4 Configuring the Network Access Server for AAA Security .... © 2000 All Rights Reserved – BrainBuzz.com 2 Establishing A Network Security Policy Evaluating Network Security Threats A
Trang 1This study guide will help you to prepare for the Cisco MCNS (Managing
Cisco Network Security) 640-442 exam that will give you a specialization for your CCNP (Cisco Certified Network Professional) certification if taken before January 1st, 2001 Exam topics include basic configuration of PIX firewalls, configuring Cisco routers as firewalls, understanding of network security and policies, understanding of AAA processes and various encryption
technologies employed in Cisco networks.
Notice: While every precaution has been taken in the preparation of this material, neither the author nor BrainBuzz.com assumes any liability in the event
of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document The information in this document is provided and distributed "as-is", without any expressed or implied warranty Your use of the information in this document is solely at your own risk, and Brainbuzz.com cannot be held liable for any damages incurred through the use of this material The use of product names in this work is for
information purposes only, and does not constitute an endorsement by, or affiliation with BrainBuzz.com Product names used in this work may be
registered trademarks of their manufacturers This document is protected under US and international copyright laws and is intended for individual, personal use only For more details, visit our legal page.
Check for the newest version of this Cramsession
Rate this Cramsession
Feedback Forum for this Cramsession/Exam
More Cramsession Resources:
Search for Related Jobs
IT Resources & Tech Library
SkillDrill - skills assessment
CramChallenge - practice questions
Certification & IT Newsletters
Discounts, Freebies & Product Info
http://cramsession.brainbuzz.com/checkversion.asp?V=2451941&FN=Cisco/ccnp_mcns.pdf
http://cramsession.brainbuzz.com/cramreviews/reviewCram.asp?cert=ccnp+mcns
http://boards.brainbuzz.com/boards/vbt.asp?b=862
http://jobs.brainbuzz.com/BrowseJobSearchRes.asp
http://itresources.brainbuzz.com
http://www.skilldrill.com
http://www.cramsession.com/signup/default.asp#day
http://www.cramsession.com/signup/
http://www.cramsession.com/signup/prodinfo.asp
© 2000 All Rights Reserved - BrainBuzz.com
Trang 2© 2000 All Rights Reserved – BrainBuzz.com
1
Contents:
Contents: 1
Establishing A Network Security Policy 2
Evaluating Network Security Threats 2
Basic Categories of Security Threats 2
Motivations of Network Security Threats 2
Outlining A Network Security Policy 3
Securing The Dialup Connection 4
Configuring the Network Access Server for AAA Security 5
Overview of Basic AAA Configuration Process 6
Securing The Internet Connection 7
Cisco IOS Firewall 7
Configuring the PIX Firewall 9
PIX Firewall Basics 9
Configuring Access Through the PIX Firewall 11
Configuring Advanced Features 12
Encryption Technology 13
Basic Cryptography 13
Overview of IKE & IPSEC 14
Configuring IPSEC with IKE 15
Configuring IKE 16
Trang 3© 2000 All Rights Reserved – BrainBuzz.com
2
Establishing A Network Security Policy
Evaluating Network Security Threats
A security threat can be as simple as snooping your network’s normal
operation or as complex as taking control of your entire network It is
important then to be familiar with the three basic categories of network security threats
Basic Categories of Security Threats
• Unauthorized Access - Unauthorized access is when an unauthorized individual gains access to the network or any network resource with the possibility of taking that resource or tampering with it
• Impersonation – Impersonation is the process of identifying yourself as a different individual by using the same credentials as that particular individual uses There are several ways that this is done One of the more common ways is by eavesdropping on your network and gaining access to usernames and password when these are exchanged via
unsecured means Sniffer programs, as they are commonly referred as, are small software packages that enable someone to snoop into current network conversations and extract users’ credentials
• Denial of Service – Denial of Service is an attack on your network by a malicious individual in order to interfere in your networks normal
operation This is a common type of attack that has gained notoriety due
to the growth of the Internet
Motivations of Network Security Threats
It is important to understand the different motivations that some individuals may have in posing a security threat to your network It is a common
perception that network security attacks are perpetrated from your external network, which is the Internet Therefore, the firewall is an important piece
in protecting your network against these said attacks Here are some of the more basic motivations in launching an attack on your network
• Greed – The intruder’s purpose is to take control or possession of any network resource such as corporate data so that he/she may sell it for money
Trang 4© 2000 All Rights Reserved – BrainBuzz.com
3
• Notoriety – The intruder attempts to break in to networks that are said to
be secure proving his skill to gain respect from his peers
• Revenge – The intruder has been fired or laid off and is looking for some type of reprisal The most common occurrence of this is the damaging of important corporate data
Outlining A Network Security Policy
• Define physical security-Defining physical security controls pertain to the physical infrastructure that your network is built on This can be the various physical components that comprise your network such as servers, routers, switches and cabling Ensuring the security of these components should be the foundation of your network security policy Imagine having the strictest password policy but having your wiring closet open to anyone in the vicinity
• Define logical security controls – Logical security controls provide
boundaries within your network segments This process is done when traffic is filtered from one segment of your network to the next The two main logical boundaries used are:
oSubnet Boundaries
oVLAN Boundaries
• Ensure data and system integrity – Data that passes to and from your network needs to be identified as valid traffic Valid traffic can further
