"1U YEARO TUPGRADE B YER PR ECTION PLAN
CISCO
MANAGING
NETWORK SECURITY
“Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.”
—David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA, President, Certified Tech Trainers
FREE Monthly Technology Updates One-year Vendor Product Upgrade Protection Plan
Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA
Oliver Steudler, CCNA, CCDA, CNE
Jacques Allison, CCNP, ASE, MCSE+I
TECHNICAL EDITOR: Florent Parent, Network Security Engineer, Viagénie Inc.
FREE Membership to Access.Globalknowledge
solutions@syngress.com
With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:
• A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
• Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
• Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
• Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
MANAGING CISCO NETWORK SECURITY:
BUILDING ROCK-SOLID NETWORKS
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  AWQ692ADSE
002  KT3LGY35C4
003  C3NXC478FV
004  235C87MN25
005  ZR378HT4DB
006  PF62865JK3
007  DTP435BNR9
008  QRDTKE342V
009  6ZDRW2E94D
010  U872G6S35N
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Managing Cisco Network Security: Building Rock-Solid Networks
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-17-2

Copy edit by: Adrienne Rebello
Technical review by: Stace Cunningham
Technical edit by: Florent Parent
Project Editor: Mark A. Listewnik
Proofreading by: Nancy Kruse Hannigan
Page Layout and Art by: Shannon Tozier
Index by: Robert Saigh
Co-Publisher: Richard Kristof
Distributed by Publishers Group West
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank you for the opportunity to serve you. We look forward to serving your needs again in the future. Warmest regards,
Duncan Anderson President and Chief Executive Officer, Global Knowledge
Contributors
Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedicated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute. Russell’s main area of expertise is in LAN routing and switching technologies and network security implementations. Chapters 3, 4, and 6.

David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades.

Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing and troubleshooting complex networks. Chapter 5.

Jacques Allison (CCNP, ASE, MCSE+I) has been involved with Microsoft-related projects on customer networks ranging from single domain and Exchange organization migrations to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management. He received his engineering diploma in Computer Systems in 1996 from the Technikon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997. Jacques would like to dedicate his contribution to this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support. Chapter 8.

John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years of experience in the implementation, design, and troubleshooting of local and wide area networks as well as four years of experience as an instructor. John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is currently pursuing his CCIE. He would like to dedicate his efforts on this book to his daughter, Sydney. Chapter 2.

Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security. Chapter 1.

Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group www.ccguru.com. Pritpal owes his success to his family and lifelong friend, Vaheguru Ji. Chapter 7.
Technical Editor
Florent Parent is currently working at Viagénie, Inc. as a consultant in network architecture and security for a variety of organizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, network manager, and educator. He is involved in the architecture development and deployment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec work groups. In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9.
Technical Reviewer
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force.
While in the Air Force, Stace was involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits, ensuring the level of cryptography appropriate to the classification of the information traversing each circuit and protecting the circuits themselves from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He is also a published author in “Internet Security Advisor” magazine. His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house. Without their love and support, he would not be able to accomplish the goals he has set for himself.
Contents
Preface  xxi

