
1999, Cisco Systems, Inc. www.cisco.com
Module 11:
Security Basics
11-2 CSE: Networking Fundamentals - Security 1999, Cisco Systems, Inc. www.cisco.com
Agenda
Why Security?
Security Technology
Identity
Integrity
Active Audit
All Networks Need Security
No matter the company size, security is important
An Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
Even small company sites are cracked
Why Security?
Three primary reasons
Policy vulnerabilities
Configuration vulnerabilities
Technology vulnerabilities
And people eager to take advantage of the vulnerabilities
Security Threats
Loss of Privacy: an eavesdropper on the path reads a Telnet login off the wire in the clear (telnet company.org, username: dan, password: mypassword, sniffed character by character)
Loss of Integrity: a bank customer's deposit of $1000 is altered in transit to $100
Denial of Service: the target's CPU is exhausted so it can no longer serve legitimate users
Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
Security Objective: Balance Business Needs with Risks
Access Security:
  Authentication
  Authorization
  Accounting
  Assurance
  Confidentiality
  Data Integrity
  Policy Management
Connectivity:
  Performance
  Ease of Use
  Manageability
  Availability
Network Security Components: Physical Security Analogy
Physical security                          Network security
Doors, locks, and guards                   Firewalls and access controls
Keys and badges                            Authentication
Surveillance cameras and motion sensors    Intrusion detection system
Complementary mechanisms that together provide defense in depth
Security Technology

Elements of Security
Policy (at the center of all three)
Identity
  Accurately identify users
  Determine what users are allowed to do
Integrity
  Ensure network availability
  Provide perimeter security
  Ensure privacy
Active audit
  Recognize network weak spots
  Detect and react to intruders
Security Technology: Identity

Identity
Uniquely and accurately identify users, applications, services, and resources
Mechanisms: username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
Username/Password
(Figure: dial-in user -> public network -> network access server (NAS) -> campus AAA server; PPP PAP carries the password to the NAS, which forwards the ID/password to the AAA server)
User dials in with password to the NAS
NAS sends ID/password to the AAA server
AAA server authenticates the user ID/password and tells the NAS to accept (or reject)
NAS accepts (or rejects) the call
PAP and CHAP Authentication
(Figure: dial-in user -> public network -> network access server; PPP with PAP or CHAP)
Password Authentication Protocol (PAP)
  Authenticates the caller only
  Passes the password in clear text, so anyone on the path can read it and replay it later
Challenge Handshake Authentication Protocol (CHAP)
  Can authenticate both sides (each peer may challenge the other)
  The password itself never crosses the link: the authenticator sends a random challenge and the peer returns a one-way MD5 hash of the challenge and the shared secret, so a captured response is useless against the next challenge
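The difference between the two PPP methods is easiest to see on the wire. The following is an added example in Python (not code from the Cisco deck): it builds a PAP request, then runs a CHAP challenge/response per RFC 1994 and shows that a captured response cannot be replayed. The user name, shared secret and 16-byte challenge size are constructed for the example; the MD5 input layout (Identifier || secret || Challenge) is the one RFC 1994 specifies.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example (not from the page): a dial-in user "dan"
# and the secret shared between the peer and the authenticator / AAA server.
USERNAME = "dan"
SHARED_SECRET = b"correct horse battery staple"


def pap_authenticate_request(username: str, password: bytes) -> bytes:
    """PAP (RFC 1334): the peer sends its ID and password over the link as-is."""
    return username.encode() + b"\x00" + password


def pap_leaks_password(wire_bytes: bytes, password: bytes) -> bool:
    """Anyone sniffing the PPP link can read (and later replay) the PAP password."""
    return password in wire_bytes


def chap_challenge(size: int = 16) -> bytes:
    """The authenticator generates a fresh, unpredictable challenge per attempt."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    Only this hash crosses the link; the secret itself never does."""
    return hashlib.md5(struct.pack("B", identifier) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the hash with its copy of the secret and compares
    in constant time. A wrong secret or a stale challenge yields a mismatch."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, authenticator_secret: bytes = SHARED_SECRET):
    """Run one CHAP exchange. Returns (success, bytes_seen_on_the_wire)."""
    identifier = 1                                   # per-exchange ID, echoed in the Response
    challenge = chap_challenge()                     # Challenge packet: authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # Response: peer -> authenticator
    ok = chap_verify(identifier, authenticator_secret, challenge, response)
    return ok, challenge + response


def chap_replay_is_rejected() -> bool:
    """A Response captured for one challenge is useless against the next one."""
    identifier = 7
    captured = chap_response(identifier, SHARED_SECRET, chap_challenge())
    return not chap_verify(identifier, SHARED_SECRET, chap_challenge(), captured)
```

Mutual authentication is the same exchange run in the other direction with the roles swapped. Note that CHAP still requires the authenticator (or the AAA server behind it) to hold the secret in a form it can hash, which is why a compromised AAA database is as bad as a compromised password list.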
One-Time Password
(Figure: dial-in user with a token card, soft token, or S/Key -> public network -> network access server -> campus AAA server and token or S/Key server; the ID/one-time password is forwarded at each hop)
Additional level of security; guards against password guessing and cracking
Prevents spoofing and replay attacks
Single-use password is generated by a token card or in software
Synchronized central server authenticates the user
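The S/Key variant shown in the figure needs no clock synchronisation: client and server walk down a hash chain, and the server stores only the last value it accepted. The following is an added example in Python (not the deck's code) of that chain, including the replay check. The pass phrase and seed are constructed, and SHA-256 stands in for the folded MD4 of RFC 1760 so the structure, not the digest, is the point.

```python
import hashlib
import hmac

# Constructed values (not from the page): the user's secret pass phrase and the
# per-user seed the server hands out with each challenge.
PASSPHRASE = b"OnlyDanKnowsThis"
SEED = b"nas01"


def skey_hash(data: bytes) -> bytes:
    """One link of the chain. RFC 1760 S/Key folds MD4 to 64 bits; SHA-256 is a stand-in."""
    return hashlib.sha256(data).digest()


def skey_chain_value(passphrase: bytes, seed: bytes, n: int) -> bytes:
    """n-th one-time password: H applied n times to H(seed || passphrase)."""
    value = skey_hash(seed + passphrase)
    for _ in range(n):
        value = skey_hash(value)
    return value


class SKeyClient:
    """Token card or soft token: holds the pass phrase and recomputes any chain value."""

    def __init__(self, passphrase: bytes, seed: bytes):
        self._passphrase = passphrase
        self.seed = seed

    def one_time_password(self, sequence: int) -> bytes:
        return skey_chain_value(self._passphrase, self.seed, sequence)


class SKeyServer:
    """Stores only the last accepted value and its sequence number, never the secret."""

    def __init__(self, seed: bytes, sequence: int, last_value: bytes):
        self.seed = seed
        self.sequence = sequence        # sequence number of the stored value
        self.last_value = last_value    # H^sequence(seed || passphrase)

    def challenge(self):
        """What the login prompt shows: the sequence number to answer with, and the seed."""
        return self.sequence - 1, self.seed

    def login(self, candidate: bytes) -> bool:
        """Accept iff H(candidate) == stored value, then move the stored value down one
        link so the same password can never be accepted twice."""
        if self.sequence <= 1:
            return False                # chain exhausted; the user must re-enrol
        if not hmac.compare_digest(skey_hash(candidate), self.last_value):
            return False
        self.last_value = candidate
        self.sequence -= 1
        return True


def enroll(passphrase: bytes, seed: bytes, n: int = 100):
    """Initialisation: the client computes H^n, the server stores it with count n."""
    client = SKeyClient(passphrase, seed)
    server = SKeyServer(seed, n, client.one_time_password(n))
    return client, server
```

An eavesdropper who captures password number 98 learns nothing usable: the next login needs number 97, which is a preimage of what was captured, and the captured value itself fails the server's check once it has been consumed.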
Authentication, Authorization, and Accounting (AAA)
Tool for enforcing security policy
Authentication: verifies identity ("Who are you?")
Authorization: configures integrity ("What are you permitted to do?")
Accounting: assists with audit ("What did you do?")
AAA Services
Centralized security database
High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
(Figure: a dial-in user reaches the network access server over the public network, and an Internet user reaches a gateway router/firewall that intercepts connections; both devices query the campus AAA server over TACACS+ or RADIUS and receive the ID/user profile)
Lock-and-Key Security
Dynamically assigns access control lists on a per-user basis
Allows a remote host to access a local host via the Internet
Allows local hosts to access a host on a remote network
(Figure: an authorized user reaches the corporate site across the Internet after authenticating; a non-authorized user is blocked)
Calling Line Identification
(Figure: Station A, ISDN number 1234, places a call; the call setup message carries the local ISDN numbers)
The call setup message arrives with the caller's ISDN number
The router compares it with its list of known numbers
The call is accepted only if the number is known
PPP CHAP authentication (optional) can follow
User Authentication with Kerberos
Authenticates users and the network services they use
Uses tickets or credentials issued by a trusted Kerberos server
Limited life span; can be used in place of the standard username/password mechanism
(Figure: a remote user (Kerberos principal) obtains a Kerberos credential (ticket) from the Kerberos server and presents the encrypted service credential to the Kerberized router to reach the mail server)
How Public Key Works
(Figure: two devices across a WAN, each with its own public/private key pair, end up sharing one DES key)
By exchanging public keys, two devices can derive a new unique key (the secret key) known only to them: this is Diffie-Hellman key agreement, and the derived secret becomes the symmetric (for example, DES) key that protects the traffic
Digital Signatures
Signing: Bob hashes his document to obtain a message hash, then encrypts the hash with Bob's private key; the result is the digital signature
Verifying: the recipient hashes the received document, decrypts the signature with Bob's public key, and compares the two hashes (Same?)
If verification is successful, the document has not been altered
Certificate Authority
Certificate Authority (CA) verifies identity
CA signs a digital certificate containing the device's public key
Certificate is equivalent to an ID card
Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
(Figure: a user and a bank on the Internet each hold a certificate issued by the CA)
Network Address Translation
Provides dynamic or static translation of private addresses to registered IP addresses
Eliminates readdressing overhead (large administrative cost benefit)
Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
Permits use of a single IP address range in multiple intranets
Hides internal addresses
Augmented by the EasyIP DHCP host function

Inside Local IP Address    Inside Global IP Address
10.0.0.1                   171.69.58.80
10.0.0.2                   171.69.58.81
(Figure: a packet from 10.0.0.1 leaves for the Internet with its source address (SA) rewritten to the inside global address from the table)
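The "port-level multiplexing" bullet is the part of NAT that matters for security: a dynamic PAT entry exists only because an inside host opened a flow, so unsolicited inbound packets have nothing to map to and are dropped, whereas a static translation deliberately exposes one inside host. The following is an added example in Python (not the deck's code) that models both behaviours. The inside local and inside global addresses are the ones from the table above; the outside server and client addresses and the port range are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Inside local <-> inside global translation at the Internet edge.

    static: fixed 1:1 mappings (an inside server reachable from outside).
    PAT:    every other inside host shares one inside global address; each flow gets its
            own global source port, and only replies to a known flow are translated back."""

    def __init__(self, pat_global_ip: str, static: Optional[dict] = None, first_port: int = 1024):
        self.pat_global_ip = pat_global_ip
        self.static = dict(static or {})                         # inside local -> inside global
        self.static_reverse = {g: l for l, g in self.static.items()}
        self.next_port = first_port
        self.pat_out = {}   # (local_ip, local_port, dst_ip, dst_port, proto) -> global_port
        self.pat_in = {}    # (global_port, dst_ip, dst_port, proto) -> (local_ip, local_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        gport = self.pat_out.get(key)
        if gport is None:                                        # first packet of a new flow
            gport = self.next_port
            self.next_port += 1
            self.pat_out[key] = gport
            self.pat_in[(gport, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.pat_global_ip, src_port=gport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or drop (None) if nothing maps."""
        if pkt.dst_ip in self.static_reverse:
            return replace(pkt, dst_ip=self.static_reverse[pkt.dst_ip])
        if pkt.dst_ip != self.pat_global_ip:
            return None
        entry = self.pat_in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if entry is None:
            return None                                          # unsolicited: no flow, no translation
        local_ip, local_port = entry
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)
```

The reverse lookup is keyed on the outside peer as well as the global port, so a third party cannot reach an inside host by guessing the port of someone else's flow. Real implementations also age entries out; this model keeps them forever, which is fine for a demonstration but not for a router.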
Security Technology: Integrity

Integrity: Network Availability
Ensure the network infrastructure remains available
Mechanisms: TCP Intercept, route authentication
TCP Intercept
(Figure: the router intercepts the connection request, establishes the connection with the client on the server's behalf, and then transfers the connection to the server)
Protects networks against denial of service attacks
TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination; the server only ever sees connections whose three-way handshake has completed
Can also be configured to passively monitor (watch) TCP connection requests and intervene if a connection fails to be established within a configurable interval, clearing the half-open connection from the server
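The two modes differ in who holds the half-open state during a flood. The following is an added simulation in Python (not IOS code and not from the deck) of a router in front of one server: in intercept mode the router answers SYNs itself and the server never sees the spoofed attempts; in watch mode the SYNs pass through and the router resets them after the timeout. The flood size, addresses, timeout and the single legitimate client are constructed.

```python
class TcpIntercept:
    """Router-side model of TCP Intercept (constructed simulation, not IOS code).

    intercept mode: the router answers each SYN with a SYN-ACK itself and only contacts
    the server once the client's ACK completes the handshake; spoofed SYNs never reach it.
    watch mode: SYNs pass through; if a handshake is not completed within `timeout`
    seconds the router sends the server a RST to clear the half-open entry."""

    def __init__(self, mode: str = "intercept", timeout: float = 30.0):
        assert mode in ("intercept", "watch")
        self.mode = mode
        self.timeout = timeout
        self.pending = {}              # client -> time its SYN was seen
        self.server_half_open = set()  # half-open entries the protected server is holding
        self.server_established = []   # connections actually completed to the server
        self.peak_server_half_open = 0
        self.resets_sent = 0
        self.aged_out = 0

    def on_syn(self, client, now: float) -> str:
        self.pending[client] = now
        if self.mode == "intercept":
            return "router sends SYN-ACK on the server's behalf"
        self.server_half_open.add(client)          # watch: the server allocates the half-open state
        self.peak_server_half_open = max(self.peak_server_half_open, len(self.server_half_open))
        return "SYN forwarded to server"

    def on_ack(self, client, now: float) -> bool:
        """Third handshake message from the client."""
        if client not in self.pending:
            return False
        del self.pending[client]
        self.server_half_open.discard(client)
        self.server_established.append(client)     # intercept: router now opens the server side and splices
        return True

    def tick(self, now: float) -> None:
        """Age out handshakes that never completed."""
        for client, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[client]
                if self.mode == "watch":
                    self.server_half_open.discard(client)
                    self.resets_sent += 1          # RST to the server frees its resources
                else:
                    self.aged_out += 1             # only the router ever held this entry


def simulate_syn_flood(mode: str, spoofed: int = 1000) -> dict:
    """Constructed scenario: `spoofed` SYNs from forged sources that never ACK, plus one
    legitimate client that does. Returns what the server experienced."""
    router = TcpIntercept(mode=mode, timeout=30.0)
    for i in range(spoofed):
        router.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i), now=0.0)
    legit = ("172.16.3.9", 51515)
    router.on_syn(legit, now=0.1)
    router.on_ack(legit, now=0.2)
    router.tick(now=30.0)
    return {
        "server_established": len(router.server_established),
        "peak_server_half_open": router.peak_server_half_open,
        "server_half_open_after_timeout": len(router.server_half_open),
        "resets_sent": router.resets_sent,
        "aged_out_on_router": router.aged_out,
    }
```

The trade-off the simulation makes visible: intercept mode moves the half-open queue onto the router, which must therefore have aggressive thresholds of its own, while watch mode leaves the server exposed for one timeout interval but adds no per-connection work on the router until something goes wrong.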
Route Authentication
(Figure: a home gateway exchanges route updates over the Internet with a trusted source)
Enables routers to identify one another and verify each other's legitimacy before accepting route updates
Ensures that routers receive legitimate update information from a trusted source
Integrity: Perimeter Security
Control access to critical network applications, data, and services
Mechanisms: access control lists, firewall technologies, content filtering, CBAC, authentication
Access Lists
Standard
  Filter on source address only
  Permit/deny the entire protocol suite
Extended
  Filter on source and destination addresses
  Inbound or outbound
  Port number
  Permit/deny specific protocols
Reflexive
Time-based
Policy Enforcement Using Access Control Lists
(Figure: inbound Telnet from the Internet is stopped at the home gateway)
Ability to stop or reroute traffic based on packet characteristics
Access control on incoming or outgoing interfaces
Works together with NetFlow to provide high-speed enforcement at network access points
Violation logging provides useful information to network managers
Importance of Firewalls
Permit secure access to resources
Protect networks from:
  Unauthorized intrusion from both external and internal sources
  Denial of service (DoS) attacks
What Is a Firewall?
All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration (a design requirement, not a given: the firewall host must be hardened, because a compromised firewall protects nothing)
Packet-Filtering Routers
(Figure: a router with ACLs separates the protected network (users, e-mail server) from a public-access web server and the ISP/Internet)
Proxy Service
(Figure: a proxy server sits between the internal network and the Internet/intranet)
Provides user-level security
Most effective when used with packet filtering
Stateful Sessions
(Figure: a firewall in front of the mail and WWW servers tracks sessions to and from the Internet)
Highest-performance security
Maintains complete session state
Connection oriented
Tracks the complete connection: establishment and termination
Strong audit capability
Easy to add new applications
Performance Requirements
(Figure: bandwidth scale from 0.5 to 40 Mb/s for video, audio, private link, and web commerce traffic between the company network and the Internet)
Integrity: Privacy
Provide authenticated private communication on demand
Mechanisms: VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
Encryption and Decryption
(Figure: encryption turns clear text into cipher text; decryption turns cipher text back into clear text)
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Implemented transparently in the network infrastructure: routers, firewalls, PCs, and servers
Scales from small to very large networks
IPSec Everywhere!
Router to router
Router to firewall
PC to router
PC to server
PC to firewall
IKE: Internet Key Exchange
Automatically negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec
(Figure: IKE policy tunnel. The initiator proposes 3DES, MD5, and RSA signatures, OR IDEA, SHA, and DSS signatures, OR Blowfish, SHA, and RSA encryption; the responder selects IDEA, SHA, and DSS signatures)
How IPSec Uses IKE
(Figure: Alice behind router A, Bob behind router B, IKE tunnel between the two routers)
1. Outbound packet from Alice to Bob; no IPSec security association yet
2. Router A's IKE begins negotiation with router B's IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by the IPSec SA
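The "authenticated Diffie-Hellman" in the IKE slide is what turns the How Public Key Works picture into something safe against an active attacker: the DH exchange gives both routers the same secret, and the pre-shared key proves who is on the other end. The following is an added example in Python serving both slides (not the deck's code and not a Cisco IKE implementation). It uses the 1024-bit MODP prime and generator 2 of Oakley group 2, transcribed from RFC 2409 section 6.2, and HMAC-SHA1 as the prf. The router identities and pre-shared keys are constructed, and HASH_I/HASH_R are simplified (the real ones also cover the cookies and the SA payload).

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KE_BYTES = 128          # 1024 bits


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf with the SHA hash option: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One IKE endpoint (router A or router B) configured with a pre-shared key."""

    def __init__(self, identity: bytes, pre_shared_key: bytes):
        self.identity = identity
        self.psk = pre_shared_key
        self.x = secrets.randbelow(P - 2) + 1       # private DH exponent, never sent
        self.ke = pow(G, self.x, P)                 # public value g^x, sent in the KE payload
        self.nonce = secrets.token_bytes(16)        # Ni or Nr

    def skeyid(self, nonce_i: bytes, nonce_r: bytes) -> bytes:
        """Pre-shared-key authentication: SKEYID = prf(psk, Ni | Nr) (RFC 2409 section 5.4)."""
        return prf(self.psk, nonce_i + nonce_r)

    def shared_secret(self, peer_ke: int) -> bytes:
        """g^xy: identical on both ends, unknown to anyone who saw only g^x and g^y."""
        return pow(peer_ke, self.x, P).to_bytes(KE_BYTES, "big")

    def auth_hash(self, skeyid: bytes, ke_self: int, ke_peer: int, identity: bytes) -> bytes:
        """Simplified HASH_I / HASH_R: proves knowledge of the PSK and binds the DH values."""
        return prf(skeyid, ke_self.to_bytes(KE_BYTES, "big")
                   + ke_peer.to_bytes(KE_BYTES, "big") + identity)


def ike_phase1(initiator: IkePeer, responder: IkePeer) -> dict:
    """Main mode, messages 3-6: exchange KE values and nonces, then identities and hashes."""
    ni, nr = initiator.nonce, responder.nonce
    skeyid_i = initiator.skeyid(ni, nr)
    skeyid_r = responder.skeyid(ni, nr)
    # Each side proves it holds the PSK over its own view of the exchange...
    hash_i = initiator.auth_hash(skeyid_i, initiator.ke, responder.ke, initiator.identity)
    hash_r = responder.auth_hash(skeyid_r, responder.ke, initiator.ke, responder.identity)
    # ...and checks the peer's proof using its own SKEYID and the peer's claimed identity.
    i_accepts = hmac.compare_digest(
        hash_r, initiator.auth_hash(skeyid_i, responder.ke, initiator.ke, responder.identity))
    r_accepts = hmac.compare_digest(
        hash_i, responder.auth_hash(skeyid_r, initiator.ke, responder.ke, initiator.identity))
    gxy_i = initiator.shared_secret(responder.ke)
    gxy_r = responder.shared_secret(initiator.ke)
    authenticated = i_accepts and r_accepts
    # Keying material for the IPSec SAs (SKEYID_d) is derived from the DH secret.
    skeyid_d = prf(skeyid_i, gxy_i) if authenticated else None
    return {"authenticated": authenticated, "dh_agrees": gxy_i == gxy_r, "skeyid_d": skeyid_d}
```

The second test case is the one worth remembering: an impostor with the wrong pre-shared key still completes Diffie-Hellman perfectly well (dh_agrees is true), which is exactly why unauthenticated DH is vulnerable to an active attacker in the middle; only the HASH check, tied to the PSK, stops the SA from being created.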
Encryption: DES and 3DES
Widely adopted standard
Encrypts plain text, which becomes ciphertext
DES performs 16 rounds with a 56-bit key
Triple DES (3DES)
  The 56-bit DES algorithm runs three times (encrypt, decrypt, encrypt)
  112-bit triple DES uses two keys (the first and third passes share a key)
  168-bit triple DES uses three independent keys
Accomplished on a VPN client, server, router, or firewall
Breaking DES Keys
Exhaustive search is the only practical way to break DES keys (so far)
Would take hundreds of years on the fastest general-purpose computers (56-bit DES)
A specialized computer costing $1,000,000 could recover a key in about 3.5 hours on average (Source: M.J. Wiener, 1993)
The Internet enables multiple computers to work simultaneously
The Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes (January 1999)
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
Security Technology: Active Audit
Why Active Audit?
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems:
The hacker might be an employee or trusted partner
  Up to 80% of security breaches come from the inside (Source: FBI)
Your defense might be ineffective
  One out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
Your employees might make mistakes
  Misconfigured firewalls, servers, etc.
Your network will grow and change
  Each change introduces new security risks
Why Active Audit?
Network security requires a layered defense
  Point security PLUS active systems to measure vulnerabilities and monitor for misuse
  Network perimeter and the intranet
Security is an ongoing, operational process
  Must be constantly measured, monitored, and improved
Active Audit: Network Vulnerability Assessment
Assess and report on the security status of network components
Mechanisms: scanning (active, passive), vulnerability database
Active Audit: Intrusion Detection System
Identify and react to known or suspected network intrusion or anomalies
Mechanisms: passive promiscuous monitoring; database of threats or suspect behavior; communication infrastructure or access control changes
IDS Attack Detection
Signatures are classified by what they inspect (context = header, content = data) and by how many packets they need (atomic = single packet, composite = multiple packets):

                     Atomic (single packet)         Composite (multiple packets)
Context (header)     Ping of Death, Land Attack     Port Sweep, SYN Attack, TCP Hijacking
Content (data)       MS IE Attack, DNS Attacks      Telnet Attacks, Character Mode Attacks
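The distinction in the table is really a distinction in how much state the sensor must keep. The following is an added example in Python (not the deck's code, and not any vendor's signature set) that runs two atomic context signatures (Land, Ping of Death), one atomic content signature with a constructed pattern, and two composite context signatures (port sweep, SYN attack) over a constructed packet capture. The thresholds, time window, addresses and the Telnet pattern are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float            # seconds
    src: str
    dst: str
    proto: str           # "tcp" | "udp" | "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags, e.g. "S", "SA", "A"
    ip_len: int = 0      # IP total length of this fragment
    frag_off: int = 0    # fragment offset in 8-byte units
    payload: bytes = b""


# Atomic signatures: decided from a single packet.

def sig_land(p: Pkt) -> bool:
    """Land attack (context): a SYN whose source equals its destination."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport


def sig_ping_of_death(p: Pkt) -> bool:
    """Ping of Death (context): a fragment that would reassemble past 65535 bytes."""
    return p.proto == "icmp" and p.frag_off * 8 + p.ip_len > 65535


def sig_telnet_content(p: Pkt, pattern: bytes = b"/bin/sh") -> bool:
    """Content signature with a constructed pattern in Telnet data (assumption for the example)."""
    return p.proto == "tcp" and p.dport == 23 and pattern in p.payload


# Composite signatures: need state across packets.

class CompositeDetector:
    def __init__(self, window: float = 5.0, sweep_ports: int = 10, syn_threshold: int = 50):
        self.window = window
        self.sweep_ports = sweep_ports
        self.syn_threshold = syn_threshold
        self.syn_by_pair = defaultdict(deque)    # (src, dst) -> deque of (ts, dport)
        self.syn_by_dst = defaultdict(deque)     # dst -> deque of ts
        self.alerted = set()                     # alert once per (signature, key)

    def _prune(self, dq: deque, now: float, key=lambda item: item):
        while dq and now - key(dq[0]) > self.window:
            dq.popleft()

    def feed(self, p: Pkt) -> list:
        alerts = []
        if not (p.proto == "tcp" and "S" in p.flags and "A" not in p.flags):
            return alerts                        # only initial SYNs count
        pair = (p.src, p.dst)
        self.syn_by_pair[pair].append((p.ts, p.dport))
        self._prune(self.syn_by_pair[pair], p.ts, key=lambda item: item[0])
        if len({port for _, port in self.syn_by_pair[pair]}) >= self.sweep_ports:
            alert = ("port sweep", p.src, p.dst)
            if alert not in self.alerted:
                self.alerted.add(alert)
                alerts.append(alert)
        self.syn_by_dst[p.dst].append(p.ts)
        self._prune(self.syn_by_dst[p.dst], p.ts)
        if len(self.syn_by_dst[p.dst]) >= self.syn_threshold:
            alert = ("SYN attack", p.dst)
            if alert not in self.alerted:
                self.alerted.add(alert)
                alerts.append(alert)
        return alerts


def run_ids(packets) -> list:
    """Run every signature over a packet stream (sorted by time); return the alerts raised."""
    composite = CompositeDetector()
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if sig_land(p):
            alerts.append(("land attack", p.src))
        if sig_ping_of_death(p):
            alerts.append(("ping of death", p.src))
        if sig_telnet_content(p):
            alerts.append(("telnet content", p.src))
        alerts.extend(composite.feed(p))
    return alerts


def sample_traffic() -> list:
    """Constructed capture: benign web traffic, a Land packet, a Ping of Death fragment,
    a 12-port sweep, and a 60-SYN flood from spoofed sources."""
    pkts = [Pkt(0.0, "172.16.3.5", "172.16.4.13", "tcp", 40000, 80, "S"),
            Pkt(0.1, "172.16.4.13", "172.16.3.5", "tcp", 80, 40000, "SA"),
            Pkt(1.0, "172.16.4.13", "172.16.4.13", "tcp", 139, 139, "S"),                  # Land
            Pkt(2.0, "203.0.113.7", "172.16.3.10", "icmp", ip_len=1500, frag_off=8100)]   # 64800 + 1500 > 65535
    pkts += [Pkt(3.0 + i * 0.1, "203.0.113.5", "172.16.3.10", "tcp", 50000 + i, 20 + i, "S") for i in range(12)]
    pkts += [Pkt(10.0 + i * 0.01, f"198.51.100.{i % 200 + 1}", "172.16.3.20", "tcp", 1024 + i, 80, "S")
             for i in range(60)]
    return pkts
```

The atomic checks are stateless and cheap, which is why a sensor can run thousands of them per packet; the composite checks carry a sliding window per source/destination pair and so are the ones an attacker targets with slow scans that stay under the window, and the ones that exhaust sensor memory under a flood.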
Active Audit
Actively audit and verify policy
Detect intrusion and anomalies
Report
(Figure: a "universal passport" standing for the audit report)
Summary
Security is a mission-critical business requirement for all networks
Security requires a global, corporate-wide policy
Security requires a multilayered implementation
Basic Security and Traffic Management with Access Lists
Why Use Access Lists?
Deny traffic you do not want based on packet tests (for example, addressing or traffic type)
(Figure: a router joining a Token Ring segment (172.16.0.0) and an FDDI segment (172.17.0.0) to the Internet)
What Are Access Lists?
Standard
  Simpler address specifications
  Generally permits or denies the entire protocol suite
Extended
  More complex address specifications
  Generally permits or denies specific protocols
Access List Processes
(Figure: an incoming packet on E0 is tested against source and destination conditions; if permitted, it leaves as an outgoing packet on E0, optionally bringing up a dialer)
Access List Command Overview
Access lists are numbered (for IP, numbered or named)
Step 1: Set the parameters for this access list test statement (a list can consist of several statements)
  Router(config)#
  access-list access-list-number {permit|deny} {test conditions}
Step 2: Enable an interface to become part of the group that uses the specified access list
  Router(config-if)#
  {protocol} access-group access-list-number
How to Identify Access Lists
Access List Type        Number Range/Identifier
IP standard             1-99
IP extended             100-199
IP named                name (Cisco IOS 11.2 and later)
IPX standard            800-899
IPX SAP filters         1000-1099
AppleTalk               600-699
The number identifies the protocol and type; other number ranges exist for most protocols
TCP/IP Access Lists
Testing Packets with Access Lists
(Figure: frame header (for example, HDLC), packet (IP header), segment (for example, TCP header), data. The IP header supplies the protocol, source address, and destination address; the TCP header supplies the port number.)
Use access list statements 1-99 or 100-199 to test the packet; the outcome is permit or deny
Key Concept for IP Access Lists
Standard lists (1 to 99) test all IP packets on their source addresses
Extended lists (100 to 199) can test conditions of:
  Source and destination addresses
  Specific TCP/IP-suite protocols
  Destination ports
Wildcard bits indicate how to check the corresponding address bits (0 = check, 1 = ignore)
How to Use Wildcard Mask Bits
Bit value:   128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0 = check all address bits (match all)
0 0 1 1 1 1 1 1 = ignore the last 6 address bits
0 0 0 0 1 1 1 1 = ignore the last 4 address bits
1 1 1 1 1 1 0 0 = check the last 2 address bits
1 1 1 1 1 1 1 1 = do not check the address (ignore all bits in the octet)
0 means check the corresponding bit value
1 means ignore the value of the corresponding bit
How to Use the Wildcard any
Test condition: ignore all the address bits (match any)
Any IP address: 0.0.0.0 with wildcard mask 255.255.255.255 (ignore all)
Accept any address: 0.0.0.0 255.255.255.255; abbreviate the expression using the keyword any
How to Use the Wildcard host
Test condition: check all the address bits (match all)
An IP host address, for example 172.30.16.29, with wildcard mask 0.0.0.0 (check all bits)
Example: 172.30.16.29 0.0.0.0 checks all the address bits
Abbreviate the wildcard using the keyword host followed by the IP address, for example host 172.30.16.29
IP Standard Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} source [source-wildcard]
  Sets the parameters for this list entry
  IP standard access lists use numbers 1 to 99
Router(config-if)#
ip access-group access-list-number {in|out}
  Activates the list on an interface
Standard Access List Example 1: Permit my network only
(Figure: router with E0 to 172.16.3.0, E1 to 172.16.4.0 (host 172.16.4.13), and S0 to non-172.16.0.0 networks)
access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all, not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)

interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out
Standard Access List Example 2: Deny a specific host
(Figure: same topology as Example 1)
access-list 1 deny host 172.16.4.13
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

interface ethernet 0
ip access-group 1 out
Standard Access List Example 3: Deny a specific subnet
(Figure: same topology as Example 1)
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

interface ethernet 0
ip access-group 1 out
Extended IP Access Lists
Allow more precise filtering conditions
Check source and destination IP addresses
Specify an optional IP protocol port number
Use the access list number range 100 to 199
Extended Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} protocol source source-wildcard destination destination-wildcard [operator operand] [established]
  Sets the parameters for this list entry
  IP extended lists use a number in the range 100 to 199
Router(config-if)#
ip access-group access-list-number {in|out}
  Activates the extended list on an interface
Extended Access List Example: Deny FTP for E0
(Figure: same topology as the standard examples: E0 to 172.16.3.0, E1 to 172.16.4.0 with host 172.16.4.13, S0 to non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

interface ethernet 0
ip access-group 101 out
Note that the eq 20 line only matches connections addressed to port 20 (active-mode FTP data); passive-mode FTP data transfers use negotiated high ports and are not caught by this list.
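The wildcard-mask slides and the three standard and one extended examples above are all instances of one evaluation rule: compare only the bits the mask says to check, take the first matching statement, and fall through to the implicit deny. The following is an added example in Python (not IOS code and not from the deck) that parses the numbered access-list statements in the page's own syntax and evaluates packets against them. It supports only numbered IP lists, numeric ports, the eq/neq/lt/gt operators on the destination port and the established keyword; packets are plain dictionaries, which is an assumption for the example.

```python
from dataclasses import dataclass
from typing import Optional


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask means 'check', a 1 bit means 'ignore'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(address) ^ ip_to_int(base)) & care == 0


@dataclass
class Entry:
    action: str                    # "permit" | "deny"
    protocol: str                  # "ip", "tcp", "udp", "icmp" (standard lists use "ip")
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    port_op: Optional[str] = None  # eq | neq | lt | gt, applied to the destination port
    port: Optional[int] = None
    established: bool = False


def _take_address(tokens: list, wildcard_required: bool):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D [W.X.Y.Z]' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if wildcard_required or (tokens and tokens[0][0].isdigit()):
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"          # standard list: an omitted wildcard defaults to 0.0.0.0


def parse_access_list_line(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' statement (numbered IP lists only)."""
    tokens = line.split()
    assert tokens[0] == "access-list"
    number, action = int(tokens[1]), tokens[2]
    rest = tokens[3:]
    if 1 <= number <= 99:                                   # standard: source only
        src, src_wc = _take_address(rest, wildcard_required=False)
        return Entry(action, "ip", src, src_wc)
    if 100 <= number <= 199:                                # extended
        protocol = rest.pop(0)
        src, src_wc = _take_address(rest, wildcard_required=True)
        dst, dst_wc = _take_address(rest, wildcard_required=True)
        entry = Entry(action, protocol, src, src_wc, dst, dst_wc)
        if rest and rest[0] in ("eq", "neq", "lt", "gt"):
            entry.port_op, entry.port = rest.pop(0), int(rest.pop(0))
        if rest and rest[0] == "established":
            entry.established = True
        return entry
    raise ValueError(f"unsupported access list number {number}")


def _port_matches(entry: Entry, dport: int) -> bool:
    if entry.port_op is None:
        return True
    return {"eq": dport == entry.port, "neq": dport != entry.port,
            "lt": dport < entry.port, "gt": dport > entry.port}[entry.port_op]


def evaluate(entries: list, packet: dict):
    """Top-down, first match wins; anything unmatched hits the implicit deny.
    packet keys: src, dst, proto, dport (optional), ack (optional, for 'established').
    Returns (action, index of the matching entry or 'implicit')."""
    for index, e in enumerate(entries):
        if e.protocol != "ip" and e.protocol != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], e.src, e.src_wc):
            continue
        if not wildcard_match(packet["dst"], e.dst, e.dst_wc):
            continue
        if e.protocol in ("tcp", "udp") and not _port_matches(e, packet.get("dport", 0)):
            continue
        if e.established and not packet.get("ack", False):
            continue
        return e.action, index
    return "deny", "implicit"
```

Returning the index of the matching statement is the habit worth copying into any ACL tooling: most production ACL mistakes are ordering mistakes (a broad permit above a specific deny), and "which line matched" is the question you need answered when auditing one.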
Where to Place IP Access Lists
(Figure: routers A, B, C, and D with Ethernet (E0, E1), serial (S0, S1), and Token Ring (To0) interfaces)
Place standard access lists close to the destination (they test only the source address, so placing them near the source would cut that source off from everything)
Place extended access lists close to the source (they can match precisely, so unwanted traffic is dropped before it crosses the network)
Monitoring Access Lists
Router# show ip interface

Ethernet0 is up, line protocol is up
Internet address is 192.54.222.2, subnet mask is 255.255.255.0
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is 192.52.71.4
Secondary address 131.192.115.2, subnet mask 255.255.255.0
Outgoing access list 10 is set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachable are always sent
ICMP mask replies are never sent
IP fast switching is enabled
Gateway Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Router#
Monitoring Access List Statements
Router> show access-lists

Standard IP access list 19
permit 172.16.19.0
deny 0.0.0.0, wildcard bits 255.255.255.255
Standard IP access list 49
permit 172.16.31.0, wildcard bits 0.0.0.255
permit 172.16.194.0, wildcard bits 0.0.0.255
permit 172.16.195.0, wildcard bits 0.0.0.255
permit 172.16.196.0, wildcard bits 0.0.0.255
permit 172.16.197.0, wildcard bits 0.0.0.255
Extended IP access list 101
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23
Type code access list 201
permit 0x6001 0x0000
Type code access list 202
permit 0x6004 0x0000
deny 0x0000 0xFFFF
Router>
Summary
Access lists perform several functions within a Cisco router, including:
  Implement security/access procedures
  Determine whether packets need the dialer for WAN links
  Act as a protocol firewall
Extended access lists allow filtering on address, protocol, and application parameters
Use access lists to limit broadcast traffic from protocol overhead packets
Cisco PIX Firewall Configuration Guidelines
Command Line Guidelines
Information that you will need before you start configuring the PIX Firewall:
- Access modes
- Backup
- Default configuration
- Help information
- IP addresses
- Masks
Access Modes
The PIX Firewall command set is based on Cisco IOS technology and provides three administrative access modes:
* Unprivileged mode is available when you first access the firewall and displays the > prompt.
* Privileged mode displays the # prompt and lets you change the current settings. Any unprivileged command also works in privileged mode. Use the enable command to enter privileged mode and the disable, exit, or quit command to leave it.
* Configuration mode displays the (config)# prompt and lets you change the system configuration. All privileged, unprivileged, and configuration commands work in this mode. Use the configure terminal command to enter configuration mode and the exit or quit command to leave it.
Backups
You should back up your configuration in at least one of the following ways:

* Store the configuration in flash memory with the write memory command. Should the need arise, you can restore the configuration from flash memory with the configure memory command.

* Use the write terminal command to list the configuration, then cut and paste the output into a text file and archive that file. You can restore a configuration from a text file by entering configuration mode with configure terminal and pasting the configuration back in, either line by line or as a whole. The listing includes the enable and Telnet password hashes, so protect the archived file as carefully as the firewall itself.

* Store the configuration on another system: use the tftp-server command to specify the host first, then the write net command to store the configuration there.
Default Configuration
The default configuration commands are:

* nameif: identifies the interface name and specifies its security level. If you have more than two interfaces, you need to add a nameif command to the configuration for each interface.

* enable password: lists the encrypted privileged-mode password.

* passwd: lists the encrypted password for Telnet access to the PIX Firewall console.

* hostname: sets the PIX Firewall system name to pixfirewall. You can change this name or leave the default.

* names: lets you replace IP addresses with names from your native language to add clarity to your configuration. It is best to ignore this command until you have established network connectivity.
* interface commands: identify the speed of each interface, or whether the network interface card can automatically sense its speed and duplex. All interfaces are disabled by default; before you can use an interface you need to enable it by entering the interface command without the shutdown option.

  Example: interface ethernet 0 outside auto
           interface ethernet 1 inside auto

  The auto option of the interface command is not recommended. For best performance, specify the interface speed explicitly, such as 10baset, 10full, 100basetx, 100full, 1000basesx, 1000sxfull, or 4mbps or 16mbps for a Token Ring interface.

* mtu commands: set the maximum packet size, 1500 bytes for Ethernet or the appropriate size for a Token Ring interface.

* ip address commands: identify the IP address of each interface.
Help Information
* Help is available from the PIX Firewall command line by entering help or a question mark to list all commands. The number of commands listed differs by access mode: unprivileged mode offers the fewest commands and configuration mode the most. In addition, you can enter any command by itself on the command line and press Enter to view its syntax.
IP Addresses
* The PIX Firewall requires that the IP addresses in the ip address, static, global, failover, and virtual commands be unique; none of them may duplicate another.

* IP addresses are primarily one of these values:

- local_ip: an untranslated IP address on the internal, protected network. In an outbound connection originated from local_ip, the local_ip is translated to global_ip.

- global_ip: a translated global IP address from the pool, or an address declared with the global or static commands.

- foreign_ip: an untranslated IP address on an external network; foreign_ip is the address of a host on the external network.
Masks
- For PIX Firewall commands that accept network masks, specify the correct mask for a network address; for hosts, use 255.255.255.255. For the ip address command, use the network mask. For the global command, use the network's mask both for a PAT (Port Address Translation) address and when specifying a pool of global addresses.

Examples:

ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.2 netmask 255.255.255.224
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
access-list acl-out permit tcp any host 209.165.201.3 eq www
route outside 0 0 209.165.201.4 1
telnet 10.1.1.2 255.255.255.255
11-84
- The ip address commands specify the addresses of the inside and outside network interfaces.

- The nat command lets users start connections from the inside.

- The global command provides the PAT (Port Address Translation) address used for the translated connections from the inside.

- The static command maps an inside host to a global address for access by outside users. Host masks are always specified as 255.255.255.255.

- The access-list command permits any outside host to access the global address specified by the static command.

- The route statement specifies the address of the default router. The 0 0 entry indicates any host and its respective mask.

- The telnet command specifies a host that can access the PIX firewall unit's console using Telnet.
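A configuration check for the uniqueness rule stated on slide 11-82, applied to the example configuration and command summary above. This is an added Python example, not part of the Cisco course material: it extracts the addresses from the ip address, global and static commands (expanding a global range written as a.b.c.d-a.b.c.e, the syntax the dynamic NAT configuration later on uses) and reports any address that appears in more than one of those commands. SAMPLE_CONFIG is the slide's own example; BAD_CONFIG is a constructed variant that reuses the outside interface address as the PAT address, which is exactly what the rule forbids.

```python
import ipaddress

# The example configuration from the Mask slide (page content).
SAMPLE_CONFIG = """
ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.2 netmask 255.255.255.224
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
access-list acl-out permit tcp any host 209.165.201.3 eq www
route outside 0 0 209.165.201.4 1
telnet 10.1.1.2 255.255.255.255
"""

# Constructed for this example (not from the slides): the PAT address
# collides with the outside interface address.
BAD_CONFIG = SAMPLE_CONFIG.replace(
    "global (outside) 1 209.165.201.2", "global (outside) 1 209.165.201.1")


def expand_range(token):
    """Expand 'a.b.c.d' or 'a.b.c.d-a.b.c.e' (global pool syntax) into addresses."""
    if "-" in token:
        lo, hi = (ipaddress.IPv4Address(p) for p in token.split("-", 1))
        return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
    return [ipaddress.IPv4Address(token)]


def collect_addresses(config):
    """Return (command, interface, address, line) for every address the PIX
    requires to be unique: interface addresses, global pool/PAT addresses and
    the global_ip of each static. local_ip and foreign_ip are not covered."""
    found = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "address"]:
            # ip address <if> <addr> <mask>
            found.append(("ip address", tokens[2], ipaddress.IPv4Address(tokens[3]), raw))
        elif tokens[0] == "global":
            # global (<if>) <id> <addr|range> [netmask <mask>]
            for addr in expand_range(tokens[3]):
                found.append(("global", tokens[1].strip("()"), addr, raw))
        elif tokens[0] == "static":
            # static (<real_if>,<mapped_if>) <global_ip> <local_ip> netmask <mask> ...
            mapped_if = tokens[1].strip("()").split(",")[1]
            found.append(("static", mapped_if, ipaddress.IPv4Address(tokens[2]), raw))
    return found


def find_conflicts(config):
    """List (address, [commands]) for every address used by more than one command."""
    uses = {}
    for cmd, _iface, addr, _line in collect_addresses(config):
        uses.setdefault(addr, []).append(cmd)
    return sorted((str(a), c) for a, c in uses.items() if len(c) > 1)


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, find_conflicts(cfg) or "no address conflicts")
```

Running the script reports no conflicts for the slide's example and flags 209.165.201.1 as used by both ip address and global in the constructed variant. The same check works on the longer configurations later in this module, because it only looks at the three command forms and ignores nat, route and access-list lines.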
11-85
1. Without NAT
Figure: Two Interface Without NAT. Local Host 202.100.100.1 255.255.255.248 on the Internet side; Outside interface 202.100.100.2 255.255.255.248; Inside interface 202.100.100.9 255.255.255.248; inside hosts 202.100.100.10 through 202.100.100.14, mask 255.255.255.248, among them the Mail Server and Web Server. (The figure labels use 202.100.100.x; the configuration that follows uses 200.100.100.x for the same addresses.)
- transparent IP from outbound connections to inbound connections
- filtering with an access-list for connections from outbound to inbound
- all inbound connections to outbound, i.e. the Internet, are enabled
Using the commands in the network configuration.
11-86
Command Configuration without NAT
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list acl-out permit tcp any host 200.100.100.13 eq www
access-list acl-out permit tcp any host 200.100.100.14 eq pop3
access-list acl-out permit tcp any host 200.100.100.14 eq smtp
access-list acl-in permit ip any any
interface ethernet0 auto
interface ethernet1 auto
11-87
Command Configuration without NAT (continued)
ip address outside 200.100.100.2 255.255.255.248
ip address inside 200.100.100.9 255.255.255.248
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.100.100.13 200.100.100.13 netmask 255.255.255.255 0 0
static (inside,outside) 200.100.100.14 200.100.100.14 netmask 255.255.255.255 0 0
access-group acl-in in interface inside
access-group acl-out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.100.100.1 1
11-88
2. With Dynamic NAT
Figure: Two Interface With NAT (Dynamic NAT). Local Host 202.100.100.1 255.255.255.248 on the Internet side; Outside interface 202.100.100.2 255.255.255.248; Dynamic NAT range 202.100.100.9-14 255.255.255.248; Inside interface 100.100.100.1 255.255.255.248; inside hosts 100.100.100.2 through 100.100.100.6, mask 255.255.255.248.
- using legal IP addresses, assigned dynamically from the range, for connections from inbound to outbound
- filtering with an access-list for connections from outbound to inbound
- all inbound connections to outbound, i.e. the Internet, are enabled
Understanding Network Address Translation.
11-89
Command Configuration with Dynamic NAT
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list acl-out deny ip any any
access-list acl-in permit ip any any
interface ethernet0 auto
interface ethernet1 auto
11-90
Command Configuration with Dynamic NAT (continued)
ip address outside 200.100.100.2 255.255.255.248
ip address inside 100.100.100.1 255.255.255.0
nat (inside) 1 100.100.100.0 255.255.255.0 0 0
global (outside) 1 200.100.100.9-200.100.100.14
access-group acl-in in interface inside
access-group acl-out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.100.100.1 1
11-91
3. With Static NAT
Figure: Three Interface With NAT. Internet side 202.100.100.1 255.255.255.252; Outside interface 202.100.100.2 255.255.255.252; Port Address Translation addresses 202.100.100.5 and 202.100.100.6, mask 255.255.255.252; Static NAT for the DMZ servers: Web Server 90.90.90.2 255.0.0.0 published as 202.100.100.9 255.255.255.248, Mail Server 90.90.90.3 255.0.0.0 published as 202.100.100.10 255.255.255.248; DMZ interface 90.90.90.1 255.0.0.0; Inside interface 100.100.100.1 255.255.255.0; inside hosts 100.100.100.2 and 100.100.100.3, mask 255.255.255.0.
- using the Port Address Translation IP for connections from inbound to the Internet (outbound)
- using private IP for all inbound connections to the DMZ
- using legal IP for connections from the DMZ to outbound, i.e. the Internet
- all Internet connections to the DMZ (mail server and web server) are enabled
- filtering all ports except web and mail, and other application ports if used, from the Internet
Understanding Network Address Translation.
11-92
Command Configuration with Static NAT
nameif ethernet0 outside security0
nameif ethernet1 dmz security50
nameif ethernet2 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list acl-out permit tcp any host 202.100.100.9 eq www
access-list acl-out permit tcp any host 202.100.100.10 eq pop3
access-list acl-out permit tcp any host 202.100.100.10 eq smtp
access-list acl-in permit ip any any
11-93
Command Configuration with Static NAT (continued)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 202.100.100.2 255.255.255.252
ip address dmz 90.90.90.1 255.255.255.0
ip address inside 100.100.100.1 255.255.255.0
nat (inside) 1 100.100.100.0 255.255.255.0 0 0
global (outside) 1 202.100.100.5
global (outside) 1 202.100.100.6
11-94
Command Configuration with Static NAT (continued)
static (dmz,outside) 202.100.100.9 90.90.90.2 netmask 255.255.255.255 0 0
static (dmz,outside) 202.100.100.10 90.90.90.3 netmask 255.255.255.255 0 0
static (inside,dmz) 90.90.90.2 90.90.90.2 netmask 255.255.255.255 0 0
static (inside,dmz) 90.90.90.3 90.90.90.3 netmask 255.255.255.255 0 0
access-group acl-in in interface inside
access-group acl-in in interface dmz
access-group acl-out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 202.100.100.1 1
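The three-interface design above as a small Python model, added here as an example and not part of the Cisco course material. The security levels, the nat/global pair, the two DMZ statics and acl-out are taken from the configuration on slides 11-92 to 11-94; the functions answer the two questions a reviewer asks of such a configuration: which address a host presents when it goes towards a lower-security interface, and which inbound connections the outside interface accepts and where they are delivered. Two simplifications are assumptions of this model rather than facts from the slides: the first of the two PAT addresses is taken as the one in use, and the inside-to-DMZ statics are left out.

```python
import ipaddress

# Security levels from the nameif commands on slide 11-92.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# nat (inside) 1 100.100.100.0 255.255.255.0  +  global (outside) 1 202.100.100.5 / .6
NAT_RULES = {"inside": [(ipaddress.IPv4Network("100.100.100.0/24"), 1)]}
GLOBAL_POOLS = {("outside", 1): ["202.100.100.5", "202.100.100.6"]}

# static (real_if,mapped_if) global_ip local_ip: the DMZ servers as published on outside.
STATICS = [
    ("dmz", "outside", "202.100.100.9", "90.90.90.2"),    # web server
    ("dmz", "outside", "202.100.100.10", "90.90.90.3"),   # mail server
]

# access-list acl-out, applied inbound on the outside interface; implicit deny at the end.
# Port numbers are the well-known ports behind the www/pop3/smtp keywords.
ACL_OUT = [
    ("permit", "tcp", "202.100.100.9", 80),
    ("permit", "tcp", "202.100.100.10", 110),
    ("permit", "tcp", "202.100.100.10", 25),
]


def outbound_source(src_ip, src_if="inside", dst_if="outside"):
    """Source address a host on src_if presents on the lower-security dst_if.
    A static translates in both directions, so a DMZ server keeps its published
    address; inside hosts get the PAT address; None means no translation exists
    (the PIX would drop the connection)."""
    for real_if, m_if, g_ip, l_ip in STATICS:
        if real_if == src_if and m_if == dst_if and l_ip == src_ip:
            return g_ip
    ip = ipaddress.IPv4Address(src_ip)
    for network, nat_id in NAT_RULES.get(src_if, []):
        if ip in network:
            pool = GLOBAL_POOLS.get((dst_if, nat_id))
            # Assumption of this model: the first PAT address is the one in use.
            return pool[0] if pool else None
    return None


def inbound_target(global_ip, mapped_if="outside"):
    """(real_if, local_ip) that a static publishes under global_ip on mapped_if, else None."""
    for real_if, m_if, g_ip, l_ip in STATICS:
        if m_if == mapped_if and g_ip == global_ip:
            return real_if, l_ip
    return None


def acl_out_permits(proto, dst_ip, dst_port):
    """First-match evaluation; the outside ACL sees the global (untranslated) destination."""
    for action, p, host, port in ACL_OUT:
        if p == proto and host == dst_ip and port == dst_port:
            return action == "permit"
    return False  # implicit deny


def inbound_decision(proto, dst_ip, dst_port):
    """Lower-to-higher security traffic needs both an ACL permit and a static.
    Returns ('permit', real_if, local_ip) or ('deny', reason, None)."""
    if not acl_out_permits(proto, dst_ip, dst_port):
        return ("deny", "no acl-out entry", None)
    target = inbound_target(dst_ip)
    if target is None:
        return ("deny", "no static publishes the destination", None)
    return ("permit",) + target


if __name__ == "__main__":
    print("inside host 100.100.100.2 appears on the Internet as", outbound_source("100.100.100.2"))
    print("DMZ web server appears on the Internet as", outbound_source("90.90.90.2", "dmz", "outside"))
    for port in (80, 22):
        print("tcp to 202.100.100.9 port", port, "->", inbound_decision("tcp", "202.100.100.9", port))
```

The order of the two checks in inbound_decision mirrors the way the configuration is read during a review: acl-out is matched against the published (global) address, which is why its entries name 202.100.100.9 and 202.100.100.10 rather than the 90.90.90.x server addresses, and a permitted packet still needs a static before it can reach the DMZ. The PAT addresses 202.100.100.5 and .6 have no static and no ACL entry, so connections from the Internet to them are denied, which is the property the "filtering all ports except web and mail" bullet on slide 11-91 describes.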
11-95
How to configure it if your network looks like this?
Figure: exercise topology (the mask labels give the last octet of the mask, e.g. /252 = 255.255.255.252, /240 = 255.255.255.240, /248 = 255.255.255.248). INTERNET reached over ISDN and Frame Relay; a Cisco 1720 router, a Cisco 2509 access server with DialUp Users, a Cisco PIX, a NAT Server and a 3COM 3C892A. Link addresses: 192.1.1.1/252, 192.1.1.2/252, 192.237.117.214/240, 192.237.117.209/240. Outside and DMZ addresses: 206.182.235.225/248, 206.182.235.227/248, 206.182.235.228/248, 206.182.235.230/248; the DMZ holds the Web Server & Mail Server, DNS Server 1 at 206.182.235.229/248, and DNS Server 2. Inside: 192.168.1.1/24, Proxy Server 192.168.1.2/24, 192.168.1.3/24, 192.168.1.19/24, an IP unnumbered link, 192.168.11.99/24; IP for PCs: 192.168.1.5/24 to 192.168.1.15/24, 192.168.1.20/24 to 192.168.1.254/24, and 192.168.11.20/24 to 192.168.11.254/24.
Note: NAT inside to Internet with IP 206.182.235.238.
Note: NAT inside to DMZ with IP 206.182.235.226.