P. 1
CCNA Security Prep From Net Workers

CCNA Security Prep From Net Workers

|Views: 129|Likes:
Published by Script Kiddy

More info:

Published by: Script Kiddy on Jun 06, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/26/2011

pdf

text

original

Sections

  • Goals of This Session
  • Disclaimer
  • Changing Threats and Challenges
  • Smurf Attack
  • Ping Sweeps and Port Scans
  • One of the Sneakier Scan Methods: Idle Scanning
  • Demonstration Topology
  • Demo: Idle Scan Using Nmap
  • Man-in-the-Middle Attacks Example: ARP Cache Poisoning
  • Demo: ARP Cache Poison Using Cain
  • How Difficult Is It to Obtain Tools?
  • Agenda
  • Network Security Is a System
  • Secure Network Lifecycle
  • Security Policy
  • Reading List
  • Cryptography: What and Why
  • What Is a Hash Function?
  • Hash Example: Update Verification
  • Hash Example: Enable Secret
  • Demo: Enable Secret Dictionary Attack
  • What Is Encryption?
  • Symmetric vs. Asymmetric Encryption
  • Symmetric Encryption Algorithms
  • Anecdote on Key Length
  • Asymmetric Encryption Algorithms
  • What Is AAA ?
  • Implementing AAA
  • RADIUS vs. TACACS+
  • Cisco Secure ACS
  • AAA Router CLI ConfigExample
  • AAA
  • Cisco IOS Command Authorization Using ACS Example
  • Demo: AAA Using CSACS
  • Secure Remote Administrative Access: SSH—The Secure Shell Protocol
  • Demo: SSH
  • What Is a Firewall?
  • Packet Filtering
  • Packet Filter Limitations
  • Application Layer Gateway or Proxy Server
  • How Classic StatefulFirewall Works
  • Application Inspection Firewalls
  • Zone-Based Policy Firewall
  • Security Zone Pairs
  • Zone Rules Summary
  • Configure a ZBP Firewall
  • Security Zone Firewall Configuration CPL–Cisco Policy Language (CPL)
  • ZBP Policy Actions
  • SDM Zone Based Firewall Wizard
  • Zone-Based Policy Firewall Configuration Example
  • The Problem
  • IPSec Protocol Architecture
  • Break Down of IPSec: IKE
  • IKE Phases, Security Associations
  • IKE Authentication Methods
  • DH Exchange
  • Encapsulating Security Payload (ESP)
  • ESP tunnel mode
  • Site-to-Site IPSec VPN
  • Site-to-Site IPSec Configuration
  • Introducing the Cisco SDM VPN Wizard Interface
  • Quick Setup
  • IPSec Configuration Example
  • Some More Advanced VPN Technologies
  • IPS Deployment Options
  • IDS vs. IPS
  • IPS Attach Responses
  • Support for SDEE and Syslog
  • Signature Micro-Engines
  • Cisco IOS IPS Deployment Steps
  • IPS Policies Wizard
  • IPS Policies Wizard (Cont.)
  • Configuring Signatures Using Cisco SDM
  • Configuring Signatures Using Cisco SDM (Cont.)
  • Configuring Global Settings
  • Configuring Auto Update
  • Demo–Cisco IOS IPS in Action
  • Why Be Concerned?
  • MAC Address Concerns
  • Port Security Configuration
  • STP Manipulation
  • BPDU Guard
  • Root Guard
  • VLAN Hopping by Rogue Trunk
  • VLAN Hopping by Double Tagging
  • Mitigating VLAN Hopping Network Attacks
  • ARP Spoofing: Man-in-the-Middle Attacks
  • Private VLAN Edge
  • Some More Advanced Layer 2 Security Technologies
  • Practice Exam Item 1—SDM-Based Item
  • Practice Exam Item 1—(Cont.)
  • Practice Exam Item 2—Theory Based Item
  • Practice Exam Item 3—CLI Configuration Item
  • Practice Exam Item 4—Configuration Related Item
  • Practice Exam Item 5—Theory Based Item
  • Practice Exam Item 6—Theory Based Item
  • Practice Exam Item 7—SDM Based Item
  • Practice Exam Item 8—Configuration Related Item
  • Practice Exam Item 9—Show Output Related Item
  • Practice Exam Item 10—Configuration Related Item
  • Practice Exam Item 1
  • Practice Exam Item 2
  • Practice Exam Item 3
  • Practice Exam Item 4
  • Practice Exam Item 5
  • Practice Exam Item 6
  • Practice Exam Item 7
  • Practice Exam Item 8
  • Recommended Reading
  • Complete Your Online Session Evaluation

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

1

CCNA Security: A New Associate Level Career Path Option

BRKCRT-1104

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

2

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

1

Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

3

Goals of This Session
What this session will not be:
A replacement to the 5 day IINS course An exam cram session focusing on the content of the IINS exam An exact match to the content of the IINS course

What this session will include:
A discussion of security issues and technology relevant to those pursuing a career in Network Security at the associate level A presentation based on, but not limited by, the concepts covered in the IINS class A demonstration of attack methodologies and mitigation of the attack using Cisco security technology
BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

4

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

2

Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

5

Disclaimer
Do not repeat the exercises demonstrated during this presentation on any network for which you do not have complete authorization to do so. The demonstrations are carried out on an isolated network within the Global Knowledge remote labs environment. Practicing similar exercises outside of this environment requires many considerations including, but not limited to:
1. Many organizations have security policies explicitly forbidding the use of these types of tools on the their networks. Job termination and/or criminal prosecution may be the penalty. Often these types of tools are distributed with hidden malware. By installing such tools you may unknowingly also be installing keystroke loggers, back doors, or other types of malware. Use of these types of tools with targets that are owned by other entities may violate local, state and/or federal laws.

2.

3.

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

6

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

3

All rights reserved. Inc. Inc. Cisco Systems. Cisco Public 7 Changing Threats and Challenges Where Can I Get Attached? Operating System Network Services Applications Users Attack Attack Anywhere BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public Everywhere 8 © 2006. All rights reserved. Presentation_ID.Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.scr 4 . All rights reserved. Inc.

All rights reserved. rsh/rexec BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. fingerd. 1988 Two target OS’s: BSD on DEC VAX and SunOS Intent was to gauge the size of the Internet Could (and did) infect same system multiple times. and compiled usr/tmp/sh using the appropriate object file BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc.The Morris Worm Recognized as the first Internet Worm Written by Robert Tappan Morris Released on November 2. Presentation_ID. Inc. determined host OS.scr 5 . Inc.c file.c) and one of two object files (x$$. Cisco Public 9 The Morris Worm Sendmail: Invoked debug mode Used RCPT TO: and requested data be piped to a shell The data was a shell script which created a .o and x$$.sun3. Cisco Systems.vax.o) It used 3 vectors: sendmail. All rights reserved.l1. hence ended up being a crippling issue The worm consisted of an executable file (usr/tmp/sh) created from a C program (x$$. Cisco Public 10 © 2006. All rights reserved. which it compiled with the victim’s own C compiler New executable copied the object files from attacking host.

Presentation_ID. such as username.scr 6 . it used /usr/dict/words and tried every word in the dictionary BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. last name and last name + firstname. All rights reserved. Cisco Public 11 The Morris Worm Hiding itself: Hid itself from the ps command Unlinked its files so they wouldn’t show up with the ls command Scanning for other hosts: Sequential addresses in local network netstat –r –n /etc/hosts ypcat hosts BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Systems. Cisco Public 12 © 2006. All rights reserved. but didn’t verify Vulnerability in both target OS.equiv files for trust relationships Needed to crack username/password Tried common combinations for the password. If those attempts failed.rhosts and /etc/hosts. Inc. Inc. but exploit was only written to BSD on the DEC VAX rsh/rexec Checked the local . Inc. first name.The Morris Worm fingerd & rsh/rexec Differed from sendmail vector in method of transfering files fingerd Buffer overflow–fingerd expected a max of 512 bytes of input. All rights reserved.

