Managing Cisco Network Security P1

Chia sẻ: Tuyen Thon | Ngày: | Loại File: PDF | Số trang:30

lượt xem

Managing Cisco Network Security P1

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

The “2000 CSI/FBI Computer Crime and Security Survey,” conducted in early 2000 by the Computer Security Institute (CSI) with participation by the San Francisco office of the Federal Bureau of Investigation (FBI), showed that 90 percent of survey participants from large U.S. corporations, financial institutions, medical institutions, universities, and government agencies detected security breaches in 1999. About 70 percent of the participants experienced breaches more serious than viruses or employee Web abuse. Forty-two percent of survey participants (273 organizations) claimed financial losses totaling over 265 million dollars from cyber attacks. These security threats were composed of an assortment of attacks and abuses that originated both internally and externally to their...

Chủ đề:

Nội dung Text: Managing Cisco Network Security P1

  1. 1U YEARO TUPGRADE B YER PR ECTION PLAN MANAGING CISCO NETWORK SECURITY “Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.” —David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA FREE Monthly President, Certified Tech Trainers Technology Updates One-year Vendor Product Upgrade Protection Plan Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA Oliver Steudler, CCNA, CCDA, CNE FREE Membership to Jacques Allison, CCNP, ASE, MCSE+I Access.Globalknowledge TECHNICAL EDITOR: Florent Parent, Network Security Engineer, Viagénie Inc.
  2. With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created, a service that includes the following features: s A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters. s Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for s Regularly updated links to sites that our editors have determined offer valuable additional information on key topics. s Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors. Once you've purchased this book, browse to To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
  4. Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci- dental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 AWQ692ADSE 002 KT3LGY35C4 003 C3NXC478FV 004 235C87MN25 005 ZR378HT4DB 006 PF62865JK3 007 DTP435BNR9 008 QRDTKE342V 009 6ZDRW2E94D 010 U872G6S35N PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Managing Cisco Network Security: Building Rock-Solid Networks Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or dis- tributed in any form or by any means, or stored in a database or retrieval system, without the prior written per- mission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-17-2 Copy edit by: Adrienne Rebello Proofreading by: Nancy Kruse Hannigan Technical review by: Stace Cunningham Page Layout and Art by: Shannon Tozier Technical edit by: Florent Parent Index by: Robert Saigh Project Editor: Mark A. Listewnik Co-Publisher: Richard Kristof Distributed by Publishers Group West
  5. Acknowledgments We would like to acknowledge the following people for their kindness and sup- port in making this book possible. Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise net- works. Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise. Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope. Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help. David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthu- siasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series. v
  6. From Global Knowledge At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from pro- viding instructor-led training to hundreds of thousands of students world- wide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank your for the opportunity to serve you. We look forward to serving your needs again in the future. Warmest regards, Duncan Anderson President and Chief Executive Officer, Global Knowledge vi
  7. Contributors Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedi- cated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute. Russell’s main area of expertise is in LAN routing and switching technologies and network security implementations. Chapters 3, 4, and 6. David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades. Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing and troubleshooting complex networks. Chapter 5. vii