be described as expected network traffic that is supported traffic,
unspoofed traffic and traffic in which the data has not been altered This is the main reason why firewalls are implemented A firewall
ensures your data’s validity and integrity ingressing and egressing your network
• Ensure data confidentiality – Data confidentiality pertains to encryption The key in this process is deciding which data is to be encrypted and which is not be encrypted This should be carefully evaluated so that key data that pose as the greatest risk if compromised is encrypted
• Develop policies and procedures for the staff that is responsible for the network – Specific guidelines should be in place for the staff that is responsible for the maintenance of the network infrastructure This should ensure that these policies are balanced between securing your network and allowing the staff to carry out their responsibilities in an efficient manner These policies may include the following:
Trang 5© 2000 All Rights Reserved – BrainBuzz.com
4
oBackups – One of the most important tasks in network management is being able to back up the data that is stored in that network Polices and procedures should be in place to provide the staff, that is responsible for the backups, the steps in securing those backups
oEquipment Certification – Network equipment that is introduced into the network should adhere to specific security requirements
oAudit Trails – Keeping a log of what goes on in your network greatly enhances your ability to determine if there is any suspicious activity going on in your network environment
• Develop appropriate security awareness training – Training should be provided to all staff in order for them to be informed of the various security measures that your network employs It is very important that the staff is made aware of the many problems that may arise due to security related issues
Securing The Dialup Connection
Dialup connections to your corporate network are usually comprised of
several dial in infrastructures These could be direct dial in connections from mobile users and telecommuters There is also the virtual dial in process of remote branches via the Internet through a corporate Virtual Private Network (VPN) Therefore, it is recommended that you secure these dial in access points with a firewall device that implements some kind of intrusion detection and auditing function Regardless of how dial in access is provided to the corporate network, the main security concerns lie in the following areas:
• Identifying the caller
• Identifying the location of the caller
• Identifying the destination of the caller
• Logging of accessed applications and data
• Logging of the duration of the connection
• Guaranteeing authenticated communication
• Guaranteeing private communication
Trang 6© 2000 All Rights Reserved – BrainBuzz.com
5
Configuring the Network Access Server for AAA Security
Access control is the process of controlling who is allowed access to the
network and what services they are allowed to use Authentication,
Authorization and Accounting (AAA) network security services provide the principal structure though which you set up access control on your router or network server AAA offers the following benefits:
• Increased flexibility
• Scalability
• Standard authentication methods, such as RADIUS, TACACS+ and Kerberos
• Multiple backup systems
AAA is designed to enable you to configure the type of authentication and authorization you would use on a per line (per user) or per service basis You define the type of authentication and authorization you want by creating method lists, then apply those method lists to specific services or interfaces Method lists are lists defining the authentication methods to be used, in order,
to authenticate a dial in user These lists enable you to assign one or more security protocols to be used for authentication, thus creating a backup
system for authentication to be used in case the initial method fails AAA is comprised of three independent security functions
their login and password dialog scripts, challenge and response, messaging support and encryption
remote user is authorized to access in the network such as network resources or services AAA authorization works by putting together a set of attributes that
identify what a user is authorized to perform These attributes are compared the information contained in a database for a given user The result is returned to AAA
to determine the user’s actual capabilities and restrictions This database can be local on the access server or remotely on a TACACS+ or RADIUS server
that remotely connected users are accessing Activities are logged to either a
Trang 7© 2000 All Rights Reserved – BrainBuzz.com
6
RADIUS or TACACS security server in the form of accounting records This data can then be analyzed for client billing, auditing or network management
Overview of Basic AAA Configuration Process
• Enable AAA by issuing this command in global mode
aaa new-model
• If you are using separate security servers, configure security control parameters, such as RADIUS, TACACS+ or Kerberos
• Define the method lists for authentication by issuing this command
aaa authentication
For example, if you would like to specify RADIUS as the default method for logging in, the command would be:
aaa authentication login default radius
To log in using the local username database on the router, the command would be:
aaa authentication login default local
To log in using PPP and specify the local username database, the command would be:
aaa authentication ppp default local
This example would allow authentication to succeed even if the TACACS+ server returns an error
aaa authentication ppp default tacacs+ none
• Apply the method list to a particular interface
This example applies the method list to interface serial 0
interface serial 0 ppp authentication chap pap default
• Configure authorization using this command
aaa authorization
This example allows authorization on the network via TACACS+
aaa authorization network tacacs+
This example specifies TACACS+ as the method for user authorization when trying to establish a reverse telnet session
aaa authorization reverse-access tacacs+