Inc.1. Cisco Systems. imagine how clever the they’ve become over the last 20 years! Multiple vectors Dictionary cracking Using local resources (C compiler.The Morris Worm The Main Point: If the very first internet worm was this clever. All rights reserved.255. Presentation_ID.1.1 DST=171. All rights reserved.1.0. Inc.1.1. Inc. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 13 Smurf Attack Attacker ICMP ECHO Replies 200. All rights reserved. Cisco Public 14 © 2006.0/16 Intermediaries ICMP flooding attacks are popular due to amplification techniques: Smurf attacks use a spoofed broadcast ping to elicit a large number of responses to the target.scr 7 . dictionary file) Evasion of detection Intelligent location of other networks Attackers think outside the box.255 171.1 Target ICMP ECHO SRC=200.1. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

Inc. All rights reserved. Presentation_ID.Ping Sweeps and Port Scans Ping sweeps and port scans can attempt to: Identify all services on the network Identify all hosts and devices on the network Identify the operating systems on the network Identify vulnerabilities on the network BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. IPID is unchanged Zombie 3) Attacker IPID Probe TCP SYN ACK Packet Response: IPID = n+1 TCP RST Packet Zombie Attacker IPID Probe TCP SYN ACK Packet Response: IPID = n+2 TCP RST Packet Zombie BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc.scr 8 . Cisco Public 15 One of the Sneakier Scan Methods: Idle Scanning 1) Attacker IPID Probe TCP SYN ACK Packet Response: IPID = n TCP RST Packet Zombie Target is not listening on Scan Port Attacker TCP SYN to Scan Port Spoof “from” Zombie OR Target is listening on Scan Port Attacker TCP SYN to Scan Port Spoof “from” Zombie SYN e to Packet pons Res YN ACK ket S Pac TCP RST +1 TCP ID = n IP Target Target 2) Zombie SYN e to cket a pons Res RST P TCP Zombie doesn’t respond to the RST. Cisco Public 16 © 2006. Inc. Cisco Systems. All rights reserved.

50.43.18 .10.1 2K . Presentation_ID.150.100.20.200. 17 Demo: Idle Scan Using Nmap Use Nmap to run an idle scan (-sI) with 50.1 (10) 100.0/24 (2) Outside Perimeter 200.50.10.gkl.0/24 (13) XP (4) 2K3 Security-Srv 10.10.10 10.0/24 Inside Perimeter . All rights reserved.30.nist.10.200.150. All rights reserved. Inc.0.1 .16.50 as the zombie host.20.50.10 BRKCRT-1104 14381_04_2008_c1 Global Knowledge: Cisco Security Remote Labs Cisco Public © 2008 Cisco Systems. Inc.1.50.0/30 time.1.16.1 10.2 (3) .20.1.20.200.1.Demonstration Topology Perimeter Router 150.1 10.30. Cisco Systems.15 NAT: 200.30.10.10 2K3 Data-Srv 10.10.1 DMZ Subnet 172.1 IOS-FW .10.0/24 (15) BT2 BackTrack2 (location & IP Varies) (7) XP Admin-PC 10.20 XP Site2-PC 10.50.1 10.200.com .50 BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All of the scan activity appears to be coming from 50.0/24 Data Center Subnet (5) .1.10.0/24 End User Subnet Site1-PC 10.1 DMZ-Srv 172.50.1. Inc.2 .2 L3-Switch .sru.0/24 10.0/24 (11) INTERNET 200.0/24 .10 XP User-PC 10.1.1.30.outside.244.gov 192.net .10.1.0/24 Outside-PC 150.2 200. Cisco Public 18 © 2006.2 50. All rights reserved.20.50.20 pc.30.50 www.2.2.1 2K3 (16) 50.50.10.scr 9 .1 Management Subnet(6) 10.10.10 .15 www.com Services-R-Us 2K .

C.1.B. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.1. Inc.1.2 ? MAC for 10.C.1.1.B.1 bound to C.C 10.A.20 and it’s default gateway.A 2. Cisco Systems.1. All rights reserved.C. All rights reserved.A.1.C.1 MAC B.1. Legitimate ARP reply 10.B.B.C.1.C C Attacker ARP Table in Host C 10. Cisco Public 20 © 2006.B.2 MAC A.1.2 = MAC C.B.1.1.1.C IP 10.1.B A A C B IP 10.1.Man-in-the-Middle Attacks Example: ARP Cache Poisoning 1.1 = MAC B.1 IP 10.A 19 Demo: ARP Cache Poison Using Cain Cain is a MITM between 10. Presentation_ID.A.1 = MAC C.1.1.2 = MAC A.C ARP Table in Host B 10.1.C.1.B A = host A B = host B C = host C BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.10.1.3 MAC C. All rights reserved. Inc.C. IP 10.C.C.C. Subsequent gratuitous ARP replies overwrite legitimate replies 10.1.A. It has captured 2 FTP credential sets (displayed) as well as 4 Telnet credential sets.1.2 bound to C.10.scr 10 .1 = MAC B.B B ARP Table in Host A 10.C 3.1. Cisco Public 10.1. Inc.

Inc. Inc. All rights reserved.scr 11 . All rights reserved.org BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.How Difficult Is It to Obtain Tools? www. All rights reserved. Cisco Public 22 © 2006.remote-exploit. Presentation_ID.org www. Inc.sectools. Cisco Systems. Cisco Public 21 Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

Operations. Presentation_ID.Network Security Is a System Firewall + AV ≠ Network Security Network security is not something you can just buy Technology will assist Policy. technologies. and best practices that work in complementary ways to provide security to information assets BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc.scr 12 . Cisco Systems. All rights reserved. All rights reserved. All rights reserved. Inc. Cisco Public 23 Secure Network Lifecycle Initiation Disposition Acquisition and Development Operations and Maintenance Security Policy Implementation BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. and Design are more important Network security system: A collection of network-connected devices. Inc. Cisco Public 24 © 2006.

Presentation_ID.scr 13 . Guidelines. All rights reserved.gov/publications/PubsSPs. Compliance Audit BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.gov/snac/ Cisco Security Design Guides: http://www.nist. Inc.org/resources/policies/ NSA Security Configuration Guides: http://www. Monitor and maintenance. Cisco Public 26 © 2006. Inc. All rights reserved.com/go/safe NIST Computer Security Division Publications: http://csrc. All rights reserved.org/wiki/Security_policy (follow the See Also links) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.wikipedia.nsa. Inc. Cisco Public 25 Reading List SANS Security Policy Project: http://www. Standards Security System Industry Best Practices Security Operations Incident Response.sans. Cisco Systems.Security Policy Business Needs Risk Analysis Security Policy Policies.cisco.html SP800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems SP800-27a: Engineering Principles for Information Technology Security Wikipedia Security Policy: http://en.

Inc. Origin Authentication Data Integrity BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved.scr 14 . Inc. All rights reserved. encryption. Cisco Public 27 Cryptography: What and Why What: Cryptography: From the greek kryptó (hidden) and gráfo (to write) Cryptology: From the Greek kryptó (hidden) and legein (to speak) Why: Confidentiality.Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 28 © 2006. Inc. All rights reserved. Presentation_ID. privacy. Cisco Systems.

Cisco Public 30 © 2006.What Is a Hash Function? Basic requirements for a cryptographic hash function: The input can be any length The output has a fixed length H(x) is relatively easy to compute for any given x H(x) is one-way and not reversible H(x) is collision-free Examples: MD5–128 bit output SHA1–160 bit output BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Inc. Inc. All rights reserved. Cisco Public 29 Hash Example: Update Verification Uses the Concept of a Keyed Hash Sender Variable-length input message Update Message Time is X 1 Shared secret key Receiver Received message Shared secret key Update Message Time is X Hash function Hash function Update Message Time is X 4ehIDx67NMop9 4ehIDx67NMop9 2 4ehIDx67NMop9 Message + hash BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. All rights reserved. Cisco Systems. Presentation_ID.scr 15 .