  8. Jacques Allison (CCNP, ASE, MCSE+I) Jacques has been involved with Microsoft-related projects on customer networks ranging from single domain and exchange organization migra- tions to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management. He received his engineering diploma in Computer Systems in 1996 from the Technicon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997. Jacques would like to dedicate his contribution for this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support. Chapter 8. John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years experience in the implemen- tation, design, and troubleshooting of local and wide area net- works as well as four years of experience as an instructor. John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is cur- rently pursuing his CCIE. He would like to dedicate his efforts on this book to his daughter, Sydney. Chapter 2. Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security. Chapter 1. viii
  9. Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group Pritpal owes his success to his family and life- long friend, Vaheguru Ji. Chapter 7. Technical Editor Florent Parent is currently working at Viagénie, Inc. as a con- sultant in network architecture and security for a variety of orga- nizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, net- work manager, and educator. He is involved in the architecture development and deploy- ment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec work groups. In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9. Technical Reviewer Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant cur- rently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementa- tion of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. ix
  10. While in the Air Force, Stace was involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits ensuring the appropriate level of cryptography necessary to pro- tect the level of information traversing the circuit as well the cir- cuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He is also a published author in “Internet Security Advisor” magazine. His wife Martha and daughter Marissa have been very sup- portive of the time he spends with the computers, routers, and firewalls in the “lab” of their house. Without their love and sup- port, he would not be able to accomplish the goals he has set for himself. x
  11. Contents Preface xxi Chapter 1 Introduction to IP Network Security 1 Introduction 2 Protecting Your Site 2 Typical Site Scenario 5 Host Security 7 Network Security 9 Availability 10 Integrity 11 Confidentiality 12 Access Control 12 Authentication 13 Authorization 14 Accounting 15 Network Communication in TCP/IP 15 Application Layer 17 Transport Layer 18 TCP 18 TCP Connection 20 UDP 21 Internet Layer 22 IP 22 ICMP 23 ARP 23 Network Layer 24 Security in TCP/IP 24 Cryptography 24 Symmetric Cryptography 25 Asymmetric Cryptography 26 Hash Function 26 Public Key Certificates 27 xi
  12. xii Contents Application Layer Security 28 Pretty Good Privacy (PGP) 28 Secure HyperText Transport Protocol (S-HTTP) 28 Transport Layer Security 29 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 29 Secure Shell (SSH) 30 Filtering 30 Network Layer Security 31 IP Security Protocols (IPSec) 31 Filtering (Access Control Lists) 34 Data Link Layer Security 34 Authentication 34 Terminal Access Controller Access Control System Plus (TACACS+) 34 Remote Access Dial-In User Service (RADIUS) 35 Kerberos 36 Cisco IP Security Hardware and Software 37 Cisco Secure PIX Firewall 37 Cisco Secure Integrated Software 40 Cisco Secure Integrated VPN Software 40 Cisco Secure VPN Client 41 Cisco Secure Access Control Server 41 Cisco Secure Scanner 42 Cisco Secure Intrusion Detection System 42 Cisco Secure Policy Manager 43 Cisco Secure Consulting Services 43 Summary 44 FAQs 45 Chapter 2 Traffic Filtering on the Cisco IOS 47 Introduction 48 Access Lists 48 Access List Operation 49 Types of Access Lists 50 Standard IP Access Lists 52 Source Address and Wildcard Mask 53 Keywords any and host 56 Keyword log 57 Applying an Access List 58 Extended IP Access Lists 59 Keywords permit or deny 62 Protocol 62 Source Address and Wildcard-Mask 62
