Configuring Cisco Ip Security - Florent Parent , Jean Parent ,... - Librairie Eyrolles

Configuring Cisco IP Security

Florent Parent, Jean Parent, Syngress Media

466 pages, published 01/11/2000

Summary

As more and more companies take their critical applications and business functions online, they need to know that their networks, systems, and data are protected. Cisco Systems, the world's largest internetworking vendor, has developed hardware and software solutions that provide security by tracking access by customers and business partners and prohibiting access by unauthorized outsiders. Configuring Cisco IP Security covers the full range of Cisco Secure hardware and software solutions, including PIX Firewall, Intrusion Detection System, and Authentication Agent, to help engineers and administrators protect their ISPs, corporate networks, and e-commerce sites. The book's user-friendly format includes a technology overview, a "fast-track" summary, easy-to-read chapters written by subject-matter experts, and dozens of helpful illustrations, screen shots, and captions.

Contents

Chapter 1: Introduction to IP Network Security
Introduction
Protecting Your Site
Typical Site Scenario
Host Security
Network Security
Availability
Integrity
Confidentiality
Access Control
Authentication
Authorization
Accounting
Network Communication in TCP/IP
Application Layer
Transport Layer
TCP
TCP Connection
UDP
Internet Layer
IP
ICMP
ARP
Network Layer
Security in TCP/IP
Cryptography
Symmetric Cryptography
Asymmetric Cryptography
Hash Function
Public Key Certificates
Application Layer Security
Pretty Good Privacy (PGP)
Secure HyperText Transport Protocol (S-HTTP)
Transport Layer Security
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Secure Shell (SSH)
Filtering
Network Layer Security
IP Security Protocols (IPSec)
Filtering (Access Control Lists)
Data Link Layer Security
Authentication
Terminal Access Controller Access Control System Plus (TACACS+)
Remote Access Dial-In User Service (RADIUS)
Kerberos
Cisco IP Security Hardware and Software
Cisco Secure PIX Firewall
Cisco Secure Integrated Software
Cisco Secure Integrated VPN Software
Cisco Secure VPN Client
Cisco Secure Access Control Server
Cisco Secure Scanner
Cisco Secure Intrusion Detection System
Cisco Secure Policy Manager
Cisco Secure Consulting Services
Summary
FAQs
Chapter 2: Traffic Filtering on the Cisco IOS
Introduction
Access Lists
Access List Operation
Types of Access Lists
Standard IP Access Lists
Source Address and Wildcard Mask
Keywords any and host
Keyword log
Applying an Access List
Extended IP Access Lists
Keywords permit or deny
Protocol
Source Address and Wildcard-Mask
Destination Address and Wildcard Mask
Source and Destination Port Number
Established
Named Access Lists
Editing Access Lists
Problems with Access Lists
Lock-and-Key Access Lists
Reflexive Access Lists
Building Reflexive Access Lists
Applying Reflexive Access Lists
Reflexive Access List Example
Context-based Access Control
The Control-based Access Control Process
Configuring Control-based Access Control
Inspection Rules
Applying the Inspection Rule
Configuring Port to Application Mapping
Configuring PAM
Protecting a Private Network
Protecting a Network Connected to the Internet
Protecting Server Access Using Lock-and-Key
Protecting Public Servers Connected to the Internet
Summary
FAQs
Chapter 3: Network Address Translation (NAT)
Introduction
NAT Overview
Overview of NAT Devices
Address Realm
NAT
Transparent Address Assignment
Transparent Routing
Public, Global, and External Networks
Private and Local Networks
Application Level Gateway
NAT Architectures
Traditional or Outbound NAT
Network Address Port Translation (NAPT)
Static NAT
Twice NAT
Guidelines for Deploying NAT and NAPT
Configuring NAT on Cisco IOS
Configuration Commands
Verification Commands
Configuring NAT between a Private Network and Internet
Configuring NAT in a Network with DMZ
Considerations on NAT and NAPT
IP Address Information in Data
Bundled Session Applications
