CCSP: Cisco Certified Security Professional Certification All-in-One Exam Guide
(Exams 642-501 SECUR, 642-521 CSPFA, 642-511 CSVPN, 642-531 CSIDS, and 642-541 CSI)

Robert E. Larson
Lance Cockcroft

McGraw-Hill/Osborne
New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto

McGraw-Hill/Osborne, 2100 Powell Street, 10th Floor, Emeryville, California 94608 U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 DOC DOC 019876543

Book p/n 0-07-222692-7 and CD p/n 0-07-222693-5, parts of ISBN 0-07-222691-9

Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Acquisitions Editor: Nancy Maragioglio
Project Editor: Lisa Wolters-Broder
Acquisitions Coordinator: Jessica Wilson
Technical Editors: Joe Phago, Ole Drews Jensen
Proofreaders: Brian Galloway, Linda Medoff
Indexer: Rebecca Plunkett
Compositors: Apollo Publishing Services, George Toma Charbak
Illustrators: Lyssa Wald, Melinda Moore Lytle, Michael Mueller
Series Design: Peter F. Hancik
Copy Editor: Marcia Baker

This book was composed with Corel VENTURA™ Publisher.

Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

This book is dedicated to my parents, Lou and Elmer Larson, who provided resources and direction when I was young, plus freedom, inspiration, and support as I got older.
—Bob

About the Authors

Robert E. Larson lives in the Seattle, Washington area with his wife Jerri and four adult children. Bob has worked full-time as a computer trainer and course developer since 1985, including network training since 1995. Bob got involved with the Cisco Networking Academy program in 1998. He is currently the Cisco Regional Academy contact at Bates Technical College in Tacoma, plus teaches evening and weekend CCNP, Security, and CCIE prep classes at Green River Community College. Bob is
currently a member of the Cisco Networking Academy Advisory Council. This is Bob's third Cisco certification book, having also written a CCNA and CCNP book. Bob taught the first Academy CCNA series in Africa in 1999 in Cape Town, South Africa. He has also taught CCNP-level courses in Birmingham, England; Dillingen, Germany; and Vienna, Austria.

Lance Cockcroft, Net+, CCA, MCSE, MCT, CCNP, CCDP, has been a Senior Engineer for many ISP and telecommunications companies, including Bellsouth, Atlanta Broadband, and Southeastern Networks. Lance is currently the Cisco Product Manager for Self Test Software, Cisco's only authorized test prep vendor. Lance writes and oversees the production of all Cisco practice tests for Self Test Software. Lance attended and continues to teach for Kennesaw State University and Southern Polytechnic University, located in his hometown of Marietta, Georgia.

About the Technical Reviewers

Ole Drews Jensen began working with computers 21 years ago, and five years later made it his profession. He started out as a programmer in a wide variety of languages, but soon got involved with administering servers and networks. Today Ole is the Systems Network Manager for an enterprise company with several subsidiaries in the recruiting industry, where one of the largest is Carlton Staffing. Ole holds the following certifications: CCNP, MCSE, and MCP+I, and is currently pursuing the new CCSP.

Setotolwane Johannes “Joe” Phago, CCIE #7105, CCNP, Cisco Firewall Specialist, Cisco VPN Specialist, B.Sc. Computer Science (University of the North, S.A.). He was the first Black South African CCIE and is a graduate of the first Cisco Networking Academy in Africa. Joe is currently Senior Network Analyst at Standard Bank of South Africa, a leading banking and financial services company in S.A. and Africa with a presence on virtually all continents.

CONTENTS

Introduction  xxi

Part I  Introduction to Network Security

Chapter 1  Understanding Network Security Threats
    Identify the Need for Network Security
    Identify the Causes of Network Security Problems
        Technology Weakness
        Policy Weakness
        Configuration Weakness
    The Four Primary Types of Network Threats
        Unstructured Threats
        Structured Threats  8
        Internal Threats  10
        External Threats  10
    The Four Primary Types of Network Attack  11
        Reconnaissance Attacks  11
        Access Attacks  14
        Denial of Service (DoS) Attacks  16
        Data Manipulation Attacks  20
    Cisco AVVID and SAFE Strategies  22
        AVVID  22
        SAFE  23
    Cisco Security Wheel  23
    Network Security Policy  25
        Why Create a Network Security Policy  25
        The Balancing Act  26
        A Security Policy Is to Be Shared  28
        Who Should Help Create the Security Policy?  29
        Assets and Threats  30
        Evaluating a Network Security Policy  32
        Example of a Network Security Policy  35
    Securing the Network  35
        Wireless Communication Policy  36
    Monitoring Network Security  37
    Improving Network Security  38
    Chapter Review  39
    Questions  40
    Answers  44

