Index
Numerics
3DES (Triple Data Encryption Standard), 265

A
AAA (authentication, authorization, and accounting), 12, 511, 515
  configuring, 538
    cut-through proxies, 569
    “Do I Know This Already?” quiz, 533–536
  defined, 511
  “Do I Know This Already?” quiz, 507–510
  Floodguard, 597
  PIX Firewalls supported AAA server technologies, 515
  servers
    identifying, 538, 541
    specifying, 537
  support, 44
  troubleshooting, 573, 577
aaa accounting command, 539
aaa authentication command, 539, 542
aaa authentication console command, 544
aaa authorization command, 539
aaa-server command, 538
AAA server groups, 446
aaa-server local command, 539
AAA servers, 383
access, 9
  AAA, 511, 515
  ACL, 26
  configuring inbound access, 159–168
  “Do I Know This Already?” quiz, 155–158
  lists, 164
  modes, 129
  NAS, 512
  networks
    security, 7
    threats, 8
    types of attacks, 8, 11
    vulnerabilities, 8
  object grouping, 169, 172
  PDM requirements, 376
  remote, 71, 74
    SSH, 72–74
    Telnet, 71–72
  rules, configuring, 642
access attacks, 9, 10–11
Access Control Server (ACS), 44
access list entries (ACEs), 164
access lists, managing access control entries, 167
access rules, 387–389
access VPNs, 261, 311
access-group command, 280, 641
access-list command, 164, 275
accounting, 512
  configuring, 563–565
  troubleshooting, 575
  viewing, 565
ACEs (access list entries), 164
ACLs (access control lists), 26
  downloading, 569, 572
  logging, 172
  TurboACL, 168–169
ACS (Access Control Server), 44
activating AUS, 464
  auto update server contact information, 469
  PIX Firewall configuration deployment, 470
  PIX Firewall unique identification parameters, 467
1587201232.book Page 750 Monday, September 13, 2004 1:12 PM
activation keys
  license, 265
  upgrading, 79–80
ActiveX objects, filtering, 495–497
Activity bar (Firewall MC user interface), 428
Activity Report (Firewall MC), 455
Adaptive Security Algorithm (ASA), 31, 41–43
address command, 82
address translation pools, 447
addresses
  IP
    global, 639–640
    mapping, 637
  translation, 45, 106, 114
    bidirectional, 114
    commands, 107–108
    configuring multiple, 112, 114
    NAT, 108–109
    PAT, 110
    static, 111
    static port translation, 161
    troubleshooting, 114, 118
administration tasks (Firewall MC), 458
  maintenance, 461
  support, 462
  workflow setup, 458–460
advanced protocol handling, 175–177
aggressive mode (IKE), 266
AH (Authentication Header), 263
algorithms
  ASA, 31, 41–43
  SHA-1, 265
  transform sets, 276
alias command, 596
applets, 496
applications
  advanced protocol handling, 175
  AVVID, 14–15, 19
  multimedia
    H.323, 591
    RTSP, 588
    support, 587–593
  threats, 8
arc, 15
Architecture for Voice, Video, and Integrated Data. See AVVID
ASA (Adaptive Security Algorithm), 31, 41–43
ASBRs (Autonomous System Boundary Routers), 216, 220
assigning users to groups, 551
Association, 643
attack guards, 594, 598
  AAA Floodguard, 597
  DNS, 595
  “Do I Know This Already?” quiz, 583–586
  Flood Defender, 597
  fragmentation, 594
  mail guard, 596–597
attacks, 9, 18
  reconnaissance, 9
  SYN flooding, 597
  Syslog, 185
  threats, 8
  types of
    access, 10–11
    DoS, 11
    reconnaissance, 9–10
audit policy, 599
AUS (Auto Update Server), 409, 462
  activation, 464
    auto update server contact information, 469
    PIX Firewall configuration deployment, 470
    PIX Firewall unique identification parameters, 467
  administrative tasks, 483
  assignment configuration, 477
  device configuration, 474
  image configuration, 475
  installing, 463
  reports, 479–481
  supported devices, 463
  user interface, 471–473
authentication, 215
  CAs, 268–269
  configuring, 541–542, 550
    authentication timeout, 549
    console access authentication, 544
    designating parameters, 543
    services, 545
  cut-through proxy, 31, 43
  Easy VPN Remote, 336–338
  HMAC, 265
  prompts, 548
  services, 545
  timeout, 549
  troubleshooting, 574
  VPDN group, 354
  X.509 certificate support, 44, 61
Authentication Header (AH), 263
authentication telnet console command, 72
authentication, authorization, and accounting. See AAA
authorization
  command-level, 74–76
  configuring, 550–561
  Cisco Secure ACS, 551
  cut-through proxy, 31, 43
  rules, 555
  troubleshooting, 575
auth-prompt command, 548–549
Autonomous System Boundary Routers (ASBRs), 216, 220
Auto Update Server. See AUS
AVVID (Architecture for Voice, Video, and Integrated Data), 14–15, 19

B
back user task flow (Firewall MC), 428
banner command, 147
basic configuration, 641
bidirectional network address translation, 114
block scans, 10
blocking applets, 496
boothelper disks, 84
bootstrap commands (Firewall MC), 418
browsers, PDM requirements, 376

