabilities such as time-restricted accounts throughout
the enterprise without a centralized AAA server would consume vast amounts of time. With
Cisco Secure ACS, however, access configuration becomes much less complicated and
time-consuming.
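The following is an added illustration, not Cisco Secure ACS code: a small Python model of the login checks that such a user profile carries (day-of-week and time-of-day windows, a maximum concurrent session count, a usage quota, and an account expiry date), evaluated against a login attempt. The class and function names, the sample profile and the login attempts are constructed for this example; the count of active sessions and the time already used would in practice come from the accounting data described in the next topic.

```python
# Added example (not Cisco Secure ACS code): evaluating the authorization
# policy in a user profile against a login attempt. All names are invented.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class UserProfile:
    username: str
    group: str
    # weekday (0 = Monday ... 6 = Sunday) -> list of (start_hour, end_hour) windows;
    # an empty dict means logins are permitted at any time
    login_windows: Dict[int, List[Tuple[int, int]]] = field(default_factory=dict)
    max_sessions: Optional[int] = None      # None = no limit on concurrent sessions
    quota_seconds: Optional[int] = None     # usage allowed in the quota period, None = no limit
    expires: Optional[datetime] = None      # account is disabled from this date on
    enabled: bool = True


def login_window_open(profile: UserProfile, when: datetime) -> bool:
    """Permit or deny purely on day of week and hour of day."""
    if not profile.login_windows:
        return True
    return any(start <= when.hour < end
               for start, end in profile.login_windows.get(when.weekday(), []))


def authorize_login(profile: UserProfile, when: datetime,
                    active_sessions: int, used_seconds: int) -> Tuple[bool, str]:
    """Evaluate the profile for one login attempt; returns (permitted, reason).

    The checks run from account state to resource limits, so the first
    failing condition is the one reported."""
    if not profile.enabled:
        return False, "account disabled"
    if profile.expires is not None and when >= profile.expires:
        return False, "account expired"
    if not login_window_open(profile, when):
        return False, "outside permitted login window"
    if profile.max_sessions is not None and active_sessions >= profile.max_sessions:
        return False, "maximum concurrent sessions reached"
    if profile.quota_seconds is not None and used_seconds >= profile.quota_seconds:
        return False, "usage quota exhausted"
    return True, "permitted"


# Constructed sample profile: office hours only, at most two sessions, 8 h per day,
# account valid until the end of 2005.
OFFICE_HOURS = {day: [(8, 18)] for day in range(5)}   # Monday..Friday, 08:00 to 17:59
CONTRACTOR = UserProfile("contractor1", "contractors", login_windows=OFFICE_HOURS,
                         max_sessions=2, quota_seconds=8 * 3600,
                         expires=datetime(2005, 12, 31))

# Constructed login attempts: (time of attempt, sessions already open, seconds used today)
SAMPLE_ATTEMPTS = [
    (datetime(2005, 6, 6, 10, 0), 1, 0),          # Monday 10:00, one session open
    (datetime(2005, 6, 11, 10, 0), 0, 0),         # Saturday: outside the windows
    (datetime(2005, 6, 6, 10, 0), 2, 0),          # session limit already reached
    (datetime(2005, 6, 6, 10, 0), 0, 8 * 3600),   # daily quota used up
    (datetime(2006, 1, 1, 10, 0), 0, 0),          # after the expiry date
]


def run_samples() -> List[Tuple[bool, str]]:
    """Evaluate every sample attempt against the contractor profile."""
    return [authorize_login(CONTRACTOR, when, active, used)
            for when, active, used in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for (when, active, used), result in zip(SAMPLE_ATTEMPTS, run_samples()):
        print(when, active, used, "->", result)
```

The order of the checks matters for what the user is told: an expired account is reported as expired even when the attempt also falls outside the login window, which keeps the reason given to the AAA client consistent for a disabled account.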



Accounting
This topic describes the purpose and function of TACACS+, RADIUS, and administrative
accounting.

ACS Accounting Features

[Figure: the AAA client (network access server) reports to Cisco Secure ACS what the user
is doing.]

• CSV or ODBC accounting records
• Records session start and stop duration
• AAA client messages with username
• Caller-line identification

Once the user has been granted access to the network with certain privileges, the accounting
functions provided by the RADIUS and TACACS+ protocols allow the AAA clients to forward
relevant data for each user session to the Cisco Secure ACS. Depending on the configuration,
Cisco Secure ACS writes accounting records to either a comma-separated value (CSV) log file
or an Open DataBase Connectivity (ODBC) database. The logs are configured to capture as
much information as needed, but generally record information on session start and stop times,
AAA client messages by username, caller line identification, and duration of each session. The
log files can easily be exported into popular database and spreadsheet applications for billing,
security audits, and report generation.
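As an added example of the kind of processing those exported records support (this is not Cisco Secure ACS code and does not claim to reproduce the ACS CSV layout), the Python below reads a constructed CSV accounting log, pairs the session start and stop records, computes each session's duration and per-user usage, and flags two things an audit should notice: sessions that started but never stopped, and stop records with no matching start. The column names imitate RADIUS accounting attribute names for readability and are an assumption of this example.

```python
# Added example (not Cisco Secure ACS code): session reporting over a CSV
# accounting log. The log below and its column names are constructed.
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id,Calling-Station-Id,NAS-IP-Address
06/06/2005,08:02:11,alice,Start,0001,5551234,10.1.1.1
06/06/2005,08:05:40,bob,Start,0002,5559876,10.1.1.1
06/06/2005,09:32:11,alice,Stop,0001,5551234,10.1.1.1
06/06/2005,10:00:00,carol,Start,0003,5550000,10.1.1.2
06/06/2005,10:15:00,carol,Stop,0003,5550000,10.1.1.2
06/06/2005,10:20:00,dave,Stop,0004,5551111,10.1.1.2
"""


def parse_records(text: str) -> List[dict]:
    """Read the CSV and attach a datetime built from the Date and Time columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                             "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def session_report(records: List[dict]):
    """Pair Start and Stop records by (NAS address, session id).

    Returns (durations, open_sessions, orphan_stops):
      durations     - seconds per (user, session id) for sessions that closed
      open_sessions - users whose session has a Start but no Stop (still
                      connected, or the stop record was lost)
      orphan_stops  - users with a Stop but no Start (log gap or NAS reload)
    """
    pending: Dict[Tuple[str, str], dict] = {}
    durations: Dict[Tuple[str, str], int] = {}
    orphan_stops: List[str] = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        if rec["Acct-Status-Type"] == "Start":
            pending[key] = rec
        elif rec["Acct-Status-Type"] == "Stop":
            start = pending.pop(key, None)
            if start is None:
                orphan_stops.append(rec["User-Name"])
            else:
                elapsed = rec["timestamp"] - start["timestamp"]
                durations[(rec["User-Name"], rec["Acct-Session-Id"])] = int(elapsed.total_seconds())
    open_sessions = [r["User-Name"] for r in pending.values()]
    return durations, open_sessions, orphan_stops


def usage_by_user(durations: Dict[Tuple[str, str], int]) -> Dict[str, int]:
    """Total closed-session time per user, the figure a billing or quota check needs."""
    totals: Dict[str, int] = {}
    for (user, _session), secs in durations.items():
        totals[user] = totals.get(user, 0) + secs
    return totals


def report(text: str = SAMPLE_LOG) -> dict:
    durations, open_sessions, orphan_stops = session_report(parse_records(text))
    return {"durations": durations, "open": open_sessions,
            "orphan_stops": orphan_stops, "usage": usage_by_user(durations)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Sessions are keyed by NAS address and session id rather than by username so that two concurrent sessions of the same user, or the same session id reused by a different AAA client, are not confused with each other.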

Device Administration
This topic explains how Cisco Secure ACS can be used for configuration and administrative
tasks.

ACS Device Administration Features

[Figure: a Telnet administrator session to a network device is checked against Cisco
Secure ACS over TACACS+.]

• Authentication: Access per user, group, or network device group
• Authorization: Commands per user, group, or network device group
• Accounting: Lists commands entered

As mentioned earlier in this lesson, AAA functionality within Cisco Secure ACS can be used
for two similar access functions: network access, and access to network devices for
administration and configuration. It was also mentioned that the TACACS+ protocol is better
suited for the latter task because it has more features for user and command authorization.
Similar to network access, access to a device is controlled by an authentication dialog between
the AAA client (device to be accessed) and the Cisco Secure ACS server. Most network
administrators are familiar with logging into a device, providing the enable password, and
performing the functions they choose. With Cisco Secure ACS, different users can be given
different privileges even with device functions at the same privilege level.
To achieve this granularity of authorization, Cisco Secure ACS uses the concept of command
authorization sets (also known as device command sets [DCS]). For greatly enhanced
scalability and manageability of setting authorization restrictions for network administrators,
the Cisco Secure ACS DCS mechanism controls the authorization of each command on each
device per user, per group, or per network device group mapping. When TACACS+ command
authorization is enabled, each command executed by the authenticated user is sent by the AAA
client to Cisco Secure ACS for inclusion in the accounting logs.
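To make the per-user, per-group and per-network-device-group mapping concrete, here is an added Python model of a command authorization set and of the lookup that picks the set for a given administrator on a given device. It is an illustration written for this page, not Cisco Secure ACS code: the class names, the matching rules (deny patterns win over permit patterns, unlisted commands and unmatched arguments fall to a configurable default) and the sample sets and assignments are all constructed, and the real ACS matching logic is more detailed.

```python
# Added example (not Cisco Secure ACS code): a model of device command sets
# and of the user -> group -> network device group lookup. Names are invented.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CommandRule:
    permit_args: List[str] = field(default_factory=list)   # full-match regexes over the arguments
    deny_args: List[str] = field(default_factory=list)
    unmatched_permit: bool = False    # what to do with arguments no pattern matches


@dataclass
class CommandSet:
    name: str
    rules: Dict[str, CommandRule]      # first word of the command -> rule
    unlisted_permit: bool = False      # what to do with commands not in the set

    def permits(self, line: str) -> bool:
        parts = line.strip().split(None, 1)
        if not parts:
            return False
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        rule = self.rules.get(cmd)
        if rule is None:
            return self.unlisted_permit
        if any(re.fullmatch(p, args) for p in rule.deny_args):    # deny wins
            return False
        if any(re.fullmatch(p, args) for p in rule.permit_args):
            return True
        return rule.unmatched_permit


# Assignment tables: user or group name -> {network device group or None (any device): set name}
Assignments = Dict[str, Dict[Optional[str], str]]


def command_set_for(user: str, group: str, ndg: str,
                    user_assign: Assignments, group_assign: Assignments,
                    sets: Dict[str, CommandSet]) -> Optional[CommandSet]:
    """A user-level assignment wins over the group-level one; within a level a
    per-NDG entry wins over the any-device default. No assignment at all -> None."""
    for table, key in ((user_assign, user), (group_assign, group)):
        entry = table.get(key, {})
        name = entry.get(ndg) or entry.get(None)
        if name:
            return sets[name]
    return None


def authorize_command(user: str, group: str, ndg: str, line: str,
                      user_assign: Assignments, group_assign: Assignments,
                      sets: Dict[str, CommandSet]) -> bool:
    """Decision for one command typed on a device: no command set means deny."""
    command_set = command_set_for(user, group, ndg, user_assign, group_assign, sets)
    return command_set is not None and command_set.permits(line)


# Constructed sample: helpdesk staff may view but not dump configurations on any
# device; alice additionally has full rights, but only on the "lab" device group.
SETS = {
    "read-only": CommandSet("read-only", {
        "show": CommandRule(permit_args=[r".*"], deny_args=[r"(running|startup)-config.*"]),
        "exit": CommandRule(unmatched_permit=True),
    }),
    "netops-full": CommandSet("netops-full", {}, unlisted_permit=True),
}
GROUP_ASSIGN: Assignments = {"helpdesk": {None: "read-only"}}
USER_ASSIGN: Assignments = {"alice": {"lab": "netops-full"}}


def check(user: str, group: str, ndg: str, line: str) -> bool:
    return authorize_command(user, group, ndg, line, USER_ASSIGN, GROUP_ASSIGN, SETS)


if __name__ == "__main__":
    for args in [("bob", "helpdesk", "core", "show ip route"),
                 ("bob", "helpdesk", "core", "show running-config"),
                 ("alice", "helpdesk", "lab", "configure terminal"),
                 ("alice", "helpdesk", "core", "configure terminal")]:
        print(args, "->", check(*args))
```

Note the fall-through in the sample: alice on a "core" device has no user-level entry for that device group, so the decision comes from her helpdesk group and "configure terminal" is denied there; a user with neither a user-level nor a group-level set is denied everything.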



Summary
This topic summarizes the key points discussed in this lesson.

Summary

• Cisco Secure ACS simplifies user management across all Cisco devices and security
  management applications.
• Cisco Secure ACS combines AAA on one device and provides access control to network
  access servers through AAA.
• Cisco Secure ACS uses the industry standard (RADIUS) and the Cisco proprietary AAA
  protocol (TACACS+) for AAA services.
• Cisco Secure ACS uses RADIUS and TACACS+ to communicate between the AAA client and
  the AAA server.

Summary (Cont.)

• Cisco Secure ACS supports a full range of authentication methods and password options.
• Cisco ACS authorization disables accounts after failed logins, limits concurrent
  sessions, and can assign use quotas.
• Accounting details are recorded in a log or ODBC database.
• A device command set controls the authorization of each command on each device per
  user, per group or per network device group mapping.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) What are the three components of the Cisco Secure ACS? (Choose three.) (Source:
Cisco Secure ACS Overview)
A) AAA server
B) access point
C) user database
D) VPN
E) antivirus client
F) AAA client
Q2) Which three of the following are characteristics of RADIUS? (Choose three.) (Source:
Cisco Secure ACS and the AAA Client)
A) full packet encryption
B) encrypts passwords up to 16 characters in length
C) combines authentication and authorization into one step
D) treats authentication, authorization and accounting separately
E) best suited for router management
F) works with Kerberos encryption
Q3) Which four of the following are characteristics of TACACS+? (Choose four.) (Source:
Cisco Secure ACS and the AAA Client)
A) full packet encryption
B) combines authentication and authorization into one step
C) TCP connection oriented
D) treats authentication, authorization and accounting separately
E) best suited for router management
F) works with Kerberos encryption
Q4) Passwords are in clear text between the user workstation and the AAA client. (Source:
Authentication)
A) True
B) False
Q5) CHAP uses a challenge-response mechanism with one-way encryption on the response.
(Source: Authentication)
A) True
B) False
Q6) CHAP provides OTP. (Source: Authentication)
A) True
B) False
Q7) As a security feature, Cisco Secure ACS provides single passwords for PAP and
CHAP. (Source: Authentication)
A) True
B) False



Q8) Both RADIUS and TACACS+ support outbound passwords. (Source: Authentication)
A) True
B) False

Lesson Self-Check Answer Key
Q1) A, C and F
Q2) B, C and E
Q3) A, C, D and F
Q4) B
Q5) A
Q6) B
Q7) B
Q8) B

Lesson 4

Configuring Basic Services on the Cisco Secure ACS for Windows
Overview
In this lesson, you will learn how to configure basic services using the graphical user interface
(GUI) of the Cisco Secure Access Control Server (ACS) for Windows Server. There will be a
lab exercise in which you will be able to complete some of these tasks on a network.

Objectives
Upon completing this lesson, you will be able to configure basic administrative access, AAA
clients, users and groups. This ability includes being able to meet these objectives.
• Describe the layout of the Cisco Secure ACS interface
• Describe how to configure the first administrator user account on Cisco Secure ACS
• Describe how to configure administrator policies on the Cisco Secure ACS including
  administrative access, session policy, and audit control policy
• Describe how to set up the Cisco Secure ACS for remote administrator access
• Describe how to configure external user databases, user interfaces and the system
• Explain how the Interface Configuration task can be used to display or hide configuration
  items
• Describe how the System Configuration task is used to configure basic system parameters,
  advanced system features, and basic system management tasks
The Cisco Secure ACS GUI
This topic describes the layout of the Cisco Secure ACS interface.

Starting Cisco Secure ACS

[Figure: the browser connects on port 2002; ACS then selects a unique port for the
administrative session.]

Access to Cisco Secure ACS is through a web browser client on the same machine as the Cisco
Secure ACS application. To access the Cisco Secure ACS interface, follow these steps:
1. Open a supported web browser on the Cisco Secure ACS local machine. Make sure the
   browser is properly configured; for example, Java and JavaScript must be enabled.
2. Enter the following URL to access the ACS: http://<server IP address, hostname,
   localhost, or 127.0.0.1>:2002.
By default, ACS does not require authentication when accessed from a web browser on the
server. At this point, no ACS administrators have been configured, so the ACS desktop loads
immediately.

The Cisco Secure ACS interface allows you to configure a range of TCP ports to be used as the
HTTP port for administrative sessions. As shown in the diagram, the initial HTTP port for the
connection to the ACS was changed from 2002 to 4778. A different port for HTTP will be
selected for each administrative session.
Later in this lesson, we will describe how to configure the range of ports used for HTTP
administrative sessions.
The figure shows the opening screen for the upcoming lab exercise.

Cisco Secure ACS GUI

[Figure: the Cisco Secure ACS desktop. Labelled areas: Configuration Tasks (the navigation
menu), Selected Configuration Task Screens and Configuration Options (the left display
area), Next Choices for the Configuration Task or Option Selected and Help on Choices (or
display of results) (the right display area), and the Back to Initial Screen button.]


The Cisco Secure ACS GUI can be broken down into three main components: the navigation
menu, a left display area and a right display area. The major functions or tasks of Cisco Secure
ACS are organized on the left side of the Cisco Secure ACS interface in the navigation menu.
When one of these functions or configuration tasks is selected, the two display areas will
change. Notice that the function or configuration task selected is listed above the left display
area. Typically, the left display area displays other selectable subtasks or items to be
configured. The title bar of the display area indicates what to do with the display contents. The
right display area typically displays content sensitive help for the items displayed in the left
display area. The right display area can also display results of items selected in the left display
area or error messages for incorrect configurations. Scrolling to the bottom of the help display
reveals a Section Information button that when clicked displays the appropriate section of the
Cisco Secure ACS User Guide for the task selected from the navigation menu. Finally, the X
button in the upper-right corner of the desktop ends the administrative session.



Navigation Menu

[Figure: the navigation menu buttons and what each one configures.]

• User Setup: Configure individual user settings
• Group Setup: Configure group settings
• Shared Profile Components: Develop reusable, shared sets of authorization components
• Network Configuration: Configure NASs, NDGs, AAA servers and Distribution Tables
• System Configuration: Service and logging control, date format, password validation,
  database replication, RDBMS synchronization, ACS backup and restore, IP Pool management,
  VoIP accounting
• Interface Configuration: Configure TACACS+, RADIUS, user, and group options
• Administration Control: Configure ACS administration, access, session and audit policies
• External User Databases: Unknown user policy, database group mappings, configure
  external databases
• Reports and Activities: View enabled reports from the ACS browser interface
• Online Documentation: Online documentation

The navigation bar is where the configuration of Cisco Secure ACS begins. Understanding
what items of Cisco Secure ACS can be configured by each function or task in the navigation
bar clarifies the use of Cisco Secure ACS. The following is a brief description of each Cisco
Secure ACS configuration task on the navigation menu. Each of these tasks will be discussed in
the remainder of this lesson.
• User Setup: Use this menu item to create user profiles and to add to the Cisco Secure ACS
  database (map a user to an authentication database, associate a user with a user group for
  authorization, and configure any user specific authorizations).
• Group Setup: Use this menu item to name groups and configure group authorizations.
• Shared Profile Components: Use this menu item to develop reusable, shared sets of
  authorization components and ease the authorization configuration for users and groups.
  Create shared components for downloadable Cisco PIX access control lists (ACLs),
  Network Access Restrictions (NARs), and Command Authorization sets.
• Network Configuration: Use this menu item to create network device groups (optional),
  add authentication, authorization, and accounting (AAA) clients and servers, and map AAA
  clients and servers to network device groups.
• System Configuration: Use this menu item to configure database maintenance, IP pool
  management, VoIP accounting, Cisco Secure ACS service control, logging features, date
  format, and password validation.
• Interface Configuration: Use this menu item to choose which features and options the
  Cisco Secure ACS interface will display.
• Administration Control: Use this menu item to create administrator users and define
  administrative access, session, and audit policies.
• External User Databases: Use this menu item to configure which external databases are to
  be used, create an unknown user policy, and map user databases to a user group.
• Reports and Activities: Use this menu item to view any enabled reports.
• On-Line Documentation: Use this menu item to view the online documentation.

Creating the First Administrator User Account
This topic describes how to configure the first administrator user account on the Cisco Secure
ACS.

Creating the First Administrator User Account

[Figure: the Administration Control page, with help on the Administration Control buttons
in the right display area.]


To secure local access to Cisco Secure ACS and to allow for remote access to Cisco Secure
ACS, a Cisco Secure ACS administrator user must be created. The navigation menu button
descriptions on the previous page indicate that the Administration Control task is used to
complete this function.
The Administrative Control page displays a list of all the configured administrator accounts and
various task buttons that are used to add new Cisco Secure ACS administrators and to configure
various administrative policies. The right display area shows help descriptions for each of the
Administrative Control sub-tasks.
To add a new Cisco Secure ACS administrator, click the Add Administrator button.



Creating the First Administrator User Account (Cont.)

[Figure: the Add Administrator sub-task. Enter the administrator ID and password; grant this
administrator all privileges, or add more privileges individually. Submit adds the
administrator; Cancel returns to the previous screen. Help on the administrator attributes
appears in the right display area.]


The Add Administrator configuration page asks for user input of the administrator: (account)
name and a password. The rest of the Add Administrator page allows for the configuration of
the privileges for this administrator. Administrators must be explicitly granted privileges to
administer user groups, as well as all other configuration activities associated with the functions
listed in the navigation bar. For some of these functions, privileges can also be granted at the
sub-task level. For this user, however, we wish to have at least one Cisco Secure ACS
administrator who has all privileges—a super user.
When you click the Grant All button in the Administrator Privileges display box, all privileges
are granted. This causes all groups listed in the left Available Groups box to be moved into the
Editable Groups box and for all other privileges to be granted. Granting all privileges allows
this administrator to perform all Cisco Secure ACS configuration functions.
Clicking the Submit button creates a new Cisco Secure ACS administrator and returns to the
Administrative Control display page. Clicking the Cancel button returns you to the main
Administrative Control display page without actually creating the administrator.

Note The Administrator Privileges listed will change based on what is selected in the Advanced
Options sub-task of the Interface Configuration function. Later in this lesson, we will revisit
adding administrators and discuss the Interface Configuration function.

You can edit a Cisco Secure ACS administrator account to change the privileges granted to the
administrator. Revoking all privileges effectively disables an administrator account. You
cannot change the name of an administrator account; however, you can delete an administrator
account and then create an account with the new name. Simply click the name of the
administrator account whose privileges you want to edit, and follow the prompts. When all the
changes have been made, click Submit to save the changes.
You can delete a Cisco Secure ACS administrator account when you no longer need it. We
recommend deleting any unused administrator accounts. Simply click the name of the
administrator account you wish to delete and click Delete. On confirmation, Cisco Secure ACS
deletes the account. The Administrators table on the Administration Control page no longer
lists the administrator account that you deleted.



Configuring Administrator Policies
This topic describes how to configure administrator policies on the Cisco Secure ACS
including administrative access, session policy, and audit control policy.

Administrator Policies

[Figure: the Administration Control page. Click an administrator in the list to edit or
delete that administrative user; click a policy button to set or edit that policy.]

The administrator policies can be configured by clicking the appropriate button from the main
Administrative Control display page. There are three administrator policy buttons: the Access
Policy button, the Session Policy button and the Audit Policy button. Note that the
administrator just configured is now displayed in the list of Cisco Secure ACS administrators.
To edit or delete administrators, select them from this list. Click on the appropriate button to
enter the configuration dialog page for each of these policies. Submitting the policy returns you
to this main Administrative Control display page.

Access Policy

[Figure: the Access Policy page. Indicate the IP addresses from which a Cisco Secure ACS
administrator is allowed to connect (default displayed); restrict the ports to be used for
administrator sessions (defaults displayed). Submit applies the policy; Cancel returns to
the previous screen.]


The Access Policy feature affects access to remote Cisco Secure ACS administration sessions.
You can limit remote administrator access by IP address and by the TCP port range used for
administrative sessions. Not all deployments of Cisco Secure ACS may want the system to be
accessed remotely for administration purposes. Therefore, use the Access Policy to determine
the rules for administrative access to the Cisco Secure ACS system.
Remote access to the Cisco Secure ACS can be limited to hosts with selected IP addresses. Use
the IP Address Filtering configuration box to determine the filtering criteria for permit or deny
access to the Cisco Secure ACS. IP Address Filtering is for the IP addresses listed in the IP
Address Ranges configuration box.

Note The IP address used for filtering is the one received by Cisco Secure ACS. This is crucial to
understand if either Network Address Translation (NAT) or proxy HTTP is implemented.

As previously mentioned, Cisco Secure ACS allocates the TCP port to be used for HTTP when
the administrator is granted access. The range of TCP ports to be used can be limited using the
HTTP Port Allocation configuration box. This limitation can help secure remote access to the
Cisco Secure ACS through a firewall.
Along with the account login information, the Administrative Access Policy can be used to
further refine secure access to the Cisco Secure ACS. Clicking the Submit button enforces the
newly configured access policies and returns to the main Administrative Control display page.



Session Policy

[Figure: the Session Policy page with the Session Control attributes. Uncheck automatic
local login to force usernames and passwords for all logins (local and remote). Submit
applies the policy; Cancel returns to the previous screen.]


The Session Policy feature controls various aspects of the Cisco Secure ACS administrative
sessions. Session policies are used to help increase the security of the Cisco Secure ACS. When
initially installed, Cisco Secure ACS allows for automatic local login (no username or
password). Now that an administrator account with all privileges has been created, this
capability can be disabled to force all access to the Cisco Secure ACS to be authenticated.
Because leaving a Cisco Secure ACS administrative session unattended can be a recipe for
disaster, use the Session Policy to cease a session after a configurable amount of idle time.
Previously, the Access Policy configured a valid range of IP addresses to be used for remote
administrative access to the Cisco Secure ACS. The Cisco Secure ACS is by default configured
to send an error message for any access attempt made from a machine not in the valid range.
Uncheck this option in the Session Policy if no message is required. Finally, use the Session
Policy to lock out an administrator after a configurable number of failed login attempts.
Clicking the Submit button enforces the newly configured session policies and returns to the
main Administrative Control display page.
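The Access Policy and Session Policy just described can be read as a small set of checks applied to every remote administrative login. The Python below is an added model of those checks, not Cisco Secure ACS code: permit or deny by the source address ACS observes (which, as the note above says, is the NAT or proxy address when one is in the path), allocation of a session port from the restricted HTTP port range, an idle timeout, and lockout after a configurable number of failed logins. The class names, the parameters and the constructed walk-through in scenario() are assumptions of this example.

```python
# Added example (not Cisco Secure ACS code): modelling the administrative
# Access Policy and Session Policy checks. All names and values are invented.
import ipaddress
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class AccessPolicy:
    ip_ranges: List[Tuple[str, str]]            # inclusive (first, last) IPv4 ranges
    permit_listed: bool = True                  # True: only listed ranges; False: all but listed ranges
    port_range: Tuple[int, int] = (1024, 65535) # TCP ports a session may be moved to

    def address_allowed(self, observed_src: str) -> bool:
        # The address checked is the one ACS receives; behind NAT or an HTTP
        # proxy that is the translator's or proxy's address, not the admin's.
        addr = ipaddress.ip_address(observed_src)
        listed = any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                     for lo, hi in self.ip_ranges)
        return listed if self.permit_listed else not listed

    def allocate_port(self, in_use: Set[int], rng=random) -> Optional[int]:
        """Pick a free port inside the restricted range; None if the range is exhausted."""
        lo, hi = self.port_range
        free = [p for p in range(lo, hi + 1) if p not in in_use]
        return rng.choice(free) if free else None


@dataclass
class SessionPolicy:
    idle_timeout: timedelta = timedelta(minutes=60)
    max_failed_logins: int = 3


@dataclass
class AdminState:
    failed_logins: int = 0
    locked_out: bool = False
    last_activity: Optional[datetime] = None


def record_login_attempt(policy: SessionPolicy, state: AdminState,
                         password_ok: bool, now: datetime) -> bool:
    """Apply the failed-login lockout rule; returns whether the login succeeded."""
    if state.locked_out:
        return False
    if password_ok:
        state.failed_logins = 0
        state.last_activity = now
        return True
    state.failed_logins += 1
    if state.failed_logins >= policy.max_failed_logins:
        state.locked_out = True
    return False


def session_idle_expired(policy: SessionPolicy, state: AdminState, now: datetime) -> bool:
    return state.last_activity is not None and now - state.last_activity > policy.idle_timeout


def remote_login(access: AccessPolicy, session: SessionPolicy, state: AdminState,
                 src_ip: str, password_ok: bool, now: datetime, in_use: Set[int]) -> Optional[int]:
    """Address filter first, then credentials and lockout, then port allocation.
    Returns the session port or None (state is updated on credential failures only)."""
    if not access.address_allowed(src_ip):
        return None
    if not record_login_attempt(session, state, password_ok, now):
        return None
    return access.allocate_port(in_use)


# Constructed policies: administrators only from 10.1.1.0/24, ports 4000-4010,
# 30 minutes idle timeout, lockout after three failed logins.
ACCESS = AccessPolicy(ip_ranges=[("10.1.1.1", "10.1.1.254")], port_range=(4000, 4010))
SESSION = SessionPolicy(idle_timeout=timedelta(minutes=30), max_failed_logins=3)


def scenario() -> dict:
    """Constructed walk-through of one administrator account."""
    t0 = datetime(2005, 6, 6, 9, 0)
    state = AdminState()
    results = {}
    results["outside_range"] = remote_login(ACCESS, SESSION, state, "192.168.5.7", True, t0, set())
    port = remote_login(ACCESS, SESSION, state, "10.1.1.20", True, t0, {4000, 4001})
    results["port_in_range"] = port is not None and 4002 <= port <= 4010
    results["idle_after_10min"] = session_idle_expired(SESSION, state, t0 + timedelta(minutes=10))
    results["idle_after_31min"] = session_idle_expired(SESSION, state, t0 + timedelta(minutes=31))
    for i in range(3):   # three wrong passwords from a permitted address
        remote_login(ACCESS, SESSION, state, "10.1.1.20", False, t0 + timedelta(minutes=40 + i), set())
    results["locked_out"] = state.locked_out
    results["login_while_locked"] = remote_login(ACCESS, SESSION, state, "10.1.1.20", True,
                                                 t0 + timedelta(hours=1), set())
    return results


if __name__ == "__main__":
    print(scenario())
```

The address filter runs before the credential check, so attempts from outside the permitted ranges never count towards the lockout; this is deliberate, since otherwise anyone able to reach the port could lock administrators out without knowing a password.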

Audit Policy

[Figure: the Audit Policy page with the parameters for Administrator Audit reports. To view
audit reports, choose Reports and Activities > Administrator Audit > filename. Submit
applies the policy; Cancel returns to the previous screen.]


All activities performed by Cisco Secure ACS administrators are logged to an audit file. The
Audit Policy controls the time or amount of information in each file and the duration
maintained in the database. New audit files can be generated on a daily, weekly, monthly, or on
a configurable file size basis. Depending on which time option is selected, new daily files are
opened at 12:01 a.m. every day, new weekly files are opened at 12:01 a.m. every Sunday, and
monthly files are opened at 12:01 a.m. the first day of every month. Files can be maintained in
the directory based on a number of files, or on the age of the files. If the Manage Directory
check box is not checked, all logs are kept indefinitely. The Administrator Audit information
can be viewed by choosing Reports and Activities > Administrator Audit > filename.
Clicking the Submit button enforces the newly configured audit policies and returns to the main
Administrative Control display page.
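The rotation and retention rules above have a few boundary cases worth seeing worked through (a minute after midnight, the Sunday boundary, the first of the month, and a directory that is not managed at all). The Python below is an added illustration of those rules written for this page, not Cisco Secure ACS code; the policy fields, the file names, sizes and dates are constructed, and the 2 MB default size threshold is an assumption.

```python
# Added example (not Cisco Secure ACS code): the audit-file rotation and
# directory retention rules the Audit Policy describes. Names are invented.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class AuditPolicy:
    rotate: str = "daily"                 # "daily" | "weekly" | "monthly" | "size"
    max_bytes: int = 2 * 1024 * 1024      # size-based rotation threshold (constructed value)
    manage_directory: bool = True         # False = the Manage Directory box is unchecked: keep everything
    keep_files: Optional[int] = None      # retain only the newest N files, or ...
    keep_days: Optional[int] = None       # ... only files modified within the last N days


def period_start(policy: AuditPolicy, when: datetime) -> datetime:
    """The 12:01 a.m. boundary that opened the file `when` falls into."""
    boundary = when.replace(hour=0, minute=1, second=0, microsecond=0)
    if when < boundary:                       # 00:00:00-00:00:59 still belongs to the previous day
        boundary -= timedelta(days=1)
    if policy.rotate == "weekly":             # back to the most recent Sunday (weekday() == 6)
        boundary -= timedelta(days=(boundary.weekday() + 1) % 7)
    elif policy.rotate == "monthly":
        boundary = boundary.replace(day=1)
    return boundary


def needs_new_file(policy: AuditPolicy, opened_at: datetime,
                   current_bytes: int, now: datetime) -> bool:
    """True when the open audit file should be closed and a new one started."""
    if policy.rotate == "size":
        return current_bytes >= policy.max_bytes
    return period_start(policy, now) > period_start(policy, opened_at)


def files_to_delete(policy: AuditPolicy, files: List[Tuple[str, datetime]],
                    now: datetime) -> List[str]:
    """Names to prune from the audit directory, by count or by age."""
    if not policy.manage_directory:
        return []
    newest_first = sorted(files, key=lambda f: f[1], reverse=True)
    if policy.keep_files is not None:
        return [name for name, _modified in newest_first[policy.keep_files:]]
    if policy.keep_days is not None:
        return [name for name, modified in newest_first
                if now - modified > timedelta(days=policy.keep_days)]
    return []


def scenario() -> dict:
    """Constructed cases around each rotation boundary."""
    opened = datetime(2005, 6, 6, 8, 0)   # file opened on a Monday morning
    files = [("audit-2005-06-01.csv", datetime(2005, 6, 1)),
             ("audit-2005-06-04.csv", datetime(2005, 6, 4)),
             ("audit-2005-06-06.csv", opened)]
    today = datetime(2005, 6, 7)
    return {
        "daily_before_0001": needs_new_file(AuditPolicy("daily"), opened, 0, datetime(2005, 6, 7, 0, 0, 30)),
        "daily_at_0001": needs_new_file(AuditPolicy("daily"), opened, 0, datetime(2005, 6, 7, 0, 1)),
        "weekly_saturday": needs_new_file(AuditPolicy("weekly"), opened, 0, datetime(2005, 6, 11, 23, 0)),
        "weekly_sunday": needs_new_file(AuditPolicy("weekly"), opened, 0, datetime(2005, 6, 12, 0, 2)),
        "monthly_june30": needs_new_file(AuditPolicy("monthly"), opened, 0, datetime(2005, 6, 30, 12, 0)),
        "monthly_july1": needs_new_file(AuditPolicy("monthly"), opened, 0, datetime(2005, 7, 1, 0, 1)),
        "size": needs_new_file(AuditPolicy("size", max_bytes=1024), opened, 2048, opened),
        "keep_two": files_to_delete(AuditPolicy(keep_files=2), files, today),
        "keep_3_days": files_to_delete(AuditPolicy(keep_days=3), files, today),
        "unmanaged": files_to_delete(AuditPolicy(manage_directory=False, keep_files=1), files, today),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The unmanaged case is the one to watch in a deployment: with the Manage Directory box unchecked nothing is ever pruned, so the audit directory grows until the disk fills unless something else rotates it.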



Setting Up Remote Access
This topic describes how to set up the Cisco Secure ACS for remote administrator access.

Remotely Accessing Cisco Secure ACS

[Figure: the remote login dialog. The session starts on port 2002 and ACS selects a unique
port for the administrative session; all remote users must log in, and sessions are
controlled by the administration control policies.]

Now that a Cisco Secure ACS administrator account and administrative policies have been
created, an administrator can remotely access Cisco Secure ACS from a host machine in the
valid IP address range defined in the Access Policy.
To remotely access Cisco Secure ACS follow these steps:
1. Open a supported web browser. Make sure the browser is properly configured; for
   example, Java and JavaScript must be enabled.
2. Enter the following URL to access the Cisco Secure ACS: http://<server IP address or
   hostname>:2002.
3. At this point, you will receive the Login dialog as illustrated in the figure. Enter the
   Cisco Secure ACS administrator account name and password and click Login.

The Cisco Secure ACS start page is now displayed. Notice that Cisco Secure ACS has assigned
a new TCP port for HTTP use for this session. This assignment is based on the range of ports to
be used for HTTP allocation as configured in the Access Policy.

Basic Configuration Tasks
This topic describes how to configure external user databases, user interfaces and the system.

Basic Configuration Tasks

• Configure external user databases
• Configure the user interface
• Configure the system

The overall goal of complete deployment planning is to ensure that the basic configuration
tasks need only be performed once. However, because of the flexibility of the Cisco Secure
ACS, Cisco Secure ACS administrators may find themselves returning to some of these
configuration tasks on a periodic basis to fine-tune their Cisco Secure ACS deployment.
Based on display dependencies, there is some logic to the listed order of the configuration tasks
in this section. The external databases are configured first because they drive some system
configuration tasks. The Interface Configuration task drives which configuration components
are displayed in most of the other Cisco Secure ACS configuration task screens. Finally, the
Configure Reports task was included here because it is actually configured from within the
System Configuration tasks of Cisco Secure ACS. The basic configuration tasks are as follows:
• It is logical that the starting point is to configure any external user databases used for
  authentication. For Cisco Secure ACS to communicate with the external databases, some
  form of application programming interface (API) for communication with the external
  database is required.
• The Interface Configuration task is the next logical choice in the configuration progression
  because it can be used to display or hide different configuration items in most other
  functional configuration areas of the Cisco Secure ACS.
• The System Configuration task is used to configure some basic system parameters
  (Logging, Date Format Control, Password Validation, and so on), advanced system features
  that depend on how ACS is to be deployed (ACS Certificate Setup, IP Pools Server, and so
  on), and basic system management tasks (ACS Backup, ACS Service Management).



User Interface Configuration
This topic explains how the Interface Configuration task can be used to display or hide
configuration items.

Interface Configuration

[Figure: the Interface Configuration options. RADIUS and TACACS+ appear as options on this
page only after an AAA client is configured to use them.]

The Interface Configuration task is the next logical choice in the progression of configuring
Cisco Secure ACS because it can be used to display or hide different configuration items in
most other functional configuration areas of the Cisco Secure ACS. This feature enhances the
ease of use of the Cisco Secure ACS product by hiding those features that are not being used.
When selecting the Interface Configuration task from the navigation menu, the Cisco Secure
ACS administrator is presented with several options for controlling what is displayed on the
various configuration screens within the Cisco Secure ACS. There are four categories of
Interface Configuration options:
• User Data
• Terminal Access Controller Access Control System Plus (TACACS+)
• RADIUS
• Advanced Options

The RADIUS and TACACS+ options only appear after an AAA client has been configured to
use the security protocol.
Administrators should plan which configuration features they want to use prior to starting any
detailed configuration work. Returning to this section to turn on or off a feature could mean a
fair amount of reconfiguration.
Note that disabling an option in the Interface Configuration task affects nothing except the
display of that function in the Cisco Secure ACS interface. Configurations made while an
Interface Configuration option was active remain in effect even when that option is turned
off. Further, the interface still displays any option that has non-default values, even if
you have configured that option to be hidden. If you later delete the values associated with
that option, Cisco Secure ACS then hides the option from the interface.



Interface Configuration—User Data

[Figure: the Configure User Defined Fields page. Choose the fields to be displayed on the
User Setup page; you can edit each field name and later select fields to include in
accounting logs. RADIUS and TACACS+ appear as options on this page only after an AAA
client is configured to use them.]

Choosing the User Data Configuration option enables you to add (or edit) up to five fields used
to record additional information on each user. The fields you define on the Configure User
Defined Fields page subsequently appear in the Supplementary User Information section at the
top of the User Setup page. For example, you could add the user company name, telephone
number, department, billing code, and so on. These fields are also available for inclusion in the
accounting logs.
Clicking the Submit button includes these fields in the User Setup configuration dialog.

Interface Configuration—Advanced Options

• Reduce configuration complexity by turning off features you do not intend to use.

Use the Advanced Options sub-task of the Interface Configuration task to choose which
configuration options to display for the various Cisco Secure ACS tasks, and so to simplify their
configuration screens. The figure indicates which Cisco Secure ACS task displays are
modified by the selection of each of the Advanced Options. The Advanced Options fall into
general areas of configuration: authorization parameters at the user or group level, the
features of the Cisco Secure ACS network to use, logging options, and specialized system
configurations.
The Advanced Options features include the following:
• Per-User TACACS+ and RADIUS Attributes: This option enables TACACS+ and RADIUS attributes to be set at a per-user level, in addition to being set at the group level.
• User-Level NAR Sets: This option allows named, IP-based and command-line interface- (CLI) or dialed number identification service- (DNIS) based shared NARs to be used on the User Setup page.
• User-Level NARs: This option enables two sets of options for defining user-level IP-based and CLI- or DNIS-based NARs on the User Setup page.
• User-Level Downloadable ACLs: This option allows shared downloadable ACLs to be used on the User Setup page.
• Default Time-of-Day and Day-of-Week Specification: This option enables the default time-of-day and day-of-week access settings grid on the Group Setup page.
• Group-Level Network Access Restriction Sets: This option allows named, IP-based and CLI- or DNIS-based shared NARs to be used on the Group Setup page.
• Group-Level Network Access Restrictions: This option enables the two sets of options for defining group-level IP-based and CLI- or DNIS-based NARs on the Group Setup page.
• Group-Level Downloadable ACLs: This option allows shared downloadable ACLs to be used on the Group Setup page.



• Group-Level Password Aging: This option enables the Password Aging section on the Group Setup page. The Password Aging feature enables you to force users to change their passwords.
• Max Sessions: This option enables the Max Sessions section on both the User and Group Setup pages. The Max Sessions option sets the maximum number of simultaneous connections for a group or a user.
• Usage Quotas: This option enables the Usage Quotas sections on both the User and Group Setup pages. The Usage Quotas option sets one or more quotas for usage by a group or a user.
• Distributed System Settings: This option displays the AAA server and proxy table on the Network Interface page. If the tables are not empty and have information other than the defaults in them, they always appear. This option must be enabled to make use of remote logging, database replication, and Relational Database Management System (RDBMS) synchronization.
• Remote Logging: This option enables the remote logging feature in the Logging page of the System Configuration section. Distributed System Settings must be enabled.
• Cisco Secure ACS Database Replication: This option enables the Cisco Secure ACS database replication information on the System Configuration page. Distributed System Settings must be enabled.
• RDBMS: This option enables the RDBMS option on the System Configuration page. If RDBMS is configured, this option always appears. Distributed System Settings must be enabled.
• IP Pools: This option enables the IP Pools Address Recovery and IP Pools Server options on the System Configuration page.
• Network Device Groups: This option enables the use of Network Device Groups (NDGs). When NDGs are enabled, the Network Configuration section and parts of the User Setup and Group Setup pages change to enable you to manage groups of network devices (AAA clients or AAA servers). This feature is useful if you have many devices to administer.
• Voice over IP (VoIP) Group Settings: This option enables the VoIP option on the Group Setup page.
• Voice over IP (VoIP) Accounting Configuration: This option enables the VoIP Accounting Configuration option on the System Configuration page. This option is used to determine the logging format of RADIUS VoIP accounting packets.
• ODBC Logging: This option enables the ODBC logging sections on the Logging page of the System Configuration section.

When changes to the Advanced Options are complete you must click the Submit button to have
the changes take effect.

System Configuration
This topic describes how the System Configuration task is used to configure basic system
parameters, advanced system features, and basic system management tasks.

System Configuration

• How Cisco Secure ACS will be used determines what elements need to be configured.
• Some tasks and subtasks show up only if enabled by the Interface Configuration task.

The System Configuration task is used to configure some basic system parameters (Logging,
Date Format Control, Password Validation, and so on), advanced system features whose
relevance depends on how ACS is to be deployed (ACS Certificate Setup, IP Pools Server, and
so on), and basic system management tasks (ACS Backup, ACS Service Management). Thus,
what is actually selected for configuration on the System Configuration page depends on how
the ACS system is to be deployed and used.

Note Some of the options on this page may only be displayed if corresponding Interface
Configuration Advanced Options are enabled.

The following is a list of the System Configuration options. Most tasks are self-explanatory to
configure, but for additional information consult the ACS User Guide or the online context-
sensitive help displayed in the right display area of the ACS desktop. Some of these
options will be discussed in more detail in other sections of this lesson.
• Service Control: This option opens the page from which you can stop or restart the ACS services and configure the service log detail. Service Log configuration is discussed later in this section.
• Logging: This option configures various Cisco Secure ACS reports and customizes the type of information that is logged. Logging configuration is discussed later in this lesson.
• Date Format Control: This option configures the date format, either month/day/year or day/month/year, for CSV files and Service Logs.
• Password Validation: This option configures password parameters such as password length. Note that this option does not apply to administrator passwords, enable passwords, or sendauth passwords.



• Cisco Secure Database Replication: If this option does not appear, enable it under Interface Configuration > Advanced Options > Database Replication. This option is where you configure database replication among Cisco Secure ACS platforms. To use this option you must have already enabled and configured Distributed System Settings in the Interface Configuration section.
• RDBMS Synchronization: If this feature does not appear, enable it under Interface Configuration > Advanced Options > RDBMS Synchronization. This option is where you configure database synchronization. To use this option you must have already enabled and configured the ODBC-compliant relational database.
• Cisco Secure ACS Backup: This option backs up or configures parameters for backing up the Cisco Secure ACS system.
• Cisco Secure ACS Restore: This option restores or configures parameters for restoring the Cisco Secure ACS configuration from a Cisco Secure ACS system backup file.
• Cisco Secure ACS Service Management: This option configures the Cisco Secure ACS monitoring service, CSMon, and e-mail notification of CSMon events.
• IP Pools Address Recovery: If this feature does not appear, enable it under Interface Configuration > Advanced Options > IP Pools Server. This option enables automatic recovery of IP pools whose addresses have not been used for a specified amount of time.
• IP Pools Server: If this feature does not appear, enable it under Interface Configuration > Advanced Options > IP Pools Server. This option is where you configure IP pools. The IP pools feature enables you to assign the same IP address to multiple users, as long as the users are on different segments of the network. This enables you to reuse IP addresses and reduce the number of IP addresses on your network. When you enable the IP pools feature, ACS dynamically issues IP addresses from the IP pools you have defined by number or name. You can configure up to 999 IP pools, for approximately 255,000 users.
• VoIP Accounting Configuration: If this feature does not appear, enable it under Interface Configuration > Advanced Options > Voice-over-IP (VoIP) Accounting Configuration. This option is where you configure VoIP accounting. The VoIP accounting configuration feature enables you to specify whether VoIP accounting packets are logged along with RADIUS accounting data, in a CSV file, or in both locations.
• Cisco Secure ACS Certificate Setup: This option configures automatic or manual certificate enrollment to support EAP-TLS.
• Certification Authority Setup: This option configures which certificate authorities Cisco Secure ACS is to trust when authenticating users with the EAP-TLS protocol.
• Global Authentication Setup: This option specifies settings for all EAP and MS-CHAP authentication requests.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• The Cisco Secure ACS GUI is accessed through a web browser. The GUI is comprised of three components: Tasks (navigation bar), the left display area and the right (help) display area.
• The first step is to create a first Administrator User Account using the Add Administrator configuration window.
• Configure administrator policies using the Administrator Control display page and the Access, Session, and Audit Policy features.
• You can configure remote access to Cisco Secure ACS.
• Tasks such as configuring external user databases, user interfaces and the system should be completed in systematic order.
• To simplify configuration screens, the Interface Configuration task is used to display or hide different configuration items.
• The System Configuration task is used to configure basic system parameters, advanced system features, and basic system management tasks.



Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) JavaScript must be enabled to access the Cisco Secure ACS GUI. (Source: The Cisco
Secure ACS GUI)
A) True
B) False
Q2) A product code serves as a password when accessing the Cisco Secure ACS GUI for
the first time. (Source: The Cisco Secure ACS GUI)
A) True
B) False
Q3) The same port is used for each administrative session. (Source: The Cisco Secure ACS
GUI)
A) True
B) False
Q4) User setup is used to map users to the authentication database. (Source: The Cisco
Secure ACS GUI)
A) True
B) False
Q5) Group setup is used to map users to groups. (Source: The Cisco Secure ACS GUI)
A) True
B) False
Q6) The Shared Profile Components menu item allows you to create shared components for
downloadable Cisco PIX ACLs. (Source: The Cisco Secure ACS GUI)
A) True
B) False
Q7) Which three of the following buttons are used to configure administrator policies?
(Choose three.) (Source: Configuring Administrator Policies)
A) Access Policy button
B) Authentication Policy button
C) Session Policy button
D) Audit Policy button
E) Account Policy button
F) Group Policy button
Q8) Why does Cisco Secure ACS require a password for remote access? (Source: Setting
Up Remote Access)
______________________________________________________________________

______________________________________________________________________

Q9) Although administrators can fine tune configurations after they have been completed, it
is recommended that the initial configuration of Cisco Secure ACS follows a sequence.
Arrange the following configuration tasks in the recommended order by placing a
number of 1 to 4 in the space provided. (Source: Basic Configuration tasks).
A) configure the Cisco Secure ACS logs _____
B) configure the user interfaces _____
C) configure the system _____
D) configure the external user databases _____
Q10) The RADIUS and TACACS+ configuration options only appear after an AAA client
has been configured to use the protocol. (Source: User Interface Configuration)
A) True
B) False
Q11) Supplementary User Information appears in the User Interface, but is actually entered
in the accounting logs. (Source: User Interface Configuration)
A) True
B) False
Q12) TACACS+ and RADIUS attributes can only be set at a group level. (Source: User
Interface Configuration)
A) True
B) False
Q13) You can use shared downloadable ACLs on the User Setup page. (Source: User
Interface Configuration)
A) True
B) False
Q14) You cannot use shared downloadable ACLs on the Group Setup page. (Source: User
Interface Configuration)
A) True
B) False
Q15) Users can be authenticated against which of the following? (Source: User Databases)
A) an internal database with specific user assignment
B) a token server
C) an external database with a specific user assignment
D) A and B
E) B and C
F) A and C
G) A, B and C



Lesson Self-Check Answer Key
Q1) A
Q2) B
Q3) B
Q4) A
Q5) B
Q6) A
Q7) A, C and D
Q8) The first time an administrator accesses the Cisco Secure ACS is from the console. A password is not
needed. Only after administrator policies, which include the setting of user accounts and passwords, have
been configured can a remote access be granted.
Q9) D, B, C and A
Q10) A
Q11) B
Q12) B
Q13) A
Q14) B
Q15) E

Lesson 5

Disabling Unused Cisco Router Network Services and Interfaces

Overview
Cisco routers are initially deployed with services that are enabled by default.

This lesson concerns Cisco configuration settings that network administrators should consider
changing on their routers, especially on their border routers, to improve security. The lesson
presents basic configuration settings that are almost universally applicable in IP networks, and
a few unexpected things about which you should be aware.

The list is not exhaustive, nor can it be substituted for understanding on the part of the network
administrator; it is simply a reminder of some of the things that are sometimes forgotten. Only
commands that are important in IP networks are mentioned. Many of the services that can be
enabled in Cisco routers require careful security configuration. However, this lesson describes
services that are enabled by default, or that are almost always enabled by users, and that may
need to be disabled or reconfigured.

Consideration of these services is particularly important because some of the default settings in
Cisco IOS software are there for historical reasons; they made sense when they were chosen,
but would probably be different if new defaults were chosen today. Other defaults make sense
for most systems, but may create security exposures if they are used in devices that form part of
a network perimeter defense. Still other defaults are actually required by standards, but are not
always desirable from a security point of view.

This lesson describes ways to secure networks by shutting off unnecessary network services
and interfaces. To practice what you have learned, a lab exercise in the form of an open
discussion of the existing lab topology will follow.
Objectives
Upon completing this lesson, you will be able to disable unused Cisco router network services
and interfaces. This ability includes being able to meet these objectives:
• Describe the purpose of each of the four basic router topologies
• Identify the router services and interfaces that are vulnerable to network attacks
• Explain how to disable the most vulnerable and unnecessary router services and interfaces
• Explain how to disable and restrict commonly configured management services
• Explain how to ensure path integrity by disabling ICMP mask redirects and IP source routing
• Explain how to disable probes and scans including finger service, ICMP masks, unreachable messages, and ICMP mask replies and redirects
• Explain how to ensure terminal access security by disabling IP identification
• Explain how to disable gratuitous and proxy ARPs to mitigate DoS, DDoS, and man-in-the-middle attacks
• Explain how to disable IP directed broadcast to mitigate DoS and DDoS attacks

Routers Secure Networks
This topic describes the purpose of each of the four basic router topologies.

Standalone Perimeter Router

[Figure: the corporate (trusted) network connects to the Internet (untrusted network) through a single perimeter (premises) router.]

The most basic routed network consists of a corporate LAN connected to the Internet using a
single perimeter router. The perimeter router is the first line of defense for an enterprise
network. This router must secure the corporate network (trusted network) from malicious
activity originating on the Internet (untrusted network). Installations of this type are typical of
small enterprises.



Perimeter Router and Firewall

[Figure: the corporate (trusted) network sits behind a firewall, which sits behind the perimeter (premises screening) router facing the Internet (untrusted network); a DMZ off the firewall hosts the web server and mail server.]

Medium-sized networks typically use a firewall appliance behind the perimeter router. In this
scenario, the perimeter router provides basic packet filtering on packets destined for the
corporate network, while the firewall appliance, with its additional security features, performs
user authentication and more advanced packet filtering.

Firewall installations also facilitate the creation of demilitarized zones (DMZs) where hosts that
are commonly accessed from the Internet are placed.

Perimeter Router with Integrated Firewall

[Figure: the corporate (trusted) network connects to the Internet (untrusted network) through a single perimeter (firewall) router; a DMZ off the router hosts the web server and mail server.]

Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall
features in the perimeter router itself. Although this option does not provide the same
performance and security features that a Cisco PIX Security Appliance offers, a router with an
integrated firewall feature set can solve most small-to-medium business perimeter security
requirements.



Perimeter Router, Firewall, and Internal Router

[Figure: from the Internet (untrusted network) inward: perimeter (premises) router, firewall, internal (local network) router, corporate (trusted) network; a DMZ off the firewall hosts the web server and mail server.]

Finally, many medium-to-large sized enterprises use a combination of internal (local network)
routers and perimeter (premises) routers and firewall appliances. Internal routers provide
additional security to the network by screening traffic to various parts of the protected
corporate network. Virtual local area networks (VLANs) are also commonly implemented
within an enterprise network using Cisco Catalyst switches. Cisco Catalyst multilayer switches
containing their own security features can sometimes replace internal (local network) routers to
provide higher performance in VLAN architectures.

Vulnerable Router Services and Interfaces
This topic describes the router services and interfaces that are vulnerable to network attacks.

Vulnerable Router Services and Interfaces

• Disabling unnecessary services and interfaces:
  – Unused router interfaces
  – Bootp server
  – Cisco Discovery Protocol (CDP)
  – Configuration auto-loading
  – FTP server
  – TFTP server
  – NTP service
  – PAD service
  – TCP and UDP minor services
  – DEC MOP service
• Disabling commonly configured management services:
  – SNMP
  – HTTP server
  – DNS
• Ensuring path integrity:
  – ICMP redirects
  – IP source routing
• Disabling probes and scans:
  – Finger
  – ICMP unreachable notifications
  – ICMP mask reply
• Ensuring terminal access security:
  – IP identification service
  – TCP keepalives
• Disabling gratuitous and proxy ARP:
  – Gratuitous ARPs
  – Proxy ARP
• Disabling IP directed broadcast

Cisco routers support many network services that may not be required in certain enterprise
networks. The services listed in the figure have been chosen for their vulnerability to malicious
exploitation. These are the router services most likely to be used in network attacks. For ease of
learning, we have grouped them as follows:
• Disabling unnecessary services and interfaces: These services and interfaces include:
— Router interfaces: Limit unauthorized access to the router and the network by
disabling unused open router interfaces.
— Bootp server: This service is enabled by default. This service allows a router to act
as a Bootp server for other routers. This service is rarely required and should be
disabled.
— Cisco Discovery Protocol (CDP): This service is enabled by default. CDP is used
primarily to obtain protocol addresses of neighboring Cisco devices and discover the
platforms of those devices. CDP can also be used to show information about the
interfaces your router uses. CDP is media- and protocol-independent, and runs on
most Cisco-manufactured equipment, including routers, bridges, access servers,
switches, and phones. If not required, this service should be disabled globally or on
a per-interface basis.
— Configuration auto-loading: This service is disabled by default. Auto-loading of
configuration files from a network server should remain disabled when not in use by
the router.
— FTP server: This service is disabled by default. The FTP server enables you to use
your router as an FTP server for FTP client requests. Because it allows access to
certain files in the router Flash memory, this service should be disabled when it is
not required.
— TFTP server: This service is disabled by default. The TFTP server enables you to
use your router as a TFTP server for TFTP clients. This service should be disabled
when it is not in use because it allows access to certain files in the router Flash
memory.
— Network Time Protocol (NTP) service: This service is disabled by default. When
enabled, the router acts as a time server for other network devices. If configured
insecurely, NTP can be used to corrupt the router clock and potentially the clock of
other devices that learn time from the router. Correct time is essential for setting
proper time stamps for IPSec encryption services, log data, and diagnostic and
security alerts. If this service is used, restrict which devices have access to NTP.
Disable this service when it is not required.
— Packet assembler and disassembler (PAD) service: This service is enabled by
default. The PAD service allows access to X.25 PAD commands when forwarding
X.25 packets. This service should be explicitly disabled when not in use.
— TCP and User Datagram Protocol (UDP) Minor services: These services are
enabled in Cisco IOS Software Releases prior to Cisco IOS Software Release 11.3
and disabled in Cisco IOS Software Releases 11.3 and later. The minor services are
provided by small servers (daemons) running in the router. They are potentially
useful for diagnostics, but are rarely used. Disable this service explicitly.
— Maintenance Operation Protocol (MOP) service: This service is enabled on most
Ethernet interfaces. MOP is a Digital Equipment Corporation maintenance protocol
that should be explicitly disabled when it is not in use.
• Disabling and restricting commonly configured management services: These services
include:
— Simple Network Management Protocol (SNMP): This service is enabled by
default. The SNMP service allows the router to respond to remote SNMP queries
and configuration requests. If required, restrict which SNMP systems have access to
the router SNMP agent and use SNMP version 3 whenever possible because this
version offers secure communication not available in earlier versions of SNMP.
Disable this service when it is not required.
— HTTP configuration and monitoring: The default setting for this service is Cisco
device dependent. This service allows the router to be monitored or have its
configuration modified from a Web browser via an application such as the Cisco
Security Device Manager. You should disable this service if it is not required. If this
service is required, restrict access to the router HTTP service using access control
lists (ACLs).
— Domain Name System (DNS): This client service is enabled by default. By default,
Cisco routers broadcast name requests to 255.255.255.255. Restrict this service by
disabling it when it is not required. If the DNS lookup service is required, make sure
that you set the DNS server address explicitly.
• Ensuring path integrity: These measures include:
— ICMP redirects: This service is enabled by default. ICMP redirects cause the router
to send ICMP redirect messages whenever the router is forced to resend a packet
through the same interface on which it was received. This information can be used
by attackers to redirect packets to an untrusted device. This service should be
disabled when not required.

— IP source routing: This service is enabled by default. The IP protocol supports
source routing options that allow the sender of an IP datagram to control the route
that a datagram will take toward its ultimate destination, and generally the route that
any reply will take. These options can be exploited by an attacker to bypass the
intended routing path and security of the network. Also, some older IP
implementations do not process source-routed packets properly, and it may be
possible to crash machines running these implementations by sending datagrams
with source routing options. Disable this service when it is not required.
• Disabling probes and scans: These measures include:
— Finger service: This service is enabled by default. The finger protocol (port 79)
allows users throughout the network to get a list of the users currently using a
particular device. The information displayed includes the processes running on the
system, the line number, connection name, idle time, and terminal location. This
information is provided through the Cisco IOS software show users EXEC
command. Unauthorized persons can use this information for reconnaissance
attacks. Disable this service when it is not required.
— ICMP unreachable notifications: This service is enabled by default. This service
notifies senders of invalid destination IP networks or specific IP addresses. This
information can be used to map networks and should be explicitly disabled on
interfaces to untrusted networks.
— ICMP mask reply: This service is disabled by default. When enabled, this service
tells the router to respond to ICMP mask requests by sending ICMP mask reply
messages containing the interface IP address mask. This information can be used to
map the network, and this service should be explicitly disabled on interfaces to
untrusted networks.
• Ensuring terminal access security: These measures include:
— IP identification service: This service is enabled by default. The identification
protocol (specified in RFC 1413) reports the identity of a TCP connection initiator
to the receiving host. This data can be used by an attacker to gather information
about your network, and this service should be explicitly disabled.
— TCP keepalives: This service is disabled by default. TCP keepalives help “clean
up” TCP connections where a remote host has rebooted or otherwise stopped
processing TCP traffic. Keepalives should be enabled globally to manage TCP
connections and prevent certain DoS attacks.
• Disabling gratuitous and proxy Address Resolution Protocol (ARP): These measures
include:
— Gratuitous ARP: This service is enabled by default. Gratuitous ARP is the main
mechanism used in ARP poisoning attacks. You should disable gratuitous ARPs on
each router interface unless this service is otherwise needed.
— Proxy ARP: This service is enabled by default. This feature configures the router to
act as a proxy for Layer 2 address resolution. This service should be disabled unless
the router is being used as a LAN bridge.
• Disabling IP directed broadcast: This service is enabled in Cisco IOS Software Releases
prior to Cisco IOS Software Release 12.0 and disabled in Cisco IOS Software Releases
12.0 or later. IP directed broadcasts are used in the common and popular smurf denial of
service (DoS) attack and other related attacks. This service should be disabled when not
required.
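As an added example (not part of the course material), the following Python script audits a Cisco IOS running-config for the services listed above, applying the defaults the lesson calls out: a service IOS enables by default counts as still on unless its explicit no form is present (a running-config does not show defaults), a service disabled by default is flagged only when the config turns it on, and TCP keepalives are flagged when absent. The command forms are standard IOS global and interface commands; the sample configuration and the router name Austin1 are constructed.

```python
"""Audit a Cisco IOS running-config for the services this lesson says to disable.
Added example, not part of the SND course. A running-config omits defaults, so a
service that IOS enables by default is off only when its "no ..." line appears."""
import re

# Global services enabled by default, with the line(s) that disable them.
GLOBAL_DEFAULT_ON = {
    "Bootp server": ("no ip bootp server",), "CDP": ("no cdp run",),
    "PAD service": ("no service pad",), "IP source routing": ("no ip source-route",),
    "DNS lookup": ("no ip domain-lookup", "no ip domain lookup"),
    "IP identification": ("no ip identd",), "gratuitous ARP": ("no ip gratuitous-arps",),
    "finger service": ("no ip finger", "no service finger"),
}
# Global services disabled by default: flagged only when the config enables them.
GLOBAL_DEFAULT_OFF = {
    "FTP server": "ftp-server enable", "TFTP server": "tftp-server ",
    "configuration auto-loading": "service config", "HTTP server": "ip http server",
    "TCP minor services": "service tcp-small-servers",
    "UDP minor services": "service udp-small-servers",
}
# Disabled by default but should be on: TCP keepalives clean up dead sessions.
REQUIRED_GLOBAL = ("service tcp-keepalives-in", "service tcp-keepalives-out")
# Per-interface defaults on any interface that is not shut down (MOP: Ethernet only).
IFACE_DEFAULT_ON = {"ICMP redirects": "no ip redirects",
                    "ICMP unreachables": "no ip unreachables",
                    "proxy ARP": "no ip proxy-arp"}
ETHERNET = re.compile(r"^(Fast|Gigabit)?Ethernet", re.I)

def parse_config(text):
    """Split a running-config into global lines and per-interface sub-lines."""
    glines, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # "!" separates config blocks
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:  # indented line inside the block
            ifaces[current].append(line.strip())
        else:
            current = None
            glines.append(line)
    return glines, ifaces

def audit(text):
    """Return 'scope: finding' strings; an empty list means the config is clean."""
    glines, ifaces = parse_config(text)
    gset, out = set(glines), []
    for name, off in GLOBAL_DEFAULT_ON.items():
        if not any(ln in gset for ln in off):
            out.append(f"global: {name} on by default; add '{off[0]}'")
    for name, on in GLOBAL_DEFAULT_OFF.items():
        if any(ln.startswith(on) for ln in glines):
            out.append(f"global: {name} explicitly enabled ('{on.strip()}')")
    out += [f"global: '{req}' missing" for req in REQUIRED_GLOBAL if req not in gset]
    for ln in glines:  # a community string ending in RO/RW has no ACL restricting it
        if ln.startswith("snmp-server community") and re.search(r"\s(RO|RW)$", ln):
            out.append(f"global: SNMP community without an ACL ('{ln}')")
    for name, lines in ifaces.items():
        lset = set(lines)
        if "shutdown" in lset:
            continue  # administratively down: nothing exposed on this interface
        if "no ip address" in lset:
            out.append(f"{name}: no IP address but not shut down; unused?")
        for desc, off in IFACE_DEFAULT_ON.items():
            if off not in lset:
                out.append(f"{name}: {desc} on by default; add '{off}'")
        if ETHERNET.match(name) and "no mop enabled" not in lset:
            out.append(f"{name}: DEC MOP on by default; add 'no mop enabled'")
        if "ip directed-broadcast" in lset:
            out.append(f"{name}: IP directed broadcast explicitly enabled")
    return out

# Constructed sample running-config; the router name follows the lesson's figures.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
hostname Austin1
no ip bootp server
ip http server
snmp-server community public RO
snmp-server community s3cret RO 10
!
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip directed-broadcast
!
interface Ethernet0/2
 no ip address
!
interface Serial0/0
 no ip address
 shutdown
!
"""
FINDINGS = audit(SAMPLE_CONFIG)  # one string per problem found
```

Each finding names the interface or "global" scope and the line to add or remove, so the output maps directly onto the commands this lesson covers.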



What You Need to Do

• Know that these services can be used by attackers.
• You do not have to know how they can be used, but you do need to know how and when to disable them.

Leaving unused network services enabled increases the possibility of malicious exploitation of
those services. Turning off or restricting access to these services greatly improves network
security. While it is not required that you explain why many of these services pose the
vulnerabilities they do, you do need to know how and when they need to be disabled.

Disabling Unnecessary Services and Interfaces
This topic describes how to disable the most vulnerable and unnecessary router services and
interfaces on your router.

Disabling Unused Router Interfaces

[Figure: router Austin1 with interfaces e0/0, e0/1, and e0/2; an attack host on the Internet targets the unused interface e0/2.]

Router(config-if)# shutdown

Austin1(config)# interface e0/2
Austin1(config-if)# shutdown

Unused open router interfaces invite unauthorized access to the router and the network. You
can limit this type of attack by administratively disabling the unused interfaces on all routers.

Always disable unused router interfaces using the shutdown command in interface
configuration mode as shown in the figure.

The shutdown command has no keywords or arguments.

Once an interface is shut down, the router requires administrative privileges to reopen (no
shutdown) the interface and restore the network connection.



Disabling Bootp Server

[Figure: Austin3 sends a BOOTP request to Austin1 asking for a Cisco IOS image; Austin2 and Austin4 share the same network.]

Router(config)# no ip bootp server
• Globally disables the Bootp service for this router

Austin1(config)# no ip bootp server

Bootstrap Protocol (BOOTP) is a UDP-based protocol that enables a diskless workstation to
discover its own IP address and the IP address of a BOOTP server on the network. Bootstrap
Protocol also allows a file to be loaded into memory to boot the machine, which enables the
workstation to boot without requiring a hard or floppy disk drive. The protocol is defined by RFC 951.

Cisco routers use BOOTP to access copies of Cisco IOS software images on another Cisco
router running the BOOTP service. In this scenario, one Cisco router acts as a Cisco IOS server
that can download Cisco IOS software to other Cisco routers acting as a Bootstrap Protocol
client (bootpc). This service is rarely used, but when it is, it can allow the following to occur:
• An attacker can use this service to download a copy of the router Cisco IOS software.
• An attacker could exploit this service to perform DoS attacks against the router.

This service is enabled by default.

To disable the Bootp service, use the no ip bootp server command in global configuration
mode as shown in the figure.

The no ip bootp server command has no arguments or keywords.

Disabling CDP

[Figure: network management system NMS1 sends CDP requests to Austin4 asking for neighbor identification; with CDP disabled, Austin4 cannot provide neighbor identification to NMS1. Austin1, Austin2 and Austin3 are the neighboring routers.]

Router(config)# no cdp run
• Globally disables CDP

Austin4(config)# no cdp run

CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-
manufactured devices (routers, bridges, access servers, and switches) and allows network
management applications to discover Cisco devices that are neighbors of already known
devices. This service is enabled by default.

With CDP enabled, network management applications, such as CiscoWorks Campus Manager,
can learn the device type and the IP addresses of neighboring devices. This feature enables
applications to use the learned IP addresses to send queries to neighboring devices.

Attackers can use CDP during reconnaissance attacks to learn of neighboring devices, thus
discovering the network. For this reason, CDP should be disabled, either globally or on a per-
interface basis, when not required.

Disable CDP globally on the router using the no cdp run command in global configuration
mode as shown in the figure.

The no cdp run command has no arguments or keywords.

If you need to use CDP, restrict its use to only those interfaces that require it. Keep the global
setting enabled, but use the no cdp enable command in interface configuration mode to disable
it on a per-interface basis as shown here:
Austin4(config)# interface e0/1
Austin4(config-if)# no cdp enable



Disabling Configuration Autoloading—Network Booting

[Figure: routers Austin1 through Austin4 and the TFTP server AustinTFTP; Austin4 no longer loads its configuration from AustinTFTP.]

Router(config)# no boot network remote-url
Router(config)# no boot host remote-url

Austin4(config)# no boot network tftp://AustinTFTP/TFTP/Austin4.confg
Austin4(config)# no boot host tftp://AustinTFTP/TFTP/Austin4.confg

Router(config)# no service config
Austin4(config)# no service config

Most Cisco routers are configured to load their Cisco IOS image and startup configuration from
local Flash memory. However, you may configure your Cisco routers to load their IOS
software image and startup configuration from a network server instead. Loading router images
and configurations across a network can be dangerous and should be considered only for fully
trusted networks (as in a stand-alone test network). This setting is disabled by default.

If network booting is enabled, it is recommended that you set your routers to obtain their
configurations from a local (trusted) source using the boot network remote-url or boot host
remote-url command in global configuration mode. Disable this setting when it is not required.
The router will attempt to load two configuration files:
• The first is the network configuration file containing common commands that apply to all routers on a network. Use the boot network command to identify the network configuration file.
• The second is the host configuration file containing commands that apply to a specific router. Use the boot host command to identify the host configuration file.

Use the service config command to enable the loading of the specified configuration file at
reboot time. Without this command, the router ignores the boot host and boot network
commands. Explicitly disable configuration autoloading for a previously configured remote
host using the no boot network, no boot host, and no service config commands in global
configuration mode as shown in the figure.

The syntax for the no boot network command is as follows:

no boot network remote-url

Command Element     Description

remote-url          Use the following syntax to provide the location of the configuration file:
                    ftp:[[[//[username[:password]@]location]/directory]/filename]
                    rcp:[[[//[username@]location]/directory]/filename]
                    tftp:[[[//location]/directory]/filename]

The no service config command has no arguments or keywords.



Disabling FTP Server

[Figure: Austin3 attempts an FTP connection to Austin4 (16.1.1.15); the connection is refused.]

Router(config)# no ftp-server enable
Router(config)# no ftp-server write-enable

Austin4(config)# no ftp-server enable
Austin4(config)# no ftp-server write-enable

The FTP server feature configures a router to act as an FTP server. FTP clients can copy files to
and from certain directories on the router. In addition, the router can perform many other
standard FTP server functions. This feature first became available in Cisco IOS Software
Release 11.3 AA.

FTP access to your routers can be used to gain access to the router file system and therefore can
be used to attack the network or the router itself. Unless your routers are being used as FTP
servers, you should always disable the FTP server feature.

Starting in Cisco IOS Software Release 12.3, the router FTP service is disabled by default using
the no ftp-server write-enable command. This can be seen in any Cisco IOS Software Release
12.3 or greater by using the show running-config command as shown here (this example
shows only a small portion of the show running-config command output):
Austin4# show running-config
!
!
no ftp-server write-enable
!

Routers operating with a Cisco IOS Software Release earlier than 12.3 should have their FTP
servers disabled using the no ftp-server enable command, as shown in the figure.

Routers operating with a Cisco IOS Software Release of 12.3 or later, where the FTP server has
been manually enabled, should have the FTP server disabled using the no ftp-server write-
enable command, as shown in the figure.

The no ftp-server enable and the no ftp-server write-enable commands have no arguments or
keywords.

Disabling TFTP Server

[Figure: Austin3 attempts a file transfer from Austin4 (16.1.1.15); the connection is refused.]

Router(config)# no tftp-server flash:

Austin4(config)# no tftp-server flash:

TFTP is a simplified form of FTP. TFTP runs over UDP and provides no security features. TFTP
is often used by servers to boot diskless workstations, X-terminals, and routers.

The TFTP server feature configures a router to act as a TFTP server host. As a TFTP server
host, the router responds to TFTP Read Request messages by sending a copy of the system
image contained in ROM or one of the system images contained in Flash memory to the
requesting host. The TFTP Read Request message must use one of the filenames that are
specified in the configuration. This feature is disabled by default.

Flash memory can be used as a TFTP file server for other routers on the network. This feature
allows you to boot a remote router with an image that resides in the Flash server memory. Some
Cisco devices allow you to specify one of the various Flash memory locations (bootflash, slot0,
slot1, slavebootflash, slaveslot0, or slaveslot1) as the TFTP server.

TFTP access to your routers can be used to gain access to the router file system and therefore
can be used to attack the network or the router itself. Unless your routers are being used as
TFTP servers, you should always disable the TFTP server feature.

Note Disabling the TFTP server varies across different Cisco router product lines. Always consult
the configuration guide for your particular Cisco router model before continuing.

Disable the TFTP server for Flash memory using the no tftp-server flash: global configuration
command as shown in the figure.

The syntax for the no tftp-server flash command is as follows:

no tftp-server flash: [partition-number:]filename1 [alias filename2]

Command Element     Description

flash:              Specifies TFTP service of a file in Flash memory. Use flash: to disable the TFTP server for all files in Flash memory.

partition-number:   (Optional.) Specifies TFTP service of a file in the specified partition of Flash memory. If the partition number is not specified, the file in the first partition is used.

filename1           Name of a file in Flash or in ROM that the TFTP server uses in answering TFTP Read Requests.

alias               Specifies an alternate name for the file that the TFTP server uses in answering TFTP Read Requests.

filename2           The alternate name of the file that the TFTP server uses in answering TFTP Read Requests. A client of the TFTP server can use this alternate name in its Read Requests.

Disabling NTP Service

[Figure: Austin3 is the NTP master and sends NTP messages to Austin1, Austin2 and Austin4; Austin4 drops all NTP messages arriving on e0/0.]

Router(config)# no ntp
Austin4(config)# no ntp

Router(config-if)# ntp disable

Austin4(config)# interface e0/0
Austin4(config-if)# ntp disable

NTP is an Internet standard protocol (built on top of TCP/IP) that assures accurate
synchronization to the millisecond of computer clock times in a network of computers. Based
on Coordinated Universal Time (UTC), NTP synchronizes client workstation clocks to the U.S.
Naval Observatory Master Clocks in Washington, DC and Colorado Springs CO. NTP runs as a
continuous background client program on a computer and sends periodic time requests to
servers, to obtain server time stamps, which are then used to adjust the client clock.

Corrupting the network time base is one way in which attackers subvert certain security
protocols, and for this reason, you should disable the NTP when it is not required. This service
is disabled by default.

To disable the NTP service globally, use the no ntp command in global configuration mode as
shown in the figure.

The no ntp command has no arguments or keywords.

If you require NTP for some router interfaces but wish to prohibit its use on specific interfaces,
use the ntp disable interface configuration command as shown in the figure. Remember that
disabling the reception of NTP messages on a router interface does not prevent NTP messages
from traversing the router. Use an access list to keep NTP messages from traversing the router
interfaces.

The ntp disable command has no arguments or keywords.

If you need to use NTP, it is important that you consider the following:

• Configure a trusted time source and configure all routers as part of an NTP hierarchy (configure static NTP peer and NTP server addresses).
• Use NTP authentication.



Disabling PAD Service

[Figure: Houston1 connects an IP network to an X.25 host and therefore needs its PAD service. Austin1 and Austin2 carry IP traffic only, so no PAD is required on Austin1; an attack host on the Internet attempts to connect to the Austin1 PAD.]

Router(config)# no service pad

Austin1(config)# no service pad

By default, the PAD service is enabled on most Cisco routers. This service is used to enable
X.25 connections between the routers and other network devices. One example of where the
PAD service is used is when a router must process traffic between a remote IP user and an X.25
host. In this scenario, the remote IP user communicates with the enterprise router PAD service,
which then performs any IP-to-X.25 protocol translation and X.25 message forwarding.

Once a connection to the router PAD service is established, an attacker could use the PAD
interface to cause disruptions to both route processing and device stability. Therefore, the PAD
service should be explicitly disabled when not required for X.25 network operations.

Disable the PAD service using the no service pad command in global configuration mode, as
shown in the figure.

The no service pad command has several arguments and keywords but they are not required to
disable the PAD service.

Disabling Minor Services

Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers

Austin2(config)# no service tcp-small-servers
Austin2(config)# no service udp-small-servers

By default, Cisco devices through to Cisco IOS Software Release 11.3 offer the following
“minor services:”
• Echo: Echoes back whatever you type. To test this service, issue the telnet a.b.c.d echo command from a remote host.
• Chargen: Generates a stream of ASCII data. To test this service, issue the telnet a.b.c.d chargen command from a remote host.
• Discard: Discards whatever you type. To test this service, issue the telnet a.b.c.d discard command from a remote host.
• Daytime: Returns the system date and time if you have configured NTP or if you have set the date and time manually. To test this service, issue the telnet a.b.c.d daytime command from a remote host.

Small services are enabled by default in Cisco IOS Software Releases prior to version 11.3 and
disabled in Cisco IOS Software Releases 11.3 and later. These services, especially their UDP
versions, can be used to launch DoS attacks and other attacks against the router that would
otherwise be prevented by packet filtering.

For example, an attacker might send a Domain Name System (DNS) packet that falsifies the
source address as a DNS server that would otherwise be unreachable by the attacker, and that
falsifies the source port to be the DNS service port (port 53). If such a packet were sent to the
Cisco router UDP echo port, the router would send a DNS packet to the server in question. No
outgoing access list checks would be applied to this packet, since it would be considered locally
generated by the router itself.

Although most abuses of the small services can be avoided or made less dangerous by using
anti-spoofing access lists, the services should almost always be disabled in any router that is
part of a firewall or that lies in a security-critical part of the network. Since the services are
rarely used, the best policy is usually to disable them on all routers of any description.



The small services are disabled by default in Cisco IOS Software Releases 12.0 and later
software. In earlier software, they may be disabled using the commands no service tcp-small-
servers and no service udp-small-servers in global configuration mode as shown in the figure.

The no service tcp-small-servers command has no arguments or keywords.

The no service udp-small-servers command has no arguments or keywords.

Disabling MOP Service

[Figure: Austin1 has MOP enabled on e0/1 toward the DEC-CPU1 host, so MOP is allowed there; Austin2 has MOP disabled on e0/1 toward the Internet, so an attack host using MOP is denied.]

Router(config-if)# no mop enabled

Austin2(config)# interface e0/1
Austin2(config-if)# no mop enabled

The Digital Equipment Corporation MOP service is enabled, by default, on many Cisco router
interfaces. MOP presents a potential attack vector on the router and therefore should be
explicitly disabled at all interfaces that do not require it.

Disable the MOP service using the no mop enabled command in interface configuration mode,
as shown in the figure.

The no mop enabled command has no arguments or keywords.



Disabling and Restricting Commonly Configured
Management Services
This topic explains how to disable and restrict commonly configured management services.

Disabling SNMP

[Figure: SNMP attack hosts on the Internet attempt connections to Austin1; SNMP is disallowed.]

Austin1(config)# no snmp-server community public ro
Austin1(config)# no snmp-server community config rw
Austin1(config)# no snmp-server enable traps
Austin1(config)# no snmp-server system-shutdown
Austin1(config)# no snmp-server

The SNMP service allows a router to respond to remote SNMP queries and configuration
changes. If you plan to use SNMP, you should restrict which SNMP systems have access to the
routers using access lists. When you decide not to use SNMP for a router, you must make sure
that you complete several steps to ensure that SNMP is truly unavailable to an attacker.
Disabling the SNMP service alone does not fully protect the router. The default for this service
depends on the Cisco IOS software version.

The following steps should be completed on a Cisco router in order to fully disable SNMP
access to that router:

Step 1 Remove any existing SNMP community strings using the no snmp-server
community command in global configuration mode, as shown in the figure.

The syntax for the no snmp-server community command is as follows:

no snmp-server community string [ro | rw]

Command Element Description

string The community string that you wish to remove

ro Specifies that the string to be removed has read-only access.

rw Specifies that the string to be removed has read-write access.

Step 2 Create an access list that explicitly denies all SNMP messages for this router.

Step 3 Create a new, difficult-to-crack read-only SNMP community string, and make it
subject to the new access list you created in Step 2.
Step 4 Disable all SNMP trap functions using the no snmp-server enable traps command
in global configuration mode as shown in the figure.

The syntax for the no snmp-server enable traps command is as follows:

no snmp-server enable traps [notification-type]

Command Element     Description

notification-type   (Optional.) The type of notification (trap or inform) to disable. If no type is specified (the most secure form of the command), all notifications available on the router are disabled.

Step 5 Disable the SNMP system shutdown function using the no snmp-server system-
shutdown command in global configuration mode as shown in the figure. This
prevents an SNMP system-shutdown request (from an SNMP manager) from
resetting the Cisco SNMP agent on the router.

The no snmp-server system-shutdown command has no arguments or keywords.

Step 6 Disable the SNMP service using the no snmp-server command in global
configuration mode as shown in the figure.

The no snmp-server command has no arguments or keywords.



Disabling HTTP Configuration and Monitoring

[Figure: Austin3 attempts an HTTP connection to Austin4 (16.1.1.15); the connection is refused.]

Router(config)# no ip http server

Austin4(config)# no ip http server

Most Cisco IOS software releases support remote configuration and monitoring using HTTP. In
general, HTTP access is equivalent to interactive access to the router. The authentication
protocol used for HTTP is equivalent to sending a clear text password across the network. This
makes HTTP a relatively risky choice for use across the public Internet. This service is disabled
by default.

Note Several router management tools, such as the Cisco Security Device Manager (SDM), use
HTTP to access the router. Do not disable the router HTTP service if SDM, or another HTTP
dependent management system, is to be used to manage the router.

If Web-based administration is not required, disable the HTTP service using the no ip http
server command in global configuration mode as shown in the figure.

The no ip http server command has no arguments or keywords.

If Web-based administration is a requirement for your network, the following is required:
• Configure usernames and passwords as described previously. The password is sent as clear text, so it is recommended that you avoid using the enable password as an HTTP password.
• Use authentication, authorization, and accounting (AAA) using external AAA servers, whenever possible. As with interactive logins, the best choice for HTTP authentication is a TACACS+ or RADIUS server (use the ip http authentication aaa command).
• Use IP access lists to restrict which hosts have Web server access to the routers.
• Use syslog logging to track who accesses the routers, and when they are accessed.

Note The latest versions of Cisco IOS crypto images support the use of a secure version of HTTP
called HTTPS. If your router Cisco IOS image and the Web-based manager both support
this feature, use HTTPS for Web-based administration of your routers instead of HTTP.

Restricting DNS Service

[Figure: Austin4 is configured with DNS1 (16.1.1.20) as its name server and may send DNS queries; Austin3 has DNS lookup disabled and does not send DNS queries.]

Router(config)# ip name-server server-address1 [server-address2...server-address6]
Austin4(config)# ip name-server 16.1.1.20

Router(config)# no ip domain-lookup
Austin3(config)# no ip domain-lookup

By default, the Cisco router DNS lookup service sends name queries to the 255.255.255.255
broadcast address. Using this broadcast address should be avoided as it may allow an attacker
to emulate one of your DNS servers and respond to router queries with erroneous data.

This service is enabled by default. If your routers need to use this service, make sure that you
explicitly set the IP address of your DNS servers in the router configuration.

Set the DNS server IP addresses using the ip name-server command in global configuration
mode as shown in the figure.

The syntax for the ip name-server command is as follows:

ip name-server server-address1 [server-address2...server-address6]

Command Element                   Description

server-address1                   IP address of the name server.

server-address2…server-address6   (Optional.) IP addresses of additional name servers. A maximum of six name servers is allowed.

Note Always disable the DNS lookup service when it is not in use.

Disable the DNS lookup service using the no ip domain-lookup command in global
configuration mode as shown in the figure.

The no ip domain-lookup command has no arguments or keywords.



Ensuring Path Integrity
This topic describes how to ensure path integrity by disabling ICMP mask redirects and IP
source routing.

Disabling ICMP Redirects

[Figure: Austin1 and Austin2 are connected through the Internet; an ICMP redirect message is sent to host 16.1.1.12, an attacker behind router Austin2. No ICMP redirects are allowed on Austin2 interface e0/0.]

Router(config-if)# no ip redirect

Austin2(config)# interface e0/0
Austin2(config-if)# no ip redirect

ICMP is an extension to the IP defined by RFC 792. ICMP supports packets containing error,
control, and informational messages. The ping command, for example, uses ICMP to test an
Internet connection.

Cisco IOS software enables ICMP redirect messages by default. An ICMP redirect message
instructs an end node to use another, more efficient path to a particular destination. In a
properly functioning IP network, a router should send redirects only to hosts on its own local
subnets, end nodes should never send a redirect, and redirects should never be sent more than
one network hop away. However, an attacker may violate these rules.

Disable IP redirects using the no ip redirect command in interface configuration mode as
shown in the figure.

The no ip redirect command has no arguments or keywords.

It is a good idea to filter out incoming ICMP redirects at the input interfaces of any router that
lies at a border between administrative domains. You should also configure any access list that
is applied on the input side of a Cisco router interface to filter out all ICMP redirects. This
operation causes no operational impact in a correctly configured network.

This filtering prevents a router from ever processing or acting upon any ICMP redirect
messages and can prevent buffer overflow DoS attacks on routers running older Cisco IOS
images. It is still possible for attackers to exploit redirect vulnerabilities if their host is directly
connected to the same segment as a host that is under attack.

Disabling IP Source Routing

Router(config)# no ip source-route

Austin2(config)# no ip source-route

The IP protocol supports source routing options that allow the sender of an IP datagram to
control the route that a datagram takes toward its ultimate destination, and generally the route
that any reply takes on the return trip. These options are sometimes used for performing path
analysis and testing, but are rarely utilized during normal traffic patterns. Some older IP
implementations do not process source-routed packets properly, and it may be possible to crash
machines running these implementations by sending datagrams with source routing options.
Source routing is enabled in Cisco IOS software by default.

When a Cisco router is set with the no ip source-route command in global configuration mode,
IP packets that carry a source routing option are never forwarded. Use this command unless
you know that your network needs source routing.

The no ip source-route command has no arguments or keywords.



Disabling Probes and Scans
This topic describes how to disable probes and scans, including finger service, ICMP masks,
unreachable messages and ICMP mask replies and redirects.

Disabling Finger Service

[Figure: Austin3 attempts to connect to the finger service on Austin4 (16.1.1.15); the connection is refused.]

Router(config)# no ip finger

Austin4(config)# no ip finger
Austin4(config)# no service finger
Austin4(config)# exit
Austin4# connect 16.1.1.15 finger
Trying 16.1.1.15, 79 ...
% Connection refused by remote host

Cisco routers provide an implementation of the “finger” service that is used to find out which
users are logged into a network device. Although this information is not usually sensitive, it can
sometimes be useful to an attacker for reconnaissance purposes. This service is enabled by
default.

Disable the finger service using the no ip finger or no service finger commands in global
configuration mode as shown in the figure.

Note The service finger command has been replaced by the ip finger command (introduced in
Cisco IOS Software Release 11.3). However, the service finger and no service finger
commands continue to function to maintain backward compatibility with Cisco IOS software
versions prior to Cisco IOS Software Release 11.3.

The no ip finger command has no arguments or keywords.

The no service finger command has no arguments or keywords.

Disabling ICMP Unreachable Messages

Router(config-if)# no ip unreachable

Austin2(config)# interface e0/0
Austin2(config-if)# no ip unreachable

Attackers can use ICMP unreachable messages to map your network. These messages are
enabled in Cisco IOS software by default and should be disabled on all interfaces, especially
those interfaces connected to untrusted networks.

Disable IP unreachable messages using the no ip unreachable command in interface
configuration mode as shown in the figure.

The no ip unreachable command has no arguments or keywords.



Disabling ICMP Mask Replies

[Figure: an attacker (16.1.1.12) sends an ICMP mask request to Austin2; Austin2 sends no ICMP mask replies on e0/0.]

Router(config-if)# no ip mask-reply

Austin2(config)# interface e0/0
Austin2(config-if)# no ip mask-reply

Mask replies are disabled in Cisco IOS software by default. When mask replies are enabled, the
Cisco IOS software responds to ICMP mask requests by sending ICMP mask reply messages.
These messages can provide an attacker with critical network information in reconnaissance
attacks. Automatic replies should be disabled on all router interfaces, especially those pointing
to untrusted networks.

Disable IP mask replies using the no ip mask-reply command in interface configuration mode
as shown in the figure.

The no ip mask-reply command has no arguments or keywords.
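The interface-level settings covered in this lesson (shutting down unused interfaces, no cdp enable, ntp disable, no mop enabled, no ip redirects, no ip unreachables, and keeping ip mask-reply off) can be verified offline from a saved running-config. The following Python audit is an added example, not Cisco's code or part of the course: the sample configuration, hostnames and the set of "untrusted" interfaces are constructed, and an interface with no ip address line is assumed to be unused.

```python
"""Audit the interface stanzas of a Cisco IOS running-config for the
per-interface hardening this lesson describes.  Added example, not Cisco's
code: the sample config, the hostnames and the set of 'untrusted' interfaces
are constructed, and an interface with no 'ip address' line is taken as unused."""


def interface_stanzas(config):
    """Map each interface name to the list of its indented configuration lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # "!" or any other global line ends the stanza
    return stanzas


# The running-config stores the full keyword even when the command was typed
# abbreviated: the lesson types "no ip redirect", the config shows "no ip redirects".
HARDENED_ALL = [
    "no ip redirects",      # ICMP redirects, enabled by default
    "no ip unreachables",   # ICMP unreachables, enabled by default
    "no mop enabled",       # DEC MOP, enabled by default on many interfaces
]
HARDENED_UNTRUSTED = [
    "no cdp enable",        # per-interface CDP, when "cdp run" is kept globally
    "ntp disable",          # drop NTP messages arriving on this interface
]


def audit_interfaces(config, untrusted=()):
    """Return findings as 'IfName: problem' strings, in configuration order."""
    findings = []
    for name, lines in interface_stanzas(config).items():
        if "shutdown" in lines:
            continue                # administratively down: nothing to reach
        if not any(l.startswith("ip address") for l in lines):
            findings.append(name + ": unused interface is not shut down")
            continue
        for want in HARDENED_ALL:
            if want not in lines:
                findings.append(name + ": missing " + want)
        if "ip mask-reply" in lines:        # off by default, must stay off
            findings.append(name + ": ip mask-reply enabled")
        if name in untrusted:
            for want in HARDENED_UNTRUSTED:
                if want not in lines:
                    findings.append(name + ": missing " + want)
    return findings


# Constructed sample: e0/0 faces the Internet, e0/1 the LAN, e0/2 and e0/3 are spare.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 description link to Internet (untrusted)
 ip address 16.1.1.15 255.255.255.0
 no ip redirects
 no ip unreachables
 no mop enabled
 no cdp enable
!
interface Ethernet0/1
 description inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip mask-reply
 no ip redirects
!
interface Ethernet0/2
 no ip address
!
interface Ethernet0/3
 no ip address
 shutdown
!
"""

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_CONFIG, untrusted={"Ethernet0/0"}):
        print(finding)
```

Interfaces that are already shut down are skipped, so the report lists only what is still reachable and not yet hardened.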

Ensuring Terminal Access Security
This topic explains how to ensure terminal access security by disabling IP identification.

Disabling IP Identification

Router(config)# no ip identd

Austin2(config)# no ip identd

Identification support allows you to query a TCP port for identification. This feature enables
RFC 1413, an unsecure protocol for reporting the identity of a client that is initiating a TCP
connection and a host responding to the connection.

With identification support, an attacker can connect to a TCP port on a host, issue a simple text
string to request information, and get back a simple text-string reply. No attempt is made to
protect against unauthorized queries. This service should be explicitly disabled.

Disable RFC 1413 identification using the no ip identd command in global configuration mode
as shown in the figure.

The no ip identd command has no arguments or keywords.



Enabling TCP Keepalives

[Figure: a TCP session initiated by Austin1 to the TACACS1 ACS server is tested with periodic ACKs (tcp-keepalives-out); a Telnet session initiated by a local host to Austin1 is tested with periodic ACKs (tcp-keepalives-in).]

Router(config)# service tcp-keepalives-in
Router(config)# service tcp-keepalives-out

Austin1(config)# service tcp-keepalives-in
Austin1(config)# service tcp-keepalives-out

By default, Cisco routers do not continually test whether a previously connected TCP endpoint
is still reachable. If one end of a TCP connection idles out or terminates abnormally (crashes,
reloads, and so on), the opposite end of the connection may still believe the session is available.
These “orphaned” sessions use up valuable router resources. Attackers have been known to
take advantage of this weakness to attack Cisco routers.

To remedy this situation, Cisco routers can be configured to send periodic keepalive messages
(one ACK per minute) to ensure that the remote end of a session is still available. If the remote
device fails to respond (with another ACK) within five minutes, the router clears the
connection. This action immediately frees router resources for other more important tasks.
Keepalives are important because they help guard against orphaned sessions.

Use the service tcp-keepalives-in command in global configuration mode to detect and delete
inactive incoming sessions as shown in the figure.

Use the service tcp-keepalives-out command in global configuration mode to detect and delete
inactive outgoing sessions initiated by the router as shown in the figure.

These commands have no arguments or keywords.

Disabling Gratuitous and Proxy ARP
This topic explains how to disable gratuitous and proxy ARP to help mitigate man-in-the-middle,
DoS and distributed DoS (DDoS) attacks.

Disabling Gratuitous ARPs

[Figure: a PPP client connects over the PSTN to NAS1, which negotiates the client's IP address from a local address pool; gratuitous ARP is disabled on NAS1.]

Router(config)#
no ip gratuitous-arps

NAS1(config)# no ip gratuitous-arps

Without being prompted, a gratuitous ARP (gARP) message announces to all hosts on a network
segment the IP address to MAC address binding of the sending host. Unfortunately, a gARP can
easily be spoofed. Any device can pretend to be something it is not by sending out a gARP that
carries the IP address of another device. This causes the target device to replace the MAC
address of the legitimate network device with the MAC address of the attacker in its ARP table.
The device being spoofed may be the default router, an adjacent server, or another endpoint
with which the target device is attempting to communicate. This spoofing allows the attacker to
assume a man-in-the-middle position for eavesdropping, redirection, manipulation, or a DoS
attack.

By default, most Cisco routers send out a gARP message whenever a client connects and
negotiates an IP address over a PPP connection. A gARP is the main mechanism used in ARP
poisoning attacks. You should disable gARPs unless they are otherwise needed.

Note Cisco routers generate a gARP transmission even when the client receives the address from
a local address pool.

Starting with Cisco IOS Software Release 11.3, system administrators can disable gratuitous
ARP transmissions using the no ip gratuitous-arps command in global configuration mode, as
shown in the figure.

The no ip gratuitous-arps command has no arguments or keywords.



Disabling Proxy ARP

[Figure: Austin1 with interfaces e0/0, e0/1 and e0/2; proxy ARP is disallowed on e0/0, where an attack host attempts a spoof, and allowed on e0/1 and e0/2.]

Router(config-if)#
no ip proxy-arp

Austin1(config)# interface e0/0
Austin1(config-if)# no ip proxy-arp

Proxy ARP enables a router to respond to ARP requests intended for another destination host.
By "faking" its identity, the router accepts responsibility for routing packets to the "real"
destination host.

When proxy ARP is enabled on a Cisco router, it allows that router to extend the network (at
Layer 2) across multiple interfaces (LAN segments). Cisco routers enable proxy ARP on all
interfaces by default.

Because proxy ARP allows the traversal of LAN segments, proxy ARP is only safe when used
between trusted LAN segments. Attackers can take advantage of the trusting nature of proxy
ARP by spoofing a trusted host and then intercepting packets. Because of this inherent security
weakness, you should always disable proxy ARP on router interfaces that do not require it,
especially those connected to untrusted networks.

Disable proxy ARP using the no ip proxy-arp command in interface configuration mode as
shown in the figure.

The no ip proxy-arp command has no arguments or keywords.

Disabling IP Directed Broadcast
This topic explains how to disable IP directed broadcasts to mitigate DoS and DDoS attacks.

Disabling IP Directed Broadcast

[Figure: a host with a falsified source address sends ICMP echo requests across the Internet to the directed broadcast address of the target segment behind Austin2 (e0/1); with directed broadcasts disabled on e0/1, Austin2 drops them.]

Router(config-if)#
no ip directed-broadcast

Austin2(config)# interface e0/1
Austin2(config-if)# no ip directed-broadcast

IP directed broadcasts are the basis of the very common smurf DoS attack and are also used in
man-in-the-middle attacks. This service is enabled by default in Cisco IOS software releases
prior to Cisco IOS Software Release 12.0 and disabled by default in Cisco IOS Software Release
12.0 and later.

An IP directed broadcast is a datagram sent to the broadcast address of a subnet to which the
sending machine is not directly attached. The directed broadcast is routed through the network
as a unicast packet until it arrives at the target subnet where it is converted into a link-layer
broadcast. Because of the nature of IP addressing architecture, only the last router in the chain,
the one that is connected directly to the target subnet, can identify a directed broadcast.
Directed broadcasts are occasionally used for legitimate purposes, but such use is not common.

In a smurf attack, the attacker sends ICMP echo requests from a spoofed source address to a
directed broadcast address causing all the hosts on the target subnet to send replies to the
spoofed source. By sending a continuous stream of such requests, the attacker can create a huge
stream of replies to overwhelm the host whose address is being spoofed.

If a Cisco interface is configured with the no ip directed-broadcast command, directed
broadcasts that would otherwise be converted into link-layer broadcasts at that interface are
dropped. This means that the no ip directed-broadcast command must be configured on every
interface of every router that might be connected to a target subnet; it is not sufficient to
configure only perimeter routers. The no ip directed-broadcast command is the default in
Cisco IOS Software Releases 12.0 and later. In earlier releases, the command should be applied
to every LAN interface that is not required to forward legitimate directed broadcasts.

Disable IP directed broadcasts using the no ip directed-broadcast command in interface
configuration mode as shown in the figure. This command has no arguments or keywords.
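The following Python model is an added example, not course material: it reproduces the forwarding decision the last-hop router makes for an ICMP echo request, with and without no ip directed-broadcast on the interface attached to the target subnet, and shows why only the directly attached router can recognise the directed broadcast. The topology, addresses and host counts are constructed sample data.

```python
"""Added example (not course material): the forwarding decision the last-hop
router makes for an ICMP echo request, with and without 'no ip
directed-broadcast' on the interface attached to the target subnet.
The topology, addresses and host counts are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # the directly attached subnet
    directed_broadcast: bool         # True = IOS default before Release 12.0
    hosts: int                       # hosts on the segment that answer echo requests


def is_directed_broadcast(dst: str, iface: Interface) -> bool:
    """Only the router directly attached to the subnet can recognise this:
    the destination equals that subnet's broadcast address."""
    return ipaddress.IPv4Address(dst) == iface.network.broadcast_address


def egress_interface(dst: str, ifaces: List[Interface]) -> Optional[Interface]:
    """Longest-prefix match of the destination against the attached subnets.
    Upstream of the last hop the packet is just a unicast toward that prefix."""
    best = None
    for iface in ifaces:
        if ipaddress.IPv4Address(dst) in iface.network:
            if best is None or iface.network.prefixlen > best.network.prefixlen:
                best = iface
    return best


def forward(dst: str, ifaces: List[Interface]) -> Tuple[str, int]:
    """Return (decision, replies) for one echo request to dst, where replies is
    how many hosts would answer, i.e. the number of replies a spoofed source
    address receives for a single request."""
    iface = egress_interface(dst, ifaces)
    if iface is None:
        return "no route", 0
    if not is_directed_broadcast(dst, iface):
        return f"unicast out {iface.name}", 1
    if iface.directed_broadcast:
        # Converted to a link-layer broadcast: every host on the segment replies.
        return f"link-layer broadcast out {iface.name}", iface.hosts
    return f"dropped at {iface.name} (no ip directed-broadcast)", 0


# Constructed topology modelled on the lesson's figure: Austin2 with e0/0 toward
# the Internet and e0/1 attached to the target segment (200 hosts).
AUSTIN2_BEFORE = [
    Interface("e0/0", ipaddress.ip_network("198.51.100.0/30"), True, 1),
    Interface("e0/1", ipaddress.ip_network("192.0.2.0/24"), True, 200),
]
AUSTIN2_AFTER = [  # 'no ip directed-broadcast' applied on e0/1 only
    Interface("e0/0", ipaddress.ip_network("198.51.100.0/30"), True, 1),
    Interface("e0/1", ipaddress.ip_network("192.0.2.0/24"), False, 200),
]

if __name__ == "__main__":
    print(forward("192.0.2.255", AUSTIN2_BEFORE))  # 200 replies to the spoofed source
    print(forward("192.0.2.255", AUSTIN2_AFTER))   # dropped, 0 replies
    print(forward("192.0.2.10", AUSTIN2_AFTER))    # ordinary unicast, 1 reply
```

Note that in AUSTIN2_AFTER the e0/0 subnet still converts its own directed broadcast, which is the lesson's point that the command belongs on every interface that might face a target subnet.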



Summary
This topic summarizes the key points discussed in this lesson.

Summary
• Routers are an integral and vulnerable part of a network topology.
• Many router services and interfaces are enabled by default, are vulnerable, and should be
secured.
• Unnecessary router services and interfaces should be disabled.
• Commonly configured management services that are not required should be disabled.
• Services that affect path integrity should be disabled.
• Services that provide for probes and scans should be disabled.
• IP identification should be disabled to assure terminal access security.
• Man-in-the-middle attacks can be mitigated by disabling gratuitous ARPs.
• DoS and DDoS attacks can be mitigated by disabling proxy ARP and IP directed broadcast.

Lesson Self Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which command is used to disable CDP? (Source: Disabling Unnecessary Router
Services and Interfaces)
A) shutdown cdp
B) no cdp
C) no cdp server
D) no cdp run
Q2) Which two commands disable autoloading? (Choose two.) (Source: Disabling
Unnecessary Router Services and Interfaces)
A) no boot network
B) no service autoloading
C) no service config
D) no autoload config
Q3) Which command disables FTP with Cisco IOS software releases prior to Cisco IOS
Software Release 12.3? (Source: Disabling Unnecessary Router Services and
Interfaces)
A) no ftp-server write-enable
B) no ftp-server enable
Q4) Which service should be disabled to prevent a Cisco router from accessing a copy of a
Cisco IOS image on another Cisco router running the same protocol? (Source: Disable
Unnecessary Services and Interfaces)
A) CDP
B) bootp server
C) configuration autoloading
D) MOP
Q5) Which router service can be used to find out which users are logged into a network
device? (Source: Disable Probes and Scans)
A) identd
B) finger
C) show login
D) show line
Q6) Which service can attackers use during reconnaissance attacks to learn of neighboring
Cisco devices? (Source: Disable Unnecessary Services and Interfaces)
A) finger
B) configuration autoloading
C) CDP
D) IP source routing



Q7) Match the following threats to the correct mitigation technique. (Source: Disable
Unnecessary Services and Interfaces)
A) An attacker is corrupting the network time base.
B) An attack on the X.25 interface can cause disruptions to both route processing
and device stability.
C) An attacker sends a DNS packet, falsifying the source address to be a DNS
server that would otherwise be unreachable by the attacker and falsifying the
source port to be the DNS service port (port 53).
D) This protocol is a potential attack vector on the router.
_____ 1. Disable MOP service

_____ 2. Disable PAD service

_____ 3. Disable the NTP service globally

_____ 4. Disable small servers

Q8) Which of the following services requires five steps to completely disable access to the
router? (Source: Disable Commonly Configured Management Services)
A) SNMP service
B) HTTP service
C) DNS lookup service
D) TFTP service
E) FTP service
Q9) Which of the following services should not be disabled if a router management tool
such as the Cisco Security Device Manager (SDM) is used to manage the router?
(Source: Disable Commonly Configured Management Services)
A) SNMP service
B) HTTP service
C) DNS lookup service
D) TFTP service
E) FTP service
Q10) Which command is used to define an SNMP password? (Source: Disable Commonly
Configured Management Services)
A) snmp-server enable
B) snmp-server host
C) snmp-server community
D) snmp-server password
E) snmp-server manager
Q11) Which router command enables the sending of all types of SNMP traps? (Source:
Disable Commonly Configured Management Services)
A) snmp-server community
B) snmp-server enable informs
C) snmp-server enable traps snmp
D) snmp-server enable traps
Q12) What Cisco IOS software feature should be disabled to stop attackers from mapping
your network? (Source: Disable Probes and Scans)

Q13) What service is used in the extremely common and popular smurf denial of service
attack and other related attacks? (Source: Mitigate DoS and DDoS attacks)



Lesson Self-Check Answer Key
Q1) D

Q2) A and C

Q3) B

Q4) B

Q5) B

Q6) C

Q7) A-3, B-2 , C-4, D-1

Q8) A

Q9) B

Q10) C

Q11) D

Q12) Disable ICMP unreachable messages

Q13) IP Directed Broadcast

Lesson 6

Mitigating Threats and Attacks with Access Lists

Overview
This lesson describes how to mitigate threats and attacks to Cisco perimeter routers by
formatting and applying access control lists (ACLs) to filter traffic. ACLs provide packet
filtering at the router level and are used extensively at a firewall to protect internal networks
from the outside world. This lesson outlines the types of ACLs that are available and provides
guidelines that help you create these ACLs. To practice what you have learned, a hands-on lab
exercise has been provided. In this lab exercise you will secure a Cisco perimeter router with
access lists.

Objectives
Upon completing this lesson, you will be able to mitigate threats and attacks to Cisco perimeter
routers by formatting and applying access lists to filter traffic. This ability includes being able
to meet these objectives:
Identify the types and formats of IP access lists that are used by routers to restrict access
and filter packets
Describe how to apply access lists to router interfaces
Explain the use of traffic filtering with access lists to mitigate threats in a network
Explain how to implement access lists to filter IP traffic destined for Telnet, SNMP and
RIP services
Explain how to implement access lists to mitigate threats
Explain how to configure router access lists to help reduce the effects of DDoS attacks
Describe how to combine many access list functions into two or three larger access lists
Explain some of the caveats to be considered when building access lists
Cisco Access Lists
This topic describes the types and formats of IP access lists that are used by routers to restrict
access and filter packets.

Standard and Extended IP Access Lists

Cisco routers support two basic types of IP access lists:
• Standard IP access list: Filters IP packets based on the source address only
  access-list 10 permit 192.168.3.0 0.0.0.255
• Extended IP access list: Filters IP packets based on several attributes, including:
  – Source and destination IP addresses
  – Source and destination TCP/UDP ports
  – Protocol type (IP, ICMP, UDP, TCP, or protocol number)
  access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80

The Cisco ACL is probably the most commonly used object in Cisco IOS software. This ACL
is not only used for packet filtering (a type of firewall) but also for selecting types of traffic to
be analyzed, forwarded, or influenced in some way.

The access list is a group of statements. Each statement defines a pattern that would be found in
an IP packet. As each packet comes through an interface with an associated access list, the list
is scanned from top to bottom and in the exact order in which it was entered, for a pattern that
matches the incoming packet. A permit or deny rule associated with the pattern determines the
fate of that packet.

Cisco routers use access lists as packet filters to decide which packets can access a router
service or which packets can be allowed across an interface. Packets that are allowed across an
interface are called permitted packets. Packets that are not allowed across an interface are called
denied packets. Access lists contain one or more rules or statements that determine what data is
to be permitted or denied, or both permitted or denied, across an interface.

Access lists are designed to enforce one or more corporate security policies. For example, a
corporate security policy may allow only packets using source addresses from within the
trusted network to access the Internet. Once this policy is written, you can develop an access
list that includes certain statements which, when applied to a router interface, can implement
this policy.

Cisco router security depends strongly on well-written access lists to restrict access to router
network services and to filter packets as they traverse the router.

Cisco routers support three types of IP access lists: standard, extended, and enhanced IP access
lists. The figure describes the following two types:
Standard IP access lists: A standard access list only allows you to permit or deny traffic
from specific source IP addresses. The destination of the packet and the ports involved do not
matter. The example in the figure allows traffic from all addresses in the range 192.168.3.0
to 192.168.3.255.
Extended IP access lists: An IP extended access list is a series of statements that are
created in global configuration mode. This list can filter IP packets based on several attributes
(protocol type, source IP address, destination IP address, source TCP or User Datagram
Protocol (UDP) port, destination TCP or UDP port, and optional protocol type information for
finer granularity of control). The example shown in the figure configures ACL 101 to permit
TCP traffic originating from any address on the 63.36.9.0/24 network to port 80 (HTTP) on
any destination host. More on extended ACLs will be presented in this lesson.
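As an added example that is not part of the course, the following Python model shows how a router scans a numbered standard or extended access list from top to bottom with wildcard-mask matching, and what the implicit deny at the end of every list does to traffic that nothing matched. It parses the two statements from the figure and assumes only the permit/deny, any, host, wildcard and eq forms used in this lesson; the number-range classification follows the lesson's table.

```python
"""Added example (not course material): a small model of how a Cisco IOS
standard or extended numbered IP access list is evaluated."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = wildcard of all ones


def acl_type(number: int) -> str:
    """Classify a numbered IP ACL by its range, as in the lesson's table."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"not an IP access list number: {number}")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # a standard list matches any IP protocol
    src: tuple = ANY                 # (address, wildcard)
    dst: tuple = ANY
    dst_port: Optional[int] = None   # only 'eq <port>' is modelled here


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_line(line: str):
    """Parse one 'access-list N permit|deny ...' line into (number, Entry)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action = int(t[1]), t[2]
    if acl_type(number) == "standard":
        if len(t) == 4 and t[3] != "any":
            t.append("0.0.0.0")          # a lone address means that exact host
        src, _ = _parse_addr(t, 3)
        return number, Entry(action, src=src)
    protocol = t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return number, Entry(action, protocol, src, dst, port)


def build_acls(config_lines):
    """Group entries by ACL number, preserving the order they were entered."""
    acls = {}
    for line in config_lines:
        number, entry = parse_line(line)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, proto: str, src: str, dst: str,
             dst_port: Optional[int] = None):
    """Scan top to bottom; the first matching entry decides the packet's fate.
    Returns (action, index); index is None when the implicit deny applied."""
    for idx, e in enumerate(entries):
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not wildcard_match(src, *e.src) or not wildcard_match(dst, *e.dst):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, idx
    return "deny", None   # implicit deny at the end of every access list


# The two statements from the lesson's figure (constructed sample configuration).
SAMPLE_CONFIG = [
    "access-list 10 permit 192.168.3.0 0.0.0.255",
    "access-list 101 permit tcp 63.36.9.0 0.0.0.255 any eq 80",
]
ACLS = build_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[10], "tcp", "192.168.3.77", "10.0.0.1"))     # ('permit', 0)
    print(evaluate(ACLS[10], "tcp", "192.168.4.1", "10.0.0.1"))      # ('deny', None)
    print(evaluate(ACLS[101], "tcp", "63.36.9.5", "10.0.0.1", 80))   # ('permit', 0)
    print(evaluate(ACLS[101], "udp", "63.36.9.5", "10.0.0.1", 80))   # ('deny', None)
```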

Note Cisco IOS Software Release 11.1 introduced substantial changes to IP access lists. These
extensions are backward compatible. Migrating from a release earlier than the Cisco IOS
Software Release 11.1 to the current image will convert your access lists automatically.
However, previous Cisco IOS software releases are not forward compatible with these
changes. Therefore, if you save an access list with the current image and then use older
software, the resulting access list will not be interpreted correctly, and could cause severe
security problems. Save your old configuration file before booting Cisco IOS Software
Release 11.1 images.



Enhanced Access Lists

Cisco routers support several enhanced types of access lists:
• Dynamic (lock and key): Create dynamic entries
• Time-based: Access lists whose statements become active based upon the time of day or
day of week
• Reflexive: Creates dynamic openings on the untrusted side of a router based on sessions
originating from a trusted side of the router
• Context-based access control (CBAC): Allows for secure handling of multichannel
connections based on upper-layer information

Cisco routers also support enhanced access lists, which are designed to provide better security
for routers and their networks. These enhanced access lists are described as follows:
Dynamic: Dynamic access lists (also known as lock and key) create specific, temporary
openings in response to user authentication. The syntax for dynamic access lists is very
similar to that of extended access lists. Dynamic access lists are available starting in Cisco IOS
Software Release 11.1. Here is a simple example of using a dynamic access list:
— A user originates a Telnet session with a router.
— The router authenticates the user with a username and password lookup.
— The router closes the Telnet session and creates a dynamic entry in the access list to
permit packets from the authenticated user source IP address.
— Once the user closes the session, the dynamic entry is deleted.
Time-based: These access lists are simply numbered or named access lists that are
implemented based upon the time of day or the day of the week. These access lists make it
easier to implement changes to your routing plans for after hours, weekends, or for other
time and day related organizational events. Time-based access lists are available starting in
Cisco IOS Software Release 12.0.
Reflexive: These access lists create dynamic entries for IP traffic on one interface of the
router based upon sessions originating from a different interface of the router. This
enhanced access list allows you to control connections on the untrusted side of a router
when a connection is initiated from the trusted side. These access lists are actually modified
extended IP named access lists. Reflexive access lists are available starting in Cisco IOS
Software Release 11.3.
Context-based access control (CBAC): Where reflexive access lists can only secure
single-channel applications like Telnet, CBAC can secure multichannel operations based on
upper-layer information. CBAC examines packets as they enter or leave router interfaces,
and determines which application protocols to allow. CBAC access lists are available
starting in Cisco IOS Software Release 12.0T as part of the firewall feature set.

Identifying Access Lists

Cisco routers can identify access lists using two methods:
• Access list number—The number of the access list determines which protocol it is filtering:
  – (1–99) and (1300–1999): Standard IP access lists
  – (100–199) and (2000–2699): Extended IP access lists
• Access list name (Cisco IOS Software Releases 11.2 and later)—You provide the name of
the access list:
  – Names contain alphanumeric characters.
  – Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Prior to Cisco IOS Software Release 11.2, you had to assign a number to each ACL as it was
created. Since then, either a number or a name can identify Cisco access lists and the protocols
they filter.

Using numbered ACLs is an effective method on smaller networks with more homogeneously
defined traffic. Because each ACL type is limited to an assigned range of numbers, it is easy to
determine the type of ACL you are using. There can be up to 99 standard IP ACLs, numbered
from 1 to 99. The extended IP ACL number range is 100 to 199 and 2000 to 2699. The
“Access List Number and Type” table lists each number range and the type of access list
associated with it.

Access List Number and Type

Access List Number   Type
1-99                 IP standard access list
100-199              IP extended access list
200-299              Protocol type-code access list
300-399              DECnet access list
400-499              XNS standard access list
500-599              XNS extended access list
600-699              AppleTalk access list
700-799              48-bit MAC address access list
800-899              IPX standard access list
900-999              IPX extended access list
1000-1099            IPX SAP access list
1100-1199            Extended 48-bit MAC address access list
1200-1299            IPX summary address access list
1300-1999            IP standard access list (expanded range)
2000-2699            IP extended access list (expanded range)

Starting with Cisco IOS Software Release 11.2, you can identify access lists with an
alphanumeric string (a name) rather than a number. These named access lists will not be
recognized by any software release prior to Cisco IOS Software Release 11.2. Named access
lists allow you to configure more access lists in a router than if you were to use numbered
access lists alone. If you identify your access list with a name rather than a number, the mode
and command syntax are slightly different. Currently, only packet and route filters can use a
named list.

Guidelines for Developing Access Lists

Guideline 1—Base access lists on the security policy.
Guideline 2—Write it out.
• Get a piece of paper and write out what you want this access list to accomplish.
• This is the time to think about potential problems.
Guideline 3—Set up a development system.
• This allows you to copy and paste statements easily.
• It also allows you to develop a library of access lists.
• Store the files as ASCII text files.
Guideline 4—Apply the access list to a router and test.
• If at all possible, run your access lists in a test environment before placing them into
production.

Before you start to develop any access lists, consider the following basic rules:
Guideline 1: Base your access lists on your security policy. Unless the access list is
anchored in a comprehensive security policy, you cannot be absolutely certain it will
effectively control access in the way access needs to be controlled.
Guideline 2: Write it out. Never sit down at a router and start to develop an access list
without first spending some time on design. The best access list developers suggest that you
write out a list of the things you want the access list to accomplish, starting with something as
simple as, “This access list must block all Simple Network Management Protocol (SNMP)
access to the router except for the SNMP host at 16.1.1.15.”
Guideline 3: Set up a development system. Whether you use your laptop PC or a
dedicated server, you need a place to develop and store your access lists. Word processors
or text editors of any kind are suitable, as long as you can save the files in ASCII text
format. Build yourself a library of your most commonly used access lists and use them as
sources for new files. Access lists can be pasted into the router running configuration
(which requires console or Telnet access), or can be stored in a router configuration file. The
system you choose should support TFTP to make it easy to transfer any resulting
configuration files to the router.

Note Hackers love to gain access to router configuration development systems or TFTP servers
that store access lists. A hacker can discover a lot about your network from looking at these
easily read text files. For this reason, it is imperative that the system where you choose to
develop and store your router files be a secure system.

Guideline 4: Test. If possible, test your access lists in a secure environment before placing
them into production. Testing is a common-sense approach to any router configuration change.
Most enterprises maintain their own network test beds. While testing may appear to be an
unnecessary cost, over time it can save time and money.



Applying Access Lists to Router Interfaces
This topic describes how to apply access lists to router interfaces.

Applying Access Lists to Inbound and Outbound Interfaces

[Figure: Austin1 with interfaces s0/0 (toward the Internet), e0/0 and e0/1; each interface has an inbound (In) and an outbound (Out) direction.]

• Inbound (in): Data flows toward router interface
• Outbound (out): Data flows away from router interface

Packet filtering access lists must be applied to a router interface to take effect. It is important to
note that access lists are applied to an interface based on the direction of the data flow, as shown
in the figure. You can apply the list to incoming packets (an "in" access list) or to outgoing
packets (an "out" access list).
Inbound (in): The packet filtering access list applies to packets received on the router
interface.
Outbound (out): The packet filtering access list applies to packets transmitted out of the
router interface. For out access lists, you need to set up the filter only on the one outgoing
interface rather than on the individual incoming interfaces. This improves performance
because only the network you are protecting will force a lookup on the access list.

Applying Access Lists to Interfaces

Router(config)#
ip access-group {access-list-number | access-list-name} {in | out}

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out
Tulsa(config-if)# end

Before applying a packet filtering access list to a router interface, make sure you know in which
direction it will filter.

Apply access lists to router interfaces using the ip access-group command in interface
configuration mode as shown in the figure.

The syntax for the ip access-group command is as follows:

ip access-group {access-list-number | access-list-name} {in | out}

Command Element      Description
access-list-number   Number of the IP standard numbered or IP extended numbered access list.
                     This is a decimal number from 1 to 199 or from 1300 to 2699.
access-list-name     Name of the IP standard named or IP extended named access list, as
                     specified by the ip access-list command.
in                   Filters inbound packets (flowing toward the router interface).
out                  Filters outbound packets (flowing away from the router interface).



Enable Turbo ACLs on Cisco 7200, 7500 and 12000 Routers

[Figure: router R2 with e0/0 (16.1.1.2) and e0/1 (16.2.1.1) attached to the remote access LAN 16.2.1.0/24.]

Router(config)#
access-list compiled

Router#
show access-list compiled

R2(config)# access-list compiled
R2(config)# exit
R2# show access-list compiled

Access lists are normally searched sequentially to find a matching rule, and are ordered
specifically to take this factor into account. Because of increasing needs and requirements for
security filtering and packet classification, ACLs can expand to the point that searching the
ACL adds a significant amount of time and memory when packets are being forwarded. As
well, the time taken by the router to search the list is not always consistent, which adds a
variable latency to the packet forwarding. A high CPU load is necessary for searching an ACL
with several entries.

The Turbo ACL feature, supported by Cisco 7200 Series, 7500 Series and 12000 Series routers,
processes access lists into lookup tables. Packet headers are used to access these tables in a
small, fixed number of lookups, independent of the existing number of ACL entries. The
benefits of the Turbo ACL feature are:
For ACLs larger than 3 entries, the CPU load required to match the packet to the pre-
determined packet-matching rule is lessened. The CPU load is fixed, regardless of the size
of the ACL, which allows for larger ACLs without incurring additional CPU overhead
penalties. The larger the ACL, the greater the benefit.
The time taken to match the packet is fixed, so the latency of the packets is smaller
(significantly so in the case of large ACLs) and, more importantly, the time taken to match is
consistent, which allows better network stability and more accurate transit times.

If your router supports turbo ACLs, you should use the access-list compiled command in
global configuration mode as shown in the figure whenever you develop access lists with more
than three statements.

The access-list compiled command has no keywords or arguments.

To view the status of your turbo access lists, use the show access-lists compiled command in
privileged EXEC mode as shown in the figure.

The show access-lists compiled command has no keywords or arguments.

Using Traffic Filtering with Access Lists
This topic explains the use of traffic filtering with access lists to mitigate threats in a network.

Traffic Filtering

[Figure: untrusted network (Internet), perimeter (premises screening) router, firewall, and corporate (trusted) network, with a DMZ holding the web server and mail server.]

• Use ACLs to filter ingress and egress from routers and firewall appliances.
• Use ACLs to disable and limit services, ports and protocols.

To review, always apply the following general rules when deciding how to handle router
services, ports, and protocols:
Disable unused services, ports, or protocols: In the case where no one, including the router
itself, needs to use an enabled service, port, or protocol, disable that service, port, or
protocol.
Limit access to services, ports, or protocols: In the case where a limited number of users or
systems require access to an enabled router service, port, or protocol, limit access to that
service, port, or protocol using access control lists.

ACLs are important because they act as traffic filters between the corporate (trusted) network
and the Internet (untrusted network). Using access lists, the router enforces corporate security
policies by rejecting protocols and restricting port usage.

The “Blocked Services” table contains a list of common router services that can be used to
gather information about your network, or worse, can be used to attack your network. Unless
your network configuration specifically requires one of these services, they should not be
allowed to traverse the router. Use access lists to block these services inbound to the protected
network and outbound to the Internet.

Blocked Services

Service                Port          Transport
tcpmux                 1             TCP and UDP
echo                   7             TCP and UDP
discard                9             TCP and UDP
systat                 11            TCP
daytime                13            TCP and UDP
netstat                15            TCP
chargen                19            TCP and UDP
time                   37            TCP and UDP
whois                  43            TCP
bootp                  67            UDP
tftp                   69            UDP
subdup                 93            TCP
sunrpc                 111           TCP and UDP
loc-srv                135           TCP and UDP
netbios-ns             137           TCP and UDP
netbios-dgm            138           TCP and UDP
netbios-ssn            139           TCP and UDP
xdmcp                  177           UDP
netbios (ds)           445           TCP
rexec                  512           TCP
lpr                    515           TCP
talk                   517           UDP
ntalk                  518           UDP
uucp                   540           TCP
Microsoft UPnP SSDP    1900, 5000    TCP and UDP
nfs                    2049          UDP
X Window System        6000-6063     TCP
irc                    6667          TCP
NetBus                 12345         TCP
NetBus                 12346         TCP
Back Orifice           31337         TCP and UDP

The “Deny Services” table contains a listing of common services that reside either on the
corporate protected network or on the router itself. These services should be denied to untrusted
clients using access lists.

Deny Services

Service                  Port    Transport
finger                   79      TCP
snmp                     161     TCP and UDP
snmp trap                162     TCP and UDP
rlogin                   513     TCP
who                      513     UDP
rsh, rcp, rdist, rdump   514     TCP
syslog                   514     UDP
new who                  550     TCP and UDP

There are several ways to control access to router services:


Disable the service itself: Once a router service is disabled, no one can use that service.
Disabling a service is safer, and more reliable, than attempting to block all access to the
service using an access list.
Restrict access to the service using access lists: If your situation requires limited access to a
service, then build and test appropriate access lists that can be applied to the service.

Filtering Router Service Traffic
This topic explains how to implement access lists to filter IP traffic destined for Telnet, SNMP
and Routing Information Protocol (RIP).

Reference Network Topology

[Figure: the reference network used in the remainder of this lesson. Details recoverable from the diagram:
R2: s0/0 to the PSTN (remote user); e0/0 16.1.1.2 on the corporate LAN 16.1.0.0/16; e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24 (authentication server 16.2.1.2, user 16.2.1.3, file server 16.2.1.4).
R1: e0/0 9.1.1.1 toward the Internet; e0/1 16.1.1.1 on the corporate LAN (the diagram also shows the label 16.2.0.10/24 next to R1).
R4: e0/1 9.2.1.1 on the remote office LAN 9.0.0.0/8, reached across the Internet.
R3: e0/0 16.1.1.4 on the corporate LAN; e0/1 16.2.2.1 on the DMZ LAN 16.2.2.0/24 (public web server 16.2.2.3, mail server 16.2.2.4, admin server 16.2.2.5, user 16.2.2.6); e0/2 16.2.3.1 on the protected LAN 16.2.3.0/24 (FTP/web server 16.2.3.2, user 16.2.3.3).
DNS server 16.1.10.1 on the corporate LAN.]

This figure shows the network topology referenced in the remainder of this lesson.

For the sake of clarity, the access lists contained in the following topics are depicted as
individual access lists. Generally, you would not build a succession of small access lists as we
show here. Most likely, you would build at least one access list for the outside router interface,
one for the inside router interface, and one or more access lists for general router use. Do not
attempt to combine the small examples shown here into these larger lists, because the statements
tend to contradict one another. A sample router configuration at the end of this lesson shows
how these functions are combined into logical access lists.

Telnet Service Filtering

[Figure: router R2 with e0/0 16.1.1.2 on the corporate LAN 16.1.0.0/16 and e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24, which holds the authentication server 16.2.1.2, the file server 16.2.1.4 and the user host 16.2.1.3.]

R2(config)# access-list 90 permit host 16.2.1.3 log
R2(config)# access-list 90 permit host 16.2.1.2 log
R2(config)# access-list 90 deny any log
R2(config)# line vty 0 4
R2(config-line)# access-class 90 in
R2(config-line)# end

Telnet (vty) is typically used by systems administrators to remotely access the router console
for configuration and maintenance. You should restrict which hosts have access to the vty lines
of the router by using an access list statement as shown in the figure.

In this example, IP standard access list 90 allows only hosts 16.2.1.3 and 16.2.1.2 to access
router R2 using Telnet (port 23). All other hosts are denied Telnet access to R2. This access list
is also designed to log all successful and unsuccessful attempts to access R2 using Telnet.

SNMP Service Filtering

[Figure: router R2 with e0/0 16.1.1.2 on the corporate LAN 16.1.0.0/16 and e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24 (authentication server 16.2.1.2, file server 16.2.1.4, user host 16.2.1.3).]

R2(config)# access-list 80 permit host 16.2.1.3
R2(config)# snmp-server community snmp-host1 ro 80

Because of the inherent lack of authentication in SNMPv1, this version of SNMP should be
used only on protected, internal networks. You should limit access to a router SNMP agent
using an access list statement as shown in the figure.

In the example, only the SNMP host with an IP address of 16.2.1.3 may access the router R2
SNMP agent. The access list further specifies that the SNMP host must use a community string
of “snmp-host1.”

Note The latest Cisco IOS software versions support SNMPv3, which offers more secure SNMP
operations. It is recommended that you implement SNMPv3 rather than older SNMP
versions whenever possible.

RIP Route Filtering

[Figure: router R1 (e0/0 toward the Internet, e0/1 16.1.1.1 on the corporate LAN 16.1.0.0/16) and router R3 (e0/0 16.1.1.4 on the corporate LAN, e0/1 16.2.2.1 on the DMZ LAN 16.2.2.0/24 with the public web server 16.2.2.3, mail server 16.2.2.4, admin server 16.2.2.5 and user 16.2.2.6); DNS server 16.1.10.1 on the corporate LAN.]

R1(config)# access-list 12 deny 16.2.2.0 0.0.0.255
R1(config)# access-list 12 permit any
R1(config)# router rip 1
R1(config-router)# distribute-list 12 out
R1(config-router)# end

Cisco routers share routing table update information to provide directions on where to route
traffic. Access lists should be used to limit which routes a router accepts (take in) or advertises
(send out) to its counterparts.

The example in the figure shows a standard IP access list as it is applied to the RIP routing
protocol, with “process-id 1.” In this example, router R1 does not advertise any routes of the
16.2.2.0 Demilitarized Zone (DMZ) network out interface e0/0.

Filtering Network Traffic to Mitigate Threats
This topic explains how to implement access lists to mitigate a range of threats.

IP Address Spoof Mitigation—Inbound

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 150 deny ip 16.2.1.0 0.0.0.255 any log
R2(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R2(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R2(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
R2(config)# access-list 150 deny ip host 255.255.255.255 any log
R2(config)# access-list 150 permit ip any 16.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 150 in
R2(config-if)# exit

Access lists can be used to mitigate many threats including the following:
IP address spoofing—Inbound
IP address spoofing—Outbound
Denial of service (DoS) TCP SYN attacks—Blocking external attacks
DoS TCP SYN attacks—Using TCP Intercept
DoS Smurf attacks
Filtering ICMP messages—Inbound
Filtering ICMP messages—Outbound
Filtering traceroute

As a rule, do not allow any IP packets containing the source address of any internal hosts or
networks, inbound to a private network. The figure shows access list 150 for router R2. In this
example, any packets containing the following IP addresses in their source field will be denied:
Denies any addresses from the internal 16.2.1.0 network
Denies any local host addresses (127.0.0.0/8)
Denies any reserved private addresses (RFC 1918)
Denies any addresses in the IP multicast address range (224.0.0.0/4)

This access list is applied inbound to the external interface (e0/0) of router R2.
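Building this list for a different internal network is mostly a matter of getting the wildcard masks right, because IOS takes an inverse mask rather than a prefix length. The following added example (not part of the course) derives the inverse masks with Python's ipaddress module and rebuilds the figure's access list 150 for any internal prefix and list number; the function names are this example's own.

```python
import ipaddress

# Added example, not from the course: generate the inbound anti-spoofing list shown in
# the figure for an arbitrary internal prefix. IOS wants "address wildcard" pairs, where
# the wildcard is the inverse of the subnet mask (224.0.0.0/4 -> 224.0.0.0 15.255.255.255).

# Source ranges the figure denies from the outside, written as CIDR prefixes.
NEVER_FROM_OUTSIDE = ["127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8",
                      "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"]


def wildcard(prefix):
    """'172.16.0.0/12' -> '172.16.0.0 0.15.255.255'.

    strict=True makes ip_network reject a prefix whose host bits are set
    (e.g. 16.2.1.5/24), which catches a mistyped network address early."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


def inbound_antispoof_acl(number, internal_prefix, log=True):
    """Entries to apply with 'ip access-group <number> in' on the outside interface,
    in the same order as the figure: own network, reserved ranges, broadcast, permit."""
    tail = " log" if log else ""
    lines = [f"access-list {number} deny ip {wildcard(internal_prefix)} any{tail}"]
    lines += [f"access-list {number} deny ip {wildcard(p)} any{tail}" for p in NEVER_FROM_OUTSIDE]
    lines.append(f"access-list {number} deny ip host 255.255.255.255 any{tail}")
    lines.append(f"access-list {number} permit ip any {wildcard(internal_prefix)}")
    return lines


if __name__ == "__main__":
    # Reproduces the figure's list 150 for the remote access LAN 16.2.1.0/24.
    print("\n".join(inbound_antispoof_acl(150, "16.2.1.0/24")))
```

`inbound_antispoof_acl(150, "16.2.1.0/24")` yields exactly the nine statements in the figure; changing the prefix to the network behind another interface gives the matching list for that interface.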

IP Address Spoof Mitigation—Outbound

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 105 permit ip 16.2.1.0 0.0.0.255 any
R2(config)# access-list 105 deny ip any any log
R2(config)# interface e0/1
R2(config-if)# ip access-group 105 in
R2(config-if)# end

“Be a good citizen and prevent your network from being spoofed.”

As a rule, you should not allow any outbound IP packets with a source address other than a
valid IP address of the internal network.

The example in the figure shows access list 105 for router R2. This access list permits only
those packets that contain source addresses from the 16.2.1.0/24 network and denies all others.

This access list is applied inbound to the inside interface (e0/1) of router R2.

Note Cisco routers running Cisco IOS Software Release 12.0 and later may use IP Unicast
Reverse Path Forwarding (RPF) verification as an alternative IP address spoof mitigation
mechanism.

DoS TCP SYN Attack Mitigation—Blocking External Access

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 109 permit tcp any 16.2.1.0 0.0.0.255 established
R2(config)# access-list 109 deny ip any any log
R2(config)# interface e0/0
R2(config-if)# ip access-group 109 in
R2(config-if)# end

TCP SYN attacks involve sending large numbers of TCP SYN packets from a spoofed source
into the internal network, which results in the flooding of the TCP connection queues of the
receiving nodes.

The access list in the figure is designed to prevent inbound packets, with the SYN flag set, from
entering the router. However, the access list does allow TCP responses from the outside
network for TCP connections that originated on the inside network.

DoS TCP SYN Attack Mitigation—Using TCP Intercept

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# ip tcp intercept list 110
R2(config)# access-list 110 permit tcp any 16.2.1.0 0.0.0.255
R2(config)# access-list 110 deny ip any any
R2(config)# interface e0/0
R2(config-if)# ip access-group 110 in
R2(config-if)# end

TCP Intercept is a very effective tool for protecting internal network hosts from external TCP
SYN attacks.

TCP Intercept protects internal hosts from SYN flood attacks by intercepting and validating
TCP connection requests before they reach the hosts. Valid connections (those connections
established within the configured thresholds) are passed on to the host. Invalid connection
attempts are dropped.

Note Because TCP Intercept examines every TCP connection attempt, TCP Intercept can impose
a performance burden on your routers. Always test for any performance problems before
using TCP Intercept in a production environment.

DoS Smurf Attack Mitigation

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 111 deny ip any host 16.2.1.255 log
R2(config)# access-list 111 deny ip any host 16.2.1.0 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 111 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 111 out
R2(config-if)# end
R2(config)# interface e0/0
R2(config-if)# ip access-group 111 in
R2(config-if)# end

Smurf attacks consist of large numbers of ICMP packets sent to a router subnet broadcast
address using a spoofed source IP address from that same subnet. Some routers may be
configured to forward these broadcasts to other routers in the protected network, and this
process causes performance degradation. The access list shown in the figure is used to prevent
this forwarding process and halt the smurf attack.

The access list in the figure blocks all IP packets originating from any host destined for the
subnet broadcast addresses specified (16.2.1.255 and 16.2.1.0).

Note Cisco IOS Software Releases 12.0 and later now have the “no ip directed-broadcast” feature
enabled by default, which prevents this type of ICMP attack. Therefore, you may not need to
build an ACL as shown here.

Filtering ICMP Messages—Inbound

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 112 deny icmp any any echo log
R2(config)# access-list 112 deny icmp any any redirect log
R2(config)# access-list 112 deny icmp any any mask-request log
R2(config)# access-list 112 permit icmp any 16.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 112 in
R2(config-if)# end

There are several ICMP message types that can be used against your network. Programs use
some of these messages; others are used for network management and so are automatically
generated by the router.

ICMP echo packets can be used to discover subnets and hosts on the protected network and can
also be used to generate DoS floods. ICMP redirect messages can be used to alter host routing
tables. Both ICMP echo and redirect messages should be blocked inbound by the router.

The access list statement shown in the figure blocks all ICMP echo and redirect messages. As
an added safety measure, this access list also blocks mask-request messages. All other ICMP
messages inbound to the 16.2.1.0/24 network are allowed.

Filtering ICMP Messages—Outbound

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any echo
R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any source-quench
R2(config)# access-list 114 deny icmp any any log
R2(config)# interface e0/1
R2(config-if)# ip access-group 114 in
R2(config-if)# end

The following ICMP messages are required for proper network operation and should be
allowed outbound:
Echo: Allows users to ping external hosts
Parameter problem: Informs host of packet header problems
Packet too big: Required for packet maximum transmission unit (MTU) discovery
Source quench: Throttles down traffic when necessary

As a rule, you should block all other ICMP message types outbound.

The access list shown in the figure permits all of the required ICMP messages outbound while
denying all others.

Filtering UDP Traceroute Messages

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 120 in
R2(config-if)# end
R2(config)# access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
R2(config)# interface e0/1
R2(config-if)# ip access-group 121 in
R2(config-if)# end
R2(config)# interface e0/0
R2(config-if)# ip access-group 121 out
R2(config-if)# end

The Traceroute feature uses some of the ICMP message types to complete several tasks.
Traceroute displays the IP addresses of the routers that a packet encounters along its path (hops)
from source to destination. Attackers can use the ICMP responses to the UDP traceroute packets to
discover subnets and hosts on the protected network.

As a rule, you should block all inbound and outbound traceroute UDP messages as shown in
the figure (UDP ports 33400 to 34400).

Mitigating DDoS with Access Control Lists
This topic explains how to configure router access lists to help reduce the effects of distributed
denial of service (DDoS) attacks.

Basics of DDoS Attacks

[Figure: a DDoS control hierarchy: two Clients at the top control four Handlers, each of which controls several Agents.]

• DDoS attacks exploit specific ports.
• Access lists can control access on a port-by-port basis.

The figure helps explain how a DDoS attack occurs:


Behind a Client is a person who launches the attack.
A Handler is a compromised host that is running the attacker program. Each handler is
capable of controlling multiple agents.
An Agent is a compromised host that is running the attacker program. Each agent is
responsible for generating a stream of packets that is directed toward the intended victim.

Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of
occurrences by building access lists that filter known attack ports. The following pages explain
how to block DDoS agents including Trin00, Stacheldraht, Trinity v3 and SubSeven by
blocking selected ports. These access list rules are generally applied to inbound and outbound
traffic between the protected network and the Internet.

A DDoS attack compromises several hundred to several thousand hosts. The hosts are usually
Linux and SUN computers. However, the attack tools can be ported to other platforms as well.
The process of compromising a host and installing the tool is automated. A DDoS attack
proceeds as follows:
Step 1 The attacker initiates a scan phase in which a large number of hosts (on the order of
100,000 or more) are probed for a known vulnerability.
Step 2 The attacker compromises the vulnerable hosts to gain access.
Step 3 The attacker installs the tool on each host.
Step 4 The attacker uses the compromised hosts for further scanning and compromises.
Because an automated process is used, attackers can compromise and install the tool on a single
host in under 5 seconds, and several thousand hosts can then be compromised in under an hour.

DDoS Attack Mitigation—Trin00

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 190 deny tcp any any eq 27665 log
R2(config)# access-list 190 deny udp any any eq 31335 log
R2(config)# access-list 190 deny udp any any eq 27444 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Trin00 is a distributed SYN DoS attack. The attack method is a UDP flood. The Trinoo attack
sets up communications between clients, handlers and agents using the following ports:
1524 tcp
27665 tcp
27444 udp
31335 udp

The mitigation tactic for the Trin00 attack, as well as for the other DoS attacks considered in
this topic, is to block both interfaces in the ‘in’ direction. The goal is to prevent infected outside
systems from sending messages to our network, and to prevent any infected internal systems
from sending messages out of our network to the vulnerable ports.

For example, in the figure, the command access-list 190 deny tcp any any eq 27665 log
translates to “access list number 190 denies any TCP traffic going from any network to any
network whose destination port equals 27665, and logs the match”.

If you want to restrict an entry to a specific source or destination network, you specify those
networks in place of any. For example, if the IP address of the inside network is 10.0.1.0 and we
want to block all such traffic going from this inside network to the Internet, the command would be
access-list 190 deny tcp 10.0.1.0 0.0.0.255 any eq 27665 log.

However, you must consider that blocking these ports may have an impact on regular network
users as they block some high port numbers that may be used by legitimate network clients.
You may wish to wait to block these port numbers until a particular threat presents itself.
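The log keyword on these entries is what tells you whether a filter such as access list 190 is actually seeing traffic. The following added example (not part of the course) parses the %SEC-6-IPACCESSLOG* syslog messages that Cisco IOS emits for logged ACL matches and summarizes them the way an operator would: denied packets per list, sources seen sending to the Trin00 ports from the figure, and inside addresses that tripped a deny. The syslog lines, hosts, ports and counts below are constructed for the example; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Added example, not from the course. The message shapes are the IOS %SEC-6-IPACCESSLOG*
# forms (P: tcp/udp with ports, DP: icmp with type/code, S: standard list, NP: other
# protocols); everything else in these lines is constructed sample data.
SAMPLE_SYSLOG = """\
Mar  1 10:02:11 R2 1234: %SEC-6-IPACCESSLOGP: list 190 denied tcp 16.2.1.9(1033) -> 9.1.1.25(27665), 1 packet
Mar  1 10:02:14 R2 1235: %SEC-6-IPACCESSLOGP: list 190 denied udp 16.2.1.9(1040) -> 9.1.1.25(27444), 12 packets
Mar  1 10:03:01 R2 1236: %SEC-6-IPACCESSLOGP: list 190 denied udp 9.1.1.25(31335) -> 16.2.1.9(31335), 3 packets
Mar  1 10:03:30 R2 1237: %SEC-6-IPACCESSLOGP: list 150 denied tcp 16.2.1.7(2000) -> 16.2.1.3(23), 1 packet
Mar  1 10:04:02 R2 1238: %SEC-6-IPACCESSLOGDP: list 112 denied icmp 9.1.1.5 -> 16.2.1.255 (8/0), 40 packets
Mar  1 10:04:10 R2 1239: %SEC-6-IPACCESSLOGS: list 90 denied 16.2.1.9 1 packet
Mar  1 10:04:12 R2 1240: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (16.2.1.3)
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP|S): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>\w+) )?"                                   # absent for standard lists
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?,)?"
    r" (?P<count>\d+) packets?"
)

# Trin00 control ports from the figure, keyed by (transport, destination port).
TRIN00_PORTS = {("tcp", 27665), ("udp", 27444), ("udp", 31335)}


def parse_acl_log(text):
    """Return one dict per ACL log message; syslog lines from other facilities are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "acl": d["acl"],
            "action": d["action"],
            "proto": d["proto"],                       # None for IPACCESSLOGS messages
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp": d["icmp"],                         # "type/code" for ICMP messages
            "count": int(d["count"]),
        })
    return events


def denied_by_list(events):
    """Denied packets per ACL number: shows which filter is doing the work."""
    totals = Counter()
    for e in events:
        if e["action"] == "denied":
            totals[e["acl"]] += e["count"]
    return dict(totals)


def trin00_port_hits(events):
    """Sources seen sending to a Trin00 control port, with the ports each one touched."""
    hits = defaultdict(set)
    for e in events:
        if (e["proto"], e["dport"]) in TRIN00_PORTS:
            hits[e["src"]].add(f'{e["proto"]}/{e["dport"]}')
    return {src: sorted(ports) for src, ports in hits.items()}


def internal_sources_denied(events, internal="16.2.1.0/24"):
    """Inside addresses that tripped a deny. On list 150 (inbound on e0/0) such a source is
    a spoofed packet arriving from outside; on list 190 it points at an inside host talking
    to a DDoS control port, which is worth a closer look either way."""
    net = ipaddress.ip_network(internal)
    return sorted({e["src"] for e in events
                   if e["action"] == "denied" and ipaddress.ip_address(e["src"]) in net},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_SYSLOG)
    print(denied_by_list(evs))
    print(trin00_port_hits(evs))
    print(internal_sources_denied(evs))
```

With the sample above, list 190 accounts for 16 denied packets, host 16.2.1.9 shows up on two Trin00 ports, and 16.2.1.7 appears as a spoofed inside source on list 150. Exact message wording varies slightly between IOS releases, so check the regular expression against a real sample before relying on it.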

DDoS Attack Mitigation—Stacheldraht

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 190 deny tcp any any eq 16660 log
R2(config)# access-list 190 deny tcp any any eq 65000 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Stacheldraht is a DDoS tool that appeared in the late summer of 1999 and combines features of
Trinoo and Tribe Flood Network (TFN). Stacheldraht also contains some advanced features,
such as encrypted attacker-master communication and automated agent updates. The possible
attacks are similar to those of TFN; namely, ICMP flood, SYN flood, UDP flood, and smurf
attacks.

A Stacheldraht attack sets up communication between clients, handlers and agents using the
following ports:
16660 tcp
65000 tcp
ICMP ECHO
ICMP ECHO REPLY

Note The ports listed above are the default ports for this tool. Use these ports for orientation and
example only, because the port numbers can easily be changed.

This figure shows an example that mitigates a Stacheldraht DDoS attack by blocking traffic on
the following ports:
TCP—16660
TCP—65000

DDoS Attack Mitigation—Trinity v3

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 190 deny tcp any any eq 33270 log
R2(config)# access-list 190 deny tcp any any eq 39168 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Trinity is capable of launching several types of flooding attacks on a victim site, including
UDP, fragment, SYN, RST, ACK, and other floods. Communication from the handler or
intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL. Trinity
appears to use primarily port 6667 and also has a backdoor program that listens on TCP port
33270.

This figure shows an example that mitigates a Trinity v3 DDoS attack by blocking traffic on
the following ports:
TCP—33270
TCP—39168

DDoS Attack Mitigation—SubSeven

[Figure: router R2, e0/0 16.1.1.2 toward the corporate LAN, e0/1 16.2.1.1 on the remote access LAN 16.2.1.0/24.]

R2(config)# access-list 190 deny tcp any any range 6711 6712 log
R2(config)# access-list 190 deny tcp any any eq 6776 log
R2(config)# access-list 190 deny tcp any any eq 6669 log
R2(config)# access-list 190 deny tcp any any eq 2222 log
R2(config)# access-list 190 deny tcp any any eq 7000 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Depending on the version, an attacker will try to exploit ports 1243, 1999, 2773, 2774, 6667,
6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, 54283. The figure shows an
example that mitigates a SubSeven DDoS attack by blocking traffic on the following ports:
TCP—Range 6711 to 6712
TCP—6776
TCP—6669
TCP—2222
TCP—7000

Combining Access Functions
This topic describes how to combine many access list functions into two or three larger access
lists.

Combining Access Functions

[Figure: the reference network topology shown earlier in this lesson: R2 (e0/0 16.1.1.2, e0/1 16.2.1.1, s0/0 to the PSTN) between the corporate LAN 16.1.0.0/16 and the remote access LAN 16.2.1.0/24; R1 (e0/0 9.1.1.1, e0/1 16.1.1.1) toward the Internet and the remote office LAN 9.0.0.0/8 behind R4 (e0/1 9.2.1.1); R3 (e0/0 16.1.1.4, e0/1 16.2.2.1, e0/2 16.2.3.1) serving the DMZ LAN 16.2.2.0/24 and the protected LAN 16.2.3.0/24; DNS server 16.1.10.1.]

This is an example of a possible configuration for Router R2 in our reference network. This
partial configuration file contains several access lists that contain most of the access list
features already explained in this lesson. View this partial configuration as an example of how
to integrate multiple access list policies into a few main router access lists.

The following partial configuration file shows how to combine many access list functions into
two or three larger access lists.
!
hostname R2
!
interface Ethernet0/0
ip address 16.1.1.2 255.255.0.0
ip access-group 126 in
!
interface Ethernet0/1
ip address 16.2.1.1 255.255.255.0
ip access-group 128 in
!
router ospf 44
network 16.1.0.0 0.0.255.255 area 0
network 16.2.1.0 0.0.0.255 area 1

!
! Access list 80 applies to SNMP hosts allowed to access this router
no access-list 80
access-list 80 permit host 16.2.1.2
access-list 80 permit host 16.2.1.3
!
! Access list 126 applies to traffic flowing from external networks to the
! internal network or to the router itself
no access-list 126
access-list 126 deny ip 16.2.1.0 0.0.0.255 any log
access-list 126 deny ip host 16.1.1.2 host 16.1.1.2 log
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 10.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
access-list 126 deny ip any host 16.2.1.255 log
access-list 126 deny ip any host 16.2.1.0 log
access-list 126 permit tcp any 16.2.1.0 0.0.0.255 established
access-list 126 deny icmp any any echo log
access-list 126 deny icmp any any redirect log
access-list 126 deny icmp any any mask-request log
access-list 126 permit icmp any 16.2.1.0 0.0.0.255
access-list 126 permit ospf 16.1.0.0 0.0.255.255 host 16.1.1.2
access-list 126 deny tcp any any range 6000 6063 log
access-list 126 deny tcp any any eq 6667 log
access-list 126 deny tcp any any range 12345 12346 log
access-list 126 deny tcp any any eq 31337 log
access-list 126 permit tcp any eq 20 16.2.1.0 0.0.0.255 gt 1023
access-list 126 deny udp any any eq 2049 log
access-list 126 deny udp any any eq 31337 log
access-list 126 deny udp any any range 33400 34400 log
access-list 126 permit udp any eq 53 16.2.1.0 0.0.0.255 gt 1023
access-list 126 deny tcp any range 0 65535 any range 0 65535 log
access-list 126 deny udp any range 0 65535 any range 0 65535 log
access-list 126 deny ip any any log
!
! Access list 128 applies to traffic flowing from the internal network to external
! networks or to the router itself
no access-list 128

access-list 128 deny ip host 16.2.1.1 host 16.2.1.1 log
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any echo
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any source-quench
access-list 128 deny tcp any any range 1 19 log
access-list 128 deny tcp any any eq 43 log
access-list 128 deny tcp any any eq 93 log
access-list 128 deny tcp any any range 135 139 log
access-list 128 deny tcp any any eq 445 log
access-list 128 deny tcp any any range 512 518 log
access-list 128 deny tcp any any eq 540 log
access-list 128 permit tcp 16.2.1.0 0.0.0.255 gt 1023 any lt 1024
access-list 128 permit udp 16.2.1.0 0.0.0.255 gt 1023 any eq 53
access-list 128 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
access-list 128 deny tcp any range 0 65535 any range 0 65535 log
access-list 128 deny udp any range 0 65535 any range 0 65535 log
access-list 128 deny ip any any log
!
! Access list 85 applies to remote access for the specified hosts to the router
! itself
no access-list 85
access-list 85 permit tcp host 16.2.1.10 host 0.0.0.0 eq 23 log
access-list 85 permit tcp host 16.2.1.11 host 0.0.0.0 eq 23 log
access-list 85 permit tcp host 16.2.1.12 host 0.0.0.0 eq 23 log
access-list 85 deny ip any any log
!
snmp-server community snmp-host1 ro 80
!

Caveats
This topic explains some of the caveats to be considered when creating access lists.

Access List Caveats

Statement                         Caveat
Implicit deny all                 You may not see this statement but it does exist.
Standard access list limitation   You may need to create extended access lists to implement security policies.
Statement evaluation order        Access list statements are evaluated from top down, so always consider the order of the statements.
Order of access list statements   Place more specific access list statements higher in the access list. Ensure statements at the top of the access list do not negate any statements found lower in the list.
Directional filtering             Always double-check the direction (inbound or outbound) of data that your access list is filtering.

There are several caveats to consider when working with access lists:
Implicit deny all: All Cisco access lists end with an implicit deny all statement. Although
you may not actually see this statement in your access lists, it does exist.
Standard access list limitation: Because standard access lists are limited to packet
filtering on source addresses only, you may need to create extended access lists to
implement your security policies.
Statement evaluation order: Access list statements are evaluated in a sequential (top
down) order starting with the first entry in the list. This process means that it is very
important to consider the order in which you place statements in your access lists.
Specific statements: Certain access list statements are more specific than others and
therefore should be placed higher in the access list. For example, blocking all UDP traffic
at the top of the list negates the blocking of SNMP packets lower in the list. Care must be
taken that statements at the top of the access list do not negate any statements found lower
in the list.
Directional filtering: Cisco access lists have a directional filter that determines whether
they examine inbound packets (toward the interface) or outbound packets (away from the
interface). Always double-check the direction of data that your access list is filtering.

Access List Caveats (Cont.)

Statement: Caveat
Modifying numbered access lists: Adding new statements may require a new access list to be created.
Special packets: If filtering router-generated packets is part of the security policy, then they must be acted upon by inbound access lists on adjacent routers or through other router filter mechanisms using ACLs.
Extended access list placement: Always consider placing extended access lists on routers as close as possible to the source being filtered.
Standard access list placement: Always place standard access lists as close to the destination as possible.


Adding statements: New statements added to an existing access list are always appended
to the bottom of the access list. Because of the inherent top down statement evaluation
order of access lists, these new entries may render the access list unusable. In these cases, a
new access list must be created (with the correct statement ordering). Delete the old access
list and assign the new access list to the router interface.
Special packets: Router-generated packets, such as routing table updates, are not subject to
outbound access list statements on the source router. If filtering these types of packets is
part of your security policy, they must be acted upon by inbound access lists on
adjacent routers or through other router filter mechanisms using ACLs.
Extended access list placement: Extended access lists that are placed on routers too far
from the source being filtered can adversely impact packets flowing to other routers and
interfaces. Always consider placing extended access lists on routers as close as possible to
the source being filtered.
Standard access list placement: Because standard access lists filter packets based on the
source address, placing these access lists too close to the source can adversely impact
packets destined to other destinations. Always place standard access lists as close to the
destination as possible.
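To make the evaluation-order and implicit-deny caveats concrete, here is an added Python example (not code from the SND guide or from Cisco) that models first-match evaluation of an extended access list with Cisco wildcard masks and flags statements that an earlier, broader statement shadows. The access list reproduces the UDP/SNMP case from the text; the addresses are taken from the lesson figures and the statements themselves are constructed for the demonstration.

```python
"""First-match access list evaluation and shadowed-statement detection.

Added example, not from the SND guide: a small Python model of Cisco-style
extended access list semantics that illustrates two of the caveats above,
the implicit deny all at the end of every list and the way a broad statement
placed higher in the list negates a more specific statement below it.
The access lists and packets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
ANY = (0, MASK32)  # "any": address 0.0.0.0 with wildcard 255.255.255.255


def addr(text: str) -> int:
    return int(IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, source/destination as
    Cisco address + wildcard mask, and an optional destination port."""
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int] = None   # None means any destination port


def wild_match(rule_addr: int, wild: int, packet_addr: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    care = ~wild & MASK32
    return (rule_addr & care) == (packet_addr & care)


def ace_matches(ace: Ace, proto: str, src: str, dst: str,
                dst_port: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst_port is not None and ace.dst_port != dst_port:
        return False
    return (wild_match(ace.src, ace.src_wild, addr(src))
            and wild_match(ace.dst, ace.dst_wild, addr(dst)))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down evaluation, first match wins. Falling off the end of the
    list is the implicit deny all, reported with index None."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dst_port):
            return ace.action, index
    return "deny", None


def covers(outer: Ace, inner: Ace) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    def range_covers(o_addr, o_wild, i_addr, i_wild):
        # outer's don't-care bits must include inner's, and on the bits outer
        # does care about the two addresses must agree
        return (o_wild | i_wild) == o_wild and wild_match(o_addr, o_wild, i_addr)

    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    port_ok = outer.dst_port is None or outer.dst_port == inner.dst_port
    return (proto_ok and port_ok
            and range_covers(outer.src, outer.src_wild, inner.src, inner.src_wild)
            and range_covers(outer.dst, outer.dst_wild, inner.dst, inner.dst_wild))


def shadowed_entries(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, by_index) pairs for entries that can never match
    because a single earlier entry already covers them. (Shadowing by the
    combined effect of several earlier entries is not detected here.)"""
    result = []
    for j, inner in enumerate(acl):
        for i in range(j):
            if covers(acl[i], inner):
                result.append((j, i))
                break
    return result


# Constructed list reproducing the caveat from the text: the broad UDP deny
# at the top negates the SNMP-specific deny placed below it.
BROAD_FIRST = [
    Ace("deny", "udp", *ANY, *ANY),                                # deny udp any any
    Ace("deny", "udp", *ANY, addr("16.2.2.1"), 0, 161),            # deny udp any host 16.2.2.1 eq snmp
    Ace("permit", "tcp", addr("16.2.3.0"), 0x000000FF, *ANY, 80),  # permit tcp 16.2.3.0 0.0.0.255 any eq www
]

# The same statements with the specific entry moved above the broad one.
SPECIFIC_FIRST = [BROAD_FIRST[1], BROAD_FIRST[0], BROAD_FIRST[2]]

if __name__ == "__main__":
    print("shadowed in BROAD_FIRST:", shadowed_entries(BROAD_FIRST))        # [(1, 0)]
    print("shadowed in SPECIFIC_FIRST:", shadowed_entries(SPECIFIC_FIRST))  # []
    print(evaluate(BROAD_FIRST, "tcp", "16.2.3.3", "16.2.2.4", 443))        # ('deny', None)
```

Running the script shows entry 1 of BROAD_FIRST reported as shadowed by entry 0, nothing shadowed once the specific entry is moved up, and a packet that matches no statement falling through to the implicit deny. The same check can be run over any list built from `Ace` entries before it is applied to an interface.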

Summary
This topic summarizes the key points discussed in this lesson.

Summary
• Standard, extended, enhanced, named and numbered access lists
can be created.
• There are basic and simple rules to be followed when creating
access lists.
• Access lists must be applied based on the direction of the data
flow.
• Access lists can be used to filter traffic to mitigate security
threats.
• Access lists can be used to filter traffic and mitigate several
common threats.
• Access lists can be used to mitigate DDoS attacks.
• Many access list functions can be combined into two or three
larger access lists.
• There are many caveats to be considered when creating access
lists.


Lesson Self Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which two of the following access list numbers represent a Standard IP access list?
(Choose two.) (Source: Cisco Access Lists)
A) 1 to 99
B) 100 to 199
C) 1300 to 1999
D) 2000 to 2699
Q2) Explain what the command statement access-list 10 permit 192.168.3.0 0.0.0.255
does. (Source: Cisco Access Lists)

Q3) Explain what the command statement access-list 101 permit tcp 63.36.9.0 0.0.0.255
any eq 80 does. (Source: Cisco Access Lists)

______________________________________________________________________

Q4) List the four types of enhanced access lists. (Source: Applying Access Lists to Router
Interfaces)

______________________________________________________________________

Lesson Self-Check Answer Key
Q1) A, C

Q2) This standard access list command statement allows traffic from all addresses in the range 192.168.3.0 to
192.168.3.255.

Q3) This extended access list command statement says that ACL 101 will permit traffic originating from any
address on the 63.36.9.0/24 network to any destination host port 80 (http).

Q4) Dynamic, time-based, reflexive, context-based access control (CBAC)

Lesson 7

Implementing Secure Management and Reporting

Overview
This lesson describes how to securely implement the management and reporting features of
syslog, Secure Shell (SSH) and Simple Network Management Protocol version 3 (SNMPv3).

Objectives
Upon completing this lesson, you will be able to securely implement management and
reporting features of syslog, SSH and SNMPv3. This ability includes being able to meet these
objectives:
Describe the factors you must consider when planning the secure management and
reporting configuration of network devices
Describe the factors that affect the architecture of secure management and reporting in
terms of in-band and out-of-band information paths
Describe the steps used to configure an SSH server for secure management and reporting
Describe how the syslog function plays a key role in network security
Describe how to configure syslog on Cisco routers using syslog router commands
Describe the security features of SNMPv3
Describe how to configure SNMPv3 on a Cisco IOS router or switch
Secure Management and Reporting Planning Considerations
This topic explains the factors you must consider when planning the secure management and
reporting configuration of network devices.

Considerations for Secure Management and Reporting

• What are the most important logs?
• How are important messages separated from routine notifications?
• How do you prevent tampering with logs?
• How do you make sure time stamps match?
• What log data is needed in criminal investigations?
• How do you deal with the volume of log messages?
• How do you manage all the devices?
• How can you track changes when attacks or network failures occur?


Configuring logging for your Cisco routers is a straightforward operation when your network
contains only a few Cisco routers. However, logging and reading information from hundreds of
devices can prove to be a challenging proposition and can raise the following important
questions.
Which logs are most important?
How do you separate important messages from mere notifications?
How do you ensure that logs are not tampered with in transit?
How do you ensure your time stamps match each other when multiple devices report the
same alarm?
What information is needed if log data is required for a criminal investigation?
How do you deal with the volume of messages that can be generated by a large network?

Securing administrative access and device configurations is also a straightforward operation for
smaller Cisco router networks. However, managing administrative access and device
configurations for many more devices can raise questions such as the following:
How do you securely manage many devices in many locations?
How can you track and troubleshoot changes on devices when attacks or network failures
occur?

Each of these issues is specific to your needs. To identify the priorities of reporting and
monitoring, input from management as well as from the network and security teams is required.
The implemented security policy should also play a large role in answering these questions.

From a reporting standpoint, most networking devices can send syslog data that can be
invaluable when you are troubleshooting network problems or security threats. You can send
this data to your syslog analysis host from any device whose logs you wish to view. This data
can be viewed in real time or on demand and in scheduled reports. Depending on the device
involved, you can choose various logging levels to ensure that the correct amount of data is
sent to the logging device. You must also flag device log data within the analysis software to
permit granular viewing and reporting. For example, during an attack, the log data provided by
Layer 2 switches might not be as interesting as the data provided by the intrusion detection
system (IDS).

To ensure that log messages are time-synchronized to one another, clocks on hosts and network
devices must be synchronized. For devices that support it, Network Time Protocol (NTP)
provides a way to ensure that accurate time is kept on all devices. When you are dealing with
an attack, seconds matter, because it is important to identify the order in which a specified
attack occurred.

Configuration change management is another issue related to secure management. When a
network is under attack, it is important to know the state of critical network devices and when
the last known modifications occurred. Creating a plan for change management should be a part
of your comprehensive security policy, but, at a minimum, you should record changes using
authentication systems on the devices and archive configurations via FTP or TFTP.

Secure Management and Reporting Architecture
This topic describes the factors that affect the architecture of secure management and reporting
in terms of in-band and out-of-band information paths.

Secure Management and Reporting—Architectural Perspective

[Figure: a protected management network (behind the firewall) containing the SNMP server, syslog server, access control server, system admin host and a terminal server, connected through a Cisco IOS firewall with VPN. The terminal server reaches all device console ports over the OOB network management path, and encrypted in-band network management (VPN) crosses the production network.]

• In-Band Management
• Out-of-Band Management


The figure shows a management module with two network segments separated by a Cisco IOS
router that acts as a firewall and a virtual private network (VPN) termination device. The
segment outside the firewall connects to all the devices that require management. The segment
inside the firewall contains the management hosts themselves and the Cisco IOS routers that act
as terminal servers.

Information flow between management hosts and the managed devices can take two paths:
Out-of-band (OOB): Information flows within a network on which no production traffic
resides.
In-band: Information flows across the enterprise production network or the Internet (or
both).

The connection to the production network is only provided for selective Internet access, limited
in-band management traffic, and IPSec-protected management traffic from predetermined
hosts. In-band management occurs only when a management application itself does not
function out-of-band or when the Cisco device being managed does not physically have enough
interfaces to support the normal management connection. It is this latter case that employs
IPSec tunnels. The Cisco IOS firewall is configured to allow syslog information into the
management segment, as well as Telnet, SSH, and SNMP, if these services are first initiated by
the inside network.

Both management subnets operate under an address space that is completely separate from the
rest of the production network. This practice ensures that the management network is not
advertised by any routing protocols and it enables the production network devices to block any
traffic from the management subnets that appears on the production network links.

Any in-band management or Internet access occurs through a Network Address Translation
(NAT) process on the Cisco IOS router that translates the nonroutable management IP
addresses to previously determined production IP address ranges.

The management module provides configuration management for nearly all devices in the
network using two primary technologies:
Cisco IOS routers acting as terminal servers: The routers provide a reverse Telnet function
to the console ports on the Cisco devices throughout the enterprise.
Dedicated management network segment: More extensive management features (software
changes, content updates, log and alarm aggregation, and SNMP management) are
provided through the dedicated management network segment.

Because the management network has administrative access to nearly every area of the
network, it can be a very attractive target to hackers. The management module has been built
with several technologies designed to mitigate those risks. The first primary threat is a hacker
attempting to gain access to the management network itself. This threat can be mitigated only
through the effective deployment of security features in the remaining modules in the
enterprise. All the remaining threats assume that the primary line of defense has been breached.
To mitigate the threat of a compromised device, access control is implemented at the firewall,
and at every other possible device, to prevent exploitation of the management channel. A
compromised device cannot even communicate with other hosts on the same subnet because
private virtual local-area networks (VLANs) on the management segment switches force all
traffic from the managed devices directly to the Cisco IOS firewall, where filtering takes place.
Password sniffing reveals only useless information because of the one-time password (OTP)
environment. Use SNMPv3 where possible, since SNMPv3 supports authentication and
encryption.

SNMP management has its own set of security needs. Keeping SNMP traffic on the
management segment allows the traffic to traverse an isolated segment when it pulls
management information from devices. In the Cisco Self-Defending Network topology, SNMP
management pulls information only from devices rather than being allowed to push changes.
To ensure management information is pulled, each device is configured with a “read-only”
string. You may configure SNMP “read-write” when using an OOB network, but be aware of
the increased security risk of a clear text string allowing modification of device configurations.

Proper aggregation and analysis of the syslog information is critical to the proper management
of a network. From a security perspective, syslog provides important information about security
violations and configuration changes. Depending on the device in question, different levels of
syslog information might be required. Having full logging with all messages sent might provide
too much information for an individual or syslog analysis algorithm to sort. Logging for the
sake of logging does not improve security.

Secure Management and Reporting—Information Paths

[Figure: the same protected management network (behind the firewall) with SNMP server, syslog server, access control server, system admin host and terminal server. Labelled paths: OOB configuration management from the terminal server to all device console ports; private VLANs on the management segment; stateful packet filtering and IPSec termination for management on the Cisco IOS firewall with VPN; encrypted in-band network management (VPN) across the production network; configuration and content management over the OOB management network (SSH if possible).]

Network administrators need to securely manage all devices and hosts in the network. Logging
and reporting information flows from the devices to the management hosts, while content,
configurations, and new software flow to the devices from the management hosts.

From an architectural perspective, providing OOB management of network systems is the best
first step in any management and reporting strategy. Devices should have a direct local
connection to such a network where possible, and where impossible (because of geographic or
system-related issues), the device should connect via a private encrypted tunnel over the
production network. Such a tunnel should be preconfigured to communicate only across the
specific ports required for management and reporting. The tunnel should also be locked down
so that only appropriate hosts can initiate and terminate tunnels.

OOB management is not always desirable. Often the decision depends on the type of
management application that you are running and the protocols that are required. For example,
consider a management tool whose goal is determining the reachability of all the devices on the
production network. If a critical link failed between two core switches, you would want this
management console to alert an administrator. If this management application is configured to
use an OOB network, it may never determine that the link has failed, because the OOB network
makes all devices appear to be attached to a single network. With management applications
such as these, it is preferable to run the management application in-band. In-band management
needs to be configured in as secure a manner as possible. Often in-band and OOB management
can be configured from the same management network, provided there is a firewall between the
management hosts and the devices needing management.

In-Band Management Considerations

• What management protocols does each device support?
• Does the management channel need to be active at all times?
• Is SNMP necessary?
• Is there a change management policy or plan in place?

When in-band management of a device is required, you should consider the following
questions:
What management protocols does the device support? Devices with IPSec should be
managed by simply creating a tunnel from the management network to the device. This
setup allows many insecure management protocols to flow over a single encrypted tunnel.
When IPSec is not possible because it is not supported on a device, other, less secure
options must be chosen. For configuration of the device, SSH or Secure Sockets Layer
(SSL) can often be used instead of Telnet to encrypt any configuration modifications made
to a device. These protocols can sometimes also be used to push and pull data to a device
instead of insecure protocols such as TFTP and FTP. Often, however, TFTP is required on
Cisco equipment to back up configurations or to update software versions. This fact leads
to the second question.
Does this management channel need to be active at all times? If not, temporary holes
can be placed in a firewall while the management functions are performed and then later
removed. This process does not scale with large numbers of devices, however, and should
be used sparingly, if at all, in enterprise deployments. If the channel needs to be active at all
times, such as with SNMP, the third question should be considered.
Do you really need this management tool? Often, SNMP managers are used on the inside
of a network to ease troubleshooting and configuration. However, SNMP should be treated
with the utmost care because the underlying protocol has its own set of security
vulnerabilities. If SNMP is required, consider providing read-only access to devices via
SNMP, and treat the SNMP community string with the same care you might use for a root
password on a critical UNIX host. Know that by introducing SNMP into your production
network, you are introducing a potential vulnerability into your environment. And finally,
if you do need the tool, use SNMPv3 authentication and encryption features.

Secure Management and Reporting—
General Guidelines
• OOB management guidelines:
– Provide highest level of security and mitigate the risk of
passing insecure management protocols over the
production network.
– Keep clocks on hosts and network devices synchronized.
– Record changes and archive configurations.
• In-band management guidelines:
– Apply only to devices needing to be managed or monitored.
– Use IPSec when possible.
– Use SSH or SSL instead of Telnet.
– Decide whether the management channel needs to be open
at all times.
– Keep clocks on hosts and network devices synchronized.
– Record changes and archive configurations.

The figure outlines guidelines for out-of-band and in-band management of the architecture.

As a general rule, OOB management is appropriate for large enterprise networks. In smaller
networks, in-band management is recommended as a means of achieving a more cost-effective
security deployment. In such architectures, management traffic flows in-band in all cases and is
made as secure as possible using tunneling protocols and secure variants to insecure
management protocols (for example, SSH is used whenever possible instead of Telnet).

To ensure that log messages are time-synchronized to one another, clocks on hosts and network
devices must be synchronized. For devices that support it, NTP provides a way to ensure that
accurate time is kept on all devices.

When you are dealing with an attack, seconds matter, because it is important to identify the
order in which a specified attack occurred.

NTP is used to synchronize the clocks of various devices across a network. Synchronization of
the clocks within a network is critical for digital certificates and for correct interpretation of
events within syslog data. A secure method of providing clocking for the network is for
network administrators to implement their own master clocks. The private network should then
be synchronized to Coordinated Universal Time (UTC) via satellite or radio. However, clock
sources are available that synchronize via the Internet for network administrators who do not
wish to implement their own master clocks because of cost or other reasons.

An attacker could attempt a denial of service (DoS) attack on a network by sending bogus NTP
data across the Internet in an attempt to change the clocks on network devices in such a manner
that digital certificates are considered invalid. Further, an attacker could attempt to confuse a
network administrator during an attack by disrupting the clocks on network devices. This
scenario would make it difficult for the network administrator to determine the order of syslog
events on multiple devices.

NTP version 3 and above supports a cryptographic authentication mechanism between peers.
The use of the authentication mechanism, as well as the use of access control lists (ACLs) that
specify which network devices are allowed to synchronize with other network devices, is
recommended to help mitigate such an attack.

The network administrator should weigh the cost benefits of pulling the clock time from the
Internet with the possible risk of doing so and allowing unsecured packets through the firewall.
Many NTP servers on the Internet do not require any authentication of peers. Therefore, the
network administrator must trust that the clock itself is reliable, valid, and secure. NTP uses
User Datagram Protocol (UDP) port 123.

Configuring an SSH Server for Secure Management and Reporting
This topic describes the steps used to configure an SSH server for secure management and
reporting.

Configuring the SSH Server for Secure Management and Reporting

Austin2# config t
Austin2(config)# ip domain-name cisco.com
Austin2(config)# crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)# ip ssh time-out 120
Austin2(config)# ip ssh authentication-retries 4
Austin2(config)# line vty 0 4
Austin2(config-line)# no transport input telnet
Austin2(config-line)# transport input ssh
Austin2(config-line)# end
Austin2#


Whenever possible, you should use SSH instead of Telnet to manage your Cisco routers. SSH
version 1 is supported in Cisco IOS Software Releases 12.1(1)T and later. SSH version 2 is
supported in Cisco IOS Software Releases 12.3(4)T and later. Cisco routers configured for SSH
act as SSH servers. You must provide an SSH client such as PuTTY, OpenSSH, or Tera Term
for the administrator workstation that you wish to use to configure and manage routers using
SSH.

Note Cisco routers operating at Cisco IOS Software Releases 12.1(3)T and later can act as SSH
clients as well as SSH servers. This means that you could initiate an SSH client-to-server
session from your router to a central SSH server system. SSH employs strong encryption to
protect the SSH client-to-SSH server session. Unlike Telnet, where anyone with a sniffer can
see exactly what you are sending and receiving to and from your routers, SSH encrypts the
entire session.

Complete the following tasks before configuring your routers for SSH server operations:
Ensure that the target routers are running an image from Cisco IOS Software Release
12.1(1)T or later with the IPSec feature set. Only Cisco IOS software images containing the
IPSec feature set support an SSH server.
Ensure that the target routers are configured for local authentication or authentication,
authorization and accounting (AAA) for username or password authentication or both.
Ensure that each of the target routers has a unique hostname.
Ensure that each of the target routers is using the correct domain name of your network.

Complete the following steps to configure your Cisco router to support SSH server:

Step 1 Configure the IP domain name using the ip domain-name command in global
configuration mode as shown in the figure and in the following example:
Austin2(config)# ip domain-name cisco.com
Step 2 Generate keys to be used with SSH by generating the Rivest, Shamir, and Adleman
(RSA) keys using the crypto key generate rsa command in global configuration
mode as shown in the figure and in the following example:
Austin2(config)# crypto key generate rsa general-keys modulus 1024

Note It is recommended that you use a minimum key length of modulus 1024.

Step 3 (Optional) Display the generated keys using the show crypto key mypubkey rsa
command.
Step 4 Configure the time that the router waits for the SSH client to respond using the ip
ssh time-out command in global configuration mode as shown in the figure and in
the following example:
Austin2(config)# ip ssh time-out 120
Step 5 Configure the SSH retries using the ip ssh authentication-retries command in
global configuration mode as shown in the figure and in the following example:
Austin2(config)# ip ssh authentication-retries 4

Caution Be sure to disable Telnet transport input on all of the router vty lines or else the router will
continue to allow insecure Telnet sessions.

Step 6 Disable vty inbound Telnet sessions as shown in the figure and in the following
example:
Austin2(config)# line vty 0 4
Austin2(config-line)# no transport input telnet
Step 7 Enable vty inbound SSH sessions as shown in the figure and in the following
example:
Austin2(config-line)# transport input ssh
Austin2(config-line)# end
Austin2#

The SSH protocol is automatically enabled once you generate the SSH (RSA) keys as shown in
the figure. Once the keys are created, you may access the router SSH server using your SSH
client software.

The procedure for connecting to a Cisco router SSH server varies depending on the SSH client
application that you are using. Generally, the SSH client passes your username to the router
SSH server. The router SSH server prompts you for the correct password. Once the password
has been verified, you can configure and manage the router as if you were a standard vty user.
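As an added check (not part of the SND guide), the following Python audits a running configuration, supplied as text, for the settings the steps above produce: the domain name, the SSH timeout and retry limit, and the vty transport. It flags any vty range that still lists telnet or has no explicit transport input, the condition the caution above warns about. Both sample configurations are constructed; only the hostname Austin2 and the values 120 and 4 come from the example above.

```python
"""Audit a Cisco IOS configuration for the SSH server settings described above.

Added example, not part of the SND guide: a checker that reads a running
configuration as text and reports whether the steps above were applied
(domain name set, SSH timeout and retry limit set, Telnet removed from and
SSH enabled on every vty line). The two configurations below are
constructed for the demonstration; the hostname Austin2 and the values
120 and 4 are the ones used in the text.
"""
import re
from typing import Dict, List

# Constructed: the first vty range is correct, the second still allows Telnet.
PARTIAL_CONFIG = """\
hostname Austin2
ip domain-name cisco.com
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Constructed: the same configuration after Telnet was removed from every vty line.
HARDENED_CONFIG = PARTIAL_CONFIG.replace("transport input telnet ssh", "transport input ssh")


def parse_vty_transports(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty ...' block to the protocol list of its transport input.
    A block with no explicit transport input is recorded as ["unspecified"],
    because the platform default cannot be verified from the text alone."""
    transports: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # top-level command: either opens a vty block or ends the current one
            current = line if re.match(r"line vty \d+( \d+)?$", line) else None
            if current:
                transports[current] = ["unspecified"]
            continue
        if current and line.strip().startswith("transport input "):
            transports[current] = line.split()[2:]
    return transports


def audit_ssh(config: str) -> Dict[str, bool]:
    """One boolean per check; True means the setting from the text is present."""
    vty = parse_vty_transports(config)
    return {
        "domain_name_set": re.search(r"^ip domain-name \S+", config, re.M) is not None,
        "ssh_timeout_set": re.search(r"^ip ssh time-out \d+", config, re.M) is not None,
        "ssh_retries_set": re.search(r"^ip ssh authentication-retries \d+", config, re.M) is not None,
        "vty_lines_present": bool(vty),   # all() over no vty blocks would be vacuously True
        "telnet_disabled_on_all_vty": all(
            "telnet" not in t and "all" not in t and "unspecified" not in t for t in vty.values()),
        "ssh_enabled_on_all_vty": all("ssh" in t or "all" in t for t in vty.values()),
    }


def failing_vty_lines(config: str) -> List[str]:
    """vty blocks that still accept Telnet or whose transport cannot be confirmed."""
    return [name for name, t in parse_vty_transports(config).items()
            if "telnet" in t or "all" in t or "unspecified" in t]


if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg), failing_vty_lines(cfg))
```

Run against the partial configuration the audit reports `telnet_disabled_on_all_vty` as False and names `line vty 5 15`; against the hardened configuration every check passes. Feeding it the output of a saved `show running-config` from each router gives the same verification across a fleet.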

Using Syslog Logging for Network Security
This topic describes how the syslog function plays a key role in network security.

Implementing Log Messaging for Security

• Routers should be configured to send log messages to one or more of the following:
  – Console
  – Terminal lines
  – Memory buffer
  – SNMP traps
  – Syslog
• Syslog logging is a key security policy component.


Implementing a router logging facility is an important part of any network security policy.
Cisco routers can log information regarding configuration changes, access list violations,
interface status, and many other types of events. Cisco routers can direct log messages to
several different facilities. You should configure the router to send log messages to one or more
of the following:
Console: Console logging is used when modifying or testing the router while it is
connected to the console. Messages sent to the console are not stored by the router, and
therefore are not very valuable as security events.
Terminal lines: Enabled EXEC sessions can be configured to receive log messages on any
terminal lines. Similar to console logging, this type of logging is not stored by the router
and therefore is only valuable to the user on that line.
Memory buffer: You may direct a router to store log messages in router memory. Buffered
logging is a bit more useful as a security tool, but has the drawback of having events
cleared whenever the router is booted.
Simple Network Management Protocol (SNMP) traps: Certain router events may be
processed by the router SNMP agent and forwarded as SNMP traps to an external SNMP
host. This is a viable security logging facility, but requires the configuration and
maintenance of an SNMP system.
Syslog: Cisco routers can be configured to forward log messages to an external syslog
service. This service may reside on any number of servers, including Microsoft Windows
and UNIX-based systems. Syslog is the most popular message logging facility because this
facility provides long-term log storage capabilities and a central location for all router
messages.

Syslog Systems

[Figure: router R3 (syslog client) with e0/0 16.1.10.1, e0/1 16.2.2.1 to the DMZ LAN 16.2.2.0/24 and e0/2 16.2.3.1 to the protected LAN 16.2.3.0/24. On the DMZ LAN: public server 16.2.2.3, web server 16.2.2.4, mail server 16.2.2.5 and the admin server (log host, syslog server) 16.2.2.6. On the protected LAN: FTP/web server 16.2.3.2 and a user host 16.2.3.3.]

• Syslog server: A host that accepts and processes log messages from one or more syslog clients
• Syslog client: A host that generates log messages and forwards them to a syslog server

Syslog is a de facto standard for logging system events. As shown in the figure, syslog
implementations contain two types of systems:
Syslog servers: These systems are also known as log hosts. They accept and
process log messages from syslog clients.
Syslog clients: Syslog clients are routers or other types of Cisco equipment that generate
and forward log messages to syslog servers.

Note Performing forensics on router logs can become very difficult if your router clocks are not
running the proper time. It is recommended that you use an NTP facility to ensure that all of
your routers are operating at the correct time.

Cisco Log Severity Levels

Level Name Description
0 Emergencies Router unusable
1 Alerts Immediate action required
2 Critical Condition critical
3 Errors Error condition
4 Warnings Warning condition
5 Notifications Normal but important event
6 Informational Informational message
7 Debugging Debug message


Cisco router log messages fall into one of eight levels as shown in the figure. The lower the
level number, the higher the severity level:

Syslog Level   Definition                                                Example

LOG_EMERG      A panic condition normally broadcast to all users         Cisco IOS software could not load
LOG_ALERT      A condition that should be corrected immediately,         Temperature too high
               such as a corrupted system database
LOG_CRIT       Critical conditions, for example, hard device errors      Unable to allocate memory
LOG_ERR        Errors                                                    Invalid memory size
LOG_WARNING    Warning messages                                          Crypto operation failed
LOG_NOTICE     Conditions that are not error conditions, but that        Interface changed state, up or down
               should possibly be handled specially
LOG_INFO       Informational messages                                    Packet denied by access list
LOG_DEBUG      Messages that contain information normally of use         Packet type invalid
               only when debugging a program

Note When entering logging levels in commands in Cisco IOS Software Releases 11.3 and earlier,
you must specify the level name. Cisco IOS Software Releases 12.0 and later accept either the
level number or the level name.



Log Message Format

Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (16.2.2.6)

In this message, "Oct 29 10:00:01 EST" is the time stamp; "%SYS-5-CONFIG_I" is the log message
name, in which the digit 5 is the severity level; and "Configured from console by vty0
(16.2.2.6)" is the message text.

Cisco router log messages contain the following three main parts:
Time stamp
Log message name and severity level
Message text

Note The log message name is not the same thing as a severity level name.
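The following parser, added here as an example and not part of the Cisco course material, shows
how a log host can split Cisco IOS messages into the three parts described above and apply the
same severity filter that logging trap applies on the router. The sample lines are constructed
for this example (the first one is the message from the figure; the others use real IOS message
names but invented addresses and values), and a leading asterisk on the time stamp is treated as
the IOS marker for a clock that is not synchronized.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco severity levels; the lower the number, the more severe the event.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The three parts of a Cisco IOS log message: time stamp, %FACILITY-SEVERITY-MNEMONIC
# name, and message text. Optional leading pieces seen on a log host: a syslog <PRI>,
# a sequence number, and a '*' before the time stamp when the clock is not authoritative.
_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


@dataclass
class CiscoLogMessage:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str
    clock_authoritative: bool

    @property
    def name(self) -> str:
        return f"%{self.facility}-{self.severity}-{self.mnemonic}"

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[CiscoLogMessage]:
    """Return the parsed message, or None when the line is not a Cisco IOS log message."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    ts = m.group("ts")
    return CiscoLogMessage(
        timestamp=ts.lstrip("*") if ts else None,
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
        clock_authoritative=not (ts or "").startswith("*"),
    )


def trap_filter(messages: List[CiscoLogMessage], trap_level: int = 6) -> List[CiscoLogMessage]:
    """Mirror 'logging trap <level>': keep only messages at or below the level number."""
    return [m for m in messages if m.severity <= trap_level]


# Constructed sample input (not a real capture); the first line is the message from the figure.
SAMPLE_LINES = [
    "Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (16.2.2.6)",
    "Oct 29 10:00:07 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 16.1.10.5(4321) -> 16.2.2.6(514), 1 packet",
    "Oct 29 10:00:09 EST: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down",
    "Oct 29 10:00:12 EST: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x601D3A0C, pool Processor",
    "Oct 29 10:00:15 EST: %SYS-7-USERLOG_DEBUG: Message from tty66(user id: admin): debug test",
    "*Mar  1 00:00:03.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
]


def demo(trap_level: int = 6) -> Tuple[List[Optional[CiscoLogMessage]], List[CiscoLogMessage]]:
    """Parse the samples and apply the trap-level filter; returns (all parsed, forwarded)."""
    parsed = [parse_message(line) for line in SAMPLE_LINES]
    forwarded = trap_filter([m for m in parsed if m is not None], trap_level)
    return parsed, forwarded


if __name__ == "__main__":
    parsed, forwarded = demo(trap_level=6)
    for m in forwarded:
        flag = "" if m.clock_authoritative else "  [clock not synchronized]"
        print(f"{m.severity} {m.severity_name:<14} {m.name:<24} {m.text}{flag}")
```

With the default level of 6 the debugging message is dropped, as it would be on a router with
logging trap informational; the last sample shows why the NTP note above matters: its time stamp
carries the asterisk IOS prints when the clock is not authoritative, so that entry cannot be
correlated with the others.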

Configuring Syslog Logging
This topic describes how to configure syslog on Cisco routers using syslog router commands.

Configuring Syslog

Router(config)# logging [host-name | ip-address]
  Step 1: Sets the destination (log) hosts

Router(config)# logging trap level
  Step 2: Sets the log severity (trap) level

Router(config)# logging facility facility-type
  Step 3: Sets the syslog facility


Complete the following five steps to implement syslog on your Cisco routers:

Step 1 Configure log host(s): You must configure the router to send log messages to one or more
syslog servers (also known as log hosts). There is no maximum number of log hosts supported
by Cisco routers, but usually only one or two are needed. Log hosts are identified by their host
name or IP address.

Use the logging command in global configuration mode to set the destination (log) hosts as
shown in the figure.

The syntax for the logging command is as follows:

logging [host-name | ip-address]

Command Element Description

host-name The name of the host to be used as a syslog server

ip-address The IP address of the host to be used as a syslog server

Step 2 (Optional) Set the log severity (trap) level: This limits the messages sent to syslog servers
to those at the specified level or more severe (a lower level number). The default is severity level
6 (informational), which forwards everything except debugging messages.

Use the logging trap command in global configuration mode to set the severity (trap) level as
shown in the figure.

The syntax for the logging trap command is as follows:



logging trap level

Command Element Description

level This limits the logging of messages to the syslog servers to a


specified level. You can enter the level number (0 to 7) or level
name.

Step 3 (Optional) Set the syslog facility: This selects the syslog facility under which messages
are sent, which the syslog server uses to sort messages into files. The eight commonly used
syslog facility names for Cisco routers are local0 through local7 (default is facility local7).

Use the logging facility command in global configuration mode to set the syslog facility as
shown in the figure.

The syntax for the logging facility command is as follows:

logging facility facility-type

Command Element Description

facility-type The syslog facility type (local0 to local7)

Configuring Syslog (Cont.)

Router(config)# logging source-interface interface-type interface-number
  Step 4: Sets the source interface

Router(config)# logging on
  Step 5: Enables logging


Step 4 (Optional) Set the source interface: By default, a syslog packet carries the IP address of
the interface through which it leaves the router, so the source address seen by the log host changes
with the routing path. You should specify a fixed source interface (typically a loopback) so that
syslog packets always carry the same source IP address, regardless of the interface where the
packets actually exit the router; the log host and any access lists in front of it can then identify
the router by that one address.

Use the logging source-interface command in global configuration mode to set the source
interface as shown in the figure.

The syntax for the logging source-interface command is as follows:

logging source-interface interface-type interface-number

Command Element Description

interface-type The interface type (for example, Ethernet)

interface-number The interface number (for example, 0/1)

Step 5 Enable logging: Make sure that the router logging process is enabled using the logging on
command in global configuration mode as shown in the figure.

The logging on command has no arguments or keywords.



Syslog Implementation Example

(The figure repeats the network shown earlier: R3 is the syslog client, and the Admin Server at
16.2.2.6 on the DMZ LAN 16.2.2.0/24 is the log host.)

R3(config)# logging 16.2.2.6
R3(config)# logging trap informational
R3(config)# logging source-interface loopback 0
R3(config)# logging on


This figure contains an example of configuring syslog for router R3 using the commands
previously described. Because the source interface is Loopback 0, that interface must exist and
have an IP address, and the log host (and any filter protecting it) must accept syslog traffic from
that address rather than from the DMZ interface address 16.2.2.1.

SNMP Version 3
This topic describes the security features of SNMPv3.

SNMPv1 and v2 Architecture (figure)

The SNMP network management station (NMS) asks agents embedded in network devices for
information (gets) or tells the agents to do something (sets). The figure shows one NMS
exchanging gets and sets with the SNMP agents on three managed nodes.

SNMP: Security is Not My Problem



SNMP was developed to manage nodes (servers, workstations, routers, switches, hubs and
security appliances) on an IP network. All versions of SNMP are application layer protocols
that facilitate the exchange of management information between network devices. SNMP is
part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP
enables network administrators to manage network performance, find and solve network
problems, and plan for network growth.

SNMP versions 1 and 2 are based on three concepts: managers, agents, and the management
information base (MIB). In any configuration, at least one manager node runs SNMP
management software. Network devices that need to be managed, such as bridges, routers,
servers, and workstations, are equipped with an agent software module. The agent is
responsible for providing access to a local MIB of objects that reflects the resources and
activity at its node.

The SNMP manager can retrieve (get) information from the agent, or change (set) information
in the agent. Sets can change variables (settings, configuration) in the agent device or initiate
actions in devices. A reply to a set indicates the new setting in the device. For example, a set
can cause a router to reboot or to send or receive a configuration file.

The gets and sets themselves, protected in SNMPv1 and SNMPv2c by nothing more than a
community string carried in cleartext, are what open SNMP to attack: anyone who learns a
read-write string can perform the same sets as the administrator.



Community Strings

Used to authenticate messages between a management station and an SNMP v1/v2c engine:
• Read-only community strings can "get" information, but cannot "set" information in an agent.
• Read-write community strings can get and set information in the agent.
• Having set access is like having the enable password for the device.


SNMPv1 and v2c use a community string to access router SNMP agents. SNMP community
strings act like passwords. An SNMP community string is a text string used to authenticate
messages between a management station and an SNMP engine.
If the manager sends one of the correct read-only (RO) community strings, it can get
information but not set information in an agent.
If the manager uses one of the correct read-write (RW) community strings, it can get or set
information in the agent.

In effect, having set access is equivalent to having the enable password.

SNMP agents accept commands and requests only from SNMP systems using the correct
community string. By default, most SNMP systems use a community string of "public." If you
configure your router SNMP agent to use this commonly known community string, anyone
with an SNMP system is able to read the router MIB. Because router MIB variables can point
to things like routing tables and other security-critical parts of the router configuration, it is
extremely important that you create your own custom SNMP community strings. Note that the
community string travels in cleartext in every SNMPv1 and SNMPv2c packet, so a custom string
protects against guessing but not against an attacker who can capture management traffic; that
is the gap the SNMPv3 authentication and encryption features described later close.
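To make the cleartext point concrete, the following is an added example (not code from the Cisco
course): it builds an SNMPv1 or SNMPv2c GetRequest or SetRequest the way a management station
would, using only the standard BER encoding from RFC 1157/RFC 1905, and then shows what a
passive observer recovers from the captured datagram without any key. The community strings
"public" and "private" and the object values are constructed for the example.

```python
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3      # context-specific PDU tags from RFC 1157/1905
VERSION = {"v1": 0, "v2c": 1}              # SNMP version numbers as carried on the wire


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-length-value wrapper for one BER element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    nbytes = max(1, (value.bit_length() + 8) // 8)   # leave room for the sign bit
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_community_message(version: str, community: str, oid: str,
                           set_value: bytes = None, request_id: int = 1) -> bytes:
    """Build a v1/v2c GetRequest, or a SetRequest (OCTET STRING value) when set_value is given."""
    value = tlv(0x05, b"") if set_value is None else tlv(0x04, set_value)
    varbind_list = tlv(0x30, tlv(0x30, ber_oid(oid) + value))
    pdu_tag = GET_REQUEST if set_value is None else SET_REQUEST
    pdu = tlv(pdu_tag, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + varbind_list)
    # Message = SEQUENCE { version INTEGER, community OCTET STRING, pdu }
    return tlv(0x30, ber_integer(VERSION[version]) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(packet: bytes) -> dict:
    """What a passive observer recovers from one captured SNMPv1/v2c datagram."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {
        "version": {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big", signed=True), "other"),
        "community": community.decode(errors="replace"),
        "pdu": {GET_REQUEST: "GetRequest", SET_REQUEST: "SetRequest"}.get(pdu_tag, hex(pdu_tag)),
    }


if __name__ == "__main__":
    get = snmp_community_message("v1", "public", "1.3.6.1.2.1.1.1.0")           # sysDescr.0
    put = snmp_community_message("v2c", "private", "1.3.6.1.2.1.1.5.0", b"R3")  # sysName.0
    for pkt in (get, put):
        print(pkt.hex(), "->", sniff_community(pkt))
```

Both datagrams contain the community string as plain ASCII, and the SetRequest shows the
write string as well as the value being written; there is no per-message authenticator for the
agent to check beyond the string match, which is why read-write access is described above as
equivalent to the enable password.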

SNMP Security Models and Levels
Definitions:
• Security model: a security strategy used by the SNMP agent
• Security level: the permitted level of security within a security model

Model   Level          Authentication     What Happens
v1      noAuthNoPriv   Community string   Authenticates with a community string match
v2c     noAuthNoPriv   Community string   Authenticates with a community string match
v3      noAuthNoPriv   Username           Authenticates with a user name
v3      authNoPriv     MD5 or SHA         Provides HMAC-MD5 or HMAC-SHA algorithms for authentication
v3      authPriv       MD5 or SHA         Provides HMAC-MD5 or HMAC-SHA algorithms for authentication,
                                          and DES 56-bit encryption in addition to authentication,
                                          based on the CBC-DES (DES-56) standard

A combination of a security model and a security level will determine which security
mechanism is employed when handling an SNMP packet:
A security model is an authentication strategy that is set up for a user and the group in
which the user resides. Currently, Cisco IOS software supports three security models:
SNMPv1, SNMPv2c, and SNMPv3.
A security level is the permitted level of security within a security model. The security
level is a type of security algorithm performed on each SNMP packet. The three levels are:
noauth, auth, and priv. The noauth level authenticates a packet by a string match of the user
name. The auth level authenticates a packet by using either the Hashed Message
Authentication Codes with MD5 (RFC 2104) (HMAC MD5) or SHA algorithms. The priv
level authenticates a packet by using either the HMAC MD5 or SHA algorithms and
encrypts the packet using the Cipher Block Chaining- Data Encryption Standard(CBC-
DES) (DES-56) algorithm.

SNMP Version 3 (SNMPv3) adds security and remote configuration capabilities to the previous
versions. Within the SNMPv3 security model there are three security level options. The "SNMP
Security Models and Levels" table identifies what each combination of security model and
security level means.



SNMP Security Models and Levels Table

Model   Level          Authentication     Encryption   What Happens
v1      noAuthNoPriv   Community string   No           Uses a community string match for authentication
v2c     noAuthNoPriv   Community string   No           Uses a community string match for authentication
v3      noAuthNoPriv   Username           No           Uses a username match for authentication
v3      authNoPriv     MD5 or SHA         No           Provides authentication based on the HMAC-MD5 or
                                                       HMAC-SHA algorithms
v3      authPriv       MD5 or SHA         DES          Provides authentication based on the HMAC-MD5 or
                                                       HMAC-SHA algorithms, and DES 56-bit encryption in
                                                       addition to authentication, based on the CBC-DES
                                                       (DES-56) standard

SNMPv3 Architecture (figure)

The figure shows an NMS exchanging SNMPv3 messages with several managed nodes and makes
three points:
• Transmissions from manager to agent may be authenticated to guarantee the identity of the
  sender and the integrity and timeliness of the message.
• SNMPv3 messages may be encrypted (DES) to ensure privacy.
• The agent may enforce access control to restrict each principal to certain actions on certain
  portions of its data.

SNMPv3, the current version, addresses the vulnerabilities of earlier versions by including
three important services: authentication, privacy, and access control.

SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3
provides secure access to devices by a combination of authenticating and encrypting packets
over the network. The security features provided in SNMPv3 are:
Message integrity: Ensuring that a packet has not been tampered with in transit
Authentication: Determining that the message is from a valid source
Encryption: Scrambling the contents of a packet to prevent it from being seen by an
unauthorized source



SNMPv3 Operational Model (figure)

The figure shows a network management station (NMS) and several managed nodes, each drawn
as a single SNMP entity. The NMS entity contains SNMP applications and an SNMP manager; each
managed node entity contains an SNMP agent and a MIB.

The concepts of separate SNMP Agents and SNMP Managers do not apply in SNMPv3. These
concepts have been combined into single SNMP entities. An SNMP entity consists of an SNMP
engine and SNMP applications. SNMP applications refer to internal applications within an
SNMP entity. These internal applications can generate SNMP messages, respond to received
SNMP messages, generate notifications, receive notifications, and forward messages between
SNMP entities.

Each managed node and the network management station (NMS) is a single entity. The
applications in each entity are as follows:
Managed Node SNMP Entities: The managed node SNMP entity includes an SNMP
agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed
node to provide information to the NMS and accept instructions from it. The MIB defines
the information that can be collected and used to control the managed node. Information
exchanged using SNMP takes the form of objects from the MIB.
Network Management Station SNMP Entities: The SNMP entity on a network
management station includes an SNMP manager and SNMP applications. The manager
implements the SNMP protocol and collects information from managed nodes and sends
instructions to them. The SNMP applications are software applications used by the network
administrator to manage the network.

SNMPv3 Features and Benefits
Features:
• Message integrity: Ensures that a packet has not been tampered
with in-transit
• Authentication: Determines that the message is from a valid
source
• Encryption: Scrambles the contents of a packet to prevent it
from being seen by an unauthorized source

Benefits:
• Data can be collected securely from SNMP devices without fear
of the data being tampered with or corrupted.
• Confidential information, for example, SNMP Set command
packets that change a router configuration, can be encrypted to
prevent its contents from being exposed on the network.


The figure summarizes the features and benefits of SNMPv3. It is strongly recommended that
all network management use SNMPv3 over previous versions.



Configuring an SNMP Managed Node
This topic explains how to configure SNMPv3 on a Cisco IOS router or switch.

SNMPv3 Configuration Task List

Cisco IOS SNMPv3 server configuration tasks include:
• Configuring the SNMP-server engineID
• Configuring the SNMP-server group names
• Configuring the SNMP-server users
• Configuring the SNMP-server hosts


The figure lists the four configuration tasks that will be explained in this topic.

Configuring the SNMP-Server EngineID

Router(config)# snmp-server engineID [local engineid-string] | [remote ip-address udp-port port-number engineid-string]

• Configures names for both the local and remote SNMP engine (or copy of SNMP) on the router

PR1(config)# snmp-server engineID local 1234


To configure a name for either the local or remote SNMP engine on the router, use the snmp-
server engineID global configuration command. Use the no form of this command to remove the
configured engine ID.

The example configures an engine ID of 123400000000000000000000. Note that you do not
have to specify the entire 24-character engine ID if it contains trailing zeros. Specify only the
portion of the engine ID up to the point where only zeros remain in the value. Because SNMPv3
user keys are derived from the user password and the engine ID together, changing the local
engine ID after users have been configured invalidates their keys, and an inform can only be
authenticated by a manager whose engine ID has been configured as a remote engine ID.

The syntax for the snmp-server engineID command is as follows:

snmp-server engineID [local engineid-string] | [remote ip-address udp-port port-number engineid-string]

Parameter Purpose

local (Optional) Specifies the local copy of SNMP on the router

engineid-string (Optional) The name of a copy of SNMP

remote (Optional) Specifies the remote copy of SNMP on the router

ip-address (Optional) The IP address of the device that contains the remote copy of
SNMP

udp-port (Optional) Specifies a UDP port of the host to use

port (Optional) This is the socket number on the remote device that contains
the remote copy of SNMP. The default is 161.
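The role of the engine ID in the authNoPriv and authPriv levels described in the previous topic is
easiest to see by running the key derivation itself. The following is an added example (not code
from the Cisco course or from Cisco IOS): it implements the RFC 3414 user-based security model
password-to-key and key-localization steps, the 24-character zero padding that IOS applies to the
engineid-string argument, and the HMAC-MD5-96/HMAC-SHA-96 authentication of a message. The
message framing is a constructed stand-in for the BER-encoded SNMPv3 header, with the 12-octet
msgAuthenticationParameters field at a known offset; the user name and password are the ones
used in the configuration examples that follow.

```python
import hashlib
import hmac
from typing import Tuple

AUTH_PARAM_LEN = 12   # HMAC-MD5-96 and HMAC-SHA-96 both truncate the MAC to 96 bits
STRETCH_LEN = 1048576  # RFC 3414 A.2: the password is repeated to 1 MiB before hashing


def engine_id_from_cli(engineid_string: str) -> bytes:
    """Expand the value given to 'snmp-server engineID' the way IOS does: right-pad
    the hex string with zeros to 24 hex characters (12 octets)."""
    if len(engineid_string) > 24:
        raise ValueError("engine ID string longer than 24 hex characters")
    return bytes.fromhex(engineid_string.ljust(24, "0"))


def password_to_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: Ku = H(password repeated to 1 MiB);
    localized key Kul = H(Ku || engineID || Ku). 'algo' is 'md5' or 'sha1'."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (STRETCH_LEN // len(password) + 1))[:STRETCH_LEN]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def sign_message(key: bytes, message: bytes, offset: int, algo: str) -> bytes:
    """Sender side of USM authentication: with msgAuthenticationParameters (12 octets
    at 'offset') zero-filled, HMAC the whole message and store the first 12 octets there."""
    if message[offset:offset + AUTH_PARAM_LEN] != bytes(AUTH_PARAM_LEN):
        raise ValueError("authentication parameters must be zero-filled before signing")
    mac = hmac.new(key, message, algo).digest()[:AUTH_PARAM_LEN]
    return message[:offset] + mac + message[offset + AUTH_PARAM_LEN:]


def verify_message(key: bytes, message: bytes, offset: int, algo: str) -> bool:
    """Receiver side: zero the field again, recompute, and compare in constant time."""
    zeroed = message[:offset] + bytes(AUTH_PARAM_LEN) + message[offset + AUTH_PARAM_LEN:]
    expected = hmac.new(key, zeroed, algo).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(expected, message[offset:offset + AUTH_PARAM_LEN])


def build_demo_message(username: bytes, body: bytes) -> Tuple[bytes, int]:
    """Constructed stand-in for an SNMPv3 message: header, zeroed auth field, body.
    A real message is BER-encoded; only the zero-fill-then-HMAC step is modelled here."""
    header = b"v3hdr:" + username + b":"
    return header + bytes(AUTH_PARAM_LEN) + body, len(header)


def demo() -> dict:
    """Localize Bill's key to engine 1234, sign a message, then try to verify it
    unmodified, tampered, and with a key localized to a different engine."""
    engine = engine_id_from_cli("1234")
    key = password_to_key(b"bill3passwd", engine, "md5")
    msg, off = build_demo_message(b"Bill", b"get sysName.0")
    signed = sign_message(key, msg, off, "md5")
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    other_engine_key = password_to_key(b"bill3passwd", engine_id_from_cli("5678"), "md5")
    return {
        "engine_id": engine.hex(),
        "localized_key": key.hex(),
        "verifies": verify_message(key, signed, off, "md5"),
        "tampered_verifies": verify_message(key, tampered, off, "md5"),
        "other_engine_verifies": verify_message(other_engine_key, signed, off, "md5"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same password yields a different localized key on every engine, which is why a manager that
has not been told the router's engine ID cannot authenticate its traps, and why the remote
engine ID must be configured before a v3 inform can be sent. The MD5 and SHA key-localization
test vectors from RFC 3414 appendix A.3 (password "maplesyrup", engine ID
000000000000000000000002) can be used to check an implementation of password_to_key.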



Configuring the SNMP-Server Group Names

Router(config)# snmp-server group [groupname {v1 | v2c | v3 {auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access access-list]

• Configures a new SNMP group, or a table that maps SNMP users to SNMP views

PR1(config)# snmp-server group johngroup v3 auth
PR1(config)# snmp-server group billgroup v3 priv


To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the
snmp-server group global configuration command. To remove a specified SNMP group, use
the no form of this command.

The first example defines a group "johngroup" using the SNMPv3 User-based Security Model
(USM) with authentication but not privacy (encryption).

The second example defines a group "billgroup" using USM with authentication and privacy
(encryption). The group takes exactly one of the keywords auth, noauth, or priv; priv implies
authentication, so the privacy group is specified as v3 priv.

The syntax for the snmp-server group command is as follows:

snmp-server group [groupname {v1 | v2c | v3 {auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access access-list]
Parameter Purpose

groupname The name of the group

v1 (Optional) The least secure of the possible security models

v2c (Optional) The second least secure of the possible security models. It allows for the
transmission of informs and counter 64, which allows for integers twice the width of what
is normally allowed.

v3 (Optional) The most secure of the possible security models

auth (Optional) Specifies authentication of a packet without encrypting it

noauth (Optional) Specifies no authentication of a packet

priv (Optional) Specifies authentication of a packet and then scrambles it

read (Optional) The option that allows you to specify a read view

readview (Optional) A string (not to exceed 64 characters) that is the name of the view that
enables you only to view the contents of the agent

Parameter Purpose

write (Optional) The option that allows you to specify a write view

writeview (Optional) A string (not to exceed 64 characters) that is the name of the view that
enables you to enter data and configure the contents of the agent

notify (Optional) The option that allows you to specify a notify view

notifyview (Optional) A string (not to exceed 64 characters) that is the name of the view that
enables you to specify a notify, inform, or trap

access (Optional) The option that enables you to specify an access list

access-list (Optional) A string (not to exceed 64 characters) that is the name of the access list



Configuring the SNMP-Server Users
Router(config)# snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]

• Configures a new user to an SNMP group

PR1(config)# snmp-server user John johngroup v3 auth md5 john2passwd
PR1(config)# snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2
PR1(config)# snmp-server group johngroup v3 auth
PR1(config)# snmp-server group billgroup v3 priv


To configure a new user to an SNMP group, use the snmp-server user global configuration
command. To remove a user from an SNMP group, use the no form of the command.

The example shows how to define a user "John", belonging to the group "johngroup".
Authentication uses the password "john2passwd" and no privacy (no encryption) is applied.
Then, a user "Bill", belonging to the group "billgroup", is defined using the authentication
password "bill3passwd" and privacy (DES encryption) with the privacy password "password2".
Each user's level must match the level of the group to which the user belongs.

The syntax for the snmp-server user command is as follows:

snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]

Parameter Purpose

username The name of the user on the host that connects to the agent

groupname (Optional) The name of the group to which the user is associated

remote (Optional) Specifies the remote copy of SNMP on the router

ip-address (Optional) The IP address of the device that contains the remote copy of SNMP

udp-port (Optional) Specifies a UDP port of the host to use

port (Optional) This is a UDP port number that the host uses. The default is 162.

v1 (Optional) The least secure of the possible security models

v2c (Optional) This is the second least secure of the possible security models. It allows for the
transmission of informs and counter 64, which allows for integers twice the width of what
is normally allowed.

v3 (Optional) The most secure of the possible security models

Parameter Purpose

encrypted (Optional) Specifies whether the password appears in encrypted format (a series of digits,
masking the true characters of the string)

auth (Optional) Initiates an authentication level setting session

md5 (Optional) The HMAC-MD5-96 authentication level

sha (Optional) The HMAC-SHA-96 authentication level

auth-password (Optional) A string (not to exceed 64 characters) that enables the agent to receive
packets from the host

priv (Optional) The option that initiates a privacy authentication level setting session

des56 (Optional) The CBC-DES privacy authentication algorithm

priv-password (Optional) A string (not to exceed 64 characters) that enables the host to encrypt the
contents of the message that it sends to the agent

access (Optional) The option that enables you to specify an access list

access-list (Optional) A string (not to exceed 64 characters) that is the name of the access list

There are several more snmp-server commands available to you that are described in the Cisco
IOS Software Command Reference at Cisco.com.



Configuring the SNMP-Server Hosts
Router(config)# snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

• Configures the recipient of an SNMP trap operation.

PR1(config)# snmp-server engineID remote 10.1.1.1 1234
PR1(config)# snmp-server user bill billgroup remote 10.1.1.1 v3
PR1(config)# snmp-server group billgroup v3 noauth
PR1(config)# snmp-server enable traps
PR1(config)# snmp-server host 10.1.1.1 informs version 3 noauth bill
PR1(config)# snmp-server manager


To configure the recipient of an SNMP trap operation, use the snmp-server host global
configuration command. To remove the specified host, use the no form of this command.

To be able to send an "inform," you need to perform the following steps:

Step 1 Configure a remote engine ID.

Step 2 Configure a remote user.

Step 3 Configure a group on a remote device.

Step 4 Enable traps on the remote device.

Step 5 Enable the SNMP manager.

The example shows the configuration needed to send informs to the manager at 10.1.1.1 as the
user bill. For SNMPv3 the community-string argument carries the user name rather than a
community string. The example uses the noauth level, so the informs carry no HMAC and are not
encrypted; to obtain the protection described earlier, define the user, the group, and the host
at the auth or priv level.

The syntax for the snmp-server host command is as follows:

snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
Parameter Purpose

host The address of the recipient for which the traps are targeted

traps (Optional) Specifies the type of notification being sent should be a trap

informs (Optional) Specifies the type of notification being sent should be an inform

version (Optional) Specifies the security model to use

1 (Optional) The least secure of the possible security models

2c (Optional) This is the second least secure of the possible security models. It allows for the
transmission of informs and counter 64, which allows for integers twice the width of what
is normally allowed.

3 (Optional) The most secure of the possible security models

auth (Optional) Specifies authentication of a packet without encrypting it

noauth (Optional) Specifies no authentication of a packet

priv (Optional) Specifies authentication of a packet and then scrambles it

community-string This is a string that is used as the name of the community and it acts as a password by
controlling access to the SNMP community. This string can be set using the snmp-server
host command, but it is recommended that you set the string using the snmp-server
community command before using the snmp-server host command.

udp-port (Optional) Specifies a UDP port of the host to use

port (Optional) This is a UDP port number that the host uses. The default is 162.

notification-type (Optional) This is the type of trap to be sent to the host. If no type is specified, all traps are
sent. For a full list refer to the SNMPv3 Configuration Guide. Some of the types of traps
are as follows:
bgp: Sends Border Gateway Protocol (BGP) state change traps.

config: Sends configuration traps.

hsrp: Sends Hot Standby Router Protocol (HSRP) notifications.

sdlc: Sends Synchronous Data Link Control (SDLC) traps.

snmp: Sends Simple Network Management Protocol (SNMP) traps defined in RFC
1157.

syslog: Sends error message traps (Cisco Syslog MIB). Specify the level of
messages to be sent with the logging history level command.

tty: Sends Cisco enterprise-specific traps when a Transmission Control Protocol


(TCP) connection closes.

x25: Sends X.25 event traps.



Summary
This topic summarizes the key points discussed in this lesson.

Summary

• There are a number of factors that must be considered before configuring logging on
  Cisco routers.
• Since out-of-band management architectures provide higher
levels of security and performance than in-band architectures, the
decision to use an in-band solution must be considered carefully.
• Management communications should use SSH rather than Telnet.
• Implementing a router logging facility is an important part of any
network security policy.
• Syslog is implemented on your Cisco router using syslog router
commands
• Network management will be greatly enhanced by implementing
the security features of SNMPv3 rather than earlier versions.
• Cisco IOS SNMPv3 server configuration tasks include: configuring
SNMP-server engine ID, group names, users and hosts.

Lesson Self Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) What are some of the considerations when planning how to implement logging on a
network? (Source: Secure Management and Reporting Planning Considerations)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q2) Besides being able to securely manage devices on a network, what other security
concern should a network administrator have with respect to attacks or network failure?
(Source: Secure Management and Reporting Planning Considerations)

______________________________________________________________________

Q3) Label the following descriptions as either out-of-band or in-band. (Source: Secure
Management and Reporting Planning Considerations)
A) Information flows across the enterprise production network or the Internet (or
both). __________
B) Information flows within a network on which no production traffic resides.
__________
C) This type of management is recommended for devices in large enterprise
networks. __________
D) This type of management is recommended for devices in smaller networks
Q4) Label the following guidelines as applicable to in-band management or as applicable to
out-of-band management or as applicable to both? (Source: Secure Management and
Reporting Architecture)
A) IBM use IPSec when possible. __________
B) OOB provides highest level of security and mitigates the risk of passing
insecure management protocols over the production network management.
__________
C) Both keep clocks on hosts and network devices synchronized. __________
D) IBM use SSH or SSL instead of Telnet. __________
E) Both record changes and archive configurations. __________
Q5) What two types of systems are parts of a syslog implementation? (Source: Using
Syslog Logging for Network Security)



Q6) Indicate the severity number (0 to 7) after the corresponding name and description
listed below. (Source: Using Syslog Logging for Network Security)
A) Emergencies (router unusable) _____
B) Informational (informational message) _____
C) Errors (error condition) _____
D) Warnings (warning condition) _____
E) Alerts (immediate action required) _____
F) Notifications (normal but important event) _____
G) Debugging (debug message) _____
H) Critical (condition critical) _____

Lesson Self-Check Answer Key
Q1) The following questions should be considered when planning to implement logging on a network:
Which logs are most important?

How do you separate important messages from mere notifications?

How do you ensure that logs are not tampered with in transit?

How do you ensure your time stamps match each other when multiple devices report the same
alarm?

What information is needed if log data is required for a criminal investigation?

How do you deal with the volume of messages that can be generated by a large network?

Q2) Besides figuring out how to securely manage many devices in many locations, a network administrator
must also be able to track changes on devices to troubleshoot when attacks or network failures occur.

Q3) A- in-band, B- out-of-band, C- out-of-band, D- in-band

Q4) A- in-band management, B- out-of-band management, C- both in-band management and out-of-band
management, D- in-band management, E- both in-band and out-of-band management

Q5) Syslog servers and syslog clients

Q6) A-0, B-6, C-3, D-4, E-1, F-5, G-7, H-2

Lesson 8

Securing Catalyst Switches


Overview
Anyone who connects to a public network must know about hackers and their methods. Failing
to understand what they do can leave you and your network exposed. Thieves and opportunists
usually go after an easy target rather than a difficult (or well-prepared) one, but some
hackers specifically go after very difficult targets, such as government offices or networking
companies, solely for the prestige of doing so.
This lesson describes the steps needed to provide basic security to Cisco Catalyst switches in
the network. This description, together with a discussion of network vulnerabilities at Layer 2,
prepares you for the mitigation strategies presented in subsequent lessons.

Objectives
Upon completing this lesson, you will be able to explain how Layer 2 attacks can be mitigated.
This ability includes being able to meet these objectives:
Explain how basic switch operation opens networks to attack at Layer 2
Describe the basic steps in securing network access at Layer 2
Describe how to configure passwords to protect administrative access to switches
Describe how to protect the access to the management port on a switch
Explain why unused network interfaces and services should be disabled
Describe how an attacker can flood a switch
Describe how an attacker launches a MAC spoofing attack
Describe port security as a key step in defending networks from Layer 2 attacks
Describe how to configure port security on a Cisco Catalyst switch
Basic Switch Operation
This topic explains how basic switch operation opens networks to attack at Layer 2.

Why Worry about Layer 2 Security?

• OSI was built to allow different layers to work without knowledge of each other.

[Figure: two OSI stacks, Host A and Host B, joined layer by layer. Application: application
stream. Transport: protocols/ports. Network: IP addresses. Data Link: MAC addresses.
Physical: physical links.]

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—2-4

Unlike hubs, switches regulate the flow of data between their ports by creating "instant"
networks that contain only the two end devices communicating with each other at that
moment. When end systems send data frames, the source and destination MAC addresses are
not changed anywhere in the switched domain. Switches maintain content-addressable memory
(CAM) lookup tables that record which source addresses have been seen on which switch
ports. These tables are populated by the address-learning process on the switch. If the
destination address of a frame is not in the table, or if the frame is destined for a broadcast
or multicast address, the switch floods the frame out every port in the same VLAN except the
port on which it arrived. With their ability to isolate traffic and create instant networks,
switches can divide a physical network into multiple logical or virtual LANs (VLANs) through
Layer 2 traffic segmentation.

The Domino Effect
• If one layer is hacked, communications are compromised without the other
layers being aware of the problem.
• Security is only as strong as your weakest link.
• When it comes to networking, Layer 2 can be a very weak link.

[Figure: the same two OSI stacks; the data link layer of Host A is marked "Initial
Compromise", showing that a compromise at Layer 2 propagates to every layer above it.]

What is significant about Layer 2? As the data link layer in the OSI Model, it is one of seven
layers designed to work together but with autonomy. Layer 2 sits above the physical layer, but
below the network and transport layers. Layer 2 independence enables interoperability and
interconnectivity. However, from a security perspective, Layer 2 independence creates a
challenge because a compromise at one layer is not always known by the other layers. If the
initial attack comes in at Layer 2, the rest of the network can be compromised in an instant.
Network security is only as strong as your weakest link—and that may well be the data link
layer.



Securing Network Access at Layer 2
This topic describes the basic steps in securing network access at Layer 2.

Securing Network Access at Layer 2

Follow these steps:


• Protect administrative access to the switch.
• Protect the switch management port.
• Turn off unused network services.
• Lock down the ports.
• Use Cisco Catalyst switch security features.


The first step in defending against Layer 2 attacks is to configure every switch in the
network with basic security in mind. This lesson presents the first four of these steps.

Protecting Administrative Access to Switches
This topic describes how to configure passwords to protect administrative access to switches.

Protecting Administrative Access

Two access levels:


• User level—accessed via Telnet or SSH
connections to a switch or via the console line on
the switch
• Privileged level—accessed after user level is
established
Main vulnerability arises from poor password
security.


By default, Cisco IOS switches have two levels of access: User (level 1) and Privileged (level
15). The User level is typically reached through a Telnet or SSH connection to the switch or
through the console line; the Privileged level is reached with the enable command after a
User-level session is established.
Each level is usually protected by a password. Specific vulnerabilities associated with these
passwords include the following:
By default, a Cisco switch stores the following passwords in plaintext in the configuration
file: the enable password, username passwords, and the console and virtual terminal line
passwords. If an attacker captures the configuration file as it is transferred across the
network (for example, by TFTP) using a network analyzer, these passwords can then be used
to access the switch.
If the enable secret command is not used to set the enable password, or if the password is
weak, an attacker may be able to obtain privileged-level access and retrieve or change
information on the switch. Setting the same enable secret password on multiple switches also
creates a single point of failure, because one compromised switch endangers the others.
Using the same password for the enable secret and for other settings on the switch allows
compromise by another route: the password for certain settings (for example, Telnet) may
cross the network in plaintext and be captured with a network analyzer. An attacker who
captures a Telnet login to the switch can then use the same password to gain privileged-level
access later.



Password Encryption

Switch(config)# enable password

• Sets a local password to control access to various privilege levels

Switch(config)# enable secret [level level] {password | [encryption-type] encrypted-password}

• Specifies an additional layer of security over the enable password command

Using strong passwords is one of the first steps in defending switch configurations.
Unfortunately, the enable password and line passwords in Cisco IOS configuration files are, at
best, obscured with the reversible type 7 scheme (service password-encryption), which is
trivially decoded and gives no real protection once the configuration is exposed. For that
reason, the enable password command should no longer be used.
Use the enable secret command instead; it stores a one-way hash of the password (type 5,
MD5, on the IOS releases covered here; later releases also offer type 8 and type 9 hashes
through enable algorithm-type). The only instance in which the enable password is consulted
is when the device is running in a boot mode that does not support the enable secret
command.
Configure an enable secret password on each Cisco switch, and for the same reason prefer
username name secret over username name password for local accounts.

Password Guidelines

Passwords:
• Should be at least eight characters long.
• Do not use real words.
• Mix letters, numbers and special characters.
• Do not use a number for the first character of the password.
Administrators should:
• Change passwords every 90 days.
• Make sure the enable secret password is unique for each
switch.
• Do not use enable secret passwords for anything else on the
switch.


Use the following guidelines when creating passwords:

Passwords should be at least eight characters long and not based on dictionary words.
Include at least one character from each of these sets: letters, numbers and special
characters. The special characters are: ,./<>;':"[]\{}|~!@#$%^&*()_+`-=
Do not use a number as the first character of the password.
Administrators should ensure that the following practices are implemented:
Change passwords at least once every 90 days.
Use a unique enable secret password on each switch.
Use a different password for the enable secret than for the passwords used for other
settings (for example, Telnet) on the same switch.



Protecting Access to the Management Port
This topic describes how to protect access to the management port on a switch.

Protecting the Management Port

• Assign a unique account for each


administrator.
• Use a strong and unique password on every
switch.
• Set a timeout.
• Use a banner.
• Use out-of-band management.


Every switch has a management port, the console line (line con 0), that provides direct
administrative access to the switch. If the settings on this port are too permissive, the switch
is susceptible to attack. The management port is a source of vulnerability in the following
ways:
A management port that relies on a default user account allows an attacker to attempt
connections with one or more of the well-known default account names (for example,
administrator, root, security). To mitigate this threat, set up a unique account for each
administrator who needs access to the console line. Each account can be assigned a privilege
level from 0 to 15; level 0 is the lowest level on Cisco switches and allows only a very small
set of commands.
Bad passwords pose several vulnerabilities:
— A missing or weak password allows an attacker to guess or crack the password and
then retrieve or change information on the switch.
— Using the same password for the management port on multiple switches creates a
single point of failure: an attacker who compromises one switch can then compromise
the others.
— Using the same password for the management port and for other settings on the
switch allows compromise by another route. The password for certain settings (for
example, Telnet) may cross the network in plaintext and can be captured with a network
analyzer. An attacker who collects a Telnet password from traffic to the switch may then
be able to log in on the management port later.
If connections to the management port have no timeout, or a long timeout (more than 9
minutes), idle sessions stay open longer and are easier for an attacker to hijack. Set an
exec-timeout on the console and virtual terminal lines.

A banner gives notice to anyone who connects to the switch that it is for authorized use only
and that all use of the network is monitored. Courts have dismissed cases against people who
attacked systems that displayed no such banner, so a switch without a banner can lead to legal
or liability problems. The banner should not reveal the device model, software version or
owner, because that information helps an attacker.

In terms of network design, use out-of-band management. This approach keeps management
traffic, and any insecure management protocols, off the production network, which both limits
what an attacker on the production network can see and preserves operational bandwidth.
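The checks in the last three topics (a one-way enable secret instead of enable password, no reversible type 7 passwords, a short exec-timeout, SSH rather than Telnet on the vty lines, and a banner) can be audited mechanically from a saved running configuration. The Python script below is an added example for this page, not Cisco software or the course's own material; the two running-config excerpts are constructed (the enable secret and username secret hashes are placeholders, and the type 7 strings encode the words "cisco" and "admin"). It also implements the published type 7 decoding, which is the reason the guide calls that scheme weak: the "encrypted" line passwords come straight back out as plaintext.

```python
"""Audit a Cisco IOS running-config for the password and management-port
weaknesses this lesson describes.  Added example for this page, not Cisco's code;
the config text is constructed and nothing here talks to a device."""
import re

# Published XOR key behind Cisco's reversible type 7 password encoding.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(blob: str) -> str:
    """Recover a type 7 password: two-digit seed, then hex bytes XORed with the key."""
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


# Any 'password' or 'username X password' line, with an optional type digit (0 or 7).
PASSWORD_LINE = re.compile(r"^(?:username (\S+) )?password(?: (\d))? (\S+)$")
MAX_IDLE_SECONDS = 9 * 60        # the guideline above: idle timeouts over 9 minutes are too long


def audit_config(config: str) -> list[str]:
    """Return one finding per weakness found in the running-config text."""
    findings = []
    section = None               # the 'line con 0' / 'line vty 0 4' block being read
    lines = {}                   # section -> {"idle": seconds or None, "transport": str or None}
    has_banner = False
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):              # unindented: a new global command
            section = text if text.startswith("line ") else None
            if section:
                lines[section] = {"idle": None, "transport": None}
        if text.startswith("enable password"):
            findings.append("global: 'enable password' is reversible; use 'enable secret'")
        if text.startswith("banner "):
            has_banner = True
        m = PASSWORD_LINE.match(text)
        if m:
            owner = f"username {m.group(1)}" if m.group(1) else (section or "global")
            if (m.group(2) or "0") == "7":
                findings.append(f"{owner}: type 7 password decodes to {decode_type7(m.group(3))!r}")
            else:
                findings.append(f"{owner}: plaintext password")
        if section and text.startswith("exec-timeout "):
            parts = text.split()
            minutes, seconds = int(parts[1]), (int(parts[2]) if len(parts) > 2 else 0)
            lines[section]["idle"] = minutes * 60 + seconds      # 0 means never time out
        if section and text.startswith("transport input "):
            lines[section]["transport"] = text.split(None, 2)[2]

    for name, info in lines.items():
        idle = info["idle"]
        if idle is None:
            findings.append(f"{name}: no exec-timeout (the IOS default of 10 minutes is too long)")
        elif idle == 0 or idle > MAX_IDLE_SECONDS:
            findings.append(f"{name}: exec-timeout of {idle} s (0 = never) exceeds 9 minutes")
        transport = info["transport"]
        if name.startswith("line vty") and (transport is None or "telnet" in transport
                                            or transport == "all"):
            findings.append(f"{name}: Telnet accepted; use 'transport input ssh'")
    if not has_banner:
        findings.append("global: no login banner configured")
    return findings


# Constructed running-config excerpt showing the weak settings the lesson warns about.
WEAK_CONFIG = """\
hostname Switch
enable password cisco
username admin password 7 050A02022842
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 exec-timeout 0 0
 password cisco123
 login
 transport input telnet ssh
"""

# The same device after applying this lesson (the secret hashes are placeholders).
HARDENED_CONFIG = """\
hostname Switch
service password-encryption
enable secret 5 $1$placeholder$hash
username admin secret 5 $1$placeholder$hash
banner motd ^CAuthorized use only. All activity is monitored.^C
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against a real device, feed it the output of show running-config; the weak excerpt produces eight findings, including both type 7 strings decoded, while the hardened excerpt produces none. Note that the audit treats a vty block with no transport input line as accepting Telnet, because that is the permissive default.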



Turning Off Unused Network Interfaces and
Services
This topic explains why unused network interfaces and services should be disabled.

Turning Off Unused Network Services

Enabled network services open vulnerabilities because:
• Many connections are unencrypted.
• Default user accounts allow unauthorized entry.
• Weak and shared passwords on services open doors for attackers.
• Extended timeouts allow session hijacking.

"Less is more."

Switches and routers can have a number of network services enabled. Many of these services
are not necessary for normal operation; many are enabled by default, and others are left
enabled after they are no longer needed. Leaving unused network services enabled increases
the chance that they will be exploited, either for information gathering or for an attack on
the network.
The figure lists the basic considerations that make turning off, or restricting access to, these
services such an improvement in network security:
Connections to many of the services on a switch are not encrypted, so an attacker may be
able to capture the traffic for these services with a network analyzer. That traffic may contain
usernames, passwords or other configuration information for the switch.
Just like the management port, any other network service that uses a default user account
allows an attacker to attempt connections with one or more of the well-known default
account names.
A network service with no password, a default password or a weak password is an obvious
vulnerability. Setting the same password for a network service on multiple switches provides a
single point of failure: an attacker who compromises one switch can compromise the others.
Broad access that allows all systems, or a large number of systems, to connect to a network
service on the switch makes the switch vulnerable to attack. Restrict each service to the
management hosts that need it.
As with the management port, every service should have a timeout to reduce the window for
session hijacking.

In terms of network services and switch security, less is more.

Shutting Down Interfaces

Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown

• Shuts down a single interface

Switch(config)# interface range fastethernet 0/2 - 8
Switch(config-if-range)# shutdown

• Shuts down a range of interfaces

The figure shows how to shut down a single unused interface and how to shut down a range of
interfaces at once with the interface range command. An enabled but unused port is an open
door: anyone who can reach the wiring closet or a wall jack can plug in and join the VLAN.
Administratively shut down every port that is not in use, and re-enable a port only when a
known device is connected to it.

Ports that are in use should be locked down with port security, which is covered later in this
lesson. Port security restricts a port to a user-defined group of stations. When you assign
secure addresses to a secure port, the switch does not forward any packets whose source
address is outside the defined group. If you define the address table of a secure port to
contain only one address, the workstation or server attached to that port is guaranteed the
full bandwidth of the port. As part of securing the port, you can also define the size of the
address table for the port.



CAM Table Overflow Attacks
This topic describes how an attacker can flood a switch by launching a CAM table overflow
attack.

CAM "Learns" by Flooding the Network

[Figure: the CAM table holds A on port 1 and C on port 3 but is incomplete. MAC A on port 1
sends a frame A->B; B is unknown, so the switch floods the frame out port 2 (MAC B) and
port 3 (MAC C), and port 3 sees traffic addressed to MAC B.]

The content-addressable memory (CAM) table in a switch maps each MAC address the switch
has seen to the physical port it was learned on, together with the VLAN of that port. When a
Layer 2 switch receives a frame, it looks up the destination MAC address in the CAM table. If
an entry exists, the switch forwards the frame out the port recorded in that entry. If no entry
exists, the switch behaves like a hub for that frame and floods it out every port in the VLAN
except the one on which it arrived.
CAM table overflow attacks are sometimes referred to as MAC flooding attacks. To understand
how a CAM table overflow attack works, recall the basic operation of a switch.
In the figure, Host A sends traffic to Host B. The switch receives the frame, records that MAC
A is on port 1, and looks up the destination MAC address in its CAM table. Because it cannot
find MAC B, it floods the frame out every other port.

CAM Learns MAC B is on Port 2

[Figure: Host B replies with B->A on port 2; the CAM table now holds A on port 1, B on port 2
and C on port 3. Host C drops the earlier flooded frame addressed to B.]

Host B receives the frame and sends a reply to Host A. The switch learns from that reply that
MAC B is on port 2 and writes the entry into the CAM table.
Host C also received the flooded frame from Host A to Host B, but because the destination
MAC address is B rather than C, the network interface of Host C discards it. A host running a
sniffer with its interface in promiscuous mode keeps such frames instead, which is exactly
what the attack described next exploits.



The CAM Table is Updated—Flooding Stops

[Figure: CAM tables are limited in size. With A on port 1, B on port 2 and C on port 3 in the
table, A->B is now forwarded only to port 2; MAC C does not see traffic to MAC B anymore.]

Now any frame sent by Host A (or any other host) to Host B is forwarded only to port 2 of
the switch and is no longer flooded out every port.
The key to understanding CAM overflow attacks is that CAM tables are limited in size. MAC
flooding exploits this limit by bombarding the switch with frames that carry fake source MAC
addresses until the CAM table is full. New addresses, including legitimate ones whose entries
have aged out, can no longer be learned, so the switch enters what is known as "fail-open"
mode: it starts acting as a hub and floods frames for unknown destinations out every port in
the VLAN. The attacker can then see every frame sent from a victim host to any destination
that has no CAM table entry. The exposure is limited to the attacker's own VLAN, because
flooding does not cross VLAN boundaries.

Intruder Launches "macof"

[Figure: the intruder on MAC C (port 3) runs macof, which sends frames with unknown, bogus
source MAC addresses X, Y and so on. The switch learns X on port 3, then Y on port 3, and the
bogus addresses are added to the CAM table alongside A on port 1, B on port 2 and C on
port 3.]

An attacker can use the normal operating characteristics of the switch to turn it, for practical
purposes, back into a hub.
MAC flooding can be performed with macof, a utility that comes with the dsniff suite. dsniff is
a collection of tools for network auditing and penetration testing. A network intruder uses
macof to flood the switch with a large number of frames carrying random, invalid source MAC
addresses until the CAM table fills up. Once the table is full, the switch can no longer learn the
port for any new MAC address, so it floods traffic for those addresses out every port: in
effect, it acts like a hub.
macof can generate on the order of 155,000 MAC entries per minute. Assuming a perfect hash
function, a 128K-entry CAM table (16,384 x 8 = 131,072 entries) is therefore completely
filled in under a minute. The maximum CAM table size varies from switch to switch.
In the example in the figure, macof is running on the host with MAC address C at the bottom
right. The tool floods the switch with packets containing randomly generated source and
destination MAC and IP addresses. Within a short time the CAM table fills up and cannot
accept new entries. Once it is full of these bogus source addresses, the switch floods every
frame for an unlearned destination out every port. The attack is easy to spot: the dynamic
address count reported by show mac address-table count climbs to the table limit within
seconds, and the rate of new source addresses stands out in any traffic capture.



The CAM Table Overflows and Switch Crumbles Under the Pressure

[Figure: the CAM table is full of bogus entries (X on port 3, Y on port 3, and so on). A->B
arrives on port 1; MAC B is unknown, so the switch floods the frame out port 2 and port 3,
and the intruder on port 3 sees it.]

As long as macof is left running, the CAM table on the switch remains full. The switch then
floods frames for every destination it can no longer learn out every port, so frames sent from
Host A to Host B are also sent out port 3, where the attacker is listening.
You will learn how to mitigate this threat later in this lesson.

MAC Address Spoofing Attacks
This topic explains how an attacker can spoof a MAC address to attack a network.

MAC Spoofing Attack

[Figure, four panels. Top left: the switch has learned Host A on port 1, Host B on port 2 and
Host C on port 3. Top right: Host B sends a frame with source MAC A. Bottom left: the CAM
table now lists A and B on port 2, and a frame from Host C with destination MAC A is
delivered to port 2. Bottom right: Host A sends traffic again and the switch relearns A on
port 1, so the frame with destination MAC A goes back to port 1.]

In a MAC spoofing attack, the attacker uses the known MAC address of another host to make
the switch deliver frames destined for that host to the attacker instead. By sending a single
frame with the source Ethernet address of the other host, the attacker overwrites that host's
CAM table entry so that the switch forwards frames destined for the host to the attacker's
port. From then on, the spoofed host receives no traffic until it sends a frame of its own,
which resets the CAM table entry to point back to the original port. To keep the entry
captured, the attacker has to keep transmitting with the spoofed address, so the attack also
produces a stream of MAC moves between ports; Catalyst switches can be configured to log
these (mac address-table notification mac-move), which makes the attack visible in syslog.
The figure shows how MAC spoofing works:
Top left illustration: Under normal operation, the switch has learned that Host A is on port 1,
Host B is on port 2, and Host C is on port 3. The CAM table reflects this.
Top right illustration: Under attack, the attacker causes Host B to send a frame that
identifies itself with the IP address of Host B but the MAC address of Host A.
Bottom left illustration: The switch moves Host A's entry in its CAM table from port 1 to
port 2. Traffic from Host C destined for Host A is now delivered to Host B and is therefore
compromised.
Bottom right illustration: To correct the situation, Host A must send traffic so that the switch
relearns the location of the Host A MAC address. Until that happens, the door is open to the
intruder.

You will learn how to mitigate this threat later in this lesson.



Using Port Security to Prevent Attacks
This topic describes port security as a key step in defending networks from Layer 2 attacks.

Using Port Security to Mitigate Attacks

Port security can:


• block input to a port from unauthorized MAC
addresses
• filter traffic to or from a specific host based on the
host MAC address
Port security mitigates:
• CAM table overflow attacks
• MAC address spoofing attacks


You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port
when the MAC address of the station attempting to access the port is different from any of the
MAC addresses specified for that port. Alternatively, you can use port security to filter traffic
destined to or received from a specific host based on the host MAC address.
By limiting the number of valid MAC addresses allowed on a port, the port security feature is
an effective mitigation against CAM table overflow and MAC address spoofing attacks. The
specifics on how to configure port security to mitigate these attacks is presented later in this
lesson.

Port Security Fundamentals

• This feature restricts input to an interface by


limiting and identifying MAC addresses of end
devices.
• Secure MAC addresses are included in an address
table in one of these ways:
– Use the switchport port-security mac-address mac_address
interface configuration command to configure all secure
MAC addresses.
– allow the port to dynamically configure secure MAC
addresses with the MAC addresses of connected
devices.
– configure some addresses and allow the rest to be
configured dynamically.
• Configure violation rules – restrict or shutdown.

A switch without port security allows an attacker to attach a system to an unused, enabled
port and perform information gathering or attacks. A switch can also be driven into hub-like
behavior (as the CAM table overflow attack above shows), in which case every system
connected to the switch can potentially view all traffic passing through it. An attacker can then
collect traffic that contains usernames, passwords or configuration information about the
systems on the network.
Port security limits the number of valid Media Access Control (MAC) addresses allowed on a
port. All switch ports or interfaces should be secured before the switch is deployed, so that
security features are set or removed deliberately instead of being added or strengthened
piecemeal after a security incident. Note that port security cannot be used on dynamic access
ports or on destination ports of the Switched Port Analyzer (SPAN) feature. Use port security
on every other active port on the switch as far as possible.
You can use the port security feature to restrict input to an interface by limiting and
identifying the MAC addresses of the end devices allowed to access the port. When you assign
secure MAC addresses to a secure port, the port does not forward packets with source
addresses outside the group of defined addresses. If you limit the number of secure MAC
addresses to one and assign a single secure MAC address to the port, the workstation attached
to that port is assured the full bandwidth of the port, and only the workstation with that MAC
address can successfully connect through it.
If a port is configured as a secure port and the maximum number of secure MAC addresses
has been reached, a security violation occurs when a workstation whose MAC address differs
from all of the identified secure MAC addresses attempts to access the port.
After you set the maximum number of secure MAC addresses on a port, the secure addresses
are included in the address table in one of these ways:
You can configure all secure MAC addresses with the switchport port-security mac-
address mac_address interface configuration command on a Cisco IOS Catalyst switch.



You can allow the port to dynamically learn the secure MAC addresses with the MAC
addresses of connected devices.
You can configure a number of static secure MAC addresses and allow the rest to be
dynamically learned.

You can configure the interface for one of these violation modes, based on the action taken if a
violation occurs:
Protect: When the number of secure MAC addresses reaches the limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number
of secure MAC addresses or increase the number of maximum allowable addresses. You
are not notified that a security violation has occurred.
Restrict: When the number of secure MAC addresses reaches the limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number
of secure MAC addresses or increase the number of maximum allowable addresses. In this
mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is
sent, a syslog message is logged, and the violation counter increments.
Shutdown: In this mode, a port security violation causes the interface to immediately
become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a
syslog message, and increments the violation counter. When a secure port is in the error-
disabled state, you can bring it out of this state by entering the errdisable recovery cause
psecure-violation global configuration command, or you can manually re-enable it by
entering the shutdown and no shutdown interface configuration commands. Shutdown is
the default mode.
The "Security Violation Mode Actions" table provides a summary of these modes.

Security Violation Mode Actions

Violation   Traffic is   Sends       Sends Syslog   Displays Error   Violation Counter   Shuts
Mode        Forwarded    SNMP Trap   Message        Message          Increments          Down Port
Protect     No           No          No             No               No                  No
Restrict    No           Yes         Yes            No               Yes                 No
Shutdown    No           Yes         Yes            No               Yes                 Yes
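The CAM table overflow and MAC spoofing sequences described in the two preceding topics, and the three violation modes summarized in the table above, are modelled together in the Python script below. It is an added example for this page, not Cisco code: the switch model, its 8-entry CAM table, the port numbers and the MAC addresses are all constructed for illustration, the macof function only imitates what the real tool sends, and age_out stands in for the CAM aging timer. Run it to compare the same two attacks with port security off and with the equivalent of switchport port-security maximum 1 on every access port.

```python
"""Model of a switch CAM table, with and without port security, for the attacks in
this lesson: CAM overflow (macof) making the switch flood, a spoofed source MAC
moving a CAM entry, and port-security 'maximum' plus a violation mode stopping
both.  Added example for this page, not Cisco's; the 8-entry CAM, the port
numbers and the MAC strings are constructed for illustration."""


class Switch:
    def __init__(self, ports, cam_size=8, port_security=None):
        self.ports = ports
        self.cam_size = cam_size                 # real CAM tables are finite too
        self.cam = {}                            # mac -> port
        # port_security: port -> {"max": n, "mode": "protect"|"restrict"|"shutdown"}
        self.psec = port_security or {}
        self.secure = {p: set() for p in self.psec}   # secure MACs learned per port
        self.violations = {p: 0 for p in self.psec}
        self.errdisabled = set()
        self.log = []                            # stands in for syslog / SNMP trap

    def _port_security_allows(self, src, port):
        """Apply the port-security rules; return True if the frame may be processed."""
        if port not in self.psec:
            return True
        if port in self.errdisabled:
            return False
        allowed = self.secure[port]
        # A secure address showing up on another secure port is a violation too.
        stolen = any(src in s for p, s in self.secure.items() if p != port)
        if src in allowed and not stolen:
            return True
        if not stolen and len(allowed) < self.psec[port]["max"]:
            allowed.add(src)                     # dynamic secure MAC
            return True
        self.violations[port] += 1
        mode = self.psec[port]["mode"]
        if mode == "protect":
            return False                         # dropped silently, no notification
        self.log.append(f"%PORT_SECURITY: violation on port {port}, src {src}, mode {mode}")
        if mode == "shutdown":
            self.errdisabled.add(port)           # err-disabled until an admin clears it
            self.cam = {m: p for m, p in self.cam.items() if p != port}
        return False

    def receive(self, src, dst, port):
        """Learn src on the ingress port (if there is room), then return where dst goes:
        a port number, or the list of ports the frame is flooded out of."""
        if not self._port_security_allows(src, port):
            return None
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = port                 # learn, or move an existing entry
        if dst in self.cam:
            return self.cam[dst]
        return [p for p in self.ports if p != port and p not in self.errdisabled]

    def age_out(self):
        """Dynamic CAM entries expire (300 s default on Catalyst); the port-security
        secure-address table is kept, so secured stations are re-learned on return."""
        self.cam.clear()


def macof(sw, port, start, count):
    """Stand-in for macof: frames with unique bogus source MACs and a broadcast dst."""
    for i in range(start, start + count):
        sw.receive("02:00:00:00:%02x:%02x" % divmod(i, 256), "ff:ff:ff:ff:ff:ff", port)


def demo_overflow(secured):
    """Attacker on port 3 fills the CAM table; is A->B traffic flooded to port 3?"""
    psec = {p: {"max": 1, "mode": "restrict"} for p in (1, 2, 3)} if secured else None
    sw = Switch([1, 2, 3], cam_size=8, port_security=psec)
    sw.receive("A", "B", 1)          # B unknown: flooded; the switch learns A on port 1
    sw.receive("B", "A", 2)          # the switch learns B on port 2; flooding stops
    macof(sw, 3, 0, 100)             # the table fills with bogus entries
    sw.age_out()                     # legitimate entries expire...
    macof(sw, 3, 100, 100)           # ...and macof keeps the table full
    sw.receive("B", "A", 2)          # B cannot be re-learned while the table is full
    return {"a_to_b": sw.receive("A", "B", 1),
            "cam_entries": len(sw.cam),
            "violations": sw.violations.get(3, 0)}


def demo_spoof(secured):
    """Attacker on port 2 sends one frame with A's source MAC; where does C->A go?"""
    psec = {p: {"max": 1, "mode": "shutdown"} for p in (1, 2, 3)} if secured else None
    sw = Switch([1, 2, 3], port_security=psec)
    sw.receive("A", "B", 1)
    sw.receive("B", "A", 2)
    sw.receive("C", "A", 3)
    sw.receive("A", "C", 2)          # spoofed frame: does the CAM now say A is on port 2?
    return {"a_port": sw.cam.get("A"),
            "c_to_a": sw.receive("C", "A", 3),
            "errdisabled": sorted(sw.errdisabled)}


if __name__ == "__main__":
    for secured in (False, True):
        print("port security on " if secured else "port security off",
              demo_overflow(secured), demo_spoof(secured))
```

Without port security, A->B ends up flooded to ports 2 and 3 once the table is full, and the spoofed frame moves A's entry to port 2 so that C's traffic for A is delivered to the attacker. With maximum 1 on every port, the second bogus address from port 3 is already a violation (199 violations for 200 bogus frames, each one logged in restrict mode), the table never fills, and in shutdown mode the spoofing port is err-disabled while A stays on port 1.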

Port Security Configuration

Secure MAC addresses:


• Static secure MAC addresses
• Dynamic secure MAC addresses
• Sticky secure MAC addresses
Security violations occur when:
• A station whose MAC address is not in the
address table attempts to access the interface
when the table is full.
• An address is being used on two secure interfaces
in the same VLAN.


Ports can be configured with the following types of secure MAC addresses:
Static secure MAC addresses: These are configured manually with the switchport
port-security mac-address mac-address interface configuration command, stored in the
address table, and added to the running configuration of the switch.
Dynamic secure MAC addresses: These are learned dynamically, stored only in the address
table, and removed when the switch restarts.
Sticky secure MAC addresses: These are learned dynamically, stored in the address table,
and added to the running configuration. Sticky secure MAC addresses do not automatically
become part of the startup configuration file that is loaded each time the switch restarts. If
you save the running configuration (for example, with copy running-config startup-config),
the interface does not need to relearn these addresses after a restart; if you do not save it,
they are lost.

A security violation occurs in the following situations:
• The maximum number of secure MAC addresses has been added to the address table and
a station whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure
interface in the same VLAN.



Port Security Defaults

Feature                                  Default Setting
Port security                            Disabled on a port
Maximum number of secure MAC addresses   1
Violation mode                           Shutdown. The port shuts down when the maximum number of
                                         secure MAC addresses is exceeded, and an SNMP trap
                                         notification is sent.

The figure shows the default port security values on a Cisco Catalyst switch. The next topic
shows you how to change these values to take full advantage of the port security feature.

Configuring Cisco Catalyst Switch Port Security
This topic describes how to configure port security on a Cisco Catalyst switch.

Configuring Port Security on a Cisco Catalyst Switch

1. Enter global configuration mode.
2. Enter interface configuration mode for the port you want to secure.
3. Enable basic port security on the interface.
4. Set the maximum number of MAC addresses allowed on this interface.
5. Set the interface security violation mode. The default is shutdown. For mode, select one
of these keywords:
• shutdown
• restrict
• protect
6. Return to privileged EXEC mode.
7. Verify the entry.


The graphic lists the tasks required to configure port security on a Cisco Catalyst switch. The
“Enabling Port Security with Cisco IOS Software Commands” table provides a description of
the steps and commands required.

Enabling Port Security with Cisco IOS Software Commands

Step 1
Command: configure terminal
Description: This command opens the global configuration mode.

Step 2
Command: Switch(config)# interface interface_id
Description: This command is used to enter interface configuration mode and to enter the
physical interface to configure (for example, gigabitethernet 3/1).

Step 3
Command: Switch(config-if)# switchport mode access
Description: This command sets the interface mode as access. An interface in the default mode
(dynamic desirable) cannot be configured as a secure port.

Step 4
Command: Switch(config-if)# switchport port-security
Description: This command enables port security on the interface.

Step 5 (Optional)
Command: Switch(config-if)# switchport port-security maximum value
Description: This command sets the maximum number of secure MAC addresses for the
interface. The range is 1 to 3072; the default is 1.

Step 6 (Optional)
Command: Switch(config-if)# switchport port-security violation {restrict | shutdown}
Description: This command sets the violation mode.

Step 7
Command: Switch(config-if)# switchport port-security limit rate invalid-source-mac
Description: This command sets the rate limit for bad packets.

Step 8 (Optional)
Command: Switch(config-if)# switchport port-security mac-address mac_address
Description: This command enters a secure MAC address for the interface. You can use this
command to enter the maximum number of secure MAC addresses. If you configure fewer
secure MAC addresses than the maximum, the remaining MAC addresses are dynamically
learned.

Step 9 (Optional)
Command: Switch(config-if)# switchport port-security mac-address sticky
Description: This command enables sticky learning on the interface.

Step 10
Command: Switch(config-if)# end
Description: This command returns the console to privileged EXEC mode.

Step 11
Commands: Switch# show port-security address interface interface_id
          Switch# show port-security address
Description: These commands verify your entries.

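The violation modes in the “Security Violation Mode Actions” table and the address types used by the steps above can be pinned down with a small model. The following Python class is an added example, not Cisco code and not part of the SND course: it simulates one secure access port with a configurable maximum, static and sticky addresses, and the protect, restrict and shutdown actions as the table lists them. The MAC addresses, the log text and the SecureDown status string are constructed for the example; a real switch additionally ages addresses, rate-limits bad packets and sends SNMP traps, none of which is modelled here.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with switchport port-security applied (simplified model)."""
    maximum: int = 1                  # switchport port-security maximum <value> (default 1)
    violation: str = "shutdown"       # protect | restrict | shutdown (default shutdown)
    sticky: bool = False              # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)         # static + learned addresses
    running_config: list = field(default_factory=list)    # lines that would land in the running-config
    violation_count: int = 0
    syslog: list = field(default_factory=list)            # constructed log text, not real IOS syslog
    status: str = "SecureUp"          # "SecureDown" once the shutdown action has fired

    def add_static(self, mac: str) -> None:
        """Static secure MAC: configured by hand and written to the running-config."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum number of secure addresses already reached")
        self.secure_macs.add(mac.lower())
        self.running_config.append(f"switchport port-security mac-address {mac.lower()}")

    def ingress(self, src_mac: str) -> bool:
        """Handle one frame from src_mac; return True if the switch forwards it."""
        src_mac = src_mac.lower()
        if self.status != "SecureUp":
            return False                          # an err-disabled port drops everything
        if src_mac in self.secure_macs:
            return True                           # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)         # dynamic learning fills the remaining slots
            if self.sticky:                       # sticky: learned address goes to the running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> bool:
        """Apply the configured violation action; the offending frame is never forwarded."""
        if self.violation == "protect":
            return False                          # dropped silently: no counter, no syslog, no trap
        self.violation_count += 1                 # restrict and shutdown both count and log
        self.syslog.append(f"security violation on port by {src_mac}")
        if self.violation == "shutdown":
            self.status = "SecureDown"            # port stays err-disabled until recovered
        return False

    def recover(self) -> str:
        """shutdown / no shutdown (or errdisable recovery) on an err-disabled port."""
        self.status = "SecureUp"
        return self.status
```

Run with a maximum of two and violation mode restrict to see the counter and log grow while the port stays up; switch to protect and the same unknown address is dropped with no trace, which is why protect gives an operator nothing to alert on.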
Setting the Maximum Number of Devices on a Port

There can be 1 to 132 secure MAC addresses in an address table:
• All configured from the command-line interface (CLI)
• All configured dynamically
• Some configured from CLI and the rest configured dynamically
Advantages of limiting devices:
• Dedicated bandwidth
• Added security


A secure port can have from 1 to 132 associated secure addresses. After you have set the
maximum number of secure MAC addresses on a port, the secure addresses are included in an
address table in one of these ways:
• You can configure all secure MAC addresses by using the switchport port-security
mac-address mac-address interface configuration command.
• You can allow the port to dynamically configure secure MAC addresses with the MAC
addresses of connected devices.
• You can configure a number of addresses and allow the rest to be dynamically configured.

Once the maximum number of secure MAC addresses is configured, they are stored in an
address table. To ensure that an attached device has the full bandwidth of the port, configure
the MAC address of the attached device and set the maximum number of addresses to one,
which is the default.
By limiting the number of devices that can connect to a secure port, you can provide dedicated
bandwidth to selected users. For example, if the size of the address table is set to one, the
attached device is guaranteed the full bandwidth of the port. As added security, once the
maximum number of devices has been set, unknown devices cannot connect to the port.



Port Security Configuration Script
Configuration Parameters:
• Enable port security on Fast Ethernet port 1
• Set the maximum number of secure addresses to 50
• Set violation mode to default
• No static secure MAC addresses needed
• Enable sticky learning

Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end


MAC addresses are gathered dynamically, with some switches supporting static entries and
sticky entries. Static entries are manually entered for each port (for example, switchport
port-security mac-address mac-address) and saved in the running configuration. Sticky entries are
similar to static entries except that they are dynamically learned. Existing dynamic entries are
converted to sticky entries when the switchport port-security mac-address sticky command
is issued for a port. These former dynamic entries are entered into the running configuration
using the command switchport port-security mac-address sticky mac-address. If the running
configuration is then saved to the startup configuration, these MAC addresses do not need
to be relearned on restart. Also, the maximum number of MAC addresses for the port can be set
(for example, with the command switchport port-security maximum value).
This figure shows how to enable port security on Fast Ethernet port 1 and to set the maximum
number of secure addresses to 50. The violation mode is the default, no static secure MAC
addresses are configured, and sticky learning is enabled.

Verify the Configuration

Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

The figure shows the output of the verification step.

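The verification output above is also what an operator collects across many ports when auditing a switch. The following Python snippet is an added example, not part of the course or of Cisco IOS: it parses the text of show port-security interface (the sample below is constructed from the figure) into a field map and checks the fields against a policy. The threshold in findings and the wording of each finding are assumptions chosen for the example, not switch defaults.

```python
import re

# Constructed sample, modelled on the verification figure (values are made up for the example).
SAMPLE_OUTPUT = """\
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
"""

# "Key: value" where the colon may sit against either side, as the switch prints it.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+?)\s*$")


def parse_port_security(text: str) -> dict:
    """Map each 'Key: value' line of show port-security interface output to a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def findings(fields: dict, max_allowed: int = 50) -> list:
    """Return policy findings for one port (empty list = compliant).

    max_allowed is an assumed site policy: a port allowed more addresses than this
    is flagged so that nobody quietly raises the maximum to make a violation go away.
    """
    out = []
    if fields.get("Port Security") != "Enabled":
        out.append("port security not enabled")
    if fields.get("Port status") != "SecureUp":
        out.append(f"port status is {fields.get('Port status')}")
    if fields.get("Violation mode", "").lower() == "protect":
        out.append("violation mode 'protect' leaves no syslog, trap or counter evidence")
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    if maximum > max_allowed:
        out.append(f"maximum {maximum} exceeds policy {max_allowed}")
    if int(fields.get("Security Violation count", "0")) > 0:
        out.append("violations recorded; investigate before clearing the counter")
    if int(fields.get("Total MAC Addresses", "0")) >= maximum:
        out.append("address table full; the next unknown MAC triggers a violation")
    return out
```

The parser is deliberately loose about whitespace around the colon because the switch prints "Maximum MAC Addresses :50" and "Total MAC Addresses: 11" in the same output; a stricter pattern silently loses fields.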


Mitigating MAC Spoofing

Example 1: Enabling Port Security

Console> (enable) set port security 2/1 enable
Port 2/1 port security enabled with the learned mac address.
Trunking disabled for Port 2/1 due to Security Mode

Example 2: Manually Specifying a Secure MAC Address

Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)

Network Attack Mitigation

IOS(config-if)# port security max-mac-count {1-132}
IOS(config-if)# port security action {shutdown|trap}
IOS(config-if)# arp timeout seconds

• Mitigates MAC spoofing with Cisco IOS software commands



Summary
This topic summarizes the key points discussed in this lesson.

Summary
• Layer 2 vulnerabilities often escape attention because any security
structure is only as strong as its weakest link.
• Five basic steps can mitigate Layer 2 attacks.
• Use passwords to protect administrative access to switches.
• Protect the management port by assigning unique accounts, strong
passwords, timeouts, banners and by using out-of-band
management.
• Turn off unused network services and interfaces.
• Limiting the number of valid MAC addresses allowed on a port
provides many benefits.
• Configure port security with Cisco IOS software or Cisco Catalyst
switch commands.
• Mitigate CAM table overflow attacks with Cisco IOS software or Cisco
Catalyst switch commands.
• Configuring port security can prevent MAC address spoofing
attacks.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Match each of the following commands with the type of attack that the command will
mitigate by putting the letter of the command in the space provided beside each type of
attack. (Source: Mitigating CAM Table Overflow Attacks, Mitigating MAC Spoofing
Attacks)
A) arp timeout
B) set port security
_____ 1. CAM table overflow
_____ 2. Media Access Control (MAC) Address spoofing
Q2) Explain the role of the CAM table in switch security. (Source: Mitigating CAM Table
Overflow Attacks)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________

Q3) What does the port security command provide? (Source: Mitigating MAC Address
Spoofing Attacks)
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________



Lesson Self-Check Answer Key
Q1) A-2, B-1
Q2) Switches maintain CAM lookup tables to track the source addresses located on the switch ports. These
lookup tables are populated by an address-learning process on the switch. The CAM table in a switch
contains the MAC addresses available on a given physical port of a switch. When a Layer 2 switch
receives a frame, the switch looks in the CAM table for the destination MAC address. If an entry exists for
the MAC address in the CAM table, the switch forwards the frame to the port designated in the CAM table
for that MAC address. If the MAC address does not exist in the CAM table, the switch forwards the frame
out every port on the switch, effectively acting like a hub. If a response is seen, the switch updates the
CAM table.
Q3) The port security command provides the capability to specify the MAC address of the system connected to
a particular switch port. The command also provides the ability to specify an action to take if a port-
security violation occurs.

Lesson 9

Mitigating Layer 2 Attacks


Overview
The previous lesson described Catalyst switch threats that you need to mitigate in terms of the
switches themselves and the threats that come from vulnerabilities in Layer 2 topologies and
the protocols that support them. This lesson describes how to mitigate attacks arising from
those vulnerabilities in Layer 2 topologies.

Objectives
Upon completing this lesson, you will be able to explain how to mitigate attacks against
network topologies and protocols. This ability includes being able to meet these objectives:
Explain how to configure VLANs to mitigate VLAN hopping attacks
Explain how to prevent Spanning-Tree Protocol manipulation
Explain how to mitigate ARP spoofing with Dynamic ARP Inspection (DAI)
Explain how to configure ACLs on the router to mitigate a private VLAN proxy attack
Explain the specific best practices that mitigate attacks on specific areas of Layer 2
hardware and software components
Mitigating VLAN Hopping Attacks
Along with MAC flooding attacks, virtual local area network (VLAN) hopping attacks are the
most problematic. This topic explains how to configure VLANs to mitigate VLAN hopping
attacks.

VLAN Hopping by Switch Spoofing

[Figure: a rogue station attached to a switch port that has negotiated itself into a trunk port]

• An attacker tricks a network switch into believing it is a legitimate switch on the network
needing trunking.
• Autotrunking allows the rogue station to become a member of all VLANs.
Note: There is no way to execute these attacks unless the switch is misconfigured.


VLAN architecture simplifies network maintenance and improves performance. However,
VLAN operation opens the door to abuse. VLAN hopping allows traffic from one VLAN to be
seen by another VLAN without first crossing a router. Under certain circumstances, attackers
can sniff data and extract passwords and other sensitive information at will. The attack works
by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access
to all VLANs. Trunk ports route traffic for multiple VLANs across the same physical link,
generally between switches. The data moving across these links can be encapsulated with
Institute of Electrical and Electronics Engineers (IEEE) 802.1Q or Inter-Switch Link (ISL).
In a basic VLAN hopping attack, the attacker takes advantage of the default autotrunking
configuration on most switches. By tricking a switch into thinking it is another switch with a
need to trunk, an attacker can gain access to all the VLANs allowed on the trunk port. This
attack requires a "trunking-favorable" setting, such as Auto, to succeed. Now, the attacker is a
member of all the trunked VLANs on the switch and can send and receive traffic on those
VLANs.
A VLAN hopping attack can be launched in one of two ways:
• Spoof the DTP messages from the attacking host to cause the switch to enter trunking
mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch
delivers the packets to the destination.
• Introduce a rogue switch and turn trunking on. The attacker can then access all the VLANs
on the victim switch from the rogue switch.

The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except
the ones that specifically require trunking.

VLAN Hopping by Double Tagging

[Figure: the attacker (VLAN 10) sends an 802.1q frame carrying two tags, outer 10 and inner
20, across a trunk whose native VLAN is 10; the first switch strips off the first tag and sends
the frame back out, and it reaches the victim (VLAN 20)]
Note: This attack works only if the trunk has the same native VLAN as the attacker.

• The attacker sends double encapsulated 802.1Q frames.
• The switch performs only one level of decapsulation.
• Only unidirectional traffic is passed.
• It works even if the trunk ports are set to off.
Note: There is no way to execute these attacks unless the switch is misconfigured.


The double tagging (or double encapsulated) VLAN hopping attack takes advantage of the way
the hardware on most switches operates. Most switches perform only one level of IEEE 802.1Q
decapsulation and allow an attacker, in specific situations, to embed a hidden .1Q tag inside the
frame, which allows the frame to go to a VLAN that the outer .1Q tag did not specify. An
important characteristic of the double encapsulated VLAN hopping attack is that it works even
if trunk ports are set to OFF.
The attack works as follows:
Step 1 The attacker sends a double-tagged 802.1q frame to the switch. The outer header has
the VLAN tag of the attacker and the native VLAN of the trunk port. (For the
purposes of this attack, assume VLAN 10.) The inner tag is the victim VLAN,
VLAN 20.
Step 2 The frame arrives on the switch, which looks at the first 4-byte 802.1q tag. The
switch sees that the frame is destined for VLAN 10 and sends it out on all VLAN 10
ports (including the trunk) since there is no CAM table entry. Remember that, at this
point, the second VLAN tag is still intact and was never inspected by the first
switch.
Step 3 The frame arrives at the second switch, which has no knowledge that the frame was
supposed to be for VLAN 10. (Remember, native VLAN traffic is not tagged by the
sending switch, as specified in the 802.1q spec.)
Step 4 The second switch looks at only the 802.1q tag (the former inner tag that the attacker
sent) and sees that the frame is destined for VLAN 20 (the victim VLAN). The
second switch sends the packet on to the victim port or floods it, depending on
whether there is an existing CAM table entry for the victim host.
The figure illustrates the attack. It is important to note that this attack is only unidirectional and
works only when the attacker and trunk port have the same native VLAN. Thwarting this type
of attack is not as easy as stopping basic VLAN hopping attacks. The best approach is to make
sure that the native VLAN of the trunk ports is different from the native VLAN of the user
ports.



Mitigating VLAN Hopping Network Attacks

Example 1: Setting a Trunk Port

Console> (enable) set trunk 1/2 on
Port(s) 1/2 trunk mode set to on.
Console> (enable)

Example 2: Adding a Range of VLANs to the Allowed VLAN List

Console> (enable) set trunk 1/1 5-50
Adding vlans 5-50 to allowed list.
Port(s) 1/1 allowed vlans modified to 1,5-50,101-1005.
Console> (enable)

Example 3: Setting Drop Thresholds

Console> (enable) set port arp-inspection 2/1 drop-threshold 500 shutdown-threshold 1000
Drop Threshold=500, Shutdown Threshold=1000 set on port 2/1.
Console> (enable)


To prevent VLAN hopping attacks that use double 802.1q encapsulation, the switch must look
further into the packet to determine whether more than one VLAN tag is attached to a given
frame. Unfortunately, the application-specific integrated circuits (ASICs) that are used by most
switches are hardware optimized to look for only one tag and then switch the frame. The
issue of performance versus security requires administrators to balance their requirements
carefully.
Mitigating VLAN hopping attacks that use double 802.1q encapsulation requires several
modifications to the VLAN configuration. One of the more important elements is to use a
dedicated native VLAN for all trunk ports. This attack is easy to stop if you follow the best
practice that native VLANs for trunk ports should never be used anywhere else on the switch.
Also, disable all unused switch ports and place them in an unused VLAN.
Set all user ports to nontrunking mode by explicitly turning off Dynamic Trunking Protocol
(DTP) on those ports; this mitigates VLAN hopping attacks that use switch spoofing.
Use the set trunk command to configure trunk ports and to add VLANs to the allowed VLAN
list for existing trunks. The example shown in the figure shows how to set Port 2 on Module 1
as a trunk port. The full command syntax is as follows:
set trunk mod/port {on | off | desirable | auto | nonegotiate} [vlans] [isl | dot1q | negotiate]
Use the set port arp-inspection command to set Address Resolution Protocol (ARP)
inspection thresholds on a per-port basis. If the number of packets exceeds the drop-threshold
rate, the excess packets are dropped. The excess packets are still counted toward the shutdown-
threshold rate. If the number of packets exceeds the shutdown-threshold rate, the port is shut
down. The full command syntax is as follows:
set port arp-inspection mod/port drop-threshold rate shutdown-threshold rate
The example in the figure shows how to set the drop-threshold to 500 and the shutdown-
threshold to 1000 for port 2/1.

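Both the double-tagging walkthrough and the native-VLAN guidance above come down to what is in the 802.1Q tag stack of a frame. The following Python code is an added example, not Cisco code: vlan_tags walks every tag on a frame (the part a switch that performs only one decapsulation never looks at), ingress_verdict gives the handling a switch that inspects the whole stack should apply on an access or trunk port, and native_vlan_collisions audits a configuration for the best practice that a trunk's native VLAN is used nowhere else. The frames, MAC addresses and port names are constructed for the example.

```python
import struct

TPID_DOT1Q = 0x8100          # EtherType that announces an 802.1Q tag follows


def vlan_tags(frame: bytes) -> tuple:
    """Return (vlan_ids, inner_ethertype) for every 802.1Q tag stacked on the frame.

    A switch that performs a single level of decapsulation acts only on the first
    element; any further tag travels untouched inside what it treats as payload.
    """
    offset = 12                           # skip destination and source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_DOT1Q:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)         # VLAN ID is the low 12 bits of the TCI
        offset += 4                       # TPID + TCI consumed; look for the next tag


def build_frame(vlans, ethertype=0x0800, payload=b"\x00" * 20) -> bytes:
    """Constructed test frame: dst MAC, src MAC, one 802.1Q tag per VLAN, then payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0ffee01")   # constructed MACs
    for v in vlans:
        hdr += struct.pack("!HH", TPID_DOT1Q, v & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ingress_verdict(frame: bytes, port_is_trunk: bool, native_vlan: int) -> str:
    """What a switch that inspects the whole tag stack should do with the frame.

    End stations on access ports are not expected to send tagged frames at all.
    On a trunk one tag is normal; a second tag would survive single-level
    decapsulation and land in a VLAN the outer tag never named, so it is dropped.
    """
    tags, _ = vlan_tags(frame)
    if not port_is_trunk and tags:
        return "drop: tagged frame received on access port"
    if len(tags) > 1:
        return f"drop: nested 802.1Q tags {tags} (double tagging)"
    if len(tags) == 1 and tags[0] == native_vlan:
        return "forward (native VLAN: sent untagged on the trunk)"
    return "forward"


def native_vlan_collisions(trunk_native: dict, access_vlans: dict) -> list:
    """Audit the best practice that a trunk's native VLAN is used by no user port.

    trunk_native maps trunk port -> native VLAN; access_vlans maps access port -> VLAN.
    Returns (trunk, native_vlan, [offending access ports]) for each collision.
    """
    users_of = {}
    for port, vlan in access_vlans.items():
        users_of.setdefault(vlan, []).append(port)
    return [(trunk, vlan, users_of[vlan])
            for trunk, vlan in trunk_native.items() if vlan in users_of]
```

The audit function is the part worth keeping in a change-control check: feed it the native VLAN of every trunk and the access VLAN of every user port from your configuration export, and any non-empty result is exactly the precondition the double-tagging walkthrough depends on.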
Preventing Spanning-Tree Protocol Manipulation
This topic explains how to prevent STP manipulation.

STP Attack

• On booting the switch, STP identifies one switch as a root bridge and blocks other
redundant data paths.
• STP uses BPDUs to maintain a loop-free topology.

[Figure: a redundant switched topology with the root bridge at the top; ports are marked
F (forwarding port) or B (blocking port), and one redundant path is blocked (X)]


Another attack against switches involves intercepting traffic by attacking the STP.
STP maintains a loop-free topology in a redundant Layer 2 infrastructure by identifying one
switch as a root bridge and blocking other redundant data paths. Upon bootup the switches
begin a process of determining a loop-free topology. The switches identify one switch as a root
bridge and block all other redundant data paths.
STP sends messages using Bridge Protocol Data Units (BPDUs) describing the configuration,
topology change notification (TCN) and topology change acknowledgment (TCA).



STP Attack (Cont.)

[Figure: two access switches below a root bridge. Left: the attacker sends spoofed BPDUs to
change the STP topology. Right: the attacker now becomes the root bridge, the formerly
blocked path is unblocked, and traffic between the two switches flows through the attacker]


By attacking the STP, the network attacker hopes to spoof the attacked system by acting as the
root bridge in the topology. The attacker broadcasts STP configuration or topology change
BPDUs in an attempt to force spanning-tree recalculations.
The BPDUs sent out by the attacker system announce that the attacking system has a lower
bridge priority, which causes the attacker system to be elected as the root bridge. If successful,
the attacker PC receives the user frames, because each frame flows through the attacker PC
posing as the root bridge.
The figure illustrates how a network attacker can use STP to change the topology of a network
so that it appears that the attacker host is a root bridge. By transmitting spoofed STP BPDU
packets, the attacker causes the switches to initiate STP recalculations that result in all traffic
between the two switches flowing through the attacker PC.

Mitigating STP Attacks with bpdu-guard and guard root

CatOS> (enable) set spantree portfast bpdu-guard enable
IOS(config)# spanning-tree portfast bpduguard

• Mitigates STP manipulation with bpdu-guard command

CatOS> (enable) set spantree guard root 1/1
IOS(config-if)# spanning-tree guard root

• Mitigates STP manipulation with guard root command


To mitigate STP manipulation, use the guard root command and the Cisco IOS bpduguard
command or the Cisco Catalyst switch bpdu-guard enhancement command to enforce the
placement of the root bridge in the network and to enforce the STP domain borders.
The root guard feature is designed to provide a way to enforce the root-bridge placement in the
network. Root guard must be enabled on all ports where the root bridge should not appear. If
the bridge receives superior STP BPDUs on a root guard enabled port, this port is moved to a
root-inconsistent STP state (effectively equal to listening state), and no traffic is forwarded
across this port.
The STP BPDU guard is designed to allow network designers to keep the active network
topology predictable. BPDU guard can be globally enabled and will disable any portfast port
that receives a BPDU message. Because these portfast ports are end user ports, there should be
no reason for BPDU messages to be sent to them. While BPDU guard may seem unnecessary
because the administrator can set the bridge priority to zero, there is still no guarantee that the
switch will be elected as the root bridge: there may still be a bridge with priority zero and a
lower bridge ID. BPDU guard is best deployed on user-facing ports to prevent rogue switch
network extensions by an attacker.
BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the
port upon BPDU reception if portfast is enabled on the port. This effectively prevents devices
behind such ports from participating in STP. A port that is put into the error-disable state
requires manual intervention to be re-enabled, or an error-disable timeout must be configured.
Root guard allows the device to participate in STP as long as the device does not try to become
the root. If root guard blocks the port, subsequent recovery is automatic, as soon as the
offending device stops sending superior BPDUs.

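The two points above, that a priority of zero alone does not guarantee root placement and that BPDU guard and root guard react differently to the same BPDU, can be checked with a small model. The Python below is an added example, not Cisco code: bridge IDs are (priority, MAC) tuples compared the way 802.1D compares them, and Port.receive applies BPDU guard (any BPDU on a portfast port err-disables it) and root guard (a superior BPDU puts the port into root-inconsistent, recovering automatically when superior BPDUs stop). Port names, MAC addresses and the state strings are constructed; a real switch compares against per-port designated information, which this model collapses into one current root ID.

```python
from dataclasses import dataclass


def bridge_id(priority: int, mac: str) -> tuple:
    """802.1D bridge ID: priority is compared first; the MAC address breaks ties."""
    return (priority, int(mac.replace(":", "").replace("-", ""), 16))


@dataclass
class BPDU:
    root_id: tuple                    # bridge ID the sender claims as root


@dataclass
class Port:
    name: str
    portfast: bool = False            # spanning-tree portfast (end-user port)
    bpdu_guard: bool = False          # spanning-tree portfast bpduguard
    root_guard: bool = False          # spanning-tree guard root
    state: str = "forwarding"         # forwarding | err-disabled | root-inconsistent

    def receive(self, bpdu: BPDU, current_root: tuple) -> str:
        """Apply the guards to one received BPDU and return the resulting port state."""
        if self.state == "err-disabled":
            return self.state                       # stays down until recovered
        if self.portfast and self.bpdu_guard:
            self.state = "err-disabled"             # no BPDU is ever expected on an end-user port
        elif self.root_guard:
            if bpdu.root_id < current_root:         # superior: would move the root behind this port
                self.state = "root-inconsistent"    # listening-like, nothing forwarded
            elif self.state == "root-inconsistent":
                self.state = "forwarding"           # automatic recovery once superior BPDUs stop
        return self.state

    def recover(self) -> str:
        """Manual shutdown / no shutdown, or errdisable recovery, on an err-disabled port."""
        if self.state == "err-disabled":
            self.state = "forwarding"
        return self.state
```

The test below makes the priority-zero point concrete: two bridges both at priority 0 are ordered by MAC address, so a neighbour with a numerically lower MAC still wins unless root guard is on the port facing it.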


Mitigating ARP Spoofing with DAI
This topic explains how to mitigate ARP spoofing with Dynamic ARP Inspection (DAI).

ARP Spoofing—Man-in-the-Middle Attacks

[Figure: Host HA (IA, MA), Host HB (IB, MB) and Host HC (IC, MC) attached to router
interfaces A, B and C; IP and MAC addresses are shown in parentheses]


ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous
reply from a host even if an ARP request was not received. After the attack, all traffic from the
device under attack flows through the attacker computer and then to the router, switch, or host.
An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2
network by poisoning the ARP caches of systems connected to the subnet and by intercepting
traffic intended for other hosts on the subnet. The figure shows an example of ARP cache
poisoning.
Hosts A, B, and C are connected to the router on interfaces A, B, and C, all of which are on the
same subnet. Their IP and MAC addresses are shown in parentheses. In this example, Host A
uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at
the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB.
When the router and Host B receive the ARP request, they populate their ARP caches with an
ARP binding for a host with the IP address IA and a MAC address MA; that is, IP
address IA is bound to MAC address MA. When Host B responds, the router and Host A
populate their ARP caches with a binding for a host with the IP address IB and the MAC
address MB.
Host C can poison the ARP caches of the router, Host A, and Host B by broadcasting forged
ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of
MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC
address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because
Host C knows the true MAC addresses associated with IA and IB, it can forward the
intercepted traffic to those hosts by using the correct MAC address as the destination. Host C
has inserted itself into the traffic stream from Host A to Host B, which is the topology of the
classic man-in-the-middle attack.

Mitigating Man-in-the-Middle Attacks with DAI

[Figure: MAC or IP tracking built on DHCP snooping. A client sends a DHCP Discovery
(broadcast); the DHCP server at 10.1.1.1 returns a DHCP Offer (unicast) for 10.1.1.2, and the
switch records the resulting binding]

DAI function:
• Track Discovery
• Track DHCP offer MAC or IP
• Track subsequent ARPs for MAC or IP

DAI provides protection against attacks such as ARP poisoning using spoofing tools such as
ettercap, dsniff, arpspoof.


The DAI feature of Cisco Catalyst switches stops ARP spoofing man-in-the-middle attacks.
Like DHCP snooping, DAI uses the concept of trusted and untrusted ports to decide which
ARP packets need to be inspected. To do this, DAI intercepts all ARP packets and examines
them for proper MAC-to-IP bindings. This is done by using the DHCP binding table that was
built by enabling DHCP snooping. If an ARP packet arrives on a trusted port, no
examination is made. If it arrives on an untrusted port, the ARP packet is examined and
compared against the table. If a gratuitous ARP (gARP) or an ARP packet that would change an
IP-to-MAC binding fails this check, the port can be locked down. As well, ARP ACLs can be
written for non-DHCP MAC or IP addresses to protect those devices.



DAI in Action

[Figure: a user at 10.1.1.2 whose gateway is 10.1.1.1 ("GW is 10.1.1.1"). An intruder sends
"I am your GW: 10.1.1.1", a gARP that attempts to change the IP-address-to-MAC bindings;
the switch answers "Not according to this binding table" and drops it]

• A binding table containing IP-address and MAC-address associations is dynamically
populated using DHCP snooping.
• DAI can also validate ARP packets against user-configured ARP ACLs to handle hosts
using statically configured IP addresses.


In the figure, a user has an IP address of 10.1.1.2 and is connected to a gateway with IP
10.1.1.1. An intruder residing on an untrusted port sends a gARP in an attempt to reset IP-to-
MAC bindings so all traffic from 10.1.1.2 to the 10.1.1.1 default gateway goes to the attacker.
DAI examines the ARP packet and compares its information with the information in the switch
DHCP binding table. If there is no match, the ARP packet is dropped and the port is locked.
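The trusted/untrusted split, the DHCP snooping binding lookup and the ARP ACL for static hosts described in the two passages above fit in one decision function. The Python below is an added example, not Cisco code: DAI.inspect returns the verdict for one ARP packet and locks the untrusted port on a failed check, as the text describes. The packet is passed as plain fields rather than parsed from bytes, and the port names, addresses and log text are constructed for the example; the gateway at 10.1.1.1 is entered through the ARP ACL to show the static-host path.

```python
from dataclasses import dataclass, field


@dataclass
class DAI:
    """Dynamic ARP Inspection decision logic for one switch (simplified model)."""
    trusted_ports: set = field(default_factory=set)     # uplinks and DHCP server ports
    bindings: dict = field(default_factory=dict)        # DHCP snooping table: (ip, vlan) -> mac
    arp_acl: dict = field(default_factory=dict)         # static hosts: ip -> mac (permit entries)
    errdisabled: set = field(default_factory=set)       # ports locked after a violation
    log: list = field(default_factory=list)             # constructed log entries

    def learn_dhcp(self, ip: str, mac: str, vlan: int) -> None:
        """DHCP snooping records the offer/ack as an IP-to-MAC binding on that VLAN."""
        self.bindings[(ip, vlan)] = mac.lower()

    def inspect(self, port: str, vlan: int, eth_src: str, sender_ip: str,
                sender_mac: str, opcode: str = "reply") -> str:
        """Return 'forward' or 'drop: <reason>' for one ARP packet received on port."""
        if port in self.errdisabled:
            return "drop: port is err-disabled"
        if port in self.trusted_ports:
            return "forward"                              # trusted ports are not inspected
        sender_mac, eth_src = sender_mac.lower(), eth_src.lower()
        if eth_src != sender_mac:                         # Ethernet source must match ARP sender MAC
            return self._drop(port, "ethernet source MAC differs from ARP sender MAC")
        # ARP ACL entries take precedence for statically addressed hosts; otherwise
        # the binding must come from DHCP snooping on the same VLAN.
        expected = self.arp_acl.get(sender_ip) or self.bindings.get((sender_ip, vlan))
        if expected is None:
            return self._drop(port, f"no binding for {sender_ip} on VLAN {vlan}")
        if expected != sender_mac:
            return self._drop(port, f"{sender_ip} is bound to {expected}, "
                                    f"packet ({opcode}) claims {sender_mac}")
        return "forward"

    def _drop(self, port: str, reason: str) -> str:
        """Drop the packet, log it, and lock the untrusted port."""
        self.log.append(f"DAI {port}: {reason}")
        self.errdisabled.add(port)
        return f"drop: {reason}"
```

The gratuitous reply in the test is the "I am your GW: 10.1.1.1" packet from the figure: the sender address does not match the ACL entry for 10.1.1.1, so the packet is dropped and the intruder's port is locked, while the legitimate client's request on VLAN 1 passes because DHCP snooping recorded its lease.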

Defending Private VLANs
This topic explains how to configure ACLs on the router to mitigate a private VLAN proxy
attack.

Defending Private VLANs

[Figure: a primary VLAN (BLUE) joining a promiscuous port to the secondary VLAN ports;
Host 1 (FTP) and Host 2 (HTTP) are on secondary VLAN ports, Host 3 (Admin) is on the
promiscuous port]

Traffic flows on private VLANs:
• RED and YELLOW can communicate with BLUE
• RED and YELLOW cannot communicate with each other


PVLANs allow you to segregate traffic at Layer 2 and turn a broadcast segment into a
nonbroadcast multiaccess-like segment. PVLANs provide Layer 2 isolation between ports within
the same broadcast domain.
There are three types of PVLAN ports:
• Promiscuous: A promiscuous port can communicate with all interfaces, including the
isolated and community ports within a PVLAN.
• Isolated: An isolated port has complete Layer 2 separation from the other ports within the
same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated
ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to
promiscuous ports.
• Community: Community ports communicate among themselves and with their
promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in
other communities or isolated ports within their PVLAN.
The figure represents the private VLANs as different pipes that connect routers and hosts. The
pipe that bundles all the others is the primary VLAN blue, and the traffic on VLAN blue flows
from the routers to the hosts. The pipes internal to the primary VLAN are the secondary
VLANs marked in yellow and red. Traffic traveling on those pipes flows only from the hosts
towards the router.
In this topology, the promiscuous port can forward both primary and secondary VLANs.
Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that
belong to the same primary VLAN. Traffic that comes to a switch from a port mapped to a
secondary VLAN (an isolated or a community VLAN) can be forwarded to a promiscuous port
or a port belonging to the same community VLAN. Multiple ports mapped to the same isolated
VLAN cannot exchange any traffic.

Copyright © 2005, Cisco Systems, Inc. Securing the Perimeter 2-277

In the figure, the primary VLAN is represented in blue; the secondary VLANs are represented
in red and yellow. Host 1 is connected to an isolated port of the switch that belongs to the
secondary VLAN red. Host 2 is connected to a community port of the switch that belongs to the
secondary VLAN yellow. Host 3, the administrator, is attached to a promiscuous port.
When a host is transmitting, the traffic is carried in the secondary VLAN. For example, when
Host 2 transmits, its traffic goes on VLAN yellow. When those hosts are receiving, the traffic
comes from the VLAN blue, which is the primary VLAN.
Routers and firewalls are connected to promiscuous ports because those ports can forward
traffic coming from every secondary VLAN defined in the mapping as well as the primary
VLAN. The ports connected to each host can only forward the traffic coming from the primary
VLAN and the secondary VLAN configured on those ports.

Private VLAN Proxy Attack

[Figure: the Attacker (Mac:A IP:1) and the Victim (Mac:B IP:2) are on isolated ports; the Router (Mac:C IP:3) is on the promiscuous port. A frame sent directly from the attacker to the victim is dropped: PVLANs drop the packet.]

While private VLANs are a common mechanism used to restrict communications between
systems on the same logical IP subnet (same VLAN), they are not a fail-proof mechanism.
Private VLANs work by limiting which ports within a VLAN can communicate with other
ports in the same VLAN:
• Isolated ports within a VLAN can communicate only with promiscuous ports.
• Community ports can communicate only with other members of the same community and
promiscuous ports.
• Promiscuous ports can communicate with any port.

One network attack capable of bypassing the network security of private VLANs involves the
use of a proxy to bypass access restrictions to a private VLAN.

Private VLAN Proxy Attack (Cont.)

[Figure: the Attacker (Mac:A IP:1) on an isolated port sends the frame to the Router (Mac:C IP:3) on the promiscuous port; the router forwards it as S:A1 D:B2 to the Victim (Mac:B IP:2) on an isolated port. PVLANs forward the packet and the intended PVLAN security is bypassed.]

Private VLANs are subject to a proxy attack in which frames are forwarded to a host on the
network connected to a promiscuous port such as a router. In this figure, the network attacker
sends a packet with the source-IP and MAC address of their device, a destination IP address of
the target system, but a destination MAC address of the router. The switch forwards the frame
to the router switch port.
The router routes the traffic, rewrites the destination MAC address as that of the target, and
sends the packet back out. Now the packet has the proper format, as shown, and is forwarded to
the target system (Mac B, IP 2). This network attack allows only for unidirectional traffic,
because any attempt by the target to send traffic back is blocked by the private VLAN
configuration. If both hosts are compromised, static ARP entries that show that the victim
machines are reachable by the router MAC address could be used to allow bidirectional traffic.
This scenario is not a private VLAN vulnerability because all the rules of private VLANs were
enforced. However, the network security was bypassed.

Network Attack Mitigation

IOS(config)# access-list 101 deny ip 172.16.34.0 0.0.0.255 172.16.34.0 0.0.0.255 log
IOS(config)# access-list 101 permit ip any any
IOS(config-if)# ip access-group 101 in

• Mitigates private VLAN proxy attack

Configure ACLs on the router port to mitigate private VLAN attacks. Configure an inbound
ACL on the router to stop all traffic from the local subnet to the same local subnet.
VACLs can also be used to help mitigate the effects of private VLAN attacks.
The figure provides an example of using ACLs on the router port. In this case, a server-farm
segment is 172.16.34.0/24. Configuring the ACLs on the default gateway as shown would
mitigate the private VLAN proxy attack.
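The following Python model, added here and not part of the course material, puts together the private VLAN forwarding rules, the proxy attack described in this topic and the router ACL from the figure: the direct frame is dropped by the PVLAN, the proxied frame reaches the victim through the router when no ACL is configured, and the same frame is denied once access-list 101 is applied inbound on the router. The port names, the MAC labels A/B/C, the host addresses chosen inside 172.16.34.0/24 and the single-switch topology are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    kind: str            # "promiscuous", "isolated" or "community"
    community: str = ""  # secondary community VLAN name, community ports only


def pvlan_forwards(src: Port, dst: Port) -> bool:
    """Layer 2 private VLAN rule: may a frame entering on src leave on dst?"""
    if src == dst:
        return False
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                                # promiscuous ports talk to everyone
    if src.kind == "community" and dst.kind == "community":
        return src.community == dst.community      # members of the same community only
    return False                                   # isolated ports reach only promiscuous ports


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    src: str           # network address or "any"
    src_wild: str      # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    log: bool = False


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    if base == "any":
        return True
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)


def acl_decision(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src_ip, ace.src, ace.src_wild) and \
                wildcard_match(dst_ip, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# access-list 101 from the figure, protecting the 172.16.34.0/24 server-farm segment.
ACL_101 = [
    Ace("deny", "172.16.34.0", "0.0.0.255", "172.16.34.0", "0.0.0.255", log=True),
    Ace("permit", "any", "0.0.0.0", "any", "0.0.0.0"),
]


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


# Constructed topology: attacker and victim on isolated ports, router on the promiscuous port.
ATTACKER = Port("Fa0/1", "isolated")
VICTIM = Port("Fa0/2", "isolated")
ROUTER = Port("Gi0/1", "promiscuous")
MAC_TABLE: Dict[str, Port] = {"A": ATTACKER, "B": VICTIM, "C": ROUTER}
ARP: Dict[str, str] = {"172.16.34.1": "A", "172.16.34.2": "B", "172.16.34.3": "C"}


def send(frame: Frame, ingress: Port, router_acl: Optional[List[Ace]]) -> str:
    """Trace one frame through the switch and, if it reaches the router, back out again."""
    egress = MAC_TABLE[frame.dst_mac]
    if not pvlan_forwards(ingress, egress):
        return "dropped by PVLAN"
    if egress != ROUTER:
        return "delivered at Layer 2"
    # Inbound ACL on the router interface, then routing rewrites the destination MAC
    # to that of the target, as the text describes.
    if router_acl is not None and acl_decision(router_acl, frame.src_ip, frame.dst_ip) == "deny":
        return "denied by router ACL"
    rewritten = Frame(frame.src_mac, frame.src_ip, ARP[frame.dst_ip], frame.dst_ip)
    if pvlan_forwards(ROUTER, MAC_TABLE[rewritten.dst_mac]):
        return "delivered via router (PVLAN bypassed)"
    return "dropped by PVLAN"


def proxy_attack(router_acl: Optional[List[Ace]]) -> Dict[str, str]:
    """Outcome of a direct frame and of a proxied frame, with or without the router ACL."""
    direct = Frame("A", "172.16.34.1", "B", "172.16.34.2")    # straight to the victim
    proxied = Frame("A", "172.16.34.1", "C", "172.16.34.2")   # victim's IP, router's MAC
    return {"direct": send(direct, ATTACKER, router_acl),
            "proxied": send(proxied, ATTACKER, router_acl)}
```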



Layer 2 Security Best Practices
This topic describes specific best practices that mitigate attacks on specific areas of Layer 2
hardware and software components.

Layer 2 Best Practices

• Restrict management access to the switch so that parties on nontrusted networks cannot exploit management interfaces and protocols such as Simple Network Management Protocol (SNMP).
• Avoid using clear text management protocols on a hostile network.
• Turn off unused and unneeded network services.
• Use port security mechanisms to limit the number of allowed MAC addresses to provide protection against a MAC flooding attack.
• Use a dedicated VLAN ID for all trunk ports.
• Shut down unused ports in the VLAN.
• Prevent denial-of-service attacks and other exploitation by locking down the spanning-tree protocol and other dynamic protocols.
• Avoid using VLAN 1, where possible, for trunk and user ports.
• Use DHCP Snooping, DAI and IP Port Guard to mitigate man-in-the-middle attacks.
• Use Cisco IOS hardware ACLs, where available, to block undesirable traffic.

The figure summarizes Layer 2 security best practices that have been described and explained
in the last two lessons. You should be able to explain how each of these suggestions will
mitigate attacks on specific areas of Layer 2 hardware and software components.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• Disabling autotrunking mitigates VLAN hopping attacks.
• The root guard command and the bpdu guard command mitigate Spanning-Tree Protocol attacks.
• DAI can protect against man-in-the-middle attacks.
• Private VLANs can be protected with access control lists.
• Following best practices mitigates Layer 2 attacks.



Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Match each of the following commands with the type of attack that the command will
mitigate by putting the letter of the command in the space provided beside each type of
attack. (Source: Mitigating VLAN Hopping Attacks, Preventing Spanning-Tree
Protocol Manipulation)
A) set spantree guard root
B) set trunk
C) access-list
_____ 1. VLAN hopping
_____ 2. Spanning-Tree Protocol manipulation
_____ 3. Private VLAN attacks
Q2) Explain how VLAN configuration can mitigate VLAN hopping attacks. (Source:
Mitigating VLAN Hopping Attacks)

_____________________________________________________________________
______________________________________________________________________

Q3) What is the effect of using the root guard and bpdu-guard enhancement commands?
(Source: Preventing Spanning-Tree Protocol Manipulation)

______________________________________________________________________
______________________________________________________________________
______________________________________________________________________

Lesson Self-Check Answer Key
Q1) A-2, B-1, C-3
Q2) Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the
more important elements is to use dedicated native VLAN for all trunk ports. Also, disable all unused
switch ports and place them in an unused VLAN. Set all user ports to nontrunking mode by explicitly
turning off DTP on those ports.
Q3) The root guard and the bpdu-guard enhancement commands enforce the placement of the root bridge in
the network and enforce the Spanning-Tree Protocol domain borders.

Lesson 10

Using Catalyst Switch Security Features

Overview
The Cisco SAFE Blueprint focuses on the whole range of threats poised against the security of
dynamic networks. The SAFE Blueprint uses existing Cisco products and uses all available
firewall, virtual private network (VPN), intrusion prevention, switching and routing
technologies. This lesson introduces the security role played by the Cisco Catalyst switch
family.
While firewalls and VPNs provide WAN security, Catalyst switches provide LAN security.
However, it is not that simple, because security threats come from both within and outside of
the immediately controllable network infrastructure. As the security needs of networks increase,
so does the need for flexible access to the network for remote users and customers. The ability
to assess Layer 2 network vulnerabilities and apply appropriate mitigating solutions using
embedded Catalyst security features greatly reduces the chances of network attack.
The previous lessons focused on Layer 2 security, first from the point of view of securing the
switches and ports themselves, and then on mitigating threats posed by the way in which
various Layer 2 protocols work. This lesson looks at the security features in Cisco Catalyst
switches. While some topics may have been introduced earlier, they are presented here in the
context of Catalyst switches rather than in a Layer 2 context.
Objectives
Upon completion of this lesson you will be able to describe how to use the security features
embedded in Catalyst switches to mitigate network threats. This includes the ability to meet the
following objectives:
Match the embedded security features of Cisco Catalyst switches to the AAA requirements
of a network
Describe the function and benefit of the IBNS feature embedded in Cisco Catalyst switches
Describe the function and benefit of the Access Control List feature embedded in Cisco
Catalyst switches
Describe the function and benefit of the Port Security feature embedded in Cisco Catalyst
switches
Describe the function and benefit of the Private VLAN feature embedded in Cisco Catalyst
switches
Describe the function and benefit of the Private VLAN Edge feature embedded in Cisco
Catalyst switches
Describe the function and benefit of the Rate-limiting feature embedded in Cisco Catalyst
switches
Describe the function and benefit of the SPAN for IPS feature embedded in Cisco Catalyst
switches
Describe the function and benefit of the Management Encryption feature embedded in
Cisco Catalyst switches
Select Cisco Catalyst features to solve typical Layer 2 security issues

Embedded Security Features in Cisco Catalyst
Switches
This topic shows how the security features embedded in Cisco Catalyst switches map to the
authentication, authorization, and accounting (AAA) requirements of a network.

The Switching Infrastructure and Security

• Firewalls and VPNs provide WAN security
• Catalyst Switching provides LAN security
• Implements an added layer of protection of your network resources (assets)
• Switching devices provide infrastructure protection through support for:
  – Secure connectivity
  – Perimeter security
  – Intrusion protection
  – Identity services
  – Security management

LAN security is important. Research by the FBI and Computer Security Institute (CSI)
indicates that up to 60% of attacks are initiated on LANs as opposed to WANs. Clearly, a
balanced focus on the LAN portion of any security plan is required to provide an added layer of
protection. The Cisco Catalyst switch portfolio supports secure connectivity, perimeter security,
intrusion protection, identity services and security management as key elements in the SAFE
Blueprint.



Network Security at the LAN Edge

Layer 2 security problems can be solved with AAA:

Authentication: Who are you?

Authorization: Where are you allowed to go?

Accounting: Who is using the network and where are they?

LAN security problems can be solved by using features that support AAA.

Scalable Network Security

Authentication:
• Identity-based network services
Authorization:
• Access control lists
• Port security
• Private VLAN edge
• Rate limiting
• SPAN for IPS
Accounting:
• Management encryption


Cisco Catalyst switches offer integrated security solutions for networks of every size, without
compromising performance or complicating management. Embedded security matches each
AAA component.



Identity-Based Network Services
This topic describes the function and benefit of the identity-based network services (IBNS)
features embedded in Cisco Catalyst switches.

Identity-Based Network Services

What IBNS does:
• Using the 802.1x protocol with Cisco enhancements, the network grants privileges based on user logon information, regardless of the user location or device.

Benefits:
• Allows different people to use the same PC and have different capabilities
• Ensures that users get only their designated privileges, no matter how they are logged onto the network
• Reports unauthorized access

Otherwise, there is no way to control who gets on the network and where they can go.

Using 802.1x with Cisco enhancements allows you to limit access to network resources based
on the logon identity. User privileges remain the same, no matter how or where someone logs
onto the network. IBNS is the most sophisticated type of security feature, and it is recommended
for organizations that have mobile users logging on using various devices from different ports.

Identity-Based Network Services (Cont.)

How IBNS works:
• Each user trying to enter the network must receive authorization based on their personal username and password.

[Figure: the client sends its username and password to the accessing switch, which forwards them to a TACACS+ or RADIUS server; a valid username and password return "Yes", an invalid username and password return "No".]

The figure shows the topology and process for IBNS. IBNS works as follows:
1. Each user logging onto the network must type in their name and password. Although the
switch does not permit the person to log on to the network yet, it does pass the password
and identity to an authentication server.
2. The Terminal Access Controller Access Control System Plus (TACACS+) or Remote
Authentication Dial-In User Service (RADIUS) server looks up the name and password to
determine its validity. The server also makes a note of which port and MAC address the
person is using to log on.
3. If the name and password are correct, the authentication server sends a message to the
switch to allow the person to proceed with the login process.

4. If the name and password are not correct, the server sends a message to the switch to block
that port. Once the port has been blocked, it cannot be opened until a correct name and
password have been received.

The communications from the client to the switch use Extensible Authentication Protocol over
local-area network (EAPOL) and the communications from the switch to the AAA server use
TACACS+ or RADIUS.



Access Control Lists
This topic describes the function and benefit of the Access Control List features embedded in
Cisco Catalyst switches.

Access Control Lists

What ACLs Do:
• Allows or denies access based on the source or destination address
• Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information

Types of ACLs:
• Routed ACL
• Virtual LAN ACL
• Time-based ACLs
• Port-based ACLs

Benefits:
• Prevents unauthorized access to servers and applications
• Allows designated users to access specified servers.

Otherwise, authorized network users can view any information.

Access control lists (ACL) allow you to specify what parts of the network can be used by
whom. For example, within a school campus network, an ACL can be used so all students can
have network access only to the homework servers, teachers can have access to the servers with
the homework and the grades, and the principal can have access to all of the previous servers
plus the server with the payroll information.
ACLs can be applied by routed ports in Layer 3 capable Catalyst switches, by virtual LANs, by
time of day and by ports.

Routed ACL

How ACLs work:
• Controls traffic on interfaces

[Figure: a routed ACL between Subnet A and Subnet B or VLAN B. Standard ACLs use source information; extended ACLs include source and destination information.]

Router ACLs (RACL) control routed traffic between virtual LANs (VLANs) and are applied to
Layer 3 interfaces. You can apply one router ACL in each direction on an interface. RACLs
can be applied on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs, on
physical Layer 3 interfaces, and on Layer 3 EtherChannel interfaces.



Virtual LAN ACL

How VACLs work:
• Provides granular control for limited access within a VLAN or subnet

Virtual LAN ACLs (VACLs), also known as VLAN maps, can restrict users within a VLAN or
subnet to using only those resources available within their immediate networking domain.
VACLs are available on the Cisco Catalyst 3550, 3750 and 6500/6000 series switches running
Cisco Catalyst switch software version 5.3 or later. VACLs can be configured at Layer 2
without the need for a router (you only need a Policy Feature Card (PFC)). VACLs are
enforced at wire speed so there is no performance penalty in configuring VACLs. Since the
lookup of VACLs is performed in hardware, regardless of the size of the access list, the
forwarding rate remains unchanged.

Time-Based ACLs

How time-based ACLs work:
• Controls the switching of data based on the time of day

[Figure: the ACL goes on at 8:00 a.m. and goes off at 5:00 p.m.; while it is active it is OK to use Server 1 and Server 3 and not OK to use Server 2 and Server 4.]

Time-based access control lists are very useful in organizations such as in schools where
groups of people come and go on a schedule. Time-based access control lists can be activated
before the students arrive and removed after they leave. This way, teachers can use the same
equipment, but access different resources. The “Configuring Time-Based ACLs” table
describes the commands used to configure a time-based ACL.

Configuring Time-Based ACLs

Step 1: time-range time-range-name
This command identifies the time range by a meaningful name.

Step 2: absolute [start time date] [end time date]
and/or
periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
In time-range configuration mode, this command specifies when the function will start.
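To show how the absolute and periodic entries of a time range combine, here is an added Python model (not from the course) of the time-range commands in the table, applied to the school example from the figure; the range name SCHOOL-HOURS, the school-year dates, the inclusive treatment of the end time and the set of servers blocked for students are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Day keywords accepted by "periodic" (Monday is 0, matching datetime.weekday()).
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
}


def _minutes(hhmm: str) -> int:
    """'8:00' or '17:00' -> minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass(frozen=True)
class Periodic:
    """periodic <days-of-the-week> hh:mm to hh:mm, the same-day form from the table."""
    days: str
    start: str
    end: str

    def active(self, at: datetime) -> bool:
        if at.weekday() not in DAY_KEYWORDS[self.days]:
            return False
        now = at.hour * 60 + at.minute
        # Both endpoints are treated as active minutes (an assumption of this model).
        return _minutes(self.start) <= now <= _minutes(self.end)


@dataclass(frozen=True)
class TimeRange:
    """time-range <name> with optional absolute bounds and periodic entries."""
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: Tuple[Periodic, ...] = ()

    def active(self, at: datetime) -> bool:
        # "absolute" bounds the whole range; "periodic" entries then restrict it further,
        # so a range configured with both is active only when both agree.
        if self.absolute_start is not None and at < self.absolute_start:
            return False
        if self.absolute_end is not None and at > self.absolute_end:
            return False
        if not self.periodic:
            return True
        return any(p.active(at) for p in self.periodic)


# Constructed range for the school scenario in the figure: the ACL goes on at 8:00 a.m.
# and off at 5:00 p.m. on weekdays, and only during the 2005/2006 school year.
SCHOOL_HOURS = TimeRange(
    name="SCHOOL-HOURS",
    absolute_start=datetime(2005, 9, 1, 0, 0),
    absolute_end=datetime(2006, 6, 30, 23, 59),
    periodic=(Periodic("weekdays", "8:00", "17:00"),),
)

# Servers students may not reach while the time range is active (from the figure).
STUDENT_BLOCKED = {"Server 2", "Server 4"}


def student_access(server: str, at: datetime) -> str:
    """Decision for a student-to-server flow: a deny entry tagged with an inactive
    time range is simply not matched, so the flow falls through to the permit entry."""
    if server in STUDENT_BLOCKED and SCHOOL_HOURS.active(at):
        return "deny"
    return "permit"
```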



Port-Based ACLs

How port-based ACLs work:
• The ACL defines what traffic streams or users can access ports on a device.

[Figure: traffic to port 1434 arriving from the Internet.]

Stopping Internet worms:
• Without ACLs, worms (like the Slammer) or other viruses can enter port number 1434 and replicate themselves to all other servers on the network.

Port-based ACLs allow you to control traffic between ports by applying ACLs to ports on a
switch. The ACL monitors users or data streams between source and destination addresses for
specific ports. For example, in February 2003 a worm called the Slammer attacked port 1434
(Microsoft-SQL-Monitor) in SQL servers and replicated itself to all other SQL servers. The
worm came from port 1434 and went to port 1434. An ACL set up to monitor outbound traffic
could stop outbound traffic from this port, or throttle it to a smaller, less damaging rate.
Port-based ACLs are applied on interfaces for inbound traffic only. These access lists are
supported on Layer 2 interfaces with:
Standard IP access lists using source addresses
Extended IP access lists using source and destination addresses and optional protocol type
information
MAC extended access lists using source and destination MAC addresses and optional
protocol type information

As with router ACLs, the switch examines ACLs associated with features configured on a
given interface and permits or denies packet forwarding based on how the packet matches the
entries in the ACL. However, ACLs can only be applied to Layer 2 interfaces in the inbound
direction.

Notification of Intrusions

ACL logging:
• Tracks ACL violations that occur in a network; the user MAC address can be obtained to assist in tracking the user location.

MAC address notification:
• Alerts network administrators if unauthorized users come onto the network

[Figure: an unauthorized user connects to the network and the network administrator receives the alert "Unauthorized User Identified".]

Network managers need a way to monitor who is using the network and where they are.
Media Access Control (MAC) address notification allows the network administrator to monitor
the MAC addresses that are learned by the switch and the MAC addresses that are aged-out and
removed from the content-addressable memory (CAM) in the switch.
ACL logging enables an informational logging message about the packet that matches the ACL
entry to be sent to the console. Logging is not supported for ACLs applied to Layer 2
interfaces.



Port Security
This topic describes the function and benefit of the Port Security feature embedded in Cisco
Catalyst switches.

Port Security

What port security does:
• Limits the number of MAC addresses that are able to connect to a switch and ensures only approved MAC addresses are able to access the switch

Benefit:
• Ensures only approved users can log onto the network

Otherwise, any unauthorized user with physical access can log into the network.

[Figure: a valid MAC address is admitted; an invalid MAC address is blocked.]

Recall that by using the Port Security feature, network managers can authorize selected MAC
addresses to use specified ports on a switch. This prevents unauthorized persons from logging
onto the network. Port security blocks input to an Ethernet, Fast Ethernet, or Gigabit Ethernet
port when the MAC address of the station attempting to access the port is different from any of
the MAC addresses specified for that port. An aging feature removes MAC addresses from the
switch after a specified time frame to allow other devices to connect to that port.
After you specify the maximum number of MAC addresses on a port, you can specify the
secure MAC address for the port manually or you can have the port dynamically configure the
MAC address of the connected devices. From an allocated number of maximum MAC
addresses on a port, you can either manually configure all, allow all to be autoconfigured, or
configure some manually and allow the rest to be autoconfigured. After addresses are manually
configured or autoconfigured, they are stored in non-volatile RAM (NVRAM) and maintained
after a reset.
After you allocate a maximum number of MAC addresses on a port, you can specify an age
time during which addresses on the specified port remain secure. After the age time expires, the
MAC addresses on the port become insecure. By default, all addresses on a port are secured
permanently.
In the event of a security violation, you can configure the port to go into shutdown mode or
restrictive mode. The shutdown mode is further configurable by specifying whether the port
will be permanently disabled or disabled for only a specified time. The default behavior during
a security violation is for the port to shut down permanently. The restrictive mode allows you to
configure the port to remain enabled during a security violation and drop only packets that are
coming in from insecure hosts.
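The following Python model, added as an example and not Cisco's implementation, walks through the port security behaviour described above: a maximum address count, statically configured and dynamically learned secure addresses, aging of learned addresses, and the shutdown and restrict violation modes, with the shutdown either permanent or for a specified time. The MAC address strings and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SecurePort:
    """One port with port security enabled (a simplified model; not the IOS code)."""
    maximum: int                                   # maximum secure MAC addresses
    violation: str = "shutdown"                    # "shutdown" or "restrict"
    static: Set[str] = field(default_factory=set)  # manually configured secure addresses
    aging_time: Optional[float] = None             # seconds a learned address stays secure
    shutdown_recovery: Optional[float] = None      # seconds the port stays disabled;
                                                   # None means permanently (the default)
    learned: Dict[str, float] = field(default_factory=dict)   # mac -> time learned
    disabled_at: Optional[float] = None
    violations: int = 0

    def _expire(self, now: float) -> None:
        # Learned addresses age out; static addresses never do in this model.
        if self.aging_time is not None:
            self.learned = {m: t for m, t in self.learned.items()
                            if now - t < self.aging_time}
        # A timed shutdown re-enables the port once the recovery interval has passed.
        if (self.disabled_at is not None and self.shutdown_recovery is not None
                and now - self.disabled_at >= self.shutdown_recovery):
            self.disabled_at = None

    def secure_count(self) -> int:
        return len(self.static) + len(self.learned)

    def frame_from(self, mac: str, now: float) -> str:
        """Decide what happens to a frame with source address mac arriving at time now."""
        self._expire(now)
        if self.disabled_at is not None:
            return "port shut down"                # nothing passes while disabled
        if mac in self.static or mac in self.learned:
            return "forward"                       # known secure address
        if self.secure_count() < self.maximum:
            self.learned[mac] = now                # room left: learn it dynamically
            return "forward"
        # Security violation: an unknown address beyond the configured maximum.
        self.violations += 1
        if self.violation == "shutdown":
            self.disabled_at = now
            return "port shut down"
        return "dropped (restrict)"                # port stays up, insecure host dropped
```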

Private VLAN
This topic describes the function and benefit of the Private VLAN feature embedded in Cisco
Catalyst switches.

Private VLAN

How private VLANs work:
• A common subnet is sub-divided into multiple private VLANs. Hosts on a given private VLAN can only communicate with the default gateway, not with other hosts on the network.

Benefit:
• Simplified mechanism of traffic management while conserving IP address space

[Figure: two default gateways above a primary VLAN that contains Community VLAN 'A', Community VLAN 'B' and an Isolated VLAN with isolated ports; the x marks show hosts that cannot communicate with one another.]

Recall that private VLANs work by limiting which ports within a VLAN can communicate
with other ports in the same VLAN. Typically, private VLANs are deployed so that the hosts
on a given segment can communicate only with their default gateway and not the other hosts on
the network. For instance, if a Web server is compromised by Blaster, the server is not able to
initiate infection attempts to other devices in the same VLAN even though they exist in the
same network segment. This access control, carried out by assigning hosts to either an isolated
port or a community port, is an effective way to mitigate the effects of a single compromised
host. Isolated ports can communicate only with promiscuous ports (typically the router).
Community ports can communicate with the promiscuous port and other ports in the same
community.



Private VLAN Edge
This topic describes the function and benefit of the Private VLAN Edge features embedded in
Cisco Catalyst switches.

Private VLAN Edge

What private VLAN edge does:
• Prevents users from seeing traffic generated by someone else on the same switch

Benefit:
• Ensures privacy for users on the same switch and the same VLAN

Otherwise, nosy users can view neighboring traffic and steal their identity.

The Private VLAN (PVLAN) Edge (protected port) feature is available on selected Cisco
Catalyst 2900 Series, Catalyst 3500 Series, and Catalyst 3700 Series switches. Briefly stated,
the PVLAN Edge feature can prevent the forwarding of traffic between ports on the same
switch. The PVLAN Edge feature differs in a number of ways from the Private VLAN feature,
but most significantly, the PVLAN Edge feature only has local significance to the switch itself,
as opposed to other devices in the network.
If there is a concern that neighbors on a switch might eavesdrop on the neighboring traffic, the
network manager can implement the PVLAN Edge feature to separate each user into their own
individual VLAN. This way, individual user traffic is kept private. This feature provides
security and isolation between ports on a switch, and ensures that traffic travels directly from
its entry point on an access port to the uplink on the switch, and cannot be redirected to another
access port. This implementation reduces the overhead on the switch, allowing larger Layer 2
networks to be built.
Because the PVLAN Edge feature only has local significance to the switch itself, there is no
isolation provided between two protected ports located on different switches. A protected port
does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a
protected port in the same switch. Traffic cannot be forwarded between protected ports at Layer
2; all traffic passing between protected ports must be forwarded through a Layer 3 device.

Configuring Protected Ports

[Figure: two default gateways above a row of isolated ports; the x marks show that the isolated ports cannot reach one another.]

Example of Protected Ports Configuration

Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end

There are three types of PVLAN ports: promiscuous, isolated and community. These ports can
be defined across a number of switches in the network. The PVLAN Edge feature only allows a
port to be an isolated port or a promiscuous port. Isolated ports only communicate to the
promiscuous port(s) and have Layer 2 isolation from other isolated ports while promiscuous
ports communicate to all ports. Recall that the promiscuous port is a normal VLAN access port
with no forwarding restrictions imposed on it while the isolated port is a normal VLAN access
port with forwarding restrictions imposed on it. The PVLAN Edge feature has no community
port functionality to enable a group of ports to communicate among themselves and the
promiscuous port.
The “Configuring Protected Ports” table provides the steps and commands required to
configure protected ports.

Configuring Protected Ports

Step 1: configure terminal
Use this command to enter global configuration mode.

Step 2: interface interface-id
This command specifies the interface to configure and enters interface configuration mode.

Step 3: switchport protected
This command enables the PVLAN edge port on the port.

Step 4: end
Use this command to return to privileged EXEC mode.

Step 5 (Optional): show interfaces interface-id switchport
This command verifies your entries.

Step 6 (Optional): copy running-config startup-config
This command saves your entries in the configuration file.



Rate-Limiting
This topic describes the function and benefit of the Rate-limiting feature embedded in Cisco
Catalyst switches.

Rate Limiting

What rate limiting does:
• Allows network managers to set bandwidth thresholds for users and by traffic type

Benefits:
• Prevents the deliberate or accidental flooding of the network
• Keeps traffic flowing smoothly

Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.

[Figure: rate limiting for different classes of users, for example 50 Mbps for the network manager, 10 Mbps for teachers and 2 Mbps for students.]

Rate limiting (also referred to as traffic policing) caps the amount of bandwidth that a user,
port, or class of traffic may consume. Rate limiting is similar to putting an upper speed limit on
a car: it ensures that no single user can flood the network with too much traffic. Because policed
traffic cannot exceed its limit, the remaining capacity stays available for the applications and
users that matter, which is useful when voice, video and data are all deployed on a single
network.
Rate limiting enables you to assign a bandwidth restriction to a category of traffic, such as
ICMP, User Datagram Protocol (UDP), or specific connection types, as a means of limiting the
damage from a denial of service (DoS) or a distributed denial of service (DDoS) attack while
you are still working out a solution. Note that a policer only drops (or re-marks) packets that
exceed the configured rate; it does not by itself guarantee a minimum rate to anyone, so
protecting critical traffic also needs the queuing and priority features of a QoS policy.
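The policer behind rate limiting is a token bucket, and a short simulation makes its effect on a flood concrete. This is an added illustration, not Cisco IOS code: the 2 Mbps committed rate and 256 KB burst are assumed values (the student class from the figure), and both packet streams are constructed.

```python
"""Token-bucket policer, the mechanism behind Catalyst rate limiting.

Added example, not Cisco IOS code. Times are integer microseconds so the
arithmetic is exact; the rate/burst values and both streams are assumptions.
"""


class TokenBucketPolicer:
    """Single-rate policer: tokens refill at the committed rate up to the burst
    size; a packet conforms if the bucket holds at least its size in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps // 8
        self.burst = burst_bytes
        self.tokens = burst_bytes      # start full, so an initial burst is accepted
        self.last_us = 0

    def offer(self, t_us, size):
        """True if a size-byte packet arriving at t_us microseconds conforms."""
        refill = (t_us - self.last_us) * self.rate_bytes_per_s // 1_000_000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size
            return True            # conform action: transmit
        return False               # exceed action: drop


def police(stream, rate_bps, burst_bytes):
    """Run (arrival_time_us, size_bytes) packets through one policer.
    Returns (forwarded_bytes, dropped_bytes)."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for t_us, size in stream:
        if policer.offer(t_us, size):
            forwarded += size
        else:
            dropped += size
    return forwarded, dropped


def constant_stream(pps, size, seconds):
    """Constructed traffic: pps packets per second of size bytes for seconds."""
    return [(i * 1_000_000 // pps, size) for i in range(pps * seconds)]


STUDENT_RATE_BPS = 2_000_000       # assumed per-class limit from the figure
STUDENT_BURST_BYTES = 256_000      # assumed burst allowance


def demo():
    """A well-behaved sender versus a flood, both policed at the student rate."""
    polite = constant_stream(pps=100, size=1000, seconds=10)    # 0.8 Mbps, under the limit
    flood = constant_stream(pps=5000, size=1000, seconds=10)    # 40 Mbps, a flood
    return {
        "polite": police(polite, STUDENT_RATE_BPS, STUDENT_BURST_BYTES),
        "flood": police(flood, STUDENT_RATE_BPS, STUDENT_BURST_BYTES),
    }


if __name__ == "__main__":
    for name, (fwd, drop) in demo().items():
        print(f"{name:6s} forwarded {fwd:,} B, dropped {drop:,} B")
```

The polite sender loses nothing, while the flood gets through only its initial burst plus the committed rate for the rest of the ten seconds (roughly 256 KB + 10 s x 250 KB/s); everything else is dropped at the port, which is the point of the feature: the flood never reaches the rest of the network.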

Switched Port Analyzer for Intrusion Prevention Systems
This topic describes the function and benefit of the Switched Port Analyzer (SPAN) for
intrusion prevention system (IPS) feature embedded in Cisco Catalyst switches.

Switched Port Analyzer (SPAN) for IPS

What SPAN for IPS does:
• Enables Cisco Intrusion Prevention Systems (IPS) to shut down hackers automatically when detected

Benefit:
• Stops hackers before they can do damage

Otherwise, there is no easy way to shut down hackers once they have entered the network.

[Figure: an intruder's traffic is mirrored to the Intrusion Protection System, which raises an alert.]

An IPS is designed to monitor and track activity in a network. The Cisco Catalyst 3550 supports
SPAN enhancements that allow an IPS to take action when an intruder is detected.
SPAN mirrors traffic from source ports or VLANs to a destination port where a probe or Cisco
IPS sensor is connected. A plain SPAN destination port only receives mirrored traffic; the
enhancement referred to here lets the sensor also send packets into the network through that
port. When a Cisco IPS detects an intruder, it can send a TCP reset that tears down the
intruder's TCP session. For example, if you connect a Cisco IPS sensor to a SPAN destination
port, the IPS device can send TCP reset packets to close the TCP session of a suspected attacker.
Be clear about what this does and does not do: a reset ends one TCP connection, it has no effect
on UDP or ICMP traffic, and the attacker can simply reconnect unless the sensor also blocks
(shuns) the source address on a switch, router, or firewall.
Additionally, the Catalyst 3550 Switch can complement this feature through features such as
MAC Address Notification. This feature sends an alert to a management station so that network
administrators know when and where users came onto the network and can take appropriate
action. The DHCP Interface Tracker (Option 82) feature tracks where a user is physically
connected on a network by providing both switch and port identification to a DHCP server.



Management Encryption
This topic describes the function and benefit of the Management Encryption feature embedded
in Cisco Catalyst switches.

Management Encryption

What management encryption does:
• Keeps hackers from reading usernames, passwords, and other information on intercepted network management packets

Benefits:
• Prevents hackers from stealing usernames and passwords to access switches

Otherwise, snoopers can break into switches and bring down the network.

[Figure: SNMP traffic between a switch and the management servers. Without encryption the snooper reads "Username: dan, Password: grades"; with encryption the same fields cross the network as unreadable ciphertext.]

Encrypting passwords and management traffic matters most where the network carries
sophisticated users, some of whom are pranksters. Simple Network Management Protocol (SNMP)
versions 1 and 2c send the community string in cleartext, so anyone who can sniff management
traffic learns it and can then read, reconfigure, or shut down switches, which is a ready-made
DoS attack. SNMP version 3 (introduced in Cisco IOS Software Release 12.0(3)T) adds per-user
authentication and can encrypt management traffic, and therefore mitigates these threats. With
both authentication and privacy enabled, management passwords and traffic are unreadable and
unusable to anyone who captures them; authentication alone still sends the management data in
the clear.
While configuring SNMP is beyond the scope of this course, those familiar with SNMP
configuration can follow these steps to set up four user groups, each with differing
privileges:

Step 1 (Optional) Assign an Engine ID for the SNMP entity.
Step 2 Define a user, "userone," belonging to the group "groupone" and apply
noAuthentication (no password) and noPrivacy (no encryption) to this user.
Step 3 Define a user, "usertwo," belonging to the group "grouptwo" and apply
noAuthentication (no password) and noPrivacy (no encryption) to this user.
Step 4 Define a user, "userthree," belonging to the group "groupthree" and apply
Authentication (password is user3passwd) and noPrivacy (no encryption) to this
user.
Step 5 Define a user, "userfour," belonging to the group "groupfour" and apply
Authentication (password is user4passwd) and Privacy (des56 encryption) to this
user.
Step 6 Define a group, "groupone," using User Security Model (USM) V3 and having read
access on the "v1default" view (the default).
Step 7 Define a group, "grouptwo," using USM V3 and having read access on the view
"myview."
Step 8 Define a group, "groupthree," using USM V3, having read access on the "v1default"
view (the default), and applying authentication.
Step 9 Define a group, "groupfour," using USM V3, having read access on the "v1default"
view (the default), and applying authentication and privacy.
Step 10 Define a view, "myview," that provides read access on the MIB-II and denies read
access on the private Cisco MIB.
When you review the result, keep two things in mind. The show running-config output gives
additional lines for the group "public," because a read-only community string "public" has been
defined; that community string is itself a cleartext credential and should be removed once the
SNMPv3 users are in place. The show running-config output does not show "userthree" (SNMPv3
user definitions are not displayed in the running configuration; use show snmp user to verify
them). Of the four users, only "userfour" protects the management data itself: groupone and
grouptwo send everything in the clear, and groupthree authenticates but does not encrypt. DES-56
is the privacy algorithm available in this release; later Cisco IOS releases add AES, which should
be preferred where available.
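The point of the four groups is easier to see when a script grades them. The following Python is an added example, not from the SND guide or Cisco IOS: it reads the snmp-server group and snmp-server community lines of a running-config and reports every setting that leaves management data unauthenticated or unencrypted. The configuration text is constructed to mirror the groups defined in the steps above; the exact command syntax is an assumption about how those steps render, and users are not checked because, as noted above, they do not appear in the running configuration.

```python
"""Audit the SNMP lines of an IOS running-config for cleartext management.

Added example, not from the SND guide or Cisco IOS. The config text is
constructed to mirror the groups from the steps; the syntax is an assumption.
"""
import re

SAMPLE_CONFIG = """\
snmp-server view myview mib-2 included
snmp-server view myview cisco excluded
snmp-server group groupone v3 noauth
snmp-server group grouptwo v3 noauth read myview
snmp-server group groupthree v3 auth
snmp-server group groupfour v3 priv
snmp-server community public RO
"""

GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?(?: read (\S+))?")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")


def audit_snmp(config_text):
    """Return (kind, name, reason) for every setting that exposes management data."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            findings.append(("community", name,
                             f"v1/v2c {mode} community string travels in cleartext"))
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        name, version, level, _view = m.groups()
        if version != "v3":
            findings.append(("group", name, f"{version} group: no authentication, no encryption"))
        elif level in (None, "noauth"):
            findings.append(("group", name, "v3 noauth: unauthenticated, cleartext PDUs"))
        elif level == "auth":
            findings.append(("group", name, "v3 auth: authenticated, but PDUs still cleartext"))
        # v3 priv: authenticated and encrypted, nothing to report
    return findings


def encrypted_groups(config_text):
    """Names of the v3 groups whose traffic is both authenticated and encrypted."""
    groups = []
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m and m.group(2) == "v3" and m.group(3) == "priv":
            groups.append(m.group(1))
    return groups


if __name__ == "__main__":
    for kind, name, reason in audit_snmp(SAMPLE_CONFIG):
        print(f"{kind:9s} {name:10s} {reason}")
    print("groups with privacy:", encrypted_groups(SAMPLE_CONFIG))
```

Run against the configuration from the steps, the audit lists groupone, grouptwo and groupthree together with the "public" community string, and reports groupfour as the only group whose management traffic is actually protected. The view restriction on grouptwo is deliberately not treated as a mitigation: limiting what an unauthenticated reader can see does not stop the sniffer from reading it.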



Activity: Problems and Solutions
This topic presents a series of typical problems as a series of scenarios for consideration. Each
problem has a suggested solution that can be met by employing an embedded Cisco Catalyst
switch security feature.

Preventing Unwanted Access

Problem: Unauthorized users can connect to the network and download confidential documents.

Solution: Authentication using 802.1x with Cisco Secure Access Control Server (ACS) to provide user authentication.

[Figure: without 802.1x an unauthorized user plugged into the switch reaches the confidential plan; with 802.1x security and a Cisco ACS server the port stays closed to the unauthorized user.]

The figure shows the solution for preventing unwanted access.

Bringing Down the Network

Problem: Attackers may try to bring down a network by overloading it with requests and traffic.

Solution: ACLs can be implemented and violations can be logged to track disruptions. DHCP Interface Tracker can be used to track the location of the user in the network by providing port and switch identification information to a DHCP server, which can match the information to a known MAC and IP address.

[Figure: an attacker flooding the network ("Bringing down the network").]

The figure shows how ACLs and DHCP Interface Tracker are used against attempts to overload the
network: the ACL drops the offending traffic and logs the violations, and the Option 82 data ties
the logged source to a specific switch and port.



Identity Spoofing in the Network

Problem: Identity spoofing or theft is possible on a non-protected enterprise network. Users can access user identification and password information on the network.

Solution alternative: A Cisco Secure ACS along with 802.1x on the switch supports strong authentication capabilities (such as certificates and one-time passwords) to prevent identity spoofing or theft.

Solution alternative: Private VLAN Edge provides security and isolation between ports on a switch, to ensure that traffic travels directly from its entry point on an access port to the uplink on the switch, to protect user information.

[Figure: an impersonator captures another user's login and password on their way to the Cisco Secure ACS (Impersonation / Identity Spoofing).]

The figure shows two alternatives for preventing identity spoofing: a Cisco Secure Access
Control Server (ACS) with 802.1x on the switch for strong authentication, or Private VLAN Edge
to keep one user's traffic away from neighbouring ports.

Tracking Down Stolen Laptops

Problem: Laptops are frequently stolen due to their portable nature.

Solution: MAC address notification informs network administrators when a user is using the network and where they are; this information can be used to find the laptop.

[Figure: the switch raises an alert when the laptop's MAC address appears on one of its ports.]

The figure shows how MAC address notification can help recover a stolen laptop: as soon as the
laptop is plugged into a switch that reports MAC address changes, the alert names the switch and
port where it appeared.



Limiting Access to Networked Resources

Problem: Access to human resources databases should be limited to managers.

Solution: Use VLANs to specify which network resources the user may access. Users are automatically placed in the appropriate VLAN no matter where they log on.

[Figure: HR Server 1 holds confidential HR information. An HR employee in the blue VLAN has access to HR Server 1; a marketing employee in the red VLAN has no access to it.]

You may want to differentiate among the people in your organization to determine who should
have access to what information. Some information, such as student or employee records,
should be viewed only by a small number of people. Creating different VLANs allows you to
partition the network resources into more and less sensitive areas. All employees can have
access to general information, but only a small number of people are authorized to view
specific information. For example, authorized users can have access to the network, but with
the User Registration Tool (URT) and dynamic VLAN assignment their traffic is placed in a
specific VLAN regardless of the port they plug into. Marketing resources can be on a different
VLAN than human resources, finance can be on a different VLAN than engineering, and so on.
A VLAN only separates Layer 2 traffic; the access policy between VLANs is enforced by ACLs on
the Layer 3 device that routes between them, so the HR server in the figure is protected only if
that device denies traffic from the marketing VLAN.

Keeping Neighbors Separated

Problem: Neighbors on the same switch can view each other's traffic, including logon identification and passwords.

Solution: Private VLAN Edge provides isolation between ports and VLANs on a switch, and ensures that traffic travels directly from its entry point to the uplink on the switch.

Users on the same switch and VLAN can reach each other directly at Layer 2 and, with the Layer 2
attacks described earlier in this module, observe or redirect each other's traffic. The PVLAN
Edge feature ensures that users on the same switch cannot eavesdrop on one another, because a
protected port forwards only to unprotected ports such as the uplink. The isolation holds only
within a single switch; protected ports on different switches are not isolated from each other
unless full private VLANs are used.



Preventing Floods

Problem: Users may try to bring down a network by overloading it with requests and traffic.

Solution: Each user is limited to a certain amount of bandwidth; no one person can swamp the network. The number of devices on any one port is limited.

Network traffic is far less likely to overburden the switch if the configuration limits the
number of devices on each port (Port Security) and restricts the bandwidth allocated to users
(rate limiting).

Controlling Unauthorized Network Expansion

Problem: Individuals can add rogue or unauthorized access hubs and wireless access points.

Solution: Port security limits the number of MAC addresses allowed on a single port and allows only one device to be connected at a time.

[Figure: a wireless AP connects to the switch, but user traffic through it cannot pass.]

The solution here is similar to the previous example. The aging capability of the Port Security
feature limits the number of concurrent MAC addresses on a port without preventing different
users from plugging into the port at different times: a secure address expires after the aging
time and frees its slot. Note the limit of this control: a rogue access point or router that
performs NAT presents a single MAC address to the switch, so Port Security alone will not reveal
it; 802.1x authentication of the attached device helps close that gap.



Making Passwords Unreadable

Problem: Users can intercept administrative information and use it in order to disrupt the network.

Solution: Encryption features protect data by encrypting administrative traffic such as passwords and configuration information.

[Figure: Loss of privacy (packet sniffing): the network administrator's "username: dan, password: grades" is readable by an unauthorized user. Privacy (using encryption): the same credentials cross the network as ciphertext the unauthorized user cannot read.]

Management traffic is also vulnerable: any protocol that carries credentials in cleartext
(Telnet, SNMPv1/v2c, HTTP) exposes them to anyone who can sniff the path, which is why SSH,
SNMPv3 and HTTPS are preferred for device management.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• Embedded Cisco Catalyst security features match AAA components.
• Cisco Catalyst IBNS features provide authentication with RADIUS and TACACS+.
• RACLs, VACLs, time-based ACLs and port-based ACLs provide secure authorization.
• The Port Security feature prevents unauthorized logon by limiting access to approved MAC addresses.
• The Private VLAN Edge feature provides privacy within and among VLANs.

Summary (Cont.)

• The Rate-limiting feature helps reduce floods.
• The SPAN for IPS feature stops hackers before they can do damage.
• Management Encryption features prevent hackers from stealing usernames and passwords.
• Configuring port security reduces security violations.
• A number of common security issues can be mitigated using Cisco Catalyst switch security features.



Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Match each of the Catalyst security features listed below to the AAA requirement by
putting the letter of the AAA requirement in the space provided by each feature.
(Source: Embedded Security Features in Cisco Catalyst Switches)
A) authentication
B) authorization
C) accounting
_____ 1. IBNS
_____ 2. RACL
_____ 3. VACL
_____ 4. Private VLAN Edge feature
_____ 5. Rate-limiting
_____ 6. Management Encryption
Q2) Indicate what Catalyst security feature must be employed to mitigate each of the
following by putting the letter of the feature in the space provided beside each security
issue. (Source: Identity-Based Network Services, Port Security, Private VLAN Edge,
Rate Limiting, Switched Port Analyzer for IPS, Management Encryption)
A) IBNS
B) Private VLAN Edge feature
C) Rate-limiting
D) Port Security feature
E) Management Encryption
F) Switched Port Analyzer for IPS
_____ 1. Nosy users can view neighbor traffic and steal identities.
_____ 2. Any unauthorized user with physical access can log onto the network.
_____ 3. There is no way to control who gets on the network and where they can go.
_____ 4. There can be a deliberate or accidental slowdown or freezing of the
network.
_____ 5. There is no easy way to shut down hackers once they have entered the
network.
_____ 6. Snoopers can break into switches and bring down the network.
Q3) In what kind of a setting is password and management traffic encryption even more
important? (Source: Management Encryption)
______________________________________________________________________
______________________________________________________________________

Q4) What are the three types of secure MAC addresses that can be configured on a Cisco
Catalyst switch port? (Source: Port Security)
______________________________________________________________________
______________________________________________________________________



Lesson Self-Check Answer Key
Q1) 1-A, 2-B, 3-B, 4-B, 5-B, 6-C
Q2) A-2 and 3, B-1, C-4, D-2, E-6, F-5
Q3) A setting where there are sophisticated users on the network with a tendency towards pranks. Universities
are most at risk for this type of interruption.
Q4) Static secure, dynamic secure, and sticky secure MAC addresses

Module Summary
This topic summarizes the key points discussed in this module.

Module Summary

• Secure administrative access to Cisco routers by physically securing routers and protecting the router administrative interface.
• Use AAA for Cisco routers to help secure your network.
• Cisco Secure ACS provides authentication, authorization and accounting (AAA) services to network devices that function as AAA clients, including a network access server, a PIX Security Appliance or a router.
• The Cisco Secure ACS for Windows provides a GUI to configure basic administrative access, AAA clients and users and groups.
• Unused router network services and interfaces must be disabled to reduce vulnerabilities.

Module Summary (Cont.)

• Use access lists to filter traffic and protect the network.
• Use syslog, SSH and SNMPv3 to implement secure management and reporting.
• Your security is only as strong as the weakest link. Layer 2 vulnerabilities are too often forgotten or ignored.
• Layer 2 topology and protocol attacks can be prevented with solutions such as DHCP Snooping, Port Security, DAI and ACLs.
• Cisco Catalyst switches have effective security features embedded in the Cisco Catalyst switch and Cisco IOS software.



Networks can be vulnerable to both Layer 2 and Layer 3 attacks. However, there are a number
of strategies and features that can be used to mitigate attacks. Using Cisco Catalyst switches
and the Cisco IOS security features embedded in these devices, setting login parameters and
requirements, disabling unused services and interfaces, applying syslog and AutoSecure
features, establishing access lists, configuring AAA with the Cisco Secure ACS for Windows
server, and physically securing routers and switches are all methods that reduce network
vulnerabilities.

References
For additional information, refer to these resources:
Cisco Systems Inc. Access Control Lists and IP Fragments.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
Cisco Systems Inc. Configuring IP Access Lists.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Cisco Systems Inc. SAFE: Best Practices for Routing Protocols.
http://www.cisco.com/warp/public/cc/so/neso/vpn/prodlit/sfblp_wp.pdf
Cisco Systems Inc. User Guide for Cisco Secure ACS for Windows Server Version 3.3.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html

Module 3

Cisco Security Appliances

Overview
The Cisco PIX Security Appliance plays a vital role in the Cisco strategy to use integrated
security to build a Self-Defending Network. From compact "plug-and-play" appliances for small
and home offices, to modular carrier-class gigabit appliances for enterprise and service-
provider environments, Cisco PIX Security Appliances provide robust, enterprise-class
integrated network security services that create a strong multilayered defense for fast-changing
network environments.

In this module you will learn basic configuration skills to prepare you for learning more about
the Cisco PIX Security Appliance in the future.

Module Objectives
Upon completing this module, you will be able to configure a Cisco PIX Security Appliance to
perform basic security operations on a network. This ability includes being able to meet these
objectives:
Describe firewall technology and features, including Cisco PIX Security Appliance models,
option cards and licenses
Configure the Cisco PIX Security Appliance features for secure network connectivity from
the CLI
Configure basic firewall settings using the PDM
Lesson 1

Introducing the Cisco PIX Security Appliance Series

Overview
In previous lessons, you have learned how to configure Cisco IOS firewall features on Cisco
routers. This lesson introduces the Cisco PIX Security Appliance family. The Cisco PIX
Security Appliance family offers purpose-built network devices that provide rich security
services including stateful inspection firewalls, virtual private networking (VPN) and intrusion
detection in a single platform. Using the Cisco Adaptive Security Algorithm (ASA) and the PIX
operating system, the Cisco PIX Security Appliance family protects the users behind it from
threats lurking on the Internet. Its stateful inspection firewall technology keeps track of the
state of authorized user network requests and prevents unauthorized network access. By
leveraging the flexible access control capabilities of the Cisco PIX Security Appliance family,
administrators can also enforce customized policies on network traffic traversing the firewall.

The lesson begins with an overview of three firewall technologies. The features and benefits
of the PIX Security Appliance are then presented, followed by detailed descriptions of each of
the current models. Practical guidelines for licensing software options conclude the lesson.

Objectives
Upon completing this lesson, you will be able to describe firewall technology and features,
including Cisco PIX Security Appliance models, option cards, and licenses. This ability
includes being able to meet these objectives:
Describe the operational strengths and weaknesses of the three firewall technologies
Describe PIX Security Appliance technology and features
Describe the features of each PIX Security Appliance model
Explain licensing options for PIX Security Appliances
Firewall Technologies
This topic describes the operational strengths and weaknesses of the three firewall technologies.

What Is a Firewall?

[Figure: the Internet (outside network), a DMZ network and the inside network, joined at a firewall.]

A firewall is a set of related programs located at a network gateway server that protects the resources of a private network from users from other networks.

By conventional definition, a firewall is a partition made of fireproof material designed to
prevent the spread of fire from one part of a building to another. It can also be used to isolate
one compartment from another.

As part of a computer network, a firewall is a set of related programs that enforces an access
control policy between two or more networks. A firewall works closely with a router program
to filter all network packets and determine whether to forward them toward their destination. In
principle, a firewall can be thought of as a pair of mechanisms: one mechanism blocks traffic,
and the other mechanism permits traffic. Specific firewall designs or concepts balance these
two functions by placing greater emphasis either on blocking traffic or on permitting traffic.
A firewall is normally installed on a dedicated system at the boundary of the network, so that no
incoming request can reach private network resources directly.

Firewalls essentially implement an access control policy, which must be defined before a
particular firewall solution is selected. Once deployed, the firewall enforces the policy on
everything behind it. The larger the network behind the firewall, the more important the design.

There are a number of firewall screening methods. A simple one is to screen requests to make
sure they come from acceptable (previously identified) domain names and IP addresses. For
mobile users, firewalls allow remote access into the private network through secure logon
procedures and authentication certificates.

There are times when you may want remote users to have access to items on your network. For
example, if your network hosts a website, does online business, or offers FTP, you may want to
create a DMZ (demilitarized zone) separate from your protected network.

Firewall Technologies

Firewalls use three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering

[Figure: good traffic passes through the firewall; bad traffic is stopped at it.]

Firewall operations are based on one of three technologies:

• Packet filtering: Packet filtering limits information entering a network based on static
packet header information. Packet filtering is usually employed by a Layer 3 device to
statically define sets of rules and access lists that determine what traffic is permitted or
denied from being routed across the network. Packet filtering can examine protocol header
information up to the transport layer to permit or deny certain traffic. Packets that make it
through the filters are sent to the requesting system and all others are discarded.
• Proxy server: Proxy servers work at the application layer and are sometimes called
application gateways. A proxy server is a special piece of software designed to relay
application-layer requests and responses between endpoints. A proxy server acts as an
intermediary between an application client, where it acts as a virtual server, and a server,
where it acts as a virtual client. The client connects to the proxy server and submits an
application-layer request. The application-layer request includes the true destination and
the data request itself. The proxy server analyzes the request and may filter or change its
contents, and then opens a session to the destination server by posing as a client. The
destination server replies to the proxy server. The proxy server passes the response, which
may be filtered and changed, back to the client.
• Stateful packet filtering: Stateful packet filtering combines the best of packet filtering and
proxy server technologies. Firewalls using stateful packet filtering are also called hybrid
firewalls. Stateful packet filtering is the most widely used firewall technology. Stateful
packet filtering is an application-aware method of packet filtering that works on the
connection, or flow, level. Stateful packet filtering maintains a state table to keep track of
all active sessions crossing the firewall. The state table, which is part of the internal structure
of the firewall, tracks all sessions and is consulted for every packet passing through the firewall.
If a packet has the properties the state table predicts for its session, it is forwarded; a packet
that belongs to no known session is judged against the static rules, and is otherwise dropped.
The state table changes dynamically according to the traffic flow.

Each technology has advantages and disadvantages and each one has a “best fit” role to play
depending on the needs of the security policy.



Packet Filtering

[Figure: the outside network (Internet) and the inside network are joined by a router. The router is configured so that any traffic for 192.165.23.124 can pass.]

Packet filtering limits traffic into a network based on the destination and source addresses compiled in an ACL.

A packet filtering firewall selectively routes or drops IP packets based on information in the
network (IP) and transport (TCP/UDP) layer headers. Packet filters may be implemented on
routers or on dual-homed gateways (for example, a computer with two network interface cards).

A packet filter uses rules to accept or reject incoming (network communication) packets based
on source and destination IP addresses, source and destination port numbers, and packet type.
These rules can also be used to reject any packet from the outside that claims to come from an
address inside the network. Recall that each service relies on specific ports. By restricting
certain ports, you can restrict those services. For example, blocking port 25 for all user
workstations prevents an infected workstation from broadcasting e-mail viruses across the Internet.

Any device that uses access control lists (ACL) can do packet filtering. Recall that ACLs are
probably the most commonly used objects in Cisco IOS router configuration. Not only are they
used for packet filtering firewalls, but they can also select specified types of traffic to be
analyzed, forwarded, or influenced in some way.

While packet filtering is fairly effective and transparent to users, there are disadvantages:
• Packet filtering is susceptible to IP spoofing. Arbitrary packets can be crafted that fit the
ACL criteria (a spoofed source address, or a bare ACK flag that matches an "established"
rule) and pass through the filter, because the filter has no memory of whether a matching
session really exists.
• Packet filters do not filter fragmented packets well. Because fragmented IP packets carry
the TCP header only in the first fragment and packet filters filter on TCP header information,
all non-first fragments are passed unconditionally. This process is based on the assumption
that the filtering of the first fragment is accurately enforcing the policy.
• Complex ACLs are difficult to implement and maintain correctly.
• Some services cannot be filtered. For example, it is difficult to securely filter sessions that
use dynamic port negotiations without opening up access to a whole range of ports, which
in itself might be dangerous.

Packet Filtering Example

[Figure: the Internet connects to Serial 0 (the 195.95.95.0 side) of the router; Ethernet 0 (12.23.34.1) connects the 12.23.34.x network, which contains the mail server 12.23.34.3 and the FTP server 12.23.34.2. Access list 101 applies to outgoing traffic; access list 102 applies to incoming traffic.]

• Allow all outgoing TCP connections
• Allow incoming SMTP and DNS to mailhost
• Allow incoming FTP data connections to high TCP ports (1024 and above)
• Protect services that live on high port numbers

The figure shows a simple packet filter example using a Cisco router.

In most network topologies, the Ethernet interface connecting to the internal (inside) network
needs to be protected, while the serial interface that connects to the Internet (outside) is
unprotected. In this example, the internal user addresses to protect are in the 12.23.34.x range
(on the Ethernet interface). The subnet mask is 255.255.255.0, so the Ethernet 0 interface is
addressed 12.23.34.1 255.255.255.0.

This particular network security policy allows everybody on the inside to access Internet
services on the outside. Therefore, all outgoing connections are accepted, and the router only
checks packets coming from the Internet (access list 102, applied inbound on the serial
interface). Recall that the checking process tests access list rules in order and stops at the
first match, and that there is an implicit deny rule at the end of every access list that denies
everything not explicitly permitted. Rule order therefore matters: the permit for FTP data
connections to high ports must come after any deny that protects a particular high-port
service, or that deny is never reached.
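To make the difference between the static filter of this example and the stateful packet filtering described under "Firewall Technologies" concrete, the following Python simulates both against the same packets. It is an added example, not from the SND guide or from any Cisco product: access list 102 is my rendering of the four bullets in the figure (an X11 deny stands in for "protect services that live on high port numbers"), the state table is a minimal model rather than the PIX Adaptive Security Algorithm, and all addresses and packets are constructed.

```python
"""Static access list versus a minimal stateful filter for the example topology.

Added example, not from the SND guide or a Cisco product. ACL_102 is one
rendering of the figure's policy; StatefulFilter is a toy state table; the
packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("12.23.34.0/24")   # protected network from the figure
MAILHOST = "12.23.34.3"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE_NET


# access-list 102 (inbound on Serial0): tested top to bottom, first match wins.
ACL_102 = [
    ("deny",   lambda p: is_inside(p.src)),                                          # anti-spoofing
    ("permit", lambda p: p.proto == "tcp" and p.ack),                                 # 'established'
    ("permit", lambda p: p.proto == "tcp" and p.dst == MAILHOST and p.dport == 25),   # SMTP to mailhost
    ("permit", lambda p: p.proto == "udp" and p.dst == MAILHOST and p.dport == 53),   # DNS to mailhost
    ("deny",   lambda p: p.proto == "tcp" and p.dport == 6000),                       # X11 lives on a high port
    ("permit", lambda p: p.proto == "tcp" and p.sport == 20 and p.dport > 1023),      # FTP data connections
]


def static_filter(pkt):
    """Plain packet filter: every packet is judged on its own header fields."""
    for action, matches in ACL_102:
        if matches(pkt):
            return action
    return "deny"   # implicit deny at the end of every access list


class StatefulFilter:
    """Minimal state table. Outbound flows are remembered; an inbound packet is
    accepted only as a reply to a remembered flow, as FTP data from a server the
    inside host has a control session with, or under the static mailhost permits."""

    def __init__(self):
        self.flows = set()        # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.ftp_control = set()  # (inside_ip, ftp_server_ip)

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        if pkt.proto == "tcp" and pkt.dport == 21:
            self.ftp_control.add((pkt.src, pkt.dst))
        return "permit"           # policy: everybody inside may reach the Internet

    def inbound(self, pkt):
        if is_inside(pkt.src):
            return "deny"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "permit"       # reply to a flow that was seen leaving
        if (pkt.proto == "tcp" and pkt.sport == 20 and pkt.dport > 1023
                and (pkt.dst, pkt.src) in self.ftp_control):
            return "permit"       # FTP data only from a server with a live control session
        if pkt.dst == MAILHOST and (pkt.proto, pkt.dport) in {("tcp", 25), ("udp", 53)}:
            return "permit"
        return "deny"


def run_scenarios():
    """Constructed packets; returns {name: (static verdict, stateful verdict)}."""
    sf = StatefulFilter()
    sf.outbound(Packet("12.23.34.10", "195.95.95.7", "tcp", 40001, 21, syn=True))   # inside host opens FTP
    inbound = {
        "ftp_data":          Packet("195.95.95.7", "12.23.34.10", "tcp", 20, 40002, syn=True),
        "spoofed_high_port": Packet("203.0.113.9", "12.23.34.20", "tcp", 20, 3389, syn=True),
        "ack_scan":          Packet("203.0.113.9", "12.23.34.20", "tcp", 4444, 3389, ack=True),
        "smtp":              Packet("203.0.113.9", MAILHOST, "tcp", 51000, 25, syn=True),
        "x11_from_port20":   Packet("203.0.113.9", "12.23.34.10", "tcp", 20, 6000, syn=True),
    }
    return {name: (static_filter(p), sf.inbound(p)) for name, p in inbound.items()}


if __name__ == "__main__":
    for name, (static, stateful) in run_scenarios().items():
        print(f"{name:18s} static={static:6s} stateful={stateful}")
```

The two rows where the verdicts differ are exactly the weakness listed above: a SYN from source port 20 to any high port, and a bare ACK to any port, both satisfy the static rules although no inside host ever opened such a session, while the state table rejects them because it remembers which flows really left. A real stateful firewall goes further for FTP by reading the PORT command on the control channel and permitting only the announced data port; the model here approximates that with the control-session check.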



Proxy Server

[Figure: 1. Request from the inside client to the proxy server; 2. Repackaged request from the proxy server to the Internet; 3. Response from the Internet to the proxy server; 4. Repackaged response from the proxy server to the client.]

The proxy server requests connections between a client on the inside of the firewall and the Internet.

A proxy server is a firewall device that examines packets at the application layer of the Open
Systems Interconnection (OSI) reference model. This device hides valuable data by requiring
users to communicate with a secure system by means of a proxy server. Users gain access to the
network by going through a process that establishes session state, user authentication, and
authorized policy. This means that users connect to outside services via application programs
(proxies) running on the gateway connecting to the outside unprotected zone.

The problems with proxy servers are as follows:

• They must evaluate a lot of information in many packets and therefore can slow the
network performance.
• A separate proxy must be installed for each application, making it difficult to add new
services.
• They create a single point of failure in the network, so if the entrance to the network is
compromised, then the entire network is compromised.

Proxy Server Firewall Device (figure)

Gateway controller software hosting one proxy per service (FTP proxy, HTTP proxy, Email proxy,
Other proxy). Each proxy is bound, through the bindings layer, to the TCP/IP stack on the Internet
side and to the TCP/IP stack on the inside network side.

Proxy services run at the application level of the network protocol stack for each different type
of service (for example FTP, HTTP, and so on). A proxy server firewall device controls how
internal users access the outside world (the Internet) and how Internet users access the internal
network. In some cases, the proxy blocks all outside connections and only allows internal users
to access the Internet. The only packets allowed back through the proxy are those that return
responses to requests from inside the firewall. In other cases, both inbound and outbound traffic
are allowed under strictly controlled conditions. This condition is like a virtual gap that exists
in the firewall between the inside and outside networks. The proxies bridge this gap by working
as agents for internal or external users.



Stateful Packet Filtering (figure)

Internet -- firewall performing stateful inspection with a stateful session flow table -- inside network.

• Stateful inspection limits information into a network, based on the destination and source
address. The packet data content is used to determine more about the packet.
• Stateful inspection then remembers certain details, or the state of that request.

Stateful packet filtering is the method used by the Cisco PIX Security Appliance. Stateful
packet filtering overcomes many of the disadvantages of proxy servers. Unlike static packet
filtering, which examines a packet based on the information in its header, stateful inspection
tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A
stateful firewall may examine not just the header information but also the contents of the packet
up through the application layer in order to determine more about the packet than just
information about its source and destination.

For example, if an outside service is accessed, the stateful packet filter firewall remembers
certain details of that request. This remembering is called “saving the state.” Each time a
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection is
established for inbound or outbound connections, the information is logged in a stateful session
flow table. When the outside system responds to your request, the firewall server compares the
received packets with the saved state to determine if they are allowed into the network.

The stateful session flow table contains the source and destination addresses, port numbers,
TCP sequencing information, and additional flags for each TCP or UDP connection associated
with that particular session. This information creates a connection object, and consequently, all
inbound and outbound packets are compared against session flows in the stateful session flow
table. Data is permitted through the firewall only if an appropriate connection exists to validate
its passage.

Stateful packet filtering is effective because of the following:

• Stateful packet filtering works on packets and connections.
• Stateful packet filtering operates at a higher performance level than packet filtering or
using a proxy server.
• Stateful packet filtering records data in a stateful session flow table for every connection or
connectionless transaction. This table serves as a reference point to determine if packets
belong to an existing connection or are from an unauthorized source.

However, there is a major disadvantage to stateful filtering that must always be considered.
While stateful inspection provides speed and transparency, inside packets must make their way
to the outside network. This can expose internal IP addresses to potential hackers.
Some firewall designs use stateful inspection and proxies together for added security.



PIX Security Appliance Overview
This topic describes the PIX Security Appliance technology and features.

The Cisco PIX Security Appliance

Purpose-built security appliance:

• Uses Finesse, a Cisco proprietary operating system
• Provides stateful inspection using Cisco Adaptive Security Algorithm
• Inspection at Layer 4 to Layer 7
• Optional inline intrusion detection
• User-based authentication
• Provides VPN services
• Web-based management
• Stateful failover capabilities

The PIX Security Appliance provides integrated network security services, including stateful
inspection via a firewall, protocol and application inspection, virtual private network (VPN)
services, in-line intrusion protection, and support for multimedia and voice protocols, in a
cost-effective and easy-to-deploy appliance. Some of the PIX Security Appliance product
highlights are as follows:
• Security, performance and reliability in purpose-built security appliances
• State-of-the-art stateful inspection via a firewall using the patented Adaptive Security
Algorithm (ASA)
• Integrated protocol and application inspection engines that examine packet streams at
Layer 4 to Layer 7
• User-based authentication of inbound and outbound connections
• Robust VPN for secure site-to-site and remote access connections
• Simple, web-based management with PIX Device Manager (PDM)
• Redundancy support using the stateful failover capabilities that ensure resilient network
protection
• Dynamic and static Network Address Translation (NAT) and Port Address Translation
(PAT)
• Integrated intrusion detection guards against DoS attacks
• Robust remote manageability using CiscoWorks Firewall Management Center,
Telnet/Secure Shell (SSH), Simple Network Management Protocol (SNMP) and syslog

PIX Operating System—Finesse

• Cisco-developed secure, real-time, embedded operating system for PIX
• Has none of the security holes of general-purpose operating systems (UNIX or NT),
eliminating the risks associated with them
• Uses Cisco Adaptive Security Algorithm to provide stateful security
• Cut-through proxy eliminates application-layer bottlenecks

Finesse, a Cisco proprietary operating system, is a non-UNIX, non-Windows NT, Cisco IOS
software-like operating system. Use of Finesse eliminates the risks associated with the general-
purpose operating systems. Finesse enables the PIX Security Appliance to deliver outstanding
performance with up to 500,000 simultaneous connections—dramatically greater than any
UNIX-based firewall.



Stateful Inspection Using ASA

• Cisco Adaptive Security Algorithm provides stateful connection security by:
– tracking source and destination ports and addresses, TCP sequence numbers, and
additional TCP flags
– randomizing initial TCP sequence numbers
• By default, Cisco Adaptive Security Algorithm allows connections originating from hosts on
inside (higher security level) interfaces.
• By default, Cisco Adaptive Security Algorithm drops connection attempts originating from
hosts on outside (lower security level) interfaces.
• Cisco Adaptive Security Algorithm supports authentication, authorization, and accounting.

The heart of the PIX Security Appliance is the ASA. The ASA maintains the secure perimeters
between the networks controlled by the firewall. The stateful, connection-oriented ASA design
creates session flows based on source and destination addresses. The ASA tracks source and
destination ports and addresses, TCP sequence numbers, and additional TCP flags, and
randomizes the initial TCP sequence numbers before completion of the connection. This
function continually monitors return packets to ensure that they are valid, and only allows
one-way (inside to outside) connections without an explicit configuration for each internal
system and application. The randomizing of the TCP sequence numbers minimizes the risk of a
TCP sequence number attack. Because of the ASA, the PIX Security Appliance is less complex
and more robust than a firewall designed around packet filtering. The ASA uses a concept of
security levels to determine whether traffic can pass between two interfaces. The higher the
security level setting on an interface, the more trusted it is.

Recall that each time a TCP connection is established for inbound or outbound connections
through the PIX Security Appliance, the information about the connection is logged in a
stateful session flow table. For a session to be established, information about the connection
must match information stored in the table. With this methodology, the stateful filters work on
the connections, not the packets. This approach makes stateful packet filtering a more stringent
security method because sessions are immune to hijacking.

The PIX Security Appliance uses stateful packet filtering as follows:

• To obtain the session identifying parameters, IP addresses, and ports for each TCP
connection
• To log the data in a stateful session flow table and create a session object
• To compare the inbound and outbound packets against session flows in the connection
table
• To allow data packets to flow through the PIX Security Appliance only if an appropriate
connection exists to validate their passage
• To set up a temporary connection object until the connection is terminated

TCP Initialization—Inside to Outside (figure)

Message No. 1 (SYN, no data) as sent on the private network, and No. 2 as forwarded by the PIX
Security Appliance to the public network:

                        Private network (No. 1)   Public network (No. 2)
  Source address        10.0.0.11                 192.168.0.20
  Destination address   172.30.0.50               172.30.0.50
  Source port           1026                      1026
  Destination port      23                        23
  Initial sequence no.  49091                     49769
  Flag                  SYN                       SYN

The PIX Security Appliance checks for a translation slot. If one is not found, it creates one after
verifying NAT, global, access control, and authentication or authorization, if any. If OK, a
connection is created and the embryonic connection counter is started.

Message No. 3 (SYN/ACK) as returned by 172.30.0.50 on the public network, and No. 4 as forwarded
to the private network:

                        Public network (No. 3)    Private network (No. 4)
  Source address        172.30.0.50               172.30.0.50
  Destination address   192.168.0.20              10.0.0.11
  Source port           23                        23
  Destination port      1026                      1026
  Sequence no.          92513                     92513
  Ack no.               49770                     49092
  Flag                  SYN/ACK                   SYN/ACK

The PIX Firewall follows the Adaptive Security Algorithm: source IP, source port, destination IP
and destination port check; sequence number check; translation check.

TCP is a connection-oriented protocol. When a session from a more secure host inside the PIX
Firewall is started, the PIX Firewall creates an entry in the session state filter. The PIX Firewall
is able to extract network sessions from the network flow and actively verify their validity in
real time. This stateful filter maintains the state of each network connection and checks
subsequent protocol units against its expectations. When a TCP session is initiated through a
PIX Firewall, the PIX Firewall records the network flow and looks for an acknowledgement
from the device with which the host is trying to initiate communications. The PIX Firewall then
allows traffic to flow between the hosts involved in the connection based on the three-way
handshake.

When a TCP session is established over the PIX Firewall, the following happens:

Step 1 The first Internet Protocol (IP) packet from an inside host causes the generation of a translation
slot. The embedded TCP information is then used to create a connection slot in the PIX
Firewall.

Step 2 The connection slot is marked as embryonic (not established yet).

Step 3 The PIX Firewall randomizes the initial sequence number of the connection, stores the delta
value, and forwards the packet onto the outgoing interface.

Step 4 The PIX Firewall now expects a synchronize/acknowledge (SYN/ACK) packet from the
destination host. Then the PIX Firewall matches the received packet against the connection slot,
computes the sequencing information, and forwards the return packet to the inside host.



TCP Initialization—Inside to Outside (Cont.) (figure)

Message No. 5 (ACK) as sent on the private network, and No. 6 as forwarded to the public network:

                        Private network (No. 5)   Public network (No. 6)
  Source address        10.0.0.11                 192.168.0.20
  Destination address   172.30.0.50               172.30.0.50
  Source port           1026                      1026
  Destination port      23                        23
  Initial sequence no.  49092                     49770
  Ack no.               92514                     92514
  Flag                  ACK                       ACK

The PIX Security Appliance resets the embryonic counter for this client. It then increases the
connection counter for this host. Data flows strictly follow the Adaptive Security Algorithm.

Step 5 The inside host completes the connection setup, the three-way handshake, with an ACK.

Step 6 The connection slot on the PIX Firewall is marked as connected, or active-established, and data
is transmitted. The embryonic counter is then reset for this connection.
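The six steps replayed with the figure's addresses, ports and sequence numbers, as an added Python example that is not PIX code; the ISN randomizer is a caller-supplied function (a fixed delta of 678, so that 49091 becomes 49769) to make the run repeatable, where a device would use an unpredictable delta.

```python
"""
Stateful session flow table replaying the six-step TCP initialization above
with the figure's values: inside host 10.0.0.11:1026 to 172.30.0.50:23,
translated to 192.168.0.20, ISN 49091 rewritten to 49769. Added example, not
PIX code; the ISN randomizer is supplied by the caller (fixed delta here) so
the result is repeatable, whereas a device uses a random, unpredictable delta.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

MOD = 2 ** 32                      # TCP sequence numbers wrap at 32 bits
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0                   # acknowledgement number
    syn: bool = False              # SYN flag
    ackf: bool = False             # ACK flag


@dataclass
class ConnectionSlot:
    inside: Endpoint
    outside: Endpoint
    global_addr: str               # address from the translation slot
    isn: int                       # inside host's real initial sequence number
    delta: int                     # stored difference: randomized ISN minus real ISN
    state: str = "embryonic"       # becomes "established" once the handshake completes


class PixLikeFirewall:
    def __init__(self, nat: Dict[str, str], randomize: Callable[[], int]):
        self.nat = nat                                   # translation slots: inside -> global address
        self.randomize = randomize
        self.conns: Dict[Tuple[Endpoint, Endpoint], ConnectionSlot] = {}
        self.embryonic: Dict[str, int] = {}              # half-open connections per inside host
        self.connections: Dict[str, int] = {}            # established connections per inside host

    def from_inside(self, seg: Segment) -> Optional[Segment]:
        """Inside to outside: steps 1-3 for the SYN, steps 5-6 for the final ACK.
        Returns the translated segment, or None if the appliance drops it."""
        global_addr = self.nat.get(seg.src)
        if global_addr is None:
            return None                                  # step 1 fails: no translation slot
        key = ((seg.src, seg.sport), (seg.dst, seg.dport))
        slot = self.conns.get(key)
        if slot is None:
            if not seg.syn or seg.ackf:
                return None                              # no connection slot and not a SYN
            delta = self.randomize() % MOD               # step 3: randomize the ISN, keep the delta
            slot = ConnectionSlot(key[0], key[1], global_addr, seg.seq, delta)
            self.conns[key] = slot                       # step 2: the slot starts embryonic
            self.embryonic[seg.src] = self.embryonic.get(seg.src, 0) + 1
        elif slot.state == "embryonic" and seg.ackf and not seg.syn:
            slot.state = "established"                   # step 6
            self.embryonic[seg.src] -= 1
            self.connections[seg.src] = self.connections.get(seg.src, 0) + 1
        return replace(seg, src=global_addr, seq=(seg.seq + slot.delta) % MOD)

    def from_outside(self, seg: Segment) -> Optional[Segment]:
        """Outside to inside (step 4): forwarded only if it matches an existing slot
        on addresses, ports, translation and sequence number; otherwise dropped."""
        for slot in self.conns.values():
            if (seg.src, seg.sport) != slot.outside or \
               (seg.dst, seg.dport) != (slot.global_addr, slot.inside[1]):
                continue
            if slot.state == "embryonic":
                if not (seg.syn and seg.ackf):
                    return None                          # only the SYN/ACK is expected now
                if seg.ack != (slot.isn + slot.delta + 1) % MOD:
                    return None                          # sequence number check fails
            # undo the translation and the ISN shift before handing it to the inside host
            return replace(seg, dst=slot.inside[0], ack=(seg.ack - slot.delta) % MOD)
        return None                                      # outside-originated attempt: dropped

    def state(self, inside: Endpoint, outside: Endpoint) -> Optional[str]:
        slot = self.conns.get((inside, outside))
        return slot.state if slot else None


def walk_figure() -> Tuple[PixLikeFirewall, Segment, Segment, Segment]:
    """Replay messages 1-6 of the figure; returns the firewall and the three
    forwarded segments (No. 2, No. 4 and No. 6)."""
    fw = PixLikeFirewall({"10.0.0.11": "192.168.0.20"}, randomize=lambda: 678)  # 49091 + 678 = 49769
    no2 = fw.from_inside(Segment("10.0.0.11", 1026, "172.30.0.50", 23, seq=49091, syn=True))
    no4 = fw.from_outside(Segment("172.30.0.50", 23, "192.168.0.20", 1026,
                                  seq=92513, ack=49770, syn=True, ackf=True))
    no6 = fw.from_inside(Segment("10.0.0.11", 1026, "172.30.0.50", 23,
                                 seq=49092, ack=92514, ackf=True))
    return fw, no2, no4, no6


if __name__ == "__main__":
    fw, no2, no4, no6 = walk_figure()
    print("No. 2:", no2)
    print("No. 4:", no4)
    print("No. 6:", no6)
    print("state:", fw.state(("10.0.0.11", 1026), ("172.30.0.50", 23)))
```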

PIX Cut-Through Proxy Operation (figure)

1. The internal or external user makes a request to the IS resource.
2. The PIX Security Appliance intercepts the connection.
3. At the application layer, the PIX Security Appliance prompts the user for a username and
password (the figure shows a browser dialog "Username and Password Required: Enter username
for CCO at www.com", user name student). The PIX Security Appliance then authenticates the user
against a RADIUS or TACACS+ server (Cisco Secure ACS in the figure) and checks the security
policy.
4. The PIX Security Appliance initiates a connection from the PIX Security Appliance to the
destination IS resource.
5. The PIX Security Appliance directly connects the internal or external user to the IS resource
via Adaptive Security Algorithm. Communication then takes place at a lower level of the OSI
model.

Cut-through proxy is a method of transparently verifying the identity of the users at the
firewall, and permitting or denying access to any TCP- or UDP-based applications. This
process is also known as user-based authentication of inbound or outbound connections. Unlike
a proxy server that analyzes every packet at the application layer of the OSI model, the PIX
Security Appliance first challenges a user at the application layer. After the user is
authenticated and the policy is checked, the PIX Security Appliance shifts the session flow to a
lower layer of the OSI model for dramatically faster performance. This allows security policies
to be enforced on a per-user-identification basis.

Connections must be authenticated with a user identification and password before they can be
established. The user identification and password are entered via an initial HTTP, HTTPS,
Telnet, or FTP connection. This method eliminates the price/performance impact that UNIX
system-based firewalls impose in similar configurations, and allows a finer level of
administrative control over connections. The cut-through proxy method also leverages the
authentication and authorization services of the Cisco Secure Access Control Server (Cisco
Secure ACS).



PIX Application-Aware Inspection (figure)

FTP client (control port 2008, data port 2010) and FTP server (control port 21, data port 20) on
opposite sides of the PIX Security Appliance. On the control connection the client announces
"Data - Port 2010"; the server answers "Port 2010 OK" and then opens the data connection from
port 20 to port 2010.

• FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned
source or destination ports through the firewall.
• The PIX Security Appliance inspects packets above the network layer.
• The PIX Security Appliance securely opens and closes negotiated ports for legitimate
client-server connections through the firewall.

Many corporations use the Internet for business transactions. To keep their internal networks
secure from potential threats from the Internet, they can implement firewalls on their internal
network. Even though these firewalls help protect the corporation's internal network from
external threats, firewalls cause problems as well. For example, some of the protocols and
applications that the corporations use to communicate are not allowed through the firewalls:
FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source
or destination ports, or IP addresses, through the firewall.

A good firewall must inspect packets above the network layer and do the following as required
by the protocol or application:
• Securely open and close negotiated ports or IP addresses for legitimate client-server
connections through the firewall.
• Use NAT-relevant instances of an IP address inside a packet.
• Use PAT-relevant instances of ports inside a packet.
• Inspect packets for signs of malicious application misuse.

You can configure the Cisco PIX Security Appliance to allow the required protocols or
applications to securely pass through the firewall. This configuration allows corporate internal
networks to remain secure while day-to-day business continues over the Internet.
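The FTP negotiation of the figure, handled by an inspector that opens a pinhole for exactly the announced data connection and rewrites the NAT-relevant address inside the PORT command (the first two items of the list above). This is an added Python example, not PIX code; the addresses are constructed (inside client 10.0.0.11 translated to 192.168.0.20, outside server 172.30.0.50, as in the ASA figures).

```python
"""
Application-aware inspection of active-mode FTP: the client announces its data
port on the control connection, and the firewall admits the server's data
connection for exactly that port, once, while rewriting the address inside the
PORT command to the translated (NAT) address. Added example, not PIX code;
addresses are constructed: inside client 10.0.0.11 (global 192.168.0.20),
outside server 172.30.0.50.
"""
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: bytes) -> Optional[Endpoint]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (address, p1 * 256 + p2); None if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def build_port_command(addr: str, port: int) -> bytes:
    """Re-encode a PORT command, used to put the NAT-relevant address into the packet."""
    return b"PORT %s,%d,%d\r\n" % (addr.replace(".", ",").encode(), port // 256, port % 256)


class FtpInspector:
    """Opens a pinhole only for the data connection negotiated on the control channel."""

    def __init__(self, nat: Dict[str, str]):
        self.nat = nat                    # inside address -> global (translated) address
        # (server data endpoint, translated client data endpoint) -> inside client endpoint
        self.pinholes: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}
        self.rejected: List[bytes] = []   # PORT commands refused by the inspector

    def inspect_control(self, client: Endpoint, server: Endpoint,
                        payload: bytes) -> Tuple[bytes, bool]:
        """Inspect a client-to-server control-channel payload. Returns the payload to
        forward (PORT address rewritten to the global address) and whether a pinhole opened."""
        if server[1] != FTP_CONTROL_PORT:
            return payload, False
        forwarded, opened = [], False
        for line in payload.splitlines(keepends=True):
            announced = parse_port_command(line)
            if announced is None:
                forwarded.append(line)         # not a PORT command: pass through untouched
                continue
            # Refuse a PORT that names a host other than the client itself, or a privileged port:
            # either would open a hole that the client's own data transfer does not need.
            if announced[0] != client[0] or announced[1] < 1024:
                self.rejected.append(line)
                continue
            global_addr = self.nat.get(client[0], client[0])
            self.pinholes[((server[0], FTP_DATA_PORT), (global_addr, announced[1]))] = \
                (client[0], announced[1])
            forwarded.append(build_port_command(global_addr, announced[1]))
            opened = True
        return b"".join(forwarded), opened

    def allow_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Decide an inbound connection attempt from the outside: a negotiated data
        connection is admitted once (its inside destination is returned); anything
        else, including a second attempt on the same ports, is dropped (None)."""
        return self.pinholes.pop((src, dst), None)


if __name__ == "__main__":
    fw = FtpInspector({"10.0.0.11": "192.168.0.20"})
    client, server = ("10.0.0.11", 2008), ("172.30.0.50", 21)
    # Constructed control-channel payload: the client announces data port 7 * 256 + 218 = 2010.
    print(fw.inspect_control(client, server, b"PORT 10,0,0,11,7,218\r\n"))
    print(fw.allow_inbound(("172.30.0.50", 20), ("192.168.0.20", 2010)))  # admitted once
    print(fw.allow_inbound(("172.30.0.50", 20), ("192.168.0.20", 2010)))  # pinhole already closed
```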

Web-Based PIX Management Solutions (figure)

PIX Device Manager and Firewall Management Center.

The Cisco PIX Device Manager (PDM) and the Firewall Management Center (FWMC) are
browser-based configuration tools designed to help you set up, configure, and monitor your
Cisco PIX Security Appliance graphically, and without requiring an extensive knowledge of
the PIX Security Appliance command-line interface (CLI).

The PDM monitors and configures a single PIX Security Appliance. You can use the PDM to
create a new configuration and to monitor and maintain current PIX Security Appliances. You
can point your browser to more than one PIX Security Appliance and administer several PIX
Security Appliances from a single workstation.

CiscoWorks 2000 Management Center for Firewalls (Firewall MC) is a web-based interface for
configuring and managing multiple Cisco PIX Security Appliances. Firewall MC has a look
and feel similar to the PDM; however, with Firewall MC, you can configure multiple firewalls
instead of configuring only one at a time. Firewall MC centralizes and accelerates the
deployment and management of multiple PIX Security Appliances.



PIX Stateful Failover (figure)

Before failover: Primary (Active) PIX Security Appliance and Secondary (Standby) PIX Security
Appliance, both connected to the Internet. After failover: Primary (Standby) PIX Security Appliance
and Secondary (Active) PIX Security Appliance.

Stateful failover maintains the operating state during failover.

Failover provides a redundancy mechanism for the PIX Security Appliance by allowing two
identical firewalls (hardware and software) to serve the same functionality. The active firewall
performs normal security functions, while the standby firewall acts as a monitor, and is ready to
take control should the active firewall fail.

The PIX Security Appliance can use a serial cable for short-distance failover or an Ethernet
cable for long-distance (LAN-based) failover. In both of these scenarios, the PIX Security
Appliance can be configured for stateful failover so that active connections remain when
failover occurs. When failover occurs, syslog messages that indicate the cause of the failure are
generated.

Note PIX Security Appliance models that support failover include legacy models such as the
Cisco PIX 515 Security Appliance and the PIX 520 Security Appliance, which are not
featured in this course. Current models such as the PIX 515E Security Appliance, the PIX
525 Security Appliance, and the PIX 535 Security Appliance support failover.

PIX Security Appliance Models
This topic describes the features of each PIX Security Appliance model.

PIX Firewall Family (figure)

From lowest to highest functionality: PIX 501 (small office/home office, SOHO), PIX 506E (remote
and branch office, ROBO), PIX 515E (small to medium business, SMB), PIX 525 (enterprise) and
PIX 535 (service provider); the PIX 525 and PIX 535 are the Gigabit Ethernet models.

The Cisco PIX 500 Security Appliance series scales to meet a range of requirements and
network sizes, and currently consists of the following five models:
• The PIX 501 Security Appliance has an integrated 10/100BASE-T port (100BASE-T
option available in PIX Software Release 6.3) and an integrated four-port 10/100 switch.
• The PIX 506E Security Appliance has dual integrated 10/100BASE-T ports (100BASE-T
option is only available in PIX Software Release 6.3).
• The PIX 515E Security Appliance supports single-port or four-port 10/100 Ethernet cards.
• The PIX 525 Security Appliance supports single-port or four-port 10/100 Fast Ethernet and
Gigabit Ethernet.
• The PIX 535 Security Appliance supports Fast Ethernet and Gigabit Ethernet. The PIX
515E Security Appliance, 525, and 535 models come with an integrated Virtual Private
Network Accelerator (VAC) card.

Note Prior to PIX Security Appliance Software Release 6.3, the PIX 501 Security Appliance
outside interface and the PIX 506E Security Appliance outside and inside interfaces
operated at 10BASE-T. With the upgrade to software release 6.3, the PIX 501 Security
Appliance outside interface and PIX 506E Security Appliance outside and inside interfaces
can operate at 10/100BASE-T. Enabling the speed change on the interface requires only a
software upgrade.



Cisco PIX 500 Security Appliance Family

Features and uses:

• Typically used for site-to-site VPNs
• Restricts access to network resources
• Implemented at the physical perimeter between customer intranet and the other
company’s intranet
• Determines whether traffic crossing in either direction is authorized
• Contains limited Intrusion Detection System (IDS) capability
• Provides a dedicated hardware appliance
• Has little or no impact on network performance

The Cisco PIX Security Appliance plays a vital role in the Cisco strategy to use integrated
security to build a “Self-Defending Network.” The PIX Security Appliance is secure right out
of the box. After a few installation procedures and an initial configuration of six general
commands, your PIX Security Appliance is operational and protecting your network. These
PIX Security Appliance commands enable connections from the inside interface access to the
outside interface, and block all connections from the outside interface to the inside interface.

PIX Security Appliance Licensing
This topic explains the licensing options for PIX Security Appliances.

Feature-Based License Types

• Unrestricted: Allows installation and use of the maximum number of interfaces and RAM
supported by the platform
• Restricted: Limits the number of interfaces supported and the amount of RAM available
within the system
• Failover: Places the PIX Security Appliance in a failover mode for use alongside another
PIX Security Appliance with an unrestricted license

These features apply to the PIX 515 Security Appliance, the PIX 515E Security Appliance, the
PIX 525 Security Appliance and the PIX 535 Security Appliance.

Current Cisco PIX Security Appliance licensing is based on a “feature-based” license key
system. The PIX Security Appliance license determines the level of service it provides, its
functions in a network, and the maximum number of interfaces and memory it can support. For
the PIX Security Appliance family, the following licensing is available:
• PIX 501 Security Appliance: This model is provided with a 10-user, 50-user, or unlimited-user
license in PIX Security Appliance Software Release 6.3. Each license allows up to a
specified number of concurrent source IP addresses from your internal network to traverse
the firewall. For instance, the 50-user license allows up to 50 concurrent source IP
addresses from your internal network to traverse the firewall. If a PIX 501 Security
Appliance requires more concurrent users to traverse the firewall, the following upgrade
user licenses are available: 10-user to 50-user, 10-user to unlimited, and 50-user to
unlimited licenses.
• PIX 506E Security Appliance: This model is provided with a single, unlimited-user
license.
• PIX 515E Security Appliance, PIX 525 Security Appliance and PIX 535 Security
Appliance: These models are available with the following basic license types:
— Unrestricted: PIX Security Appliance platforms in an unrestricted license mode
allow installation and use of the maximum number of interfaces and RAM supported
by the platform. The unrestricted license supports failover.
— Restricted: PIX Security Appliance platforms in a restricted license mode limit the
number of interfaces supported and the amount of RAM available within the system.
A restricted licensed firewall does not support a redundant system for failover
configurations.



— Failover: The failover (FO) license places the PIX Security Appliance in a failover
mode for use alongside another PIX Security Appliance with an unrestricted (UR) license.

Cisco supplies an activation key with a license. The activation key is based on the type of
license and the serial number of the PIX Security Appliance. To enable the license features,
enter the activation key into the PIX Security Appliance configuration and then reboot the PIX
Security Appliance. Upon reboot, the new license features should take effect.

Note An activation key is “tied” to a specific PIX Security Appliance, such as PIX Security
Appliance-serial number 12345678. An activation key is not specific to a particular PIX
Security Appliance software version.

VPN Encryption License

• DES license: Provides 56-bit DES
• 3DES/AES license:
– Provides 168-bit 3DES
– Provides up to 256-bit AES

Applies to PIX Security Appliance Family

In addition to upgrading the PIX Security Appliance license, you may wish to add data
encryption services, or increase the level of data encryption your PIX Security Appliance can
provide. You can fill out an online form at the PIX Security Appliance Software page on
Cisco.com to obtain a free 56-bit DES key. There is a separate form to install or upgrade to
168-bit 3DES and AES encryption. For failover configurations, the unrestricted and FO
firewalls each require their own unique corresponding DES or 3DES/AES license for failover
functionality.

Adding cryptographic services and upgrading your PIX Security Appliance license requires
obtaining and installing an activation key.



Summary
This topic summarizes the key points discussed in this lesson.

Summary

• There are three firewall technologies: packet filtering, proxy server, and stateful packet
filtering.
• The PIX Security Appliance features include the following: Finesse operating system, Cisco
Adaptive Security Algorithm, cut-through proxy, stateful failover, VPN, Web-based
management, and stateful packet filtering.
• There are currently five PIX Security Appliance models in the PIX 500 Series of security
appliances.
• The PIX Security Appliance license determines the PIX Security Appliance level of service
in your network and the number of supported interfaces. There are restricted, unrestricted,
and failover licenses.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which firewall technology uses a special piece of software designed to relay
application-layer requests and responses between endpoints? (Source: Firewall
Technologies)

Q2) Which firewall technology statically defines sets of rules and access lists that determine
what traffic is permitted or denied from being routed across it by examining protocol
header information up to the transport layer? (Source: Firewall Technologies)

Q3) Which of the following statements describes a problem with packet filtering
technology? (Source: Firewall Technologies)
A) Packet filtering technology requires deep packet inspections up to the
application layer.
B) Packet filtering requires complex ACLs, which are difficult to implement and
maintain correctly.
C) Packet filtering technology requires high CPU usage to support applications
that negotiate dynamic ports.
D) Packet filtering technology requires high memory requirements to maintain the
state table.

Q4) What is the name of the Cisco proprietary operating system used on Cisco PIX Security
Appliances? (Source: PIX Security Appliance Overview)

Q5) What is the name of the security algorithm used by Cisco PIX Security Appliances?
(Source: PIX Security Appliance Overview)

Q6) Name two browser-based configuration tools that can be used to set up, configure and
monitor a single Cisco PIX Security Appliance. (Source: PIX Security Appliance
Overview)

Q7) What are the three types of PIX Security Appliance license types? (Source: PIX
Security Appliance Licensing)



Lesson Self-Check Answer Key
Q1) Proxy server

Q2) Packet filtering

Q3) B

Q4) Finesse

Q5) Adaptive Security Algorithm (ASA)

Q6) PIX Device Manager (PDM) and Firewall Management Center (FWMC)

Q7) Unrestricted, restricted and failover

Lesson 2

Configuring a Cisco PIX Security Appliance from the CLI

Overview
The Cisco PIX Security Appliance contains a command set, based on Cisco IOS software
technologies, that provides four administrative access modes. The tasks and basic commands
needed to configure basic networking for the appliance in each mode will be described and
illustrated.

Setting the security levels in the Cisco Adaptive Security Algorithm will be described.
Adaptive Security Algorithm is the technology used by the PIX Security Appliance to provide
stateful packet inspection on traffic leaving the appliance. Finally, the tasks and commands
needed to make the PIX Security Appliance operational will be described. The lesson ends with
a lab exercise in configuring a PIX from the command-line interface (CLI).

Objectives
Upon completing this lesson, you will be able to configure the Cisco PIX Security Appliance
for secure network connectivity from the CLI. This ability includes being able to meet these
objectives:
Explain how to use the commands in each of the four PIX Security Appliance access
modes
Explain the basic tasks used to configure the PIX Security Appliance
Explain the levels and function of the Adaptive Security Algorithm
Explain the basic commands needed to make the PIX Security Appliance operational
Explain how to examine the status of the PIX Security Appliance

PIX Security Appliance Access Modes
This topic explains how to use the commands in each of the four PIX Security Appliance
access modes.

Access Modes

The PIX Security Appliance has four administrative access modes:
• Unprivileged mode     pixfirewall>
• Privileged mode       pixfirewall#
• Configuration mode    pixfirewall(config)#
• Monitor mode          monitor>

The PIX Security Appliance contains a command set based on Cisco IOS software, and
provides these four administrative access modes:
Unprivileged mode: This mode is available when you first access the PIX Security
Appliance. The > prompt is displayed. This mode provides a restricted and limited view of
PIX Security Appliance settings.
Privileged mode: This mode displays the # prompt and enables you to change the current
settings. Any unprivileged command also works in privileged mode.
Configuration mode: This mode displays the (config)# prompt and enables you to change
system configurations. All privileged, unprivileged, and configuration commands work in
this mode.
Monitor mode: This is a special mode that enables you to update the image over the
network or to perform password recovery. While in the monitor mode, you can enter
commands specifying the location of the TFTP server and the PIX Security Appliance
software image or password recovery binary file to download.

Within each access mode, you can abbreviate most commands down to the fewest unique
characters for a command. For example, you can enter the write t command statement to view
the configuration instead of entering the full command write terminal. You can enter en
instead of the enable command to start privileged mode.

Help information is available from the PIX Security Appliance command line by entering the
help command or entering a question mark (?) to list all commands. If you enter the help
command or enter a question mark (?) after a command (for example, route?), the command
syntax is listed. The number of commands listed when you enter a question mark (?) or the
help command differs by access mode. Unprivileged mode offers the fewest commands and
configuration mode offers the greatest number of commands. In addition, you can enter any
command by itself on the command line and then press Enter to view the command syntax.

Note You can create your configuration on a text editor and then cut and paste it into the
configuration. You can paste the configuration in one line at a time, or the entire
configuration at once. Always check your configuration after pasting large blocks of text to
be sure that everything has been copied.



Access Privilege Mode—enable and enable password Commands

pixfirewall> enable [priv_level]
• Enables you to enter other access modes

pixfirewall(config)# enable password pw [level priv_level] [encrypted]
• Used to control access to the privileged mode

pixfirewall> enable
password:
pixfirewall# enable password cisco123

When first accessing a PIX Security Appliance, the administrator is presented with the
pixfirewall> prompt in the unprivileged mode, which enables you to view restricted settings. In
a previously configured PIX Security Appliance, the pixfirewall> prompt may be replaced with
a network-specific host name prompt such as Paris> or London>. To get started with the PIX
Security Appliance, the first command you must know is the enable command. This command
provides entrance to the privileged access mode. After you enter the enable command, the PIX
Security Appliance prompts you for your privileged mode password. By default, a password is
not required, so you can press Enter at the password prompt, or you can create a password of
your choice. After you are in privileged mode, notice that the prompt has changed to #.

The enable password command sets the privileged mode password. The password is case-
sensitive and can be from 3 to 16 alphanumeric characters long. Any character can be used
except a question mark (?), space, and colon (:).

If you create a password, write it down and store it in a manner consistent with your site
security policy. After you create this password, you cannot view it again because it is stored as
a Message Digest 5 (MD5) hash. The show enable password command lists the encrypted
form of the password. After passwords are encrypted, they cannot be reversed back to plain
text.

The syntax for the enable password command is as follows:

enable password pw [level priv_level] [encrypted]

Command Element   Description

pw                Specifies a case-sensitive password of 3 to 16 alphanumeric characters

priv_level        The privilege level, from 0 to 15

encrypted         Specifies that the password you entered is already encrypted

Note An empty password is also changed into an encrypted string.



Access Configuration Mode—configure terminal Command

pixfirewall# configure terminal
• Used to start configuration mode to enter configuration commands from a terminal

pixfirewall# exit
• Used to exit from an access mode

pixfirewall# configure terminal
pixfirewall(config)# exit
pixfirewall# exit
pixfirewall>

Use the configure terminal command to move from privileged mode to configuration mode.
As soon as you enter the configure terminal command, the prompt changes to (config)#.
Configuration mode enables you to change system configurations. Use the exit command or
quit command to exit and return to the previous mode.

Changing the Host Name CLI Prompt

(Figure: New_York, Chicago and Dallas servers, each behind its own PIX Security Appliance)

pixfirewall(config)# hostname newname
• Changes the host name in the PIX Security Appliance CLI

pixfirewall (config)# hostname chicago
chicago(config)#

In the configuration example in the figure, the PIX Security Appliance default host name label
is pixfirewall. In a network of multiple PIX Security Appliances, it may be advantageous to
assign a unique host name label to each PIX Security Appliance. To accomplish this, use the
hostname command. The hostname command changes the host name label on the prompts.
The host name can be up to 16 alphanumeric characters, and it can be uppercase and lowercase.

In the figure, the default host name label of pixfirewall is changed to chicago using the
hostname command. The syntax for the hostname command is as follows:

hostname newname

Command Element   Description

newname           New host name for the PIX Security Appliance prompt



Configuring the PIX Security Appliance
This topic explains the basic tasks used to configure the PIX Security Appliance.

Key PIX Configuration Tasks

• Preconfigure at initial bootup
• Set console timeout
• Set banner
• View and save configuration
• Erase configuration (if required)
• Reload configuration from Flash memory
• Back up and restore configuration
• Set TFTP parameters
• Configure name-to-IP address maps

(Figure: PIX Security Appliance with interfaces e0, e1 and e2 and a connection to the Internet)

You can configure the PIX Security Appliance by entering commands from the configuration
mode on your console computer or terminal that are similar in context to those that you use
with Cisco routers. The following figures explain some of the basic PIX configuration
commands.

Default Setup Dialog

Pre-configure PIX Security Appliance now through interactive prompts [yes]? <Enter>
Enable Password [<use current password>]: cisco123
Clock (UTC)
Year [2002]: <Enter>
Month [Aug]: <Enter>
Day [27]: 12
Time [22:47:37]: 14:22:00
Inside IP address: 10.0.0.1
Inside network mask: 255.255.255.0
Host name: chicago
Domain name: cisco.com
IP address of host running PIX Device Manager: 10.0.0.11
Use this configuration and write to flash? Y

When a nonconfigured PIX Security Appliance boots up, you are prompted to preconfigure it
through interactive prompts. If you press Enter to accept the default answer of yes, you are
presented with a series of prompts that lead you through the basic configuration steps. The
figure shows an example of how to respond to the prompts.

The setup dialog was designed to preconfigure the PIX Security Appliance to interact with the
Cisco PIX Device Manager (PDM). The PIX Security Appliance requires some
preconfiguration before PDM can connect to it. PDM is a GUI that can be used to configure
and monitor the PIX Security Appliance.

The setup dialog can also be accessed by entering the setup command. The following are the
prompts found in the setup dialog:
Enable Password: Specifies an enable password for this PIX Security Appliance
Clock (UTC): Sets the PIX Security Appliance clock to Universal Coordinated Time
(UTC)—also known as Greenwich Mean Time (GMT)
Year: Specifies the current year, or defaults to the year stored in the host computer
Month: Specifies the current month, or defaults to the month stored in the host computer
Day: Specifies the current day, or defaults to the day stored in the host computer
Time: Specifies the current time in hh:mm:ss format, or defaults to the time stored in the
host computer
Inside IP address: The inside network interface IP address of the PIX Security Appliance
Inside network mask: A network mask that applies to the inside IP address
Host name: The host name that you want to display in the PIX Security Appliance CLI
prompt
Domain name: The Domain Name System (DNS) domain name of the network on which
the PIX Security Appliance runs; for example, example.com

IP address of host running PIX Device Manager: IP address on which PDM connects to
the PIX Security Appliance

At the end of the setup dialog, you are asked if you want to write the configuration to Flash
memory. If you answer yes, the configuration you just entered is saved to Flash memory. If you
answer no, the setup dialog repeats using the values already entered as the defaults for the
questions.

Note You can escape the setup dialog by pressing Ctrl-Z.

console timeout Command

(Figure: console session to the PIX Security Appliance over a serial cable; a TFTP server on
the network)

pixfirewall(config)# console timeout number
• Idle time in minutes (0 to 60) after which the serial cable console session ends

pixfirewall(config)# console timeout 20

Note: By default there is no timeout

By default, there is no timeout value for console session users. If a console user walks away
from an open session, the session remains open. Therefore, it may be prudent to configure an
idle timeout value in the PIX Security Appliance. If there is no activity for a predefined time,
the PIX Security Appliance ends the console session.

The console timeout command sets the timeout value for any authenticated, privileged mode,
or configuration mode user session when accessing the firewall console through a serial cable.
The default value is zero, which means no timeout; a console session that never times out
presents a security risk. By setting the number to a nonzero value, the user is logged out after
the specified period of inactivity. This timeout does not alter the Telnet or Secure Shell
Protocol (SSH Protocol) timeouts; these access methods maintain their own timeout values.



banner Command

The banner command configures a banner to display.
• exec
• login
• motd

chicago (config)# banner exec Unauthorized access is prohibited.
chicago (config)# banner exec Violators will be prosecuted.

Resulting console session:
Unauthorized access is prohibited.
Violators will be prosecuted
Type help or ? for available commands
chicago>

The banner command enables the administrator to define messages in the PIX Security
Appliance. There are three types of banner commands: exec, login, and motd. Each banner
command type is used as follows:
exec: Configures the system to display a banner before displaying the privilege mode
prompt
login: Configures the system to display a banner before the password login prompt when
accessing the firewall using Telnet
motd: Configures the system to display a message-of-the-day (MOTD) banner

The banner command configures a banner to display for the option specified. The text string
consists of all characters following the first white space (space) until the end of the line
(carriage return or line feed). Spaces in the text are preserved. However, tabs cannot be entered
through the CLI. Multiple lines in a banner are handled by entering a new banner command for
each line that you wish to add. Each line is then appended to the end of the existing banner.

In the figure, the administrator wants to add a legal statement to the login process. The banner
command enables the administrator to preface all console sessions with the following
statement: “Unauthorized access is not permitted. Violators will be prosecuted.”

To replace a banner, use the no banner command before adding the new lines. The no banner
{exec | login | motd} command removes all the lines for the banner option specified. The no
banner command does not selectively delete text strings; therefore, any text entered at the end
of the no banner command is ignored.

The clear banner command removes all the banners.

The show banner {motd | exec | login} command displays the specified banner option and all
the lines configured for it. If a banner option is not specified, all the banners are displayed.

Viewing and Saving Your Configuration

The PIX Security Appliance has two configuration memories:
• running configuration
• startup configuration

(Figure: configuration changes are written to running-config; write memory saves running-config
to startup-config)

Use these commands to view or save your configuration:
• show running-config
• show startup-config
• write memory

There are two configuration memories in the PIX Security Appliance: the running configuration
and the startup configuration. The show running-config command displays on the terminal the
current configuration held in PIX Security Appliance RAM. Any changes made to the PIX
Security Appliance configuration are written into the running configuration, which is held in
volatile RAM. If the PIX Security Appliance loses power or is rebooted, any changes to the
running configuration that were not previously saved are lost. You can also display the current
running configuration with the write terminal command.

The write memory command saves the current running configuration to the Flash memory
startup configuration. Using this command is the same as answering yes to the setup dialog
prompt asking if you wish to save the current configuration. When the configuration has been
written to Flash memory, you can view it with either the show startup-config command or the
show configure command.

Another useful command is show history, which displays previously entered commands. You
can examine commands individually with the Up Arrow key and the Down Arrow key or by
entering Ctrl-P to view previously entered lines or Ctrl-N to view the next line.



Erasing Your Configuration

pixfirewall(config)# write erase
• Clears the start-up configuration in Flash memory

chicago# write erase
Erase PIX configuration in Flash memory? [confirm]

The write erase command clears the startup configuration. When you issue this command, you
are prompted to confirm if you want to erase the startup configuration. If you enter yes, the
startup configuration is erased. At this point, you can power cycle, or reboot the PIX Security
Appliance. The PIX Security Appliance reverts to the default configuration. You can copy the
running configuration to Flash memory by issuing the write memory command.

Reload the Configuration—reload Command

pixfirewall(config)# reload [noconfirm]
• Reboots the PIX Security Appliance and reloads the configuration

chicago# reload
Proceed with reload?[confirm] y
Rebooting...
PIX Bios V2.7..

The reload command reboots the PIX Security Appliance and reloads the configuration from
Flash memory. You are prompted with “Proceed with reload?” for confirmation before the
reload process begins. Any response other than no causes the reboot to occur.

Configuration changes not written to Flash memory are lost after reload. Before rebooting,
store the current configuration in Flash memory with the write memory command.

The noconfirm command option permits the PIX Security Appliance to reload without user
confirmation. The PIX Security Appliance does not accept abbreviations to the keyword
noconfirm.

If you wish to return the PIX Security Appliance back to the factory default configuration, use
the write erase command and the reload command. The write erase command clears the
startup configuration and reverts to the factory default parameters. The reload command
reboots the PIX Security Appliance using the startup configuration, which, in this case, is the
factory default configuration.

An administrator can back up or restore a PIX Security Appliance configuration. The write net
command stores the current configuration into a file on a TFTP server elsewhere in the
network. The configure net command restores the configuration from the server to the PIX
Security Appliance. To complete the backup or restore, the administrator must supply
information such as the IP address and the file pathname of the TFTP server.



Configuration Backup and Restore—write net and configure net

(Figure: write net sends the configuration to the TFTP server at 10.0.0.11; configure net
retrieves it)

TFTP Server Configuration
- IP address: 10.0.0.11
- Path: pixfirewall/config
- File: test_config

pixfirewall(config)# write net [server_ip]:[filename]
• Stores the current running configuration to a file on a TFTP server

pixfirewall(config)# configure net [server_ip]:[filename]
• Downloads a configuration file from a TFTP server

pixfirewall(config)# write net 10.0.0.11:/pixfirewall/config/test_config

The write net command enables you to store the current configuration to a file on a TFTP
server elsewhere in the network. The configure net command merges the current running
configuration with the TFTP configuration stored at the IP address that you specify and from
the file that you name. To use the configure net and write net commands, you must specify
both the server IP address and the full path in the tftp-server command.

If you have an existing PIX Security Appliance configuration on a TFTP server and store a
shorter configuration with the same filename on the TFTP server, some TFTP servers will leave
some of the original configuration after the first “end” mark. This loss of configuration text
does not affect the PIX Security Appliance because the configure net command stops reading
when it reaches the first end mark; however, it may cause confusion if you view the
configuration and see extra text at the end of the configuration. This issue does not occur if you
are using Cisco TFTP Server version 1.1 for Microsoft Windows NT.

The example in the figure specifies the TFTP server address as 10.0.0.11 and the path to the file
test_config as pixfirewall/config. Because the interface where the TFTP server resides is not
specified, the inside interface is assumed. The write net command tells the PIX Security
Appliance to store the configuration in the test_config file.

The syntax for the write net command is write net [server_ip]:[filename], and the syntax for
the configure net command is configure net [server_ip]:[filename].

TFTP Server Parameters—tftp-server Command

TFTP Server Parameters
- IP address: 10.0.0.11
- Path: Pixfirewall/config
- File: Test_config

pixfirewall(config)# tftp-server [if_name] ip_address path
• Specifies the IP address of a TFTP configuration server
• Specifies the path and filename

pixfirewall(config)# tftp-server 10.0.0.11 pixfirewall/config/test_config
pixfirewall(config)# write net

Rather than write the full server IP address and file pathname every time the configuration is
backed up or restored, the PIX Security Appliance enables the administrator to “split” the
command into two commands: the write net or configure net command and the tftp-server
command. The write net and configure net commands back up the current configuration and
restore a configuration from the TFTP server, respectively. The tftp-server command defines
the IP address and the file pathname of the TFTP server. The write net and configure net
commands rely on the server IP address and file pathname specified in the tftp-server
command. The information that you specify in the tftp-server command is appended to the
configure net and write net commands. The more of the file and pathname you specify with the
tftp-server command, the less you need to specify with the configure net and write net
commands. If you specify the IP address and full path and filename in the tftp-server
command, the configure net and write net commands can be entered with just a colon (:), as
write net : or configure net :.

The no tftp-server command disables access to the server, and the clear tftp-server command
removes the tftp-server command from your configuration. The show tftp-server command
lists the tftp-server command statements in the current configuration.

The syntax for the tftp-server command is as follows:

tftp-server [if_name] ip_address path

Command Element   Description

if_name           This is the interface name on which the TFTP server resides. If not
                  specified, an internal interface is assumed. If you specify the outside
                  interface, a warning message informs you that the outside interface is
                  insecure.

ip_address        This is the IP address or network of the TFTP server.
                  Note: The PIX Security Appliance supports only one TFTP server.

path              This is the path and filename of the configuration file. The format for
                  path differs by the type of operating system on the server. The contents
                  of the path are passed directly to the server without interpretation or
                  checking. The configuration file must exist on the TFTP server. Many TFTP
                  servers require the configuration file to be world-writable to write to
                  it and world-readable to read from it.

Note If you erase the configuration, you must reenable and set an IP address on the interface
connected to the TFTP server before the PIX Security Appliance can read a new
configuration from the TFTP server.

Host Name-to-IP Address Mapping—name Command

(Figure: "bastionhost" 172.16.0.2 on the 172.16.0.0 network and "insidehost" 10.0.0.11 on the
10.0.0.0 network, both attached to the PIX Security Appliance through interfaces e0, e1 and e2)

pixfirewall(config)# name ip_address name
• Configures a list of name-to-IP address mappings on the PIX Security Appliance

chicago(config)# names
chicago(config)# name 172.16.0.2 bastionhost
chicago(config)# name 10.0.0.11 insidehost

Use of the name command enables you to configure a list of name-to-IP address mappings on
the PIX Security Appliance. This mapping allows the use of names in the configuration instead
of IP addresses. In the figure, the server and PC IP addresses are mapped to the names
“bastionhost” and “insidehost.” Bastionhost and insidehost can be used in place of an IP
address in any PIX Security Appliance command reference; for example, with the ping
command ping insidehost.

The syntax for the name command is as follows:

name ip_address name

Command Element Description

ip_address The IP address of the host being named

name The name assigned to the IP address

Allowable characters for the name are a to z, A to Z, 0 to 9, a hyphen (-), and an underscore (_).
The name cannot start with a number. If the name is over 16 characters long, the name
command fails. After the name is defined, it can be used in any PIX Security Appliance
command reference in place of an IP address. The names command enables the use of the
name command. The clear names command clears the list of names from the PIX Security
Appliance configuration. The no names command disables the use of the text names, but does
not remove them from the configuration. The show names command lists the name command
statements in the configuration.

Note Most commands can be removed or disabled by placing the word no in front of the
command. For example, the no form of the names command shown previously disables the
use of names.
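The argument rules this lesson states for enable password, hostname, console timeout and name can be checked before a configuration prepared in a text editor is pasted into configuration mode. The following Python linter is an added example, not code from the student guide or from Cisco; the sample fragment it checks is constructed, and the rules it enforces are this lesson's stated constraints.

```python
"""Pre-paste linter for a PIX Security Appliance configuration fragment.

Added example, not code from the SND student guide or from Cisco. It checks
text prepared in an editor against the argument rules this lesson states for
enable password, hostname, console timeout and name.
"""
import re

PASSWORD_FORBIDDEN = set("? :")   # '?', space and ':' may not appear in an enable password
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")        # up to 16 alphanumeric characters
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]*$")      # a-z A-Z 0-9 - _, not starting with a digit


def check_enable_password(pw):
    """enable password pw: case-sensitive, 3 to 16 characters, no '?', space or ':'."""
    if not 3 <= len(pw) <= 16:
        return "enable password must be 3 to 16 characters long"
    bad = PASSWORD_FORBIDDEN & set(pw)
    if bad:
        return "enable password contains forbidden character(s): " + "".join(sorted(bad))
    return None


def check_hostname(name):
    """hostname newname: up to 16 alphanumeric characters, upper- or lowercase."""
    if not HOSTNAME_RE.match(name):
        return f"hostname '{name}' must be 1 to 16 alphanumeric characters"
    return None


def check_name(name):
    """name ip_address name: letters, digits, '-' and '_', not starting with a digit;
    the name command fails beyond 16 characters."""
    if len(name) > 16:
        return f"name '{name}' is longer than 16 characters; the name command would fail"
    if not NAME_RE.match(name):
        return f"name '{name}' has disallowed characters or starts with a digit"
    return None


def check_console_timeout(value):
    """console timeout number: 0 to 60 minutes; 0 is the default and means no timeout."""
    if not value.isdigit() or int(value) > 60:
        return "console timeout must be 0 to 60 minutes"
    if int(value) == 0:
        return "console timeout 0 leaves an idle console session open indefinitely"
    return None


def lint_config(text):
    """Return [(line_number, message), ...]; line 0 marks findings about the whole fragment."""
    findings = []
    saw_enable_password = saw_console_timeout = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):   # blank line or comment line
            continue
        msg = None
        if tokens[:2] == ["enable", "password"]:
            saw_enable_password = True
            if len(tokens) < 3:
                msg = "enable password has no argument (empty password)"
            elif "encrypted" not in tokens[3:]:   # an already-hashed value is not re-checked
                msg = check_enable_password(tokens[2])
        elif tokens[0] == "hostname" and len(tokens) == 2:
            msg = check_hostname(tokens[1])
        elif tokens[0] == "name" and len(tokens) == 3:
            msg = check_name(tokens[2])
        elif tokens[:2] == ["console", "timeout"] and len(tokens) == 3:
            saw_console_timeout = True
            msg = check_console_timeout(tokens[2])
        if msg:
            findings.append((lineno, msg))
    if not saw_enable_password:
        findings.append((0, "no enable password set; privileged mode opens by pressing Enter"))
    if not saw_console_timeout:
        findings.append((0, "no console timeout configured; the default is no timeout"))
    return findings


# Constructed sample fragment, the kind prepared in an editor before pasting.
SAMPLE_CONFIG = """\
hostname chicago
enable password cis:co
console timeout 0
name 172.16.0.2 bastionhost
name 10.0.0.11 2insidehost
name 10.0.0.12 averyveryverylonghostname
"""

if __name__ == "__main__":
    for lineno, message in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```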



Adaptive Security Algorithm Security Levels
This topic describes the levels and function of the Adaptive Security Algorithm.

The Heart of the PIX Security Appliance—Adaptive Security Algorithm

• Proprietary function of the Cisco PIX Security Appliance.
• Stateful approach to security—every inbound packet is checked.
• Allows one-way (outbound) connections with a minimum number of configuration changes.
• Monitors return packets to ensure that they are valid.
• Randomizes the first TCP sequence number to minimize the risk of attack.
• Maintains the secure perimeters between the networks controlled by the PIX Security
  Appliance.
• Uses a concept of security levels to control traffic between interfaces.

The PIX uses Adaptive Security Algorithm to perform stateful packet inspection on traffic
leaving the firewall. The PIX uses a real-time, embedded operating system to track the
propriety of thousands of simultaneous connections. Adaptive Security Algorithm is a stateful
approach to security. Every inbound packet (the packet originating from a host on a less-
protected network and destined for a host on a more-protected network) is checked against the
Adaptive Security Algorithm and against connection state information in the PIX Security
Appliance memory.

Adaptive Security Algorithm allows one-way (outbound) connections with a minimum number
of configuration changes. An outbound connection is a connection originating from a host on a
more-protected interface and destined for a host on a less-protected network. Adaptive Security
Algorithm is always in operation. It monitors return packets to ensure they are valid. Adaptive
Security Algorithm actively randomizes the first TCP sequence number to minimize the risk of
TCP sequence number attacks.

Connection and Translation Tables


Adaptive Security Algorithm uses two tables to track traffic flowing through the PIX Security
Appliance—the connection table and the translation table. The connection table contains a
reference to the session connection between the two computers that are talking. The translation
table maintains a reference between the inside IP address and the translated global IP address.
Adaptive Security Algorithm compares fields in either or both the TCP or User Datagram
Protocol (UDP) headers and IP headers in the incoming packet. A match for a packet coming
from a lower security level toward a higher security level has to exist in both the translation
table and the connection table.

Adaptive Security Algorithm Security Levels

Adaptive Security Algorithm uses a concept of security levels to control traffic between
interfaces.

(Figure: PIX Security Appliance with three interfaces)
• e0: Outside Network (Untrusted), security level 0, interface name = outside
• e1: Inside Network (Trusted), security level 100, interface name = inside
• e2: DMZ Network, security level 50, interface name = DMZ

A PIX Security Appliance has a very simple mechanism to control traffic between interfaces.
The Adaptive Security Algorithm uses a concept of security levels to determine whether traffic
can pass between two interfaces. The higher the security level setting on an interface, the more
trusted it is.

The security level designates whether an interface is trusted (and more protected) or untrusted
(and less protected) relative to another interface. An interface is considered trusted in relation to
another interface if its security level is higher than the other interface security level, and is
considered untrusted in relation to another interface if its security level is lower than the other
interface security level.

The primary rule for security levels is that an interface with a higher security level can access
an interface with a lower security level. Conversely, an interface with a lower security level
cannot access an interface with a higher security level unless an access control list (ACL)
allows exceptions. Security levels range from 0 (lowest) to 100 (highest). As shown in the
figure, security level 100 is set behind the firewall (the inside network) and security level 0 is
assigned outside the firewall (the outside network). In this example, the Demilitarized Zone
(DMZ) has been assigned a security level of 50.

Security Level Definitions

Security Level           Applicability

Security level 100       This is the inside interface default setting for the PIX Security Appliance and
                         cannot be changed. Because 100 is the most trusted interface security level,
                         your corporate network should be set up behind it so that no one else can access
                         your network unless they are specifically given permission, and so that every
                         device behind this interface can have access outside the corporate network.

Security levels 1 to 99  These security levels can be assigned to the perimeter interfaces connected to
                         the PIX Security Appliance. Security levels are assigned based on the type of
                         access that each device needs.

Security level 0         This is the outside interface default setting for the PIX Security Appliance and
                         cannot be changed. Because 0 is the least-trusted interface security level, you
                         should set your most untrusted network behind this interface so that it does not
                         have access to other interfaces unless it is specifically given permission. This
                         interface is usually used for Internet connections.

The “Security Level Operation” table summarizes the way that traffic flows through interfaces
assigned various security levels.

Security Level Operation

More secure interface to a less secure interface: Traffic originating from the inside interface of
the PIX Security Appliance (security level 100) to the outside interface (security level 0) follows
this rule: allow all IP-based traffic unless restricted by ACLs, authentication, or authorization.

Less secure interface to a more secure interface: Traffic originating from the outside interface
(security level 0) to the inside interface (security level 100) follows this rule: drop all packets
unless specifically allowed by an ACL command. You can further restrict the traffic if
authentication and authorization are used.

Between two interfaces with the same security level: No traffic flows between two interfaces
with the same security level.

The figure shows a simple configuration with three different security levels assigned to three
ports. The “Security Level Settings” table summarizes the security level settings.

Security Level Settings

Interface pair: Outside (security 0) to DMZ (security 50)
Relative relationship for the Ethernet 2 (DMZ) interface: DMZ is considered trusted.
Configuration guidelines: Static routes and ACLs must be configured to enable sessions
originated from the outside interface to the DMZ interface.

Interface pair: Inside (security 100) to DMZ (security 50)
Relative relationship for the Ethernet 2 (DMZ) interface: DMZ is considered untrusted.
Configuration guidelines: Global IP address pools and Network Address Translation (NAT) are
configured to enable sessions originated from the inside interface to the DMZ interface. Static
routes may be configured for the DMZ interface to ensure that service hosts have the same
source address.

Note The PIX Security Appliance can support up to ten interfaces depending on the model and
license.
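The decision described by the two tables above, as an added example that is not part of the course material: a small Python model of the security-level rule for a new connection. The interface names and levels follow the figure; the Firewall and AclPermit classes, the ACL entry on the outside interface, and the host addresses are assumptions made for the example.

```python
# Added example (not from the course): a model of the Adaptive Security
# Algorithm interface rule. Interface names and levels follow the figure;
# the ACL entry and host addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int  # 0 = least trusted ... 100 = most trusted


@dataclass
class AclPermit:
    """One permit entry applied to traffic entering an interface (constructed)."""
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    port: Optional[int] = None   # None means any destination port


@dataclass
class Firewall:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    acls: Dict[str, List[AclPermit]] = field(default_factory=dict)

    def add_interface(self, name: str, level: int) -> None:
        self.interfaces[name] = Interface(name, level)

    def permit(self, in_if: str, entry: AclPermit) -> None:
        """Bind a permit entry to the ingress interface in_if."""
        self.acls.setdefault(in_if, []).append(entry)

    def _acl_allows(self, in_if: str, src: str, dst: str, port: int) -> bool:
        for e in self.acls[in_if]:
            if (ip_address(src) in ip_network(e.src)
                    and ip_address(dst) in ip_network(e.dst)
                    and (e.port is None or e.port == port)):
                return True
        return False  # implicit deny at the end of every ACL

    def new_connection(self, in_if: str, out_if: str,
                       src: str, dst: str, port: int) -> Tuple[bool, str]:
        """Decide whether a new connection entering in_if and leaving out_if may start.

        Only the first packet of a connection is judged here; return traffic for
        an established connection is matched against the connection table instead.
        """
        src_level = self.interfaces[in_if].security_level
        dst_level = self.interfaces[out_if].security_level
        if src_level == dst_level:
            return False, "same security level: no traffic flows"
        if in_if in self.acls:
            # Once an ACL is bound to the ingress interface it decides, in both
            # directions, and ends with an implicit deny.
            allowed = self._acl_allows(in_if, src, dst, port)
            return allowed, ("permitted" if allowed else "denied") + f" by the ACL on {in_if}"
        if src_level > dst_level:
            return True, "higher to lower security level: allowed by default"
        return False, "lower to higher security level: dropped (no ACL permits it)"


def build_sample_firewall() -> Firewall:
    """The three interfaces of the figure plus one constructed ACL on outside."""
    fw = Firewall()
    fw.add_interface("outside", 0)
    fw.add_interface("inside", 100)
    fw.add_interface("dmz", 50)
    # Constructed: expose a DMZ web server on port 80, and nothing else, to the outside.
    fw.permit("outside", AclPermit(src="0.0.0.0/0", dst="172.16.0.2/32", port=80))
    return fw


if __name__ == "__main__":
    fw = build_sample_firewall()
    for flow in [("inside", "outside", "10.0.0.11", "200.200.200.11", 80),
                 ("outside", "inside", "200.200.200.11", "10.0.0.11", 80),
                 ("outside", "dmz", "200.200.200.11", "172.16.0.2", 80),
                 ("outside", "dmz", "200.200.200.11", "172.16.0.2", 22)]:
        print(flow, fw.new_connection(*flow))
```

The model makes the practical point of the tables explicit: the moment an ACL is bound to an interface, the security level no longer decides for that interface; the ACL does, and it denies everything it does not list.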

Basic PIX Security Appliance Operational
Commands
This topic explains the basic commands needed to make the PIX Security Appliance
operational.

PIX Security Appliance Basic Commands

[Figure: PIX Security Appliance with interfaces e0 (toward the Internet), e1, and e2]

• nameif
• interface
• ip address
• nat
• global
• route

The following are some of the primary configuration commands for the PIX Security
Appliance:
nameif: Assigns a name to each perimeter interface and specifies its security level
interface: Configures the type and capability of each perimeter interface
ip address: Assigns an IP address to each interface
nat: Shields IP addresses on the inside network from the outside network by performing
Network Address Translation.
global: Creates a pool of one or more IP addresses for use in NAT and port address
translation (PAT)
route: Defines a static or default route for an interface



Assign an Interface Name and Security
Level—nameif Command

[Figure: ethernet0 = outside, security level sec0; ethernet1 = inside, security level sec100;
ethernet2 = DMZ, security level sec50]

    pixfirewall(config)# nameif hardware_id if_name security_level

• Assigns a name to each perimeter interface on the PIX Security Appliance and specifies its
  security level

    chicago(config)# nameif ethernet2 dmz sec50

The nameif command assigns a name to each interface on the PIX Security Appliance and
specifies its security level (except for the inside and outside PIX Security Appliance interfaces,
which are named by default). The first two interfaces have the default names “inside” and
“outside.” The inside interface has a default security level of 100; the outside interface has a
default security level of 0. In the figure, interface ethernet2 was assigned a name of DMZ with
a security level of 50. The syntax for the nameif command is as follows:

nameif hardware_id if_name security_level

hardware_id: This is the hardware name for the network interface that specifies the slot location
of the interface on the PIX Security Appliance motherboard. For more information on PIX
Security Appliance hardware configuration, refer to the Cisco PIX Security Appliance Hardware
Installation Guide. A logical choice for an Ethernet interface name is ethernetn. These names
can also be abbreviated with any leading characters in the name, for example, ether1 or e2.

if_name: This name describes the perimeter interface. This name is assigned by you and must be
used in all future configuration references to the perimeter interface.

security_level: This indicates the security level for the perimeter interface. Enter a security level
of sec1 to sec99.

interface Command

[Figure: ethernet0, ethernet1, and ethernet2 all set to 100full]

    pixfirewall(config)# interface hardware_id [hardware_speed] [shutdown]

• Enables an interface and configures its type and speed

    chicago(config)# interface ethernet0 100full
    chicago(config)# interface ethernet1 100full
    chicago(config)# interface ethernet2 100full

The interface command identifies hardware, sets its hardware speed, and enables the interface.
The shutdown command option disables an interface. When you first install the PIX Security
Appliance, all interfaces are shut down by default. You must explicitly enable them by entering
the interface command without the shutdown command option. In the figure, interfaces e0, e1,
and e2 are set for 100-Mbps full-duplex communications.

The syntax for the interface command is as follows:

interface hardware_id [hardware_speed] [shutdown]

hardware_id: This specifies an interface and its slot location on the PIX Security Appliance.
This is the same variable that was used during the nameif command.

hardware_speed: This determines the connection speed. Possible Ethernet values are as follows:
  10baset: Set for 10-Mbps Ethernet half-duplex communication
  10full: Set for 10-Mbps Ethernet full-duplex communication
  100basetx: Set for 100-Mbps Ethernet half-duplex communication
  100full: Set for 100-Mbps Ethernet full-duplex communication
  1000sxfull: Set for 1000-Mbps Gigabit Ethernet full-duplex operation
  1000basesx: Set for 1000-Mbps Gigabit Ethernet half-duplex operation
  1000auto: Set for 1000-Mbps Gigabit Ethernet to autonegotiate full-duplex or half-duplex
  (It is recommended that you do not use this option, to maintain compatibility with switches
  and other devices in your network.)
  aui: Set for 10-Mbps Ethernet half-duplex communication with an attachment unit interface
  (AUI) cable interface
  auto: Set for Ethernet speed automatically (The auto keyword can only be used with the
  Intel 10/100 automatic speed sensing network interface card.)
  bnc: Set for 10-Mbps Ethernet half-duplex communication with a BNC cable interface
Possible Token Ring values are as follows:
  4mbps: 4-Mbps data transfer speed (You can specify this as 4.)
  16mbps: (Default) 16-Mbps data transfer speed (You can specify this as 16.)

shutdown: Administratively shuts down the interface

Although the hardware speed is set to automatic speed sensing by default, it is recommended
that you specify the speed of the network interfaces. This enables the PIX Security Appliance
to operate in network environments that may include switches or other devices that do not
handle auto sensing correctly.

Assign Interface IP Address—
ip address Command

[Figure: ethernet2, named dmz, assigned IP address 172.16.0.1]

    pixfirewall(config)# ip address if_name ip_address [netmask]

• Assigns an IP address to each interface

    chicago(config)# ip address dmz 172.16.0.1 255.255.255.0

Each interface on the PIX Security Appliance must be configured with an IP address. Use the
ip address command for this purpose. If you make a mistake while entering this command,
reenter it with the correct information. The clear ip command resets all interface IP addresses
to no IP address. In the figure, the dmz interface is configured with an IP address of 172.16.0.1
and a mask of 255.255.255.0. The syntax for the ip address command is as follows:

ip address if_name ip_address [netmask]

if_name: This describes the interface. This name is assigned by you, and must be used in all
future configuration references to the interface.

ip_address: This specifies the IP address of the interface.

netmask: This specifies the network mask of an IP address. If a network mask is not specified,
the default network mask is assumed.



DHCP Assigned Address

[Figure: ethernet0, named outside, receives a DHCP-assigned address]

    pixfirewall(config)# ip address outside dhcp [setroute] [retry retry_cnt]

• Enables the DHCP client feature on the outside interface

    chicago(config)# ip address outside dhcp

Instead of manually configuring an IP address on the PIX Security Appliance outside interface,
you can enable the PIX Security Appliance DHCP client feature to have the PIX Security
Appliance dynamically retrieve an IP address from a DHCP server. With the PIX Security
Appliance configured as a DHCP client, a DHCP server can configure the PIX Security
Appliance outside interface with an IP address, subnet mask, and, optionally, a default route.
Use the ip address dhcp command to enable this feature. In the figure, the PIX Security
Appliance is configured to receive an IP address on the outside interface via DHCP.

Use the show ip address dhcp command to view current information about your DHCP lease.
Reentering the ip address outside dhcp command releases and renews the DHCP lease. The clear
ip command can also be used to release and renew the DHCP lease, but it clears the IP address
configuration of every PIX Security Appliance interface. To delete the DHCP-leased IP address
from the outside interface only, use the clear ip address outside dhcp command. The debug
dhcpc packet | detail | error command provides debugging tools for the DHCP client feature.

DHCP Assigned Address Commands

ip address if_name ip_address [netmask]: This command identifies addresses for network
interfaces, and enables you to set the number of times that the PIX Security Appliance will poll
for DHCP information.
  if_name: This describes the interface. This name is assigned by you, and must be used in all
  future configuration references to the interface.
  ip_address: This specifies the IP address of the interface.
  netmask: This specifies the network mask of ip_address. If a network mask is not specified,
  the default network mask is assumed.

ip address outside dhcp [setroute] [retry retry_cnt]: Use this command to receive DHCP
information from the ISP.
  outside: Specifies the interface from which the PIX Security Appliance will poll for
  information
  dhcp: Specifies that the PIX Security Appliance will use DHCP to obtain an IP address
  setroute: Tells the PIX Security Appliance to set the default route using the default gateway
  parameter that the DHCP server returns
  retry: Enables the PIX Security Appliance to retry a poll for DHCP information
  retry_cnt: Specifies the number of times the PIX Security Appliance will poll for DHCP
  information (The values available are 4 to 16. If no value is specified, the default is 4.)

clear ip address outside dhcp [setroute] [retry retry_cnt]: Deletes the DHCP-leased IP address
from the outside interface only. The plain clear ip command, by contrast, clears every interface
address and stops all traffic through the PIX Security Appliance unit.

Note The PIX Security Appliance DHCP client does not support failover configurations.



Network Address Translation

[Figure: inside host 10.0.0.11 sends through NAT to outside host 200.200.200.11; the
translation table maps global address 192.168.0.20 to local address 10.0.0.11; another inside
host is 10.0.0.4]

NAT enables you to keep your internal IP addresses—those behind the PIX Security
Appliance—unknown to external networks. NAT accomplishes this by translating the internal
IP addresses, which are not globally unique, into globally accepted IP addresses before packets
are forwarded to the external network. NAT is implemented in the PIX Security Appliance with
the nat and global commands.

When an outbound IP packet sent from a device on the inside network reaches a PIX Security
Appliance with NAT configured, the source address is extracted and compared to an internal
table of existing translations. If the device address is not already in the table, it is then
translated. A new entry is created for that device, and it is assigned an IP address from a pool of
global IP addresses. This global pool is configured with the global command. After this
translation, the table is updated and the translated IP packet is forwarded. After a user-
configurable timeout period (or the default of 3 hours), and if there have been no translated
packets for that particular IP address, the entry is removed from the table, and the global
address is freed for use by another inside device.

In the figure, host 10.0.0.11 starts an outbound connection. The PIX Security Appliance
translates the source address to 192.168.0.20. Packets from host 10.0.0.11 are seen on the
outside as having a source address of 192.168.0.20.

nat Command

[Figure: inside host 10.0.0.11 is translated to a global address X.X.X.X toward the Internet;
another inside host is 10.0.0.4]

    pixfirewall(config)# nat [(if_name)] nat_id address [netmask] [dns] [max_conns] [emb_limit]

• Enables IP address translation

    chicago(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The first step in enabling NAT on a PIX Security Appliance is entering the nat command. The
nat command can specify dynamic translation for a single host or a range of hosts. The nat
command has two major components, nat_id and IP address or range of IP addresses. A nat_id
is a number from 1 to 2147483647 that specifies the hosts for dynamic address translation. The
dynamic addresses are chosen from a global address pool created with the global command.
The nat command nat_id number must match the nat_id number in the global command if you
want to use that specific global pool of IP addresses for the dynamic address translation.

For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound
connections from a host within the specified network, 10.0.0.0/24, can pass through the PIX
Security Appliance (with address translation). The nat (inside) 1 10.0.0.11 255.255.255.255
command means that only outbound connections originating from the inside host 10.0.0.11 are
translated as the packet passes through the PIX Security Appliance. You can use 0.0.0.0 to
allow all hosts to be translated. The 0.0.0.0 can be abbreviated as 0. As shown in the example,
all inside hosts making outbound connections with the nat (inside) 1 0.0.0.0 0.0.0.0 command
are translated. The nat_id identifies the global address pool the PIX Security Appliance uses for
the dynamic address translation.

The syntax for the nat command is as follows:

nat [(if_name)] nat_id address [netmask] [dns] [max_conns] [emb_limit]

if_name: The name of the interface attached to the network to be translated

nat_id: A number greater than zero (0) that specifies the global address pool you want to use for
dynamic address translation

address: The IP address to be translated (You can use 0.0.0.0 to allow all hosts to start
outbound connections. The 0.0.0.0 can be abbreviated as 0.)

netmask: Network mask for the address (You can use 0.0.0.0 to allow all outbound connections
to translate with IP addresses from the global pool.)

dns: Specifies to use the created translation to rewrite the DNS address record

max_conns: The maximum number of simultaneous connections that the local_ip hosts are to
allow (Idle connections are closed after the idle timeout specified by the timeout conn
command.)

emb_limit: The maximum number of embryonic connections per host (An embryonic connection
is a connection request that has not finished the necessary handshake between source and
destination.) Set a small value for slower systems, and a higher value for faster systems. The
default is 0, which allows unlimited embryonic connections. A nonzero limit bounds the number
of half-open TCP connections a single host can accumulate, which is what protects the hosts
behind the translation against SYN flooding.

global Command

[Figure: inside host 10.0.0.11 is seen on the Internet as 192.168.0.20; another inside host is
10.0.0.4]

    pixfirewall(config)# global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface

• Works with the nat command to assign a registered or public IP address to an internal host
  when accessing the outside network through the firewall (for example,
  192.168.0.20-192.168.0.254)

    chicago(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    chicago(config)# global (outside) 1 192.168.0.20-192.168.0.254

In a PIX Security Appliance configuration, there may be more than one global pool configured.
Each outbound NAT is associated with a NAT ID, and each global pool has a corresponding
NAT ID. The PIX Security Appliance uses the NAT ID of the outbound IP packet to identify the
global pool from which to select a translation IP address; the NAT ID of the outbound packet
must match the NAT ID of the global pool. The PIX Security Appliance assigns addresses from
the designated global pool starting from the low end to the high end of the range specified in
the global command. The pool of global IP addresses is configured with the global command.

In the figure, host 10.0.0.11 starts an outbound connection. The NAT ID of the outbound
packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with
a NAT ID of 1. The PIX assigns an IP address of 192.168.0.20. It is the lowest available IP
address of the range specified in the global command. Packets from host 10.0.0.11 are seen on
the outside as having a source address of 192.168.0.20. The syntax for the global command is
as follows:

global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface

if_name: Describes the external network interface name where you will use the global addresses

nat_id: Identifies the global pool and matches it with its respective nat command

global_ip: A single IP address or the beginning IP address for a range of global IP addresses

-global_ip: The ending IP address of a range of global IP addresses

global_mask: The network mask for global_ip. If subnetting is in effect, use the subnet mask
(for example, 255.255.255.128). If you specify an address range that overlaps subnets with the
netmask command, this command will not use the broadcast or network address in the pool of
global addresses. For example, if you use 255.255.255.128 and an address range of
192.150.50.20–192.150.50.140, the 192.150.50.127 broadcast address and the 192.150.50.128
network address will not be included in the pool of global addresses.

interface: Specifies Port Address Translation (PAT) using the IP address at the interface.

If the nat command is used, the companion command, global, must be configured to define the
pool of translated IP addresses.

Use the no global command to delete a global entry; for example, no global (outside) 1
192.168.1.20-192.168.1.254 netmask 255.255.255.0.

Note The PIX Security Appliance uses the global addresses to assign a virtual IP address to an
internal NAT address. After adding, changing, or removing a global statement, use the clear
xlate command to make the IP addresses available in the translation table.
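The cooperation between the nat command and the global command described in the two sections above, as an added example that is not part of the course material: a Python model of nat_id matching, low-to-high allocation from the pool, exclusion of network and broadcast addresses when a netmask is given, and release of a global address once a translation has been idle for the 3-hour default. The addresses and nat_id 1 follow the figures; the class names, the method names, and the clock passed in as seconds are assumptions made for the example.

```python
# Added example (not from the course): how nat and global cooperate.
# Addresses mirror the figures; the clock is a plain integer of seconds so
# the xlate idle timeout can be exercised deterministically.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class GlobalPool:
    """One global command: a nat_id plus its usable addresses, lowest first."""

    def __init__(self, nat_id: int, first_ip: str,
                 last_ip: Optional[str] = None, netmask: Optional[str] = None):
        self.nat_id = nat_id
        lo, hi = int(ip_address(first_ip)), int(ip_address(last_ip or first_ip))
        addrs = [ip_address(i) for i in range(lo, hi + 1)]
        if netmask:
            # With a netmask, the network and broadcast address of every subnet
            # the range crosses are left out of the pool.
            def is_net_or_bcast(a):
                net = ip_network(f"{a}/{netmask}", strict=False)
                return a in (net.network_address, net.broadcast_address)
            addrs = [a for a in addrs if not is_net_or_bcast(a)]
        self.free: List[str] = [str(a) for a in addrs]

    def take(self) -> str:
        if not self.free:
            raise RuntimeError(f"global pool {self.nat_id} exhausted")
        return self.free.pop(0)           # low end of the range first

    def release(self, addr: str) -> None:
        self.free.append(addr)
        self.free.sort(key=ip_address)    # keep low-to-high allocation order


class Pix:
    XLATE_TIMEOUT = 3 * 60 * 60  # default translation idle timeout, in seconds

    def __init__(self):
        self.nat_rules = []                      # (nat_id, local network)
        self.pools: Dict[int, GlobalPool] = {}   # nat_id -> global pool
        # translation table: local ip -> (global ip, nat_id, time of last packet)
        self.xlate: Dict[str, Tuple[str, int, int]] = {}

    def nat(self, nat_id: int, address: str, netmask: str = "0.0.0.0") -> None:
        """nat (inside) nat_id address netmask; '0' abbreviates 0.0.0.0"""
        address = "0.0.0.0" if address == "0" else address
        self.nat_rules.append((nat_id, ip_network(f"{address}/{netmask}", strict=False)))

    def global_(self, pool: GlobalPool) -> None:
        """global (outside) nat_id first-last [netmask mask]"""
        self.pools[pool.nat_id] = pool

    def expire(self, now: int) -> None:
        """Drop idle translations and hand their global address back to the pool."""
        for local, (g, nat_id, last) in list(self.xlate.items()):
            if now - last >= self.XLATE_TIMEOUT:
                del self.xlate[local]
                self.pools[nat_id].release(g)

    def translate(self, local_ip: str, now: int) -> str:
        """Return the global source address used for an outbound packet from local_ip."""
        self.expire(now)
        if local_ip in self.xlate:             # existing entry: refresh and reuse it
            g, nat_id, _ = self.xlate[local_ip]
            self.xlate[local_ip] = (g, nat_id, now)
            return g
        for nat_id, net in self.nat_rules:      # first matching nat rule wins
            if ip_address(local_ip) in net:
                pool = self.pools.get(nat_id)
                if pool is None:
                    raise LookupError(f"nat {nat_id} has no global command with the same nat_id")
                g = pool.take()
                self.xlate[local_ip] = (g, nat_id, now)
                return g
        raise LookupError(f"no nat rule covers {local_ip}")


if __name__ == "__main__":
    pix = Pix()
    pix.nat(1, "0.0.0.0", "0.0.0.0")
    pix.global_(GlobalPool(1, "192.168.0.20", "192.168.0.254"))
    print(pix.translate("10.0.0.11", now=0))   # lowest free address, 192.168.0.20
    print(pix.translate("10.0.0.4", now=0))    # next one up, 192.168.0.21
```

Two failure modes worth noticing in the model: a nat command whose nat_id has no matching global command translates nothing (the LookupError), and a pool sized for fewer simultaneous hosts than you have runs dry until idle entries time out, which is why a change to a global statement is followed by clear xlate.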

Configure a Static Route—
route Command

[Figure: default route through the router at 192.168.0.1 on the outside; static route to the
10.0.1.0 network through the router at 10.0.0.102 on the inside; inside hosts 10.0.1.11 and
10.0.1.4]

    pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]

• Defines a static or default route for an interface

    chicago(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    chicago(config)# route inside 10.0.1.0 255.255.255.0 10.0.0.102 1

Use the route command to enter a static route for an interface. To enter a default route, set
ip_address and netmask to 0.0.0.0, or the shortened form of 0. In the figure, a route command
with the IP address of 0.0.0.0 identifies the command as the default route. The PIX transmits all
destination packets not listed in its routing table out the outside interface to the router at IP
address 192.168.0.1.

Create static routes to access specific networks beyond the locally connected networks. The
effect of a static route is like stating “to send a packet to the specified network, give it to this
router.” For example, in the figure, the PIX Security Appliance sends all packets destined to the
10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102.
This was accomplished by using the following static route command: route inside 10.0.1.0
255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination
network of 10.0.1.0.

The syntax for the route command is as follows:

route if_name ip_address netmask gateway_ip [metric]

if_name: Describes the internal or external network interface name

ip_address: Describes the internal or external network IP address (Use 0.0.0.0 to specify a
default route. The 0.0.0.0 IP address can be abbreviated as 0.)

netmask: Specifies a network mask to apply to the IP address (Use 0.0.0.0 to specify a default
route. The 0.0.0.0 netmask can be abbreviated as 0.)

gateway_ip: Specifies the IP address of the gateway router (the next-hop address for this route)

metric: [Optional] Specifies the number of hops to gateway_ip. If you are not sure, enter 1. Your
WAN administrator can supply this information or you can use a traceroute command to obtain
the number of hops. The default is 1 if a metric is not specified.

All routes entered using the route command are stored in the configuration when it is saved.

You can use the IP address of one of the PIX Security Appliance interfaces as the gateway
address. If this is done, the PIX Security Appliance broadcasts an Address Resolution Protocol
(ARP) request for the MAC address of the destination IP address in the packet instead of
broadcasting a request for the MAC address of the gateway IP address.
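The route behaviour described above, as an added example that is not part of the course material: a Python route table with longest-prefix lookup, the 0 abbreviation for 0.0.0.0, a default route, and the case where the gateway is one of the appliance's own interface addresses. The two routes are the ones in the figure; the RouteTable class and the interface addresses 192.168.0.2 and 10.0.0.1 are assumptions made for the example.

```python
# Added example (not from the course): a longest-prefix lookup that models the
# route command. The routes are from the figure; interface addresses are constructed.
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


class RouteTable:
    def __init__(self):
        self.connected = {}          # if_name -> directly attached network
        self.own_addresses = set()   # this appliance's interface addresses
        self.routes = []             # (if_name, network, gateway, metric)

    def ip_address_cmd(self, if_name: str, addr: str, netmask: str) -> None:
        """ip address if_name ip_address netmask"""
        self.own_addresses.add(ip_address(addr))
        self.connected[if_name] = ip_network(f"{addr}/{netmask}", strict=False)

    def route(self, if_name: str, dest: str, netmask: str, gateway: str, metric: int = 1) -> None:
        """route if_name ip_address netmask gateway_ip [metric]; '0' abbreviates 0.0.0.0"""
        dest = "0.0.0.0" if dest == "0" else dest
        netmask = "0.0.0.0" if netmask == "0" else netmask
        self.routes.append((if_name, ip_network(f"{dest}/{netmask}", strict=False),
                            ip_address(gateway), metric))

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Return (egress interface, address to ARP for), or None if dst is unroutable."""
        d = ip_address(dst)
        for if_name, net in self.connected.items():   # on-link: no gateway needed
            if d in net:
                return if_name, str(d)
        best = None
        for if_name, net, gw, metric in self.routes:
            if d not in net:
                continue
            if (best is None or net.prefixlen > best[1].prefixlen
                    or (net.prefixlen == best[1].prefixlen and metric < best[3])):
                best = (if_name, net, gw, metric)   # most specific prefix, then lowest metric
        if best is None:
            return None
        if_name, _, gw, _ = best
        # A route whose gateway is one of the appliance's own interface addresses
        # makes the PIX ARP for the destination itself instead of for a gateway.
        next_hop = d if gw in self.own_addresses else gw
        return if_name, str(next_hop)


def build_sample_table() -> RouteTable:
    rt = RouteTable()
    rt.ip_address_cmd("outside", "192.168.0.2", "255.255.255.0")    # constructed
    rt.ip_address_cmd("inside", "10.0.0.1", "255.255.255.0")        # constructed
    rt.route("outside", "0", "0", "192.168.0.1", 1)                   # default route
    rt.route("inside", "10.0.1.0", "255.255.255.0", "10.0.0.102", 1)  # static route
    return rt


if __name__ == "__main__":
    rt = build_sample_table()
    for dst in ("10.0.1.11", "200.200.200.11", "10.0.0.4"):
        print(dst, "->", rt.lookup(dst))
```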

Inside-to-Outside Configuration Example

[Figure: ethernet0 (100full, name outside, security level 0, IP address 192.168.6.2 on the
192.168.6.0 network) faces the Internet; ethernet1 (100full, name inside, security level 100,
IP address 10.0.6.1 on the 10.0.6.0 network) leads to the 10.1.6.0 network; ethernet2 (100full,
name dmz, security level 50, IP address 172.16.6.1 on the 172.16.6.0 network)]

    write terminal
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    ip address outside 192.168.6.2 255.255.255.0
    ip address inside 10.0.6.1 255.255.255.0
    ip address dmz 172.16.6.1 255.255.255.0

The figure shows the initial part of a basic PIX Security Appliance configuration. There are
three basic configuration commands in the example: interface, nameif, and ip address. Using
the interface command, each of the interfaces is set for 100-Mbps full-duplex communications;
ethernet0 and ethernet1 are set for their default name configuration (for example, nameif
ethernet0 outside security0). Using the nameif command, the additional interface, ethernet2,
is configured as follows: nameif ethernet2 dmz security50. The last command is the ip
address command. Each of the three interfaces is assigned an IP address and subnet mask; for
example, ip address outside 192.168.6.2 255.255.255.0.



Inside-to-Outside Configuration Example
(Cont.)

[Figure: "bastionhost" 172.16.6.2 on the 172.16.6.0 dmz network; "insidehost" 10.1.6.11 on the
10.1.6.0 network behind the router at 10.0.6.102; default route to the router at 192.168.6.1 on
the outside; static route to 10.1.6.0; global pool 192.168.6.20 - 254]

    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname chicago
    names
    name 172.16.6.2 bastionhost
    name 10.1.6.11 insidehost
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    global (outside) 1 192.168.6.20-192.168.6.254
    route outside 0.0.0.0 0.0.0.0 192.168.6.1 1
    route inside 10.1.6.0 255.255.255.0 10.0.6.102 1

In this figure, four features are configured: the host name, name-to-IP-address mappings, NAT,
and routes. The hostname command sets the PIX Security Appliance CLI prompt, chicago. The
name command lets the administrator apply a name to any host; for example, name 10.1.6.11
insidehost. The global and nat commands enable the dynamic NAT feature in the PIX Security
Appliance. In the example, outbound packets from any inside host, 0.0.0.0 0.0.0.0, are
translated to one of the global pool IP addresses, 192.168.6.20–192.168.6.254. The last
commands are the route commands. In the example, a default route to the router at IP address
192.168.6.1 is added. The hosts on the 10.1.6.0 network are not directly connected, so by default
they cannot be reached by the PIX Security Appliance. To access these devices, a static route to
the router at IP address 10.0.6.102 is defined. Any packets bound for the 10.1.6.0 network are
forwarded to the router at IP address 10.0.6.102. The passwd line stores the Telnet access
password in encrypted form; the value shown is the hash of the well-known factory default,
cisco, so change it before the appliance goes into service.

Examining PIX Security Appliance Status
This topic explains the basic show commands needed to examine the status of the PIX Security
Appliance.

Examining PIX Security Appliance Status

Examine PIX Security Appliance status with these commands:

• show memory
• show cpu usage
• show conn
• show version
• show ip address
• show interface
• show nameif
• show nat
• show global
• show xlate
• ping

Note: Unlike Cisco IOS software, PIX software allows you to enter the show command within
the configuration mode.

The command syntax and sample scripts for these commands are illustrated in the figures:
show conn
show nat
show global
show xlate



show conn Command

    pixfirewall# show conn

• Displays all active connections

    chicago(config)# show conn
    6 in use, 6 most used
    TCP out 204.31.17.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 flags UHrIO
    TCP out 204.31.17.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 flags UHrIO
    TCP out 204.31.17.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 flags UHrIO
    TCP out 204.31.17.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 flags UHrIO
    TCP out 204.31.17.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 flags UHrIO
    TCP out 204.31.17.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 flags UHrIO
    UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30 flags d
    UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30 flags d
    UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30 flags d

In this example, host 10.3.3.4 on the inside has accessed a web site at 204.31.17.41. The global
address on the outside interface is 192.150.50.70. The flags on the six TCP connections
indicate that each connection is up (U), is carrying HTTP (H), is in use (r), and has passed data
inbound (I) and outbound (O). The three UDP connections are in the dump (clean-up) state (d).
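A parser for the show conn output above, as an added example that is not part of the course material. SAMPLE is that output reproduced as constructed input; the flag meanings are the ones the text gives; the fan_out check and its threshold are assumptions chosen for the example, not a feature of the appliance.

```python
# Added example (not from the course): parse show conn and summarise it.
# SAMPLE is the course output reproduced as constructed input.
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = """\
6 in use, 6 most used
TCP out 204.31.17.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199 flags UHrIO
TCP out 204.31.17.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688 flags UHrIO
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30 flags d
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30 flags d
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30 flags d
"""

# Flag letters as explained in the text above
FLAGS = {"U": "up", "H": "HTTP", "r": "in use",
         "I": "data in", "O": "data out", "d": "dump (clean-up)"}

CONN = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>\S+):(?P<out_port>\d+) "
    r"in (?P<in_ip>\S+):(?P<in_port>\d+) idle (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$")


def parse_conn(text: str) -> List[Dict]:
    """One dict per connection line; the 'N in use' summary line is skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line.strip())
        if not m:
            continue
        conns.append({
            "proto": m["proto"],
            "out": (m["out_ip"], int(m["out_port"])),
            "in": (m["in_ip"], int(m["in_port"])),
            "idle": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "bytes": int(m["bytes"]) if m["bytes"] else 0,   # UDP lines carry no byte count
            "flags": m["flags"],
        })
    return conns


def describe_flags(flags: str) -> List[str]:
    return [FLAGS.get(f, f"unknown({f})") for f in flags]


def fan_out(conns: List[Dict], threshold: int = 5) -> Dict[Tuple, int]:
    """Inside hosts holding more than `threshold` live connections to one destination.

    Constructed check: connections already in dump state are ignored. Six browser
    connections to one web server are normal; the threshold is a tuning knob.
    """
    counts = Counter((c["in"][0], c["proto"], c["out"])
                     for c in conns if "d" not in c["flags"])
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    conns = parse_conn(SAMPLE)
    for c in conns:
        print(c["proto"], c["in"], "->", c["out"], describe_flags(c["flags"]))
    print(fan_out(conns))
```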

show interface Command

    chicago# show interface
    interface ethernet0 "outside" is up, line protocol is up
      Hardware is i82559 ethernet, address is 0050.54ff.653a
      IP address 192.168.0.2, subnet mask 255.255.255.0
      MTU 1500 bytes, BW 100000 Kbit full duplex
        4 packets input, 282 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        20 packets output, 1242 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0
        output queue (curr/max blocks): hardware (0/1) software (0/1)

The show interface command enables you to view network interface information. This is one
of the first commands that you should use when trying to establish connectivity.

The following are explanations of the information that is displayed after entering the show
interface command:
Ethernet: Indicates that you have used the interface command to configure the interface.
The statement indicates whether the interface is inside or outside, and whether the interface
is available (up) or not available (down).
Line protocol up: A working cable is plugged into the network interface.
Line protocol down: Either the cable plugged into the network interface is incorrect, or it
is not plugged into the interface connector.
Network interface type: This identifies the network interface.
Interrupt vector: The PIX Security Appliance uses interrupts to get Token Ring
information, but polls Ethernet cards. For that reason, it is acceptable for interface cards to
have the same interrupts.
MAC address: Intel cards begin with “i” and 3Com cards begin with “3c.”
Maximum transmission unit (MTU): This is the maximum packet size, in bytes, that a
particular interface can handle.
Packets input: This indicates that packets are being received in the PIX Security
Appliance.
Packets output: This indicates that packets are being sent from the PIX Security
Appliance.
Line duplex status: This indicates whether the PIX Security Appliance is running either
full duplex (simultaneous packet transmission) or half duplex (alternating packet
transmission).



Line speed: 10BASE-T Ethernet is listed as 10,000 kbps. 100BASE-TX is listed as
100,000 kbps.
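The fields explained above, read back out of the show interface output by a parser, as an added example that is not part of the course material. SAMPLE is the course output reproduced as constructed input (the two queue lines are omitted); BAD_SAMPLE, the health checks, and the counters they inspect are assumptions made for the example, chosen from the problem indicators the text describes.

```python
# Added example (not from the course): parse show interface output and flag the
# counters the text says indicate problems. SAMPLE reproduces the course output
# as constructed input; BAD_SAMPLE and the checks are assumptions.
import re
from typing import Dict, List

SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0050.54ff.653a
  IP address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
    4 packets input, 282 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    20 packets output, 1242 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
"""

HEADER = re.compile(r'interface (\S+) "([^"]+)" is (\w+), line protocol is (\w+)')
LINK = re.compile(r"MTU (\d+) bytes, BW (\d+) Kbit (full|half) duplex")
COUNTER = re.compile(r"^(\d+) (.+)$")


def parse_interface(text: str) -> Dict:
    iface: Dict = {"counters": {}}
    direction = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            iface.update(name=m[1], label=m[2], status=m[3], line_protocol=m[4])
            continue
        m = LINK.search(line)
        if m:
            iface.update(mtu=int(m[1]), bw_kbit=int(m[2]), duplex=m[3])
            continue
        m = re.search(r"address is (\S+)", line)
        if m:
            iface["mac"] = m[1]
            continue
        if line.startswith("Received "):
            line = line[len("Received "):]
        if not line[:1].isdigit():
            continue  # IP address line, queue lines, anything else
        for part in line.split(", "):
            m = COUNTER.match(part)
            if not m:
                continue
            name = m[2]
            if name in ("packets input", "packets output"):
                direction = name.split()[1]
            elif name == "bytes":
                name = f"bytes {direction}"   # tell input bytes from output bytes
            iface["counters"][name] = int(m[1])
    return iface


# Counters the text lists as problem indicators; any nonzero value is a finding.
PROBLEM_COUNTERS = ["no buffer", "runts", "giants", "CRC", "frame", "overrun",
                    "underruns", "output errors", "collisions", "interface resets"]


def health(iface: Dict) -> List[str]:
    """Findings to chase first (the checks are assumptions made for the example)."""
    findings = []
    if iface.get("status") != "up" or iface.get("line_protocol") != "up":
        findings.append(f"{iface.get('name')} is not up/up: check the interface command and cabling")
    if iface.get("duplex") != "full":
        findings.append("half duplex: verify the configured hardware_speed matches the switch")
    for name in PROBLEM_COUNTERS:
        value = iface["counters"].get(name, 0)
        if value:
            findings.append(f"{name} = {value}")
    return findings


# Constructed variant with CRC errors and collisions, as a duplex mismatch would show
BAD_SAMPLE = SAMPLE.replace("0 CRC", "15 CRC").replace("0 collisions", "27 collisions")

if __name__ == "__main__":
    for text in (SAMPLE, BAD_SAMPLE):
        iface = parse_interface(text)
        print(iface["name"], iface["label"], health(iface) or "no findings")
```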

The following are explanations of the show interface command output that can indicate
interface problems:
No buffer: This indicates that the PIX Security Appliance is out of memory or slowed
down because of heavy traffic and cannot keep up with the received data.
Runts: These are packets with less information than expected.
Giants: These are packets with more information than expected.
Cyclic redundancy check (CRC): This indicates packets that contain corrupted data
(checksum error).
Frame errors: This indicates framing errors.
Ignored and aborted errors: This information is provided for future use, but is not
currently checked; the PIX Security Appliance does not ignore or abort frames.
Underruns: This is shown when the PIX Security Appliance is overwhelmed and cannot
get data to the network interface card fast enough.
Overruns: This is shown when the network interface card is overwhelmed and cannot
buffer received information before more needs to be sent.
Unicast rpf drops: This is shown when packets sent to a single network destination using
reverse path forwarding are dropped.
Output errors: (Maximum collisions) This indicates the number of frames not transmitted
because the configured maximum number of collisions was exceeded. This counter should
only increment during heavy network traffic.
Collisions: (Single and multiple collisions) This indicates the number of messages
retransmitted because of an Ethernet collision. This usually occurs on an overextended
LAN when the Ethernet or transceiver cable is too long, there are more than two repeaters
between stations, or there are too many cascaded multiport transceivers. A packet that
collides is counted only once by the output packets.
Interface resets: This indicates the number of times that an interface has been reset. If an
interface is unable to transmit for 3 seconds, the PIX Security Appliance resets the interface
to restart transmission. During this interval, the connection state is maintained. An interface
reset can also happen when an interface is looped back or shut down.
Babbles: This indicates that the transmitter has been on the interface longer than the time
taken to transmit the largest frame. This counter is unused.
Late collisions: This indicates the number of frames that were not transmitted because a
collision occurred outside the normal collision window. A late collision is a collision that is
detected late in the transmission of the packet. Normally, these should never happen. When
two Ethernet hosts try to talk at once, they should collide early in the packet and both back
off, or the second host should see that the first one is talking and wait.

If you get a late collision, a device is jumping in and trying to send packets on the Ethernet
while the PIX Security Appliance is partly finished sending the packet. The PIX Security
Appliance does not resend the packet, because it may have freed the buffers that held the
first part of the packet. This is not a real problem because networking protocols are
designed to cope with collisions by resending packets. However, late collisions indicate that
a problem exists in your network. Common problems are large repeated networks and
Ethernet networks running beyond the specification.
Deferred: This indicates the number of frames that were deferred before transmission
because of activity on the link.
Lost carrier: This indicates the number of times that the carrier signal was lost during
transmission.
No carrier: This counter is unused.
Input queue: This is the input (receive) hardware and software queue.
— Hardware: (Current and maximum blocks) This is the number of blocks currently
present on the input hardware queue, and the maximum number of blocks previously
present on that queue.
— Software: (Current and maximum blocks) This is the number of blocks currently
present on the input software queue, and the maximum number of blocks previously
present on that queue.
Output queue: This is the output (transmit) hardware and software queue.
— Hardware: (Current and maximum blocks) This is the number of blocks currently
present on the output hardware queue, and the maximum number of blocks
previously present on that queue.
— Software: (Current and maximum blocks) This is the number of blocks currently
present on the output software queue, and the maximum number of blocks
previously present on that queue.

Note The following counters are only valid for Ethernet interfaces: output errors, collisions,
interface resets, babbles, late collisions, deferred, lost carrier, and no carrier.

Note Starting with PIX Security Appliance software version 6.0(1), FDDI, PIX Security Appliance
Private Link 2 (PL2), and Token Ring interfaces are not supported.
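The counter explanations above are a troubleshooting checklist; the following is an added example (not part of the SND course material) that applies that checklist to a show interface listing. It parses the "number name" counter pairs, reports every non-zero counter that the page lists as a problem indicator, and honours the note that some counters are only meaningful on Ethernet interfaces. The sample listing is constructed: its counter lines follow the layout of the slide, but the header lines and all values are invented.

```python
"""Flag problem counters in PIX 'show interface' output.

Added example, not part of the SND course material: it parses the counter
lines of a 'show interface' listing and reports the non-zero counters that
the page lists as problem indicators. The sample listing is constructed; its
counter lines follow the layout of the slide, all values are invented.
"""
from __future__ import annotations

import re

# Counter name -> what a non-zero value indicates, following the page's explanations.
COUNTER_HINTS = {
    "no buffer": "appliance out of memory or cannot keep up with received data",
    "runts": "frames with less information than expected",
    "giants": "frames with more information than expected",
    "crc": "frames with corrupted data (checksum error)",
    "frame": "framing errors",
    "underruns": "appliance cannot get data to the NIC fast enough",
    "overruns": "NIC cannot buffer received data before more must be sent",
    "unicast rpf drops": "packets dropped by reverse path forwarding",
    "output errors": "maximum collision count exceeded; expected only under heavy traffic",
    "collisions": "Ethernet collisions, often an overextended LAN",
    "interface resets": "interface reset after 3 seconds without transmitting",
    "late collisions": "collision outside the normal window: cabling or repeater problem",
    "lost carrier": "carrier signal lost during transmission",
}

# Per the page's note, these counters are only valid for Ethernet interfaces.
ETHERNET_ONLY = {"output errors", "collisions", "interface resets", "babbles",
                 "late collisions", "deferred", "lost carrier", "no carrier"}

# Constructed sample listing (header lines and all values are invented).
SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.1234
  IP address 10.0.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        1500 packets input, 2400000 bytes, 0 no buffer
        Received 12 broadcasts, 3 runts, 0 giants
        0 input errors, 2 CRC, 0 frame, 0 overruns, 0 ignored, 0 abort
        1400 packets output, 1900000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 5 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
"""

# "<number> <counter name>" pairs, each ended by a comma or the end of the line.
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*?)(?=,|$)")
QUEUE_RE = re.compile(r"(input|output) queue \(curr/max blocks\): "
                      r"hardware \((\d+)/(\d+)\) software \((\d+)/(\d+)\)")


def parse_counters(output: str) -> dict[str, int]:
    """Return {counter name (lowercase): value} for every counter pair found."""
    counters: dict[str, int] = {}
    for line in output.splitlines():
        for value, name in COUNTER_RE.findall(line.strip()):
            counters[name.strip().lower()] = int(value)
    return counters


def queue_depths(output: str) -> dict[str, dict[str, tuple[int, int]]]:
    """Return the (current, maximum) block counts of the input and output queues."""
    depths = {}
    for direction, hw_cur, hw_max, sw_cur, sw_max in QUEUE_RE.findall(output):
        depths[direction] = {"hardware": (int(hw_cur), int(hw_max)),
                             "software": (int(sw_cur), int(sw_max))}
    return depths


def problem_counters(output: str, ethernet: bool | None = None) -> dict[str, tuple[int, str]]:
    """Return {counter: (value, hint)} for each non-zero problem indicator.

    Ethernet-only counters are ignored on non-Ethernet interfaces; when the
    caller does not say, the interface type is taken from the first line.
    """
    if ethernet is None:
        ethernet = "ethernet" in output.splitlines()[0].lower()
    counters = parse_counters(output)
    problems = {}
    for name, hint in COUNTER_HINTS.items():
        value = counters.get(name, 0)
        if value and (ethernet or name not in ETHERNET_ONLY):
            problems[name] = (value, hint)
    return problems


if __name__ == "__main__":
    for name, (value, hint) in problem_counters(SAMPLE).items():
        print(f"{name}: {value} ({hint})")
    print("queues:", queue_depths(SAMPLE))
```

Run on the constructed sample, the script reports runts, CRC and late collisions; passing ethernet=False drops the late collisions, since the page says that counter is not valid on non-Ethernet interfaces.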



show nat Command

[Figure: inside hosts 10.0.0.4 and 10.0.0.11 on the 10.0.0.X network are translated by NAT to X.X.X.X addresses toward the Internet.]

pixfirewall# show nat

• Displays a single host or range of hosts to be translated

chicago(config)# show nat
nat (inside) 7 10.0.0.0 255.255.255.0 0 0


Use the show nat command to display a single host or range of hosts to be translated. In the
figure, all hosts on the 10.0.0.0/24 network are translated when traversing the PIX Security
Appliance. The NAT ID is 1.

show global Command

[Figure: inside hosts 10.0.0.4 and 10.0.0.11 on the 10.0.0.X network are translated to the global pool 192.168.0.20-192.168.0.254 toward the Internet.]

pixfirewall# show global

• Displays the pool of global addresses

chicago(config)# show global
global (outside) 7 192.168.0.20-192.168.0.254
netmask 255.255.255.0


The show global command displays the global pool (or pools) of addresses configured in the
PIX Security Appliance. In the figure, there is currently one pool configured. The pool is
configured on the outside interface. The pool has an IP address range of 192.168.0.20 to
192.168.0.254. The NAT ID is 1.



show xlate Command

[Figure: the xlate table on the PIX maps the outside global pool address 192.168.0.20 to the inside local address 10.0.0.11; a second inside host is 10.0.0.4.]

pixfirewall# show xlate

• Displays the contents of the translation slots

chicago(config)# show xlate
1 in use, 1 most used
Global 192.168.0.20 Local 10.0.0.11


The show xlate command displays the contents of the translation slot. In the figure, the number
of currently used translations is 1 with a maximum count of 1. The current translation is a local
IP address of 10.0.0.11 to a global IP address of 192.168.0.20.
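The nat, global and xlate outputs describe one mechanism from three angles, and a quick consistency check across them is a useful habit when a translation does not behave as expected. The following is an added example, not part of the SND course material: it parses the three command outputs and checks that every translation slot maps a local address covered by a nat rule to a global address drawn from the global pool with the same NAT ID. The sample outputs are constructed from the values on the slides (using NAT ID 1 as the text describes), with two extra invented slots added to show what a mismatch looks like.

```python
"""Cross-check PIX 'show nat', 'show global' and 'show xlate' output.

Added example, not part of the SND course material: it parses the three
outputs discussed above and checks that every translation slot maps a local
address covered by a nat rule to a global address inside the global pool with
the same NAT ID. The sample outputs are constructed from the values on the
slides, with two extra (invented) slots added to show the failure cases.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed samples. The trailing "0 0" on the nat line are the connection limits.
SHOW_NAT = "nat (inside) 1 10.0.0.0 255.255.255.0 0 0\n"
SHOW_GLOBAL = "global (outside) 1 192.168.0.20-192.168.0.254\nnetmask 255.255.255.0\n"
SHOW_XLATE = """\
3 in use, 3 most used
Global 192.168.0.20 Local 10.0.0.11
Global 192.168.0.250 Local 10.0.1.5
Global 172.16.0.9 Local 10.0.0.4
"""

NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)-(\S+)(?:\s+netmask (\S+))?")
XLATE_RE = re.compile(r"Global (\S+) Local (\S+)")
USAGE_RE = re.compile(r"(\d+) in use, (\d+) most used")


def parse_nat(text: str) -> list[tuple[int, str, ipaddress.IPv4Network]]:
    """Return (nat_id, interface, local network) for each nat rule."""
    return [(int(nat_id), iface, ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            for iface, nat_id, addr, mask in NAT_RE.findall(text)]


def parse_global(text: str) -> list[tuple[int, str, ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Return (nat_id, interface, first address, last address) for each global pool."""
    return [(int(nat_id), iface, ipaddress.ip_address(first), ipaddress.ip_address(last))
            for iface, nat_id, first, last, _netmask in GLOBAL_RE.findall(text)]


def parse_xlate(text: str):
    """Return (in_use, most_used, [(global address, local address), ...])."""
    usage = USAGE_RE.search(text)
    in_use, most_used = (int(usage.group(1)), int(usage.group(2))) if usage else (0, 0)
    slots = [(ipaddress.ip_address(g), ipaddress.ip_address(l)) for g, l in XLATE_RE.findall(text)]
    return in_use, most_used, slots


def check_xlates(nat_text: str, global_text: str, xlate_text: str) -> list[str]:
    """Return one finding per translation slot."""
    rules = parse_nat(nat_text)
    pools = parse_global(global_text)
    _, _, slots = parse_xlate(xlate_text)
    findings = []
    for global_ip, local_ip in slots:
        # The nat rule whose network contains the local address supplies the NAT ID.
        covering = [nat_id for nat_id, _iface, net in rules if local_ip in net]
        if not covering:
            findings.append(f"{local_ip} -> {global_ip}: no nat rule covers this local address")
            continue
        nat_id = covering[0]
        # The global address must come from a pool configured with the same NAT ID.
        in_pool = any(pid == nat_id and first <= global_ip <= last
                      for pid, _iface, first, last in pools)
        if in_pool:
            findings.append(f"{local_ip} -> {global_ip}: OK (NAT ID {nat_id})")
        else:
            findings.append(f"{local_ip} -> {global_ip}: global address not in pool for NAT ID {nat_id}")
    return findings


if __name__ == "__main__":
    in_use, most_used, _ = parse_xlate(SHOW_XLATE)
    print(f"{in_use} in use, {most_used} most used")
    for line in check_xlates(SHOW_NAT, SHOW_GLOBAL, SHOW_XLATE):
        print(line)
```

The first slot reproduces the slide's translation and passes; the two invented slots show the two ways a slot can disagree with the configuration: a local address no nat rule covers, and a global address outside the pool for that NAT ID.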

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• The PIX Security Appliance has four administrative access modes: unprivileged, privileged, configuration, and monitor.
• The PIX Security Appliance can be configured through the CLI with the following commands: setup, console timeout, banner, show running-config, show startup-config, and write memory. The name command enables you to configure a list of name-to-IP address mappings on the PIX Security Appliance.


Summary (Cont.)

• The PIX Security Appliance uses the Adaptive Security Algorithm for security. Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
• The basic commands necessary to configure the PIX Security Appliance are the following: nameif, interface, ip address, nat, global, and route. The nat and global commands work together to translate IP addresses.
• Use the PIX Security Appliance show commands to examine the status of the PIX Security Appliance.



Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which PIX Security Appliance access mode is available when the # prompt is
displayed? (Source: PIX Security Appliance Access Modes)
A) unprivileged mode
B) restricted mode
C) configuration mode
D) shutdown mode
E) privileged mode
F) monitor mode
Q2) Which PIX Security Appliance access mode is available when the > prompt is
displayed? (Source: PIX Security Appliance Access Modes)
A) unprivileged mode
B) restricted mode
C) configuration mode
D) shutdown mode
E) privileged mode
F) monitor mode
Q3) Which of the following commands is used to move from the privileged mode to the
configuration mode? (Source: PIX Security Appliance Access Modes)
A) enable configuration
B) configure terminal
C) enable
D) wr mem
Q4) What is the default console idle timeout value for the PIX Security Appliance? (Source:
Configuring the Firewall)
A) zero
B) 10 seconds
C) 20 seconds
D) 30 seconds
Q5) Which of the following security levels is the default setting for the outside interface of
the PIX Security Appliance? (Source: Adaptive Security Algorithm Security Levels)
A) level 100
B) level 0
C) levels 1 to 99
Q6) What is the default security level of the inside interface for a PIX Security Appliance?
(Source: Adaptive Security Algorithm Security Levels)
A) 50
B) 0
C) 100
D) 110

Q7) Which of the following primary configuration commands for the PIX Security
Appliance creates a pool of one or more IP addresses for use in NAT and PAT?
(Source: Basic PIX Security Appliance Operational Commands)
A) nameif
B) interface
C) ip address
D) nat
E) global
F) route
Q8) Which of the following primary configuration commands for the PIX Security
Appliance can specify translation for a single host or a range of hosts and shields IP
addresses on the inside network from the outside network? (Source: Basic PIX Security
Appliance Operational Commands)
A) nameif
B) interface
C) ip address
D) nat
E) global
F) route
Q9) Which of the following output from a show interface command indicates that a packet
has been received with less information than expected? (Source: Examining PIX
Security Appliance Status)
A) no buffer
B) runts
C) giants
D) cyclic redundancy check
E) underruns
F) overruns
Q10) Which of the following output from a show interface command indicates that the PIX
Security Appliance is overwhelmed and cannot get data to the network interface card
fast enough? (Source: Examining PIX Security Appliance Status)
A) no buffer
B) runts
C) giants
D) cyclic redundancy check
E) underruns
F) overruns



Lesson Self-Check Answer Key
Q1) E

Q2) A

Q3) B

Q4) A

Q5) B

Q6) C

Q7) E

Q8) D

Q9) B

Q10) E

Lesson 3

Configuring a PIX Security Appliance with the Cisco PDM

Overview
Even administrators familiar with Cisco IOS software find that configuring a PIX Security
Appliance from the console is a daunting task. Security may suffer if the PIX Security
Appliance is not configured properly because of a lack of command-line interface (CLI)
skills. Cisco provides the PIX Device Manager (PDM) so that complex configuration,
management, and monitoring tasks can be performed in a secure manner from a browser. This
lesson shows you how to use the PDM so that you can complete the tasks in the following lab
exercise.

Objectives
Upon completing this lesson, you will be able to configure basic firewall settings using the
PDM. This ability includes being able to meet these objectives:
Describe the features and limitations of the PDM
Describe the PIX Security Appliance, browser and platform requirements for the PDM
Explain how to set up the PIX Security Appliance to use the PDM
Describe the layout, options and purpose of the Startup Wizard and the PDM Home
window
PDM Overview
This topic describes the features and limitations of the PDM.

What Is PDM?

[Figure: the PDM browser session reaches the PIX Security Appliance through an SSL secure tunnel across the Internet.]

PDM is a browser-based configuration tool designed to help configure and monitor your PIX Security Appliance.


The PDM is a browser-based configuration tool designed to help you set up, configure, and
monitor your Cisco PIX Security Appliance graphically, without requiring an extensive
knowledge of the PIX Security Appliance CLI.

The PDM monitors and configures a single PIX Security Appliance. You can use the PDM to
create a new configuration and to monitor and maintain current PIX Security Appliances. You
can point your browser to more than one PIX Security Appliance and administer several PIX
Security Appliances from a single workstation.

Note The PDM can also be used to configure and monitor the Firewall Services Module (FWSM)
on a Cisco Catalyst 6500 Switch.

PDM Features
The PDM has the following features:
• Works with PIX Security Appliance Software Release 6.0 and higher
• Operates on the PIX 500 Series of security appliances
• Implemented in Java to provide robust, real-time monitoring
• Runs on a variety of platforms
• Does not require a plug-in software installation
• Comes preloaded into Flash memory on new PIX Security Appliances running versions 6.0 and higher
• Works with SSL to ensure secure communication with the PIX Security Appliance

If you are upgrading from a previous version of PIX Security Appliance software, download the PDM from Cisco and then copy it to the PIX Security Appliance via TFTP.

The PDM is secure, versatile, easy to use, works with PIX 500 Series Security Appliances, and
runs on a variety of platforms.

The PDM enables you to securely configure and monitor your PIX Security Appliance
remotely. Its ability to work with the Secure Socket Layer (SSL) protocol ensures that
communication with the PIX Security Appliance is secure, and because it is implemented in
Java, it is able to provide robust, real-time monitoring.

The PDM works with PIX Security Appliance Software Version 6.0 and higher and comes
preloaded into Flash memory on new PIX Security Appliances running Software Version 6.x
and higher. If you are upgrading from a previous version of the PIX Security Appliance, you
can download PDM from Cisco and then copy it to the PIX Security Appliance via TFTP.

The PDM runs on Microsoft Windows, Sun Solaris, and Linux platforms and requires no plug-
ins or complex software installations. The PDM applet uploads to your workstation when you
access the PIX Security Appliance from your browser.



PDM Operating Requirements
This topic describes the PIX Security Appliance browser and platform requirements for the
PDM.

PDM PIX Security Appliance Requirements

A PIX Security Appliance must meet the following requirements to run PDM:
• Software version compatible with the PDM software version you plan to use
• Hardware model compatible with the PDM software version you plan to use
• Activation key that enables DES or 3DES
• At least 8 MB of Flash memory
• Configuration less than 100 KB


A PIX Security Appliance must meet the following requirements to run PDM:

Note New PIX Security Appliances that contain version 6.0 also have a preinstalled Data
Encryption Standard (DES) activation key. If you are using a new PIX Security Appliance,
you have all the requirements discussed in this topic and you can continue to the next topic.

You must have an activation key that enables DES or the more secure Triple-Data
Encryption Standard (3DES), which PDM requires for support of the SSL protocol. If your
PIX Security Appliance is not enabled for DES, you can have a new activation key sent to
you by completing the form at the following web site:
http://www.cisco.com/kobayashi/sw-center/internet/pix-56bit-license-request.shtml.
Verify that your PIX Security Appliance meets all requirements listed in the release notes
for the PIX Security Appliance software version you are using.
Verify that your PIX Security Appliance hardware model, PIX Security Appliance software
version, and PDM version are compatible. Refer to the “PDM Version” table to ensure
compatibility. You can download PIX Security Appliance software and the PDM software
from the following web site: http://www.cisco.com/cgi-bin/tablebuild.pl/pix.

PDM Version

PDM Version   PIX Security Appliance Software Version   PIX Security Appliance Model Number
1.0           6.0 or 6.1                                506, 515, 520, 525, 535
1.1           6.0 or 6.1                                506, 515, 520, 525, 535
2.0           6.2                                       501, 506, 506E, 515, 515E, 520, 525, 535
2.1           6.2                                       501, 506, 506E, 515, 515E, 520, 525, 535
3.0           6.3                                       501, 506, 506E, 515, 515E, 520, 525, 535

You must have at least 8 MB of Flash memory on the PIX 501 Security Appliance and the
PIX 506 Security Appliance or PIX 506E Security Appliance.
You must have at least 16 MB of Flash memory on the PIX 515 Security Appliance or PIX
515E Security Appliance, the PIX 520 Security Appliance, the PIX 525 Security
Appliance, and the PIX 535 Security Appliance.
Ensure that your configuration is less than 100 KB (approximately 1,500 lines).
Configurations over 100 KB cause PDM performance degradation.



PDM Browser Requirements

To access PDM from a browser, you must meet the following requirements:
• JavaScript and Java must be enabled.
• Browser support for SSL must be enabled.


To access the PDM from a browser, you must meet the following requirements:
JavaScript and Java must be enabled. If these are not enabled, the PDM helps you enable
them. If you are using Microsoft Internet Explorer, your Java Development Kit (JDK)
version should be 1.1.4 or higher. To check which version you have, launch PDM. In the
main PDM menu, click Help > About Cisco PIX Device Manager. When the About PDM
information window opens, it displays your browser specifications in a table, including
your JDK version. If you have an older JDK version, you can use the latest Java Virtual
Machine (JVM) to enable Java to run on your computer. Download the product named
Virtual Machine from Microsoft to obtain this capability.
Browser support for SSL must be enabled. The supported versions of Internet Explorer and
Netscape Navigator support SSL without requiring additional configuration.

Supported Platforms

• Microsoft Windows
• Sun Solaris
• Linux


The PDM can operate in browsers running on Microsoft Windows, Sun Solaris, or Linux
operating systems.

Microsoft Windows Requirements


The following requirements apply to the use of the PDM with Microsoft Windows:
Windows 2000 (Service Pack 3), Windows NT 4.0 (Service Pack 4 and higher), Windows
98, Windows ME, or Windows XP.
The supported browsers are Internet Explorer 5.5 or higher, and Netscape Communicator
4.7x or 7.0x. PDM does not support Netscape 6.x.
Any Pentium or Pentium-compatible processor running at 450 MHz or higher.
At least 256 MB of RAM.
A 1024 x 768 pixel display with at least 256 colors.
PDM does not support use on Windows 3.1 or Windows 95.

Note The use of virus checking software may dramatically increase the time required to start
PDM. This is especially true for Netscape Communicator on any Microsoft Windows platform
or Windows 2000 running any browser.

Sun Solaris Requirements


The following requirements apply to the use of PDM with Sun SPARC:
Sun Solaris 2.8 or 2.9 running CDE window manager
SPARC microprocessor
Netscape Communicator 4.78

At least 128 MB of RAM
A 1024 x 768 pixel display with at least 256 colors

Note PDM does not support Solaris on IBM PCs.

Linux Requirements
The following requirements apply to the use of PDM with Linux:
Red Hat Linux 7.0, 7.1, 7.2, 7.3, or 8.0 running the GNOME or KDE 2.0 desktop
environment
Netscape Communicator 4.7x on Red Hat 7.x, or Mozilla 1.0.1 on Red Hat 8.0
At least 128 MB of RAM
A 1024 x 768 pixel display with at least 256 colors

General Guidelines
The following are a few general guidelines for workstations running PDM:
You can run several PDM sessions on a single workstation. The maximum number of PDM
sessions you can run varies depending on your workstation resources such as memory,
CPU speed, and browser type.
The time required to download the PDM applet can be greatly affected by the speed of the
link between your workstation and the PIX Security Appliance. A minimum 56-kbps link
speed is required; however, 384 kbps or higher is recommended. After the PDM applet is
loaded on your workstation, the link speed impact on PDM operation is negligible.
The use of virus-checking software may dramatically increase the time required to start the
PDM. This is especially true for Netscape Communicator on any Windows platform or
Windows 2000 running any browser.

Note If your workstation resources are running low, you should close and reopen your browser
before launching PDM.

Prepare for the PDM
This topic explains how to set up the PIX Security Appliance to use the PDM.

Configure the PIX Security Appliance to Use PDM

• Before you can use or install PDM, you need to enter the following information on the PIX Security Appliance via a console terminal:
– Password
– Time
– Inside IP address
– Inside network mask
– Host name
– Domain name
– IP address of host running the PDM
• You must also enable the HTTP server on the PIX Security Appliance.


The PIX Security Appliance must be configured with the following information before you can
install or use the PDM. Either you can preconfigure a new PIX Security Appliance through the
interactive prompts, which appear after the PIX Security Appliance boots, or you can enter the
commands covered in the previous lesson.

If you are installing the PDM on a PIX Security Appliance with an existing configuration, you
may need to restructure your configuration from the PIX Security Appliance CLI before
installing PDM in order to obtain full PDM capability. There are certain commands that PDM
does not support in a configuration. If these commands are present in your configuration, you
will only have access to the Monitoring tab. This is because PDM handles each PIX Security
Appliance command in one of the following ways, each of which is explained in detail in the
document “PDM Support for PIX Security Appliance CLI Commands” on Cisco.com:
Parse and allow changes (supported commands)
Parse and only permit access to the Monitoring tab (unsupported commands)
Parse without allowing changes (commands PDM does not understand but handles without
preventing further configuration)
Only display in the unparsable command list (commands PDM does not understand but
handles without preventing further configuration)



Setup Dialog for Pod 6
Pre-configure PIX Firewall now through interactive prompts [yes]? <Enter>
Enable Password [<use current password>]: ciscopix
Clock (UTC):
Year [2003]: <Enter>
Month [Sep]: <Enter>
Day [10]: 18
Time [22:47:37]: 14:22:00
Inside IP address: 10.0.6.1
Inside network mask: 255.255.255.0
Host name: pix6
Domain name: cisco.com
IP address of host running PIX Device Manager: 10.0.6.11
Use this configuration and write to flash? Y

An unconfigured PIX Security Appliance starts in an interactive setup dialog to enable you to
perform the initial configuration required to use the PDM. You can also access the setup dialog
by entering the setup command at the configuration mode prompt.

The dialog asks for several responses, including the inside IP address, network mask, host
name, domain name and PDM host. The host name and domain name are used to generate the
default certificate for the SSL connection.

The example in the figure shows how to respond to the setup command prompts. Pressing the
Enter key instead of entering a value at the prompt accepts the default value within the
brackets. You must fill in any fields that show no default values, and change default values as
necessary. After the configuration is written to Flash memory, your PIX Security Appliance is
ready to start the PDM.

Note The clock must be set for the PDM to generate a valid certificate. Set the PIX Security
Appliance clock to Universal Coordinated Time (UTC) (also known as Greenwich Mean Time
(GMT)).

The following list explains each prompt in the setup dialog:
Enable password: This prompt enables you to specify an enable password for this PIX
Security Appliance.
UTC: Accurate system time is essential for monitoring, problem diagnosis, and forensics.
This prompt enables you to set the PIX Security Appliance clock to Universal Coordinated
Time, which is also known as Greenwich Mean Time.
— Year [system year]: This prompt enables you to specify the current year, or return
to the default year stored in the host computer.
— Month [system month]: This prompt enables you to specify the current month, or
return to the default month stored in the host computer.

— Day [system day]: This prompt enables you to specify the current day, or return to
the default day stored in the host computer.
— Time [system time]: This prompt enables you to specify the current time in
hh:mm:ss format, or return to the default time stored in the host computer.
Inside IP address: The “Inside” IP address will be the interface that resides on the
protected network. Generally, this is a private address that is translated when traversing the
PIX to the outside network.
— Inside network mask: A network mask that applies to the inside IP address. Use
0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.
— Host name: The hostname you want to display in the PIX Security Appliance
command line prompt.
— Domain name: The DNS domain name of the network on which the PIX Security
Appliance runs (for example, cisco.com).
IP address of host running PIX Device Manager: This is the IP address on which PDM
connects to the PIX Security Appliance. The address entered here will be the only host that
can access the PDM until additional addresses are specified. Under most circumstances, it
is recommended that only addresses on the internal network be allowed access to the PDM.
The PIX, however, will allow hosts or networks from any interface to access the PDM if it
is configured to do so.
Use this configuration and write to Flash: At this point, the PIX CLI will give a
summary of the information that has been entered and give the option to use the
summarized configuration and save it to flash memory. This prompt is the same as the
write memory command. If the answer is yes, the inside interface is enabled and the
requested configuration is written to Flash memory. If the user answers anything else, the
setup dialog repeats using the values already entered as the defaults for the questions.
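The prompt list above carries two rules worth checking mechanically: pressing Enter keeps the bracketed default, and the PDM host entered at the last address prompt should normally be an internal address. The following is an added example, not part of the SND course material: it reads a transcript like the one on the "Setup Dialog for Pod 6" slide, resolves each prompt to the value the PIX actually kept, reconstructs the clock setting, and checks that the PDM host falls inside the network defined by the inside IP address and mask. The transcript repeats the slide's values, with "<Enter>" marking an accepted default.

```python
"""Resolve the answers given in a PIX setup dialog transcript.

Added example, not part of the SND course material: it reads a transcript
like the one on the 'Setup Dialog for Pod 6' slide, applies the rule that
pressing Enter keeps the bracketed default, and checks that the PDM host lies
on the inside network, which the page recommends. The transcript below
repeats the slide's values; '<Enter>' marks an accepted default.
"""
from __future__ import annotations

import ipaddress
import re

TRANSCRIPT = """\
Pre-configure PIX Firewall now through interactive prompts [yes]? <Enter>
Enable Password [<use current password>]: ciscopix
Clock (UTC):
  Year [2003]: <Enter>
  Month [Sep]: <Enter>
  Day [10]: 18
  Time [22:47:37]: 14:22:00
Inside IP address: 10.0.6.1
Inside network mask: 255.255.255.0
Host name: pix6
Domain name: cisco.com
IP address of host running PIX Device Manager: 10.0.6.11
Use this configuration and write to flash? Y
"""

# "<prompt> [<default>]: <answer>" or "<prompt>? <answer>"; the default is optional.
PROMPT_RE = re.compile(
    r"^\s*(?P<prompt>[^\[:?]+?)\s*(?:\[(?P<default>[^\]]*)\])?\s*[:?]\s*(?P<answer>.*)$")

PDM_HOST = "IP address of host running PIX Device Manager"


def resolve_answers(transcript: str) -> dict[str, str]:
    """Map each prompt to its effective value: <Enter> keeps the bracketed default."""
    answers: dict[str, str] = {}
    for line in transcript.splitlines():
        match = PROMPT_RE.match(line)
        if not match:
            continue
        prompt, default = match.group("prompt"), match.group("default")
        answer = match.group("answer").strip()
        if default is None and not answer:
            continue  # a section header such as "Clock (UTC):", not a prompt
        answers[prompt] = (default or "") if answer == "<Enter>" else answer
    return answers


def resolved_clock(answers: dict[str, str]) -> str:
    """Return the clock that the dialog set, as 'YYYY-Mon-DD hh:mm:ss'."""
    return f'{answers["Year"]}-{answers["Month"]}-{answers["Day"]} {answers["Time"]}'


def pdm_host_on_inside(answers: dict[str, str]) -> bool:
    """True when the PDM host address belongs to the inside interface's network."""
    inside = ipaddress.ip_network(
        f'{answers["Inside IP address"]}/{answers["Inside network mask"]}', strict=False)
    return ipaddress.ip_address(answers[PDM_HOST]) in inside


if __name__ == "__main__":
    values = resolve_answers(TRANSCRIPT)
    for prompt, value in values.items():
        print(f"{prompt}: {value}")
    print("clock:", resolved_clock(values))
    print("PDM host on inside network:", pdm_host_on_inside(values))
```

For the slide's transcript the resolved clock is 2003-Sep-18 14:22:00 (year and month from the defaults, day and time typed in) and the PDM host 10.0.6.11 lies in 10.0.6.0/24, so the check passes; substituting an address on another network makes it fail.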



Configure the PIX Security Appliance Using the PDM
This topic describes the layout, options and purpose of the Startup Wizard and the PDM Home
window.

Startup Wizard

The PDM Startup Wizard enables you to easily perform basic configuration of the PIX Security Appliance.


The PDM Startup Wizard is an easy way to begin the process of configuring your PIX Security
Appliance. The wizard steps you through such tasks as the following:
Enabling the PIX Security Appliance interfaces
Assigning IP addresses to the interfaces
Configuring a host name and password
Configuring Point-to-Point Protocol over Ethernet (PPPoE)
Configuring Auto Update
Configuring Network Address Translation (NAT) and Port Address Translation (PAT)
Configuring the DHCP server

You can run the Startup Wizard at any time by choosing Tools > Startup Wizard.

PDM Home Window

[Figure: the PDM Home window with its Main Toolbar and the Device Information, Interface Status, VPN Status, System Resources Status, and Traffic Status panels.]

The PDM Home window enables the administrator to view important PIX Security Appliance
information such as the status of the interfaces, the version running, licensing information, and
performance. Many of the details available on the PDM Home window are available elsewhere
in the PDM, but the Home window provides a useful and quick way to see how the PIX
Security Appliance is running. All information on the Home window is updated every ten
seconds, except for the Device Information. The administrator can access the Home window
any time by clicking the Home button on the main toolbar.

The following sections are included in the PDM Home window:


Main toolbar: This toolbar provides quick access to the Home window, configuration
panels, PDM monitoring, and context-sensitive help. The administrator can also save the
running configuration to Flash memory by clicking the Save button, or reload the running
configuration from Flash by clicking the Refresh button.
Device Information: This section displays the host name, PIX Security Appliance version,
device type, license, PDM version, total memory, and total Flash.
VPN Status: This section displays the status of virtual private network (VPN) tunnels, if
they are configured.
System Resources Status: This section displays CPU and memory usage.
Interface Status: This section displays the interface, IP address and mask, and link
status.
Traffic Status: This section displays the number of TCP and User Datagram Protocol
(UDP) connections that occur each second. Their sum is displayed as the total number of
connections. The “outside” Interface Traffic Usage area displays the traffic going through
the outside interface in kilobits per second.



Overall Layout

PDM consists of five major configuration areas:
• Access Rules
• Translation Rules
• VPN
• Hosts/Networks
• System Properties


The following five PDM tabs enable you to configure various aspects of the product:
Access Rules: Shows your entire network security policy
Translation Rules: Enables you to view all the address translation rules applied to your
network
VPN: Enables you to create VPNs using IPSec
Hosts/Networks: Enables you to view, edit, add to, or delete from the list of hosts and
networks defined for the selected interface
System Properties: Enables you to configure many aspects of the PIX Security Appliance

Access Rules Tab

From the Access Rules tab, you can view, edit, add, and delete ACLs and bind
them to interfaces. You can also create service groups and view, enable, or
disable Java and ActiveX filtering.

The Access Rules tab shows your entire network security policy expressed in rules. This tab
includes a panel for Access Rules, as well as for authentication, authorization and accounting
(AAA) Rules and Filter Rules. When you click the Access Rules option button, this tab lets you
define access control lists (ACLs). You can control the access of a specific host or network to
another host or network, including the protocol or port that can be used, if this feature is
supported by the PIX Security Appliance.

This tab also enables you to define AAA rules and filter rules for ActiveX and Java. The
configuration edits you perform on the Access Rules tab are captured by the PDM but are not
sent to the PIX Security Appliance until you click Apply. This applies to all configuration
changes made with the PDM, including those made in the Translation Rules tab, the
Hosts/Networks tab, and the System Properties tab. Always click Apply to send your
configuration edits to the PIX Security Appliance. Also remember that it is very important to save
your configuration to Flash memory by choosing File > Write Configuration to Flash from the
main menu or by clicking the Save icon in the toolbar.

Note You can also use the Access Rules tab to create object groups and apply them to ACLs.



Translation Rules Tab

From the Translation Rules tab, you can view, edit, create, and delete static and
dynamic address translation rules.

The Translation Rules tab lets you view all the address translation rules or NAT exemption
rules applied to your network. Before you can designate access and translation rules for your
network, you must first define each host or server for which a rule will apply by clicking the
Hosts/Networks tab.

When you are working in either the Access Rules tab window or the Translation Rules tab
window, you can access the task menus used for modifying rules three ways:
The PDM toolbar
The Rules menu
Right-clicking anywhere in the rules table

Note The order in which you apply translation rules can affect the way the rules operate. The PDM
lists the static translations first and then the dynamic translations. When processing NAT, the
PIX Security Appliance first translates the static translations in the order they are configured.
You can use the Insert Before or Insert After command from the Rules menu to determine
the order in which static translations are processed. Because dynamically translated rules
are processed on a best-match basis, the option to insert a rule before or after a dynamic
translation is disabled.

The Manage Global Address Pools window enables you to create global address pools to be
used by NAT. From this window, you can also view or delete existing global pools. You can
access the Manage Global Address Pools window from the Manage Pools button on the
Translation Rules tab.

Remember that it is necessary to run NAT even if you have routable IP addresses on your
secure networks. This is a unique feature of the PIX Security Appliance. You can do this by
translating the IP address to itself on the outside.

VPN Tab

From the VPN tab, you can create site-to-site and remote access VPNs.

From the VPN tab, you can create site-to-site or remote access VPNs.



Hosts/Networks Tab

From the Hosts/Networks tab, you can view, edit, add, or delete hosts, networks,
and network groups.

The PDM requires that you define any host or network that you intend to use in ACLs and
translation rules. These hosts or networks are organized below the interface from which they
are reachable. When defining either type of rule, you can reference a host or network by
clicking the Browse button in the appropriate add or edit rule window. Additionally, you can
reference the host or network by name if a name is defined for that host or network. It is
recommended that you name all hosts and networks.

In addition to defining the basic information for these hosts or networks, you can define route
settings and translation rules (NAT) for any host or network. You can also configure route
settings in the Static Route panel on the System Properties tab and translation rules on the
Translation Rules tab. These different configuration options accomplish the same results. The
Hosts/Networks tab provides another view to modify these settings on a per host and per
network basis.

The information provided in this window supplies the basic identification information for that
host or network: the IP address, netmask, interface, and name of the host or network. The PDM
uses the name and the IP address and netmask pair to resolve references to this host or network
in the source and destination conditions of access rules and in translation rules. The PDM uses
the interface value to apply access and translation rules that reference this host or network to
the correct interface. The interface delivers network packets to the host or network; therefore,
it is the interface that enforces the rules referencing that host or network.

System Properties Tab

From the System Properties tab, you can configure such features as the following:
• Interfaces
• Failover
• Routing
• User accounts for command authorization
• DHCP server
• Privilege level for command authorization
• Logging
• AAA
• URL filtering
• Remote management
• Intrusion detection
• Turbo ACLs
• Multicast

The System Properties tab enables you to configure many aspects of the PIX Security
Appliance, including the following:
Interfaces: In addition to their names, the Interfaces panel displays and enables you to edit
additional configuration information required for each interface. You can configure a PIX
Security Appliance interface with a static IP address, VLAN ID, or you can configure it to
use DHCP or PPPoE.

Note Your configuration edits are captured by the PDM but not sent to the PIX Security Appliance
until the Apply to PIX button is clicked.

Failover: This section enables you to enable, disable, and configure serial and LAN-based
failover and stateful failover.
Routing: The routing panel is divided into the following four sections dealing with
different routing configurations:
— Routing Information Protocol (RIP)
— Static routes
— Proxy Address Resolution Protocol (ARP)
— Open Shortest Path First (OSPF)
DHCP Services: The DHCP Services panel enables you to configure the PIX Security
Appliance as a DHCP server or configure the PIX Security Appliance as a DHCP relay
agent. You cannot configure both simultaneously on the same PIX Security Appliance.
PIX Administration Users: This panel enables you to create local user accounts.
PIX Administration: This panel contains the following sections:
— Device
— Password
— Authentication/Authorization
— User Accounts
— Banner
— Console
— PDM/HTTPS
— Telnet
— Secure Shell
— Management Access
— Simple Network Management Protocol (SNMP)
— ICMP
— TFTP Server
— Clock
— Network Time Protocol (NTP)
Logging: This panel is divided into the following sections:
— Logging Setup
— PDM Logging
— Syslog
— Others
AAA: This panel contains the following sections:
— URL Filtering
— Auto Update
Intrusion Detection: This panel is divided into the following two sections:
— Intrusion Detection System (IDS) Policy
— IDS Signatures
Advanced: This panel is made up of the five panels listed below, with the Fixup panel
having further selections nested beneath it.
— Fixup
CTIQBE (Computer Telephony Interface Quick Buffer Encoding)
Encapsulating Security Payload - Internet Key Exchange (ESP-IKE)
FTP
H.323 H.225
H.323 registration, admission and status (RAS)
HTTP
ICMP Error
Internet Locator Service (ILS)
Media Gateway Control Protocol (MGCP)
Point-to-Point Tunneling Protocol (PPTP)
Remote shell protocol (RSH)
Real-Time Streaming Protocol (RTSP)
Session Initiation Protocol (SIP) over TCP
SIP over UDP
Skinny
SMTP
SQL*Net
— Anti-Spoofing
— Fragment
— TCP Options
— Timeouts
— Turbo Access Rules
Multicast: This panel has three sections:
— Stub Multicast Routing
— IGMP
— MRoute
History Metrics: This panel enables the PIX Security Appliance to keep a history of many
statistics, which can be displayed by the PDM through the Monitoring tab.

Note If PDM History Metrics is not enabled, the only view available in the Monitoring tab is the
"Real-time" view. PDM History Metrics is enabled by default.



Monitoring Button

The Monitoring button enables you to monitor per-interface statistics, such as packet counts
and bit rates, for each enabled interface on the PIX Security Appliance.

Many different items can be monitored using the PDM, including but not limited to the
following:
PDM log
Secure Shell (SSH) sessions
Telnet console settings
PDM users
VPN statistics
System performance graphs
Connection graphs
Interface graphs

Interface Graphs Panel

The Interface Graphs panel enables you to monitor per-interface statistics, such as bit rates,
for each enabled interface on the PIX Security Appliance.

The Interface Graphs panel enables you to monitor per-interface statistics, such as packet
counts and bit rates, for each enabled interface on the PIX Security Appliance.

The list of graphs available is the same for every interface. Each graph can be viewed as a line
graph and in table form. Each graph can also be viewed with different time horizons.

Note If an interface is not enabled using the Interfaces panel under the System Properties panel,
no graphs will be available for that interface.



Tools and Options

Among the tasks you can perform from the drop-down menus in PDM’s main window are:
• Enable the “Preview commands before sending to the firewall” option to enable you to
preview any proposed configuration changes before they are applied.
• Use a text-based tool to send CLI commands to the PIX Security Appliance and to display
responses.
• Use the Ping tool to verify the operation of your PIX Security Appliance and surrounding
communications links.

The following tasks can be performed from the Tools and Options drop-down menus:
If you want to preview any commands generated by any panel before they are sent to the
PIX Security Appliance, choose Options > Preferences > Preview Commands Before
Sending to PIX.
If you want to enter CLI commands to be sent to the PIX Security Appliance, choose Tools
> Command Line Interface.
If you want to access the ping tool from the Tools menu, choose Tools > Ping.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• The PDM is a browser-based tool used to configure your PIX Security Appliance.
• The PDM can be run on Microsoft Windows, SUN Solaris, and Linux operating systems.
• Setup on the PIX Security Appliance is required to run PDM.
• The Startup Wizard and the PDM Home page contain several tools to help you configure
your PIX Security Appliance.


Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which of the following operating systems requires 356 MB of RAM in order to
operate? (Source: PDM Operating Requirements)
A) Microsoft Windows
B) SUN Solaris
C) Linux
Q2) Which six of the following tasks does the PDM Startup Wizard help you with? (Choose
six.) (Source: Configure the PIX Security Appliance Using the PDM)
A) writing the configuration to Flash memory
B) enabling the PIX Security Appliance interfaces
C) assigning IP addresses to the interfaces
D) assigning the DNS domain name of the network on which the PIX Security
Appliance runs
E) configuring a hostname and password
F) configuring PPPoE
G) setting the PIX Security Appliance clock to UCT
H) configuring NAT and PAT
I) configuring the DHCP server
Q3) Which of the following sections of the PDM Home window displays CPU and memory
usage? (Source: Configure the PIX Security Appliance Using the PDM)
A) Main toolbar
B) Device Information
C) VPN Status
D) System Resources Status
E) Interface Status Interface
F) Traffic Status
Q4) Which of the following five tabs on the PDM enables you to configure many aspects of
the PIX Security Appliance? (Source: Configure the PIX Security Appliance Using the
PDM)
A) Access Rules
B) Translation Rules
C) VPN
D) Hosts/Networks
E) System Properties
Q5) Which of the following five tabs on the PDM enables you to define AAA and filter
rules? (Source: Configure the PIX Security Appliance Using the PDM)
A) Access Rules
B) Translation Rules
C) VPN
D) Hosts/Networks
E) System Properties
Q6) PDM History Metrics is enabled by default. (Source: Configure the PIX Security
Appliance Using the PDM)
A) True
B) False
Q7) When are no interface graphs available on the Interface Graphs panel? (Source:
Configure the PIX Security Appliance Using the PDM)



Lesson Self-Check Answer Key
Q1) A

Q2) B, C, E, F, H, G

Q3) D

Q4) E

Q5) A

Q6) A

Q7) If an interface is not enabled using the Interfaces panel under the System Properties panel, no graphs will
be available for that interface.

Module Summary
This topic summarizes the key points discussed in this module.

Module Summary

• Cisco offers a full range of PIX Security Appliances to meet the needs of large and small
networks.
• The PIX Security Appliance provides secure network connectivity that can be configured
via the CLI.
• The PDM handles complex configuration, management, and monitoring tasks and can be
configured via a browser.

Module 4

Securing Networks with Host- and Network-Based IPS

Overview
In technology environments, Internet worms and viruses can spread across the world in a matter
of minutes. Without the luxury of time to react, the network must possess the ability to
instantaneously recognize and mitigate these threats. A networking architecture paradigm shift
is required to defend against these fast-moving attacks. It is no longer possible to contain these
intrusions at a few points in the network. Intrusion prevention is required throughout the entire
network to detect and stop an attack at every ingress and egress point in the network. The only
scalable and cost-effective way to accomplish this is by integrating intrusion prevention
systems (IPS) into the access points of the network.

An IPS detects inappropriate, incorrect, or anomalous activity originating outside a network, and
then takes action to prevent damage. Systems that operate on a host to detect malicious activity
on that host are called host-based intrusion prevention systems (HIPS), and systems that
operate on network data flows are called network-based IPS.

With the increasing complexity of security threats, achieving efficient network intrusion
security is critical to maintaining a high level of operational effectiveness. Cisco has designed
host- and network-based IPS to protect data and information infrastructure. This module
provides an introduction to Cisco IPS products and technologies.
Module Objectives
Upon completing this module, you will be able to secure a network with host- and network-
based IPS. This ability includes being able to meet these objectives:
Describe the underlying IDS and IPS technology embedded in the Cisco IDS/IPS solution
Complete basic sensor configuration tasks using the IDM
Describe the features and functions of the Cisco Security Agent
Manage host-based intrusion prevention policies across the network with the CSA MC

Lesson 1

Introducing Intrusion Prevention Systems

Overview
This lesson introduces intrusion detection systems (IDS) and intrusion prevention systems
(IPS). The features and functions of the technologies and components are described. Attention is
paid to the way in which signatures are used in mitigating attacks and the processes that are
initiated when a signature is triggered.

Objectives
Upon completing this lesson, you will be able to describe the underlying IDS and IPS
technology embedded in the Cisco IDS/IPS solution. This ability includes being able to meet
these objectives:
Define commonly used terms associated with intrusion detection and prevention
Explain IPS technologies, attack responses and monitoring options
Describe the features of network-based IPS
Describe the features of a HIPS
Describe the characteristics and function of Cisco IPS signatures
Describe how Cisco IPS sensors use signature engines to tune and create signatures
Describe how various alarm levels are triggered by Cisco IPS signatures
Describe the features of Cisco IPS Sensor Software version 5.0
Explain the factors to consider when selecting and deploying Cisco IDS/IPS sensors
Intrusion Detection and Prevention Terminology
This topic provides definitions and explanations for commonly used terms associated with
intrusion detection and prevention.

Intrusion Detection and Intrusion Prevention

Network sensing involves:
• Real-time monitoring of network packets, which involves packet capture and analysis.
• Monitoring of syslog traffic from a managed Cisco router.

Intrusion Detection System
• “Taps” network traffic
• Responds after the attack
• Uses IDS Version 4.x software

Intrusion Prevention System
• Works “inline”
• Stops attacks before they enter the network
• Uses IPS Version 5.0 software

A sensor captures network packets with one of its own interfaces, then reassembles and
compares this data against a rule set that indicates typical intrusion activity. The syslog traffic
is sent to UDP port 514, and is analyzed by the Sensor intrusion detection engine.

When a Cisco IDS analyzes network data, it looks for patterns of misuse. Patterns can be as
simple as an attempt to access a specific port on a specific host, or as complex as sequences of
operations distributed across multiple hosts over an arbitrary period of time. The first type of
pattern is termed an atomic pattern; the second, a composite pattern.

A Cisco IDS searches for patterns of misuse by examining either the data portion or the header
portion of network packets. Content-based attacks derive from the data portion, and context-
based attacks derive from the header portion.

An IDS detects attacks against a network, including attacks against hosts and devices. When a
sensor detects unauthorized activity it sends alarms to the management console(s) along with
details of the activity. An IDS can only respond after an attack is detected. In the case of an
atomic attack where malicious content is contained in a single packet, the malicious packet can
reach its target before a response action can be taken. Intrusion detection is the ability to detect
misuse, abuse, and unauthorized access to networked resources.

An IPS represents a significant advance over IDS. Older Cisco IDS sensors, such as the Cisco
IDS 4250 XL Sensor and the Cisco IDS 4215 Sensor, provide intrusion detection. Newer Cisco
IPS Sensors, such as the Cisco IPS 4255 Sensor and the Cisco IPS 4240 Sensor, as well as
current Cisco IOS software, can be deployed inline to provide intrusion prevention. By default,
the monitoring interface of a Cisco IPS sensor works in promiscuous mode, which means that it
monitors all traffic on the local network through a network device that captures traffic for the
sensor.

In contrast to a sensor in promiscuous mode, an inline sensor processes packets as they flow
through the network data forwarding path and can make the decision to forward or drop packets
based on what is detected. An inline sensor is, therefore, an IPS. Inline IPS provides an added
level of protection from worms and atomic attacks where malicious content is contained in a
single packet.

The term intrusion protection is often used in a generic sense, and although some Cisco
literature still refers to intrusion protection, the term can be confusing and should be avoided.

Signatures and Signature Algorithms

• Network intrusion: A sequence of activities by a malicious individual that results in
unauthorized security threats to a target network
• Signature: A set of conditions that indicate some type of intrusion event
• Algorithm: Based on the intrusion prevention methodologies discussed in this lesson

The term "signature" in this lesson refers to a set of conditions that when met, indicate some
type of intrusion event is occurring or has occurred.

Cisco IDS and IPS use over a hundred signatures to detect patterns of misuse in network traffic
and identify the most common attacks. Simple signatures check the value of a header field.
More complex signatures may track the state of a connection or perform extensive protocol
analysis on the traffic. Cisco IDS/IPS signatures provide the ability to customize embedded
signatures as well as to write new signatures to meet specific threats. This ability will be
described later in this lesson.

IDS/IPS Alarms

Alarms are a crucial component of IDS/IPS operation.

• False positive: This type of alarm occurs in a situation in which
normal traffic or a benign action causes the signature to fire.
• False negative: This type of alarm occurs in a situation in
which a signature is not fired when offending traffic is
detected. An actual attack is not detected.
• True positive: This type of alarm occurs in a situation in which
a signature is fired properly when the offending traffic is
detected. An attack is detected as expected.
• True negative: This type of alarm occurs in a situation in which
a signature is not fired when nonoffending traffic is detected.
Normal traffic or a benign action does not cause an alarm.


A network IDS/IPS signature is a pattern in traffic that indicates an intrusion attempt has
occurred. Signatures are configured manually or automatically in IDS/IPS devices. The ability
of IDS/IPS products to accurately detect an attack or a policy violation and generate an alarm is
critical to their functionality.

Alarms can be classified in the following ways:
False Positive: A false positive is an alarm from normal traffic or a benign action.
Consider the following scenario: a signature exists that generates alarms if the enable
password of any network devices is entered incorrectly. A network administrator attempts
to log in to a Cisco router but enters the wrong password. The IDS cannot distinguish
between a rogue user and the network administrator, and it generates an alarm.
False Negative: A false negative occurs when a signature is not fired when offending
traffic is detected. Offending traffic ranges from someone sending confidential documents
outside of the corporate network to attacks against corporate web servers. False negatives
are bugs in the IDS/IPS software and should be reported.
True Positive: A true positive occurs when an IDS/IPS signature is correctly fired when
offending traffic is detected and an alarm is generated. For example, consider a Unicode
attack. Cisco IDS/IPS sensors have signatures that detect Unicode attacks against Microsoft
Internet Information Server (IIS) web servers. If a Unicode attack is launched against
Microsoft IIS web servers, the sensors detect the attack and generate an alarm.
True Negative: A true negative occurs when a signature is not fired when non-offending
traffic is captured and analyzed. In other words, the sensor does not fire an alarm when it
captures and analyzes “normal” network traffic.

Note A false negative should only be considered a software bug if the IDS/IPS has a signature
that has been designed to detect the offending traffic.

Intrusion Prevention Technologies
This topic explains IPS technologies, attack responses and monitoring options.

Intrusion Prevention Methodologies

Cisco IPS sensors use a blend of technologies:
• Profile-based intrusion detection
• Signature-based intrusion detection
• Protocol analysis intrusion detection

Among the many vendors of IDS and IPS, there is marked variation on what constitutes a
network intrusion. This variation has led to many confusing claims by vendors about the best
methodologies and solutions. Cisco IPS sensors use a blend of detection technologies, which
are described in this lesson.

Profile-Based Intrusion Detection

• Also known as anomaly detection—Activity deviates from the profile of “normal” activity
• Requires creation of statistical user and network profiles
• Prone to high number of false positives—Difficult to define “normal” activity

Profile-based intrusion detection generates an alarm when activity on the network goes outside
the profile. Anomaly-based signatures are typically geared to look for network traffic that
deviates from what is seen "normally". With anomaly detection, profiles are created for each
user or user group on your system. Examples of user and network activity are used to build
profiles of normal activity. These profiles are then used as a baseline to define normal user and
network activity. For example, a web server farm would typically generate web traffic using
HTTP. A profile could be created to monitor web traffic. Another example is a network
segment where the users are help desk technicians. The help desk technician's primary function
is to monitor e-mail requests. A profile could be created to monitor mail traffic using Simple
Mail Transfer Protocol (SMTP).

The problem with this method of intrusion detection is that users do not feel a responsibility to
follow a profile. Humans do not consistently keep to a normal pattern; consequently, what may
be defined as normal activity today might not be normal activity tomorrow. There is too much
variation in the way users act on the network for this type of detection to be effective. For
example, some help desk technicians may access the web or telnet to systems in order to
troubleshoot problems. Based on the profile created, this type of network activity would trigger
alarms, which are likely to be benign.

Signature-Based Intrusion Detection

• Also known as misuse detection or pattern matching—Matches pattern of malicious activity
• Requires creation of signatures
• Less prone to false positives—Based on the ability of the signature to match malicious
activity

Signature-based intrusion detection is less prone to false positives when detecting unauthorized
activity. A signature is a set of rules pertaining to typical intrusion activity. Highly skilled
network engineers research known attacks and vulnerabilities and develop signatures to detect
these attacks and vulnerabilities. These attack signatures encompass specific traffic or activity
based on known intrusive activity.

A pattern matching approach looks for a fixed sequence of bytes in a single packet. As its name
suggests, it is a fairly rigid but simple to employ approach. In most cases, the pattern is
matched against a packet only if the suspect packet is associated with a particular service or,
more precisely, destined to or from a particular port. For example, a signature might be based
on a simple pattern-matching approach such as this:
If <the packet is IPv4 and TCP> and <the destination port is 2222> and <the payload
contains the string “foo”> then <fire an alarm>.

A Cisco IPS implements signatures that can look at every packet going through the network
and generate alarms when necessary. A Cisco IPS generates alarms when a specific pattern of
traffic is matched or a signature is triggered. You can configure a Cisco IPS to exclude
signatures and modify signature parameters to work optimally in your network environment.
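The sample signature above, run as an added example that is not code from the Cisco guide: the script decodes constructed IPv4/TCP/UDP frames, fires the signature, and scores each decision with the four alarm outcomes defined in the IDS/IPS Alarms section. Addresses, ports, payloads and the offending/benign labels are constructed for illustration.

```python
# Added example (not from the Cisco SND guide): the lesson's sample signature run over
# constructed IPv4 frames, with each decision scored as one of the four alarm outcomes.
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIGNATURE_PORT = 2222       # destination port named in the sample signature
SIGNATURE_PATTERN = b"foo"  # payload string named in the sample signature
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    """Header fields the signature needs once the frame is decoded."""
    version: int
    proto: int
    src: str
    dst: str
    dport: Optional[int]    # None when no TCP/UDP header is present
    payload: bytes


def parse_ipv4(raw: bytes) -> Optional[Packet]:
    """Decode the IP header, then the TCP or UDP header it carries, then expose the
    transport payload (the order the protocol-analysis text describes).
    Returns None for frames that are not well-formed IPv4."""
    if len(raw) < 20:
        return None
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        return None
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    body, dport = raw[ihl:total_len], None
    if proto == IPPROTO_TCP and len(body) >= 20:
        dport = struct.unpack("!H", body[2:4])[0]
        body = body[(body[12] >> 4) * 4:]       # skip TCP header incl. options
    elif proto == IPPROTO_UDP and len(body) >= 8:
        dport = struct.unpack("!H", body[2:4])[0]
        body = body[8:]
    return Packet(version, proto, src, dst, dport, body)


def signature_fires(pkt: Packet) -> bool:
    """The sample signature: IPv4 and TCP, destination port 2222, payload contains "foo"."""
    return (pkt.version == 4 and pkt.proto == IPPROTO_TCP
            and pkt.dport == SIGNATURE_PORT and SIGNATURE_PATTERN in pkt.payload)


def classify_alarm(fired: bool, offending: bool) -> str:
    """Score one signature decision against ground truth with the lesson's four outcomes."""
    if fired:
        return "true positive" if offending else "false positive"
    return "false negative" if offending else "true negative"


# Constructed sample frames (checksums left zero; the parser does not verify them).
def build_ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # data offset 5 words, flags PSH|ACK, window 8192, checksum and urgent pointer 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# (raw frame, is_offending): the second field is the analyst's ground-truth label.
SAMPLES: List[Tuple[bytes, bool]] = [
    # the traffic the signature was written for -> true positive
    (build_ipv4(IPPROTO_TCP, "203.0.113.9", "192.0.2.10",
                build_tcp(40000, 2222, b"foo\x00\x00")), True),
    # benign session on the same port that happens to contain "foo" -> false positive
    (build_ipv4(IPPROTO_TCP, "192.0.2.20", "192.0.2.10",
                build_tcp(40001, 2222, b"meet at foo-bar cafe")), False),
    # same hostile payload over UDP, outside the signature's TCP-only scope -> false negative
    (build_ipv4(IPPROTO_UDP, "203.0.113.9", "192.0.2.10",
                build_udp(40002, 2222, b"foo\x00\x00")), True),
    # ordinary web request -> true negative
    (build_ipv4(IPPROTO_TCP, "192.0.2.21", "192.0.2.80",
                build_tcp(40003, 80, b"GET / HTTP/1.0\r\n\r\n")), False),
    # frame with version nibble 6: the parser rejects it, no alarm -> true negative
    (b"\x60" + b"\x00" * 39, False),
]


def evaluate(samples: List[Tuple[bytes, bool]]) -> Dict[str, int]:
    """Run the signature over labelled frames and tally the four outcomes."""
    counts = {"true positive": 0, "false positive": 0, "false negative": 0, "true negative": 0}
    for raw, offending in samples:
        pkt = parse_ipv4(raw)
        fired = pkt is not None and signature_fires(pkt)
        counts[classify_alarm(fired, offending)] += 1
    return counts
```

The UDP sample shows why the rigid port-and-pattern rule is scored as a miss against ground truth even though, per the note above, it is a coverage gap rather than a bug in a signature that was only written for TCP.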

Protocol Analysis

Intrusion detection analysis is performed on the protocol specified in the data stream:
• Examines the protocol to determine the validity of the packet
• Checks the content of the payload (pattern matching)

Signature-based intrusion detection uses signatures based on values in IP, TCP, User Datagram
Protocol (UDP), and Internet Control Message Protocol (ICMP) headers. Protocol analysis-
based intrusion detection is similar, but it performs a more in-depth analysis of the protocols
specified in the packets. A deeper analysis examines the payloads within TCP and UDP
packets, which contain other protocols. For example, a protocol such as Domain Name System
(DNS) is contained within TCP or UDP, which itself is contained within IP.

The first step is to decode the packet IP header information and determine whether the payload
contains TCP, UDP or another protocol. For example, if the payload is TCP, then some of the
TCP header information within the IP payload is processed before the TCP payload is accessed
(DNS data for example). Similar actions are mapped for other protocols.

Protocol analysis requires that the IPS sensor knows how various protocols work so that it can
more closely analyze the traffic of those protocols to look for suspicious or abnormal activity.
For each protocol, the analysis is based not only on protocol standards, particularly the RFCs,
but also on how things are implemented in the real world. Many implementations violate
protocol standards, so it is very important that signatures reflect common and accepted practice
rather than the RFC-specified ideal; otherwise, false positives and false negatives can occur.
Protocol analysis techniques trigger an alert when the traffic does not meet the expected
protocol operations.

For example, assume an attack has been launched against a server. The attacker sends an IP
packet with a protocol type, which, according to an RFC, should not contain any data in the
payload. A protocol analysis-based IPS detects the attack based on the knowledge of the
protocol and sets off an alarm.
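
The decode-then-inspect sequence described above, as an added example that is not Cisco sensor code: it decodes the IP header, then the TCP header, and only then applies two signatures to the fields it found, the rule quoted at the start of this section (IPv4 and TCP, destination port 2222, payload containing “foo”) and one protocol-validity check (a TCP flag combination that no conforming stack sends). The list of illegal flag combinations, the packet builder, and the sample packets are constructed for this example.

```python
# Added example: minimal IPv4/TCP decoder plus two signatures (not Cisco
# sensor code).  The illegal-flag list and the packet builder are assumptions.
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32

# Constructed list of flag combinations that violate expected TCP operation.
ILLEGAL_TCP_FLAGS = {
    0,                            # no flags at all ("null" segment)
    TCP_SYN | TCP_FIN,            # open and close in the same segment
    TCP_SYN | TCP_RST,
    TCP_FIN | TCP_PSH | TCP_URG,  # FIN without ACK ("xmas" pattern)
}


def decode_ipv4_tcp(pkt):
    """Step 1: IP header; step 2: TCP header; return the decoded fields.

    Returns None if the packet is not IPv4 carrying TCP or is truncated, so a
    signature never inspects fields that were not actually present.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or ihl < 20 or ihl > total_len or total_len > len(pkt):
        return None                            # not TCP, or lengths inconsistent
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    if data_off < 20 or data_off > len(tcp):
        return None
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp[13] & 0x3F, "payload": tcp[data_off:]}


def inspect(pkt):
    """Apply the two signatures; return the names of the alarms raised."""
    f = decode_ipv4_tcp(pkt)
    if f is None:
        return []
    alarms = []
    if f["flags"] in ILLEGAL_TCP_FLAGS:                  # protocol-analysis check
        alarms.append("illegal-tcp-flags")
    if f["dport"] == 2222 and b"foo" in f["payload"]:   # the rule from the text
        alarms.append("port-2222-foo")
    return alarms


def build_ipv4_tcp(src, dst, sport, dport, flags, payload):
    """Construct a test packet: IPv4 + TCP, no options, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0)
    return ip + src_b + dst_b + tcp


# Constructed traffic: a benign request, a segment matching the rule, and a
# segment with SYN and FIN set together.
SAMPLES = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 80, TCP_PSH | TCP_ACK, b"GET /foo"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40001, 2222, TCP_PSH | TCP_ACK, b"foo\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40002, 2222, TCP_SYN | TCP_FIN, b""),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(inspect(p))
```

The length checks in the decoder are the part that matters for a sensor: a signature that reads a destination port out of a packet whose IP header says it carries UDP, or whose TCP header is shorter than its data offset claims, produces exactly the false positives and negatives the text warns about.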

IPS Attack Response Options

Reactive IPS can respond to an attack in any of the following ways:
• Terminate session (TCP resets)
• Block offending traffic (ACL)
• Create session log files (IP logging)
• Restrict access

Intrusion detection technology is traditionally considered a passive monitoring tool. Earlier
IDSs simply monitored the network for suspicious activity or parsed system log files. Modern
IPS offers much more reactive responses and preventive measures when an intrusion or
malicious activity is detected. The common IPS reactive responses are as follows:

Terminate the TCP session: The IPS sends TCP packets with the reset bit set to both the
source address of the attack and the destination address of the target.

Block offending traffic: The IPS communicates with the network device and applies an
access control list (ACL) entry specifying that the source address of the attack be denied.

Create session log files: The IPS creates a session log file capturing the data transmitted
from the source address of the attack so that the data can be used to analyze the attack.

Restrict access: The IPS blocks access to the relevant realm or domain.

IPS Monitoring Options

Network-based intrusion prevention systems
• Sensor appliances are connected to network segments to monitor many hosts.

Host-based intrusion prevention systems
• A centrally managed software agent is installed on each host.

Monitoring intrusive activity can occur at two locations:

Network-based IPS: Instead of looking for intrusive activity at the host level, network-
based monitoring systems examine packets that are traveling through the network for
known signs of intrusive activity. Because these systems are watching network traffic,
any attack signatures detected may succeed or fail. It is usually difficult if not impossible
for network-based monitoring systems to assess the success or failure of the actual attacks.
They only indicate the presence of intrusive activity.

Host-based IPS (HIPS): A host-based monitoring system examines information at the
local host or operating system. It can be complex and examine actual system calls, or it can
be simple and just examine system log files. Some host-based monitoring systems can halt
attacks before they can succeed, whereas others report only on what has already happened.

Network-Based vs. Host-Based IPS

Host-Based IPS
• Application-level encryption protection
• Policy enhancement (resource control)
• Web application protection
• Buffer overflow
• Network attack and reconnaissance prevention
• Denial of service prevention
Network-Based IPS

The figure shows how network-based IPS and HIPS complement one another. While network-
based IPS focuses on detecting buffer overflows, attacks on Web servers, network
reconnaissance, and DoS attacks, HIPS focuses on application and host resource protection.

Network-Based Intrusion Prevention Systems
This topic describes the features of network-based IPS.

Network-Based IPS Features

• Sensors are connected to network segments. A single sensor can monitor many hosts.
• Sensors are network appliances tuned for intrusion detection analysis
– The operating system is “hardened.”
– The hardware is dedicated to intrusion detection analysis.
• Growing networks are easily protected
– New hosts and devices can be added without adding sensors.
– New sensors can be easily added to new networks.

Network-based IPS involves the deployment of monitoring devices, or sensors, throughout the
network to capture and analyze the traffic. Sensors detect malicious and unauthorized activity
in real time and can take action when required. Sensors are deployed at designated network
points that enable security managers to monitor network activity while it is occurring,
regardless of the location of the target of the attack.

Network-based IPS sensors are usually tuned for intrusion detection analysis. The underlying
operating system of the platform on which the sensor software is mounted is “stripped” of
unnecessary network services, and essential services are secured. The hardware includes the
following components:

Network interface card (NIC): Network-based IPS must be able to connect into any
network (Ethernet, Fast Ethernet, Gigabit Ethernet, Token Ring, and Fiber Distributed Data
Interface (FDDI) are common).

Processor: Intrusion detection requires CPU power to perform intrusion detection protocol
analysis and pattern matching.

Memory: Intrusion detection analysis is memory intensive. Memory directly impacts the
ability of a network-based IPS to efficiently and accurately detect an attack.

Network-Based IPS Deployment

Figure: Network-Based IPS Deployment (Corporate Network, Sensors, Firewall, Router, Untrusted Network, Management Server, WWW Server, DNS Server)

Network-based IPS gives security managers real-time security insight into their networks
regardless of network growth. Additional hosts can be added to protected networks without
needing more sensors. When new networks are added, additional sensors are easy to deploy.
Additional sensors are only required when their rated traffic capacity is exceeded, when their
performance does not meet current needs or when a revision in security policy or network
design requires additional sensors to help enforce security boundaries.

The figure illustrates a typical network-based IPS deployment. Sensors are deployed at network
entry points that protect critical network segments. The network segments have internal and
external corporate resources. The sensors report to a central management and monitoring server
located inside the corporate firewall.

The advantages and disadvantages of a network-based IPS are as follows:

Advantages of network-based IPS: A network-based monitoring system has the benefit
of easily seeing attacks that are occurring across the entire network. Seeing the attacks
against the entire network gives a clear indication of the extent to which it is being
attacked. Furthermore, because the monitoring system is only examining traffic from the
network, it does not have to support every type of operating system that is used on the
network.

Disadvantages of network-based IPS: Encryption of the network traffic stream can
essentially blind network-based IPS. Reconstructing fragmented traffic can also be a
difficult problem to solve. Possibly the biggest drawback to network-based monitoring is
that as networks become increasingly larger (with respect to bandwidth), it becomes more
difficult to place a network-based IPS at a single location in the network and successfully
capture all the traffic. Eliminating this problem requires the use of more sensors throughout
the network. However, this solution increases costs.

Host-Based Intrusion Prevention Systems
This topic describes the features of a HIPS.

HIPS Features

• Agent software is installed on each host.
• HIPS provides individual host detection and protection.
• HIPS does not require special hardware.

A HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS
is that it can monitor operating system processes and protect critical system resources,
including files that may exist only on that specific host. HIPS combines behavioral analysis and
signature filters. HIPS can also combine the best features of anti-virus, network firewalls and
application firewalls in one package.

A simple form of HIPS enables system logging and log analysis on the host. However, this
approach can be extremely labor intensive. Contemporary HIPS software requires Cisco
Security Agent (CSA) software to be installed on each host to monitor activity performed on
and against the host. The CSA performs the intrusion detection analysis and protects the host.

HIPS Operation

Figure: an application call passes from Application to HIPS to Kernel; HIPS can block it (X).
1. An application calls for system resources.
2. HIPS checks the call against the policy.
3. Requests are allowed or denied.

• HIPS intercepts operating system (OS) and application calls.
• Rules control application and network stacks.
• Processor controls limit buffer overflow, registry updates, writes to the system directory, and the launching of installation programs.
• Behavior based.

Recall that HIPS operates by detecting attacks occurring on a host on which it is installed. HIPS
works by intercepting operating system and application calls, securing the operating system and
application configurations, validating incoming service requests, and analyzing local log files
for after-the-fact suspicious activity.

HIPS uses rules based on a combination of known attack signatures and a detailed knowledge
of the operating system and specific applications running on the host. These rules enable HIPS
to determine abnormal or out-of-bound activity and therefore prevent the host from executing
commands that do not fit the correct behavior of the operating system or application.

HIPS improves the security of hosts and servers by using rules that control operating system
and network stack behavior. Processor control limits activity such as buffer overflows, registry
updates, writes to the system directory, and the launching of installation programs. Regulation
of network traffic can help ensure that the host does not participate in accepting or initiating
FTP sessions, can rate-limit when a DoS attack is detected, or can keep the network stack from
participating in a DoS attack.

Because HIPS does not rely solely on the signatures of known attacks to provide protection, it
also protects servers against unknown attacks by detecting nonstandard behaviors.

Cisco HIPS Deployment

Figure: Cisco HIPS Deployment (Corporate Network, Agents on the Application Server, SMTP Server, WWW Server, DNS Server and user desktops, Firewall, Untrusted Network, Console Server)

The figure illustrates a typical HIPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The Agents report events to a central console server located inside the corporate firewall.

The advantages and disadvantages of HIPS are as follows:

Advantages of HIPS:
— The success or failure of an attack can be readily determined. A network-based IPS
sends an alarm on the presence of intrusive activity, but cannot always ascertain the
success or failure of such an attack.
— HIPS does not have to worry about fragmentation attacks or variable time-to-live
attacks because the host stack takes care of these issues.
— If the network traffic stream is encrypted, HIPS has access to the traffic in
unencrypted form.

Disadvantages of HIPS: Two of the major drawbacks to HIPS are the following:
— HIPS does not provide a complete network picture. Because HIPS examines
information only at the local host level, HIPS has difficulty constructing an accurate
network picture or coordinating the events happening across the entire network.
— HIPS has a requirement to support multiple operating systems. HIPS needs to run on
every system in the network. This requires verifying support for all of the different
operating systems used.

Cisco IPS Signatures
This topic describes the characteristics and function of Cisco IPS signatures.

Signature Characteristics

• A network IPS signature is a set of rules used to detect intrusive activity.
• Cisco IDS/IPS sensors use the following types of signatures:
— Built-in signatures: Known attack signatures that are included in the sensor software
— Tuned signatures: Built-in signatures that you modify
— Custom signatures: New signatures that you create

A signature is a set of rules that network-based IPS and HIPS use to detect typical intrusive
activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect
known attacks and respond with actions that you define.

The sensor compares its list of signatures to network activity. When it finds a match, the sensor
takes action. A sensor enables you to modify existing signatures and define new ones.

The following features provide a general description of Cisco IPS signatures:

Minimizing false positives: Signature-based intrusion detection can produce false
positives because some normal network activity can be misinterpreted as malicious. For
example, some network applications or operating systems may send out numerous ICMP
messages, which a signature-based detection system might interpret as an attempt by an
attacker to map out a network segment. You can minimize false positives by tuning your
sensors.

Enabling IDS/IPS signatures: You must enable the signature to monitor network traffic.
The most critical signatures are enabled by default. When an attack that matches an enabled
signature is detected, the sensor generates an alert event and stores it in the EventStore. The
alert events, as well as other events, may be retrieved from the EventStore by web-based
clients. By default, the sensor logs all alarms at the informational level or higher.

Subsignatures: Some signatures have subsignatures. This means that the signature is
divided into subcategories. When you configure a subsignature, changes made to the
parameters of one subsignature apply only to that subsignature.

Built-in signatures: Built-in signatures are included in the sensor software. You cannot
add to or delete from the list of built-in signatures. You also cannot rename them. Many
built-in signatures are based on known attacks, but some provide information about your
sensor. For example, signature 993 (Missed Packet Count) alerts you if the sensor is
dropping packets. This signature also tells the percentage dropped to help you tune the
traffic level you are sending to the sensor. If the alarms show that there are no dropped
packets or a very small percentage of dropped packets, the sensor is able to monitor the
quantity of traffic being sent. If you see signature 993 alerts with a high percentage of
dropped packets, your sensor is oversubscribed. If signature 993 is firing with 100 percent
packet loss, the sensor is not generating alarms and there is a problem. If you have the most
recent version, contact the Cisco Technical Assistance Center (TAC) to report the problem.

Tuning built-in signatures: You can tune built-in signatures by adjusting several signature
parameters. Built-in signatures that have been modified are called tuned signatures. You
can also create new signatures, which are called custom signatures.

Signature Features

• Regular expression string pattern matching
• Response actions
• Alarm summarization
• Threshold configuration
• Anti-evasive techniques

The Cisco IPS signatures are also capable of the following:

Regular expression string pattern matching: This capability enables the creation of
string patterns using regular expressions.

Response actions: This capability enables the sensor to take an action when the signature
is triggered.

Alarm summarization: This feature enables the sensor to aggregate alarms to limit the
number of times an alarm is sent when the signature is triggered.

Threshold configuration: This capability enables a signature to be tuned to perform
optimally in a network.

Anti-evasive techniques: This feature enables a signature to defeat evasive techniques
used by an attacker.

Sensor Signature Examples

Attack Method: Signature Characteristics
Attempt to connect from a reserved IP address: Sensor checks the source address field in an IP header.
Illegal TCP flag combination: Sensor compares the flags set in a TCP header against known good or bad flag combinations.
Email infected with a virus: Sensor compares the subject of email messages to the subject of known email messages associated with the viruses, or it can look for a specific attachment.
DNS buffer overflow attempt contained in the payload of a query: The sensor can parse the DNS fields and check their length, or look for exploit shellcode sequences in the payload.
Denial of service attack on a server: The sensor signature keeps track of how many times the command is issued and sends an alert if that number exceeds the set threshold.
Unauthorized access to an FTP server: The sensor would use a state-tracking signature to monitor FTP traffic for an authorized login. An alert would be sent if unauthorized commands were issued before the user had been properly authenticated.

The figure lists examples of the methods that signatures use to identify certain types of
attack.

Regular Expressions Syntax

Regular expressions can be entered from the CLI to detect simple and complex text patterns in the traffic.
Syntax uses special characters.

Metacharacter (Name): Description
() (Parenthesis): Used to limit the scope of other metacharacters
| (Alternation, or): Matches either expression it separates
[abc] (Character class): Any character listed

You can configure IDS and IPS signatures from the command-line interface (CLI). Regular
expressions are text patterns used for string matching. They are strings that contain a mix of
plain text and special characters to indicate what should be matched. For example, if you are
looking for a numeric digit, the regular expression to search for is "[0-9]". The brackets indicate
that the character being compared should match any one of the characters enclosed within the
bracket. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this
regular expression will match any character from 0 to 9. To search for a specific special
character, you must use a backslash before the special character. For example, the single
character regular expression "\*" matches a single asterisk.

Regular expressions (regex) constitute a powerful and flexible notational language that allows
you to describe text in IDS and IPS signatures. In the context of pattern matching, regular
expressions allow a succinct description of almost any arbitrary pattern.

The “Regex Expressions” table lists the IDS and IPS regular expressions syntax.

Regex Expressions

Metacharacter (Name): Description
? (Question mark): Repeat 0 or 1 time
* (Star or asterisk): Repeat 0 or more times
+ (Plus): Repeat 1 or more times
{x} (Quantifier): Repeat exactly X times
{x,} (Minimum quantifier): Repeat at least X times
. (Dot): Any one character except new line (0x0A)
[abc] (Character class): Any character listed
[^abc] (Negated character class): Any character not listed
[a-z] (Character range class): Any character listed inclusively in the range
() (Parenthesis): Used to limit the scope of other metacharacters
| (Alternation, or): Matches either expression it separates
^ (Caret): The beginning of the line
\char (Escaped character): Whether char is a metacharacter or not, matches the literal char
char (Character): When char is not a metacharacter, matches the literal char
\r (Carriage return): Matches the carriage return character (0x0D)
\n (New line): Matches the new line character (0x0A)
\t (Tab): Matches the tab character (0x09)
\f (Form feed): Matches the form feed character (0x0C)
\xNN (Escaped hexadecimal character): Matches the character with the hexadecimal code 0xNN (where 0<=N<=F)
\NNN (Escaped octal character): Matches the character with the octal code NNN (where 0<=N<=8)

Examples of Regex Patterns

Required Match: Regular Expression
Hacker or hacker: [Hh]acker
Either hot or cold: hot|cold
Any number of occurrences of the letter a, including none: a*
Requires at least one letter a to be in the string to be matched: a+

The “Regex Patterns” table shows examples of regex patterns.

Regex Patterns

To Match: Regular Expression
Hacker: Hacker
Hacker or hacker: [Hh]acker
Variations of bananas, banananas, banananananas: Ba(na)+s
The words “hot” and “cold” on the same line with anything except a new line between them: hot.*cold
Either hot or cold: hot|cold
Either moon or soon: (m|s)oon
Any number of occurrences of the letter a, including none: a*
Requires that at least one letter a be in the string to be matched: a+
The string bb or bab: ba?b
Any number of asterisks (*): \**
Any number of the multiple-character string ab: (ab)*
Note: Enclose the pattern in parentheses to use multipliers with multiple-character patterns.
One or more instances of alphanumeric pairs, but not none (that is, an empty string is not a match): ([A-Za-z][0-9])+

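The patterns from the two tables above, exercised with Python's re module as an added example that is not part of the course material and does not use the sensor's own matcher. The assumption is that for the metacharacters involved here ([], |, *, +, ?, ., (), \) the sensor's dialect and Python's agree; the sample strings are constructed for the example.

```python
# Added example (not Cisco code): the regex patterns from the tables above,
# checked with Python's re module on constructed sample strings.  Assumes the
# sensor's regex dialect and Python's agree for these metacharacters.
import re


def sensor_match(pattern, text):
    """True if pattern occurs anywhere in text.  A string signature scans the
    stream for any occurrence, so this is a search, not a whole-text match."""
    return re.search(pattern, text) is not None


def exact_match(pattern, text):
    """True if the whole text is described by pattern; used below to show
    exactly what the quantifiers cover."""
    return re.fullmatch(pattern, text) is not None


def matches_empty(pattern):
    """True if the pattern can match the empty string.  Used as a search, such
    a pattern matches every packet, so a signature built on it fires on all
    traffic."""
    return re.fullmatch(pattern, "") is not None


# (pattern, text, expected) triples built from the "Regex Patterns" table;
# the texts are constructed for this example.
TABLE_CASES = [
    (r"[Hh]acker", "hacker", True),
    (r"[Hh]acker", "HACKER", False),      # character classes are case-sensitive
    (r"Ba(na)+s", "Banananas", True),
    (r"Ba(na)+s", "Bas", False),          # + needs at least one "na"
    (r"Ba(na)+s", "bananas", False),      # the pattern starts with a capital B
    (r"hot.*cold", "hot and cold", True),
    (r"hot.*cold", "hot\ncold", False),   # . never matches a new line
    (r"(m|s)oon", "soon", True),
    (r"(m|s)oon", "noon", False),
    (r"ba?b", "bab", True),
    (r"ba?b", "baab", False),
    (r"([A-Za-z][0-9])+", "x7y8", True),
]


def run_table_cases():
    """Return the cases whose observed result differs from the expected one
    (an empty list means every table entry behaved as described)."""
    return [(p, t) for p, t, want in TABLE_CASES if sensor_match(p, t) != want]


def quantifier_demo():
    """Whole-text matches that show which quantifiers accept an empty string
    and why multi-character repeats need parentheses."""
    return {
        "a* on ''": exact_match(r"a*", ""),
        "a+ on ''": exact_match(r"a+", ""),
        r"\** on '***'": exact_match(r"\**", "***"),
        r"\** on '*a*'": exact_match(r"\**", "*a*"),
        "(ab)* on 'ababab'": exact_match(r"(ab)*", "ababab"),
        "ab* on 'ababab'": exact_match(r"ab*", "ababab"),   # * applies to b only
        "([A-Za-z][0-9])+ on ''": exact_match(r"([A-Za-z][0-9])+", ""),
    }


if __name__ == "__main__":
    print("mismatches:", run_table_cases())
    for label, result in quantifier_demo().items():
        print(label, "->", result)
    for pat in (r"a*", r"a+", r"\**", r"(ab)*"):
        print(pat, "matches empty string:", matches_empty(pat))
```

The last function is the check worth running before adding a custom string signature: a*, \** and (ab)* all accept the empty string, so as a search pattern each of them matches every packet, and the resulting signature would fire on all traffic rather than on the asterisks or repeated ab it was meant to find.
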
Signature Responses

When triggered, Cisco IPS signatures can take one or all of the following actions:
• Terminate the TCP session between the source of an attack and the target host
• Log subsequent IP packets from the source of an attack
• Initiate the blocking of IP traffic from the source of an attack

Cisco IPS signatures can take one or all of the following actions when triggered:

TCP reset: Terminates the TCP session between the source of an attack and the target host

IP log: Logs subsequent IP packets from the source of an attack

Block: Initiates the blocking of IP traffic from the source of an attack, either a block on the
host or the connection

Note: The current list of IPS signatures can be found at:
http://www.cisco.com/cgi-bin/front.x/csec/idsAllList.pl.

Cisco IPS Signature Engines
This topic describes how Cisco IPS sensors use signature engines to tune and create signatures.

Engine Overview

• A signature engine is a component of the sensor that supports a category of signatures.
• Cisco IPS signature engines enable you to tune and create signatures unique to your network environment.

Cisco IPS signature engines enable the network security administrator to tune and create
signatures unique to their network environment. Each signature is created using a signature
engine specifically designed for the type of traffic being monitored. A signature engine is a
component of the sensor that supports a category of signatures. An engine is composed of a
parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or
sets of values.

Categories and Uses

Engine Category: Use
Atomic: Used for single-packet conditions
Flood: Used to detect attempts to cause a DoS
Service: Used when services with Layer 5, 6, and 7 require protocol analysis
State.String: Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams
String: Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols
Sweep: Used to detect network reconnaissance
Traffic: Used to detect traffic irregularities
Trojan: Used to target nonstandard protocols
OTHER: Used to group generic signatures

There are several general categories of Cisco IPS signature engines, each with a particular use.
The use and selection of signature engines is dependent on several variables. The “Signature
Engines” table provides a list of engine categories and a description of the use of each engine.

Signature Engines

Engine Category: Engine Use
Atomic: This engine category is used to perform per-packet inspection. The Atomic engines support signatures that trigger alarms based on the analysis of a single packet.
Flood: Used to detect attempts to cause a DoS.
Service: Used when services with Layer 5, 6, and 7 require protocol analysis.
State.String: Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams.
String: Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols including TCP, UDP, and ICMP.
Sweep: Used to detect network reconnaissance.
Traffic: Identifies traffic irregularities.
Trojan: Used to detect BackOrifice Trojan horse traffic and Tribal Flood Network 2000 (TFN2K) Trojan or distributed denial of service (DDoS) traffic.
OTHER: Used to group generic signatures so common parameters may be changed.

Engine Parameters

• An engine parameter is a name and value pair.
• The parameter name is defined by its engine.
• Parameter values have limits that are defined by the engine.
• The parameter name is constant across all signatures in a particular engine, but the value can be different for the various signatures in an engine group.
• Engine parameters have the following attributes:
– Protected: The parameter cannot be changed for the default signatures.
– Required: The parameter value must be defined for all signatures.

An engine parameter is a name and value pair. The name is defined by each engine. The value
has limits that are defined by the engine so that only values falling in a particular range are
valid. The parameter name is constant across all signatures in a particular engine, but the value
can be different for the various signatures in an engine group.

Engine parameters have the following attributes:

Protected: If a parameter is protected, you cannot change it for the default signatures. You
can modify it for custom signatures.

Required: If a parameter is required, you must define it for all signatures, both default
signatures and custom signatures.

Master and Local Parameters

• Cisco IPS signature engines have master and local parameters.
• The most common parameters are the master parameters.
• The master signature engine parameters exist in each engine.
• Local signature engine parameters are engine specific.

Cisco IPS signature engines have master and local signature parameters. Master parameters are
common to most signatures and exist in most signature engines. Local signature parameters are
engine specific. For example, the local signature parameter IcmpCode exists in the
Atomic.ICMP signature engine, and the local signature parameter IPOption exists in the
Atomic.IPOptions signature engine.

The “Master Signature Parameter” table provides the value and description of each master
signature parameter.

Master Signature Parameters

Master Signature Parameter (Value): Description
AlarmDelayTimer (1 to 3000): This parameter sets the number of seconds to delay further signature inspection after an alarm.
AlarmInterval (2 to 1000): This parameter provides special handling for time events. Use AlarmInterval Y with MinHits X for X alarms in a Y-second interval.
AlarmSeverity (High, Medium, Low, Informational): This parameter sets the severity of the alert reported in the alarm.
AlarmThrottle (FireOnce: sends the first alarm and then deletes the inspector; FireAll: sends all alarms; Summarize: sends an IntervalSummary alarm; GlobalSummarize: sends a GlobalSummary alarm): This technique is used to limit alarm firings.
AlarmTraits (0 to 65535): These are user-defined traits that further describe the signature.
CapturePacket (True, False): Enables the alarm data (evAlert) to contain a copy of the packet that triggered it.
ChokeThreshold (0 to 2147483647): This sets the threshold value of alarms per interval to autoswitch AlarmThrottle modes. If ChokeThreshold is defined, the sensor switches AlarmThrottle modes when a large number of alarms are viewable in the ThrottleInterval.
Enabled (True: enables the signature; False: disables the signature): This is used to enable or disable a signature.
EventAction (Log, Reset, ShunHost, ShunConnection, ZERO): This is the action to perform when the alarm is fired.
FlipAddr (True, False): When true, this swaps the source and destination information in the alarm event.
MaxInspectLength (0 to 2147483647): This defines the maximum number of bytes to inspect.
MaxTTL (0 to 1000): This defines the maximum number of seconds to inspect a logical stream.
MinHits (0 to 2147483647): This defines the minimum number of times the signature is triggered before an alarm event is sent.
Protocol (Frag, IP, TCP, UDP, ICMP, ARP, Cross, Zero, Custom): This defines the protocol to be inspected.
ResetAfterIdle (2 to 1000): This defines the number of seconds to wait to reset signature counters after the host or hosts were idle.
ServicePorts (<set list>): This defines a list of ports or port ranges where the target service resides.
SigComment (<string>): This defines miscellaneous information about the signature.
SIGID (993 to 19999: the range for default signatures; 20000 to 50000: the range for custom signatures): This defines the numeric value assigned to the signature.
SigName (<string>): This defines the alphanumeric name assigned to the signature.
SigStringInfo (<string>): This defines the extra information included in the alarm message.
SigVersion (<string>): This defines the signature version in which the signature appears.
StorageKey (xxxx, Axxx, xxBx, AxBx, AaBb, Axxb, STREAM, DOUBLE, ZERO): This defines the type of address key used to store persistent data.
SubSig (0 to 2147483647): This defines the number assigned to the subsignature.
SummaryKey (AaBb, AxBx, Axxb, Axxx, xxBx): This defines the storage type on which to summarize this signature.
ThrottleInterval (0 to 1000): This defines the period of time used to control alarm summarization.
WantFrag (TRUE: only fragmented packets trigger an alarm; FALSE: only non-fragmented packets trigger an alarm; <blank>: fragmented and non-fragmented IP traffic trigger an alarm): This controls the inspection of fragmented packets.

The FlipAddr parameter is useful in situations in which the traffic that triggers the signature is
return traffic from the target system (the system being attacked). Normally, the traffic that
triggers a signature originates from the attacker IP address, so the source IP address in the
resulting alarm is that of the attacker. However, some signatures rely on return traffic from the
target to determine whether an attack is taking place. For example, ResetPortSweep looks for
the target sending back multiple resets from various ports to determine that a port sweep is
taking place. Without the FlipAddr parameter, the source address in the resulting alarm would
be that of the target. Setting the FlipAddr parameter to true causes the alarm to display the
correct attacker and target addresses.
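To make the interplay of these parameters concrete, here is an added Python model, written for this page and not Cisco sensor code, of how Enabled, MinHits, FlipAddr, ThrottleInterval and ChokeThreshold shape the alarms produced from a stream of signature triggers, with the alarm inheriting the severity assigned to the signature. The trigger data, the signature named custom-reset-sweep and the addresses are constructed, and the summarization rules (FireAll switching to Summarize once ChokeThreshold is reached inside a ThrottleInterval) are a simplification of the real sensor's behaviour.

```python
"""Simplified model of how a few master signature parameters shape the alarms a
sensor emits.  Constructed for this page; it is not Cisco sensor code, and the
semantics are a simplification of the table: only Enabled, MinHits, FlipAddr,
ThrottleInterval, ChokeThreshold and the signature severity are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Signature:
    sigid: int
    sig_name: str
    severity: str = "medium"                # informational, low, medium, high
    enabled: bool = True                    # Enabled
    min_hits: int = 1                       # MinHits: hits before the first alarm
    flip_addr: bool = False                 # FlipAddr: swap src/dst in the alarm
    throttle_interval: int = 30             # ThrottleInterval, seconds
    choke_threshold: Optional[int] = None   # ChokeThreshold: alarms per interval


@dataclass
class Trigger:
    """One packet or stream event that matched the signature (constructed input)."""
    t: float    # seconds since capture start
    src: str    # source IP of the triggering packet
    dst: str    # destination IP of the triggering packet


@dataclass
class Alarm:
    sigid: int
    sig_name: str
    severity: str           # the alarm inherits the level assigned to the signature
    attacker: str
    target: str
    kind: str = "evAlert"   # "evAlert" per hit, or one "IntervalSummary"
    count: int = 1          # hits folded into an IntervalSummary


def fire(sig: Signature, triggers: List[Trigger]) -> List[Alarm]:
    """Turn raw triggers into alarm events.

    Each ThrottleInterval starts in FireAll mode (one evAlert per hit).  Once the
    alarms produced inside the interval reach ChokeThreshold the model switches to
    Summarize mode and the remaining hits of that interval are reported as a single
    IntervalSummary alarm carrying the hit count.  MinHits is counted over the whole
    run, a simplification of the real counter.
    """
    alarms: List[Alarm] = []
    if not sig.enabled:
        return alarms

    def endpoints(trig: Trigger):
        # FlipAddr: the trigger is return traffic from the target, so swapping
        # the fields reports the real attacker/target pair.
        return (trig.dst, trig.src) if sig.flip_addr else (trig.src, trig.dst)

    hits = 0
    interval_start = None
    interval_alarms = 0
    mode = "FireAll"
    pending = 0                      # hits waiting for the IntervalSummary
    last: Optional[Trigger] = None   # trigger whose addresses the summary reports

    def flush():
        nonlocal pending
        if pending and last is not None:
            att, tgt = endpoints(last)
            alarms.append(Alarm(sig.sigid, sig.sig_name, sig.severity, att, tgt,
                                kind="IntervalSummary", count=pending))
        pending = 0

    for trig in sorted(triggers, key=lambda x: x.t):
        if interval_start is None or trig.t - interval_start >= sig.throttle_interval:
            flush()                  # close the previous ThrottleInterval
            interval_start, interval_alarms, mode = trig.t, 0, "FireAll"
        hits += 1
        if hits < sig.min_hits:
            continue                 # MinHits not reached: no alarm event yet
        last = trig
        if mode == "FireAll":
            att, tgt = endpoints(trig)
            alarms.append(Alarm(sig.sigid, sig.sig_name, sig.severity, att, tgt))
            interval_alarms += 1
            if sig.choke_threshold is not None and interval_alarms >= sig.choke_threshold:
                mode = "Summarize"   # ChokeThreshold reached: auto-switch
        else:
            pending += 1
    flush()
    return alarms


# Constructed scenario: a ResetPortSweep-style signature fired by RST packets that
# the target 192.0.2.9 sends back to the scanning host 10.1.1.5.
SAMPLE_SIG = Signature(sigid=20001, sig_name="custom-reset-sweep", severity="low",
                       min_hits=2, flip_addr=True, throttle_interval=10,
                       choke_threshold=3)
SAMPLE_TRIGGERS = [Trigger(t, "192.0.2.9", "10.1.1.5") for t in (0, 1, 2, 3, 4, 5, 12)]


def demo() -> List[Alarm]:
    return fire(SAMPLE_SIG, SAMPLE_TRIGGERS)
```

Running demo() yields three evAlert alarms, then one IntervalSummary covering the two hits that followed the ChokeThreshold, then a fresh evAlert in the next ThrottleInterval; because FlipAddr is set, every alarm names 10.1.1.5 as the attacker even though the triggering packets were sent by 192.0.2.9.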

Copyright 2005, Cisco Systems, Inc. Securing Networks with Host- and Networked-Based IPS 4-33
Cisco IPS Alarms
This topic describes how various alarm levels are triggered by Cisco IPS signatures.

Alarm Overview

1. The Cisco IDS/IPS Sensor generates an alarm when a signature is triggered.
2. The alarm event is stored on the sensor and can be pulled to a host running IPS Event Viewer
   (IEV) or the CiscoWorks Monitoring Center for Security.
3. The alarm severity level is determined by the level assigned to the Cisco IPS signature
   (informational, low, medium, and high).

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—5-28

The following should be considered when tuning a signature:

The sensor generates an alarm when an enabled signature is triggered.
Alarms are stored on the sensor. A host can pull the alarms from the sensor. Pulling alarms
from a sensor allows multiple hosts to subscribe to the event “feed” and lets a host or
hosts subscribe on an as-needed basis.
The level assigned to the signature determines the alarm severity level. When tuning a
signature, you may assign a severity level to a signature, which in turn will make the alarm
severity level the same as that of the signature.

A Cisco IPS signature will be assigned one of the following severity levels:
Informational: Activity that triggered the signature is not considered an immediate threat,
but the information provided is useful information.
Low: Abnormal network activity was detected that could be perceived as malicious, but an
immediate threat is not likely.
Medium: Abnormal network activity was detected that could be perceived as malicious,
and an immediate threat is likely.
High: Attacks used to gain access or cause a DoS were detected, and an immediate threat is
extremely likely.

Cisco IPS Sensor Software Version 5.0
This topic describes the features of Cisco IPS Sensor Software version 5.0.

Cisco Sensor Platforms

[Figure: bar chart of Cisco sensor platforms by intrusion detection performance in Mbps.
Platforms and ratings shown: IDS Network Module (45), IDS 4215 (80), IPS 4240 (250),
IPS 4255 and Catalyst 6500 IDSM-2 (500 and 600), IDS 4250 XL (1000). Network media axis:
10/100 TX, 10/100/1000 TX, switched 1000 SX, or 1000 SX.]

Recall that the Cisco IDS/IPS portfolio includes the Cisco IDS/IPS 4200 Sensor family,
modules for the Cisco Catalyst 6500 switch and Cisco 7600 router, Cisco IDS Network Module
for the Cisco 2600 Series, 3600 Series, and 3700 Series routers, as well as the router sensor
embedded in Cisco IOS software solution and the firewall sensor embedded in PIX Security
Appliance software. Together, these products provide network managers with a wide range of
IDS/IPS solution options.

IDS capabilities are available using Cisco Sensor software version 4.2, Cisco IOS versions 12.0
and higher, and PIX Security Appliance Software versions 5.2 and later.

IPS capabilities are available using Cisco Sensor software version 5.0, and Cisco IOS versions
12.3 and higher.

Cisco IPS Sensor Software v5.0

[Figure: hybrid IDS and IPS deployment. Hybrid IDS and IPS Sensor services allow a single
device to be deployed in IDS mode at the network edge and simultaneously in the IPS mode to
stop worms identified internally. Labels: Attacker (Internet); Public Services Segment; Main
Campus; Service Provider, Partner or Branch Office Network; Sensor deployed in IDS mode;
Sensor deployed in IPS mode; Sensor deployed in a hybrid mode to provide IDS outside the
router and IPS inside the firewall.]

Cisco IPS Software version 5.0 is a significant and feature-packed software release anchored to
new and existing Cisco IDS products by in-line intrusion prevention functionality. This new
software allows users to stop worms and viruses (among other threat types) at ingress.
Additionally, IPS Software version 5.0 allows users to turn on more prevention actions on a
broader range of threats without the risk of dropping legitimate traffic. This release includes
more than 20 major new features that provide key enhancements to attack prevention, advanced
application control, extensions to threat classification, and critical high availability
considerations.

Cisco IPS Software version 5.0 has been developed to meet ever-increasing security threats.
What worked in the past is no longer sufficient to meet present threats. It is no longer
considered good enough to simply react to attacks. Solutions must be automated and proactive.

Standalone security devices do not provide the same degree of critical protection as integrated
security services in the network infrastructure. Integrated devices can enable centralized
monitoring, management, and control to facilitate a coordinated response. New devices can be
used throughout the network to provide multiple layers of defense. New security solutions have
moved away from individual security products or services that operate independently from one
another, to layered and integrated models that operate as part of a cohesive security system.
Cisco IPS Software version 5.0 provides the ability to link endpoint security solutions with
network-based solutions and services.

Deploying Cisco IDS/IPS Sensors
This topic explains the factors to consider when selecting and deploying a Cisco IDS/IPS
sensor.

Sensor Selection Factors

• Network media: Ethernet, Fast Ethernet, and Gigabit Ethernet
• Intrusion detection analysis performance: Bits per second
• Network environment: T1/E1, switched, multiple T3/E3, OC-12, and Gigabit

Organizational, financial, and technical factors affect the decisions made when selecting
sensors for a Cisco IDS/IPS solution. For the purposes of this discussion, the focus is on the
technical factors to consider when selecting sensors for a Cisco IDS/IPS solution. The
following are the technical factors to consider when selecting sensors:
Network media: Sensor selection is affected by the network media and environment. Cisco
IDS/IPS sensor network interface cards range from Ethernet to Gigabit Ethernet.
Intrusion detection analysis performance: The performance for the sensors is rated by
the number of bits per second that can be captured and accurately analyzed. Cisco IDS/IPS
sensor performance ranges from 45 Mbps to 1000 Mbps.
Network environment: Cisco IDS/IPS sensors are suited for networks that have network
speeds ranging from 10/100BASE-T Ethernet to Gigabit Ethernet.

Sensor Deployment Considerations

• Number of sensors
• Sensor placement
• Management and monitoring options
• External sensor communications


Deploying a Cisco IDS/IPS solution requires a well thought-out design. The following are the
important design issues to take into consideration:
Your network topology: Knowledge of your network topology helps you determine how
many IDS/IPS appliances are required, the hardware configuration for each IDS/IPS
appliance (for example, the size and type of network interface cards), and how many
IDS/IPS management workstations are needed. The IDS/IPS appliance monitors all traffic
across a given network segment. Given these facts, you should consider all the connections
to the network that you want to protect. Before you deploy and configure your IDS/IPS
appliances, you should understand the following about your network:
— The size and complexity of your network
— Connections between your network and other networks, including the Internet
— The amount and type of network traffic on your network
Sensor placement: It is recommended that sensors be placed at those network entry and
exit points that provide sufficient intrusion detection coverage. Determine the type of
location you have in order to determine which segments of the network you want to
monitor. Keep in mind that each IDS/IPS appliance maintains a security policy configured
for the segment it is monitoring. The security policies can be standard across the
organization or unique for each IDS/IPS appliance. You may consider changing your
network topology to force traffic across a given monitored network segment. There are
always operational trade-offs when going through this process. The result should be a
rough idea of the number of IDS/IPS appliances required to protect the desired network.
You can place an IDS/IPS appliance in front of or behind a firewall. Each position has its
benefits and drawbacks. These benefits and drawbacks are discussed later in this lesson.
Management and monitoring options: Review the management and monitoring options
described earlier to select those most appropriate for your network. Keep in mind that the
number of sensors that you deploy is directly correlated to the type of management console
you select. The recommended sensor-to-IDS Event Viewer (IEV) ratio is 5:1. For the
Management Center for IDS/IPS Sensors (IDS MC), the ratio is 300:1.

External sensor communication: Traffic on the communication port between sensors and
external systems must be allowed through firewalls to ensure functionality. The “Managing
or Monitoring Ports” table shows the ports used by the various management and
monitoring applications for communications with sensors.

Managing or Monitoring Ports

Managing or Monitoring System       Protocol                                       Default Port
IDS MC                              Secure Shell Protocol (SSH Protocol) or        TCP 22 or 443
                                    Secure Socket Layer (SSL)
Security Monitor                    SSL                                            TCP 443
Intrusion Detection System Device   SSL                                            TCP 443
Manager (IDM)
IEV                                 SSL                                            TCP 443
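As an added check, written for this page and not a Cisco tool, the following Python verifies a firewall rule set against the port table: for every management console and sensor pair it asks whether at least one of the required TCP ports is permitted, using first-match evaluation with an implicit deny at the end. The rule syntax, the short console names keyed into REQUIRED_PORTS, the addresses and the sample rules are all constructed for illustration.

```python
"""Check that a firewall rule set permits the sensor management flows listed in
the "Managing or Monitoring Ports" table.

Added example for this page (not Cisco code).  The rule syntax, rule set and
addresses are constructed; first matching rule wins and anything unmatched is
denied, as on a typical firewall.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Required console -> sensor TCP ports, from the table above.  IDS MC may use
# either SSH (22) or SSL (443), so any one listed port satisfies the entry.
REQUIRED_PORTS: Dict[str, Tuple[int, ...]] = {
    "IDS MC": (22, 443),
    "Security Monitor": (443,),
    "IDM": (443,),
    "IEV": (443,),
}


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: Tuple[int, int] = (0, 65535)   # inclusive destination port range

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1])


def permitted(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation with an implicit deny when no rule matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action == "permit"
    return False


def missing_flows(rules: List[Rule], consoles: Dict[str, str], sensors: List[str]) -> List[str]:
    """Return 'system@console -> sensor' entries whose management traffic is blocked.

    consoles maps a management system name from REQUIRED_PORTS to its host IP.
    """
    missing = []
    for system, host in consoles.items():
        for sensor in sensors:
            if not any(permitted(rules, host, sensor, "tcp", p) for p in REQUIRED_PORTS[system]):
                missing.append(f"{system}@{host} -> {sensor}")
    return missing


# Constructed sample: the management LAN 10.10.0.0/24 may reach the sensor subnet on
# 443, but the IEV host sits on 10.30.0.0/24, which is only permitted SSH, a port
# IEV does not use.
SAMPLE_RULES = [
    Rule("permit", "10.10.0.0/24", "10.20.0.0/24", "tcp", (443, 443)),
    Rule("permit", "10.30.0.0/24", "10.20.0.0/24", "tcp", (22, 22)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]
SAMPLE_CONSOLES = {"IDS MC": "10.10.0.5", "Security Monitor": "10.10.0.6", "IEV": "10.30.0.7"}
SAMPLE_SENSORS = ["10.20.0.11", "10.20.0.12"]
```

With the sample rules, IDS MC is satisfied through 443 alone (22 is not open from its subnet, which is fine because either port suffices), while both IEV-to-sensor flows are reported as missing; extending the rule list or the console map is enough to check a real design against the table.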

Deploying Sensors

[Figure: enterprise network showing sensor placement. Callouts: Internet protection:
complements firewalls and VPNs by monitoring traffic for malicious activity. Extranet
protection (NIPS): monitors partner traffic where trust is implied but not assured. CTR:
eliminates false alarms, escalates real attacks, and aids remediation of costly intrusions.
Intranet and internal protection (NIPS/HIPS): protects data centers and critical systems
from internal threats. Remote access protection (NIPS): hardens perimeter control by
monitoring remote users. Server farm protection (HIPS): protects e-business servers from
attack and compromise. Locations: Business Partner, Users, Corporate Office, Data Center,
NAS, Internet, Server farm, DMZ Servers.]

As you examine your network topology to determine how many IDS/IPS appliances are
required, consider all the network connections you want to protect. As illustrated in the figure,
locations that need to be protected generally fall into five basic categories:
Internet protection: A sensor between your perimeter gateway and the Internet
complements the firewall and virtual private network (VPN) by monitoring traffic for
malicious activity.
Extranet protection: A sensor between your network and extranet connections, such as
connections with a business partner, monitors traffic where trust is implied but not assured.
Intranet and internal protection: Sensors on your intranet protect data centers and critical
systems from internal threats.
Remote access protection: A sensor on your remote access network hardens perimeter
control by monitoring remote access users.
Server farm protection: Companies are deploying Internet servers on their Demilitarized
Zone (DMZ) networks. These servers offer Internet services such as Web access, Domain
Name System (DNS), FTP, and Simple Mail Transfer Protocol (SMTP). Cisco Security
Agents (CSAs) are installed on these servers. The Cisco Security Agent Management
Center (CSA MC) is installed on an internal network.

In addition, customers are increasingly challenged by false alarms. Cisco Threat Response
(CTR) technology can reduce false alarms by up to 95 percent, escalate real attacks, and
eliminate costly intrusions. Using unique intelligent threat investigation techniques, CTR
conducts detailed, "just-in-time" system investigations, to capture forensic evidence and
automate manual processes of intrusion investigation for fast and cost-effective results.

A complete Cisco IPS includes the installation of a network-based IPS and host-based IPS
(HIPS). Network-based IPS sensors are installed at network entry points to provide broader
coverage, and HIPS Agents are installed on critical network servers.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• IPS technology represents the next-generation IDS but is a separate technology.
  Firewalls need IDS and networks need IPS; each technology depends on the other.
  Alarms indicate that a signature match has been made. A vulnerability is a
  weakness and an exploit is a mechanism.
• Sensors use profile-based, signature-based, and protocol analysis intrusion detection
  to determine whether an attack is taking place and, if so, either terminate the
  session, block offending traffic, create session log files, or restrict access.
• Network-based intrusion prevention systems use sensors throughout the network. These
  sensors monitor the entire network. Larger networks require more sensors.
• Host-based intrusion prevention systems work with CSA to perform intrusion detection
  and analysis and protect the host.


Summary (Cont.)

• Cisco IPS signatures may be built-in, tuned, or custom. IDS sensor signatures can be
  configured from the CLI. Regex expressions are used to describe text in IPS signatures.
  Cisco IPS signatures can terminate the TCP session, log subsequent IP packets from an
  attack source, or block packets from an attack source.
• Categories of IPS signature engines provide a unique signature for specific traffic.
  Engine parameters can be master or local.
• Cisco IPS alarms can be informational, low, medium, or high.
• Cisco IPS Sensor Software version 5.0 provides more flexibility and additional features
  to ensure network security.
• Network media, intrusion detection analysis performance, and network environment are
  factors to consider when selecting a sensor. Deployment will depend on topology, sensor
  placement (location), management and monitoring options, and external sensor
  communication.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Explain the difference between a false positive alarm and a false negative alarm using
an example. (Source: Intrusion Prevention Terminology)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q2) Explain the difference between a true positive alarm and a true negative alarm. (Source:
Intrusion Prevention Terminology)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q3) What three network attack detection methodologies are embedded in Cisco IPS
signatures? (Choose three.) (Source: Intrusion Prevention Technologies)
A) signature-based detection
B) host-based detection
C) protocol analysis intrusion detection
D) pattern matching
E) profile-based intrusion detection
F) network-based detection
Q4) Which one of the following needs statistical user and network profiles? (Source:
Intrusion Prevention Technologies)
A) profile-based intrusion detection
B) signature-based intrusion detection
C) protocol analysis intrusion detection
D) protocol analysis intrusion prevention
Q5) Which of the following is also called misuse detection or pattern matching? (Source:
Intrusion Prevention Technologies)
A) profile-based intrusion detection
B) signature-based intrusion detection
C) signature-based intrusion prevention
D) protocol analysis intrusion detection

Q6) Describe the advantage of network-based IPS. (Source: Network-Based Intrusion
Prevention)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q7) Describe the disadvantages of HIPS. (Source: Host-Based Intrusion Prevention)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q8) Match the following engine categories with their uses by putting the letter of the category
in the blank provided before the description of its use. (Source: Cisco IPS Signature
Engines)
A) Atomic
B) Flood
C) Service
D) String
E) Sweep
F) OTHER
G) State String
_____ 1. This engine category is used to group generic signatures so common
parameters may be changed.

_____ 2. This engine category is used for regular expression-based pattern
inspection and alarm functionality for multiple transport protocols
including TCP, UDP, and ICMP.

_____ 3. This engine category is used to perform per-packet inspection.

_____ 4. This engine category is used to detect attempts to cause a DoS.

_____ 5. This engine category is used to detect network reconnaissance.

_____ 6. This engine category is used for state-based and regular expression-based
pattern inspection and alarming functionality for TCP streams.

_____ 7. This engine category is used when services with Layer 5, 6, and 7 require
protocol analysis.

Q9) What signature characteristic can a sensor signature use to address a connection attempt
from a reserved IP address? (Source: IPS Signatures)

Q10) What signature characteristic can a sensor signature use to address email containing a
particular virus? (Source: IPS Signatures)

Q11) What signature characteristic can a sensor signature use to address a DNS buffer
overflow attempt contained in the payload of a query? (Source: IPS Signatures)

Q12) What signature characteristic can a sensor signature use to address a DoS attack on a
POP3 server caused by issuing the same command thousands of times? (Source: IPS
Signatures)

Q13) What signature characteristic can a sensor signature use to address a file access attack
on an FTP server by issuing file and directory commands to it without first logging in?
(Source: IPS Signatures)

Q14) Describe the new features of Cisco IPS Sensor Software version 5.0. (Source: Cisco
IPS Sensor Software version 5.0)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q15) What is a disadvantage of placing an IDS appliance in front of a firewall? (Source:
Deploying Cisco IDS/IPS Sensors)

______________________________________________________________________

Lesson Self-Check Answer Key
Q1) A false positive occurs when the IPS generates an alarm from normal traffic or a benign action. One
example of a false positive is when an IDS raises a “SYN flood” alarm because it sees a large number of
SYN packets directed at a busy web server and mistakenly concludes it is under attack. Another example
of a false positive would be an IDS raising a “SMTP Wiz attack” alarm when it observes the string
“DEBUG” in the body of an SMTP message. A false negative is a situation in which a signature is not
fired when offending traffic is detected. An example of a false negative might be the failure of an IDS to
detect a web-server buffer directory traversal attack because the attacker developed a previously unknown
way of obscuring the filename that is being requested. Another example might result from the failure of an
IDS to capture all the packets necessary to accurately reassemble an attack action due either to network
load or changes in routing topology.

Q2) A true positive is a situation in which a signature is fired properly when offending traffic is detected and
an alarm is generated. A true negative is a situation in which a signature is not fired when non-offending
traffic is captured and analyzed.

Q3) A, C, E

Q4) A

Q5) B

Q6) A network-based IPS has the benefit of easily seeing and coordinating attacks that are occurring across the
entire network. Seeing the attacks against the entire network gives a clear indication of the extent to which
it is being attacked. Furthermore, because the monitoring system is only examining traffic from the
network, it does not have to support every type of operating system that is used on the network.

Q7) HIPS provides an incomplete network picture and must be configured to support multiple operating
systems. By examining information only at the local host level, HIPS has difficulty constructing an
accurate network picture or coordinating the events happening across your entire network. Also, HIPS
needs to run on every system in the network. This requires verifying support for all of the different
operating systems used.

Q8) 1-F, 2-D, 3-A, 4-B, 5-E, 6-G, 7-C

Q9) This is easily identified by checking the source address field in an IP header to ensure it is not a reserved
address.

Q10) The IPS can compare the subject of each email to the subject associated with known virus-laden email
messages, or it can look for a specific attachment.

Q11) By parsing the DNS fields and checking their length, the sensor can identify buffer overflow attacks using
a DNS field. Another approach might be to look for exploit shell code sequences in the payload.

Q12) A simple signature for this attack keeps track of how many times the command is issued and sends an alert
when that number exceeds the set threshold.

Q13) A state-tracking signature could be developed which would monitor FTP traffic for a successful login and
would alert if certain commands were issued before the user had authenticated properly.

Q14) IPS Sensor Software version 5.0 allows users to stop worms and viruses (among other threat types) at
ingress. Additionally, IPS Sensor Software version 5.0 allows users to turn on more prevention actions on
a broader range of threats without the risk of dropping legitimate traffic. This release includes more than
20 major new features that provide key enhancements to attack prevention, advanced application control,
extensions to threat classification, and critical high availability considerations.

Q15) The IDS appliance does not detect traffic that is internal to the network. An internal attacker taking
advantage of vulnerabilities in network services would remain undetected by the external IDS appliance.

Lesson 2

Configuring the Sensor Using the IDM
Overview
The Cisco intrusion detection system (IDS) and intrusion prevention system (IPS) sensors are
high-performance, network-based, real-time intrusion detection or intrusion prevention
devices. You can use the command-line interface (CLI), the IDS Device Manager (IDM) version
4.1 for IDS deployments, the IDM version 5.x for IDS or IPS deployments, or the Management
Center for IDS Sensors to configure the Cisco Sensor Software version 4.1. Whether you are
deploying the sensor as an IDS using Cisco Sensor Software version 4.x or as an IPS using
Cisco IPS Sensor Software version 5.x, the CLI configuration tasks are essentially the same,
although the syntax of some commands differs.
This lesson begins by describing the initial configuration and administrative tasks in the initial
setup of a Cisco sensor using the IDM. The Intrusion Detection System Device Manager (IDM)
is then introduced. You will use the IDM to manage configurations for Cisco IDS/IPS sensors
in a small to medium network. This lesson will guide you through a selected number of
common configuration tasks using IDM version 4.1. These tasks would be completed in a
similar manner when using IDM version 5.0 for sensors in an IPS deployment. Some additional
configuration tasks will be included in a lab activity.
Objectives
On completing this lesson you will be able to complete basic sensor configuration tasks using
the IDM. This ability includes being able to meet these objectives:
Describe the features and functions of the CLI
Describe how functions are assigned to user accounts according to account roles
Describe the subsets of commands to which each command mode provides access
Describe the purpose of sensor setup and CLI configuration tasks
Describe features of IDM version 4.1
Explain how to configure network settings using the IDM
Explain how to configure allowed hosts using the IDM
Explain how to set the time using the IDM
Explain how to create user accounts using the IDM
Explain how to configure interfaces using the IDM
Explain how to restore default settings using the IDM

The Sensor Command Line Interface
This topic describes the features and functions of the CLI.

CLI Overview

• The sensor CLI provides access to the sensor via Telnet, SSH, serial interface connections,
  and console connections.
• CLI structure is similar to Cisco IOS software CLI.
• The Cisco Sensor Software CLI includes the following features:
  • Help
  • Tab completion
  • Command abbreviation
  • Command recall
  • User interactive prompts
  • Not case sensitive

The CLI for Cisco IDS Sensor Software version 4.1 and IPS Sensor Software version 5.0
provides a user interface that enables you to access the sensor through Telnet, Secure Shell
Protocol (SSH Protocol), and serial interface connections. Use an SSH version 1.5 client to
access the CLI over the network. The IPS/IDS Sensor Software CLI resembles the Cisco IOS
Software CLI, but it has fewer Cisco IOS configuration commands than Cisco IOS Software. It
also has additional configuration modes and commands.
The Cisco IPS/IDS Sensor Software CLI features the following components:
Help: Entering ? after the command displays command help. Help only displays
commands available in the current mode.
Tab completion: If you are unsure of the complete syntax for a command, enter a portion
of the command and press Tab to complete the command. If multiple commands match for
tab completion, nothing is displayed. The terminal repeats the line you entered. Only
commands available in the current mode are displayed by tab completion.
Command abbreviation: The CLI recognizes shortened forms of many common
commands. You have to enter only enough characters for the sensor to recognize the
command as unique. For example, entering sh ver executes the show version command.
Command recall: Pressing the Up Arrow or Down Arrow keys or Ctrl-P recalls the
commands entered in a mode. Help and tab complete requests are not reported in the recall
list.
User interactive prompts: The CLI displays user interactive prompts when the system
displays a question and waits for user input. The default input is displayed within brackets.
Pressing Enter accepts the default input.

The CLI is not case sensitive, but it does echo the text exactly as you entered it. The following
steps provide an example:

Step 1 Enter CONF at the privileged EXEC prompt as follows:

sensor# CONF

Step 2 Press the tab key. The sensor displays the following:

sensor# CONFigure
The interactive prompt, —More—, indicates that the terminal output exceeds the allotted
display space. Press the Spacebar to display the next page of output, or press the Enter to
display the output one line at a time. Press Ctrl-C to clear the current command line contents
and return to a blank command line.
You can usually disable features or functions by using the no form of a command. Use the
command without the keyword no to enable a disabled feature or function. For example, the
shutdown command disables an interface, and the no shutdown command enables the interface.
Refer to the individual commands for a complete explanation of the no form of that command.
Configuration commands that specify a default value in the configuration files, such as the
commands used to service and tune micro engines, can have a default form. The default form of
a command returns the command setting to the default value.
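The abbreviation and tab-completion behaviour described above can be modelled in a few lines. The Python below is an added example for this page, not the sensor's code; MODE_COMMANDS and SUBCOMMANDS are a constructed subset of the real command set, and prefix_matches, resolve_word, resolve_line and tab_complete are names chosen here. It captures the three rules the text gives: matching ignores case, an abbreviation is accepted once it identifies exactly one command in the current mode, and Tab adds characters only when a single command matches, otherwise the line is simply echoed back.

```python
"""Model of the sensor CLI's command abbreviation and tab completion rules:
matching is case-insensitive, an abbreviation is accepted once it identifies
one command in the current mode, and Tab completes only when exactly one
command matches (otherwise the line is echoed back unchanged).

Added example for this page, not Cisco sensor code.  The per-mode command
lists and the "show" subcommands are a constructed subset for illustration.
"""
from typing import Dict, List, Optional

# Constructed subset of commands per mode (the real command set is larger).
MODE_COMMANDS: Dict[str, List[str]] = {
    "privileged EXEC": ["clock", "configure", "copy", "exit", "ping", "reset", "show"],
    "global configuration": ["end", "exit", "interface", "service", "username"],
}
# Constructed subset of "show" keywords.
SUBCOMMANDS: Dict[str, List[str]] = {
    "show": ["configuration", "events", "statistics", "users", "version"],
}


def prefix_matches(options: List[str], word: str) -> List[str]:
    """Options that start with `word`; case-insensitive, as the CLI is."""
    w = word.lower()
    return [o for o in options if o.startswith(w)]


def resolve_word(options: List[str], word: str) -> Optional[str]:
    """Command abbreviation: the option the word identifies uniquely, else None.

    An exact match wins even if it is also a prefix of a longer option.
    """
    matches = prefix_matches(options, word)
    if word.lower() in matches:
        return word.lower()
    return matches[0] if len(matches) == 1 else None


def resolve_line(mode: str, line: str) -> Optional[str]:
    """Expand every abbreviated word of a line, e.g. "sh ver" -> "show version".

    Returns None when any word is unknown or ambiguous in its position.
    """
    words = line.split()
    if not words:
        return None
    cmd = resolve_word(MODE_COMMANDS[mode], words[0])
    if cmd is None:
        return None
    expanded = [cmd]
    for word in words[1:]:
        sub = resolve_word(SUBCOMMANDS.get(cmd, []), word)
        if sub is None:
            return None
        expanded.append(sub)
    return " ".join(expanded)


def tab_complete(mode: str, line: str) -> str:
    """Complete the last word of the line the way the sensor does.

    With one match the missing characters are appended and the text the user
    typed keeps its case (CONF -> CONFigure); with zero or several matches the
    line is returned unchanged, i.e. the terminal just repeats what was typed.
    """
    head, _, word = line.rpartition(" ")
    if head:
        # completing a keyword: resolve the (possibly abbreviated) command first
        cmd = resolve_word(MODE_COMMANDS[mode], head.split()[0]) or ""
        options = SUBCOMMANDS.get(cmd, [])
    else:
        options = MODE_COMMANDS[mode]
    matches = prefix_matches(options, word)
    if len(matches) != 1:
        return line
    completed = word + matches[0][len(word):]
    return f"{head} {completed}" if head else completed
```

In this model "c" at the privileged EXEC prompt stays "c" because clock, configure and copy all match, "CONF" becomes "CONFigure", and "sh ver" resolves to show version; in global configuration mode "e" is ambiguous between end and exit while "ex" is not.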

Using the CLI to Complete Tasks

The CLI can be used to perform the following tasks:
• Sensor initialization tasks
• Configuration tasks
• Administrative tasks
• Troubleshooting
Commands available for use depend on:
• User role
• Command mode

The CLI can be used to perform the following tasks:
Sensor initialization: Sensor initialization tasks include such tasks as assigning the sensor
IP address, specifying trusted hosts, and creating user accounts.
Configuration: Configuration tasks include such tasks as tuning signature engines and
defining the ports where web servers are running.
Administrative: Administrative tasks include such tasks as backing up and restoring the
current configuration file.
Troubleshooting: Troubleshooting tasks include such tasks as verifying statistics and
settings.

The CLI allows you to use commands depending on the user role and command mode:
User role: The CLI for Cisco IDS Sensor Software version 4.1 supports three user roles:
administrator, operator, and viewer. The privilege levels for each role are different;
therefore, the menus and available commands vary for each role.
Command mode: Each command mode provides access to a subset of commands.

Command modes and user roles will be described in later topics.

User Accounts and Account Roles
This topic describes how functions are assigned to user accounts according to account roles.

User Accounts and Account Roles

• Users access a sensor by logging in to a user account.
• User accounts are created on the sensor.
• Multiple accounts can be created.
• The authentication application configures
and manages authentication.
• User accounts are assigned roles.
• Roles determine user privileges.


Users access a sensor by logging in to a user account. User accounts are created on the sensor.
Management consoles may maintain user accounts independently from sensors. In other words,
you can create and log in to accounts that exist only on a management console. The sensor
allows multiple local user accounts to be created.

User Account Roles

Role            Functions
Administrators  • Add users and assign passwords
                • Enable and disable control of physical interfaces and interface groups
                • Assign physical sensing interfaces to interface groups
                • Modify the list of hosts allowed to connect to the sensor as configuring or viewing agents
                • Modify sensor address configuration
                • Tune signatures
                • Assign virtual sensor configuration to interface groups
                • Manage routers
Operators       • Modify their passwords
                • Tune signatures
                • Manage routers
Viewers         • Modify their passwords


User accounts have roles that determine the operations that the user is allowed to perform. For
example, an administrative user can perform all of the operations on a sensor, while a user with
a viewer role can only view events and some sensor configuration information. The following
roles can be assigned to an account:
Administrator: A user that can perform all operations on the sensor.
Operator: A user that can perform all viewing and some administrative operations on a
sensor.
Viewer: A user that can perform all viewing operations, such as viewing events and
viewing some configuration files. The only administrative operation available to users with
the viewer role is setting their own passwords.

CLI Command Modes
This topic describes the subset of commands to which each command mode provides access.

CLI Command Modes

The Cisco IDS/IPS Sensor Software CLI has the following modes:
• Privileged EXEC mode
• Global configuration mode
• Interface command-control configuration mode
• Interface group configuration mode
• Interface sensing configuration mode
• Service mode
• Virtual sensor configuration mode
• Alarm channel configuration mode
• Tune micro engines mode
• Tune alarm channel mode

The CLI supports the following command modes. Each command mode provides access to a
subset of commands.
Privileged EXEC mode: EXEC mode is the first level of the CLI. You enter EXEC mode
by logging in to the CLI. EXEC mode is denoted by the prompt sensor#.
Global configuration mode: Global configuration mode is the second level of the CLI.
You enter global configuration mode by first logging in to the CLI and then entering the
configure terminal command. Global configuration mode is denoted by the prompt
sensor(config)#.
Interface command-control configuration mode: Interface command-control
configuration mode is a third-level CLI mode. You enter interface command-control
configuration mode by first entering global configuration mode and then entering the
interface command-control command. Interface command-control configuration mode is
denoted by the prompt sensor(config-if)#.
Interface group configuration mode: Interface group configuration is a third-level CLI
mode. You enter interface group configuration mode by first entering global configuration
mode and then entering the interface group <number> command, where number is the
group number. Interface group configuration mode is denoted by the prompt
sensor(config-ifg)#.
Interface sensing configuration mode: Interface sensing configuration is a third-level CLI
mode. You enter interface sensing configuration mode by first entering global
configuration mode and then entering the interface sensing <name> command, where name is
the logical interface name. Interface sensing configuration mode is denoted by the prompt
sensor(config-ifs)#.

Service mode: Service mode is a generic command mode used to edit a service
configuration. A service is a related set of functionality provided by an IDS application. An
IDS application may provide more than one service. You enter service mode by first
entering global configuration mode and then entering the service <serviceName>
command where serviceName identifies the actual service you are trying to access. Service
mode is denoted by the prompt sensor(config-<serviceName>)#.
Virtual sensor configuration mode: Virtual sensor configuration is a third-level CLI
mode. You enter virtual sensor configuration mode by first entering global configuration
mode and then entering the service virtual-sensor-configuration command followed by
the logical virtual sensor configuration name. Currently, the only allowed name is
virtualSensor. Virtual sensor configuration mode is denoted by the prompt
sensor(config-vsc)#.
Alarm channel configuration mode: Alarm channel configuration is a third-level CLI
mode. You enter alarm channel configuration mode by first entering global configuration
mode and then entering the service alarm-channel-configuration command followed by
the logical alarm channel configuration name. Currently, the only allowed name is
virtualAlarm. Alarm channel configuration mode is denoted by the prompt
sensor(config-acc)#.
Tune micro engines mode: Tune micro engines is a fourth-level CLI mode. You enter
tune micro engines mode by first entering virtual sensor configuration mode and then
entering the tune-micro-engines command. Tune micro engines mode is denoted by the
prompt sensor(config-vsc-virtualSensor)#.
Tune alarm channel mode: Tune alarm channel is a fourth-level CLI mode. You enter tune
alarm channel mode by first entering alarm channel configuration mode and then entering
the tune-alarm-channel command. Tune alarm channel mode is denoted by the prompt
sensor(config-acc-virtualAlarm)#.

Sensor Setup and CLI Configuration Tasks
This topic describes the purpose of sensor setup and CLI configuration tasks.

Sensor Setup and CLI Configuration Tasks


• Log in to the sensor
• Initialize the sensor
• Assign and enable the sensing interface (needed in version 4.1)
• Create user accounts
• Create a service account
• Change passwords and privileges
• Add a user
• Remove a user
• Add trusted hosts
• Add known hosts to the SSH known hosts list
• Configure the sensor to use an NTP server as its time source
• Configure a Cisco router to be an NTP server

The figure lists the key configuration tasks you can complete from the CLI:
Log in to the sensor: The methods used to get administrative access to the sensor will be
explained.
Initialize the sensor: After you have installed the sensors on your network, you must
initialize them using the setup command.
Assign and enable sensing interfaces: An interface group provides a way to group
sensing interfaces into one logical virtual sensor. Only interface group 0 is supported.
Depending on the configuration of your sensor, you may need to assign the sensing
interface to interface group 0 and enable the interface. You can add or delete interfaces
from the group from configuration mode using the interface group command. This
step is automatic in Cisco IPS Software version 5.0.
Create a service account: You can create a service account for TAC to use during
troubleshooting. Although more than one user can have access to the sensor, only one user
can have service privileges on a sensor. The service account is for support purposes only.
Change a password: The password command updates the password on the local sensor.
You can also use this command to change the password for an existing user or to reset the
password for a locked account.
Add a user: You can add a new user, set the privilege level (administrator, operator,
viewer) and set the password for the new user. Use the username command to create users
on the local system. Use the no form of this command to remove a user from the system.
The username command provides username and password authentication for login
purposes only. You cannot use this command to remove a user who is logged in to the
system.

Remove a user: You can delete a user and thus prevent access to the sensor with the no
username command.
Add trusted hosts: You can identify hosts (trusted hosts) that are allowed to connect to the
sensor with the service host command.
Add known hosts to the SSH known hosts list: You must add hosts to the SSH known
hosts list so that the sensor can recognize the hosts that it can communicate with through
SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file
copying, and other hosts, such as Cisco routers, Cisco PIX Security Appliances, and Cisco
Catalyst switches. To add a host to the SSH known hosts list, use the ssh host-key
command.
Configure the sensor to use a Network Time Protocol (NTP) server as its time source:
The sensor requires a consistent time source. We recommend that you use an NTP server.
Configure the sensor to use the NTP server as its time source from the service host mode.
Configure a Cisco router to be an NTP server: The sensor requires an authenticated
connection with an NTP server if it is going to use the NTP server as its time source. The
sensor supports only the Message Digest 5 (MD5) hash algorithm for key encryption. It is
recommended that you activate a Cisco router to act as an NTP server and use its internal
clock as the time source.

Initializing the Sensor for Management Access

Use the setup command to initialize your sensor.
Gain management access through:
• Console port
• Monitor and keyboard
• Telnet
• SSH
• HTTPS


Once you have installed the sensors on your network, you must initialize them using the setup
command. The sensors must be initialized before the IDM can be used.
You can gain management access to a sensor using any of the following methods:
Console port: This method requires the use of the RS-232 cable provided with the sensor
and a terminal emulation program such as HyperTerminal.
Monitor and keyboard: This method requires connecting a monitor and a keyboard
directly to the sensor.
Telnet: This method requires an IP address that has been assigned to the command and
control interface via the CLI setup command. Telnet must be enabled to allow Telnet
access. Telnet is disabled by default.
Secure Shell (SSH): This method uses a supported SSH client and requires an IP address
that has been assigned to the command and control interface via the CLI setup command.
The SSH server in the sensor is enabled by default.
HTTPS: This method uses a supported web browser and requires an IP address that has
been assigned to the command and control interface via the CLI setup command. HTTPS
is enabled by default but can be disabled.

Sensor Initialization Tasks

Follow the setup command prompts to complete these initialization tasks:
• Assign a name to the sensor
• Assign an IP address and netmask to the sensor command and control interface
• Assign a default gateway
• Enable or disable the Telnet server
• Specify the web server port
• Create network ACLs
• Set the date and time


Sensor initialization tasks are completed using an interactive dialog initiated by the setup
command. The tasks are as follows:
• Assign a name to the sensor
• Assign an IP address and a subnet mask to the command and control interface
• Assign a default route
• Enable or disable the Telnet server
• Specify the web server port
• Add and remove access control list (ACL) entries that specify which hosts are allowed to
connect to the sensor
• Set the date and time

Note If you later change the sensor IP address, you will need to generate a self-signed X.509
certificate. This certificate is needed by HTTPS communications.

setup Command


Most of the initialization tasks are accomplished using the sensor setup command. The CLI
walks you through configuring the host name, IP address, netmask, gateway, and
communications options. After you enter the setup command, the default settings are
displayed. Pressing the Spacebar and answering yes to the next question allows you to
continue.

Configuration Dialog


The figure shows the configuration dialog presented by setup. The configuration dialog is a
series of interactive prompts that enables you to configure the following settings:
Host name: The host name is a case-sensitive character string of up to 256 characters.
Numbers, “_” and “-” are valid, but spaces are not acceptable. The default is “sensor.”
IP address: An IP address is a 32-bit address written as four octets separated by periods,
X.X.X.X, where X is 0 to 255. The default is 10.1.9.201.
Netmask: The netmask is a 32-bit address written as four octets separated by periods,
X.X.X.X, where X is 0 to 255. The default for a Class C address is 255.255.255.0.
Default gateway: The default gateway is the default router IP address for the appliance.
The default is 10.1.9.1.
Telnet server status: You can disable or enable Telnet services. The default is disabled.
Web server port: The web server port is the TCP port used by the web server (1 to
65535). The default is 443. If you change the web server port, you must specify the port in
the URL address of your browser in the format https://sensor_ip_address:port (for
example, https://10.1.9.201:1040) when you connect to the IDM.
Network access lists: The network access list specifies hosts and networks that are allowed
to access the sensor. If you answer yes when prompted to modify the network access list,
the current access list entries are displayed. You are then prompted to delete entries from
the current list. Enter the number corresponding to the entry you want to delete. Repeat this
step until you have deleted all the entries that you want to delete from the access list. The
access list entries contain a default network address entry, 10.0.0.0/255.0.0.0. Remove this
entry, and modify the access list to suit your network. Pressing Enter without entering a
number retrieves the Permit prompt, which enables you to enter addresses of hosts or
networks allowed to access the sensor. Enter the IP address to add only a single host to the
list. Enter the IP address and netmask to add a network address to the list. Repeat this step
until you have entered all the addresses you want to add to the access list. Pressing Enter at
this point without entering a number retrieves the prompt to modify the system clock
settings.
System clock settings: Answering yes when prompted to modify the system clock settings
enables you to configure NTP, summer time settings, and the system time zone.
System date and time: If you answer yes when prompted to modify the system date and
time, the local date prompt is displayed. Enter the date in the format YYYY-MM-DD.
When presented with the local time prompt, enter the time in 24-hour format.

After you respond to the system clock settings prompt, your configuration appears with three
options. If you select [2] to save your configuration, you are prompted to modify the system
date and time. The three options are as follows:
[0]: Go to the command prompt without saving this config.
[1]: Return back to the setup without saving this config.
[2]: Save this configuration and exit setup.

Assign and Enable Interfaces

[Figure: Cisco IDS 4215 Sensor with monitoring interfaces int0 and int2 and command and control interface int1]

The figure illustrates the following sensor interface characteristics:
• There is only one command and control interface per sensor.
• You can configure up to five monitoring interfaces depending on the type of sensor.
• Multiple monitoring interfaces enable simultaneous protection of up to five different
network subnets.
• All monitoring interfaces use the same configuration.


After the setup is complete, interfaces must be assigned and enabled. Cisco IDS/IPS Sensor
Software version 4.1 and version 5.0 use the setup command for initialization. However, in
IDS Sensor Software version 4.1, you must configure interfaces after running setup. In IPS
Sensor Software version 5.0, interface configuration is included in the setup command
interactive prompts.
You do not need to enable all interfaces. Enable only those interfaces that you want to use.
Each sensor has only one command and control interface, but you can configure up to five
monitoring interfaces depending on the type of sensor you have. Multiple interfaces enable
simultaneous protection of up to five different network subnets, which is like having five
sensors in a single appliance.
All monitoring interfaces use the same configuration. There is only one virtualSensor, so no
mapping of virtualSensor configurations to interfaces is required.
A monitoring interface must be part of Interface Group 0 and must be enabled. Sensors with
factory-installed Cisco IDS Sensor Software version 4.1 are shipped with all monitoring
interfaces added to Interface Group 0 and disabled. You must enable the monitoring interfaces
in order for the sensor to monitor your networks. Upgrades from IDS Software version 4.0 to
4.1 may leave some interfaces enabled that are not assigned to a group. Either disable these
interfaces or add them to Group 0 to prevent inconsistencies in reporting to the sensor.

IDS Device Manager Overview
This topic describes the features of the IDM version 4.1.

IDS Device Manager

• Web-based device configuration tool
• Software installed on the sensor by default
• For small-scale sensor deployments

A Cisco IDS network sensor appliance can be managed via the IDM. IDM is a web-based tool
that resides on your sensor and enables you to configure and manage the sensor. IDM is
accessed securely via Secure Sockets Layer (SSL) and Transport Layer Security (TLS) using a
Netscape or Internet Explorer web browser. Because IDM resides on your sensor, it can only
manage one sensor at a time. It is best suited for small-scale sensor deployments where there
are no more than five sensors.

Note Cisco IPS sensors running Cisco IPS Software version 5.0 use IPS Device Manager (IDM)
version 5.0.

IDM Features and Benefits

• Web-based embedded architecture
• Secure communication (TLS and SSL)
• Task-based GUI
• Signature grouping
• Signature customization
• Sensor system administration


IDM enables you to securely manage sensors remotely from any workstation that has a
compatible web browser. The graphical user interface (GUI) was designed to simplify sensor
configuration tasks.
IDM enables you to complete the following from a remote station:
• Re-start the sensor
• Power down the sensor

IDS Manager Interface

[Figure: IDM interface showing the Path Bar, Area Bar, Sub-area Bar, Table of Contents, Toolbar, Content Area, and Information Window]

The IDM GUI provides you with an intuitive approach to configuring sensors. The GUI has the
following sections:
Path Bar: This section displays the current selection. In the figure, the path selected is
Configuration > Sensing Engine.
Area Bar: This section lists the available sensor configuration items. The available sensor
configuration items are Device, Configuration, Monitoring, and Administration. Each
configuration item has sub-options, which are listed in the sub-area bar.
Sub-area Bar: This section lists the available sensor configuration sub-options for the item
selected from the area bar. In the figure, the available configuration options are Sensing
Engine, Blocking, Auto Update, and Restore Defaults.
Table of Contents (TOC): This section lists the available options for the item selected
from the sub-area bar. In the figure, the TOC displays the options for the Sensing Engine.
Toolbar: This section lists the available user functions. The available user functions are
Logout, Help, NSDB, and About.
Content Area: This section displays the information associated with the option selected or
an action associated with a user function.
Information Window: This area displays a description or instructions associated with the
option selected.

Configuring Network Settings
This topic explains how to configure network settings using the IDM.

Configuring Network Settings

[Figure: Network Settings page (Device > Sensor Setup > Network) showing the Host Name, IP Address, Netmask, Default Route, Enable TLS/SSL, Web Server Port, and Use Default Ports fields, with Apply to Sensor and Reset buttons]

After you use the setup command to initialize the sensor, the parameter values appear on the
Network Settings page in the IDM. If you need to change these parameters, you can do so from
the Network Settings page. However, changing the network settings may disrupt your
connection to the sensor and force you to reconnect.
Only a user with administrator privileges can configure the network settings of the sensor. The
communication parameters of a sensor can be changed by choosing Device > Sensor Setup >
Network. When the Network Settings panel appears, you can configure the following settings:
Sensor Name: The sensor name is a case-sensitive character string up to 256 characters.
Numbers, underscores (_) and dashes (-) are valid, but spaces are not acceptable.
IP Address: This setting is the IP address of the sensor.
Netmask: This setting is the netmask for the sensor.
Default Route: This setting is the default route IP address for the sensor.
Enable TLS/SSL: This setting enables TLS and SSL in the web server when this box is
checked. This option is enabled by default. TLS and SSL are protocols that enable
encrypted communications between a web browser and a web server. When TLS/SSL is
enabled, you connect to the IDM using https://sensor_ip_address. If you disable TLS/SSL,
connect to the IDM using http://sensor_ip_address: port_number.
Web Server Port: This setting is the TCP port used by the web server (1 to 65535).
Use Default Ports: This setting enables the web server to use the default port when this
box is checked. You can enter a TCP port to be used by the web server in the Web Server
Port field, or you can check this check box to use the default port. The default port for http
is 80. The default port for https is 443. If you change the web server port, you must specify
the port in the URL address of your browser when you connect to the IDM.

After you have made the necessary configuration entries, you can save and apply your changes
by clicking the Apply to Sensor button. The Reset button allows you to reset the form.

Configuring Allowed Hosts
This topic explains how to configure allowed hosts using the IDM.

Configuring Allowed Hosts


[Figure: Allowed Hosts page (Device tab > Sensor Setup > Allowed Hosts) with Select All, Deselect All, Add, Edit, Delete, and Reset buttons]

You can give a host or network permission to access the sensor through the network by adding
the host or network as an allowed host. In order to use management and monitoring hosts, you
must add them as allowed hosts. Otherwise, they are not able to communicate with the sensor.
By default, only hosts on the 10.0.0.0 network are permitted access. If you delete the default
network and you do not add any hosts to the list, no hosts are permitted.
You can add, edit, or delete allowed hosts by choosing Device > Sensor Setup > Allowed
Hosts. The Allowed Hosts page provides the following options:
Select All: Enables you to select all host and network entries simultaneously
Deselect All: Enables you to deselect all host and network entries simultaneously
Add: Enables you to access the Adding page, where you can add allowed hosts
Edit: Enables you to edit the IP addresses and netmasks of specific hosts
Delete: Enables you to delete hosts from the allowed list
Reset: Enables you to reset the form

Caution When adding, editing, or deleting allowed hosts, make sure that you do not delete the IP
address used for remote management of the sensor.
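The following Python check is an added example, not code from the course or from the sensor software. It models the access list entries described for the setup dialog's network access list and the IDM Allowed Hosts page (an IP address alone permits one host, an IP address plus netmask permits a network) and answers the question the Caution raises: after a proposed change, can the management hosts still reach the sensor? The management host addresses and list entries are constructed for illustration.

```python
"""
Added example (not part of the Cisco course text): a pre-flight check for the
sensor's network access list. Entries follow the form the setup dialog and the
IDM Allowed Hosts page accept: 'A.B.C.D' permits one host, 'A.B.C.D M.M.M.M'
permits a network. Sample addresses below are constructed.
"""
import ipaddress
from typing import Dict, List

# Factory default entry named in the course text (permits all of 10.0.0.0/8).
DEFAULT_ENTRY = "10.0.0.0 255.0.0.0"


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Turn 'A.B.C.D' (host) or 'A.B.C.D M.M.M.M' (network) into a network."""
    parts = entry.split()
    if len(parts) == 1:
        return ipaddress.IPv4Network(parts[0] + "/32")
    if len(parts) == 2:
        # strict=False tolerates host bits set in the address part.
        return ipaddress.IPv4Network(parts[0] + "/" + parts[1], strict=False)
    raise ValueError("malformed access list entry: %r" % entry)


def covering_entries(entries: List[str], host: str) -> List[str]:
    """Entries that permit `host` to connect to the sensor."""
    addr = ipaddress.IPv4Address(host)
    return [e for e in entries if addr in parse_entry(e)]


def delete_entry(entries: List[str], number: int) -> List[str]:
    """Remove the entry the setup dialog numbers `number` (1-based).

    Returns a new list; the original is left untouched so the caller can
    compare before and after.
    """
    if not 1 <= number <= len(entries):
        raise IndexError("no access list entry numbered %d" % number)
    return entries[:number - 1] + entries[number:]


def check_access_list(entries: List[str], management_hosts: List[str],
                      widest_prefix: int = 24) -> Dict[str, object]:
    """
    Evaluate an access list before applying it to the sensor.

    locked_out      - management hosts no longer covered by any entry
    broad           - entries wider than /widest_prefix (the default /8 is one)
    default_present - True while the factory 10.0.0.0/8 entry remains
    permits_nothing - True for an empty list (no host may connect)
    """
    parsed = {e: parse_entry(e) for e in entries}
    return {
        "locked_out": [h for h in management_hosts
                       if not covering_entries(entries, h)],
        "broad": [e for e, net in parsed.items()
                  if net.prefixlen < widest_prefix],
        "default_present": parse_entry(DEFAULT_ENTRY) in parsed.values(),
        "permits_nothing": len(entries) == 0,
    }


if __name__ == "__main__":
    # Constructed: the list as shipped plus one management workstation.
    acl = [DEFAULT_ENTRY, "192.168.1.50"]
    mgmt = ["10.1.9.10", "192.168.1.50"]   # constructed management hosts
    print("as shipped:", check_access_list(acl, mgmt))
    trimmed = delete_entry(acl, 1)         # remove the default /8 entry
    print("after deleting entry 1:", check_access_list(trimmed, mgmt))
    # A tighter replacement keeps both management hosts reachable.
    fixed = trimmed + ["10.1.9.0 255.255.255.0"]
    print("with /24 management net:", check_access_list(fixed, mgmt))
```

Run the check against the list you intend to apply; a non-empty locked_out means the change would cut off a management host, which is the mistake the Caution warns about.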

Configuring Allowed Hosts (Cont.)

[Figure: Allowed Hosts Adding page with IP Address and Netmask fields, and Apply to Sensor, Cancel, and Reset buttons]


If you choose Add from the Allowed Hosts page, the Adding page appears. This page enables
you to enter the following settings for the allowed host:
IP Address: The IP address of the host that you are permitting to access the sensor
Netmask: The netmask of the network or host that you are permitting to access the sensor

If you want to reset the form, click the Reset button; otherwise, click Apply to Sensor to save
and apply your changes. The Allowed Hosts page appears again with the host information that
you entered.

Setting the Time
This topic explains how to set the time using the IDM.

Setting the Time

[Figure: Time Settings page with Time Settings, Standard Time Zone, NTP Server, Daylight Savings Time, and Daylight Savings Time Duration sections, and Apply Time to Sensor, Apply Settings to Sensor, Refresh, and Reset buttons]

You can define the time, time zone, and daylight savings time (DST) for the sensor by choosing
Device > Sensor Setup > Time. The Time Settings page enables you to configure the following
settings:
Time Settings:
– Time: Enter the current time in hh:mm:ss format. Time indicates the time on the local
host. To see the current time, click the Refresh button. If you accidentally specify the
incorrect time, stored events will have the wrong time stamp and you must clear the
events.
– Date: Enter the current date in the format mm:dd:yyyy. The Date indicates the date on
the local host.
Standard Time Zone:
– Zone Name: Enter the local time zone to be displayed when summer time is not in
effect. The default value is Universal Coordinated Time (UTC).
– UTC Offset: Enter the offset in minutes from UTC (in the format mm). The default
value is 0.
NTP Server:
– Server IP: Enter the Network Time Protocol (NTP) server IP address if you are using
an NTP server to set the sensor time. If you define an NTP server, the sensor time is set
by the NTP server, and the command-line interface (CLI) clock set command will
produce an error. However, you can still set the time zone and daylight saving time
parameters.
– Key: Enter the NTP server key value if you specified an NTP server.

– Key ID: Enter the NTP server key identifier (a value from 1 to 4294967295) if you
specified an NTP server.
Daylight Savings Time:
– Enabled: Choose the Enabled check box to enable daylight saving time (DST, or
summer time). The default is Off.
– DST Zone Name: The name of the zone (1 to 32 characters of text) to be displayed
when summer time is in effect.
– Offset: The number of minutes to add during the summer time in mm format. The
default is 60 minutes.
– Start Time: The time (in hh:mm format) to apply the summer time setting. The default
is 02:00.
– Stop Time: The time (in hh:mm format) to remove the summer time setting. The
default is 02:00.
Daylight Savings Time Duration
– Recurring: Click the Recurring radio button to indicate that summer time should start
and end on the specified days every year. The default is Off.
– Start Week/Day/Month: The week, day, and month of the year to apply summer time.
The defaults are 1, Sunday, April. Use the drop-down menus to choose the week, day,
and month.
– End Week/Day/Month: The week, day, and month of the year to remove summer time.
The defaults are last, Sunday, October. Use the drop-down menus to choose the week,
day, and month.
– Date: Click the Date radio button to indicate that summer time should start on a
specific date.
– Start: The month, date, and year to start summer time. Use the drop-down menu to
choose the month. Enter the date and year in the format mm:hh:yyyy.
– End: The month, date, and year to stop summer time. Use the drop-down menu to
choose the month. Enter the date and year in the format mm:hh:yyyy.
When you have entered the appropriate settings, click the Apply to Sensor button to
save the settings; otherwise, reset the form by clicking the Reset button.

Note Cisco IDS Software version 4.1 has been evaluated against the Intrusion Detection System
Protection Profile, version 1.4, February 4, 2002, using the Common Criteria Evaluation and
Validation Scheme found at http://niap.nist.gov/cc-scheme/. In the evaluated configuration,
the sensor uses internal resources for time setting and timekeeping. You cannot use an NTP
server. See Common Criteria Evaluated Configuration for more information.

If you set the time incorrectly when you first configure the options in the Time page, your
stored events will have the incorrect time because they are stamped with the time the event was
created. The eventStore time stamp is always based on UTC. If during the original sensor setup,
you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct
the error, the corrected time will be set backwards. Consequently, new events could have times
older than old events.
For example, if during the initial setup, you configure the sensor as central time with daylight
saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and
has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m.,
you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m.,
and now the clock shows 09:01:33 Central Daylight Time (CDT). Because the offset from UTC
has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates the time
stamp problem.

4-72 Securing Cisco Network Devices (SND) v1.0 Copyright © 2005, Cisco Systems, Inc.
To ensure the integrity of the time stamp on the event records, you must clear the event archive
of the older events by using the clear events command from the CLI.
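The clock correction described above, worked through as an added example (not code from the course or from the sensor software): a helper converts a local sensor clock reading into the UTC stamp the eventStore would record, and a check walks a constructed event list in creation order and reports every event that is stamped earlier than an event created before it. The dates are placeholders; only the wall-clock readings (20:04:37, 21:00:23, and 09:01:33 CDT) come from the text.

```python
from datetime import datetime, timedelta, timezone

# Added illustration, not code from the course or from the sensor software.
# The eventStore stamps events in UTC using the sensor's configured offset;
# the lesson uses Central Daylight Time, which is UTC-5.
CDT = timezone(timedelta(hours=-5), "CDT")


def utc_stamp(local_wall_clock):
    """Return the UTC stamp the eventStore would record for a naive local clock reading."""
    return local_wall_clock.replace(tzinfo=CDT).astimezone(timezone.utc)


def find_regressions(events):
    """Flag events whose stamp is earlier than an event created before them.

    events: list of (event_id, utc_stamp) in the order the sensor created them.
    Returns [(event_id, seconds_behind_latest_earlier_stamp), ...]; an event
    store written by a monotonically advancing clock returns [].
    """
    regressions = []
    latest = None
    for event_id, stamp in events:
        if latest is not None and stamp < latest:
            regressions.append((event_id, int((latest - stamp).total_seconds())))
        latest = stamp if latest is None else max(latest, stamp)
    return regressions


def lesson_scenario():
    """Replay the clock error from the lesson; the dates are constructed placeholders."""
    setup_day = datetime(2005, 4, 4)
    events = [
        # Initial setup: the operator typed 8:04 p.m. although it was 8:04 a.m.
        ("evt-1", utc_stamp(setup_day.replace(hour=20, minute=4, second=37))),
        # One week later, last event before the correction: clock reads 21:00:23 CDT
        ("evt-2", utc_stamp(setup_day + timedelta(days=7, hours=21, seconds=23))),
        # First event after the clock is set to 09:01:33 CDT the same morning
        ("evt-3", utc_stamp(setup_day + timedelta(days=7, hours=9, minutes=1, seconds=33))),
        # A later event on the corrected clock is still stamped earlier than evt-2
        ("evt-4", utc_stamp(setup_day + timedelta(days=7, hours=9, minutes=5))),
    ]
    return events, find_regressions(events)


if __name__ == "__main__":
    events, regressions = lesson_scenario()
    for event_id, stamp in events:
        print(event_id, stamp.isoformat())
    print(regressions)
```

Both events created on the corrected clock are reported as roughly twelve hours behind the last event written on the wrong clock, which is why the lesson has you clear the archive rather than let the two populations of events mix.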

Copyright © 2005, Cisco Systems, Inc. Securing Networks with Host-and Network-based IPS 4-73
Creating User Accounts
This topic explains how to create user accounts using the IDM.

Creating User Accounts

[Figure: the IDM Users page, reached from the Device tab via Sensor Setup > Users, with the
Select All, Deselect All, Add, Edit, Delete, and Reset buttons. Slide SND v1.0—5-21]

Create and remove users from the local sensor by choosing Device > Sensor Setup > Users.
The Users page displays all currently configured user accounts. If you click Add in the Users
page, the Adding page appears. The Adding page enables you to add a user.

Creating User Accounts (Cont.)

[Figure: the IDM Adding page with the User Name, Password, Password Again, and User Role
fields and the Apply to Sensor, Cancel, and Reset buttons. Slide SND v1.0—5-22]

To add a user, complete the Adding page as follows:
User Name: Enter the new username. This name can contain 1 to 16 alphanumeric
characters.
Password: Enter the password associated with the user. The password must be at least
eight characters long and must not be a dictionary word.
Password Again: Enter the password associated with the user. Enter the password again in
this field.
User Role: Choose one of the following roles for the user from the User Role drop-down
menu:
– Viewer
– Operator
– Administrator
– Service
After you have completed the appropriate entries, you can click the Apply to Sensor button to
save your changes, or you can reset the form by clicking the Reset button.
The IDM permits only one user to log in at a time. If a second user attempts to log in, a
message is displayed indicating that the user limit has been reached. If the second user has
equal or greater privileges than the first user, the login can be forced, but this process logs out
the first user. If the first user is forced out, all unsaved changes are lost.

Configuring Interfaces
This topic explains how to configure interfaces using the IDM.

Configuring the Interfaces

[Figure: the IDM Interface Groups page, reached via Sensing Engine > Interface Groups,
listing Group Number, Virtual Sensor, Alarm Channel, Sensing Interfaces, and Enabled for
each group, with the Select All, Deselect All, Edit, Enable, Disable, and Reset buttons. Slide
SND v1.0—5-23]

You can enable an interface only if the interface belongs to an interface group. You will receive
the following error message if you attempt to enable an interface that is not part of a group:
This operation is illegal because interface, int0, does not belong to
an interface group.
An interface group provides a way to group monitoring interfaces into one logical
virtualSensor. Only Group 0 is supported. Multiple monitoring interfaces can be assigned to the
interface group at any given time, but you cannot assign the command and control interface to
the interface group.

Note Interface 0 (int0) on the Cisco IDS-4250-XL Sensor cannot be a monitoring interface
because it is used to send TCP resets.

You can add an interface to an interface group and enable an interface group by choosing
Configuration > Sensing Engine > Interface Groups. The Interface Groups page appears with
the following information displayed:
Group Number: This number specifies the logical number associated with the group. You
must use 0 for current IDS software versions.
Virtual Sensor: This item specifies the virtualSensor assigned to this group. You must use
“virtualSensor” for current IDS software versions. Only one virtualSensor is supported.
Alarm Channel: This item specifies the Alarm Channel assigned to this group. You must
use “alarmChannel” for current IDS software versions. Only one Alarm Channel is
supported.

Sensing Interfaces: This item specifies the interfaces that belong to the group. There is no
default.
Enabled: This item defines whether the group is enabled or disabled. The default is Yes.

You can enable or disable the interface group by checking the check box next to the group and
then clicking the Enable or Disable button. Add interfaces to an interface group by checking the
check box next to the group and then clicking the Edit button. If you click the Edit button, the
Editing page appears.

Configuring the Interfaces (Cont.)

[Figure: the Interface Groups Editing page with the Group Number, Virtual Sensor, Alarm
Channel, and Sensing Interfaces fields and the Apply to Sensor, Cancel, and Reset buttons.
Slide SND v1.0—5-24]

In the Editing page, you can choose one or more sensing interfaces to add to the group. For
current IDS software versions, the only option you can edit is the Sensing Interfaces option. To
choose multiple interfaces, press the Ctrl key while choosing each additional interface.
Choosing the command and control interface results in an invalid configuration. Do not choose
the command and control interface as a sensing interface. The command and control interface is
interface 1 (int1) on most sensors; however, it is int0 on the router network module.
You can reset the form by clicking the Reset button; otherwise, click the Apply to Sensor
button to save and apply your changes. When you click the Apply to Sensor button, the
following message is displayed:
Configuration update in progress. This page will be unavailable for a
few minutes.
You can display the Interface Groups page and view any changes you made by choosing
Configuration > Sensing Engine > Interface Groups.

Configuring the Interfaces (Cont.)

[Figure: the Sensing Interface page with the Select All, Deselect All, Enable, Disable, and
Reset buttons. Slide SND v1.0—5-25]

To enable sensing interfaces, choose Configuration > Sensing Engine > Interfaces. The Sensing
Interface page lists the known interfaces and allows you to enable or disable them. The
following information is displayed:
The interface name
The device name
Whether the interface is enabled or disabled
Whether the interface is command and control or monitoring (sniffing)
Which type of interface it is (SX, TX)

To enable or disable an interface, check the check box next to the interface and click the Enable
button or click the Disable button. While the configuration is taking place the following
message is displayed:
Configuration update is in progress. This page will be unavailable for
a few minutes.
When configuration is complete, the Sensing Interface page reappears and the changes are
displayed.

Restoring Default Settings
This topic explains how to restore default settings using the IDM.

Restoring the Default Settings

[Figure: the Restore Defaults page, reached from the Configuration tab via Restore Defaults,
with the Apply to Sensor button. Slide SND v1.0—5-26]

You can restore the default configuration to your sensor. Restoring the default configuration
removes the current application settings and restores the default settings. Your network settings
also return to the defaults and you immediately lose connection to IDM and the CLI. The
following settings, however, are not reset:
User accounts
Passwords
Time

If you need to restore the default configuration, choose Configuration > Restore Defaults.
When the Restore Defaults page appears, click the Apply to Sensor button to restore the sensor
to the default configuration.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• Initialization, configuration, administration, and troubleshooting tasks can all be
completed from the CLI.
• User accounts are assigned different user roles, and each role is allowed access to
different privilege levels.
• Each CLI command mode provides access to a different subset of commands.
• The setup command provides access to a dialog used to complete the initialization
process.
• The IDM is a web-based tool that enables you to remotely and securely configure and
manage your sensor. The IDM uses a GUI.

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—5-27

Summary (Cont.)

• An administrator can use the IDM to change setup parameters after the sensor has been
initialized.
• Give a host or network permission to access the sensor through the network with the IDM.
• The IDM is used to define the time, time zone, and daylight saving time for the sensor.
• The IDM is used to create and remove users from the local sensor.
• You can configure up to five monitoring interfaces depending on the type of sensor you
have. All monitoring interfaces use the same configuration.
• The IDM allows you to restore the default configuration to your sensor.

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—5-28

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.
Q1) Which of the following user account roles is a special role that allows the user to log
into a native, operating system shell rather than a CLI shell? (Source: User Accounts
and Account Roles)
A) administrator
B) operator
C) viewer
D) service
Q2) Which two of the following methods of gaining management access to a sensor require
an IP address and are enabled by default? (Choose two.) (Source: Sensor Initialization)
A) HTTPS
B) Secure Shell
C) Telnet
D) monitor and keyboard
E) console port
Q3) What four tasks can be completed using the CLI? (Source: CLI Command Modes)
______________________________________________________________________

Q4) Which five of the following CLI modes are third-level CLI modes? (Choose five.)
(Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Interface command-control configuration
D) Interface group configuration
E) Interface sensing configuration
F) Service
G) Virtual sensor configuration
H) Alarm channel configuration
I) Tune micro engines
J) Tune alarm channel
Q5) Which of the following CLI modes is where initializing the sensor and displaying
system settings are performed? (Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Interface command-control configuration
D) Interface group configuration
E) Interface sensing configuration

Q6) Which of the following CLI modes is where creating user accounts and reimaging the
application partition are performed? (Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Interface command-control configuration
D) Interface group configuration
E) Interface sensing configuration
Q7) Which of the following CLI modes is where you reset signature settings to the default
configuration? (Source: CLI Command Modes)
A) Privileged EXEC
B) Global configuration
C) Virtual sensor configuration
D) Alarm channel configuration
Q8) The eventStore time stamp is always based on CDT. (Source: Setting the Time)
A) True
B) False
Q9) There is only one command and control interface for each sensor. (Source: Configuring
Interfaces)
A) True
B) False
Q10) You can enable an interface only if the interface belongs to an interface group. (Source:
Configuring Interfaces)
A) True
B) False
Q11) When you restore the default configuration, the user account, passwords and time will
need to be reset. (Source: Restoring the Default Settings)
A) True
B) False

Lesson Self-Check Answer Key
Q1) D
Q2) A, B
Q3) Sensor initialization tasks, configuration tasks, administrative tasks, and troubleshooting
Q4) C, D, E, G, H
Q5) A
Q6) B
Q7) C
Q8) B
Q9) A
Q10) A
Q11) B

Lesson 3

Introducing the Cisco Security Agent

Overview
Cisco Security Agent (CSA) provides threat protection for server and desktop computing
systems. It helps to reduce operational costs by identifying, preventing, and eliminating known
and unknown security threats. Cisco Security Agent acts like a personal firewall and a host-based
intrusion prevention system (HIPS), providing many firewall and HIPS features including the
following:
Intrusion detection and prevention of attacks from recognized and unrecognized locations
Port blocking at inbound and outbound vulnerable ports
Buffer overflow prevention against known and unknown buffer overflow attacks
Protection against worm attacks and other suspicious email content
Application masquerade prevention and blockage of application DLL injections
Creation of an active content sandbox to isolate Java, JavaScript and ActiveX applications
utilized in potential web-based attacks
Vigilant application activity tracking that controls which application versions can run
Correlation of the local and global activities of applications

This lesson introduces the CSA and describes how you can create rules and policies to deploy
all of its features.
Objectives
Upon completing this lesson, you will be able to describe the features and functions of the
Cisco Security Agent. This ability includes being able to meet these objectives:
Describe the operation, function, positioning, endpoint security functions and features of
the CSA
Describe how the behavior-based architecture of the CSA and its INCORE technology
work to deny malicious activity before damage can be done
Match the response mechanism of each of the four CSA interceptor types to the probe,
penetrate, persist and propagate phases of an attack
Describe the two models for developing a security policy in terms of how they address
specific security threats
Describe the five steps taken to build a CSA policy
Explain how to create rules to match each level of interception

The Cisco Security Agent
This topic describes the operation, function, positioning, endpoint security functions and
features of the CSA.

Cisco Security Agent

[Figure: the five phases of an attack, with the activities typical of each. Phases 1 Probe and
2 Penetrate are marked "Subject to Mutation"; phases 3 Persist, 4 Propagate, and 5 Paralyze are
marked "Fairly Stable", with a "Cisco Prevents" label beside the later phases. Activities
shown in the figure:
1 Probe: ping addresses, scan ports, guess passwords, guess mail users
2 Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs,
compressed messages, backdoors
3 Persist: create new files, modify existing files, weaken registry security settings, install
new services, register trap doors
4 Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5 Paralyze: delete files, modify files, drill security hole, crash computer, denial of service,
steal secrets
Slide SND v1.0—4-3]

The CSA provides threat protection for server and desktop computing systems. These
components are also known as endpoints. The CSA identifies and prevents malicious behavior,
thereby eliminating known and unknown ("Day Zero") security risks and reducing operational
costs. The CSA aggregates and extends multiple endpoint security functions by providing host
intrusion prevention, distributed firewall capabilities, malicious mobile code protection,
operating system integrity assurance, and audit log consolidation—all within a single product.
Because the CSA analyzes behavior rather than relying on signature matching, it provides
robust protection, which further reduces operational costs.

As recent high-visibility attacks like Code Red and the Structured Query Language (SQL)
Slammer worm have shown, traditional technologies are limited in their abilities to combat the
effects of new and evolving attacks. Customers require host security that protects throughout all
stages of an attack and that provides important protection against new and unknown threats.

Assaults on network systems typically go through stages. Cisco recognizes that only a layered
approach is effective against security breaches that can occur at any stage. The CSA proactively
defends against damage to a host, throughout all stages of the attack, whereas other
technologies provide early-stage protection and only then when a signature is known. The
Cisco Security Agent is specifically designed to protect against new attacks where there is no
known signature.

All threats and attacks follow the same logical progression. The five phases of this progression
are as follows:
Probe phase: The attacker identifies vulnerable targets in this phase. The goal of this phase
is to find computers that can be subverted. Internet Control Message Protocol (ICMP) ping
scans are used to map networks, and application port scans identify operating systems and
vulnerable software. Passwords can be obtained through social engineering, a dictionary
attack, a brute-force attack, or network sniffing.
Penetrate phase: In this phase, exploit code is transferred to the vulnerable target. The
goal of this phase is to get the target to execute the exploit code via an attack vector like a
buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an e-
mail virus.
Persist phase: Once an exploit has been successfully launched into memory, the exploit
code tries to persist on the target system. The goal of this phase is to ensure that the
attacker code is running and available to the attacker even if the system reboots. The
exploit code achieves this goal by modifying system files, making registry changes,
installing new code, and so forth.
Propagate phase: After establishing a beachhead in the organization, the attacker attempts
to extend the attack to other targets. This phase looks for vulnerable neighboring machines.
Propagation vectors would include e-mailing copies of the attack to other systems,
uploading files to other systems using file shares or FTP services, active web connections,
and file transfers via Internet Relay Chat (IRC).
Paralyze phase: This is the phase in which actual damage is done to the system. Files can
be erased, systems can be crashed, information can be stolen, and DDoS attacks can be
launched.

As shown in the figure, there is a major dividing line between the penetrate phase and the
persist phase. The first two phases are subject to mutation with the attack footprint continually
changing. They are also subject to being hidden from defenses using evasion techniques
including the Unicode encoding of web strings or overlapping packet fragments. Since attack
identification at the penetrate phase requires a certain amount of interpretation in how the target
computer handles network packets, it tends to be a large generator of false alarms.

The last three stages, in contrast, are highly stable over time. There are a limited number of
malicious activities that an attacker can complete. They can modify the operating system, add a
new user account, open up an outgoing network connection, and delete files. This list has
remained remarkably stable over long time periods. For example, the Morris Worm of 1988 did
the same types of damage as the NIMDA Worm of 2001. Also, because modification of
operating system binaries is highly remarkable and unusual, it is much easier to identify attacks
accurately at these stages.

The unfortunate lesson here is that if you try to identify attacks at the early stages of the
process, each attack will look different, and you will be caught in an update race. If you look
for attacks in the final three stages of the process, attacks will look very similar to what has
been seen over the past 15 years. The best hope for true proactive security is by focusing in
depth
Cisco Security Agent Positioning

[Figure: an Administration Workstation connects over SSL to the Cisco Security Agent
Management Center (CSA MC); the CSA MC exchanges security policy, events, and alerts with
the CSA installed on each host across the network. Slide SND v1.0—4-4]

The CSA is deployed as shown in the figure. There are two components in a CSA deployment:
The Cisco Security Agent Management Center (CSA MC) allows the administrator to
divide network hosts into groups by function and security requirements, and then to
configure security policies for those groups. The CSA MC can maintain a log of security
violations and send alerts via e-mail or pager. The CSA MC includes a web server, a
configuration database, and a web-based user interface.
The CSA software that is installed in the host systems (for example, workstations, laptops,
servers, and so on) across the network. This software continually monitors local system
activity and analyzes the operations of that system. The CSA takes proactive action to
block attempted malicious activity and polls the CSA MC at configurable intervals for
policy updates.

CSA is administered from any workstation connecting securely to the CSA MC using a Secure
Sockets Layer (SSL)-enabled web interface.

When an application needs access to system resources, the application makes an operating
system call to the kernel. The CSA intercepts these operating system calls and compares them
to the cached security policy. If the request does not violate policy, the request is passed to the
kernel for execution.

CSA Aggregates Multiple Endpoint Security Functions

Function                                       CSA   Conventional           Conventional
                                                     Distributed Firewall   HIDS
Desktop and laptop protection                  X     X
Block incoming network requests                X     X
Block outgoing network requests                X     X
Stateful packet analysis                       X     X
Detect and block port scans                    X     X
Detect and block network DoS attacks           X     X
Detect and prevent malicious applications      X                            X
Detect and prevent known buffer overflows      X                            X
Detect and prevent unknown buffer overflows    X                            X
Detect and prevent unauthorized file           X                            X
modification
Operating system lockdown                      X                            X

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—4-5

The CSA delivers the protection of both conventional distributed firewalls and conventional
host-based intrusion prevention systems (HIPS). The following are examples of these two
functions:
Port scan detection: The CSA network-wide correlation provides unique functionality in
the detection of distributed port scans. Low-level port scans are used by hackers to
systematically scan single ports to map a network. For example, server 1 would be scanned
on port 1, server 2 on port 2, and so on. When these scans occur, each Agent reports the
activity to the CSA MC. By correlating events from distributed Agents, the CSA MC is
able to discern that a distributed port scan is taking place.
Malicious application detection and prevention: The CSA can also catch new Trojan
horse attacks by looking for actions commonly exhibited by Trojans. These actions include
writing into the address space of other processes, making themselves invisible in the process
table, monitoring keystrokes to capture passwords, and receiving User Datagram Protocol
(UDP) packets on high-numbered ports. The CSA prevents the executable file from
executing its intrusion.
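The low-and-slow scan in the port scan example above (server 1 on port 1, server 2 on port 2, and so on) is exactly the case no single host can see. The following is an added example, not CSA MC code, of the correlation step: agent reports in a constructed one-line format are grouped by source address, and a source that touches at least three agents within sixty seconds is reported. The report format, the window, and the host threshold are assumptions made for this example.

```python
from collections import defaultdict

# Added illustration, not code from the course or from the CSA MC. It models the
# correlation the lesson describes: each agent reports what it saw, and the
# management center groups the reports by source address across hosts.
WINDOW_SECONDS = 60   # assumed correlation window; the lesson gives no value
MIN_HOSTS = 3         # assumed number of distinct hosts before alerting


def parse_report(line):
    """Parse one agent report in the constructed form
    'ts=<seconds> agent=<host> src=<ip> dport=<port>'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return int(fields["ts"]), fields["agent"], fields["src"], int(fields["dport"])


def detect_distributed_scans(lines, window=WINDOW_SECONDS, min_hosts=MIN_HOSTS):
    """Return {src: sorted [(agent, dport), ...]} for every source that touched at
    least min_hosts different agents within window seconds.

    One agent seeing one port from one source has nothing to alarm on; the
    signal only appears once the reports are brought together.
    """
    per_src = defaultdict(list)
    for line in lines:
        ts, agent, src, dport = parse_report(line)
        per_src[src].append((ts, agent, dport))

    findings = {}
    for src, reports in per_src.items():
        reports.sort()                       # time order for the sliding window
        for i, (start_ts, _, _) in enumerate(reports):
            hosts, touches = set(), set()
            for ts, agent, dport in reports[i:]:
                if ts - start_ts > window:
                    break
                hosts.add(agent)
                touches.add((agent, dport))
            if len(hosts) >= min_hosts:
                findings[src] = sorted(touches)
                break
    return findings


SAMPLE_REPORTS = [   # constructed sample input; addresses are documentation ranges
    "ts=100 agent=server1 src=203.0.113.7 dport=21",
    "ts=112 agent=server2 src=203.0.113.7 dport=22",
    "ts=125 agent=server3 src=203.0.113.7 dport=23",
    "ts=140 agent=server4 src=203.0.113.7 dport=25",
    "ts=101 agent=server1 src=198.51.100.9 dport=80",    # one host, ordinary web traffic
    "ts=102 agent=server1 src=198.51.100.9 dport=443",
    "ts=500 agent=server2 src=192.0.2.44 dport=22",      # two hosts, but 400 s apart
    "ts=900 agent=server3 src=192.0.2.44 dport=22",
]

if __name__ == "__main__":
    for src, touches in detect_distributed_scans(SAMPLE_REPORTS).items():
        print(f"distributed scan from {src}: {touches}")
```

Only the first source is reported: each agent saw a single connection attempt from it, which is unremarkable on its own, but the CSA MC view shows four hosts touched in forty seconds. Widening the window or lowering the host threshold changes which sources qualify, which is the tuning trade-off between catching slower scans and raising false alarms.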

The CSA also complements traditional desktop antivirus software. For example, in the case of
an e-mail worm attack, the CSA may detect the malicious nature of the worm only after a
sequence of file, network, registry, or COM operations has occurred on at least one host. Once
detection has occurred, a report of an event is sent to the CSA MC. The CSA MC detects and
stops the malicious code at other servers and desktops by correlating the events sent from the
various distributed Agents. A policy telling all Agents not to open the offending file is created,
thus quarantining that file and preventing further damage. The result is that you are then faced
with only a few desktop machines that need to be rebuilt, rather than a whole network.

Note A personal firewall is a standalone product; a distributed firewall refers to a firewall on hosts
that are centrally managed. In both types of firewalls, the functionality occurs on the end
nodes.

Cisco Security Agent Features

• Active protection
– Protects applications and operating systems against known and unknown
attacks
– Provides preventive protection against entire classes of attacks including port
scans, buffer overflows, Trojan Horses, malformed packets, and e-mail worms
– Uses behavior-based technology to provide "Zero Update" prevention for known
and unknown attacks
– Prevents access to server resources before unauthorized activity occurs
• Centralized Management
• Automatic and transparent Agent deployment to up to 5000 endpoints
• Active update capabilities—Security policy and software updates
propagated to Agents without operator intervention
• 5 to 10 percent Agent CPU overhead

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—4-6

The Cisco HIPS, CSA, complements the Cisco Network-based intrusion detection system by
protecting the integrity of applications and operating systems. The CSA blocks malicious
activity before damage is done. It protects against attacks including SYN floods, port scans,
buffer overflows, Trojan horses, and malformed packets. The CSA also protects against worm
attacks such as Code Red, which targets Web servers, SirCam, which targets corporate
desktops, and Nimda, which targets both. By focusing on the behavior of applications, the CSA
protects not only against known attacks such as those mentioned but also against new attacks
for which there is no known signature.

The CSA MC installation automatically builds Agent kits, so it is not necessary to log in to the
CSA MC to deploy Agents to servers or workstations. Agent kits can be deployed to up to
5,000 Agent hosts by user logon scripts, software deployment products, e-mail distribution of a
web link to an Agent kit, or software image replication. In the event that identical software
images are distributed, the CSA MC automatically ensures that each new Agent is registered
with a unique identifier.

Because the CSA offers the option for Agent kits to install silently and transparently to end
users, no end-user interaction is required. Users do not have to answer any questions, and users
cannot bypass the installation. Agents automatically register with the CSA MC after
installation, so configuration is also transparent to the end user.

Agents communicate with the CSA MC via Secure Sockets Layer (SSL) for rules updates with
no user intervention. When Agents poll into the CSA MC at a configurable time interval, any
change to the security policy is automatically propagated. Software updates are also
automatically propagated to the Agents without the need for operator intervention.

CSA events can be reported to the Cisco Security Monitor, which is a tool that captures, stores,
views, correlates, and reports on events.

The CSA does not inspect content; therefore it has a negligible impact on performance.

CSA Architecture
This topic describes how the behavior-based architecture of the CSA and its INCORE
technology work to deny malicious activity before damage can be done.

Behavior-Based Architecture

• Windows and Solaris platforms
• Server and desktop Agents
• Malicious mobile code protection and OS lockdown in one Agent
• Default and customizable policies
• Buffer overflow protection
• Web server protection
• Instant messenger security
• Comprehensive kernel interceptor shims
• Approximately 2 percent CPU overhead

[Figure: Reference Model, Desktop/Server Suite. An Application layer (HTTP Web Server,
E-mail Clients, Custom Web Apps, Instant Messaging) sits above intrusion protection shims and
a COM interceptor; below are the O/S layer and a Device layer with a hardware I/O shim.]

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—4-7

The CSA behavior-based technology has application visibility because it resides at the kernel
level within the operating system. When an application attempts an operation, the CSA checks
the operation against the security policy for that application and makes a real-time decision to
allow or to deny the operation. Administrators can create custom policies and modify the
default CSA policies in the CSA MC. False positives are reduced because the CSA makes real-
time decisions within the context of overall application behavior.

The Intercept Correlate Rules Engine (INCORE) architecture intercepts all system calls to file,
network, Component Object Model (COM), and registry sources and then applies intelligence
to correlate the behaviors of such system calls to the security policy. This correlation and
understanding of an application behavior is what allows the software to prevent new intrusions.
INCORE enables the CSA to act as an intrusion detection and prevention agent, a file integrity
monitoring agent, and an application sandbox. (Sandboxing is a technique that prevents access
to server resources not specifically allowed by the operating system or application.)

The CSA is a HIPS that intercepts all operating system (OS), file system, configuration,
registry, and network requests to impede malicious activity. The system inserts shims into an
OS that intercept OS service requests and compare them against corporate policy. The shims
pass allowable requests to the OS for servicing and deny non-allowable requests.

The CSA also provides a network shim for monitoring traffic coming into the host. If the
network shim identifies a port scan, it might deny a response to that scan.

INCORE™ Technology

Intercept Correlate Rules Engine

CSA intercepts application OS calls and invokes ALLOW or DENY response through “Zero
Update” INCORE architecture.

© 2005 Cisco Systems, Inc. All rights reserved. SND v1.0—4-8

CSA uses proprietary INCORE architecture to implement intrusion prevention.

When an application needs access to system resources, the application makes an OS call to the
kernel. INCORE intercepts these OS calls, and compares them with a cached policy (this policy
was centrally defined on the CSA MC and downloaded by the agent when the agent polled the
CSA MC). INCORE correlates this particular OS call with others made by that application or
process, and correlates these events to detect malicious activity. If the request does not violate
policy, it is passed to the kernel for execution. If the request violates policy, it is blocked (not
passed to the kernel), an appropriate error message is passed back to the application, and an
alert is generated and sent from the agent to the CSA MC.

INCORE provides many different security capabilities using the following four types of
interceptors:
File system interceptor: All file read or write requests are intercepted and allowed or
denied based on the security policy.
Network interceptor: Network driver interface specification (NDIS) changes are
controlled, and network connections are cleared through the security policy by port and IP
address pairs. The number of network connections allowed within a specified time can also
be limited to prevent denial of service (DoS) attacks.
Configuration interceptor: Read or write requests to the registry on Windows or to rc
files on UNIX are intercepted. Because modification of OS configuration is highly unusual,
it is tightly controlled by the CSA.
Execution space interceptor: This interceptor deals with maintaining the integrity of each
application dynamic run-time environment. Requests to write to memory not owned by the
requesting application are detected and blocked by this interceptor. Attempts by one
application to inject code, such as a shared library or dynamic link library (DLL), into
another are also detected and blocked. Buffer overflow attacks are detected by this
interceptor as well. The result is that not only is the integrity of dynamic resources, such as
the file system and configuration, preserved, but the integrity of highly dynamic resources
such as memory and network I/O is also preserved.
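As an added illustration, and not Cisco code, the following Python models two of the correlation behaviors this topic attributes to the CSA networking components: the network shim recognizing a port scan (many distinct destination ports from one source within a window) and then denying any further response to that source, and the network interceptor's limit on the number of connections accepted within a specified time, used against DoS. The event format, thresholds and addresses are constructed for the example.

```python
# Added example, not Cisco code: correlation of the kind the text attributes to the
# CSA network shim (port-scan detection, then denying responses to the scanner)
# and network interceptor (limiting accepted connections per time window).
# Thresholds, addresses and the event format are constructed for illustration.
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

Event = Tuple[float, str, int]   # (time in seconds, source address, destination port)


class NetworkShim:
    def __init__(self, scan_ports: int = 10, scan_window: float = 5.0,
                 conn_limit: int = 20, conn_window: float = 1.0) -> None:
        self.scan_ports = scan_ports          # distinct ports from one source = scan
        self.scan_window = scan_window        # seconds of history kept per source
        self.conn_limit = conn_limit          # accepted connections per window
        self.conn_window = conn_window
        self.ports_seen: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.accepted: Deque[float] = deque() # timestamps of accepted connections
        self.blocked: Set[str] = set()        # sources we no longer answer

    def inbound(self, t: float, src: str, dport: int) -> str:
        """Verdict for one inbound connection attempt: accept, drop_scan or drop_rate."""
        if src in self.blocked:
            return "drop_scan"
        hist = self.ports_seen[src]
        hist.append((t, dport))
        while hist and t - hist[0][0] > self.scan_window:
            hist.popleft()                    # forget attempts outside the window
        if len({p for _, p in hist}) >= self.scan_ports:
            self.blocked.add(src)             # correlate: many ports, one source
            return "drop_scan"
        while self.accepted and t - self.accepted[0] > self.conn_window:
            self.accepted.popleft()
        if len(self.accepted) >= self.conn_limit:
            return "drop_rate"                # DoS limit: too many in this window
        self.accepted.append(t)
        return "accept"


def replay(events: List[Event], shim: Optional[NetworkShim] = None) -> Counter:
    """Feed events in time order and count the verdicts."""
    shim = shim or NetworkShim()
    return Counter(shim.inbound(t, src, dport) for t, src, dport in sorted(events))


# Constructed traffic: a 12-port sweep from one host, one legitimate client,
# then a burst of 30 connection attempts within 0.3 seconds from many hosts.
SAMPLE_EVENTS: List[Event] = (
    [(0.1 * i, "10.0.0.66", 1 + i) for i in range(12)]
    + [(5.0, "10.0.0.7", 80)]
    + [(10.0 + 0.01 * i, f"192.0.2.{i + 1}", 80) for i in range(30)]
)
```

With the defaults, the scanner's first nine probes are answered, the tenth distinct port trips the scan rule and everything after it from that source is dropped, the legitimate client is served, and the burst is cut off after twenty accepted connections in the one-second window. A scan slower than the window is not caught by this logic, which is why real deployments tune the window and threshold per group.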

The following two examples illustrate how CSA works:


Example 1: A web server is serving HTML web pages. As incoming web requests are
received, the web server generates file system I/O and network packet I/O requests. As long
as these requests are within the bounds of the policy (for example, web server applications
have read access to web pages), no security events are generated. If a known attack, such as
a Unicode directory traversal attack hidden via SSL encryption, tries to make the
application act outside this policy (for example, read a command shell like CMD.EXE), the
request is blocked. An error such as the following is returned to the remote user:
404: Not Found
Example 2: Suppose an attacker were to try an unknown, never-before-seen attack like a
buffer overflow attack. Again, this could be hidden via SSL encryption or evasion
techniques. The execution space interceptor detects the application violating its own or
another execution space or environment. In this case, it would detect code executing from
data space, and block the execution. Because this behavior violates policy, no update would
be needed to block the new attack—thus the name “Zero Update.”

CSA Interceptor Functionality (slide 4-9)

Security Application       Network      File System   Configuration   Execution Space
                           Interceptor  Interceptor   Interceptor     Interceptor
Distributed Firewall       X
Host Intrusion Detection   X                                          X
Application Sandbox                     X             X               X
Network Worm Prevention    X                                          X
File Integrity Monitor                  X             X

By intercepting communications between applications and the underlying system, the CSA
combines the functionality of the following traditional security approaches:
Distributed firewall: The network interceptor does the duties of a host firewall.
HIDS: The network interceptor teams with the execution space interceptor to provide the
alerting capability of a HIDS with the proactive enforcement of a security policy.
Application sandbox: An application sandbox is an execution space where suspect
programs can be run with less than normal access to system resources. This security service
is provided by a combination of the file system, configuration, and the execution space
interceptors.
Network worm prevention: The network and execution space interceptors provide Day
Zero worm prevention without a need for updates.
File integrity monitor: The file system and configuration interceptors act as a file integrity
monitor.

The default policies preconfigured on the CSA implement all of these security features.
Customers can easily create or change policies, but the default policies provide all of these
protections at once.

Attack and Interceptor Response
This topic matches the response mechanism of each of the four CSA interceptor types to the
probe, penetrate, persist and propagate phases of an attack.

Attack and CSA Response (slide 4-10)

Phases of the attack, against a server protected by the CSA:
• Probe phase: ping scans, port scans
• Penetrate phase: buffer overflow, e-mail attachment
• Persist phase: install new code, modify configuration
• Propagate phase: attack other targets
• Paralyze phase: erase files, crash system, steal data

CSA response on the protected server: file system interceptor, network interceptor,
configuration interceptor, and execution space interceptor.

Malicious attacks come in thousands of varieties and new attacks are constantly being devised
to exploit newly discovered vulnerabilities. However, their basic goals have remained nearly
constant over time.

There are significant differences between the attack mechanisms used at the probe and
penetrate phases and attack mechanisms used at the persist phase. Because consistently
identifying attacks at the early phases of a newly developed exploit can be nearly impossible,
the CSA focuses on providing proactive security by controlling access to system resources.
This approach avoids the race to update defenses to keep up with the latest exploit and protects
hosts even on Day Zero of a new attack. For example, the Nimda and Slammer worms did
millions of dollars in damage to enterprises in the first day of their appearance, before updates
were even available, but the CSA stopped these attacks without any updates by identifying their
behavior as malicious.

When an application attempts to write to a file, make registry changes, or access system
resources in any way, it must make an OS call to the kernel. The CSA provides complete
enforcement of your security policy by policing these requests from applications to the kernel.

The CSA intercepts OS calls and compares them with a cached policy that is centrally defined
on the CSA MC. If the request does not violate policy, it is passed to the kernel for execution.
However, if the request does violate policy, it is blocked. An alert is then generated by the host
CSA and sent to the CSA MC.

By controlling behavior at the OS call level, the CSA blocks attacks at the persist, propagate,
and paralyze phases without the constant updates required at the probe and penetrate phases.

Selecting a Security Policy Model
This topic describes two models for developing a security policy in terms of how they address
specific security threats.

Selecting a Security Policy Model (slide 4-11)

Security Policy Model   Security Policy Action
Permissive              Deny malicious actions and allow all other actions
Restrictive             Allow required actions and deny all other actions
Customized              Tailor deny or allow policies according to the security
                        requirements of different groups

A corporate security policy should temper business concerns with security concerns. This
policy should allow the user community to access required resources, while protecting that
community from the dangers those resources can introduce. To achieve this goal, it is crucial to
have in place a carefully planned network security policy that safeguards valuable
organizational resources and information.

Before configuring your policies, it is important to understand which network resources and
services you want to protect and which threats concern you most. The first step in planning a
security policy is identifying the resources that your user community requires to do business.
Resources could include specific applications, protocols, network servers, and web servers.
Collect this information and use it to design the main features of your policy.

Caution To maintain the integrity of the preconfigured policies shipped with the CSA MC, it is
recommended that you do not change them. If you are using preconfigured policies but want
to edit them slightly to meet the needs of your own site, you should instead create a new
policy and add that policy to the preconfigured group policy.

As you determine the network resources that are required by your user community, you can
identify some of the threats posed to those resources. For example, while putting together a
security plan, you might find it beneficial to limit access to some resources based on various
parameters such as traffic direction and allowed file types.

After examining past breaches of security, you could determine that e-mail attachments and
Internet file downloads pose the greatest threat to your network. In this case, you would want to
develop policies to diminish the danger of accessing these particular resources. Your security
plan should then incorporate policies for commonly used services such as HTTP, Post Office
Protocol Version 3 (POP3), Internet Message Access Protocol (IMAP) for e-mail, and FTP.

You could take two approaches to enforcing your security plan, depending on the immediacy of
any perceived threats and your basic corporate philosophy toward security. Both approaches are
equally valid. For example, you might choose to enforce known good behaviors and selectively
add targeted restrictions. This approach would be a more permissive security model because it
facilitates uptime, but it may be less secure. Conversely, you could decide to shut everything
down and then slowly add targeted permissions. This approach is far more restrictive and some
legitimate requests could be rejected. However, this approach may be suitable for highly
secured environments. You could also use both approaches, and choose the approach that is
suited to different groups.

Building a CSA Policy
This topic describes each of the five steps taken to build a CSA policy.

Steps for Building a CSA Policy (slide 4-12)

1. Protect the application executables
2. Restrict the application processes
3. Protect application-specific data
4. Permit network access as required
5. Protect application registry keys

Once you know how an application works, you can begin forming a policy to protect that
application. There are five general areas that you need to address for each resource you are
protecting. By addressing the security needs of these five areas, you can configure a
well-formed policy to protect the resources that you are targeting.

When you are building a policy to protect a designated resource, refer to the following steps to
help you address each resource area:
Protect the application executables
Restrict the application processes
Protect application specific data
Permit network access as required
Protect application registry keys

You must prevent writing to the application executables themselves to maintain the integrity of
the executables. The only time that an executable should change is when you are upgrading the
application. This type of rule would prevent a Trojan from naming itself “netscape.exe” to
disguise itself as the Netscape executable.

Dictate what applications can and cannot do. For example, you will likely want specific
applications to write only to their own file types. To restrict an application, you must determine
the type of files needed by the application, and then restrict the application to accessing those
files only. This type of rule would prevent a buffer overrun from compromising a running
application and damaging other components on the system.

When applications are invoked, they often spawn other processes as part of the action that they
are performing. It may be desirable to place different restrictions on spawned processes.
Therefore, when you analyze an application in preparation for writing rules, the CSA MC gives
you the option of including or excluding child processes created by the original application.
You can also restrict the child processes of an application and create a rule to address only
those processes.

Restrict access to specified data by other applications. For server policies, you will want to
protect information in certain directories on the server, allowing restricted access to specific
files and blocking all outside access to other files. To correctly formulate this rule, you must
examine which other applications (if any) need to access the application data. This type of rule
would keep certain applications from retrieving sensitive data from a server, such as credit card
information or a password file.

If an application requires network connectivity, you should only enable specifically required
network services. Components that are “network visible” are especially vulnerable to attacks. It
is important to control what these network-accessible applications (and their spawned
processes) can do.

Restrict access to sensitive application-specific registry keys. You want to allow the specific
application to write to its own registry keys, but prevent all other applications from writing to
those registry keys.

As your security plan evolves, you can refine your policies, making them more or less granular
to keep pace with the needs of your user community. Your network system security depends on
your implementing security policies carefully, and checking to see that they work as intended.

Creating CSA Policy Rules
This topic explains how to create rules to match each level of interception.

Creating Rules to Match Interceptor Types (slide 4-13)

Allow or deny according to what is being tried against files, the network, the registry, or
execution space (COM) components.

Rule type               Action  Application  Operation  Direction  Service  Address
File Access             x       x            x
Network Access          x       x                       x          x        x
Registry                x       x
Windows COM Components  x       x

Rules are the foundation of your security policies. Creation of each rule type requires you to
enter information specifying the desired behavior. Use the following guidelines when
developing rules:
Use file access control rules to allow or deny the operations (read, write) that the selected
applications can perform on files. Consider your needs as follows:
— The action you are allowing or denying
— The application attempting to access the file
— The operation (read, write) attempting to act on the file
Use network access rules to control access to specified network services according to the
following:
— The action that you are allowing or denying
— The application that is attempting to access the service or address
— The direction (client, server) of the communication
— The service that a system is attempting to use
— The address of the system with which to communicate

Use registry access control rules (Windows only) to allow or deny writing to specified
registry keys by selected applications according to:
— The action that you are allowing or denying
— The application that is attempting to write to the registry keys and values
Use Component Object Model (COM) component access control rules (Windows only) to
allow or deny access to specified COM components by selected applications according to:
— The action that you are allowing or denying
— The application that is accessing the COM component
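To make these rule types concrete, here is an added example, written for this edition and not Cisco's INCORE code: a miniature policy engine in Python whose rules carry the same fields as the CSA rule types above (action, application, operation, direction, service, address), loaded with a web server policy built along the five steps from "Building a CSA Policy". The engine's default verdict encodes the permissive versus restrictive choice from "Selecting a Security Policy Model", and it replays the two INCORE examples (a traversal that makes the server read a command shell, and code executing from a data page). The image names, paths and registry keys are assumptions chosen for illustration; real CSA rules are written against application classes and variables, not raw globs.

```python
# Added example, not Cisco INCORE code: a toy rule engine with the shape of the
# CSA rule types (action, application, operation, direction, service, address).
# Image names, paths and registry keys below are assumptions for illustration;
# forward slashes are used in paths so the globs stay readable in Python.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """One intercepted OS call, as an interceptor would present it."""
    app: str                  # image name of the calling process
    kind: str                 # file | network | registry | exec
    operation: str            # read/write, accept/connect, execute
    resource: str             # path, registry key, service ("tcp/80") or memory region
    address: str = ""         # peer address for network requests
    direction: str = ""       # "server" or "client" for network requests


@dataclass(frozen=True)
class Rule:
    action: str               # allow | deny
    app: str                  # glob on image name, "*" = any application
    kind: str
    operations: Tuple[str, ...]
    resource: str             # glob on path, key, service or region
    direction: str = "*"
    address: str = "*"

    def matches(self, r: Request) -> bool:
        return (self.kind == r.kind
                and r.operation in self.operations
                and fnmatchcase(r.app, self.app)
                and fnmatchcase(r.resource, self.resource)
                and fnmatchcase(r.direction, self.direction)
                and fnmatchcase(r.address, self.address))


class Policy:
    """Ordered rules, first match wins. `default` encodes the policy model:
    'deny' = restrictive (allow required actions, deny the rest),
    'allow' = permissive (deny known malicious actions, allow the rest)."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        self.rules = list(rules)
        self.default = default
        self.alerts: List[str] = []      # what the agent would upload to the CSA MC

    def decide(self, r: Request) -> str:
        verdict = next((rule.action for rule in self.rules if rule.matches(r)), self.default)
        if verdict == "deny":
            self.alerts.append(f"DENY {r.app} {r.kind}:{r.operation} {r.resource}")
        return verdict


WEB = "inetinfo.exe"          # assumed image name of the web server process

# Execution space interceptor behavior: no code may run from a data region.
BASELINE = [Rule("deny", "*", "exec", ("execute",), "data:*")]

# Web server policy following the five steps in "Building a CSA Policy".
WEB_SERVER_RULES = BASELINE + [
    # 1. Protect the application executables: only the installer may write them.
    Rule("allow", "msiexec.exe", "file", ("write",), "C:/WebServer/bin/*"),
    Rule("deny", "*", "file", ("write",), "C:/WebServer/bin/*"),
    # 2. Restrict the application processes: read content, write logs, nothing else.
    Rule("allow", WEB, "file", ("read",), "C:/WebServer/wwwroot/*"),
    Rule("allow", WEB, "file", ("write",), "C:/WebServer/logs/*"),
    # 3. Protect application-specific data from every other application.
    Rule("deny", "*", "file", ("read", "write"), "C:/WebServer/wwwroot/secure/*"),
    # 4. Permit network access as required: accept HTTP and HTTPS only.
    Rule("allow", WEB, "network", ("accept",), "tcp/80", direction="server"),
    Rule("allow", WEB, "network", ("accept",), "tcp/443", direction="server"),
    # 5. Protect application registry keys: the server owns its key, nobody else writes it.
    Rule("allow", WEB, "registry", ("read", "write"), "HKLM/SOFTWARE/WebServer/*"),
    Rule("deny", "*", "registry", ("write",), "HKLM/SOFTWARE/WebServer/*"),
]


def restrictive_policy() -> Policy:
    return Policy(WEB_SERVER_RULES, default="deny")


def permissive_policy() -> Policy:
    return Policy(WEB_SERVER_RULES, default="allow")


# Example 1 from the INCORE topic: a traversal makes the server try to read a shell.
READ_SHELL = Request(WEB, "file", "read", "C:/WINNT/system32/cmd.exe")
# Example 2: an overflow tries to execute code from a writable data page.
EXEC_FROM_DATA = Request(WEB, "exec", "execute", "data:stack")
# Normal service traffic.
SERVE_HTTP = Request(WEB, "network", "accept", "tcp/80", "10.0.0.5", "server")


def compare_models() -> Dict[str, List[str]]:
    """Same three requests under both policy models; shows what the trade-off buys."""
    return {name: [p.decide(READ_SHELL), p.decide(EXEC_FROM_DATA), p.decide(SERVE_HTTP)]
            for name, p in (("restrictive", restrictive_policy()),
                            ("permissive", permissive_policy()))}
```

Under the restrictive model the read of cmd.exe is denied because nothing allows it; under the permissive model it is allowed, which is the uptime-for-security trade the text describes. The execution from a data page is denied under both, because the baseline rule is an explicit deny rather than a gap in the allow list. Rule order matters: the web server's own read of its secure directory hits its allow rule before the general deny, while any other application falls through to the deny.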

Other types of policies shipped with the CSA MC provide event correlation and heuristic
features that can be enabled on a per-group basis. Examples of these features are: port scan
detection, SYN flood protection, the prevention of predictable TCP sequence numbers, and the
blocking of malformed IP packets.

Summary
This topic summarizes the key points discussed in this lesson.

Summary (slide 4-14)
• CSA provides threat protection for endpoints. Attacks progress through five logical
phases. The two components in a CSA deployment are the CSA and the CSA MC.
• CSA behavior-based technology and the INCORE architecture eliminate known and
unknown security risks before damage can be done.
• CSA uses file system, network, registry and execution space interceptors to stop
malicious activity.
• Interceptors respond to each of the probe, penetrate, persist and propagate phases of an
attack.
• Security policies can be developed by balancing permissive and restrictive models
according to the threat.
• CSA policies are built following a best practice methodology.
• Rules are created to meet the requirements of each interception level.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Describe the difference in stability between the first two phases and the last three
phases in a network attack. (Source: The Cisco Security Agent)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Q2) What are the two components in a CSA deployment? (Source: The Cisco Security
Agent)

Q3) Which five of the following security functions are provided by the CSA but not by a
conventional distributed firewall? (Choose five.) (Source: The Cisco Security Agent)
A) detect or prevent malicious applications
B) block incoming network requests
C) block outgoing network requests
D) stateful packet analysis
E) detect or prevent unauthorized file modification
F) detect or block network DoS attacks
G) desktop and laptop protection
H) detect or prevent known buffer overflows
I) detect or prevent unknown buffer overflows
J) detect or block port scans
K) operating system lockdown
Q4) Which six of the following security functions are provided by the CSA but not by a
conventional HIDS? (Choose six.) (Source: The Cisco Security Agent)
A) detect or prevent malicious applications
B) block incoming network requests
C) block outgoing network requests
D) stateful packet analysis
E) detect or prevent unauthorized file modification
F) detect or block network DoS attacks
G) desktop and laptop protection
H) detect or prevent known buffer overflows
I) detect or prevent unknown buffer overflows
J) detect or block port scans
K) operating system lockdown

Q5) What four types of interceptors does INCORE use to provide security? (Source: CSA
Interceptors)

______________________________________________________________________

Q6) Describe the three approaches you can take to enforce a security plan. (Source: Selecting
Security Policy Models)

______________________________________________________________________

______________________________________________________________________

Q7) Which of the following access rules would guide a policy regarding the network
service a system is attempting to use? (Source: Creating CSA Policy Rules)
A) file access
B) network access
C) registry
D) Windows COM components

Lesson Self-Check Answer Key
Q1) The first two phases are subject to mutation with the attack footprint continually changing. They are also
subject to being hidden from defenses using evasion techniques including the Unicode encoding of web
strings or overlapping packet fragments. The last three stages, in contrast, are highly stable over time.
There are a limited number of malicious activities that an attacker can complete.

Q2) The CSA and the CSA MC

Q3) A, E, H, I, K

Q4) B, C, D, F, G, J

Q5) File system interceptor, network interceptor, configuration or registry interceptor, and execution space
interceptor.

Q6) Permissive security model: You might choose to enforce known good behaviors and selectively add
targeted restrictions. This approach would be a more permissive security model.
Restrictive security model: You could decide to shut everything down and then slowly add targeted
permissions. This approach is far more restrictive and some legitimate requests could be rejected, but it
may be suitable for highly secured environments.
Both models: You could use both approaches, choosing the approach suited to different groups.

Q7) B

Lesson 4

Deploying HIPS with the CSA MC

Overview
The Cisco Security Agent Management Center (CSA MC) is one of many components of
CiscoWorks VPN/Security Management Solution (VMS). CSA MC provides a central means
of defining and distributing policies, providing software updates, and maintaining
communications to the Cisco Security Agents (CSAs) distributed across your network.

This lesson describes how to use the CSA MC to build, distribute, and manage CSAs.

Objectives
Upon completion of this lesson, you will be able to manage host-based intrusion prevention
policies across the network with the CSA MC. This ability includes being able to meet these
objectives:
Describe the function and supporting architecture of the CSA MC
Describe how CSA MC is configured across a network
Explain how to use the CSA MC interface to configure and administer the CSA database
Describe how to install the CSA on host devices
Explain how groups are created to ease host management and security policy deployment
Explain how to build an Agent kit for a newly created group
Explain how to manage hosts by modifying group membership
Introducing Cisco Security Agent Management Center
This topic describes the function and supporting architecture of the CSA MC.

Cisco Security Agent Management Center (slide 5-3)

• All CSA policies are configured and deployed through a web-based user interface.
• The CSA MC provides a reporting tool to view network enterprise health and status.
• The CSA MC provides management access from any browser, anyplace.
• A menu bar provides easy navigation through administrator task items.
• Drop-down menus display configurable items.
• Properties and status of configurable items are displayed.

The CSA MC provides all management functions for all Agents in a centralized manner, from
the CiscoWorks VMS platform. The CSA MC role-based, Web browser “manage from
anywhere” access makes it easy for administrators to create Agent software distribution
packages, create or modify security policies, monitor alerts, or generate reports. Since the CSA
MC ships with more than 20 fully configured default policies, administrators find it easy to
deploy thousands of Agents across the enterprise. The manager also allows customers to deploy
Agents in “IDS Mode” (promiscuous) where intrusive activity is alerted but not blocked.

CSA MC offers simple but powerful customization capabilities and includes a tuning wizard
that allows administrators to quickly fit default policies to their environment. Administrators
can easily modify rules or create entirely new rules to meet custom needs and requirements. To
aid audit compliance requirements, an “explain rules” feature prints out a description of what
specified rules or policies do.

Agents are deployed to servers and desktops directly from CSA MC, and are controlled and
updated from there. Each Agent operates autonomously if communication with the CSA MC
is not possible. For example, if a remote laptop user has not yet connected via the VPN, the
Agent continues to enforce the security policy. All security alerts are cached by the Agent and
uploaded to the manager when communications are restored.

CSA MC Architecture (slide 5-4)

Components in the diagram: a web browser connecting over SSL to the CSA MC web server,
behind which sit the GUI page generator, the report generator, the configuration manager, and
the database server; and a global event manager that receives alerts from each Cisco Security
Agent over SSL.

The CSA MC architectural model consists of a central management center that maintains a
database of policies and system nodes, all of which have CSA software installed on their
desktops and servers. When Agents register with the CSA MC, the CSA MC checks its
configuration database for a record of the system. When the system is found and authenticated,
the CSA MC deploys a configured policy for that particular system or grouping of systems. The
CSA software now continually monitors local system activity and polls the CSA MC for policy
updates at configurable intervals. The CSA software also sends triggered event alerts to the
CSA MC global event manager. The global event manager examines system event logs, and
based on that examination, may trigger an alert notification to the administrator or cause the
Agent to take a particular action.

Product Deployment (slide 5-5)

A network administrator with a web browser manages the CSA MC, which in turn manages the
Agents installed on hosts across the enterprise.

The CSA product contains the following two components:


The CSA MC: This component installs on a secured server and includes a web server, a
configuration database, and a web-based user interface.
The CSA (the Agent): This component installs on desktops and servers across your
enterprise and enforces security policies on those systems. Administrators configure
security policies on the CSA MC using the web-based interface. Administrators distribute
these policies to Agents installed on end user systems and servers. Policies can allow or
deny specific system actions. The Agents check policies before allowing applications
access to system resources.

CSA MC Configuration Roadmap
This topic describes how the CSA MC is configured across a network.

CSA MC Configuration Roadmap (slide 5-6)

1. Install CSA MC: Installation includes both CSA MC and CSA kit creation features.
2. Create groups: These groups remain empty until the Agents register. Use these group
classifications when creating Agent kits. Agents download kits for their specific group.
3. Build and distribute Agent kits: Build kits according to the groups you have configured.
Provide the URL to the host systems instructing them to download kits for their specific
group(s).
4. Agents register with CSA MC: Agent registration is automatic.
5. Configure policies: Create rules and use them to build policies. Configure common
variables to use when creating rules.
6. Attach policies to groups: Policies are configured by combining access control rules
and/or system correlation rules under a common name. That policy name is then attached to
a group of hosts, and the rules that comprise the policy control the actions that are allowed
and denied on those hosts.
7. Generate rules: Make a final check of all modifications and launch the generate tool.

A review of the configuration road map helps develop an understanding of the CSA MC
operation. The figure illustrates the CSA MC configuration roadmap.

There are several elements you must configure to create the policies that are distributed to the
Agents. First, you must configure host groups and create CSA kits. Once Agents are installed
on systems throughout your network, they register with CSA MC. Once this occurs they are
automatically placed into their assigned groups. When you generate rules, Agents receive the
policies intended for them.

The CSA MC Interface
This topic explains how to use the CSA MC interface to configure and administer the CSA
database.

CSA MC Interface (slide 5-7, screen capture of the web-based interface)

All Cisco Security Agent policies are configured and deployed through the CSA MC web-
based user interface. CSA MC also provides a reporting tool to generate reports with varying
views of network health and status. The HTML web-based user interface allows an
administrator to access CSA MC from any machine running a web browser and that is
connected to the Internet. The CSA MC provides a menu bar for easy navigation among the
administrator configuration task items. Configuration items are displayed in drop-down menus
that appear when you move the mouse over a category in the menu bar. When you click on an
item, the properties and status for that item are displayed.

CSA MC supports editing of the database by multiple administrators. Administrators must
identify themselves and authenticate to CiscoWorks before they can access any CSA MC
configuration data. The CSA MC also provides role-based administration, allowing some
administrators to edit configurations while others can only monitor status. All changes to the
database are logged. The logged information includes a summary description of the
modification, the time the changes were made, and the identity of the administrator who made
the changes. The CSA MC web-based user interface provides secure access to the database
from anywhere on the network.

Menu Bar (slide 5-8, screen capture of the CSA MC menu bar)

The menu bar at the top of the CSA MC window provides links to all configuration windows
and list views. Arrows indicate that there are subcategories that you can choose. The
subcategories appear when you move the mouse over the main item. The configuration options
available from each menu bar item are as follows:
• Monitor: This list provides tools for viewing system status and log files. You can also set alerts and alert parameters from here.
• Systems: This list lets you configure the groups where Agent host systems are placed when they register with the CSA MC.
• Configuration: This list allows you to access most of the windows you need to configure your policies for Agents. This list provides links to the rule windows you use to develop your policies, as well as links to application classes and variables. Variables such as file sets and network addresses are the building blocks for policies. Variables are accessible from the cascading menu that appears when you move your mouse over the Variables option in the Configuration drop-down list.
• Maintenance: This list lets you build Agent kits, import and export configuration files, distribute software updates, and back up your database configuration. When you move your mouse over the Export/Import and Software Updates options, you can choose further options from the cascading menus that appear.
• Reports: This list lets you generate reports by categories such as event severity level, by the group or groups that generated the event, or by individual host systems.
• Profiler: This list lets you configure analysis jobs for the purpose of analyzing applications and creating policies.
• Search: Use the options in this list to search for a specific configuration item in the CSA MC database. You can specify a search of Hosts, Groups, Policies, Rules, Variables, Application Classes, or All, by choosing one of those options from the Search drop-down list. Each option has its own search criteria.

CSA MC Button Frame—Creating, Saving, and Deleting Data

All CSA MC action items appear in a frame at the bottom of the CSA MC window. The buttons in this frame change in accordance with the actions available for the window that you are viewing. Available CSA MC buttons and links are as follows:
• Generate rules (pending changes): When you are ready to deploy your configuration (policies, rules, variables, and so on) to systems, you must click this link in the button frame to view and then generate all pending database changes.

In most list view windows in the CSA MC, there are New, Clone, and Delete buttons. (Clone is not present in all list view windows because you can clone only certain configurations.)
• New: Use the New button to create a new configuration item within the list view you have chosen. Click the New button, and a new item appears in the list view. Click the new item link to access the configuration window for that item.
• Clone: Use the Clone button in conjunction with the check boxes beside each list view item. To clone a particular configuration, click its check box and then click the Clone button. You can clone one item at a time. New links to the cloned configurations appear in the list view. When you clone an item, such as a policy that contains variable items like file sets or network services, the cloned rule uses the same variables used in the original rule. The variables themselves are not cloned.
• Delete: Use the Delete button in conjunction with the check boxes beside each list view item. To delete a configuration, click its check box (you can click several at once) and then click the Delete button. All checked items are deleted. To quickly choose all check boxes, click the top check box in the list view heading bar. Clicking the Delete button then deletes all items.
• Save: When you enter configuration information, whether you are entering new data or editing existing data, you must click the Save button to save your configuration in the CSA MC database after you have finished. If you do not click Save before moving to another window in the CSA MC, your data is lost. Although your information is stored in the database when you click Save, it is not distributed to the Agents across your network until you generate rules.
• Compare: Policies, Variables, and Application Classes provide a Compare button in their list views. When you click the check boxes next to two items (you cannot compare more than two configurations at a time) and click the Compare button, the CSA MC displays the configurations side by side and highlights the differences in red. After you have examined how the configurations compare, you can choose to merge them. The purpose of the Compare tool is to assist you after you have imported configurations or upgraded the CSA MC. These processes can cause you to have duplicate or very similar configuration items. Comparing and merging configurations can help you to consolidate duplicate items more easily.

Tip: Right-click in a CSA MC window to display a shortcut menu for the tasks provided by the buttons on that window and for additional configuration tasks that are not as easily accessible from your current window.

Installing CSA on Host Devices
This topic describes how to install the CSA on host devices.


The following are the basic steps required for configuring a host with CSA MC:

Step 1 Log in to CiscoWorks: Configuring the CSA MC requires a CiscoWorks administrator login.
Step 2 Verify SSL on CiscoWorks: CiscoWorks is required to have SSL enabled for communication with the CSA MC. SSL is enabled automatically during the installation of the CSA MC. You should never disable SSL in CiscoWorks after installing the CSA MC.
Step 3 Choose a default group: Groups reduce the administrative burden of managing a large number of Agents. Grouping hosts together lets you apply the same policy to a number of hosts with similar security requirements.
Step 4 Send the Agent kit URL for the group: The user or administrator of the host can use the Agent kit URL to register with the CSA MC and install the CSA software.
Step 5 Install CSA on the host: The local administrator enters the Agent kit URL and follows the prompts.

CSA default Agent kits, groups, policies, and configuration variables are designed to provide a
high level of security coverage for desktops and servers. These default Agent kits, groups,
policies, and configuration variables cannot anticipate all possible local security policy
requirements specified by the management of an organization, nor can they anticipate all local
combinations of application usage patterns. It is recommended that you deploy CSA using the
default configurations and then monitor and tune it for your environment.

Logging in to CiscoWorks

When the installation is complete and the system has rebooted, the CSA MC interface is available on the local system that is hosting it. You can open the CiscoWorks software GUI by choosing Start>Programs>CiscoWorks>CiscoWorks. The next step is to log in to CiscoWorks.

Administrators can have different levels of CSA MC database access privileges. The initial
administrator created by the CiscoWorks installation automatically has configuration
privileges.

CSA MC administrator roles are as follows:
• Configure: This role provides full read and write access to the CSA MC database.
• Deploy: This role provides full read and partial write access to the CSA MC database. Administrators can manage hosts and groups, attach policies, create kits, schedule software updates, and perform all monitoring actions.
• Monitor: This role provides administrators with read access to the entire CSA MC database. Administrators can also create reports, alerts, and event sets.

Initiating Secure Communications

The CSA MC uses SSL to secure all communications locally and remotely to the CSA MC user
interface. All configuration data travels over secure channels regardless of the location of the
CSA MC host system.

During installation, the CSA MC generates private and public keys that are used for secure
communications between any system accessing the CSA MC user interface and the CSA MC
itself. To access the CSA MC user interface from CiscoWorks, you must have SSL enabled in
CiscoWorks for the connection to be allowed.

Caution SSL is enabled during the installation of the CSA MC. Do not disable SSL under
CiscoWorks, or the CiscoWorks management console can become inaccessible.

Note When your browser connects to the server, it receives the server certificate. You are then
prompted to accept this certificate. It is recommended that you import the certificate into
your local certificate database so that you are not prompted to accept the certificate each
time that you log in.

Accessing the CSA MC Interface

To access the CSA MC interface on the system running CiscoWorks, choose the VPN/Security
Management Solution>Management Center>Security Agents option as shown in the figure.

To access the CSA MC from a remote system, launch a browser on the remote host and enter
the following URL: https://(ciscoworks system hostname):1741. In the figure, the host name is
“stormcenter.” Then, log into CiscoWorks and choose the VPN/Security Management
Solution>Management Center>Security Agents option.

Selecting a Default Group

Host groups reduce the administrative burden of managing a large number of Agents. Grouping
hosts together lets you apply the same policy to hosts with similar security requirements. A
group is the only element required to build Agent kits. When hosts register with the CSA MC,
they are automatically put into their assigned group or groups. Once hosts are registered, you
can edit their grouping at any time.

In the Quick Start configuration example used in this lesson, you will use the Web Servers for Windows group. The Web Servers group requires no additional configuration, but you can examine the preconfigured policies of this Windows default group by choosing Systems>Groups and clicking the Web Servers link as shown in the figure.

Selecting a Default Group (Cont.)

The Systems>Groups>Web Servers window displays deployment configuration options and the
policies attached to this group.

Note CSA MC ships with preconfigured Agent kits you can use if they meet your initial needs
(accessible by choosing Maintenance>Agent Kits in the menu bar). CSA MC includes
prebuilt kits for desktops, servers, intrusion detection system (IDS) servers, and CSA MCs.
These kits place hosts in the corresponding groups and enforce the associated policies of
each group.

Caution It is recommended that you allow the installation program to install the preconfigured CSA
MC Agent kit on the CSA MC system. The installation program provides the appropriate
security policies for protecting the CSA MC.

Sending Agent Kit URL to Host

You can obtain the Agent kit URL for the Web Servers group by choosing Maintenance>Agent
Kits and then clicking the Web_Server_V4.0.0.119 name in the lower (for Windows) box.

Sending Agent Kit URL to Host (Cont.)

You can distribute this URL via e-mail to the host systems for which the kit is designated. Host systems access the URL to download and then install the kit. This is the recommended method of Agent kit distribution. However, you may also point users to a URL for the CiscoWorks system. The CiscoWorks URL (http://<ciscoworks system name>/csamc/kits) allows them to see all the kits that are available.

If you are pointing users to the agent kit URL and you have multiple Agent kits listed there, be
sure to tell users which kits to download.

Note If you type the URL rather than cutting and pasting it, remember that the spaces that appear
between the characters in the URL are actually underscore characters.

Installing CSA on a Host

You must have local administrator privileges to install CSA on a host. To begin installation,
enter the Agent kit URL in your browser or click Start>Run and enter the URL on the run line.
A succession of alert messages may open. Click the Yes and Open buttons to proceed with the
installation.

Once you successfully download and install Agents, the system informs you that it will reboot
in 2 minutes. When the system restarts, the Agent service starts immediately, and the flag icon
appears in the system tray. At this time, the Agent automatically and transparently registers
with the CSA MC. The Agent is now ready to receive rules and begin protecting the host.

Agent User Interface

To open the Agent user interface, end users can double-click the flag icon in their system trays.
The user interface opens on the desktop. Most fields are read-only status displays.

You can view successfully registered hosts by choosing Systems>Hosts from the menu bar on
the CSA MC.

Creating Groups
This topic explains how to create groups to ease host management and security policy
deployment.

Building Groups and Agent Kits

[Figure: Building Groups and Agent Kits, showing Variables, Application Classes, Actions, Rules, Policies, Groups, the Network Shim, Agent Kits, and Hosts]

The figure illustrates the components that work together to create Agent kits. The components are described as follows:
• Variables, Application Classes, and Actions: These elements are combined to create rules.
• Rules: Rules contain variables, application classes, and actions and are combined to form policies.
• Policies: Policies contain rules and are applied to a group or multiple groups.
• Groups: Groups contain associations with policies and can accept hosts as members.
• Agent Kits: Agent kits contain groups and (optionally) the network shim. Agent kits are deployed to hosts to install the CSA software and all of the policies and rules that have been built into them.

Configuring Groups

[Figure: Desktops Group, Web Servers Group, and Mail Servers Group, each with its own group policies]

System hosts across your network, including mobile systems in the field, must download CSA
software and register with CSA MC to receive the security policies configured for them. Place
hosts into common groups to streamline the process of assigning policies to several hosts at
once. Using groups can reduce the administrative burden of managing a large number of
Agents.

In order to place hosts into groups, you must first analyze the security needs of each host
system and map out a security plan. Hosts with similar requirements can then be grouped
together.

CSA MC ships with several preconfigured groups you can use. If the included groups do not
suit your needs, use the instructions in this lesson to configure new groups or to edit existing
ones.

Advantages to Forming Hosts into Groups

Grouping individual host systems together provides the following advantages:
• Administrators can apply the same set of policies consistently across multiple host systems. Rather than configuring a security policy on each host, a common policy can be deployed to any number of hosts grouped by administrator-selected criteria.
• Grouping eases deployment of alerts by applying alerts to many hosts at once. The use of groups sharpens the filtering granularity of event sets, which improves the analysis of network events.
• Administrators can use test mode to try policies on many hosts before they enforce those policies in production.

Grouping Criteria

Hosts can be grouped together based on many different criteria. Some possible criteria are as follows:
• System function: For example, you can create a security policy that corresponds specifically to the needs of your Web servers, and distribute it to that group.
• Business group: You can distribute policies based on the needs of each business group, such as finance, operations, or marketing.
• Geographical or topological location: For reporting purposes, you can group hosts based on their subnet, office, or data center location.
• Importance to your enterprise: You can place mission-critical systems into a common group that can receive critical alert–level configurations.

Note Hosts may belong to multiple groups and automatically receive policies that are attached to
every group to which they belong. You can add hosts to a group or remove them at any
time. However, the policy configuration of a host that is moved to another group will not take
effect until you generate your rule programs and distribute them.

Groups Window

When hosts across your network download and install Agent kits, they automatically and
transparently register with the CSA MC. Hosts inherit membership to the groups that were
associated with the Agent kit that they installed.

The first step to configure a group is to choose Systems>Groups from the main menu bar. A list
of existing groups is displayed in the left column of the window. Clicking the New button
allows you to create a new group entry. (This group is empty until hosts install Agents and
register.)

Note If you have “All” designated as the operating system type for your administrator session, you
are prompted to choose whether this is a Windows or a UNIX group. You cannot combine
UNIX and Windows hosts in the same group.

Groups Configuration Window

The following steps are required to configure a new group:

Step 1 Provide a unique name for this group of hosts. Names are case insensitive, must start
with an alphabetic character, can be up to 64 characters long, and can include
alphanumeric characters, spaces, hyphens, and underscores. A naming convention
that lets you quickly recognize groups in the CSA MC group list view makes
management easier.

Step 2 The description line helps to identify this particular group. You can click the
+Detailed link if you wish to enter a longer description.

Step 3 (Optional) Check the Test Mode check box for this group if you want to test the
effect of this policy.

Caution In test mode, the CSA will not deny any action even if an associated policy says it should be
denied. Instead, the Agent will allow the action but log an event (if logging is chosen for the
rule). This feature helps you to understand the impact of deploying a policy on a host before
it is enforced.

Groups Configuration Window (Cont.)

Step 4 (Optional) Check the Verbose logging mode check box if you want to change the
event log timer to log all recurring events rather than suppressing duplicates.

Step 5 (Optional) Check the No user interaction check box (available on Windows groups
only) if you do not want end users to interact with CSA MC using a local Agent
interface (clearing the cache, polling, and self-protection and rule queries). Clicking
this box ensures that no Agent user interface or query popup windows appear on
end-user systems.

Note To restrict end users from fully interacting with the Agent, you could combine the No user
interaction check box with using the Agent service control rule and the quiet software update
capability.

Step 6 (Optional) You can change the default polling interval from 600 seconds (10
minutes) to any value between 10 seconds and 86,400 seconds. This setting controls
how often Agents in this group poll the CSA MC for policy updates. Shortening the
polling time can be useful when you are trying out new policies.

Note If you change the polling interval for a group, that new interval time will not take effect until
the host polls in again for new rules. Therefore, it may take as long as the previous polling
interval setting before hosts begin polling using the new setting.

Step 7 When you have entered all required information, click the Save button to save your
group in the CSA MC database. After you have attached policies to specific groups,
the configuration window for the group displays a table listing all the rules, in order
of precedence, that are applied to that group. From this table, you can navigate to
those rules and policies.

The No User Interaction Check Box

Clicking the No user interaction check box for a group has the following effects:
• Software updates:
  — Not automatic: Popup window prompts still appear to prompt the user to install updates. The user must click the OK button in the popup window to begin the update. However, the popup window will remain on the screen until the user performs the update.
  — Automatic: Update behavior is unchanged.
• When no Agent interface is present, no query user popup windows are displayed. The default value is taken immediately on all query user rules and heuristics in the assigned policies. The default value of allow or deny is taken on all query user access control rules and the default value of terminate or no is taken on all heuristics (Trojan detection, network worm, and so on) unless specific application-class exceptions are made for heuristic rules.
• No popup windows provide messages to inform users that actions have been denied and why.
• The user does not have the ability to clear the cache or re-enable logging.
• The user cannot initiate fast polling.
• No end-user contact information can be sent to CSA MC.

Building an Agent Kit
This topic explains how to build an Agent kit for a newly created group.


The CSA MC allows the creation of custom CSA installation kits that greatly reduce the
administrative burden of deploying CSA software to new systems. At the time you create the
Agent kit, it can be associated with one or more groups. The particular Agent kit that a host
installs determines its initial group placement. You can create as many Agent kits as necessary
to distribute your policies to targeted hosts.

After a kit is installed on a host, the Agent running on that host registers itself with the CSA
MC. The CSA MC then automatically places the host in the groups that were associated with
the installed kit.

Note The CSA MC ships with preconfigured Agent kits that you can use if they meet your initial
needs. There are prebuilt kits for desktops, servers, and many more. These kits place hosts
in the corresponding groups and enforce the associated policies of each group. (If you use a
preconfigured Agent kit, you do not have to build your own kit.)

The following steps are required to create Agent kits:

Step 1 Choose Maintenance>Agent Kits from the main menu bar. The Agent kits that
were preconfigured or that have been added are displayed.
Step 2 Click the New button to create a new Agent kit.

Building an Agent Kit (Cont.)

In the Agent kit configuration window, enter a name for this kit in the Name field. You must use a unique name without spaces. A well-designed naming convention will make it easier to recognize Agent kits.

Enter a description in the Description field. The description is an optional line of text that is displayed in the Agent kit list view and helps you to identify this particular kit.

Choose the group or groups that will download and install this kit from the Select the groups with which this kit should be associated pane. To choose multiple items in a list, press the Ctrl key as you choose each item. To deselect a single item, press the Ctrl key when you click that item. Press the Shift key when you click an item to choose multiple successive items.

Building an Agent Kit (Cont.)

Step 3 Choose whether or not to have Agents install quietly on end-user systems (Windows only). With the Quiet Install check box checked, users must still download the self-extracting executable, but no prompts appear and the user is not required to enter any information or choose any options. Leaving the Quiet Install check box cleared also requires users to download the self-extracting executable, but users are then prompted for installation options, such as enabling the network shim, and for the reboot.
Step 4 For Windows Agent kits, if you choose Quiet Install, you can also choose whether or not the network shim is installed during the installation.

Caution In some circumstances, you may not want users to enable the network shim on their
systems as part of the Agent installation. For example, if users have virtual private network
(VPN) software or a personal firewall installed on their systems, the network shim port scan
detection, SYN flood protection, and malformed packet detection capabilities may not be
needed. To allow users to enable the network shim installation, create kits without checking
the Quiet Install check box. Not enabling the network shim does not mean that network
access control rules will not work. It only means that the system hardening features are not
enabled.

Step 5 If you choose Quiet Install, you can also choose whether the system is automatically
rebooted once the installation is complete. (Even if an end user is present when the
installation is finished, this reboot cannot be stopped.)

Note In some cases, you may not want a system to reboot after the installation has been
completed. If a reboot does not occur after the Agent installation, partial security is enforced
immediately. Full security is enforced after the first reboot.

Step 6 Click the Make kit button.

After you click the Make kit button, CSA MC produces a bundled kit for distribution. Choose
Maintenance>Agent Kit to see the URL for the kit. The URL may be distributed to users via
e-mail. This method is the recommended deployment procedure. Alternatively, you may point
users to a URL on the CSA MC where all Agent kits are available. The URL to access all
Agent kits on the CSA MC is https://<ciscoworks system name>/csamc/kits.

Note You must regenerate your rule program after Agent kits are created.

Silent Install and Uninstall of Agent Kits

You can use scripts to silently install and uninstall Windows Agents on end-user systems as follows:
• Scripted install: The Agent kit is a self-extracting executable placed in the following directory on the server: %Program Files%\CSCOpx\CSA MC\bin\webserver\htdocs\deploy_kits. (Retrieve the kit from this directory or download it from the server.) You can then use a script to copy and silently install the Agent kit on systems. Note that you must check the Quiet Install check box when you build the kit if you are planning to install it via a script.
• Scripted uninstall: The Agent installation places a .bat file in the system32 directory. Administrators may use a script to remotely and silently uninstall the Agent by invoking the CSA_uninstall.bat file in the system32 directory. You must also pass a parameter to the file for the Agent to uninstall silently regardless of whether the original Agent kit was a quiet install. Enter the following: CSA_uninstall.bat 3.

Note Before silently uninstalling the Agent via a script and stopping the Agent service, you must
disable any Agent service control rules that deny or query administrators.

Notify End Users

Step 7 When an Agent kit is ready for distribution, you can notify end users to download
and install the kit from the URL produced by the CSA MC when the kit was made.
When the kit installation is complete, the Agent of each individual host
automatically and transparently registers with the CSA MC. Each kit is created for
particular groups based on the policies that will be attached to those groups.

Registration Control is accessible from the Maintenance drop-down list of the main menu bar.
Entering a range of addresses to be allowed to register with the CSA MC blocks Agent hosts
with other addresses from registering successfully. The default setting is for all addresses to be
allowed to register. This feature can be used to prevent unauthorized hosts from downloading
Agent kits and receiving rules.

Managing Hosts
This topic explains how to manage hosts by modifying group membership.

Viewing Hosts

You can see which hosts have successfully registered with the CSA MC by choosing Systems>Hosts. Use the drop-down menu on the right side of the window to view an abbreviated host status in the following categories:
• Active: A host is active if it polls into the management server at regular intervals. A host that has missed three polling intervals or that has not polled into the server for at least one hour is considered an inactive host.
• Protected: A system is not protected if it does not belong to a group or if it belongs to a group that has no policies attached.
• Latest Software: If an Agent is not running the latest software, you will want to deploy a software update.
• Test Mode: When you choose this viewing option, a “yes” in that column indicates running in test mode and a “no” indicates not running in test mode.
• Last Poll: When you choose this viewing option, the time and date of the most recent poll for the host is displayed. By default, Agents poll the management server every 10 minutes for updated policies.

Host Detail

Available Information

Database information from host:
• Name and description
• Contact information
• Events in last 24 hrs
• Verbose logging mode

Click the hostname link for detailed host information. In the host detail window, the following
additional options and information are available:
Clicking the Modify group membership link in the host detail window adds this host to a
group or removes it from a group.
The CSA MC provides an explanation, in paragraph form, of the policies attached to each
host. Clicking the Explain rules link allows you to view this explanation.
After hosts are registered, they automatically receive policies from the CSA MC.

When host Agents register with the CSA MC, the database receives the following information
on each host:
Name and Description: These fields are populated with information received from the
Agent system when it registers. The name shown is the name that identifies this host
system on the network.
Contact information: Click this link to view the contact information provided to the
Agent by the user. (The available fields for the user are first name, last name, e-mail,
telephone, and location.)
Events issued in the past 24 hours: This is the number of events (rule triggers) that have
occurred on the host system in the given time frame.
Verbose logging mode: This field can read as either Off or On, which indicates whether
this feature is enabled for this host. This feature is configurable through the Groups
window.

Host Detail (Cont.)

• Polling interval
• Registration time
• Time since last poll
• Last known IP address
• Host ID
• UID
• Configuration version
• Operating system
• Product information
• Software
• Test mode
Polling interval (seconds): The value shown in this field indicates the time interval at
which this system polls into the CSA MC. This feature is configurable through the Groups
window.
Registration time: This is the time that the Agent registered with the CSA MC.
Time since last poll: This is the interval that has elapsed since the host system's last polling
request.
Last known IP address: This is the IP address of the host. If Dynamic Host Configuration
Protocol (DHCP) addressing is used, this is the last known address of the host. (Up to five
IP addresses can be listed.)
Host ID: The CSA MC assigns each registering host a unique ID number by which the
database identifies it.
UID: This is the ID that the Agent obtained from the Agent kit it was installed from. Different
kits carry different IDs, so all hosts that install a particular kit present the same registration ID
when they first register. After a host has registered, however, the CSA MC assigns that host its
own globally unique ID.
Configuration version: This field reads Up-to-date or Not up-to-date, which indicates
whether the Agent has the latest policy configuration from the CSA MC.

Note By default, Agents poll into the CSA MC every 10 minutes for updated policies.

Operating System: This is the operating system installed on this particular machine.
Product Information: This is the Agent version for this particular machine.
Software: This is the version of Agent software the system is running. If there is a software
update available for this host, this field provides that information. If an update for a host is
scheduled but not installed yet, this field provides that information as well.
Test Mode: If this host is part of a group operating in test mode, that information is
displayed in this field.
Allow Agent user interaction: This indicates whether the end user has an Agent interface.
Profiler enabled: This item appears if the CSA Profiler is enabled on the end-user system.
Last Profiler data upload: If the Profiler is enabled on the end-user system, this field
indicates the time of the most recent upload of analysis logging data.

You can enter contact information, such as username, location, e-mail address, and telephone
number, for each host system. If an Agent is generating alerts, having this contact information
readily available can expedite troubleshooting. The host view also displays a table listing all the
rules and policies that are applied to that host. This table provides links allowing you to view
those rules and policies.

Adding Hosts to a Group

When a host registers with the CSA MC, it is automatically placed into the group or groups you
designate for it. There is no need to add a host to a group initially. You only need to add hosts
to groups when you are changing the group designation of the hosts after they have registered.

Hosts may belong to multiple groups and will receive the policies that are attached to every
group to which they belong.

Caution You can add hosts to a group or remove them at any time. If you do change host group
assignments, the policy configuration of a host that has been moved to another group will
not take effect until you generate your rule programs and distribute them.

There are several ways to add a host to a group:

To add a host to multiple groups, choose Hosts>Modify group membership.
To add multiple hosts to a single group, choose Groups>Modify host membership.
To move or copy all hosts in one group to another group, use the bulk transfer feature
accessible from the Groups>Modify host membership window.

Complete the following steps to add one or more hosts to a single group:

Step 1 Choose Systems>Groups to add hosts to a particular group by accessing the edit
view of that group.
Step 2 Click the link for the group to which you want to add hosts. This action brings you
to the edit view of that group.
Step 3 Click the Modify host membership link to display a window containing a list of
host systems that are in this group (if any). Hosts in the group are listed in the
Attached hosts pane to the right. Hosts listed in the Unattached hosts pane to the left
are not in the group.
Step 4 To add a host to this group, choose the host in the left pane and click the Add button
to move it to the right pane. It is now a part of the group.
To choose multiple items in a list, press the Ctrl key as you choose each item.
To deselect a single item, press the Ctrl key while you click that item. Click the
Select all link to choose all items in the Unattached hosts pane. Click the Add
button to add all selected items.
To remove a host from a group, choose the host that you wish to remove in the
Attached hosts pane to the right. Click the Remove button. The host will be
moved to the Unattached host pane to the left.
Step 5 Use the bulk transfer feature to easily move or copy all hosts from the group you
choose from the available drop-down menu into the group that you are currently
viewing. When you click the OK button beside the group selection field, all hosts in
the selected group are moved or copied.
Step 6 When you click the Generate rules link, policies associated with this group will no
longer be applied to the removed hosts. The removed hosts are not deleted from the
database; they are just no longer part of the group.

Caution When you configure new groups and policies or make changes to existing configurations,
they are saved in the database when you click the Save button, but they are not distributed
to the Agents across your network. When your configuration changes are complete, you
must click the Generate rules link to first view all new and edited configurations and then
distribute them to the Agents.

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• CSA MC provides role-based administration of host-based security
policies across the network.
• Knowing how CSA MC is installed and deployed across the network
helps develop an understanding of how it works.
• The CSA MC interface provides web-based tools for configuring,
deploying and managing policies across a network.
• CSA default groups can be deployed quickly with information available
under Agent kits.
• Organizing hosts into groups makes administration of security
policies for the hosts easier.
• Creating custom CSA installation kits reduces administrative burdens.
• CSA MC provides all the necessary tools to effectively and efficiently
manage hosts.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Put the following five steps required to install CSA on host devices in the correct order
by numbering them from 1 to 5 in the space provided. (Source: Installing CSA on Host
Devices)
A) Verify SSL on CiscoWorks. _____
B) Log in to CiscoWorks. _____
C) Select a default group. _____
D) Install CSA on the host. _____
E) Send Agent kit URL to host. _____
Q2) Which of the following CSA MC administrator roles provides full read and partial
write access to the CSA MC database? (Source: Installing CSA on Host Devices)
A) configure
B) deploy
C) monitor
Q3) Why is it recommended that you allow the installation program to install the
preconfigured CSA MC kit on the MC system? (Source: Installing CSA on Host
Devices)

Q4) Which three of the following components combine to form the rules in an Agent kit?
(Choose three.) (Source: Creating Groups)
A) variables
B) policies
C) application classes
D) groups
E) actions
F) Agent kits
Q5) What are three advantages of grouping host systems together? (Source: Creating
Groups)

______________________________________________________________________

______________________________________________________________________

Q6) List eight information items that are included in the database when a host Agent
registers with the CSA MC. (Source: Managing Hosts)

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

Lesson Self-Check Answer Key
Q1) A-2, B-1, C-3, D-5, E-4

Q2) B

Q3) It provides the appropriate security policies for protecting the CSA MC.

Q4) A, C, E

Q5) Grouping allows administrators to apply the same set of policies consistently across multiple host systems.
Rather than configuring a security policy on each host, a common policy can be deployed to any number of
hosts grouped by administrator-selected criteria.
Grouping eases deployment of alerts by applying alerts to many hosts at once. The use of groups sharpens
the filtering granularity of event sets, thus improving analysis of network events.
Administrators can use test mode to try policies on many hosts before enforcing those policies in
production.

Q6) Any eight of the following fields:

– Name and Description
– Contact information
– Events in last 24 hrs
– Verbose logging mode
– Polling interval
– Registration time
– Time since last poll
– Last known IP address
– Host ID
– UID
– Configuration version
– Operating system
– Product information
– Software
– Test mode

Module Summary
This topic summarizes the key points discussed in this module.

Module Summary

• Cisco Intrusion Prevention Systems include host-based and network-based IPS.
Signatures and alarms are a first line of defense in
preventing many attacks. The Cisco IDS/IPS portfolio includes the
Cisco 4200 IDS/IPS Series sensors, switch and router sensors, and
firewall sensors.
• The CLI can be used to configure sensor hardware and software.
Configuration tasks include initializing the sensor appliance, and
configuring, administering, troubleshooting and upgrading software.
The IDM can be used for basic sensor configuration tasks such as
network settings, allowed hosts, time setting, new users, configuring
interfaces and restoring default settings.
• The CSA is an effective tool for mitigating attacks at the probe,
penetrate, persist and propagate phases of an attack. Developing a
CSA policy is critical for effective implementation of the CSA.
• The CSA MC provides for host-based intrusion prevention
implementation and management.


Host- and network-based IPS protects data and information infrastructure. This module
provided an introduction to Cisco IPS products and technologies and to the tools used to
configure and manage IDS/IPS in your network. Cisco IDS/IPS products and technologies
work together to provide a comprehensive security package.

Module 5

Building IPSec VPNs

Overview
Virtual Private Networks (VPNs) are a cost-effective way to provide connectivity over the
public network to remote locations, while reducing network operation costs. Site-to-site VPNs
bring office operations together securely and cost-effectively, and enable businesses to avoid
the expenses associated with leased lines. Remote access VPNs are a cost-effective replacement
for traditional remote access servers, and provide faster, more convenient network access to
employees who work from home or on the road.

The Cisco products and technologies presented in this module are specifically positioned to
provide reliable and secure connectivity to meet a wide range of business requirements. You
will find them relatively easy to deploy, configure, operate and maintain.

Module Objectives
Upon completing this module, you will be able to build an IPSec VPN network using Cisco
products and technologies. This ability includes being able to meet these objectives:
Explain how IPSec technologies are used to build secure VPNs
Describe how Cisco VPN concentrators, VPN-enabled routers, security appliances and
VPN clients can be used to provide secure IPSec VPNs
Configure a Cisco VPN 3000 Series concentrator for remote access using the Quick
Configuration feature
Configure user and group parameters on a Cisco concentrator for remote access
Configure the Cisco VPN Software Client for Microsoft Windows
Lesson 1

Introducing IPSec VPNs

Overview
A Virtual Private Network (VPN) uses public telecommunications networks to conduct private
data communications. VPNs use a variety of specialized protocols to support private
communications over a completely open and insecure public Internet. VPN architecture uses a
client and server approach. VPN clients authenticate users, encrypt data, and otherwise manage
sessions with VPN servers using a technique called tunneling.

IP Security Protocol (IPSec) is a collection of protocols developed by the Internet Engineering
Task Force (IETF) to support a secure exchange of packets at the IP layer. IPSec details the use
of various methods to achieve confidentiality, authentication and integrity for data
transmissions over IP networks. Knowing the terminology used in IPSec implementations is an
important part of planning and deploying an IPSec VPN.

This lesson introduces IPSec VPN technology and explains the components that make up the
IPSec protocol suite.

Objectives
Upon completing this lesson, you will be able to explain how IPSec technology is used to build
secure VPNs. This ability includes being able to meet these objectives:
Describe the building blocks of IPSec and the security functions that it provides
Describe how Cisco VPN routers use IPSec open encryption standards to provide
confidentiality
Describe how IPSec establishes data integrity using HMAC
Describe how IPSec establishes origin authentication using digital signatures, peer
authentication, pre-shared keys, RSA signatures and RSA-encrypted nonces
Describe the anti-replay function of IPSec
Explain how encryption, integrity and authentication are applied to the IPSec protocol suite
Explain the five steps of IPSec operation
IPSec Overview
This topic describes the building blocks of IPSec and the security functions that it provides.

What Is IPSec?

Figure: IPSec peers at a main site (IPSec perimeter router, concentrator, PIX Security
Appliance), a business partner with a Cisco router, a regional office with a PIX Security
Appliance, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN
Client on a laptop, all reaching the corporate network across the Internet through a POP.

IPSec acts at the network layer protecting and authenticating IP packets.

• Based on a framework of open standards - algorithm independent
• Provides data confidentiality, data integrity, and origin authentication
• Spells out the rules for secure communications
• Relies on existing algorithms to implement the encryption, authentication, and key exchange

IPSec operates at the network layer to protect and authenticate IP packets between participating
IPSec devices (peers), such as PIX Security Appliances, Cisco routers, Cisco VPN 3000 Series
concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to
any specific encryption or authentication algorithms, keying technology, or security algorithms.
IPSec is a framework of open standards. By not binding IPSec to specific algorithms, IPSec
allows for newer and better algorithms to be implemented without patching the existing IPSec
standards. IPSec provides data confidentiality, data integrity, and origin authentication between
participating peers at the IP layer.

IPSec supports two modes: transport and tunnel. Transport mode protects only the payload of
each packet (the transport-layer header and data) and leaves the original IP header in place, so
it is used between the two end hosts themselves. Tunnel mode protects the entire original IP
packet, header included, and prepends a new outer IP header addressed to the IPSec gateways.
Because the original source and destination addresses are hidden inside the protected payload,
tunnel mode is the usual choice for site-to-site and remote-access VPNs. On the receiving side,
the IPSec peer verifies and decrypts each packet before forwarding it.

IPSec Building Blocks

Component: Authentication Header (AH)
Role:
• IP header that provides a cryptographic checksum on the packet
• Used to achieve data authentication and integrity
• Separate from the ESP header

Component: Encapsulating Security Payload (ESP)
Role:
• Header applied after the packet has been encrypted
• Provides data confidentiality in transit
• Provides for data authentication and integrity

Component: Security Association (SA)
Role:
• Specifies cryptographic parameters needed before any two devices can communicate using IPSec

IPSec consists of the following components:

Authentication Header (AH): This is a header inserted after the IP header that carries an
integrity check value (ICV), a keyed hash computed over the IP header (except for fields that
legitimately change in transit, such as the TTL and header checksum), the AH header itself, and
the payload. It is used to achieve data authentication and integrity, to ensure that the packet
was sent by the claimed source and has not been modified in transit. AH encrypts nothing, and
because its ICV covers the IP addresses, a packet that passes through NAT fails AH
verification. This header is separate from the ESP header described below.
Encapsulating Security Payload (ESP): This is a header that precedes the encrypted payload
(an ESP trailer and, optionally, an ICV follow it). It provides data confidentiality so that the
original payload cannot be read in transit. ESP can also provide data authentication and
integrity over the ESP header and the encrypted payload, though not over the outer IP header,
which makes AH unnecessary in most deployments.
Security Association (SA): These are the building blocks of IPSec communication. Before
any two devices can communicate via IPSec, they must first establish a set of Security
Associations. Each SA is one-way, so a bidirectional connection needs a pair, and each is
identified by the Security Parameter Index (SPI) carried in the AH or ESP header. The SA
specifies the cryptographic parameters (protocol, algorithms, keys, lifetimes) that must be
agreed upon before data can be transferred securely.
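To make concrete which bytes AH actually protects, here is an added example in Python (not code from the guide or from any Cisco product). It builds a transport-mode AH packet over IPv4 with HMAC-SHA1-96, then shows that a router hop (TTL decrement plus checksum fix) leaves the ICV valid, while a NAT address rewrite, a payload change, or the wrong key does not. The key, addresses, SPI, and payload are constructed sample values; IP options are not handled.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51          # IP protocol number for the Authentication Header
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12           # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits


def ip_checksum(hdr):
    """Standard IPv4 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                                ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)


def _icv_input(ip_hdr, ah_fixed, payload):
    """What the AH ICV covers: IP header with mutable fields zeroed, AH with its ICV zeroed, payload."""
    z = bytearray(ip_hdr)
    z[1] = 0                # TOS / DSCP / ECN may be rewritten on the path
    z[6:8] = b"\x00\x00"    # flags and fragment offset
    z[8] = 0                # TTL: every router decrements it
    z[10:12] = b"\x00\x00"  # header checksum: changes whenever TTL does
    # Addresses, protocol, total length and identification stay in: they are immutable under AH.
    return bytes(z) + ah_fixed + b"\x00" * ICV_LEN + payload


def compute_icv(key, ip_hdr, ah_fixed, payload):
    return hmac.new(key, _icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, spi, seq, payload, next_header=17):
    """Transport-mode AH over IPv4: IP(proto 51) | AH | original payload (next_header 17 = UDP)."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # RFC 4302: AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """Recompute the ICV over the received packet and compare it in constant time."""
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or packet[0] != 0x45 or packet[9] != AH_PROTO:
        return False
    ip_hdr, ah_fixed = packet[:20], packet[20:20 + AH_FIXED_LEN]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def _rewrite_header(packet, edit):
    hdr = bytearray(packet[:20])
    edit(hdr)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def forward_one_hop(packet):
    """What a router does: decrement TTL and fix the checksum (mutable fields only)."""
    def dec_ttl(hdr):
        hdr[8] -= 1
    return _rewrite_header(packet, dec_ttl)


def nat_rewrite_src(packet, new_src):
    """What a NAT does: rewrite the source address (immutable under AH) and fix the checksum."""
    def set_src(hdr):
        hdr[12:16] = socket.inet_aton(new_src)
    return _rewrite_header(packet, set_src)


def demo():
    key = b"constructed-demo-key-not-for-production"          # constructed sample key
    pkt = ah_protect(key, "10.1.1.10", "10.2.2.20", spi=0x1000, seq=1,
                     payload=b"Pay to Terry Smith $100.00")   # constructed sample payload
    flipped = pkt[:-1] + bytes([pkt[-1] ^ 0x01])              # one payload bit changed in transit
    return {
        "original": ah_verify(key, pkt),
        "after_router_hop": ah_verify(key, forward_one_hop(pkt)),          # mutable fields: still valid
        "after_nat": ah_verify(key, nat_rewrite_src(pkt, "203.0.113.5")),  # address is covered: fails
        "payload_modified": ah_verify(key, flipped),
        "wrong_key": ah_verify(b"some-other-key", pkt),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} ICV verifies: {ok}")
```

The NAT case is the practical reason AH is rarely deployed: the address rewrite is indistinguishable from tampering. ESP's ICV covers only the ESP header and payload, which is why ESP survives NAT (with UDP encapsulation) while AH cannot.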

IPSec Implementation Framework

Figure: the four IPSec framework choices, one per row. IPSec protocol: ESP, ESP+AH, or AH.
Encryption: DES, 3DES, or AES. Authentication: MD5 or SHA. Diffie-Hellman group: DH1,
DH2, or DH5.

The figure shows four IPSec framework squares to be filled. IPSec provides the framework,
and the administrator chooses the algorithms that are used to implement the security services
within that framework. The four sections of the IPSec framework are as follows:
When configuring the security services that are provided by an IPSec gateway, you first
must choose an IPSec protocol. The choices are as follows:
— Authentication Header (AH).
— Encapsulating Security Payload (ESP).
— ESP with AH. Although AH is an important component of the IPSec protocol suite,
few deployments of IPSec have this protocol turned on. In general, much of the AH
functionality is embedded in ESP, and AH cannot traverse NAT because its integrity
check covers the IP addresses that NAT rewrites.
The second square is an encryption algorithm. Choose one of the following encryption
algorithms that is appropriate for the level of security desired:
— Data Encryption Standard (DES): An algorithm that is used to encrypt and decrypt
packet data with a 56-bit key.
— Triple Data Encryption Standard (3DES): An algorithm that runs DES three times
on each block with three independent 56-bit keys, for a nominal key length of
56*3=168 bits. Because of the meet-in-the-middle attack its effective strength is about
112 bits, roughly double that of 56-bit DES.
— Advanced Encryption Standard (AES): A newer cipher designed to replace DES.
AES uses a key length of 128, 192, or 256 bits.
The third square is authentication. Choose one of the following hash algorithms, used in
keyed HMAC form (HMAC-MD5 or HMAC-SHA-1), to provide data integrity and origin
authentication:
— Message Digest 5 (MD5): A 128-bit hash algorithm that is used to authenticate packet
data.
— Secure Hash Algorithm 1 (SHA-1): A 160-bit hash algorithm that is used to
authenticate packet data. SHA-1 is the stronger of the two.

The last square is the Diffie-Hellman (DH) algorithm group. DH is a public-key
cryptography protocol that allows two parties to establish a shared secret key, used by the
encryption and hash algorithms (for example, DES and MD5), over an insecure
communications channel. Choose which group to use: DH1 (768-bit modulus), DH2
(1024-bit modulus), or DH5 (1536-bit modulus). A larger modulus makes the exchange
harder to attack at the cost of more computation on the peers.

IPSec spells out the rules for secure communications. In turn, IPSec relies on existing
algorithms to implement the encryption, authentication, and key exchange.

IPSec Security Functions

Function: Confidentiality
Benefit: Encryption prevents eavesdropping and reading of intercepted data.

Function: Data integrity
Benefit: Receiver can verify whether data was transmitted unchanged or was altered.

Function: Origin authentication
Benefit: Receiver can verify and certify the data source.

Function: Anti-replay protection
Benefit: Each packet is verified as unique. Late and duplicate packets are dropped.

IPSec services provide four critical functions. In general, local security policy dictates the use
of one or more of these services:
Confidentiality (encryption): The sender can encrypt the packets before transmitting them
across a network. By doing so, no one can eavesdrop on the communication. If intercepted,
the communications cannot be read.
Data integrity: The receiver can verify that the data was transmitted through the Internet
without being changed or altered in any way.
Origin authentication: The receiver can authenticate the source of the packet,
guaranteeing and certifying the source of the information.
Anti-replay protection: Anti-replay protection verifies that each packet is unique and not a
duplicate. Each IPSec packet carries a sequence number, and the destination host or security
gateway keeps a sliding window of recently received sequence numbers. A packet whose
sequence number falls behind the window is considered late, and a packet whose sequence
number falls within the window but has already been seen is a duplicate (a replay). Late and
duplicate packets are dropped. The window is advanced only after the packet's integrity check
succeeds, so a forged packet cannot push genuine packets out of the window.
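The sliding-window check described above, written out as an added example in Python (it is not code from the original guide or from any Cisco product). It implements the receiver-side window of RFC 4303 and runs a constructed arrival order through it; the default window size of 64 and the split between check() and update() follow the RFC, and the separate receive() helper shows why the window is only updated after the integrity check.

```python
ESP_SEQ_MAX = 2**32 - 1   # 32-bit sequence number; without Extended Sequence Numbers the SA must be rekeyed before wrap


class AntiReplayWindow:
    """Receiver-side sliding window of RFC 4303 section 3.4.3.

    top    is the highest sequence number accepted so far (the right edge of the window).
    bitmap has bit i set when sequence number (top - i) has already been accepted.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets; 64 is the default")
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """True if seq may be accepted: in range, not behind the window, not already seen."""
        if seq < 1 or seq > ESP_SEQ_MAX:
            return False                      # numbering starts at 1; beyond 2^32-1 means a missed rekey
        if seq > self.top:
            return True                       # ahead of the window: a new packet
        offset = self.top - seq
        return offset < self.size and not (self.bitmap >> offset) & 1

    def update(self, seq):
        """Record seq. Call only after the packet's ICV verified, so a forged packet cannot slide the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask   # move the right edge to seq; old bits fall off
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def check_and_update(self, seq):
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def receive(window, seq, icv_valid):
    """Order of operations on a real ESP/AH receiver: window check, then ICV verification, then window update."""
    if not window.check(seq):
        return "dropped: late or replayed"
    if not icv_valid:
        return "dropped: integrity check failed"
    window.update(seq)
    return "accepted"


def filter_sequence(seqs, size=64):
    """Run a constructed arrival order through one window; returns (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(seq, window.check_and_update(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering (5 before 4), a replay of 3, a jump to 70 that slides the
    # window so 6 is now too old, a late-but-in-window 7, a replay of 70, and an impossible number.
    for seq, ok in filter_sequence([1, 2, 3, 5, 4, 3, 70, 6, 7, 70, 2**32]):
        print(f"seq {seq:>10}: {'accept' if ok else 'drop'}")
```

Reordered packets within the window (5 then 4) are accepted, so anti-replay tolerates the reordering that load-balanced paths cause; only a replay, or a packet older than the window, is dropped.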

IPSec Critical Function 1—Confidentiality
This topic describes how Cisco VPN routers use IPSec open encryption standards to provide
confidentiality.

Figure: a server sends a quarterly report ("Earnings off by 15%") across the Internet in clear
text; someone on the path reads it and wonders why the report does not look so good.

The good news is that the Internet is a public network. The bad news is that the Internet is a
public network. IPSec provides confidentiality with encryption and an exchange of keys.
Encryption: Clear text data transported over the public Internet can be intercepted and
read. In order to keep the data private, the data can be encrypted. Digitally scrambling the
data renders it unreadable to anyone who does not hold the key.
Key Exchange: For IPSec to work, the sending and receiving devices must share the secret
key used by the symmetric encryption and hash algorithms. Key agreement is accomplished
through the Internet Key Exchange (IKE), which is built on the Internet Security Association
and Key Management Protocol/Oakley (ISAKMP/Oakley). IKE uses the Diffie-Hellman
exchange to derive the shared secret over the public network and authenticates the peers with
pre-shared keys, RSA signatures (digital certificates), or RSA-encrypted nonces.

Public (asymmetric) key cryptographic systems use two keys: a public key known to everyone,
and a private or secret key, known only to its owner. When User A wants to send a secure
message to User B, the public key for B is used to encrypt the message. User B then uses the
matching private key to decrypt it. An important element of the public key system is that the
public and private keys are related in such a way that a message encrypted with the public key
can be decrypted only with the corresponding private key (and, for digital signatures, a value
signed with the private key can be verified only with the public key). Moreover, it is
computationally infeasible to deduce the private key from the public key.

Confidentiality with Encryption

Basic Premise: Both the sender and receiver need to know the rules used to transform the
original message into its coded form.

Figure: the clear text "Pay to Terry Smith $100.00 / One Hundred and xx/100" combined with
an encryption key produces ciphertext such as 4ehIDx67NMop9eR U78IOPotVBn45TR;
combining the ciphertext with the decryption key recovers the original text.

For encryption to work, both the sender and receiver need to know the rules used to transform
the original message into its coded form. Rules are based on an algorithm and a key. An
algorithm is a mathematical function that combines a message (text, digits, or both) with a
string of bits called a key. The output is an unreadable cipher string. Decryption is extremely
difficult or impossible without the correct key.

In the example, someone wants to send a financial document across the Internet. At the local
end, the document is combined with a key and is run through an encryption algorithm. The
output is undecipherable ciphertext. The ciphertext is then sent through the Internet. At the
remote end, the ciphertext is recombined with a key and sent through the decryption
algorithm. The output is the original financial document.

There are two types of encryption keys:
Symmetric: With symmetric key encryption, each peer uses the same key to encrypt and
decrypt the data.
Asymmetric: With asymmetric key encryption, the local end uses one key to encrypt, and
the remote end uses another key to decrypt the traffic.

The degree of security depends on the length of the key. If someone tries to recover the key
through a brute-force attack, guessing every possible combination, the number of possibilities
is a function of the key length. The time to process all the possibilities is a function of the
computer processing power. Therefore, the shorter the key, the easier it is to break. If a given
machine can exhaust a 64-bit key space in approximately 1 year, every additional bit doubles
the work, so a 128-bit key on the same machine takes 2^64 times longer, on the order of 10^19
years. These figures assume the key space must be searched exhaustively; a weakness in the
algorithm itself shortens the search, and processing power keeps growing, which is why 56-bit
DES is now considered breakable.

Encryption Algorithms

Algorithm: DES
• Developed by IBM and uses a 56-bit key
• DES is a symmetric key algorithm

Algorithm: 3DES
• A symmetric key variant of DES
• Processes each block three times

Algorithm: AES
• Adopted to replace DES encryption in cryptographic devices
• Stronger than DES and more efficient than 3DES
• Supported on Cisco VPN 3000 Series Concentrators v4.0 and later using a SEP-E module

Algorithm: RSA
• Uses asymmetric keys for encryption and decryption
• Each end generates a private key and a public key
• For a digital signature, the sender encrypts (signs) with its own private key
• The receiver decrypts (verifies) with the sender's public key
• Used for digital signatures, not for bulk data encryption in IPSec

Some of the encryption algorithms are as follows:

Data Encryption Standard (DES): DES was developed by IBM and uses a 56-bit key. It is
fast in hardware, but a 56-bit key can be recovered by exhaustive search with modest modern
resources, so DES alone no longer provides adequate confidentiality. DES is a symmetric key
algorithm.
Triple Data Encryption Standard (3DES): The 3DES algorithm is a variant of the 56-bit
DES. 3DES operates similarly to DES, in that data is broken into 64-bit blocks. 3DES then
processes each block three times, each time with an independent 56-bit key. 3DES
effectively doubles encryption strength over 56-bit DES (about 112 bits of effective security
for a 168-bit key). 3DES is a symmetric key algorithm.
Advanced Encryption Standard (AES): The National Institute of Standards and
Technology (NIST) adopted AES in 2001 (FIPS 197) to replace the existing DES encryption in
cryptographic devices. AES provides stronger security than DES and is computationally
more efficient than 3DES. AES offers three different key strengths: 128-, 192-, and 256-bit
keys. Cisco supports AES VPN encryption from version 4.0 of the Cisco VPN 3000 Series
concentrator software with the addition of a SEP-E module. The older SEP modules perform
hardware encryption for DES and 3DES but not for AES. Cisco ISR platforms use built-in
VPN hardware acceleration that supports DES, 3DES, and AES with 128-, 192-, and 256-bit
keys. Cisco states that it was the first vendor to implement AES on all its VPN-enabled
platforms.
Rivest, Shamir, and Adleman (RSA): RSA is an asymmetric key cryptosystem. RSA
uses a key length of 512, 768, 1024, or more bits. IPSec does not use RSA for data encryption.
Internet Key Exchange (IKE) uses RSA only during the peer authentication phase, for RSA
signatures or RSA-encrypted nonces.



Key Exchange—How Do You Share the Secret?

IPSec Framework Choices (slide)

IPSec Protocol    ESP | ESP + AH | AH
Encryption        DES | 3DES | AES
Authentication    MD5 | SHA
Diffie-Hellman    DH1 | DH2 | DH5

DES, 3DES, AES, and also the two authentication algorithms, MD5 and SHA-1, all require a
symmetric shared secret key to perform encryption and decryption. The question is how do the
encrypting and decrypting devices get the shared secret key?

The keys can be sent by e-mail, courier, overnight express, or public key exchange. The easiest
method is DH public key exchange. The DH key agreement is a public key exchange method
that provides a way for two peers to establish a shared secret key that only they know, even
though they are communicating over an insecure channel.

Public key cryptosystems rely on a two-key system: a public key, which is exchanged between
end-users, and a private key, which is kept secret by the original owners. The DH public key
algorithm states that if user A and user B exchange public keys and a calculation is performed
on their individual private key and on the public key of each other, the end result of the process
is an identical shared key. The shared key is used to derive encryption and authentication keys.

The DH Key Exchange Algorithm (slide)

Peer A                                                Peer B
1. Generate large integer p                           1. Generate large integer q
   Send p to Peer B                                      Send q to Peer A
   Receive q                                             Receive p
   Generate g                                            Generate g
2. Generate private key XA                            2. Generate private key XB
3. Generate public key YA = g^XA mod p                3. Generate public key YB = g^XB mod p
4. Send public key YA                                 4. Send public key YB
5. Generate shared secret number ZZ = YB^XA mod p     5. Generate shared secret number ZZ = YA^XB mod p
6. Generate shared secret key from ZZ                 6. Generate shared secret key from ZZ
   (DES, 3DES, or AES)                                   (DES, 3DES, or AES)

There are variations of the DH key exchange algorithm, known as DH group 1 through 7. DH
groups 1, 2, and 5 support exponentiation over a prime modulus with a key size of 768, 1024,
and 1536 bits respectively. Cisco VPN Clients support DH groups 1, 2, and 5. DES and 3DES
encryption supports DH groups 1 and 2. AES encryption supports DH groups 2 and 5. The
Certicom wireless VPN Client supports group 7. Group 7 supports elliptic curve cryptography
that reduces the time needed to generate keys. VPN peers negotiate which DH group to use
during the tunnel setup.

Security is not an issue with the DH key exchange. Although someone may know the public
key for a user, the shared secret cannot be generated because the private key never becomes
public.

DH is used in IKE negotiations to allow the peers to agree on a shared secret that is used to
generate keying materials for subsequent use. With DH, each peer generates a public and a
private key pair. The private key generated by each peer is kept secret and never shared. The
public key is calculated from the private key by each peer and is exchanged over the insecure
channel. Each peer combines the other public key with its own private key, and computes the
same shared secret number. The shared secret number is then converted into a shared secret
key. The shared secret key is never exchanged over the insecure channel.
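The six steps of the DH table, carried out in code as an added illustration; this is not Cisco code or any device's implementation. The prime p, the generator g, and the SHA-256 step that turns ZZ into a key are constructed assumptions: real IKE peers use the fixed MODP group primes for DH groups 1, 2 and 5 and run ZZ through the negotiated PRF, and both peers agree on p and g before step 2 rather than each generating its own integer.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example: real IKE peers use the
# fixed MODP groups (DH group 1 = 768-bit, 2 = 1024-bit, 5 = 1536-bit prime);
# a 127-bit prime is far too small for production use.
P = 2**127 - 1   # the prime modulus p (a Mersenne prime)
G = 5            # the generator g


def generate_private_key(p=P):
    """Step 2: a random private exponent X, kept secret and never sent."""
    return secrets.randbelow(p - 3) + 2          # uniform in [2, p-2]


def compute_public_key(x, p=P, g=G):
    """Step 3: the public value Y = g^X mod p that is sent in the clear."""
    return pow(g, x, p)


def compute_shared_secret(peer_public, x, p=P):
    """Step 5: ZZ = Y_peer^X mod p; both peers obtain the same number."""
    # Reject degenerate public values (0, 1, p-1): they would fix ZZ to a
    # known constant regardless of the private exponent.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, p)


def derive_key(zz, length=24):
    """Step 6: turn the shared secret number into a symmetric key.

    IKE feeds ZZ and the nonces into its negotiated PRF; hashing ZZ with
    SHA-256 is a simplification assumed for this example. 24 bytes is the
    key material for three independent 64-bit 3DES keys.
    """
    zz_bytes = zz.to_bytes((zz.bit_length() + 7) // 8, "big")
    return hashlib.sha256(zz_bytes).digest()[:length]


def dh_exchange():
    """Run the whole exchange for Peer A and Peer B; return both derived keys."""
    xa = generate_private_key()            # Peer A, step 2
    xb = generate_private_key()            # Peer B, step 2
    ya = compute_public_key(xa)            # Peer A, step 3 (sent to B, step 4)
    yb = compute_public_key(xb)            # Peer B, step 3 (sent to A, step 4)
    zz_a = compute_shared_secret(yb, xa)   # Peer A, step 5
    zz_b = compute_shared_secret(ya, xb)   # Peer B, step 5
    return derive_key(zz_a), derive_key(zz_b)


if __name__ == "__main__":
    key_a, key_b = dh_exchange()
    print("shared keys match:", key_a == key_b)
```

Only YA and YB cross the insecure channel; XA, XB, ZZ and the derived key never do. The range check before step 5 is the one practical addition: a peer that sends 0, 1 or p-1 as its public value would force ZZ to a value an observer can predict, so implementations reject those before computing the secret.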



RSA Encryption (figure): the local end encrypts the check "Pay to Terry Smith $100.00 / One
Hundred and xx/100" with the remote public key, producing the ciphertext KJklzeAidJfdlwiej47
DlItfd578MNSbXoE; the remote end decrypts it with the remote private key to recover the check.

RSA is an encryption technique that is used for digital signatures. RSA encryption uses
asymmetric keys for encryption and decryption. Each end, local and remote, generates two
encryption keys, a private and public key. They keep their private key and exchange their
public key with people they wish to communicate with.

To send an encrypted message to the remote end, the local end encrypts the message using the
remote public key and the RSA encryption algorithm. The result is unreadable ciphertext.
This message is sent through the Internet. At the remote end, the remote end uses its private key
and the RSA algorithm to decrypt the ciphertext. The result is the original message. The only
one who can decrypt the message is the destination that owns the private key.

With RSA encryption, the opposite also holds true. The remote end can encrypt a message
using its own private key. The receiver can decrypt the message using the sender public key.

IPSec Critical Function 2—Data Integrity
This topic describes how IPSec establishes data integrity using hash-based message
authentication code (HMAC).

IPSec Critical Function 2—Data Integrity (figure): a check "Pay to Terry Smith $100.00 / One
Hundred and xx/100" with hash 4ehIDx67NMop9 crosses the Internet and arrives as "Pay to Teri
Smyth $1000.00 / One thousand and xx/100" with hash 12ehqPx67NMoX, presented by someone
claiming "Yes, I am Alex Jones." Match = no changes; no match = alterations.

The next VPN-critical function is data integrity. VPN data is transported over the public
Internet. Potentially, this data could be intercepted and modified. A VPN must provide a means
to check the integrity of information transmitted over the Internet. Mechanisms that provide
such integrity are usually called message authentication codes (MACs) and rely on a secret key.
Typically, two parties that share a secret key use message authentication codes to validate
information transmitted between them. Based on cryptographic hash functions, hash-based
message authentication code (HMAC) attaches a hash to each message to guard against loss of
integrity. If the transmitted hash matches the received hash, the message has not been tampered
with. However, if there is no match, the message was altered.

In the example in the figure, someone is trying to send Terry Smith a check for $100. At the
remote end, Alex Jones is trying to cash the check for $1000. As the check progressed through
the Internet, it was altered. Both the recipient and dollar amounts were changed. In this case,
the hashes did not match. The transaction is no longer valid.

Data integrity is synonymous with authentication. The packets are authenticated using the hash
that is attached to each packet. Two main algorithms facilitate data integrity within the IPSec
framework: MD5 and SHA-1.



HMAC (figure): at the local end, the variable-length input message ("Pay to Terry Smith $100.00
/ One Hundred and xx/100") and the shared secret key pass through the hash function, giving the
hash 4ehIDx67NMop9, and message + hash are sent. At the remote end, (1) the received message
and the shared secret key pass through the hash function, and (2) the re-computed hash
4ehIDx67NMop9 is compared with the received hash 4ehIDx67NMop9.

The figure illustrates how HMAC works. At the local end, the message and a shared secret key
are sent through a hash algorithm, which produces a hash value. The message and hash are sent
over the network. At the remote end, there is a two-step process.

Step 1 The received message and shared secret key are sent through the hash algorithm,
resulting in a re-calculated hash value.
Step 2 The receiver compares the re-calculated hash with the hash that was attached to the
message. If the original hash and re-calculated hash match, the integrity of the
message is guaranteed. If any of the original message is changed while in transit, the
hash values are different.

Basically, a hash algorithm is a formula used to convert a variable length message into a single
string of digits of a fixed length. Hash is a one-way algorithm. A message can produce a hash,
but a hash cannot produce the original message. It is analogous to dropping a plate on the floor.
The plate can produce a multitude of pieces, but the pieces cannot be recombined to reproduce
the plate in its original form.

HMAC Algorithms (figure): the message "Pay to Terry Smith $100.00 / One Hundred and xx/100"
passes through the hash function, producing the hash 4ehIDx67NMop9, which is appended to the
message. HMAC algorithms: HMAC-MD5, HMAC-SHA-1.

There are two common Hashed Message Authentication Code (HMAC) algorithms:

HMAC-MD5: Uses a 128-bit shared secret key. The variable length message and 128-bit
shared secret key are combined and run through the HMAC-MD5 hash algorithm. The
output is a 128-bit hash. The hash is appended to the original message and forwarded to the
remote end.

HMAC-SHA-1: HMAC-SHA-1 uses a 160-bit secret key. The variable length message
and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash
algorithm. The output is a 160-bit hash. The hash is appended to the original message and
forwarded to the remote end.

HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5. HMAC-SHA-1 is
recommended when the security of HMAC-SHA-1 over HMAC-MD5 is important.
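The two-step check in the HMAC figure, and the difference between the two algorithms, as an added example that is not part of the course material or any Cisco implementation. The shared secret key and the check text are constructed sample values (in practice the key comes out of the DH exchange); both HMAC-MD5 and HMAC-SHA-1 are taken from the Python standard library.

```python
import hashlib
import hmac

# Constructed sample data. The key is a 128-bit value, as the course specifies
# for HMAC-MD5 (it pairs a 160-bit key with HMAC-SHA-1); the check text is the
# one used in the figures.
SHARED_SECRET_KEY = b"constructedkey16"
ORIGINAL_CHECK = b"Pay to Terry Smith $100.00 One Hundred and xx/100"
ALTERED_CHECK = b"Pay to Teri Smyth $1000.00 One thousand and xx/100"

# The two HMAC algorithms the course names, mapped to hashlib names.
HMAC_ALGORITHMS = {"HMAC-MD5": "md5", "HMAC-SHA-1": "sha1"}


def compute_hmac(message, key, algorithm="HMAC-SHA-1"):
    """Local end: hash the message together with the shared secret key."""
    return hmac.new(key, message, HMAC_ALGORITHMS[algorithm]).digest()


def tag_length(algorithm):
    """Hash length in bytes: 16 (128 bits) for HMAC-MD5, 20 (160 bits) for HMAC-SHA-1."""
    return hashlib.new(HMAC_ALGORITHMS[algorithm]).digest_size


def send(message, key, algorithm="HMAC-SHA-1"):
    """Append the hash to the message, as in the figure (Message + Hash)."""
    return message + compute_hmac(message, key, algorithm)


def receive(packet, key, algorithm="HMAC-SHA-1"):
    """Remote end, two steps: recompute the hash, then compare.

    Returns the message if the hashes match, or None if it was altered.
    hmac.compare_digest compares in constant time, so nothing about the
    expected hash leaks through how long a rejected packet takes.
    """
    n = tag_length(algorithm)
    message, received_hash = packet[:-n], packet[-n:]
    recalculated = compute_hmac(message, key, algorithm)        # step 1
    if hmac.compare_digest(recalculated, received_hash):         # step 2
        return message
    return None


def tamper_in_transit(packet, algorithm="HMAC-SHA-1"):
    """Simulate the figure's alteration: swap the check text, keep the old hash."""
    n = tag_length(algorithm)
    return ALTERED_CHECK + packet[-n:]
```

Without the key, an attacker who changes the check cannot produce a matching hash, so the altered packet is rejected; a receiver with the wrong key rejects even an unaltered packet, which is why both ends must hold the same shared secret.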



IPSec Critical Function 3—Origin Authentication
This topic describes how IPSec establishes origin authentication using digital signatures, peer
authentication, pre-shared keys, RSA signatures and RSA-encrypted nonces.

IPSec Critical Function 3—Origin Authentication (figure): the local end runs the message "Pay
to Terry Smith $100.00 / One Hundred and xx/100" through the hash algorithm (hash
4ehIDx67NMop9) and encrypts the hash with its private key (encryption algorithm), producing
the signature 28d2mgjlx12ngadw ondyhe0tlf’hgg6544, which is sent with the message across the
Internet. The remote end decrypts the signature with the public key (decryption algorithm),
re-computes the hash of the received message (hash algorithm), and compares the two:
4ehIDx67NMop9 = 4ehIDx67NMop9, Match.

The last critical function is origin authentication. In the middle ages, a seal guaranteed the
authenticity of an edict. In modern times, a signed document is notarized with a seal and a
signature. In the electronic era, a document is signed using the sender private encryption key—
a digital signature. A signature is authenticated by decrypting the signature with the sender
public key.

In the example in the figure, the local device derives a hash and encrypts it with its private key.
The encrypted hash (digital signature) is attached to the message and forwarded to the remote
end. At the remote end, the encrypted hash is decrypted using the local end public key. If the
decrypted hash matches the re-computed hash, the signature is genuine. A digital signature ties
a message to a sender, and the sender is authenticated. It is used during the initial establishment
of a VPN tunnel to authenticate both ends of the tunnel.

There are two common digital signature algorithms: RSA and the Digital Signature Algorithm
(DSA). RSA is used commercially and is the most common. DSA is used by U.S. Government
agencies and is not as common.
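The two uses of RSA described in the RSA Encryption and Origin Authentication figures, as an added example that is not Cisco code or any device's implementation. The key pair is a toy one built from two known Mersenne primes so that the block runs on the standard library alone; the modulus, the use of SHA-1 as the hash, and the unpadded ("textbook") RSA are constructed assumptions, not what a VPN device does, where keys are 1024 bits or longer and PKCS#1 padding is applied.

```python
import hashlib

# Toy RSA parameters, constructed for this example. 2**107-1 and 2**127-1 are
# known primes, giving a modulus of about 234 bits: large enough to hold a
# 160-bit SHA-1 digest or a short check text, far too small for real use.
E = 65537


def generate_keypair(p=2**107 - 1, q=2**127 - 1, e=E):
    """Each end generates a key pair; returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message, public_key):
    """Local end: encrypt with the remote peer's public key (RSA Encryption figure)."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Remote end: only the holder of the private key recovers the message.
    (A message starting with a zero byte would lose it here; PKCS#1 padding
    avoids that in real systems.)"""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message, private_key):
    """Origin authentication: hash the message, then 'encrypt' the hash with
    the sender's private key. The result is the digital signature."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return pow(h, d, n)


def verify(message, signature, public_key):
    """Receiver: 'decrypt' the signature with the sender's public key and
    compare the result with a freshly computed hash of the message."""
    n, e = public_key
    recovered = pow(signature, e, n)
    expected = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return recovered == expected
```

The same key pair serves both directions of the text: a message encrypted with the public key is readable only by the private-key holder, and a hash encrypted with the private key is checkable by anyone holding the public key. The altered check from the data-integrity figure fails verification because its hash no longer matches what the signature decrypts to.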

Peer Authentication (slide): a Remote Office reaches the HR servers at the Corporate Office
across the Internet; peer authentication takes place between the two VPN endpoints.

Peer authentication methods:
• Pre-shared keys
• RSA signatures
• RSA encrypted nonces

When conducting business long distance, it is necessary to know who is at the other end of the
phone, e-mail, or fax. The same is true of IPSec VPN networking. The device on the other end
of the VPN tunnel must be authenticated before the communication path is considered secure.
There are three peer authentication methods:
Pre-shared keys: A secret key value entered into each peer manually authenticates the
peer.
RSA signatures: The exchange of digital certificates authenticates the peers.
RSA encrypted nonces: Nonces (random numbers generated by each peer) are encrypted
then exchanged between peers. The two nonces are used during the peer authentication
process.



Pre-Shared Keys (figure): at the local peer, Auth. Key + ID Information pass through the hash
to form the authenticating hash (Hash_I), which is sent across the Internet to the remote router.
The remote router hashes its own Auth. Key + ID Information and compares the computed hash
(Hash_R) with the received hash (Hash_I): equal means authenticated.

With pre-shared keys, the same pre-shared key is configured on each IPSec peer. At each end,
the pre-shared key is combined with other information (like the DH generated secret key) to
form the authentication key. Starting at the local end, the authentication key and the identity
information (device-specific information) are sent through a hash algorithm to form Hash_I.
The local IKE peer provides one-way authentication by sending Hash_I to the remote peer. If
the remote peer is able to independently create the same hash, the local peer is authenticated.

The authentication process continues in the opposite direction. The remote peer combines its
identity information with the pre-shared-based authentication key and sends them through a
hash algorithm to form Hash_R. Hash_R is sent to the local peer. If the local peer is able to
independently create the same hash from its stored information and pre-shared-based
authentication key, the remote peer is authenticated. Each peer must authenticate its opposite
peer before the tunnel is considered secure. Pre-shared keys are easy to configure manually, but
do not scale well. Each IPSec peer must be configured with the pre-shared key of every other
peer with which it communicates.

RSA Signatures (figure): at the local end, Auth. Key + ID Information pass through the hash to
form Hash_I; the encryption algorithm with the private key turns Hash_I into a digital
signature, which is sent across the Internet together with the digital certificate (1). At the
remote end, the decryption algorithm with the public key from the digital certificate recovers
Hash_I from the digital signature, and it is compared with the Hash_I that the remote end
computes from its own Auth. Key + ID Information (2): equal means authenticated.

With RSA signatures, Hash_I and Hash_R are authenticated and digitally signed. Starting at the
local end, the authentication key and identity information (device-specific information) are sent
through a hash algorithm to form Hash_I. The Hash_I is then encrypted using the local peer
private encryption key. The result is a digital signature. The digital signature and a digital
certificate are forwarded to the remote peer. The public encryption key for decrypting the
signature is included in the digital certificate exchanged between peers.

At the remote peer, local peer authentication is a two-step process.

Step 1 The remote peer verifies the digital signature by decrypting it using the public
encryption key enclosed in the digital certificate. The result is Hash_I.

Step 2 The remote peer independently creates Hash_I from stored information. If the
calculated Hash_I equals the decrypted Hash_I, the local peer is authenticated as
shown in the figure.

After the remote peer authenticates the local peer, the authentication process begins in the
opposite direction. The remote peer combines its identity information with the authentication
key and sends this information through a hash algorithm to form Hash_R. Hash_R is encrypted
using the remote peer private encryption key, which is a digital signature. The digital signature
and certificate are sent to the local peer. The local peer performs two tasks; it creates the
Hash_R from stored information, and it decrypts the digital signature. If the calculated Hash_R
and the decrypted Hash_R match, the remote peer is authenticated. Each peer must authenticate
its opposite peer before the tunnel is considered secure.



RSA Encrypted Nonces (figure): at the local end, Auth. key + ID Information pass through the
hash to form the authenticating hash (Hash_I), which is sent across the Internet; at the remote
end, the computed hash (Hash_R) from its own Auth. key + ID Information is compared with the
received hash (Hash_I).

RSA encrypted nonces require that each party generate a nonce. The nonces are then encrypted
and exchanged. The nonces are encrypted by the initiator using the receiver public key. The
public keys need to be exchanged between the peers before IKE negotiation begins. When the
nonce is received, each end formulates an authentication key made up of the initiator and
responder nonces, the DH key, and the initiator and responder cookies. The nonce-based
authentication key is combined with device-specific information and runs through a hash
algorithm. The local IKE peer provides one-way authentication by sending Hash_I to the
remote peer. If the remote peer is able to independently create the same hash from stored
information and its nonce-based authentication key, the local peer is authenticated as shown in
the figure.

After the remote end authenticates the local peer, the authentication process begins in the
opposite direction. The remote peer combines its identity information with the nonce-based
authentication key and sends them through a hash algorithm to form Hash_R. Hash_R is sent to
the local peer. If the local peer is able to independently create the same hash from stored
information and the nonce-based key, the remote peer is authenticated. Each peer must
authenticate its opposite peer before the tunnel is considered to be secure.

IPSec Critical Function 4—Anti-replay
This topic describes the anti-replay function of IPSec.

IPSec Critical Function 4—Anti-replay (slide)

• Anti-replay ensures packets are not intercepted, changed and reinserted into the data
  stream.
• Anti-replay is implemented by IPSec framework protocols:
  – AH
  – ESP
• The anti-replay mechanism works by keeping track of the sequence number allocated to
  each packet as it arrives at the VPN endpoint.
• Each time a packet is sent, the receiver verifies that the sequence number is not that of a
  previously sent packet.
• Packets with duplicate sequence numbers are discarded.

IPSec uses anti-replay mechanisms to ensure that IP packets cannot be intercepted by a third
party or man-in-the-middle and then be changed and reinserted into the data stream. This is
implemented in IPSec by:
The AH protocol
The ESP protocol

The anti-replay mechanism works by keeping track of the sequence number allocated to each
packet as it arrives at the VPN endpoint. When a security association (SA) is established
between two VPN endpoints, the sequence counter is set to 0. The packets that are encrypted
and transmitted over the VPN are sequenced starting from 1. Each time a packet is sent, the
receiver of the packet verifies that the sequence number is not that of a previously sent packet.
If the receiver receives a packet with a duplicate sequence number, the packet is discarded, and
an error message is sent back to the transmitting VPN endpoint to log this event.

Note AH implements anti-replay by default, although ESP implements anti-replay only when data
authentication is turned on (for example, MD5 or SHA-1) in the IPSec transform-set.
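How a receiving endpoint can keep track of the sequence numbers described above, as an added example that is not Cisco code or any device's implementation. It uses the sliding-window form that IPSec implementations commonly use: a window of 64 sequence numbers kept as a bitmap, so that packets arriving slightly out of order are still accepted while duplicates, packets older than the window, and sequence number 0 are discarded and recorded for the error logging the text mentions. The arrival order used in the test is constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check for one security association (SA).

    The sequence counter is 0 when the SA is established, so the first packet
    carries sequence number 1. A sliding window of `size` sequence numbers is
    kept as a bitmap: bit i set means "highest - i has already been seen".
    A 64-packet window is the minimum IPSec implementations are expected to
    support; it is an assumption here, not a value from the course.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => (highest - i) already seen
        self.dropped = []         # (seq, reason) pairs, for the error log

    def accept(self, seq):
        """Return True if the packet may be processed, False if it is discarded."""
        if seq == 0:
            return self._drop(seq, "sequence number 0 is never valid")
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                       # every older packet drops out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return self._drop(seq, "older than the anti-replay window")
        bit = 1 << offset
        if self.bitmap & bit:
            return self._drop(seq, "duplicate sequence number")
        self.bitmap |= bit                            # late but unseen: accept
        return True

    def _drop(self, seq, reason):
        self.dropped.append((seq, reason))
        return False


def replay_check(sequence_numbers, size=64):
    """Run a constructed arrival order through one window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in sequence_numbers]
```

The window matters because the Internet reorders packets: a strict "must be greater than the last one" rule would discard legitimate late packets, whereas the bitmap accepts them once and only once. The check runs after the integrity check has passed, so an attacker cannot shift the window by sending packets with forged high sequence numbers.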



IPSec Protocol Framework
This topic explains how encryption, integrity, and authentication are applied to the IPSec
protocol suite.

IPSec Security Protocols (slide)

AH: Router A to Router B, all data is in clear text. Authentication Header provides:
• Authentication
• Integrity

ESP: Router A to Router B, data payload is encrypted. Encapsulating Security Payload provides:
• Encryption
• Authentication
• Integrity

IPSec is a framework of open standards. IPSec spells out the messaging to secure the
communications but relies on existing algorithms, such as DES, 3DES, and AES, to implement
the encryption and authentication. The two main IPSec framework protocols are as follows:

Authentication Header (AH): AH is the appropriate protocol to use when confidentiality
is not required or permitted. AH provides data authentication and integrity for IP packets
passed between two systems. AH provides a means of verifying that any message passed
from Router A to Router B has not been modified during transit. AH verifies that the origin
of the data was either Router A or Router B. AH does not provide data confidentiality
(encryption) of packets. All text is transported in the clear.

Encapsulating Security Payload (ESP): ESP is a security protocol that may be used to provide
confidentiality (encryption) and authentication. ESP provides confidentiality by performing
encryption at the IP packet layer. IP packet encryption conceals the data payload and the
identities of the ultimate source and destination. ESP provides authentication for the inner
IP packet and ESP header. Authentication provides data origin authentication and data
integrity. Although both encryption and authentication are optional in ESP, at a minimum,
one of them must be selected.

Authentication Header (slide): Router A to Router B, all data is in clear text.

• Ensures data integrity
• Provides origin authentication (ensures packets definitely came from the peer)
• Uses keyed-hash mechanism
• Does not provide confidentiality (no encryption)
• Provides anti-replay protection

Authentication is achieved by applying a keyed one-way hash function to the packet to create a
hash or message digest. The hash is combined with the text and transmitted. Changes in any
part of the packet that occur during transit are detected by the receiver when it performs the
same one-way hash function on the received packet. Because the one-way hash also involves
the use of a symmetric key between the two systems, authenticity is guaranteed.



AH Authentication and Integrity (figure): the sending router hashes IP Header + Data + Key to
produce the authentication data (00ABCDEF) and sends the packet IP HDR | AH | Data across the
Internet. The receiving router hashes IP Header + Data + Key again and compares the received
hash (00ABCDEF) with the re-computed hash (00ABCDEF).

The AH function is applied to the entire datagram, except for any mutable IP header fields that
change in transit (for example, Time to Live [TTL] fields that are modified by the routers along
the transmission path). AH supports two algorithms:
HMAC-MD5
HMAC-SHA-1

The following steps outline how AH works:

Step 1 The IP header and data payload are hashed.
Step 2 The hash is used to build an AH header, which is appended to the original packet.
Step 3 The new packet is transmitted to the IPSec peer.
Step 4 The peer hashes the IP header and data payload.
Step 5 The peer extracts the transmitted hash from the AH header.
Step 6 The peer compares the two hashes. The hashes must match exactly. If one bit is
changed in the transmitted packet, the hash output on the received packet changes
and the AH header does not match.
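The six AH steps carried out on a constructed IPv4 packet, as an added example that is not Cisco code or any device's implementation. It shows the point the text makes about mutable fields: a router hop that decrements the TTL leaves the check intact, while any change to the addresses or the payload breaks it. The key, the SPI, the addresses and the payload are constructed sample values; the 96-bit truncation (HMAC-SHA-1-96) and the AH header layout follow the AH standard rather than anything specific to the course.

```python
import hmac
import struct

# Constructed example; the key is assumed to have come from the IKE exchange.
AH_KEY = b"constructed-ah-hmac-key"
PROTO_TCP, PROTO_AH = 6, 51
ICV_LEN = 12        # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number

# Byte offsets of the mutable IPv4 header fields: TOS, flags/fragment offset,
# TTL and header checksum. They are zeroed before hashing because routers
# change them in transit; every other header byte is covered by the hash.
MUTABLE_OFFSETS = (1, 6, 7, 8, 10, 11)


def build_ipv4_header(src, dst, payload_len, ttl=64):
    """A minimal 20-byte IPv4 header whose protocol field announces AH (51)."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, PROTO_AH, 0, src, dst)


def zero_mutable_fields(ip_header):
    h = bytearray(ip_header)
    for off in MUTABLE_OFFSETS:
        h[off] = 0
    return bytes(h)


def compute_icv(ip_header, ah_fixed, payload, key=AH_KEY):
    """Steps 1 and 4: hash the immutable part of the IP header, the AH header
    with its own hash field zeroed, and the data payload."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, "sha1").digest()[:ICV_LEN]


def ah_protect(ip_header, payload, spi, seq, key=AH_KEY):
    """Steps 2 and 3: build the AH header around the hash and emit the packet.
    Payload Len is the AH header length in 32-bit words minus 2: 24 bytes -> 4."""
    ah_fixed = struct.pack("!BBHII", PROTO_TCP, 4, 0, spi, seq)
    icv = compute_icv(ip_header, ah_fixed, payload, key)
    return ip_header + ah_fixed + icv + payload


def ah_verify(packet, key=AH_KEY):
    """Steps 4 to 6: recompute the hash over the received packet and compare it
    with the one carried in the AH header (constant-time comparison)."""
    ip_header = packet[:20]
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    icv = packet[32:32 + ICV_LEN]
    payload = packet[44:]
    return hmac.compare_digest(compute_icv(ip_header, ah_fixed, payload, key), icv)


def router_hop(packet):
    """What each router on the path does: decrement the TTL. (It would also
    recompute the header checksum, which is mutable and excluded as well.)"""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def sample_packet():
    """A constructed packet between the addresses used in the course figures."""
    payload = b"Pay to Terry Smith $100.00"
    header = build_ipv4_header(bytes([10, 0, 1, 3]), bytes([10, 0, 2, 3]), len(payload))
    return ah_protect(header, payload, spi=0x1000, seq=1)
```

Because the source and destination addresses are immutable fields inside the hash, AH also detects a packet whose addresses were rewritten in transit, which is why AH and network address translation do not mix.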

Encapsulating Security Payload (slide): Router A to Router B, data payload is encrypted.

• Data confidentiality (encryption)
• Data integrity
• Data origin authentication
• Anti-replay protection

ESP provides confidentiality by encrypting the payload. ESP supports a variety of symmetric
encryption algorithms. The default algorithm for IPSec is 56-bit DES. Cisco products also
support the use of 3DES and AES for stronger encryption.

ESP can be used alone or in combination with AH. ESP with AH also provides integrity and
authentication of the datagrams. First, the payload is encrypted. Next, the encrypted payload is
sent through one of the following hash algorithms: HMAC-MD5 or HMAC-SHA-1. The hash
provides origin authentication and data integrity for the data payload.

Alternatively, ESP may also enforce anti-replay protection by requiring that a receiving host set
the replay bit in the header to indicate that the packet has been seen.



ESP Protocol (figure): the original packet IP HDR | Data leaves one router and crosses the
Internet as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth, where IP HDR,
Data and ESP Trailer are encrypted, and ESP HDR through ESP Trailer are authenticated.

• Provides confidentiality with encryption
• Provides integrity with authentication

The original payload is well protected between two security gateways because the entire
original IP datagram is encrypted. An ESP trailer is added to the encrypted payload. With ESP
authentication, the encrypted IP datagram and the ESP header and trailer are included in the
hashing process. Finally, a new IP header is appended to the front of the authenticated payload
(when using tunnel mode). The new IP address is used to route the packet through the Internet.

When both ESP authentication and encryption are selected, encryption is performed before
authentication. One reason for this order of processing is that it facilitates rapid detection and
rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the
receiver can authenticate inbound packets. By doing this, it can detect the problems and
potentially reduce the impact of denial of service (DoS) attacks.
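The "encrypt, then authenticate" ordering and its receiving-side payoff, as an added example that is not Cisco code or any device's implementation. The ESP header, IV, trailer and ICV layout follow the figure; the cipher is a constructed stand-in (a keystream derived from HMAC-SHA-256) so that the block runs on the standard library alone, whereas a real SA uses DES, 3DES or AES. Both keys are assumed to come from IKE phase 2. The receiver counts how often it decrypts, which shows that a packet whose hash fails costs it no decryption work at all.

```python
import hmac
import os
import struct

# Constructed keys; a real SA gets separate encryption and authentication
# keys from the IKE phase 2 negotiation.
ENC_KEY = b"constructed-esp-encryption-key"
AUTH_KEY = b"constructed-esp-authentication-key"
ICV_LEN = 12            # HMAC-SHA-1-96
IV_LEN = 8
NEXT_HEADER_IPIP = 4    # tunnel mode: the protected data is a whole IP packet


def keystream(key, iv, length):
    """Stand-in cipher (demo only): counter-mode keystream from HMAC-SHA-256."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", block), "sha256").digest()
        block += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_packet, spi, seq, iv=None):
    """Sender: encrypt payload + trailer first, then hash header + IV + ciphertext."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    esp_header = struct.pack("!II", spi, seq)          # SPI, sequence number
    trailer = bytes([0, NEXT_HEADER_IPIP])             # pad length 0, next header
    plaintext = inner_packet + trailer
    ciphertext = xor_bytes(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    authenticated = esp_header + iv + ciphertext       # what the ICV covers
    icv = hmac.new(AUTH_KEY, authenticated, "sha1").digest()[:ICV_LEN]
    return authenticated + icv


class ESPReceiver:
    """Receiver that authenticates before it decrypts, counting decrypt work."""

    def __init__(self):
        self.decrypt_calls = 0

    def decapsulate(self, packet):
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(AUTH_KEY, body, "sha1").digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return None                 # bogus packet: rejected before any decryption
        self.decrypt_calls += 1
        iv = body[8:8 + IV_LEN]
        ciphertext = body[8 + IV_LEN:]
        plaintext = xor_bytes(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
        return plaintext[:-2]           # strip the ESP trailer
```

Had the order been reversed (authenticate, then encrypt), the receiver would have to decrypt every packet before it could tell a forged one from a genuine one, and a flood of junk packets would cost it a decryption each; the anti-replay check sits at the same point, after the hash and before the decryption.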

Modes of Use—Tunnel vs Transport Mode (figure)

Original packet: IP HDR | Data

Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth (Data and ESP Trailer are
encrypted; ESP HDR through ESP Trailer are authenticated)

Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth (IP HDR, Data
and ESP Trailer are encrypted; ESP HDR through ESP Trailer are authenticated)

ESP and AH can be applied to IP packets in two different ways, transport mode and tunnel
mode. These two modes are described as follows:

Transport mode: Transport mode protects the payload of the packet and higher layer
protocols, but leaves the original IP address in the clear. The original IP address is used to
route the packet through the Internet. ESP transport mode is used between two hosts, when
the final destination is the host itself. Transport mode provides security to the higher layer
protocols only.

Tunnel mode: ESP tunnel mode is used when either end of the tunnel is a security
gateway, a concentrator, a VPN-enabled router, or a PIX Security Appliance. Tunnel mode
is used when the final destination is not a host, but a VPN gateway. The security gateway
encrypts and authenticates the original IP packet. Next, a new IP header is appended to the
front of the encrypted packet. The outside, new, IP address is used to route the packet
through the Internet to the remote end security gateway. Tunnel mode provides security for
the whole original IP packet.



IPSec Operation
This topic explains the five primary steps of IPSec operation.

IPSec Operation (slide): Host A, Router A, Router B, Host B.

Step 1 Interesting Traffic—The VPN devices recognize the traffic to protect.
Step 2 IKE phase 1—The VPN devices negotiate an IKE security policy and establish a secure
channel.
Step 3 IKE phase 2—The VPN devices negotiate the IPSec security policy used to protect IPSec
data.
Step 4 Data transfer—The VPN devices apply security services to traffic and then transmit the
traffic.
Step 5 Tunnel terminated—The tunnel is torn down.

The goal of IPSec is to protect the desired data with the needed security services. IPSec
operation can be broken down into five simple steps.

Step 1 Interesting traffic: Traffic is deemed interesting when the VPN device recognizes
that the traffic you want to send needs to be protected.
Step 2 IKE phase 1: A basic set of security services are negotiated and agreed upon
between peers. This basic set of security services protects all subsequent
communications between the peers.
Step 3 IKE phase 2: IKE negotiates IPSec SA parameters and sets up matching IPSec SAs
in the peers. These security parameters are used to protect data and messages
exchanged between endpoints. The final result of IKE phase 1 and phase 2 is a
secure communications channel between peers.
Step 4 Data transfer: Data is transferred between IPSec peers based on the IPSec
parameters and keys stored in the SA database.
Step 5 IPSec tunnel termination: IPSec SAs terminate through deletion or by timing out.

Step 1—Interesting Traffic (slide): Host A (10.0.1.3), Router A, Router B, Host B (10.0.2.3);
at the router, traffic is marked Apply IPSec, Bypass IPSec, or Discard.

There are three choices for every inbound and outbound datagram:
• Apply IPSec
• Bypass IPSec
• Discard the datagram

Part of formulating a security policy for the use of a VPN is to determine what traffic needs to
be protected and what traffic can be sent in the clear. For every inbound and outbound
datagram, there are the following three choices:
Apply IPSec
Bypass IPSec
Discard the datagram

For every datagram protected by IPSec, the system administrator must specify the security
services applied to the datagram. The security policy database specifies the IPSec protocols,
modes, and algorithms applied to the traffic. The services are then applied to traffic destined to
each particular IPSec peer. With the VPN client, you use menu windows to select connections
that you want secured by IPSec. When interesting traffic transits the IPSec client, the client
initiates the next step in the process: negotiating an IKE phase 1 exchange.



Step 2—IKE Phase 1 (slide): Host A (10.0.1.3), Router A, Router B, Host B (10.0.2.3). IKE
Phase 1, Main Mode Exchange between Router A and Router B:

• Negotiate the policy
• DH exchange
• Verify the peer identity

The basic purpose of Internet Key Exchange (IKE) phase 1 is to negotiate IKE policy sets,
authenticate the peers, and set up a secure channel between the peers. IKE phase 1 occurs in
two modes: main mode and aggressive mode.

Main mode has three two-way exchanges between the initiator and receiver:
First exchange: The algorithms and hashes used to secure the IKE communications are
negotiated.
Second exchange: A DH exchange generates shared secret keys.
Third exchange: This exchange verifies the identity of the other side to make sure they are
communicating with the devices with which they think they are communicating.

In aggressive mode, fewer exchanges are done, with fewer packets. On the first
exchange, almost everything is squeezed in: the IKE policy set negotiation, the DH public key
generation, a nonce that the other party signs, and an identity packet that can be used to verify
their identity via a third party. The receiver sends back everything that is needed to complete
the exchange. The only thing left is for the initiator to confirm the exchange. While aggressive
mode is faster, it does not provide identity protection and is therefore not recommended.

First and Second Exchange—IKE Policy Sets and Establishing a Shared Secret

Figure: Router A (Host A, 10.0.1.3) negotiates IKE proposals with Router B (Host B, 10.0.2.3). Router A offers ISAKMP Policy 10 (DES, MD5, pre-share, DH1, lifetime) and ISAKMP Policy 20 (3DES, SHA, pre-share, DH1, lifetime); Router B holds ISAKMP Policy 15 (DES, MD5, pre-share, DH1, lifetime).
• Negotiates matching IKE transform sets to protect the IKE exchange.
• A DH exchange is performed to establish a shared secret.

First Exchange
During the first exchange, the algorithms and hashes that secure the IKE communications are
negotiated and agreed upon between peers. When trying to make a secure connection between
Host A and Host B through the Internet, IKE security proposals are exchanged between Router
A and Router B. The proposals identify the various values being negotiated. Under each proposal,
the originator must delineate which algorithms are employed in the proposal (for example, DES
with MD5). Rather than negotiate each algorithm individually, the algorithms are grouped into
IKE policy sets. A policy set delineates which encryption algorithm, authentication algorithm,
mode, and key length are proposed. These IKE proposals and policy sets are exchanged during
the first exchange of IKE main mode. If a policy set match is found between peers, main
mode continues. If no match is found, the tunnel is torn down.

In the figure, Router A sends IKE policy sets 10 and 20 to Router B. Router B compares its set,
policy set 15, with those received from Router A. As shown in the figure, there is a match; the
Router A policy set 10 matches the Router B policy set 15.

In a point-to-point application, each end may only need a single IKE policy set defined.
However, in a hub and spoke environment, the central site may require multiple IKE policy sets
to satisfy all the remote peers.

Second Exchange
The second exchange uses a DH exchange to generate shared secret keys and to pass nonces to
the other party. These nonces are signed and returned to prove their identity. The shared secret
key is used to generate all the other encryption and authentication keys.

Third Exchange—Authenticate Peer Identity

Figure: Peer authentication between the remote office and the corporate office (HR servers) across the Internet. Peer authentication methods:
• Pre-shared keys
• RSA signatures
• RSA encrypted nonces

The third and last exchange is used to authenticate the remote peer. The primary outcome of the
main mode is a secure communication path for subsequent exchanges between the peers.
Without proper authentication, it is possible to establish a secure communication channel with a
hacker who is now stealing all your sensitive material. There are three data origin
authentication methods:
Pre-shared keys: A secret key value that is entered into each peer manually and is used to
authenticate the peer.
RSA signatures: Uses the exchange of digital certificates to authenticate the peers.
RSA encrypted nonces: Nonces are basically long numbers that are used with private and
public key combinations and that also require a lot of manual configuration. Nonces are a
bit more secure than pre-shared keys, but less scalable, so they are not widely used. Nonces are
encrypted and then exchanged between peers. Two nonces are used during the peer
authentication process.

Step 3—IKE Phase 2

Figure: Host A (10.0.1.3), Router A, Router B, Host B (10.0.2.3). Router A and Router B negotiate the IPSec security parameters.

Once the IKE SA is established in IKE Phase 1, session SAs are negotiated for securing normal
VPN traffic. The purpose of IKE phase 2 is to negotiate the IPSec security parameters used to
secure the IPSec tunnel. IKE phase 2 performs the following functions:
Negotiates IPSec security parameters and IPSec transform sets
Establishes IPSec SAs
Periodically renegotiates IPSec SAs to ensure security
Optionally performs an additional DH exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established
the secure tunnel in phase 1. It negotiates a shared IPSec transform, derives shared secret
keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode
exchanges nonces that are used to generate new shared secret key material (perfect forward
secrecy (PFS)) and prevent replay attacks from generating bogus SAs.

Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires.
Quick mode is used to refresh the keying material used to create the shared secret key based on
the keying material derived from the DH exchange in phase 1.

IPSec Transform Sets

Figure: Router A (Host A, 10.0.1.3) negotiates transform sets with Router B (Host B, 10.0.2.3). Router A offers Transform Set 30 (ESP, 3DES, SHA, tunnel, lifetime) and Transform Set 40 (ESP, DES, MD5, tunnel, lifetime); Router B holds Transform Set 55 (ESP, 3DES, SHA, tunnel, lifetime). A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

The ultimate goal of IKE phase 2 is to establish a secure IPSec session between endpoints.
Before that can happen, each pair of endpoints negotiates the level of security required (for
example, encryption and authentication algorithms for the session). Rather than negotiate each
protocol individually, the protocols are grouped into sets called an IPSec transform set. IPSec
transform sets are exchanged between peers during quick mode. If a match is found between
sets, IPSec session-establishment continues. If no match is found, the session is torn down.

In the example in the figure, Router A sends IPSec transform sets 30 and 40 to Router B. Router
B compares its set, transform set 55, with those received from Router A. In this instance, there
is a match: Router A transform set 30 matches Router B transform set 55, as shown in the
figure. These encryption and authentication algorithms form an SA.
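The comparison that the two figures describe, the IKE policy set match in the first exchange and the transform set match in quick mode, as one added Python example. This is not Cisco code and not the Cisco IOS implementation. The set numbers, algorithms and the addresses of Router A and Router B come from the figures; the lifetime values, the names `IkePolicy`, `TransformSet`, `proposal_matches` and `negotiate`, the extra hub set 60, and the matching rule (every algorithm attribute equal, with an offered lifetime accepted when it is no longer than the responder's) are assumptions made for the example.

```python
from dataclasses import asdict, dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One ISAKMP policy set (IKE phase 1), as in the first-exchange figure."""
    number: int          # local priority only; lower numbers are tried first
    encryption: str
    integrity: str       # hash algorithm
    authentication: str  # pre-share, rsa-sig or rsa-encr
    dh_group: int
    lifetime: int        # seconds (assumed; the figure only says "lifetime")


@dataclass(frozen=True)
class TransformSet:
    """One IPSec transform set (quick mode), as in the transform set figure."""
    number: int
    protocol: str        # esp or ah
    encryption: str
    integrity: str
    mode: str            # tunnel or transport
    lifetime: int        # seconds (assumed)


def proposal_matches(offered, local) -> bool:
    """Peers agree when every negotiated attribute is identical.  The local set
    number is never sent on the wire, so it does not take part.  Lifetime is
    treated as an upper bound: an offer no longer than the local lifetime is
    accepted (assumption for this example)."""
    if type(offered) is not type(local):
        return False
    o, l = asdict(offered), asdict(local)
    for key, value in o.items():
        if key in ("number", "lifetime"):
            continue
        if value != l[key]:
            return False
    return o["lifetime"] <= l["lifetime"]


def negotiate(initiator_sets: Sequence, responder_sets: Sequence) -> Optional[Tuple[int, int]]:
    """The responder walks the offered sets in the initiator's priority order,
    compares each against its own sets in priority order, and accepts the
    first match.  Returns (initiator set number, responder set number), or
    None when no match exists and the tunnel is torn down."""
    for offered in sorted(initiator_sets, key=lambda s: s.number):
        for local in sorted(responder_sets, key=lambda s: s.number):
            if proposal_matches(offered, local):
                return offered.number, local.number
    return None


# Constructed from the IKE policy set figure: Router A offers 10 and 20, Router B holds 15.
ROUTER_A_IKE = [IkePolicy(10, "des", "md5", "pre-share", 1, 86400),
                IkePolicy(20, "3des", "sha", "pre-share", 1, 86400)]
ROUTER_B_IKE = [IkePolicy(15, "des", "md5", "pre-share", 1, 86400)]

# Constructed from the transform set figure: Router A offers 30 and 40, Router B holds 55.
ROUTER_A_TS = [TransformSet(30, "esp", "3des", "sha", "tunnel", 3600),
               TransformSet(40, "esp", "des", "md5", "tunnel", 3600)]
ROUTER_B_TS = [TransformSet(55, "esp", "3des", "sha", "tunnel", 3600)]

# A hub-and-spoke central site (constructed) needs more than one set to satisfy every spoke.
HUB_TS = ROUTER_B_TS + [TransformSet(60, "esp", "des", "md5", "tunnel", 3600)]

if __name__ == "__main__":
    print("IKE phase 1:", negotiate(ROUTER_A_IKE, ROUTER_B_IKE))    # (10, 15)
    print("Quick mode:", negotiate(ROUTER_A_TS, ROUTER_B_TS))        # (30, 55)
    print("Transport-only peer:", negotiate(
        ROUTER_A_TS, [TransformSet(55, "esp", "3des", "sha", "transport", 3600)]))  # None
```

The transport-only peer shows the failure case the text mentions: nothing matches, so the negotiation returns None and the session is not built. The hub set shows why a central site carries several sets while a point-to-point peer usually needs one.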

Security Association

Figure: Two SAs from the corporate VPN device across the Internet. To the bank (destination 192.168.2.1): SPI 12, ESP/3DES/SHA, tunnel mode, lifetime 28800. To the remote user (destination 192.168.12.1): SPI 39, ESP/DES/MD5, tunnel mode, lifetime 28800.
• Security Policy Database: encryption algorithm, authentication algorithm, mode, key lifetime
• SA Database: destination IP address, SPI, protocol (ESP or AH)

When the security services are agreed upon between peers, each VPN peer device enters the
information in a Security Policy Database (SPD). The information includes the encryption and
authentication algorithm, destination IP address, transport mode, key lifetime, and so on. This
information is referred to as the SA. The SA is a one-way logical connection that provides
security to all traffic traversing the connection. Because most traffic is bi-directional, two SAs
are required: one for inbound traffic, and one for outbound traffic. The VPN device indexes the
SA with a number called the Security Parameter Index (SPI). Rather than send the individual
parameters of the SA across the tunnel, the source gateway, or host, inserts the SPI into the ESP
header. When the IPSec peer receives the packet, it looks up the destination IP address, IPSec
protocol, and SPI in its SA database (SAD), and then processes the packet according to the
algorithms listed under the SPD.

The IPSec SA is a compilation of the SAD and SPD. SAD is used to identify the SA destination
IP address, IPSec protocol, and SPI number. The SPD defines the security services applied to
the SA, encryption and authentication algorithms, and mode and key lifetime.

In the corporate-to-bank connection shown in the figure, the security policy provides a very
secure tunnel using 3DES, SHA, tunnel mode, and a key lifetime of 28800. The SAD values are
a destination IP address of 192.168.2.1, ESP, and SPI-12. For the remote user accessing e-mail,
a less secure policy is negotiated using DES, MD5, tunnel mode, and a key lifetime of 28800.
The SAD values are a destination IP address of 192.168.12.1, ESP, and SPI-39.
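The three per-datagram choices from Step 1 (apply, bypass, discard) and the SPD/SAD lookup described for the corporate-to-bank figure, as one added Python example. This is not Cisco code. The destination addresses, SPIs, algorithms and the 28800 lifetime come from the figure; the selector prefixes, the 192.168.2.7 and 203.0.113.5 hosts, the class and function names, the "negotiate" result for interesting traffic without an SA, and the fail-closed default entry are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SpdEntry:
    """Security Policy Database entry: which traffic gets which treatment."""
    selector: str          # destination prefix this rule applies to
    action: str            # "apply", "bypass" or "discard": the three Step 1 choices
    protocol: str = ""     # "esp" or "ah", only when action == "apply"
    encryption: str = ""
    integrity: str = ""
    mode: str = ""         # "tunnel" or "transport"
    lifetime: int = 0      # seconds


class IpsecDevice:
    """A VPN peer holding an SPD and an SA database (SAD).

    The SAD is indexed as the lesson describes: destination IP address,
    IPSec protocol and SPI.  The value is the SPD entry whose algorithms
    the SA was negotiated for."""

    def __init__(self, spd: List[SpdEntry]) -> None:
        self.spd = spd
        self.sad: Dict[Tuple[str, str, int], SpdEntry] = {}

    def install_sa(self, dst: str, protocol: str, spi: int, policy: SpdEntry) -> None:
        self.sad[(dst, protocol, spi)] = policy

    def select_policy(self, dst: str) -> SpdEntry:
        """First matching selector wins, so keep the SPD most-specific first."""
        for entry in self.spd:
            if ip_address(dst) in ip_network(entry.selector):
                return entry
        return SpdEntry("0.0.0.0/0", "discard")  # fail closed when nothing matches

    def outbound(self, dst: str) -> Tuple[str, Optional[int]]:
        """Return (action, spi).  The SPI is what the sender places in the ESP
        or AH header instead of shipping the SA parameters across the tunnel."""
        policy = self.select_policy(dst)
        if policy.action != "apply":
            return policy.action, None
        for (sa_dst, proto, spi), sa_policy in self.sad.items():
            if sa_dst == dst and proto == policy.protocol and sa_policy == policy:
                return "apply", spi
        return "negotiate", None  # interesting traffic with no SA yet: start IKE

    def inbound(self, dst: str, protocol: str, spi: int) -> Optional[SpdEntry]:
        """Look up (destination, protocol, SPI); None means drop the packet."""
        return self.sad.get((dst, protocol, spi))


# Constructed from the Security Association figure.
BANK_POLICY = SpdEntry("192.168.2.1/32", "apply", "esp", "3des", "sha", "tunnel", 28800)
REMOTE_USER_POLICY = SpdEntry("192.168.12.1/32", "apply", "esp", "des", "md5", "tunnel", 28800)

corporate = IpsecDevice([
    BANK_POLICY,
    REMOTE_USER_POLICY,
    SpdEntry("192.168.0.0/16", "bypass"),   # assumed: other internal hosts in the clear
    SpdEntry("0.0.0.0/0", "discard"),       # assumed: everything else is dropped
])
corporate.install_sa("192.168.2.1", "esp", 12, BANK_POLICY)
corporate.install_sa("192.168.12.1", "esp", 39, REMOTE_USER_POLICY)

# The bank gateway owns the inbound side of the same one-way SA (it chose SPI 12).
# Its own SPD is omitted here for brevity (assumption), so its outbound path fails closed.
bank = IpsecDevice([])
bank.install_sa("192.168.2.1", "esp", 12, BANK_POLICY)

if __name__ == "__main__":
    print(corporate.outbound("192.168.2.1"))        # ('apply', 12)
    print(corporate.outbound("192.168.2.7"))        # ('bypass', None)
    print(corporate.outbound("203.0.113.5"))        # ('discard', None)
    print(bank.inbound("192.168.2.1", "esp", 12))   # the 3DES/SHA tunnel policy
    print(bank.inbound("192.168.2.1", "esp", 99))   # None: unknown SPI, drop
```

Because an SA is one-way, the corporate side holds the outbound entry for SPI 12 and the bank holds the inbound one; the bank-to-corporate direction would need a second SA with its own SPI, which the example leaves out.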

SA Lifetime

Figure: SA lifetimes are either data-based or time-based.

Like passwords on your company PC, the longer you keep it, the more vulnerable it becomes.
The same is true of keys and SAs. For good security, the SA and keys should be changed
periodically.

There are two parameters:
Lifetime type: How is the lifetime measured? Is it measured by the number of bytes
transmitted or the amount of time transpired?
Duration: The unit of measure—kilobytes of data or seconds of time.

An example is a lifetime based on 10,000 KB of data transmitted or 28,800 seconds of time
expired. The keys and SAs remain active until their lifetime expires or until an external event—
such as the client dropping the tunnel—causes them to be deleted.

Step 4—IPSec Session

Figure: Host A (10.0.1.3), Router A, Router B, Host B (10.0.2.3); the IPSec session runs between Router A and Router B.
• SAs are exchanged between peers.
• The negotiated security services are applied to the traffic.

After IKE phase 2 is complete and quick mode has established IPSec SAs, traffic is exchanged
between Host A and B via a secure tunnel. Interesting traffic is encrypted and decrypted
according to the security services specified in the IPSec SA.

Step 5—Tunnel Termination

Figure: Host A (10.0.1.3), Router A, Router B, Host B (10.0.2.3); the IPSec tunnel runs between Router A and Router B.
• A tunnel is terminated by an SA lifetime timeout or if the packet counter is exceeded.
• Termination removes the IPSec SA.

IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified
number of seconds has elapsed or when a specified number of bytes has passed through the
tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are
needed for a flow, IKE performs a new phase 2 and, if necessary, a new phase 1 negotiation. A
successful negotiation results in new SAs and new keys. New SAs are usually established
before the existing SAs expire, so that a given flow can continue uninterrupted.
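The lifetime bookkeeping described under SA Lifetime and in Step 5, as an added Python example (not Cisco code): an SA is retired when either its time limit or its data limit is reached, its keys go with it, and a replacement is negotiated shortly before that so the flow continues. The 10,000 KB and 28,800 second values are the lesson's; the class names, the rekey margins, the constructed SPI values, and the explicit clock passed into every call are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Lifetime:
    """Lifetime type and duration as in the lesson: seconds of time and
    kilobytes of data.  Whichever limit is reached first expires the SA."""
    seconds: int
    kilobytes: int


@dataclass
class IpsecSa:
    spi: int
    lifetime: Lifetime
    created_at: float        # the clock is passed in so the example is deterministic
    bytes_protected: int = 0

    def protect(self, nbytes: int) -> None:
        """Account for one packet sent or received under this SA."""
        self.bytes_protected += nbytes

    def expiry_reason(self, now: float) -> Optional[str]:
        """'time', 'data', or None while the SA is still valid."""
        if now - self.created_at >= self.lifetime.seconds:
            return "time"
        if self.bytes_protected >= self.lifetime.kilobytes * 1024:
            return "data"
        return None

    def needs_rekey(self, now: float, margin_seconds: int = 120, margin_kb: int = 256) -> bool:
        """True when close enough to either limit that a replacement SA
        should be negotiated now (margins are assumptions for the example)."""
        time_left = self.lifetime.seconds - (now - self.created_at)
        data_left = self.lifetime.kilobytes * 1024 - self.bytes_protected
        return time_left <= margin_seconds or data_left <= margin_kb * 1024


class SaManager:
    """Keeps the SAs for one flow: the newest unexpired SA carries traffic,
    and expired ones are deleted together with their keys."""

    def __init__(self) -> None:
        self.sas: List[IpsecSa] = []
        self.next_spi = 1000  # constructed; real SPIs are chosen by the receiving peer

    def negotiate(self, now: float, lifetime: Lifetime) -> IpsecSa:
        """Stand-in for an IKE phase 2 (quick mode) negotiation."""
        sa = IpsecSa(self.next_spi, lifetime, now)
        self.next_spi += 1
        self.sas.append(sa)
        return sa

    def active(self, now: float) -> Optional[IpsecSa]:
        """Drop expired SAs (and their keys) and return the newest survivor."""
        self.sas = [sa for sa in self.sas if sa.expiry_reason(now) is None]
        return self.sas[-1] if self.sas else None

    def send(self, now: float, nbytes: int, lifetime: Lifetime) -> int:
        """Protect one packet and return the SPI used, rekeying ahead of expiry."""
        sa = self.active(now)
        if sa is None or sa.needs_rekey(now):
            sa = self.negotiate(now, lifetime)
        sa.protect(nbytes)
        return sa.spi


if __name__ == "__main__":
    lt = Lifetime(seconds=28800, kilobytes=10000)
    mgr = SaManager()
    print(mgr.send(0, 1500, lt))       # 1000: first interesting packet triggers negotiation
    print(mgr.send(3600, 1500, lt))    # 1000: still valid
    print(mgr.send(28740, 1500, lt))   # 1001: within the margin, new SA negotiated early
    print(mgr.send(28900, 1500, lt))   # 1001: old SA timed out and was deleted, flow continues
```

Making the clock an argument rather than calling `time.time()` is what lets the expiry and rekey paths be exercised in a test without waiting eight hours.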

Summary
This topic summarizes the key points discussed in this lesson.

Summary

• IPSec building blocks consist of AH, ESP and SA. The framework consists of IPSec protocol, encryption, authentication and the Diffie-Hellman cryptography protocol.
• VPN routers use IPSec open encryption standards to provide confidentiality. Encryption algorithms used are DES, 3DES, AES and RSA.
• HMAC provides data integrity.
• IPSec establishes origin authentication using digital signatures, peer authentication, pre-shared keys, RSA signatures and RSA-encrypted nonces.

Summary (Cont.)

• IPSec uses anti-replay mechanisms to ensure that IP packets cannot be intercepted by a third party or man-in-the-middle and then be changed and reinserted into the data stream. This is implemented in IPSec by the AH protocol and the ESP protocol. The anti-replay mechanism works by keeping track of the sequence number allocated to each packet as it arrives at the VPN endpoint.
• IPSec is a framework of open standards. IPSec spells out the messaging to secure the communications but relies on existing algorithms, such as DES, 3DES and AES, to implement the encryption and authentication. The two main IPSec framework protocols are AH and ESP. ESP and AH can be applied to IP packets in transport mode and tunnel mode.
• There are five steps in the IPSec process: interesting traffic, IKE phase 1, IKE phase 2, IPSec encrypted traffic, and tunnel termination.
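The anti-replay mechanism the summary describes, keeping track of the sequence numbers that have already arrived at the VPN endpoint, as an added Python example (not Cisco code): a fixed-size sliding window over the sequence number space of one SA, of the kind the IPSec RFCs specify for AH and ESP. The window size of 64, the class and function names, the `mac_ok` flag standing in for the HMAC check, and the constructed arrival sequence are assumptions made for the example.

```python
from typing import List, Tuple


class AntiReplayWindow:
    """Sliding window over the sequence numbers of one IPSec SA.

    Bit 0 of `bitmap` stands for `highest`, bit i for `highest - i`.  A packet
    is rejected if it was already seen (a replay) or if it is older than the
    window.  Sequence numbers start at 1; 0 is never valid."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # which of the last `size` numbers have been seen
        self.rejected = 0     # counter a defender would export to monitoring

    def _mask(self) -> int:
        return (1 << self.size) - 1

    def receive(self, seq: int, mac_ok: bool) -> bool:
        """Return True if the packet is accepted and the window is updated.

        The integrity check must pass before the window moves; otherwise a
        forged packet carrying a large sequence number could slide the window
        forward and cause legitimate traffic to be dropped as too old."""
        if not mac_ok or seq <= 0:
            self.rejected += 1
            return False
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask()
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            self.rejected += 1   # older than the window, or already seen
            return False
        self.bitmap |= 1 << offset
        return True


def replay_check(arrivals: List[Tuple[int, bool]]) -> List[bool]:
    """Run constructed (sequence number, integrity check passed) arrivals
    through one window and return the accept/reject decision for each."""
    window = AntiReplayWindow()
    return [window.receive(seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a late one, a replay, a forged one.
    arrivals = [(1, True), (2, True), (3, True), (5, True), (4, True), (3, True), (200, False)]
    print(replay_check(arrivals))   # [True, True, True, True, True, False, False]
```

Packet 4 arriving after packet 5 is accepted because the window tolerates reordering; the second copy of packet 3 is the replay the mechanism exists to stop, and the packet with a failed integrity check is refused without touching the window.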



Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) What HMAC algorithm is considered cryptographically stronger? (Source: IPSec and
Data Integrity)

Q2) Which of the following encryption algorithms is only used by IKE? (Source: IPSec and
Encryption)
A) DES Algorithm
B) 3DES Algorithm
C) Advanced Encryption Standard (AES)
D) RSA
Q3) Explain the difference between symmetric and asymmetric encryption keys. (Source:
IPSec and Encryption)

Q4) What two protocols does IPSec implement to prevent man-in-the-middle attacks?
(Choose two.) (Source: IPSec Critical Function 4 – Anti-replay)
A) Authentication Header
B) Internet Key Exchange (IKE)
C) Encapsulating Security Payload
D) Diffie-Hellman
E) Hash-based Message Authentication Code
Q5) Put the following steps in the correct order by writing 1-6 in the space provided.
(Source: IPSec Protocol Framework)

_____ 1. The peer hashes the IP header and data payload.

_____ 2. The IP header and data payload is hashed.

_____ 3. The peer compares the two hashes.

_____ 4. The hash is used to build an AH header, which is appended to the original
packet.

_____ 5. The peer extracts the transmitted hash from the AH header.

_____ 6. The new packet is transmitted to the IPSec peer.

Q6) What mode, when applied to AH and ESP, leaves the original IP address in clear?
(Source: IPSec Protocol Framework)
A) tunnel mode
B) transport mode
Q7) What are the two modes of IKE phase 1? (Choose two.) (Source: IPSec Operation)
A) main mode and aggressive mode
B) tunnel mode and transport mode
C) encrypted mode and unencrypted mode
D) secure mode and hash mode
Q8) Explain the purpose of IKE phase 1 and IKE phase 2. (Source: IPSec Operation)



Lesson Self-Check Answer Key
Q1) HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5.

Q2) D

Q3) With symmetric key encryption, each peer uses the same key to encrypt and decrypt the data. With
asymmetric key encryption, the local end uses one key to encrypt, and the remote end uses another key to
decrypt the traffic.

Q4) A and C

Q5) 2, 4, 6, 1, 5, 3

Q6) B

Q7) A

Q8) The basic purpose of Internet Key Exchange (IKE) phase 1 is to negotiate IKE policy sets, authenticate the
peers, and set up a secure channel between the peers. The purpose of Internet Key Exchange (IKE) phase 2
is to negotiate the IPSec security parameters used to secure the IPSec tunnel.

Lesson 2

Building Cisco VPN Solutions

Overview
The Cisco implementation of IPSec technology provides a wide range of virtual private network
(VPN) solutions using VPN concentrators, VPN-enabled routers, security appliances and VPN
Clients. The Cisco VPN Client provides a user interface for setting up and using a VPN. The
Cisco VPN Software Client is available as a free download for use with Cisco VPN products.
There is also a Cisco VPN 3002 Hardware Client available for specific applications.

Hardware products were introduced earlier in the course. This lesson presents an overview of
hardware deployments in various VPN solutions as well as an overview of Cisco VPN Clients.

Objectives
Upon completing this lesson, you will be able to describe how Cisco VPN concentrators, VPN-
enabled routers, security appliances and VPN Clients can be used to provide secure IPSec
VPNs. This ability includes being able to meet these objectives:
Describe how to build Cisco IPSec VPNs using Cisco VPN-enabled routers, VPN
concentrators and security appliances
Describe the features of the Cisco VPN Software Client
Describe the features of the Cisco VPN 3002 Hardware Client
Describe how to choose between the VPN Software Client or VPN 3002 Hardware Client
depending on the requirements
Describe the features of the Certicom VPN Client designed to support cell phones, PDAs
and similar wireless appliances
Describe how the Cisco VPN Client supports Smartcard technologies
Cisco IPSec VPNs
This topic describes how to build Cisco IPSec VPNs using Cisco VPN-enabled routers, VPN
concentrators and security appliances.

IPSec VPNs

Figure: IPSec tunnels across the Internet connect a central site (server) with a mobile user on dial, broadband or wireless access and with remote sites. A VPN is an encrypted connection between private networks over a public network such as the Internet.

An IPSec VPN uses IPSec to build an encrypted connection between private networks over a
public network such as the Internet. The V and N stand for virtual network. The information
from a private network is securely transported over a public network, the Internet, to form a
virtual network. The P stands for private. To remain private, the traffic is encrypted to keep the
data confidential. A VPN is a private virtual network.

There are three IPSec VPN solutions supported by Cisco products and technology:
Remote access VPN
Site-to-site VPN
Firewall-based VPN

Remote Access VPNs

Figure: Remote access clients (a telecommuter over DSL or cable, a mobile user through a POP, and an extranet consumer-to-business user) connect across the Internet to the central site router. Remote access VPN is an extension and evolution of dial-up access applications.

Remote access VPNs are targeted to mobile users and home telecommuters. In the past,
corporations supported remote users via dial-in networks, and access to the corporate network
often necessitated a toll or toll-free call. With the advent of VPNs, a mobile user can use a dial-
up or broadband connection to their ISP and then use IPSec to access the corporation via the
Internet. Remote access VPNs support the needs of telecommuters, mobile users, extranet
consumer-to-business, and so on. The ubiquity of the Internet, combined with VPN
technologies, allows organizations to cost-effectively and securely extend the reach of their
networks to anyone, anyplace, anytime.

VPNs have become the logical solution for remote access connectivity because they provide the
following:
Secure communications with access rights tailored to individual users including employees,
contractors, and partners
Enhanced productivity by extending corporate network and applications
Reduced communications costs and increased flexibility

Site-to-Site VPNs

Figure: The central site router connects over DSL, cable, a POP or the Internet to a remote site (intranet) and to business-to-business extranet partners. Site-to-site VPN is an extension of a classic WAN.

Site-to-site VPNs can be used to connect corporate sites. With Internet access, leased lines and
Frame Relay lines can be replaced with site-to-site VPNs for network connection. VPNs can
support company intranets and business partner extranets. Site-to-site VPN is an extension of
the classic WAN.

Firewall-Based VPN Solutions

Figure: A central site firewall connects over the Internet to a remote site (intranet) and to business-to-business extranet partners. Firewall-based VPNs support remote access VPNs and site-to-site VPNs.

The last solution is based on the capabilities of existing firewalls that can support both remote
access and site-to-site VPN requirements. Firewall-based VPN solutions are chosen more for
management reasons than for technical ones. The deciding question is who manages the VPN
network: the owner or the service provider. If corporate security manages the VPN network, a
firewall-based VPN may be the VPN solution of choice. Corporations can enhance their
existing firewall systems to support VPN services.

Building Cisco IPSec VPNs

Product Choice | Remote Access VPN | Site-to-Site VPN
VPN 3000 Series Concentrator | Primary role | Secondary role
VPN-Enabled Router | Secondary role | Primary role
PIX Security Appliance | Enhance your existing PIX Security Appliance with the VPN remote access solution. | The security organization owns the VPN solution.

Three product groups support VPN technology. These are shown in the left column of the table
in the figure. The top row of the matrix shows the two VPN applications. You can select the
most appropriate product using this matrix. For example, if your primary requirement is for a
site-to-site VPN that allows for some remote access, a VPN-enabled router is the appropriate
product choice. Similarly, if the primary need is to provide remote access VPN with some site-
to-site connectivity, a VPN 3000 Series concentrator is the product of choice. The “VPN
Products” table provides details of available product choices.

VPN Products

VPN Application | Appropriate Cisco Product Choice
Dedicated VPN | Cisco VPN 3000 Series concentrators for remote access; Cisco 7200 Series routers
VPN-enabled routers series | Cisco SOHO 70 Series and 800 Series routers; Cisco 1700 Series and 2600 Series routers; Cisco 3700 Series and 3600 Series routers; Cisco ISR 1800 Series, 2800 Series and 3800 Series routers; Cisco 7200 Series and 7400 Series routers; Catalyst 6500 Series switch or Cisco 7600 Series router
Firewall VPN | PIX 500 Series of security appliances

Remote Access VPNs—VPN 3000 Series Concentrator

Figure: Hardware and software VPN Clients at remote sites (telecommuters, mobile users, customers and partners) connect through a POP and the Internet to Cisco VPN 3000 Concentrators at the central site. Remote access connections use dial-up, broadband or wireless from remote sites, users, customers and partners.

The Cisco VPN 3000 Series concentrator provides a family of purpose-built, remote access
VPN platforms and VPN Client software that incorporates high availability, high performance,
and scalability with the most advanced encryption and authentication techniques available
today. The Cisco VPN 3000 Series concentrator is unique to the industry because it is the only
scalable platform to offer field-swappable and customer-upgradeable components. These
components, called Scalable Encryption Processing (SEP) modules, enable companies to easily
add capacity and throughput.

The Cisco VPN Client software with unlimited distribution licensing is provided with all
versions of the Cisco VPN 3000 Series concentrator. The Cisco VPN 3000 Series concentrator
is available in redundant or load-balancing configurations, which enables customers to build the
most robust, reliable, and cost-effective VPNs possible.

The Cisco VPN 3002 Hardware Client is a network appliance that is used to connect small
office home office (SOHO) LANs to the VPN. This appliance comes in either a single port or
eight-port switch version. The VPN 3002 Hardware Client replaces traditional VPN Client
applications on individual SOHO computers.

Concentrators, Cisco VPN-enabled routers and PIX Security Appliances can communicate with
three types of IPSec clients:
The Certicom IPSec Client: This client is a wireless client that is loaded on wireless
personal digital assistants (PDAs) such as the Palm operating system, HP Jornada, Compaq
iPAQ, and so on.
The Cisco VPN Software Client: This client is a software client that is loaded on an
individual PC.
The Cisco VPN 3002 Hardware Client: This client is a standalone client that is located in
small offices and home offices.

Cisco VPN 3000 Series Concentrator Positioning

Figure: A VPN 3005 or 3015 Concentrator at a branch office, VPN 3030 Concentrators at regional offices, and a VPN 3060 or 3080 Concentrator at the central site, all connected through the Internet.

Cisco VPN 3000 Series concentrators consist of the following models:
Cisco VPN 3005 Concentrator and VPN 3015 Concentrator:
— Appropriate for a small branch office
— Supports up to 100 simultaneous sessions
Cisco VPN 3030 Concentrator:
— Appropriate for a regional office
— Supports up to 1,500 simultaneous sessions
Cisco VPN 3060 Concentrator:
— Appropriate for a large central site
— Supports up to 5,000 simultaneous sessions
Cisco VPN 3080 Concentrator:
— Appropriate for a large central site or ISP
— Supports up to 10,000 simultaneous sessions

Scalable Site-to-Site VPN Router Solutions

Figure: A main office, a remote office, a branch office and a small office/home office connected through the Internet.
• Cisco 1700 Series routers and 1800 Series ISRs: VPN-enabled routers that connect remote offices at T1/E1 speeds
• Cisco 7000 Series routers and 3800 Series ISRs: VPN-enabled routers that connect dedicated VPN head-end and hybrid private WAN and VPNs
• Cisco 2600 Series, 3600 Series, 3700 Series routers, and 1800 Series and 2800 Series ISRs: VPN-enabled routers that connect branch and regional offices at nxT1/E1 speeds
• Cisco SOHO Series, 800 Series, and 900 Series routers: VPN-enabled routers to connect ISDN, DSL, and cables

Site-to-site VPNs provide cost benefits relative to private WANs and enable new applications
such as extranets. However, site-to-site VPNs are still an end-to-end network and are subject to
the same requirements such as scalability, reliability, security, multi-protocol, and so on, that
exist in the private WAN. Because VPNs are built on a public network infrastructure, they have
additional requirements such as heightened security and advanced quality of service (QoS)
capabilities, and a set of policy management tools to manage these additional features.

The Cisco suite of VPN-enabled routers covers a range of VPN applications, from telecommuter
applications using the Cisco 800 Series routers to enterprise headquarters applications using the
Cisco 3745 Router. VPN-enabled routers provide VPN solutions for hybrid VPN environments
where modularity, port density, and flexibility are required for private WAN aggregation and
other classic WAN applications. Cisco IOS Software running in Cisco routers combines rich
VPN services with industry-leading routing to deliver a comprehensive solution. These Cisco
VPN-enabled products provide high performance for site-to-site, intranet, and extranet VPN
solutions.



Cisco VPN Software Client
This topic describes the features of Cisco VPN Software Client.

Client Support

Figure: A client establishes a secure VPN session across the Internet to the corporate office (web server and file server).
Clients: Windows, Linux, Solaris, Mac, Certicom
Access media: analog, ISDN, DSL, cable, wireless
Tunneling protocols: IPSec, L2TP over IPSec, PPTP, L2TP

The Cisco VPN Client is simple to deploy and operate, and allows organizations to establish
end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or
teleworkers. This thin-design IP Security (IPSec) implementation is compatible with all Cisco
VPN products.

The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require
little user intervention. The Cisco VPN Client supports Windows 98, ME, NT 4.0, 2000, XP;
Linux (Intel); Solaris (UltraSparc 32- and 64-bit); and Mac OS X, 10.1, and 10.2. The Cisco
VPN Client is compatible with the following Cisco products:

Cisco VPN 3000 Series Concentrators
Cisco IOS Software releases 12.2(8)T and higher
Cisco PIX Software version 6.0 and higher

The Cisco VPN Client is included with all models of Cisco VPN 3000 Concentrators and most
Cisco PIX 500 Security Appliances.

Cisco VPN Windows Software Client

• Works on Windows 98 and higher
• Works with VPN 3000 Concentrator, PIX and IOS routers 12.2(8)T and higher

The Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for
secure connectivity for mobile employees or teleworkers. This thin-design IPSec
implementation is compatible with all Cisco VPN products and is simple to deploy and operate.

The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require
little user intervention. It supports the Cisco Easy VPN capabilities, which deliver uniquely
scalable, cost-effective, and easy-to-manage remote access VPN architectures that eliminate the
operational costs associated with maintaining a consistent policy and key management method.

Cisco VPN Windows Client—Firewall Features

Figure: Are You There (AYT): the concentrator asks the client across the Internet whether a firewall is running, and the client answers yes. Centralized Protection Policy (CPP): the concentrator pushes the CPP to the client across the Internet.

The Cisco VPN Client (Windows) offers support for a firewall feature. The firewall feature is
designed to enhance security for Microsoft Windows-based PCs running the Cisco IPSec Client
Release 3.5 and higher. The feature is applied in one of the following three modes:
• Are you there (AYT): For security reasons, a network administrator may require remote
PCs to be running a firewall application before allowing VPN tunnels to be built. The AYT
feature verifies the presence of a firewall and reports that information back to the
concentrator. Depending on the PC response, the concentrator can permit or deny the PC
IPSec tunnel.
• Stateful firewall (always on): The stateful firewall module can only be enabled or
disabled by the remote client. With this mode, a default policy is loaded on the firewall.
The default firewall filter blocks all traffic inbound (to the client) that is not related to an
outbound session (from the client). Once the user enables the stateful firewall, it is always
on, even when there are no established VPN tunnels.
• Centralized protection policy (CPP): Enables network administrators to define a set of
rules (policies) to allow or drop traffic on connected VPN Clients. These policies are
pushed from the concentrator to the Cisco VPN Client (Windows) at connection time. The
VPN Client passes this policy to the firewall module on the client PC. The concentrator can
push policy to the Cisco Integrated Client (CIC) firewall and to the Zone Labs ZoneAlarm and
ZoneAlarm Pro firewall applications. CPP is only enforced while the Cisco VPN Client is
connected.
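The three modes above can be modelled as one small filter so that the order of precedence and the lifetime of each policy is visible. This is an added example, not Cisco code: the stateful module keeps a table of outbound sessions and admits inbound packets only when they match one in reverse; the CPP rule list is installed at connect time and discarded at disconnect; and a concentrator-side AYT decision admits the tunnel only when the PC reports a firewall. The packets, addresses, and the "no Telnet" CPP rule are constructed sample data.

```python
"""Model of the three Cisco VPN Client firewall modes described above.

Added example, not Cisco code: it simulates the stateful "always on"
default filter, a CPP rule set pushed by the concentrator and enforced
only while the tunnel is up, and the concentrator's AYT decision.
Packets and rules below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving the client PC, "in" = arriving at it


@dataclass(frozen=True)
class Rule:
    """One CPP rule: a protocol/destination/port pattern and an action."""
    action: str                # "permit" or "drop"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto in ("any", pkt.proto))
                and (self.dst in ("any", pkt.dst))
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class ClientFirewall:
    stateful_enabled: bool = True                 # only the remote user can toggle this
    tunnel_up: bool = False
    cpp_rules: List[Rule] = field(default_factory=list)
    sessions: Set[Tuple] = field(default_factory=set)   # outbound 5-tuples seen so far

    def connect(self, pushed_rules: List[Rule]) -> None:
        """Tunnel established: the concentrator pushes CPP at connection time."""
        self.tunnel_up = True
        self.cpp_rules = list(pushed_rules)

    def disconnect(self) -> None:
        """CPP is enforced only while connected, so the pushed rules are discarded."""
        self.tunnel_up = False
        self.cpp_rules = []

    def filter(self, pkt: Packet) -> str:
        # CPP: the concentrator's rules take precedence while the tunnel is up
        if self.tunnel_up:
            for rule in self.cpp_rules:
                if rule.matches(pkt):
                    return rule.action
        if not self.stateful_enabled:
            return "permit"
        # Stateful default policy: outbound creates state; inbound must match it in reverse
        if pkt.direction == "out":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.sessions else "drop"


def concentrator_admits(firewall_reported: bool, require_firewall: bool = True) -> bool:
    """AYT: the concentrator permits the IPSec tunnel only if the PC reports a firewall."""
    return firewall_reported or not require_firewall


def demo() -> dict:
    """Run constructed traffic through the model and collect each decision."""
    fw = ClientFirewall()
    client, server = "10.0.1.20", "10.0.1.10"
    web_out = Packet("tcp", client, 40000, server, 80, "out")
    web_reply = Packet("tcp", server, 80, client, 40000, "in")
    unsolicited = Packet("tcp", server, 445, client, 445, "in")
    telnet_out = Packet("tcp", client, 40001, server, 23, "out")
    results = {
        "ayt_no_firewall": concentrator_admits(firewall_reported=False),
        "ayt_firewall": concentrator_admits(firewall_reported=True),
        "stateful_out": fw.filter(web_out),
        "stateful_reply": fw.filter(web_reply),
        "stateful_unsolicited": fw.filter(unsolicited),
    }
    fw.connect([Rule("drop", proto="tcp", dport=23)])   # constructed CPP rule: no Telnet
    results["cpp_telnet_connected"] = fw.filter(telnet_out)
    fw.disconnect()
    results["cpp_telnet_disconnected"] = fw.filter(telnet_out)
    return results
```

Note that the stateful module keeps its session table whether or not a tunnel exists, which is why the Telnet packet is permitted again after `disconnect()`: CPP has gone, but the stateful "always on" policy still treats it as an outbound session.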

Cisco VPN Software Clients for Linux, Solaris and Mac

[Figure: Cisco VPN Solaris and Linux Clients; Cisco VPN Mac OS X Client GUI with certificate management, profile management, connection management, and log management]

The Cisco VPN Client software base has expanded to include the Linux, Solaris, and Mac
operating systems. The system requirements for Linux, Solaris, and Mac are listed in the
"System Requirements" table.

System Requirements

Requirement             Linux                           Solaris UltraSPARC              Mac
Operating System (OS)   Red Hat version 6.2 Linux       32-bit or 64-bit Solaris        Mac OS X version 10.1.0
                        (Intel), or compatible          kernel operating system         or later
                        distribution, using kernel      version 2.6 or later
                        version 2.2.12 or later
Connection Type         Point-to-Point Protocol (PPP)   PPP and Ethernet                Ethernet only
                        and Ethernet
Tunneling Protocol      IPSec                           IPSec                           IPSec
User Authentication     RADIUS, Rivest, Shamir, and     RADIUS, RSA SecurID, Windows    RADIUS, RSA SecurID, Windows
                        Adleman (RSA) SecurID,          NT Domain, VPN internal user    NT Domain, VPN internal user
                        Windows NT Domain, VPN          list, and PKI digital           list, and PKI digital
                        internal user list, and         certificates                    certificates
                        Public Key Infrastructure
                        (PKI) digital certificates
VPN Client              Command line only               Command line only               GUI and command-line
Administration                                                                          interface (CLI)
Hard Disk Space         50 MB                           50 MB                           50 MB
Memory                  32 MB                           32 MB



Cisco VPN 3002 Hardware Client
This topic describes the features of the Cisco VPN 3002 Hardware Client.

[Figure: Cisco VPN 3002 Hardware Client. VPN 3002 and VPN 3002-8E panels showing Power, Public, Private, Hardware Reset, and Console]

The Cisco VPN 3002 Hardware Client has built-in client software. This feature enables the
VPN 3002 Hardware Client to emulate the Cisco VPN 3000 Software Client. With the VPN
3002 Hardware Client, you can plug in remote site PCs instead of having to load the Cisco
VPN Client software or additional applications on remote site PCs.

There are two versions of the Cisco VPN 3002 Hardware Client:
• 3002: One private and one public interface
• 3002-8E:
— One public interface, and the private interface is a built-in 8-port 10/100BaseT
Ethernet switch (the switch is locked in and not configurable)
— Auto MDIX, which eliminates crossover cables

There are two modes of operation for the Cisco VPN 3002 Hardware Client:
• In client mode, the hardware client uses port address translation (PAT) to hide its private
network. PCs connected behind the VPN 3002 Hardware Client are invisible to the outside.
• In network extension mode, the PCs connected behind the VPN 3002 Hardware Client are
uniquely addressable behind this hardware client. Most companies use the VPN 3002
Hardware Client in network extension mode because it enables the benefits of a site-to-
site VPN.

Choosing a VPN Client
This topic describes how to choose between the Cisco VPN Software Client and the Cisco VPN
3002 Hardware Client, depending on the requirements.

[Figure: VPN Hardware Client vs. VPN Software Client (SOHO)]
Software Client:
• Used by a road warrior
• Loaded on an individual PC
• Only supports an individual device
• The tunnel is launched by a user.
Hardware Client:
• Small office or home office
• Built into hardware (the end user does not have to touch a PC)
• Supports multiple devices behind the hardware client
• The hardware client launches a tunnel automatically.

You must decide which Cisco VPN Client to employ in the network. You can employ a
hardware client, a software client, or both. The two following fictitious companies are
characterized to better explain the clients:
• Delicious Donuts: If you have a customer who wants to take advantage of the savings of a
VPN and has 10,000 small office/home office (SOHO) sites within the US, you would
choose the Cisco VPN 3002 Hardware Client. The Cisco VPN Software Client is built into
this hardware client. It can be preconfigured and sent to remote offices, where it can be
plugged in to the local LAN and is ready to go. The VPN 3002 Hardware Client supports
multiple devices on the local LAN, and no applications must be loaded on any of the local
PCs. The VPN 3002 Hardware Client is smart enough to launch a tunnel for any traffic
bound for the corporate network.
• MetaRay System Engineers: You have a company that has system engineers (road
warriors) who need to call back to the home office while on the road. To do so, they would
use the Cisco VPN Software Client, because the system engineer can load this software
client on the PC and launch it only when it is necessary. The Cisco VPN 3002 Hardware
Client is not feasible because the system engineer would need to physically carry it
wherever they go.



Certicom VPN Client Support
This topic describes the features of the Certicom VPN Client designed to support cell phones,
personal digital assistants (PDAs) and similar wireless appliances.

[Figure: Certicom VPN Client Support. A Certicom IPSec VPN Client builds a tunnel across the Internet to a VPN 3000 concentrator at the corporate network]

Certicom offers technology through the original equipment manufacturer (OEM) model of
embedding security solutions in a wide variety of third-party products. They have implemented
an IPSec client to run on cell phones, personal digital assistants (PDAs), and similar wireless
appliances. When these devices perform standard IPSec, it is very CPU-intensive. Diffie-
Hellman (DH) groups 1 and 2 take minutes to generate a key. Because of this, Certicom
developed DH Group 7, Elliptic Curve Cryptography (ECC) support, to provide a key that can
be generated in a short time (less than five seconds).

You must have the following to use Certicom VPN Client support:
• Certicom VPN Client software
• ECC (DH Group 7) protocol
• A concentrator to terminate an IPSec client-to-LAN tunnel

However, the Certicom Client does not support load balancing, because load balancing requires
the client to accept and interpret IKE redirect messages.

Cisco VPN Client Smartcard Support
This topic describes how the Cisco VPN Client supports Smartcard technologies.

[Figure: Cisco VPN Client (Windows)—Smartcard Support. A digital certificate stored on a Smartcard is used for the connection across the Internet]

A Smartcard can be used to store information, such as a digital certificate. Most digital
certificates are stored on a computer, but with a Smartcard, you can bring your authentication
with you (the user, not just the computer, can be authenticated). To use a Smartcard, a user
must have a Smartcard reader, and the driver software required to support the Smartcard reader,
installed on their computer. The Smartcard is inserted into the reader and the user provides a
PIN to gain access to the card. Smartcards do not replace digital certificates; they act as a
secure and portable storage mechanism for digital certificates. The Cisco VPN Client
(Windows) supports Gemplus, Aladdin, and ActivCard Smartcards.



Summary
This topic summarizes the key points discussed in this lesson.

Summary

• Cisco provides VPN solutions using VPN concentrators, VPN-enabled routers, security
appliances and VPN clients to build remote access, site-to-site and firewall-based IPSec VPNs.
• The Cisco VPN Client supports a range of operating systems, access media and tunneling
protocols.
• The Cisco VPN 3002 Hardware Client eliminates the need for remote clients to load VPN
software to meet the needs of some branch office applications.
• Factors affecting the choice of software or hardware clients center primarily on the
mobility and flexibility of users.
• Certicom technology embeds an IPSec client in cell phones, personal digital assistants
(PDAs), and similar wireless appliances.
• The Cisco VPN Client Smartcard acts as a secure and portable storage mechanism for
digital certificates.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which of the following types of VPN networks is best when corporate security manages
the VPN network? (Source: Cisco IPSec VPNs)
A) remote access VPN network
B) site-to-site VPN network
C) firewall-based VPN network
D) IPSec VPN
Q2) If the primary role is to perform as a remote access VPN with a few site-to-site
connections, which of the following products is the best choice? (Source: Cisco IPSec
VPNs)
A) VPN-enabled router
B) PIX Security Appliance
C) Cisco VPN 3000 Series concentrator
D) Cisco VPN 3002
Q3) What are the primary roles of Cisco VPN concentrators and VPN-enabled routers?
(Source: Cisco IPSec VPNs)

Q4) What Cisco products are supported by the Cisco VPN Client? (Source: Cisco VPN
Software Client)

Q5) Describe the ‘are you there’ (AYT) firewall feature of the Cisco VPN Client. (Source:
Cisco VPN Software Client)

Q6) What are the uses for the two modes of operation for a Cisco VPN 3002 Hardware
Client? (Source: Cisco VPN 3002 Hardware Client)

Q7) Explain the use of a Smartcard to store digital certification information. (Source: Cisco
VPN Client Smartcard Support)




Lesson Self-Check Answer Key
Q1) C

Q2) C

Q3) Although VPN concentrators can be configured to provide site-to-site VPNs, they are best suited to support
remote access VPNs. Site-to-site VPN requirements are best met using VPN-enabled routers.

Q4) The Cisco VPN Client supports Cisco VPN 3000 Series Concentrators, Cisco IOS Software releases
12.2(8)T and higher, and Cisco PIX Software version 6.0 and higher.

Q5) The AYT feature verifies that remote PCs are running a firewall before allowing a VPN connection.

Q6) Unlike most digital certificates that are stored on a computer, with a Smartcard, you bring your
authentication with you (the user, not just the computer, can be authenticated). To use a Smartcard, a user
must have a Smartcard reader and driver software required to support the Smartcard reader installed in
their computer. When a Smartcard is inserted in to the reader, the user must know a PIN to gain access to
the card. Smartcards do not replace digital certificates; they act as a secure and portable storage mechanism
for them.

Q7) Client mode is used to hide the private network. The network extension mode allows hosts that are
connected behind the client to be addressable, thus providing the benefits of a site-to-site VPN.

Lesson 3

Completing the Quick Configuration of a Cisco VPN 3000 Series Concentrator

Overview
Integrated Web-based management on Cisco VPN 3000 Series concentrators provides a simple
interface to configure and monitor all remote-access users. This lesson explains how to
complete basic configuration tasks with the Quick Configuration feature embedded in the Cisco
VPN 3000 Concentrator Series Manager.

Objectives
Upon completing this lesson, you will be able to configure a Cisco VPN 3000 Series
concentrator for remote access using the Quick Configuration feature. This ability includes
being able to meet these objectives:
• Describe how a remote-access VPN can be implemented with the Cisco VPN 3000 Series
concentrator and the Cisco VPN Software Client
• Complete the Quick Configuration tasks using the Cisco VPN 3000 Concentrator Series
Manager
• Describe the Cisco VPN 3000 Concentrator Series Manager GUI

Implementing a Remote Access VPN
This topic describes how a remote-access VPN can be implemented with the Cisco VPN 3000
Series concentrator and the Cisco VPN Software Client.

[Figure: Remote Client-to-LAN Access. Telecommuters connect through an Internet service provider and the Internet to the corporate office file server and web server]

Consider the following scenario. Remote users need to dial into the corporate office and access
e-mail, corporate presentations, order entry, and engineering. In addition, Corporate
Information Services wants remote users to access corporate resources fast, inexpensively, and
as securely as possible.

Implementing a remote-access virtual private network (VPN) with the Cisco VPN 3000 Series
concentrator and the Cisco VPN Software Client is the right choice. A remote-access VPN
enables remote users to access the corporate resources they require. With this choice, Corporate
Information Services can meet their speed, expense, and security requirements.

[Figure: IPSec Client-to-LAN Components. A telecommuter with the Cisco VPN Client uses dial access with PPP connectivity to the ISP and an IPSec tunnel or session across the Internet to the Cisco VPN 3000 Series Concentrator and application server. Components: client software, PPP, IPSec standards, VPN concentrator]

The Client-to-LAN VPN consists of the following four components:
• IPSec client software: The IPSec client software is not native to the Microsoft Windows
operating system and must be loaded on the PC. Once loaded, it is used to encrypt,
authenticate, and encapsulate data. IPSec client software also terminates one end of the
tunnel.
• PPP: For dial-up remote access applications, the PC relies on PPP to establish a dial-up
modem connection to the local ISP for Internet access. For ease of explanation, this
component also covers the connection options used by broadband service providers,
including static IP addresses, Dynamic Host Configuration Protocol (DHCP), Layer Two
Tunneling Protocol (L2TP), Point-to-Point Protocol over ATM (PPPoA), and Point-to-Point
Protocol over Ethernet (PPPoE).
• IPSec standards: After the ISP authenticates the remote user, the user launches the IPSec
client. IPSec establishes a secure tunnel or session through the Internet to the concentrator.
• Concentrator: The concentrator terminates the opposite end of the tunnel. The
concentrator decrypts, authenticates, and de-encapsulates the data.



[Figure: IPSec Client-to-LAN Tunneling. Telecommuter with the Cisco VPN Client: network adapter (NIC) IP address 192.168.1.5, client virtual IP address 10.0.1.20. Cisco VPN 3000 Series Concentrator: VPN public IP address 172.26.26.1, VPN private IP address 10.0.1.5. Application server 10.0.1.10. The packet on the Internet carries the outer header 192.168.1.5 to 172.26.26.1, ESP, the inner header 10.0.1.20 to 10.0.1.10, and the data.]

In the figure, a telecommuter needs to access information on the corporate server, which has the
IP address 10.0.1.10. The source address is the virtual IP address of the client (10.0.1.20). The
concentrator or a Dynamic Host Configuration Protocol (DHCP) server usually supplies the
virtual IP address to the software client, which gives the client the appearance of being
resident on the VPN.

Any data flowing from the server to the client must be protected as it traverses the Internet.
Therefore, information flowing between the server and the software client is encrypted,
authenticated, and encapsulated using the Encapsulating Security Payload (ESP) header to
maintain confidentiality and data integrity.

However, this practice presents an issue. If the payload is encapsulated and encrypted, the
routers in the Internet are unable to read the source and destination addresses of the packet and
are unable to route the packet. To solve this problem, tunnel mode is used with an additional IP
header added to the ESP-encapsulated data. In this way, client-to-server data is sent over the
Internet using an IP-in-IP encapsulation. The outside IP header is used to route the information
through the network using a routable address. The source address is the network interface card
(NIC) of the client’s PC. The destination address is the public interface of the concentrator.
Upon receipt, the concentrator strips the outer IP header, decrypts the data, and forwards the
packet according to the inside IP destination address.
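The IP-in-IP framing described above can be built and taken apart byte by byte. The following is an added example, not Cisco code or an IPSec implementation: it constructs the inner packet from the client's virtual address (10.0.1.20) to the server (10.0.1.10), wraps it in an ESP payload, and prepends the routable outer header from the client NIC (192.168.1.5) to the concentrator's public interface (172.26.26.1). The concentrator side then does what the text says: strips the outer header, verifies integrity, decrypts, and reads the inside destination. The cipher is a stand-in (an HMAC-SHA256 keystream in counter mode, XORed in) rather than a negotiated IPSec transform, and the SPI, keys, and HTTP payload are constructed values; a replay check on the sequence number is included because a concentrator must reject re-sent packets.

```python
"""Tunnel-mode ESP framing of the client-to-server packet in the figure.

Added example, not Cisco code. Inner packet 10.0.1.20 -> 10.0.1.10, ESP,
outer header 192.168.1.5 -> 172.26.26.1. The cipher is a stand-in keystream
(HMAC-SHA256, counter mode), not an IPSec transform; SPI, keys and payload
are constructed values.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_IPIP = 4          # ESP next-header value for an IPv4 packet carried in tunnel mode
ICV_LEN = 16              # truncated HMAC, as IPSec integrity algorithms do


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, header_len); rejects non-IPv4 and bad checksums."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    hlen = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:hlen]) != 0:
        raise ValueError("bad IP header checksum")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], hlen


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher: PRF output in counter mode, not the negotiated IPSec cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]


def make_sa() -> dict:
    """Constructed security association; in practice IKE negotiates these values."""
    return {"spi": 0x1000ABCD, "enc_key": b"constructed-32-byte-encrypt-key!",
            "auth_key": b"constructed-auth-key", "seq": 0, "last_seq": 0}


def client_send(app_payload: bytes, sa: dict) -> bytes:
    """Client side: inner packet from the virtual address, ESP, then the routable outer header."""
    inner = ipv4_header("10.0.1.20", "10.0.1.10", 6, len(app_payload)) + app_payload
    sa["seq"] += 1
    iv = struct.pack("!Q", sa["seq"])                    # fresh IV per packet: never reuse keystream
    pad_len = (-(len(inner) + 2)) % 4                    # ESP trailer keeps 4-byte alignment
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(sa["enc_key"], iv, len(plaintext))))
    body = struct.pack("!II", sa["spi"], sa["seq"]) + iv + ct
    icv = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header("192.168.1.5", "172.26.26.1", IPPROTO_ESP, len(body) + ICV_LEN) + body + icv


def router_view(packet: bytes):
    """What an Internet router can act on: the outer header only."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto


def concentrator_receive(packet: bytes, sa: dict):
    """Concentrator side: strip outer header, authenticate, check replay, decrypt, read inner header."""
    _, outer_dst, proto, hlen = parse_ipv4(packet)
    if proto != IPPROTO_ESP or outer_dst != "172.26.26.1":
        raise ValueError("not ESP addressed to this concentrator")
    body, icv = packet[hlen:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):          # authenticate before anything else
        raise ValueError("ICV mismatch: packet altered in transit")
    if seq <= sa["last_seq"]:
        raise ValueError("replayed sequence number")
    sa["last_seq"] = seq
    iv, ct = body[8:16], body[16:]
    pt = bytes(c ^ k for c, k in zip(ct, keystream(sa["enc_key"], iv, len(ct))))
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected inner protocol")
    inner = pt[:len(pt) - 2 - pad_len]
    in_src, in_dst, _, in_hlen = parse_ipv4(inner)
    return in_src, in_dst, inner[in_hlen:]               # forwarded by the inside destination


def rejected(packet: bytes, sa: dict) -> bool:
    """True if the concentrator refuses the packet (shows replay and tamper handling)."""
    try:
        concentrator_receive(packet, sa)
        return False
    except ValueError:
        return True
```

The ordering in `concentrator_receive` is deliberate: the integrity check runs before the replay window is advanced, so a forged packet with a high sequence number cannot lock out the legitimate sender, and the inner header is parsed only after the payload has been authenticated and decrypted.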

Cisco VPN Software Client
for Windows

[Figure: Cisco VPN Software Client for Windows, installed on a Windows system]

Recall that the Cisco VPN Software Client for Windows works with the concentrator to create a
secure connection, called a tunnel, between your computer and the private network. Internet
Key Exchange (IKE) and IPSec tunneling protocols are used to make and manage the secure
connection.

Some of the operations that the Cisco VPN Software Client for Windows performs may be
invisible to you. These operations include the following:
• Negotiating tunnel parameters such as addresses, algorithms, lifetime, and so on
• Establishing tunnels according to the parameters
• Authenticating users through usernames, group names, passwords, and digital certificates
• Establishing user access rights such as hours of access, connection time, allowed
destinations, allowed protocols, and so on
• Managing security keys for encryption and decryption
• Establishing the IPSec session
• Authenticating, encrypting, and decrypting data through the tunnel



Completing Quick Configuration of a Cisco VPN
3000 Series Concentrator
This topic describes how to complete the Quick Configuration tasks using the Cisco VPN 3000
Concentrator Series Manager.

[Figure: Configuration Tasks. The ten Quick Configuration steps, from setting the system time from the console (Step 1) to saving the configuration file (Step 10); each step is described in the text that follows]

When the concentrator is powered on for the first time, the factory default configuration boots
up and a Quick Configuration option is offered. The data requested by the Quick Configuration
mode is enough to make the concentrator operational. Once you have the basic configuration
entered through this mode, you can fine-tune the configuration through normal menu options.

The VPN Concentrator Series Manager (also known as the Manager) is an HTML-based
interface that lets you configure, administer, monitor, and manage the concentrator with a
standard web browser. To use it, you need only to connect to the concentrator using a PC and
browser on the same private network as the concentrator.

The initial configuration requires Steps 1 and 2 to be completed from the console.

Step 1 From the console, set the system time, date, and time zone.

Note IP addresses are not preprogrammed into the concentrator at the factory. Use the console
port to enter the IP address of the VPN private interface. The serial console port must be
configured for 9600 bps, 8 data bits, no parity, and 1 stop bit (8N1). When the address has
been programmed, the operator can access the concentrator via the browser.

Step 2 From the console, configure the concentrator Ethernet 1 interface to your private
network. From this point you can use a browser to complete Quick Configuration
with the VPN 3000 Concentrator Series Manager. Although you can continue with
the console, we recommend using a browser.

Once these steps are completed, the concentrator is rebooted and options for continuing the
configuration using the CLI or the Quick Configuration option are presented. The following
steps can be completed using Quick Configuration and its GUI:

Step 3 Configure the other Ethernet interfaces that are connected to a public network or an
additional external network.
Step 4 Enter system identification information: system name, date, time, DNS, domain
name, and default gateway.
Step 5 Specify tunneling protocols and encryption options.
Step 6 Specify methods for assigning IP addresses to clients as a tunnel is established.
Step 7 Choose and identify the user authentication server: the internal server, RADIUS,
Windows NT Domain, SDI, or Kerberos (or Active) Directory.
Step 8 If using the internal authentication server, populate the internal user database.
Step 9 Change the admin password for security.
Step 10 Save the configuration file. When you complete this step, Quick Configuration is
done.



[Figure: VPN 3000 Concentrator Series Configuration Manager, the screen shown after Steps 1 and 2 are completed]

Once Steps 1 and 2 have been completed and the concentrator has been rebooted, the screen
shown in the figure appears. At this point, the concentrator can be configured via Quick
Configuration or via the main menu. This lesson focuses on the Quick Configuration option.

Quick Configuration enables you to configure the minimum parameters for operation and
automatically enables remote IPSec client connections via an ISP for a single user group. The
main menu is used to add additional IPSec user groups and to configure all features
individually. Using Quick Configuration, an IPSec remote access application can be
programmed by accessing six windows. Using the main menu, the same application requires
the operator to access 12 or more windows.

Note You can run Quick Configuration only once. You must reboot to the factory default
configuration to run it again.

[Figure: Step 3—Configure IP Interfaces. Ethernet 1 (Private IP Address) 10.0.3.5; Ethernet 2 (Public IP Address) 192.168.4.5]

In this example, the private LAN interface was initially configured using the CLI. To configure
the public LAN interface (toward the Internet), click the public interface hyperlink to access the
public interface configuration window.

The figure contains an example of the first Quick Configuration window. It displays the current
configuration of the following IP interfaces:
• Private (Ethernet 1): Interface toward the internal network
• Public (Ethernet 2): Interface toward the public network (Internet)
• External (Ethernet 3): Interface toward the external network or DMZ



[Figure: Step 3 (Cont.)—Configure Public IP Interface. Ethernet 1 (Private IP Address) 10.0.3.5; Ethernet 2 (Public IP Address) 192.168.1.5]

The window displayed in the figure is used to configure the public IP interface. The public IP
interface can be configured in one of the following three ways: disabled, set as a DHCP client,
or configured to use a static IP address. The public IP interface parameters are as follows:
• Disabled radio button: This radio button disables the interface.
• DHCP Client radio button: This radio button enables this interface and uses DHCP to
obtain an IP address. In the System Name field, you can enter a name (such as VPN01) for
the concentrator. This name must uniquely identify this device on your network.
• Static IP Addressing radio button: This radio button enables this interface and sets the
static IP address. The IP Address field is where the IP address for this interface is entered.
Use dotted decimal notation (for example, 192.168.1.5). Ensure that no other device is
using this address on the network. The Subnet Mask field is where the subnet mask for this
interface is entered. Use dotted decimal notation (for example, 255.255.255.0). The
Manager automatically supplies a standard subnet mask appropriate for the IP address you
just entered. For example, the IP address 192.168.1.5 is a Class C address, and the standard
subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is
not allowed.
• Public Interface check box: A public interface is an interface to a public network, such as
the Internet. For example, you must configure a public interface before you can configure
NAT and IPSec LAN-to-LAN. You should designate only one concentrator interface as a
public interface. If the interface is a public interface, check the Public Interface check box.
• MAC Address field: This field displays the MAC address for this interface.
• Filter drop-down menu: Click this menu arrow and choose the public (default) filter, which
allows only non-source-routed inbound and outbound tunneling protocols and Internet
Control Message Protocol (ICMP). The public filter is the default filter for Ethernet 2
(Public Interface).
• Speed drop-down menu: Keep the default value to let the concentrator automatically
detect and set the appropriate speed, either 10 or 100 Mbps (default). Ensure that the port
on the active network device (hub, switch, router, and so on) to which you connect this interface
is also set to automatically negotiate the speed. Otherwise, choose the appropriate fixed
speed.
• Maximum transmission unit (MTU) field: The MTU value specifies the packet size, in
bytes, for the interface. Valid values range from 68 to 1500. The default value, 1500, is the
MTU for Ethernet.



[Figure: Step 4—Enter System Information (Configuration>Quick>System Info window)]

To configure basic information about the Cisco concentrator, use the
Configuration>Quick>System Info window and complete the following fields:
• System Name: Enter a name (such as VPN01) for the concentrator in this field. This name
must uniquely identify this device.
• New Time fields and drop-down menus: Set the correct time. The correct time ensures that
logging and accounting entries are accurate. The fields show the current date and time on
the device. The values shown in the New Time fields are the time on the browser PC, but
any entries you make apply to the concentrator. Enter the year as a four-digit number.
• Domain Name System (DNS) Server: Enter the IP address of your local DNS server,
using dotted decimal notation (for example, 10.0.1.10). Specifying a DNS server lets you
enter Internet hostnames (for example, vpn.company.com).
• Domain: Enter your Internet domain name.
• Default Gateway: Enter the IP address or hostname of the system to which the
concentrator should route packets that are not explicitly routed. In other words, if the
concentrator has no IP routing parameters (Routing Information Protocol [RIP], Open
Shortest Path First [OSPF], or static routes) that specify where to send a packet, the
concentrator sends the packet to the gateway specified in this field. This address must not
be the same as the IP address configured on any concentrator interface (for example, a
default gateway may be the gateway to the perimeter router at 192.168.1.1).
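The field rules from Step 3 and Step 4 are easy to get wrong by hand, so the following added example (not Cisco code, and not the Manager's own validation) collects them as checks that can be run before the values are entered: dotted-decimal addresses, 0.0.0.0 rejected, the classful mask the Manager proposes from the address class, the 68 to 1500 MTU range, exactly one interface designated public, and a default gateway that does not match any interface address. One check goes beyond the page and is labelled as an assumption: that the gateway lies on a directly connected subnet. Hostnames in the Default Gateway field are not handled. The interface values are constructed from the figures.

```python
"""Checks for the Quick Configuration interface and system-information fields.

Added example, not Cisco code: dotted-decimal address, 0.0.0.0 rejected,
classful default mask, MTU 68-1500, one public interface, default gateway
not equal to any interface address. The "gateway on a connected subnet"
check is an assumption beyond the page. Interface values are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

MTU_MIN, MTU_MAX = 68, 1500


def classful_default_mask(ip: str) -> str:
    """Standard mask the Manager fills in from the address class (A, B or C)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError("%s is a Class D/E address and cannot be an interface address" % ip)


def validate_interface(ip: str, mask: Optional[str] = None, mtu: int = 1500) -> List[str]:
    """Return the problems with one static interface entry (an empty list means acceptable)."""
    errors = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return ["%r is not a dotted-decimal IPv4 address" % ip]
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return ["0.0.0.0 is not allowed as an interface address"]
    mask = mask or classful_default_mask(ip)       # the Manager's proposed default
    try:
        ipaddress.IPv4Network("%s/%s" % (ip, mask), strict=False)
    except ValueError:
        errors.append("%r is not a valid subnet mask" % mask)
    if not MTU_MIN <= mtu <= MTU_MAX:
        errors.append("MTU %d is outside %d-%d" % (mtu, MTU_MIN, MTU_MAX))
    return errors


# interface name -> (ip, mask or None for the classful default, public flag, mtu)
Interfaces = Dict[str, Tuple[str, Optional[str], bool, int]]


def validate_quick_config(interfaces: Interfaces, default_gateway: str) -> List[str]:
    """Cross-field checks from Steps 3 and 4; gateway must be an IP address here."""
    errors = []
    for name, (ip, mask, _public, mtu) in interfaces.items():
        errors += ["%s: %s" % (name, e) for e in validate_interface(ip, mask, mtu)]
    if errors:
        return errors
    if sum(1 for _, _, public, _ in interfaces.values() if public) != 1:
        errors.append("exactly one interface should be designated public")
    try:
        gw = ipaddress.IPv4Address(default_gateway)
    except ValueError:
        return errors + ["%r is not a dotted-decimal IPv4 address" % default_gateway]
    nets = []
    for name, (ip, mask, _public, _mtu) in interfaces.items():
        if ipaddress.IPv4Address(ip) == gw:
            errors.append("default gateway must not equal the address of interface %s" % name)
        nets.append(ipaddress.IPv4Network("%s/%s" % (ip, mask or classful_default_mask(ip)),
                                          strict=False))
    # Assumption beyond the page: a usable gateway sits on a directly connected subnet
    if not any(gw in net for net in nets):
        errors.append("default gateway %s is not on any connected subnet" % gw)
    return errors
```

A configuration built from the figures (private 10.0.3.5/24, public 192.168.1.5 with the proposed Class C mask, gateway 192.168.1.1) passes; pointing the gateway at the public interface's own address, or entering an MTU of 9000, returns an explanatory error instead.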

[Figure: Step 5—Specify Tunneling Protocols and Encryption Options. IPSec across the Internet]

Use the Configuration>Quick>Protocols window to configure the supported remote access
protocols. Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and
IPSec are the three supported remote access protocols. The concentrator can support all three
protocols simultaneously. Configure IPSec remote access, as shown in the figure, by checking
the IPSec check box. You cannot use Quick Configuration to configure IPSec LAN-to-LAN
applications.



[Figure: Step 6—Assign IP Addresses to Clients. A DHCP server at 10.0.1.10 supplies the DHCP address to the client across the Internet]

In the remote access PC, there are two IP addresses: the NIC address and the virtual IP address.
The Configuration>Quick>Address Assignment window allows you to define how the remote
PC receives the second IP address. There are four possible methods for obtaining the virtual IP
address, from which you must choose:
• Client Specified: This method enables the client to specify its own IP address. For
maximum security, it is recommended that you control IP address assignments and not use
client-specified IP addresses.
• Per User: This method assigns IP addresses retrieved from an authentication server on a
per-user basis. If you are using an authentication server (external or internal) that has IP
addresses configured, this method is recommended.
• DHCP: This method uses the DHCP server to assign IP addresses.
• Configured Pool: This method uses the concentrator to assign IP addresses from an
internally configured IP address pool.

[Figure: Step 7—Select the Authentication Server. User authentication against a Windows NT domain server at 10.0.1.10 (Computer Name: BOSTON; Domain: Domain_BOSTON); Cisco VPN 3000 Series Concentrator; client across the Internet]

Before remote users can gain access to the private corporate network, they must be
authenticated. Use the Configuration>Quick>Authentication window to define the types of
authentication servers:
• Server Type drop-down menu: The drop-down arrow provides a choice of one of the
following:
— RADIUS: An external Remote Authentication Dial-In User Service (RADIUS)
server.
— Windows NT Domain: An external Windows NT domain server. Use the computer
name, not the domain name. If you are unsure of the NT server computer name,
refer to Start>Control Panel>System>Network Identification on your PC or ask your
network administrator.
— SDI: An external Rivest, Shamir, and Adleman (RSA) Security Inc. SecurID server.
— Kerberos/Active Directory: Supports authentication to Kerberos/Active Directory,
which is the default authentication mechanism in Microsoft Windows 2000 and
Windows XP.
— Internal Server: The internal concentrator authentication server (a maximum of
100 groups and users).
• Authentication Server Address field: The IP address of the Windows NT domain
authentication server (for example, 10.0.1.10).
• Domain Controller Name field: The Windows NT primary domain controller hostname
for this server (for example, Boston). Do not use the domain name.



[Figure: Step 8—Populate Authentication Server Databases (Users and Groups). Groups (departments): Base Group; Corporate MIS, Customer Service, and Finance, with paths /Base/Sales, /Base/Service, and /Base/Finance. Users (individuals): VP of MIS, VP of Finance]

Within a corporation, not everyone has the same access requirements: customer service
engineers may require seven-day, 24-hour access; sales entry personnel need five-day, eight-
hour access; and contract help might need access from 9 a.m. to 5 p.m., with restricted server
access. The concentrator can accommodate different access and usage requirements. You can
define different rights and privileges on a group basis.

Within the concentrator user management configuration tree, there are three group categories:
Default group: The default group is a default template. The majority of the corporation
access rights and privileges are defined in this group.
Groups: Individual groups inherit the attributes of the default group, and you can then
customize rights and privileges to meet the needs of specific groups.
Users: An individual user may require a unique set of privileges.

By configuring the default group first, specific groups second, and users third, you can quickly
manage access and usage rights for large numbers of users.

5-80 Securing Cisco Network Devices (SND) v1.0 Copyright © 2004, Cisco Systems, Inc.
Step 8 (Cont.)—Populate Authentication Server Databases (Users and Groups)
[Figure: Group>General window. Access rights and privileges are assigned to the remote user.]

You can configure group attributes on a group-by-group basis by providing appropriate
information in the following fields in the Group>General window:
Access Hours drop-down menu: Use the drop-down arrow to choose the named hours
when group users can access the concentrator (for example, M–F, 9–5).
Simultaneous Logins: Indicate the number of simultaneous logins that group users are
permitted.
Minimum Password Length: Provide the minimum number of characters for group user
passwords.
Allow Alphabetic-Only Passwords check box: Check the check box to allow group user
passwords that contain alphabetic characters only (the default); leave it unchecked to require
at least one nonalphabetic character.
Idle Timeout: Provide the time (in minutes). If there is no communication activity on the
connection in this period, the system terminates the connection. Entering 0 disables the
timeout and allows an unlimited idle period.
Maximum Connect Time: Provide the time in minutes. At the end of this time, the system
terminates the connection. Entering 0 (the default) allows unlimited connection time.
Filter drop-down menu: Use the drop-down arrow to choose a filter option. You can
restrict the access of a group to the network based on the client source address, destination
address, or protocol.
Inherit check boxes: Check the appropriate check boxes if you want the corresponding
attributes to be inherited from the default group configuration. If you uncheck a check box,
you must enter or change any corresponding value.



Step 8 (Cont.)—Populate Authentication Server Databases (Group Database)
[Figure: Cisco VPN 3000 Series Concentrator with its internal server; a client connects across the Internet as a member of the group "Training".]

The Configuration>Quick>IPSec Group window enables you to enter a group name and
password. The client is authenticated by group to determine the concentrator
access and usage rights of that group. To do so, you must enter information in the following
fields:
Group Name: Enter a unique name for this specific group. The maximum is 32 characters.
Password: Enter a unique password for this specific group. The minimum is 4 characters,
and the maximum is 32 characters. The field displays only asterisks. The password is the
IKE pre-shared key for the group, so every client configured for the group carries the same
secret; choose it accordingly, and plan to change it if any client that holds it is lost or
compromised.
Verify: Re-enter the group password to verify it. The field displays only asterisks.

Step 9—Set the Admin Password


The window shown in the figure is the last Quick Configuration window. It is used to change
the administrative password. To change the administrative password, enter information in the
following fields:
Password: Enter or edit the unique password for this administrator. The maximum number
of characters is 31. The field displays only asterisks.

Caution The default password that Cisco supplies is the same as the username. It is strongly
recommended that you change this password in a production environment. (Do not change
the password in the classroom environment.)

Verify: Re-enter the password to verify it. The field displays only asterisks.

When you are finished with the configuration window and click Apply, the configuration takes
effect immediately. Click the Save Needed icon to save the changes to memory. If you reboot
without saving, your configuration changes are lost.



Cisco VPN 3000 Concentrator Series Manager GUI
This topic describes the Cisco VPN 3000 Concentrator Series Manager GUI.

[Figure: VPN 3000 Concentrator Series Manager. Toolbar across the top, Table of Contents in the left frame, Manager screen in the main frame.]

The top frame contains the Cisco VPN 3000 Concentrator Series Manager toolbar. This toolbar
provides quick access to Manager functions.

The main frame displays the Cisco VPN 3000 Concentrator Series Manager window.
You can navigate the Manager using either the table of contents (TOC) in the left frame or the
toolbar at the top of the frame. To navigate from the TOC, select a title in the left frame of the
window, and the concentrator opens the Manager window for that topic in the main frame.

The primary tool for navigating the Manager is the table of contents in the left frame. The
TOC allows access to the three major sections and their many subsections:
Configuration: Setting all the parameters for the Cisco VPN 3000 Series concentrator that
govern its use and functionality as a VPN device:
— Interfaces: Ethernet and power-supply interface parameters
— System: Parameters for system-wide functions such as server access, address
management, IP routing, built-in management servers, event handling, and system
identification
— User Management: Attributes for groups and users that determine their access to
and use of the VPN
— Policy Management: Policies that control access times and data traffic through the
VPN via filters, rules, and IPSec Security Associations (SAs)

— Tunneling and Security: Attributes for Point-to-Point Tunneling Protocol (PPTP),
Layer 2 Tunneling Protocol (L2TP), IPSec, Secure Shell (SSH) Protocol, SSL, and
WebVPN
Administration: Managing higher-level functions that keep the Cisco VPN 3000 Series
concentrator operational and secure, such as who is allowed to configure the system, what
software runs on it, and managing its digital certificates
Monitoring: Viewing routing tables, event logs, system light emitting diodes (LEDs) and
status, data on user sessions, and statistics for protocols and system functions



Summary
This topic summarizes the key points discussed in this lesson.

• The Cisco VPN 3000 Series Concentrator and Cisco VPN Software Client provide
client-to-LAN remote access.
• The Cisco VPN 3000 Concentrator Series Manager is first accessed through the console.
• Initial configuration is completed using the Quick Configuration feature.
• Subsequent configuration is best completed through the Cisco VPN 3000 Concentrator
Series Manager GUI.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) How can routers read IP addresses from encrypted and encapsulated data payloads?
(Source: Implementing a Remote Access VPN)
A) The AH includes the IP address in an unencrypted format.
B) An additional IP header is added to the ESP-encapsulated data containing the
source and final destination network addresses.
C) An additional IP header is added to the ESP-encapsulated data containing the
address of the network interface card (NIC) of the client PC and the public
interface of the concentrator.
D) Using IP-in-IP encapsulation, the concentrator does not need an IP address
before forwarding the packet according to the inside IP destination address.
Q2) The Quick Configuration process can be run as often as necessary. (Source:
Completing Quick Configuration of a Cisco VPN 3000 Series Concentrator)
A) True
B) False
Q3) In Quick Configuration, NAT and IPSec LAN-to-LAN can only be configured if the
Public Interface check box is checked. (Completing Quick Configuration of a Cisco
VPN 3000 Series Concentrator)
A) True
B) False
Q4) Interface speeds default to 10 or 100 Mbps unless otherwise configured. (Completing
Quick Configuration of a Cisco VPN 3000 Series Concentrator)
A) True
B) False
Q5) The concentrator can be configured to support PPTP, L2TP or IPSec, but not all three
simultaneously. (Completing Quick Configuration of a Cisco VPN 3000 Series
Concentrator)
A) True
B) False
Q6) Group and user access is configured in the order default group, specific groups and
then users. (Completing Quick Configuration of a Cisco VPN 3000 Series
Concentrator)
A) True
B) False

Copyright © 2005, Cisco Systems, Inc. Building IPSec VPNs 5-87


Lesson Self-Check Answer Key
Q1) C
Q2) B
Q3) A
Q4) A
Q5) B
Q6) A

Lesson 4

Configuring the Cisco VPN 3000 Series Concentrator for Remote Access

Overview
The Quick Configuration process described in the previous lesson allows you to configure the
basic operational settings of the concentrator. However, you have not yet configured group and
user parameters. Those settings are made using features in the configuration menus in the Cisco
VPN 3000 Concentrator Series Manager.

This lesson explains how to configure group and user parameters for a Cisco concentrator.
While this process can be done from the console, it is recommended you use the Cisco VPN
3000 Concentrator Series Manager. This lesson will show you how to use the tools in the
manager to complete the tasks needed to configure remote access.
Objectives
Upon completing this lesson, you will be able to configure user and group parameters on a
Cisco concentrator for remote access. This ability includes being able to meet these objectives.
Describe the characteristics and uses of the two types of preshared keys
Describe how Cisco concentrators check parameters to authenticate users and groups
Define two types of VPN network authentication
Explain how to activate IKE proposals to match client software authentication requirements
Describe how to configure base-group parameters included under the General and IPSec
tabs
Explain how to configure base-group IPSec parameters
Explain how to configure base-group parameters that apply to remote-access IPSec client
connections
Explain how to configure client parameters that will be pushed to clients during IPSec
tunnel creation
Explain how to configure the appropriate split tunneling policy for remote clients
Describe how to configure DNS server addresses to allow split tunneling

Pre-shared Keys
This topic describes the characteristics and uses of the two types of pre-shared keys.

IPSec Key Exchange
[Figure: Host A (10.0.1.3) behind Router A and Host B (10.0.2.3) behind Router B. An IKE session between the routers establishes the IPSec SAs, one per direction, that make up the IPSec tunnel.]
Security associations are:
• unidirectional
• established per security protocol (AH or ESP)
• set up through IKE using unique or group preshared keys

IPSec uses encryption technology to provide data confidentiality, integrity, and authenticity
between participating peers in a private network. IPSec provides secure tunnels between two
peers, such as two routers. These tunnels are sets of security associations (SAs) established
between two IPSec peers. SAs define which protocols and algorithms should be applied to
sensitive packets and specify the keying method to be used by the two peers.

You will also recall that an IPSec operation has five steps:
Step 1 Interesting traffic
Step 2 IKE phase 1
Step 3 IKE phase 2
Step 4 Data transfer
Step 5 IPSec tunnel termination

In Step 3 (IKE phase 2), Internet Key Exchange (IKE) negotiates IPSec SA parameters and
sets up matching IPSec SAs in the peers. These SAs are used to protect data and messages
exchanged between endpoints. SAs are unidirectional and are established per security protocol
(Authentication Header [AH] or Encapsulating Security Payload [ESP]), so a bidirectional ESP
tunnel needs two SAs. If no SAs exist that IPSec can use to protect this traffic to the peer,
IPSec uses the IKE protocol to negotiate with the remote peer to set up the necessary IPSec
SAs on behalf of the data flow. IKE provides SA management: it authenticates each peer in an
IPSec transaction, negotiates security policy, and handles the exchange of session keys. The
negotiation uses information specified in the crypto map entry as well as the data flow
information from the specific access list entry.



Types of Pre-shared Keys

Type     Characteristics
Unique   • Tied to a specific IP address
         • Most secure type of key
         • Impractical for remote access VPNs
Group    • Associated with a specific group of users
         • Used for remote access VPNs
         • Can be the base group or any other group
         • Should be used to establish IKE and IPSec settings
         • Can use internal or external databases

There are two methods of authenticating IKE peers: using pre-shared keys or using digital
certificates issued by a certificate authority (CA). From a procedural perspective, it is easier to
configure a Cisco concentrator using pre-shared keys because the client only needs to know the
address of the concentrator and the shared secret key.

Remote access virtual private network (VPN) connections require both device and user
authentication. Normally user authentication is achieved through an external Remote
Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control
System Plus (TACACS+) server, or through the concentrator internal database. Internal
authentication requires a username and password for each user, as well as assigning each user
to a group that is used for IPSec device authentication. Once the devices have authenticated
each other, the user is prompted to enter a username and password to continue. Failure to
authenticate causes the tunnel to drop.

Device authentication can be established using pre-shared keys or digital certificates. With pre-
shared keys, the system administrator chooses the key and then shares that key with users or
other system administrators. In this lesson, two types of pre-shared keys will be considered:
Unique: A unique pre-shared key is tied to a specific IP address. A unique key is the most
secure type of key because it identifies exactly one peer. Since the majority of ISPs assign IP
addresses dynamically, it is impractical for remote access VPNs.
Group: Cisco concentrators use group pre-shared keys for remote access VPNs. A group
pre-shared key is associated with a specific group of users. The group can be the base
group or any other group that you define. It is good practice to use groups to establish IKE
and IPSec settings and to provide other capabilities that are unique to a specific set of users.
If you choose to use the Cisco concentrator internal database for user authentication, you
can assign your users to specific groups, which makes the process of managing pre-shared
keys much easier.

User and Group Authentication
This topic describes how Cisco concentrators check parameters to authenticate users and
groups.

User and Group Authentication
Users and groups are core concepts in VPN 3000 Series concentrator configuration and are
used to simplify system management:
• Groups and users have specifically configured parameters.
• Users are members of groups, and groups are members of the base group.
• New groups inherit common parameters first configured in the base group.
• Each group has specified access to specified parts of the VPN.
• A small number of groups and users can reside in the VPN 3000 Series Concentrator
internal authentication server database.
• RADIUS and other external authentication servers allow for more groups.

Groups and users are core concepts in managing the security of VPNs and in configuring the
Cisco concentrator. Groups and users have attributes that are configured via parameters and
that determine their access to and use of the VPN. Users are members of groups, and groups
are members of the base group. If you do not assign a user to a particular group, that user is by
default a member of the base group.

Groups simplify system management. To streamline the configuration task, the concentrator
provides a base group that you configure first. The base-group parameters are those that are
most likely to be common across all groups and users. As you configure a group, you can
simply specify that it “inherit” parameters from the base group. Similarly, a user can “inherit”
parameters from a group. Thus, you can quickly configure authentication for large numbers of
users.

Of course, if you decide to grant identical rights to all VPN users, then you do not need to
configure specific groups. However, VPNs are seldom managed that way. For example, you
might allow a finance group to access one part of a private network, a customer support group
to access another part, and a management information system (MIS) group to access other
parts. Further, you might allow specific users within MIS to access systems that other MIS
users cannot access.

You can configure detailed parameters for groups and users on the concentrator internal
authentication server. External RADIUS authentication servers can also return group and user
parameters that match those on the concentrator. Other authentication servers do not return
such parameters, but they can still authenticate users. The concentrator internal authentication
server is adequate for a small user base.



The maximum number of groups and users (combined) that you can configure in the internal
server depends on your concentrator model. For larger numbers of users, we recommend using
the internal server to configure groups (and perhaps a few users) and using an external
authentication server (Remote Authentication Dial-In User Service [RADIUS], Windows NT
Domain, or RSA SecurID [SDI]) to authenticate the users.

VPN 3000 Series Concentrator Model   Maximum Groups and Users (Combined) Allowed in the Internal Database
3005                                 100
3015                                 100
3020                                 250
3030                                 500
3060                                 1000
3080                                 1000

VPN Concentrator Authentication Order
First: User parameters. If any are missing, then
Second: Group parameters. If any are missing, then
Third: IPSec tunnel-group parameters. If any are missing, then
Last: Base-group parameters

The concentrator checks authentication parameters in this order:
1. User parameters: If any parameters are missing, the system looks at group parameters.
2. Group parameters: If any parameters are missing, the system looks at IPSec tunnel-group
parameters.
3. IPSec tunnel-group parameters: These are the parameters of the IPSec group used to create
the tunnel. The IPSec group is configured on the internal server or on an external
RADIUS server. If any parameters are missing, the system looks at base-group parameters.
The exception is the VPN 3002 Hardware Client parameters, which enable or disable
interactive hardware client authentication and individual user authentication: for these, the
IPSec tunnel-group parameters take precedence over parameters set for users and groups.
4. Base-group parameters.

Because of the way authentication occurs, it is recommended that groups and users be
configured in this order:
1. Base-group parameters
2. Group parameters
3. User parameters
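The lookup order above can be made concrete. The following Python is an added example, not Cisco code or anything taken from the concentrator: it resolves each attribute for a user by walking user, group, IPSec tunnel-group and base-group parameters in that order, with the hardware-client authentication parameters taken from the tunnel group ahead of user and group settings. The attribute names, users, groups and values are constructed for illustration.

```python
"""Parameter lookup order on the VPN 3000 concentrator, modelled in Python.

Added example, not Cisco code. Order: user, group, IPSec tunnel group,
base group; the hardware-client authentication parameters come from the
tunnel group first. All names and values below are constructed.
"""
from typing import Any, Dict, Tuple

# Attributes for which the IPSec tunnel-group value takes precedence over
# user and group values (the VPN 3002 Hardware Client authentication
# parameters). The attribute names are an assumption for this example.
TUNNEL_GROUP_WINS = {"hw_client_auth", "individual_user_auth"}

# None at a level means "not set here, look at the next level".
# The base group defines every attribute, so a lookup always terminates.
BASE_GROUP: Dict[str, Any] = {
    "access_hours": "No Restrictions",
    "simultaneous_logins": 3,
    "idle_timeout_min": 30,
    "max_connect_time_min": 0,      # 0 = unlimited
    "filter": "--None--",
    "hw_client_auth": False,
    "individual_user_auth": False,
}

GROUPS: Dict[str, Dict[str, Any]] = {
    "Finance": {"access_hours": "Business Hours", "idle_timeout_min": 10},
    "Service": {"access_hours": "No Restrictions", "simultaneous_logins": 1},
}

# IPSec tunnel groups: the group used to build the tunnel (internal server
# or external RADIUS). Only Finance sets hardware-client parameters here.
TUNNEL_GROUPS: Dict[str, Dict[str, Any]] = {
    "Finance": {"hw_client_auth": True, "individual_user_auth": True},
}

# "group" records membership and is not an attribute; a user with
# group None is, by default, a member of the base group only.
USERS: Dict[str, Dict[str, Any]] = {
    "vp_finance": {"group": "Finance", "simultaneous_logins": 5,
                   "hw_client_auth": False},
    "bob": {"group": "Service"},
    "alice": {"group": None},
}


def resolve_with_source(username: str, attr: str) -> Tuple[Any, str]:
    """Return (value, level that supplied it) for one attribute of one user."""
    user = USERS[username]
    group_name = user.get("group")
    group = GROUPS.get(group_name, {}) if group_name else {}
    tunnel_group = TUNNEL_GROUPS.get(group_name, {}) if group_name else {}

    # Hardware-client parameters: the tunnel group beats user and group.
    if attr in TUNNEL_GROUP_WINS and tunnel_group.get(attr) is not None:
        return tunnel_group[attr], "tunnel-group"

    for level_name, level in (("user", user), ("group", group),
                              ("tunnel-group", tunnel_group),
                              ("base-group", BASE_GROUP)):
        if level.get(attr) is not None:
            return level[attr], level_name
    raise KeyError(f"{attr} is not defined at any level")


def resolve(username: str, attr: str) -> Any:
    return resolve_with_source(username, attr)[0]


def effective_policy(username: str) -> Dict[str, Any]:
    """Every base-group attribute, resolved for this user."""
    return {attr: resolve(username, attr) for attr in BASE_GROUP}


if __name__ == "__main__":
    for name in USERS:
        print(name)
        for attribute in BASE_GROUP:
            value, level = resolve_with_source(name, attribute)
            print(f"  {attribute:<22} = {value!s:<16} (from {level})")
```

Note that vp_finance sets hw_client_auth to False as a user parameter yet resolves to True, because that attribute is one the tunnel group controls; for every other attribute the user value wins.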



VPN Network Authentication
This topic defines the two types of VPN network authentication.

VPN Network Authentication
[Figure: a client reaches the concentrator across the Internet; concentrator authentication against the internal server (by group) is followed by network authentication (Xauth).]
Authentication Type           Purpose
Concentrator authentication   Used to set up user rights and privileges as they relate to the concentrator
Network authentication        Used to control access to the corporate network (also called Xauth)

There are two types of authentication in the VPN network:
Concentrator authentication: Used to set up user rights and privileges as they relate to
the concentrator (for example, hours of operation, simultaneous logins, filters, and
inactivity timeout). These rights and privileges are set using the Configuration > User
Management > Base Group window. The General tab lets you configure general security,
access, performance, and protocol parameters that apply to the base group.
Network authentication: Used to control access to the corporate network. Corporations
typically require a second level of authentication before allowing users onto their
networks. The end user is prompted for a username and password, which in turn is verified
by an authentication server. Only after being authenticated is the end user granted access to
the corporate network. Network authentication is referred to as Extended Authentication
(Xauth).

Note With the original Cisco VPN Client version 2.5, Xauth was performed after IKE Phase 1 was
completed. Beginning with the Cisco VPN Client version 3.0, Xauth is performed during IKE
Phase 1. For the client to talk to the concentrator, the correct IKE proposals must be defined
for each Cisco VPN Client.

Activating Client Authentication
Before the concentrator can interface with clients, the appropriate IKE proposal must be
properly activated. This topic explains how to activate IKE proposals to match client software
authentication requirements.

Activating Client Authentication
• First, activate the IKE proposal
[Figure: IKE Proposals window with Active Proposals and Inactive Proposals columns; separate proposals serve the VPN 3002 and 3.x or 4.x clients, the 2.5 client, and the Certicom client.]

The type of client resident on the remote PC is identified in the vendor identification
payload of an IKE message. The IKE proposal on the concentrator must match the
requirements of the client. The concentrator can handle several types of remote clients: the
Cisco VPN Client version 3.0 or higher, the Cisco VPN Client version 2.5, and the Certicom
client. Before the concentrator can interface with these clients, you must make sure that the
appropriate IKE proposal is configured, activated, and prioritized.

IKE proposals are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two
peers establish a secure tunnel within which they then negotiate the Phase 2 parameters. Use
the Configuration > System > Tunneling and Security > IPSec > IKE Proposals window to
activate IKE proposals.

In remote access connections, the client sends IKE proposals to the concentrator. The
concentrator functions only as the responder. As the responder, the concentrator checks the
active IKE proposal list, in priority order, to see if it can find a proposal that matches the
parameters in the proposed Security Association (SA) of the client. If a match is found, the
establishment of a tunnel continues. If no match is found, the IKE negotiation fails and no
tunnel is built. Inactive proposals are never considered, so a proposal that is configured but
not activated cannot match.
Each IKE proposal in the IKE Proposals window is a template. The parameters assigned to
the template are applied to the individual remote connection.



Activating Client Authentication (Cont.)
• Then, check the IKE proposal
[Figure: IKE Proposals > Modify window.]

Individual IKE templates are listed under the Active Proposals column. By selecting an IKE
proposal and then clicking Modify, the administrator can view or modify the individual
parameters of the IKE proposal, or template. Use the Configuration > System >
Tunneling Protocols > IPSec > IKE Proposals > Modify window to check the IKE proposals to
make sure that you have the correct IKE parameters for a particular client type.
Clicking the Authentication Mode drop-down arrow allows you to choose the proper
authentication mode:
— Pre-shared Keys (Xauth) for Cisco VPN Client version 3.0 or later
— Pre-shared Keys for the Cisco VPN Client version 2.5
— Pre-shared Keys with DH7 for Certicom client applications
Clicking the Diffie-Hellman Group drop-down arrow allows you to choose the correct
DH group for each Software Client:
— Group 1 (768 bits) for Cisco VPN Client version 2.5 clients using digital certificates
— Group 2 (1024 bits) for Cisco VPN Client version 2.5 clients using pre-shared keys
— Group 5 (1536 bits) for clients using Advanced Encryption Standard (AES)
encryption
— Group 7 (Elliptic Curve Cryptosystem [ECC]) for the Certicom client
Clicking the Encryption Algorithm drop-down arrow allows you to choose the proper
encryption algorithm from among DES-56, 3DES-168, AES-128, AES-192 (AES-192 is
not supported on either the Cisco VPN Software or Hardware Clients), and AES-256.
Of these, DES-56 and DH Group 1 (768 bits) are the weakest choices; where the client
supports it, prefer 3DES or AES with Group 2 or Group 5, and activate only the proposals
that your clients actually need.
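The responder-side matching described above (the client offers, the concentrator walks its active proposal list in priority order and accepts the first match) and the per-client checks made in the Modify window can be modelled as follows. This Python is an added example, not Cisco code: the proposal names, the vendor-ID strings and the client offers are constructed, while the mapping of authentication mode to client type and the AES-192 restriction follow the text.

```python
"""Responder-side IKE proposal matching, modelled in Python.

Added example, not Cisco code. The concentrator only responds: it walks
its active proposals in priority order and accepts the first whose
parameters the client also offered. No match means the IKE negotiation
fails. Proposal names, vendor-ID strings and offers are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Authentication modes from the Modify window.
PSK_XAUTH = "Pre-shared Keys (Xauth)"   # Cisco VPN Client 3.0 or later
PSK = "Pre-shared Keys"                 # Cisco VPN Client 2.5
PSK_DH7 = "Pre-shared Keys with DH7"    # Certicom client

# Constructed vendor-ID string -> authentication mode that client needs.
CLIENT_AUTH_MODE = {
    "cisco-vpn-client-3.x": PSK_XAUTH,
    "cisco-vpn-client-2.5": PSK,
    "certicom-client": PSK_DH7,
}

# Ciphers the Cisco VPN Software and Hardware Clients cannot use.
UNSUPPORTED_ON_CISCO_CLIENTS = {"AES-192"}


@dataclass(frozen=True)
class Transform:
    """One (authentication mode, DH group, encryption) combination."""
    auth_mode: str
    dh_group: int
    encryption: str


@dataclass(frozen=True)
class IkeProposal:
    name: str
    transform: Transform
    active: bool = True


# Constructed proposal list, highest priority first. The 2.5-client
# proposal starts in the Inactive column.
PROPOSALS: List[IkeProposal] = [
    IkeProposal("IKE-AES128-SHA", Transform(PSK_XAUTH, 2, "AES-128")),
    IkeProposal("IKE-3DES-MD5", Transform(PSK_XAUTH, 2, "3DES-168")),
    IkeProposal("IKE-3DES-MD5-DH7", Transform(PSK_DH7, 7, "3DES-168")),
    IkeProposal("CiscoVPNClient-3DES-MD5", Transform(PSK, 2, "3DES-168"),
                active=False),
]


def client_offer(vendor_id: str, dh_group: int,
                 encryptions: List[str]) -> List[Transform]:
    """The transforms a client of this type would propose (its order)."""
    auth_mode = CLIENT_AUTH_MODE[vendor_id]
    return [Transform(auth_mode, dh_group, enc) for enc in encryptions]


def negotiate(offer: List[Transform],
              proposals: List[IkeProposal]) -> Optional[IkeProposal]:
    """Responder choice: first active proposal, in the concentrator's
    priority order, that appears in the client's offer. None = failure."""
    offered = set(offer)
    for proposal in proposals:
        if proposal.active and proposal.transform in offered:
            return proposal
    return None


def set_active(name: str, active: bool,
               proposals: List[IkeProposal]) -> List[IkeProposal]:
    """Move a proposal between the Active and Inactive columns."""
    return [replace(p, active=active) if p.name == name else p
            for p in proposals]


def check_proposal_for_client(proposal: IkeProposal,
                              vendor_id: str) -> List[str]:
    """What an administrator would flag in the Modify window for this
    client type: wrong authentication mode, or an unsupported cipher."""
    problems = []
    if proposal.transform.auth_mode != CLIENT_AUTH_MODE[vendor_id]:
        problems.append(f"auth mode {proposal.transform.auth_mode!r} "
                        f"does not suit {vendor_id}")
    if (vendor_id.startswith("cisco-vpn-client")
            and proposal.transform.encryption in UNSUPPORTED_ON_CISCO_CLIENTS):
        problems.append(f"{proposal.transform.encryption} is not supported "
                        "on Cisco VPN clients")
    return problems


if __name__ == "__main__":
    v3 = client_offer("cisco-vpn-client-3.x", 2, ["3DES-168", "AES-128"])
    print("3.x client ->", negotiate(v3, PROPOSALS))
    v25 = client_offer("cisco-vpn-client-2.5", 2, ["3DES-168"])
    print("2.5 client ->", negotiate(v25, PROPOSALS))
    activated = set_active("CiscoVPNClient-3DES-MD5", True, PROPOSALS)
    print("2.5 client after activation ->", negotiate(v25, activated))
```

The 3.x client lists 3DES first, but the responder's own priority order decides, so AES-128 is selected; the 2.5 client fails until its proposal is moved to the Active column.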

Configuring Base-Group Parameters
This topic describes how to configure base-group parameters included under the General and
IPSec tabs.

Configuring Base-Group Parameters
• Groups and users 'inherit' parameters from the base group.
[Figure: Base Group General tab with three sections: Access Rights and Privileges; DNS and WINS; Tunneling Protocols.]

Base-group parameters streamline the configuration task and are likely to be common across all
groups and users. Groups can “inherit” parameters from this base group, and users can “inherit”
parameters from their group or the base group. You can override these parameters as you
configure groups and users. Users who are not members of a group are, by default, members of
the base group.

The figure shows the General tab, which is used to configure general security, access,
performance, and protocol parameters that apply to the base group. There are three main
sections in this window:
The top section defines access rights and privileges.
The center section is for Windows Internet Name Service (WINS) and Domain Name
System (DNS) information used by the client.
The bottom section defines the tunneling protocols that are supported by this group.

Access rights and privileges parameters can be set as follows:
Access Hours drop-down menu: This menu allows you to choose the hours when group
users can access the concentrator. The following options are available:
— No Restrictions: No restrictions on access hours
— Never: No access at any time
— Business Hours: Access from 9 a.m. to 5 p.m., Monday through Friday



Simultaneous Logins field: In this field you enter the number of simultaneous logins that
group users are permitted. The minimum is 1 and the default is 3. Although there is no
maximum limit, allowing several could compromise security and affect performance.
Minimum Password Length field: In this field you enter the minimum number of
characters for group user passwords. The minimum is 1, the default is 8, and the maximum
is 32.
Allow Alphabetic-Only Passwords check box: If you check this check box you allow
user passwords with alphabetic characters only. To maintain security, it is strongly
recommended that you do not allow such passwords.
Idle Timeout field: In this field, you enter the group idle timeout period in minutes. If
there is no communication activity on the connection in this period, the system terminates
the connection.
Maximum Connect Time field: In this field, you enter the group maximum connection
time in minutes. At the end of this time, the system terminates the connection.
Filter drop-down menu: Filters are used to restrict group access to the network based on
source address, destination address, and protocol.

WINS and DNS information used by the client can be set as follows:
Primary DNS field: Enter the IP address of the primary DNS server for this group.
Secondary DNS field: Enter the IP address of the secondary DNS server for this group.
Primary WINS field: Enter the IP address of the primary WINS server for this group.
Secondary WINS field: Enter the IP address of the secondary WINS server for this group.
Scalable Encryption Processing (SEP) Card Assignment check boxes: These boxes
depend on the concentrator model. It is recommended that you leave all four check boxes
selected (for redundancy).

Tunneling protocols can be set as follows:
Tunneling Protocols check boxes: These are check boxes for the tunneling protocols that
the user Software Clients can use.
Strip Realm check box: If you check this check box, authentication is based on the
username alone. The realm qualifier at the end of the username is removed (for example,
“service” is stripped from “bob@service”). If this check box is not checked, authentication
is based on the full string (for example, username@realm).
DHCP Network Scope field: In this field, you enter the IP subnetwork that the DHCP
server should assign to users in this group; for example, 200.0.0.0. The DHCP Network
Scope indicates the range of IP addresses from which to assign addresses to users in this group.
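The General tab parameters above are enforcement rules. The following Python is an added example, not Cisco code, that applies them to a login attempt and to a running session: access hours, simultaneous logins, the password length and alphabetic-only rules, idle timeout, maximum connect time (0 disables either timer) and Strip Realm. The policy values and usernames are constructed; timestamps are passed as ISO strings through a small helper so that the checks can be exercised without any clock.

```python
"""Enforcement of base-group General tab parameters, modelled in Python.

Added example, not Cisco code. "Business Hours" is 9 a.m. to 5 p.m.,
Monday through Friday, as on the page; policy values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class GroupPolicy:
    """General tab values (defaults constructed for this example)."""
    access_hours: str = "No Restrictions"  # or "Never", "Business Hours"
    simultaneous_logins: int = 3           # minimum 1, default 3
    min_password_length: int = 8           # 1..32, default 8
    allow_alphabetic_only: bool = False    # page recommends leaving off
    idle_timeout_min: int = 30             # 0 = never idle out
    max_connect_time_min: int = 0          # 0 = unlimited
    strip_realm: bool = False


def ts(iso: str) -> datetime:
    """Parse '2005-03-14T10:00' so callers need no datetime import."""
    return datetime.fromisoformat(iso)


def minutes_between(earlier: datetime, later: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def normalize_username(username: str, policy: GroupPolicy) -> str:
    """Strip Realm: authenticate 'bob' rather than 'bob@service'."""
    if policy.strip_realm and "@" in username:
        return username.rsplit("@", 1)[0]
    return username


def password_acceptable(password: str, policy: GroupPolicy) -> bool:
    """Minimum length, and alphabetic-only passwords only if allowed."""
    if len(password) < policy.min_password_length:
        return False
    if password.isalpha() and not policy.allow_alphabetic_only:
        return False
    return True


def within_access_hours(policy: GroupPolicy, when: datetime) -> bool:
    if policy.access_hours == "No Restrictions":
        return True
    if policy.access_hours == "Never":
        return False
    if policy.access_hours == "Business Hours":
        # weekday(): Monday is 0, Saturday 5; hours 9:00 up to 17:00.
        return when.weekday() < 5 and 9 <= when.hour < 17
    raise ValueError(f"unknown access hours {policy.access_hours!r}")


def login_permitted(policy: GroupPolicy, when: datetime,
                    active_sessions: int) -> List[str]:
    """Reasons a new login would be refused; an empty list means allowed."""
    reasons = []
    if not within_access_hours(policy, when):
        reasons.append("outside access hours")
    if active_sessions >= policy.simultaneous_logins:
        reasons.append("simultaneous login limit reached")
    return reasons


def session_terminate_reason(policy: GroupPolicy, now: datetime,
                             started: datetime,
                             last_activity: datetime) -> Optional[str]:
    """Idle timeout and maximum connect time; 0 disables either check."""
    if (policy.idle_timeout_min
            and minutes_between(last_activity, now) >= policy.idle_timeout_min):
        return "idle timeout"
    if (policy.max_connect_time_min
            and minutes_between(started, now) >= policy.max_connect_time_min):
        return "maximum connect time"
    return None


if __name__ == "__main__":
    finance = GroupPolicy(access_hours="Business Hours", simultaneous_logins=1,
                          idle_timeout_min=10, max_connect_time_min=480,
                          strip_realm=True)
    print(normalize_username("bob@finance", finance))
    print(login_permitted(finance, ts("2005-03-14T10:00"), 0))   # Monday
    print(login_permitted(finance, ts("2005-03-19T10:00"), 1))   # Saturday
```

The constructed Finance policy shows the interaction the page warns about: with simultaneous_logins set to 1, a second session from the same account is refused, and a session with no traffic for 10 minutes is torn down even though the 8-hour maximum connect time has not been reached.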

Configuring Base-Group IPSec Parameters
If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General
Parameters tab, the next step is to select the Configuration > User Management > Base Group
Screen > IPSec Tab. This topic describes how to configure base-group IPSec parameters.

Base Group IPSec Configuration
[Figure: Base Group IPSec tab with two sections, IPSec Parameters and Remote Access Parameters; an NT Domain user authentication server sits on the private side, and clients reach the concentrator across the Internet.]

The IPSec tab enables you to configure IPSec parameters that apply to the base group. This
window is divided into two sections: IPSec Parameters and Remote Access Parameters.

IPSec Parameters can be set as follows:
IPSec SA drop-down menu: Choose the IPSec SA assigned to the IPSec clients for this
group by clicking the drop-down arrow. During tunnel establishment, the IPSec client and
server negotiate an SA that governs authentication, encryption, encapsulation, key
management, and so on. You can view or modify IPSec SAs in the Configuration > Policy
Management > Traffic Management > Security Associations window.
IKE Peer Identity Validation drop-down menu: This option applies only to tunnel
negotiations based on digital certificates.
IKE Keepalives check box: Check this check box to enable the IKE Keepalive feature.
(IKE keepalives are enabled by default.) This feature allows the concentrator to monitor the
continued presence of a remote peer and to report its own presence to that peer. If the peer
becomes unresponsive, the concentrator initiates removal of the connection. Enabling IKE
keepalives prevents hung connections when rebooting either the host or the peer. For this
feature to work, both the concentrator and its remote peer must support IKE keepalives.
Confidence Interval: This field applies only to Easy VPN compliant clients that are using
IKE keepalives.
Tunnel Type drop-down menu: This menu allows you to choose the remote access tunnel
type. If you select Remote Access, you must configure the Remote Access Parameters.

Base Group IPSec Configuration (Cont.): IKE Keepalives—Dead Peer Detection

Figure: a client and an application server exchange data across the Internet. Each time data is received, the worry timer is reset; when it expires without data, the client sends a DPD message (Are you there) and the peer answers with a DPD message (Are you there ACK).

Dead peer detection (DPD) messages enable VPN devices to detect tunnel failure on the device at the other end of a tunnel (for example, when you reboot one device or lose an Internet connection). A worry timer determines how often a DPD message is sent in the absence of data received from the IKE peer. When data is received, the worry timer is reset. If the worry timer expires, a DPD message is sent. The worry timers for Cisco VPN 3000 Series concentrator products are as follows:
• For software clients running Version 3.0 or later and for hardware clients, the worry timer is set to 20 seconds.
• For the concentrators, the worry timer is set to 5 minutes.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives while others do not, enable IKE keepalives for the entire group. During IKE negotiation, each client identifies whether it supports DPD messages. Both ends must support the feature; it has no effect on peers that do not support it.

Note To reduce connectivity costs, disable IKE keepalives if this group includes any VPN clients connecting via ISDN lines. ISDN connections normally disconnect when the line is idle, but the IKE keepalive mechanism prevents connections from idling out and disconnecting.

Configuring Base-Group Remote Access Parameters
If you select Remote Access, you must configure the Remote Access Parameters. This topic
describes how to configure base-group parameters that apply to remote-access IPSec client
connections.

Base Group Remote Access Parameters

Configure these parameters for remote access IPSec client connections:
• Group lock
• Authentication
• Authorization Type
• DN Field
• IP compression
• Default Preshared Key
• Reauthentication on Rekey
• Client Type & Version Limiting
• Mode Configuration

• Group Lock check box: Checking this check box locks users into a specific group. (For example, RADIUS allows you to lock specific users to a group.) You can lock a user to a group based on the organizational unit (OU) of a certificate or by using the RADIUS class attribute OU = group name. For example, according to the RADIUS server, Joe is a member of the Training group. If Joe tries to log in as a member of the IS group, which has different access rights, the connection fails.
• Authentication drop-down menu: In the concentrator, remote users are authenticated twice. This parameter pertains to the private network authentication, which determines how users within the group are authenticated and whether a Windows NT, SDI, or RADIUS server will authenticate them.
• Authorization Type drop-down menu: If members of this group need authorization in addition to authentication, you can choose an authorization method. The following options are available:
— None: Do not authorize users in this group.
— RADIUS: Use an external RADIUS authorization server to authorize users in this group.
— Lightweight Directory Access Protocol (LDAP): Use an external LDAP authorization server to authorize users in this group.
• Authorization Required check box: If you are using authorization, you can make it mandatory or optional.


• DN Field drop-down menu: If users in this group are authenticating by means of digital certificates and require LDAP or RADIUS authorization, you can choose which distinguished name (DN) field from the certificate uniquely identifies the user to the authorization server.
• IPComp drop-down menu: IP compression runs inside IPSec. Outbound data is compressed and then encrypted. At the remote end, data is decrypted and then decompressed. IP compression uses fewer bytes per transmission. On a low-speed line, fewer bytes to transmit equates to faster transmission of the message. For example, you might put all modem users into a group and enable IP compression, which should speed up their transmissions. However, there is a processing penalty for compression. At higher speeds, 64 Kbps and above, IP compression tends to slow transmission because of the processing delays of compression and decompression. Do not enable IP compression for high-speed users; doing so would slow the performance of the PC and the concentrator.
• Default Pre-shared Key: Enter the pre-shared secret. Use a minimum of four and a maximum of 32 alphanumeric characters. This option allows the following VPN clients to connect to the concentrator:
— VPN clients that use pre-shared secrets but do not support the concept of a "group," such as the Microsoft Windows XP L2TP/IPSec client.
— VPN router devices that are creating inbound connections from non-fixed IP addresses using pre-shared secrets.
• Reauthentication on Rekey check box: When this check box is selected, the concentrator prompts the user for identification and a password whenever a rekey occurs. This feature is disabled by default.
• Client Type and Version Limiting: Construct rules to permit or deny clients according to their type and software version.
• Mode Configuration check box: Checking this check box enables the concentrator to push information to the client.

Mode Configuration

Figure: during tunnel negotiation the concentrator pushes parameters (NT domain, WINS, DNS, virtual IP address) to the client across the Internet.

Mode configuration allows configuration parameters to be exchanged with the client while negotiating SAs so the client is relieved of configuration tasks.

Recall that mode configuration allows all client configuration parameters to be passed to the client. Most of the configuration issues in a remote access network originate at the remote PC. There are a large number of parameters to be programmed on the remote user PC, and not everyone can perform the needed changes. The Internet Engineering Task Force (IETF) IPSec Working Group solved these issues with mode configuration: the end user or IT department loads a minimum IPSec configuration on the end-user PC, and during IPSec tunnel establishment the concentrator pushes the remaining information to the PC.

IPSec uses mode configuration to pass all configuration parameters such as WINS and DNS IP
address information and virtual IP addresses, and so on, to a client. You must check the Mode
Configuration box to use mode configuration. Otherwise, those parameters—even if configured
with entries—are not passed to the client.
• The WINS and DNS information is programmed in the Groups > General tab.
• The virtual IP address and network mask originate at the concentrator, a DHCP server, or a RADIUS server.
• The virtual IP address source is configurable in the Configuration > System > Address Management window.

Mode Configuration Checkbox

Mode configuration is one of the IPSec parameters to be set. This box must be checked to pass parameters to clients.

Check the Mode Configuration check box to use mode configuration with IPSec clients (also known as the Internet Security Association and Key Management Protocol (ISAKMP) Configuration Method or Configuration Transaction). This option exchanges configuration parameters with the client while negotiating SAs. If you check this box, configure the desired mode configuration parameters. If you leave these boxes untouched, they are checked by default. To use split tunneling, this box must be checked. To use L2TP over IPSec, do not check this box.

Configuring Client Configuration Parameters
This topic explains how to configure client parameters that will be pushed to clients during
IPSec tunnel creation.

Figure: Client Configuration Parameters, grouped as Cisco client parameters, Microsoft client parameters, and common client parameters.

The figure shows three groups of client parameters that must be set. The three groups are as follows:
• Cisco client parameters
• Microsoft client parameters
• Common client parameters

Recall that the end user or IT department can load a minimum IPSec configuration in the end-
user PC. Using mode configuration, the concentrator pushes any and all necessary remaining
information to the PC during IPSec tunnel establishment.

The administrator can program client parameters under the Configuration > User Management
> Groups > Client Config tab.

Cisco Client Parameters

Figure: the concentrator pushes the Cisco client parameters to the PC across the Internet during tunnel establishment; the NT domain server sits behind the concentrator.

During IPSec tunnel establishment, the concentrator pushes the software client information to
the PC. These parameters include a login banner, split tunneling, IPSec over User Datagram
Protocol (UDP), and so on.

The following Cisco VPN Client parameters can be set from the Client Config tab:
• Banner field: When a client logs into the VPN, the banner that you enter in this field is displayed. It can be up to 510 characters and can consist of multiple lines of text instead of a single line (the text wraps). Enter a period (.) in the command-line interface (CLI) to finish the entry and set the banner. If you enter more than 510 characters, the software client will see an error during login.

Note Each line break uses two characters.

• Allow Password Storage on Client check box: Password storage on the client is not recommended for security purposes.
• IPSec over UDP check box: IPSec packets are wrapped in UDP so that firewalls and routers can perform Network Address Translation (NAT).
• IPSec over UDP Port field: To enable IPSec over UDP, a UDP port number must be assigned.
• IPSec Backup Servers drop-down menu: You can enable a hardware client to connect to the central site when the primary central-site concentrator is unavailable. Configure backup servers for a hardware client either on the hardware client or on a group basis at the primary central-site concentrator. If you configure backup servers on the central-site concentrator, that concentrator pushes the backup server policy to the hardware clients in the group.

Configuring Client Split Tunneling Policy
This topic explains how to configure the appropriate split tunneling policy for remote clients.

Client Configuration – Split Tunneling Policy

Figure: the three policies. Option 1, Tunnel Everything: all client traffic is encrypted, so the client cannot reach the network printer. Option 2, Tunnel Everything Except Local LAN Traffic: local LAN traffic travels in clear text and all other traffic is encrypted. Option 3, Split Tunneling: Internet traffic (for example, to www.news.com) travels in clear text and corporate traffic is encrypted.

Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in
encrypted form, or to a network interface in clear text form. Packets not bound for destinations
on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel,
decrypted, and then routed to a final destination. Therefore, split tunneling eases the processing
load, simplifies traffic management, and speeds up untunneled traffic.

The administrator must decide which tunneling option is correct for each group of remote clients. There are three tunneling options available to the network administrator:
• Tunnel everything: Once an IPSec tunnel is established, all traffic is encrypted and sent down a single tunnel.
• Tunnel everything except local LAN traffic: Everything is encrypted and sent through the tunnel except traffic destined for the local LAN. There are occasions when the remote user needs to print out spreadsheets locally. For this group of users, tunneling everything except local LAN traffic is the correct option.
• Split tunneling: With split tunneling, a remote user can simultaneously send clear text to a printer, download images from a web site, and send an encrypted report to headquarters.

The default is to tunnel everything.

Split Tunneling Option 1—Tunnel Everything

Figure: the client encrypts everything and sends it through the tunnel.

After the VPN tunnel is launched, all traffic is directed through the VPN tunnel. The VPN
tunnel everything option allows only IP traffic to and from the secure gateway and prohibits
any IP traffic to and from resources on a local network (for example, printer, fax, and shared
files on another system). While the IPSec tunnel is established, any Internet-bound traffic is
forced through the tunnel to the central site.

The Tunnel everything radio button is found within the Split Tunneling Policy row in the
Group > Client Config tab.

Split Tunneling Option 2—Local LAN

Figure: tunnel everything mode with the clear text local LAN option; local LAN traffic is sent in clear text and all other client traffic is encrypted.

The local LAN access option, on the other hand, provides access to resources on a local LAN
while the VPN tunnel is established. The local LAN addresses are pushed to the software client.
These IP addresses are added to the access control list (ACL) of the software client driver.
These bypass addresses route ahead of the VPN tunnel encryption algorithm. Any data bound
for, or received from, the addresses specified in the mode configuration message is sent or
received in the clear. This practice allows access to the local LAN while the IPSec tunnel is
running. All other traffic is encrypted and forwarded to the central site. For security purposes,
the user has the ability to disable local LAN access when using an unsecured local network (for
example, in a hotel).

Two steps are required to configure the option:

Step 1 Enable this feature by choosing the Allow the networks in the list to bypass the
tunnel radio button, which is located within the Split Tunneling Policy row.

Step 2 Supply the referenced IP address list by choosing VPN Client Local LAN (Default)
from the Split Tunneling Network List drop-down menu.

Local LAN Option 2—Defining a Network List

Figure: network list example with the client on the 192.168.1.X network and the corporate network 10.0.1.X; traffic to the local LAN travels in clear text and everything else is encrypted.

A local LAN network address list is required for the local LAN option. Use the Configuration > Policy Management > Traffic Management > Network Lists window to configure the LAN address. The address list pushed to the client is 0.0.0.0/0.0.0.0. This is a special entry that directs the client to interpret the network address and subnet mask of the LAN interface over which the VPN connection is made as the local LAN address, and to route all locally addressed LAN packets in clear text. The 0.0.0.0/0.0.0.0 network address list is referred to as the client LAN (default) list.

In the example in the figure, the client resides on the 192.168.1.0 network. Having received a
192.168.1.0/0.0.0.255 network list, the client routes all 192.168.1.0/24 traffic in clear text. All
other traffic is encrypted and sent down the tunnel.

Option 3—Split Tunneling

Figure: before split tunneling, the client encrypts all traffic, including www.news.com browsing, into the tunnel; after split tunneling, www.news.com traffic travels in clear text and only corporate traffic is encrypted.

Split tunneling enables remote users to access Internet networks without requiring them to
tunnel through the corporate network. Before split tunneling is enabled, all traffic originating
from the client is encrypted and routed through the secure tunnel. This traffic includes both
secure and Internet browsing traffic. The secure traffic is terminated, while Internet traffic is
routed back out to the Internet. A large percentage of the corporate backbone bandwidth is used
for redirected web browsing traffic from remote users.

Split tunneling addresses the redirect issue, because split tunneling routes secure encrypted
traffic through the tunnel. Nonsecure traffic (for example, web browsing) is sent in the clear.
The ISP can route the traffic accordingly (for example, secure traffic goes to the corporate
network, and web browsing goes to the ISP).

An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth, as Internet traffic does not have to pass through the VPN server. A disadvantage of split tunneling is that it essentially renders the VPN vulnerable to attack, because the client is accessible through the public, nonsecure network at the same time that it holds a tunnel into the private network.

Configuring a Split Tunneling Policy

Figure: with split tunneling configured, www.news.com traffic travels in clear text and traffic to the listed corporate networks is encrypted.

The concentrator pushes specific IP addresses to the client to implement split tunneling. Traffic
bound for one of these addresses is encrypted and sent to the concentrator. If the IP address is
different from the pushed addresses, the message is sent in the clear and is routable by the ISP.

Configuring split tunneling requires two steps:

Step 1 Enable split tunneling by clicking the Only tunnel networks in the list radio button
within the Split Tunneling Policy row.
Step 2 Choose the appropriate list from the Split Tunneling Network List drop-down menu.
This menu presents a predefined list of secure network addresses.

Split Tunneling—Adding a Network List

Figure: a network list containing 10.0.1.0 is pushed to the client; traffic to 10.0.1.0 is encrypted and www.news.com traffic travels in clear text.

The concentrator pushes specific IP addresses to the client. Traffic bound for one of these addresses is encrypted and sent to the concentrator. These addresses are defined under Configuration > Policy Management > Traffic Management > Network Lists. Assign a name for the list in the List Name field, and supply the network and wildcard mask in the Network List field. In the figure, the administrator wants to send clear text to the Internet and to the local printer, and encrypted traffic to the headquarters (the 10.0.1.0/24 network). In the Network List field, the administrator defines a network list and configures the private network IP address and wildcard mask (10.0.1.0/0.0.0.255). As a result, any traffic bound for a host on the 10.0.1.0/24 network is encrypted and sent down the IPSec tunnel. All other traffic is sent in plain text.
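The three split-tunneling decisions described in this section (tunnel everything, let the networks in the list bypass the tunnel, only tunnel the networks in the list), together with the special 0.0.0.0/0.0.0.0 entry of the Local LAN option, as an added Python model that is not Cisco code and not the VPN Client driver. The network list entries, the client interface address 192.168.1.50/255.255.255.0 and the Internet address 203.0.113.9 are constructed sample values.

```python
"""Model of the Cisco VPN 3000 split-tunneling decision (added example, not Cisco code).

Network list entries use the concentrator's network/wildcard-mask notation,
for example 10.0.1.0/0.0.0.255. The client compares every destination address
against the list pushed by mode configuration and decides whether the packet
is encrypted into the tunnel or sent in clear text.
"""
from enum import Enum


class Policy(Enum):
    """The three radio-button choices in the Split Tunneling Policy row."""
    TUNNEL_EVERYTHING = "Tunnel everything"
    BYPASS_LIST = "Allow the networks in the list to bypass the tunnel"  # local LAN option
    ONLY_LIST = "Only tunnel networks in the list"                       # split tunneling


def ip_to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_match(addr, network, wildcard):
    """True if addr falls inside network/wildcard.

    A wildcard mask is the inverse of a subnet mask: a 1 bit means "don't care",
    a 0 bit means the address bit must equal the network bit.
    """
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(network)) & care == 0


def expand_local_lan(net_list, client_ip, client_mask):
    """Replace the special 0.0.0.0/0.0.0.0 entry (the "VPN Client Local LAN
    (Default)" list) with the network and wildcard of the interface the VPN
    connection is built over."""
    expanded = []
    for network, wildcard in net_list:
        if network == "0.0.0.0" and wildcard == "0.0.0.0":
            if client_ip is None or client_mask is None:
                raise ValueError("local LAN entry needs the client interface address and mask")
            mask = ip_to_int(client_mask)
            expanded.append((int_to_ip(ip_to_int(client_ip) & mask),
                             int_to_ip(~mask & 0xFFFFFFFF)))
        else:
            expanded.append((network, wildcard))
    return expanded


def classify(dst, policy, net_list=(), client_ip=None, client_mask=None):
    """Return "encrypted" (sent down the tunnel) or "clear" for a packet to dst."""
    if policy is Policy.TUNNEL_EVERYTHING:
        return "encrypted"  # everything, Internet traffic included, goes to the central site
    entries = expand_local_lan(net_list, client_ip, client_mask)
    in_list = any(wildcard_match(dst, net, wild) for net, wild in entries)
    if policy is Policy.BYPASS_LIST:  # listed networks (the local LAN) stay in clear text
        return "clear" if in_list else "encrypted"
    return "encrypted" if in_list else "clear"  # ONLY_LIST: only listed networks are tunneled


if __name__ == "__main__":
    # Constructed sample: client on 192.168.1.0/24, headquarters on 10.0.1.0/24.
    local_lan = [("0.0.0.0", "0.0.0.0")]
    hq_list = [("10.0.1.0", "0.0.0.255")]
    for dst in ("192.168.1.20", "10.0.1.7", "203.0.113.9"):
        print(dst,
              classify(dst, Policy.TUNNEL_EVERYTHING),
              classify(dst, Policy.BYPASS_LIST, local_lan, "192.168.1.50", "255.255.255.0"),
              classify(dst, Policy.ONLY_LIST, hq_list))
```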

Split DNS Server Configuration
This topic describes how to configure DNS server addresses to allow split tunneling.

Figure: Split DNS Servers. A query for www.cisco.com matches the split-DNS name cisco.com and is tunneled to the corporate DNS server on the 10.0.1.0 network; a query for www.news.com does not match and goes in clear text to the ISP DNS server.

Split DNS lets an internal DNS server resolve a list of centrally-defined local domain names,
while ISP-assigned DNS servers resolve all other DNS requests. Split DNS is used in split-
tunneling connections. The client resolves whether a DNS query packet is to be sent in clear
text or is to be encrypted and sent down the tunnel. If the packet is encrypted and sent down the
tunnel, a corporate DNS server resolves the DNS query. Clear text DNS requests are resolved
by ISP-assigned DNS servers. In other words, the internal DNS server resolves the domain
names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests
that travel in the clear to the Internet.

The client receives a comma-delimited list of split-DNS names from the concentrator via mode
configuration. When the client receives a DNS query packet, the domain name is compared and
sequentially checked against the split-DNS names. A case-insensitive domain name comparison
starts at the end of each domain name string and continues toward the beginning of each string,
resulting in a match or no match. Query packets passing the comparison have their destination
IP address rewritten and tunneled using the primary DNS IP address configured on the
concentrator.

As an example, the query “bob.cisco.com” is compared against the split-DNS name cisco.com and results in a match: the cisco.com portion of bob.cisco.com matches the split-DNS string cisco.com. The bob.cisco.com DNS query is encrypted and sent to the primary DNS server, which resolves the IP address of bob.cisco.com. If the primary split-DNS server is unreachable, failover results in the use of a secondary split-DNS server to resolve further queries. Packets not matching the split-DNS list pass through the client untouched and are transmitted in clear text. As an example, the query “news.com,” when compared against the split-DNS name cisco.com, results in a mismatch. The news.com DNS query is sent in clear text, and the ISP-assigned DNS servers resolve the IP address.

Split DNS Server Configuration

Figure: queries for cisco.com names are tunneled to the corporate DNS server on the 10.0.1.0 network; queries such as www.news.com go in clear text to the ISP-assigned DNS server.

In the figure, the corporate DNS server resolves all cisco.com DNS name requests. The
ISP-assigned DNS server resolves all clear text DNS requests. Once split tunneling is
configured, configuring split DNS is a two-step process:

Step 1 Assign the names of the corporate DNS servers in the Split DNS Names field (for
example, cisco.com) in the Configuration > User Management > Groups > Client
Config tab window. Commas, without spaces, separate the names for multiple
entries.

Step 2 Define the primary and secondary DNS server IP addresses in the Configuration >
User Management > Groups > General tab window. The primary and secondary
DNS servers resolve the encrypted DNS queries.
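The split-DNS comparison described in this section (names from the comma-separated Split DNS Names field checked in order, case-insensitively and from the end of the string, matches rewritten to the primary DNS server with failover to the secondary), as an added Python model that is not Cisco code. The DNS server addresses 10.0.1.5, 10.0.1.6 and 203.0.113.53 are constructed, and the requirement that a match end on a label boundary (so that notcisco.com does not match cisco.com) is an assumption beyond what the page states.

```python
"""Model of the VPN Client split-DNS decision (added example, not Cisco code).

The concentrator pushes a comma-separated list of split-DNS names via mode
configuration. For every DNS query the client checks the name against that
list; matches are rewritten to the corporate (tunneled) DNS server, everything
else is sent in the clear to the ISP-assigned server.
"""


def parse_split_dns_names(field):
    """Parse the Split DNS Names field (for example "cisco.com,example.internal").

    The field format is comma-separated without spaces; stray spaces and a
    trailing dot are tolerated here, and names are lower-cased for comparison.
    """
    return [n.strip().lower().rstrip(".") for n in field.split(",") if n.strip()]


def matches_split_name(query, split_name):
    """Case-insensitive comparison that starts at the end of both strings.

    Assumption beyond the page: the match must end on a label boundary, so
    "bob.cisco.com" matches "cisco.com" but "notcisco.com" does not.
    """
    q = query.lower().rstrip(".")
    s = split_name.lower().rstrip(".")
    return q == s or q.endswith("." + s)


class SplitDnsClient:
    """Client-side view of split DNS: which server a query goes to, and how."""

    def __init__(self, split_names_field, primary_dns, secondary_dns, isp_dns):
        self.split_names = parse_split_dns_names(split_names_field)
        self.primary_dns = primary_dns      # Groups > General tab, primary DNS server
        self.secondary_dns = secondary_dns  # Groups > General tab, secondary DNS server
        self.isp_dns = isp_dns              # assigned by the ISP, reached in clear text
        self.primary_reachable = True

    def first_match(self, query):
        """Return the first split-DNS name that matches, checking the list in order."""
        for name in self.split_names:
            if matches_split_name(query, name):
                return name
        return None

    def route(self, query):
        """Return (destination DNS server, path) for one query name."""
        if self.first_match(query) is None:
            return self.isp_dns, "clear"  # passes through the client untouched
        # Destination IP rewritten to the primary DNS server; fail over to the
        # secondary once the primary has become unreachable.
        server = self.primary_dns if self.primary_reachable else self.secondary_dns
        return server, "tunneled"

    def mark_primary_unreachable(self):
        """Record that the primary split-DNS server stopped answering."""
        self.primary_reachable = False


if __name__ == "__main__":
    # Constructed sample values: corporate DNS 10.0.1.5/10.0.1.6, ISP DNS 203.0.113.53.
    client = SplitDnsClient("cisco.com,example.internal", "10.0.1.5", "10.0.1.6", "203.0.113.53")
    for name in ("bob.cisco.com", "WWW.CISCO.COM", "news.com", "notcisco.com"):
        print(name, client.route(name))
    client.mark_primary_unreachable()
    print("bob.cisco.com after failover", client.route("bob.cisco.com"))
```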

Summary
This topic summarizes the key points discussed in this lesson.

• The Cisco VPN 3000 Series concentrator uses preshared keys for remote access.
• Groups and users are core concepts in managing the security of VPNs. The configuration order is: base-group parameters, group parameters, and then user parameters.
• There are two types of authentication in the VPN network: concentrator authentication and network authentication.
• Before the concentrator can interface with clients, the appropriate IKE proposal must be properly activated.
• Base-group parameters streamline the configuration task and are likely to be common across all groups and users. You can override inherited parameters as you configure groups and users.
• The IPSec Parameters and Remote Access Parameters sections of the IPSec tab enable you to configure IPSec parameters that apply to the base group.
• If you select Remote Access, you must configure the Remote Access Parameters.
• There are three groups of client parameters that must be set: Cisco client parameters, Microsoft client parameters, and common client parameters.
• Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in clear text form.
• The internal DNS server resolves the domain names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests that travel in the clear to the Internet.

Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Pre-shared keys are to device authentication as _________ and _________ are to user authentication. (Source: Pre-shared Keys)

Q2) Give two reasons why Cisco concentrators use less secure group pre-shared keys rather than more secure unique pre-shared keys. (Source: Pre-shared Keys)

______________________________________________________________________

Q3) By default, a user not assigned to a group is part of the base group. (Source: User and Group Authentication)
A) True
B) False

Q4) Groups are needed only when specific rights need to be granted to users. (Source: User and Group Authentication)
A) True
B) False

Q5) All external authentication servers return group and user parameters to match those on the concentrator. (Source: User and Group Authentication)
A) True
B) False

Q6) If you need to configure more than 250 groups and users on a Cisco VPN 3020 concentrator, an external server is needed. (Source: User and Group Authentication)
A) True
B) False

Q7) Parameters are authenticated in the same order in which they are configured. (Source: User and Group Authentication)
A) True
B) False

Q8) Explain why the concentrator needs to know what type of client is negotiating an IKE proposal. (Source: Activating Client Authentication)

______________________________________________________________________

______________________________________________________________________

Q9) Match the required task to the menu screen that provides the appropriate window, tab, or check box by putting the number of the task beside the correct menu screen item. (Source: Activating Client Authentication, Configuring Base-Group Parameters, Configuring Base-Group Remote Access Parameters, Mode Configuration)

Task
1 Prevent users from selecting passwords with alphabetic characters only
2 Override inherited group parameters as you configure groups and users
3 Select authorization method for members of a group
4 Modify the individual parameters of the IKE proposal or template
5 Enter the pre-shared secret
6 Enable the IKE Keepalive feature
7 Configure the virtual IP address for mode configuration

Menu Screen
___ Configuration > System > Tunneling Protocols > IPSec > IKE Proposals > Modify
___ Configuration > User Management > Base Group > (tab?) (Checkbox)
___ Configuration > User Management > Base Group > (tab?) (Checkbox)
___ Configuration > User Management > Base Group > (tab?)
___ Configuration > User Management > Base Group > (tab?)
___ Configuration > System > Address Management
___ Configuration > User Management > Base Group > (tab?) > (checkbox?)

Q10) What are the three choices to be considered when configuring split tunneling, and
which is the default? (Source: Configuring Client Split Tunneling Policy)

Q11) When split tunneling is configured, does the concentrator tell the client what addresses
will be tunneled or does it tell the client what addresses will not be tunneled? (Source:
Configuring Client Split Tunneling Policy)

Lesson Self-Check Answer Key
Q1) RADIUS and TACACS+

Q2) Two reasons are:

A) Since the majority of ISPs use dynamically assigned IP addresses, it is impractical for remote
VPNs; and

B) Assigning users to groups makes the process of managing pre-shared keys much easier.

Q3) A

Q4) A

Q5) B

Q6) A

Q7) B

Q8) The IKE proposal on the concentrator must match the requirements of the client. For example, under Cisco
VPN Client 2.5, Xauth was completed after IKE phase 1. With Cisco VPN Client 3.5 and newer, Xauth is
performed during IKE phase 1.

Q9) This table shows the correct matches with additional information.

Task: 1 Prevent users from selecting passwords with alphabetic characters only
Menu Screen: 4 Configuration > User Management > Base Group > General > Allow Alphabetic-Only Passwords

Task: 2 Override inherited group parameters as you configure groups and users
Menu Screen: 5 Configuration > User Management > Base Group > General

Task: 3 Select authorization method for members of a group
Menu Screen: 3 Configuration > User Management > Base Group > IPSec > Authorization Type

Task: 4 Modify the individual parameters of the IKE proposal or template
Menu Screen: 2 Configuration > System > Tunneling Protocols > IPSec > IKE Proposals > Modify

Task: 5 Enter the pre-shared secret
Menu Screen: 6 Configuration > User Management > Base Group > IPSec > Default Pre-shared Key

Task: 6 Enable the IKE Keepalive feature
Menu Screen: 7 Configuration > User Management > Base Group > IPSec > IKE Keepalives

Task: 7 Configure the virtual IP address for mode configuration
Menu Screen: 1 Configuration > System > Address Management

Q10) Tunnel everything, tunnel everything except local LAN traffic, split tunneling. The default is to tunnel
everything.

Q11) When split tunneling has been configured, the concentrator pushes specific IP addresses to the client to implement split tunneling. Traffic bound for one of these addresses is encrypted and sent to the concentrator. If the IP address is different from the pushed addresses, the message is sent in the clear and is routable by the ISP.

Lesson 5

Configuring the Cisco VPN Software Client for Windows

Overview
This lesson explains how to configure the Cisco VPN Software Client for Windows Release
4.6.

Objectives
Upon completing this lesson, you will be able to configure the Cisco VPN Software Client for Microsoft Windows. This ability includes being able to meet these objectives:
• Describe the features of the Cisco VPN Software Client for Windows
• Describe the main VPN Client window and the tools, tabs, menus, and icons for navigating the user interface in the Simple Mode and Advanced Mode
• Describe the functions available from the Advanced Mode menus
• Describe the right-click tab menus from the Connection Entries tab, the Certificates tab, and the Log tab for frequently performed operations
• Describe the process required to create a new connection
• Describe the remote-user preconfiguration process
• Describe additional programs available from the Microsoft Windows Start menu
• Describe the session monitoring features of the VPN 3000 Series concentrator

The VPN Software Client for Windows
This topic describes the features of the Cisco VPN Software Client for Windows.

VPN Client for Windows Applications

Feature               Purpose
Help                  Displays an online manual
SetMTU                Changes the size of the MTU
VPN Client            Configures the client
Uninstall VPN Client  Safely removes the VPN Client software

The Cisco VPN Software Client for Windows (referred to in this lesson as VPN Client) runs on
a Windows-based PC. On a remote PC, the VPN Client creates a secure connection over the
Internet. Through this connection, you can access a private network through a virtual private
network (VPN). The server verifies that incoming connections have up-to-date policies in place
before establishing these networks. Cisco IOS routers, Cisco VPN 3000 Series concentrators,
and Cisco PIX Security Appliance central-site servers can all terminate VPN connections from
VPN Clients.

The following VPN Client applications can be selected from the Programs menu:
Help: This application displays an online manual with instructions on using the
applications.
SetMTU: This application lets you manually change the size of the maximum transmission
unit (MTU). (See “VPN Client Administrator Guide, Chapter 6.”)
VPN Client: This application lets you configure connections to a VPN server, start
connections, enroll for certificates to authenticate connections to VPN servers, and display
events from the log.
Uninstall VPN Client: This application lets you safely remove the VPN Client software
from your system and retain your connection and certificate configurations.

Note You can install the VPN Client through either the InstallShield wizard or the Microsoft
Installer. If you install the VPN Client through the Microsoft Installer, the Programs menu
shown in the figure does not contain the Uninstall application.

How the VPN Client Works

The VPN Client works with a Cisco VPN server to create a secure connection, called a tunnel,
between your computer and the private network. The VPN Client uses Internet Key Exchange
(IKE) and IPSec tunneling protocols to make and manage secure connections. Some of the
steps include:

Step 1 Negotiate tunnel parameters such as addresses, algorithms, lifetime, and so on.
Step 2 Establish tunnels according to the parameters.

Step 3 Authenticate users via usernames, group names and passwords, and X.509 digital
certificates to make sure users are who they say they are.

Step 4 Establish user access rights such as hours of access, connection time, allowed
destinations, allowed protocols, and so on.

Step 5 Manage security keys for encryption and decryption.

Step 6 Authenticate, encrypt, and decrypt data through the tunnel.

For example, to use a remote PC to read e-mail at your organization, you connect to the
Internet, then start the VPN Client and establish a secure connection through the Internet to the
organization private network. When you open your e-mail, the Cisco VPN server uses IPSec to
encrypt the e-mail message. The VPN server then transmits the message through the tunnel to
your VPN Client, which decrypts the message so you can read it on your remote PC. If you
reply to the e-mail message, the VPN Client uses IPSec to process and return the message
through the private network to the Cisco VPN server.



Navigating the VPN Client User Interface
This topic describes the main VPN Client window and the tools, tabs, menus and icons for
navigating the user interface in Simple Mode and Advanced Mode.


The figure shows the VPN Client window. This window allows you to do the following:
Enable accessibility options
Choose a run mode – simple or advanced
Use toolbar action buttons
Use main tab menus
Use advanced mode menus
Use right-click menus
Get help

Run Modes – Simple or Advanced

You can run the Cisco VPN Client in Simple Mode or in Advanced Mode. The default is
Advanced Mode, although your network administrator might have configured simple mode as
the default.

Use simple mode if you only want to start the Cisco VPN Client application and connect to a
VPN device using the default connection entry.

Use advanced mode for the following tasks:


Managing the Cisco VPN Client
Configuring connection entries
Enrolling for and managing certificates
Viewing and managing event logging
Viewing tunnel routing data

You can toggle between Advanced Mode and Simple Mode by pressing Ctrl-M. Alternatively,
you can choose your mode from the Options menu.

Advanced Mode Main Window

The figure shows the VPN Client window and the primary navigation areas. The navigation
areas are as follows:
1. VPN Client version information.
2. Menu bar.
3. Toolbar action buttons. The buttons that are available depend on which tab is forward.
4. Main tabs for managing the VPN Client.
5. Display area for the main tabs.
6. The currently active connection entry (if the Connection Entry area is showing).
7. Connection status bar. The left side of the status bar shows the connection entry name and
connection status. When connected, the right side shows the connection time for this VPN
session. Use the Down Arrow key to display the number of bytes in and out, and the IP
address of the VPN device.

The main tabs are described as follows:


Connection Entries tab: This tab displays the list of current connection entries, the host,
which is the VPN device that each connection entry uses to gain access to the private
network, and the transport properties that are set for each connection entry.
Certificates tab: This tab displays the list of certificates in the VPN Client certificate store.
Use this tab to manage certificates.
Log tab: This tab displays event messages from all processes that contribute to the client-
peer connection: enabling logging, clearing the event log, viewing the event log in an
external window, and setting logging levels.

Using the Advanced Mode Menus
This topic describes the functions available from the Advanced Mode menus.

Advanced Mode Connection Entries Menu


Use the Connection Entries menu as a shortcut to frequently used connection entry operations.
The following submenus and options are available:
Connect to: Connects to a VPN device using the selected connection entry. If the
Connections tab is not selected, a submenu, which lists all available connection entries, is
displayed.
Disconnect: Disconnects your current VPN session.
Create Shortcut: Creates a shortcut on your desktop for the current connection entry.
Modify: Allows you to edit the current connection entry.
Delete: Allows you to delete the current connection entry.
Duplicate: Allows you to duplicate the selected connection entry. This menu choice lets
you create a new connection entry using the configuration from a current connection entry
as a template.
Set as Default Connection Entry: Makes the current connection entry the default.
New: Creates a new connection entry.
Import: Brings in a new connection entry profile from a file.
Exit VPN Client: Closes the Cisco VPN Client application.



Advanced Mode Status Menu


Use the Status menu to display routes and notifications and to reset the statistics display. The
following commands are available:
Statistics: Allows you to view tunnel details, route details, and firewall information for the
current VPN session.
Notifications: Allows you to view notices from the VPN device to which you are currently
connected.
Reset Stats: Allows you to clear the statistics from the statistics displays and start over.

Advanced Mode Certificates Menu


Use the Certificates menu to enroll and manage certificates. The following submenus and
options are available:
View: Allows you to view the properties of the selected certificate
Import: Allows you to import a certificate file from a specified file location
Export: Allows you to export the selected certificate to a specified file location
Enroll: Allows you to enroll with a Certificate Authority (CA) to obtain a certificate
Verify: Verifies that a certificate is still valid
Delete: Removes the selected certificate
Change Certificate Password: Allows you to change the password that protects the
selected certificate in the Cisco VPN Client certificate store
Retry Certificate Enrollment: Allows you to retry a previously attempted certificate
enrollment
Show CA/RA Certificates: Displays digital certificates issued by either a CA or a
Registration Authority (RA)



Advanced Mode Log Menu


Use the Log menu to manage the log. The following submenus and options are available:
Enable or Disable: Clicking enable starts collecting events; clicking disable stops
collecting events.
Clear: Erases the events displayed on the log tab (and log window).
Log Settings: Allows you to change the logging levels of event classes.
Log Window: Displays a separate window that shows events. From this window, you can
save the display, edit logging levels by event class, and clear both log displays. This
window shows more events than the display area of the main advanced mode window.
Search Log: Displays a dialog box where you enter the exact string to be matched. The
search string is not case sensitive, and wild cards are not supported. Matched instances are
highlighted on the log tab, not the log window.
Save: Stores the current log in a specified log file.

Advanced Mode Options Menu


Use the Options menu to perform actions such as launching an application. The following
submenus and options are available:
Application Launcher: Allows you to start an application before connecting to a VPN
device.
Windows Logon Properties: Allows you to control logon features for the Windows NT
platform. The following logon features are available:
— Ability to start a connection before logging on to a Windows NT system
— Permission to launch a third-party application before logging on to a Windows NT
system
— Control of autodisconnect behavior when logging off
Stateful Firewall (Always On): Enables and disables the internal stateful firewall.
Simple Mode: Switches to simple mode.
Preferences: Allows you to set the following features:
— Save window settings: Saves any changes you make to the Cisco VPN Client
window
— Hide upon connect: Places the Cisco VPN Client window in the dock when the
VPN connection is established
— Enable tool tips: Enables tool tips for the toolbar action buttons



Using the Advanced Mode Tab Right Click Menus
This topic describes the right-click tab menus from the Connection Entries tab, the Certificates
tab, and the Log tab for frequently performed operations.

Connection Entries Tab—Right Click Menu


The figure shows the right-click menu options available when a connection entry is highlighted
on the Connection Entries tab display. The menu options are as follows:
Connect: Uses the selected connection entry to connect to a VPN device.
Disconnect: Ends the current VPN session.
Duplicate: Makes a copy of the selected connection entry. This action allows you to create
a new connection entry using the configuration from a current connection entry as a
template.
Delete: Erases the selected connection entry.
Create Shortcut: Places a link to the connection entry on your desktop.
Modify: Allows you to edit the properties of the current connection entry (for example, its
name, host name, and so on).
Erase Saved User Password: Deletes the user password that is saved on the VPN Client
workstation and forces the VPN Client to prompt you for a password each time you
establish a connection.
Set as Default Connection Entry: Uses the selected connection entry as the default.

Certificates Tab—Right Click Menu


The figure shows the right-click menu options available when the Certificates tab is forward
and a certificate entry is highlighted. The menu options are as follows:
View: Allows you to view the properties of the selected certificate.
Export: Allows you to send the selected certificate to a specified file location.
Verify: Verifies that the selected certificate is valid.
Delete: Erases the selected certificate.
Change Certificate Password: Allows you to update the password that protects the
certificate in the VPN Client certificate store.
Retry Certificate Enrollment: Allows you to try a previous certificate enrollment again.



Log Tab—Right Click Menu


The figure shows the right-click menu options available when the Log tab is forward. The
menu options are as follows:
Copy: Removes the selected item from the current context and saves a copy to the
clipboard.
Select All: Selects the entire contents of the log file, usually in preparation for another
operation.

Creating a New Connection
This topic describes the process required to create a new connection.

Creating a New Connection—Authentication

Figure callout: Concentrator Authentication. The end user never sees this after initial
configuration.

To use the VPN Client, you must create at least one connection entry that identifies the
following information:
The VPN device: The remote server to access.
Preshared keys: The IPSec group to which the system administrator assigned you. Your
group determines how you access and use the remote network. For example, your group
specifies access hours, number of simultaneous logins, user authentication method, and the
IPSec algorithms that your VPN Client uses.
Certificates: The name of the certificate that you are using for authentication.
Optional parameters: Parameters that govern VPN Client operation and connection to the
remote network.

You can create multiple connection entries if you use your VPN Client to connect to multiple
networks (not simultaneously) or if you belong to more than one VPN remote access group.

Clicking New from the toolbar or the Connection Entries menu displays the Create New VPN
Connection Entry window. The following parameters must be entered:
Connection Entry: You must enter a unique name to identify this connection (for
example, Engineering). The name can contain spaces, and it is not case sensitive.
Description: This field is optional, but it helps further identify this connection (for
example, Connection to Engineering remote server).
Host: You must provide the host name or IP address of the remote VPN device you want to
access.



Under the Authentication tab, you must choose whether you are going to be using group or
certificate authentication and fill in the required fields as follows:
Name: The name of the IPSec group to which you belong. This entry is case sensitive.
Password: The password (which is also case sensitive) for your IPSec group. The field
displays only asterisks.
Confirm Password: Verify your password by entering it again.

For certificates to be exchanged, the Certificate radio button must be clicked. In the Name
drop-down menu, any personal certificates loaded on your PC are listed. Choose the certificate
to be exchanged with the Concentrator during connection establishment. If no personal
certificates are loaded in your PC, the drop-down menu is blank. Clicking the Validate
Certificate button checks the validity of the Software Client certificate.

Creating a New Connection—Transport

Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure
gateway through a router that is acting as a firewall, and that may also be performing Network
Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling
encapsulates Protocol 50 Encapsulating Security Payload (ESP) traffic within User Datagram
Protocol (UDP) packets and can allow for both IKE (UDP 500) and Protocol 50 traffic to be
encapsulated in TCP packets before it is sent through the NAT or PAT devices or firewalls. The
most common application for transparent tunneling is behind a home router performing PAT.
The central-site group in the Cisco VPN device must be configured to support transparent
tunneling. This parameter is enabled by default. Disable this parameter by unchecking the
check box under the Transport tab. It is recommended that you always keep this parameter
selected. Not all devices support multiple simultaneous connections behind them. Some cannot
map additional sessions to unique source ports. Be sure to check with the vendor of your device
to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) PAT (IPSec
pass-through), which might let you operate without enabling transparent tunneling.

You must choose a mode of transparent tunneling, over UDP or over TCP. The mode you use
must match that used by the secure gateway to which you are connecting. Either mode operates
properly through a PAT device. Multiple simultaneous connections might work better with
TCP. If you are in an extranet environment, then in general, TCP mode is preferable. UDP does
not operate with stateful firewalls; in that case, you should use TCP.

The following transport tunneling options are available:


Using IPSec over UDP (NAT/PAT): Enable IPSec over UDP (NAT/PAT) by clicking the
IPSec over UDP (NAT/PAT) radio button. With UDP, the port number is negotiated. UDP
is the default mode.
Using IPSec over TCP (NAT/PAT/Firewall): Enable IPSec over TCP by clicking the
Using IPSec over TCP radio button. When using TCP, you must also enter the port number
for TCP in the TCP port field. This port number must match the port number configured on
the secure gateway. The default port number is 10000.

Creating a New Connection—Allowing Local LAN Access

This screen is found via Status > Statistics > Route Details.

In a configuration of multiple network interface cards, local LAN access pertains only to
network traffic on the interface on which the tunnel was established. The Allow Local LAN
Access parameter gives you access to the resources on your local LAN (printer, fax, shared
files, and other systems) when you are connected through a secure gateway to a central-site
VPN device. When this parameter is enabled and when your central site is configured to permit
it, you can access local resources while you are connected. When this parameter is disabled, all
traffic from your Cisco VPN Client system goes through the IPSec connection to the secure
gateway.

To enable this feature, check the Allow Local LAN Access check box; to disable this feature,
uncheck the check box. If the local LAN you are using is not secure, you should disable this
feature. For example, you would disable this feature when you are using a local LAN in a hotel
or airport.

A network administrator at the central site configures a list of networks at the VPN Client side
that you can access. You can access up to ten networks when this feature is enabled. When
local LAN access is allowed and you are connected to a central site, all traffic from your
system goes through the IPSec tunnel except traffic to the networks excluded from doing so (in
the network list).

When this feature is enabled and configured on the Cisco VPN Client and permitted on the
central-site VPN device, you can see a list of the local LANs available by looking at the Routes
table.

Adjusting the Peer Response Timeout Value

The Cisco VPN Client uses a keepalive mechanism called dead peer detection (DPD) to check
the availability of the VPN device on the other side of an IPSec tunnel. If the network is
unusually busy or unreliable, you might need to increase the number of seconds to wait before
the Cisco VPN Client decides that the peer is no longer active. The default number of seconds
to wait before terminating a connection is 90 seconds. The minimum number you can configure
is 30 seconds, and the maximum is 480 seconds.

Adjust the setting by entering the number of seconds in the Peer Response Timeout field. The
Cisco VPN Client continues to send DPD requests every 5 seconds until it reaches the number
of seconds specified by the peer response timeout value.

Creating a New Connection—Backup Servers

The private network may include one or more backup VPN servers to use if the primary server
is not available. Your system administrator tells you whether to enable backup servers.
Information on backup servers can download automatically from the Cisco VPN 3000 Series
concentrator, or you can manually enter this information.

The Backup Servers tab provides three options:


Removing backup servers: To remove a server from the backup list, select the server in
the list and click the Remove button. The VPN Client displays a dialog box asking you to
confirm the deletion. The server name no longer appears in the list. If you click Cancel in
the dialog box after a modification like Remove, the item is not removed from the .pcf file.
You must click the Save button to make any changes on any of the tabs permanent.
Changing the order of the servers: When it is necessary, the VPN Client tries the backup
servers in the order in which they appear in the backup servers list, starting at the top. To
reorder the servers in the list, select a server and click the Up Arrow key to increase the
server priority or the Down Arrow key to decrease the server priority.
Disabling backup servers: You can disable the use of backup servers without removing
backup servers from the list by unchecking the Enable Backup Servers check box.

Creating a New Connection—Dial-Up


You can enable and configure a connection to the Internet through dial-up networking by
checking the Connect to Internet via dial-up check box. This feature is not selected by default.

You can connect to the Internet using the Cisco VPN Client application in either of the
following ways:
Microsoft Dial-Up Networking (DUN): If you have DUN phonebook entries and have
enabled the Connect to Internet via dial-up feature, Microsoft DUN is enabled by default.
To link your Cisco VPN Client connection entry to a DUN entry, click the Phonebook
Entry drop-down arrow and choose an entry from the menu. The Cisco VPN Client then
uses this DUN entry to dial automatically into the Microsoft network before making the
VPN connection to the private network.
Third-party dial-up program: If you have no DUN phonebook entries and have enabled
the Connect to Internet via dial-up feature, then the third-party dial-up application is
enabled by default. Click the Browse button to enter the name of the program in the
Application field. This application launches the connection to the Internet. The string you
choose or enter in this field is the path name to the command that starts the application and
the name of the command; for example: c:\isp\ispdialer.exe dialEngineering. Your network
administrator might have set this up for you.



Preconfigure the Client for Remote Users
This topic describes the remote-user preconfiguration process.

Preconfigure Client for Remote Users

An administrator has the ability to preconfigure Cisco VPN Software Clients. A folder is placed
on the remote user PC. Inside the folder is a copy of the Cisco VPN Client software plus three
additional files:
oem.ini: Installs the client without user intervention.
vpnclient.ini: A global profile that you use to set certain standards for all profiles. If this
file is bundled with the client software, it automatically configures the client global
parameters when it is first installed.
.pcf: Creates connection entries within the dialer application. If this file is bundled with the
client software, it automatically configures the Cisco VPN Client connection parameters
when it is first installed. There is one user profile for each .pcf file.

The administrator creates these files using a text editor and places them in the local file system
of the remote user. The files must be located in the same folder as the client setup.exe file.

Note The easiest way to create a profile for the Windows platforms is to run the Cisco VPN Client
and use the Cisco VPN Client GUI to configure the parameters. When you have created a
profile in this way, you can copy the .pcf file to a distribution disk for your remote users. This
approach eliminates errors you might introduce by typing the parameters, and the group
password is automatically converted to an encrypted format.

.pcf File

The .pcf file contains all the client configuration parameters. Profiles are created in two ways:
The remote user creates connection entries via the new connection wizard. The output of
the new connection wizard is a .pcf file.
The administrator creates .pcf files using a text editor and places them in the local file
system of the remote user: the C:\Program Files\Cisco Systems\VPN Client\Profiles
directory.

Each connection has its own .pcf file that can be viewed and edited in Notepad. If this file is
bundled with the client software, the installer automatically configures the client when the
client is first installed.

To make a parameter read-only so that the client user cannot change it within the GUI, put an
exclamation mark (!) before the parameter name.
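As an added example (not Cisco's code or part of this lesson), the following Python script parses a constructed .pcf profile, honours the read-only "!" prefix described above, and audits the profile against the transport, local LAN access, peer response timeout and password guidance given earlier in this lesson. The parameter names used (Host, AuthType, GroupName, GroupPwd, enc_GroupPwd, EnableNat, TunnelingMode, TcpTunnelingPort, EnableLocalLAN, PeerTimeout, SaveUserPassword) are the documented .pcf keys; the sample values are constructed.

```python
"""Audit a Cisco VPN Client .pcf connection profile against this lesson's
guidance: keep transparent tunneling on, disable local LAN access on untrusted
LANs, keep the peer response timeout within 30-480 seconds, and do not distribute
cleartext or saved passwords. Added example, not Cisco's code; sample is constructed."""

from typing import Dict, List, Set, Tuple

# Constructed sample with several weak settings. A leading "!" makes a
# parameter read-only in the GUI, as the lesson describes.
SAMPLE_PCF = """\
[main]
Description=Connection to Engineering remote server
Host=vpn.example.com
AuthType=1
GroupName=Engineering
GroupPwd=s3cret
!EnableNat=1
TunnelingMode=1
TcpTunnelingPort=10000
EnableLocalLAN=1
PeerTimeout=600
SaveUserPassword=1
"""

Profile = Tuple[Dict[str, str], Set[str]]  # (parameters, read-only names)

def parse_pcf(text: str) -> Profile:
    """Parse name=value lines; strip the '!' prefix but remember it."""
    params: Dict[str, str] = {}
    readonly: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment, or the [main] section header
        if "=" not in line:
            raise ValueError(f"malformed .pcf line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        if name.startswith("!"):
            name = name[1:]
            readonly.add(name)
        params[name] = value
    return params, readonly

def timeout_ok(value: str) -> bool:
    """PeerTimeout must be 30..480 seconds (default 90)."""
    return value.isdigit() and 30 <= int(value) <= 480

def audit_pcf(profile: Profile) -> List[str]:
    """Return one finding per deviation from the lesson's guidance."""
    params, _readonly = profile
    findings: List[str] = []
    for name in ("Host", "AuthType"):
        if name not in params:
            findings.append(f"missing required parameter {name}")
    if params.get("AuthType") == "1" and "GroupName" not in params:
        findings.append("group authentication selected but GroupName is missing")
    if "GroupPwd" in params:  # the GUI rewrites this as enc_GroupPwd
        findings.append("GroupPwd is stored in cleartext; distribute enc_GroupPwd")
    if params.get("EnableNat", "1") != "1":
        findings.append("transparent tunneling disabled; keep it enabled")
    if params.get("TunnelingMode") == "1":  # 1 = IPSec over TCP, 0 = over UDP
        port = params.get("TcpTunnelingPort", "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append("IPSec over TCP selected but TcpTunnelingPort is invalid")
    if params.get("EnableLocalLAN") == "1":
        findings.append("local LAN access enabled; disable it on untrusted LANs")
    timeout = params.get("PeerTimeout", "90")
    if not timeout_ok(timeout):
        findings.append(f"PeerTimeout={timeout} is outside the 30-480 second range")
    if params.get("SaveUserPassword") == "1":
        findings.append("SaveUserPassword=1 keeps the user password on the workstation")
    return findings

def harden_pcf(profile: Profile) -> Profile:
    """Return a copy with the lesson's safe values, locked read-only."""
    params, readonly = dict(profile[0]), set(profile[1])
    params["EnableNat"] = "1"
    params["EnableLocalLAN"] = "0"
    params["SaveUserPassword"] = "0"
    if not timeout_ok(params.get("PeerTimeout", "90")):
        params["PeerTimeout"] = "90"  # back to the default
    readonly.update({"EnableNat", "EnableLocalLAN", "SaveUserPassword"})
    return params, readonly

def render_pcf(profile: Profile) -> str:
    """Serialize back to .pcf text, restoring the '!' read-only prefixes."""
    params, readonly = profile
    lines = ["[main]"]
    for name, value in params.items():
        lines.append(("!" if name in readonly else "") + f"{name}={value}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    profile = parse_pcf(SAMPLE_PCF)
    for finding in audit_pcf(profile):
        print("finding:", finding)
    print(render_pcf(harden_pcf(profile)))
```

The group password cannot be converted offline; as the note above says, create the profile in the GUI so that it is written as enc_GroupPwd before distribution.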

oem.ini—Installing the Cisco VPN Client without user intervention

Figure callouts: Silent Mode; name of the destination folder; whether or not to restart the
system after the silent installation.

The oem.ini file installs the client without user intervention. The administrator can create an
oem.ini file in Notepad. For Silent Mode, enter 0 or 1:
1: Activates silent installation (do not prompt user)
0: Prompts the user during installation

After the oem.ini file is created, identify the path name of the folder that will contain the
client software. The default path name to the Cisco VPN Client software is
C:\Program Files\Cisco Systems\VPN Client.

To reboot the system after installation, enter 1 or 2 after Reboot. Depending on the number, the
following will occur:
If silent mode is on (1) and reboot is 1, the system automatically reboots after installation.
If silent mode is on (1) and reboot is 2, the system does not reboot after the installation.

VPN Software Client Programs
This topic describes additional programs available from the Microsoft Windows Start menu.
Some of these are packaged with the Cisco VPN Client and some are packaged with Microsoft
Windows 2000 and Microsoft Windows XP.

Client Program Menu


After the client has been installed, the client program menu is accessed by choosing Start >
Programs > Cisco Systems VPN Client. Under the Cisco Systems VPN Client menu, a number
of options are available:
Help: Accesses client help text. Help is also available by doing the following:
— Pressing F1 at any window while using the Cisco VPN Client.
— Clicking the Help button on windows that display it.
— Clicking the logo in the title bar.
Set MTU: The client automatically sets the MTU size to approximately 1420 bytes. For
specific applications, Set MTU can change the MTU size to fit a specific scenario.
Uninstall Software Client: Only one client can be loaded at a time. When you are
upgrading, you must uninstall the old client before installing the new client. Choose this
option to remove the old client.

Setting MTU Size

The Set MTU option is used primarily for troubleshooting connectivity problems. For specific
applications where fragmentation is still an issue, Set MTU can change the MTU size to fit the
specific scenario. The Cisco VPN Client automatically adjusts the MTU size to suit your
environment; therefore, running this application should not be necessary.

The MTU parameter determines the largest packet size in bytes that the client application can
transmit through the network. If the MTU size is too large, the packets may not reach their
destination. Adjusting the size of the MTU affects all applications that use the network adapter.
Therefore, the MTU setting you use can affect the performance of your PC on the network.
MTU sizing affects fragmentation of IPSec and IPSec through NAT mode packets to your
connection destination. A large size (for example, more than 1300) can increase fragmentation.
Using a size of 1300 or smaller usually prevents fragmentation. Fragmentation and reassembly
of packets at the destination causes slower tunnel performance. Also, many firewalls do not let
fragments through.

To implement a different MTU size, choose the network adapter in the Network Adapters
(IPSec only) field. In the example in the figure, Dial-up Networking is selected. In the MTU
Options group box, set the MTU option size by clicking the appropriate radio button. You must
reboot for MTU changes to take effect.

Virtual Adapter

A virtual adapter is a software-only driver that acts as a valid interface in the system. The
purpose of a virtual adapter is to solve protocol incompatibility problems. The virtual adapter
appears in the network properties list just like a physical network adapter and displays all the
information you would usually find under any other network adapter that is installed. It is
available on Windows 2000 and XP only.



Concentrator Connection Status
This topic describes the session monitoring features of the VPN 3000 Series concentrator.

Viewing Connected Clients—Connection Status


The VPN 3000 Series concentrator tracks many statistics and the status of many items essential
to system administration and management. Use the VPN Concentrator Series Manager
Monitoring windows to view all those status items and statistics. You can view the state of
LEDs that show the status of hardware subsystems in the device and the statistics that are
stored and available in standard MIB-II data objects.

The figure shows comprehensive data for all active user and administrator sessions on the VPN
3000 Series concentrator. It has four topics:
Session Summary: This topic gives you an overview of all the sessions as well as total
active, peak concurrent, and total concurrent sessions.
LAN-to-LAN Sessions: This topic displays individual LAN-to-LAN sessions. In the
figure, there are currently no LAN-to-LAN sessions.
Remote Access Sessions: This topic displays statistics on all the remote access sessions. In
the figure, there is currently one active session. The username is student1, and it belongs to
the Training group. The virtual IP address assigned is 10.0.1.70, and the tunneling protocol
is IPSec, using Triple-Data Encryption Standard (3DES) for encryption.
Management Sessions: This topic displays information on all the current management
users. In the figure, the IP address of the admin user is 10.0.1.70.

Viewing Connected Clients—Status Details


The Monitoring > Sessions window displays basic information about an individual session.
However, more in-depth statistics may be required. By double-clicking the remote access
username, the administrator can access session details. Session details provide specific IKE and
IPSec session information and bandwidth statistics. They also provide a breakdown of the
authentication modes, encryption and hash algorithms, Diffie-Hellman (DH) groups, and rekey
intervals for both the IKE and IPSec sessions.

These Manager screens show detailed parameters and statistics for a specific remote-access or
LAN-to-LAN session. The parameters and statistics differ depending on the session protocol.
There are unique screens for the following:
IPSec LAN-to-LAN (IPSec/LAN-to-LAN)
IPSec remote access (IPSec User)
IPSec through UDP (IPSec/UDP)
IPSec through TCP (IPSec/TCP)
Layer 2 Transport Protocol (L2TP)
L2TP over IPSec (L2TP/IPSec)
Point to Point Tunneling Protocol (PPTP)

The Manager displays the appropriate screen when you click a highlighted connection name or
username on the Monitoring > Sessions screen. The figure shows an example of one kind of
detail screen. Depending on the type of connection you select, your detail screen might look
somewhat different from the example shown, but each session detail screen shows three
tables: summary data, bandwidth management information, and detail data. The summary data
echoes the session data from the Monitoring > Sessions screen. The Bandwidth Statistics table
shows information about the effect of policing on that session. The session detail table shows
all the relevant parameters for each session and subsession.



Summary
This topic summarizes the key points discussed in this lesson.

Summary

• The VPN Client for Windows works with the VPN server to
establish secure connections.
• The VPN Client user interface provides a Simple Mode and an
Advanced Mode for establishing a VPN connection. New
connections are established through the interface.
• The Advanced Mode menus allow several configuration options.
• The Advanced Mode right-click menus provide shortcuts for
frequently performed configuration operations.
• Administrators can preconfigure software client parameters.
• Other VPN Client programs allow you to modify configurations,
set MTU size and uninstall without losing the connection or
configured parameters.
• Windows includes a virtual adapter.
• Client sessions can be monitored from the VPN 3000 Series
concentrator.


Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and
solutions are found in the Lesson Self-Check Answer Key.

Q1) Which two of the following tasks can be completed using the Simple mode to run the
Cisco VPN Client? (Choose two.) (Source: The Software Client for Windows)
A) manage the Cisco VPN Client
B) configure connection entries
C) start the Cisco VPN Client application
D) connect to a VPN device using the default connection entry
E) enroll for and manage certificates
Q2) What does the Allow Local LAN Access parameter provide? (Source: Creating a New
Connection)

______________________________________________________________________

______________________________________________________________________

Q3) Which of the following three preconfiguration files contains the information that will
install the Cisco VPN Software Client without user intervention? (Source: Preconfigure
Client for Remote Users)
A) oem.ini
B) vpnclient.ini
C) .pdf
Q4) How can you make a parameter read-only so that the Cisco VPN Software Client user
cannot change it within the GUI? (Source: Preconfigure Client for Remote Users)

______________________________________________________________________



Lesson Self-Check Answer Key
Q1) C, D

Q2) The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer,
fax, shared files, and other systems) when you are connected through a secure gateway to a central-site
VPN device. When this parameter is enabled and when your central site is configured to permit it, you can
access local resources while you are connected.

Q3) A

Q4) Put an exclamation mark (!) before the parameter name.

Module Summary
This topic summarizes the key points discussed in this module.

Module Summary

• IPSec technology is used to build secure VPNs. IPSec technology
provides encryption, data integrity and authentication.
• Cisco VPN solutions include products that provide remote access,
site-to-site, and firewall-based VPN solutions. These products include
the Cisco VPN 3000 Series concentrator and VPN Clients, VPN-
optimized routers and the PIX Security Appliance VPN-based product
family.
• Basic operational settings for a VPN connection can be established
using the Quick Configuration feature in the Cisco VPN 3000 Series
concentrator and the VPN 3000 Concentrator Series Manager GUI.
• The VPN 3000 Concentrator Series Manager is the recommended
interface for configuring group and user parameters.
• The Cisco VPN Software Client for Windows is used with the Cisco
VPN server to establish a secure connection.


This module described how to use Cisco technologies and products to establish IPSec VPNs for
site-to-site, remote access and firewall VPNs.

References
For additional information, refer to these resources:
Cisco Systems Inc. VPN 3000 Series Concentrator Getting Started, Release 4.1.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00801f0e16.html
Cisco Systems Inc. VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.1.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00801f1c6d.html
Cisco Systems Inc. VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.1.
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_administration_guide_book09186a00801f1eb9.html
Cisco Systems Inc. VPN Client User Guide for Windows, Release 4.6.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_book09186a008031f122.html



SND

Securing Cisco
Network Devices
Version 1.0

Lab Guide
Copyright 2005, Cisco Systems, Inc. All rights reserved.


DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY
OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO
SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY,
NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING,
USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be
accurate, it falls subject to the disclaimer above.
SND

Lab Guide

Overview
This guide presents the instructions and other information concerning the activities for this
course. You can find the solutions in the activity Answer Key.

Outline
This guide includes these activities:
Lab 1-1: Discovering Network Vulnerabilities and Threats
Lab 2-1: Securing Cisco Router Administrative Access
Lab 2-2: Configuring AAA for Cisco Routers
Lab 2-3: Configuring Cisco Secure ACS for Windows Server
Lab 2-4: Disabling Unused Cisco Router Network Services and Interfaces
Lab 3-1: Configuring the PIX Security Appliance with the PDM
Lab 4-1: Completing Basic Sensor Configuration with the Cisco IDS Device Manager
Lab 5-1: Configuring a Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-
shared Keys
Lab 5-2: Configuring the Cisco VPN 3000 Series Concentrator using the Cisco VPN
Software Client for Windows

Copyright 2005, Cisco Systems, Inc. SND V1.0 Lab Guide 1


Lab 1-1: Discovering Network Vulnerabilities and
Threats
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity you will discover vulnerabilities that open networks to attacks. After completing
this activity, you will be able to meet these objectives:
Port scan a host using a command-line utility (Netcat)
Scan a network using a vulnerability scanner to discover network services and
vulnerabilities using Blue’s Port Scanner
Analyze network traffic with Ethereal
Scan a host using Microsoft Baseline Security Analyzer

Visual Objective
The figure illustrates the network topology you will use in this lab exercise.

SND Lab Topology
[Figure: network diagram for Pod P (1–10). Labels on the figure: VPN Client 172.26.26.P; Public 172.26.26.0/24; RBB; 172.30.P.0/24; Organization Network 192.168.P.0/24; rP (e0/0, e0/1); pPp (e0, e2, e4; pub, priv); DMZ 172.16.P.0/24 with PSS (WWW, FTP); VPN Zone 172.18.P.0/24 with vP; Private 10.0.P.0/24 with Super Server (WWW, FTP), sensorP, RTS, and PC1 10.0.P.11]

This topology represents a typical enterprise network with a demilitarized zone (DMZ). You
will enter the network from your student PC (10.0.P.11), which has a number of
management applications and clients in its image.

You will enter the network through a PIX Security Appliance and have access to the perimeter
router (pP) and the DMZ. There is a sensor protecting the Super Server (WWW, FTP, and so
on), a remote terminal server (RTS), and a concentrator located in the DMZ.

The perimeter router (rP) forms the key element in the security solution you will develop over
this course. There is also a backbone router (RBB) which connects outside and a branch office
topology (brB).

Required Resources
In this configuration, a pod consists of one learner and one laptop with access to the lab
network. These are the resources and equipment required to complete this activity:
The following software must be installed on each student PC:
— Netcat 1.11
— Blue’s Port Scanner v.5
— Tera Term 2.3
— Microsoft Baseline Security Analyzer

Command List
There are no Cisco IOS software or Cisco Catalyst switch commands in this activity.

Job Aids
These job aids are available to help you complete the lab activity.
Value Information Provided by Your Instructor
Pod Number/Router Number
REMOTE IP
REMOTE Port
REMOTE Username and Password

Task 1: Port Scan a Host Using Netcat


In this task you will use Netcat to scan the ports on a host computer.

Activity Procedure
Complete these steps:
Step 1 Change the directory to the one where Netcat resides. (The directory may vary from
PC to PC. Normally the instructor will have put it into C:\Hack101\). Start Netcat
from the DOS command prompt window.

Step 2 At the command prompt window, enter nc -h. This will list all the command line
options available in Netcat. Note the meanings of the -v, -z, -n, and -w options.
Step 3 Using the flags provided in the list of options, start a port scan on the target host or
other devices as specified by the instructor. Enter nc -v -z -n -w 3 172.16.P.50 20-443.

Note If you specify the 20-1742 port range, it may take some time to produce the scan results. To
produce faster scan results, specify a smaller port range.



Activity Verification
After a few minutes, Netcat will display a list of open ports on the network. You have
completed this task when you attain results similar to these:
(UNKNOWN) [172.16.P.50] 443 (https) open
(UNKNOWN) [172.16.P.50] 139 (netbios-ssn) open
(UNKNOWN) [172.16.P.50] 135 (epmap) open
(UNKNOWN) [172.16.P.50] 80 (http) open
(UNKNOWN) [172.16.P.50] 25 (smtp) open
(UNKNOWN) [172.16.P.50] 21 (ftp) open
(Where P is your pod number)
Using this information, an attacker can discover what services are running on the server
172.16.P.50.

Task 2: Scan a Network Using a Vulnerability Scanner to Discover Network Services and Vulnerabilities
In this task you will use the student PC to scan the public services segment server for services
and vulnerabilities.

Activity Procedure
Complete these steps:

Step 1 Double-click the Blue’s Port Scanner icon on your desktop.

Step 2 Enter the IP address for the public services segment server in the Start field
172.16.P.50 (Where P is your pod number).

Step 3 Enter the IP address for the public services segment server in the End field
172.16.P.50 (Where P is your pod number).

Step 4 Click the Show List button. The Ports to Scan window opens.
Step 5 Click the Check All button on the right side of the window.
Step 6 Close the window.
Step 7 Click the Start scan button.

Step 8 When the scan has completed, view the results in the main window.

Activity Verification
The results of the port scan will appear in a window as shown in the figure. In this example, the
same services are displayed. Your results may vary.

TCP: 172.16.3.5 [21-ftp]
TCP: 172.16.3.5 [25-smtp]
TCP: 172.16.3.5 [80-www-http]
TCP: 172.16.3.5 [135-epmap]
TCP: 172.16.3.5 [139-netbios-ssn]
TCP: 172.16.3.5 [443-https]
TCP: 172.16.3.5 [445-microsoft-ds]
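A defender's use of the two scan listings above (Tasks 1 and 2), as an added example that is not part of the course material: it parses the Netcat and Blue's Port Scanner output formats and compares the open ports found on the public services segment server with an approved-services baseline, so unexpected listeners stand out. The pod 3 scan lines and the baseline are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example (not from the Cisco course material): read the open-port listings produced
# by Netcat (Task 1) and Blue's Port Scanner (Task 2) and compare them with the services the
# public services segment server is approved to expose. Sample data below is constructed.

# Netcat verbose line, e.g.  (UNKNOWN) [172.16.3.50] 443 (https) open
NETCAT_LINE = re.compile(r"\[(?P<host>[\d.]+)\]\s+(?P<port>\d+)\s+\((?P<svc>[^)]*)\)\s+open\b")
# Blue's Port Scanner line, e.g.  TCP: 172.16.3.50 [443-https]
BLUES_LINE = re.compile(r"TCP:\s+(?P<host>[\d.]+)\s+\[(?P<port>\d+)-(?P<svc>[^\]]*)\]")


def parse_scan(text: str) -> Dict[str, Dict[int, str]]:
    """Return {host: {port: service}} from either scanner's output; other lines are ignored."""
    found: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        m = NETCAT_LINE.search(line) or BLUES_LINE.search(line)
        if m:
            found.setdefault(m["host"], {})[int(m["port"])] = m["svc"]
    return found


def merge_scans(*outputs: str) -> Dict[str, Dict[int, str]]:
    """Union of several scan listings (one tool may miss a port the other saw)."""
    merged: Dict[str, Dict[int, str]] = {}
    for text in outputs:
        for host, ports in parse_scan(text).items():
            merged.setdefault(host, {}).update(ports)
    return merged


def exposure_report(found: Dict[str, Dict[int, str]],
                    baseline: Dict[str, Set[int]]) -> Dict[str, Tuple[List[int], List[int]]]:
    """Per baseline host: (open ports that are not approved, approved ports not seen open)."""
    report: Dict[str, Tuple[List[int], List[int]]] = {}
    for host, approved in baseline.items():
        open_ports = set(found.get(host, {}))
        report[host] = (sorted(open_ports - approved), sorted(approved - open_ports))
    return report


# Constructed sample output for pod 3, shaped like the results shown in Tasks 1 and 2.
NETCAT_OUTPUT = """\
(UNKNOWN) [172.16.3.50] 443 (https) open
(UNKNOWN) [172.16.3.50] 139 (netbios-ssn) open
(UNKNOWN) [172.16.3.50] 135 (epmap) open
(UNKNOWN) [172.16.3.50] 80 (http) open
(UNKNOWN) [172.16.3.50] 25 (smtp) open
(UNKNOWN) [172.16.3.50] 21 (ftp) open
"""
BLUES_OUTPUT = """\
TCP: 172.16.3.50 [21-ftp]
TCP: 172.16.3.50 [25-smtp]
TCP: 172.16.3.50 [80-www-http]
TCP: 172.16.3.50 [135-epmap]
TCP: 172.16.3.50 [139-netbios-ssn]
TCP: 172.16.3.50 [443-https]
TCP: 172.16.3.50 [445-microsoft-ds]
"""
# Constructed baseline: the public server should expose only FTP, SMTP, HTTP and HTTPS.
APPROVED = {"172.16.3.50": {21, 25, 80, 443}}

if __name__ == "__main__":
    found = merge_scans(NETCAT_OUTPUT, BLUES_OUTPUT)
    for host, (unexpected, missing) in exposure_report(found, APPROVED).items():
        print(f"{host}: unexpected open ports {unexpected}, approved but closed {missing}")
```

The RPC and SMB ports (135, 139, 445) reported open on an Internet-facing server are the kind of exposure this comparison is meant to surface before an attacker finds them with the same tools.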

Task 3: Analyze Network Traffic with Ethereal


In this task, you will analyze network traffic with Ethereal.

Activity Procedure
Complete these steps:
Step 1 Double-click the Ethereal icon on your desktop.

Step 2 Choose Capture > Start. The Capture Preferences window opens.

Step 3 Click OK to start capturing the traffic.

Step 4 After about 5 minutes or when told by the instructor, click STOP.

Activity Verification
You have completed this task when the Ethereal window is populated with the network traffic
that has been captured. Examine the traffic to see what type of information is available.



Task 4: Scan a Host Using Microsoft Baseline Security
Analyzer
In this task, you will use the student PC to scan for vulnerabilities.

Activity Procedure
Complete these steps:

Step 1 Double-click the Microsoft Baseline Security Analyzer icon on your desktop.

Step 2 Click the Scan a Computer button. The Pick a Computer to Scan page is displayed.

Step 3 Enter the IP address of your student PC in the IP address field 10.0.P.11 (Where P is
your pod number) and select all scanning options.

Step 4 Click the Start Scan button.

Step 5 When the scan has completed, view the results in the main window.

Activity Verification
The scan will list a number of security vulnerabilities and look similar to the output in the
figure.

Lab 2-1: Securing Cisco Router Administrative
Access
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity you will be able to secure Cisco router administrative access. After completing
this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Configure password minimum length
Configure the enable secret password
Configure the console port line-level password
Configure the vty line-level password
Configure the auxiliary port line-level password
Encrypt clear text passwords
Test administrative access security
Configure enhanced username password security

Visual Objective
The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-1: Securing Cisco Router Administrative Access

[Figure: the same SND Lab Topology as in Lab 1-1 (Pod P: PC1 10.0.P.11 on Private 10.0.P.0/24, rP, pPp, vP, PSS, Super Server, sensorP, RTS)]

Required Resources
There is no change in the resources required to complete this activity.

Command List
The table describes the commands used in this activity.

Command Description

show run: Shows the running configuration on the router

config terminal: Enters global configuration mode

security passwords min-length: This command provides enhanced security access to the
router by allowing you to specify a minimum password length, eliminating common
passwords that are prevalent on most networks, such as “lab” and “cisco.” This command
affects user passwords, enable passwords and secrets, and line passwords. After this
command is enabled, any password that is less than the specified length will fail.

enable password: Sets a local password to control access to various privilege levels

enable secret: Specifies an additional layer of security over the enable password command

login: Enables password checking on login

line vty: Applies the configuration to vtys (virtual teletypes—terminals)

line aux: Applies the configuration to auxiliary terminals

password

service password-encryption: Encrypts passwords

Job Aids
There are no additional job aids for this activity.

Task 1: Complete the Lab Exercise Setup


In this task you will set up your training pod equipment.

Activity Procedure
Complete these steps:

Step 1 Ensure that your student PC is powered on and Windows 2000 Server is operational.
Your instructor will provide you with the correct username and password to log into
the student PC.
Step 2 Configure your student PC for IP address 10.0.P.11 with a default gateway of
10.0.P.1 (Where P is your pod number).

Activity Verification
You should be able to ping the gateway router from the Windows command prompt (C:\>ping
10.0.P.1).



Task 2: Configure Password Minimum Length
In this task you will configure a minimum length for all router passwords.

Activity Procedure
Complete these steps:
Step 1 Access the RTS (IP 10.0.P.100) and connect to the console port of your perimeter
router (rP) (IP 192.168.P.150).
Step 2 Enter enable mode using a password of cisco. Your display should resemble the
following:
RP> enable
Step 3 Password: cisco. Your display should resemble the following:
RP#
Step 4 View the router running configuration using the show run command. Your display
should resemble the following:
RP# show run

Q1) Can you read the enable password?


_________________________________________________________

Step 5 Enter global configuration mode using the configure terminal command. Your
display should resemble the following:
RP# config terminal
RP(config)#
Step 6 Configure a minimum password length of eight characters using the security
passwords command. Your display should resemble the following:
RP(config)# security passwords min-length 8
RP(config)#

Note The password length may be limited by the Cisco IOS software version.

Step 7 Return to the enable prompt. Your display should resemble the following:
RP(config)# end
RP#

Activity Verification
You have completed this task when you can attain these results:
Check the answer key to ensure you have replied correctly to Question 1.
The results of Step 5 will be verified in the next task.

Task 3: Configure the Enable Secret Password
In this task you will configure an encrypted password on the perimeter router (rP) (Where P is
your pod number). The rP currently has enable password protection only. This enable password
is unencrypted by default.

Activity Procedure
Complete these steps:
Step 1 Attempt to configure an enable secret password of Curium using the enable secret
command (passwords are case sensitive). Your display should resemble the
following:
RP(config)# enable secret Curium

Q2) Does the router accept the new enable secret password? Why or why not?
_________________________________________________________
Step 2 Configure an enable secret password of Curium96 using the enable secret command
(passwords are case-sensitive). Your display should resemble the following:
RP(config)# enable secret Curium96
RP(config)# end
Step 3 Show the running configuration using the show run command. Your display should
resemble the following:
RP# show run

Q3) Can you read the enable secret password? Why or why not?
_________________________________________________________

Note Find the enable password in the router configuration listing. Notice that the enable password,
cisco, is shorter than the minimum length required of new passwords. This is because
minimum length only affects passwords created after the security passwords min-length
command is run. It has no effect on older passwords until you reboot the router. (This is an
important item for you to note when you configure your router passwords, and it is the
reason why it is a good idea to set the minimum password length first.) The next time you
reboot the router, an error message will inform you that the enable password is too short.

Activity Verification
You have completed this task when you attain these results:
Step 3 verifies this task.
Check the answer key to ensure you have replied correctly to Questions 2 and 3.

Task 4: Configure the Console Port Line-Level Password


By default, Cisco router console ports do not require a password for administrative access. In
this task you will configure a console port line-level password. (Where P is your pod number)

Activity Procedure
Complete these steps:
Step 1 Enter console 0 line configuration mode using the line console command. Your
display should resemble the following:
RP# config t
RP(config)# line console 0
RP(config-line)#
Step 2 Enable password checking on login using the login command. Your display should
resemble the following:
RP(config-line)# login
% Login disabled on line 0, until 'password' is set
RP(config-line)#
Step 3 Enter a new console line-level password of ConUser1 using the password command
(passwords are case sensitive). Your display should resemble the following:
RP(config-line)# password ConUser1
RP(config-line)# end
RP#
Step 4 Show the running configuration and view the line con 0 section.

Q4) Can you read the console line 0 line-level password? Why or why not?
________________________________________________________

Activity Verification
You have completed this task when you attain these results:
Step 4 verifies this task.
Check the answer key to ensure you have replied correctly to Question 4.

Task 5: Configure the vty Line-Level Password


By default, Cisco router vty lines do not have a line-level password for Telnet administrative
access. You must configure a vty line-level password before attempting to access the router
using Telnet. If vty login password checking is enabled, and no password is configured, the
router will not allow you to complete the Telnet connection. In this task you will configure a
vty line-level password for your router.

Activity Procedure
Complete these steps:
Step 1 Enter vty lines 0 to 4 configuration mode using the line vty command. Your display
should resemble the following:
RP# config t
RP(config)# line vty 0 4
RP(config-line)#
Step 2 Enable password checking on login using the login command. Your display should
resemble the following:
RP(config-line)# login

RP(config-line)#
Step 3 Enter a new vty line-level password of VTYUser1 using the password command
(passwords are case sensitive). Your display should resemble the following:
RP(config-line)# password VTYUser1
RP(config-line)# end
RP#
Step 4 Show the running configuration and view the line vty 0 4 section.

Q5) Can you read the vty line 0 4 line-level password? Why or why not?
________________________________________________________

Activity Verification
You have completed this task when you attain these results:
Step 4 verifies this task.
Check the answer key to ensure you have replied correctly to Question 5.

Task 6: Configure the Auxiliary Port Line-Level Password


By default, Cisco router auxiliary ports do not require a line-level password for administrative
access. In this task you will configure an auxiliary port line-level password for your router.

Activity Procedure
Complete these steps:

Step 1 Enter auxiliary line 0 configuration mode using the line aux command. Your display
should resemble the following:
RP# config t
RP(config)# line aux 0
RP(config-line)#
Step 2 Enable password checking on login using the login command. Your display should
resemble the following:
RP(config-line)# login
% Login disabled on line 65, until 'password' is set.
RP(config-line)#
Step 3 Enter a new auxiliary port line-level password of AuxUser1 using the password
command (passwords are case sensitive). Your display should resemble the
following:
RP(config-line)# password AuxUser1
RP(config-line)# end
RP#
Step 4 Show the running configuration and view the line aux 0 section.

Q6) Can you read the auxiliary line 0 line-level password? Why or why not?
________________________________________________________



Activity Verification
You have completed this task when you attain these results:
Step 4 verifies this task.
Check the answer key to ensure you have replied correctly to Question 6.

Task 7: Encrypt Clear Text Passwords


Up to this point, the only hashed password on the router has been the enable secret password.
Now that you have entered your line-level passwords for the console, vty, and auxiliary lines,
you should encrypt them as well. In this task you will encrypt the passwords you just
configured.

Activity Procedure
Complete these steps:
Step 1 Encrypt all clear text passwords using the service password-encryption command.
Your display should resemble the following:
RP# config t
RP(config)# service password-encryption
RP(config)# end
Step 2 Show the running configuration and view the passwords.

Q7) Can you read the passwords? Why or why not?


________________________________________________________
Q8) At what level (number) is the enable secret password encrypted?
________________________________________________________
Q9) At what level (number) are the other passwords encrypted?
________________________________________________________
Q10) Which level of encryption is harder to crack and why?
________________________________________________________
Q11) Is the enable (not the enable secret) password used anymore? Why or why not?
________________________________________________________

Step 3 Save your running configuration to the startup-config file using the copy run start
command. Your display should resemble the following:
RP# copy run start
Destination filename [startup-config]? <Enter>
Building configuration...
[OK]
RP#

Activity Verification
You have completed this task when you attain these results:

Step 2 verifies this task. Step 3 saves the configuration for the next task where it will be
verified. Check the answer key to ensure you have replied correctly to Questions 7 to 11.
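One way to turn Tasks 2 to 7 (and the username secret form used later in Task 9) into a repeatable check, as an added example that is not part of the course material: a Python audit of a Cisco IOS running configuration that reports a missing minimum length, a missing enable secret, lines without login checking or a password, and passwords stored in clear text or with the reversible type 7 scheme. Both sample configurations are constructed, and their hash and type 7 strings are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the Cisco course material): audit a Cisco IOS running
# configuration for the settings configured in Tasks 2 to 7 and the 'username ... secret'
# form. It inspects configuration text only; the sample configurations are constructed.
LINE_HEADER = re.compile(r"^line\s+(con|aux|vty)\b")


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line con 0' / 'line aux 0' / 'line vty 0 4' header to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif LINE_HEADER.match(raw):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def password_type(cmd: str) -> Tuple[str, str]:
    """Split 'password [0|7] value' into (type, value); no type code means clear text (type 0)."""
    parts = cmd.split(None, 2)
    if len(parts) == 3 and parts[1] in ("0", "7"):
        return parts[1], parts[2]
    return "0", parts[1] if len(parts) > 1 else ""


def audit_config(config: str, min_required: int = 8) -> List[str]:
    """Return findings for the configuration; an empty list means every check passed."""
    findings: List[str] = []
    top = [ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")]
    # Task 2: minimum password length (the lab sets 8)
    min_pat = re.compile(r"security passwords min-length (\d+)$")
    lengths = [int(m.group(1)) for m in map(min_pat.match, top) if m]
    min_len = lengths[-1] if lengths else None
    if min_len is None:
        findings.append("no 'security passwords min-length' configured")
    elif min_len < min_required:
        findings.append(f"min-length {min_len} is below the required {min_required}")
    # Task 3: an enable secret (MD5) must exist; the enable password is then dead weight
    has_secret = any(cmd.startswith("enable secret") for cmd in top)
    has_enable_pw = any(cmd.startswith("enable password") for cmd in top)
    if not has_secret:
        findings.append("no enable secret: privileged EXEC is " + (
            "guarded only by the weaker enable password" if has_enable_pw else "not password protected"))
    elif has_enable_pw:
        findings.append("enable password still present alongside enable secret; remove it")
    # Task 9: user accounts should use 'secret' (MD5), not 'password' (type 0 or 7)
    for m in filter(None, map(re.compile(r"username (\S+) password\b").match, top)):
        findings.append(f"username {m.group(1)}: stored with 'password', use 'secret'")
    # Tasks 4 to 7: each line needs login checking and a password; type 7 is reversible
    encrypted = "service password-encryption" in top
    for name, sub in parse_line_blocks(config).items():
        has_login = any(c == "login" or c.startswith("login ") for c in sub)
        pw = next((c for c in sub if c.startswith("password")), None)
        if not has_login:
            findings.append(f"{name}: login not enabled, no password check on this line")
        if pw is None:
            findings.append(f"{name}: no line password set" + (" (login will be refused)" if has_login else ""))
            continue
        ptype, value = password_type(pw)
        if ptype == "7":
            findings.append(f"{name}: type 7 password (reversible, not a hash)")
        else:
            findings.append(f"{name}: clear-text password" + ("" if encrypted else ", service password-encryption is off"))
            if min_len is not None and len(value) < min_len:
                findings.append(f"{name}: password shorter than min-length {min_len}")
    return findings


# Router as it is at the start of the lab (constructed).
BEFORE_LAB = """\
enable password cisco
line con 0
line vty 0 4
 login
end
"""
# Router after Tasks 2 to 9 (constructed; hash and type 7 strings are placeholders).
AFTER_LAB = """\
security passwords min-length 8
service password-encryption
enable secret 5 $1$PLHD$placeholder-md5-hash
enable password 7 PLACEHOLDER7
username rtradmin secret 5 $1$PLHD$placeholder-md5-hash
line con 0
 password 7 PLACEHOLDER7
 login
line vty 0 4
 password 7 PLACEHOLDER7
 login
end
"""
```

Running audit_config on BEFORE_LAB lists the gaps the lab closes; on AFTER_LAB it still reports the leftover enable password and the type 7 line passwords, which is the point of Task 9.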

Task 8: Test Administrative Access Security


In this task you will test your enable secret and line-level passwords.

Activity Procedure
Complete these steps:
Step 1 Log out of the router console port connection.
Step 2 Access your router console port.
Step 3 Log in using the ConUser1 console port line-level password.
Step 4 Enter privileged-EXEC mode using the Curium96 enable secret password.
Step 5 Log out of the router console port connection.
Step 6 Leave the command prompt session window open. Open another command prompt
shell on your student PC and establish a Telnet session to the inside interface of your
router at IP address 192.168.P.150 (Where P is your pod number).

Step 7 Log in using the VTYUser1 vty line-level password.


Step 8 Attempt to enter privileged-EXEC mode using the ‘cisco’ enable password.

Q12) Are you able to use the enable password? Why or why not?
________________________________________________________

Step 9 Enter privileged-EXEC mode using the Curium96 enable secret password.

Step 10 Log out of the router and close this command prompt session window.

Activity Verification
You have completed this task when you attain these results:
Check the answer key to ensure you have replied correctly to Question 12.

Task 9: Configure Enhanced Username Password Security


The service password-encryption command protects passwords with a weak, reversible
obfuscation scheme (shown as type 7 in the configuration). A safer way to protect a user
password is a salted MD5 hash (type 5), which cannot be reversed. In this task you will create a
new user whose password is stored as an MD5 hash.
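The following is an added example, not part of the SND lab guide, that makes the difference between the two levels concrete: it decodes the type 7 strings that appear in the Lab 2-2 verification configuration on this page back to the lab passwords, and shows that the type 5 enable secret line is simply skipped because there is nothing to reverse. The only assumption is the fixed type 7 key, which has been publicly known for years; the sample configuration text is constructed from the lines shown later in this guide.

```python
"""Cisco IOS password types 7 and 5, side by side.

Added example (not code from the SND lab guide). A type 7 string produced by
service password-encryption is a fixed-key XOR that anyone holding the
configuration can reverse; a type 5 enable secret or username secret is a
salted one-way MD5 hash that cannot be decoded, only guessed.
"""
import re

# The fixed key every IOS image uses for type 7 passwords. It has been public
# for years, which is why type 7 is obfuscation rather than encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7 <digits><hex>' string to its clear-text value.

    Layout: two decimal digits give the starting offset into TYPE7_KEY; each
    following hex pair is one password byte XORed with the key byte at the
    rolling offset. No secret is involved, so decoding needs no cracking.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected 2 offset digits followed by hex pairs")
    offset = int(encoded[:2])
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError("offset out of range for the type 7 key")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(password: str, offset: int = 7) -> str:
    """Produce the string IOS would store. IOS picks offset 0..15 at random."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0 through 15")
    raw = password.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(raw))
    return f"{offset:02d}{body.hex().upper()}"


# Constructed sample built from the type 7 strings shown in the Lab 2-2
# verification configuration; the type 5 line is there to show that it is
# skipped because it cannot be reversed.
SAMPLE_CONFIG = """\
enable secret 5 $1$.1EP$TSWx6VY1Q6y81sESvN/
enable password 7 060506324F41
username admin password 7 14161606050A2E242B3A
line con 0
 password 7 072C2E427B1A1C1746
line aux 0
 password 7 052A1317145F4B1B48
line vty 0 4
 password 7 122F312E271809167B
"""

TYPE7_LINE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\b")


def recover_type7_passwords(config: str) -> dict:
    """Map every type 7 string in a configuration to its recovered clear text.

    Type 5 ('secret 5 ...') lines never match: that is the practical
    difference between the two levels asked about in Q8 to Q10.
    """
    recovered = {}
    for match in TYPE7_LINE.finditer(config):
        recovered[match.group(1)] = type7_decode(match.group(1))
    return recovered


if __name__ == "__main__":
    for hex_string, clear in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{hex_string:<24} -> {clear}")
```

Running the block prints every line-level password from the sample configuration in clear text, which is exactly what an attacker who obtains a backup or a TFTP copy of the configuration gets for free; the enable secret line yields nothing.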

Activity Procedure
Complete these steps:
Step 1 Log in to the router and enter global configuration mode.
Step 2 Create a new user account with MD5 hashing for the password. Your display should
resemble the following:
RP(config)# username rtradmin secret 0 Iridium77



Step 3 Exit global configuration mode and list the running configuration.

Q13) Can you read the password for the new user account? Why or why not?
______________________________________________________________
Q14) Which hashing method is used for the password?
______________________________________________________________

Activity Verification
You have completed this task when you attain these results:
Check the answer key to confirm you have replied correctly to Questions 13 and 14.

Lab 2-1 Answer Key: Securing Cisco Router Administrative
Access
When you complete this activity, your answers will be similar to the following:
Q1) Yes. The enable password is not yet encrypted.

Q2) No. The password is not at least eight characters in length.

Q3) No. You cannot read the enable secret password because it is automatically hashed when created.

Q4) Yes. The password is not yet encrypted.

Q5) Yes. The password is not yet encrypted.

Q6) Yes. The password is not yet encrypted.

Q7) No. The passwords have all been encrypted using the service password-encryption command.

Q8) Level 5.

Q9) Level 7.

Q10) Level 5 is harder to crack because it is a salted, one-way MD5 hash that cannot be reversed; level 7 is a reversible obfuscation that can be decoded directly from the configuration.

Q11) No. The enable secret password takes precedence over the enable password.

Q12) No. When an enable secret is configured it takes precedence, so the enable password ('cisco') is rejected and only the enable secret allows access.

Q13) No. The password is encrypted.

Q14) The password is hashed using MD5 (as noted by the number “5” in the configuration).



Lab 2-2: Configuring AAA for Cisco Routers
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity you will configure the perimeter router to use the local database, the enable
password, and line authentication to provide authentication, authorization, and accounting
services. After completing this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Configure local database authentication using AAA
Verify the perimeter router configuration
Test authentication using debug

Visual Objective
The following figure displays the configuration you will complete in this lab exercise.

SND Lab Topology

[Figure: SND Lab Topology for Pod P (P = 1 to 10). It shows the VPN client at 172.26.26.P on the public network 172.26.26.0/24, RBB, the 172.30.P.0/24 link to the perimeter router rP (interfaces e0/1 and e0/0), the organization network 192.168.P.0/24, the DMZ 172.16.P.0/24 (PSS, WWW/FTP), the VPN zone 172.18.P.0/24 (pub, priv, vP), and the private network 10.0.P.0/24 (Super Server with WWW/FTP, sensorP, RTS, and student PC1 at 10.0.P.11).]

Required Resources
There is no change in the resources required to complete this activity.

Command List
The table describes the commands used in this activity.

Command and description

aaa new-model
  Enables AAA features.

username [username] password [password]
  Creates a username and password.

aaa authentication login default enable
  Configures login authentication to use the enable password.

aaa authentication login {default | list-name} method1 [method2...]
  Sets AAA authentication at login; entered in global configuration mode.

show clock
  Displays the time in the router clock.

service timestamps debug datetime msec
  Adds the date and time to debug messages.

logging console
  Enables router console logging. Arguments control which messages are logged to the console, based on severity.

debug aaa authentication
  Enables AAA authentication debugging.

Job Aids
There are no additional job aids for this activity.

Task 1: Configure Local Database Authentication Using AAA


In this section, you configure local database authentication using authentication, authorization
and accounting (AAA) for the enable, line, and local methods so you can experience the
differences between the methods.

Now that the perimeter router administrative access points are protected (except PPP), you need
to use AAA commands to prepare for migration to a Cisco Secure Access Control Server
(ACS) environment. The goal of this task is to show you that each router access point can be
secured using unique methods.

There are five access points to protect: line, vty, AUX, console, and PPP. In this task you will
configure unique method login authentication on all access points.

Activity Procedure
Complete these steps:
Step 1 Turn on AAA features using the aaa new-model command. Your display should
resemble the following:
RP# config t
RP(config)# aaa new-model
Step 2 As an added safety measure, create a local username and password account to use in
case you lose your Telnet connection during AAA configuration. Your display
should resemble the following:



RP(config)# username admin password admindoor
RP(config)#
Step 3 Configure login authentication to use the enable password (or enable secret
password if it is configured) from the default list. This step protects all login access
instantly (except PPP). Your display should resemble the following:
RP(config)# aaa authentication login default enable
RP(config)# end
Step 4 Log out of the router.
Step 5 Access the router console port. You should be prompted for a password.

Q1) Which password should you use, ConUser1 or Curium96? Why?


_________________________________________________________
Step 6 Using the local database, configure a specific login authentication method for the
console port. Your display should resemble the following:
RP> enable
Password: Curium96
RP# config t
RP(config)# aaa authentication login console-in local
RP(config)# line con 0
RP(config-line)# login authentication console-in
RP(config-line)# end
RP#

Note It is recommended that you never use “admin” as a username because it is too easy to
guess.

Step 7 Log out of the router.

Step 8 Test the console port authentication method you just configured.
Step 9 Secure vty access for the IS department username isgroup with a password of
isdoorin1 and a new list name of is-in using the commands in the following
configuration display:
RP> enable
Password: Curium96
RP# config t
RP(config)# username isgroup password isdoorin1
RP(config)# aaa authentication login is-in local
RP(config)# line vty 0 4
RP(config-line)# login authentication is-in
RP(config-line)# end
This is the same idea as the console protection, but on the Telnet access via vty
ports.

Step 10 Exit privileged-EXEC mode and log out of the router.
Step 11 Leave the command prompt session window open. Open another command prompt
shell on your PC and telnet to the inside interface of your router at IP address
192.168.P.150. (Where P is your pod number)
Step 12 Test the vty line authentication method you just configured.
Step 13 Enter enable mode and copy the router running configuration to the startup
configuration.
Step 14 Log out of the router and close this command prompt window.

Activity Verification
You have completed this task when you attain these results:
Use the show run command to view the configuration. At this point, your perimeter router
configuration should look similar to the following subsections.

Note This is a partial view of your router configuration containing only the sections modified in this
lab exercise. Your encrypted passwords may vary.

!
hostname RP
!
security passwords min-length 8
no logging console
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa authentication login is-in local
aaa session-id common
enable secret 5 $1$.1EP$TSWx6VY1Q6y81sESvN/
enable password 7 060506324F41
!
username admin password 7 14161606050A2E242B3A
username isgroup password 7 011A1500540414
!
line con 0
 password 7 072C2E427B1A1C1746
 login authentication console-in
line aux 0
 password 7 052A1317145F4B1B48
line vty 0 4
 password 7 122F312E271809167B



 login authentication is-in
!
end

Task 2: Test Authentication Using Debug


In this task, you will use the debug command to look at the indicators for successful and
unsuccessful authentication attempts. Before beginning this section, ensure that all Telnet
sessions are disconnected. Leave the console session open.

It is important in debugging to ensure that you have a proper time reference for messages,
especially if you are logging multiple devices to a central logging system. Log in to user mode
and enter the show clock command to check the router clock. If the time and date are incorrect,
access enable mode and enter the following command: clock set HH:MM:SS DD month
YYYY (for example, clock set 10:00:00 21 March 2002).

Activity Procedure
Complete these steps:

Step 1 Enter global configuration mode and use the following commands to ensure that you
have detailed time stamp information for your debug output:
RP(config)# service timestamps debug datetime msec
RP(config)# logging console
RP(config)# end
Step 2 Turn on debugging for AAA authentication. Your display should resemble the
following:
RP# debug aaa authentication
Step 3 Trigger an AAA authentication event by logging out of your console connection and
logging in with username admin and password admindoor.

Step 4 When you have logged in and are presented with the user mode prompt, continue in
enable mode. The debug output follows (with notes in <brackets>):
Username: admin
Password: <valid password entered here>
Mar 21 17:05:00.461: AAA/AUTHEN/LOGIN (00000053): Pick method list 'console-in'
RP> enable
Password: <valid enable password entered here>
Mar 21 17:05:11.656: AAA: parse name=tty0 idb type=-1 tty=-1
Mar 21 17:05:11.656: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Mar 21 17:05:11.656: AAA/MEMORY: create_user (0x82B2138C) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): console enable - default to enable password (if any)

Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): Method=ENABLE
Mar 21 17:05:11.660: AAA/AUTHEN(3254755694): Status=GETPASS
Mar 21 17:05:18.671: AAA/AUTHEN/CONT (3254755694): continue_login (user='(undef)')
Mar 21 17:05:18.671: AAA/AUTHEN(3254755694): Status=GETPASS
Mar 21 17:05:18.671: AAA/AUTHEN/CONT (3254755694): Method=ENABLE
Mar 21 17:05:18.755: AAA/AUTHEN(3254755694): Status=PASS
Mar 21 17:05:18.755: AAA/MEMORY: free_user (0x82B2138C) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
RP#
Step 5 Log out of the router.
Step 6 Log in again, but this time enter an invalid enable password. Your display should
resemble the following:
Username: admin
Password: <valid password entered here>
Mar 21 17:07:40.612: AAA/AUTHEN/LOGIN (00000054): Pick method list 'console-in'
RP> enable
Password: <invalid enable password entered here>
Mar 21 17:07:52.103: AAA: parse name=tty0 idb type=-1 tty=-1
Mar 21 17:07:52.103: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Mar 21 17:07:52.107: AAA/MEMORY: create_user (0x82CE62E0) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): console enable - default to enable password (if any)
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): Method=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN(2358711356): Status=GETPASS
% Access denied
RP>
Mar 21 17:07:55.180: AAA/AUTHEN/CONT (2358711356): continue_login (user='(undef)')
Mar 21 17:07:55.180: AAA/AUTHEN(2358711356): Status=GETPASS
Mar 21 17:07:55.180: AAA/AUTHEN/CONT (2358711356): Method=ENABLE
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): password incorrect
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): Status=FAIL



Mar 21 17:07:55.260: AAA/MEMORY: free_user (0x82CE62E0) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
RP>
Step 7 Turn off logging to the console using the no logging console command. Remember,
you will need to go into enable mode and then into config terminal mode to be able
to turn off console logging.
Step 8 Log out of the router.

Activity Verification
You have completed this task when you attain these results:
The output from a valid password entered in Steps 1 to 3 should match the output shown in
Step 4.
The output from an invalid password should match the output shown in Step 6.
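The debug output above is only useful operationally if it can be correlated: the lines of one attempt are tied together by the session id in parentheses after AAA/AUTHEN, and the username comes from the AAA/MEMORY create_user line that precedes the session's START on the same port. The following added example, not part of the SND lab guide, parses such output into per-session results and counts failures per port. The sample log is constructed from the Step 4 and Step 6 output on this page (each message on one line, as it appears on a real console) plus one extra failed attempt added to show the counting; the regular expressions assume that line layout.

```python
"""Correlate 'debug aaa authentication' output into per-session results.

Added example, not from the SND lab guide. Sessions are keyed by the id in
'AAA/AUTHEN(<id>)'; the user is taken from the create_user line that
precedes the session's START on the same port.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})"
RE_CREATE = re.compile(
    TS + r": AAA/MEMORY: create_user \((?P<handle>0x[0-9A-Fa-f]+)\) "
    r"user='(?P<user>[^']*)'.*?port='(?P<port>[^']*)'.*?service=(?P<service>\w+)")
RE_START = re.compile(
    TS + r": AAA/AUTHEN/START \((?P<sid>\d+)\): port='(?P<port>[^']*)' "
    r"list='(?P<list>[^']*)' action=(?P<action>\w+) service=(?P<service>\w+)")
RE_STATUS = re.compile(
    TS + r": AAA/AUTHEN\((?P<sid>\d+)\): Status=(?P<status>[A-Z]+)")


@dataclass
class Session:
    sid: str
    port: str
    service: str
    method_list: str                # '' means the default list was used
    user: Optional[str] = None
    result: Optional[str] = None    # final PASS or FAIL
    finished: Optional[str] = None  # timestamp of the final status


def parse_aaa_debug(text: str) -> List[Session]:
    """Return sessions in order of appearance with their final PASS/FAIL."""
    sessions: Dict[str, Session] = {}
    order: List[str] = []
    last_user_on_port: Dict[str, str] = {}
    for line in text.splitlines():
        m = RE_CREATE.search(line)
        if m:
            last_user_on_port[m["port"]] = m["user"]
            continue
        m = RE_START.search(line)
        if m:
            sessions[m["sid"]] = Session(m["sid"], m["port"], m["service"], m["list"],
                                         user=last_user_on_port.get(m["port"]))
            order.append(m["sid"])
            continue
        m = RE_STATUS.search(line)
        # GETPASS/GETUSER are intermediate prompts; only PASS/FAIL end a session.
        if m and m["status"] in ("PASS", "FAIL") and m["sid"] in sessions:
            sessions[m["sid"]].result = m["status"]
            sessions[m["sid"]].finished = m["ts"]
    return [sessions[sid] for sid in order]


def failures_by_port(sessions: List[Session], threshold: int = 2) -> Dict[str, int]:
    """Ports whose FAIL count reaches the threshold (a simple brute-force flag)."""
    counts = Counter(s.port for s in sessions if s.result == "FAIL")
    return {port: n for port, n in counts.items() if n >= threshold}


# Constructed sample: the two sessions from Steps 4 and 6 of this lab, plus a
# third failed attempt (id 2358711400) invented here to exercise the counter.
SAMPLE_DEBUG = """\
Mar 21 17:05:11.656: AAA/MEMORY: create_user (0x82B2138C) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:05:11.656: AAA/AUTHEN/START (3254755694): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:05:11.660: AAA/AUTHEN(3254755694): Status=GETPASS
Mar 21 17:05:18.755: AAA/AUTHEN(3254755694): Status=PASS
Mar 21 17:07:52.107: AAA/MEMORY: create_user (0x82CE62E0) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:07:52.107: AAA/AUTHEN/START (2358711356): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:07:52.107: AAA/AUTHEN(2358711356): Status=GETPASS
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): password incorrect
Mar 21 17:07:55.260: AAA/AUTHEN(2358711356): Status=FAIL
Mar 21 17:09:02.010: AAA/MEMORY: create_user (0x82CE62E0) user='admin' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
Mar 21 17:09:02.010: AAA/AUTHEN/START (2358711400): port='tty0' list='' action=LOGIN service=ENABLE
Mar 21 17:09:05.300: AAA/AUTHEN(2358711400): Status=FAIL
"""

if __name__ == "__main__":
    parsed = parse_aaa_debug(SAMPLE_DEBUG)
    for s in parsed:
        print(f"{s.finished}  {s.port:<5} {s.user:<8} {s.service:<7} {s.result}")
    print("ports at or over threshold:", failures_by_port(parsed, threshold=2))
```

The same correlation works on syslog copies of the debug output once the timestamps are present, which is why Step 1 enables service timestamps debug datetime msec before the debug is turned on.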

Lab 2-2 Answer Key: Configuring AAA for Cisco Routers
When you complete this activity, your answers will be similar to the following:
Q1) Curium96 is used because the enable secret password takes precedence over the enable password.



Lab 2-3: Configuring Cisco Secure ACS for
Windows Server
Complete this lab to practice what you learned in the related module.

Activity Objective
In this activity, you will configure a Cisco Secure ACS for Windows Server to provide AAA
services. After completing this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Install Cisco Secure ACS for Windows Server
Take a grand tour of Cisco Secure ACS for Windows Server
Configure the Cisco Secure ACS for Windows Server database for authentication
Configure the router to authenticate to the Cisco Secure ACS for Windows Server database

Visual Objective
The following figure illustrates the network environment that you will create.

SND Lab Topology

[Figure: SND Lab Topology for Pod P (P = 1 to 10). It shows the VPN client at 172.26.26.P on the public network 172.26.26.0/24, RBB, the 172.30.P.0/24 link to the perimeter router rP (interfaces e0/1 and e0/0), the organization network 192.168.P.0/24, the DMZ 172.16.P.0/24 (PSS, WWW/FTP), the VPN zone 172.18.P.0/24 (pub, priv, vP), and the private network 10.0.P.0/24 (Super Server with WWW/FTP, sensorP, RTS, and student PC1 at 10.0.P.11).]

Scenario
You will configure an AAA server to perform AAA services to secure Telnet, EXEC, and vty
access to a Cisco perimeter router. You will configure Cisco Secure ACS to use the Cisco
Secure ACS database.

Required Resources
There is no change in the resources required to complete this activity.

Command List
You will complete this activity from a GUI.

Job Aids
There are no additional job aids for this activity.

Task 1: Complete the Lab Exercise Setup


In this task you will set up your training pod equipment.

Activity Procedure
Complete these steps:

Step 1 Ensure that your student PC is powered on and Windows 2000 Server is operational.
Your instructor will provide you with the correct username and password to log in to
the student PC.

Step 2 Configure your student PC for IP address 10.0.P.11 with a default gateway of
10.0.P.1 (Where P is your pod number).

Step 3 If you just completed the lab exercise from the previous lesson, disable logging to
the router console using the no logging console command.
Step 4 Verify that the Kiwi daemon has been installed.

Activity Verification
You will have properly completed this task if your PC and the default gateway have the correct
IP addresses.

Task 2: Install Cisco Secure ACS for Windows Server


In this task you will install Cisco Secure ACS for Windows Server on your Microsoft Windows
2000 Server student PC. This procedure assumes that Microsoft Windows 2000 Server is
operational.

Activity Procedure
Complete these steps:

Step 1 Log in to Microsoft Windows 2000 Server using the administrator account. Your
instructor will provide you with the correct username and password combination for
the administrator account.
Step 2 Open the CiscoApps folder on your desktop.
Step 3 Open the Cisco Secure ACS folder.

Step 4 Begin the Cisco Secure ACS installation by double-clicking the setup.exe file. The
Cisco Secure ACS for Windows Server installation wizard starts.
Step 5 Click Accept to acknowledge the terms of the Cisco Secure ACS license agreement.
Step 6 Click Next in the Welcome window.
Step 7 Click all items listed in the Before You Begin window and click Next.
Step 8 Click Next to accept the default settings in the Choose Destination Location
window.
Step 9 Complete the following sub-steps within the Authentication Database Configuration
window:

1. Check the Also check the Windows User Database check box.

2. Click Yes for the Grant dialin permission to user setting check box.

3. Click Next.
Step 10 Complete the following sub-steps within the Cisco Secure ACS Network Access
Server Details window:

1. Click TACACS+ (Cisco IOS) from the Authenticate Users Using scroll box.

2. Enter the name of your router in the Access Server Name box (for example,
R1, R2, and so on).

3. Enter the IP address of your router inside interface (192.168.P.150) in the


Access Server IP Address box (Where P is pod number).

4. Ensure the IP address of your student PC is entered in the Windows Server IP


Address field.

5. Enter ciscosecure (one word, all lowercase) in the TACACS+ or RADIUS


Key field.

6. Click Next. Setup will start installing files on your student PC.

Step 11 Check all check boxes within the Advanced Options window and click Next. It is
important that you check all check boxes as this determines what ACS options you
will be able to configure later.

Step 12 Click Next to accept the default settings within the Active Service Monitoring
window.
Step 13 Click Next to accept the default settings within the Network Access Server
Configuration window.
Step 14 Click Next to accept the default setting (no password specified) in the Enable Secret
Password window. You already specified the router enable secret password in the
previous lab exercise.
Step 15 Click Next to accept the default settings within the Access Server Configuration
window.
Step 16 Complete the following sub-steps within the NAS Configuration window:

Use the scroll bar to view all of the parameters in the command box. These
parameters are created during the installation process of the Cisco Secure ACS
software.
Do not use the Telnet Now? function at this time. The Telnet Now? function
allows you to telnet to your router and then copy and paste these parameters into
your router, saving time in the router setup process. You will be entering these
commands and parameters manually later in this lab exercise.
Click Next.
Step 17 Click Next to accept the default settings within the Cisco Secure ACS Service
Initiation window.
Step 18 Click Finish to close the Setup Complete window.
Step 19 Review the contents of the README.TXT file and close the associated window.
Step 20 Close the Internet Explorer window containing the Cisco Secure ACS main window.

Activity Verification
You have completed this task when you attain these results:
Use the Windows Task Manager (Ctrl+Alt+Delete>Task Manager) to determine whether
the following services are running on your student PC:
— CSAdmin
— CSAuth
— CSDBSync
— CSLog
— CSMon
— CSRadius
— CSTacacs

If these services are not running, restart your student PC and repeat this task. Once you are
finished, close any open windows.

Task 3: Take a Grand Tour of Cisco Secure ACS for Windows Server


In this task you will navigate the Cisco Secure ACS for Windows Server administration
interface to change some global settings. It is important to complete each step.

Activity Procedure
Complete these steps:
Step 1 Double-click the ACS Admin desktop icon to start the ACS configuration manager.

Step 2 Click the Cisco Systems icon at the top of the left pane.

Q1) What is the full release version and build number?


________________________________



Step 3 Examine the user setup functions. Click the User Setup in the left pane. Then click
the List All Users button.

Q2) How many users are configured?


________________________________
Step 4 Examine the group setup functions. Click Group Setup in the left pane.

Q3) What group is shown in the Group: scroll list?


________________________________
Step 5 Click the Users in Group button.

Q4) How many users are in the group?


________________________________
Step 6 Click Network Configuration in the left pane.

Q5) How many routers (AAA client hosts) are configured?


________________________________
Step 7 Examine the system configuration functions. Click System Configuration in the left
pane. Click Service Control and answer the following questions:

Q6) What is the status of the Cisco Secure service, level of detail for logging, and frequency
of new file generation?
________________________________
Step 8 Click Cancel to return to the select list. Click Logging and answer the following
question:

Q7) What log targets are enabled?


________________________________
Step 9 Click Cancel to return to the select list. Click Local Password Management and
answer the following question:

Q8) What is the purpose of the password validation option?


________________________________
Step 10 Click Cancel to return to the select list. Click Cisco Secure Database Replication
and answer the following question:

Q9) What is the purpose of Database Replication Setup?


________________________________
Step 11 Click Cancel to return to the select list. Click ACS Backup and answer the
following question:

Q10) Where can the ACS user and group databases be backed up?
________________________________
Step 12 Click Cancel to return to the select list. Click ACS Restore and answer the
following question:

Q11) What components can be backed up and restored?

30 Securing Cisco Network Devices (SND) v1.0 Copyright 2005, Cisco Systems, Inc.
________________________________
Step 13 Click Cancel to return to the select list. Click ACS Service Management and
answer the following question:

Q12) What are the two ways a system administrator can be notified of logged events?
________________________________
Step 14 Click Cancel to return to the select list.
Step 15 Examine the interface configuration functions. Click Interface Configuration in the
left pane. Click User Data Configuration and answer the following question:

Q13) How are user-defined fields useful?


______________________________________________________________________
______________________________________________________________________
Step 16 Click Cancel to return to the select list. Click Advanced Options. Click all options
and answer the following question:

Q14) What is the purpose of selecting advanced options?


______________________________________________________________________
______________________________________________________________________
Step 17 Click Submit and return to the select list.

Step 18 Click TACACS+ (Cisco IOS).


Step 19 In the TACACS+ Services section, click PPP IP, PPP LCP, PPP Multilink and
Shell (exec) in both the User and Group columns.

Step 20 In the Advanced Configuration Options section, check all four options.
Step 21 Click Submit to return to the select list and answer the following question:

Q15) Where are the TACACS+ services and advanced configuration objects applied that you
configure in this window?
______________________________________________________________________
______________________________________________________________________
Step 22 Click Administration Control in the left frame and answer the following questions:

Q16) What administrator accounts are configured?


________________________________
Q17) What is the purpose of administrator control?
______________________________________________________________________
______________________________________________________________________
Step 23 Examine the external user database functions. Click External User Databases in the
left frame. Click Unknown User Policy and answer the following questions:

Q18) What two options are available if a user is not found in the Cisco Secure database?
Which one is the default?
________________________________
Q19) What external databases can be checked for the unknown user?



________________________________
Step 24 Click Cancel to return to the select list.
Step 25 Click Database Group Mappings and view the help section.
Step 26 Click Cancel to return to the select list.
Step 27 Click Database Configuration and answer the following question:

Q20) What do you click in the External User Database Configuration section?
________________________________
Step 28 Click Cancel to return to the select list.
Step 29 Examine the reports and activity functions. Click Reports and Activity in the left
frame. Click Administration Audit and answer the following question:

Q21) What appears in the Administration Audit.csv file?


________________________________
Step 30 Click Online Documentation in the left pane.

Take a moment to browse the new features, software requirements, and troubleshooting
sections of the online documentation.

Activity Verification
You have completed this task when you attain this result:
Check the answer key to ensure you correctly answered Questions 1 through 21.

Task 4: Configure the Cisco Secure ACS for Windows Server Database for Authentication


In the previous lab exercise, you tested authentication attempts against the router’s local
database where access was based on the configurations allowed on the router’s various access
points. Now, you will move to a centralized authentication and authorization model. To do this,
you will change parts of the configuration on the router to reflect a more secure, consolidated
security plan using an AAA server, which includes the following policies:
Provides the IS group with access to the console and unlimited vty access for control of the
network.
Changes AUX port configurations to remove EXEC or login services.

In this task you will add a group and user to the Cisco Secure ACS for Windows Server
database.

Activity Procedure
Complete these steps:
Step 1 Create a new user group by completing the following sub-steps:
1. Click the Group Setup button in the left frame.
2. Click Group 1 from the drop-down list.

3. Click the Rename Group button to rename the group to is-in. Select the existing name,
enter the new group name, and click the Submit button.
4. Click Edit Settings and set the group settings as follows:

In the Password Aging Rules section, check the Apply age-by-date rules check
box.
Configure the apply age-by-date rule for 30 days active, a warning period of 4,
and a grace period of 4.
In the IP Assignment section, click No IP address assignment.
In the TACACS+ Settings section, click Shell (exec).
In the Enable Options section, click Max Privilege for any AAA Client and set
the level to level 15.
Leave all other sections at their default values.

Warning Click Submit + Restart.

Q22) How else can password aging be controlled when authenticating against the Cisco
Secure ACS for Windows Server database?
________________________________
Step 2 Set the router host and key value by completing the following sub-steps:
1. Click AAA Clients from the left pane.

2. Go to (Not Assigned) AAA Clients.

3. Click the router host shown.

4. Verify that the key value is ciscosecure.

5. Click Submit + Restart.

Step 3 Add and configure a user to authenticate against the Cisco Secure ACS database. Click the
User Setup button in the left pane and complete the following steps:
1. Enter a username of isadmin.
2. Click Add/Edit and ensure that Account Disabled is deselected.

3. Scroll to the User Setup area and click CiscoSecure Database for password authentication.
4. Enter a password of isuser for the user isadmin. Ensure that you enter the password twice
to confirm it.
5. Scroll to the Group to which the user is assigned section and assign the user to the is-in
group.
6. Scroll to the Account Disable section and click Disable account if… and check the Failed
attempts exceed:5 check box.
7. Scroll to the Advanced TACACS+ Settings section and click Use group level setting.
Remember that the group setting is level 15.
8. Scroll to the TACACS+ Enable Password section and click the Use Separate Password
check box.



9. Enter a password of ispassword. Remember to enter it twice to confirm it.
10. Click Submit to enable the settings.
11. Click List All Users in the User Setup Select pane and verify that the user you just added is
present and correctly configured.

Q23) What is the main difference between the parameters in the user and group setups?
______________________________________________________________________

______________________________________________________________________
Step 4 Minimize the Cisco Secure ACS window.

Activity Verification
You have completed this task when you attain this result:
You correctly answer Questions 22 and 23.

Task 5: Configure the Router to Authenticate to the Cisco Secure ACS for Windows Server Database


In this task you will modify existing router AAA methods, add commands to tell the router how
to locate a Cisco Secure ACS for Windows Server system, and protect the TTY and AUX
ports.

Activity Procedure
Complete these steps:
Step 1 Log in to the router using the AAA administrator account username admin with a password of
admindoor.

Step 2 Enter enable privileged-EXEC mode using the Curium96 password.


Step 3 Enter configuration terminal mode. Your display should resemble the following:
RP# config t
Step 4 Enter the Cisco Secure ACS IP address and the TACACS+ encryption key as shown (where P is
your pod number). Your display should resemble the following:
RP(config)# tacacs-server host 10.0.P.11 key ciscosecure
Step 5 Enable AAA accounting for Cisco Secure ACS for Windows Server. Your display should resemble
the following:
RP(config)# aaa accounting connection default start-stop group tacacs+
Step 6 Enter the following commands exactly as shown to consolidate the vty and Console:
RP(config)# no aaa authentication login console-in local
RP(config)# no aaa authentication login is-in local
RP(config)# aaa authentication login is-in group tacacs+ local
RP(config)# line con 0
RP(config-line)# login authentication is-in
RP(config-line)# exit
Step 7 Force the use of the enable restrictions you placed in the Cisco Secure ACS for Windows Server
and override the enable secret password on the router. Enter the following command to protect the
enable password and privileged mode:
RP(config)# aaa authentication enable default group tacacs+
Step 8 Change the AUX access by entering the following commands:
RP(config)# line aux 0
RP(config-line)# no password AuxUser1
RP(config-line)# no exec
RP(config-line)# exit
Step 9 If ports or other access points are later added to the router, you must protect them as well.
Complete the following substeps on the router:
12. You have already protected these with the enable password; you will now change this to use
TACACS+. Enter the following commands exactly as shown:

RP(config)# no aaa authentication login default enable
RP(config)# aaa authentication login default group tacacs+ enable

Note You should always place an enable at the end of the aaa authentication login default
group tacacs+ enable command as shown in this step. This allows you to access
privileged-EXEC mode even if the TACACS+ server is down. The router first tries to locate a
TACACS+ server, and if it cannot find one, will default to the standard enable password.

13. Open a new command prompt shell and telnet to the inside interface of your router:
192.168.P.150 (Where P = pod number).

Note It is a good idea to open a second window and monitor the AAA debug logs as you perform
these tasks.

14. Log in using the isadmin username and the isuser password. Your router should
authenticate with the ACS and allow you to log in. If you cannot log in, recheck your work
and try again.
15. Enter privileged-EXEC mode using the ispassword password. Your router should
authenticate with the ACS and allow you to log in. If you cannot log in, recheck your work
and try again.
16. Copy the running configuration to the startup configuration using the copy run start
command. Your display should resemble the following:

RP(config)# end
RP# copy run start
17. Log out of the Telnet session and close the command prompt window.
18. Log out of Cisco Secure ACS and minimize the window.

19. Return the router to the default lab configuration in preparation for the next lab.



Activity Verification
You have completed this task when you attain this result:
The router can locate the Cisco Secure ACS for Windows Server system, and the TTY and AUX
ports are protected.

Lab 2-3 Answer Key: Configuring Cisco Secure ACS for Windows Server
When you complete this activity, your answers will be similar to the following:
Q2) The Cisco Secure ACS home page, version 3.2 or later.

Q3) None at this point.

Q4) The Default Group.

Q5) None; no users are configured at this point.

Q6) One.

Q7) Cisco Secure is currently running; the level is low, new file every day.

Q8) Failed Attempts, RADIUS Accounting, TACACS+ Accounting, TACACS+ Administration.

Q9) Enables control of password length when users change their password.

Q10) Enables control of database replication components, scheduling, and partners.

Q11) A local or networked directory; however, the default is …\CiscoSecure…\CSAuth\System Backups.

Q12) User and group database and the Cisco Secure ACS System Configuration.

Q13) Events can be logged to the NT/2000 event log, or an e-mail notification of the event can be sent to the
system administrator.

Q14) You can specify unique information that will be displayed for each user, such as location or department
and can have the information reflected in the accounting logs if desired.

Q15) You can configure the advanced features that will appear in the user interface. You click only applicable
features, reducing the complexity of the Cisco Secure ACS windows displayed.

Q16) TACACS+ Services and Advanced Configuration Objects configured in the TACACS+ (Cisco) window
are applied and appear as selectable options in the User and Group setup windows for each user and group.

Q17) No administrator accounts are configured at this time.

Q18) You can add, delete, and control administrator accounts from a web browser. You can control
administrator passwords, privileges, system configuration, reports, and activity.

Q19) It depends on the configuration that was created during the installation.

Q20) The Windows NT or Windows 2000 user database, or any configured, supported external database
(CRYPTOCard, ODBC, and so on).

Q21) The external user database you want to use for authentication.

Q22) A record of all administration actions.

Q23) By using the age-by-uses rules in the Password Aging Rules window.

Q24) Group setup parameters apply to all users assigned to the group. User setup parameters only apply to that
user. User parameters can override group parameters.



Lab 2-4: Disabling Unused Cisco Router Network
Services and Interfaces
Complete this lab activity to practice what you learned in the related module.

Activity Objective
Unused Cisco router network services and interfaces present vulnerabilities to network security.
In this lab, you will describe how you would address any vulnerabilities they pose.
After completing this activity, you will be able to meet these objectives:
Verify the configuration of the perimeter router
Explain how to disable unnecessary services

Visual Objective
The following figure displays the network topology you will use in this lab exercise.

SND Lab Topology

[Figure: SND lab topology for pod P (1–10). Public network 172.26.26.0/24: backbone router RBB,
VPN Client 172.26.26.P, Super Server 172.26.26.50 (WWW, FTP). Router rP connects to RBB over
172.30.P.0/24 (e0/1) and to the organization network 192.168.P.0/24 at 192.168.P.150 (e0/0).
PIX pP: e0 outside 192.168.P.2, e1 inside 10.0.P.1, with a DMZ 172.16.P.0/24 and a VPN zone
172.18.P.0/24 (vP) on further interfaces. Private network 10.0.P.0/24: student PC 10.0.P.11,
sensorP, RTS.]

Required Resources
You will be using the application TFTP Desktop in this lab.

Command List
The commands you might use in this activity are shown in the “Unused Services and Interfaces
Guidelines” table.

Job Aids
The “Unused Services and Interfaces Guidelines” table will help you complete the lab activity.

Unused Services and Interfaces Guidelines

Task: 1. Disable unused router interfaces
Description: Disable unused router interfaces using the shutdown command.

Task: 2. Disable unnecessary services
Description: Disable unnecessary services, including:
- the BOOTP server, using the no ip bootp server command
- CDP, using the no cdp run command
- configuration auto-loading, using the no boot network and no service config commands
- the FTP server, using the no ftp-server write-enable and show running-config commands
- the TFTP server, using the no tftp-server flash command
- the NTP service, using the no ntp command
- the PAD service, using the no service pad command
- the small servers, using the no service tcp-small-servers and no service udp-small-servers commands
- the MOP service, using the no mop enabled command

Task: 3. Disable commonly configured management services
Description: Disable commonly configured management services, including:
- SNMP, using the no snmp-server community, no snmp-server enable traps, no snmp-server
  system-shutdown, and no snmp-server commands
- the HTTP service, using the no ip http server command
- the DNS service, using the ip name-server command

Task: 4. Disable ICMP mask redirects
Description: Strengthen path integrity by:
- disabling ICMP redirects, using the no ip redirects command
- disabling IP source routing, using the no ip source-route command

Task: 5. Disable probes and scans
Description: Disable probes and scans by:
- disabling the finger service, using the no ip finger and no service finger commands
- disabling ICMP unreachable messages, using the no ip unreachables command
- disabling ICMP mask replies, redirects, and unreachable messages, using the no ip mask-reply command

Task: 6. Assure terminal access security
Description: Disable IP identification using the no ip identd command to assure terminal access
security.

Task: 7. Mitigate man-in-the-middle attacks
Description: Disable gratuitous ARPs using the no ip gratuitous-arps command to mitigate
man-in-the-middle attacks.

Task: 8. Mitigate DoS and DDoS attacks
Description: Mitigate DoS and DDoS attacks by:
- disabling proxy ARP, using the no ip proxy-arp command
- disabling IP directed broadcasts, using the no ip directed-broadcast command

Task 1: Verify Perimeter Router Configuration


In this task you will verify the configuration of your perimeter router.

Activity Procedure
Complete these steps:
Step 1 Log in to your perimeter router using the username and password from the previous
exercise.

Step 2 Display the current configuration of the router using the show run command.

Step 3 Double-click the TFTP Desktop server icon on your student PC.
Step 4 Open a Windows command prompt and enter tftp -i [host IP] GET [source file]
[destination file]. TFTP Desktop will begin transferring your configuration to your
student PC. Follow the directions to open the file in Windows Notepad or a text
editor of your choice.

Step 5 Examine the configuration against the lists of services in the “Unused Services and
Interfaces Guidelines” table. Note any services and interfaces that do not comply
with these guidelines.
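The comparison in Step 5 can be scripted. The following Python audit is an added example (not part of the Cisco lab or any Cisco tool): it parses a constructed IOS-style running-config, reports every entry of the "Unused Services and Interfaces Guidelines" table that is not met, and also applies the Lab 2-3 note that an aaa authentication login method list should not end at group tacacs+. It assumes a guideline is satisfied only by the explicit no ... form, matched as exact text, because show running-config omits services that are simply at their default-on state.

```python
# Constructed running-config for router rP (pod 1); not real device output, some services left on.
SAMPLE_RUNNING_CONFIG = """\
no service pad
service tcp-small-servers
no service udp-small-servers
!
aaa authentication login default group tacacs+
aaa authentication login is-in group tacacs+ local
!
no ip bootp server
no ip source-route
no ip identd
no ip gratuitous-arps
no boot network
no service config
no service finger
ip http server
no cdp run
snmp-server community public RO
!
interface Ethernet0/0
 ip address 192.168.1.150 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
!
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1/0
 shutdown
!
interface Ethernet1/1
"""

# Guidelines table, global part: (service, explicit "no ..." line that must be present),
# because show running-config omits services that are simply at their default-on state.
GLOBAL_CHECKS = [
    ("BOOTP server", "no ip bootp server"), ("CDP", "no cdp run"),
    ("boot network", "no boot network"), ("service config", "no service config"),
    ("TCP small servers", "no service tcp-small-servers"),
    ("UDP small servers", "no service udp-small-servers"),
    ("PAD", "no service pad"), ("ip finger", "no ip finger"),
    ("service finger", "no service finger"), ("IP source routing", "no ip source-route"),
    ("HTTP server", "no ip http server"), ("identd", "no ip identd"),
    ("gratuitous ARPs", "no ip gratuitous-arps"),
]
# Guidelines table, interface part: required on every interface that is up.
INTERFACE_CHECKS = [
    ("ICMP redirects", "no ip redirects"), ("ICMP unreachables", "no ip unreachables"),
    ("ICMP mask replies", "no ip mask-reply"), ("proxy ARP", "no ip proxy-arp"),
    ("directed broadcast", "no ip directed-broadcast"), ("MOP", "no mop enabled"),
]
# Management services whose presence alone is a finding.
SNMP_PREFIXES = ["snmp-server community", "snmp-server enable traps", "snmp-server system-shutdown"]

def parse_config(text):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):        # "!" separates IOS blocks
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):                  # sub-command of the open block
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def check_aaa_fallback(global_lines):
    """Flag login method lists ending in 'group <name>' (Lab 2-3 ends them with enable)."""
    return [f"aaa: '{l}' has no fallback method (end it with enable or local)"
            for l in global_lines
            if l.startswith("aaa authentication login ") and l.split()[-2] == "group"]

def audit(text):
    """Return one finding per guideline the configuration does not meet."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: {name} not explicitly disabled ({required})"
                for name, required in GLOBAL_CHECKS if required not in global_lines]
    findings += [f"global: {prefix} is configured" for prefix in SNMP_PREFIXES
                 if any(l.startswith(prefix) for l in global_lines)]
    for ifname, lines in interfaces.items():
        if "shutdown" in lines:                     # guideline 1 is satisfied
            continue
        if not any(l.startswith("ip address ") for l in lines):
            findings.append(f"{ifname}: no IP address and not shut down (unused interface?)")
            continue
        findings += [f"{ifname}: {name} not disabled ({required})"
                     for name, required in INTERFACE_CHECKS if required not in lines]
    return findings + check_aaa_fallback(global_lines)
```

Running audit on a configuration saved by TFTP in Step 4 gives the list of non-compliant items that Step 5 asks you to note by hand.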

Activity Verification
You have completed this task when you attain this result:
Your comparison should reveal a number of potential vulnerabilities from which you will
protect your network in the following tasks.

Task 2: Disable Unused Services and Interfaces


In this task you will not change any configurations. Rather you will discuss the results of Task
1 with your instructor and fellow learners.

Activity Verification
There is no additional verification required for this activity.

Lab 3-1: Configuring the PIX Security Appliance
with PDM
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the PIX Security Appliance with PDM. After completing
this activity you will be able to meet these objectives:
Install PDM and access it from the browser
Clear the PIX Security Appliance configuration and access the PDM Startup Wizard
Use the PDM Startup Wizard to configure a privileged mode password
Configure outbound access with NAT
Test connectivity through the PIX Security Appliance
Configure and test inbound access

Visual Objectives
The following figure displays the configuration you will complete in this lab exercise.

SND Lab Topology

[Figure: SND lab topology for pod P (1–10). Public network 172.26.26.0/24: backbone router RBB,
VPN Client 172.26.26.P, Super Server 172.26.26.50 (WWW, FTP). Router rP connects to RBB over
172.30.P.0/24 (e0/1) and to the organization network 192.168.P.0/24 at 192.168.P.150 (e0/0).
PIX pP: e0 outside 192.168.P.2, e1 inside 10.0.P.1, with a DMZ 172.16.P.0/24 and a VPN zone
172.18.P.0/24 (vP) on further interfaces. Private network 10.0.P.0/24: student PC 10.0.P.11,
sensorP, RTS.]



Note In the following lab activity, you will bypass the initial security alert regarding the site security
certificate. However, remember that when you remotely configure the PIX Security Appliance
with PDM, you can use the security certificate for secure encrypted communication between
PDM and the PIX Security Appliance. To do this, install the certificate by clicking View
Certificate in the initial Security Alert window and following the prompts. Because the
certificate is assigned to the PIX Security Appliance by name rather than by IP address, you
will need to establish the connection with the PIX Security Appliance by entering its fully
qualified domain name, rather than the IP address, in the browser. Using the name rather
than an IP address requires that name resolution is enabled through DNS or a hosts file.

Task 1: Install PDM and Access It from the Browser


In this task you will install PDM and access it from the browser.

Activity Procedure
Complete these steps:
Step 1 Load the PDM file into the PIX Security Appliance. Your display should resemble
the following:
pixP(config)# copy tftp://10.0.P.10/pdm-302.bin flash:pdm
(Where P is your pod number)
Step 2 Enable the HTTP server in the PIX Security Appliance. Your display should
resemble the following:
pixP(config)# http server enable
(Where P is your pod number)
Step 3 Grant permission for the inside host to initiate an HTTP connection to the PIX
Security Appliance. Your display should resemble the following:
pixP(config)# http 10.0.P.11 255.255.255.0 inside
(Where P is your pod number)
Step 4 Access the PDM console by completing the following substeps:

1. Open the browser and enter https://10.0.P.1.


(Where P is your pod number)

2. In the Security Alert window, click Yes.

3. When prompted for the username and password, do not enter a username or
password. Click OK to continue.

4. Click Yes in the Security Warning window. If the Update Config window
opens, click Proceed.
Step 5 Notice that the current PIX Security Appliance configuration has been imported.
Examine the configuration by clicking the Configuration button and then complete
the following substeps:

1. Click the Access Rules tab. Notice that an access policy has been created to
correspond to the ACLs you configured earlier in the course.

2. Click the Translation Rules tab. Notice that the static mappings, NAT, and
global pools appear here.

3. Click the Hosts/Networks tab and observe the network topology.

4. Click the System Properties tab. Notice that the configuration of the PIX
Security Appliance interfaces is displayed.
Step 6 Close the browser. The Are you sure? window opens.
Step 7 Click Yes. The PDM application closes.

Activity Verification
You have completed this task when you attain this result:
You have been able to access the PIX through the PDM.

Task 2: Clear the PIX Security Appliance Configuration and Access the PDM Startup Wizard
In this task you will erase the current PIX Security Appliance configuration and access the
PDM wizard.

Activity Procedure
Complete these steps:

Step 1 In the PDM console window, erase the current PIX Security Appliance
configuration. When prompted to confirm, press Enter. Your display should
resemble the following:
pixP(config)# write erase
Erase PIX configuration in flash memory? [confirm] <Enter>
Step 2 In the Telnet window, reload the PIX Security Appliance. When prompted to
confirm, press Enter. Your display should resemble the following:
pixP(config)# reload
Proceed with reload? [confirm] <Enter>
Step 3 When prompted to pre-configure the PIX Security Appliance through interactive
prompts, press Enter.
Step 4 Agree to use the current password by pressing Enter. Your display should resemble
the following:
Enable password [<use current password>]: <Enter>
Step 5 Accept the default year by pressing Enter. Your display should resemble the
following:
Clock (UTC):
Year [insert current year in the form YYYY]: <Enter>
Step 6 Accept the default month by pressing Enter. Your display should resemble the
following:
Month [Nov]: <Enter>
Step 7 Accept the default day by pressing Enter. Your display should resemble the
following:
Day [14]: <Enter>
Step 8 Accept the default time stored in the host computer by pressing Enter. Your display
should resemble the following:
Time [11:21:25]: <Enter>
Step 9 Enter the IP address of the PIX Security Appliance inside interface. Your display
should resemble the following:
Inside IP address: 10.0.P.1
(Where P is your pod number)
Step 10 Enter the network mask that applies to the inside IP address. Your display should
resemble the following:
Inside network mask: 255.255.255.0
Step 11 Enter the hostname you want to display in the PIX Security Appliance command
line prompt. Your display should resemble the following:
Host name: pixP
(Where P is your pod number)
Step 12 Enter the DNS domain name of the network on which the PIX Security Appliance
runs. Your display should resemble the following:
Domain name: cisco.com
Step 13 Enter the IP address of the host running PDM. Your display should resemble the
following:
10.0.P.11
(Where P is your pod number)
Step 14 Enter y at the prompt to save the information to the PIX Security Appliance Flash
memory.
Step 15 Access the PDM console by completing the following substeps:

1. In the browser, enter https://10.0.P.1 (Where P is your pod number).

2. In the Security Alert window, click Yes.

3. When prompted for the username and password, do not enter a username or
password. Click OK to continue. The Security Warning window opens.

4. Click Yes. The Update Config window opens.

5. Click Proceed. If the Preview CLI Commands window opens, click Send.
The PIX Device Manager main window opens.

Activity Verification
You have completed this task when you attain these results:
The PDM window opens after Step 15.

Task 3: Use the PDM Startup Wizard to Configure a Privileged
Mode Password
In this task you will configure a privileged mode password.

Activity Procedure
Complete these steps:
Step 1 In the PIX Device Manager Startup Wizard window, click Next. The Startup Wizard
Basic Configuration group box appears.
Step 2 Verify that pixP appears in the PIX Host Name field.
(Where P is your pod number)
Step 3 Verify that cisco.com appears in the Domain Name field.
Step 4 Click Change Enable Password within the Enable Password group box.
Step 5 Enter cisco in the New Enable Password text box.
Step 6 Enter cisco in the Confirm New Enable Password text box.

Step 7 Click Finish. The Enter Network Password window opens.

Step 8 Leave the Username field blank, enter cisco in the password field, and click OK.
The main Cisco PIX Device Manager window opens.

Activity Verification
You have completed this task when you attain this result:
The PDM window opens on Step 8.

Task 4: Configure Outbound Access with NAT


In this task you will configure the PIX Security Appliance inside and outside interfaces,
establish a default route, enable NAT for the internal network, and create a global pool of
addresses for address translation.

Activity Procedure
Complete these steps:

Step 1 Click the Configuration button, then click the System Properties tab.
Step 2 Configure the inside interface by completing the following substeps:

1. Click ethernet1 in the Interfaces table and click the Edit button. The Edit
Interface window opens.

2. Verify that the Enable Interface check box is selected.

3. Verify that inside appears in the Interface Name field.

4. Verify that 10.0.P.1 appears in the IP Address field.


(Where P is your pod number)



5. Verify that 255.255.255.0 appears in the Subnet Mask drop-down menu.

6. Verify that 100 appears in the Security Level field.

7. Click the Properties button. The Hardware Port window opens.

8. Choose auto from the Speed and duplex mode drop-down menu.

9. Click OK. You are returned to the Interface window.

10. Click OK. You are returned to the Systems Properties tab.
Step 3 Configure the outside interface by completing the following substeps:

1. Click ethernet0 in the Interfaces table, and then click the Edit button. The
Edit Interface window opens.

2. Check the Enable Interface check box.

3. Verify that outside appears in the Interface Name field.

4. Verify that the Static IP Address radio button is selected within the IP
Address group box.

5. Enter 192.168.P.2 in the IP Address field. (Where P is your pod number)

6. Choose 255.255.255.0 from the Subnet Mask drop-down menu.

7. Verify that 0 appears in the Security Level field.

8. Click the Properties button. The Hardware Port window opens.

9. Choose auto from the Speed and duplex mode drop-down menu.

10. Click OK. You are returned to the Interface window.

11. Click OK. You are returned to the System Properties tab.

12. Click Apply.

Step 4 To establish a default route, complete the following substeps:

1. Verify that the System Properties tab is still active.

2. Expand the Routing branch in the Categories tree.

3. Choose Static Route from the Routing list.

4. Click Add from the Static Route group box. The Add Static Route window
opens.

5. Choose outside from the Interface Name drop-down menu.

6. Enter 0.0.0.0 in the IP Address field.

7. Enter 192.168.P.150 in the Gateway IP field. (Where P is your pod number)

8. Enter 0.0.0.0 in the Mask drop-down menu.

9. Verify that 1 appears in the Metric field.

10. Click OK. The static route appears in the Static Route table.

11. Click Apply.


Step 5 Configure a global pool of addresses to be used for address translation by
completing the following substeps:

1. Click the Translation Rules tab.

2. Click the Manage Pools button. The Manage Global Address Pools window
opens.

3. Click Add. The Add Global Pool Item window opens.

4. Choose outside from the Interface drop-down menu.

5. Enter 1 in the Pool ID field.

6. Verify that the Range radio button is selected.

7. Enter 192.168.P.20 in the first IP address field. (Where P is your pod number)

8. Enter 192.168.P.254 in the second IP address field. (Where P is your pod


number)

9. Enter 255.255.255.0 in the Network Mask field.

10. Click OK. You are returned to the Manage Global Address Pools window.

11. Click OK. You are returned to the Translation Rules tab.

12. Click Apply.

Step 6 Configure NAT by completing the following substeps:

1. Verify that the Translation Rules tab is still active.

2. Verify that the Translation Rules radio button is selected.

3. Choose Rules>Add from the main menu. The Add Address Translation Rule
window opens.

4. Verify that the inside interface is chosen in the Interface drop-down menu.

5. Click Browse. The Select host/network window opens.

6. Verify that the inside interface is chosen in the drop-down menu.

7. Click the inside network by clicking 10.0.P.0. (Where P is your pod number)

8. Click OK. You are returned to the Add Address Translation Rule window.



9. Verify that outside is chosen in the Translate address on interface drop-down
menu.

10. Verify that Dynamic is selected in the Translate Address to group box.

11. Choose 1 from the Address Pool drop-down menu.

12. Verify that the global pool you configured earlier (192.168.P.20–192.168.P.254) appears
under Address. (Where P is your pod number)

13. Click OK in the Add Address Translation Rule window. The new rule
appears on the Translation Rules tab.

14. Click Apply.

Activity Verification
You have completed this task when you attain this result:
Each of the steps includes the necessary substeps to ensure it has been properly verified.

Task 5: Test Connectivity Through the PIX Security Appliance


In this task you will test interface connectivity and NAT.

Activity Procedure
Complete these steps:

Step 1 Test interface connectivity by completing the following substeps:

1. Choose Tools>Ping.

2. In the IP Address field, enter 10.0.P.1.


(Where P is your pod number)

3. Click Ping.

4. Observe the output in the Ping Output window. It should resemble the following
(where P is your pod number):
10.0.P.1 response received -- 0ms
10.0.P.1 response received -- 0ms
10.0.P.1 response received -- 0ms

5. Click Clear Screen.


Step 2 Repeat Step 1 for the following IP addresses. You should receive responses for all
pings:
The inside host: 10.0.P.11 (Where P is your pod number)
The outside interface: 192.168.P.2 (Where P is your pod number)
The backbone router: 192.168.P.150 (Where P is your pod number)

Step 3 Click Close to exit the Ping window.
Step 4 Test the operation of the global pool and NAT you configured by originating connections
through the PIX Security Appliance. To do this, complete the following substeps:

1. Open a web browser on the student PC.

2. Use the web browser to access the Super Server at IP address 172.26.26.50 by
entering http://172.26.26.50.
Step 5 Observe the translation table by completing the following substeps:

1. Choose Tools>Command Line Interface. The Command Line Interface window opens.

2. In the Command field, enter show xlate.

3. Click Send.

4. Observe the output in the Response field. Your display should resemble the
following:
Result of the PIX command: "show xlate"
1 in use, 1 most used
Global 192.168.P.20 Local 10.0.P.11
(Where P is your pod number)

Note A global address chosen from the low end of the global range has been mapped to the
student PC.

Step 6 Exit the Command Line Interface window by clicking Close.

Activity Verification
You have completed this task when you attain this result:
If the results of Step 6 are similar to those shown.

Task 6: Configure and Test Inbound Access


In this task you will configure the PIX Security Appliance to permit inbound access to hosts on
the inside interface.

Activity Procedure
Complete these steps:
Step 1 Enable command preview by completing the following substeps:

1. Choose Options>Preferences from the main menu. The Preferences window opens.

2. Click Preview commands before sending to firewall.



3. Click OK.
Step 2 Create a static translation for the inside host by completing the following
substeps:

1. Click the Translation Rules tab.

2. Click the Add New Rule icon in the toolbar. The Add Address Translation
Rule window opens.

3. Verify that the inside interface is chosen in the Interface drop-down menu.

4. Click Browse. The Select host/network window opens.

5. Verify that the inside interface is chosen in the drop-down menu.

6. Click the inside host: 10.0.P.11. (Where P is your pod number)

7. Click OK. You are returned to the Add Address Translation Rule window.

8. Verify that outside is chosen in the Translate Address on interface drop-down menu.

9. Click Static in the Translate address to group box.

10. Enter 192.168.P.10 in the IP Address field.(Where P is your pod number)

11. Click OK. The new rule appears on the Translation Rules tab.

12. Click Apply. The Preview CLI Commands window opens.

13. Click Send.


Step 3 Clear current translations by completing the following substeps:

1. Choose Tools>Command Line Interface. The Command Line Interface window opens.

2. Enter clear xlate in the Command field.

3. Click Send.
Step 4 Verify that the output in the Response field resembles the following:
Result of firewall command: "clear xlate"
The command has been sent to the firewall.
Step 5 Ping a peer pod inside host from the internal host. The ping should fail because the
peer pod policy presently prevents pinging. Your display should resemble the
following:
C:\> ping 192.168.Q.10
Pinging 192.168.Q.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
(where Q is your peer pod number)
Step 6 Close the Ping window.
Step 7 Configure an ACL to allow pinging through the PIX Security Appliance by
completing the following substeps:

1. Click the Access Rules tab.

2. Choose Rules from the main menu.

3. Click Add. The Add Rule window opens.

4. Verify that permit is chosen in the Select an action drop-down menu.

5. Choose outside from the Interface drop-down menu in the Source Host/Network group box.

6. Choose inside from the Interface drop-down menu in the Destination Host/Network group box.

7. Click ICMP in the Protocol or Service group box.

8. Verify that any is selected in the ICMP type group box.

9. Click OK. The new rule appears on the Access Rules tab.

10. Click Apply. The Preview CLI Commands window opens.

11. Observe the ACLs to be sent to the PIX Security Appliance.

12. Click Send.

Step 8 Ping a peer pod inside host from the internal host. Be sure to coordinate with the
peer pod. Your display should resemble the following:
C:\> ping 192.168.Q.10
Pinging 192.168.Q.10 with 32 bytes of data:
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
Reply from 192.168.Q.10: bytes=32 time<10ms TTL=125
(where Q is your peer pod number)
Step 9 Close the Ping window.
Step 10 Configure an ACL to allow Web access to the inside host from the outside by
completing the following substeps:

1. Click the Access Rules tab.

2. Choose Rules>Add. The Add Rule window opens.

3. Verify that permit is chosen in the Select an action drop-down menu.



4. Choose outside from the Interface drop-down menu within the Source
Host/Network group box.

5. Choose inside from the Interface drop-down menu within the Destination
Host/Network group box.

6. Click Browse in the Destination Host/Network group box. The Select host/network window opens.

7. Verify that inside is chosen in the interface drop-down menu.

8. Click the IP address of the inside host: 10.0.P.11 (Where P is your pod
number).

9. Click OK. The Add Rule window becomes active.

10. Click TCP in the Protocol and Service group box.

11. Verify that = is chosen in the Service drop-down menu within the Source Port
group box.

12. Verify that any appears in the Service field within the Source Port group box.

13. Verify that = is chosen in the Service drop-down menu within the Destination
Port group box.

14. Click the ellipsis button within the Destination Port group box. The Service
window opens.

15. Choose http from the Service list.

16. Click OK. You are returned to the Add Rule window.

17. Click OK.

18. Click Apply. The Preview CLI Commands window opens.

19. Observe the ACLs to be sent to the PIX Security Appliance.

20. Click Send.


Step 11 View current translations by completing the following substeps:

1. Click Clear Response in the Command Line Interface window.

2. Enter show xlate in the Command field.

3. Click Send.

4. Verify that the output in the Response field resembles the following:
Result of firewall command: "show xlate"
0 in use, 3 most used

5. Click Close in the Command Line Interface window.

Step 12 Test Web access to the inside hosts of opposite pod groups by completing the
following substeps:

1. Open a web browser on the student PC.

2. Use the web browser to access the inside host of the peer pod group
http://192.168.Q.10 (where Q is your peer pod number). You should be able
to establish a Web connection to the peer’s inside host.
Step 13 Test FTP access to the inside hosts of other pod groups by completing the following
substeps:

1. On the client PC, use FTP to get into the inside host of another pod group by
choosing Start>Run>ftp 192.168.Q.10 (where Q is your peer pod number).
You should be unable to access the peer’s inside host via FTP.

2. Have an opposite pod group use FTP to attempt to get into the inside host.
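The rule added above permits only TCP port 80 from the outside to the inside host, which is why the web connection in Step 12 succeeds and the FTP attempt in Step 13 is refused. The following Python model is added here as an example and is not part of the lab guide; it assumes pod P = 1 and peer pod Q = 2, uses the static translation shown later by show xlate, and simplifies the PIX's real translation and ACL lookup order.

```python
"""Model of the PDM access rule built above and of the Step 12 and 13 tests.
Added example, not part of the lab guide. Assumptions: pod P = 1, peer pod
Q = 2; first matching rule wins and anything unmatched is denied, as on the
PIX; the PIX's real translation and ACL lookup order is simplified."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network       # inside (real) address of the host
    dst_port: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str                      # destination as seen on the outside interface
    dst_port: int


# Static translation reported by "show xlate": Global 192.168.P.10 <-> Local 10.0.P.11
STATIC_XLATE = {"192.168.1.10": "10.0.1.11"}

# The rule from the Add Rule window: permit, source on the outside interface (any),
# destination the inside host 10.0.P.11, TCP, source port any, destination port http.
INBOUND_RULES: List[Rule] = [
    Rule("permit", "tcp",
         ipaddress.ip_network("0.0.0.0/0"),
         ipaddress.ip_network("10.0.1.11/32"),
         dst_port=80),
]


def real_destination(dst_ip: str) -> str:
    """Map a global (translated) address back to the inside host it fronts."""
    return STATIC_XLATE.get(dst_ip, dst_ip)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return "permit" or "deny" for a flow arriving on the outside interface."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(real_destination(flow.dst_ip))
    for rule in rules:
        if rule.protocol not in ("ip", flow.protocol):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action        # first match wins
    return "deny"                 # implicit deny at the end of the access list


def lab_checks() -> dict:
    """The peer pod's tests from Steps 12 and 13, sourced from its global address."""
    peer = "192.168.2.10"         # 192.168.Q.10 with Q = 2 (constructed)
    return {
        "step12_http": evaluate(INBOUND_RULES, Flow("tcp", peer, "192.168.1.10", 80)),
        "step13_ftp": evaluate(INBOUND_RULES, Flow("tcp", peer, "192.168.1.10", 21)),
        "https_not_permitted": evaluate(INBOUND_RULES, Flow("tcp", peer, "192.168.1.10", 443)),
    }


if __name__ == "__main__":
    for check, verdict in lab_checks().items():
        print(f"{check}: {verdict}")
```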
Step 14 Observe the transactions by completing the following substeps:

1. Choose Tools>Command Line Interface. The Command Line Interface window opens.

2. Enter show arp in the Command field.

3. Click Send.

4. Verify that the output in the Response box is similar to the following:
result of firewall command: "show arp"
outside 192.168.P.1 0003.6ba4.ca60
inside 10.0.P.102 0050.da31.6130
(Where P is your pod number)

5. Click Clear Response.

6. Enter show conn in the Command field.

7. Click Send.

8. Verify that the output in the Response field is similar to the following:
result of firewall command: "show conn"
0 in use, 6 most used
TCP out 192.168.Q.10:80 in 10.1.P.11:3893 idle 0:00:07 Bytes 463 flags UIO
TCP out 192.168.Q.10:80 in 10.1.P.11:3893 idle 0:00:07 Bytes 463 flags UIO

9. Click Clear Response.

10. Enter show xlate in the Command field.

11. Click Send.

12. Verify that the output in the Response field is similar to the following:
result of firewall command: "show xlate"
2 in use, 3 most used
Global 192.168.P.10 Local 10.0.P.11
(Where P is your pod number)

13. Click Close.

Activity Verification
You have completed this task when you attain this result:
The results of Step 6 are similar to those shown.

Lab 4-1: Completing Basic Sensor Configuration with the Cisco IDS Device Manager
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will complete initial setup of a Cisco sensor using the IDS Device Manager
(IDM). After completing this activity, you will be able to meet these objectives:
Assign sensor IP settings from the CLI
Access and navigate the IDM
Assign the sensor network settings
Enable the sensor sensing interface
Set the time and date
Create and test user accounts
Display events
Display statistics

Visual Objective
The following illustration displays the lab topology for your classroom environment.

[Figure: SND Lab Topology]


Note The P in an IP address, name, or command indicates your pod number. Make sure to
replace it with your pod number. The Q in an IP address, name, or command indicates the
pod number of a peer pod assigned by the instructor. Make sure to replace it with your peer
pod number.

Setup
Before starting this lab exercise, your instructor will provide you with the IP address of the
terminal server and instructions to access the sensor. Verify that your PC is able to ping the
terminal server.

Task 1: Assign the Sensor IP Network Settings


This task involves configuring the following: sensor hostname, IP address for the sensor
command and control interface, default route, Telnet server status, and web server port. In this
task you will assign the sensor IP network settings.

Activity Procedure
Complete these steps:

Step 1 Access the terminal server as directed by your instructor.

Step 2 Access the sensor via its console port as directed by your instructor. Your display
should resemble the following:
rts>sP
(Where P is your pod number)
Step 3 Log in to the CLI. Your display should resemble the following:
sensor login: cisco
Password: iattacku2
Step 4 Enter the setup command and press the space bar. The System Configuration Dialog
will be displayed, although results may vary from pod to pod. Your display should
resemble the following:
sensor# setup
--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

networkParams
ipAddress 10.1.9.201
netmask 255.255.255.0
defaultGateway 10.1.9.1
hostname sensor
telnetOption disabled
accessList ipAddress 10.0.0.0 255.0.0.0
exit
timeParams
summerTimeParams
active-selection none
exit
exit
service webServer
general
ports 443
exit
exit

Current time: Fri Oct 3 17:02:01 2003

Setup Configuration last modified: Fri Oct 3 19:36:25 2003

Continue with configuration dialog?[yes]:


Step 5 Press Enter when prompted to continue with the configuration dialog. Your display
should resemble the following:
Continue with configuration dialog? [yes]: <Enter>
Step 6 Assign a name to the sensor. Your display should resemble the following:
Enter host name[sensor]: sensorP
(Where P is your pod number)
Step 7 Assign an IP address to the sensor command and control interface. Your display
should resemble the following:
Enter IP address[10.1.9.201]: 10.0.P.4
(Where P is your pod number)
Step 8 Assign a netmask for the IP address. Your display should resemble the following:
Enter netmask[255.255.255.0]: 255.255.255.0
Step 9 Assign a default gateway. Your display should resemble the following:
Enter default gateway[10.1.9.1]: 10.0.P.1
(Where P is your pod number)

Step 10 Press Enter to accept the default setting for Telnet services. Your display should
resemble the following:
Enter telnet-server status[disabled]: <Enter>
Step 11 Press Enter to accept the default web server port. Your display should resemble the
following:
Enter web-server port[443]: <Enter>
Step 12 Enter yes when prompted to modify the current ACL. The current ACL entries
appear:
Modify current access list? [no] yes
Current access list entries:
[1] 10.0.0.0 255.0.0.0
Delete:
Step 13 Enter 1 to delete the default ACL entry. Your display should resemble the following:
Delete: 1
Delete:
Step 14 Press Enter again. Your display should resemble the following:
Delete: <Enter>
Permit:
Step 15 Enter the IP address of your student PC. Your display should resemble the
following:
Permit: 10.0.P.11
Permit:
(Where P is your pod number)
Step 16 Press Enter again. Your display should resemble the following:
Permit: <Enter>
Step 17 Press Enter to answer no when prompted to modify system clock settings. Your
display should resemble the following:
Modify system clock settings?[no]: <Enter>
The following configuration was entered.

networkParams
ipAddress 10.0.P.4
defaultGateway 10.0.P.1
hostname sensorP
accessList ipAddress 10.0.P.11 netmask 255.255.255.255
exit
timeParams
summerTimeParams
active-selection none
exit
exit
service webServer
general
ports 443
exit
exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[0]:
Step 18 Enter 2 to select Save this configuration and exit setup. Your display should
resemble the following:
Enter your selection[0]: 2
Configuration Saved.
*17:06:26 UTC Fri Oct 03 2003
Modify system date and time?[no]:
Step 19 Enter yes to modify the system date and time. Your display should resemble the
following:
Modify system date and time?[no]: yes
Step 20 Enter today’s date in the following format: YYYY-MM-DD. Your display should
resemble the following:
Local Date[]: <YYYY-MM-DD>
Step 21 Use 24-hour time to enter the current time in the following format: hh:mm:ss. Your
display should resemble the following:
Local Time[]: <hh:mm:ss>
sensor#
Step 22 Reboot the sensor. Your display should resemble the following:
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? :
(Where P is your pod number)
Step 23 Enter yes to continue rebooting the sensor. Your display should resemble the
following:
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? : yes

Activity Verification
There is no verification necessary for this task.

Task 2: Access and Navigate the IDM
In this task you will access and navigate the IDM.

Activity Procedure
Complete these steps:
Step 1 Confirm that the sensor has been initialized and that you are able to ping the sensor.
Step 2 Open your web browser and specify the sensor as the location. To do this, enter the
following URL in the address field of your web browser:
https://10.0.P.4
(Where P is your pod number)
Step 3 Click Yes when the Security Alert panel appears asking if you want to proceed.
Step 4 Log in to the IDM as user admin. The admin password is adminpass.
Step 5 Choose Device > Sensor Setup.

Step 6 Click Network from the TOC. The network settings for your sensor are displayed in
the Network Settings panel.

Step 7 Click the Configuration tab and observe the configuration options that are available.

Step 8 Click the Monitoring tab and observe the options that are available.

Step 9 Click the Administration tab and observe the options that are available.

Activity Verification
There is no verification required for this task.

Task 3: Configure Sensor Network Settings
In this task, you will configure the network settings. After you initialize the sensor, the
parameter values appear on the Network Settings page.
Step 1 Select Device > Sensor Setup > Network. The Network Settings page appears.
Step 2 In the Host Name field, enter the name of the sensor, SensorP, where P is the pod
number.

Step 3 In the IP Address field, enter the IP address of the sensor, 10.0.P.4, where P is the
pod number.
Step 4 In the Netmask field, enter the netmask for the sensor, 255.255.255.0.
Step 5 In the Default Route field, enter the default route IP address for the sensor, 10.0.P.1,
where P is the pod number.
Step 6 In the Web Server Port field click the Use Default Ports check box to use the
default port. The default port for http is 80. The default port for https is 443.
Step 7 Click Apply to Sensor to save and apply your changes.

Task 4: Enable the Sensor Sensing Interface
After configuring system information, you are ready to assign interfaces, configure signatures,
set up blocking, set up automatic signature updates, and restore defaults. In this task you will
enable the sensor sensing interface.

Activity Procedure
Complete these steps:
Step 1 Choose Configuration > Sensing Engine from the IDM. The Sensing Engine
window opens.
Step 2 Click Interfaces from the TOC. The Interfaces page is displayed.
Step 3 Check the check box for int0 and click Enable. The following message is displayed:
Configuration update is in progress. This page will be unavailable for a few minutes.
Step 4 Click OK. The Interfaces page is displayed with the following message:
Configuration update is in progress. This page will be unavailable for a few minutes.
Step 5 Click Interfaces from the TOC. The Interfaces page is refreshed.

Activity Verification
You have completed this task when you attain this result:
int0 displays Yes in the Enabled column.

Task 5: Setting the Time and Date
In this task, you will define the time, time zone, and daylight savings time (DST) for the sensor.
The instructor will ensure every pod uses the same time settings throughout.

Step 1 Select Device > Sensor Setup > Time. The Time Settings page appears.

Step 2 In the Time field under Time Settings, enter the current time (hh:mm:ss).
Step 3 In the Date field under Time Settings, enter the current date (mm:dd:yyyy).
Step 4 Click Apply Time to Sensor to apply your settings.

Step 5 In the Zone Name field under Standard Timezone, enter the local time zone to be
displayed when summer time is not in effect.
Step 6 If you are using an NTP server to set the sensor time, enter the NTP server IP
address in the NTP Server IP field.
Step 7 Choose Enabled under Daylight Savings Time to enable daylight savings time. In
the DST Zone Name field, enter the name of the zone (text 1 to 32 characters) to be
displayed when summer time is in effect. In the Start Time field, accept the default
of 2:00.

Step 8 In the Stop Time field, accept the default of 2:00.


Step 9 Select the Recurring radio button under Daylight Savings Time Duration to indicate
that summer time should start and end on the specified days every year.
Step 10 In the Start Week/Day/Month field under Daylight Savings Time Duration enter the
week (1 to 5, last), day (Sunday to Saturday), and month (January to December) of
the year to apply the DST. The default is 1, Sunday, April.
Step 11 In the End Week/Day/Month field under Daylight Savings Time Duration enter the
week (1 to 5, last), day (Sunday to Saturday), and month (January to December) of
the year to remove DST. The default is last, Sunday, October.
Step 12 Select the Date radio button under Daylight Savings Time Duration to indicate that
summer time should start on a specific date.
Step 13 In the Start field enter the month, date, and year (mm:hh:yyyy) to start DST.
Step 14 In the End field enter the month, date, and year (mm:hh:yyyy) to stop DST.
Step 15 Click Apply to Settings Sensor to save the settings.

Activity Verification
There is no additional verification for this task.

Task 6: Create and Test User Accounts
In this task you will add users with different privilege levels as shown in the “New Users
Table.”

New Users Table

          Username   Password    User Role
User 1    service    servpass    service
User 2    admin      adminpass   administrator
User 3    view       viewpass    viewer
User 4    oper       operpass    operator

Step 1 Choose Device > Sensor Setup > Users. The Users page appears.
Step 2 Click Add to add the User 1. The Adding page appears.
Step 3 In the User Name field, enter the new username service.

Step 4 In the Password field, enter the password servpass.


Step 5 In the Password Again field, enter the password again.
Step 6 Choose the Service role for User 1.

Step 7 Repeat these steps for the remaining three users.


Step 8 Click Apply to Sensor to save your changes.
Step 9 Log off the sensor by clicking on Logout at the top of the window.
Step 10 Log into the Viewer account.
Step 11 At this point repeat Step 1 and view the current list of users.

Step 12 Test user accounts by attempting to make changes to settings from different
privilege levels. The following table outlines the subtasks you must complete.
Record the results in the table as appropriate.
Task     Login as ...   and attempt to ...

12.a.    view           Choose Configuration > Sensing Engine > Interfaces.
         Results:

12.b.    view           Attempt to add a TLS Trusted Host with IP address 10.0.P.12 by choosing
                        Device > Sensor Setup > Allowed Hosts.
         Results:

12.c.    oper           Attempt to configure an interface by choosing Configuration >
                        Sensing Engine > Interfaces.
         Results:

12.d.    oper           Change your password to newoperpass.
         Results:

12.e.    admin          Change the password for User 4, who is an operator, to operpass.
         Results:

Step 13 Check your results against those in the ‘Results Table’.

Results Table

Task     Result
12.a.    A Viewer will not be able to reach this page.
12.b.    A Viewer will not be able to reach this page.
12.c.    An operator cannot configure interfaces.
12.d.    You should be able to complete this task.
12.e.    You should be able to complete this task.
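The Results Table above is a role-based access decision. The following Python, added here as an example and not the sensor's own code, models it as an authorization check over the New Users Table; the PERMISSIONS sets are an assumption that grants each role only what reproduces the table's outcomes, not the sensor's real role definitions.

```python
"""Privilege checks behind the Results Table of Task 6 (Steps 12 and 13).
Added example, not the sensor's code. USERS is built from the New Users
Table; PERMISSIONS is an assumption that reproduces only the outcomes listed
in the Results Table and is not the sensor's real role definition."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    password: str
    role: str


# New Users Table (constructed from the lab guide's table)
USERS = {
    "service": User("service", "servpass", "service"),
    "admin":   User("admin", "adminpass", "administrator"),
    "view":    User("view", "viewpass", "viewer"),
    "oper":    User("oper", "operpass", "operator"),
}

# Assumed permission sets per role (see module docstring).
PERMISSIONS = {
    "viewer":        {"view_events", "view_statistics", "change_own_password"},
    "operator":      {"view_events", "view_statistics", "change_own_password"},
    "administrator": {"view_events", "view_statistics", "change_own_password",
                      "view_interfaces", "configure_interfaces",
                      "add_allowed_host", "change_other_password"},
    "service":       set(),   # service account: no IDM actions assumed
}


def authorize(username: str, action: str, target: Optional[str] = None) -> bool:
    """True when the user's role allows the action (on target, for passwords)."""
    role = USERS[username].role
    if action == "change_password":
        own = target is None or target == username
        needed = "change_own_password" if own else "change_other_password"
        return needed in PERMISSIONS[role]
    return action in PERMISSIONS[role]


def change_password(username: str, new_password: str,
                    target: Optional[str] = None) -> bool:
    """Change a password if authorized; return whether the change was applied."""
    target = target or username
    if not authorize(username, "change_password", target):
        return False
    USERS[target].password = new_password
    return True


def step12_results() -> dict:
    """Subtasks 12.a to 12.e; True means the attempt succeeded."""
    return {
        "12.a": authorize("view", "view_interfaces"),         # viewer opens Interfaces page?
        "12.b": authorize("view", "add_allowed_host"),        # viewer adds TLS trusted host?
        "12.c": authorize("oper", "configure_interfaces"),    # operator configures interface?
        "12.d": change_password("oper", "newoperpass"),       # operator changes own password
        "12.e": change_password("admin", "operpass", "oper"), # admin resets User 4's password
    }


if __name__ == "__main__":
    for task, succeeded in step12_results().items():
        print(f"{task}: {'allowed' if succeeded else 'denied'}")
```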

Activity Verification
There is no additional verification for this activity.

Task 7: Display Events
In this task you will display events in varying degrees of detail that have occurred over the
period of the course. The “Display Event Parameters” table provides the parameters you will
use to configure the Events Display page.

Display Event Parameters

Event Display Parameter   Event Display 1                   Event Display 2                   Event Display 3
Show Alerts               Informational                     Low                               High
Show Debug                Unchecked                         Checked                           Unchecked
Show Error Events         Warning                           Error                             Fatal
Log Events                Checked                           Unchecked                         Checked
Show NAC Events           Unchecked                         Unchecked                         Unchecked
Show Status Events        Checked                           Unchecked                         Checked
Start Time                8:00 am on Day 1 of the course    8:00 am on Day 2 of the course    8:00 am on Day 3 of the course
End Time                  12:00 PM on Day 4 of the course   12:00 PM on Day 4 of the course   12:00 PM on Day 4 of the course
End Date                  Date 4 of the course              Date 4 of the course              Date 4 of the course

Step 1 Select Monitoring > Events. The Events Display page appears.

Step 2 Complete the check boxes using the parameters in the Event Display 1 column.
Click Apply to Sensor to save your changes. The Events page lists the events you
just selected. Note the types of information that are displayed.

Step 3 Repeat Step 2 using the parameters in the Event Display 2 column. Note how this
information differs from the previous Event Display.
Step 4 Repeat Step 2 using the parameters in the Event Display 3 column. Note how this
information differs from the previous Event Display.

Activity Verification
There is no additional verification required.

Task 8: Display Statistics
In this task you will view and interpret sensor statistics.

Activity Procedure
Complete these steps:

Step 1 Select Monitoring > Statistics. The Statistics page appears.
Step 2 In a discussion with your instructor, summarize the meaning of these statistics. You
can jot down some notes on the ‘Statistics Table’.

Statistics Table

Statistic Category    Meaning
WebServer
TransactionSource
TransactionServer
NAC
Logger
Host
EventStore
EventServer
AnalysisEngine
Authorization

Step 3 To update statistics as they change, click Statistics again or click Reload in your
browser.

Activity Verification
There is no additional verification required.

Lab 5-1: Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-Shared Keys
Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity you will work with your lab activity partner to configure the Cisco VPN Client
and the Cisco VPN 3000 Series Concentrator to enable IPSec-encrypted tunnels using pre-
shared keys. After completing this activity, you will be able to meet these objectives:
Complete the lab exercise setup
Return the concentrator to factory settings
Configure the concentrator private interface using the CLI
Configure the concentrator public interface using the CLI
Configure the concentrator default gateway using the CLI
Configure the concentrator using the Cisco VPN 3000 Series Concentrator Manager
Verify the concentrator IKE proposal
Verify the concentrator group parameters
Modify the concentrator public filter
Apply the concentrator public filter

Visual Objective
The following figure displays the configuration you will complete in this lab exercise.

[Figure: SND Lab Topology]

Scenario
Your company wants to implement a VPN using remotely located Cisco VPN Clients
terminating at centrally located concentrators. You must configure both the remote Cisco VPN
Clients and the concentrators for remote access using pre-shared keys for authentication.

In this first exercise, you will configure the concentrator. You will configure the VPN client
after completing the next lesson.

The “Network Parameters Used in Lab 4-1 and 4-2” table contains the recommended device
and interface IP addresses and subnet masks used in this lab exercise. Verify these values with
your instructor before proceeding with the lab exercise.

Network Parameters Used in Lab 4-1 and 4-2

Parameter                        IP Address       Subnet Mask
Student PC primary               172.26.26.P      255.255.255.0
Student PC default gateway       172.26.26.150
Concentrator public interface    192.168.P.5      255.255.255.0
Concentrator private interface   172.18.P.5       255.255.255.0
DHCP server                      10.0.P.10
Remote terminal server           172.26.26.100
Backbone router (private)        192.168.P.150
Backbone router (public)         172.26.26.50

(Where P is your pod number)

Task 1: Complete the Lab Exercise Setup
In this task you will verify that your equipment is set up.

Activity Procedure
Complete these steps:
Step 1 Ensure that your student PC is powered on.
Step 2 Ensure that your student IP addresses are configured correctly:
Primary IP address: 172.26.26.P (Where P is your pod number)
Default gateway IP address: 172.26.26.150
Step 3 Ensure that your concentrator is powered on.
Step 4 Uninstall the Cisco VPN Client if it is installed. Choose Start>Programs>Cisco
Systems VPN Client>Uninstall VPN Client to remove the Cisco VPN Client.
Respond to the questions appropriately.

Activity Verification
There is no verification of this task.

Task 2: Return the Concentrator to Factory Settings
The instructor will provide you with the procedures for access to the concentrator console port,
because this procedure will vary according to your connectivity. This procedure assumes that
Windows 2000 is already running on the student PC.

After you access the concentrator console port, the concentrator login prompt appears. In this
task you will return the concentrator to the factory settings.

Activity Procedure
Complete these steps:
Step 1 Log in to the concentrator CLI using the administrator account. Your display should
resemble the following:
Login: admin
Password: admin
If you get a Quick prompt for the system time or date parameters, the device has
already been rebooted to factory defaults. In that case, skip this task and proceed
directly to Task 3.
Step 2 Access the Administration menu. Your display should resemble the following:
Main -> 2
Step 3 Access the System Reboot menu. Your display should resemble the following:
Admin -> 3
Step 4 Access the Schedule Reboot menu. Your display should resemble the following:
Admin -> 2

Step 5 Choose Reboot ignoring the Configuration file. Your display should resemble the
following:
Admin -> 3
Step 6 Choose Reboot Now. Your display should resemble the following:
Admin -> 2
The Reboot scheduled immediately message appears, followed by the Rebooting
VPN 3000 Series Concentrator now message. Do not attempt to log in to the first
login prompt you see because it takes several moments for the concentrator to
complete the reboot function. A login prompt appears when the reboot is complete.
Step 7 Leave the CLI session open.

Activity Verification
You have completed this task when you attain this result:
The CLI session is open after Step 6.

Task 3: Configure the Concentrator Private Interface Using the CLI
This procedure assumes that the CLI session is still active from the previous task. If the CLI
session is not active, complete Steps 1 to 6 of the previous task before proceeding.

In this task you will configure the concentrator private LAN interface using the CLI Quick
Configuration mode.

Activity Procedure
Complete these steps:

Step 1 Log in to the concentrator CLI using the administrator account. Your display should
resemble the following:
Login: admin
Password: admin

Note When an administrator reboots a concentrator CLI, as in the previous task, menus open in a
slightly different order. If the system parameters prompt appears, press Enter through the
time, date, time zone, and Daylight Savings Time (DST) prompts to accept the default
values.

Step 2 Enter the concentrator private interface IP address. Your display should resemble the
following:
Quick Ethernet 1 -> [0.0.0.0] 172.18.P.5
(Where P is your pod number)
Step 3 Enter the concentrator private interface subnet mask. Your display should resemble
the following:
Quick Ethernet 1 -> [255.0.0.0] 255.255.255.0

Step 4 Accept the default Ethernet speed of 10/100 Mbps Auto Detect. Your display should
resemble the following:
Quick Ethernet 1 -> [3] <Enter>
Step 5 Accept the default duplex mode of Auto. Your display should resemble the
following:
Quick Ethernet 1 -> [1] <Enter>
Step 6 Accept the default MTU size. Your display should resemble the following:
Quick Ethernet 1 -> [1500] <Enter>
Step 7 Save the changes to the configuration file. Your display should resemble the
following:
Quick -> 3
Step 8 Exit the CLI. Your display should resemble the following:
Quick -> 5
If you do not exit, the CLI continues its quick configuration script. You will use the
standard CLI menus for the remaining parameters.
Step 9 Leave the CLI session open.

Activity Verification
You have completed this task when you attain this result:
The CLI session is open after Step 8.

Task 4: Configure the Concentrator Public Interface Using the CLI
In this task you will configure the concentrator public interface.

Activity Procedure
Complete these steps:
Step 1 Log in to the concentrator CLI using the administrator account. Your display should
resemble the following:
Login: admin
Password: admin
Step 2 Choose the Configuration menu. Your display should resemble the following:
Main -> 1
Step 3 Choose the Interface Configuration menu. Your display should resemble the
following:
Config -> 1
Step 4 Choose the Configure Ethernet #2 (Public) menu. Your display should resemble the
following:
Interfaces -> 2

Step 5 Choose the Interface Setting menu. Your display should resemble the following:
Ethernet Interface 2 -> 1
Step 6 Accept the default setting to Enable using Static IP Addressing. Your display should
resemble the following:
Ethernet Interface 2 -> [3] <Enter>
Step 7 Enter the concentrator public interface IP address. Your display should resemble the
following:
Ethernet Interface 2 -> [0.0.0.0] 192.168.P.5
(Where P is your pod number)
Step 8 Accept the default setting for the subnet mask. Your display should resemble the
following:
Ethernet Interface 2 -> [255.255.255.0] <Enter>

Note Several messages appear, indicating the condition of the Ethernet #2 (public) interface.
Disregard the messages.

Step 9 Choose the Select IP Filter menu. Your display should resemble the following:
Ethernet Interface 2 -> 3
Step 10 Choose 0 (no filter) on the Ethernet #2 (public) interface. Your display should
resemble the following:
Ethernet Interface 2 -> [Public (Default)] 0

Note In this lab exercise, you have disabled filtering on the public LAN interface to allow access to
the HTTP-based Cisco VPN 3000 Series Concentrator Manager from your student PC.
Never select 0 (no filter) in a live network, because doing so could facilitate a security
breach.

Step 11 Return to the top-level menu by using the following shortcut. Your display should
resemble the following:
Ethernet Interface 2 -> h
Step 12 Save changes to the configuration file. Your display should resemble the following:
Main -> 4
Step 13 Do not exit the CLI. Leave the Command Prompt window open, because it will be
used to complete the tasks that follow.

Activity Verification
You have completed this task when you attain this result:
You have saved the changes to the configuration file.

Task 5: Configure the Concentrator Default Gateway Using the CLI
In this task you will start from the CLI top-level menu, to set the default gateway parameter of
the concentrator to the IP address of the backbone router.

Activity Procedure
Complete these steps:
Step 1 Choose the Configuration menu. Your display should resemble the following:
Main -> 1
Step 2 Choose the System Management menu. Your display should resemble the following:
Config -> 2
Step 3 Choose the IP Routing menu. Your display should resemble the following:
System -> 4
Step 4 Choose the Default Gateways menu. Your display should resemble the following:
Routing -> 2
Step 5 Choose the Set Default Gateway menu. Your display should resemble the following:
Routing -> 1
Step 6 Enter the backbone router IP address. Your display should resemble the following:
Routing -> 192.168.P.150
(Where P is your pod number)
Step 7 Choose the Set Default Gateway Metric menu. Your display should resemble the
following:
Routing -> 2
Step 8 Accept the Default Gateway Routing Metric of 1. Your display should resemble the
following:
Routing -> [1] <Enter>
Step 9 Return to the top-level menu. Your display should resemble the following:
Routing -> h
Step 10 Save changes to the configuration file. Your display should resemble the following:
Main -> 4
Step 11 Exit the CLI session. Your display should resemble the following:
Main -> 6
Step 12 Close the Command Prompt window.

Activity Verification
You have completed this task when you attain this result:
You have saved your changes to the configuration file.

Task 6: Configure the Concentrator Using the Cisco VPN 3000
Series Concentrator Manager
Earlier you configured both the private and public interfaces using the CLI feature of the
concentrator. This procedure assumes that Windows 2000 is already running on the student PC.

Complete the following steps to complete the concentrator configuration using the Cisco VPN
3000 Series Concentrator Manager.

Activity Procedure
Complete these steps:
Step 1 Double-click the Internet Explorer icon to launch the program.
Step 2 Enter a concentrator public interface IP address in the Internet Explorer Address
field: 192.168.P.5 (Where P is your pod number). Internet Explorer connects to the
Cisco VPN 3000 Series Concentrator Manager.
Step 3 Log in to the Cisco VPN 3000 Series Concentrator Manager using the administrator
account. Your display should resemble the following:
Login: admin
Password: admin

Note The username (login) and password are always case sensitive.

Step 4 In the main window, click the click here to start Quick Configuration link.

Step 5 From the Configuration>Quick>IP Interfaces window, complete the following
substeps:

1. Verify the IP addresses of Ethernet 1, 172.18.P.5, and Ethernet 2,
192.168.P.5, which you configured via the CLI (Where P is your pod
number).

2. If you want to make any changes, click on the appropriate interface, make
your changes, and click Apply. When you are back to this screen, click
Continue.

Step 6 From the Configuration>Quick>System Info window, complete the following
substeps:

1. Enter vpnP in the System Name field (Where P is your pod number).

2. Your instructor will provide you with the values to complete the following
table:

Parameter                                      Value
Time (Hour:Minute:Second AM/PM)
(for example, 2:45:00 PM)
Date (Month/Day/Year)
(for example, July/6/2001)
Time zone (offset in hours from GMT)
(for example, (GMT–05:00) EST)
Enable DST Support? (circle one)               SELECT    DE-SELECT

3. In the System Info window, enter the correct time, date, and time zone from
the previous table.

4. Check or uncheck the Enable DST Support check box, depending on which
action has been circled in the previous table.

5. Leave the DNS Server IP Address field set to 0.0.0.0.

6. Enter cisco.com in the Domain field.

7. Leave a backbone router IP address in the Default Gateway field:
192.168.P.150.
(Where P is your pod number)

8. Click Continue.

Step 7 From the Configuration>Quick>Protocols window, complete the following substeps:

1. Uncheck the PPTP check box.

2. Uncheck the L2TP check box.

3. Check the IPSec check box.

4. Click Continue.
Step 8 From the Configuration>Quick>Address Assignment window, complete the
following substeps:

1. Click DHCP.

2. Enter a DHCP server IP address in the Specify Server field: 10.0.P.10.
(Where P is your pod number)

3. Click Continue.

Note If no DHCP server is available, the Configured Pool option can be used instead (for
example, with a range of 172.18.P.100 to 172.18.P.150).

Step 9 From the Configuration>Quick>Authentication window, complete the following
substeps:

1. Verify that Internal Server is selected from the Server Type drop-down menu.

2. Click Continue.
Step 10 From the Configuration>Quick>User Database window, complete the following
substeps:

Note These entries are all case sensitive. Create all entries in lowercase form only.

1. Enter studentP in the User Name field.
(Where P is your pod number)

2. Enter studentP in the Password field.
(Where P is your pod number)

3. Enter studentP in the Verify field.
(Where P is your pod number)

4. Click Add the new user to the database. The new username should appear
in the Current Users window.

5. Click Continue.

Step 11 From the Configuration>Quick>IPSec Group window, complete the following
substeps:

Note These entries are all case sensitive. Create all entries in lowercase form only.

1. Enter training in the Group Name field.

2. Enter training in the Password field.

3. Enter training in the Verify field.

4. Click Continue.

Step 12 From the Configuration>Quick>Admin Password window, click Continue.
Normally you would change your password, but for lab exercise consistency, leave
the password at the default value.
Step 13 From the Configuration>Quick>Done window, complete the following substeps:

1. Click the Save Needed icon, in the upper right corner of the window. The
Save Successful window opens.

2. Click OK.
Step 14 Leave Internet Explorer open and continue to the next task.

Activity Verification
There is no verification required for this task.

Task 7: Verify the Concentrator IKE Proposal
In this task you will verify the IPSec IKE proposal.

Activity Procedure
Complete these steps:
Step 1 From the Configuration menu tree, choose System>Tunneling
Protocols>IPSec>IKE Proposals.
Step 2 Ensure that the CiscoVPNClient-3DES-MD5 proposal appears first under the Active
Proposals list.
Step 3 If you need to make changes, click the Save Needed icon. Always click
CiscoVPNClient-3DES-MD5 when using the Cisco VPN 3.x or 4.x Client. Always
click IKE-3DES-MD5 when using the Cisco VPN 2.5 Client.
Step 4 Leave Internet Explorer open and continue to the next task.

Activity Verification
There is no verification required for this task.

Task 8: Verify the Concentrator Group Parameters

In this task you will verify the concentrator group parameters set previously.

Activity Procedure
Complete these steps:

Step 1 From the Configuration menu tree, choose User Management>Groups.

Step 2 Choose training from the Current Groups list.

Step 3 Click Modify Group. It may take a few moments for the text to appear.

Step 4 Click the Identity tab.

Step 5 Verify that Group Name is set to training.

Step 6 Click the IPSec tab.

Step 7 Verify that Authentication is set to Internal.

Step 8 Scroll to the bottom of the window, and click Cancel.

Step 9 Leave Internet Explorer open and continue to the next task.

Activity Verification
There is no verification required for this task.

Task 9: Modify the Concentrator Public Filter

This task is for lab exercise purposes only. For security reasons, this task should never be
completed in a production environment.

Filtering must be enabled on the public interface in order for the Cisco VPN Client to connect
to the concentrator. By definition, the filter permits only tunnel and ICMP traffic to pass
through the interface. This filter excludes any HTTP traffic from your student PC. However, for
this lab exercise, the public filter can be modified to permit HTTP traffic to travel both inbound
and outbound. With a modified filter, you can configure and monitor the network from the
public side of the network. In this task you will modify the public filter of the concentrator.

Activity Procedure
Complete these steps:
Step 1 From the Configuration menu tree, choose Policy Management>Traffic
Management>Filters.
Step 2 Choose the Public (Default) filter from the Filter list.
Step 3 Click Assign Rules to Filter within the Actions group box.
Step 4 Choose Incoming HTTP In (forward/in) from the Available Rules list.
Step 5 Click Add.

Step 6 Choose Incoming HTTP Out (forward/out) from the Available Rules list.

Step 7 Click Add.

Step 8 Click Done.

Activity Verification
There is no verification required for this task.

Task 10: Apply the Concentrator Public Filter

For the Cisco VPN Client to connect to the concentrator, filtering must be applied to the public
interface. Earlier you temporarily set the public interface filter to 0 (none) so you could
configure the concentrator via HTTP. In this task you will configure the public interface in the
same way with one exception: instead of setting the IP filter to 0 (none), set it to 2 (public).

Activity Procedure
Complete these steps:
Step 1 From the Configuration menu tree, choose Interfaces>Ethernet 2 (Public).
Step 2 Select the General tab.

Step 3 Choose Public (Default) from the Filter drop-down menu.

Step 4 Click Apply.
Step 5 Save the changes to the configuration.
Step 6 Log out of the concentrator.
Step 7 Close Internet Explorer.

Activity Verification
There is no verification required for this task.
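The filter behaviour described in Tasks 9 and 10 can be modelled to see what each setting exposes on the public interface: filter 0 (none) forwards everything, the Public (Default) filter forwards only tunnel and ICMP traffic, and the two HTTP rules added in Task 9 reopen management from the public side. The Python below is an added example written for this guide; it is not Cisco code and not the concentrator's implementation. The rule names come from the lab, the port and protocol numbers are the standard IANA assignments (UDP/500 for IKE, IP protocol 50 for ESP, TCP/80 for HTTP), and the first-match, default-drop evaluation semantics are an assumption of the model.

```python
# Added example (not part of the Cisco lab guide): a small model of the
# concentrator's public-interface packet filter.  Assumptions: rules are
# evaluated in order, the first match decides, and a filter with no
# matching rule drops the packet.  Port/protocol numbers are IANA values.
from dataclasses import dataclass, field
from typing import List, Optional

IKE_PORT = 500      # UDP/500 (ISAKMP)
ESP_PROTO = 50      # IP protocol 50
ICMP_PROTO = 1
TCP_PROTO = 6
UDP_PROTO = 17
HTTP_PORT = 80


@dataclass(frozen=True)
class Packet:
    proto: int
    direction: str              # "in" (toward the concentrator) or "out"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    direction: str
    dport: Optional[int] = None  # None matches any port
    action: str = "forward"      # "forward" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.direction == pkt.direction
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Filter:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "drop"  # assumed implicit deny at the end

    def evaluate(self, pkt: Packet) -> str:
        """Return the action of the first matching rule, else the default."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


# Filter 0 (none): the lab's temporary setting, no filtering at all.
NONE_FILTER = Filter("0 (none)", rules=[], default_action="forward")


def public_default() -> Filter:
    """Public (Default): tunnel protocols and ICMP only, as the lab describes."""
    return Filter("Public (Default)", rules=[
        Rule("IKE In", UDP_PROTO, "in", IKE_PORT),
        Rule("IKE Out", UDP_PROTO, "out", IKE_PORT),
        Rule("ESP In", ESP_PROTO, "in"),
        Rule("ESP Out", ESP_PROTO, "out"),
        Rule("ICMP In", ICMP_PROTO, "in"),
        Rule("ICMP Out", ICMP_PROTO, "out"),
    ])


def public_with_http() -> Filter:
    """The Task 9 modification: the two HTTP rules added for lab convenience."""
    f = public_default()
    f.rules.append(Rule("Incoming HTTP In (forward/in)", TCP_PROTO, "in", HTTP_PORT))
    f.rules.append(Rule("Incoming HTTP Out (forward/out)", TCP_PROTO, "out", HTTP_PORT))
    return f


def audit_public_filter(f: Filter) -> List[str]:
    """Findings a reviewer would raise about a filter bound to the public interface."""
    findings = []
    if f.evaluate(Packet(TCP_PROTO, "in", HTTP_PORT)) == "forward":
        findings.append(f"{f.name}: HTTP management reachable from the public side")
    if f.evaluate(Packet(UDP_PROTO, "in", IKE_PORT)) != "forward":
        findings.append(f"{f.name}: IKE blocked; VPN clients cannot connect")
    return findings


if __name__ == "__main__":
    probes = {
        "IKE in": Packet(UDP_PROTO, "in", IKE_PORT),
        "ESP in": Packet(ESP_PROTO, "in"),
        "ICMP in": Packet(ICMP_PROTO, "in"),
        "HTTP in": Packet(TCP_PROTO, "in", HTTP_PORT),
        "SSH in": Packet(TCP_PROTO, "in", 22),
    }
    for flt in (NONE_FILTER, public_default(), public_with_http()):
        print(flt.name)
        for label, pkt in probes.items():
            print(f"  {label:8} -> {flt.evaluate(pkt)}")
        for finding in audit_public_filter(flt):
            print("  FINDING:", finding)
```

Running the block shows the progression the lab walks through: with filter 0 every probe is forwarded, with Public (Default) only IKE, ESP and ICMP pass, and after the Task 9 change HTTP is forwarded again and the audit flags it, which is why Task 10 reapplies the unmodified public filter before the concentrator is left in service.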

Lab 5-2: Configure the Cisco 3000 VPN Series
Concentrator with the Cisco VPN Software Client
for Windows
Complete the following lab activity to practice what you learned in the related module.

Activity Objective
In this activity you will configure the Cisco VPN 3000 Series Concentrator for remote access
with the Cisco VPN Client. After completing this activity, you will be able to meet these
objectives:
Complete the lab exercise setup
Install the Cisco VPN Client
Configure the Cisco VPN Client
Verify the Cisco VPN Client properties
Open the Cisco VPN Client
Verify the Cisco VPN connection status
Monitor the concentrator statistics

Visual Objective
The following figure displays the configuration you will complete in this lab exercise.

[Figure: SND Lab Topology, Pod P (1–10). Networks and devices shown: VPN Client 172.26.26.P
on 172.26.26.0/24; RBB (.150 toward the VPN Client, .1 on 172.30.P.0/24); router rP (e0/1 .2 on
172.30.P.0/24, e0/0 .150 on the Organization Network 192.168.P.0/24); firewall pPp (e0 .2 on
192.168.P.0/24, e2 .1 on the DMZ 172.16.P.0/24, e4 .1 on the VPN Zone 172.18.P.0/24, e1 .1 on
the Private network 10.0.P.0/24); PSS WWW/FTP server in the DMZ; concentrator vP (pub .5,
priv .5); Private network hosts Super Server (WWW/FTP), sensorP, PC1 and RTS, with the
addresses .10, .4, .100 and 10.0.P.11 shown.]

Scenario
This exercise carries on from the previous one. Recall your company wants to implement a
VPN using remotely located Cisco VPN Clients terminating at centrally located concentrators.
You have configured the concentrators, and now must configure both the remote Cisco VPN
Clients.

Task 1: Verify the Lab Exercise Setup

There is no additional setup required. In this task you will verify the lab setup.

Activity Procedure
Complete these steps:
Step 1 Ensure that your student PC is powered on.
Step 2 Ensure that your student IP addresses are configured correctly:
Primary IP address: 172.26.26.P (Where P is your pod number)
Default gateway IP address: 172.26.26.150
Step 3 Ensure that your concentrator is powered on.

Step 4 Uninstall the Cisco VPN Client if it is installed. Choose Start>Programs>Cisco
Systems VPN Client>Uninstall VPN Client to remove the Cisco VPN Client.
Respond to the questions appropriately.

Activity Verification
There is no verification necessary for this task.

Task 2: Install the Cisco VPN Client

The Cisco VPN Client is typically installed from the Cisco VPN 3000 Series Concentrator CD-
ROM, using the instructions supplied with the CD-ROM. In this lab exercise, the source files
for the Cisco VPN Client already reside on the hard disk drive of the student PC. In this task
you will install the Cisco VPN Client.

Activity Procedure
Complete these steps:
Step 1 Open the Cisco VPN Client folder found on the student PC desktop.

Step 2 Double-click the setup.exe file from the Cisco VPN Client folder. If this is the first
time that the Cisco VPN Client is being installed on this PC, a window opens and
displays the following message: Do you want the installer to disable the IPSec
Policy Agent?
Step 3 If the disable IPSec policy agent message appears, click Yes. The Welcome window
opens.
Step 4 Read the Welcome window and click Next. The License Agreement window opens.

Step 5 Read the license agreement and click Yes. The Destination Folder Location window
opens.

Step 6 Accept the defaults by clicking Next. The Program Folders window opens.
Step 7 Accept the defaults by clicking Next. The Start Copying Files window opens.
Step 8 The files are copied to the hard disk drive of the student PC and the InstallShield
Wizard Complete window opens.
Step 9 Click Yes, I want to restart my computer now, and click Finish. The student PC
restarts.
Step 10 Log in to the student PC.
Step 11 Close the Cisco VPN Client folder.

Activity Verification
You have successfully completed this task when you attain this result:
When you choose Start>Programs>Cisco Systems VPN Client>VPN Client, the Cisco
Systems VPN Client window opens.
Close the window and move to Task 3.

Task 3: Configure the Cisco VPN Client

This procedure assumes that Windows 2000 is already running on the student PC. In this task
you will configure the networking parameters of the new Cisco VPN Client.

Activity Procedure
Complete these steps:

Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. The Cisco
Systems VPN Client window opens.

Step 2 Click New. The Create New VPN Connection Entry window opens.

Step 3 Enter studentP in the Connection Entry field.
(Where P is your pod number)

Step 4 Leave the description field blank.

Step 5 Enter a concentrator public interface IP address in the Host field: 192.168.P.5.
(Where P is your pod number)

Step 6 Verify that the Group Authentication radio button is selected and complete the
substeps listed here. The following entries are always case sensitive. Use lowercase
characters for this lab exercise.

1. Enter training as a group name.

2. Enter training as a group password.

3. Confirm training as the password.

Step 7 Click Save and leave the Cisco Systems VPN Client window open.

Activity Verification
You have completed this task when you attain this result:
Review the entries and ensure you entered the information exactly as directed. These
settings will be verified in the next task.

Task 4: Verify the Cisco VPN Client Properties

In this task you will verify the Cisco VPN Client parameters that you just configured.

Activity Procedure
Complete these steps:
Step 1 Ensure that the Cisco VPN Client window is open. If the Cisco VPN Client window
is not open, choose: Start>Programs>Cisco Systems VPN Client> VPN Client.
Step 2 Click studentP within the Connection Entry group box and click Modify.
(Where P is your pod number)
Step 3 Verify that the IP address of the remote server is set to a concentrator public
interface IP address: 192.168.P.5.
(Where P is your pod number)

Step 4 Click the Authentication tab and verify the spelling of the group name. If
necessary, you can edit the group name and password here.

Step 5 Click the Transport tab and view the available options. Do not make any changes to
the default settings.

Step 6 Click Save if you have made any changes.

Step 7 Close the Cisco Systems VPN Client window.

Activity Verification
There is no additional verification needed.

Task 5: Open the Cisco VPN Client

In this task you will open the Cisco VPN Client on your student PC and create an IPSec tunnel.

Activity Procedure
Complete these steps:

Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client.

Step 2 Verify that the connection entry is studentP (Where P is your pod number).

Step 3 Verify that the IP address of the remote server is set to that of a concentrator public
interface IP address: 192.168.P.5 (Where P is your pod number).

Step 4 Click Connect. Complete the following substeps:

1. When prompted for a username, enter studentP.
(Where P is your pod number)

2. When prompted to enter a password, enter studentP.
(Where P is your pod number)

Step 5 Click OK. The following messages flash by quickly at the bottom of the window:
Initializing the connection
Contacting the security gateway at
Authenticating user

Activity Verification
You have completed this task when you attain this result:
The window closes and a Cisco VPN Client icon appears in the system tray.

Task 6: Verify the Cisco VPN Connection Status

A Cisco VPN Client Connection Status window is available to the end user. By double-clicking
the Cisco VPN Client icon, the end user can view general connection information and
connection statistics. In this task you will view the Cisco VPN Client connection information.

Activity Procedure
Complete these steps:

Step 1 Double-click the Cisco VPN Client icon in the system tray and answer the
following questions:

Q1) What window opened?

____________________________
Step 2 Click the Status>Statistics… menu option and answer the following questions.

Q2) What encryption scheme was used?

_____________________________
Q3) What authentication method was used?

_____________________________
Q4) What client IP address was assigned to you?

_____________________________
Step 3 Click Close.

Activity Verification
You have completed this task when you attain this result:
You have correctly answered the four questions.

Task 7: Monitor the Concentrator Statistics

Remote access information is available on the concentrator. The administrator can view event
messages that detail the connection process from start to finish. Once established, the
administrator can view session statistics. In this task you will monitor the concentrator
statistics.

Activity Procedure
Complete these steps:
Step 1 Double-click the Internet Explorer icon.
Step 2 Enter a concentrator private interface IP address in the Internet Explorer Address
field: 10.0.P.5 (Where P is your pod number). Internet Explorer connects to the
Cisco VPN 3000 Series Concentrator Manager.
Step 3 Log in to the Cisco VPN 3000 Series Concentrator Manager using the following
administrator account:
Login: admin
Password: admin
Step 4 From the Monitoring menu, choose Routing Table.

Q5) Which networks are visible?

_____________________________
Step 5 From the Monitoring menu, choose Filterable Event Log.

Step 6 Click Clear Log.

Step 7 Disconnect your VPN session if it is still active by using the Cisco VPN Client icon
in the system tray of the student PC.

Step 8 Re-establish your VPN session.

Step 9 From the Monitoring menu, choose Filterable Event Log.

Step 10 Click the |<< button and answer the following questions:

Q6) What is the group name of the remote client?

_____________________________
Q7) What is the username of the remote client?

_____________________________
Q8) For what SA is the IKE remote peer configured?

_____________________________
Step 11 From the Monitoring menu, choose Sessions and answer the following question:

Q9) Fill in the blanks:


Username __________________________
Assigned IP address __________________
Public IP address ____________________
Group _____________________________

Protocol ___________________________
Encryption _________________________
Login time _________________________
Duration ___________________________
Client type _________________________
Client version _______________________
Step 12 Click studentP (Where P is your pod number). More information is displayed. Use
this information to answer the following questions:

Q10) The IKE session used:

Encryption algorithm: ________________________
Hashing algorithm: __________________________

Q11) The IPSec session identification (ID2) used:

Remote address: ____________________________
Local address: ______________________________
Encryption algorithm: ________________________
Hashing algorithm: ___________________________
Step 13 Log out of the concentrator.

Step 14 Disconnect your VPN session if it is still active by using the Cisco VPN Client icon
in the student PC system tray.
Step 15 Close Internet Explorer.

Warning It is very important that you log out of the Cisco VPN 3000 Series Concentrator Manager
when finished. Failing to log out before exiting the manager interface leaves an administrator
session open. Eventually, all possible administrator sessions will be used, and you will not
be allowed to log in again. Also, only the first administrator session has read and write
access. The remaining administrator sessions have read-only access.

Activity Verification
You will have completed this task when you attain this result:
Answer Questions 5 to 11 correctly. Check the answer key for the correct responses.
