List of Figures
List of Figures
Chapter 1: Understanding Network Security Threats
- Figure 1-1: Bandwidth comparison for ISP to client links vs. ISP upstream links
- Figure 1-2: DoS attack with a single attacker and a single target
- Figure 1-3: DDoS attack involving Zombie remote hosts
- Figure 1-4: DRDoS attack showing the interim hosts
- Figure 1-5: Cisco Security Wheel depicting the evolution of a security system
- Figure 1-6: Balancing security needs with user ease of use
Chapter 2: Securing the Network
- Figure 2-1: A firewall separating the three security areas
- Figure 2-2: Console port on an 800 model telecommuter router
- Figure 2-3: Two-router network with two ACLs
- Figure 2-4: Two-router network for two branch locations
- Figure 2-5: Web browser access to a 2500 router
- Figure 2-6: TCP three-way handshake to establish a session
Chapter 3: Cisco AAA Security Technology
- Figure 3-1: Four-port serial module for a 4000 series router
- Figure 3-2: NM-16A module for 2600/3600 routers
- Figure 3-3: AAA and NAS server providing secure remote access to a network
Chapter 4: Cisco Secure ACS and TACACS+/RADIUS Technologies
- Figure 4-1: Cisco Secure ACS with an NAS AAA client
- Figure 4-2: Cisco Secure ACS using its own database to authenticate users
- Figure 4-3: Cisco Secure ACS using Windows security database for authentication
- Figure 4-4: Remote user authentication using Token Card
- Figure 4-5: Cisco Secure ACS HTML interface
- Figure 4-6: ACS configuration screen
- Figure 4-7: Configuration Area Submit and Cancel buttons
- Figure 4-8: Interface configuration setting TACACS+ features
- Figure 4-9: ACS System Configuration options
- Figure 4-10: Network configuration showing the NAS router and the AAA server
- Figure 4-11: Example of group setup options
- Figure 4-12: User account entry screen
Chapter 5: Securing Cisco Perimeter?Routers
- Figure 5-1: Network design with perimeter security
- Figure 5-2: Cisco 806 router for telecommuter or small office firewalls
- Figure 5-3: Simple example of lock-and-key access
- Figure 5-4: Topology impacts on interface selection
- Figure 5-5: NAT translation for inside network 10.0.0.0
- Figure 5-6: Router Rtr1 redirects traffic to Rtr2
Chapter 6: IOS Firewall Feature Set—CBAC
- Figure 6-1: Cisco CCO IOS Upgrade Planner showing feature sets
- Figure 6-2: Simple perimeter router with internal and external interface
- Figure 6-3: Simple firewall design with a protected DMZ
- Figure 6-4: Cisco ConfigMaker tool for network design and implementation
Chapter 7: IOS Firewall—Intrusion Detection System
- Figure 7-1: Cisco CCO IOS Upgrade Planner showing IDS feature sets
- Figure 7-2: Sample Syslog output showing IDS activity
Chapter 8: IOS Firewall—Authentication Proxy
- Figure 8-1: Authentication proxy login screen
- Figure 8-2: Authentication successful attempt response message
- Figure 8-3: Simple network implementation for authentication proxy
- Figure 8-4: Firewall router performing NAT translations
- Figure 8-5: Cisco Secure ACS for Windows opening screen
- Figure 8-6: Interface Configuration screen showing the TACACS+ and RADIUS options
- Figure 8-7: TACACS+ configuration page showing the New Services section
- Figure 8-8: Advanced TACACS+ configuration options
- Figure 8-9: Downloadable profile entries and activation buttons
Chapter 9: Cisco IOS IPSec Introduction
- Figure 9-1: VPN opportunities to extend the corporate LAN services
- Figure 9-2: Remote-access type VPN connections
- Figure 9-3: An example of site-to-site VPN connection
- Figure 9-4: VPN connection types supported by Cisco devices
- Figure 9-5: Layer 3 VPN tunneling representation
- Figure 9-6: AH authentication and integrity process
- Figure 9-7: DES encryption process
- Figure 9-8: VPN Transport mode connections
- Figure 9-9: Typical Tunnel mode VPN connections
- Figure 9-10: AH Transport mode versus AH Tunnel mode
- Figure 9-11: AH implementation to work with NAT
- Figure 9-12: ESP Transport mode versus AH Tunnel mode
- Figure 9-13: IPSec transform options
- Figure 9-14: Cleartext being processed using a key to produce cipher text
- Figure 9-15: Encryption implementation options
- Figure 9-16: HMAC hash process showing the private encryption key
- Figure 9-17: IPSec session five steps
- Figure 9-18: Preshared key authentication exchange
- Figure 9-19: RSA signature authentication exchange
- Figure 9-20: RSA encryption authentication exchange
Chapter 10: Cisco IOS IPSec for Preshared Keys
- Figure 10-1: Chapter scenario VPN session to be configured
- Figure 10-2: Chapter scenario network showing peer connections
- Figure 10-3: IPSec transform options
Chapter 11: Cisco IOS IPSec Certificate Authority Support
- Figure 11-1: Rtr1 sharing secure data with Rtr10 using a public key
- Figure 11-2: The attacker and Rtr10 now share a key, allowing the attacker to decrypt the messages.