C
cables (Crossover Ethernet), 246
caches
  no url-cache command, 500
  show url-cache command, 502
cannot, 497
CAs (Certification Authorities), 337
  VPN, 268–269
case studies
  DUKEM, 633
    authentication, 642
    basic PIX Firewall configuration, 635–640
    configuring access rules, 641
    failover, 655–656
    growth expectation, 634
    logging, 642
    VPNs, 643–654
    troubleshooting implementation, 657–665
certificate revocation lists (CRLs), 144
certificates (X.509), support, 44
cgi-truncate parameter, 501
chapter, 288
CIFS (Common Internet File System), 105
Cisco, 139
Cisco AVVID. See AVVID
Cisco Easy VPN Remote Router clients, 323
Cisco Firewall Services Module. See FWSM
Cisco PIX 501 Firewall, 48
Cisco PIX 501 VPN Client, 322
Cisco PIX 506 Firewall, 49
Cisco PIX 506 VPN Client, 322
Cisco PIX 515E Firewall, 51–53
Cisco PIX 525 Firewall, 54–56
Cisco PIX 535 Firewall, 56–58
Cisco PIX Firewall. See PIX Firewall
Cisco PIX Firewall FastEthernet Interface Card (PIX-1FE), 47
Cisco Secure ACS (Access Control Server), 515, 533, 566
Cisco Secure Intrusion Detection Sensor, 44, 61
Cisco Secure PIX 506, 44
Cisco Secure PIX 515, 44
Cisco Secure PIX 525, 44
Cisco Secure PIX 535, 44
Cisco Secure Scanner, 13
Cisco VPN 3002 Hardware Client, 321–322
Cisco VPN Software Client, 321, 334
  features, 335
  manual configuration, 338–344
  specifications, 335
CiscoWorks
  Firewall MC, 46, 419
    adding users, 421
    login process, 419
    user authorization roles, 421
clear command, 285
clear ntp command, 145
clear rip command, 216
clear route command, 214
clear uauth command, 550
clear xlate command, 115, 593
CLI (command-line interface), 45, 62, 72
Click, 568
client mode (Easy VPN Remote), 333
clients
  Cisco Easy VPN Remote Router clients, 323
  DHCP, 143
  Easy VPN Remote, 321–322
  HTTP, upgrading OS, 83
clock summer-time command, 147
clocks (system), 146–147
command-level authorization, 74–76
command-line interface (CLI), 45, 62, 72
commands, 111, 143, 216, 227, 277, 285, 326, 332, 353, 539, 615–616, 625
  aaa accounting command, 539
  aaa authentication command, 539, 542
  aaa authentication console command, 544
  aaa authorization command, 539
  aaa-server local command, 539
  aaa-server command, 538
  access modes command, 129
  access-group command, 280, 641
  access-list command, 164, 275
  address command, 82
  alias command, 596
  authentication telnet command, 72
  auth-prompt command, 548–549
  banner command, 147
  clear command, 285
  clear ntp command, 145
  clear rip command, 216
  clear route command, 214
  clear uauth command, 550
  clear xlate command, 115, 593
  clock command, 146
  clock summer-time command, 147
  configuration, 129, 151
    global command, 135–136
    interface command, 130
    ip address command, 133
    nameif commands, 131
    nat command, 133–134
    rip command, 137
    route command, 136–137
  configure terminal command, 129
  copy tftp flash command, 81
  crypto ipsec transform-set command, 280, 328
  crypto map command, 278
  debug aaa accounting command, 575
  debug aaa authentication command, 574
  debug aaa authorization command, 575
  debug command, 138, 286, 653
  debug crypto isakmp command, 286
  debug igmp command, 231
  debug radius command, 576
  debug tacacs command, 576
  dhcpd address command, 359
  dhcpd command, 140
  enable command, 129
  enable password command, 72
  file command, 82
  filter activex command, 497
  filter java command, 495
  filter url command, 498
  fixup command, 174–175
  fixup protocol command, 587
  fixup protocol h323 command, 591
  floodguard disable command, 598
  fragment command, 594
  hw-module command, 625
  igmp access-group command, 227
  igmp forward command, 226
  igmp join-group command, 226
  igmp query-interval command, 227
  igmp query-max-response-time command, 227
  igmp version command, 227
  interface command, 82, 210
  ip address command, 133
  ip address dhcp command, 143
  ip audit command, 599
  ip local pool command, 327
  ip verify reverse-path command, 602–603
  isakmp keepalive command, 332
  isakmp policy command, 271
  logging command (syslog), 187
  logging facility command, 186
  logging on command, 194
  match address command, 280
  mroute command, 225
  multicast interface command, 224
  nameif command, 101, 119, 211
  nameif interface commands, 619
  nat command, 162
  nat 0 command, 162
  no aaa-server command, 540
  no fixup protocol ftp command, 176
  no url-cache command, 500
  ntp authenticate command, 145
  ntp authentication-key command, 145
  ntp trusted-key command, 145
  OSPF, 216, 222
    network command, 218
    prefix-list command, 219
    redistribute ospf command, 220
    router ospf command, 217
    show ospf command, 222
  passwd command, 72
  permit ip any command, 275
  ping command, 82, 138
  PIX bootstrap commands, 418
  prefix-list command, 219
  rip command, 215
  route command, 213
  server command, 82
  setup command, 619
  show aaa-server command, 574
  show accounting command, 575
  show activation-key command, 79
  show command, 273, 284, 574, 653
  show conn commands, 116
  show crypto ipsec sa command, 285
  show failover command, 251
  show isakmp policy command, 274
  show module command, 624
  show perfmon command, 503
  show route command, 214
  show url-cache command, 502
  show url-server stats command, 502
  show version command, 78
  show vpdn pppinterface command, 356
  show xlate command, 115
  shun command, 601
  ssh command, 73
  static command, 112
  sysopt connection permit-ipsec command, 283
  sysopt uauth allow-http-cache command, 544
  telnet command, 71
  timeout uauth command, 549
  transform-set command, 277
  translation, 107–108
  troubleshooting, 88–93
  url-cache command, 499
  url-server command, 497
  virtual telnet command, 545
  vpnclient server command, 348
  vpnclient vpngroup command, 348
  write memory command, 72, 139
  write standby command, 244
  xlate command, 108
Common Internet File System (CIFS), 105
communications
  VPN, 261
    CAs, 268–269
    configuring, 269
    IKE, 265, 268
    IPSEC, 262, 265
    troubleshoot, 288
components (AAA), 511, 515, 537
Computer Telephony Interface Quick Buffer Encoding (CTIQBE), 589
Configuration Differences report (Firewall MC), 456
configuration replication (failover), 244
configuration tasks
  Firewall MC, 435
