1031pt1IX.fm Page 766 Monday, March 3, 2003 4:46 PM
INDEX
Symbols
Numerics
3DES (Triple DES) encryption algorithm, 526
A
AAA (authentication, authorization, and accounting) architecture, 111, 157, 408–412
  access traffic, 112
  accounting, 112, 126–127
    configuring, 168
  authentication, 111
    CHAP (Challenge Handshake Authentication Protocol), 121–122, 124–125
    methods, 114–125
    PAP (Password Authentication Protocol), 121–125
    passwords, 114–117
    S/Key, 117–120
    token cards, 120
    token servers, 120
    usernames, 114, 116–117
  authentication profiles, configuring, 163
  authorization, 111
    configuring, 166
  character-mode traffic, 113
  configuring, 205
  debugging, 169
  enabling, 205
  local security databases, 127
  NAS (Network Access Server), 158–174
    globally enabling, 162
    privileged EXEC (enable) mode, 160
  network access
    securing, 111–114
  packet-mode traffic, 114
  PIX Firewall, configuring, 401–412
  remote security databases, 128–130
    CiscoSecure ACS, 148
    Kerberos, 142–151
    RADIUS, 136–142
    standards, 130–151
    TACACS+, 131–136
  security servers, 127–151
aaa authentication command, 197, 199
aaa authentication login command, 147
aaa authentication ppp command, 146
AAA configuration commands, 199
aaa new-model command, 159, 197
Acceptable Use Policy, 696–697
access
  administrative interfaces, console, 70–76
  HTTP, controlling, 95–96
  perimeter routers, controlling, 234–237
  physical access, securing, 69–70
  securing, AAA architecture, 111–114
  SNMP, controlling, 81–86
  Telnet, controlling, 80–81
access lists
  configuring, 713
    verifying, 734–735
  IP access lists, extended IP access lists, 714–734
  named IP access lists, 735–737
  references, 106
  SNMP, 85
access traffic, AAA architecture, 112
access-list command, 552, 716, 722
access-list icmp command, 725
access-list tcp command, 728
access-list udp command, 730
accounting, AAA architecture, 112, 126–127, 168
Adaptive Security Algorithm. See ASA (Adaptive Security Algorithm)
administration
  Cisco IOS Firewall, 277–279
  CSNT, 192, 194–195
administrative interfaces
  banner messages, setting, 79–80
  console, access security, 70–76
  password encryption, 73
  privilege levels, setting multiple, 77–78
  securing, 70–86
  SNMP, access control, 81–86
  Telnet, access control, 80–81
Advanced PIX Firewall, configuring, 443–447
AH (Authentication Header) encryption algorithm, 525, 527
  IPSec, 527–528
alias command, 359
AppleTalk Remote Access Protocol. See ARAP (AppleTalk Remote Access Protocol)
application gateways, firewalls, 229
application layer encryption, 458
applications, encryption, 456
apply, 661
apply command, 323, 359, 419
ARAP (AppleTalk Remote Access Protocol), 114, 180
  packet-mode traffic, 114
ASA (Adaptive Security Algorithm), 292–296
Ascend, RADIUS, 137
assumes, 552
attacks
  initial access, 24
  password attacks, 24
  remote-access services, 24
  secondary access, 24
  session hijacking, 31
  session replays, 31
attributes, RADIUS, 140
audit trails, Cisco IOS Firewall, 261
audits, 46
authentication, 111
  AAA architecture, 114–125
    CHAP (Challenge Handshake Authentication Protocol), 121–125
    PAP, 122–125
    PAP (Password Authentication Protocol), 121
    passwords, 114, 116–117
    S/Key, 117–120
    token cards, 120
    token servers, 120
    usernames, 114–117
  CAs, 658
  guidelines, 697
  IPSec
    configuring, 565–593
    RSA-encrypted nonces, 594–603
  PPP, Kerberos, 145
  routing protocols, 86–90
Authentication Header. See AH (Authentication Header) encryption
authentication profiles, AAA, configuring, 163
authentication proxy, Cisco IOS Firewall, 260
