ccsp csi exam certification guide part 6 ppt


Chapter 11: Cisco Perimeter Security Products

Table 11-12 describes some common IDS deployment areas.

Table 11-12 Common IDS Deployment Areas

Deployment Area      Sensor Type   Mitigation
Extranets            NIDS          Monitors traffic from partners
Intranets/internal   NIDS, HIDS    Protects internal critical systems and data
Internet access      NIDS, HIDS    Protects against threats from untrusted public networks; includes public services segment for web servers, etc.
Remote access        NIDS          Hardens perimeter

0899x.book Page 170 Tuesday, November 18, 2003 2:20 PM

Q&A

As mentioned in the introduction, “All About the Cisco Certified Security Professional Certification,” you have two choices for review questions. The questions that follow give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A. For more practice with exam-like question formats, including questions using a router simulator and multiple-choice questions, use the exam engine on the CD-ROM.

1. Define IDS.
2. What protocol do Cisco Secure IDS devices use to communicate with each other?
3. Traditionally, what devices provided perimeter security?
4. What are the three types of responses that a sensor can perform in reply to an attack?
5. What are the perimeter security features provided by a Cisco router?
6. Define a perimeter.
7. Network sensing, attack response, and device management are functions of what device?
8. What is the Cisco Secure Scanner?
9. Define stateful packet filtering.
10. Describe the two versions of Cisco Secure HIDS that are available.

Chapter 12: Cisco Network Core Security Products

This chapter covers the following topics:
■ Secure Connectivity
■ Identity Management—Cisco Secure Access Control Server
■ Security Management
■ Cisco AVVID
■ Design Considerations

In the previous chapter, “Cisco Perimeter Security Products,” you learned about the specific products available from the Cisco Secure security portfolio that are used to secure the perimeter of a network and those products that provide intrusion detection facilities for the network. In this second chapter on the Cisco Secure product portfolio, we look at securing network connectivity, securing identity, security management, and Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 14-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time. Table 12-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 12-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section   Questions Covered in This Section
Secure Connectivity         1–4
Identity Management         5–7
Security Management         8–11
Cisco AVVID                 12–13
Design Considerations       14

1. What technology is primarily used by Cisco to secure connectivity?
   a. Remote access
   b. Switching
   c. IPSec VPN
   d. Routing
   e. Intrusion detection

2. Which of the following can be used to provide Cisco Secure connectivity?
   a. Routers
   b. Switches
   c. Firewalls
   d. VPN 3000 Series
   e. IDS sensor

3. How many types of Cisco VPN clients are there?
   a. 1
   b. 2
   c. 3
   d. 4
   e. 5

4. Currently, how many models of the Cisco VPN 3000 Series Concentrator are available?
   a. 2
   b. 3
   c. 4
   d. 5
   e. 6

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

5. Cisco Secure Access Control Server supports which of the following authentication protocols?
   a. RADIUS
   b. X.25
   c. SMTP
   d. TACACS+
   e. POP3

6. What independent security functions are represented by AAA?
   a. Advertisement
   b. Accounting
   c. Authentication
   d. Allocation
   e. Authorization

7. Cisco Secure ACS is used to perform what primary function?
   a. Diagnostics
   b. Access control
   c. Filtering
   d. Sampling
   e. Reporting

8. Which of the following provide Cisco Security Management facilities?
   a. CSPM
   b. IPT
   c. IDSM
   d. FWSM
   e. VMS

9. Cisco VMS is made up of a set of web-based applications that provide which of the following facilities?
   a. Configuring
   b. Designing
   c. Monitoring
   d. Troubleshooting
   e. Marketing

10. What does the initialism CSPM represent?
   a. Cisco Server Policy Manager
   b. Cisco Security Policy Monitor
   c. Cisco Secure Policy Monitor
   d. Cisco Secure Policy Manager
   e. Cisco Security Policy Manager

11. CSPM is used to manage which of the following?
   a. Cisco PIX Firewall
   b. Cisco IP Telephony
   c. Cisco IOS routers
   d. Cisco IPSec VPN routers
   e. Cisco IDS sensors

12. Cisco AVVID Network Infrastructure components are?
   a. Reporters
   b. Clients
   c. Servers
   d. Network platforms
   e. Intelligent network services

13. Cisco AVVID consists of which building blocks?
   a. Network management
   b. Network infrastructure
   c. Service control
   d. Reporting facilities
   e. Communications services

14. What are common factors that can determine the choice of products in a design?
   a. Appearance
   b. Cost
   c. Customer requirements
   d. Manageability
   e. Functionality

The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows:

■ 12 or less overall score—Read the entire chapter. This includes the “Foundation Topics” and “Foundation Summary” sections, and the “Q&A” section.
■ 13 or more overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section. Otherwise, move to the next chapter.

Foundation Topics

Secure Connectivity

The Internet has evolved into an inexpensive, efficient form of doing business. The number of businesses that rely on the Internet to communicate with clients has increased and is still growing. The current techniques used for routing IP packets on the Internet, however, leave it vulnerable to security attacks such as spoofing, sniffing, and session hijacking, to name a few. As companies move from expensive, dedicated, secure connections to cost-effective use of the Internet, they require secure communications over what is generally described as an insecure network. Virtual private networks (VPNs) can reduce security risks and provide a more efficient use of Internet connections by reducing the number of dedicated leased lines.

With this knowledge, Cisco has embraced VPN technologies throughout its product range and now offers the most extensive VPN product portfolio available in the industry.

Cisco VPN-Enabled Routers

The Cisco IOS Software running in Cisco routers provides feature-rich IPSec VPN services with industry-leading routing and delivers a comprehensive VPN routing solution. The Cisco IOS Software combines IPSec VPN enhancements, such as strong 3DES encryption and authentication using either digital certificates or preshared keys, with robust firewall, intrusion detection, and secure administrative capabilities. The actual capability of the router to establish an IPSec VPN connection is determined by the software version running on the router rather than the actual hardware platform. Cisco provides, however, a suite of VPN-optimized routers, which currently range from the low-end Cisco SOHO/800 Series routers to headend connectivity with the Cisco 7200 Series routers. Cisco IOS routers support both site-to-site VPNs between IPSec-compliant devices and client-to-site VPNs that terminate VPN sessions from various IPSec operating system–based clients such as the Cisco VPN Client. You can find detailed information about the Cisco VPN-enabled routers at Cisco.com by searching for “routers.”

Cisco Secure PIX Firewall

VPN functionality is provided within the Cisco Secure PIX Firewall product range and uses the industry-standard IPSec protocol suite to enable advanced VPN features. The PIX Firewall’s IPSec implementation is based on the same Cisco IOS IPSec found on Cisco routers. It provides high-performance VPN connectivity using 3DES encryption under most normal load conditions. Cisco Secure PIX Firewalls support both site-to-site VPNs between IPSec-compliant devices and client-to-site VPNs that terminate VPN sessions from various IPSec operating system–based clients such as the Cisco VPN Client.
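As an added example (not from the book), this is one side of the site-to-site IPSec VPN the text describes for Cisco IOS routers and the PIX IPSec implementation derived from it: 3DES encryption with a preshared key for peer authentication. The peer addresses, the key value, the private subnets and the interface name are constructed placeholders.

```text
! Added example, not from the book: one side of a site-to-site IPSec VPN
! on a Cisco IOS router, using 3DES with a preshared key as the text describes.
! All addresses, the key value and the interface name are constructed placeholders.
!
! Phase 1 (ISAKMP/IKE): how the two routers authenticate each other and
! protect the key exchange; "authentication pre-share" selects preshared keys
! instead of digital certificates
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! The preshared key is bound to the remote peer's public address
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! Phase 2 (IPSec): ESP with 3DES encryption and SHA-1 integrity
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! Only traffic between the two private networks is tunneled;
! everything else leaves the router unencrypted
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The crypto map ties peer, transform set and interesting traffic together
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-3DES-SHA
 match address VPN-TRAFFIC
!
! Apply the map to the Internet-facing interface; the remote router mirrors
! this configuration with its own peer address (203.0.113.1, constructed)
! and the two subnets reversed in its access list
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

3DES and SHA-1 are what the text describes for this 2003-era product line; current IOS deployments keep the same structure but use AES and SHA-2 in the ISAKMP policy and transform set.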
You can find detailed information about the Cisco VPN 3000 Series Concentrators at Cisco.com by searching for “PIX.”

Cisco VPN 3000 Series Concentrator

The Cisco VPN 3000 Series Concentrator is a range of purpose-built, remote-access VPN devices that provide high performance, high availability, and scalability. The Cisco VPN 3000 Series Concentrator uses the most advanced state-of-the-art encryption and authentication techniques that are currently available within the industry. The Cisco VPN 3000 Series Concentrator includes models that support a range of enterprise customers, from small businesses requiring 100 or fewer concurrent VPN connections to large organizations with up to 10,000 simultaneous connections. Currently, the Cisco VPN 3000 Series Concentrator is available in five models:

■ 3005
■ 3015
■ 3030
■ 3060
■ 3080

Table 12-2 presents a feature comparison for all models in the VPN 3000 Series Concentrator product range.

Table 12-2 Cisco VPN 3000 Concentrator Product Comparison

Feature               3005   3015     3030     3060   3080
Height (U)            1      2        2        2      2
Performance (Mbps)    4      4        50       100    100
Simultaneous users    100    100      1500     5000   10000
Site-to-site tunnels  100    100      500      1000   1000
Encryption            SW     SW       HW       HW     HW
Memory (MB)           32     64       128      256    256
Power supplies        1      Up to 2  Up to 2  2      2
SEP modules           0      0        1        2      4
Upgradeable           N      Y        Y        Y      N

The Cisco VPN 3000 Series Concentrator is available in both nonredundant...

[...]

... from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each “Foundation Summary” section before taking the exam. Table 12-5 shows a feature comparison for all models in the VPN 3000 Series Concentrator product range.

AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. Table 12-6 shows the Cisco AAA Protocol Definition, which provides a modular way of performing these...

... following Cisco CSI exam topics:
■ Small network design overview
■ Small network Corporate Internet module
■ Small network Campus module
■ Small network implementation—ISP router
■ Small network implementation—IOS Firewall features and configuration
■ Small network implementation—PIX Firewall
■ Medium network Corporate Internet module
■ Medium network Corporate Internet module design guidelines
■ Medium...

... Mapping

Foundation Topics Section                        Questions Covered in This Section
Components of SAFE Small Network Design          1
Corporate Internet Module in Small Networks      2–6
Campus Module in Small Networks                  7–9

... provides the administrator the facility to easily define perimeter security policies for Cisco Secure PIX Firewalls and Cisco IOS routers running the firewall feature set.
■ Cisco VPN router management—The CSPM GUI allows for the easy configuration of intranet/extranet IPSec VPNs based on Cisco PIX Firewalls...

... SAFE Networks. The principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks. SAFE blueprints combat security threats by using a modular method that allows for the creation of a scalable, corporate-wide security...

... and stability of a hardware platform. It is available in two models, with or without an integral eight-port switch. The Cisco VPN 3002 Hardware Client is a full-featured VPN client that supports 56-bit DES or 168-bit 3DES IPSec encryption. It has two modes of operation, a client mode and a network extension mode. The client mode emulates the operation of the software client in hardware, whereas the network...

... Module. Usual deviations from these design guidelines normally include the breaking out of the functional components in the network from a single device to individual, specific devices or an increase in network capacity. When these functions are broken out, the design begins to take on the look of the medium-sized network design, which is discussed in Chapter 16, “Implementing Medium-Sized SAFE Networks.”

Posted: 14/08/2014, 04:21

Table of contents

  • 12 Cisco Network Core Security Products
    • “Do I Know This Already?” Quiz
    • Secure Connectivity
      • Cisco VPN-Enabled Routers
      • Cisco Secure PIX Firewall
      • Cisco VPN 3000 Series Concentrator
      • VPN Client
        • Software Client
        • Hardware Client
    • Identity Management—Cisco Secure Access Control Server
    • Security Management
      • CiscoWorks VPN/Security Management Solution
      • Cisco Secure Policy Manager
    • Cisco AVVID
      • Network Infrastructure
      • Service Control
      • Communication Services
    • Design Considerations
  • Part IV: Designing and Implementing SAFE Networks
    • Chapter 13: Designing Small SAFE Networks
    • Chapter 14: Implementing Small SAFE Networks
    • Chapter 15: Designing Medium-Sized SAFE Networks
    • Chapter 16: Implementing Medium-Sized SAFE Networks
    • Chapter 17: Designing Remote SAFE Networks
  • 13 Designing Small SAFE Networks
    • “Do I Know This Already?” Quiz
    • Components of SAFE Small Network Design