Chapter 1 Introduction to IP Network Security  1
    Introduction  2
    Protecting Your Site  2
    Typical Site Scenario  5
    Host Security  7
    Network Security  9
    Availability  10
    Integrity  11
    Confidentiality  12
    Access Control  12
    Authentication  13
    Authorization  14
    Accounting  15
    Network Communication in TCP/IP  15
    Application Layer  17
    Transport Layer  18
    TCP  18
    TCP Connection  20
    UDP  21
    Internet Layer  22
    IP  22
    ICMP  23
    ARP  23
    Network Layer  24
    Security in TCP/IP  24
    Cryptography  24
    Symmetric Cryptography  25
    Asymmetric Cryptography  26
    Hash Function  26
    Public Key Certificates  27
    Application Layer Security  28
    Pretty Good Privacy (PGP)  28
    Secure HyperText Transport Protocol (S-HTTP)  28
    Transport Layer Security  29
    Secure Sockets Layer (SSL) and Transport Layer Security (TLS)  29
    Secure Shell (SSH)  30
    Filtering  30
    Network Layer Security  31
    IP Security Protocols (IPSec)  31
    Filtering (Access Control Lists)  34
    Data Link Layer Security  34
    Authentication  34
    Terminal Access Controller Access Control System Plus (TACACS+)  34
    Remote Authentication Dial-In User Service (RADIUS)  35
    Kerberos  36
    Cisco IP Security Hardware and Software  37
    Cisco Secure PIX Firewall  37
    Cisco Secure Integrated Software  40
    Cisco Secure Integrated VPN Software  40
    Cisco Secure VPN Client  41
    Cisco Secure Access Control Server  41
    Cisco Secure Scanner  42
    Cisco Secure Intrusion Detection System  42
    Cisco Secure Policy Manager  43
    Cisco Secure Consulting Services  43
    Summary  44
    FAQs  45
Chapter 2 Traffic Filtering on the Cisco IOS  47
    Introduction  48
    Access Lists  48
    Access List Operation  49
    Types of Access Lists  50
    Standard IP Access Lists  52
    Source Address and Wildcard Mask  53
    Keywords any and host  56
    Keyword log  57
    Applying an Access List  58
    Extended IP Access Lists  59
    Keywords permit or deny  62
    Protocol  62
    Source Address and Wildcard Mask  62
    Destination Address and Wildcard Mask  63
    Source and Destination Port Number  63
    Established  65
    Named Access Lists  67
    Editing Access Lists  69
    Problems with Access Lists  70
    Lock-and-Key Access Lists  71
    Reflexive Access Lists  77
    Building Reflexive Access Lists  79
    Applying Reflexive Access Lists  82
    Reflexive Access List Example  82
    Context-based Access Control  84
    The Context-based Access Control Process  86
    Configuring Context-based Access Control  86
    Inspection Rules  89
    Applying the Inspection Rule  89
    Configuring Port to Application Mapping  91
    Configuring PAM  91
    Protecting a Private Network  92
    Protecting a Network Connected to the Internet  93
    Protecting Server Access Using Lock-and-Key  94
    Protecting Public Servers Connected to the Internet  96
    Summary  97
    FAQs  98
Chapter 3 Network Address Translation (NAT)  99
    Introduction  100
    NAT Overview  100
    Overview of NAT Devices  100
    Address Realm  101
    NAT  101
    Transparent Address Assignment  102
    Transparent Routing  103
    Public, Global, and External Networks  104
    Private and Local Networks  105
    Application Level Gateway  105
    NAT Architectures  106
    Traditional or Outbound NAT  106
    Network Address Port Translation (NAPT)  108
    Static NAT  109
    Twice NAT  111
    Guidelines for Deploying NAT and NAPT  113
    Configuring NAT on Cisco IOS  116
    Configuration Commands  116
    Verification Commands  121
    Configuring NAT between a Private Network and Internet  122
    Configuring NAT in a Network with DMZ  124
    Considerations on NAT and NAPT  127
    IP Address Information in Data  127
    Bundled Session Applications  127
    Peer-to-Peer Applications  128
    IP Fragmentation with NAPT En Route  128
    Applications Requiring Retention of Address Mapping  128
    IPSec and IKE  129
    Summary  129
    FAQs  130
Chapter 4 Cisco PIX Firewall  131
    Introduction  132
    Overview of the Security Features  133
    Differences Between IOS 4.x and 5.x  137
    Initial Configuration  139
    Installing the PIX Software  140
    Basic Configuration  140
    Installing the IOS over TFTP  143
    Command Line Interface  145
