CCBOOTCAMP's CCIE Security Written Exam Study Guide

CCBOOTCAMP’s
CCIE Security Written Exam Study Guide
for the CCIE Security Written Exam version 3.0


     For questions about this workbook please visit: www.securityie.com




                                     CCBOOTCAMP
                              375 N. Stephanie Street
                              Building 21, Suite 2111
                                Henderson, NV 89014
                             1.877.654.2243 Toll Free

                                www.ccbootcamp.com




“Cisco,” the “Cisco Logo,” “CCNA,” “CCNP,” “CCDP,” “CCDA,” “CCIE,” “Cisco Certified
Network Associate,” “Cisco Certified Design Professional,” “Cisco Certified Design
Associate,” and “Cisco Certified Network Professional” are registered trademarks of
Cisco Systems, Inc. The contents contained herein are not associated with or endorsed
by Cisco Systems, Inc.

PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT.
THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMP’s CCIE Security Written Exam
Study Guide.

BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT.
IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THIS
PRODUCT.

License Agreement

CCBOOTCAMP’s CCIE Security Written Exam Study Guide is copyrighted. In addition, this
product is at all times the property of CCBOOTCAMP, and the customer shall agree to
use this product only for themselves, the licensed user. The license for the specific
customer remains valid from the purchase date until they pass their CCIE Security
written exam.

CCBOOTCAMP’s CCIE Security Written Exam Study Guide is licensed by individual
customer. This material cannot be resold, transferred, traded, sold, or have the price
shared in any way. Each specific individual customer must have a license to use this
product. The customer agrees that this product is always the property of CCBOOTCAMP,
and they are just purchasing a license to use it. A Customer’s license will be revoked
if they violate this licensing agreement in any way.

Copies of this material in any form or fashion are strictly prohibited. If for any
reason a licensed copy of this material is lost or damaged a new copy will be provided
free of charge, except for the cost of printing, shipping and handling.

Individuals or entities that knowingly violate the terms of this licensing agreement
may be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damages
will be limited to a maximum of $500,000.00 per individual and $2,000,000.00 per
entity. In addition, individuals or entities that knowingly violate the terms of this
license agreement may be subject to criminal penalties as are allowed by law.

The venue of any dispute, controversy, litigation or proceeding (formal or informal)
arising out of or pertaining to this licensing agreement or the subject hereof shall
lie exclusively in the County of Clark, State of Nevada. Provided, however, that if
any such dispute, controversy, litigation or proceeding requires or permits
jurisdiction in a federal court or agency of the United States, then venue shall lie
in no federal court or agency other than those located in (or nearest to) the County
of Clark, State of Nevada.

Term and Termination of License Agreement

This License is effective until terminated. Customer may terminate this License at any
time by destroying all copies of written and electronic material of said product.
Customer's rights under this License will terminate immediately without notice from
CCBOOTCAMP, if Customer fails to comply with any provision of this License. Upon
termination, Customer must destroy all copies of material in its possession or
control. The license for the specific user remains valid from the purchase date until
the user passes their lab exam pertaining to the purchased subscription. Once the
customer passes the relevant lab exam the license is terminated and all material
written or electronic in their possession or control must be destroyed or returned to
CCBOOTCAMP.

Warranty

No warranty of any kind is provided with this product. There are no guarantees that
the use of this product will help a customer pass any exams, tests, or certifications,
or enhance their knowledge in any way. The product is provided on an “AS IS” basis.

In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for any
incurred costs, lost revenue, lost profit, lost data, or any other damages regardless
of the theory of liability arising out of use or inability to use this product.

About the contributors:
Author – Brad Ellis

Brad Ellis (CCIE #5796, CCSI #30482, CSS1, CCDP, CCNP, MCNE, MCSE) works as a
network engineer and is CEO of CCBOOTCAMP. He has been dedicated to the
networking industry for over 12 years. Brad has worked on large scale security
assessments and infrastructure projects. He is currently focusing his efforts in the
security and voice fields. Brad is a dual CCIE (R&S / Security) #5796.

Contributing Author – Keith Barker


Mr. Barker is a full time instructor, content developer, and consulting engineer for
CCBOOTCAMP, a training subsidiary of Network Learning, Inc. Mr. Barker graduated
from the Control Data Institute in Los Angeles, CA in 1985. His past certification
experience includes Microsoft MCSE and Novell MCNE. Mr. Barker has worked with a
large range of Cisco security solutions including ASA, FWSM, IPS Sensors, IOS
Firewalls and IPSec and SSL VPN solutions. He has worked for Blue Cross,
Paramount Pictures and EDS. Mr. Barker previously was employed as an
Independent Consultant and Contract Trainer and as a Public Speaker. Mr. Barker
has been a technical instructor for over 15 years and currently maintains the
following certifications CCNA, CCNP, CCSP, CCDP, CCIE# 6783 (Routing and
Switching and Security), and CCSI# 21763.




Table of Contents
Introduction ...................................................................... xx
Chapter 1 Security Protocols ............................................... 1
      Authentication, Authorization and Accounting ............................... 1
             AAA Overview ........................................................................ 1
             Overview: AAA Security Services ........................................... 1
             AAA Terminology.................................................................... 3
             Benefits of Using AAA............................................................. 3
             AAA Configuration Process – Overview .................................. 4
             AAA Request for Comments (RFCs) ........................................ 4
      Remote Authentication Dial-In User Service (RADIUS) .................. 4
             Introduction ........................................................................... 4
             Background Information ........................................................ 4
             Authentication and Authorization........................................... 5
             Accounting ............................................................................. 6
             RADIUS Packet Format ............................................ 7
             RADIUS Packet Types .............................................. 7
             RADIUS Files ............................................................ 8
             RADIUS Attributes ................................................... 9
      IETF Attributes vs. VSAs............................................................... 22
      RADIUS Configuration Task List ................................................... 23
      AAA and RADIUS IOS Configuration ............................................. 24
      Named Method Lists for Authorization ......................................... 25
      Terminal Access Controller Access Control System plus (TACACS+) ... 26
             Introduction ......................................................................... 26
             TACACS+ Packet Format ...................................................... 26
             TACACS+ Encryption ............................................................ 28
             TACACS+ Authentication ...................................................... 28
             TACACS+ Authentication Example Sequence ........................ 29
             TACACS+ Authorization ........................................................ 29
             TACACS+ Authentication and Authorization Attributes ........ 30
             TACACS+ Accounting............................................................ 37
             TACACS+ Accounting Attributes ........................................... 37
      Attribute ...................................................................................... 37
      RADIUS and TACACS+ Compared ................................................. 41
      Cryptographic Algorithms ............................................................ 41
             Introduction ......................................................................... 41
             Symmetric Algorithms .......................................................... 42
                 Types ................................................................................. 43




          Computation Speed .............................................................. 43
       Asymmetric Algorithms ........................................................ 43
          Postal System – An Analogy .................................................. 43
       Hash Functions..................................................................... 44
       Digital Signatures................................................................. 44
       Advanced Encryption Standard (AES)................................... 44
          How secure is AES? .............................................................. 45
          Performance ........................................................................ 45
          Further Reading – AES RFCs and Books .................................. 45
       Data Encryption Standard (DES) .......................................... 46
       Triple DES (3DES) ................................................................ 46
          Performance ........................................................................ 46
Wireless Security Protocols .......................................................... 46
       Introduction ......................................................................... 46
       Extensible Authentication Protocol (EAP) ............................ 47
          EAP Packet Format ............................................... 47
          EAP Message Types .............................................................. 47
          EAP Flavors ......................................................................... 47
       Protected Extensible Authentication Protocol (PEAP) .......... 48
       Temporal Key Integrity Protocol (TKIP)............................... 48
       802.11i ................................................................................. 48
VPN Protocols .............................................................................. 49
       Introduction ......................................................................... 49
       Virtual Private Networks Defined ......................................... 49
       Virtual Private Networks Goals ............................................ 50
       Types of Virtual Private Networks ........................................ 51
          VPN Types – Based on Security .............................................. 51
          VPN Types – Based on Business Model .................................... 52
          VPN Types – Based on the OSI Model ..................................... 52
          VPN Types – Based on Network Connectivity and End-Points ..... 53
       Benefits of Virtual Private Networks .................................... 54
       VPN Security Protocols – IPSEC ........................................... 54
          IPSec Standards and Protocols ............................................... 55
       IPSec Terminology ............................................................... 56
          Anti-Replay ......................................................................... 56
          Data Authentication .............................................................. 56
          Data Confidentiality .............................................................. 57
          Data Flow............................................................................ 57
          Peer ................................................................................... 57




               Perfect Forward Secrecy (PFS) ............................................... 57
               Security Association ............................................................. 57
               Security Parameter Index (SPI) ............................................. 58
               Transform ........................................................................... 58
               Tunnel ................................................................................ 58
            IPSec Functionality .............................................................. 58
            IPSec Modes and Packet Encapsulation ................................ 59
               Encapsulating Security Payload (ESP) ..................................... 60
               Authentication Header (AH) ................................................... 61
               Tunnel Mode ........................................................................ 62
               Transport Mode.................................................................... 62
               Authentication Header vs. ESP ............................................... 62
               Further Reading ................................................................... 63
            VPN Security Protocols – Internet Key Exchange (IKE)........ 63
               IKE Benefits ........................................................................ 64
               IKE Protocols ....................................................................... 64
               IKE Phases .......................................................................... 64
               IKE Main Mode and Aggressive Mode ...................................... 65
               IKE Authentication................................................................ 66
     Creating IKE Policies .................................................................... 67
     Diffie Hellman .............................................................................. 68
            IPSEC and Fragmentation .................................................... 69
            IPSEC and GRE ..................................................................... 70
            IPSEC and QoS ..................................................................... 71
            Point to Point Tunneling Protocol ......................................... 72
            Configuration Summary: PPTP ............................................. 73
            Configuration Sample: Basic PAC Setup: ............................. 73
            Layer 2 Tunneling Protocol................................................... 74
               L2TP Benefits....................................................................... 75
               L2TP Implementation Topologies ............................................ 76
               L2TP Security ...................................................................... 77
     Chapter 1 Questions ..................................................................... 78
     Chapter 1 Answers ....................................................................... 92
Chapter 2 Application Protocols ......................................... 94
     Domain Name System (DNS)........................................................ 94
     Trivial File Transfer Protocol (TFTP)............................................. 97
     File Transfer Protocol (FTP) ......................................................... 99
     Hypertext Transfer Protocol (HTTP) ........................................... 100
     Secure Socket Layer (SSL) ......................................................... 103




     Simple Mail Transfer Protocol (SMTP) ........................................ 104
     Network Time Protocol (NTP) .................................................... 107
     Secure Shell (SSH) ..................................................................... 109
     Simple Network Management Protocol (SNMP) .......................... 112
     Lightweight Directory Access Protocol (LDAP) ........................... 114
     Active Directory ......................................................................... 115
     Remote Data Exchange Protocol (RDEP) .................................... 115
     Chapter 2 Questions ................................................................... 116
     Chapter 2 Answers ..................................................................... 122
Chapter 3 General Networking ........................................ 123
     Networking Basics / OSI Model.................................................. 123
     TCP/IP Model ............................................................................. 124
     Routing and Switching Concepts ................................................ 125
     Cisco Hierarchical Internetworking Model .................................. 125
     Distance-Vector Routing Protocols ............................................. 126
     Link-State Routing Protocols ...................................................... 127
     Hybrid Routing Protocols ........................................................... 127
     Routing Loops ............................................................................ 128
            Methods for Avoiding Routing Loops .................................. 128
     Route Summarization ................................................................. 128
     Tunnels ...................................................................................... 131
     Networking Standards................................................................ 131
            IEEE 802.x Protocols .......................................................... 131
            More 802.x standards......................................................... 132
            Cabling and connector standards ....................................... 132
     Protocol Mechanisms ................................................................. 133
            Connection-Oriented and Connectionless Service............... 133
            Maximum Transmission Unit (MTU).................................... 133
     Transmission Control Protocol (TCP).......................................... 134
            TCP Sliding Window (Data Transfer) .................................. 134
            TCP Flags (Control Bits) ..................................................... 135
     User Datagram Protocol (UDP)................................................... 135
     Address Resolution Protocol (ARP) ............................................ 136
            Passive Interface ............................................................... 137
            Jam Signal.......................................................................... 137
            Bridged Environment.......................................................... 137
            Routed Environment........................................................... 138
     General Bridging Rules ............................................................... 138
     LAN Switching ............................................................................ 139




Routing Information Protocol (RIP) & RIP V2 ............................ 139
      Split Horizon in a Hub and Spoke Network ......................... 140
Interior Gateway Routing Protocol (IGRP) ................................. 141
Open Shortest Path First (OSPF) ................................................ 142
      Other OSPF Features: ......................................................... 142
      OSPF Traffic Types: ............................................................ 142
      OSPF Area Types: ............................................................... 143
      Stub and Totally Stubby Area Similarities: ......................... 144
      Stub and Totally Stubby Area Differences: ......................... 144
      OSPF Peer Relationships: ................................................... 144
      Router Types: ..................................................................... 146
      LSA Types: ......................................................................... 147
      LSA Options Field: .............................................................. 148
      OSPF Summarization .......................................................... 148
      OSPF Metrics ...................................................................... 149
      Passive OSPF Interface ...................................................... 150
      OSPF Multicast Addresses .................................................. 150
      Default Routes ................................................................... 150
      OSPF Timers ....................................................................... 150
      OSPF Redistribution ........................................................... 150
      Basic OSPF Configuration: .................................................. 151
      Configuring Stub and Totally Stubby Areas: ....................... 151
      Configuring a Totally Stubby Network (ABR only): ............. 151
      OSPF Authentication .......................................................... 151
Enhanced Interior Gateway Routing Protocol (EIGRP) ............... 152
      Types of EIGRP Successors ................................................ 153
      Feasibility Condition ........................................................... 153
      Attributes of EIGRP ............................................................ 154
      EIGRP Tables...................................................................... 154
      Choosing routes ................................................................. 154
      Init Flag ............................................................................. 156
      EIGRP Stub Routing ........................................................... 157
      Simple Hub and Spoke Network ......................................... 157
      Route Summary.................................................................. 158
      Auto-Summarization .......................................................... 158
      Process ID for an Autonomous System .............................. 159
      Show IP Route EIGRP......................................................... 159
      Show Ip Eigrp Topology ..................................................... 160
      Show Ip Eigrp Neighbor ..................................................... 162




Border Gateway Protocol (BGP) ................................................. 163
       Situations that may require BGP: ....................................... 163
       Interior Border Gateway Protocol (IBGP) .......................... 164
       Exterior Border Gateway Protocol (EBGP) .......................... 164
       BGP Attributes ................................................................... 164
       Weight Attribute ................................................................ 164
       Local Preference Attribute.................................................. 165
       Multi-Exit Discriminator Attribute ...................................... 166
       Origin Attribute .................................................................. 167
       AS_path Attribute .............................................................. 167
       Next-Hop Attribute ............................................................. 168
       Community Attribute .......................................................... 169
       Cluster-List ........................................................................ 169
       Originator ID ...................................................................... 169
       BGP Neighbor Connectivity................................................. 170
       Synchronization/Full Mesh ................................................. 170
       Next-Hop-Self Command .................................................... 171
       Private AS numbers............................................................ 171
       BGP Path Selection ............................................................. 171
       Scalability Problems with Internal BGP (IBGP) .................. 172
       Peer Groups ....................................................................... 172
       Confederations ................................................................... 173
       Route Reflectors................................................................. 173
       Route Summary.................................................................. 173
       BGP Clusters ...................................................................... 174
High-Level Data Link Control (HDLC) ......................................... 174
Point-to-Point Protocol (PPP) .................................................... 174
Modems and Async ..................................................................... 175
IP Multicast ................................................................................ 176
Benefits of IP Multicast .............................................................. 176
       Multicast ............................................................................ 176
IGMP and CGMP Multicast Protocols ........................................... 177
       Designated Querier ............................................................ 178
IGMP Versions 1, 2, and 3 .......................................................... 178
       Multicast Addressing .......................................................... 180
Wireless Standards .................................................................... 181
Wireless/802.11b ...................................................................... 181
Wireless Networking Terms ....................................................... 182
802.1x Authentication ................................................................ 183




     802.11 On Its Own is Inherently Insecure ................................. 184
            Prevention.......................................................................... 184
            Detection............................................................................ 185
     Wireless Networks Are Targets for Intruders ............................. 185
            Interference and Jamming ................................................. 185
            MAC Authentication ............................................................ 186
            Ad Hoc versus Infrastructure Modes .................................. 186
            Service Denial or Degradation ............................................ 186
            Wireless Networks Are Weapons........................................ 186
            Authentication.................................................................... 187
            Key Management................................................................ 187
     802.11 Wired Equivalent Privacy (WEP)..................................... 187
            Security Extensions to WEP Are Required .......................... 188
     IPsec in a WLAN Environment .................................................... 188
     802.1x/EAP ................................................................................ 189
     EAP Authentication Protocols ..................................................... 191
            Lightweight Extensible Authentication Protocol (LEAP) ..... 191
            Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) ... 192
            Protected Extensible Authentication Protocol (PEAP) ........ 193
            WEP Enhancements............................................................ 195
            Cisco TKIP: Per-Packet Keying ........................................... 195
            Cisco TKIP—Message Integrity Check ................................ 196
     EAP Authentication Summary..................................................... 197
     Chapter 3 Answers ..................................................................... 207
Chapter 4 Security Technologies ..................................... 208
     Firewalls and Access Control ...................................................... 208
            Introduction ....................................................................... 208
            Choosing the Right Firewall................................................ 208
               Redundancy and Resiliency.................................................. 208
               High Throughput Support .................................................... 209
               Ease of Configuration.......................................................... 209
               Detailed Logging and Notification Support ............................. 209
            Types of Firewalls .............................................................. 209
               Packet-filtering Firewalls ..................................................... 210
               Stateful Firewalls................................................................ 211
               Application Gateways.......................................................... 212
               Host-Based Firewalls .......................................................... 214
     Anti-Virus and Anti-Spyware Solutions ...................................... 214




      Anti-Virus Software ............................................................ 214
      Anti-Spyware Software ...................................................... 215
      Content Filtering ................................................................ 215
Network Address Translation ..................................................... 217
      Introduction ....................................................................... 217
      Benefits .............................................................................. 217
      Terminology ....................................................................... 218
      More NAT Terminology ....................................................... 223
      Summary of NAT Commands .............................................. 223
      NAT Order of Operation ...................................................... 224
Configuring IPSec-Based VPNs (Pre-Shared Keys)..................... 225
Configuring Scalable IPSec-Based VPNs Using Digital Certificates .......... 236
      What are Digital Certificates?............................................. 236
      Introduction to Certificate Authorities (CA) ....................... 236
      Certificate Authority Support on Cisco Routers .................. 237
      Implementing IPSEC without CA Support........................... 238
      Implementing IPSEC with CA Support ................................ 239
      Implementing IPSEC with Multiple Root CAs ...................... 239
      How CA Certificates are used by IPSec Devices? ................ 240
      Registration Authorities ..................................................... 240
      CA Configuration Steps on Cisco Routers ........................... 240
      Verifying Keys and Certificates........................................... 246
      CA Configuration Example .................................................. 248
Configuring NAT & IPSec Together ............................................. 251
      Configuration for Router 3640-2b ...................................... 251
      Configuration for Router 3640-2b ...................................... 253
Intrusion Detection and Prevention ........................................... 255
      Introduction ....................................................................... 255
      What is Intrusion Detection?.............................................. 256
      Intrusion Detection Terminology........................................ 256
      Attack Identification and Analysis ...................................... 257
         Anomaly Detection ............................................................. 257
         Misuse Detection ................................................................ 258
         Protocol Analysis ................................................................ 259
      IDS placement.................................................................... 259
         Network-Based Intrusion Detection Systems (NIDS) ............... 259
         Host-Based Intrusion Detection Systems (HIDS) .................... 260
      Intrusion Detection – Response Techniques and Corrective Actions ....... 261
         TCP Reset ......................................................................... 261
               Blocking ............................................................................ 261
               Logging............................................................................. 262
            Intrusion Detection – Evasion Techniques ......................... 262
               Encryption ......................................................................... 262
               Flooding ............................................................................ 262
               Fragmentation ................................................................... 263
               Obfuscation ....................................................................... 264
            Cisco Threat Response (CTR) ............................................. 264
               Introduction ...................................................................... 264
               Benefits ............................................................................ 264
               Threat Response Investigation Levels ................................... 266
               Threat Response Predefined Policies ..................................... 266
               Multiphase Analysis ............................................................ 267
               Attack Scenarios ................................................................ 269
               EOL Status ........................................................................ 271
     Network-Based Application Recognition..................................... 272
     Identity Technologies................................................................. 273
            Introduction ....................................................................... 273
            Authentication Factors ....................................................... 273
            Some Identity Technologies ............................................... 273
               Static Usernames and Passwords ......................................... 273
               Aging Passwords ................................................................ 274
               One-Time Passwords (OTPs) ................................................ 274
               Smart Cards ...................................................................... 275
               Public Key Infrastructure (PKI)............................................. 275
               Kerberos ........................................................................... 275
               Biometrics ......................................................................... 276
               PGP and S/MIME ................................................................ 277
               802.1x .............................................................................. 277
     Chapter 4 Questions ................................................................... 279
     Chapter 4 Answers ..................................................................... 298
Chapter 5 Security Applications ....................................... 300
     Cisco Secure ACS ........................................................................ 300
            Introduction ....................................................................... 300
            Benefits .............................................................................. 300
            Cisco Secure ACS for Windows Architecture ....................... 301
            ACS Version 3.3 .................................................................. 303
               Software Requirements ....................................................... 303
      ACS Version 4.0 .................................................................. 304
          System Requirements ......................................................... 304
          Software Requirements ....................................................... 304
          Network and Port Requirements ........................................... 305
      Features and Benefits of version 4.0 .................................. 305
      Installing Cisco Secure ACS ................................................ 307
Administration of Cisco Secure ACS............................................ 308
          Reports and Activity ........................................................... 310
      Positioning ACS in your Network ........................................ 311
          Network Topology .............................................................. 311
          Remote-Access Policy ......................................................... 315
          Database .......................................................................... 316
          Network Speed and Reliability.............................................. 317
Cisco Secure PIX Firewall ........................................................... 317
      Introduction ....................................................................... 317
      Stateful Inspection Firewall Features ................................. 317
          Intrusion Detection ............................................................. 319
          URL Filtering ...................................................................... 319
          Access Control Lists (ACLs).................................................. 320
          Routing Options ................................................................. 321
          Customizable Administrative Roles ....................................... 321
          Customizable Syslog ........................................................... 321
      MANAGEMENT .................................................................... 321
          Cisco PIX Device Manager ................................................... 321
          Cisco Secure Policy Manager ................................................ 323
          Large-Scale Management Solutions ...................................... 323
      Two Key Components of Cisco PIX Firewalls ...................... 324
          Cut-Through Proxy ............................................................. 324
          Adaptive Security Algorithm ................................................ 325
          How Adaptive Security Algorithm works in PIX ....................... 326
      Features of PIX Software Version 6.3................................. 327
      Cisco PIX Appliance Models ................................................ 331
      PIX Firewall Licensing ........................................................ 335
          User Licenses..................................................................... 335
          Platform Licenses ............................................................... 336
          Feature licenses ................................................................. 336
          Encryption Licenses ............................................................ 336
      Adaptive Security Appliance Series .................................... 337
          Cisco ASA 5500 Series Adaptive Security Appliances............... 337
       Cisco Adaptive Security Device Manager ............................ 339
       Configuring Cisco PIX Firewalls.......................................... 340
          Changing Interface Names or Security Levels ........................ 340
          Configuring NAT and PAT .................................................... 341
       Saving Your Configuration.................................................. 344
       Configuration Examples - Two Interfaces without NAT or PAT ......... 345
       Two Interfaces with NAT and PAT ...................................... 347
       Site-to-Site VPN Configuration ........................................... 349
       Configuring Overlapping Networks..................................... 352
       Syslog Messages ................................................................ 353
Cisco IOS Firewall ...................................................................... 356
       Cisco IOS Firewall Features................................................ 357
Authentication Proxy.................................................................. 358
       Introduction ....................................................................... 358
       Working ............................................................................. 358
       Authentication Proxy Screens ............................................ 359
       Compatibility ...................................................................... 361
       Configuring Authentication Proxy ...................................... 361
Cisco IOS Firewall TCP Intercept................................................ 364
       Modes................................................................................. 365
       Configuration Sample ......................................................... 365
Cisco Context-Based Access Control (CBAC) .............................. 366
       Introduction ....................................................................... 366
       Traffic Filtering .................................................................. 366
       Traffic Inspection and DoS Attack Protection ..................... 366
       Limitations of CBAC ............................................................ 367
       CBAC - Working .................................................................. 367
       CBAC Deployment Scenarios .............................................. 369
       The CBAC Process............................................................... 369
       CBAC - Supported Protocols ............................................... 371
          Generic Inspection ............................................................. 371
          Application Specific Inspection ............................................. 371
       CBAC - Limitations.............................................................. 371
       Configuring CBAC ............................................................... 372
          Generic TCP/UDP Inspection ................................................ 376
          Port to Application Mapping ................................................. 378
Cisco Secure Intrusion Detection System ................................... 380
       Introduction ....................................................................... 380
       IDS/IPS Software .............................................................. 381
         New Features in Cisco IPS Software Version 5.0 ..................... 381
         Cisco IDS 4.1 Software Architecture ..................................... 383
      Cisco Intrusion Detection Sensors - Models ....................... 386
      Cisco Intrusion Detection Solution for Routers and Switches ......... 389
Cisco IDS / IPS Network Interfaces ........................................... 389
      Cisco Intrusion Detection Signatures ................................. 390
      Signature Categories .......................................................... 390
      Signature Engines .............................................................. 391
      Cisco IDS Alarm Levels....................................................... 392
      Tuning IDS Signatures ....................................................... 393
      Cisco Intrusion Detection Management .............................. 393
         Cisco IDS MC & IPS MC ....................................................... 394
      Cisco Intrusion Detection Event Monitoring ....................... 396
      Cisco IDS Management and Monitoring – Ports and Protocols .......... 398
      Cisco IOS IDS – Configuration............................................ 399
Cisco VPN 3000 Series Concentrators ........................................ 403
      Introduction ....................................................................... 403
      Concentrators .................................................................... 403
         Models .............................................................................. 403
         Models Comparison ............................................................ 404
      Management ...................................................................... 405
      New Features in Version 4.7 (software) ............................. 405
      Cisco VPN Concentrator Deployment Scenarios .................. 406
      VPN Clients ........................................................................ 406
Cisco Catalyst Service Modules................................................... 409
      Benefits .............................................................................. 410
      Firewall Services Module (FWSM) ...................................... 411
      Intrusion Detection System Service Module (IDSM)........... 412
      IPSEC VPN Services Module (VPNSM) ................................ 413
      SSL Services Module (SSLSM) ............................................ 413
MARS - Security Information Monitoring System........................ 414
      Introduction ....................................................................... 414
      Benefits .............................................................................. 415
      Appliances.......................................................................... 416
      System Description ............................................................ 416
         Local Controller .................................................................. 417
         Global Controller ................................................................ 417
         MARS Web Interface ........................................................... 418
         Reporting and Mitigation Devices.......................................... 418
           MARS installation and configuration: ................................. 419
     Cisco VMS – Security Management System ................................ 420
           Introduction ....................................................................... 420
           Application ......................................................................... 420
           Current Status .................................................................... 421
     Cisco Router and Security Device Manager (SDM) ...................... 421
           SDM enabling an IOS Router .............................................. 425
     Chapter 5 Questions ................................................................... 426
     Chapter 5 Answers ..................................................................... 445
Chapter 6 Security General .............................................. 448
           Security Policy Best Practices ............................................ 448
           Standards Bodies and Security Organizations .................... 451
           Vulnerabilities .................................................................... 456
           Know Your Enemy .............................................................. 457
           Hacking Methodology ......................................................... 459
           Common Attacks ................................................................ 460
           Countermeasures ............................................................... 466
           Information Security Standards ......................................... 469
               ISO 17799 ........................................................................ 469
               ISO 27001 ........................................................................ 469
               BS7799 ............................................................................. 470
               BCP 38.............................................................................. 471
     Chapter 6 Questions ................................................................... 472
     Chapter 6 Answers ..................................................................... 479
Chapter 7 Cisco General................................................... 480
           Access Control Lists (ACLs) ................................................ 480
               Basic IP Extended ACL ........................................................ 483
               ICMP ................................................................................ 484
               TCP .................................................................................. 484
               UDP .................................................................................. 484
           Logging .............................................................................. 488
           Show and Debug Commands .............................................. 492
           Controlling Access to a Cisco Router .................................. 502
               Line Authentication ............................................................. 502
               Local Authentication ........................................................... 503
               AAA Authentication ............................................................. 503
               Privilege Levels .................................................................. 504
               Enable and Enable Secret .................................................... 505
           Password Recovery ............................................................ 506
               Older Routers .................................................................... 507
               Newer Routers ................................................................... 509
           Encrypting Cisco Passwords ............................................... 509
           Disable Unnecessary Services ............................................ 510
               TCP and UDP Small Services ................................................ 510
               Finger ............................................................................... 510
               NTP .................................................................................. 510
               CDP .................................................................................. 510
               DHCP ................................................................................ 511
           Layer-2 Switching Security Features .................................. 511
               Media Access Control (MAC) Address Flooding........................ 511
               Port Security ..................................................................... 513
               VLAN “Hopping” ................................................................. 514
               VLAN Best Practices............................................................ 515
               Address Resolution Protocol (ARP) Attacks ............................ 515
               DHCP Snooping and Dynamic ARP Inspection......................... 515
               Spanning Tree Protocol (STP) Protection ............................... 516
     Chapter 7 Questions ................................................................... 518
     Chapter 7 Answers ..................................................................... 528
Chapter 8 New Topics ...................................................... 529
     Network Access Control (NAC) ................................................... 529
           Deployment modes............................................................. 532
               NAC in Band ...................................................................... 532
               NAC Out of Band ................................................................ 533
               Cisco Trust Agent (CTA) ...................................................... 534
               CTA Features ..................................................................... 535
           Adaptive threat defense (ATD) ........................................... 535
           Host Intrusion-prevention system (HIPS) .......................... 536
               Cisco Security Agent (CSA) ................................................. 537
               Cisco Security Agent Management Architecture ...................... 538
               Cisco Security Agent for IP Communication ........................... 539
           Easy Virtual Private Network (EZVPN) ............................... 540
           Easy VPN Client .................................................................. 540
           Easy VPN Remote ............................................................... 540
           Easy VPN Server................................................................. 541
           Secure Socket Layer Virtual Private Network (SSLVPN) ..... 542
           Cisco IOS IPS ..................................................................... 543
               Key Benefits ...................................................................... 543
               Actions for Detected Signatures ........................................... 543
            Handling Distributed Denial of Service (DDOS) attacks ...... 544
                Cisco Traffic Anomaly Detectors ........................................... 545
                Cisco Traffic Anomaly Detector Module.................................. 546
                Cisco Guard DDoS Mitigation Appliance ................................. 546
                Cisco Anomaly Guard Module ............................................... 547
            Cisco Security Management................................................ 548
                Cisco Adaptive Security Device Manager (ASDM).................... 548
                Cisco Router & Security Device Manager (SDM) ..................... 550
                Cisco Security Manager (CSM) ............................................. 556
            PIX and ASA version 7.x updates ....................................... 560
                General info....................................................................... 560
                Changed commands ........................................................... 561
      Chapter 8 Questions: .................................................................. 563
      Chapter 8 Answers: .................................................................... 565
INDEX .............................................................................. 566
Introduction

  This book is an updated version which is targeted towards version 2.0 of the CCIE
  Security written exam blueprint (350-018), as can be found at:

  http://www.cisco.com/web/learning/le3/ccie/security/wr_exam_blueprint_v2.html

  The written exam is a two-hour, multiple choice test with 100 questions covering areas
  such as security protocols, operating systems, application protocols, security
  technologies, and Cisco security applications. The exam is closed book and no outside
  reference materials are allowed.

  The book should be studied with other sources of information including (but not limited
  to):

  The current recommended book list which can be found at:

     http://www.cisco.com/web/learning/le3/ccie/security/book_list.html

  The recommended list of online resources, as can be found at:

     http://www.cisco.com/web/learning/le3/ccie/security/online_resources.html

  Also, it will be extremely helpful to attend relevant training courses and to hold a Cisco
  Certified Security Professional (CCSP) certification. The recommended list of courses can
  be found at:

     http://www.cisco.com/web/learning/le3/ccie/security/training.html

  If you prefer to study in a class environment and already have your CCSP certification,
  you are welcome to join a tailor-made Bootcamp focused on the written exam; more
  details can be found on our web site at: www.ccbootcamp.com.

  If you have any concerns, you are welcome to post them on www.securityie.com; we will
  actively monitor those forums and provide support and clarifications there.

  The CCIE certification is a two-step procedure: once you pass the written exam (which
  this book targets), you should start preparing for the lab exam, which will
  test your hands-on skills and abilities. The CCBootcamp recommended approach for the
  CCIE Security certification can be found on our web site at:

  http://www.ccbootcamp.com/collateral/ccbootcamp-security-approach-method.pdf

  Good Luck, CCBOOTCAMP Security team!

Chapter 1

Security Protocols

Authentication, Authorization and Accounting

     AAA Overview

     Authentication, Authorization, and Accounting, often abbreviated as AAA, is a security
     architecture that controls access to your network (authentication), what rights the
     user has once authenticated (authorization), and lastly what actions the user has
     performed while logged on to that network (accounting). The AAA network security
     services provide the primary framework through which you set up access control on
     your network devices. For a valid chain of evidence, it is important to identify and
     log who is accessing the network and what changes, if any, are being made.

     To better understand AAA, consider the simple example of operating an ATM machine,
     something almost every one of us has experienced at some time. Once the ATM card is
     inserted into the ATM, it immediately prompts for a PIN code. Upon entering the PIN,
     the software inside the machine validates it against a database running at the back
     end, probably in a remote location. This step can be equated with ‘Authentication’.
     If the user has inserted the proper ATM card along with the appropriate PIN code, he
     is successfully authenticated into the ATM system. On the other hand, if either the
     ATM card or the associated PIN is incorrect, this counts as a failed authentication
     attempt. Assuming successful authentication, the user now selects the ‘Withdraw
     Cash’ option. On receiving this user input, the ATM system has to validate a number
     of constraints, such as whether this particular account holder has sufficient
     balance to withdraw this amount and whether the figure is within the ‘maximum daily
     withdrawal’ limit. In terms of the AAA model, this is known as ‘Authorization’.
     Finally, let’s say that the bank that owns the ATM keeps a log of whatever the user
     does, right from the moment the user enters the kiosk and inserts his ATM card,
     enters the PIN, operates his account, and finally checks out. This is known as
     ‘Accounting’.

     Overview: AAA Security Services

     Authentication - Provides the method of identifying users, including login and
     password dialogs, challenge and response, messaging support, and depending on the
     security protocol you select, encryption.
Chapter 1: Security Protocols                                                            2


Authentication is the way a user is identified prior to being allowed access to the
network and network services. You configure AAA authentication by defining a
named list of authentication methods, and then applying that list to various
interfaces. The method list defines the types of authentication that are to be
performed and the sequence in which they will be performed. Also, the method list
must be applied to a specific interface before any of the defined authentication
methods will be performed. The only exception is the default method list, which is
automatically applied to all interfaces (as long as no other method list is applied to
that interface). A defined method list overrides the default method list.

All authentication methods, except for local, line password, and enable
authentication, must be defined through AAA. For information about configuring all
authentication methods, including those implemented outside of the AAA security
services, refer to the "Configuring Authentication" chapter in the Cisco IOS Security
Configuration Guide, available on the Cisco Documentation DVD and the Cisco
UniverCD Website located at: http://www.cisco.com/univercd.

Authorization - Provides the method for remote access control, including one-time
authorization or authorization for each service, per-user account list and profile, user
group support, and support of IP, IPX, ARA, and Telnet.

AAA authorization works by assembling a set of attributes that describe what the
user is authorized to perform. These attributes are compared to the information
contained in a database for a given user and the result is returned to AAA to
determine the user's actual capabilities and restrictions. The database can be located
locally on the access server or router or it can be hosted remotely on a RADIUS or
TACACS+ security server. Remote security servers such as RADIUS and TACACS+
authorize users for specific rights by associating Attribute-Value (AV) pairs, which
define those rights for the appropriate user. All authorization methods must be
defined through AAA. When AAA authorization is activated, it is applied equally to all
interfaces on the access server or router. For more information on configuring
authorization using AAA, refer to the "Configuring Authorization" chapter in the Cisco
IOS Security Configuration Guide.

Accounting - Provides the method for collecting and sending security server
information used for billing, auditing, and reporting, such as user identities, start and
stop times, executed commands, protocol sessions such as PPP, number of packets, and
number of bytes.

Accounting enables you to track the services users are accessing as well as the
amount of network resources they are consuming. When AAA accounting is
activated, the network access server reports user activity to the TACACS+ or
RADIUS security server (depending on which security method you have
implemented) in the form of accounting records. Each accounting record is
comprised of accounting AV pairs and is stored on the access control server. This
data can then be analyzed for network management, client billing, and/or auditing.
All accounting methods must be defined through AAA. When AAA accounting is
activated, it is applied equally to all interfaces on the access server or router. For
more information on configuring accounting using AAA, refer to the "Configuring
Accounting" chapter in the Cisco IOS Security Configuration Guide.

AAA Terminology

The diagram below illustrates the components of a basic AAA-enabled network. The
device labeled NAS is the Network Access Server. This can be any device, such as a
router or firewall, that is responsible for performing the AAA functions for the users
accessing the device or the network behind it. This device is therefore referred to as the
AAA Client. The AAA Client communicates with the AAA Server (Security Server)
using a security protocol such as Kerberos, TACACS+, or RADIUS. The AAA Server is
also referred to as a TACACS+ Server or a RADIUS Server, depending on the protocol
in use.




                  Figure 1-1 Components of an AAA Enabled Network




Benefits of Using AAA

AAA provides the following benefits:

•   Increased flexibility and control
•   Scalability
•   Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
•   Multiple backup systems

______________________________________________________________________________________
NOTE: The deprecated protocols, TACACS and Extended TACACS, are not compatible
with AAA (on Cisco Devices); if you select these security protocols, you will not be
able to take advantage of the AAA security services.
______________________________________________________________________________________

     AAA Configuration Process – Overview

     •   Enable AAA by using the aaa new-model global configuration command.
     •   If you decide to use a separate (external) security server, configure security
         protocol parameters, such as RADIUS, TACACS+, or Kerberos.
     •   Define the method lists for authentication by using the aaa authentication
         command.
     •   Apply the method lists to a particular interface or line, if required.
     •   (Optional) Configure authorization using the aaa authorization command.
     •   (Optional) Configure accounting using the aaa accounting command.
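
The six steps above as one IOS configuration, added here as a worked example; it is
not taken from the study guide or from Cisco documentation. It also shows the
method-list behaviour described earlier in this chapter: the default list is applied
to every line automatically, and the named list CONSOLE overrides it on the console
only. The server address 192.0.2.10 is from the documentation address range and both
secrets are placeholders; these are assumptions to replace.

```ios
! Added example (not from the study guide). Replace the placeholder secrets and
! the 192.0.2.x documentation address with real values.
!
! Step 1: enable AAA. No aaa authentication/authorization/accounting command is
! accepted until this line is present.
aaa new-model
!
! Step 2: external security server. RFC 2865/2866 ports are 1812/1813; the IOS
! defaults are the legacy 1645/1646, which most servers also still accept.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME-shared-secret
radius-server timeout 3
radius-server retransmit 2
!
! Local account used only when no RADIUS server answers. Note the semantics of
! "group radius local" below: IOS falls through to the next method when RADIUS
! is unreachable, not when RADIUS rejects the user.
username admin privilege 15 secret CHANGE-ME-local-password
!
! Step 3: method lists. 'default' is applied automatically to every line that
! has no named list; CONSOLE is a named list that never leaves the box, so a
! RADIUS outage or a mistyped shared secret cannot lock you out of the console.
aaa authentication login default group radius local
aaa authentication login CONSOLE local
!
! Step 4: apply the named list where the default is not wanted. The vty lines
! keep the default list; naming it here only makes that explicit.
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Step 5 (optional): exec authorization. The user's rights come back from the
! server as AV pairs in the Access-Accept, with local fallback.
aaa authorization exec default group radius local
!
! Step 6 (optional): accounting records at session start and stop, for exec
! (shell) sessions and for PPP (network) sessions.
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
```

Verify the result with `show aaa servers` (server state and counters) and, before
closing the session that applied it, open a second SSH session to confirm that
RADIUS login works; a failed shared secret shows up as the server being marked
dead and the local fallback account being used instead.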

     AAA Request for Comments (RFCs)

     A number of RFCs define the AAA architecture. A few of those are as follows:

     •   RFC 2903 ‘Generic AAA Architecture’
     •   RFC 2924 ‘Accounting Attributes and Record Formats’
     •   RFC 2975 ‘Introduction to Accounting Management’
     •   RFC 2989 ‘Criteria for Evaluating AAA Protocols for Network Access’

     More details about the above mentioned RFCs and others dealing with AAA can be
     found on the IETF AAA Charter Page located at:
     http://www.ietf.org/html.charters/aaa-charter.html.




Remote Authentication Dial-In User Service (RADIUS)

     Introduction

     The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by
     Livingston Enterprises, Inc. as an access server authentication and accounting
     protocol. The new RADIUS specification RFC 2865 obsoletes RFC 2138. The RADIUS
     accounting standard RFC 2866 obsoletes the previous RFC 2139.

     Background Information

     Communication between a network access server (NAS) and a RADIUS server is
     based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is
     considered a connectionless service. Issues related to server availability,
     retransmission, and timeouts are handled by the RADIUS-enabled devices rather
     than the transmission protocol.

     RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the
     RADIUS server is usually a daemon process running on a UNIX or Windows NT
     machine. The client passes user information to designated RADIUS servers and acts
     on the response that is returned. RADIUS servers receive user connection requests,
     authenticate the user, and then return the configuration information necessary for
the client to deliver service to the user. A RADIUS server can act as a proxy client to
other RADIUS servers or other kinds of authentication servers. The following is a
step-by-step explanation of the RADIUS AAA process:




   1. User initiates PPP authentication to the NAS.
   2. NAS prompts for a username and password (Password Authentication
      Protocol [PAP]) or issues a challenge (Challenge Handshake Authentication
      Protocol [CHAP]).
   3. User replies.
   4. RADIUS client sends an Access-Request carrying the username and the
      credential to the RADIUS server. With PAP the password travels in the
      User-Password attribute, hidden (rather than encrypted in the usual
      sense) by XORing it with MD5 output derived from the shared secret and
      the Request Authenticator; with CHAP the challenge and the user's CHAP
      response are sent instead, so the RADIUS server must hold the cleartext
      password to check them.
   5. RADIUS server responds with Access-Accept, Access-Reject, or
      Access-Challenge.
   6. The RADIUS client acts on the services and service parameters bundled
      with the Access-Accept (or on the Access-Reject).




   Figure 1-2 Interaction between a Dial-in User and a RADIUS Client and Server

Authentication and Authorization

The RADIUS server can support a variety of methods to authenticate a user. When it
is provided with the username and the original password given by the user, it can
support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.

Typically, a user login consists of a query (Access-Request) from the NAS to the
RADIUS server and a corresponding response (Access-Accept or Access-Reject) from
the server. The Access-Request packet contains the username, the hidden password,
the NAS IP address, and the NAS port. Early RADIUS deployments used UDP port
1645, which conflicts with the "datametrics" service. Because of this conflict,
RFC 2865 specifies the officially assigned port number 1812 for RADIUS
authentication/authorization. Most Cisco devices and applications offer support for
either set of port numbers. The format of the request also provides information
about the type of session that the user wants to initiate. For example, if the query is
presented in character mode, the inference is a character-mode Service-Type such as
Login (an exec user), but if the request is presented in PPP packet mode, the
inference is "Service-Type = Framed" and "Framed-Protocol = PPP".

When the RADIUS server receives the Access-Request from the NAS, it searches a
database for the username listed. If the username does not exist in the database,
either a default profile is loaded or the RADIUS server immediately sends an
Access-Reject message. This Access-Reject message can be accompanied by a text
message (a Reply-Message attribute) indicating the reason for the refusal.

In RADIUS, authentication and authorization are coupled together. If the username
is found and the password is correct, the RADIUS server returns an Access-Accept
response, including a list of attribute-value pairs that describe the parameters to be
used for this session. Typical parameters include service type (shell or framed),
protocol type, the IP address for the user (static or dynamic), access list(s), or a
static route to install in the NAS’s routing table. The configuration information in the
RADIUS server defines what will be installed on the NAS. The figure below illustrates
the RADIUS authentication and authorization sequence.




   Figure 1-3 RADIUS Authentication and Authorization Sequence

Accounting

The accounting features of the RADIUS protocol can be used independently of
RADIUS authentication or authorization. The RADIUS accounting functions allow data
to be sent at the start and end of sessions (Accounting-Request packets with an
Acct-Status-Type of Start or Stop), indicating the amount of resources (such as
time, packets, bytes, and so on) used during the session. An Internet service
provider (ISP) might use RADIUS access control and accounting software to meet
special security and billing needs. The accounting port for RADIUS on most Cisco
devices defaults to 1646, but it can also be 1813, the officially assigned port
specified in RFC 2866 (the earlier RFC 2139 used 1646). Unlike an Access-Request, an
Accounting-Request carries no random authenticator: its Request Authenticator is an
MD5 hash over the packet and the shared secret, so the server can check that each
record came from a legitimate client before storing it.

Transactions between the client and RADIUS server are authenticated through the
use of a shared secret, which is never sent over the network: each reply from the
server carries a Response Authenticator, an MD5 hash over the reply and the secret,
which the NAS verifies before acting on the reply. In addition, the user password is
hidden between the client and RADIUS server so that someone snooping on an insecure
network cannot read it directly. Note the limits of that protection: only the
User-Password attribute is hidden (by XORing it with MD5 output keyed on the shared
secret and the Request Authenticator), every other attribute, the username included,
is sent in cleartext, and the hiding is no stronger than the shared secret, which
must therefore be long, random, and unique per client.
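
A worked RADIUS exchange in Python, added here as an example; it is not code from
the study guide, from Cisco, or from any RADIUS implementation. It covers both the
step-by-step exchange listed under Background Information and the password handling
described in this section: it builds the Access-Request of a PAP login over PPP,
hides the User-Password exactly as RFC 2865 section 5.2 specifies, answers it from a
simulated server with the AV pairs that authorize a framed PPP session, verifies the
Response Authenticator on the NAS side, and finally shows why the hiding is only as
strong as the shared secret by recovering the secret from one captured request whose
password is known. The user database, the shared secret, and the NAS address
192.0.2.1 are constructed for the demo, and nothing is sent on the network.

```python
"""Added example (not from the study guide): RADIUS Access-Request/Access-Accept per RFC 2865
with the User-Password hiding of section 5.2. Server simulated in-process; all data is constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL, REPLY_MESSAGE = 1, 2, 4, 6, 7, 18
SERVICE_FRAMED, PROTOCOL_PPP = 2, 1
USERS = {b"alice": b"s3cr3t-pw"}  # constructed server-side user database (assumption)

def encode_attrs(attrs):
    """Attributes are TLVs: type (1 octet), length (1 octet, header included), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 and XOR each block with MD5(secret + previous
    block), the first 'previous block' being the Request Authenticator. Only the secret hides it."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server-side inverse; strips the NUL padding, so passwords must not end in NUL."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def header(code, ident, auth, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def response_authenticator(code, ident, body, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, req_auth, body) + secret).digest()

def build_access_request(ident, secret, username, password, nas_ip=b"\xc0\x00\x02\x01"):
    """NAS side for a PAP login over PPP; the Request Authenticator is 16 random octets."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth)),
                         (NAS_IP_ADDRESS, nas_ip),
                         (SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED)),
                         (FRAMED_PROTOCOL, struct.pack("!I", PROTOCOL_PPP))])
    return header(ACCESS_REQUEST, ident, req_auth, body), req_auth

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def serve(pkt, secret):
    """Simulated server: check the revealed password and answer with the AV pairs that
    authorise the session (authentication and authorization share one Access-Accept)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok = code == ACCESS_REQUEST and USER_NAME in a and USER_PASSWORD in a and hmac.compare_digest(
        reveal_password(a[USER_PASSWORD], secret, req_auth), USERS.get(a[USER_NAME], b""))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED)),
                         (FRAMED_PROTOCOL, struct.pack("!I", PROTOCOL_PPP))] if ok
                        else [(REPLY_MESSAGE, b"bad credentials")])
    return header(rcode, ident, response_authenticator(rcode, ident, body, req_auth, secret), body)

def check_response(resp, req_auth, secret, expect_ident):
    """NAS side: drop any reply whose Identifier or Response Authenticator does not verify."""
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, resp[20:], req_auth, secret)
    if ident != expect_ident or not hmac.compare_digest(auth, expected):
        return None
    return code, attrs

def guess_secret(pkt, known_password, candidates):
    """Attacker view: one captured Access-Request whose plaintext password is known lets
    shared-secret guesses be tested offline against the hidden User-Password."""
    _, _, req_auth, attrs = parse_packet(pkt)
    hidden = dict(attrs)[USER_PASSWORD]
    return next((s for s in candidates if reveal_password(hidden, s, req_auth) == known_password), None)
```

To walk the exchange, call build_access_request for a user in USERS, pass the packet
to serve, and hand the reply to check_response together with the Request
Authenticator that build_access_request returned; a reply produced under a different
secret, or with a different Identifier, is discarded rather than acted on. The
guess_secret function is the reason the shared secret matters: the User-Password
hiding is a keystream of MD5(secret + authenticator), so anyone who captures one
request for a password they know can test secret guesses offline at MD5 speed.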