Cramsession™ for Cisco CCNP Managing Cisco Network Security

This study guide will help you to prepare for the Cisco MCNS (Managing Cisco Network Security) 640-442 exam, which will give you a specialization for your CCNP (Cisco Certified Network Professional) certification if taken before January 1st, 2001. Exam topics include basic configuration of PIX firewalls, configuring Cisco routers as firewalls, understanding of network security and policies, understanding of AAA processes, and the various encryption technologies employed in Cisco networks.

© 2000 All Rights Reserved - BrainBuzz.com

Contents:

Establishing A Network Security Policy
  Evaluating Network Security Threats
  Basic Categories of Security Threats
  Motivations of Network Security Threats
  Outlining A Network Security Policy
Securing The Dialup Connection
  Configuring the Network Access Server for AAA Security
  Overview of Basic AAA Configuration Process
Securing The Internet Connection
  Cisco IOS Firewall
Configuring the PIX Firewall
  PIX Firewall Basics
  Configuring Access Through the PIX Firewall
  Configuring Advanced Features
Encryption Technology
  Basic Cryptography
  Overview of IKE & IPSEC
  Configuring IPSEC with IKE
  Configuring IKE

Establishing A Network Security Policy

Evaluating Network Security Threats

A security threat can be as simple as snooping your network’s normal operation or as complex as taking control of your entire network. It is important, then, to be familiar with the three basic categories of network security threats.

Basic Categories of Security Threats

• Unauthorized Access – Unauthorized access is when an unauthorized individual gains access to the network or any network resource, with the possibility of taking that resource or tampering with it.
• Impersonation – Impersonation is the process of identifying yourself as a different individual by using the same credentials that the particular individual uses. There are several ways that this is done. One of the more common ways is by eavesdropping on your network and gaining access to usernames and passwords when these are exchanged via unsecured means. Sniffer programs, as they are commonly referred to, are small software packages that enable someone to snoop into current network conversations and extract users’ credentials.
• Denial of Service – Denial of Service is an attack on your network by a malicious individual in order to interfere with your network’s normal operation. This is a common type of attack that has gained notoriety due to the growth of the Internet.

Motivations of Network Security Threats

It is important to understand the different motivations that some individuals may have in posing a security threat to your network. It is a common perception that network security attacks are perpetrated from your external network, which is the Internet. Therefore, the firewall is an important piece in protecting your network against these attacks. Here are some of the more basic motivations for launching an attack on your network:

• Greed – The intruder’s purpose is to take control or possession of a network resource, such as corporate data, so that he/she may sell it for money.
• Notoriety – The intruder attempts to break in to networks that are said to be secure, proving his skill to gain respect from his peers.
• Revenge – The intruder has been fired or laid off and is looking for some type of reprisal. The most common occurrence of this is the damaging of important corporate data.

Outlining A Network Security Policy

• Define physical security controls – Physical security controls pertain to the physical infrastructure that your network is built on. This can be the various physical components that comprise your network, such as servers, routers, switches and cabling. Ensuring the security of these components should be the foundation of your network security policy. Imagine having the strictest password policy but having your wiring closet open to anyone in the vicinity.
• Define logical security controls – Logical security controls provide boundaries within your network segments. This process is done when traffic is filtered from one segment of your network to the next. The two main logical boundaries used are:
  o Subnet Boundaries
  o VLAN Boundaries
• Ensure data and system integrity – Data that passes to and from your network needs to be identified as valid traffic. Valid traffic can further be described as expected network traffic: traffic that is supported, unspoofed traffic, and traffic in which the data has not been altered. This is the main reason why firewalls are implemented. A firewall ensures your data’s validity and integrity when ingressing and egressing your network.
• Ensure data confidentiality – Data confidentiality pertains to encryption. The key in this process is deciding which data is to be encrypted and which is not to be encrypted. This should be carefully evaluated so that the key data that poses the greatest risk if compromised is encrypted.
• Develop policies and procedures for the staff that is responsible for the network – Specific guidelines should be in place for the staff that is responsible for the maintenance of the network infrastructure. These policies should be balanced between securing your network and allowing the staff to carry out their responsibilities in an efficient manner. These policies may include the following:
  o Backups – One of the most important tasks in network management is being able to back up the data that is stored on that network. Policies and procedures should be in place to provide the staff responsible for the backups with the steps for securing those backups.
  o Equipment Certification – Network equipment that is introduced into the network should adhere to specific security requirements.
  o Audit Trails – Keeping a log of what goes on in your network greatly enhances your ability to determine if there is any suspicious activity going on in your network environment.
• Develop appropriate security awareness training – Training should be provided to all staff in order for them to be informed of the various security measures that your network employs. It is very important that the staff is made aware of the many problems that may arise due to security related issues.

Securing The Dialup Connection

Dialup connections to your corporate network are usually comprised of several dial-in infrastructures. These could be direct dial-in connections from mobile users and telecommuters. There is also the virtual dial-in process of remote branches via the Internet through a corporate Virtual Private Network (VPN). Therefore, it is recommended that you secure these dial-in access points with a firewall device that implements some kind of intrusion detection and auditing function. Regardless of how dial-in access is provided to the corporate network, the main security concerns lie in the following areas:

• Identifying the caller
• Identifying the location of the caller
• Identifying the destination of the caller
• Logging of accessed applications and data
• Logging of the duration of the connection
• Guaranteeing authenticated communication
• Guaranteeing private communication

Configuring the Network Access Server for AAA Security

Access control is the process of controlling who is allowed access to the network and what services they are allowed to use. Authentication, Authorization and Accounting (AAA) network security services provide the principal structure through which you set up access control on your router or network access server. AAA offers the following benefits:

• Increased flexibility
• Scalability
• Standard authentication methods, such as RADIUS, TACACS+ and Kerberos
• Multiple backup systems

AAA is designed to enable you to configure the type of authentication and authorization you would
use on a per line (per user) or per service basis. You define the type of authentication and authorization you want by creating method lists, then apply those method lists to specific services or interfaces. Method lists are lists defining the authentication methods to be used, in order, to authenticate a dial-in user. These lists enable you to assign one or more security protocols to be used for authentication, thus creating a backup system for authentication to be used in case the initial method fails.

AAA is comprised of three independent security functions:

• Authentication – Authentication is the process of identifying users, including their login and password dialog, challenge and response, messaging support and encryption.
• Authorization – Authorization provides the process of determining what a remote user is authorized to access in the network, such as network resources or services. AAA authorization works by putting together a set of attributes that identify what a user is authorized to perform. These attributes are compared with the information contained in a database for a given user. The result is returned to AAA to determine the user’s actual capabilities and restrictions. This database can be local on the access server or remote on a TACACS+ or RADIUS server.
• Accounting – Accounting is the process of tracking the different types of services that remotely connected users are accessing. Activities are logged to either a RADIUS or TACACS+ security server in the form of accounting records. This data can then be analyzed for client billing, auditing or network management.

Overview of Basic AAA Configuration Process

• Enable AAA by issuing this command in global configuration mode:
    aaa new-model
• If you are using separate security servers, configure the security server parameters, such as RADIUS, TACACS+ or Kerberos.
• Define the method lists for authentication by issuing this command:
    aaa authentication
  For example, if you would like to specify RADIUS as the default method for logging in, the command would be:
    aaa authentication login default radius
  To log in using the local username database on the router, the command would be:
    aaa authentication login default local
  To log in using PPP and specify the local username database, the command would be:
    aaa authentication ppp default local
  This example would allow authentication to succeed even if the TACACS+ server returns an error:
    aaa authentication ppp default tacacs+ none
• Apply the method list to a particular interface. This example applies the method list to a serial interface:
    interface serial
    ppp authentication chap pap default
• Configure authorization using this command:
    aaa authorization
  This example allows authorization on the network via TACACS+:
    aaa authorization network tacacs+
  This example specifies TACACS+ as the method for user authorization when trying to establish a reverse Telnet session:
    aaa authorization reverse-access tacacs+
• Configure accounting using this command:
    aaa accounting
  In the following example, RADIUS-style accounting is used to track all usage of EXEC commands and network services, such as PPP, SLIP and ARAP:
    aaa accounting exec start-stop radius
    aaa accounting network start-stop radius

Securing The Internet Connection

The most common solution to securing your Internet connection is setting up a firewall. A firewall is a network device that is placed between your trusted network and untrusted networks, the most common of which is the Internet. It is also possible to set up a firewall within the boundaries of your internal network so as to prevent unauthorized access to certain areas of your network that are highly sensitive, such as payroll files or engineering data. Today, there are three classifications of firewalls:

• Packet Filtering – This type of firewall depends exclusively on the UDP, ICMP, TCP and IP headers of individual packets to deny or permit traffic. The packet filter examines the combination of inbound or outbound traffic direction, IP source and destination address, and TCP or UDP source and destination port numbers.
• Circuit filtering – This type of firewall controls access by observing state information and recreating the flow of data that the traffic is associated with.
• Application gateway – This type of firewall processes messages that are specific to a particular IP application. This type of firewall is probably the most secure; however, it is also the most resource intensive type to deploy.

Cisco IOS Firewall

The Cisco IOS firewall feature set is a security-specific option for the Cisco IOS software. It enhances the built-in security capabilities in the Cisco IOS and adds the full functionality of a firewall. The Cisco IOS firewall feature set is comprised of several different feature modules. The three basic feature sets we cover are:

• Context-Based Access Control – This feature module provides the functionality of an advanced traffic filter and is an essential part of your IOS firewall. CBAC provides these functions for your firewall:
  o Traffic Filtering – Filters TCP and UDP packets based on information that is obtained through the application-layer protocol session. The firewall can inspect traffic originating from either side of the firewall and can then determine which traffic is allowed access into or out of the network.
  o Alert and Audit Trails – CBAC produces real-time alerts and audit logs based on events that are observed by the firewall. This enhanced log keeps track of all network transactions, such as source and destination hosts, ports used and total number of bytes transferred.
  o Traffic Inspection – Inspection of inbound and outbound traffic produces state information. This state information allows the firewall to create temporary openings to allow return traffic for the permissible session.
• Intrusion Detection System – This feature set is designed for mid-range and high-end router platforms with firewall support. It is best suited for any router deployed around your network perimeter, more commonly on your Internet connections. This feature set provides identification of the most common attacks by identifying the signature in the pattern of attacks that are launched against your network. When the intrusion detection system identifies a pattern of attack that matches a signature in the system’s database, it responds before network security can be compromised, and the event is then logged. These responses are configured by the administrator and can be one of the following:
  o Send an alarm – this can be sent to either a syslog server or a centralized management system such as NetRanger
  o Drop the packet
  o Reset the TCP connection
• IOS Firewall Authentication Proxy – This feature set allows network administrators to apply specific security policies on a per-user basis. In earlier versions, security policies were generally applied across multiple users. This feature can only be active when there is traffic from the authenticated user.

Configuring the PIX Firewall

PIX Firewall Basics

The PIX firewall is a complete hardware and software security solution. The PIX IOS runs on proprietary PIX hardware. In most respects, the basic concept behind the PIX firewall is to allow everything from the internal network to go outbound and only allow the return connections from the outside interface to the inside interface. The handling of connections from an inside interface to an outside interface is different from connections that are from the outside interface to the inside interface. Here are the basic steps in configuring a PIX firewall:

• The first step in configuring a PIX firewall is
naming the different interfaces. On new installations, the PIX firewall provides default names for each interface. To view these default interface names, use the show nameif command. However, it would be ideal to rename these interfaces according to your network conventions or specifications. The command to name the interface is nameif. The syntax of this command is as follows:
    nameif hardware_id interface security_level
  hardware_id – This is the hardware name for the network interface card you are naming. An example of this would be ethernet0 (if you are using Ethernet interfaces).
  interface – This is where you would name that interface if you want to use a different name other than the default one. Examples of this would be dmz or perimeter. You can specify up to 48 characters for this field; however, if you use a long name, you would need to reenter that name every time.
  security_level – You can choose any security level value between 1 and 99 for any perimeter interface, so long as it is not the same as the inside or outside interface. If this is an initial PIX configuration, the default security level starts at security10 for the first perimeter interface.
  An example of the nameif command is:
    nameif ethernet0 inside 10
• The second step in configuring a PIX firewall is assigning IP addresses to each interface on your PIX firewall. If you have any unused interface on your PIX firewall, the PIX-assigned IP address for that interface is 127.0.0.1 with a subnet mask of 255.255.255.255. This does not allow any traffic to pass through this interface. The format for the ip address command is as follows:
    ip address inside ip_address network_mask
    ip address outside ip_address network_mask
  ip_address – The IP address you specify for that interface. This IP address must be unique.
  network_mask – The network mask of the IP address assigned. If you are using a subnet mask, use it in this field.
  An example of the ip address command is:
    ip address inside 10.10.10.1 255.255.255.0
• The next step is configuring the interfaces that are on your PIX firewall. The command that is used is interface. The format for this command is as follows:
    interface hardware_id hardware_speed [shutdown]
  hardware_id – You can use either ethernetn for Ethernet interfaces or token for Token Ring, depending on how it was specified in the nameif command.
  hardware_speed – If the interface used is Token Ring, use either 4mbps or 16mbps depending on the speed of the Token Ring card. If the interface is Ethernet, depending on the network interface card used in the PIX firewall, you can use auto (sets Ethernet speed automatically), 10baset (10 Mbps half duplex), 10full (10 Mbps full duplex), 100basetx (100 Mbps half duplex), 100full (100 Mbps full duplex) and aui (10 Mbps half duplex on an AUI cable interface).
  shutdown – This is used to disable the use of this interface. If this is an initial configuration, the shutdown option is on by default. To enable an interface, you would need to enter the command without the shutdown option.
  An example of the interface command is:
    interface ethernet0 auto

Configuring Access Through the PIX Firewall

Now that we have configured the different components of the PIX firewall, we need to allow users to connect through the PIX firewall. As we have identified each interface with a security level, we need to define the guidelines allowing connections coming from a higher security level interface to a lower security level interface, and vice versa. The commands that are used to allow this are nat and global.

• To allow inside users to connect to any lower security level interface, use the nat (inside) 1 0 0 command. The “1” after the interface (inside) is the NAT ID. Instead of using 0 0, which allows all hosts to start a connection, you can specify a host or a network address and mask. For example, to allow only the 10.10.10.5 host to start a connection, you can specify this command:
    nat (inside) 1 10.10.10.5 255.255.255.255
• Adding a global command for each lower security level interface allows users to have access to, for example, the outside interface or the dmz interface. The global command creates a pool of addresses that translated connections can pass through. Remember to have enough global addresses to accommodate the number of users that are accessing the lower security level interface. An example of this is:
    global (dmz1) 1 10.10.10.20-10.10.10.50 netmask 255.255.255.0
• The next step is to set up a default route that points to the outside router. You can use the show route command to view the route that you just configured. If there is an existing route already configured, use the no route command to remove it. For example, if the outside router’s address is 64.18.5.10, you would issue this command:
    route outside 0 0 64.18.5.10 1
  This command defines that the default router is on the outside interface. The default route is defined by the 0 0 right before the IP address, which is translated as 0.0.0.0 netmask 0.0.0.0. The 1 at the end of the command states that this is the next hop router.
• The next step is to permit ping access. This allows you to test that a host is reachable through the PIX firewall. The process starts by creating an access-list that permits pings through the firewall. Here is an example:
    access-list ping_in permit icmp any any
    access-list ping_out permit icmp any any
• After creating the access-lists, you would need to apply them to the specific interfaces. In this example, we are applying the access-list ping_in to the inside interface of the PIX firewall:
    access-group ping_in in interface inside
• The final steps are to save the configuration by issuing the write memory command, check the configuration by using the write terminal command, and finally test the network connectivity. Pinging the different interfaces of the firewall and getting a response would be a good start in verifying network connectivity. Here are some of the commands you would use to check the configuration of the PIX firewall:
    show ip address – to verify the IP address of each interface
    show nat – to verify network address translation
    show route – to verify the default route
    show global – to show the range of global addresses

If you need a host on the outside interface to gain access to a host on an inside interface, the conduit command is used. An example of this is when you want anyone from the outside interface to access your web server in the dmz. The resulting commands would be:
    static (dmz, outside) 64.18.1.50 10.10.10.50 netmask 255.255.255.255
    conduit permit tcp host 64.18.1.50 eq www any
The first line defines that from the dmz, host 10.10.10.50 is mapped to the outside interface address 64.18.1.50. The second line then defines that any user from the outside can access 64.18.1.50 via port 80.

Configuring Advanced Features

• Failover – Failover allows you to add a secondary PIX firewall unit that takes over when the primary unit fails. These units are connected by special RS-232 serial cables that transmit special “hello” failover messages to each other every 15 seconds. When a failure of the primary unit is detected, the secondary unit assumes the IP address and the MAC address of the failed unit. The secondary unit then acquires the configuration of the primary unit and is now able to function as the firewall. To enable failover between two PIX firewall units, they would need to be configured exactly the same. When a failover cable is connected between the two units, you need to explicitly enable failover by issuing the failover command. In addition, if any configuration change is made on the
primary unit, you need to issue the write standby command in order for the changes to be replicated to the standby unit.
• PPTP Virtual Private Network – In version 5.1, Microsoft’s PPTP is supported. PPTP (Point-to-Point Tunneling Protocol) is a Layer 2 tunneling protocol that allows a remote client to establish secure communication through a public IP network such as the Internet. The vpdn command enables the PPTP feature for inbound connections between the PIX firewall and a Windows client. An example of the use of this command is as follows:
    vpdn enable outside
• ActiveX Blocking – ActiveX controls are components that are inserted in a web page or application and can contain several different forms that can gather or display information. This can create many potential security problems, as these can be invoked to attack network services or take over a workstation. The PIX firewall ActiveX blocking feature blocks these controls from the web page itself.
• SNMP – The PIX firewall can be configured to send SNMP traps to an SNMP server so that it can be monitored remotely. The command to enable this advanced feature is snmp-server host.
• Websense URL Filtering – If you use a Websense server, the PIX firewall can be configured to let it perform URL filtering. The command issued on the PIX firewall to point itself to a Websense server is as follows:
    url-server (inside) host 10.10.10.1 timeout 15
• FTP and URL Logging – The PIX firewall can log FTP commands and WWW URLs to a syslog server. Issuing the show fixup command confirms that the ftp and http protocol fixups are present in the configuration.

Encryption Technology

Basic Cryptography

Cryptography is defined as the science of reading or writing coded messages. It is the foundation of the mechanics of enabling authentication, integrity and confidentiality. The process of cryptography is known as encryption. An encrypted message is a message that has undergone a mathematical or algorithmic process in order for it to be converted to cipher text. When the intended recipient gets the cipher text, he then proceeds to decrypt the message by applying the same algorithmic process to it as the sender. This allows him to get back the decrypted message. There are three types of cryptographic functions that enable authentication, integrity and confidentiality:

• Symmetric encryption – This type of encryption is often known as secret key encryption. This is where a common key and the same algorithmic process are used to encrypt and decrypt a message.
• Asymmetric encryption – This type of encryption is often known as public key encryption. Public key encryption uses two different but related keys in order to perform the algorithmic process on the message. When a message is encrypted, both a public key and a private key are needed. For example, Joe would like to send Mary an encrypted message. First, he encrypts the message using both his public and private key. He then sends Mary both the encrypted message and his public key. Mary then uses Joe’s public key to decrypt the message.
• Hash functions – A hash function takes a message and then outputs it as a certain code. The code has to meet specific properties to be effective. These properties are consistency, randomness, uniqueness, and it must be one way. One-way hashes verify the integrity of a message by making sure that the message has not been tampered with in transit.

Overview of IKE & IPSEC

• IPSEC – IPSEC stands for IP Security. IPSEC is a framework of open standards for guaranteeing secure private communications over the Internet. IPSEC uses encryption technology to offer data integrity, confidentiality and authenticity between participating peers in a private network. Cisco provides full Encapsulating Security Payload (ESP) and Authentication Header (AH) support. IPSEC provides IP network layer encryption and authentication, thus providing an end-to-end security solution in your network architecture. This encryption method allows encrypted packets to look the same as regular packets; these packets are routed normally through any IP network, such as the Internet. This is done without any changes to the transitional networking devices. The only devices that are aware of such an encryption are the end points of the communication. IPSEC employs several different technologies to provide a complete system of confidentiality, integrity and authenticity. These technologies are:
  o Diffie-Hellman key exchange – This is used for obtaining key material between peers on a public network.
  o Public key cryptography – This is used for signing the Diffie-Hellman exchanges. This guarantees the identities of the two parties.
  o Bulk key encryption – This is for encrypting the data.
  o Keyed Hash Algorithms – These, combined with traditional hash algorithms, provide packet authentication.
  o Digital Certificates – Items signed by a certificate authority to act as digital identification cards.
• IKE – IKE stands for Internet Key Exchange. IKE was formerly known as the Internet Security Association Key Management Protocol, or ISAKMP. IKE offers security association management. IKE authenticates each peer in an IPSEC communication, negotiates security policy and handles the exchange of session keys. IKE is a key management protocol standard that is used in conjunction with IPSEC. IPSEC can be configured without IKE; however, IKE enhances IPSEC with its additional features. IKE automatically negotiates IPSEC security associations and enables IPSEC secure communications without manual configuration. IKE provides these benefits:
  o Eliminates the need to manually configure the different security parameters of IPSEC in the crypto maps at both peers
  o Allows you to configure a lifetime for the IPSEC security association
  o Allows encryption keys to change during IPSEC sessions
  o Allows IPSEC to offer anti-replay services
  o Permits Certificate Authority support for a manageable and scalable IPSEC implementation
  o Allows dynamic authentication of peers

Configuring IPSEC with IKE

• Enable the debug crypto ipsec command to obtain important IPSEC-related messages that only display when this command is entered.
• Create an access-list to define the traffic to protect:
    access-list 102 permit ip 10.10.0.0 255.255.0.0 64.18.1.1 255.255.255.0
• Configure a transform set that specifies how the traffic will be protected. For example:
    crypto ipsec transform-set testset1 esp-des esp-sha-hmac
    crypto ipsec transform-set testset2 ah-sha-hmac esp-3des esp-sha-hmac
• Create a crypto map entry in the IPSEC ISAKMP mode:
    crypto map testmap1 10 ipsec-isakmp
• Assign an access-list to a crypto map entry. For example:
    crypto map testmap1 10 match address 102
• Define the peer to which the IPSEC-protected traffic can be forwarded:
    crypto map testmap1 10 set peer 209.223.140.2
• Specify which transform sets are allowed for this crypto map entry. For example:
    crypto map testmap1 10 set transform-set testset1 testset2

Configuring IKE

• The first step is to enable the debug crypto isakmp command to capture important IKE-related messages that only display when this command is enabled.
• Enable IKE on the interface on which the IPSEC traffic will be evaluated. For example:
    isakmp enable outside
• Define the policy to create. The priority number that you assign identifies each policy. For example:
    isakmp policy 21
• Specify the encryption algorithm. For example:
    isakmp policy 21 encryption des
• Specify the hash algorithm. For example:
    isakmp policy 21 hash md5
• Specify the authentication method. For example:
    isakmp policy 21 authentication rsa-sig
• Specify the Diffie-Hellman group identifier. For example:
    isakmp policy 21 group
• Specify the security association’s lifetime. For example:
    isakmp policy 21 lifetime 4000

Special thanks to Alfred Saulo for contributing this Cramsession.
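The method-list fallback described in the Overview of Basic AAA Configuration Process, in particular why aaa authentication ppp default tacacs+ none only helps while the TACACS+ server is unreachable, is modelled in this added Python example; it is not part of the original Cramsession or of Cisco IOS. The Backend class, its user tables, and the rule that an unknown local user yields an error rather than a failure are this example's assumptions.

```python
"""Added model of how Cisco IOS walks an AAA authentication method list.

Assumption of this example: a method that cannot answer (server down,
user not in the local database) returns ERROR and the next method is
tried; a method that answers "wrong credentials" returns FAIL and the
walk stops. Only the 'none' method always returns PASS.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def parse_method_list(line):
    """Parse 'aaa authentication <service> <list-name> <method> ...'."""
    words = line.split()
    if words[:2] != ["aaa", "authentication"] or len(words) < 5:
        raise ValueError("not an aaa authentication method list: " + line)
    return {"service": words[2], "name": words[3], "methods": words[4:]}


@dataclass
class Backend:
    """Constructed stand-in for the local database and the AAA servers."""
    local_users: dict = field(default_factory=dict)
    tacacs_users: dict = field(default_factory=dict)
    radius_users: dict = field(default_factory=dict)
    tacacs_reachable: bool = True
    radius_reachable: bool = True

    def _server(self, table, reachable, user, password):
        if not reachable:
            return ERROR                      # the server did not answer
        return PASS if table.get(user) == password else FAIL

    def query(self, method, user, password):
        """Outcome of one method for one login attempt."""
        if method == "none":
            return PASS                       # no authentication at all
        if method == "local":
            if user not in self.local_users:  # assumption: unknown -> ERROR
                return ERROR
            return PASS if self.local_users[user] == password else FAIL
        if method == "tacacs+":
            return self._server(self.tacacs_users, self.tacacs_reachable,
                                user, password)
        if method == "radius":
            return self._server(self.radius_users, self.radius_reachable,
                                user, password)
        raise ValueError("unknown method " + method)


def authenticate(method_list, backend, user, password):
    """Walk the methods in order; return (result, trail of (method, outcome)).

    Only ERROR moves on to the next method. A FAIL ends the walk with a
    rejection, so a trailing 'none' never rescues a wrong password.
    """
    trail = []
    for method in method_list["methods"]:
        outcome = backend.query(method, user, password)
        trail.append((method, outcome))
        if outcome != ERROR:
            return outcome, trail
    return FAIL, trail        # every method errored: the user is rejected


def demo():
    """Both faces of 'aaa authentication ppp default tacacs+ none'."""
    ppp = parse_method_list("aaa authentication ppp default tacacs+ none")
    server_down = Backend(tacacs_users={"alice": "s3cret"},
                          tacacs_reachable=False)
    server_up = Backend(tacacs_users={"alice": "s3cret"})
    return {
        "outage": authenticate(ppp, server_down, "alice", "anything")[0],
        "bad_password": authenticate(ppp, server_up, "alice", "wrong")[0],
    }


if __name__ == "__main__":
    print(demo())   # {'outage': 'PASS', 'bad_password': 'FAIL'}
```

The trail returned by authenticate is what you would want in an audit record: it shows whether a login was granted by a server decision or by the fallback method during an outage.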
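The security-level rules from Configuring Access Through the PIX Firewall (nat plus global for higher-to-lower connections, static plus conduit for lower-to-higher ones) are worked through in this added Python model, which is not PIX code and not part of the original Cramsession. The parser only understands the command forms shown in this guide, the sample configuration is constructed, and the port-name table is this example's assumption.

```python
"""Added model of the PIX access rules described above (not PIX code).

Outbound (higher to lower security level) needs a nat entry covering the
source plus a global pool with the same NAT ID on the exit interface.
Inbound (lower to higher) needs a static translation for the destination
plus a conduit that permits the protocol and port.
"""
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}   # assumption


def _net(ip, mask):
    """PIX accepts a bare 0 for 0.0.0.0 in nat statements."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(ip + "/" + mask, strict=False)


class PixModel:
    def __init__(self, config):
        self.levels, self.nats, self.globals = {}, [], []
        self.statics, self.conduits = [], []
        for line in config.splitlines():
            w = line.split()
            if not w:
                continue
            if w[0] == "nameif":                 # nameif hw name level
                self.levels[w[2]] = int(w[3])
            elif w[0] == "nat":                  # nat (if) id ip mask
                self.nats.append((w[1].strip("()"), int(w[2]), _net(w[3], w[4])))
            elif w[0] == "global":               # global (if) id first-last ...
                first, last = w[3].split("-")
                self.globals.append((w[1].strip("()"), int(w[2]), first, last))
            elif w[0] == "static":               # static (high, low) gip lip ...
                pair = line[line.index("(") + 1:line.index(")")]
                high, low = [s.strip() for s in pair.split(",")]
                rest = line[line.index(")") + 1:].split()
                self.statics.append((high, low, rest[0], rest[1]))
            elif w[0] == "conduit" and w[1] == "permit":
                # conduit permit <proto> host <global-ip> eq <port> any
                self.conduits.append((w[2], w[4], int(PORT_NAMES.get(w[6], w[6]))))

    def check(self, src_if, src_ip, dst_if, dst_ip, proto, port):
        """Decide a new connection; dst_if is where the real server lives.

        For inbound connections dst_ip is the address seen on the wire,
        i.e. the global address of the static. Returns (allowed, reason)."""
        if self.levels[src_if] > self.levels[dst_if]:
            return self._outbound(src_if, src_ip, dst_if)
        return self._inbound(src_if, dst_if, dst_ip, proto, port)

    def _outbound(self, src_if, src_ip, dst_if):
        for iface, nat_id, net in self.nats:
            if iface == src_if and ipaddress.ip_address(src_ip) in net:
                for giface, gid, first, last in self.globals:
                    if giface == dst_if and gid == nat_id:
                        return True, "translated from pool %s-%s" % (first, last)
                return False, "no global pool on %s for NAT ID %d" % (dst_if, nat_id)
        return False, "source %s not covered by a nat statement" % src_ip

    def _inbound(self, src_if, dst_if, dst_ip, proto, port):
        for high, low, gip, lip in self.statics:
            if high == dst_if and low == src_if and gip == dst_ip:
                for cproto, cgip, cport in self.conduits:
                    if cproto == proto and cgip == gip and cport == port:
                        return True, "static to %s, conduit permits %s/%d" % (lip, proto, port)
                return False, "static exists but no conduit permits %s/%d" % (proto, port)
        return False, "no static translation for %s" % dst_ip


# Constructed configuration using the addressing of this Cramsession.
SAMPLE_CONFIG = """
nameif ethernet0 outside 0
nameif ethernet1 inside 100
nameif ethernet2 dmz 50
nat (inside) 1 0 0
global (outside) 1 64.18.1.100-64.18.1.120 netmask 255.255.255.0
static (dmz, outside) 64.18.1.50 10.10.10.50 netmask 255.255.255.255
conduit permit tcp host 64.18.1.50 eq www any
"""


def demo():
    """Five connection attempts against the sample configuration."""
    pix = PixModel(SAMPLE_CONFIG)
    return {
        "inside_to_internet": pix.check("inside", "10.10.10.5", "outside", "64.18.5.10", "tcp", 80)[0],
        "inside_to_dmz": pix.check("inside", "10.10.10.5", "dmz", "10.10.10.50", "tcp", 80)[0],
        "internet_to_web": pix.check("outside", "203.0.113.9", "dmz", "64.18.1.50", "tcp", 80)[0],
        "internet_to_ssh": pix.check("outside", "203.0.113.9", "dmz", "64.18.1.50", "tcp", 22)[0],
        "internet_to_inside": pix.check("outside", "203.0.113.9", "inside", "10.10.10.5", "tcp", 80)[0],
    }
```

The inside_to_dmz case is the one that catches people: the nat statement alone is not enough, each lower security interface needs its own global pool with the same NAT ID.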
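The Diffie-Hellman exchange that IKE uses to obtain key material (Overview of IKE & IPSEC, and the isakmp policy ... group and hash steps under Configuring IKE) is carried through in this added Python example, which is not Cisco code and not part of the original Cramsession. The prime is the 1024-bit MODP group 2 of RFC 2409 as transcribed by the example author (and re-checked at run time), the SKEYID derivation follows RFC 2409 for signature authentication, and the Peer class and nonce handling are this example's assumptions.

```python
"""Added example of the Diffie-Hellman exchange IKE performs (not Cisco code).

GROUP2_P is the 1024-bit MODP prime of IKE group 2 (RFC 2409), transcribed
by the example author; group_is_sane() re-checks that transcription.
For signature authentication RFC 2409 derives SKEYID = prf(Ni | Nr, g^xy),
where the prf is the HMAC of the negotiated hash ('isakmp policy 21 hash
md5' selects HMAC-MD5).
"""
import hashlib
import hmac
import secrets

GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2


def is_probable_prime(n, rounds=12):
    """Miller-Rabin test with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane(p=GROUP2_P):
    """Group 2 is a 1024-bit safe prime: p and (p - 1) / 2 are both prime."""
    return (p.bit_length() == 1024 and is_probable_prime(p)
            and is_probable_prime((p - 1) // 2))


class Peer:
    """One IKE peer's half of the exchange; the private exponent never leaves."""

    def __init__(self, p=GROUP2_P, g=GROUP2_G):
        self.p = p
        self._x = secrets.randbelow(p - 2) + 1        # private exponent x
        self.public = pow(g, self._x, p)              # g^x, sent on the wire
        self.nonce = secrets.token_bytes(16)          # Ni or Nr (assumption)

    def shared_secret(self, peer_public):
        """g^xy; degenerate public values (0, 1, p-1) are refused."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self._x, self.p)


def skeyid_sig(g_xy, nonce_i, nonce_r, hash_name="md5", p=GROUP2_P):
    """SKEYID for signature authentication; g^xy is encoded as len(p) bytes."""
    g_xy_bytes = g_xy.to_bytes((p.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, g_xy_bytes, hash_name).digest()


def demo(hash_name="md5"):
    """Initiator and responder end with the same g^xy and the same SKEYID."""
    initiator, responder = Peer(), Peer()
    secret_i = initiator.shared_secret(responder.public)
    secret_r = responder.shared_secret(initiator.public)
    key_i = skeyid_sig(secret_i, initiator.nonce, responder.nonce, hash_name)
    key_r = skeyid_sig(secret_r, initiator.nonce, responder.nonce, hash_name)
    return (secret_i == secret_r and key_i == key_r
            and len(key_i) == hashlib.new(hash_name).digest_size)
```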
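The packet authentication that a keyed hash provides (Keyed Hash Algorithms under Overview of IKE & IPSEC, the esp-sha-hmac transform, and the anti-replay service IKE enables) is shown end to end in this added Python example, which is not Cisco code and not part of the original Cramsession. The packet layout is a simplified ESP (SPI, sequence number, payload, ICV), the 96-bit truncation follows RFC 2404, and the 64-packet window size and the sample key are this example's assumptions.

```python
"""Added example of IPSEC packet authentication with a keyed hash and the
anti-replay window. Not Cisco code: the packet layout is a simplified ESP
(SPI | sequence | payload | ICV) and the window size is an assumption.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12                   # HMAC-SHA-1-96: 160-bit tag truncated to 96 bits
HEADER = struct.Struct("!II")  # SPI and sequence number, network byte order


def protect(key, spi, seq, payload):
    """Sender side: append the keyed hash over SPI, sequence and payload."""
    body = HEADER.pack(spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    """Receiver side of one inbound security association."""

    def __init__(self, key, spi, window=64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = 0             # bit d set => (highest - d) was accepted

    def verify(self, packet):
        """Return (accepted, reason); the window only moves for valid packets."""
        if len(packet) < HEADER.size + ICV_LEN:
            return False, "truncated"
        spi, seq = HEADER.unpack_from(packet)
        if spi != self.spi:
            return False, "unknown SPI"
        if seq == 0:
            return False, "sequence number zero"
        # 1. Cheap replay check before the keyed hash is computed.
        if seq <= self.highest:
            behind = self.highest - seq
            if behind >= self.window:
                return False, "outside anti-replay window"
            if (self.seen >> behind) & 1:
                return False, "replayed"
        # 2. Integrity: recompute the ICV with the shared key, compare in constant time.
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return False, "bad ICV"
        # 3. Only now record the sequence number in the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)
        return True, "accepted"


def demo():
    """Walk a constructed sequence of packets through one receiver."""
    key, spi = b"constructed-sa-key", 0x1234
    rx = Receiver(key, spi)
    good1 = protect(key, spi, 1, b"first")
    good5 = protect(key, spi, 5, b"fifth")
    # Same length, payload altered after the ICV was computed.
    forged5 = good5[:HEADER.size] + b"FIFTH" + good5[HEADER.size + 5:]
    return [
        rx.verify(good1)[1],                          # accepted
        rx.verify(good1)[1],                          # replayed
        rx.verify(forged5)[1],                        # bad ICV, window untouched
        rx.verify(good5)[1],                          # accepted (seq 5 not burned)
        rx.verify(protect(key, spi, 100, b"x"))[1],   # accepted, window slides
        rx.verify(protect(key, spi, 30, b"x"))[1],    # 70 behind: outside window
        rx.verify(protect(key, spi, 40, b"x"))[1],    # 60 behind: accepted
    ]
```

Note the ordering: the forged packet with sequence number 5 fails the ICV and leaves the window alone, so the genuine packet 5 is still accepted afterwards; updating the window before the ICV check would let an attacker burn sequence numbers with garbage.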