    creating building blocks, 440, 443, 447
    defining access rules, 436
    defining translation rules, 438
    generating and viewing configuration information, 448
    MC settings, 449
configure terminal command, 129
configuring, 139, 617
  AAA, 538
    cut-through proxies, 569
    “Do I Know This Already?” quiz, 533–536
  access
    access rules, 642
    inbound, 159–168
  accounting, 563–565
  assignments (Firewall MC), 477
  authentication, 541–542, 550
    authentication timeout, 549
    console access authentication, 544
    designating parameters, 543
    services, 545
  authorization, 550–561
  basic configuration, 641
  Cisco Secure ACS, 525, 551
  Cisco VPN Software Client
    manually, 338–342, 345
    modifying VPN Client options, 342–344
  commands, 129
    global command, 135–136
    interface command, 130
    ip address command, 133
    nameif command, 131
    nat command, 133–134
    rip command, 137
    route command, 136–137
  crypto maps, 278–280
  cut-through proxy, 569
  DHCP, 140, 143
    clients, 143
    servers, 140–142
  DHCP options, 360
  DHCP server, 357–358
  DNS support, 118
  downloadable PIX ACLs, 569, 572
  Easy VPN Remotes, 347–350
  failover, 242, 246–247, 251, 657
    configuration replication, 244
    DUKEM case study, 655–656
  filters, viewing, 502
  FWSM, 618
    access lists, 620
    interfaces, 619
    running setup command, 619
  IKE, 270, 274
  images (Firewall MC), 475
  interfaces, 638–640
  intrusion detection, 599–600
  IPSec, 274, 283
  login banners, 147–148
  multiple translation types, 112–114
  NAT, 331
  object group, 170
  OSPF, 220–222
  PAT, 134
  PIX Firewall, 129
    DUKEM case study, 635–642
    interface command, 130
    nameif command, 131
    nat command, 133
    PDM, 379–380, 383
    route command, 136
    sample configuration, 149
    saving configuration, 139
    time settings, 144
    verification, 132
  preshared keys, 272
  redundancy, 32–33
  replication, 244
  RIP, 215–216
  routing, 638, 640
  SA lifetimes, 278
  servers, 384
  SNMP, 88
  static routes, 213
  switches (FWSM), 615–616
  syslog, 46, 62, 189
    messages at the console, 192
    sending messages to a log server, 193–194
    SNMP traps and SNMP requests, 195
    syslogd servers, 195–197
  testing configuration, 138
  time settings, 147
  transform sets, 276
  TurboACL, 169
  URL-filtering policy, 498
  virtual HTTP inbound connections, 548
  VPDN group, 354
  VPNs, 269, 292, 647
    DUKEM case study, 643–654
    PDM, 392–404
    troubleshooting, 654
    tunneling, 653
    verifying configuration, 273
  XAUTH, 325–331
connections
  Cisco Secure PIX 501, 48
  Cisco Secure PIX 506, 49
  Cisco Secure PIX 515E, 51–53
  Cisco Secure PIX 525, 54–56
  Cisco Secure PIX 535, 56–58
  cut-through proxy, 31, 43, 513
  “Do I Know This Already?” quiz, 97–100
  Easy VPN Remote, 323–324
  embryonic (half-open), 104
  failover (LAN-based), 245–246
  filters (Java applets), 496
  flags, 117
  security, 7
  stateful failover, 244–245
  Telnet, 71
  threats, 8
  troubleshooting, 114, 118
  types of attacks, 8, 11
  VPNs, troubleshooting, 283–286
  vulnerabilities, 8
console access authentication, 544
content area (Firewall MC user interface), 426
content filtering, 492
copy tftp flash command, 81
creating boothelper disks, 84
CRLs (certificate revocation lists), 144
Crossover Ethernet cables, 246
crypto access lists, 275–276
crypto IPSec SA lifetime, 278
crypto ipsec transform-set command, 280, 328
crypto map command, 278–280
crypto maps
  commands, 280
  configuring, 278
  dynamic, 330
Cisco Secure ACS (Cisco Secure Access Control Server), 533
  authorization, 551
  configuring, 525
  downloadable PIX ACLs, 569, 572
  users, configuring, 551
  verifying, 577
CTIQBE (Computer Telephony Interface Quick Buffer Encoding), 589
cut-through proxy, 31, 43, 513
cut-through proxy configuration, 569
D
data
  compression, 337
  frames, 102
  segments, 101
Data Encryption Standard (DES), 265, 375
DDoS (distributed denial of service) attacks, 11
dead peer detection (DPD), 318, 337
debug aaa accounting command, 575
debug aaa authentication command, 574
debug aaa authorization command, 575
debug command, 138, 286, 653
debug crypto isakmp command, 286
debug igmp command, 231
debug radius command, 576
debug tacacs command, 576
debugging
  DHCP server, 361–362
  multicast configuration, 230
  VPN connectivity, 286
default routes, 213
default security policies, 101
defense in depth, 14
defining, 616
  access rules (Firewall MC), 436
  multiple transform sets, 276
  translation rules (Firewall MC), 438
demilitarized zone (DMZ) segment, 113
denial of service (DoS) attacks, 11
deny keyword, 275
deploying FWSM, 612–613
deployment tasks
  Deploy Saved Changes, 450–451
  Status Summary, 454
DES (Data Encryption Standard), 265, 375
device management (Firewall MC), 429, 434
  importing devices, 431
  managing groups, 429
Device Setting Report, 457
devices
  Firewall MC support, 416
  supported by AUS, 463
DHCP (Dynamic Host Configuration Protocol), 358
  configuration, 140–143
  lease length, 360
  overview, 358
DHCP servers
  auto configuration, 361
  configuring, 357–358
  debugging, 362
  PIX Firewall, 359–360
dhcpd address command, 359
dhcpd auto-config command, 353
dhcpd command, 140–141
disabling Syslog messages, 198
distinguished name (DN), 324
distributed denial of service (DDoS) attacks, 11
DMZ (demilitarized zone) segment, 113
DN (distinguished name), 324
DNS (Domain Name Service), 176, 596
  DNS guard, 595
  support
    configuring, 118
    in PIX Firewall, 139
  queries, 9
“Do I Know This Already?” quizzes
  AAA, 507–510
  AAA configuration, 533–536
  access, 155–158
  access VPNs, 311–315
  attack guards and multimedia support, 583–586
  content filtering, 491–494
  failover, 238–240
  Firewall MC, 409–413
  FWSM, 607–610
  network security, 3–6
  PDM, 369–372
  PIX Firewalls, 23–25, 37–40, 125–128
  Syslog, 181–184
  system maintenance, 67–70
  translation and connection, 97–100
DoS (denial of service) attacks, 9–11
downloadable PIX ACLs, 569, 572
DPD (dead peer detection), 318, 332
dynamic address translation, 107
dynamic crypto maps, 330
Dynamic Host Configuration Protocol. See DHCP
dynamic routes, 214
  configuring RIP, 216
  OSPF
    commands, 216–220
    configuring, 220
    viewing configuration, 222
dynamic shunning, 601