Presentation_ID. All rights reserved. but it found “san-fran” was a match for this enable secret hash BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.5 million words. All rights reserved. All rights reserved. Inc. Cisco Public 32 © 2006. Inc. Cisco Systems.5 million words. Inc.Hash Example: Enable Secret router(config)# enable secret password Hashes the password in the router configuration file Uses a strong hashing algorithm based on MD5 Boston(config)# enable secret Curium2006 Boston# show running-config ! Salt Hash hostname Boston Phrase Value ! no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ ! BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.scr 16 . It took it a couple of minutes to go through the first 2. Cisco Public 31 Demo: Enable Secret Dictionary Attack Cain used it’s dictionary of 3.

Decrypt cisco plaintext Cisco Public 33 Symmetric vs. Asymmetric Encryption If the encryption keys used for both encryption and decryption are the same. all parties involved must have the same keys When the encryption key used to encrypt is different from the one used to decrypt. the keys are said to be asymmetrical. the keys are said to be symmetric.What Is Encryption? Encryption is the conversion of plain text into cipher text using a pre-determined algorithm Generally the cipher text is the same length as the plain text Often a key is used to generate a cipher text from an algorithm for a particular plain text cisco plaintext Encrypt !@$!& ciphertext !@$!& ciphertext BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. So. PKI uses asymmetric keys with the ‘public’ key used for encryption and ‘private’ key for decryption. The two keys are mathematically related but cannot be derived from each other BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. All rights reserved.scr 17 . Cisco Public 34 © 2006. Inc. Presentation_ID. Cisco Systems. All rights reserved. Inc.

Inc. To put that into perspective. Inc. specialized "DES Cracker" machines were built that could recover a DES key after a few hours. What is the chance that someone could use the "DES Cracker"like hardware to crack an AES key? In the late 1990s.htm 16. In other words. All rights reserved. the universe is believed to be less than 20 billion years old BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.gov/public_affairs/releases/aesq&a. then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. try 255 keys per second). RC2/4/5/6. by trying possible key values. Cisco Public 36 © 2006. Cisco Public 35 Anecdote on Key Length From AES Questions and Answers http://www.scr 18 . Presentation_ID. IDEA BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.nist. Inc..e.Symmetric Encryption Algorithms Sender and receiver must share a secret key Usual key length of 40-256 bits DES. Cisco Systems. the hardware could determine which key was used to encrypt a message Assuming that one could build a machine that could recover a DES key in a second (i. All rights reserved. All rights reserved. AES. 3DES.

Cisco Systems. DSA BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Inc. All rights reserved. All rights reserved. Cisco Public 37 Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.Asymmetric Encryption Algorithms Use Public/Private key pair: A private key is a key which is only known to the individual who owns it Public key is known to everyone but still belongs to a unique individual Data encrypted using my public key can only be decrypted using my private key (provides confidentiality) Data encrypted using my private key can only be decrypted using my public key (provides authenticity) Usual key length: 360 bit to 4096 bit RSA. Inc. Inc.scr 19 . Presentation_ID. Cisco Public 38 © 2006.

Accounting—Provides the method for collecting and sending security server information used for billing. All rights reserved. and reporting. auditing. Presentation_ID.scr 20 . Cisco Public 40 © 2006. Inc.What Is AAA ? AAA provides a method to control and configure these three independent security functions: Authentication—Provides the method of identifying users and who are allowed for access. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. It includes traditional username and password dialog and more secure methods (like CHAP and OTP) Authorization—Provides a method for controlling which services or devices the authenticated user has access to. Cisco Systems. All rights reserved. Inc. All rights reserved. Inc. Cisco Public 39 Implementing AAA Using the Local Database: Usernames defined in the configuration Privilege levels defined in the configuration Role-Based CLI defined in the configuration Using an AAA Server: RADIUS —Remote Authentication Dial In User Service TACACS+—Terminal Access Controller Access Control System BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

All rights reserved. but declined TACACS+ offers multiprotocol support. submitted to IETF. Requires use of privilege levels or CLI View RADIUS is recommended as the protocol suitable for controlling the access of users/employees to the network. TACACS+ RADIUS RADIUS uses UDP RADIUS encrypts only the password in the access-request packet RADIUS combines authentication and authorization.RADIUS vs. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc.1) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.scr 21 . Cisco Systems. All rights reserved. NetBIOS Frame Protocol Control protocol. Inc. TACACS+ provides authorization control of router commands TACACS+ is recommended as the protocol suitable for controlling administrative access by IT staff to Cisco devices themselves. which separates authentication.25 PAD connections RADIUS does not allow users to control which commands can be executed on a router. accounting is separate RADIUS is the industry standard (created by Livingston) RADIUS does not support ARA access. Cisco Public 42 © 2006. NASI and X. Inc. more secure TACACS+ uses the AAA architecture. All rights reserved. authorization and accounting Cisco developed. Cisco Public TACACS+ TACACS+ uses TCP TACACS+ encrypts the entire body of the packet. 41 Cisco Secure ACS TACACS+ RADIUS AAA Client (Network Access Server) Local or Variety of External Databases Cisco Secure ACS for Windows (IINS class uses ACS v4. Presentation_ID.

Cisco Public 44 © 2006. All rights reserved. Cisco Public 43 AAA Adding TACACS+ Server Using SDM BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Cisco Systems. Inc. Inc.11 key Secretf0rAcs ! line vty 0 4 login authentication TACACS_ONLY BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.AAA Router CLI Config Example aaa ! aaa aaa aaa aaa aaa aaa aaa new-model authentication login default group tacacs+ local authentication login TACACS_ONLY group tacacs+ authorization exec default group tacacs+ local authorization commands 1 default group tacacs+ local authorization commands 15 default group tacacs+ local accounting exec start-stop tacacs+ accounting network start-stop tacacs+ ! tacacs-server host 10. Inc. All rights reserved.scr 22 .0.1. Presentation_ID.

Cisco Systems.scr 23 . Presentation_ID. All rights reserved. Inc. Cisco Public 46 © 2006. Inc. Inc. All rights reserved.AAA Login Authentication Method List BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 45 AAA ACS—Adding the AAA Client (Router) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved.

Cisco Public 48 © 2006. only deny the show running-config command. All rights reserved. Inc. Inc. Cisco Public 47 Cisco IOS Command Authorization Using ACS Example Permitting the group to execute any router's commands except the show running-config command: Any IOS commands not matching the show command will be permitted AND Within the show command. Cisco Systems.scr 24 . All rights reserved.AAA ACS—Groups and Users BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. all other show command's arguments are permitted Group Setup router(config)#aaa authorization exec default group tacacs+ BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. Presentation_ID. All rights reserved.

Presentation_ID.scr 25 . Inc. All rights reserved. Cisco Public 50 © 2006. Inc. bulk encryption encryption. IOS-FW#debug snmp packet SNMP packet debugging is on IOS-FW#undebug all All possible debugging has been turned off IOS-FW# BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.Demo: AAA Using CSACS Authentication: Username and password required for login. Username: netop Password: IOS-FW>en Password: IOS-FW#debug ip packet Command authorization failed. Inc. HMAC Uses Diffie-Hellman key exchange Knowledge of the server’s public key is required for Origin Authentication BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Authorization: Specific command sets are assigned to different user groups. All rights reserved. Accounting: Commands entered by adminstrators are tracked. % Incomplete command. Cisco Systems. Authentication and Connection Protocols Strong HMAC Negotiates algorithms for PKI. All rights reserved. Cisco Public 49 Secure Remote Administrative Access: SSH—The Secure Shell Protocol SSH v1 Architecture Integrity Check Security Negotiation Session Key One Monlithic Protocol Weak CRC-32 Only negotiates bulk cipher Uses server’s public key to protect session key provided by client SSH v2 Separate Transport.

