
Cisco Press: CCSP SECUR Exam Certification Guide (CCSP Self-Study, exam 642-501)


DOCUMENT INFORMATION

Basic information

Format: PDF scan of the printed book
Pages: 505
Size: 8.74 MB

Content

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Cisco Press CCSP Self-Study
CCSP SECUR Exam Certification Guide
Greg Bastien
Christian Abera Degu

2408_CCSP.book Page i Thursday, November 13, 2003 2:38 PM

CCSP Self-Study CCSP SECUR Exam Certification Guide
Greg Bastien, Christian Abera Degu
Copyright © 2004 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Library of Congress Cataloging-in-Publication Number: 2002109331
ISBN: 1-58720-072-4
First Printing December 2003

Warning and Disclaimer

This book is designed to provide information about selected topics for the Cisco SECUR exam for the CCSP certification. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside of the U.S. please contact: International Sales, 1-317-581-3793, international@pearsontechgroup.com.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Executive Editor: Brett Bartow
Acquisitions Editor: Michelle Grandin
Production Manager: Patrick Kanouse
Senior Development Editor: Christopher Cleveland
Development Editor: Howard Jones
Copy Editor: Keith Cline
Technical Editors: Brad Dunsmore, Leon Katcharian, Inti Shah, John Stuppi
Team Coordinator: Tammi Barnett
Book and Cover Designer: Louisa Adair
Production Team: Octal Publishing, Inc.
Indexer: Eric Schroeder

About the Authors

Greg Bastien, CCNP, CCSP, CISSP, is currently a partner with Trinity Information Management Services, Inc., as a consultant to the federal government. He holds a position as adjunct professor at Strayer University, teaching networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army.

Christian Abera Degu, CCNP, CCDP, CCSP, currently works for Veridian Networks/General Dynamics as a consulting engineer to the Federal Energy Regulatory Commission. He received his undergraduate degree from Strayer University and his graduate degree in computer information systems from George Mason University. He lives with his family in Alexandria, Virginia.

About the Technical Reviewers

Brad Dunsmore is a new product instructor with the Advanced Services group for Cisco Systems. He develops and deploys network solutions and training for Cisco Systems engineers, Cisco sales engineers, selected training partners, and customers. He specializes in SS7 offload solutions, WAN communication methods, and Cisco security products. He developed the Building Enhanced Cisco Security Networks course for Cisco and he currently holds the following industry certifications: CCNP, CCDP, CCSP, INFOSEC, MCSE+I, and MCDBA. He recently passed his written exam for the CCIE R/S certification and is currently working on his laboratory exam.

Leon Katcharian is an education specialist at Cisco Systems, Inc., where he develops and delivers training for Cisco network security products. He has more than 20 years of experience in the data-networking field, having been a technical support engineer, a technical instructor, and a course developer. Leon has worked as a technical support engineer or in an educational role for Motorola Information Systems Group, GeoTel Communications, ON Technology, Altiga Networks, and Cisco Systems. He holds a bachelor of science degree in business from Eastern Nazarene College along with several industry certifications. Leon is currently the lead course developer for the Securing Cisco IOS Networks (SECUR) curriculum.

Inti Shah has worked in the networking industry for more than 15 years in both enterprise and service provider environments. He has extensive expertise in designing and delivering large-scale networks, complex e-business solutions, intrusion detection, firewall, and VPN services. Inti currently works for Energis in the UK and holds the Cisco CCNA, CCNP, CCSP, CCIP Security, Check Point CCSA, and CCSE accreditations. He is currently pursuing his CCIE Security accreditation.

John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco Systems. John advises Cisco customers in the planning, design, and implementation of VPN and security related solutions, including IDS, IPSec VPNs, and firewall deployments. John is a CISSP and holds an Information Systems Security (INFOSEC) Professional certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife, Diane, and his two wonderful children, Thomas and Allison.

Dedications

This book is dedicated to In Ho Park (February 27, 1973—December 16, 2001): CCNA, CCNP, and a good friend.

Acknowledgments

This book has been a very challenging, yet rewarding project. We sincerely appreciate the efforts of all those who helped to keep us focused throughout the process. We would especially like to thank Michelle Grandin, acquisitions editor, and the "development editor team" of Christopher Cleveland and Howard Jones for their guidance and encouragement. We would also like to thank the technical reviewers for their attention to detail, ability to decipher 2 a.m. techno-babble and offer up reasonable alternatives, and the sense of humor needed to hash through mountains of draft manuscripts. Last but not least, we would like to thank Andy and Mark for getting the ball rolling on the project.

Contents at a Glance

Foreword xxiii
Introduction xxiv
PART I An Overview of Network Security 2
Chapter 1 Network Security Essentials 5
Chapter 2 Attack Threats Defined and Detailed 23
Chapter 3 Defense in Depth 43
PART II Managing Cisco Routers 56
Chapter 4 Basic Router Management 59
Chapter 5 Secure Router Administration 79
PART III Authentication, Authorization, and Accounting (AAA) 98
Chapter 6 Authentication 101
Chapter 7 Authentication, Authorization, and Accounting 115
Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software 137
Chapter 9 Cisco Secure Access Control Server 157
Chapter 10 Administration of Cisco Secure Access Control Server 175
PART IV The Cisco IOS Firewall Feature Set 188
Chapter 11 Securing the Network with a Cisco Router 191
Chapter 12 Access Lists 203
Chapter 13 The Cisco IOS Firewall 219
Chapter 14 Context-Based Access Control (CBAC) 231
Chapter 15 Authentication Proxy and the Cisco IOS Firewall 251
Chapter 16 Intrusion Detection and the Cisco IOS Firewall 279
PART V Virtual Private Networks 300
Chapter 17 Building a VPN Using IPSec 303
Chapter 18 Scaling a VPN Using IPSec with a Certificate Authority 339
Chapter 19 Configuring Remote Access Using Easy VPN 359
Chapter 20 Scaling Management of an Enterprise VPN Environment 379
PART VI Scenarios 400
Chapter 21 Final Scenarios 403
Appendix Answers to the "Do I Know This Already?" Quizzes and Q&A Sections 427
Glossary 463
Index 472