- Figure 11-3: Conceptual representation of a digital certificate
- Figure 11-4: Chapter scenario VPN session to be configured
- Figure 11-5: Configuration parameters for VeriSign CA support
- Figure 11-6: RSA-encryption authentication exchange
Chapter 12: Cisco IOS Remote Access Using Cisco Easy VPN
- Figure 12-1: A secure VPN tunnel and split tunneling for web browsing
- Figure 12-2: Starting the Cisco VPN Client software
- Figure 12-3: Cisco Systems VPN Client opening dialog box
- Figure 12-4: Define connection name and description
- Figure 12-5: Using an IP address to define a VPN head-end device
- Figure 12-6: Entering the IPSec group and password
- Figure 12-7: Final New Connection Entry Wizard dialog box
- Figure 12-8: The Cisco Systems VPN Client main dialog box is ready to connect.
- Figure 12-9: VPN connection progress dialog box
- Figure 12-10: Windows user authentication box
- Figure 12-11: VPN Client customization options
- Figure 12-12: Router (Rtr2) acting as both an Easy VPN Client and a Server
- Figure 12-13: Stateful Firewall (Always on) on the Options menu
- Figure 12-14: Cisco System VPN Client Connection Status information box
- Figure 12-15: Firewall tab for CPP
- Figure 12-16: Client/Server Firewall tab
- Figure 12-17: VPN Client connection statistics
Chapter 13: Cisco VPN Hardware Overview
- Figure 13-1: Cisco VPN 3002 Client device (front view)
- Figure 13-2: Cisco VPN 3002 Client with built-in 8-port switch
- Figure 13-3: VPN 3005 front and rear views
- Figure 13-4: VPN 3015 front and rear views
Chapter 14: Cisco VPN 3000 Remote Access Networks
- Figure 14-1: VPN Concentrator Manager Quick Configuration option screen
- Figure 14-2: VPN 3000 Concentrator Manager login screen
- Figure 14-3: Manager opening screen
- Figure 14-4: Configuration menu fully expanded
- Figure 14-5: Administration menu fully expanded
- Figure 14-6: Monitoring menu fully expanded
- Figure 14-7: System monitoring screen
- Figure 14-8: VPN 3000 Concentrator Manager Help system
- Figure 14-9: Typical Manager screen with reminder icons
- Figure 14-10: Remote access type VPN connections
- Figure 14-11: LAN-to-LAN VPN connection example
- Figure 14-12: VPN Concentrator remote access scenario
- Figure 14-13: Configuring the public interface
- Figure 14-14: Setting the default gateway for the Concentrator
- Figure 14-15: Using the Configuration | Interfaces screen to confirm configuration
- Figure 14-16: Creating a new static route
- Figure 14-17: Defined default and static routes
- Figure 14-18: Selecting an inside address assignment method for remote users
- Figure 14-19: Defining a pool of addresses for remote users to use
- Figure 14-20: Managing IP address pools for remote users
- Figure 14-21: General Default Settings tab
- Figure 14-22: Setting IPSec defaults
- Figure 14-23: Setting Cisco Client default parameters
- Figure 14-24: Setting Microsoft Client parameters and Common Client parameters
- Figure 14-25: Defining client firewall default requirements
- Figure 14-26: Defining VPN 3002 Hardware Client defaults
- Figure 14-27: Screen to create and manage user groups
- Figure 14-28: Creating a group and defining a password
- Figure 14-29: Group parameters screen showing the Inherit option
- Figure 14-30: User management screen for adding users
- Figure 14-31: Defining a VPN user
- Figure 14-32: Configuration menu options
- Figure 14-33: Default access definitions
- Figure 14-34: Modify or add a new access definition
- Figure 14-35: Change access hours for a specific group
- Figure 14-36: Certificate management screen
- Figure 14-37: Install CA Certificate screen
- Figure 14-38: CA certificate request information
- Figure 14-39: Certificate management enrollment screen
- Figure 14-40: Enrollment Identity screen to select a certificate
- Figure 14-41: Screen to add certificate enrollment information
- Figure 14-42: SCEP Status: Installed
- Figure 14-43: IKE Proposal options
- Figure 14-44: IKE Proposal option to be modified
- Figure 14-45: Defining the IKE parameters for the IPSec SA
- Figure 14-46: New Connection Entry Wizard box
- Figure 14-47: Cisco Systems VPN Client box
- Figure 14-48: VPN 3000 Administration menu
- Figure 14-49: The Administration | Administer Sessions screen summarizing VPN activity
- Figure 14-50: Ping screen
- Figure 14-51: System reboot and shutdown options
- Figure 14-52: VPN Concentrator software upgrade screen
