List of Figures

List of Figures

Chapter 1: Understanding Network Security Threats

Figure 1-1: Bandwidth comparison for ISP to client links vs. ISP upstream links
Figure 1-2: DoS attack with a single attacker and a single target
Figure 1-3: DDoS attack involving Zombie remote hosts
Figure 1-4: DRDoS attack showing the interim hosts
Figure 1-5: Cisco Security Wheel depicting the evolution of a security system
Figure 1-6: Balancing security needs with user ease of use

Chapter 2: Securing the Network

Figure 2-1: A firewall separating the three security areas
Figure 2-2: Console port on an 800 model telecommuter router
Figure 2-3: Two-router network with two ACLs
Figure 2-4: Two-router network for two branch locations
Figure 2-5: Web browser access to a 2500 router
Figure 2-6: TCP three-way handshake to establish a session

Chapter 3: Cisco AAA Security Technology

Figure 3-1: Four-port serial module for a 4000 series router
Figure 3-2: NM-16A module for 2600/3600 routers
Figure 3-3: AAA and NAS server providing secure remote access to a network

Chapter 4: Cisco Secure ACS and TACACS+/RADIUS Technologies

Figure 4-1: Cisco Secure ACS with an NAS AAA client
Figure 4-2: Cisco Secure ACS using its own database to authenticate users
Figure 4-3: Cisco Secure ACS using Windows security database for authentication
Figure 4-4: Remote user authentication using Token Card
Figure 4-5: Cisco Secure ACS HTML interface
Figure 4-6: ACS configuration screen
Figure 4-7: Configuration Area Submit and Cancel buttons
Figure 4-8: Interface configuration setting TACACS+ features
Figure 4-9: ACS System Configuration options
Figure 4-10: Network configuration showing the NAS router and the AAA server
Figure 4-11: Example of group setup options
Figure 4-12: User account entry screen

Chapter 5: Securing Cisco Perimeter?Routers

Figure 5-1: Network design with perimeter security
Figure 5-2: Cisco 806 router for telecommuter or small office firewalls
Figure 5-3: Simple example of lock-and-key access
Figure 5-4: Topology impacts on interface selection
Figure 5-5: NAT translation for inside network
Figure 5-6: Router Rtr1 redirects traffic to Rtr2

Chapter 6: IOS Firewall Feature Set—CBAC

Figure 6-1: Cisco CCO IOS Upgrade Planner showing feature sets
Figure 6-2: Simple perimeter router with internal and external interface
Figure 6-3: Simple firewall design with a protected DMZ
Figure 6-4: Cisco ConfigMaker tool for network design and implementation

Chapter 7: IOS Firewall—Intrusion Detection System

Figure 7-1: Cisco CCO IOS Upgrade Planner showing IDS feature sets
Figure 7-2: Sample Syslog output showing IDS activity

Chapter 8: IOS Firewall—Authentication Proxy

Figure 8-1: Authentication proxy login screen
Figure 8-2: Authentication successful attempt response message
Figure 8-3: Simple network implementation for authentication proxy
Figure 8-4: Firewall router performing NAT translations
Figure 8-5: Cisco Secure ACS for Windows opening screen
Figure 8-6: Interface Configuration screen showing the TACACS+ and RADIUS options
Figure 8-7: TACACS+ configuration page showing the New Services section
Figure 8-8: Advanced TACACS+ configuration options
Figure 8-9: Downloadable profile entries and activation buttons

Chapter 9: Cisco IOS IPSec Introduction

Figure 9-1: VPN opportunities to extend the corporate LAN services
Figure 9-2: Remote-access type VPN connections
Figure 9-3: An example of site-to-site VPN connection
Figure 9-4: VPN connection types supported by Cisco devices
Figure 9-5: Layer 3 VPN tunneling representation
Figure 9-6: AH authentication and integrity process
Figure 9-7: DES encryption process
Figure 9-8: VPN Transport mode connections
Figure 9-9: Typical Tunnel mode VPN connections
Figure 9-10: AH Transport mode versus AH Tunnel mode
Figure 9-11: AH implementation to work with NAT
Figure 9-12: ESP Transport mode versus AH Tunnel mode
Figure 9-13: IPSec transform options
Figure 9-14: Cleartext being processed using a key to produce cipher text
Figure 9-15: Encryption implementation options
Figure 9-16: HMAC hash process showing the private encryption key
Figure 9-17: IPSec session five steps
Figure 9-18: Preshared key authentication exchange
Figure 9-19: RSA signature authentication exchange
Figure 9-20: RSA encryption authentication exchange