authentication, authorization, and accounting architecture. See AAA (authentication, authorization, and accounting) architecture
authorization, 111
  AAA architecture, 125–126
Axent token card servers, 188
B-C
Baltimore Technologies, VPNs, 552
banner command, 79
banner messages, setting, 79–80
bastion hosts, perimeter security, 228
branch offices, policies, 700
ca enroll command, 663
CA support
  configuring, 648–670
  planning for, 648
ca zeroize rsa command, 673
Campus Access Policy, 698
campuses, security, 67–69
CAs
  authenticating, 658
  declaring, 654
  interoperability, managing, 667
  IPSec, 548–552
  PIX Firewall, configuring, 645–673
  routers, configuring, 645–673
  standards, 550
case studies, network security, 48–60
CBAC (Context-Based Access Control), 259
  Cisco IOS Firewall, 260–264
    configuring, 266–277
    memory, 265
    performance, 265
    restrictions, 264–265
  debugging, 277
  global timeouts, configuring, 268–271
  inspection rules
    applying, 276
    defining, 271–276
  interfaces, choosing, 266
  IP access lists, configuring, 267
  monitoring, 276
  testing, 276–277
  thresholds, configuring, 268–271
  verifying, 276–277
CBAC (context-based access control)
  perimeter routers, 226
Certificate Revocation Lists. See CRLs (Certificate Revocation Lists)
CET (Cisco Encryption Technology), 241, 453, 471–479
  configuration procedures job aid, 512
  configuring, 479–505, 510
  crypto engines, 471–473
  cryptosystems, forming, 460–468
  data integrity, 453–460
  designing, 508–509
  diagnosing, 505–507
  DSS keys
    generating, 480–483
    sending from passive side, 486
  DSS public keys
    accepting, 486
    authenticating, 486
    exchanging, 483–490
  encryption
    testing, 499–505
    verifying, 499–505
  encryption export policy, 511
  encryption job aid, planning for, 511–512
  encryption solutions, 453–460
  exchange connections
    enabling from active side, 485
    enabling from passive side, 484
  global encryption policies, defining, 490–493
  implementing, 508–510
  network layer encryption, 459
  per-session encryption policy, configuring, 493–498
  references, 469
  troubleshooting, 505–507
CHAP (Challenge Handshake Authentication Protocol), 114
  AAA architecture, 121–125
character-mode traffic, AAA architecture, 113
circuit-level gateways, firewalls, 229
Cisco, 137
Cisco ConfigMaker, 259, 278
Cisco Encryption Technology. See CET (Cisco Encryption Technology)
Cisco IOS crypto engine, 472
Cisco IOS Firewall, 259
  administration, 277–279
  audit trails, 261
  authentication proxy, 260
  CBAC, 260–264
    configuring, 266–277
    memory, 265
    performance, 265
    restrictions, 264–265
  configuring, 260–262, 280–284
  DoS (denial of service), 260
  dynamic port mapping, 261
  event logging, 261
  features, 260–261
  firewalls, managing, 261
  IDS (Intrusion Detection System), 262
  intrusion detection, 260
  IPSec encryption, 261
  Java applet blocking, 261
  NAT (network address translation), 261
  peer router authentication, 261
  planning, 263–265
  QoS (Quality of Service), 261
  real-time alerts, 261
  security, problems, 259–260
  time-based access lists, 261
  VPNs (virtual private networks), 261
Cisco IOS Firewall feature set, 226
Cisco IOS firewalls, 230
Cisco IOS Security Configuration Guide, 125, 474, 478
Cisco PIX firewalls, 230
CiscoSecure ACS, CSNT, system requirements, 185
CiscoSecure ACS (Access Control Server), 177
  CSNT (CiscoSecure ACS for NT), 178–195
    administering, 192–195
    architecture, 185–188
    features, 181–185
    installing, 190–191
    token card support, 188–189
    troubleshooting, 192–195
