Terms you’ll need to understand:
✓ IP access control lists
✓ Authentication
✓ Authorization
✓ Accounting
✓ Remote Authentication Dial-In User Service (RADIUS)
✓ Terminal Access Controller Access Control System (TACACS)
✓ Private Internet Exchange (PIX) Firewalls
Techniques you’ll need to master:
✓ Describing why security and traffic filtering are important on Cisco routers
✓ Determining the proper placement of Access Control Lists to efficiently filter traffic
✓ Understanding the characteristics of AAA, RADIUS, and TACACS
✓ Knowing the queuing methods available on Cisco routers
This chapter focuses on methods that can be used to provide you with a secure network. The aim of this chapter is to familiarize you with common security options and performance management queuing methods. This chapter covers the following CCIE blueprint objectives as determined by the Cisco Systems CCIE program:
➤ Security—Authentication, Authorization, and Accounting (AAA); Terminal Access Controller Access Control System (TACACS); RADIUS; PIX firewalls; demilitarized zones (DMZ); encryption; public/private keys; Data Encryption Standard (DES)
➤ Access Lists—Standard access lists and extended access lists, to include where and how to place and design them
➤ Performance Management—Traffic management queuing, Weighted Fair Queuing (WFQ), Resource Reservation Protocol (RSVP), traffic shaping, load balancing
As with other chapters in this book, additional information is provided for completeness and in preparation for additional subjects as the CCIE Program expands.
Basic Network Security
Network security is one of the primary concerns in today’s networks. Many businesses must protect sensitive data from competitors or financial details from unauthorized personnel. A good security policy protects your network against corruption, failure, and compromised data.
Cisco IOS provides a number of security features, including the following:
➤ Authentication, Authorization, and Accounting (AAA)
➤ Support for security server protocols, including RADIUS, TACACS, Extended TACACS, and TACACS+
➤ Traffic Filtering options using access lists
➤ Firewalls and DMZs
➤ Network data encryption
All the security methods described in this chapter are designed to stop unauthorized access to your router network. This section covers the security methods outlined in the preceding list, beginning with a discussion of Access Control Lists.
Standard and Extended IP Access Lists
Standard and extended access lists are used to filter IP traffic. An access list is basically a set of permit or deny statements. Standard access lists are used to control IP traffic based on the source address only. Extended access lists can filter on source and destination addresses. Extended access lists can also be used to filter on specific protocols and port numbers. Let’s look at how a Cisco router handles access lists.
Access Lists on Cisco Routers
By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 8.1 illustrates the steps taken if an access list is configured on a Cisco router.
If an incoming packet is received on a router and no access list is defined, the packet will be forwarded to the IP routing software. If an access list is defined and applied, the packet will be checked against the list, and the appropriate permit or deny action will be taken. The default action taken by any access list is to act on the explicitly defined statements and then to deny everything else.
Note: If the keyword out or in is not applied by the administrator when defining an IP filter on an interface, the default action is to apply the filter on the outbound traffic.
Standard IP Access Lists (1 through 99)
As mentioned earlier in this chapter, standard IP access lists are used for filtering on the source address only. The Cisco IOS syntax is as follows:
Figure 8.1 Access list processing on a Cisco router: incoming packet → access list configured? → is packet permitted? → process packet or drop packet.
access-list access-list-number {deny | permit} source [source-wildcard]
The following describes the purpose of each field:
➤ access-list-number—A number from 1 through 99 that defines a standard access list number. New versions of IOS 12.0 or later also have standard access lists ranging from 1300 through 1999.
➤ deny—IP packet will be denied if a match is found.
➤ permit—IP packet will be permitted if it matches the criteria as defined by the administrator.
➤ source—Source IP address or network. Any source address can be applied by using the keyword any.
➤ source-wildcard (optional)—Wildcard mask that is to be applied to the source address. This is an inverse mask, which is further explained with a few examples later in this section. The default is 0.0.0.0, which specifies an exact match.
After applying the access-list command as described in the preceding text, you must apply the access list to the required interface using the following command:
ip access-group {access-list-number | name} {in | out}
The following describes the purpose of each field:
➤ access-list-number—A number in the range from 1 through 99 that defines a standard access list number.
➤ name—If you are using named access lists, then that name will be referenced here.
➤ in—Keyword that designates the access list as an inbound packet filter.
➤ out—Keyword that designates the access list as an outbound packet filter. This is the default action.
The wildcard mask mentioned earlier in the access-list command is used to match the source address. When a wildcard mask bit is set to binary 0, the corresponding bit of the address must match; if it is set to binary 1, then the router does not care whether that bit matches (it is an inconsequential bit). For example, the mask 0.0.255.255 means that the first two octets must match but the last two octets do not need to match. Hence the commonly used phrases care bits (0’s) and don’t care bits (1’s).
For further clarification, let’s look at some examples of using access lists
Suppose you have found a faulty NIC card with the address 141.108.1.99/24. You have been asked to stop packets from being sent out Serial 0 on your router but to permit everyone else. In this situation, you need to deny the host address 141.108.1.99 and permit all other host devices. The following access list would fulfill this requirement:
access-list 1 deny 141.108.1.99 0.0.0.0
access-list 1 permit 141.108.1.0 0.0.0.255
Next, you would apply the access list to filter outbound (the keyword out is supplied) IP packets on the Serial 0 interface, like this:
department and odd subnets to Sales. You do not want the Sales department to access the Internet, as shown in Figure 8.2. To solve this issue, you configure a standard access list. Figure 8.2 displays a simple requirement to block all odd networks from accessing the Internet.
You could configure the router to deny all the odd networks, but that would require many configuration lines.
Note: Access lists are CPU process intensive because the router has to go through every entry in the access list for each packet until a match is made. If you wish to determine the actual effect an access list has on your router, then compare the CPU processes prior to and after activating an access list; remember to check on a regular basis in order to see the big picture.
Instead, let’s say that you permit only even networks with one configuration line. To accomplish this, you need to convert all networks to binary to see if there is any pattern that you can use in the wildcard mask. Table 8.1 displays the numbers 1 through 16 in both decimal and binary format.
Table 8.1 Example calculation of numbers in binary.
Notice that odd networks always end in the binary value of 1 and even networks end with 0. Therefore, you can apply your access list to match on the even networks and deny everything else. Even numbers will always end in binary 0. You do not care about the first seven bits, but you must have the last bit set to 0. The wildcard mask that will apply this condition is 11111110. This converts to a decimal value of 254. Hence, the following access list will only permit even networks:
access-list 1 permit 141.108.2.0 0.0.254.255
The preceding access list will match networks 2, 4, 6, 8, 10, 12, 14, and 16 in the third octet. The default action is to deny all else, so only even networks will be allowed and odd networks will be blocked by default. Next, you would apply the access list to the outbound interface. Listing 8.1 describes the full configuration.
Let’s take a minute to briefly review inverse masks. Assume that you want to let in a certain number of hosts. If we were routing to these hosts, we would define the hosts as 150.124.10.0 255.255.255.240. To use the same limits in an access list, we would take the subnet mask and subtract it from 255.255.255.255 as follows:
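The care-bit/don’t-care-bit rule, the two standard access lists from this section, and the subtraction used to derive an inverse mask can all be checked with a small simulator. The following Python is an added illustration written for this page, not code from the book or from Cisco; the addresses are the ones used in the text, and the function names and the sample packets are my own.

```python
"""Standard IP access-list matching with wildcard (inverse) masks.

Added illustration (not from the book): applies the rule described in the
text, a wildcard bit of 0 means the address bit must match and a wildcard
bit of 1 means the bit is ignored, and walks the list top-down with the
implicit deny at the end that the text calls the default action.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(packet_src: str, entry_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """True when every 'care' bit (wildcard bit 0) of the two addresses is equal.
    Masking both sides with the complement of the wildcard keeps only care bits."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_src) & care) == (to_int(entry_addr) & care)


def inverse_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask, as the text describes."""
    return to_dotted(0xFFFFFFFF - to_int(subnet_mask))


def evaluate(acl, packet_src: str) -> str:
    """First matching entry wins; a packet matching no entry is denied."""
    for action, addr, wildcard in acl:
        if wildcard_match(packet_src, addr, wildcard):
            return action
    return "deny"  # implicit deny at the end of every access list


# Constructed lists mirroring the two examples in the text (action, address, wildcard).
FAULTY_NIC_ACL = [
    ("deny", "141.108.1.99", "0.0.0.0"),     # block the faulty NIC
    ("permit", "141.108.1.0", "0.0.0.255"),  # permit the rest of the /24
]
EVEN_NETWORKS_ACL = [
    ("permit", "141.108.2.0", "0.0.254.255"),  # third octet must end in binary 0
]


def permitted_third_octets(acl, upper: int = 16):
    """Which third-octet values 1..upper a list permits (141.108.N.1 as sample host)."""
    return [n for n in range(1, upper + 1) if evaluate(acl, f"141.108.{n}.1") == "permit"]


if __name__ == "__main__":
    for src in ("141.108.1.99", "141.108.1.10", "141.108.2.5"):
        print(src, "->", evaluate(FAULTY_NIC_ACL, src))
    print("even-network list permits:", permitted_third_octets(EVEN_NETWORKS_ACL))
    print("inverse of 255.255.255.240 is", inverse_mask("255.255.255.240"))
```

Note that 141.108.2.5 is denied by the faulty-NIC list even though it is not the faulty host: it matches neither entry, so the implicit deny applies. Likewise, extending the upper bound in permitted_third_octets shows that 0.0.254.255 admits every even third octet from 0 to 254, not only 2 through 16; the text’s list of matched networks reflects the networks in its scenario, not the full reach of the mask.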
Extended Access Lists
Extended access lists range from 100 through 199, with an expanded range of 2000 through 2699 available in IOS 12.0 and later. Alternatively, you can use a named access list with IOS 12.0 or later. As mentioned earlier in this chapter, extended access lists can be applied to both source and destination addresses as well as filter on protocol types and port numbers. Let’s look at some examples of extended access lists that will allow you to filter several different types of traffic:
For Internet Control Message Protocol (ICMP), you can also use the syntax shown in Listing 8.2.
Listing 8.2 Access list for ICMP traffic.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]
For Internet Group Management Protocol (IGMP), you can use the syntax shown in Listing 8.3.
Listing 8.3 Access list for IGMP traffic.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]
For TCP, you can use the syntax shown in Listing 8.4.
Listing 8.4 Access list for TCP traffic.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]
For User Datagram Protocol (UDP), you can use the syntax shown in Listing 8.5.
Listing 8.5 Access list for UDP traffic.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]
As you can see, extended access lists have a range of options to suit any requirement. The most commonly used extended access list options are:
➤ access-list-number—Provides a number ranging from 100 through 199 that defines an extended access list.
➤ deny—Denies access if the conditions are matched.
➤ permit—Permits access if the conditions are matched.
➤ protocol—Specifies the protocol you are filtering. Some common options include eigrp, gre, icmp, igmp, igrp, ip, ospf, tcp, and udp.
➤ source—Specifies the source address.
➤ source-wildcard—Specifies the wildcard mask.
➤ destination—Identifies the destination network.
➤ destination-wildcard—Identifies the destination mask.
You should be able to demonstrate your understanding of standard and extended access lists. You are not expected to memorize the available options in an extended access list. The options are provided in this chapter for your reference only. When constructing access lists, the built-in help feature is extremely helpful.
The example in Listing 8.6 permits Domain Naming System (DNS) packets, ICMP echo and echo replies, OSPF, and BGP packets (BGP runs over TCP using port 179). In Listing 8.6, the access list numbered 100 is not concerned about specific host addresses or networks, but rather ranges of networks.
Listing 8.6 Extended access list example.
access-list 100 permit tcp any any eq smtp
! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain
! Permits DNS queries
access-list 100 permit icmp any any echo
! Permits ICMP ping requests
access-list 100 permit icmp any any echo-reply
! Permits ICMP replies
access-list 100 permit ospf any any
! Permits OSPF packets
access-list 100 permit tcp any any eq bgp
! Permits BGP to any device
In Listing 8.6, the any keyword is shorthand for 0.0.0.0 255.255.255.255, which means that the address of the device is irrelevant. If any IP packet arrives at the router and does not match the specified criteria, the packet will be dropped.
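To see how the router walks Listing 8.6, the following added Python (written for this page; not code from the book or from Cisco) parses the subset of extended access-list syntax the listing uses, namely the any keyword, host, address/wildcard pairs, eq on the destination port, and ICMP type names, and then evaluates constructed sample packets against it. The Packet and Entry types, the port and ICMP name tables, and the sample packets are my own; the list text is Listing 8.6 as printed above.

```python
"""Extended access-list evaluation: protocol, addresses, destination port, ICMP type.

Added illustration (not from the book): a minimal model of how a router
walks an extended access list top-down, first match wins, and drops
anything that matches no entry (the implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Keyword-to-number tables for the names used in Listing 8.6.
PORT_NAMES = {"smtp": 25, "domain": 53, "bgp": 179}
ICMP_NAMES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    dst_port: Optional[int] = None  # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only


@dataclass
class Entry:
    action: str
    proto: str
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # "any"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"   # "any"
    dst_port: Optional[int] = None      # "eq <port>" after the destination
    icmp_type: Optional[int] = None     # ICMP type name or number

    def matches(self, pkt: Packet) -> bool:
        # "ip" matches any IP protocol; anything else must match exactly.
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def wildcard_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Care bits (wildcard bit 0) must be equal; don't-care bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(entry_addr)) & care)


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} proto src dst [eq port | icmp-type]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    i = 4

    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":
            i += 2
            return tok[i - 1], "0.0.0.0"
        i += 2
        return tok[i - 2], tok[i - 1]

    src, src_wild = address()
    dst, dst_wild = address()
    dst_port = icmp_type = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dst_port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    elif i < len(tok) and proto == "icmp":
        t = tok[i]
        icmp_type = ICMP_NAMES[t] if t in ICMP_NAMES else int(t)
    return Entry(action, proto, src, src_wild, dst, dst_wild, dst_port, icmp_type)


def evaluate(acl, pkt: Packet) -> str:
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"  # implicit deny at the end of every access list


# Listing 8.6 as printed in the text; comment lines ("!") are skipped by the filter below.
LISTING_8_6 = """\
access-list 100 permit tcp any any eq smtp
! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
access-list 100 permit tcp any any eq bgp
"""
ACL_100 = [parse_entry(l) for l in LISTING_8_6.splitlines() if l.startswith("access-list")]

if __name__ == "__main__":
    # Constructed sample packets; addresses are arbitrary since every entry says "any any".
    for pkt in (Packet("tcp", "10.0.0.1", "10.0.0.2", dst_port=25),
                Packet("icmp", "10.0.0.1", "10.0.0.2", icmp_type=3),
                Packet("tcp", "10.0.0.1", "10.0.0.2", dst_port=23)):
        print(pkt, "->", evaluate(ACL_100, pkt))
```

An ICMP destination-unreachable (type 3) and a Telnet connection (TCP port 23) both end up denied: not because any entry denies them, but because nothing permits them and the implicit deny catches everything else.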
The Cisco CD documentation provides additional quality examples of access lists. You should take some time to study Cisco’s examples. For further information, see the “Need to Know More” section at the end of this chapter.
Authentication, Authorization, and Accounting (AAA)
AAA provides a method used to identify which users are logged into a router and each user’s authority level. AAA also provides the capability to monitor user activity and provide accounting information.
To start AAA on a Cisco router, you issue the aaa new-model IOS command.
Let’s now define what Authentication, Authorization, and Accounting are and show a common example on a Cisco router.
Authentication
Authentication allows the administrators to identify who can connect to a router, by including the user’s user name and password. Normally, when a user connects to a router remotely via Telnet, the user only needs to supply a password and the administrator has no way of knowing the user’s user name. With AAA authentication, whenever a user logs on, the user must enter a user name and password pair (which has been assigned by the administrator).
The following code snippet shows an example of a remote user accessing an AAA-configured Cisco router:
User Access Verification
Authorization
Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS allows certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a 0 privilege level cannot issue any IOS commands. A user with a privilege level of 15 can perform all valid IOS commands. The local or remote security server can grant access levels.
You can display your privilege level on a Cisco router with the show privilege command, as shown in the following code snippet:
R1#show privilege
Current privilege level is 15
Keep in mind that the higher the privilege, the more capabilities a user has with the IOS command set.
Accounting
Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user’s session. For example, accounting enables administrators to monitor which routers have had their configurations changed. Accounting information can be collected by a router or by a remote security server. To display local accounting information on a Cisco router collecting accounting information, you issue the show accounting IOS command.
Note: You must use AAA if you intend to use RADIUS or TACACS security server protocols.
After AAA is configured, you can use external security servers to run external security protocols—such as RADIUS or TACACS—that will stop unauthorized access to your network. Both RADIUS and TACACS can be implemented on Cisco routers, so we’ll review these two protocols in the upcoming sections.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a client-server based system that secures a Cisco network against intruders. RADIUS is a protocol that is implemented in IOS that sends authentication requests to a RADIUS server. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users.
When a RADIUS server authenticates a user, the following events occur:
➤ The remote user is prompted for a username and password.
➤ The username and password are encrypted and sent across the data network.
The RADIUS server accepts or rejects a username and password pair. In some instances, a user might be asked to enter more information (this is called a challenge response). For example, if a user’s password has expired, a RADIUS server will prompt the user for a new password.
Let’s now examine the RADIUS configuration tasks required on a Cisco router.
Let’s now examine the RADIUS configuration tasks required on a Cisco router
Note: A RADIUS server is usually software that runs on a variety of platforms, including Microsoft NT servers or a Unix host. RADIUS can be used to authenticate router users, authenticate vendors, and even to validate IP routes.
Configuring RADIUS
The steps required to enable RADIUS are:
1. Use the aaa new-model command. AAA must be used with RADIUS.
2. Specify the RADIUS server with the radius-server host command.
3. Specify the password used between the router and the RADIUS server.
The following example displays the required configuration for a Cisco router to authenticate users from the RADIUS server with the host address 10.99.34.50. The password or key used between the router and RADIUS server is set to ccie:
radius-server host 10.99.34.50
radius-server key ccie
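The text says that the router sends the username and password to the RADIUS server in encrypted form and that a key (ccie above) is shared between the two. The following added Python (written for this page; not code from the book, from Cisco, or from any RADIUS implementation) models that exchange the way RFC 2865 defines it: the router hides the User-Password with MD5 keyed by the shared secret and a random Request Authenticator, the server reveals it and answers Access-Accept or Access-Reject, and the router checks the Response Authenticator before trusting the answer. The user database, the user alice and her password are constructed sample values; the shared secret ccie is the one from the text. No packet is put on the wire.

```python
"""RADIUS shared-secret handling between a router (client) and a server.

Added illustration (not from the book): User-Password hiding (RFC 2865 §5.2)
and the Response Authenticator (RFC 2865 §3). Attributes other than
User-Name and User-Password are omitted, so the modelled Length is the
20-byte header only.
"""
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each chunk with MD5(secret + previous chunk);
    the first 'previous chunk' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk                      # ciphertext chunk feeds the next key
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; padding nulls are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here."""
    header = bytes([code, ident]) + (20).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + secret).digest()


# --- router (RADIUS client) side -------------------------------------------
def router_build_request(username: str, password: str, secret: bytes, ident: int = 1) -> dict:
    request_auth = os.urandom(16)         # fresh Request Authenticator per request
    return {"code": ACCESS_REQUEST, "id": ident, "authenticator": request_auth,
            "user_name": username,
            "user_password": hide_password(password.encode(), secret, request_auth)}


def router_check_response(request: dict, response: dict, secret: bytes) -> bool:
    """A reply computed with a different secret (or a forged one) fails this check."""
    expected = response_authenticator(response["code"], response["id"],
                                      request["authenticator"], secret)
    return response["id"] == request["id"] and hmac.compare_digest(response["authenticator"], expected)


# --- RADIUS server side ------------------------------------------------------
USER_DB = {"alice": b"s3cret-pw"}        # constructed sample user database


def server_handle(request: dict, secret: bytes) -> dict:
    revealed = reveal_password(request["user_password"], secret, request["authenticator"])
    stored = USER_DB.get(request["user_name"], b"")
    ok = bool(stored) and hmac.compare_digest(stored, revealed)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return {"code": code, "id": request["id"],
            "authenticator": response_authenticator(code, request["id"],
                                                    request["authenticator"], secret)}


def authenticate(username: str, password: str, router_secret: bytes, server_secret: bytes) -> str:
    """Full round trip: 'accept', 'reject', or 'bad-response' when the
    Response Authenticator does not verify under the router's secret."""
    req = router_build_request(username, password, router_secret)
    resp = server_handle(req, server_secret)
    if not router_check_response(req, resp, router_secret):
        return "bad-response"
    return "accept" if resp["code"] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("alice", "s3cret-pw", b"ccie", b"ccie"))   # matching key
    print(authenticate("alice", "s3cret-pw", b"ccie", b"other"))  # mismatched key
```

The mismatched-key case is the one worth noticing operationally: when the radius-server key on the router and the secret configured on the server differ, the server reveals garbage instead of the password and rejects, and the router then discards the reply because its authenticator does not verify, so the symptom is a silent timeout rather than an explicit error.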
Please refer to the “Need To Know More?” section at the end of this chapter for additional RADIUS references. Table 8.2 summarizes some useful RADIUS commands.
Table 8.2 Summary of common RADIUS commands.
radius-server retransmit <retries>            Indicates the number of retries a router will attempt before giving up.
radius-server timeout <seconds>               Indicates the number of seconds a router will wait before giving up on a response from the RADIUS server.
radius-server deadtime <minutes>              Specifies the number of minutes before a router will decide that the RADIUS server is unreachable.
ip radius source-interface <sub interface>    Specifies the interface for outgoing RADIUS packets.
radius-server host <ip address>               Specifies a remote RADIUS server. You can specify more than one.
radius-server key <password>                  Specifies the password used between the router and the RADIUS server.
To enable RADIUS to operate with AAA, you must use the keyword radius when applying any AAA commands.
Now, let’s move on to TACACS, which is an alternative protocol to RADIUS.
Terminal Access Controller Access Control System (TACACS)
Cisco IOS supports three versions of TACACS—TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password pairing.
The first version of TACACS provides simple password verification and authentication. Accounting is very limited in that only requests and denials are listed. Next, extended TACACS replaced the first version of TACACS.
TACACS+, also referred to as TACACS plus, provides detailed accounting and has to be used along with AAA (in other words, the aaa new-model command must be enabled). TACACS+ supersedes the earlier releases of TACACS.
In general, TACACS provides a centralized security system that validates users from any remote location. Typically, TACACS runs on a Windows NT station or Unix operating system. When a TACACS server authenticates a user, the following events occur:
1. The remote user is prompted for a username and password.
2. The username and password are sent across the data network and are authenticated.
3. The TACACS server accepts or rejects the username and password pair. The user might be asked to enter more information (this is called a challenge response). For example, a challenge response might appear when an error occurs during authentication. Further, a user might be prompted for additional information if TACACS is configured to require additional information.
Let’s now examine the TACACS+ configuration tasks required on a Cisco router.
TACACS+ requires AAA, but TACACS and extended TACACS cannot use AAA.
Configuring TACACS+
The steps required to enable TACACS+ are:
1. Use the aaa new-model command. AAA must be used with TACACS+.
2. Specify the TACACS+ server with the tacacs-server host command.
3. Specify the authentication key used between the router and the TACACS+ server.
4. Finally, because TACACS+ must be used in conjunction with AAA, you must specify TACACS+ authentication, authorization, and accounting.
The following example displays the required configuration for a Cisco router to authenticate users from the TACACS+ server with the host address 10.99.34.50:
aaa new-model
aaa authentication enable default tacacs+
! Sets router to use the TACACS+ server to authenticate the enable
! password
aaa authorization exec tacacs+
! Sets TACACS+ to authorize exec commands on the local router
aaa accounting exec start-stop tacacs+
! Accounting information is gathered for exec commands.
tacacs-server host 10.99.34.50
tacacs-server key ccie
In the preceding example, the password or key used between the router and TACACS+ server is set to ccie. You can set other configuration options to enable complex AAA commands. Table 8.3 lists some useful TACACS+ commands.
Table 8.3 Summary of common TACACS+ commands.
ip tacacs source-interface <sub interface>    Specifies the interface for outgoing TACACS+ packets.
tacacs-server host <ip address>               Specifies a remote TACACS+ server.
tacacs-server key <password>                  Specifies the authentication key used between a router and a TACACS+ server.
Note: See the “Need to Know More?” section at the end of this chapter for more references on TACACS examples.
Next, we’ll cover another common method of securing your network—using firewalls.
Private Internet Exchange (PIX) Firewalls
The Private Internet Exchange (PIX) firewall prevents unauthorized connections between two or more networks. The latest release versions of Cisco code for the PIX firewall also perform many advanced security features, such as AAA services, access lists, FTP logging, and also Cisco IOS-like interface commands. For a full description of all the features of a PIX firewall, refer to the “Need to Know More” section at the end of this chapter. The PIX firewall can also protect one or more networks from an outer, unprotected network. Further, the PIX firewall optionally supports multiple outside or perimeter networks, known as demilitarized zones (DMZs).
Note: When reading documentation surrounding PIX firewalls, realize that inside networks and outside networks refer to networks that the PIX is connected to. For instance, inside networks are protected by the PIX, and outside networks are where the bad guys are. Consider them as trusted and untrusted, respectively.
A PIX firewall permits a connection based on your security policy. For instance, you might allow Telnet sessions to be initiated from within your network but not allow them to be initiated into your network from outside your network.
The PIX firewall’s popularity stems from the fact that it is solely dedicated to security. A router is still required to connect to wide area networks, such as the Internet. Some companies use PIX firewalls for internal use only where they might have sensitive networks, such as payroll or human resources.
Figure 8.3 shows a typical network scenario where a PIX firewall is implemented between an inside network and an outside network.
Note: Each connection through a PIX firewall requires memory. Depending on the amount of RAM installed on a PIX, you can support up to 260,000 connections with 128MB. 16MB can support up to 32,768 connections, and 32MB of memory can support up to 65,536 connections. This is also how a PIX is licensed.
Demilitarized zones (DMZ) usually exist as a part of a network that the Internet community or the general public can access, such as Web, FTP, or SMTP servers. FTP servers, for instance, allow external users access to public files such as Cisco IOS software available online at ftp.cisco.com. The final security option we’ll look at is encryption.
Figure 8.3 PIX location.