991: SSH3: starting SSH control process *Apr 4 02:45:30.707: SSH3: starting shell for vty BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 52 © 2006.991: SSH3: sent protocol version id SSH-1.695: SSH3: SSH_CMSG_AUTH_PASSWORD message received *Apr 4 02:45:52. Cisco Public 51 Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.119: SSH3: authentication request for userid admin *Apr 4 02:45:35.211: SSH3: keys exchanged and encryption on *Apr 4 02:45:35.707: SSH3: SSH_CMSG_EXEC_SHELL message received *Apr 4 02:45:52.019: SSH: RSA decrypt started *Apr 4 02:45:31. Inc.5-PuTTY_Release_0.703: SSH3: authentication successful for admin *Apr 4 02:45:52.requested: length 24.143: SSH: RSA decrypt finished *Apr 4 02:45:31.015: SSH3: SSH_SMSG_PUBLIC_KEY msg *Apr 4 02:45:31.019: SSH3: SSH_CMSG_SESSION_KEY msg .Demo: SSH IOS-FW#debug ip ssh Incoming SSH debugging is on IOS-FW# *Apr 4 02:45:30. Inc. Inc. All rights reserved. All rights reserved. width 80.127: SSH3: SSH_SMSG_FAILURE message sent *Apr 4 02:45:47.207: SSH: RSA decrypt finished *Apr 4 02:45:31. All rights reserved. Presentation_ID.703: SSH3: setting TTY .119: SSH3: SSH_CMSG_USER message received *Apr 4 02:45:35.58 *Apr 4 02:45:31. type 0x03 *Apr 4 02:45:31.SSH-1.211: SSH3: sending encryption confirmation *Apr 4 02:45:31. width 80 *Apr 4 02:45:52.011: SSH3: protocol version id is .scr 26 . Cisco Systems.99-Cisco-1. set: length 24.143: SSH: RSA decrypt started *Apr 4 02:45:31.703: SSH3: requesting TTY *Apr 4 02:45:52.length 144.25 *Apr 4 02:45:31.

Inc. Inc. ports. Cisco Public 54 © 2006.What Is a Firewall? A firewall is a system or group of systems that enforce an access control policy between two networks Three basic classes of firewalls include: Packet Filters Proxy Servers Stateful Firewalls Good Traffic Bad Traffic BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 53 Packet Filtering Packet filtering limits packets into a network based on the destination and source addresses. Presentation_ID. Cisco Systems. Inc. and other flags compiled in an ACL BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved.scr 27 . All rights reserved. All rights reserved.

0.gov access-list 100 permit udp host 192.0.168.0.0.0.255 echo-reply access-list 100 remark Allow FTP data channels requested from inside access-list 100 permit tcp any eq ftp-data 200.15.255 access-list 100 remark Allow NTP replies to return from time.200.15 eq www access-list 100 remark Allow echo replies to return access-list 100 permit icmp any 200.nist. Cisco Public 56 © 2006.255 any log access-list 100 deny ip 192. Inc.255.16.1.255.43.0 0.0 0.255 any log access-list 100 deny ip 172.scr 28 .0 0.18 eq ntp any access-list 100 remark deny and log all else access-list 100 deny ip any any log BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Systems.Packet Filter Limitations They Must Examine Packets in Isolation: access-list 100 remark The following denies RFC 1918 addresses access-list 100 deny ip 10.255 established access-list 100 remark permit DMZ server access access-list 100 permit tcp any host 200.255.255 any log access-list 100 remark The following permits existing TCP connections access-list 100 permit tcp any 200.0. All rights reserved. Inc.0.244.1.0 0.15 eq ftp access-list 100 permit tcp any host 200.200. with no knowledge of previous flow Is the reply really in response to an echo? Was this really requested in a valid FTP control channel? Might someone spoof time. All rights reserved.0 0.gov’s IP address? 55 Application Layer Gateway or Proxy Server BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.1. Cisco Public Checks for ACK or RST.200.0 0.0.200.1. All rights reserved. Presentation_ID.0.nist.255.0.1.0. Inc.200.

Inc. Port 3575 State Table Inbound ACL S0 Port 80 internet inside 10.scr 29 .How Classic Stateful Firewall Works 1. Cisco Systems. Sessions in the state table are permitted bidirectionally.1. Attacker BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. 3.1 VoIP applications. Inc. Cisco Public 57 Application Inspection Firewalls Have features of a stateful firewall Work with NAT Monitor sessions to determine port numbers for secondary channels Engage in deep packet inspection and filtering for some protocols. All rights reserved. a state table entry is created.168.1.12/24 Fa0/0 outside Inside user initiates a HTTP session to the Internet. as long as the rules of the session protocol are obeyed. 2. All rights reserved. SQL-Net and 192. Examples include FTP. All rights reserved. Inc.0. For example: SMTP commands HTTP commands and tunnels FTP commands Have the following advantages: Are aware of Layer 4 and Layer 5 states Check the conformity of application commands on Layer 5 Can check and affect Layer 7 Can prevent more types of attacks than stateful firewalls BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 58 © 2006. Valid dynamic connections that are negotiated in an authorized control channel are also allowed. ACLs specify policy for new sessions. If the ACLs permit the first packet in the session. Presentation_ID. 4.

not interfaces A zone is a collection of interfaces BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Systems. Inc. Inc. Cisco Public 59 Security Zone Pairs not in any security zones E2 S4 E0 Self-Zone Zone Z1 Zone Z2 S3 E1 Security Zone Pair Source = Z1 Destination = Z2 BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Presentation_ID.scr 30 . Inc. Cisco Public 60 © 2006.Zone-Based Policy Firewall Private-DMZ Requests DMZ Trusted Public-DMZ Requests Untrusted Internet Default DENY ALL Zone-Based Policy introduces a new firewall configuration model Policies are applied to traffic moving between zones. All rights reserved. All rights reserved.

and traffic to any interface on the router If two interfaces are not in zones. traffic will not flow between the interfaces until a policy is defined to allow that traffic All of the IP interfaces on the router are automatically made part of the “self” zone when zone-based policy firewall is configured By default. Inc. All rights reserved. Associate class-maps with policy-maps to define actions applied to specific policies 6. traffic cannot flow between them If two interfaces are in two different zones.scr 31 . Assign policy-maps to zone-pairs BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 61 Configure a ZBP Firewall 1. Presentation_ID. All rights reserved. Set up zone pairs for any policy other than deny all 4. and another interface is not in a zone. Inc. except traffic to or from other interfaces in the same zone. Cisco Systems.Zone Rules Summary An interface can be assigned to only one security zone All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone. Determine the required traffic flow between zones in both directions 3. traffic flows freely between them If one interface is in a zone. Define class-maps to describe traffic between zones 5. All rights reserved. Cisco Public 62 © 2006. Identify interfaces with similar policy requirements and group them into security zones 2. traffic to and from the router itself is permitted BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc.

Apply policy-map to zone pair (used to activate the inspection policy) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 64 © 2006.Security Zone Firewall Configuration CPL–Cisco Policy Language (CPL) Class-Map (used to select traffic for inspection policies) Policy-Map (used to apply policy to traffic class) (e. Cisco Public 63 ZBP Policy Actions Inspect Monitor outbound traffic according to permit/deny policy Anticipate return traffic according to session table entries Drop Analogous to deny Pass Analogous to permit No stateful capability BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.scr 32 . Inc. All rights reserved. Presentation_ID. Inc.g. Inc. All rights reserved. Cisco Systems. inspect/pass/drop policy) Service-Policy . All rights reserved.