  CSUNIX (CiscoSecure ACS 2.3 for UNIX), 195–197
    features, 196–197
    system requirements, 197
  operating systems, 177–178
  RADIUS
    configuring, 205–210
    support, 178
    testing, 208–210
    troubleshooting, 208–210
  remote security databases, 148
  TACACS+
    configuring, 197–205
    debugging, 202–204
    support, 178
CiscoSecure ACS for NT. See CSNT (CiscoSecure ACS for NT)
CiscoSecure ACS for UNIX, 150
CiscoSecure GRS, 151
CiscoSecure Integrated Software. See CSIS (CiscoSecure Integrated Software)
CiscoSecure PIX 515, 520, 305–307
clear arp command, 326
clear commands, 586
clear configure primary command, 313
clear ip permit command, 99
clear xlate command, 391
CLI (command-line interface), 311–314
command syntax, ICMP, 725
commands, 166
  aaa authentication, 197, 199
  aaa authentication login, 147
  aaa authentication ppp, 146
  aaa new-model, 159, 197
  access-list, 552, 716, 722
  access-list icmp, 725
  access-list tcp, 728
  access-list udp, 730
  alias, 359
  apply, 323, 359, 419
  banner, 79
  ca enroll, 663
  ca zeroize rsa, 673
  clear, 586
  clear arp, 326
  clear configure primary, 313
  clear ip permit, 99
  clear xlate, 391
  conduit, 298, 359, 362, 364–365, 392–396
  config-isakmp, keywords, 568
  configure terminal, 313
  connect, 147
  copy rcp, 148
  copy running-config startup-config, 481
  crypto ca, 553
  crypto ca enroll, 661
  crypto ca identity, 655
  crypto gen-signature-keys, 481
  crypto ipsec transform-set, 552
  crypto isakmp, 553
  crypto isakmp enable, 567
  crypto isakmp policy, 553
  crypto key generate dss, 481
  crypto key generate rsa, 653
  crypto key pubkey-chain rsa, 598
  crypto key zeroize dss, 505
  crypto key zeroize rsa, 672
  crypto key-timeout, 497
  crypto map, 541, 553, 630
  crypto map local-address, 661
  crypto pregen-dh-pairs, 498
  debug, 169, 193, 586
  debug aaa, 169
  debug crypto ca, 673
  debug crypto pki, 672
  debug icmp trace, 327, 353
  debug ip icmp, 353
  debug ip packet, 353
  debug packet, 327
  disable, 313
  enable, 161, 313
  enable password, 74, 312
  enable secret, 75, 160
  encryption, 161
  esp-md5-hmac, 574
  esp-sha-hmac, 574
  established, 354
  exec-timeout, 76
  extended IP access lists, 722, 724–725
  failover active, 433
  failover reset, 433
  fixup, 426
  fixup protocol, 366–367
  flash, 442
  global, 310, 320–325, 340, 359, 386–391
  hostname, 596, 651
  IKE, 587
  interface, 310
  interface type number, 244
  ip access-group, 713
  ip address, 310
  ip domain-name, 650
  ip host, 651
  ip http access-class, 96
  ip http authentication, 96
  ip nat inside, 244
  ip nat outside, 244
  ip route, 233
  ip tcp intercept, 240
  isakmp policy, 638
  key chain, 88
  kill, 313
  link, 435
  linkpath, 435
  log, 717
  logging message, 427
  logging trap debugging, 247
  login local, 237
  login tacacs, 237
  mailhost, 359
  MD5, 88
  nameif, 298, 310, 387, 391
  nat, 310, 320–325, 342, 359, 386–391
  nat 0, 344
  netmask, 341, 388
  no ca enroll, 663
  no ca identity, 673
  no cdp enable, 232
  no cdp run, 231
  no crypto ca identity, 672
  no crypto map, 505
  no debug all, 277
  no ip bootp server, 231
  no ip directed-broadcast, 232
  no ip domain-lookup, 230
  no ip identd, 231
  no ip mroute-cache, 231
  no ip proxy-arp, 231
  no ip rcmd rcp-enable, 231
  no ip redirects, 231
  no ip route-cache, 231
  no ip rsh-enable, 231
  no ip source-route, 231
  no ip tcp path-mtu-discovery, 231
  no ip tcp selective-ack, 231
  no ip unreachable, 231
  no mop enabled, 231
  no service finger, 230
  no service tcp-small-servers, 230
  no service udp-small-servers, 230
  norandomseq, 342
  outbound, 323, 419
  outside, 342
