Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Cisco Press
CCSP Self-Study
CCSP SECUR Exam Certification Guide
Greg Bastien
Christian Abera Degu

2408_CCSP.book Page i Thursday, November 13, 2003 2:38 PM

CCSP Self-Study
CCSP SECUR Exam Certification Guide
Greg Bastien, Christian Abera Degu

Copyright © 2004 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
Library of Congress Cataloging-in-Publication Number: 2002109331
ISBN: 1-58720-072-4
First Printing December 2003

Warning and Disclaimer
This book is designed to provide information about selected topics for the Cisco SECUR exam for the CCSP certification. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com
For sales outside of the U.S. please contact:
International Sales 1-317-581-3793 international@pearsontechgroup.com

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Executive Editor: Brett Bartow
Acquisitions Editor: Michelle Grandin
Production Manager: Patrick Kanouse
Senior Development Editor: Christopher Cleveland
Development Editor: Howard Jones
Copy Editor: Keith Cline
Technical Editors: Brad Dunsmore, Leon Katcharian, Inti Shah, John Stuppi
Team Coordinator: Tammi Barnett
Book and Cover Designer: Louisa Adair
Production Team: Octal Publishing, Inc.
Indexer: Eric Schroeder

About the Authors
Greg Bastien, CCNP, CCSP, CISSP, is currently a partner with Trinity Information Management Services, Inc., as a consultant to the federal government.
He holds a position as adjunct professor at Strayer University, teaching networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army.

Christian Abera Degu, CCNP, CCDP, CCSP, currently works for Veridian Networks/General Dynamics as a consulting engineer to the Federal Energy Regulatory Commission. He received his undergraduate degree from Strayer University and his graduate degree in computer information systems from George Mason University. He lives with his family in Alexandria, Virginia.

About the Technical Reviewers
Brad Dunsmore is a new product instructor with the Advanced Services group for Cisco Systems. He develops and deploys network solutions and training for Cisco Systems engineers, Cisco sales engineers, selected training partners, and customers. He specializes in SS7 offload solutions, WAN communication methods, and Cisco security products. He developed the Building Enhanced Cisco Security Networks course for Cisco and he currently holds the following industry certifications: CCNP, CCDP, CCSP, INFOSEC, MCSE+I, and MCDBA. He recently passed his written exam for the CCIE R/S certification and is currently working on his laboratory exam.

Leon Katcharian is an education specialist at Cisco Systems, Inc., where he develops and delivers training for Cisco network security products. He has more than 20 years of experience in the data-networking field, having been a technical support engineer, a technical instructor, and a course developer. Leon has worked as a technical support engineer or in an educational role for Motorola Information Systems Group, GeoTel Communications, ON Technology, Altiga Networks, and Cisco Systems. He holds a bachelor of science degree in business from Eastern Nazarene College along with several industry certifications.
Leon is currently the lead course developer for the Securing Cisco IOS Networks (SECUR) curriculum.

Inti Shah has worked in the networking industry for more than 15 years in both enterprise and service provider environments. He has extensive expertise in designing and delivering large-scale networks, complex e-business solutions, intrusion detection, firewall, and VPN services. Inti currently works for Energis in the UK and holds the Cisco CCNA, CCNP, CCSP, CCIP Security, Check Point CCSA, and CCSE accreditations. He is currently pursuing his CCIE Security accreditation.

John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco Systems. John advises Cisco customers in the planning, design, and implementation of VPN and security related solutions, including IDS, IPSec VPNs, and firewall deployments. John is a CISSP and holds an Information Systems Security (INFOSEC) Professional certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife, Diane, and his two wonderful children, Thomas and Allison.

Dedications
This book is dedicated to In Ho Park (February 27, 1973—December 16, 2001): CCNA, CCNP, and a good friend.

Acknowledgments
This book has been a very challenging, yet rewarding project. We sincerely appreciate the efforts of all those who helped to keep us focused throughout the process. We would especially like to thank Michelle Grandin, acquisitions editor, and the “development editor team” of Christopher Cleveland and Howard Jones for their guidance and encouragement. We would also like to thank the technical reviewers for their attention to detail, ability to decipher 2 a.m. techno-babble and offer up reasonable alternatives, and the sense of humor needed to hash through mountains of draft manuscripts.
Last but not least, we would like to thank Andy and Mark for getting the ball rolling on the project.

Contents at a Glance
Foreword xxiii
Introduction xxiv
PART I An Overview of Network Security 2
Chapter 1 Network Security Essentials 5
Chapter 2 Attack Threats Defined and Detailed 23
Chapter 3 Defense in Depth 43
PART II Managing Cisco Routers 56
Chapter 4 Basic Router Management 59
Chapter 5 Secure Router Administration 79
PART III Authentication, Authorization, and Accounting (AAA) 98
Chapter 6 Authentication 101
Chapter 7 Authentication, Authorization, and Accounting 115
Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software 137
Chapter 9 Cisco Secure Access Control Server 157
Chapter 10 Administration of Cisco Secure Access Control Server 175
PART IV The Cisco IOS Firewall Feature Set 188
Chapter 11 Securing the Network with a Cisco Router 191
Chapter 12 Access Lists 203
Chapter 13 The Cisco IOS Firewall 219
Chapter 14 Context-Based Access Control (CBAC) 231
Chapter 15 Authentication Proxy and the Cisco IOS Firewall 251
Chapter 16 Intrusion Detection and the Cisco IOS Firewall 279
PART V Virtual Private Networks 300
Chapter 17 Building a VPN Using IPSec 303
Chapter 18 Scaling a VPN Using IPSec with a Certificate Authority 339
Chapter 19 Configuring Remote Access Using Easy VPN 359
Chapter 20 Scaling Management of an Enterprise VPN Environment 379
PART VI Scenarios 400
Chapter 21 Final Scenarios 403
Appendix Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 427
Glossary 463
Index 472