Chapter 10: Cisco IOS IPSec for Preshared Keys

Figure 10-1: Chapter scenario VPN session to be configured
Figure 10-2: Chapter scenario network showing peer connections
Figure 10-3: IPSec transform options

Chapter 11: Cisco IOS IPSec Certificate Authority Support

Figure 11-1: Rtr1 sharing secure data with Rtr10 using a public key
Figure 11-2: The attacker and Rtr10 now share a key, allowing the attacker to decrypt the messages.
Figure 11-3: Conceptual representation of a digital certificate
Figure 11-4: Chapter scenario VPN session to be configured
Figure 11-5: Configuration parameters for VeriSign CA support
Figure 11-6: RSA-encryption authentication exchange

Chapter 12: Cisco IOS Remote Access Using Cisco Easy VPN

Figure 12-1: A secure VPN tunnel and split tunneling for web browsing
Figure 12-2: Starting the Cisco VPN Client software
Figure 12-3: Cisco Systems VPN Client opening dialog box
Figure 12-4: Define connection name and description
Figure 12-5: Using an IP address to define a VPN head-end device
Figure 12-6: Entering the IPSec group and password
Figure 12-7: Final New Connection Entry Wizard dialog box
Figure 12-8: The Cisco Systems VPN Client main dialog box is ready to connect.
Figure 12-9: VPN connection progress dialog box
Figure 12-10: Windows user authentication box
Figure 12-11: VPN Client customization options
Figure 12-12: Router (Rtr2) acting as both an Easy VPN Client and a Server
Figure 12-13: Stateful Firewall (Always on) on the Options menu
Figure 12-14: Cisco System VPN Client Connection Status information box
Figure 12-15: Firewall tab for CPP
Figure 12-16: Client/Server Firewall tab
Figure 12-17: VPN Client connection statistics

Chapter 13: Cisco VPN Hardware Overview

Figure 13-1: Cisco VPN 3002 Client device (front view)
Figure 13-2: Cisco VPN 3002 Client with built-in 8-port switch
Figure 13-3: VPN 3005 front and rear views
Figure 13-4: VPN 3015 front and rear views

Chapter 14: Cisco VPN 3000 Remote Access Networks

Figure 14-1: VPN Concentrator Manager Quick Configuration option screen
Figure 14-2: VPN 3000 Concentrator Manager login screen
Figure 14-3: Manager opening screen
Figure 14-4: Configuration menu fully expanded
Figure 14-5: Administration menu fully expanded
Figure 14-6: Monitoring menu fully expanded
Figure 14-7: System monitoring screen
Figure 14-8: VPN 3000 Concentrator Manager Help system
Figure 14-9: Typical Manager screen with reminder icons
Figure 14-10: Remote access type VPN connections
Figure 14-11: LAN-to-LAN VPN connection example
Figure 14-12: VPN Concentrator remote access scenario
Figure 14-13: Configuring the public interface
Figure 14-14: Setting the default gateway for the Concentrator
Figure 14-15: Using the Configuration | Interfaces screen to confirm configuration
Figure 14-16: Creating a new static route
Figure 14-17: Defined default and static routes
Figure 14-18: Selecting an inside address assignment method for remote users
Figure 14-19: Defining a pool of addresses for remote users to use
Figure 14-20: Managing IP address pools for remote users
Figure 14-21: General Default Settings tab
Figure 14-22: Setting IPSec defaults
Figure 14-23: Setting Cisco Client default parameters
Figure 14-24: Setting Microsoft Client parameters and Common Client parameters
Figure 14-25: Defining client firewall default requirements
Figure 14-26: Defining VPN 3002 Hardware Client defaults
Figure 14-27: Screen to create and manage user groups
Figure 14-28: Creating a group and defining a password
Figure 14-29: Group parameters screen showing the Inherit option
Figure 14-30: User management screen for adding users
Figure 14-31: Defining a VPN user
Figure 14-32: Configuration menu options
Figure 14-33: Default access definitions
Figure 14-34: Modify or add a new access definition
Figure 14-35: Change access hours for a specific group
Figure 14-36: Certificate management screen
Figure 14-37: Install CA Certificate screen
Figure 14-38: CA certificate request information
Figure 14-39: Certificate management enrollment screen
Figure 14-40: Enrollment Identity screen to select a certificate
Figure 14-41: Screen to add certificate enrollment information
Figure 14-42: SCEP Status: Installed
Figure 14-43: IKE Proposal options
Figure 14-44: IKE Proposal option to be modified
Figure 14-45: Defining the IKE parameters for the IPSec SA
Figure 14-46: New Connection Entry Wizard box
Figure 14-47: Cisco Systems VPN Client box
Figure 14-48: VPN 3000 Administration menu
Figure 14-49: The Administration | Administer Sessions screen summarizing VPN activity
Figure 14-50: Ping screen
Figure 14-51: System reboot and shutdown options
Figure 14-52: VPN Concentrator software upgrade screen
Figure 14-53: Monitoring menu options
Figure 14-54: Routing table entries