E
Easy VPN Remote
  authentication, 338
  connection process, 323–324
  modes of operation, 332–333
  overview, 320
  PIX Firewall configuration, 347–348
    client device mode, 348
    IUA, 350
    SUA, 349
  supported clients, 321–322
  supported servers, 320
  tunneling protocols, 336
Easy VPN Server, 316
  IPSec options, 319
  overview, 318
embedding, secure real-time embedded systems, 31
embryonic (half-open) connections, 104
enable command, 129
enable password command, 72
enabling
  DHCP on PIX Firewall, 361
  IUA, 351
  PPPoE client, 355
  RIP, 137
Encapsulating Security Payload (ESP), 262
encapsulation (upper-level data), 102
encryption
  3DES, 265
  crypto access lists, 275
  DES, 265, 375
  Easy VPN Remote, 336
  hash algorithms, 329
enrollment mechanisms, 337
ESP (Encapsulating Security Payload), 262
Ethernet VLAN tagging, 208
  logical interfaces, 209–210
  managing VLANs, 211
Event Report (AUS), 481
events
  failover, 241–243
  Syslog, 46, 62
external threats, 9

F
fabrication, access attacks, 10
failover
  configuring, 242, 246–247, 251, 657
    configuration replication, 244
    DUKEM case study, 655–656
  “Do I Know This Already?” quiz, 238–240
  events, 241–243
  LAN-based, 245–246
  PIX Firewall, 248–251
  redundancy, 32–33
  stateful, 244–245
file command, 82
File Transfer Protocol (FTP), 176
filter activex command, 497
filter java command, 495
filter url command, 498
filtering, 495
  ActiveX objects, 497
  FTP, 500
  FTP sites, 499
  HTTPS, 500
  HTTPS sites, 499
  Java applets, 495
  URLs, 497–499
    configuring URL-filtering policy, 498
    identifying servers, 497
    long URLs, 501–502
filters
  Java applets, 496
  viewing, 502
Firewall MC
  administration tasks, 458
    maintenance, 461
    support, 462
    workflow setup, 458–460
  AUS, 462
    activation, 464, 467–470
    administrative tasks, 483
    assignment configuration, 477
    device configuration, 474
    image configuration, 475
    installing, 463
    reports, 479–481
    supported devices, 463
    user interface, 471–473
  back user task flow, 428
  CiscoWorks, 419
    adding users, 421
    login process, 419
    user authorization roles, 421
  configuration hierarchy, 415
  configuration tasks, 435
    creating building blocks, 440, 443, 447
    defining access rules, 436
    defining translation rules, 438
    generating and viewing configuration information, 448
    MC settings, 449
  deployment tasks
    Deploy Saved Changes, 450–451
    Status Summary, 454
  device management, 429, 434
    importing devices, 431
    managing groups, 429
  “Do I Know This Already?” quiz, 409–413
  installing, 416
    client requirements, 418
    server requirements, 417
  key concepts, 414
  PIX bootstrap commands, 418
  reports, 454–457
  supported devices, 416
  user interface, 423
    Activity bar, 428
    configuration tabs, 425
    Object Selector, 427
    options bar, 425
    path bar, 426
    TOC, 425
    Tools bar, 427
firewall module switch command, 616
firewall vlan-group command, 616
firewalls, 26, 30
  basic configuration, 641
  managing, 45, 62
  packet filtering, 26–28
  PIX, 30–33
    ASA, 31, 41–43
    Cisco 501, 48
    Cisco 506, 49
    Cisco 515E, 51–53
    Cisco 525, 54–56
    Cisco 535, 56–58
    models, 44
  proxy, 28
  proxy servers, 28
  stateful inspection, 29–30
fixup command, 174–175
fixup protocol command, 587
fixup protocol h323 command, 591
Flood Defender, 597
Floodguard, 597
floodguard disable command, 598
formatting
  boothelper disk, 84
  crypto access lists, 275
fragment command, 594
fragmentation guard, 594
frames, 102
FTP (File Transfer Protocol), 176, 500
FWSM (Cisco Firewall Services Module), 44, 607
  configuring, 618–619
    access lists, 620
    interfaces, 619
  deployment scenarios, 612–613
  “Do I Know This Already?” quiz, 607–610
  initializing, 615–616
  overview, 611
  PIX Firewall, 622
  status LED, 625
  troubleshooting, 623
    resetting and rebooting, 625
    switch commands, 623

G
gateways, 46, 62, 82, 269
gigabits per second (Gbps), 611
global command, 135–136
global information, recording, 636
global IP addresses, 639–640
groups
  rules, 555
  users, 551
guards, 596
  attack, 598
  DNS, 595–596
  mail, 596–597