  overload, 246
  password-encryption, 161
  ping, 14, 327, 365, 566
  PIX Firewall, 317–325
  rcp, 21
  rlogin, 21, 148
  route, 300
  route inside, 301
  rsh, 21, 148
  serverfarm, 383
  service, 161
  service password-encryption, 73
  service timestamps, 247
  services password-encryption, 160
  set enablepass, 97
  set ip permit disable, 99
  set ip permit enable, 99
  set port security, 98
  show, 391, 566, 586
  show arp, 326
  show ca certificate, 672
  show ca configure, 672
  show ca identity, 672
  show ca mypubkey rsa, 672
  show conn, 391
  show crypto ca certificates, 671
  show crypto cisco algorithms, 491
  show crypto isakmp policy, 566
  show crypto key mypubkey, 671
  show crypto key mypubkey dss, 481
  show crypto map, 555, 566
  show ip address, 325
  show isakmp, 555
  show isakmp policy, 555
  show nat, 391
  show port, 98
  show running-config, 73, 232
  show tcp intercept connections, 240
  show tcp intercept statistics, 240
  show version, 307
  show xlate, 391
  snmp-server, 429
  snmp-server community, 84
  standard IP access lists, 716–718
  static, 298, 300, 340, 356–359, 392–394
  tacacs-server host, 197
  tacacs-server key, 197
  telnet, 148, 384, 388
  test crypto initiate-session, 499–500
  tftp, 442
  timeout xlate, 390
  traceroute, 300, 388
  undebug all, 277
  url-cache, 426
  write, 310
  write memory, 391, 434
  write standby, 434
  write terminal, 73, 555, 566
  xlate, 368
community strings, SNMP, 84
compliance requirements, 697
Computer Oracle and Password System. See COPS (Computer Oracle and Password System)
conduit command, 298, 359–365, 392–396
conduits, PIX Firewall, inbound access, 296–303
config-isakmp command, keywords, 568
ConfigMaker, 278
configuration
  AAA, 205
    accounting, 168
    authentication profiles, 163
    authorization, 166
    debugging, 169
  access lists, 713
    verifying, 734–735
  CA support, 648–670
    PIX Firewall, 645–673
    routers, 645–673
  CET (Cisco Encryption Technology), 479–505, 510
    per-session encryption policy, 493–498
  Cisco IOS Firewall, 260–262, 280–284
    CBAC, 266–277
  dynamic crypto maps, 673
  dynamic NAT, 244
  general access lists, 712
  IKE Mode Configuration, 676
    IPSec, 670
    preshared keys, 567, 613
    references, 608
    RSA-encrypted nonces, 602
    verifying, 618–619
  IP access lists, 705–738
    extended IP access lists, 720–734
    standard IP access lists, 714–720
  IPSec
    encryption task overview, 554–558
    PIX Firewall, 619
    preparing, 566, 594–602
    preshared keys, 565–593, 603–606
    references, 608
    RSA-encrypted nonces, 594–603
    security association lifetime, 626–628
    testing, 636–638
    verification, 636–638
    verifying, 634–635
    Xauth (Extended Authentication), 678
  NAS AAA, 158–170
  PAT, 246
  perimeter routers, 248–254
  PIX Firewall, 310, 330–335
    AAA (authentication, authorization, and accounting) server, 401–407
    commands, 391
    failover, 430–433
    FTP, 426–428
    inside interfaces, 386–391
    IPSec, 611–638
    Java applet blocking, 422–423
    multiple interface access, 381–401
    multiple interfaces, 408–412
    NAT 0, 417–418
    outbound access control, 339–355
    outside to DMZ, 392–394
    PPTP (Point-to-Point Tunneling Protocol), 437–439
    secured bidirectional communication, 375–378
    SNMP (Simple Network Management Protocol), 428–430
    Syslog Server, 396–400
    testing, 325–330
    URL filtering, 423–425
    URL logging, 426–428
    user authentication, 401–407
    VPNs, 434–439
  preshared keys, 616–618
  RADIUS, CiscoSecure ACS, 205–210
  SNMP agent, 84
  TACACS+
    AAA configuration commands, 199
