FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge

MANAGING CISCO NETWORK SECURITY

Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA
Oliver Steudler, CCNA, CCDA, CNE
Jacques Allison, CCNP, ASE, MCSE+I
TECHNICAL EDITOR: Florent Parent, Network Security Engineer, Viagénie Inc.

“Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.”
—David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA, President, Certified Tech Trainers

1 YEAR UPGRADE BUYER PROTECTION PLAN
112_FC 11/22/00 1:15 PM Page 1

With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:

■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
solutions@syngress.com

MANAGING CISCO NETWORK SECURITY: BUILDING ROCK-SOLID NETWORKS

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 AWQ692ADSE
002 KT3LGY35C4
003 C3NXC478FV
004 235C87MN25
005 ZR378HT4DB
006 PF62865JK3
007 DTP435BNR9
008 QRDTKE342V
009 6ZDRW2E94D
010 U872G6S35N

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Managing Cisco Network Security: Building Rock-Solid Networks
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-17-2

Copy edit by: Adrienne Rebello
Proofreading by: Nancy Kruse Hannigan
Technical review by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Technical edit by: Florent Parent
Index by: Robert Saigh
Project Editor: Mark A. Listewnik
Co-Publisher: Richard Kristof

Distributed by Publishers Group West

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying, and supporting world-class enterprise networks.

Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty, and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.

From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer-based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge

Contributors

Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedicated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute.
Russell’s main area of expertise is in LAN routing and switching technologies and network security implementations. Chapters 3, 4, and 6.

David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades.

Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing, and troubleshooting complex networks. Chapter 5.

Jacques Allison (CCNP, ASE, MCSE+I) has been involved with Microsoft-related projects on customer networks ranging from single domain and Exchange organization migrations to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management. He received his engineering diploma in Computer Systems in 1996 from the Technicon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997. Jacques would like to dedicate his contribution to this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support. Chapter 8.

John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years of experience in the implementation, design, and troubleshooting of local and wide area networks, as well as four years of experience as an instructor. John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is currently pursuing his CCIE.
He would like to dedicate his efforts on this book to his daughter, Sydney. Chapter 2.

Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security. Chapter 1.

Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group www.ccguru.com. Pritpal owes his success to his family and lifelong friend, Vaheguru Ji. Chapter 7.

Technical Editor

Florent Parent is currently working at Viagénie, Inc. as a consultant in network architecture and security for a variety of organizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, network manager, and educator. He is involved in the architecture development and deployment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec working groups. In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9.

Technical Reviewer

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force.
[...]

... Features
Placing Cisco Secure ACS in Your Network
Cisco Secure ACS Device and Software Support
Using Cisco Secure ACS
Configuration
Cisco Secure ACS Configuration Example
Summary
FAQs
Chapter 9 Security Processes and Managing Cisco Security Fast Track
Introduction
What Is a Managing Cisco Security Fast Track?
Introduction to Cisco Network Security
Network Security
Network Communications in TCP/IP
Security ...

... Manager Features
Cisco Firewall Management
VPN and IPSec Security Management
Security Policy Management
Network Security Deployment Options
Cisco Secure Policy Manager Device and Software Support
Using Cisco Secure Policy Manager
Configuration
CSPM Configuration Example
Cisco Secure ACS
Cisco Secure ACS Overview
Cisco Secure ACS Benefits
Installation Requirements for Cisco Secure ACS
Cisco Secure ACS ...

... (RADIUS)
Kerberos
Cisco IP Security Hardware and Software
Cisco Secure PIX Firewall
Cisco Secure Integrated Software
Cisco Secure Integrated VPN Software
Cisco Secure VPN Client
Cisco Secure Access Control Server
Cisco Secure Scanner
Cisco Secure Intrusion Detection System
Cisco Secure Policy Manager
Cisco Secure Consulting Services
Summary
FAQs
Chapter 2 Traffic Filtering on the Cisco IOS
Introduction ...

... What Is Intrusion Detection?
Cisco Secure Scanner (NetSonar)
Cisco Secure NetRanger
Cisco Secure Intrusion Detection Software
Network Security Management
Cisco PIX Firewall Manager
CiscoWorks 2000 ACL Manager
Cisco Secure Policy Manager
Cisco Secure Access Control Manager
General Security Configuration Recommendations on Cisco
Remote Login and Passwords
Disable Unused Network Services
Logging and Backups ...
... Control Lists Manager, Cisco Secure Policy Manager (CSPM), and Cisco Secure Access Control Server.

Chapter 9: Security Processes and the Managing Cisco Security Fast Track provides a concise review of Cisco IP network security, detailing the essential concepts covered in the book. This chapter also includes a section on general security configuration recommendations for all networks. You can use these recommendations ...

... attack networks. We discuss host and network intrusion and focus on the intrusion detection and vulnerability scanner products available from Cisco.

Chapter 8: Network Security Management provides a look at the network security management tools available from Cisco: PIX Firewall Manager, CiscoWorks 2000 Access Control Lists Manager, Cisco ...

... 1: Introduction to IP Network Security provides an overview of the components that comprise system and network security. The chapter introduces some basic networking concepts (IP, TCP, UDP, ICMP) and discusses some of the security mechanisms available in TCP/IP. We also introduce some of the essential network security products available from Cisco.

Chapter 2: Traffic Filtering on the Cisco IOS focuses on ...

Chapter 1
Introduction to IP Network Security

Solutions in this chapter:
■ Protecting Your Site
■ Network Communication in TCP/IP
■ Security in TCP/IP
■ Cisco IP Security Hardware and Software

Introduction

The “2000 CSI/FBI Computer Crime and Security Survey,” conducted in early 2000 by the Computer Security Institute (CSI) ...
... only one piece in the network security infrastructure. Good host security, regular assessment of the overall vulnerability of the network (audits), good authentication, authorization, and accounting practices, and intrusion detection are all valuable tools in combating network attacks and ensuring a network security manager’s “peace of mind.” Cisco Systems is the worldwide leader in IP networking solutions ...

Chapter 1 Introduction to IP Network Security
Introduction
Protecting Your Site
Typical Site Scenario
Host Security
Network Security
Availability
Integrity
Confidentiality
Access Control
Authentication
Authorization
Accounting
Network Communication in TCP/IP
Application Layer
Transport Layer
TCP
TCP Connection
UDP
Internet Layer
IP
ICMP
ARP
Network Layer
Security in TCP/IP
Cryptography
Symmetric ...

Chapter 9 Security Processes and Managing Cisco Security Fast Track 407
Introduction 408
What Is a Managing Cisco Security Fast Track? 408
Introduction to Cisco Network Security 408
Network Security 409
Network Communications in TCP/IP 409
Security in TCP/IP 410
Traffic Filtering on the Cisco IOS 412