  13. Contents xiii Destination Address and Wildcard Mask 63 Source and Destination Port Number 63 Established 65 Named Access Lists 67 Editing Access Lists 69 Problems with Access Lists 70 Lock-and-Key Access Lists 71 Reflexive Access Lists 77 Building Reflexive Access Lists 79 Applying Reflexive Access Lists 82 Reflexive Access List Example 82 Context-based Access Control 84 The Control-based Access Control Process 86 Configuring Control-based Access Control 86 Inspection Rules 89 Applying the Inspection Rule 89 Configuring Port to Application Mapping 91 Configuring PAM 91 Protecting a Private Network 92 Protecting a Network Connected to the Internet 93 Protecting Server Access Using Lock-and-Key 94 Protecting Public Servers Connected to the Internet 96 Summary 97 FAQs 98 Chapter 3 Network Address Translation (NAT) 99 Introduction 100 NAT Overview 100 Overview of NAT Devices 100 Address Realm 101 NAT 101 Transparent Address Assignment 102 Transparent Routing 103 Public, Global, and External Networks 104 Private and Local Networks 105 Application Level Gateway 105 NAT Architectures 106 Traditional or Outbound NAT 106 Network Address Port Translation (NAPT) 108 Static NAT 109 Twice NAT 111 Guidelines for Deploying NAT and NAPT 113
  14. xiv Contents Configuring NAT on Cisco IOS 116 Configuration Commands 116 Verification Commands 121 Configuring NAT between a Private Network and Internet 122 Configuring NAT in a Network with DMZ 124 Considerations on NAT and NAPT 127 IP Address Information in Data 127 Bundled Session Applications 127 Peer-to-Peer Applications 128 IP Fragmentation with NAPT En Route 128 Applications Requiring Retention of Address Mapping 128 IPSec and IKE 129 Summary 129 FAQs 130 Chapter 4 Cisco PIX Firewall 131 Introduction 132 Overview of the Security Features 133 Differences Between IOS 4.x and 5.x 137 Initial Configuration 139 Installing the PIX Software 140 Basic Configuration 140 Installing the IOS over TFTP 143 Command Line Interface 145 IP Configuration 146 IP Address 147 Configuring NAT and NAPT 149 Security Policy Configuration 153 Security Strategies 153 Deny Everything That Is Not Explicitly Permitted 154 Allow Everything That Is Not Explicitly Denied 154 Identify the Resources to Protect 156 Demilitarized Zone (DMZ) 157 Identify the Security Services to Implement 158 Authentication and Authorization 158 Access Control 159 Confidentiality 159 URL, ActiveX, and Java Filtering 160 Implementing the Network Security Policy 160 Authentication Configuration in PIX 160 Access Control Configuration in PIX 163
  15. Contents xv Securing Resources 165 URL, ActiveX, and Java Filtering 168 PIX Configuration Examples 170 Protecting a Private Network 170 Protecting a Network Connected to the Internet 172 Protecting Server Access Using Authentication 174 Protecting Public Servers Connected to the Internet 176 Securing and Maintaining the PIX 182 System Journaling 182 Securing the PIX 184 Summary 185 FAQs 186 Chapter 5 Virtual Private Networks 189 Introduction 190 What Is a VPN? 190 Overview of the Different VPN Technologies 190 The Peer Model 191 The Overlay Model 192 Link Layer VPNs 192 Network Layer VPNs 193 Transport and Application Layer VPNs 194 Layer 2 Transport Protocol (L2TP) 195 Configuring Cisco L2TP 196 LAC Configuration Example 197 LNS Configuration Example 197 IPSec 198 IPSec Architecture 201 Security Association 202 Anti-Replay Feature 203 Security Policy Database 203 Authentication Header 204 Encapsulating Security Payload 205 Manual IPSec 205 Internet Key Exchange 206 Authentication Methods 207 IKE and Certificate Authorities 208 IPSec Limitations 209 Network Performance 209 Network Troubleshooting 210 Interoperability with Firewalls and Network Address Translation Devices 210
  16. xvi Contents IPSec and Cisco Encryption Technology (CET) 210 Configuring Cisco IPSec 211 IPSec Manual Keying Configuration 212 IPSec over GRE Tunnel Configuration 218 Connecting IPSec Clients to Cisco IPSec 226 Cisco Secure VPN Client 226 Windows 2000 228 Linux FreeS/WAN 229 BSD Kame Project 230 Summary 231 FAQs 231 Chapter 6 Cisco Authentication, Authorization, and Accounting Mechanisms 233 Introduction 234 AAA Overview 234 AAA Benefits 238 Cisco AAA Mechanisms 239 Supported AAA Security Protocols 239 RADIUS 239 TACACS+ 243 Kerberos 246 RADIUS, TACACS+, or Kerberos 254 Authentication 255 Login Authentication Using AAA 258 PPP Authentication Using AAA 261 Enable Password Protection for Privileged EXEC Mode 263 Authorization 263 Configure Authorization 265 TACACS+ Configuration Example 266 Accounting 268 Configuring Accounting 269 Suppress Generation of Accounting Records for Null Username Sessions 271 RADIUS Configuration Example 271 Typical RAS Configuration Using AAA 271 Typical Firewall Configuration Using AAA 276 Authentication Proxy 280 How the Authentication Proxy Works 280 Comparison with the Lock-and Key Feature 281 Benefits of Authentication Proxy 282 Restrictions of Authentication Proxy 282 Configuring Authentication Proxy 283