    CiscoSecure ACS, 197–205
  transform sets, 624–627
  VPNs (virtual private networks), verification, 671–672
Configuration Fundamentals Configuration Guide, 89
configuration procedures job aid, CET (Cisco Encryption Technology), 512
configure terminal command, 313
connect command, 147
connections, PIX Firewall, licensing, 391
console, administrative interface, access security, 70–76
Context-Based Access Control. See CBAC (Context-Based Access Control)
COPS (Computer Oracle and Password System), 47
copy rcp command, 148
copy running-config startup-config command, 481
credentials, Kerberos, 144
CRLs (Certificate Revocation Lists), 551
  requesting, 667
crypto access lists, creating, 620, 622–624
crypto ca command, 553
crypto ca enroll command, 661
crypto ca identity command, 655
crypto engines
  CET (Cisco Encryption Technology), 471–473
  Cisco IOS, 472
  ESA (Encryption Service Adapter) crypto engine, 471
  VIP2 (Versatile Interface Processor), 471
crypto gen-signature-keys command, 481
crypto ipsec transform-set command, 552
crypto isakmp command, 553
crypto isakmp enable command, 567
crypto isakmp policy command, 553
crypto key generate dss command, 481
crypto key generate rsa command, 653
crypto key pubkey-chain rsa command, 598
crypto key zeroize dss command, 505
crypto key zeroize rsa command, 672
crypto key-timeout command, 497
crypto map command, 541, 553, 630
crypto map local-address command, 661
crypto maps
  creating, 628–633
  dynamic crypto maps, configuring, 673
  interfaces, applying to, 633–634
crypto pregen-dh-pairs command, 498
CryptoCard token card server, CSNT, 188–189
cryptosystems, forming, 460, 462–468
CSIS (CiscoSecure Integrated Software), 259
CSNT (CiscoSecure ACS for NT), 178–195
  administering, 192–195
  architecture, 185–188
  features, 181–185
  installing, 190–191
  system requirements, 185
  token cards, support, 188–189
  troubleshooting, 192–195
CSPM (CiscoSecure Policy Manager), PIX Firewall, 439
CSUNIX (CiscoSecure ACS 2.3 for UNIX), 195–197
  features, 196–197
  system requirements, 197
cut-through user authentication, PIX Firewall, 301, 303
D
Data Encryption Standard. See DES (Data Encryption Standard)
data integrity
  CET (Cisco Encryption Technology), 453–460
  encryption, 454
data link layer encryption, 459
data manipulation threats, 30–32
data transfers, IPSec, 527
DDoS attacks, preventing, 238
debug aaa commands, 169
debug command, 193
debug commands, 169, 586
debug crypto ca command, 673
debug crypto pki command, 672
debug icmp trace command, 327, 353
debug ip icmp command, 353
debug ip packet command, 353
debug packet command, 327
debugging
  AAA configuration, 169
  CBAC, 277
  TACACS+, 202–204
defining, global encryption policies, CET, 490–493
demilitarized zone. See DMZ (demilitarized zone)
Denial of Service. See DoS (denial of service)
departments
DES (Data Encryption Standard) encryption algorithm, 462–464, 526, 535
  IPSec, 535–537
designing, CET (Cisco Encryption Technology), 508–509
device banner messages, setting, 79–80
DHCP (Dynamic Host Configuration Protocol), 52
diagnosis, CET (Cisco Encryption Technology), 505–507
dialup access, XYZ Company network scenario, 688
Diffie-Hellman Key agreement, IPSec, 541–543
Diffie-Hellman Key exchange, 467–468
Digital Encryption Standard. See DES (Digital Encryption Standard)
Digital Signature Standard. See DSS (Digital Signature Standard)
disable command, 313
disabling IKE, 613
DMZ (demilitarized zone), 223, 228
  firewalls, 381
  PIX Firewall, 385
    configuring, 392–394
DNS (domain name system), references, 389
DNS and BIND, 389
DNS Guard, PIX Firewall, 370–374
DoS (denial of service)