H
H.323, 589–591
H.323 collection of protocols, 591
handling protocols, 175, 177
hardware (Cisco Secure ACS), 515
headers (AH), 263
HMAC (Keyed-Hash Message Authentication Code), 265
horizontal scans, 9
Hosts/Networks tab (Startup Wizard), 385
HTTP
  clients, upgrading OS, 83
  virtual, 548
HTTPS filtering, 500
hw-module command, 625
I
ICMP object groups, 172
identifying
  filtering servers, 497
  servers, 538, 541
IGMP (Internet Group Management Protocol), 224
igmp access-group command, 227
igmp forward command, 226
igmp join-group command, 226
igmp query-interval command, 227
igmp query-max-response-time command, 227
igmp version command, 227
IKE (Internet Key Exchange)
  configuring, 270, 274
  VPN, 265, 268
implementation of security designs, 12
importing devices (Firewall MC), 431
inbound access, 159–162
  access lists, 164–166
inbound connections, 43
  cut-through proxy, 31
Individual User Authentication (IUA), 350
information security, 7
Initial Contact, 319
initializing
  FWSM, 615–616
  PDM, 623
inspection
  advanced protocol handling, 175–177
  FTP, 176
installing
  AUS, 463
  Cisco VPN Software Client, 339
  Cisco Secure ACS, 516–518, 527
  Firewall MC, 416
    client requirements, 418
    server requirements, 417
  operating systems, 77
  PDM, 378
Instructions box (Firewall MC user interface), 426
integrated data (AVVID), 14–15, 19
integrity, X.509 certificate support, 44, 61
Intel Internet Video Phone, 177
interception, 10
intercepts (TCP), 161–162
interface command, 82, 130, 210
interfaces, 641. See also access
  CLI, 45, 62, 72
  configuring, 638–640
  static NAT, 159
Internet Group Management Protocol (IGMP), 224
Intranet VPNs, 261
intrusion detection, 44, 61, 598, 601
  configuring, 599–600
  dynamic shunning, 601
  optimizing, 13
IP
  address pool, 327
  addresses
    global, 639–640
    mapping, 637
  fragmentation, 594
ip address command, 133
ip address dhcp command, 143
ip audit command, 599
ip local pool command, 327
IP routing, 212
  dynamic routes, 214
    configuring RIP, 216
    OSPF, 216–222
  multicasting, 224
    commands, 224–227
    debugging, 230
    inbound traffic, 228–229
    outbound traffic, 230
  static routes, 212–213
ip verify reverse-path command, 602–603
IPSec (Internet Protocol Security)
  configuring, 274, 283
  Easy VPN Server, 319
  sysopt connection permit-ipsec command, 283
  VPN, 262, 265
IPSec Traffic Selector Panel, 396
isakmp keepalive command, 332
isakmp policy command, 271, 326
IUA (Individual User Authentication), 350
J–K
Java applets, 495–496
Keyed-Hash Message Authentication Code (HMAC), 265
keywords, 275

L
LAN-based failover, 245–246
levels of security, 101, 186
link-state advertisements (LSAs), 216
Linux, PDM requirements, 377
listening (ports), 8
lists
  access, 164
  CRLs, 144
logging
  ACLs, 172
  configuring, 642
logging commands (syslog), 187
logging facilities, 186
logging on command, 194
logical interfaces, 209–210
login banners, configuring, 147–148
logs, viewing, 190
longurl-truncate parameter, 501
LSAs (link-state advertisements), 216

M
mail guard, 596–597
main mode (IKE), 266
managing
  firewalls, 45, 62
  VLANs, 211
mapping
  static IP addresses, 637
  static NAT, 159
match address command, 280
MD5 (Message Digest 5), 265
MDIX (Medium Dependent Interface Crossover), 322
Media Gateway Control Package (MGCP), 591–592
Medium Dependent Interface Crossover (MDIX), 322
memory requirements, 77
Message Digest 5 (MD5), 265
messages
  digest, 265
  HMAC, 265
  Syslog
    changing levels, 187
    disabling, 198
    organizing, 188
    reading, 189
    sending to a Telnet session, 193
MGCP (Media Gateway Control Package), 591–592
Microsoft NetMeeting, 177, 545
Microsoft Netshow, 177
models (PIX Firewalls), 44
modes
  access, 129
  monitor, 82
  stateful failover, 244
modification
  access attacks, 10
  activation keys, 80
monitor mode, 82
monitoring
  failover events, 243
  networks, 13
  PPPoE client, 355–356
Monitoring button (PDM), 389–391
monitoring PIX Firewall, 389–391
mroute command, 225
MSFC (Multilayer Switch Feature Card), 613
  configuring on the inside interface, 617
  as inside router, 613
MTU (maximum transmission unit), 339
multicast interface command, 224
multicast routing, 224
  commands
    igmp access-group command, 227
    igmp forward command, 226
    igmp join-group command, 226
    igmp query-interval command, 227
    igmp query-max-response-time command, 227
    igmp version command, 227
    mroute command, 225
    multicast interface command, 224
  debugging, 230
  inbound traffic, 228–229
  outbound traffic, 230
multimedia
  H.323, 591
  RTSP, 588
  support, 177, 587, 591
    “Do I Know This Already?” quiz, 583–586
    H.323, 589–591
    MGCP, 591–592
    SCCP, 592
    SIP, 593
    VoIP, 588–589

N
name, 324
nameif command, 101, 119, 131, 211
nameif interface commands, 619
NAS (Network Access Server), 512, 537–538, 541
NAT (Network Address Translation), 106–109
  bidirectional, 114
  configuring, 331
  policy NAT, 162
  static, 159
  static NAT, 159
nat 0 access-list address translation rule, 159
nat 0 command, 162
nat command, 133–134
nat/global command, 101
NDG (Network Device Group), 558
negotiation
  IKE, 265, 268
nesting object groups, 172
NetBIOS Domain Name System, 105
NetMeeting, 545
Network Access Server (NAS), 512
Network Address Translation. See NAT
network command, 218
Network Device Group (NDG), 558
network object group, 170
network of networks, 14
network security
  defense in depth, 14
  “Do I Know This Already?” quiz, 3–6
  as a “legal issue”, 13
Network Time Protocol (NTP), 144–145
networks
  addresses, translation, 45
  firewalls, 26, 30–33
  monitoring, 13
  SAFE, 16, 20
  security, 7, 11
  threats, 8
  types of attacks, 8, 11
  VPN, 261
    CAs, 268–269
    certificates, 45
    configuring, 269, 647
    gateways, 46, 62
    IKE, 265, 268
    IPSec, 262, 265
    scalability, 288
    troubleshooting, 288, 654
    tunneling, 653
  vulnerabilities, 8
no aaa-server command, 540
no fixup protocol ftp command, 176
no url-cache command, 500
nodes (communication), 103
nonce values, 267
NTP (Network Time Protocol), 144–145
ntp authenticate command, 145
ntp authentication-key command, 145
ntp trusted-key command, 145
null rules, 389