Chapter 15: Configuring Cisco VPN 3002 Remote Clients

Figure 15-1: Cisco VPN 3002 Client device (front view)
Figure 15-2: Cisco VPN 3002 Client models
Figure 15-3: VPN 3002 connection overview and detail view
Figure 15-4: VPN 3002 Hardware Client Manager
Figure 15-5: VPN 3002 Hardware Client Manager login screen
Figure 15-6: Client Manager opening screen
Figure 15-7: VPN 3002 Client Manager help system
Figure 15-8: Client Manager menu tree expanded on the left side
Figure 15-9: VPN 3002 Update process using the web interface
Figure 15-10: Web interface displaying system status
Figure 15-11: PPPoE configuration on the public interface screen
Figure 15-12: VPN 3002 configuration scenario
Figure 15-13: Screen to set date, time, and time zone for the device
Figure 15-14: Choice to upload an existing configuration file
Figure 15-15: Configure the private interface
Figure 15-16: Configuring the DHCP server
Figure 15-17: Screen to configure the public interface
Figure 15-18: IPSec configuration screen
Figure 15-19: Client mode or Network Extension mode choice
Figure 15-20: Define ISP DNS server and domain name (optional)
Figure 15-21: Existing static routes
Figure 15-22: Adding a static route to the VPN 3002
Figure 15-23: DHCP Options configuration screen
Figure 15-24: Configure Interactive Hardware Client Authentication
Figure 15-25: Configure backup servers directly on the VPN 3002 Client
Figure 15-26: Configure backup servers on the VPN Concentrator
Figure 15-27: Configuring load balancing
Figure 15-28: Using SCEP to enroll certificates
Figure 15-29: VPN scenario network with the main office using RRI
Figure 15-30: Configuring Reverse Route Injection
Figure 15-31: Configuring IKE proposals, including AES and DH 1, 5, and 7
Figure 15-32: Configuring a banner to be pushed to VPN 3002s
Figure 15-33: Client auto-update screen
Figure 15-34: Configuration | System | Client Update | Entries screen
Figure 15-35: Adding or modifying a client update entry

Chapter 16: Cisco VPN 3000 LAN-to-LAN Networks

Figure 16-1: Common LAN-to-LAN VPN implementations
Figure 16-2: VPN 3002 configuration scenario
Figure 16-3: Main Office interfaces configuration
Figure 16-4: Network List creation and management screen
Figure 16-5: Screen to create a new network list
Figure 16-6: Enabling inbound RIP on Ethernet 1
Figure 16-7: IKE Proposal Options
Figure 16-8: IKE Proposal option to be modified
Figure 16-9: Top half of the Tunnel | Add screen
Figure 16-10: Bottom half of the Tunnel | Add screen
Figure 16-11: Update the Authentication mode to use digital certificates
Figure 16-12: Configuring IPSec NAT Transparency
Figure 16-13: Configuring NAT Transparency on the client software
Figure 16-14: Configuring IPSec over UDP on the Concentrator
Figure 16-15: Overlapping network address scenario
Figure 16-16: Configuring the local and remote networks
Figure 16-17: Defining the translations
Figure 16-18: LAN-to-LAN Tunnel NAT Rule enabled
Figure 16-19: Configuring the default gateway
Figure 16-20: RRI configuration screen
Figure 16-21: Enabling RIP on the private interface
Figure 16-22: Configuring VRRP

Chapter 17: CiscoSecure PIX Firewalls

Figure 17-1: PIX security levels with a DMZ interface

Chapter 19: Access Through the PIX Firewall

Figure 19-1: A two-interface firewall showing data traffic flows
Figure 19-2: PIX security levels with a DMZ interface
Figure 19-3: Stateless firewall with reflexive-type filtering
Figure 19-4: OSI model encapsulation process
Figure 19-5: IP header information
Figure 19-6: TCP header information showing flag bits and other fields
Figure 19-7: TCP/IP application layer header for SNMP data
Figure 19-8: First step of the TCP setup handshake
Figure 19-9: Second step of the TCP setup handshake
Figure 19-10: Protected DMZ server that must be accessed from the outside
Figure 19-11: Pool of DMZ servers that need to be mapped to global IP addresses
Figure 19-12: A pool of DMZ servers that already have global IP addresses
Figure 19-13: Static translation for a DNS server on a DMZ network
Figure 19-14: A network with a PIX Firewall using a Websense server
Figure 19-15: Websense screen explaining that the selected site is blocked
Figure 19-16: Perimeter router, PIX Firewall, and Layer 3 switch implementation