  attacks, preventing, 237–240
  Cisco IOS Firewall, 260
  PIX Firewall, 370–374
  threats, 24–25, 27–29
Double Authentication
  PPP sessions, 210–212
  prerequisites, 212
DSS (Digital Signature Standard), 465–466, 476
DSS keys, generating, CET, 480–483
DSS public keys, exchanging, CET, 483–490
dual-homed hosts, 228
dynamic crypto maps, configuring, 673
Dynamic Host Configuration Protocol, 52
Dynamic NAT, 340
  configuring, 244
dynamic port mapping, Cisco IOS Firewall, 261
E
eavesdropping, 17
ECRA (Export Compliance and Regulatory Affairs), 511
EIGRP, MD5 authentication, 88
enable command, 161, 313
enable password command, 74, 312
enable secret command, 75, 160
enabling IKE, 613
Encapsulating Security Payload. See ESP (Encapsulating Security Payload)
enciphering. See encryption
encrypted sessions
  establishing, 477
  terminating, 478
encryption algorithms, IPSec, 525
encryption, 454–456
  alternatives, 458
  application layer encryption, 458
  applications, 456
  CET (Cisco Encryption Technology), 471–479
    configuration procedures job aid, 512
    configuring, 479–505, 510
    crypto engines, 471–473
    cryptosystems, 460–468
    designing, 508–509
    diagnosing, 505–507
    DSS keys, 480–483
    DSS public keys, 483–490
    encryption export policy, 511
    encryption job aid, 511–512
    global encryption policies, 490–493
    implementing, 508–510
    testing, 499–505
    troubleshooting, 505–507
    verification, 499–505
  CET (Cisco Encryption Technology), 453–460
  cryptosystems, forming, 460–468
  data integrity, 454
  data link layer encryption, 459
  data privacy, 454
  DES (Digital Encryption Standard), 462–464
  Diffie-Hellman Key exchange, 467–468
  DSS (Digital Signature Standard), 465–466
  encrypted sessions, 477
    terminating, 478
  MD5 (Message Digest 5), 464
  network layer encryption, 459, 474
  nonrepudiation, 455
  passwords, administrative interfaces, 73
  planning, 474
  policies, 700
  references, 469
encryption command, 161
encryption export policy, CET (Cisco Encryption Technology), 511
encryption job aid, CET (Cisco Encryption Technology), planning for, 511–512
encryption task overview (IPSec), configuring, 554–558
Entrust Technologies, VPNs, 552
equipment security, 699
errors, standard IP access lists, 719
ESA (Encryption Service Adapter) crypto engine, 471
ESP (Encapsulating Security Payload), 526, 529
  IPSec, 529–535
ESP HMAC, 529
esp-md5-hmac command, 574
esp-sha-hmac command, 574
established command, 354
Ethernet switches
  management access, controlling, 97
  port security, 97
  references, 106
  securing, 97–99
event logging, Cisco IOS Firewall, 261
events, perimeter routers, logging, 247
exec-timeout command, 76
exploitation, 14
Extended Authentication. See Xauth
extended IP access lists
  commands, 722–725
  configuring, 705–738
  location, 732
  processing, 721–722
extranets, policies, 700
F
failover, PIX Firewall, configuring, 430–433
failover active command, 433
failover reset command, 433
filtering ICMP messages, PIX Firewall, 395–396
filters
  incoming network filters, 93
  traffic control, 91–92
fine-tuning passwords, line parameters, 76
firewalls, 698
  application gateways, 229
  circuit-level gateways, 229
  Cisco IOS firewalls, 230
  Cisco PIX firewalls, 230
  DMZ (demilitarized zone), 381
  packet filters, 229
  perimeter security, 229
  proxy servers, 229
  see also Cisco IOS Firewall and PIX Firewall
fixup commands, 426
fixup protocol command, 366–367
flash command, 442
FTP, PIX Firewall, configuring, 426–428
G-H
general access lists, configuring, 712
global command, 310, 340–359
  inside interfaces, configuring, 386–391
global commands, PIX Firewall, 320–325