Inc. All rights reserved. Inc. Cisco Systems.SDM Zone Based Firewall Wizard BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 65 Zone-Based Policy Firewall Configuration Example class-map type inspect match-any myprotocols match protocol http match protocol smtp match protocol dns ! policy-map type inspect myfwpolicy class type inspect myprotocols inspect ! zone security private zone security public ! interface fastethernet 0/0 zone-member security private ! interface fastethernet 0/1 zone-member security public ! zone-pair security priv-to-pub source private destination public service-policy type inspect myfwpolicy ! Define the list of services in the firewall policy Apply action (inspect = stateful inspection) Configure Zones Assign Interfaces to Zones Apply inspection from private to public zones BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.scr 33 . All rights reserved. Cisco Public 66 © 2006. Inc. Presentation_ID. All rights reserved.

All rights reserved. All rights reserved. Cisco Public 67 Demo–Packet Filter and Zone Based Firewall 2) Packet Filter permitting all TCP established packets and ICMP echo to 200. including dynamic NAT systems BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. Cisco Public 68 © 2006. Inc.1. Cisco Systems. All rights reserved.Demo–Packet Filter and Zone Based Firewall 1) No Access-Control: A simple ping sweep using ICMP Echo finds everything.200.scr 34 .15: Simple ping sweep using ICMP Echo only finds 200. Inc.200.1.15 BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Presentation_ID.

Inc.5) Packet Filter permitting TCP established and ICMP echo to 200. a “ping” sweep using TCP ACKs still finds everything! BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 69 Demo–Packet Filter and Zone Based Firewall 3) Turn on Stateful Firewalling: TCP ACK ping can no longer find hosts behind firewall BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved.200. Cisco Public 70 © 2006. Presentation_ID.15: But. Inc.1. All rights reserved.Demo–Packet Filter and Zone Based Firewall 2. Cisco Systems. Inc.scr 35 . All rights reserved.

Cisco Public 71 The Problem Site A Internet Site B The hosts on the Site A and Site B networks use legacy. All rights reserved. Inc. Inc. Presentation_ID.Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. so you need the routers to use VPN technology to protect data transmitted between the sites © 2008 Cisco Systems. insecure protocols such as SMTP. All rights reserved. All rights reserved. POP. Inc.scr 36 . HTTP and Telnet This is OK for intra-site communications on the protected internal networks It is not acceptable across the Internet Changing the protocols used by the hosts is not an option. Cisco Public BRKCRT-1104 14381_04_2008_c1 72 © 2006. Cisco Systems.

IPSec Protocol Architecture IPSec Uses IKE for Key Maintenance and ESP and/or AH for Protection of Data Internet Key Exchange (IKE) provides a mechanism to derive keying material and negotiate security associations Encapsulating Security Payload (ESP) provides Confidentiality. All rights reserved. Presentation_ID. Cisco Public 74 © 2006. SKEME Defines the mechanism to derive authenticated keying material and negotiate security associations (used for AH. Inc. Cisco Systems. Data Integrity and Origin Authentication AH provides Data Integrity and Origin Authentication BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 73 Break Down of IPSec: IKE Hybrid protocol: ISAKMP. All rights reserved. Oakley Key exchange. All rights reserved. Inc.scr 37 .DH) Authenticates both sides Manages keys after exchange BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. ESP) Uses UDP port 500 Defined in RFC 2409 Internet Key Exchange protocol Negotiates protocol parameters Exchanges public keys (Diffie Hellman . Inc.

Inc. requires prior knowledge of peer’s public key. requires PKI. All rights reserved. limited support on Cisco hardware ISR(config)# crypto isakmp policy 1001 ISR(config-isakmp)# authentication ? pre-share Pre-Shared Key rsa-encr Rivest-Shamir-Adleman Encryption rsa-sig Rivest-Shamir-Adleman Signature BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Presentation_ID. All rights reserved. Inc. Inc. authenticated channel for IKE communications Main mode or aggressive mode accomplishes a phase 1 exchange Phase 2 exchange: security associations are negotiated on behalf of IPSec services. All rights reserved. Quick mode accomplishes a phase II exchange Each phase has its SAs: ISAKMP SA (Phase 1) and IPSec SA (Phase 2) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Public-key encryption (rsa-nonce) Similar security to rsa-sig. Security Associations ISAKMP SA Site A Internet IPSec SA IPSec SA Site B Two-Phase protocol: Phase 1 exchange: two peers establish a secure.scr 38 . Cisco Public 76 © 2006. Cisco Public 75 IKE Authentication Methods Pre-shared key Easy to deploy.IKE Phases. Cisco Systems. not scalable Public-key signatures (rsa-signature) Most secure.

YA Private Value.scr 39 . Inc.DH Exchange Alice Private Value. Cisco Systems. Inc. Cisco Public Data integrity (does not cover ip header) HMAC-MD5 HMAC-SHA Only the IKE authenticated peer can use the negotiated keys Sequence no. Inc. YB Bob YA =g XA mod p YA YB YB = g XB mod p YB mod p = zz (Alice calculated) XA XB XA YA XB mod p = zz (Bob calculated) zz = shared secret = g BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Cisco Public mod p 77 Encapsulating Security Payload (ESP) Data confidentiality Data origin authentication Anti-replay detection Use IP protocol 50 Defined in RFC 2406 ISR(config)#crypto ipsec transform-set test ? ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform comp-lzs IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-seal ESP transform using SEAL cipher (160 bits) esp-sha-hmac ESP transform using HMAC-SHA auth © 2008 Cisco Systems. XA Public Value. & Sliding window DES 3DES AES SEAL BRKCRT-1104 14381_04_2008_c1 78 © 2006. All rights reserved. Presentation_ID. All rights reserved. XB Public Value.

scr 40 . 2. Cisco Systems. The IPsec tunnel is terminated. IKE Phase 2 IPSec SA Information is exchanged via IPsec tunnel. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. IPSec SA 4. Inc. All rights reserved.3 10.3 1.2.1.ESP tunnel mode Original IP datagram IP header IP payload New IP header IP datagram with ESP Tunnel ESP header Original IP header IP payload encrypted Integrity checked ESP transport mode Original IP datagram IP header IP payload IP header IP datagram with ESP Transport ESP header IP payload encrypted Integrity checked BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.1. Inc. IKE Phase 1 IKE SA Routers A and B negotiate an IKE Phase 2 session. Inc.2. All rights reserved. Cisco Public 79 Site-to-Site IPSec VPN Host A RouterA RouterB Host B 10. Cisco Public 80 © 2006. Presentation_ID. Routers A and B negotiate an IKE Phase 1 session. IKE SA 3. All rights reserved. IPSec Tunnel 5. Host A sends interesting traffic to Host B.

4. Cisco Public 81 Introducing the Cisco SDM VPN Wizard Interface 1 3 2 Wizards for IPsec Solutions Individual IPsec Components 4 5 1. Cisco Public © 2008 Cisco Systems. 5.Site-to-Site IPSec Configuration Step 1: Ensure that access lists are compatible with IPSec Step 2: ISAKMP (IKE) policy Step 3: IPSec transform set Step 4: Cryptographic access list Step 5: Create and apply the cryptographic map BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. 82 © 2006. 2. Choose the desired VPN wizard (VPN type). Choose the VPN implementation subtype. Presentation_ID. Inc. BRKCRT-1104 14381_04_2008_c1 Enter the configuration page. All rights reserved.scr 41 . Choose the VPN page. All rights reserved. 3. Start the wizard. Cisco Systems. All rights reserved. Inc. Inc.

