Managing Cisco Network Security
Florent Parent, Syngress, ISBN: 1928994172, Edition: 1, 2000-10-30, Price: $59.95
Contents
Preface ~ xxi
Chapter 1 Introduction to IP Network Security ~ 1
Introduction ~ 2
Protecting Your Site ~ 2
Typical Site Scenario ~ 5
Host Security ~ 7
Network Security ~ 9
Availability ~ 10
Integrity ~ 11
Confidentiality ~ 12
Access Control ~ 12
Authentication ~ 13
Authorization ~ 14
Accounting ~ 15
Network Communication in TCP/IP ~ 15
Application Layer ~ 17
Transport Layer ~ 18
TCP ~ 18
TCP Connection ~ 20
UDP ~ 21
Internet Layer ~ 22
IP ~ 22
ICMP ~ 23
ARP ~ 23
Network Layer ~ 24
Security in TCP/IP ~ 24
Cryptography ~ 24
Symmetric Cryptography ~ 25
Asymmetric Cryptography ~ 26
Hash Function ~ 26
Public Key Certificates ~ 27
Application Layer Security ~ 28
Pretty Good Privacy (PGP) ~ 28
Secure HyperText Transport Protocol (S-HTTP) ~ 28
Transport Layer Security ~ 29
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) ~ 29
Secure Shell (SSH) ~ 30
Filtering ~ 30
Network Layer Security ~ 31
IP Security Protocols (IPSec) ~ 31
Filtering (Access Control Lists) ~ 34
Data Link Layer Security ~ 34
Authentication ~ 34
Terminal Access Controller Access Control System Plus (TACACS+) ~ 34
Remote Access Dial-In User Service (RADIUS) ~ 35
Kerberos ~ 36
Cisco IP Security Hardware and Software ~ 37
Cisco Secure PIX Firewall ~ 37
Cisco Secure Integrated Software ~ 40
Cisco Secure Integrated VPN Software ~ 40
Cisco Secure VPN Client ~ 41
Cisco Secure Access Control Server ~ 41
Cisco Secure Scanner ~ 42
Cisco Secure Intrusion Detection System ~ 42
Cisco Secure Policy Manager ~ 43
Cisco Secure Consulting Services ~ 43
Summary ~ 44
FAQs ~ 45
Chapter 2 Traffic Filtering on the Cisco IOS ~ 47
Introduction ~ 48
Access Lists ~ 48
Access List Operation ~ 49
Types of Access Lists ~ 50
Standard IP Access Lists ~ 52
Source Address and Wildcard Mask ~ 53
Keywords any and host ~ 56
Keyword log ~ 57
Applying an Access List ~ 58
Extended IP Access Lists ~ 59
Keywords permit or deny ~ 62
Protocol ~ 62
Source Address and Wildcard-Mask ~ 62
Destination Address and Wildcard Mask ~ 63
Source and Destination Port Number ~ 63
Established ~ 65
Named Access Lists ~ 67
Editing Access Lists ~ 69
Problems with Access Lists ~ 70
Lock-and-Key Access Lists ~ 71
Reflexive Access Lists ~ 77
Building Reflexive Access Lists ~ 79
Applying Reflexive Access Lists ~ 82
Reflexive Access List Example ~ 82
Context-based Access Control ~ 84
The Control-based Access Control Process ~ 86
Configuring Control-based Access Control ~ 86
Inspection Rules ~ 89
Applying the Inspection Rule ~ 89
Configuring Port to Application Mapping ~ 91
Configuring PAM ~ 91
Protecting a Private Network ~ 92
Protecting a Network Connected to the Internet ~ 93
Protecting Server Access Using Lock-and-Key ~ 94
Protecting Public Servers Connected to the Internet ~ 96
Summary ~ 97
FAQs ~ 98
Chapter 3 Network Address Translation (NAT) ~ 99
Introduction ~ 100
NAT Overview ~ 100
Overview of NAT Devices ~ 100
Address Realm ~ 101
NAT ~ 101
Transparent Address Assignment ~ 102
Transparent Routing ~ 103
Public, Global, and External Networks ~ 104
Private and Local Networks ~ 105
Application Level Gateway ~ 105