Contents
Foreword xxiii
Introduction xxiv
Part I An Overview of Network Security 2
Chapter 1 Network Security Essentials 5
  “Do I Know This Already?” Quiz 5
  Foundation Topics 9
    Definition of Network Security 9
    Balancing Business Need with Security Requirement 9
    Security Policies 9
      Security Policy Goals 12
      Security Guidelines 13
        Management Must Support the Policy 13
        The Policy Must Be Consistent 13
        The Policy Must Be Technically Feasible 14
        The Policy Should Not Be Written as a Technical Document 14
        The Policy Must Be Implemented Globally Throughout the Organization 14
        The Policy Must Clearly Define Roles and Responsibilities 15
        The Policy Must Be Flexible Enough to Respond to Changing Technologies and Organizational Goals 15
        The Policy Must Be Understandable 15
        The Policy Must Be Widely Distributed 16
        The Policy Must Specify Sanctions for Violations 16
        The Policy Must Include an Incident Response Plan for Security Breaches 16
    Security Is an Ongoing Process 17
      Network Security as a Process 17
      Network Security as a Legal Issue 18
  Foundation Summary 19
    Security Policies 19
    Security Policy Goals 19
    Security Guidelines 20
    Network Security as a Process 20
  Q&A 21
Chapter 2 Attack Threats Defined and Detailed 23
  “Do I Know This Already?” Quiz 23
  Foundation Topics 27
    Vulnerabilities 27
      Self-Imposed Vulnerabilities 27
        Lack of Effective Policy 28
        Configuration Weakness 29
        Technology Weakness 30

[...]

... designed to help you prepare for the Cisco SECUR certification exam. The SECUR exam is the first in a series of five exams required for the Cisco Certified Security Professional (CCSP) certification. This exam focuses on the application of security principles with regard to Cisco IOS routers, switches, and virtual private network (VPN) devices.

Who Should Read This Book?
Network security is a very complex business...

Foreword
CCSP SECUR Exam Certification Guide is a complete study tool for the CCSP SECUR exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills needed to secure...

... covered on certification exams often. This exam guide should not be your only reference when preparing for the certification exam. There is a wealth of information available at Cisco.com that covers each topic in painful detail. The goal of this book is to prepare you as well as possible for the SECUR exam. Some of this is completed by breaking a 500-page (average) implementation guide into a 20-page chapter...

... that you can figure out the correct answer with the information provided.

The Certification Exam and This Preparation Guide
The questions for each certification exam are a closely guarded secret. The truth is that if you had the questions and could only pass the exam, you would be in for quite an embarrassment as soon as you arrived at your...

... Press will present study guides on existing and future exams through these Exam Certification Guides to help achieve Cisco Internet Learning Solutions Group’s principal objectives: to educate the Cisco community of networking professionals and to enable that community to build and maintain reliable, scalable networks. The Cisco career certifications and classes that support these certifications are directed...
... computer networking before you can begin to apply security principles. The Cisco SECUR program was developed to introduce the security products associated with or integrated into Cisco IOS Software, explain how each product is applied, and explain how it can increase the security of your network. The SECUR program is for network administrators, network security administrators, network architects, and...

... an effective network security policy.
- Chapter 3, “Defense in Depth”—Until recently, a network was considered to be secure if it had a strong perimeter defense. Network attacks are becoming much more dynamic and require a security posture that provides defense at many levels. Chapter 3 discusses the concepts that integrate all the security components into a single, very effective security strategy.
- Chapter...

... routers.
- Chapter 9, “Cisco Secure Access Control Server”—This chapter describes the features and architectural components of the Cisco Secure Access Control Server.
- Chapter 10, “Administration of Cisco Secure Access Control Server”—This chapter discusses the installation and configuration of the Cisco Secure Access Control Server on a Microsoft Windows 2000 Server.
- Chapter 11, “Securing the Network with...

... 31

Chapter 5 Secure Router Administration 79
  “Do I Know This Already?” Quiz 79
  Foundation Topics 83
    Privilege Levels 83
    Securing Console Access 84
      Configuring the Enable Password 84
      enable secret 86
      service password-encryption 87
      Configuring Multiple Privilege Levels 87
      Warning Banners 89
    Interactive Access 90
      Securing vty Access 90
      Secure ... on Cisco IOS 140
      TACACS+ Authentication Examples 141
      TACACS+ Authorization Example 143
      TACACS+ Accounting Example 143
    AAA TACACS+ Troubleshooting 144
      debug aaa authentication 144
      debug tacacs 145
      debug tacacs events 145
    Configuring RADIUS on Cisco IOS 146
      RADIUS Authentication and Authorization Example 148
      RADIUS Authentication, Authorization, and Accounting Example
    Testing and Troubleshooting RADIUS ...