  17. Contents xvii Configuring the HTTP Server 283 Configure Authentication Proxy 284 Authentication Proxy Configuration Example 285 Summary 286 FAQs 287 Chapter 7 Intrusion Detection 289 Introduction 290 What Is Intrusion Detection? 290 Network Attacks and Intrusions 290 Poor Network Perimeter/Device Security 291 Network Sniffers 291 Scanner Programs 291 Network Topology 292 Unattended Modems 292 Poor Physical Security 293 Application and Operating Software Weaknesses 293 Software Bugs 293 Web Server/Browser-based Attacks 293 Getting Passwords—Easy Ways in Cracking Programs 293 Trojan Horse Attacks 294 Virus or Worm Attacks 294 Human Failure 295 Poorly Configured Systems 295 Information Leaks 295 Malicious Users 296 Weaknesses in the IP Suite of Protocols 296 Layer 7 Attacks 298 Layer 5 Attacks 299 Layer 3 and 4 Attacks 300 Network and Host-based Intrusion Detection 305 Network IDS 305 Host IDS 308 What Can’t IDSs Do? 308 Deploying in a Network 309 Sensor Placement 310 Network Vulnerability Analysis Tools 311 Cisco’s Approach to Security 311 Cisco Secure Scanner (NetSonar) 311 Minimum System Specifications for Secure Scanner V2.0 311 Searching the Network for Vulnerabilities 312 Viewing the Results 314 Keeping the System Up-to-Date 317
  18. xviii Contents Cisco Secure Intrusion Detection System (NetRanger) 320 What Is NetRanger? 320 Before You Install 324 Director and Sensor Setup 324 General Operation 327 nrConfigure 327 Data Management Package (DMP) 329 Cisco IOS Intrusion Detection System 331 Configuring IOS IDS Features 332 Associated Commands 335 Cisco Secure Integrated Software (Firewall Feature Set) 335 Summary 337 FAQs 337 Chapter 8 Network Security Management 341 Introduction 342 PIX Firewall Manager 342 PIX Firewall Manager Overview 342 PIX Firewall Manager Benefits 344 Supported PIX Firewall IOS Version Versus PIX Firewall Manager Version 345 Installation Requirements for PIX Firewall Manager 346 PIX Firewall Manager Features 348 Using PIX Firewall Manager 352 Configuration 352 Installation Errors in PIX Firewall Manager 354 A Configuration Example 356 CiscoWorks 2000 ACL Manager 361 ACL Manager Overview 361 ACL Manager Device and Software Support 364 Installation Requirements for ACL Manager 364 ACL Manager Features 366 Using a Structure Access Control Lists Security Policy 366 Increase Deployment Time for Access Control Lists 367 Ensure Consistency of Access Control Lists 367 Keep Track of Changes Made on the Network 368 Troubleshooting and Error Recovery 368 Basic Operation of ACL Manager 369 Using ACL Manager 372 Configuration 372 An ACL Manager Configuration Example 374 Cisco Secure Policy Manager 378 Cisco Secure Policy Manager Overview 379
  19. Contents xix The Benefits of Using Cisco Secure Policy Manager 379 Installation Requirements for Cisco Secure Policy Manager 380 Cisco Secure Policy Manager Features 382 Cisco Firewall Management 382 VPN and IPSec Security Management 382 Security Policy Management 384 Network Security Deployment Options 385 Cisco Secure Policy Manager Device and Software Support 386 Using Cisco Secure Policy Manager 388 Configuration 388 CSPM Configuration Example 389 Cisco Secure ACS 393 Cisco Secure ACS Overview 393 Cisco Secure ACS Benefits 394 Installation Requirements for Cisco Secure ACS 395 Cisco Secure ACS Features 395 Placing Cisco Secure ACS in Your Network 397 Cisco Secure ACS Device and Software Support 398 Using Cisco Secure ACS 399 Configuration 399 Cisco Secure ACS Configuration Example 401 Summary 405 FAQs 405 Chapter 9 Security Processes and Managing Cisco Security Fast Track 407 Introduction 408 What Is a Managing Cisco Security Fast Track? 408 Introduction to Cisco Network Security 408 Network Security 409 Network Communications in TCP/IP 409 Security in TCP/IP 410 Traffic Filtering on the Cisco IOS 412 Access Lists 412 Standard and Extended Access Lists 412 Reflexive Access Lists 413 Context-based Access Control 414 Network Address Translation (NAT) 414 Private Addresses 414 Network Address Translation 415 Static NAT 415
Đồng bộ tài khoản