Peer-to-Peer Applications
IP Fragmentation with NAPT En Route
Applications Requiring Retention of Address Mapping
IPSec and IKE
Summary
FAQs
Chapter 4: Cisco PIX Firewall
Introduction
Overview of the Security Features
Differences Between IOS 4.x and 5.x
Initial Configuration
Installing the PIX Software
Basic Configuration
Installing the IOS over TFTP
Command Line Interface
IP Configuration
IP Address
Configuring NAT and NAPT
Security Policy Configuration
Security Strategies
Deny Everything That Is Not Explicitly Permitted
Allow Everything That Is Not Explicitly Denied
Identify the Resources to Protect
Demilitarized Zone (DMZ)
Identify the Security Services to Implement
Authentication and Authorization
Access Control
Confidentiality
URL, ActiveX, and Java Filtering
Implementing the Network Security Policy
Authentication Configuration in PIX
Access Control Configuration in PIX
Securing Resources
URL, ActiveX, and Java Filtering
PIX Configuration Examples
Protecting a Private Network
Protecting a Network Connected to the Internet
Protecting Server Access Using Authentication
Protecting Public Servers Connected to the Internet
Securing and Maintaining the PIX
System Journaling
Securing the PIX
Summary
FAQs
Chapter 5: Virtual Private Networks
Introduction
What Is a VPN?
Overview of the Different VPN Technologies
The Peer Model
The Overlay Model
Link Layer VPNs
Network Layer VPNs
Transport and Application Layer VPNs
Layer 2 Transport Protocol (L2TP)
Configuring Cisco L2TP
LAC Configuration Example
LNS Configuration Example
IPSec
IPSec Architecture
Security Association
Anti-Replay Feature
Security Policy Database
Authentication Header
Encapsulating Security Payload
Manual IPSec
Internet Key Exchange
Authentication Methods
IKE and Certificate Authorities
IPSec Limitations
Network Performance
Network Troubleshooting
Interoperability with Firewalls and Network Address Translation Devices
IPSec and Cisco Encryption Technology (CET)
Configuring Cisco IPSec
IPSec Manual Keying Configuration
IPSec over GRE Tunnel Configuration
Connecting IPSec Clients to Cisco IPSec
Cisco Secure VPN Client
Windows 2000
Linux FreeS/WAN
BSD Kame Project
Summary
FAQs
Chapter 6: Cisco Authentication, Authorization, and Accounting Mechanisms
Introduction
AAA Overview
AAA Benefits
Cisco AAA Mechanisms
Supported AAA Security Protocols
RADIUS
TACACS+
Kerberos
RADIUS, TACACS+, or Kerberos
Authentication
Login Authentication Using AAA
PPP Authentication Using AAA
Enable Password Protection for Privileged EXEC Mode
Authorization
Configure Authorization
TACACS+ Configuration Example
Accounting
Configuring Accounting
Suppress Generation of Accounting Records for Null Username Sessions
RADIUS Configuration Example
Typical RAS Configuration Using AAA
Typical Firewall Configuration Using AAA
Authentication Proxy
How the Authentication Proxy Works
Comparison with the Lock-and-Key Feature
Benefits of Authentication Proxy
Restrictions of Authentication Proxy
Configuring Authentication Proxy
Configuring the HTTP Server
Configure Authentication Proxy
Authentication Proxy Configuration Example
Summary
FAQs
Chapter 7: Intrusion Detection
Introduction
What Is Intrusion Detection?
Network Attacks and Intrusions
Poor Network Perimeter/Device Security
Network Sniffers
Scanner Programs
Network Topology
Unattended Modems
Poor Physical Security
Application and Operating Software Weaknesses
Software Bugs
Web Server/Browser-based Attacks
Getting Passwords - Easy Ways in Cracking Programs
Trojan Horse Attacks
Virus or Worm Attacks
Human Failure
Poorly Configured Systems
Information Leaks
Malicious Users
Weaknesses in the IP Suite of Protocols
Layer 7 Attacks
Layer 5 Attacks
Layer 3 and 4 Attacks
Network and Host-based Intrusion Detection
Network IDS
Host IDS
What Can't IDSs Do?
Deploying in a Network
Sensor Placement
Network Vulnerability Analysis Tools
Cisco's Approach to Security
Cisco Secure Scanner (NetSonar)
Minimum System Specifications for Secure Scanner V2.0
Searching the Network for Vulnerabilities