Chapter 2  Securing the Network  47
    Secure Network Design Example  48
        Inside Network  49
        Outside Network  49
        Demilitarized Zone (DMZ)  49
    Securing Network Devices  50
        Physically Secure the Devices  50
        Securing Administrative Access  50
    Using Access Control Lists to Secure the Network  57
        Standard ACLs  57
        Extended Access Lists  64
        Named Access Lists  66
        Time-Based Access Lists  66
    Chapter Review  71
    Questions  71
    Answers  74

Part II  Securing the Network Perimeter  75

Chapter 3  Cisco AAA Security Technology  77
    The Cisco AAA Model  78
        NAS Servers  78
        Why Authenticate?  79
        AAA Benefits  82
        TACACS+, RADIUS, and Kerberos Support  83
    AAA System Components  88
        AAA as Facilitator  88
        Authentication  92
        Authorization  96
        Accounting  99
    Testing AAA Configuration  103
        The show Commands  103
        The debug Commands  103
    Chapter Review  104
    Questions  105
    Answers  107

Chapter 4  Cisco Secure ACS and TACACS+/RADIUS Technologies  109
    Describe Cisco Secure ACS  110
        CiscoSecure ACS for Windows and UNIX  110
    Features and Architecture of Cisco Secure ACS for Windows  111
        Features and Benefits  111
        Cisco Secure ACS Benefits  112
        Cisco Secure ACS for Windows Internal Architecture  113
        System Performance  117
    Features of CiscoSecure ACS for UNIX  118
        Features and Benefits  118
        Preparing to Install UNIX ACS  119
    Installing Cisco Secure ACS 3.0 for Windows  119
        Hardware Requirements  120
        Operating System Requirements  120
        Third-Party Software Requirements  120
        NAS Minimum IOS Requirements  121
        Network Requirements  121
        Back Up Server Data  121
        Gathering Information Required During Installation  122
    Administering and Troubleshooting Cisco Secure ACS for Windows  122
        Navigation Bar  123
        Configuration Area  125
        Display Area  125
        Accessing the HTML Interface  125
        Suggested Configuration Sequence  128
    TACACS+ Overview  132
    Configuring Cisco Secure ACS and TACACS+  133
        Configure NAS to TACACS+ Server Communication  134
        Verifying TACACS+  136
        The show Commands  136
        The debug Commands  136
        Configure NAS to RADIUS Server Communication  137
    Chapter Review  138
    Questions  139
    Answers  141

Chapter 5  Securing Cisco Perimeter Routers  143
    Perimeter Router Terms and Concepts  143
    Simple Secure Network Design  144
    Eavesdropping  147
        Router Solutions  147
        Hub and Switch Issues  149
    Limit Unneeded TCP/IP and Other Services  150
        TCP and UDP “Small Services”  150
        Finger  150
        NTP  150
        CDP  150
    Denial of Service Attacks  150
        Controlling Directed Broadcasts  151
        Flood Management  151
        Antispoofing with RPF Checks  152
    Unauthorized Access  152
        Address Filtering  152
        Dynamic (Lock-and-Key) Access Lists  152
        Reflexive Access Lists  157
    Lack of Legal IP Addresses  161
        NAT Technology and Terminology  162
        Static NAT  163
        Dynamic NAT  165
        Dynamic NAT with Overloading (PAT)  167
    Rerouting Attacks  169
    Event Logging on Perimeter Routers  170
        Access List Violation Logs  171
    Chapter Review  171
    Questions  172
    Answers  174

Chapter 6  IOS Firewall Feature Set—CBAC  175
    Introduction to Cisco IOS Firewall  175
        Router-Based Firewall Functionality  176
        Integration with Cisco IOS Software  176
        Feature Summary  178
    Context-Based Access Control (CBAC)  179
        Quick Access List Review  179
        CBAC Advantages  179
        CBAC Limitations  181
        CBAC Process  181
        Configuring CBAC  182
    IOS Firewall Management  198
        Command Line Interface  198
        ConfigMaker  199
    Chapter Review  200
    Questions  201
    Answers  203