0 0.30.0.0.0.0.0 0.255 10.0.0. Cisco Public 84 © 2006.30.0 Site 2 Internet 10. Inc.scr 42 .6.12 R1# show running -config B 172.1. Cisco Public 83 IPSec Configuration Example Site 1 10.2 255.30.0 0.1. Inc.255.12 R6# show running -config crypto isakmp policy 110 encr 3des hash md5 authentication pre -share group 2 lifetime 36000 crypto isakmp key cisco1234 address 172.2 ! crypto ipsec transform -set SNRS esp -des ! crypto map SNRS -MAP 10 ipsec -isakmp set peer 172.1.0.2 172.0. All rights reserved.6. Inc.2 10.0.1.2 set transform -set SNRS match address 101 ! interface Ethernet 0/1 ip address 172.30.2 set transform -set SNRS match address 101 ! interface Ethernet 0/1 ip address 172.6.0.0.0.30.255.1.30.0.0. All rights reserved.0 crypto map SNRS -MAP ! access-list 102 permit ip 10.30.6.255 BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.1.2 ! crypto ipsec transform -set SNRS esp -des ! crypto map SNRS -MAP 10 ipsec -isakmp set peer 172.255.0 crypto map SNRS -MAP ! access-list 102 permit ip 10.6.0 0. Cisco Systems.6.0.255.0 R1 A R6 10.2 255. Presentation_ID.1.6. All rights reserved.1.0.30.Quick Setup Configure all parameters on one page BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.6.255 crypto isakmp policy 110 encr 3des hash md5 authentication pre -share group 2 lifetime 36000 crypto isakmp key cisco1234 address 172.255 10.

All rights reserved. All rights reserved. Inc. Cisco Public 85 Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.Some More Advanced VPN Technologies Public Key Infrastructure (PKI) and Digital Certificates Remote Access VPN Web VPN Dynamic Multipoint VPN (DMVPN) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. Presentation_ID. All rights reserved. Inc. Cisco Public 86 © 2006. Cisco Systems.scr 43 .

All rights reserved. All rights reserved. IPS IDS (promiscuous mode) Analyzes copies of the traffic stream Does not slow network traffic because it is not inline Allows some malicious traffic in since it can’t stop attacks inline IPS (inline mode) Works inline in real time to monitor network traffic and content Needs to be able to handle the network traffic inline Prevents malicious traffic entering the network.IPS Deployment Options Promiscuous Sensor CSA MC CS MARS IOS Firewall with IOS IPS Agent Agent Agent Untrusted Network Inline Sensor Agent Agent Agent Agent SMTP Server Agent Agent Web Server DNS Server BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. since it is inline.scr 44 . All rights reserved. Presentation_ID. Inc. Inc. Inc. Cisco Systems. Cisco Public 88 © 2006. it can stop the trigger packet BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 87 IDS vs.

Cisco Public 89 Support for SDEE and Syslog Network Management Console Alarm SDEE Protocol Alarm Syslog Syslog Server BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Cisco Systems. Inc. Cisco Public 90 © 2006. Inc. Inc. All rights reserved. Presentation_ID. All rights reserved.scr 45 .IPS Attach Responses Deny attacker inline Deny connection inline Deny packet inline Log attacker packets Log pair packets Log victim packets Produce alert Produce verbose alert Request block connection Request block host Request SNMP trap Reset TCP connection BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

Inc.Signature Micro-Engines Cisco IPS relies on signature micro-engines to support IPS signatures All the signatures in a signature micro-engine are scanned in parallel Each signature micro-engine does the following: Categorizes a group of signatures (and each signature detects patterns of misuse in network traffic) Is customized for the protocol and fields it is designed to inspect Defines a set of legal parameters that have allowable rangers or sets of values Uses router memory to compile. Inc. Presentation_ID.cisco. and merge signatures BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 92 © 2006. All rights reserved.scr 46 . Inc. load. Cisco Systems. Cisco Public 91 Cisco IOS IPS Deployment Steps Step 1: Latest Cisco IPS signature package http://www. All rights reserved.com/cgi-bin/tablebuild.4 to customize your signature list: Select additional signatures as desired Delete signatures not relevant to the applications you’re running Tune actions of individual signatures (e. All rights reserved. add “drop” action) as desired Test your custom signature set in a lab setting before actual deployment BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.pl/ios-v5sigup This package contains a digitally signed signature file that includes all the signatures for entire Cisco IPS product line Step 2: Select one of the two recommended signature categories (list of signatures): IOS-Basic or IOS-Advanced Step 3: Use IOS CLI or SDM 2.g..

Cisco Systems. Inc. All rights reserved.scr 47 . Cisco Public 94 © 2006. Cisco Public 93 IPS Policies Wizard (Cont. Presentation_ID. Inc. All rights reserved.IPS Policies Wizard BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved.) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc.

Inc. Cisco Public Signature Event Actions 96 © 2006. Cisco Systems. All rights reserved. All rights reserved. Inc.Configuring Signatures Using Cisco SDM BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.) Signature Alarm Severity BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Presentation_ID. Inc.scr 48 . All rights reserved. Cisco Public 95 Configuring Signatures Using Cisco SDM (Cont.

Configuring Global Settings

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

97

Configuring Auto Update

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

98

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

49

Demo–Cisco IOS IPS in Action
Deobfuscation: The sensor decodes the URL as an HTTP daemon would. %6F represents the ASCII code for “o” in Hex. The sensor determines that R%6F%6FT.eXe is really an attempt to access root.exe.

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

99

Demo–Cisco IOS IPS in Action
Metasploit successfully exploits a buffer overflow vulnerability to get a shell prompt on the remote server
msf 3com_3cdaemon_ftp_overflow(win32_reverse) > exploit [*] Starting Reverse Handler. [*] Attempting to exploit Windows 2000 English [*] Got connection from 150.150.1.20:4321 <-> 200.200.1.15:1573 Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\Program Files\3Com\3CDaemon>

With IOS IPS enabled, the router detects a suspiciously long user name field in the FTP control stream. The shell connection is not successful, and the event is logged.
msf [*] [*] [*] msf 3com_3cdaemon_ftp_overflow(win32_reverse) > exploit Starting Reverse Handler. Attempting to exploit Windows 2000 English Exiting Reverse Handler. 3com_3cdaemon_ftp_overflow(win32_reverse) >

BRKCRT-1104 14381_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

100

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

50

Agenda
Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key
BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

101

Why Be Concerned?
If one layer is hacked, communications are compromised without the other layers being aware of the problem. Security is only as strong as your weakest link. When it comes to networking, Layer 2 can be a very weak link.
Application Presentation Session Transport Network Data Link Physical
BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Application Stream

Application Presentation Session

Compromised

Protocols and Ports IP Addresses Initial Compromise MAC Addresses Physical Links

Transport Network Data Link Physical
102

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

51

Cisco Public 104 © 2006. Cisco Public 103 Port Security Configuration Switch(config-if)# switchport mode access switchport port-security switchport port-security maximum value switchport port-security violation {protect | restrict | shutdown} switchport port-security mac-address mac-address switchport port-security mac-address sticky switchport port-security aging {static | time time | type {absolute | inactivity}} BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. Inc. All rights reserved. Inc. All rights reserved.MAC Address Concerns Unauthorized MAC addresses MAC Address Spoofing Bridge Table Overflow Attacks MAC A Desired behavior: 0/1 0/2 0/3 MAC A MACs 1-1. Presentation_ID. All rights reserved.000.scr 52 . Cisco Systems.000 Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C MAC F Attacker 1 BRKCRT-1104 14381_04_2008_c1 Attacker 2 © 2008 Cisco Systems.

Inc.STP Manipulation Root Bridge Priority = 8192 MAC Address= 0000. All rights reserved. Presentation_ID.00C0.scr U PD 0 PB = ST iority Pr Attacker Root Bridge © 2008 Cisco Systems. All rights reserved. Cisco Public 105 F F F F F B BPDU Guard Enabled Attacker STP BPDU Globally enables BPDU guard on all ports which have portfast enabled © 2008 Cisco Systems. Cisco Systems. Inc. All rights reserved. Cisco Public 106 53 .1234 F F F F F B F F ST Pr P BP ior ity DU =0 F B F F BRKCRT-1104 14381_04_2008_c1 BPDU Guard Root Bridge Switch(config)# spanning-tree portfast bpduguard default BRKCRT-1104 14381_04_2008_c1 © 2006. Inc.