Chapter 20: Advanced PIX Firewall?Features

Figure 20-1: SNMP management station in the inside network

Chapter 21: Firewalls and VPN Features

Figure 21-1: IPSec site-to-site VPN implementation (tunnel mode)
Figure 21-2: IPSec remote access VPN implementation (transport mode)
Figure 21-3: Basic PIX Firewall supporting PPPoE
Figure 21-4: PDM graphical interface showing the System Properties page

Chapter 22: Managing and Maintaining the PIX Firewall

Figure 22-1: PDM graphical interface showing the System Properties page
Figure 22-2: Internet Explorer Advanced Options tab
Figure 22-3: The Help | About Cisco PDM screen
Figure 22-4: The PDM Startup Wizard opening screen
Figure 22-5: Screen 2 of the PDM Start Wizard changes PIX names and password
Figure 22-6: Configuring Telnet access using PDM
Figure 22-7: Configuring a Syslog Server with PDM
Figure 22-8: VPN IKE policy configuration using PDM
Figure 22-9: VPN Wizard opening screen with VPN type selection
Figure 22-10: VPN remote peer definition and authentication type
Figure 22-11: Transform Set panel for defining encryption and authentication
Figure 22-12: IPSec Traffic Selector panels for designating protected addresses
Figure 22-13: Remote Access Client panel for selecting the client type
Figure 22-14: VPN Client Group panel for defining the VPN groups
Figure 22-15: Extended Client Authentication panel choices
Figure 22-16: Address Translation Exemption panel
Figure 22-17: Two PIX Firewall units forming a simple serial failover pair
Figure 22-18: Failover system with stateful failover cable installed

Chapter 23: Intrusion Detection System Overview

Figure 23-1: Attacking IP trust relationships between compromised hosts
Figure 23-2: Manipulating network-based sensors using TTL

Chapter 24: Cisco Secure Intrusion Detection System

Figure 24-1: Model 4210 rear panel
Figure 24-2: Models 4235 and 4250 rear panel
Figure 24-3: Model 4230 rear panel
Figure 24-4: Cisco Catalyst 6000 IDS module
Figure 24-5: Reliable message delivery via the PostOffice protocol
Figure 24-6: Redundant director platforms
Figure 24-7: CIDS multihomed director platform
Figure 24-8: PostOffice host and organization addressing
Figure 24-9: Using Device Management to block an IP address
Figure 24-10: CIDS sensor architecture
Figure 24-11: Director architecture
Figure 24-12: IDS Directory structure

Chapter 25: Sensor Installation and Configuration

Figure 25-1: Sensor deployment at network entry points
Figure 25-2: Sensor in front of a filtering device
Figure 25-3: Sensor behind a filtering device
Figure 25-4: IDS Device Manager initial view
Figure 25-5: Security warning dialog box
Figure 25-6: Apply changes
Figure 25-7: Network Security Database
Figure 25-8: IDS Device Manager Network panel
Figure 25-9: Adding allowed hosts
Figure 25-10: Remote Access configuration
Figure 25-11: Remote Hosts panel
Figure 25-12: Signature groups configuration pane
Figure 25-13: Configration panel for built-in and custom signatures
Figure 25-14: TCP connection signatures configuration pane
Figure 25-15: UPD connection signatures configuration pane
Figure 25-16: String matching signature configuration pane
Figure 25-17: Level of logging configuration pane
Figure 25-18: Signature filtering configuration pane
Figure 25-19: Spam control configuration pane
Figure 25-20: IP fragmentation reassembly configuration pane
Figure 25-21: TCP reassembly configuration pane
Figure 25-22: Sensing properties configuration panel
Figure 25-23: Event logging configuration panel
Figure 25-24: Exporting event logs configuration panel
Figure 25-25: The blocking properties configuration panel
Figure 25-26: Never block addresses configuration panel
Figure 25-27: Adding a managed device
Figure 25-28: The Logs Sub-Area
Figure 25-29: Sensor statistics report
Figure 25-30: System information report
Figure 25-31: Scheduled updates
Figure 25-32: Manual blocking configuration panel

Appendix A: Access Control Lists

Figure A-1: Inbound and outbound traffic flows on router interfaces
Figure A-2: Binary to decimal conversion tool
Figure A-3: Extended access list processing steps
Figure A-4: TCP three-way handshake to establish a session

Part III: Virtual Private Networks (VPNs)