Chapter 7  IOS Firewall—Intrusion Detection System  205
    Intrusion Detection System (IDS)  205
    IOS Firewall Intrusion Detection System  206
        Devices Supporting the IOS Firewall IDS Features  206
        Cisco IDS Attack Signatures  208
        Cisco Secure IDS Director Support  209
        Performance Implications  210
        IOS IDS vs. Cisco Secure IDS  210
    Cisco IOS Firewall IDS Configuration Task List  211
    Initializing the IOS Firewall IDS  212
        The ip audit smtp spam Command  212
        The ip audit po max-events Command  212
    Initializing the Post Office  212
        The ip audit notify Command  213
        The ip audit po local Command  214
        The ip audit po remote Command  215
    Creating and Applying Audit Rules  216
        Creating an Audit Rule  217
        Apply the Audit Rule to the Interface(s)  220
    Verifying the IDS Configuration  222
        The show ip audit statistics Command  222
        The show ip audit configuration Command  223
        The show ip audit interface Command  223
        The show ip audit all Command  224
    Chapter Review  224
    Questions  225
    Answers  227

Chapter 8  IOS Firewall—Authentication Proxy  229
    Cisco IOS Firewall Authentication Proxy  229
        How the Authentication Proxy Works  230
        Applying the Authentication Proxy  232
        Comparison with the Lock-and-Key Feature  233
        Compatibility with Other Features  233
        Security Vulnerability Issues  236
    Before Configuring Authentication Proxy  236
    Authentication Proxy Configuration Task List  238
    AAA Server Configuration  238
    AAA Router Configuration  244
        Enable AAA  244
        Define the Security Server  244
        Define Login Authentication Methods List  249
        Enable Authorization Proxy (auth-proxy) for AAA  250
        Activate Authentication Proxy Accounting  251
        ACL Entry for Return Traffic from the AAA Server  252
        Configuring the HTTP Server  253
    Authentication Proxy Configuration on the Router  254
        The ip auth-proxy auth-cache-time Command  254
        The ip auth-proxy auth-proxy-banner Command  255
        The ip auth-proxy name Command  255
        The auth-proxy Interface Configuration  257
    Verify Authentication Proxy Configuration  257
        The auth-proxy Cache  258
        The debug Commands  259
        CBAC Configuration  259
    Chapter Review  260
    Questions  260
    Answers  263

Part III  Virtual Private Networks (VPNs)  265

Chapter 9  Cisco IOS IPSec Introduction  267
    Virtual Private Networks  268
        Remote-Access  269
        Site-to-Site  270
        Layer 2 VPNs  271
        Layer 3 VPNs  272
        Other VPN Implementations  273
    Why Use VPNs?  274
        VPN Analogy  274
    Tunneling Protocols  275
        Layer Two Forwarding (L2F) Protocol  276
        Layer 2 Tunneling Protocol (L2TP)  276
        Generic Routing Encapsulation (GRE)  276
    How IPSec Works  276
        Cisco IOS IPSec Technologies  277
        IPSec Security Overview  278
        Transport and Tunnel Mode  281
        IPSec Transforms and Transform Sets  286
    Cisco IOS Cryptosystem Components  288
        How Encryption Works  288
        Cryptography Types  290
        Encryption Alternatives  290
        Hashing  292
        Diffie-Hellman Key Agreement (DH)  293
    Security Association (SA)  294
        IKE SAs versus IPSec SAs  295
    Five Steps of IPSec Revisited  296
        Step 1—Determine Interesting Traffic  296
        Step 2—IKE Phase One  297
        Step 3—IKE Phase Two  300
        Step 4—IPSec Data Transfer  301
        Step 5—Session Termination  301
    IPSec Support in Cisco Systems Products  301
    Chapter Review  302
    Questions  303
    Answers  305

Chapter 10  Cisco IOS IPSec for Preshared Keys  307
    Configure IPSec Encryption Tasks  307
        Task 1—Prepare for IKE and IPSec  309
        Task 2—Configure IKE  317
        Task 3—Configure IPSec  321
        Task 4—Test and Verify IPSec  329
    Configuring IPSec Manually  333
        Configuring IPSec Manually Is Not Recommended  334
    Chapter Review  335
    Questions  336
    Answers  339

Chapter 11  Cisco IOS IPSec Certificate Authority Support  341
    CA Support Overview  341
        Digital Certificates  342
        Certificate Distribution  343
    IPSec with CAs  344
        How CA Certs Are Used by IPSec Peers  344
    Cisco IOS CA Standards  345
        Simple Certificate Enrollment Protocol (SCEP)  345
        CA Servers Interoperable with Cisco Routers  346
        Enroll a Device with a CA  348
    Configure CA Support Tasks  348
        Task 1—Prepare for IKE and IPSec  349
        Task 2—Configure CA Support  351
        Task 3—Configure IKE  369
        Task 4—Configure IPSec  371
        Task 5—Test and Verify IPSec  372

...

... with 10 minutes remaining, try to pick up the pace. At five minutes remaining, use the remaining time to guess your way through any remaining questions. Guessing is better than not answering because ...