    IP Configuration  146
    IP Address  147
    Configuring NAT and NAPT  149
    Security Policy Configuration  153
    Security Strategies  153
    Deny Everything That Is Not Explicitly Permitted  154
    Allow Everything That Is Not Explicitly Denied  154
    Identify the Resources to Protect  156
    Demilitarized Zone (DMZ)  157
    Identify the Security Services to Implement  158
    Authentication and Authorization  158
    Access Control  159
    Confidentiality  159
    URL, ActiveX, and Java Filtering  160
    Implementing the Network Security Policy  160
    Authentication Configuration in PIX  160
    Access Control Configuration in PIX  163
    Securing Resources  165
    URL, ActiveX, and Java Filtering  168
    PIX Configuration Examples  170
    Protecting a Private Network  170
    Protecting a Network Connected to the Internet  172
    Protecting Server Access Using Authentication  174
    Protecting Public Servers Connected to the Internet  176
    Securing and Maintaining the PIX  182
    System Journaling  182
    Securing the PIX  184
    Summary  185
    FAQs  186
Chapter 5 Virtual Private Networks  189
    Introduction  190
    What Is a VPN?  190
    Overview of the Different VPN Technologies  190
    The Peer Model  191
    The Overlay Model  192
    Link Layer VPNs  192
    Network Layer VPNs  193
    Transport and Application Layer VPNs  194
    Layer 2 Tunneling Protocol (L2TP)  195
    Configuring Cisco L2TP  196
    LAC Configuration Example  197
    LNS Configuration Example  197
    IPSec  198
    IPSec Architecture  201
    Security Association  202
    Anti-Replay Feature  203
    Security Policy Database  203
    Authentication Header  204
    Encapsulating Security Payload  205
    Manual IPSec  205
    Internet Key Exchange  206
    Authentication Methods  207
    IKE and Certificate Authorities  208
    IPSec Limitations  209
    Network Performance  209
    Network Troubleshooting  210
    Interoperability with Firewalls and Network Address Translation Devices  210
    IPSec and Cisco Encryption Technology (CET)  210
    Configuring Cisco IPSec  211
    IPSec Manual Keying Configuration  212
    IPSec over GRE Tunnel Configuration  218
    Connecting IPSec Clients to Cisco IPSec  226
    Cisco Secure VPN Client  226
    Windows 2000  228
    Linux FreeS/WAN  229
    BSD Kame Project  230
    Summary  231
    FAQs  231
Chapter 6 Cisco Authentication, Authorization, and Accounting Mechanisms  233
    Introduction  234
    AAA Overview  234
    AAA Benefits  238
    Cisco AAA Mechanisms  239
    Supported AAA Security Protocols  239
    RADIUS  239
    TACACS+  243
    Kerberos  246
    RADIUS, TACACS+, or Kerberos  254
    Authentication  255
    Login Authentication Using AAA  258
    PPP Authentication Using AAA  261
    Enable Password Protection for Privileged EXEC Mode  263
    Authorization  263
    Configure Authorization  265
    TACACS+ Configuration Example  266
    Accounting  268
    Configuring Accounting  269
    Suppress Generation of Accounting Records for Null Username Sessions  271
    RADIUS Configuration Example  271
    Typical RAS Configuration Using AAA  271
    Typical Firewall Configuration Using AAA  276
    Authentication Proxy  280
    How the Authentication Proxy Works  280
    Comparison with the Lock-and-Key Feature  281
    Benefits of Authentication Proxy  282
    Restrictions of Authentication Proxy  282
    Configuring Authentication Proxy  283
    Configuring the HTTP Server  283
    Configure Authentication Proxy  284
    Authentication Proxy Configuration Example  285
    Summary  286
    FAQs  287
Chapter 7 Intrusion Detection
    Introduction
    What Is Intrusion Detection?
    Network Attacks and Intrusions
    Poor Network Perimeter/Device Security
    Network Sniffers
    Scanner Programs
    Network Topology
    Unattended Modems
    Poor Physical Security
    Application and Operating Software Weaknesses
    Software Bugs
    Web Server/Browser-based Attacks
    Getting Passwords—Easy Ways in
    Cracking Programs
    Trojan Horse Attacks
    Virus or Worm Attacks
    Human Failure
    Poorly Configured Systems
    Information Leaks
    Malicious Users
    Weaknesses in the IP Suite of Protocols
    Layer 7 Attacks
    Layer 5 Attacks
    Layer 3 and 4 Attacks
    Network and Host-based Intrusion Detection
    Netwo...