Inc. Inc.scr 54 . Cisco Public 107 VLAN Hopping by Rogue Trunk 802.1234 spanning-tree guard root Enables root guard on a per-interface basis BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Systems. Inc. All rights reserved. All rights reserved. Cisco Public 108 © 2006. All rights reserved. Presentation_ID.1Q Trunk VLAN 20 VLAN 10 k un Tr Q 2.1 80 Server Attacker sees traffic destined for servers Server BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.0c45.0c45.Root Guard Root Bridge Priority = 0 MAC Address = 0000.1a5d F F F F Root Guard Enabled F F B Attacker Switch(config-if)# STP BPDU Priority = 0 MAC Address = 0000.

1Q. Cisco Systems. Inc. Frame 3 Fra m e Trunk (Native VLAN = 10) 4 Note: This attack works only if the trunk has the same native VLAN as the attacker. The attacker sends double-encapsulated 802.8 02 . All rights reserved. Cisco Public 109 Mitigating VLAN Hopping Network Attacks Example 1: If no trunking is required on an interface Switch(config-if)# switchport mode access Configures port as an access port. Victim (VLAN 20) Note: There is no way to execute these attacks unless the switch is misconfigured. Cisco Public 110 © 2006. 1Q . Only unidirectional traffic is passed. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.scr 55 .10 2.VLAN Hopping by Double Tagging 1 20 80 . Presentation_ID. The switch performs only one level of decapsulation. All rights reserved.1 Q The first switch strips off the first tag and sends it back out. Inc. All rights reserved. Example 2: If trunking is required Switch(config-if)# switchport mode trunk Switch(config-if)# switchport nonegotiate Enables trunking but prevents DTP frames from being generated. Inc.1Q frames. Attacker on VLAN 10 2 20 802. The attack works even if the trunk ports are set to “off”. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. This disables trunking on the interface. Switch(config-if)# switchport trunk native vlan vlan_number Sets the native VLAN on the trunk to an unused VLAN.

1 = MAC C.1.1.A.C. Inc.1.C.ARP Spoofing: Man-in-the-Middle Attacks 1. Cisco Public 10.1. layer 2 frames are only allowed between a pair of non-protected ports or a protected port and a non-protected port.1 IP 10. All rights reserved.C C Attacker ARP Table in Host C 10.1.1 = MAC B. Subsequent gratuitous ARP replies overwrite legitimate replies 10.1.B.1.1.1.A 111 Private VLAN Edge Within a VLAN. one per line. Presentation_ID.2 = MAC A.scr 56 .C.2 bound to C.A.1.1 MAC B.C IP 10.2 ? MAC for 10.A 2.B.1.1 bound to C. Legitimate ARP reply 10.C.C ARP Table in Host B 10.1. Cisco Systems.B.C.1.1.B. L3-Sw(config)#interface range fa0/2 .1.3 MAC C.2 MAC A.4 L3-Sw(config-if-range)#switchport protected L3-Sw(config-if-range)#end BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.1.B.C.C.B A A C B IP 10. Inc.1.1. All rights reserved. All rights reserved.C. IP 10. Inc.1 = MAC B.C.1.1. End with CNTL/Z. Frames are not allowed between a pair of protected ports. L3-Sw#config t Enter configuration commands.A.C 3.1.2 = MAC C. Cisco Public 112 © 2006.1.1.1.B A = host A B = host B C = host C BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.B.B B ARP Table in Host A 10.A.C 10.C.

Cisco Public 114 © 2006. Inc. All rights reserved. Cisco Systems.scr 57 . Inc. Inc. DHCP Snooping Dynamic ARP Inspection BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Presentation_ID. Cisco Public 113 Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved.Some More Advanced Layer 2 Security Technologies Full-fledged Private VLANs–uses the concept of promiscuous ports and isolated ports and adds the concept of community ports. All rights reserved.

Presentation_ID.scr 58 . Inc.) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Systems. All rights reserved. Inc. Cisco Public 116 © 2006.Practice Exam Item 1—SDM-Based Item BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. All rights reserved. All rights reserved. Cisco Public 115 Practice Exam Item 1—(Cont.

Inc. All rights reserved. Cisco Public 117 Practice Exam Item 2—Theory Based Item Encrypting the plaintext using the private key and decrypting the ciphertext using the public key provides which functionality? A. Authenticity C.Practice Exam Item 1—(Cont. Inc.) Based on the zone base firewall SDM configuration windows shown. Confidentiality and Authenticity BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. All rights reserved. Presentation_ID. All traffic sourced from out-zone and destined to the in-zone will be inspected D.scr 59 . Cisco Public 118 © 2006. which statement is correct? A. Confidentiality B. All rights reserved. All traffic sourced from the in-zone destined to the out-zone to be denied (dropped) C. Integrity and Confidentiality D. Cisco Systems. The “sdm-inspect” policy applies to the bi-direction traffic flow between the in-zone and the out-zone B. The “sdm-inspect” policy classify traffic into four traffic classes (including class-default) BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

Inc.sdf D. Inc.0. BRKCRT-1104 14381_04_2008_c1 aaa authentication login default tacacs+ local aaa authentication login default local adding the “local’ option after “aaa authentication login name tacacs+” adding the “default’ option after “login authentication name” in the vty config mode © 2008 Cisco Systems. D. Cisco Public 120 © 2006. C. advanced C.1 tacacs-server key Secretf0rAcs ! line vty 0 5 login authentication name ! A.sdf BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.Practice Exam Item 3—CLI Configuration Item What additional configuration is required to enable the VTY users to be authenticated using the local database on the router if the ACS server is down? ! username admin privilege 15 secret harDt0CrackPw ! aaa new-model ! aaa authentication login name tacacs+ ! tacacs-server host 10. Inc. B. 128MB. All rights reserved. 256MB. Cisco Public 119 Practice Exam Item 4—Configuration Related Item What are the two IOS IPS signatures categories based on version 5. All rights reserved. Presentation_ID.scr 60 .x signatures? (Choose two) A. Cisco Systems. All rights reserved.1. basic B.

Pre-shared Key D. All rights reserved. Presentation_ID. ARP table BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. State table D. Inc. SHA BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. All rights reserved. Routing table C. All rights reserved. RSA signature C. Cisco Systems.scr 61 . Cisco Public 121 Practice Exam Item 6—Theory Based Item Stateful firewall uses which table to track the connection status? A. Forwarding table (CEF) E. ACL table B. Inc. Cisco Public 122 © 2006.Practice Exam Item 5—Theory Based Item Which IKE authentication method is the least scalable? A. AAA E. ACS B.

SHA B. which encryption method is used to provide data confidentiality? A. Inc. Cisco Public 124 © 2006. MAC address table C. Cisco Systems.Practice Exam Item 7—SDM Based Item Referring to the IPSec transform set configuration shown. All rights reserved. HMAC D. AES E. Inc. All rights reserved. DES C.scr 62 . Cisco Public 123 Practice Exam Item 8—Configuration Related Item When implementing Port Security on Cisco switches. All rights reserved. NVRAM BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. startup configuration D. ARP table B. ESP BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. the “sticky MAC address” option will save the secure MAC address to what location? A. running configuration E. Presentation_ID.