- Figure 14-53: Monitoring menu options
- Figure 14-54: Routing table entries
Chapter 15: Configuring Cisco VPN 3002 Remote Clients
- Figure 15-1: Cisco VPN 3002 Client device (front view)
- Figure 15-2: Cisco VPN 3002 Client models
- Figure 15-3: VPN 3002 connection overview and detail view
- Figure 15-4: VPN 3002 Hardware Client Manager
- Figure 15-5: VPN 3002 Hardware Client Manager login screen
- Figure 15-6: Client Manager opening screen
- Figure 15-7: VPN 3002 Client Manager help system
- Figure 15-8: Client Manager menu tree expanded on the left side
- Figure 15-9: VPN 3002 Update process using the web interface
- Figure 15-10: Web interface displaying system status
- Figure 15-11: PPPoE configuration on the public interface screen
- Figure 15-12: VPN 3002 configuration scenario
- Figure 15-13: Screen to set date, time, and time zone for the device
- Figure 15-14: Choice to upload an existing configuration file
- Figure 15-15: Configure the private interface
- Figure 15-16: Configuring the DHCP server
- Figure 15-17: Screen to configure the public interface
- Figure 15-18: IPSec configuration screen
- Figure 15-19: Client mode or Network Extension mode choice
- Figure 15-20: Define ISP DNS server and domain name (optional)
- Figure 15-21: Existing static routes
- Figure 15-22: Adding a static route to the VPN 3002
- Figure 15-23: DHCP Options configuration screen
- Figure 15-24: Configure Interactive Hardware Client Authentication
- Figure 15-25: Configure backup servers directly on the VPN 3002 Client
- Figure 15-26: Configure backup servers on the VPN Concentrator
- Figure 15-27: Configuring load balancing
- Figure 15-28: Using SCEP to enroll certificates
- Figure 15-29: VPN scenario network with the main office using RRI
- Figure 15-30: Configuring Reverse Route Injection
- Figure 15-31: Configuring IKE proposals, including AES and DH 1, 5, and 7
- Figure 15-32: Configuring a banner to be pushed to VPN 3002s
- Figure 15-33: Client auto-update screen
- Figure 15-34: Configuration | System | Client Update | Entries screen
- Figure 15-35: Adding or modifying a client update entry
Chapter 16: Cisco VPN 3000 LAN-to-LAN Networks
- Figure 16-1: Common LAN-to-LAN VPN implementations
- Figure 16-2: VPN 3002 configuration scenario
- Figure 16-3: Main Office interfaces configuration
- Figure 16-4: Network List creation and management screen
- Figure 16-5: Screen to create a new network list
- Figure 16-6: Enabling inbound RIP on Ethernet 1
- Figure 16-7: IKE Proposal Options
- Figure 16-8: IKE Proposal option to be modified
- Figure 16-9: Top half of the Tunnel | Add screen
- Figure 16-10: Bottom half of the Tunnel | Add screen
- Figure 16-11: Update the Authentication mode to use digital certificates
- Figure 16-12: Configuring IPSec NAT Transparency
- Figure 16-13: Configuring NAT Transparency on the client software
- Figure 16-14: Configuring IPSec over UDP on the Concentrator
- Figure 16-15: Overlapping network address scenario
- Figure 16-16: Configuring the local and remote networks
- Figure 16-17: Defining the translations
- Figure 16-18: LAN-to-LAN Tunnel NAT Rule enabled
- Figure 16-19: Configuring the default gateway
- Figure 16-20: RRI configuration screen
- Figure 16-21: Enabling RIP on the private interface
- Figure 16-22: Configuring VRRP
Chapter 17: CiscoSecure PIX Firewalls
- Figure 17-1: PIX security levels with a DMZ interface
Chapter 19: Access Through the PIX Firewall
- Figure 19-1: A two-interface firewall showing data traffic flows
- Figure 19-2: PIX security levels with a DMZ interface
- Figure 19-3: Stateless firewall with reflexive-type filtering
- Figure 19-4: OSI model encapsulation process
- Figure 19-5: IP header information
- Figure 19-6: TCP header information showing flag bits and other fields
- Figure 19-7: TCP/IP application layer header for SNMP data
- Figure 19-8: First step of the TCP setup handshake
- Figure 19-9: Second step of the TCP setup handshake
- Figure 19-10: Protected DMZ server that must be accessed from the outside
- Figure 19-11: Pool of DMZ servers that need to be mapped to global IP addresses
- Figure 19-12: A pool of DMZ servers that already have global IP addresses
- Figure 19-13: Static translation for a DNS server on a DMZ network
- Figure 19-14: A network with a PIX Firewall using a Websense server
- Figure 19-15: Websense screen explaining that the selected site is blocked