O
object grouping, 169, 172
Object Selector (Firewall MC user interface), 427
Open System Interconnection (OSI), 26
operating systems (Cisco Secure ACS), 515
optimization (security), 13
Organizational Unit (OU), 324
OS (operating system)
  installing, 77
  upgrading, 80
    copy tftp flash command, 81
    HTTP client, 83
    monitor mode, 82
OSI (Open System Interconnection), 26
OSI reference model, 28
OSPF (Open Shortest Path First)
  commands, 216
    network command, 218
    prefix-list command, 219
    redistribute ospf command, 220
    router ospf command, 217
    show ospf command, 222
  configuring, 220
  overview, 216
  viewing configuration, 222
OU (Organizational Unit), 324

P
packets, 101
parameters
  AAA authentication, 543
  access-list command, 164
  banner command, 148
  cgi-truncate command, 501
  clock command, 146
  dhcpd command, 141
  filter command, 496
  global command, 135
  interface command, 130
  isakmp policy command, 271
  longurl-truncate command, 501
  nameif command, 132
  nat command, 134
  ntp command, 144
  rip command, 137
  static command, 159
  syslog command, 189
  username command, 76
passwd command, 72
password recovery, 85–87
  diskless PIX Firewall, 86
  floppy drives, 86
PAT (Port Address Translation), 45, 106–107, 110, 134
patches, 8. See also vulnerabilities
path bar, Firewall MC user interface, 426
PDM
  access rules, 387
  configuring PIX Firewall, 379–380, 383
  defining hosts and networks, 385
  “Do I Know This Already?” quiz, 369–372
  GUI, 374
  installing, 378
  monitoring capability, 389–391
  overview, 373
  requirements to run on PIX Firewall, 375
    Linux requirements, 377
    SUN Solaris, 377
    Windows, 377
    workstation, 376
  translation rules, 386–387
  versions, 375
  VPN configuration, 392–394
    remote-access, 397–404
    Site to Site VPNs, 395
PDM (PIX Device Manager), 46, 62, 544, 601
PDM (PIX Device Manager) Image, 622
PDM Log panel, 190
per user command authorization, 560
performance, 15
perimeter security
  firewalls, 26, 30
  packet filtering, 26–28
  PIX, 30–33
  proxy servers, 28
  stateful inspection, 29–30
permit ip any command, 275
permit keyword, 275
PFSS (PIX Firewall Syslog Server), 185, 196
phase 1 negotiation, 266
physical interfaces, 211
physical security
  AAA, 511, 515
  security policies, 11
PIDs (process identifications), 220
ping command, 82, 138
ping sweeps, 9
pipes, 186
PIX 515E Firewall, 52
PIX Device Manager (PDM), 46, 62, 544, 601, 622
PIX DHCP, 360
PIX Firewall, 32
  AAA, 512
    supported server technologies, 515
  ASA, 41–43
  characteristics, 30
  Cisco 501, 48
  Cisco 506, 49
  Cisco 515E, 51–53
  Cisco 525, 54–56
  Cisco 535, 56–58
  configuring, 129
    DHCP, 140–143
    inbound access, 159–166
    PDM, 379–380, 383
    sample configuration, 149
  cut-through proxy, 513
  DHCP server, 359–360
    auto configuration, 361
    debugging, 362
  DNS support, 139
  “Do I Know This Already?” quiz, 23–25, 37–40, 125–128
  dynamic shunning, 601
  Easy VPN Remote configuration, 347–348
    client device mode, 348
    IUA, 350
    SUA, 349
  failover
    configuring, 242
    events, 241
    sample configuration, 248–249, 251
  Flood Defender, 597
  FWSM, installing PDM, 622
  intrusion detection, 598
  IP routing, 212
    dynamic routes, 214–222
    static routes, 212–213
  logical interfaces, 209–210
  login banners, 147–148
  models, 44
  monitoring, 389–391
  multimedia support, 587
    H.323, 589–591
    MGCP, 591–592
    SCCP, 592
    SIP, 593
    VoIP, 588–589
  optional components, 47
  OSPF, 216
  PDM, requirements to run, 375–377
  PPPoE, 351–352
    enabling PPPoE client, 355
    monitoring PPPoE client, 355–356
  RIP, 215
  scalable VPNs, 288
  secure real-time embedded system, 31
  syslog
    configuring, 189, 192
    logging facilities, 186
    organizing messages, 188
    PFSS, 197
    reading messages, 189
    sending messages to a log server, 193–194
    sending messages to a Telnet session, 193
    severity levels, 187
    SNMP traps and SNMP requests, 195
  time settings, 144
  troubleshooting, 574
    implementation, 657–665
  upgrading OS, 80
PIX Firewall Syslog Server (PFSS), 185, 196
PIX MC (CiscoWorks Management Center for Firewalls), 46
PIX-1FE (Cisco PIX Firewall FastEthernet Interface Card), 47
point-to-point architecture, 12, 42–58, 102–104, 112–114, 120–121, 191, 248, 261–267, 292, 308, 374, 380–390, 393–405, 514, 519, 521–522, 527–528, 538–541, 546, 552–573, 590
policies, 18
  ISAKMP, 272
  security, 11, 101
policy, 647
policy NAT, 162
Port Address Translation (PAT), 45, 107
Port Fast, 242
ports
  address translation, 45
  fixup command, 174–175
  listening, 8
  redirection, 112
  static address translation, 161
PPP (Point-to-Point Protocol), 352
PPPoE (Point-to-Point Protocol over Ethernet), 351–352
  enabling PPPoE client, 355
  monitoring PPPoE client, 355–356
prefix-list command, 219
preshared keys, 267
  configuring, 272
process identifications (PIDs), 220
processes (security), 12
prompts (authentication), 548
protocol object-type, 171
protocols
  advanced handling, 175–177
  FTP, 176
  H.323 collection, 591
  NTP, 144–145
  PPP, 352
  SCEP, 45, 61
  SNMP, 46, 62
  TCP, 102
    intercepts, 161–162
  transport, 101, 106
  UDP, 102
proxy firewalls, 28
public address translation, 45

