Table 13-11 lists the expected threats and mitigation actions found within the Campus module.
Table 13-11 Campus Module Threats and Threat Mitigation
Threat: Mitigation
Application layer attacks: Operating systems, devices, and applications are kept up to date with the latest security fixes and are protected by HIDSs.
Packet sniffers: A switched infrastructure limits the effectiveness of sniffing.
Port redirection: HIDSs prevent port redirection agents from being installed.
Trust exploitation: Private VLANs prevent hosts on the same subnet from communicating unless necessary.
Unauthorized access: HIDSs and application access control are used to mitigate unauthorized access.
Virus and Trojan-horse applications: Host-based virus scanning and host intrusion prevention prevents most viruses and many Trojan horses.
As mentioned in the Introduction, “All About the Cisco Certified Security Professional Certification,” you have two choices for review questions. The questions that follow next give you a more rigorous challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A.
For more practice with exam-like question formats, including questions using a router simulator and multiple choice questions, use the exam engine on the CD-ROM.
1. What modules are found within the small network design?
2. Where are private VLANs used in the small network design?
3. What two security devices can be used in the Corporate Internet module to connect to the ISP module?
4. Where would you use intrusion detection in the small network design?
5. VPN functionality is provided by what devices in the small network design?
6. The Corporate Internet module connects to which modules?
7. What are the two configuration types available in the small network design?
8. The Campus module provides functionality to what components?
9. Because no Layer 3 services are available in the Campus module, an increased emphasis is placed on _____ and security.
10. What is a common design deviation in the Corporate Internet module?
11. The Corporate Internet module provides what services?
Reference
Convery, Sean, and Roland Saville. “SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks.” Cisco Systems, Inc., 2001.
This chapter covers the following topics:
■ General Implementation Recommendations
■ Using the ISP Router in Small Networks
■ Using the Cisco IOS Firewall Router in Small Networks
■ Using the PIX Firewall in Small Networks
■ Alternative Implementations
“Do I Know This Already?” Quiz
The purpose of the “Do I Know This Already?” quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.
The 10-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time.
Table 14-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
NOTE The configuration shown in this chapter highlights only the code that is required to achieve the specific security requirement of the design that is under discussion. Complete configurations are not shown, nor are all the available options for a specific feature under discussion.
Also, this chapter assumes that the reader is familiar with the devices that are used in the small network design and, in particular, has an understanding of the command sets that are used for each of the device types shown.
Table 14-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section: Questions Covered in This Section
General Implementation Recommendations: 1
Using the ISP Router in Small Networks: 2–3
Using the Cisco IOS Firewall Router in Small Networks: 4–7
Using the PIX Firewall in Small Networks: 8–9
CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
1. The functionality of the ISP module can be incorporated into which component of the small network design?
4. Which of the following is provided by the Cisco IOS Firewall router?
9. Filtering is applied to an interface in a PIX Firewall using which command?
10. When the small network model is used as a branch, which of the following is true?
a. It is normal not to have a public services segment
b. It is normal to terminate remote VPN users
c. Branch LANs are normally routable across the WAN
d. It is normal not to have a firewall
e. None of the above
The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:
■ 8 or less overall score—Read the entire chapter. This includes the “Foundation Topics” and “Foundation Summary” sections, and the “Q&A” section.
■ 9 or more overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section. Otherwise, move to the next chapter.
Foundation Topics
General Implementation Recommendations
In the SAFE small network implementation, we will look at the specific configuration requirements for the following components:
■ Internet service provider (ISP) router
■ Cisco IOS Firewall router
■ PIX Firewall
These three components are the major networked devices that can be used within the small network. Technically, the ISP router is not part of the small network design, but because it plays a major role in the overall design aspects, it is included here for completeness. Also, the functionality of the ISP router can be integrated in some circumstances within the Cisco IOS Firewall router, thus eliminating it from the design.
As a review of the options explained in Chapter 13, Figure 14-1 illustrates the small network modules and their respective devices.
Figure 14-1 Small Network Devices
NOTE Discussion on the implementation of the Campus module in the small network is not undertaken in this chapter because this module involves only a basic configuration on the Layer 2 switch or involves application-specific configuration, which is outside the scope of this chapter.
[Figure 14-1 shows the Internet connected to the ISP Module, followed by the Corporate Internet Module (Management Server, Public Servers) and the Campus Module (Corporate Users, Corporate Servers).]
General configuration guidelines on effective tightening of security on Cisco routers and switches are listed in Appendix B, “General Configuration Guidelines for Cisco Router and Switch Security.” Readers should familiarize themselves with the content of this appendix because these commands are not shown in the following sections but play an important role in the overall implementation.
Using the ISP Router in Small Networks
The primary purpose of the ISP router is to provide connectivity from the small network to a provider’s network. The ISP router also provides mitigation against DDoS attacks and IP address spoofing attacks.
Distributed Denial of Service Attacks
DDoS mitigation can be provided at the egress of the ISP router through the use of rate limiting of nonessential traffic that exceeds prespecified thresholds. Obviously, the criteria used to identify nonessential traffic are critical because the flow of production traffic could be affected. To implement rate limiting, committed access rate (CAR) filtering can be used by following these steps:
Step 1 Define an ACL to select nonessential traffic:
access-list 100 permit non-essential-traffic-criteria1 any
access-list 100 permit non-essential-traffic-criteria2 any
Step 2 Apply the rate-limit command to the interface:
! access-list 100 is a regular extended ACL, so it is referenced as access-group 100.
! Matching traffic within 8000 bps (normal burst 1500 bytes, excess burst 20000 bytes) is forwarded; the excess is dropped.
rate-limit input access-group 100 8000 1500 20000 conform-action transmit exceed-action drop
To prevent TCP SYN-flooding attacks, another form of a DoS attack, a feature called TCP intercept can be implemented by following these steps:
Step 1 Define an ACL to select the host(s) or network to be protected. In this example, only the destination is being specified:
access-list 105 permit tcp any host-or-network-to-protect
Step 2 Apply the tcp intercept command:
ip tcp intercept list 105
IP Spoofing Attacks
IP spoofing mitigation can be provided at the egress of the ISP router through the use of RFC 1918 and RFC 2827 filtering. The implementation of these filters is described in the sections that follow.
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
Using the Cisco IOS Firewall Router in Small Networks
This section details the implementation and configuration of the Cisco IOS Firewall router in the small network standalone model. The Cisco IOS Firewall router provides all of the required functionality in a single device, including a stateful firewall, IDS services, filtering, and WAN connectivity.
This section highlights the security aspects of the Cisco IOS Firewall configuration and does not include general router configuration or WAN connectivity details. Details on the configuration changes of this router in a branch scenario are discussed in subsequent sections of the chapter. The primary features and configuration examples that are presented in this section cover the following:
■ Cisco IOS Firewall configuration
■ IDS configuration
■ VPN configuration
■ Internal traffic filtering
■ Public services traffic filtering
■ Public traffic filtering
Cisco IOS Firewall Implementation
The Cisco IOS stateful firewall is implemented as follows:
Step 1 Because the router is configured with a public services segment or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is configured for traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is set up for traffic from the Internet that is destined for the DMZ only.
The following commands configure the router’s firewall inspection rules for transmissions from inside the firewall to the Internet or DMZ:
ip inspect name IN_FW tcp
ip inspect name IN_FW udp
ip inspect name IN_FW ftp
ip inspect name IN_FW smtp
ip inspect name IN_FW sqlnet
ip inspect name IN_FW realaudio
ip inspect name IN_FW h323
The following commands configure the router’s firewall inspection rules for Internet-to-DMZ transmissions:
ip inspect name OUT_FW tcp
ip inspect name OUT_FW udp
ip inspect name OUT_FW ftp
ip inspect name OUT_FW h323
Step 2 These two rule sets are then applied to their respective interfaces, where they inspect the traffic that is transiting those interfaces.
The IN_FW inspection rule set is applied to the inside interface of the router by using the command ip inspect IN_FW in. The OUT_FW inspection rule set is applied to the outside interface of the router by using the command ip inspect OUT_FW in.
NOTE Not all of the available firewall inspection rules are shown in the previous examples. Inspection rules can be amended as required.
IDS Implementation
The implementation of basic Cisco IOS IDS services and reporting to the syslog server is achieved in the Cisco IOS Firewall router by following these steps:
Step 1 Define the IDS rules:
ip audit notify log
ip audit po max-events 100
ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset
Step 2 Apply the IDS rules to each interface that requires monitoring by using the command ip audit IDS in.
encr 3des
authentication pre-share
group 5
crypto isakmp key crypto-key address peer-address
Step 2 Define the cryptographic transform set that is to be used for the VPN connection:
crypto ipsec transform-set transform-set-name esp-3des esp-sha-hmac
Step 3 Define the crypto map:
crypto map crypto-map-name 10 ipsec-isakmp
set peer peer-IP-address
set transform-set transform-set-name
match address 110
Step 4 Define the traffic that is to be encrypted by using an ACL. This can be for both user and management traffic:
access-list 110 permit traffic-to-be-encrypted
Step 5 Assign the crypto map to the outside interface:
crypto map crypto-map-name
Internal Traffic Filtering
By using an inbound ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the command ip access-group 120 in. You should consider using the following common access list definitions.
Allow ssh management access to the public services network devices:
Public Services Traffic Filtering
By using an inbound ACL, you can filter traffic that is entering from the public services interface. This filtering is applied to the public services interface by using the command ip access-group 130 in. You should consider using the following common ACL definitions.
Allow mail services between the public and internal mail servers:
access-list 130 permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp
Allow HIDS traffic from the public server to the management server:
access-list 130 permit tcp host public-server-IP host management-server-IP eq 5000
Allow any network device that is on the public services segment to synchronize time with the router:
access-list 130 permit udp host PS-network-device-IP host internal-time-server-IP eq ntp
Allow management traffic to flow from public services segment network devices:
access-list 130 permit ip host PS-network-device-IP host management-server-IP
Deny all other connections to the internal network from the public services segment:
access-list 130 deny ip any internal-network
Allow all mail and DNS traffic that originates from the public services server:
access-list 130 permit tcp host public-server-IP any eq smtp
access-list 130 permit udp host public-server-IP any eq domain
Block all other traffic and log it:
access-list 130 deny ip any any log
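As an added example that is not part of the book, the following Python script models how IOS evaluates the numbered extended ACLs in this chapter: first match wins, a wildcard mask marks the bits that may vary, and an unmatched packet falls through to the implicit deny. It serves both the RFC 1918 entries of access-list 101 from the ISP router section and the public services access-list 130 above, and shows why the deny ip any internal-network entry must precede the permit that lets the public server send SMTP to any destination. Constructed addresses stand in for the placeholders: 192.0.2.0/24 is the public services segment, 10.1.1.0/24 the internal network, 192.0.2.10 the public server and 192.0.2.25 the public mail server.

```python
import ipaddress

# Constructed sample: the chapter's access-list 101 entries (RFC 1918 sources), the
# 10/8 entry from the PIX outside list, and a closing permit for legitimate traffic.
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
"""

# Constructed sample of access-list 130: 192.0.2.0/24 stands in for the public
# services segment and 10.1.1.0/24 for the internal network.
ACL_130 = """
access-list 130 permit tcp host 192.0.2.25 host 10.1.1.25 eq smtp
access-list 130 permit tcp host 192.0.2.10 host 10.1.1.50 eq 5000
access-list 130 permit udp host 192.0.2.1 host 10.1.1.123 eq ntp
access-list 130 permit ip host 192.0.2.1 host 10.1.1.50
access-list 130 deny ip any 10.1.1.0 0.0.0.255
access-list 130 permit tcp host 192.0.2.10 any eq smtp
access-list 130 permit udp host 192.0.2.10 any eq domain
access-list 130 deny ip any any log
"""

PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "ntp": 123}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i] and return
    ((network, mask), next_index). An IOS wildcard marks the bits that may vary,
    so 172.16.0.0 0.15.255.255 is the same as 172.16.0.0/12."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, 0xFFFFFFFF ^ wild), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny proto src dst [eq port] [log]' lines into
    (action, proto, src, dst, port, line) tuples, keeping the configured order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        rules.append((t[2], t[3], src, dst, port, line.strip()))
    return rules


def _matches(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate(rules, proto, src, dst, dport=0):
    """First matching entry wins and an IOS ACL ends with an implicit deny.
    Returns (action, entry) so the caller can see which line decided."""
    for action, r_proto, r_src, r_dst, port, line in rules:
        if r_proto != "ip" and r_proto != proto:
            continue
        if not (_matches(r_src, src) and _matches(r_dst, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", "implicit deny ip any any"


if __name__ == "__main__":
    # The public server may relay mail to the Internet, yet an SMTP attempt at
    # 10.1.1.60 hits the deny for the internal network before the smtp permit.
    dmz = parse_acl(ACL_130)
    print(evaluate(dmz, "tcp", "192.0.2.10", "10.1.1.60", 25))
    print(evaluate(dmz, "tcp", "192.0.2.10", "203.0.113.5", 25))
    print(evaluate(parse_acl(ACL_101), "tcp", "172.20.5.5", "203.0.113.9", 80))
```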
Public Traffic Filtering
You can use an inbound ACL to filter traffic that is entering from the public (Internet) interface. This filtering is applied to the public interface by using the command ip access-group 140 in. You should consider the following common ACL definitions.
If required, allow traffic from remote sites:
access-list 140 permit ip remote-site-A-network internal-network
access-list 140 permit ip remote-site-B-network internal-network
Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.
access-list 140 permit esp host remote-peer-IP host router-outside-IP
If required, allow management traffic from the remote sites. This can be either a global statement, as shown in the subsequent command, or made more specific by electing to specify services.
Using the PIX Firewall in Small Networks
This section details the implementation and configuration of the PIX Firewall in the small network standalone model. WAN connectivity is provided by an ISP-supplied device. The configuration shows only the ACLs and cryptographic parameters that are required for the PIX Firewall to operate as a headend device.
NOTE In earlier implementations of IPSec and Cisco IOS Firewall, it may be necessary to add an additional entry to the preceding ACL to identify the actual traffic that needs to be encrypted through the VPN on top of those already defined.
This section covers the following primary features and configuration examples:
■ Outside interface filtering
■ Inside interface filtering
■ DMZ interface filtering
■ IDS configuration
■ VPN configuration
Outside Interface Filtering
By using an ACL, you can filter traffic that is entering from the outside (Internet) interface. This filtering is applied to the outside interface by using the access-group command. You should consider the following common ACL definitions.
Allow access to the services that are available on the public services segment:
access-list outside_access_in permit tcp any host public-NAT-IP eq ftp
access-list outside_access_in permit tcp any host public-NAT-IP eq www
access-list outside_access_in permit tcp any host public-NAT-IP eq smtp
access-list outside_access_in permit tcp any host public-NAT-IP eq 443
access-list outside_access_in remark PIX ACLs take subnet masks, not the IOS wildcard masks used in access-list 101
access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any
If required, allow management traffic from the remote sites. This can be either a global statement, as shown in the command that follows, or made more specific by electing to specify services.
Internal Traffic Filtering
By using an ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the access-group command. You should consider the following common ACL definitions.
Allow management access to the public services network devices:
Public Services Traffic Filtering
Using an ACL, traffic that is entering from the DMZ interface can be filtered. This filtering is applied to the DMZ interface by using the access-group command. You should consider the following common ACL definitions.
Allow mail services between the public and internal mail servers:
access-list dmz_access_in permit tcp host public-mail-server-IP
Allow echo replies from the internal network:
access-list dmz_access_in permit icmp public-services-network internal-network echo-reply
Allow HIDS traffic from the public server to the management server:
access-list dmz_access_in permit tcp host public-server-IP host management-server-IP eq 5000
Allow management traffic to flow from public services segment network devices:
access-list ps_access_in permit tcp host public-server-IP any eq smtp
ip audit name IDS attack action alarm drop reset
ip audit interface outside IDS
ip audit interface inside IDS
crypto ipsec transform-set REMOTESITES esp-3des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address remote-sites
crypto map REMOTE 10 set peer peer-IP-A
crypto map REMOTE 10 set transform-set REMOTESITES
crypto map REMOTE interface outside
isakmp enable outside
isakmp key key address IP-address netmask 255.255.255.255
isakmp identity address
access-list remote-sites permit ip internal-network remote-site-network
To configure remote-access VPN users, use the following commands:
■ Corporate resources are normally centralized at the corporate headquarters; therefore, the use of a local public services segment is redundant. Under this circumstance, all related configuration is removed.
■ To provide site-to-site connectivity between offices, IPSec over Generic Routing Encapsulation (GRE) can be used. If you use GRE, you must amend cryptographic parameters to allow IPSec transport mode to be used and then modify the associated filtering to reflect this change.
■ Remote users normally terminate at the corporate headquarters rather than on the small network. Under this circumstance, all related configuration is removed.
Foundation Summary
The “Foundation Summary” section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each “Foundation Summary” section before taking the exam.
The following three components are the major networked devices that can be used within the small SAFE network:
■ ISP router
■ Cisco IOS Firewall router
■ PIX Firewall
Technically, the ISP router is not part of the small network design, but it plays a major role in the overall design. The functionality of the ISP router can be integrated in some circumstances within the Cisco IOS Firewall router, thus eliminating it from the design. The primary purpose of the ISP router is to provide the following:
■ Connectivity from the small network to a provider’s network
■ Mitigation against DDoS attacks and IP address spoofing attacks
The Cisco IOS Firewall router provides all the required functionality of the small network in a single device that includes the following:
■ A stateful firewall
■ IDS services
■ Filtering
■ WAN connectivity
The primary features and configuration examples presented in this chapter include
■ Cisco IOS Firewall configuration
■ IDS configuration
■ VPN configuration