NAT Architectures ~ 106
Traditional or Outbound NAT ~ 106
Network Address Port Translation (NAPT) ~ 108
Static NAT ~ 109
Twice NAT ~ 111
Guidelines for Deploying NAT and NAPT ~ 113
Configuring NAT on Cisco IOS ~ 116
Configuration Commands ~ 116
Verification Commands ~ 121
Configuring NAT between a Private Network and Internet ~ 122
Configuring NAT in a Network with DMZ ~ 124
Considerations on NAT and NAPT ~ 127
IP Address Information in Data ~ 127
Bundled Session Applications ~ 127
Peer-to-Peer Applications ~ 128
IP Fragmentation with NAPT En Route ~ 128
Applications Requiring Retention of Address Mapping ~ 128
IPSec and IKE ~ 129
Summary ~ 129
FAQs ~ 130
Chapter 4 Cisco PIX Firewall ~ 131
Introduction ~ 132
Overview of the Security Features ~ 133
Differences Between IOS 4.x and 5.x ~ 137
Initial Configuration ~ 139
Installing the PIX Software ~ 140
Basic Configuration ~ 140
Installing the IOS over TFTP ~ 143
Command Line Interface ~ 145
IP Configuration ~ 146
IP Address ~ 147
Configuring NAT and NAPT ~ 149
Security Policy Configuration ~ 153
Security Strategies ~ 153
Deny Everything That Is Not Explicitly Permitted ~ 154
Allow Everything That Is Not Explicitly Denied ~ 154
Identify the Resources to Protect ~ 156
Demilitarized Zone (DMZ) ~ 157
Identify the Security Services to Implement ~ 158
Authentication and Authorization ~ 158
Access Control ~ 159
Confidentiality ~ 159
URL, ActiveX, and Java Filtering ~ 160
Implementing the Network Security Policy ~ 160
Authentication Configuration in PIX ~ 160
Access Control Configuration in PIX ~ 163
Securing Resources ~ 165
URL, ActiveX, and Java Filtering ~ 168
PIX Configuration Examples ~ 170
Protecting a Private Network ~ 170
Protecting a Network Connected to the Internet ~ 172
Protecting Server Access Using Authentication ~ 174
Protecting Public Servers Connected to the Internet ~ 176
Securing and Maintaining the PIX ~ 182
System Journaling ~ 182
Securing the PIX ~ 184
Summary ~ 185
FAQs ~ 186
Chapter 5 Virtual Private Networks ~ 189
Introduction ~ 190
What Is a VPN? ~ 190
Overview of the Different VPN Technologies ~ 190
The Peer Model ~ 191
The Overlay Model ~ 192
Link Layer VPNs ~ 192
Network Layer VPNs ~ 193
Transport and Application Layer VPNs ~ 194
Layer 2 Transport Protocol (L2TP) ~ 195
Configuring Cisco L2TP ~ 196
LAC Configuration Example ~ 197
LNS Configuration Example ~ 197
IPSec ~ 198
IPSec Architecture ~ 201
Security Association ~ 202
Anti-Replay Feature ~ 203
Security Policy Database ~ 203
Authentication Header ~ 204
Encapsulating Security Payload ~ 205
Manual IPSec ~ 205
Internet Key Exchange ~ 206
Authentication Methods ~ 207
IKE and Certificate Authorities ~ 208
IPSec Limitations ~ 209
Network Performance ~ 209
Network Troubleshooting ~ 210
Interoperability with Firewalls and Network Address Translation Devices ~ 210
IPSec and Cisco Encryption Technology (CET) ~ 210
Configuring Cisco IPSec ~ 211
IPSec Manual Keying Configuration ~ 212
IPSec over GRE Tunnel Configuration ~ 218
Connecting IPSec Clients to Cisco IPSec ~ 226
Cisco Secure VPN Client ~ 226
Windows 2000 ~ 228
Linux FreeS/WAN ~ 229
BSD Kame Project ~ 230
Summary ~ 231
FAQs ~ 231