Q–R
queries (DNS), 9
RADIUS (Remote Authentication Dial-In User Service), 515
RealNetworks RealAudio and RealVideo, 177
Real-Time Streaming Protocol (RTSP), 588
reconnaissance attacks, 9–10
recording global information, 636
recovery, passwords, 87
redirection (ports), 112
redistribute ospf command, 220
redundancy, 32–33
remote access, 71, 74
  DUKEM case study, 654
  SSH, 72–74
  Telnet, 71–72
Remote Authentication Dial-In User Service (RADIUS), 515
remote office/branch office (ROBO), 49
remote-access VPNs, 261, 397–400, 402, 404
remote-procedure call (RPC), 105
replication, configuration, 244
reports
  AUS, 479
    Event Report, 481
    System Info Report, 480
  Firewall MC, 454, 457
requests (SNMP), 195
requirements (memory), 77
resources, 10
Restricted Bundle, 59
reverse path forwarding, 602–603
RIP (Routing Information Protocol), 137
  configuring, 216
  enabling, 137
rip command, 137, 215
ROBO (remote office/branch office), 49
route command, 136–137, 213
router ospf command, 217
routing, 203, 215
  authentication, 215
  configuring, 636–640
  IP routing, 212
    dynamic routes, 214–222
    static routes, 212–213
  multicast routing, 224, 227
    commands, 224–227
    debugging, 230
    inbound traffic, 228–229
    outbound traffic, 230
  principles, 208
Routing Information Protocol. See RIP
RPC (remote-procedure call), 105
RTSP (Real-Time Streaming Protocol), 588
rules
  access, configuring, 642
  groups, authorization, 555
running setup command, 619

S
SA (security association), 262, 278
SAFE (Secure Blueprint for Enterprise Networks), 16, 20
saving configuration, 139
scalability
    AVVID, 15
    VPN, 288
scanning
    block, 10
    Cisco Secure Scanner, 13
    horizontal, 9
    vertical scans, 9
SCCP (Skinny Client Control Protocol), 592
SCEP (Simple Certificate Enrollment Protocol), 45, 61
Scope bar (Firewall MC user interface), 426
Secure Hash Algorithm 1 (SHA-1), 265
Secure Intrusion Detection Sensor, 44, 61
secure real-time embedded systems, 31
Secure Shell (SSH), 72–74
Secure Unit Authentication (SUA), 349
security, 262, 265
    AAA, 511, 515
    access rules (PDM), 387
    ASA, 31, 41–43
    attack guards, 594, 598
        AAA Floodguard, 597
        DNS, 595
        Flood Defender, 597
        fragmentation, 594
        mail guard, 596
    attacks, 18
    design, implementing, 12
    firewalls, 26, 30
        packet filtering, 26–28
        PIX, 30, 32–33
        proxy servers, 28
        stateful inspection, 29–30
    intrusion detection, 598, 601
        configuring, 599–600
        dynamic shunning, 601
    levels (Syslog), 186
    network, 7, 13
    optimizing, 13
    policies, 11, 18, 101
    process, 12
    static NAT, 159
    testing, 13
    threats, 8, 17
    traffic
        levels, 101
        transport protocols, 101, 106
    types of attacks, 8, 11
    vulnerabilities, 8
security association (SA), 262
segments, 101, 113
selecting VPN configuration, 269–270
sends, 187
server, 642
server command, 82
servers
    AAA
        configuring, 538, 569
        identifying, 538, 541
        specifying, 537
    ACS, 44
    configuring, 384
    Cisco Secure ACS, 515, 527, 533
        authorization, 551
        installing, 516–518, 527
        users, 551
        verifying, 577
    DHCP, 140–143
    filters, identifying, 497
    NAS, 512, 537–538, 541
    NetMeeting, 546
    PFSS, 185, 196
    Syslog, 185
    syslogd servers, 195–197
service definitions, 443
service groups, 445
service object-type, 171
services
    authentication, 545
    fixup command, 174–175
session command, 625
Session Initiation Protocol (SIP), 593
setup command, 619
severity levels (syslog), 187
SHA-1 (Secure Hash Algorithm), 265
shell command authorization sets, 561
show aaa-server command, 574
show accounting command, 575
show activation-key command, 79
show command, 273, 284, 574, 653
show conn command, 116
show crypto ipsec sa command, 285
show failover command, 251
show isakmp policy command, 274
show module command, 624
show ospf command, 222
show perfmon command, 503
show route command, 214
show url-cache command, 502
show url-server stats command, 502
show version command, 78
show vpdn pppinterface command, 356
show xlate command, 115
shun command, 601
Simple Certificate Enrollment Protocol (SCEP), 45, 61
SIP (Session Initiation Protocol), 593
Site to Site VPNs, 261, 392–395
Skinny Client Control Protocol (SCCP), 592
SMTP, 177
SNMP (Simple Network Management Protocol), 46, 62
    configuring, 88
    requests, 195
    system maintenance, 87
    traps, 195
specifying AAA servers, 537
split tunneling, 404
spoofing, 28
SSH (Secure Shell), remote access, 72–74
standby unit, 244
state tables, 29
stateful failover, 244–245
    redundancy, 32–33
static command, 111–112
static crypto maps, 330
static IP address mapping, 637
static NAT, 159
static port address translation (static PAT), 161
static routes, 212–213
static translation, 107, 111
statistics
    show url-server stats command, 502
    viewing filters, 502
structured threats, 8
SUA (Secure Unit Authentication), 349
Sun Solaris, PDM requirements, 377
support
    DNS, configuring, 118
    multimedia, 177, 591
        H.323, 591
        RTSP, 588
    Syslog, 46, 62
    X.509 certificates, 44
SYN flooding, 597
Syslog, 185
    changing message levels, 187
    configuring, 189
        messages at the console, 192
        sending messages to a log server, 193–194
        SNMP traps and SNMP requests, 195
        syslogd servers, 195–197
    “Do I Know This Already?” quiz, 181–184
    logging facilities, 186
    messages
        disabling, 198
        organizing, 188
        reading, 189
        sending to a Telnet session, 193
    security levels, 186
    severity levels, 187
    support, 46, 62
    viewing logging with PDM, 190
syslogd servers, 195, 197
sysopt connection permit-ipsec command, 283
sysopt uauth allow-http-cache command, 544
system clock, 146–147
System Info Report (AUS), 480
system maintenance. See also troubleshooting
    command-level authorization, 74–76
    creating boothelper disks, 84
    “Do I Know This Already?” quiz, 67–70
    installing OS, 77
    object grouping, 169, 172
    password recovery, 85
        diskless PIX Firewall, 86
        floppy drives, 86
    SNMP, 87
    TurboACL, 168
    upgrading activation keys, 79
System Properties tab (Startup Wizard), 381
system requirements (Cisco Secure ACS), 515
T

