CCSP SND Quick Reference
Brandon James Carroll

Brandon James Carroll is one of the country's leading instructors for Cisco security technologies, teaching classes that include the CCNA, CCNP, and CCSP courses, a number of the CCVP courses, as well as custom-developed courseware. In his 6 years with Ascolta, Brandon has developed and taught many private Cisco courses for companies such as Boeing, Intel, and Cisco itself. He is a CCNA, CCNP, CCSP, and certified Cisco instructor; Brandon is the author of Cisco Access Control Security. Prior to becoming a technical instructor for Ascolta, Mr. Carroll was a technician and an ADSL specialist for GTE Network Services and Verizon Communications. His duties involved ISP router support and network design. As a lead engineer, he tested and maintained Frame Relay connections between Lucent B-STDX and Cisco routers. His team was in charge of troubleshooting ISP Frame Relay to ATM cut-overs for ADSL customers. Brandon trained new employees at Verizon to the EPG in ADSL testing and troubleshooting procedures, and managed a "Tekwizard" database of technical information and troubleshooting techniques. Mr. Carroll majored in information technology at St. Leo University.

About the Technical Editor
Jerold Swan, CCIE No. 17783, CCSP, is currently a senior network engineer for the Southern Ute Indian Tribe Growth Fund, where he works on routing/switching, VoIP, and security projects. Previously he was an instructor with Global Knowledge, where he taught CCNA and CCNP courses. He has also worked in networking in the service provider and higher education fields. He holds bachelor's and master's degrees in English from Stanford University. He lives with his wife and son in Durango, Colorado, and is involved in various outdoor sports and volunteer search and rescue.

Introduction to Network Security Policies

As networks grow and evolve, the risk of coming under attack increases. To help counter this threat, Cisco has developed the Cisco Self-Defending Network (SDN) strategy. To effectively implement this strategy, an organization can leverage its comprehensive security policies. To implement an effective security policy, you must understand why a network security policy is required, common attack-mitigation techniques, the parameters of a secure network life cycle model, and in the end, how to develop a comprehensive security policy.

Requirements for a Network Security Policy
In the past, most networks were closed off from public access. Today's networks are more often than not "open," and they are now vulnerable to attacks from both the inside and the outside. In addition, as time has passed, hacker tools have become easily available, and the technical knowledge required to use such tools has decreased. This scenario creates quite a challenge for the e-business. A balance must be maintained between the need to open up a network to support the evolution of the business versus the need to protect business information. A network security policy is necessary for a number of reasons, including new laws that require certain levels of protection, an increase in terrorist activity, and the increased risk of being hacked.

Information Assurance
Organizations use the Availability and Protection of Information triangle, shown in Figure 1-1, to classify the types of information seen in a network.

FIGURE 1-1 Availability and Protection of Information triangle. (Figure residue: axes "Need for protection" and "Available to all"; regions "Public information available to anyone," "Available to all employees," and "Special access to information.")

Information assurance requires a balance between people, technology, and operations. The disciplines associated with people include the following:
• Policies and procedures
• System security administration
• Physical security
• Personnel security
• Facilities countermeasures

The disciplines associated with technology include the following:
• Acquisition of evaluated products
• Risk assessment

The disciplines associated with operations include the following:
• Security policy
• Certification and accreditation
• Security management
• Key management
• Readiness assessment
• Recovery and reconstitution
• Sensing, warning, and responding to attacks

The defense-in-depth strategy focuses on defending the network perimeter, the computing environment, and the supporting infrastructure. It focuses on providing support for all components in play.

Network Security Process
The Security wheel, shown in Figure 1-2, will help you understand the process. The principle behind the Security wheel is that you first secure the network with technologies such as firewalls, encryption, and various authentication methods. Because network threats evolve, the next logical step is to monitor what you have protected. Monitoring and verifying the security of the network can be done with real-time intrusion detection and will help to validate the effectiveness of the security systems. Along with monitoring, some degree of testing should take place. You want to test the implemented security. You can find many tools for this purpose at http://www. Finally, using the information gathered in the monitoring and testing steps, you want to improve the overall network security and begin the process again.

FIGURE 1-2 Security wheel.

Network Attack Mitigation
Network attacks come in myriad types, and anything that can disrupt normal network activity can be deemed an attack.

Physical and Environmental Threat Mitigation
An often-overlooked mitigation opportunity is physical security. Here are some tips to mitigate physical threats: control access to the console ports of your network devices, ensure that your equipment is locked up in a locked room, and make sure that access to the equipment is monitored. Typically, video cameras and electronic key entry systems are used for such monitoring. Make sure that temperature, humidity, and airflow are regulated. Use uninterruptible power supply (UPS) systems, generators, and so on. In addition, use neat cable runs and labeled cables; it's much easier to trace labeled cables. Another tool to consider is a label maker. The cleaner the installation, the easier it is to troubleshoot, and the less likely it is that you might trip on a cable and bring the whole network down.

Reconnaissance Attack Mitigation
Attackers need information about your network before they can attack. Reconnaissance attacks are common, and attackers use tools such as packet sniffers and port scanners in their information gathering. Here are some recommendations to help mitigate reconnaissance attacks:
• Use strong authentication
• Use antisniffer tools
• Use cryptography
• Use a switched infrastructure
• Limit the open ports to only those that are needed

Access Attack Mitigation
Access attacks attempt to exploit known vulnerabilities in certain services. Types of access attacks include password attacks, trust exploitation, port redirection, man-in-the-middle attacks, and buffer-overflow attacks. You can mitigate access attacks in the same way as you mitigate reconnaissance attacks.

IP Spoofing Attack Mitigation
Simply put, spoofing is where someone, or something, tries to appear as a trusted source (for example, an internal IP address, or an external address that is permitted through firewall policy). Spoofing can allow an attacker to successfully launch other attacks, such as man-in-the-middle attacks. Mitigation techniques to avoid IP spoofing attacks include the following:
• Not accepting packets that carry your own addresses from other networks. You can use access control lists (ACLs) to establish and enforce this policy.
• Preventing your internal network users from spoofing other networks' addresses. You can use outbound ACLs to enforce this policy.
• Using cryptography.
• Using IP Source Guard.
• Using Unicast Reverse Path Forwarding (uRPF).

Understanding the basics of how these attacks function will help somewhat to mitigate them.

Denial-of-Service Attack Mitigation
A denial-of-service (DoS) attack can do one of two things. It can damage or corrupt your systems, or it can deny legitimate access to networks, systems, or services. Attackers use the normal function of TCP, the three-way handshake process, to create embryonic, or "half-open," connections. The problem with DoS attacks is that you can never totally prevent them without closing off all services.

Although you can never totally prevent DoS attacks, the following methods can help you reduce them:
• Use antispoofing features such as uRPF.
• Use Cisco IOS features, such as TCP Intercept, that verify the legitimacy of connection attempts.
• Rate limit to control half-open TCP connections or even ICMP messages.
• Use ingress and egress filters based on recommendations in Request for Comments (RFC) 2267.

Another type of DoS attack is the distributed DoS (DDoS) attack. Because these types of attack enlist other compromised machines, known as agent systems, to carry out attacks directed at a target, they generate higher volumes of traffic, which can prove to be even more devastating to a network.

NOTE Although antivirus applications won't do much to mitigate DoS attacks, it is part of the Cisco SND curriculum, and so I've included it here.

FIGURE 1-3 TCP three-way handshake.
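The spoofing mitigations and the RFC 2267 ingress/egress filtering above are easiest to see as decision logic. The following is an added example, not from the reference or from Cisco: a small Python model of a single router with a constructed routing table that applies an inbound antispoofing filter, an outbound filter, and strict uRPF to a handful of constructed packets. The interface names, prefixes and addresses are hypothetical, and uRPF is modeled in its strict form only.

```python
import ipaddress

# Constructed single-router topology (hypothetical): the routing table maps each
# prefix to the interface a packet for that prefix would leave through.
ROUTES = {
    "10.0.0.0/8":      "Ethernet0",   # internal LAN
    "192.168.50.0/24": "Ethernet0",   # internal LAN
    "0.0.0.0/0":       "Serial0",     # default route toward the ISP
}
INTERNAL_PREFIXES = ("10.0.0.0/8", "192.168.50.0/24")
OUTSIDE_IF = "Serial0"


def route_lookup(address):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_internal(address):
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in INTERNAL_PREFIXES)


def ingress_filter(pkt):
    """RFC 2267 style inbound check on the outside interface: a packet arriving
    from the ISP must not claim one of our internal addresses as its source."""
    if pkt["in_if"] == OUTSIDE_IF and is_internal(pkt["src"]):
        return "deny: internal source arriving on outside interface"
    return "permit"


def egress_filter(pkt):
    """Outbound check: a packet leaving toward the ISP must carry one of our own
    source addresses, so inside hosts cannot spoof other networks."""
    if route_lookup(pkt["dst"]) == OUTSIDE_IF and not is_internal(pkt["src"]):
        return "deny: non-internal source leaving toward the Internet"
    return "permit"


def urpf_strict(pkt):
    """Strict unicast reverse path forwarding: the route back to the source must
    point out the interface the packet arrived on, otherwise the packet is dropped."""
    reverse = route_lookup(pkt["src"])
    if reverse is None:
        return "deny: no route back to source"
    if reverse != pkt["in_if"]:
        return f"deny: reverse path is {reverse}, packet arrived on {pkt['in_if']}"
    return "permit"


def evaluate(pkt):
    """Run all three checks; the packet is forwarded only if every check permits."""
    verdicts = {
        "ingress": ingress_filter(pkt),
        "egress": egress_filter(pkt),
        "urpf": urpf_strict(pkt),
    }
    verdicts["forwarded"] = all(v == "permit" for v in verdicts.values())
    return verdicts


# Constructed sample packets; addresses use documentation and private ranges.
SAMPLE_PACKETS = [
    {"in_if": "Serial0",   "src": "203.0.113.7",  "dst": "10.0.0.5"},     # normal inbound
    {"in_if": "Serial0",   "src": "10.0.0.9",     "dst": "10.0.0.5"},     # spoofed internal source
    {"in_if": "Ethernet0", "src": "198.51.100.4", "dst": "203.0.113.7"},  # inside host spoofing outside
    {"in_if": "Ethernet0", "src": "10.0.0.5",     "dst": "203.0.113.7"},  # normal outbound
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, evaluate(pkt))
```

Note that strict uRPF alone already catches both spoofing directions in this single-homed topology; the explicit ingress and egress lists remain useful because uRPF depends on symmetric routing, which a multihomed edge does not guarantee.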

Worm, Virus, and Trojan Horse Attack Mitigation
Worms, viruses, and Trojan horses come in many flavors. To mitigate worms, Cisco recommends a process of containment, inoculation, quarantine, and treatment. In addition to this process, you might require antivirus software, intrusion detection systems (IDS), intrusion prevention systems (IPS), and the latest patches for your software or operating systems. Another requirement here is to stay in tune with the latest developments. Nobody said it would be easy!

Application Layer Attack Mitigation
There are several types of application layer attacks. This category of attacks includes the exploitation of well-known weaknesses in popular applications and the exploitation of Java and ActiveX security vulnerabilities. In the end, keep current with your software patches, and intrusion detection and prevention will assist with all aspects of this topic. Also keep on top of the mailing lists that publicize application vulnerabilities.

Developing a Secure Network Life Cycle Model
The bottom line in regard to developing a secure network is that it must be structured, planned, and thought out. It might sound harsh, but network security should never hinder the business from being in business. The needs of the business are going to come before the needs of the network. Cisco recommends using the planning, designing, implementing, operating, and optimizing (PDIOO) model for the design of a secure network.

Components of Security Design
Figure 1-4 shows some of the design factors in a secure network.

FIGURE 1-4 Design factors. (Figure residue: Industry best practices, Security policy, Security system, Security operations, Business needs, Risk analysis.)

The phases of the secure network life cycle model are as follows:
• Planning
• Designing
• Implementing
• Operating
• Optimizing
• Disposing (of secure components)


Of these six phases, although Cisco does not specifically identify the last one (disposing of secure components), it nevertheless is an important step.

Planning Phase
Much occurs in this phase. The first step is to perform a security posture assessment. After you have a current snapshot of the current state of the network, you have an opportunity to analyze the effectiveness of this policy versus current industry recommendations. You should look at this from many different perspectives.

During the planning phase, you should complete an internal assessment. An internal assessment is a simulation of a real network attack to determine what you must do to stop it.

You can quantify the security risk associated with the Internet by performing an external assessment. The goal here is to identify any services that you may be running that are susceptible to inherent vulnerabilities.

If wireless or dial-up networks are used, you should assess them, too, and document all information.

Designing Phase
In this phase, you should conduct a design review in which you review your security and business goals, the existing architecture, and design vulnerabilities. After completing this task, you can move on to the actual design deployment, during which you develop a logical design of the network topology and capabilities, develop a physical design that specifies hardware and software requirements, and test, optimize, and document the design.

Implementing Phase
In this phase, review your implementation plan. Confirm that the objective is understood. Make sure that your plan is well developed, and ensure that the proper people are trained accordingly.


Operating Phase
After the network is operational, it is recommended that you continue to review changes periodically and document any impact on the network. In addition, you want to identify and classify incidents during this phase.

Optimizing Phase
Businesses change, and so it is imperative that you continue to reflect those changes in your network security. To do so, you must monitor security logs, analyze the impact of changing business trends, and define the criteria for optimizing the network.

Developing a Comprehensive Security Policy
Although developing a security policy might not sound easy, it can be, as long as you stay focused on an end result. A security policy should have three goals:
• Provide data confidentiality
• Provide data integrity
• Ensure data availability

To be able to provide the requirements for any of these three goals, you must know what traffic you are dealing with and what your network's requirements are for it.

The typical reasons for having a security policy include the need to inform users of what their requirements and expectations are, to explain how these requirements can be met, and to give a baseline for acquiring, configuring, and auditing computer systems and networks for compliance with the security policy.


Components of a Security Policy
There is actually a hierarchy when it comes to a security policy. The levels in the hierarchy, shown in Figure 1-5, include a governing policy, technical policies, and end-user policies.

FIGURE 1-5 Security policy hierarchy. (Figure residue: Governing Policy at the top, Technical Policies below it, End-User Policies at the bottom.)

The governing policy includes concepts that are important to the company, and the intended audience is management. This policy should cover interactions between workgroups. The technical policies are more detailed and include topics such as access-control policy and physical security. The end-user policies relate to policies relevant to users.

Building Cisco Self-Defending Networks
In recent history, threats moved slowly and were easy to defend against. Today, this is no longer the case. Because threats have evolved and can now propagate worldwide in a matter of minutes, our networks must exhibit a greater level of security protection than in the past. The Cisco SDN strategy is designed to help manage and mitigate risks more effectively. There are three phases to the SDN. The three phases represent an awareness that some customers might not be able to simultaneously adopt every component of an SDN. Therefore, the SDN gives customers independently deployable products and ways to tie them together later.

• Phase I: Integrated security. In this phase, you make each network element a point of defense and integrate security networkwide as a single security system. Typical devices and technologies that you deal with in this phase include firewalls, virtual private network (VPN) capabilities, IPS, and Cisco Identity-Based Network Services (IBNS).
• Phase II: Collaborative security systems. In this phase, you add mutual awareness among devices, endpoints, and applications in the network, so that security policies can be recognized and respected dynamically, and the network becomes more efficient through consolidation. Typical devices and technologies that are a focus during this phase include Cisco Network Admission Control (NAC).
• Phase III: Adaptive threat defense. This phase adds the ability to proactively respond to threats, such as real-time worm, virus, and spyware control. Typical technologies addressed during this phase include application inspection, Network Foundation Protection (NFP), and peer-to-peer (P2P) networking and instant messaging (IM) control.

Security Policy for Cisco Routers
Because the perimeter router is on the dividing edge between the outside world and the inside of a network, much emphasis is often placed on securing the network at this point. It is reasonable to expect that, along with a networkwide security policy, a device-specific security policy will be included. This device-specific security policy is a means of implementing the requirements of the networkwide security policy. This chapter covers many of the aspects of securing a perimeter device.

Password-Creation Rules
As a best practice, you should plan on enforcing a minimum password length. You can do this in the Cisco IOS using the security passwords min-length command. In addition, use alphanumeric characters, symbols, and a good mix of upper- and lowercase characters. A space at the beginning of a password is ignored, but is not ignored when used elsewhere in a password.

Configuration Dialog
When you start a router for the first time, it will likely not have a configuration loaded. Cisco has created a setup dialog that takes you through an initial setup, which includes the creation of passwords.

Securing Administrative Access
There are many avenues of access to Cisco devices. These include console connections, auxiliary port connections, Telnet and Secure Shell (SSH) connections to vty terminals, and so on. It is important that you understand these access methods and how to secure them.

Console Port
• The console port is accessed with a rollover cable connected to the console port of the router. To protect it:
• Use the password command to create a password on line console 0.
• Use the login command to instruct Cisco IOS to check for a password.

Auxiliary Line Password
• Configure similarly to the console.
• Use the password command to create a password on the auxiliary port.
• Use the login command to instruct Cisco IOS to check for a password.

Vty Passwords
• There are five vty ports by default, but some versions of Cisco IOS have more.
• The vty ports begin at port 0. Access them with the command line vty 0 4.
• Use the password command to create a password on the vty ports.
• Use the login command to instruct Cisco IOS to check for a password.

Enable Secret Password
• The enable secret command creates an encrypted password used to access enable mode.
• The enable secret password is hashed in the output of the configuration.
• Cisco IOS automatically prompts for a password when you enter enable mode.

Password Encryption
• Relatively weak encryption.
• Hides passwords from people who look over your shoulder.
• Use the service password-encryption command to enable.
• If disabled, all previously encrypted passwords stay encrypted.

Timeouts
• Configured on the console port and the auxiliary port.
• Use the exec-timeout command to apply.

Login Failure Rate
• Controls the number of unsuccessful logins.
• Configured using the security authentication failure rate command.
• Applies a 15-second delay time.

Privilege Levels
• Level 1 is predefined as user mode.
• Level 15 is predefined as enable mode.
• Levels 2 to 14 can be customized.

Role-Based CLI
Role-based CLIs are a way to manage the commands that the user can run. In a nutshell, a view enables users to define which commands are accepted and what configuration information is visible.
• Requires authentication, authorization, and accounting (AAA).
• Enabled by creating different "views."

Use the following commands, in the following order, to enable a view on the router:
• aaa new-model (in global configuration mode)
• enable view
• configure terminal
• parser view view-name
• secret 5 encrypted-password
• commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
• exit
• exit

Example 2-1 demonstrates a view being created on the router called MyView. The commands that a user can enter when using MyView include the ability to ping, telnet, traceroute, use show commands, create an access list, enter interface configuration mode and configure IP addresses, and save the configuration.

Example 2-1 Creating the MyView View

    Router> enable view
    Password:
    Router# configure terminal
    Router(config)# parser view MyView
    Router(config-view)# secret 0 MyViewPassword
    Router(config-view)# commands exec include ping
    Router(config-view)# commands exec include telnet
    Router(config-view)# commands exec include traceroute
    Router(config-view)# commands exec include all show
    Router(config-view)# commands exec include configure terminal
    Router(config-view)# commands configure include ip access-list
    Router(config-view)# commands configure include all interface
    Router(config-view)# commands interface include ip address
    Router(config-view)# commands exec include write
    Router(config-view)# exit
    Router(config)# exit
    Router# enable view MyView
    Password:
    *Mar 1 03:45:03.197: %PARSER-6-VIEW_SWITCH: successfully set to view 'MyView'.
    Router# ?
    Exec commands:
      configure   Enter configuration mode
      enable      Turn on privileged commands
      exit        Exit from the EXEC
      ping        Send echo messages
      show        Show running system information
      telnet      Open a telnet connection
      traceroute  Trace route to destination
      write       Write running configuration to memory, network, or terminal

NOTE It's always best to test your work! You can log in to the view while you are configuring it. Use the ? to verify that you see only the commands you included.

Enhanced Virtual Login Support
A Cisco IOS device can accept virtual connections as fast as connections can be processed. A delay between login attempts helps protect your device from a possible dictionary attack. The delay can be enabled in one of these ways:
• Via the login delay command, which enables you to specify the number of seconds.
• Via the login block-for command. If you enter only the login block-for command, a login delay of one second is automatically enforced.
• Via the auto secure command. If you enable AutoSecure, a login delay of one second is automatically enforced.
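The password rules, line passwords, password encryption, timeouts, login failure rate and login delay items above are the kind of checklist a device-specific security policy turns into an audit. The following is an added example, not from the reference or from Cisco: a Python script that parses two constructed IOS-style running-config excerpts and reports which of those hardening items are missing. The configs, the hostnames, the placeholder hash and the minimum-length threshold of 8 are all assumptions made for the example; the reference itself gives no specific minimum length.

```python
import re

# Constructed running-config excerpts for a hypothetical router; the enable
# secret hash and the type-7 strings are placeholders, not real values.
HARDENED_CONFIG = """\
hostname Edge1
!
service password-encryption
security passwords min-length 10
security authentication failure rate 3 log
enable secret 5 $1$PLCH$placeholderhashvalue
!
login block-for 120 attempts 3 within 60
login delay 2
!
line con 0
 password 7 PLACEHOLDER7
 login
 exec-timeout 5 0
line aux 0
 password 7 PLACEHOLDER7
 login
line vty 0 4
 password 7 PLACEHOLDER7
 login
 transport input ssh
"""

WEAK_CONFIG = """\
hostname Edge2
enable password cisco
line con 0
 password cisco
 login
line vty 0 4
 exec-timeout 0 0
 login
"""

MIN_LENGTH_FLOOR = 8   # assumed policy threshold; the reference gives no number
REQUIRED_LINES = ("con 0", "aux 0", "vty 0 4")


def parse_config(text):
    """Split an IOS-style config into global commands and the sub-commands of
    each `line ...` section (sub-commands are indented by one space)."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith("line "):
            current = line[5:].strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit(text):
    """Return a list of findings, one per hardening item that is missing."""
    global_cmds, sections = parse_config(text)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    if not has("service password-encryption"):
        findings.append("global: service password-encryption missing")
    min_len = None
    for c in global_cmds:
        m = re.match(r"security passwords min-length (\d+)$", c)
        if m:
            min_len = int(m.group(1))
    if min_len is None or min_len < MIN_LENGTH_FLOOR:
        findings.append(f"global: security passwords min-length absent or below {MIN_LENGTH_FLOOR}")
    if not has("enable secret "):
        findings.append("global: enable secret not configured")
    if has("enable password "):
        findings.append("global: enable password present (weak; use enable secret)")
    if not has("security authentication failure rate "):
        findings.append("global: security authentication failure rate not configured")
    if not (has("login block-for ") or has("login delay ")):
        findings.append("global: no login delay or login block-for")

    for name in REQUIRED_LINES:
        cmds = sections.get(name)
        if cmds is None:
            findings.append(f"line {name}: section missing")
            continue
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name}: login not enabled")
        if "login local" not in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: no password configured")
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None or timeout.split()[1:] == ["0", "0"]:
            findings.append(f"line {name}: exec-timeout absent or disabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Running the script shows that even the hardened excerpt leaves the auxiliary and vty lines without an exec-timeout, while the weak excerpt trips every global check and lacks an aux line section altogether; the point of the exercise is that a device-specific policy should be checkable against the running configuration rather than remembered.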

Cisco Security Device Manager
The Cisco Security Device Manager (SDM) is a web-based tool for deployment and management of services on Cisco IOS routers.
• Cisco SDM is designed to simplify configuration by using smart wizards.
• Smart wizards in Cisco SDM have built-in intelligence about Cisco Technical Assistance Center (TAC)-recommended Cisco IOS configurations for different use scenarios.
• Cisco SDM can recommend an optimum security configuration for a router based on detection of LAN and WAN connections.
• Cisco SDM includes features such as WAN and VPN troubleshooting, security audit, and one-step lockdown that leverage the integration of routing and security technology.
• Cisco SDM has tools that improve productivity, helping users with limited CLI knowledge and security expertise to configure basic network security.
• Cisco SDM manages one device at a time.
• Cisco SDM has no impact on DRAM or CPU.
• Cisco SDM supports Cisco IOS Release 12.2(…) and later.

To run Cisco SDM, you must have the following files:
• sdmconfig-modelxxx.cfg (manufacturing default configuration file for the router)
• sdm.tar
• home.tar
• common.tar
• es.tar (for Cisco SDM Express)

For example, a Cisco 2810 would be loaded with sdmconfig-2810.cfg.

To set up your router to use Cisco SDM, you must configure the following:
• Privilege 15 user (using the username name privilege 15 secret password command)
• HTTP server enabled (using the ip http server command)
• Secure Sockets Layer (SSL) (using the ip http secure-server command)
• Local authentication (using the ip http authentication local command)

Cisco SDM Express
Figure 2-1 shows the Cisco SDM Express interface. The Cisco SDM Express interface is seen only if a router is loaded with the factory default router configuration file. After you have gone through Cisco SDM Express one time, all changes happen in the full version of Cisco SDM, and you will not see Cisco SDM Express again. To log in to Cisco SDM from a new router, use the IP address that is configured on the interface of the router in your web browser.

:"'D! "_!!-I~:M!!!I.1.u11i!ilHiIl: ways" The Ei:rstuses the brewser.[24] f~GiURE .:. [hie f1lllH SDM ill two menu interfaee.lF~g:tEreJ-2 SJIO'\!'{iS rthe SDM full ¥cm can access..ce.S.]y. I •• 1".om. to the same pl.I.. E:Hfue:rway.get E1DC:eS.2-11 He Cioco S!DM Exprecss irn1erf<lioe and menu!]".hlh.pp]et that is installed loca]]y. c'1'iI:CIJ '0'" ·a..1 -~1i!9Ii!Ij M"III .BI.II... as d:iscu:5sempl!ev:i. :. Web:star~a.p: iI!o_l'lk~~~I':' I"'''L>I~'''''' .IT. . yo:]]. and the second uses a Java.

.ill"iI"I':II"..ilIM.-.! iP"SK..:..:Ulliit..i.:iMj:j.i:l1:I·M. .I_IiIt! I.~~·~ °u ....Afrer ycm have logged Icon OIl tile meniU.RI~~ EiiL. II~~~ i ~:i..:IIIi::iiIK'!".:.'b::ll~~ ~~:Jii11.l:.o access the task: panel._II.M wtioUllI~l: i-lio...:.2-3 lfli1...gh smal!1 wizards when eonflgurlng your rtmter's security poUey.2-2 TIM:eS!DM full memll iillllmr.. cUC:kthe fllGIUAE ..I T.. OO!l1lliig!UlI'81M.e SID:M menu b:L!Jt1i:ons.~<loe ana m:eIil:U1S.::iliii'li: -""'" 1i"lj'. i1lblffl' •• 1.fI~lfmll.IIi'Il ir.{fiIiilil: j...)li •• nilril ..-&Ii.[ 25] fllGIUAE .. . I li:.. ..:IIil:r:J.. Use tile task pfI!nelto work t thro[lJ. 2-4 show the menu ami taskpanel..mJi Jill..liI..II!IW: iMi~IiIT.>: io!-Itlllill..•• 11.iw. _- .....i~Ii.Ii. Figures 2-3 and....·. l~iII~IIiil!li~'M_~ .ut ~i:itJ~ MI gar \::~ ~r~~~ WI __ 'EM 1~·""~T1 H1 ii:HY!i'.: ~Fiilllo""'.

Figure 2-4 The SDM task panel.
From the task panel you can configure the following aspects of your router:
• Interfaces and connections, including LAN and WAN configuration.
• Firewall services in either Basic (two-interface) configuration or Advanced (demilitarized zone [DMZ]).
• Four types of VPNs: site-to-site, Easy VPN remote, Easy VPN server, and Dynamic Multipoint VPN (DMVPN).
• Security audits, for security audits or one-step lockdowns.
• Routing for Routing Information Protocol (RIP), Open Shortest Path First (OSPF) Protocol, Enhanced Interior Gateway Routing Protocol (EIGRP), and static routes.
• NAT translation rules and timeouts.
• IPS, depending on the version. On some routers you might have a Cisco IDS/IPS module, and on other routers you can configure this on a per-interface basis.
Click the Additional Tasks icon on the task panel to configure advanced options that are not performed in the smart wizards. Click the Monitor button to monitor many aspects of your router; Figure 2-5 shows the monitor overview.

Figure 2-5 SDM monitor overview.
Configuring AAA Functions
Cisco implements AAA on their routers in three ways:
• Self-contained AAA
• Cisco Secure Access Control Server (ACS) for Windows
• Cisco Secure ACS Solution Engines


Self-contained AAA accesses a database that is stored locally on the router. AAA with Cisco Secure ACS for Windows or the Cisco Secure ACS Solution Engine uses a protocol such as TACACS+ or RADIUS to go "off box" to authenticate users. The real difference between the two is that the Solution Engine, according to Cisco.com, is "a highly scalable, rack-mounted, dedicated platform that serves as a high-performance ACS supporting centralized RADIUS or TACACS+." So in other words, it's an appliance versus a software server application installed on a Windows server. In the end, they are very similar.

Methods of Authentication
There are many methods of authentication. Each method has its benefits and its drawbacks. The benefit to using token cards or soft tokens using one-time passwords (OTP) is that it is the strongest form of authentication. The drawback is that it is not as easy to use as not having a password in the first place. Figure 2-6 shows some different authentication methods.

Figure 2-6 Authentication methods. (The figure orders the methods from strongest to weakest and includes S/Key (OTP for terminal login), username and password (aging), and username and password (static).)

For authentication to Cisco routers, there are two access types:
• Remote administrative access, which includes character entry and is normally configured in line or exec mode. The common AAA commands include login, exec, and enable.
• Remote network access, which uses packets (interface mode).

Configuring AAA Authentication Login
To begin configuring AAA on Cisco routers, enter the aaa new-model command in global configuration mode. After AAA has been enabled, it is recommended that you create a local username and configure the default login method. If you fail to do this and lose your console connection, you could get locked out of the router and have to perform a password recovery.

To enable AAA on Cisco routers, use the following:
sdm-rtr(config)#aaa new-model

To create a local username and password, use the following:
sdm-rtr(config)#username bob secret cisco

To configure the default login method, use the following:
sdm-rtr(config)#aaa authentication login default local

After you have configured the default login method, you can configure named method lists and control the way that your router authenticates: for example, using the local username and password to authenticate the console port and the enable password to authenticate access to the vty ports. This is all controlled via method lists.


NOTE
With regard to the preceding configurations, everything in uppercase is a name, not part of the syntax.

To configure AAA authentication methods on Cisco routers, use the following:
sdm-rtr(config)#aaa authentication login USE_LOCAL local
sdm-rtr(config)#aaa authentication login USE_ENABLE enable
sdm-rtr(config)#aaa authentication login USE_LINE line

To configure AAA to use the local username and password when you connect to the console port of the router, use the following:
sdm-rtr(config)#username bob password cisco
sdm-rtr(config)#line con 0
sdm-rtr(config-line)#login authentication USE_LOCAL

To configure AAA to use the enable secret when you connect to the vty ports, use the following:
sdm-rtr(config)#enable secret Mustbeh@rd2get!
sdm-rtr(config)#line vty 0 4
sdm-rtr(config-line)#login authentication USE_ENABLE

To configure AAA to use the line password when you connect to the vty ports, use the following:
sdm-rtr(config)#line vty 0 4
sdm-rtr(config-line)#password Fun2b@ttle!
sdm-rtr(config-line)#login authentication USE_LINE

Configuring AAA Authentication for PPP
To specify one or more AAA methods on serial interfaces that use PPP encapsulation, use the aaa authentication ppp global configuration command. This works similarly to the aaa authentication login command.

Configuring AAA Authentication Enable
To instruct AAA to determine whether a user has access to the privileged exec mode, use the aaa authentication enable global configuration command. This is an important command to configure; you lose access to enable mode if you fail to set it.

Configuring AAA Authorization and Accounting
You can authorize the following elements using the aaa authorization global configuration command:
• network (used to authorize network-related service requests, such as PPP)
• exec (used to authorize access to the exec shell)
• commands (used to authorize each command a user enters)
• reverse-access (used to authorize reverse Telnet connections)
• configuration (downloads the configuration from the AAA server)
• default (uses the listed authentication methods as the default list of methods)
The aaa accounting configuration command enables you to send accounting information to the AAA server.

Disabling Unused Network Services and Interfaces
The following list of services should be considered and potentially disabled to secure routers:
• BOOTP server
• Cisco Discovery Protocol (CDP)

• Configuration autoloading
• FTP server
• TFTP server
• Network Time Protocol (NTP) service
• Packet assembler/disassembler (PAD) service
• TCP and User Datagram Protocol (UDP) minor services
• DEC Maintenance Operations Protocol (MOP) service
Secure Management and Reporting Services
The following commonly configured management services should be disabled if not in use:
• SNMP
• HTTP server
• DNS
Ensure path integrity by disabling the following services:
• ICMP redirects
• IP source routing

Disable probes and scans by turning off these services:
• Finger
• ICMP unreachable notifications
• ICMP mask reply
Ensure terminal access security by configuring the following:
• IP identification service
• TCP keepalives
Disable gratuitous and proxy Address Resolution Protocol (ARP) to prevent potential attacks, and disable IP-directed broadcast. For a more detailed discussion, visit http://www.cisco.com/en/US/...

Securing LAN and WLAN Devices
Security Policies on Network Switches
Switches are targets. It is imperative that security administrators understand how to control access to switches and other network devices. These devices are open to attacks that are inherent to Layer 2. Many devices in today's networks operate at Layer 2, but often their security implications are overlooked. When protecting network switches, you need to provide the following protections:
• Set SNMP to read only.
• Disable unneeded services.
• Log unauthorized access attempts.
• Disable user ports from automatically trunking.
• On trunk ports, use as the native VLAN an unused VLAN that is not a user VLAN.
• Don't rely on VLANs alone to keep people out; VLAN hopping is still around.
• Use private VLANs for traffic segregation.
NOTE For more information about private VLANs, refer to the Private VLANs section later in this chapter.
CCSP SND Quick Reference by Brandon James Carroll

Of the two levels of access, user mode is level 1 and privilege mode is level 15. Everything in between is user definable. User mode does not allow much access to do anything. Privilege mode gives you access to everything. You can set access control to privilege mode with the enable secret configuration command; this password will be encrypted in the configuration file. Avoid using the clear-text version, enable password. Passwords should be at least 10 characters long, and you should observe the following:
• Don't use a number as the first character.
• Use special characters.
• Change passwords every 90 days.
• The password you use as the enable secret password should not be used for anything else.

Mitigating Layer 2 Attacks
There are many types of Layer 2 attacks. This section discusses common Layer 2 attacks and how to mitigate them.

VLAN Hopping with Switch Spoofing
At its most basic, the goal of VLAN hopping is to allow one to access data or devices located on another VLAN. In many cases, the attacks are one way. The two methods used to hop a VLAN are switch spoofing and double tagging.

A switch-spoofing attack can be launched in one of two ways:
• Spoofing Dynamic Trunking Protocol (DTP) messages on a switch port that is configured for DTP
• Introducing a rogue switch to gain a trunk into a network that has trunking turned on
Figure 3-1 VLAN hopping with a rogue trunk port.
In Figure 3-1, the attacker has access to all VLANs on the switch because he has connected to a rogue trunk port.

VLAN Hopping with Double Tagging
A double-tagging attack happens when a second 802.1q tag is placed behind another. This exploits a common function of switches: switches perform only one level of de-encapsulation. When the first layer (tag) is stripped off, the second layer (tag) is left remaining, effectively changing the VLAN that the traffic is on.

VLAN Hopping Mitigation
To mitigate VLAN hopping, configure interfaces that do not require trunking as access ports:
• Switch(config-if)#switchport mode access

On interfaces that do require trunking, set the trunk explicitly, disable DTP negotiation, and use an unused VLAN as the native VLAN:
• Switch(config-if)#switchport mode trunk
• Switch(config-if)#switchport nonegotiate
• Switch(config-if)#switchport trunk native vlan vlan-number

Spanning Tree Protocol (STP) Manipulation
Spanning tree determines a reference point, called the root bridge, by exchanging bridge protocol data units (BPDU) with all the Layer 2 switches in the network. In the event of another switch being introduced to the network, a new reference point may be determined and a notification is sent out, thus changing the Layer 2 topology and the flow of network traffic. In an STP manipulation attack, a device sends BPDUs and attempts to become the root bridge.

Spanning Tree Manipulation Mitigation
To mitigate STP manipulation attacks, perform the following:
• Switch(config)#spanning-tree portfast bpduguard
• Switch(config-if)#spanning-tree guard root
The first protection mechanism, BPDU guard, disables a port that is configured with the spanning-tree portfast command in the event that the port receives a BPDU. The latter, root guard, allows the port to participate in spanning tree but blocks it if it receives BPDUs that attempt to make it the root bridge.

DHCP Snooping
DHCP spoofing happens when an attacker acts as a DHCP server in an attempt to fool machines into using it (the attacker) as the default gateway, DNS server, or other information. When used as a man-in-the-middle attack, all traffic is forwarded through a host with the use of ARP spoofing and analyzed for passwords and other information.

DHCP Spoofing Attack Mitigation with DHCP Snooping
The DHCP snooping feature determines which ports can respond to DHCP requests. A port is either trusted or untrusted. The characteristics are as follows:
• Untrusted ports can be the source of DHCP requests only.
• Trusted ports can be directly attached to a DHCP server or an uplink toward the DHCP server.
To enable DHCP snooping on a network switch, perform the following:
• Switch(config)#ip dhcp snooping
• Switch(config)#ip dhcp snooping vlan vlan4
• Switch(config-if)#ip dhcp snooping trust

ARP Spoofing and Dynamic ARP Inspection
ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network, which may allow an attacker to sniff data frames on the LAN or stop the traffic. The principle of ARP spoofing is to send fake, or "spoofed," ARP messages onto an Ethernet LAN. These frames contain false MAC addresses, confusing network devices. As a result, frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to a nonexistent host (a DoS attack). This causes a man-in-the-middle attack.

Mitigating ARP Spoofing Attacks with DAI
Dynamic ARP Inspection (DAI) uses the DHCP snooping binding table to verify the validity of an ARP reply. Like DHCP snooping, DAI uses trusted and untrusted interfaces. When DHCP snooping is enabled, a binding table is created on the switch between MAC addresses and IP addresses. To enable DAI, perform the following:
• Switch(config)#ip dhcp snooping vlan vlan-number
• Switch(config)#ip arp inspection vlan x (where x is the VLAN in which DAI should watch)
• Switch(config)#interface interface
• Switch(config-if)#ip arp inspection trust
Figure 3-2 DAI in action. (The figure shows the attacker's ARP reply, which claims the gateway's IP address with the attacker's MAC address, being checked against the DHCP snooping binding table and dropped.)
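As an added example (not from the quick reference), the following Python model shows how the DHCP snooping binding table and DAI described above work together on a switch; port names, MAC and IP addresses, and frames are constructed.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (DAI).

Added example, not from the CCSP SND Quick Reference. It models the
trusted/untrusted port behaviour described in the text: untrusted ports may
only originate DHCP requests, leases seen on trusted ports are recorded as
MAC/IP/port bindings, and DAI checks ARP replies arriving on untrusted ports
against those bindings. Port names, addresses and frames are constructed.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    port: str            # ingress port, e.g. "Fa0/1" (constructed names)
    kind: str            # "dhcp-request", "dhcp-offer", "dhcp-ack", "arp-reply"
    src_mac: str
    ip: str = ""         # DHCP: leased address; ARP: sender protocol address
    client_mac: str = "" # DHCP server messages: the client being answered


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> untrusted port that sent the request
        self.bindings = {}   # client MAC -> (ip, port): the snooping binding table
        self.log = []

    def ingress(self, f: Frame) -> str:
        """Apply DHCP snooping and DAI to one frame; return 'forward' or 'drop'."""
        if f.kind == "dhcp-request":
            # Requests are what untrusted (client) ports are allowed to send.
            if f.port not in self.trusted:
                self.pending[f.src_mac] = f.port
            return "forward"
        if f.kind in ("dhcp-offer", "dhcp-ack"):
            # Server-side DHCP messages are legitimate only on trusted ports;
            # anything else is a rogue DHCP server (DHCP spoofing).
            if f.port not in self.trusted:
                self.log.append(f"DHCP snooping: dropped {f.kind} from {f.port}")
                return "drop"
            if f.kind == "dhcp-ack" and f.client_mac in self.pending:
                # The lease binds the client's MAC and IP to the client's port.
                self.bindings[f.client_mac] = (f.ip, self.pending.pop(f.client_mac))
            return "forward"
        if f.kind == "arp-reply":
            if f.port in self.trusted:
                return "forward"          # DAI does not inspect trusted ports
            if self.bindings.get(f.src_mac) == (f.ip, f.port):
                return "forward"          # MAC, IP and port all match the binding
            self.log.append(f"DAI: dropped ARP reply {f.src_mac} -> {f.ip} on {f.port}")
            return "drop"
        return "forward"


def scenario():
    """Constructed traffic: one legitimate lease, then ARP and DHCP spoofing attempts."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})   # uplink toward the real DHCP server
    sw.ingress(Frame("Fa0/1", "dhcp-request", "aaaa.bbbb.cccc"))
    sw.ingress(Frame("Gi0/1", "dhcp-ack", "0000.1111.2222", ip="10.1.1.20",
                     client_mac="aaaa.bbbb.cccc"))
    results = {}
    # Legitimate ARP reply from the host that holds the lease.
    results["valid_arp"] = sw.ingress(
        Frame("Fa0/1", "arp-reply", "aaaa.bbbb.cccc", ip="10.1.1.20"))
    # Same MAC/IP pair presented on a different untrusted port: binding mismatch.
    results["wrong_port"] = sw.ingress(
        Frame("Fa0/2", "arp-reply", "aaaa.bbbb.cccc", ip="10.1.1.20"))
    # Host on Fa0/2 claims the gateway address 10.1.1.1 (ARP poisoning).
    results["poison"] = sw.ingress(
        Frame("Fa0/2", "arp-reply", "dddd.eeee.ffff", ip="10.1.1.1"))
    # Host on Fa0/2 answers DHCP requests itself (DHCP spoofing).
    results["rogue_dhcp"] = sw.ingress(
        Frame("Fa0/2", "dhcp-offer", "dddd.eeee.ffff", ip="10.1.1.30",
              client_mac="aaaa.bbbb.cccc"))
    results["bindings"] = dict(sw.bindings)
    results["log"] = list(sw.log)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```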

CAM Table Overflow
Content-addressable memory (CAM) tables are where MAC addresses are stored and then referenced by your switch in forwarding and filtering decisions. In a CAM table overflow attack, the switch is flooded with numerous (meaning thousands of) fake frames with different MAC addresses to fill up the CAM table. If the CAM table is full, the switch cannot add real MAC addresses to the table. When a real host tries to communicate with another real host and the CAM table is full (and does not contain entries for the real addresses), the switch floods that traffic out of every port except the one it came in on. Thus, the attacker can capture the real traffic and sniff out passwords and other confidential data.

MAC Spoofing
Figure 3-3 shows the "before" topology. Assume that USER_A is connected to port Fa0/1 of a switch. USER_A has the MAC address AAAA.BBBB.CCCC. When USER_B tries to communicate with USER_A, the switch consults its CAM table and forwards frames to port Fa0/1.
Figure 3-3 MAC spoofing, before. (CAM table: AAAA.BBBB.CCCC on Fa0/1 for USER_A, BBBB.CCCC.DDDD on Fa0/2 for USER_B, and the attacker on a third port.)

An attacker that knows the MAC address of USER_A can spoof this MAC and thus trick the switch into thinking that USER_A has moved to a different port. Figure 3-4 shows the "after" topology. This will cause traffic destined for USER_A to be sent to the attacker.
Figure 3-4 MAC spoofing, after. (The CAM table now maps AAAA.BBBB.CCCC to the attacker's port.)

Mitigating CAM Table Overflows and MAC Spoofing with Port Security
The best way to control the CAM table and which addresses are assigned to a port is by using port security. Use the following to configure port security:
• Switch(config-if)#switchport mode access
• Switch(config-if)#switchport port-security
• Switch(config-if)#switchport port-security maximum number-of-MACs-you-want-to-learn
• Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

• Switch(config-if)#switchport port-security mac-address MAC-address-that-is-allowed-on-this-interface
• Switch(config-if)#switchport port-security mac-address sticky

Cisco Catalyst Switch Security Features
A number of security features are embedded into Cisco switches, including the following:
• Identity-Based Networking Services (IBNS)
• VLAN ACL (VACL)
• Private VLANs
• MAC address notifications
• Rate limiting
• Switched Port Analyzers (SPAN)
• Secure Shell version 2 (SSHv2)
• SNMPv3
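The port-security behaviour described above, as an added Python model that is not part of the quick reference: a CAM table overflow attempt and a MAC spoofing attempt are replayed against ports configured with maximum, static mac-address and violation settings; all ports, addresses and frames are constructed.

```python
"""Port security versus CAM table overflow and MAC spoofing (switch model).

Added example, not from the CCSP SND Quick Reference. The switch keeps a CAM
table (MAC -> port); each port enforces a maximum number of secure MACs,
optionally a statically configured MAC, and one of the violation modes
protect | restrict | shutdown. Ports, MACs and traffic are constructed.
"""


class SecurePort:
    def __init__(self, name, maximum=1, static=(), violation="shutdown"):
        self.name = name
        self.maximum = maximum
        self.secure = set(static)   # secure MACs: static plus dynamically learned
        self.violation = violation  # "protect", "restrict" or "shutdown"
        self.violations = 0         # counted for restrict and shutdown only
        self.err_disabled = False


class Switch:
    def __init__(self):
        self.cam = {}     # CAM table: MAC -> port name
        self.ports = {}

    def add_port(self, port: SecurePort):
        self.ports[port.name] = port

    def _secured_elsewhere(self, mac, port):
        # A MAC that is secure on another port may not appear on this one.
        return any(mac in p.secure for p in self.ports.values() if p is not port)

    def frame_in(self, port_name, src_mac) -> str:
        """Learn or reject one frame's source MAC; return 'ok', 'drop' or 'shutdown'."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "shutdown"
        if src_mac not in port.secure:
            over_limit = len(port.secure) >= port.maximum
            if over_limit or self._secured_elsewhere(src_mac, port):
                if port.violation != "protect":
                    port.violations += 1   # restrict and shutdown count the event
                if port.violation == "shutdown":
                    port.err_disabled = True
                    return "shutdown"
                return "drop"              # protect/restrict: silently discard
            port.secure.add(src_mac)       # within limit: learn it
        self.cam[src_mac] = port_name      # only secure MACs reach the CAM table
        return "ok"


def scenario():
    """Constructed replay: USER_A pinned to Fa0/1, an attacker on Fa0/2, flood on Fa0/3."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", maximum=1, static={"aaaa.bbbb.cccc"}))
    sw.add_port(SecurePort("Fa0/2", maximum=1, violation="shutdown"))
    sw.add_port(SecurePort("Fa0/3", maximum=2, violation="restrict"))
    sw.frame_in("Fa0/1", "aaaa.bbbb.cccc")
    # CAM table overflow attempt: thousands of bogus source MACs on Fa0/3.
    flood = [sw.frame_in("Fa0/3", f"0000.0000.{i:04x}") for i in range(1, 3001)]
    # MAC spoofing attempt: a host on Fa0/2 presents USER_A's MAC.
    spoof = sw.frame_in("Fa0/2", "aaaa.bbbb.cccc")
    return {
        "cam_size": len(sw.cam),                     # stays at the secure MACs only
        "flood_dropped": flood.count("drop"),
        "fa03_violations": sw.ports["Fa0/3"].violations,
        "spoof_result": spoof,
        "user_a_port": sw.cam["aaaa.bbbb.cccc"],     # USER_A never "moves"
        "fa02_disabled": sw.ports["Fa0/2"].err_disabled,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```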

IBNS
Cisco IBNS uses 802.1x to limit access to a network or network resources based on the user's credentials. It allows multiple users to use the same PC and still have different privileges. The process is as follows:
1. The user accessing the network via the user switch must enter a username and password.
2. The switch passes the credentials to the Cisco ACS using Extensible Authentication Protocol (EAP) to determine their validity, and notes the MAC address the user is logging in from.
3. ACS looks up the username and password.
4. Once authenticated, a RADIUS message is sent to the switch, and the user's privileges are applied to the port.

VACLs
VACLs are similar to router ACLs. By being applied to a VLAN, they filter all traffic on that VLAN, not just traffic in an applied direction, as with an ACL being applied to an interface. The VACL is configured as follows:
Switch(config)#access-list 101 permit tcp any any eq www
Switch(config)#access-list 101 permit tcp any eq www any
Switch(config)#vlan access-map ALLOW_WEB_ONLY 10
Switch(config-access-map)#match ip address 101
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
Switch(config)#vlan filter ALLOW_WEB_ONLY vlan-list 110-114

MAC Address Notifications
MAC address notifications enable you to monitor MAC addresses added to or removed from the CAM table. This feature sends an SNMP trap to a network management station when addresses are added or deleted. To configure this feature, use the mac-address-table notification command.

Rate Limiting
Rate limiting enables you to set bandwidth thresholds for users based on traffic types. This feature prevents a network from being flooded and maintains smooth traffic flows.

Private VLANs
Private VLANs allow devices to be in a common VLAN but still be isolated from one another. Private VLANs have the following characteristics:
• The users are on a common subnet that is subdivided into multiple "private" VLANs.
• Address space is conserved because all users are on a common subnet.
• Hosts on a private VLAN can communicate with the gateway only by means of a promiscuous port (gateway) from an isolated port (hosts).

SPAN
SPAN enables you to mirror traffic seen on one port to another port for troubleshooting. This is useful for directing traffic to an intrusion detection sensor or a protocol analyzer.

SSHv2
SSHv2 provides a secure method of remotely accessing the CLI because it uses strong encryption to protect the login and session. SSHv2 should be the preferred method of remote connectivity to the switch.

SNMPv3
SNMPv3 is an enhancement to the SNMPv1 management traffic. It provides message integrity, authentication, and encryption services to SNMP messages that are sent to the switch and from the switch to the management application.

Firewall Technologies
The Cisco IOS firewall provides a cost-effective firewall solution for customers that do not want (usually because of financial constraints) to deploy a firewall appliance. Before diving into the features in Cisco IOS, it's important to understand the types of firewalls available, the way they have evolved, and the logical reason we have firewalls. A firewall is a simple concept. A firewall is designed to limit the damage that can happen between subnets in the event of an outbreak; this is similar to firewalls in cars, homes, and office buildings. With a firewall you can limit the damage, but you might not be able to prevent the outbreak. Much of it is all about containment. As time has passed, the sophistication of firewalls has certainly increased, and different ideas have come into play. Now firewalls provide more than just containment services; they also provide an invaluable amount of protection against today's vulnerabilities. The types of firewalls (which also show the evolution of firewalls) are as follows:
• Static packet filters
• Circuit level
• Application layer
• Dynamic packet filters
• Stateful packet filters

Static Packet Filtering Firewalls
Static packet filters have the following characteristics:
• Packets are filtered at Layer 3 of the OSI model.
• Simple permit or deny statements.
• Protocols that use dynamic ports might not be matched.
Figure 4-1 Static packet filters. (The figure shows traffic being permitted based on rules, with unknown traffic allowed only up to Layer 3, and what happens to traffic that does not match the rules.)

Circuit Level Firewalls
Circuit-level firewalls are also called circuit-level gateways. Circuit-level firewalls perform the following tasks:
• Verify connections at the Transport layer
• Validate that sessions have followed a legitimate TCP handshake
• Appear to be the device passing the traffic (hiding the internal network)
• Maintain session state in a table
Figure 4-2 Circuit-level firewalls.

Application Layer Firewalls
Application-layer firewalls are often called proxy servers. An example of a proxy server is the Microsoft ISA Server. Application-layer firewalls have the following characteristics:
• They manage requests for specific services, such as FTP or HTTP.
• They validate data at the Application layer.
• An Application-layer firewall is the only device visible to the Internet.
• They can filter or change the contents of a packet.
• They provide the highest level of control.
They are usually installed on top of another operating system and are sometimes susceptible to that host operating system's vulnerabilities.
Figure 4-3 Application-layer firewalls.

Stateful Packet Filters
Stateful packet filters are the most commonly deployed firewalls today. Stateful inspection functions at the Network layer and tracks all connections. Stateful packet filters are dynamic in nature, so they change as the flows change. A state table is used to determine whether a packet's expected properties match. If they match, the packet is valid and is passed. If the expected properties don't match, the packet is dropped. They are more versatile than the other technologies discussed here.
Figure 4-4 Stateful packet filters.

Application Inspection Firewalls
These firewalls are important because not all protocols can be protected with simple packet filters. Some applications negotiate ports dynamically or even redirect connections, and some applications need to be NATed above the Network layer. Application-inspection firewalls perform inspection at Layers 3, 4, 5, and 7 of the OSI model.

Cut-Through Proxy
The cut-through proxy is a Cisco proprietary technology that permits traffic through the firewall based on a user's authentication. This cut-through proxy is transparent to the user after the initial authentication.

Network Address Translation
NAT and Port Address Translation (PAT) are a way to translate addresses inside of a packet as it passes through the firewall:
• NAT operates at Layer 3 and Layer 4.
• NAT allows the use of private addressing (RFC 1918).
• NAT hides the internal topology.
To configure NAT in the Adaptive Security Device Manager (ASDM), choose Configuration > NAT > Basic NAT > Launch Selected Task.

Cisco ACLs
Cisco ACLs give Cisco IOS its basic packet-filtering capabilities. ACLs can be used not only to permit or deny traffic that passes through an interface, but they can also be used by features such as QoS, routing protocols, VPNs, and NAT. An ACL can be either standard, extended, or named.

Configuring ACLs
Here are some facts you need to know before configuring ACLs:
• ACLs numbered 1 through 99 are standard IP ACLs.
• ACLs numbered 100 through 199 are extended IP ACLs.
• ACLs are filtered from the top down.
• Place specific statements at the top of the ACL.
Follow these guidelines when developing ACLs:
1. Base your ACLs on your security policy.
2. Write them out.
3. Set up a development system.
4. Apply and test.

To configure a standard ACL, use the access-list {1-99} permit | deny command as follows:
access-list 1 permit host 192.168.1.1
This standard ACL permits any type of IP traffic from 192.168.1.1.
To configure an extended ACL, use the access-list {100-199} permit | deny command as follows:
access-list 101 permit tcp any host 192.168.1.1 eq 22
This extended ACL permits the SSH protocol from any source to the specific destination of 192.168.1.1. The eq 22 at the end of the ACL indicates that we are matching traffic where the port number is equal to 22, or what is otherwise known as SSH.

Applying ACLs to Interfaces
To have the ACLs actually filter traffic, they must be applied to an interface. Use the ip access-group command to apply the ACL in either an inbound or an outbound fashion, as follows:
ip access-group 101 in

Optimizing ACLs with Turbo ACLs
Routers search an ACL in a linear fashion. Routers such as the Cisco 7200 series and the Cisco 7300 series can use Turbo ACLs to search ACLs in a lookup table. This reduces the CPU load on lookups when using larger ACLs. In addition, the time for a lookup is fixed, so latency in processing is reduced. This can significantly improve performance.

To configure Turbo ACLs, perform the following:
Switch(config)#access-list compiled
To verify your configuration, perform the following:
Switch#show access-list compiled

Working ACL Example
The following configuration on R1 demonstrates the use of multiple ACLs on a Cisco router. These ACLs control management access and allow access through the interface; they define the security policy for traffic passing through the interface. Many common threats are mitigated with these ACLs.
hostname R1
interface Ethernet0/0
 ip address 16.1.1.1 255.255.255.0
 ip access-group 126 in
interface Ethernet0/1
 ip address 16.2.1.1 255.255.255.0
 ip access-group 129 in
router ospf 44
 network 16.1.1.0 0.0.0.255 area 1
 network 16.2.1.0 0.0.0.255 area 1


.re.1. of Ute ACL those statetDP ments that mit':'used.1.0.p Iii ny secess -Li.2.2.2515.ci.st • • You don't see fheimplidt dLe!l'[yat the end o.23 any eq 513 0 dellY t ep !liny any eq 540 ]og tcp 0.[ 57 ] access -11s t 12!l dellY tcp ace e8S -list access-Hs.list access-Ltst access 129 1.a.2615 <llny 129 pe mit 129 pe I'lllit rang e 33.limited. 1 . . ..'4 11 <.'0". ACLs fl!re.danl.al'lge 0 65536 lLog nlnille '0 65535 allY r.0< 0 .ff the ]:ist.400..llg at tJl!i:e. Stan.lIl'1ge 0 66535 iLog ..0. but :it is the:.0. no:~ frhe~ype of traffic.'0" 0.og gt 11022 ilfcl~{lit 102.any any 16.t access -list ace ess .any iLog 12!l -118:t 12!l dellY !Hlpilny dellyi.fiHer:ing are evaluated only the source of the traffic.You 'by pl. !ildp HL:2.B 1. 34400 log. 129 dellY top . cal] iucrease pertormance II ACLs [learn the top down.265 gt !ildp 16". mOISt often.ill 0.0 nll'l!J!B' 512 61.29 pemit .any r<lln(lle '0 65535 '-'illY r.

SDM Firewall Wizard Selection

Two types of firewall configuration can be performed by the SDM. The first option is for a basic firewall; the second option is for an advanced firewall. A basic firewall uses default rules and just two interfaces. An advanced firewall uses a DMZ and lets you specify the rules. Spend some time becoming familiar with the "How Do I ..." section; the step-by-step help screens in SDM are extremely helpful.

Basic Firewall Configuration Wizard

If you click the Basic Firewall button in SDM, you are presented with a Use Case scenario, as shown in Figure 4-5. This scenario includes a firewall with just two interfaces. To perform this configuration, you must have at least two interfaces configured with IP addressing. Click the Launch the Selected Task button. By so doing, you initiate the Basic Firewall Configuration Wizard, which guides you through the following:

• Interfaces (defining trusted and untrusted interfaces)
• Security policy based on high, medium, or low levels
• Domain Name System (DNS) for name resolution
• A preview of the configuration

FIGURE 4-5 Basic Firewall Configuration Wizard.

Advanced Firewall Configuration Wizard

If you click the Advanced Firewall button in SDM, you are presented with a Use Case scenario, as shown in Figure 4-6. This scenario includes a firewall with a DMZ in addition to the two interfaces. To perform this configuration, you must have at least two interfaces configured with IP addressing. Click the Launch the Selected Task button. By so doing, you initiate the Advanced Firewall Configuration Wizard.

""".llt M 0ilJ !ti.""'.i:Ulrn""_liil ·.....'.:irl iil..ii'Rll'~~F~I' b_"''''~~'' lhiIa:i....k1iiu'mpl:l 'l'l'lIiMhllj.1.llritypoliJcy based on high. ...]I.ii'il/alllu b ~~i.<lIIow""to wE:! pW...on:l]giU:mHollJ Wi. N'1ih:oI1:r: ..tl"'W1.......1..[60] f~Gill.u .:frrl~"~ ~iM.. F~I.... l't"tl<'lkl...lii~ i'lUIIIL'IUIOIIi .~".gumUon . • foIiiJrIlllp J ..l1itenaoo DO]1[fiJg1J...~aJtiOIl yOi~] thm1l1lgl'iJ.... ~MlI ... i/o "torlol t."'t.'N"IIH~tl7I"" rnNJ~t.Irfl'":'I&o'ir7r v" .tlil. ..._a: "1"r:(I:Ip'Ti"P)INi:. ."""""U' lillb.....1 .o.~rIloi.". jl.:~ The Adw:!I'miced Firewall C.. I"IJjlJl' ~"II~. or low levels • nNE..1..•1"..l... for mume reselatlon • A preview of the .fJii A'1riIITIi1 'oIMlul'1i'~_1 ~lnl:is.n~E-6 4 Advanoedl FirewaJ! Configuration Wi!Za:rct .. ..<10.Uil\'jh(-I-s..lQ ...00.W. llill... ~1~.eonfi. thefonowing: interfaces] (del!1nh~g trusted.zmd. <lind DMZ • URLIUter1rllg • Secl. gllrdes ..r.fN"~"th:n ffliIf1~1iilJ :iji:n'l:. medium....". untrusted.nIINI~. IOMliq":'i>:il... t.:~i:ll~I!lQZlr.c~IW. h:'III'NIW IIIILI ~'[JI::iI!I'Ri"lIlWI'l'lw"::~l]r..i.r..

Cisco Security Appliance Product Family

A number of appliances compose the Cisco security appliance family, including the following:

• Cisco IOS Firewall
• Cisco PIX 500 series Security Appliance
• Cisco Catalyst 6500 series Firewall Service Module (FWSM)
• Cisco ASA 5500 series Adaptive Security Appliance

The following sections discuss these in detail.

Cisco IOS Firewall

The Cisco IOS Firewall is a stateful firewall option for Cisco IOS routers. The firewall capabilities augment the standard functions of a router, and most standard Cisco IOS functions are still available.

Inspection Rules

Inspection rules are a means to allow traffic to return to your network. These rules enable the router to inspect the return traffic and ensure that it is the same traffic type that is specified in the inspection rule. This creates a stateful process: return traffic is allowed only if it is a reply to a valid outbound request from the protected network. There are both default inspection rules that are provided for you and inspection rules that you create. When you view these rules in SDM, you will see both types. All rules and policies can be edited.

Benefits of the Cisco IOS Firewall include the following:

• Integrated perimeter and branch defense leveraging proven Cisco IOS routing, QoS, and voice and wireless technologies
• Distributed networkwide threat mitigation
• Ease of management and deployment
• Low total cost of ownership

Features of the Cisco IOS Firewall include the following:

• International Computer Security Association (ICSA)-certified stateful firewall
• Zone-based policy framework for intuitive policy management
• Application firewalling for web, e-mail, and other traffic
• Instant messenger and peer-to-peer application filtering
• VoIP protocol firewalling
• Virtualized firewalling via virtual routing and forwarding (VRF) firewall
• Bandwidth usage protection via integration with world-class Cisco IOS QoS
• Wireless integration
• Protection against worms, viruses, exploits, and a large variety of threats passing through any LAN/WAN interface
• Inspection of network/application traffic
• Non-WAN interface choices

Cisco PIX 500 Series Security Appliance

The market-leading Cisco PIX Security Appliance series delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions. Features of the Cisco PIX 500 series Security Appliance include the following:

• Stateful firewall
• Restricts access to critical network resources
• Typical use for site-to-site VPN
• Support for AAA
• Cut-through proxy
• Firewall virtualization
• Stateful failover
• Local URL whitelist/blacklist and content filtering
• Intuitive device management using ASDM
• Firewall monitoring using the Cisco Security Monitoring, Analysis, and Response System (CS-MARS), the SNMP Management Information Base (MIB), and syslog

Cisco ASA 5500 Series Adaptive Security Appliance

The Cisco ASA 5500 series provides intelligent threat defense and secure communications services that stop attacks before they impact business continuity. Designed as a key component of the Cisco Self-Defending Network, the Cisco ASA 5500 series enables organizations to lower their overall deployment and operations costs while delivering comprehensive multilayer security for networks of all sizes. The Cisco ASA 5500 series appliances integrate world-class firewall, IPS, unified communications (voice/video) security, and content security services in a flexible, modular product family. Benefits of the Cisco ASA 5500 series include the following:

• Physical device at the perimeter of the network between customer intranets and the intranets of partner companies
• Support for AAA
• Cut-through proxy
• Firewall virtualization
• Transparent firewall
• WebVPN
• Gigabit Ethernet ports
• Secure Sockets Layer (SSL) and IPsec VPN
• Enhanced inspection with the Anti-X edition (CSC-SSM) or the IPS edition (AIP-SSM)
• Advanced inspection and prevention services

Cisco FWSM

The FWSM, a high-speed, integrated firewall module for Cisco Catalyst 6500 series switches and Cisco 7600 series routers, provides the fastest firewall data rates in the industry: 5 Gbps throughput, 100,000 CPS, and 1M concurrent connections. Multiple FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. Based on Cisco PIX technology, the Cisco FWSM offers large enterprises and service providers unmatched security, reliability, and performance. The Cisco FWSM includes a number of advanced features that help reduce costs and operational complexity while enabling organizations to manage multiple firewalls from the same management platform. Features of the FWSM include all the major features previously listed for the Cisco PIX 500 series Security Appliance. Benefits of the Cisco FWSM include the following:

• It's an integrated module in the 6500 and 7600 series.
• Efficiency: designed to be added to the chassis at any time.
• Reliable: it uses time-tested PIX technology.
• Lower cost of ownership.
• Ease of use and productivity gains.
• Transparent firewall: the transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall, resulting in minimal changes to network topology.
• Resource manager: helps organizations limit the resources allocated to any security context, ensuring that one security context does not interfere with another.

Securing Networks with Cisco IOS IPS

IDS Versus IPS

There are many similarities between IDS and IPS, largely because IPS is the evolution of IDS technology. An IPS/IDS technology typically monitors the network or a specific host. An IPS/IDS that monitors the network is called a network IPS or IDS, or NIPS/NIDS. An IPS/IDS that monitors a specific host is called a host-based IPS or IDS, or HIPS/HIDS. These types of technologies are deployed as sensors because they "sense" malicious activity on a network segment.

What can IPS/IDS sensors be? A number of devices can be IPS/IDS. This means that IPS/IDS devices include purpose-built devices such as the Cisco 4200 series IPS sensors or the Cisco Intrusion Prevention Module (IDSM-2), which is a module that enhances the functionality of the Cisco Catalyst 6500 series switch. Other devices include the Cisco ASA with an AIP-SSM installed. Or a Cisco IOS router can run a software version that enables sensing of malicious network activity.

TABLE 5-1 IDS Versus IPS (the table itself is not legible in the scan): an IDS analyzes traffic out of band, so the initial attack packet still makes it through; an IPS sits inline and can stop it.

IPS is typically deployed inline, as shown in Figure 5-1, and IDS is deployed out of band, as shown in Figure 5-2. The main difference between the two is the deployment method.

FIGURE 5-1 IPS inline mode.

IPS/IDS technologies typically take one of two approaches. The first approach involves the use of signatures in detecting patterns of misuse. In signature pattern matching, the IPS/IDS looks for either atomic patterns or a composite pattern. An atomic pattern is a single packet, meaning the attack is in the form of one packet. A composite pattern comprises a sequence of operations, meaning the attack spans multiple packets. The second approach is profile based, using a profile of normal behavior. A network-based IDS/IPS is typically signature based, and a host-based IPS/IDS is typically profile based.

FIGURE 5-2 IDS out of band.

Types of IDS/IPS Sensors

There are four types of IDS/IPS sensors, and each has its advantages and disadvantages. Those four types are as follows:

• Signature based
• Policy based

• Anomaly based
• Honey pot based

Signature-based sensors are simple and generally reliable. They have fewer false positives than others. On the downside, they can't see or detect "day-zero" or unknown attacks. The signature design has been a good design; it is based on accurate attack signatures. Failure to keep current with the creation of new signatures (or at minimum signature updates) puts your network at risk.

Policy-based sensors are easy to configure. The idea is that if a user attacks, you can monitor that activity.

Anomaly-based sensors are usually based on a profile of "normal" behavior. They look for normal behavior and alert on anything that deviates. These sensors are not signature based and can detect unknown attacks; however, they are the most difficult to configure, and initially they can flood you with false positives.

Honey pot-based sensors are simply used to distract attackers.

HIPS

HIPS is used on host devices to prevent malicious activity. The Cisco Security Agent is one of these. The Cisco Security Agent is installed by default on many Cisco server-based products such as CallManager and Cisco Security Manager. There are headless agents (agents that do not report to a management server). The Cisco Security Agent provides day-zero protection against unknown attacks.

Types of Signatures

There are five types of signatures:

• Exploit signatures match on string patterns seen in specific exploits.
• Connection signatures are usually based on TCP or UDP port numbers and often identify traffic that is inadvertently allowed through the network.
• String signatures look for specific patterns for a fixed sequence of bytes. Often these signatures employ regular expressions.
• DoS signatures look for attacks that consume large amounts of bandwidth. Some common DoS attack tools include TFN, Stacheldraht, and Trinoo.
• State-tracking signatures track the state of TCP connections, IP fragmentation and reassembly of fragments, as well as sweeps and floods. These signatures are usually based on a threshold value that indicates levels of concern.

Signature Definition Files

Signature definition files (SDF) are a subset of signatures that are tuned for the router platform. A major benefit of using SDFs is that customers don't need to upgrade IOS; they just need to update the SDF. The SDF is loaded onto the device, and the device compiles the signatures. Certain memory requirements should be considered when using SDFs. Read the release notes at Cisco.com before deploying SDFs.

Distributed Threat Mitigation

Distributed threat mitigation (DTM) is a process in which IPS sensors work in collaboration with the Cisco CS-MARS to provide rapid threat mitigation on Cisco IOS IPS devices. The process is as follows:

1. A Cisco IPS appliance or Cisco IOS IPS device detects one or more matches to a signature and sends an alarm to CS-MARS.
2. CS-MARS analyzes and correlates the event with other raw events and determines, based on the MARS rules, what signature needs to be sent to the Cisco IOS IPS devices.
3. CS-MARS pushes the signature to the SDF file on the router in an "alarm only" mode.
4. The new signature alarms back to CS-MARS and in turn triggers a rule to drop those packets.
5. CS-MARS tracks the signatures on routers and adds and merges signatures as needed. CS-MARS also tracks the memory on the router and the memory used by the signatures it creates, and tracks IPS devices based on what the last signature update was.

Micro-Engines

A micro-engine is what the IPS sensor relies on to match signatures in a common category. Micro-engines have the following characteristics:

• They categorize a group of signatures.
• They are categorized by the protocol and fields that they scan.
• They define allowed patterns or ranges.
• They use your router's memory to load, compile, and run signatures in parallel to improve performance.

The following are the micro-engines in Cisco IOS Release 12.4(11)T:

• Atomic
• Service
• String
• Multi-string
• Other

You can find a detailed discussion about micro-engines in the Cisco IOS IPS documentation on Cisco.com.

There are four types of alarms:

• False positives are triggered when normal traffic fires an alarm. This is not a desired action.
• False negatives are attacks that go undetected. This is also not a desired action.
• True positives are attacks that are expected to fire an alarm and do. This is a desired action.
• True negatives are normal traffic that does not cause an alarm to fire. This is a desired action.

Security Device Event Exchange

The Security Device Event Exchange (SDEE) is a protocol that uses a pull mechanism to retrieve IPS events from the sensor. SDEE uses a secure session to return log files. Cisco IOS can also use syslog to send IPS events to a management station.

Configuring Cisco IOS IPS

Using SDM to Configure IPS Rules

The steps to configure an IPS via SDM are as follows:

1. Launch Cisco SDM using the installed launcher or a web browser.
2. Launch the IPS Rules Wizard.
3. Choose a router interface to which to apply the IPS rule.
4. Choose the traffic flow direction to be inspected by the IPS rules. You can inspect traffic as it comes in, as it leaves, or both.
5. Confirm the status of interfaces and signature files.
6. Configure signature attributes: severity, event actions, and parameters.
7. Save the Cisco IPS configuration to the router.

The following sections discuss this in further detail.

IPS Policies Wizard

The IPS Policies Wizard is a straightforward process. It is intended to assist in rapid deployment of an IPS on your router and enables you to tune the IPS configuration after its completion. Figure 5-3 shows the SDM IPS Policies Wizard Welcome page. After selecting Next, you are presented with a page from which you can select the interface that the IPS policy will be applied to and the direction of the IPS rule, as shown in Figure 5-4. Pay close attention to the direction here. If you apply the policy to the wrong interface or in the wrong direction, you may end up with undesired results.

FIGURE 5-3 The SDM IPS Policies Wizard Welcome page.

CHAPTER 5 CCSP SNRS Quick Reference by Brandon James Carroll

FIGURE 5-4 The SDM IPS Policies Wizard Select Interfaces page.

After clicking Next, you are presented with a page from which you can add an SDF or use the built-in signatures. If you choose to use the built-in signatures, just click Next. If you plan to use an SDF, you must add it. This might require logging in to the Cisco Software Center, acquiring the SDF file, and placing it in the router's flash memory or on an external server. Figure 5-5 shows this configuration page. If you click Next on the SDF Locations page, you are given a summary page for your IPS configuration. If you click the Finish button, the configuration is pushed out to your router. You can tune the configuration outside of the wizard.

.igID'".[ 76] Securing Netwark.2. you can select t:11eEdit IPS tab in SBM .. enter tbernll:mber 2004. C~!l see access the IPS 11. Here you policy. . with Chico IDS IPS F~GII.s. aad then click Go. In the Sig IDfield...elit:h1gs. In the. and the sJB[I~tl1!res. wm fiRer the view 5>0 that YOll <Ireseeil]g only .RE 5. the globrl~ s.By d£ioiP-down. This the IeMP echo l'eqJue!lt sigl'latlllJr-e. SIDF lcocaili:Oli16 pagle" Confiigur'i~ng Signatures To tune the IPS s'ignatures and their actlcns. View. choose S.II.-5 The SDM IPS Pt1!I~ce6 Wilza:rd.

FIGURE 5-6 Filtering the signature view.

Next, follow these steps to change the action:

1. Right-click the 2004 signature, and choose Actions.
2. Make sure that you select all the options that you want the IPS to perform, and then click OK.

Figure 5-7 shows the action options. The Drop action has not been selected, so if this signature were to be applied to the interface, it would only alarm on any ICMP echo requests; check the Drop action to drop and alarm.

FIGURE 5-7 The SDM signature action options.

Importing the Latest SDF

One of the common management tasks involved with IPS is the updating of IPS signatures as they are released. To install or import updates to the IPS signatures on a Cisco IOS IPS router, you must download the latest SDF file. After you have downloaded the file, you can use SDM to import it. Follow these steps to import the attack-drop.sdf file:

1. In SDM, open the Edit IPS tab.
2. Click the Import button, and choose From PC (as shown in Figure 5-8).

FIGURE 5-8 Importing the SDF.

Global Configuration

From the Global Settings tab, you can modify the SDEE settings, the syslog settings, and a number of other parameters that are related to the IPS function of the router. Figure 5-9 shows the Global Settings page.

FIGURE 5-9 IPS global settings.

Cisco IPS Product Family

The Cisco IPS technology runs on a variety of platforms, each with its own unique features. The following devices support Cisco IPS technology:

• ASA
• AIP-SSM

• Cisco IDSM-2
• IPS 4200 series sensors
• Cisco IPS Network Module

The Cisco ASA 5500 series Security Appliance is a key component in the Adaptive Threat Defense strategy. You can install an AIP-SSM in an ASA 5500. These modules come in two flavors, the AIP-SSM-10 and the AIP-SSM-20. The real differences in these modules are the amount of memory and processor. These AIP-SSMs run code similar to that of the Cisco IPS 4200 series sensors. You can extend the functionality of a Cisco Catalyst 6500 series with the Cisco Catalyst 6500 IDSM-2, which also runs similar code. Finally, you can extend IPS to the branch with a Cisco IDS Access Router Network Module.

Building IPsec VPNs

Overview of IPsec VPNs

An IPsec VPN is probably one of the most used network types today. Its benefits include the connectivity of branches, remote users, and partners over the Internet securely. The fact that this technology is so widely used makes it imperative that the fundamental concepts, technologies, and terms be understood. Basically, IPsec is an IETF standard (RFC 2401-2412) that enables us to send data over a public medium such as the Internet securely. To do this, IPsec must provide the following:

• Confidentiality with data encryption
• Integrity checks on the data transmitted with a checksum
• Authentication of the peer
• Antireplay

Encryption Keys and IKE

To provide the highest level of security, encryption keys must often be changed. To facilitate this key management, Cisco IOS uses Internet Key Exchange (IKE). IKE is responsible for the following:

• Negotiates security association (SA) keys
• Automatically generates encryption keys
• Automatically refreshes the encryption keys
• Ensures that two devices participating in an IPsec session have the same parameters

IPsec uses symmetric key encryption, meaning that each endpoint has the same key; the key is always protected by using something like a preshared or agreed-upon key or a digital certificate.

During the IKE process, the Internet Security Association and Key Management Protocol (ISAKMP) negotiates a secure channel. IKE can operate in three modes: main mode, aggressive mode, and quick mode. Quick mode is used in Phase 2. The IKE process is broken down into two phases, with an optional phase sometimes referred to as Phase 1.5. The process is as follows:

1. IKE Phase 1 negotiates the SA for the secure channel and performs peer authentication, in either main mode or aggressive mode. Main mode differs from aggressive mode in that aggressive mode compresses the negotiation into three packets and is a faster negotiation than main mode.
2. Phase 1.5 is where extended authentication (XAUTH) is performed. Extended authentication is used to provide user authentication of the user.
3. IKE Phase 2 performs transform-set negotiation. Using the Phase 1 SA as a secure channel, SAs are negotiated in quick mode for the user traffic that we want to protect, and two more SAs are generated.

Other functions that can be performed by IKE include the following:

• NAT Traversal (NAT-T)
• NAT detection

• NAT decision
• UDP encapsulation of IPsec packets
• Mode configuration options
• XAUTH

Encapsulating Security Payload and Authentication Header

The Authentication Header (AH, protocol 51) simply provides authentication of the data but provides no encryption services. ESP (protocol 50) is the core of IPsec, and it provides both authentication and encryption. ESP is the header that is placed in front of the encrypted data. ESP provides two modes, transport mode and tunnel mode.

FIGURE 6-1 ESP and AH.

When you use IPsec you can operate in one of two modes, transport mode or tunnel mode. Transport mode doesn't hide the original IP address; tunnel mode does. When tunnel mode is active, the packets are 20 bytes larger than in transport mode. This is because tunnel mode hides the original IP addresses and places a new IP header in front of the ESP header for routing. Tunnel mode is the Cisco default. Transport mode is often used together with generic routing encapsulation (GRE) tunnels, because the GRE header provides the routing header. Figure 6-2 shows these two modes.

FIGURE 6-2 Tunnel mode versus transport mode.

Encryption Keys

IPsec uses symmetric key encryption algorithms. These algorithms include the following:

• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advanced Encryption Standard (AES)

IPsec uses Hashed Message Authentication Code (HMAC) to provide message authentication and integrity checks. HMAC uses message digest algorithm 5 (MD5), a 128-bit hash function, or Secure Hash Algorithm 1 (SHA-1), a 160-bit hash function, to perform this task. SHA-1 is more secure; the trade-off is that it is slower than MD5 to compute. Only the first 96 bits of the SHA-1 output are used by IPsec.

AES is the U.S. government standard of encryption for nonclassified data. AES is capable of performing encryption using 128-bit, 192-bit, and 256-bit keys. The Diffie-Hellman (DH) key-agreement protocol is used to establish shared secret keys over an unprotected channel. For more information about Diffie-Hellman key agreement, refer to http://en.wikipedia.org/wiki/Diffie-Hellman.

Site-to-site VPN establishment is a five-step process, as shown in Figure 6-3:

1. Create an ISAKMP policy.
2. Configure an IPsec transform set.
3. Create a crypto ACL.
4. Create a crypto map to tie the configuration together, and apply it to the interface.
5. Modify interface ACLs to allow IPsec traffic.

You can perform all of these tasks via the CLI or via the SDM.
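The five steps carried through on the CLI for one side of a site-to-site tunnel, as an added example that is not taken from the quick reference. The peer addresses (203.0.113.x), LAN prefixes (192.168.x.0/24), the names TS-AES256-SHA, VPN-TRAFFIC, OUTSIDE-IN and SITE-TO-SITE, and the interface are all constructed assumptions; the preshared key is a placeholder.

```cisco
! Added example (not the book's own configuration). All addresses, names and
! the key are constructed placeholders; adapt them to the real topology.
!
! Step 1: ISAKMP (IKE Phase 1) policy, i.e. how the secure channel is built
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Preshared key for the remote peer (replace the placeholder before use)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Step 2: IPsec transform set (IKE Phase 2): ESP with AES-256 and SHA-1 HMAC,
! tunnel mode (the Cisco default, shown explicitly)
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3: crypto ACL selecting the "interesting" LAN-to-LAN traffic to protect
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Step 5 (defined before it is referenced): the inbound interface ACL must let
! IKE (UDP 500), NAT-T (UDP 4500), ESP (protocol 50) and AH (protocol 51)
! from the peer reach the router; everything else from outside stays denied
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
!
! Step 4: the crypto map ties peer, transform set and crypto ACL together ...
crypto map SITE-TO-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address VPN-TRAFFIC
!
! ... and is applied, with the interface ACL, to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map SITE-TO-SITE
```

The remote router gets the mirror image (peer 203.0.113.1, the source and destination networks in the crypto ACL swapped), and the ISAKMP policy and transform set must match on both sides or Phase 1 or Phase 2 fails. After sending traffic that matches VPN-TRAFFIC, show crypto isakmp sa should list the Phase 1 SA as QM_IDLE and show crypto ipsec sa should show encapsulated and decapsulated packet counters increasing.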

FIGURE 6-3 Site-to-site VPN process

Configuring IPsec Site-to-Site VPNs Using Cisco SDM

To configure an IPsec site-to-site VPN using Cisco SDM, begin by selecting VPN from the SDM interface. Follow these steps to complete the Site-to-Site VPN Wizard:

FIGURE 6-4 Site-to-Site VPN Wizard 1

FIGURE 6-5 Site-to-Site VPN Wizard 2

FIGURE 6-6 Site-to-Site VPN Wizard 3

FIGURE 6-7 Site-to-Site VPN Wizard 4

5. Click Next to take the default IKE proposal.
6. Click Next to take the default IPsec transform set.

7. Enter the networks that you want to protect, and then click Next, as shown in Figure 6-8.
Click Finish to apply the VPN configuration. Optionally, you can mirror the configuration for the other side of the connection or test the configuration after you have finished.

FIGURE 6-8 Site-to-Site VPN Wizard 5

Remote-Access VPNs

Cisco remote access is a two-part configuration, called Easy VPN, involving an Easy VPN server and an Easy VPN remote. The Easy VPN server is typically a Cisco IOS router or a small PIX firewall; the Easy VPN remote is usually a small office/home office (SOHO) router or a software VPN client.

Easy VPN Server Configuration

The Cisco SDM interface enables you to configure a Cisco Easy VPN remote-access connection. To configure an Easy VPN server to accept incoming VPN connection requests, complete these steps:
1. Click Easy VPN Server, as shown in Figure 6-9.

FIGURE 6-9 Easy VPN Server Configuration 1

2. Click Launch Easy VPN Server Wizard.
3. Click Next at the Welcome screen.

FIGURE 6-10 Easy VPN Server Configuration 2

5. Click Next to accept the IKE proposal.
6. Click Next to accept the default transform set.
7. Click Next to accept local user authentication.

FIGURE 6-11 Easy VPN Server Configuration 3

FIGURE 6-12 Easy VPN Server Configuration 4

Easy VPN Remote

To configure an Easy VPN remote, all that is really required is a download of the Cisco VPN Client. The install on a Windows machine is a standard install. After the application has been installed, you need to create a new profile for the connection to the Easy VPN server. You need the IP address of the Easy VPN server, the group you are authenticating to, and the password for the group (which is the preshared key). Figure 6-13 shows this configuration.
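The Easy VPN server that the wizard above builds, and the three values the client profile needs (server address, group, group password), expressed as Cisco IOS CLI. This is an added example, not from the Quick Reference; the group name, address pool, user name, both passwords and the interface are placeholders.

```text
! Added example, not from the Quick Reference: IOS CLI equivalent of
! the Easy VPN Server wizard above. Group name, pool, user name, both
! passwords and the interface are placeholders.

! Local user authentication (XAUTH) and local group authorization,
! as configured when you accept local user authentication.
aaa new-model
aaa authentication login EZVPN-USERS local
aaa authorization network EZVPN-GROUPS local
username vpnuser secret REPLACE-WITH-USER-PASSWORD

! IKE proposal. Easy VPN remotes use preshared (group) authentication
! and Diffie-Hellman group 2.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2

! The group the remote authenticates to. "key" is the group password,
! which the Cisco VPN Client profile calls the preshared key.
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group REMOTE-GROUP
 key REPLACE-WITH-GROUP-PSK
 pool EZVPN-POOL
 acl 120
! Split-tunnel ACL: only traffic to this subnet uses the tunnel.
access-list 120 permit ip 10.1.1.0 0.0.0.255 any

! Default transform set accepted in the wizard.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Dynamic crypto map, because the remote's address is unknown until
! it connects. reverse-route injects a route to the assigned address.
crypto dynamic-map EZVPN-DYN 10
 set transform-set ESP-AES-SHA
 reverse-route
crypto map EZVPN client authentication list EZVPN-USERS
crypto map EZVPN isakmp authorization list EZVPN-GROUPS
crypto map EZVPN client configuration address respond
crypto map EZVPN 10 ipsec-isakmp dynamic EZVPN-DYN
interface GigabitEthernet0/0
 crypto map EZVPN
```

In the VPN Client profile, the server address is the address of GigabitEthernet0/0, the group is REMOTE-GROUP, and the group password is the value given to "key"; the user name and password are then prompted for by XAUTH.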

FIGURE 6-13 Easy VPN remote

The Cisco VPN Product Family

Along with enabling you to configure VPNs on all Cisco routers, Cisco offers a wide array of VPN-enabled products that are application specific. It is important to consider the placement and the desired function of your devices when choosing a VPN solution. Here is a quick-reference list of the Cisco VPN product family:
• Cisco VPN 3000 series concentrators: 3005, 3015, 3020, 3030, 3060, 3080

• Cisco PIX 500 series Security Appliances and Cisco ASA 5500 series Adaptive Security Appliances: Cisco PIX 501, Cisco PIX 506E, Cisco PIX 515E, Cisco PIX 525, Cisco PIX 535, Cisco ASA 5510, Cisco ASA 5520, Cisco ASA 5540
• Site-to-site VPN and firewall routers: Cisco 1800 series, Cisco 2800 series, Cisco 3800 series
• Advanced Integration Module (AIM)
• Cisco IPsec VPN Shared Port Adapter (SPA)
• Scalable Encryption Processor (SEP)
• VPN Accelerator Card+ (VAC+)

Remember that in the end, the product you choose should emulate the functional requirements of your network. This should provide you with reliability, attack mitigation, and secure connectivity.

CCSP SND Quick Reference
Brandon James Carroll
Copyright Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
First Digital Edition October 2007

All rights reserved. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Warning and Disclaimer
Every effort has been made to make this digital Short Cut as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Short Cut. The opinions expressed in this digital Short Cut belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this digital Short Cut, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the digital Short Cut title and ISBN in your message.

Corporate and Government Sales
Cisco Press offers excellent discounts on this digital Short Cut when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales at corpsales@pearsontechgroup.com. For sales outside the United States, please contact International Sales at international@pearsoned.com.