30.0. There are two active outbound sessions C.0.20 IP address Cisco Public © 2008 Cisco Systems. Last heard 00:00:00 ECHO request Bytes sent (initiator:responder) [98568:98568] Based on the show output shown.171. All rights reserved.255 aessha What is wrong regarding the partial S2S IPSec VPN configuration shown? A.10 and 172.30.30.2.1.16.151:23) telnet SIS_OPEN Created 00:01:32. Cisco Systems.26.1. Cisco Public 125 Practice Exam Item 10—Configuration Related Item aessha esp-sha-hmac 10.30.1:11009)=>(172. D.26. Host 172. Inc.30.151 is initiating the telnet session to host 10. E.0 0.0.2. Inc.255 20 10.172. C.1.1. Only telnet traffic will be inspected B.0.151:0) icmp SIS_OPEN Created 00:00:02.26.Practice Exam Item 9—Show Output Related Item ISR#sh policy-map type inspect zone-pair session Zone-pair: in-to-out Service-policy inspect : telnetpolicy Class-map: telnetclass (match-all) Match: protocol telnet Inspect Established Sessions Session 44C831D8 (10.0 0. B.1:8)=>(172.scr 63 .26.255.26.0.30. Presentation_ID.1 BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.0.0 0.0 0. All rights reserved.255 10.255 esp-sha-hmac 10. Last heard 00:00:16 Bytes sent (initiator:responder) [52:108] Class-map: class-default (match-any) Match: any Inspect Established Sessions Session 44C82C68 (10.26.0. Inc. which statement is correct? A.255. 126 © 2006. All rights reserved. BRKCRT-1104 14381_04_2008_c1 The transform-set name does not match between the peers The transform-set is missing the AH option The transform-set is missing the “mode tunnel” option The crypto acl is not a mirror image of the crypto acl on the other peer The crypto acl is not matching the 172.16.0. All non-telnet traffic will be dropped D.

Cisco Public 127 Practice Exam Item 1 Based on the zone base firewall SDM configuration windows shown. All rights reserved. The “sdm-inspect” policy classify traffic into four traffic classes (including class-default) Correct Answer: D BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Inc. All traffic sourced from out-zone and destined to the in-zone will be inspected D. Presentation_ID. The “sdm-inspect” policy applies to the bi-direction traffic flow between the in-zone and the out-zone B. which statement is correct? A.scr 64 . All rights reserved.Agenda Introduction Disclaimer Attack Methodologies Security Policy Cryptography Fundamentals Securing Administrative Access Firewall VPN IPS Layer 2 Security Sample Questions Answer Key BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 128 © 2006. Inc. All traffic sourced from the in-zone destined to the out-zone to be denied (dropped) C. Cisco Systems. All rights reserved. Inc.

Integrity and Confidentiality D. Inc. C. Cisco Public BRKCRT-1104 14381_04_2008_c1 130 © 2006. Authenticity C. Confidentiality B. Inc. All rights reserved.Practice Exam Item 2 Encrypting the plaintext using the private key and decrypting the ciphertext using the public key provides which functionality? A. aaa authentication login default tacacs+ local aaa authentication login default local adding the “local’ option after “aaa authentication login name tacacs+” adding the “default’ option after “login authentication name” in the vty config mode © 2008 Cisco Systems. Cisco Public 129 Practice Exam Item 3 What additional configuration is required to enable the VTY users to be authenticated using the local database on the router if the ACS server is down? ! username admin privilege 15 secret harDt0CrackPw ! aaa new-model ! aaa authentication login name tacacs+ ! tacacs-server host 10.0. All rights reserved.scr 65 . Cisco Systems. D. All rights reserved. B. Inc.1 tacacs-server key Secretf0rAcs ! line vty 0 5 login authentication name ! Correct Answer: C A.1. Presentation_ID. Confidentiality and Authenticity Correct Answer: B BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

Cisco Public 132 © 2006. Inc. Presentation_ID. All rights reserved. ACS B. Cisco Systems. Inc. 256MB.Practice Exam Item 4 What are the two IOS IPS signatures categories based on version 5. Inc. 128MB. Pre-shared Key D. basic B.x signatures? (Choose two) A. Cisco Public 131 Practice Exam Item 5 Which IKE authentication method is the least scalable? A. All rights reserved. All rights reserved. SHA Correct Answer: C BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.sdf D.scr 66 . advanced C. AAA E. RSA signature C.sdf Correct Answer: A and B BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.

Forwarding table (CEF) E. ESP BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. which encryption method is used to provide data confidentiality? A. Inc. HMAC D. Cisco Public Correct Answer: D 134 © 2006. Cisco Public 133 Practice Exam Item 7 Referring to the IPSec transform set configuration shown. AES E. Inc.scr 67 . All rights reserved. All rights reserved. Inc. SHA B. Routing table C. ARP table Correct Answer: C BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Presentation_ID.Practice Exam Item 6 Stateful firewall uses which table to track the connection status? A. State table D. ACL table B. All rights reserved. DES C. Cisco Systems.

Inc. startup configuration D. Inc.151:0) icmp SIS_OPEN Created 00:00:02. which statement is correct? A. Last heard 00:00:00 ECHO request Bytes sent (initiator:responder) [98568:98568] Based on the show output shown. NVRAM Correct Answer: D BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. the “sticky MAC address” option will save the secure MAC address to what location? A.26.151 is initiating the telnet session to host 10.26.26. Cisco Public 135 Practice Exam Item 9—Show Output Related Item ISR#sh policy-map type inspect zone-pair session Zone-pair: in-to-out Service-policy inspect : telnetpolicy Class-map: telnetclass (match-all) Match: protocol telnet Inspect Established Sessions Session 44C831D8 (10. Last heard 00:00:16 Bytes sent (initiator:responder) [52:108] Class-map: class-default (match-any) Match: any Inspect Established Sessions Session 44C82C68 (10.30.1:8)=>(172. Cisco Systems. All non-telnet traffic will be dropped D. ARP table B. All rights reserved. Inc. All rights reserved.scr 68 .26.26. Host 172. There are two active outbound sessions C. MAC address table C.26.30. Cisco Public Correct Answer: B 136 © 2006.151:23) telnet SIS_OPEN Created 00:01:32.1:11009)=>(172.Practice Exam Item 8 When implementing Port Security on Cisco switches.30. All rights reserved. Only telnet traffic will be inspected B.30.1 BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.30.30. Presentation_ID. running configuration E.

scr 69 .0. Cisco Systems.0 0. All rights reserved. All rights reserved.0. D.1.2. C. B.1.255. 137 Q and A BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems.0. E.1.Practice Exam Item 10—Configuration Related Item aessha esp-sha-hmac 10.0 0.172. All rights reserved.16.10 and 172.1.255 10.255 esp-sha-hmac 10.2.0.0.255 aessha What is wrong regarding the partial S2S IPSec VPN configuration shown? A. Inc. Inc.16. Presentation_ID.255.0. BRKCRT-1104 14381_04_2008_c1 The transform-set name does not match between the peers The transform-set is missing the AH option The transform-set is missing the “mode tunnel” option Correct Answer: D The crypto acl is not a mirror image of the crypto acl on the other peer The crypto acl is not matching the 172.0. Cisco Public 138 © 2006. Inc.0 0.171.0 0.255 20 10.0.20 IP address Cisco Public © 2008 Cisco Systems.

Recommended Reading Continue your Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for suggested books Available Onsite at the Cisco Company Store BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Winners announced daily. Inc. Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Receive 20 Passport points for each session evaluation you complete. All rights reserved. All rights reserved. Go to the Collaboration Zone in World of Solutions or visit www. BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Presentation_ID. Cisco Public 140 © 2006. Inc. All rights reserved.com. Inc. Cisco Public 139 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes.scr 70 .cisco-live. Cisco Systems.

Inc.scr 71 .BRKCRT-1104 14381_04_2008_c1 © 2008 Cisco Systems. Cisco Public 141 © 2006. Inc. All rights reserved. Presentation_ID. Cisco Systems. All rights reserved.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->