Chapter 6 Cisco Authentication, Authorization, and Accounting Mechanisms ~ 233
Introduction ~ 234
AAA Overview ~ 234
AAA Benefits ~ 238
Cisco AAA Mechanisms ~ 239
Supported AAA Security Protocols ~ 239
RADIUS ~ 239
TACACS+ ~ 243
Kerberos ~ 246
RADIUS, TACACS+, or Kerberos ~ 254
Authentication ~ 255
Login Authentication Using AAA ~ 258
PPP Authentication Using AAA ~ 261
Enable Password Protection for Privileged EXEC Mode ~ 263
Authorization ~ 263
Configure Authorization ~ 265
TACACS+ Configuration Example ~ 266
Accounting ~ 268
Configuring Accounting ~ 269
Suppress Generation of Accounting Records for Null Username Sessions ~ 271
RADIUS Configuration Example ~ 271
Typical RAS Configuration Using AAA ~ 271
Typical Firewall Configuration Using AAA ~ 276
Authentication Proxy ~ 280
How the Authentication Proxy Works ~ 280
Comparison with the Lock-and-Key Feature ~ 281
Benefits of Authentication Proxy ~ 282
Restrictions of Authentication Proxy ~ 282
Configuring Authentication Proxy ~ 283
Configuring the HTTP Server ~ 283
Configure Authentication Proxy ~ 284
Authentication Proxy Configuration Example ~ 285
Summary ~ 286
FAQs ~ 287
Chapter 7 Intrusion Detection ~ 289
Introduction ~ 290
What Is Intrusion Detection? ~ 290
Network Attacks and Intrusions ~ 290
Poor Network Perimeter/Device Security ~ 291
Network Sniffers ~ 291
Scanner Programs ~ 291
Network Topology ~ 292
Unattended Modems ~ 292
Poor Physical Security ~ 293
Application and Operating Software Weaknesses ~ 293
Software Bugs ~ 293
Web Server/Browser-based Attacks ~ 293
Getting Passwords: Easy Ways in Cracking Programs ~ 293
Trojan Horse Attacks ~ 294
Virus or Worm Attacks ~ 294
Human Failure ~ 295
Poorly Configured Systems ~ 295
Information Leaks ~ 295
Malicious Users ~ 296
Weaknesses in the IP Suite of Protocols ~ 296
Layer 7 Attacks ~ 298
Layer 5 Attacks ~ 299
Layer 3 and 4 Attacks ~ 300
Network and Host-based Intrusion Detection ~ 305
Network IDS ~ 305
Host IDS ~ 308
What Can't IDSs Do? ~ 308
Deploying in a Network ~ 309
Sensor Placement ~ 310
Network Vulnerability Analysis Tools ~ 311
Cisco's Approach to Security ~ 311
Cisco Secure Scanner (NetSonar) ~ 311
Minimum System Specifications for Secure Scanner V2.0 ~ 311
Searching the Network for Vulnerabilities ~ 312
Viewing the Results ~ 314
Keeping the System Up-to-Date ~ 317
Cisco Secure Intrusion Detection System (NetRanger) ~ 320
What Is NetRanger? ~ 320
Before You Install ~ 324
Director and Sensor Setup ~ 324
General Operation ~ 327
nrConfigure ~ 327
Data Management Package (DMP) ~ 329
Cisco IOS Intrusion Detection System ~ 331
Configuring IOS IDS Features ~ 332
Associated Commands ~ 335
Cisco Secure Integrated Software (Firewall Feature Set) ~ 335
Summary ~ 337
FAQs ~ 337
Chapter 8 Network Security Management ~ 341
Introduction ~ 342
PIX Firewall Manager ~ 342
PIX Firewall Manager Overview ~ 342
PIX Firewall Manager Benefits ~ 344
Supported PIX Firewall IOS Version Versus PIX Firewall Manager Version ~ 345
Installation Requirements for PIX Firewall Manager ~ 346
PIX Firewall Manager Features ~ 348
Using PIX Firewall Manager ~ 352
Configuration ~ 352
Installation Errors in PIX Firewall Manager ~ 354
A Configuration Example ~ 356