Contents

Foreword xxiii
Introduction xxiv
Part I An Overview of Network Security 2
Chapter 1 Network Security Essentials 5
"Do I Know This Already?" Quiz 5
Foundation Topics 9
Definition of Network Security 9
Balancing Business Need with Security Requirement 9
Security Policies 9
Security Policy Goals 12
Security Guidelines 13
Management Must Support the Policy 13
The Policy Must Be Consistent 13
The Policy Must Be Technically Feasible 14
The Policy Should Not Be Written as a Technical Document 14
The Policy Must Be Implemented Globally Throughout the Organization 14
The Policy Must Clearly Define Roles and Responsibilities 15
The Policy Must Be Flexible Enough to Respond to Changing Technologies and Organizational Goals 15
The Policy Must Be Understandable 15
The Policy Must Be Widely Distributed 16
The Policy Must Specify Sanctions for Violations 16
The Policy Must Include an Incident Response Plan for Security Breaches 16
Security Is an Ongoing Process 17
Network Security as a Process 17
Network Security as a Legal Issue 18
Foundation Summary 19
Security Policies 19
Security Policy Goals 19
Security Guidelines 20
Network Security as a Process 20
Q&A 21
Chapter 2 Attack Threats Defined and Detailed 23
"Do I Know This Already?" Quiz 23
Foundation Topics 27
Vulnerabilities 27
Self-Imposed Vulnerabilities 27
Lack of Effective Policy 28
Configuration Weakness 29
Technology Weakness 30

[...]

[...] designed to help you prepare for the Cisco SECUR certification exam. The SECUR exam is the first in a series of five exams required for the Cisco Certified Security Professional (CCSP) certification. This exam focuses on the application of security principles with regard to Cisco IOS routers, switches, and virtual private network (VPN) devices.

Who Should Read This Book?

Network security is a very complex business [...]

Taking the SECUR Certification Exam

As with any Cisco certification exam, it is best to be thoroughly prepared before taking the exam. There is no way to determine exactly what questions are on the exam, so the best way to prepare is to have a good working knowledge of all subjects covered on the exam. Schedule yourself for the exam and be sure to be rested and ready to focus when taking the exam. The best [...]

[...] called Cisco Certified Security Professional (CCSP) and consists of the following exams:

- CSVPN—Cisco Secure Virtual Private Networks (642-511)
- CSPFA—Cisco Secure PIX Firewall Advanced (642-521)
- SECUR—Securing Cisco IOS Networks (642-501)
- CSIDS—Cisco Secure Intrusion Detection System (642-531)
- CSI—Cisco SAFE Implementation (642-541)

[...]

Foreword

CCSP SECUR Exam Certification Guide is a complete study tool for the CCSP SECUR exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills needed to secure Cisco IOS Router networks. This book was [...]

[...] computer networking before you can begin to apply security principles. The Cisco SECUR program was developed to introduce the security products associated with or integrated into Cisco IOS Software, explain how each product is applied, and explain how it can increase the security of your network. The SECUR program is for network administrators, network security administrators, network architects, and [...]

[...] apply the security concepts. Although a previous Cisco certification is not required to begin the Cisco security certification process, it is a good idea to at least complete the CCNA certification. The skills required to complete the CCNA will give you a solid foundation that you can expand into the network security field. The security certification is called Cisco Certified Security Professional (CCSP) and [...]

[...] prepare you for the SECUR exam unless you already have extensive experience with Cisco products and a background in networking or network security. At a minimum you will want to use this book combined with the Technical Assistance Center (http://www.cisco.com/public/support/tac/home.shtml) to prepare for this exam.

Assessing Exam Readiness

After completing a number of certification exams, I have found [...]

[...] published in this book.

Figure I-2 Addressing for Examples
DMZ: 172.16.1.0/24
Inside: 10.10.10.0/24
Outside (Internet): 192.168.0.0/15 (or any public space)

It is our hope that this will assist you in understanding the examples and the syntax of the many commands required to configure and administer Cisco IOS routers.

Exam Registration

The SECUR exam is a computer-based exam, with multiple-choice, fill-in-the-blank, [...]

[...] network security market is currently in a position where the demand for qualified engineers vastly surpasses the supply. For this reason, many engineers consider migrating from routing/networking over to network security. Remember that "network security" is just "security" applied to "networks." This sounds like an obvious concept, but it is actually a very important one if you are pursuing your security [...]

[...] on Cisco IOS 140
TACACS+ Authentication Examples 141
TACACS+ Authorization Example 143
TACACS+ Accounting Example 143
AAA TACACS+ Troubleshooting 144
debug aaa authentication 144
debug tacacs 145
debug tacacs events 145
Configuring RADIUS on Cisco IOS 146
RADIUS Authentication and Authorization Example 148
RADIUS Authentication, Authorization, and Accounting Example
Testing and Troubleshooting RADIUS

Posted: 16/11/2014, 20:00