- Figure 19-16: Perimeter router, PIX Firewall, and Layer 3 switch implementation
Chapter 20: Advanced PIX Firewall?Features
- Figure 20-1: SNMP management station in the inside network
Chapter 21: Firewalls and VPN Features
- Figure 21-1: IPSec site-to-site VPN implementation (tunnel mode)
- Figure 21-2: IPSec remote access VPN implementation (transport mode)
- Figure 21-3: Basic PIX Firewall supporting PPPoE
- Figure 21-4: PDM graphical interface showing the System Properties page
Chapter 22: Managing and Maintaining the PIX Firewall
- Figure 22-1: PDM graphical interface showing the System Properties page
- Figure 22-2: Internet Explorer Advanced Options tab
- Figure 22-3: The Help | About Cisco PDM screen
- Figure 22-4: The PDM Startup Wizard opening screen
- Figure 22-5: Screen 2 of the PDM Start Wizard changes PIX names and password
- Figure 22-6: Configuring Telnet access using PDM
- Figure 22-7: Configuring a Syslog Server with PDM
- Figure 22-8: VPN IKE policy configuration using PDM
- Figure 22-9: VPN Wizard opening screen with VPN type selection
- Figure 22-10: VPN remote peer definition and authentication type
- Figure 22-11: Transform Set panel for defining encryption and authentication
- Figure 22-12: IPSec Traffic Selector panels for designating protected addresses
- Figure 22-13: Remote Access Client panel for selecting the client type
- Figure 22-14: VPN Client Group panel for defining the VPN groups
- Figure 22-15: Extended Client Authentication panel choices
- Figure 22-16: Address Translation Exemption panel
- Figure 22-17: Two PIX Firewall units forming a simple serial failover pair
- Figure 22-18: Failover system with stateful failover cable installed
Chapter 23: Intrusion Detection System Overview
- Figure 23-1: Attacking IP trust relationships between compromised hosts
- Figure 23-2: Manipulating network-based sensors using TTL
Chapter 24: Cisco Secure Intrusion Detection System
- Figure 24-1: Model 4210 rear panel
- Figure 24-2: Models 4235 and 4250 rear panel
- Figure 24-3: Model 4230 rear panel
- Figure 24-4: Cisco Catalyst 6000 IDS module
- Figure 24-5: Reliable message delivery via the PostOffice protocol
- Figure 24-6: Redundant director platforms
- Figure 24-7: CIDS multihomed director platform
- Figure 24-8: PostOffice host and organization addressing
- Figure 24-9: Using Device Management to block an IP address
- Figure 24-10: CIDS sensor architecture
- Figure 24-11: Director architecture
- Figure 24-12: IDS Directory structure
Chapter 25: Sensor Installation and Configuration
- Figure 25-1: Sensor deployment at network entry points
- Figure 25-2: Sensor in front of a filtering device
- Figure 25-3: Sensor behind a filtering device
- Figure 25-4: IDS Device Manager initial view
- Figure 25-5: Security warning dialog box
- Figure 25-6: Apply changes
- Figure 25-7: Network Security Database
- Figure 25-8: IDS Device Manager Network panel
- Figure 25-9: Adding allowed hosts
- Figure 25-10: Remote Access configuration
- Figure 25-11: Remote Hosts panel
- Figure 25-12: Signature groups configuration pane
- Figure 25-13: Configration panel for built-in and custom signatures
- Figure 25-14: TCP connection signatures configuration pane
- Figure 25-15: UPD connection signatures configuration pane
- Figure 25-16: String matching signature configuration pane
- Figure 25-17: Level of logging configuration pane
- Figure 25-18: Signature filtering configuration pane
- Figure 25-19: Spam control configuration pane
- Figure 25-20: IP fragmentation reassembly configuration pane
- Figure 25-21: TCP reassembly configuration pane
- Figure 25-22: Sensing properties configuration panel
- Figure 25-23: Event logging configuration panel
- Figure 25-24: Exporting event logs configuration panel
- Figure 25-25: The blocking properties configuration panel
- Figure 25-26: Never block addresses configuration panel
- Figure 25-27: Adding a managed device
- Figure 25-28: The Logs Sub-Area
- Figure 25-29: Sensor statistics report
- Figure 25-30: System information report
- Figure 25-31: Scheduled updates
- Figure 25-32: Manual blocking configuration panel
Appendix A: Access Control Lists
- Figure A-1: Inbound and outbound traffic flows on router interfaces
- Figure A-2: Binary to decimal conversion tool
- Figure A-3: Extended access list processing steps
- Figure A-4: TCP three-way handshake to establish a session