CiscoWorks 2000 ACL Manager ~ 361
ACL Manager Overview ~ 361
ACL Manager Device and Software Support ~ 364
Installation Requirements for ACL Manager ~ 364
ACL Manager Features ~ 366
Using a Structured Access Control Lists Security Policy ~ 366
Increase Deployment Time for Access Control Lists ~ 367
Ensure Consistency of Access Control Lists ~ 367
Keep Track of Changes Made on the Network ~ 368
Troubleshooting and Error Recovery ~ 368
Basic Operation of ACL Manager ~ 369
Using ACL Manager ~ 372
Configuration ~ 372
An ACL Manager Configuration Example ~ 374
Cisco Secure Policy Manager ~ 378
Cisco Secure Policy Manager Overview ~ 379
The Benefits of Using Cisco Secure Policy Manager ~ 379
Installation Requirements for Cisco Secure Policy Manager ~ 380
Cisco Secure Policy Manager Features ~ 382
Cisco Firewall Management ~ 382
VPN and IPSec Security Management ~ 382
Security Policy Management ~ 384
Network Security Deployment Options ~ 385
Cisco Secure Policy Manager Device and Software Support ~ 386
Using Cisco Secure Policy Manager ~ 388
Configuration ~ 388
CSPM Configuration Example ~ 389
Cisco Secure ACS ~ 393
Cisco Secure ACS Overview ~ 393
Cisco Secure ACS Benefits ~ 394
Installation Requirements for Cisco Secure ACS ~ 395
Cisco Secure ACS Features ~ 395
Placing Cisco Secure ACS in Your Network ~ 397
Cisco Secure ACS Device and Software Support ~ 398
Using Cisco Secure ACS ~ 399
Configuration ~ 399
Cisco Secure ACS Configuration Example ~ 401
Summary ~ 405
FAQs ~ 405
Chapter 9 Security Processes and Managing Cisco Security Fast Track ~ 407
Introduction ~ 408
What Is a Managing Cisco Security Fast Track? ~ 408
Introduction to Cisco Network Security ~ 408
Network Security ~ 409
Network Communications in TCP/IP ~ 409
Security in TCP/IP ~ 410
Traffic Filtering on the Cisco IOS ~ 412
Access Lists ~ 412
Standard and Extended Access Lists ~ 412
Reflexive Access Lists ~ 413
Context-based Access Control ~ 414
Network Address Translation (NAT) ~ 414
Private Addresses ~ 414
Network Address Translation ~ 415
Static NAT ~ 415
Traditional or Outbound NAT ~ 416
Network Address Port Translation (NAPT or PAT) ~ 416
Considerations ~ 416
Cisco PIX Firewall ~ 417
Security Policy Configuration ~ 418
Securing and Maintaining the PIX ~ 418
Virtual Private Networks (VPNs) ~ 419
L2TP ~ 419
IPSec ~ 419
Network Troubleshooting ~ 421
Interoperability with Firewalls and Network Address Translation Devices ~ 421
Cisco Authentication, Authorization and Accounting Mechanisms ~ 421
Authentication ~ 422
Authorization ~ 423
Accounting ~ 423
Intrusion Detection ~ 424
What Is Intrusion Detection? ~ 424
Cisco Secure Scanner (NetSonar) ~ 425
Cisco Secure NetRanger ~ 425
Cisco Secure Intrusion Detection Software ~ 426
Network Security Management ~ 426
Cisco PIX Firewall Manager ~ 427
CiscoWorks 2000 ACL Manager ~ 427
Cisco Secure Policy Manager ~ 428
Cisco Secure Access Control Manager ~ 429
General Security Configuration Recommendations on Cisco ~ 429
Remote Login and Passwords ~ 429
Disable Unused Network Services ~ 431
Logging and Backups ~ 433
Traffic Filtering ~ 433
Physical Access ~ 435
Keeping Up-to-Date ~ 435
Summary ~ 437
FAQs ~ 437
Index ~ 439