Viewing the Results
Keeping the System Up-to-Date
Cisco Secure Intrusion Detection System (NetRanger)
What Is NetRanger?
Before You Install
Director and Sensor Setup
General Operation
nrConfigure
Data Management Package (DMP)
Cisco IOS Intrusion Detection System
Configuring IOS IDS Features
Associated Commands
Cisco Secure Integrated Software (Firewall Feature Set)
Summary
FAQs
Chapter 8: Network Security Management
Introduction
PIX Firewall Manager
PIX Firewall Manager Overview
PIX Firewall Manager Benefits
Supported PIX Firewall IOS Version Versus PIX Firewall Manager Version
Installation Requirements for PIX Firewall Manager
PIX Firewall Manager Features
Using PIX Firewall Manager
Configuration
Installation Errors in PIX Firewall Manager
A Configuration Example
CiscoWorks 2000 ACL Manager
ACL Manager Overview
ACL Manager Device and Software Support
Installation Requirements for ACL Manager
ACL Manager Features
Using a Structure Access Control Lists Security Policy
Increase Deployment Time for Access Control Lists
Ensure Consistency of Access Control Lists
Keep Track of Changes Made on the Network
Troubleshooting and Error Recovery
Basic Operation of ACL Manager
Using ACL Manager
Configuration
An ACL Manager Configuration Example
Cisco Secure Policy Manager
Cisco Secure Policy Manager Overview
The Benefits of Using Cisco Secure Policy Manager
Installation Requirements for Cisco Secure Policy Manager
Cisco Secure Policy Manager Features
Cisco Firewall Management
VPN and IPSec Security Management
Security Policy Management
Network Security Deployment Options
Cisco Secure Policy Manager Device and Software Support
Using Cisco Secure Policy Manager
Configuration
CSPM Configuration Example
Cisco Secure ACS
Cisco Secure ACS Overview
Cisco Secure ACS Benefits
Installation Requirements for Cisco Secure ACS
Cisco Secure ACS Features
Placing Cisco Secure ACS in Your Network
Cisco Secure ACS Device and Software Support
Using Cisco Secure ACS
Configuration
Cisco Secure ACS Configuration Example
Summary
FAQs
Chapter 9: Security Processes and Managing Cisco Security Fast Track
Introduction
What Is a Managing Cisco Security Fast Track?
Introduction to Cisco Network Security
Network Security
Network Communications in TCP/IP
Security in TCP/IP
Traffic Filtering on the Cisco IOS
Access Lists
Standard and Extended Access Lists
Reflexive Access Lists
Context-based Access Control
Network Address Translation (NAT)
Private Addresses
Network Address Translation
Static NAT
Traditional or Outbound NAT
Network Address Port Translation (NAPT or PAT)
Considerations
Cisco PIX Firewall
Security Policy Configuration
Securing and Maintaining the PIX
Virtual Private Networks (VPNs)
L2TP
IPSec
Network Troubleshooting
Interoperability with Firewalls and Network Address Translation Devices
Cisco Authentication, Authorization and Accounting Mechanisms
Authentication
Authorization
Accounting
Intrusion Detection
What Is Intrusion Detection?
Cisco Secure Scanner (NetSonar)
Cisco Secure NetRanger
Cisco Secure Intrusion Detection Software
Network Security Management
Cisco PIX Firewall Manager
CiscoWorks 2000 ACL Manager
Cisco Secure Policy Manager
Cisco Secure Access Control Manager
General Security Configuration Recommendations on Cisco
Remote Login and Passwords
Disable Unused Network Services
Logging and Backups
Traffic Filtering
Physical Access
Keeping Up-to-Date
Summary
FAQs
Index

The author - Jean Parent

The author - Syngress Media

Syngress Media, Inc. creates books and software for information technology professionals seeking skill enhancement and career advancement. Its products are designed to comply with vendor and industry standard course curricula and are optimized for certification exam preparation.

Technical details

Edition: PAPER
Publisher(s): Syngress
Author(s): Florent Parent, Jean Parent, Syngress Media
Publication date: 01/11/2000
Number of pages: 466
Format: 18,6 x 23,2
Cover: Paperback
Weight: 823g
Interior: Black and white
EAN13: 9781928994176