TACACS+ (Terminal Access Controller Access Control System Plus), 515
tagging. See Ethernet VLAN tagging
TCP
    intercepts, 161–162
    three-way handshake, 103
    virtual circuits, 102
technologies (VPN), 261
Telnet, 71
    starting sessions, 72
    virtual Telnet, 545
telnet command, 71
Terminal Access Controller Access Control System Plus (TACACS+), 515
testing
    configuration, 138
    security, 13
TFTP (Trivial File Transfer Protocol), 374
threats, 8, 17
three-way handshake (TCP), 103
time settings
    configuration, 147
    configuring, 144
    NTP, 144–145
    system clock, 146–147
timeout uauth command, 549
timeouts (authentication), 549
tokens, X.509 certificate support, 44, 61
Tools bar (Firewall MC user interface), 427
traffic, 30
    cut-through proxy, 513
    firewalls, 26, 28, 30
        PIX, 30–33
        proxy servers, 28
    routing, 203, 208
    security
        levels, 101
        transport protocols, 101, 106
    stateful inspection, 29
Transform Set Panel, 395
transform sets
    configuring, 276
    creating, 328
    crypto ipsec transform-set command, 280
    defining multiple, 276
transform-set command, 277
translation
    addresses, 45, 106, 114
        commands, 107–108
        NAT, 108–109
        PAT, 110
        static, 111
        troubleshooting, 114, 118
    bidirectional, 114
    “Do I Know This Already?” quiz, 97–100
    dynamic address translation, 107
    flags, 116
    multiple, configuring, 112, 114
    rules, 386, 438
    static port add, 161
translation rules, 387
translation slots, 104
transparent tunneling, 341
transport protocols, 101, 106
traps (SNMP), 195
Triple Data Encryption Standard (3DES), 265
Trivial File Transfer Protocol (TFTP), 374
Trojan horses, 10
troubleshooting, 67, 654. See also system maintenance
    AAA, 573, 577
    accounting, 575
    address translation, 114, 118
    authentication, 574
    authorization, 575
    boothelper disk, 84
    commands, 88–93
    FWSM, 623
        resetting and rebooting, 625
        switch commands, 623
    password recovery, 85–86
    PIX Firewall implementation, 657–665
    security, 13
    Syslog, 185
    VPN, 288, 653
    VPN connections, 283–286
trunk ports, 209
tunneling
    transparent, 341
    VPN, 653
tunneling protocols, 336
TurboACL, 168–169
U

UDP (User Datagram Protocol), 102
unauthorized access, 10
Unicast RPF (Unicast Reverse Path Forwarding), 602–603
unstructured threats, 8
upgrading
    activation keys, 79–80
    operating systems, 80
        copy tftp flash command, 81
        HTTP client, 83
        monitor mode, 82
upper-level data, 102
url-cache command, 499
URLs
    filtering, 497–499
        configuring URL-filtering policy, 498
        identifying servers, 497
        long (filtering), 501–502
url-server command, 497
User Datagram Protocol (UDP), 102
users
    accounting, 563–565
    authentication, 541–545, 549–550
    authorization, 550–561
V

VAC (VPN Accelerator Card), 47
VAC+ (VPN Accelerator Card Plus), 47
VDOnet VDOLive, 177
verification
    Cisco Secure ACS, 577
    IKE configuration, 273
    X.5, 61
    X.509, 44
vertical scans, 9
video (AVVID), 14–15, 19
viewing
    accounting, 565
    filters, 502
    logging, 190
virtual circuits, 102
virtual HTTP, 548
virtual interfaces, 52
virtual private networks. See VPNs
virtual services, authentication, 545
virtual telnet command, 545
virtual Telnet, 545
viruses, 10
vlan command, 615
VLANs (Virtual LANs), 615
    creating, 615
    managing, 211
    physical interfaces, 211
VocalTech, 177
voice (AVVID), 14–15, 19
VoIP, 588–589
VPDN (Virtual Private Dial-Up Networking) group, 354
VPN Accelerator Card (VAC), 47
VPN Accelerator Card Plus (VAC+), 47
vpnclient server command, 348
vpnclient vpngroup command, 348
VPNs (Virtual Private Networks)
    access VPNs, 261, 311
    CAs, 268–269
    certificates, 45
    configuring, 269, 292, 647
        DUKEM case study, 645–653
        ISAKMP policies, 272
        troubleshooting, 654
        tunneling, 653
        verifying configuration, 273
    connections, troubleshooting, 283–286
    gateways, 46, 62
    IKE, 265, 268
    IPSec, 262, 265
    PDM
        configuration, 392–404
    remote access
        DUKEM case study, 654
    remote-access, 397–404
    scalability, 288
    Site to Site VPNs, 392–395
    technologies, 261
    troubleshooting, 288
vulnerabilities, 8
VXtreme WebTheatre, 177

W

White Pine CuSeeMe, 177
White Pine Meeting Point, 177
Windows 2000
    Cisco Secure ACS, 516–518, 527
    PDM requirements, 377
Windows Internet Naming Service (WINS), 142
Windows NT
    Cisco Secure ACS, 516–518, 527
    PDM requirements, 377
WINS (Windows Internet Naming Service), 142
worms, 10
write memory command, 72, 139
write standby command, 244

X

X.509 certificates, support, 44
XAUTH (extended authentication), 325
    configuring, 326, 330–331
    defining group policy for mode configuration push, 328
    transform sets, 329
Xing StreamWorks, 177
xlate command, 108