Trang 8© 2000 All Rights Reserved – BrainBuzz.com
7
• Configure accounting using this command
aaa accounting
In the following example, RADIUS-style accounting is used to track all usages of EXEC commands and network services, such as PPP, SLIP and ARAP
aaa accounting exe start-stop radius aaa accounting network start-stop radius
Securing The Internet Connection
The most common solution to securing your Internet connection is setting up
a firewall A firewall is a network device that is placed between your trusted network and untrusted networks, the most common in which, is the Internet
It is also possible to setup a firewall within the boundaries of your internal network so as to prevent unauthorized access to certain areas of your
network that are highly sensitive such as payroll files or engineering data Today, there are three classifications of firewalls:
• Packet Filtering – This type of firewall depend exclusively on UDP, ICMP, TCP and IP headers of individual packets to deny or permit traffic The packet filter examines the combination of inbound or outbound traffic direction, IP source and destination address and TCP or UDP source and destination port numbers
• Circuit filtering – This type of firewall controls access via observing state information and recreating the flow of data that the traffic is associated with
• Application gateway – This type of firewall processes messages that are specific to a particular IP application This type of firewall
is probably the most secure, however, it is also the most resource intensive type to deploy
Cisco IOS Firewall
The Cisco IOS firewall feature set is a security-specific option for the Cisco IOS software It enhances the built-in security capabilities in the Cisco IOS and adds the full functionality of a firewall The Cisco IOS firewall feature set
is comprised of several different feature modules The three basic feature sets we cover are:
Trang 9© 2000 All Rights Reserved – BrainBuzz.com
8
• Context-Based Access Control – This feature module provides the
functionality of an advanced traffic filter and is an essential part of your IOS firewall CBAC provides these functions for your firewall
o Traffic Filtering – Filters TCP and UDP packets based on information that is obtained through the application-layer protocol session The firewall can inspect traffic originating from either side of the firewall and can then determine which traffic is allowed access into
or out of the network
o Alert and Audit Trails – CBAC produces real time alerts and audit logs based on events that are observed by the firewall This enhanced log keeps tracks of all network transactions, such as source and destination hosts, ports used and total number of bytes transferred
o Traffic Inspection – Inspection of inbound and outbound traffic produces state information This state information allows the firewall to create temporary openings to allow return traffic for the permissible session
• Intrusion Detection System – This feature set is designed for mid-range and high-end router platforms with firewall support It is best suited for any router deployed around your network perimeter, more commonly, on your Internet connections This feature set provides identification of the most common attacks by identifying the signature in the pattern of
attacks that are launched against your network When the intrusion detection system identifies a pattern of attack that matches against a signature on the systems database, it responds before network security can be compromised and the event is then logged These responses are
to be configured by the administrator and can be one of the following:
o Send an alarm – this can be sent to either a syslog or a centralized management system such as NetRanger
o Drop the packet
o Reset the TCP Connection
• IOS Firewall Authentication Proxy – This feature set allows network
administrators to apply specific security policies based on user In earlier versions, security policies were generally applied across multiple users This feature can only be active when there is traffic from the
authenticated user
Trang 10
© 2000 All Rights Reserved – BrainBuzz.com
9
Configuring the PIX Firewall
PIX Firewall Basics
The PIX firewall is a complete hardware and software security solution The PIX IOS runs on proprietary PIX hardware In most respects, the basic
concept behind the PIX firewall is to allow everything from the internal
network to go outbound and only allow the return connections from the
outside interface to the inside interface The handling of connections from an inside interface to an outside interface is different from connections that are from the outside interface to the inside interface Here are the basic steps in configuring a PIX firewall
• The first step in configuring a PIX firewall is naming the different
interfaces On new installations, the PIX firewall provides default names
for each interface To view these default interface names, use the show
nameif command However, it would be ideal to rename these interfaces
according to your network conventions or specifications The command to
name the interface is nameif The syntax of this command is as follows:
nameif hardware_Id Interface Security_level
Hardware_id – this is the hardware name for the network interface
card you are naming Examples of this would be Ethernet0 (if you are using Ethernet interfaces)
Interface – this would be where you would name that interface if you
want to use a different name other than the default one Examples of this would be dmz or perimeter You can specify up to 48 characters for this field, however, if you use a long name, you would need to reenter that name every time
Security_level – You can choose any security level value between 1
and 99 for any perimeter interface so long as it is not the same as the inside or outside interface If this is an initial PIX configuration, the default security level starts at security10 for the first perimeter interface
An example of the nameif command is:
nameif ethernet0 inside 10
• The second step in configuring a PIX firewall is assigning IP addresses to each interface on your PIX firewall If you have any unused interface on your PIX firewall, the PIX assigned IP address for that interface is
127.0.0.1 and the subnet mask of 255.255.255.255 This does not allow