FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge
MANAGING CISCO NETWORK SECURITY
Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA
Oliver Steudler, CCNA, CCDA, CNE
Jacques Allison, CCNP, ASE, MCSE+I
TECHNICAL EDITOR:
Florent Parent, Network Security Engineer, Viagénie Inc.
“Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.”
— David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA
President, Certified Tech Trainers
1 YEAR UPGRADE
BUYER PROTECTION PLAN
With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:
■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.
Once you've purchased this book, browse to www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
solutions@syngress.com
MANAGING CISCO NETWORK SECURITY: BUILDING ROCK-SOLID NETWORKS
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Managing Cisco Network Security: Building Rock-Solid Networks
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 1-928994-17-2
Copy edit by: Adrienne Rebello
Proofreading by: Nancy Kruse Hannigan
Technical review by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Technical edit by: Florent Parent
Index by: Robert Saigh
Project Editor: Mark A. Listewnik
Co-Publisher: Richard Kristof
Distributed by Publishers Group West
Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.
Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience.
We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.
Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.
Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge
Contributors
Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedicated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute. Russell's main area of expertise is in LAN routing and switching technologies and network security implementations.
Chapters 3, 4, and 6.
David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades.
Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing and troubleshooting complex networks.
Chapter 5.
Jacques Allison (CCNP, ASE, MCSE+I) has been involved with Microsoft-related projects on customer networks ranging from single domain and exchange organization migrations to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management.
He received his engineering diploma in Computer Systems in 1996 from the Technicon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997.
Jacques would like to dedicate his contribution for this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support.
Chapter 8.
John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years experience in the implementation, design, and troubleshooting of local and wide area networks as well as four years of experience as an instructor. John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is currently pursuing his CCIE. He would like to dedicate his efforts on this book to his daughter, Sydney.
Chapter 2.
Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security.
Chapter 1.
Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group www.ccguru.com. Pritpal owes his success to his family and life-long friend, Vaheguru Ji.
Chapter 7.
Technical Editor
Florent Parent is currently working at Viagénie, Inc. as a consultant in network architecture and security for a variety of organizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, network manager, and educator. He is involved in the architecture development and deployment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec work groups. In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9.
Technical Reviewer
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force.
While in the Air Force, Stace was involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO).
Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He is also a published author in “Internet Security Advisor” magazine.
His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house. Without their love and support, he would not be able to accomplish the goals he has set for himself.
Contents
Availability 10
Integrity 11
Confidentiality 12
Authentication 13
Authorization 14
Accounting 15
Secure HyperText Transport Protocol (S-HTTP) 28
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 29
Filtering 30
IP Security Protocols (IPSec) 31
Filtering (Access Control Lists) 34
Authentication 34
Terminal Access Controller Access Control System Plus (TACACS+) 34
Remote Access Dial-In User Service (RADIUS) 35
Cisco IP Security Hardware and Software 37
Cisco Secure Integrated Software 40
Cisco Secure Integrated VPN Software 40
Cisco Secure Access Control Server 41
Cisco Secure Intrusion Detection System 42
Cisco Secure Consulting Services 43
Summary 44
FAQs 45
Chapter 2 Traffic Filtering on the Cisco IOS 47
Introduction 48
Source Address and Wildcard Mask 53
Protocol 62
Source Address and Wildcard Mask 62
Destination Address and Wildcard Mask 63
Source and Destination Port Number 63
Established 65
Building Reflexive Access Lists 79
Applying Reflexive Access Lists 82
The Control-based Access Control Process 86
Configuring Control-based Access Control 86
Configuring Port to Application Mapping 91
Protecting a Network Connected to the Internet 93
Protecting Server Access Using Lock-and-Key 94
Protecting Public Servers Connected to the Internet 96
Summary 97
FAQs 98
Chapter 3 Network Address Translation (NAT) 99
Public, Global, and External Networks 104
Network Address Port Translation (NAPT) 108
Guidelines for Deploying NAT and NAPT 113
Configuring NAT between a
Configuring NAT in a Network with DMZ 124
Considerations on NAT and NAPT 127
IP Address Information in Data 127
Introduction 132
Overview of the Security Features 133
Differences Between IOS 4.x and 5.x 137
Installing the IOS over TFTP 143
Deny Everything That Is Not Explicitly Permitted 154
Allow Everything That Is Not Explicitly Denied 154
Identify the Resources to Protect 156
URL, ActiveX, and Java Filtering 168
Protecting a Network Connected to the Internet 172
Protecting Server Access Using Authentication 174
Protecting Public Servers Connected
Chapter 5 Virtual Private Networks 189
Introduction 190
Overview of the Different VPN Technologies 190
IPSec and Cisco Encryption Technology (CET) 210
IPSec Manual Keying Configuration 212
IPSec over GRE Tunnel Configuration 218
Connecting IPSec Clients to Cisco IPSec 226
Summary 231
FAQs 231
Chapter 6 Cisco Authentication, Authorization,
Introduction 234
Supported AAA Security Protocols 239
RADIUS 239
TACACS+ 243
Kerberos 246
RADIUS, TACACS+, or Kerberos 254
Login Authentication Using AAA 258
PPP Authentication Using AAA 261
Enable Password Protection for Privileged
Suppress Generation of Accounting Records
RADIUS Configuration Example 271
Typical RAS Configuration Using AAA 271
Typical Firewall Configuration Using AAA 276
How the Authentication Proxy Works 280
Comparison with the Lock-and-Key Feature 281
Benefits of Authentication Proxy 282
Restrictions of Authentication Proxy 282
Configuring Authentication Proxy 283
Configure Authentication Proxy 284
Authentication Proxy Configuration Example 285
Summary 286
FAQs 287
Introduction 290
Poor Network Perimeter/Device Security 291
Application and Operating Software Weaknesses 293
Web Server/Browser-based Attacks 293
Getting Passwords—Easy Ways in Cracking Programs 293
Network and Host-based
Network Vulnerability Analysis Tools 311
Cisco Secure Scanner (NetSonar) 311
Minimum System Specifications for
Searching the Network for Vulnerabilities 312
Keeping the System Up-to-Date 317