global encryption policies, CET, defining, 490–493
global IPSec security association lifetime, configuring, 626–628
global timeouts, CBAC, configuring, 268–271
GRE (Generic Routing Encapsulation), 520
Hashed Message Authentication Codes, 543–545
hashes, 88
HMACs (Hashed Message Authentication Codes), 543–545
home access, policies, 700
hostname command, 596, 651
HSRP (Hot Standby Router Protocol), 430
HTTP (Hypertext Transport Protocol), access, controlling, 95–96
I
inbound packet filtering, 234–235
ICMP
  command syntax, 725
  messages, names, 725, 727–728
ICMP messages, PIX Firewall, filtering, 395–396
Identification and Authentication Policy, 697
IDS (Intrusion Detection System)
  Cisco IOS Firewall, 262, 701
IETF, RADIUS, 137
IKE (Internet Key Exchange), 537, 550
  commands, 587
  configuring
    IPSec, 670
    preshared keys, 567, 613
    references, 608
    RSA-encrypted nonces, 602
    verifying, 618–619
  disabling, 613
  enabling, 613
  IOS software, 552–553
  IPSec, 537–541
  policies, creating, 613, 615
IKE Mode Configuration, 676
IKE Phase 1 (IPSec), 524
IKE Phase 2 (IPSec), 525
implementation, CET (Cisco Encryption Technology), 508–510
inbound access, PIX Firewall, 296–303
inbound access control, PIX Firewall, 351–354
Incident Response Procedure, 701
incident-handling procedures, 700–703
incoming network filters, 93
inform requests, SNMP notifications, 83
information theft, 17
initial access attacks, 24
inside global addresses, NAT, 243
inside hosts
  access control, PIX Firewall, 356–374
  PIX Firewall
    DNS Guard, 370–374
    DoS (denial of service), 370–374
    ping access, 369–370
    static translation, 356–368
inside interfaces, PIX Firewall, 385
  configuring, 386–391
inside local addresses, NAT, 243
inspection rules, CBAC
  applying, 276
  defining, 271–276
installation, CSNT, 190–191
intended audiences, security policies, 693
interface command, 310
interface type number command, 244
interfaces, CBAC
  choosing, 266
  commands, PIX Firewall, 317–320
  crypto maps, applying, 633–634
  naming, 383
  PIX Firewall, 307–309
    configuring, 392–394, 408–412
    DMZ interfaces, 392–394
    inside interfaces, 386–391
    security, 314–317
  security levels, 384
Internet access, XYZ Company network scenario, 689
Internet Access Policy, 698
Internet Key Exchange. See IKE (Internet Key Exchange)
interoperability, CAs, managing, 667
intrusion detection, Cisco IOS Firewall, 260
Intrusion Detection Software (Intrusion Detection Software), 262, 701
IOS software
  IKE, 552–553
  IPSec, 552–553
IP access lists
  CBAC, configuring, 267
  configuring, 705–738
  extended IP access lists, configuring, 720–734
  standard IP access lists, configuring, 714–720
  wildcard masks, 711–712
ip access-group command, 713
ip address command, 310
IP addresses, managing, perimeter routers, 242–246
IP addressing, 706–707
  network classes, 707–708
  subnet addresses, 708–710
ip domain-name command, 650
ip host command, 651
ip http access-class command, 96
ip http authentication command, 96
ip nat inside command, 244
ip nat outside command, 244
ip route command, 233
IP spoofing, 31
ip tcp intercept command, 240
IPSec, 520–527
  AH (Authentication Header), 527–528
  CAs, 548–552
  configuring
    PIX Firewall, 619
    preparing, 566, 594–602
    preshared keys, 565–593, 603–606
    references, 608
    RSA-encrypted nonces, 594–603
    testing, 636–638
    verification, 634–638
  data transfers, 527
  DES (Data Encryption Standard), 535–537
  Diffie-Hellman Key agreement, 541–543
  encryption algorithms, support, 525
  encryption task overview, configuring, 554–558
  equipment infrastructure, 522
  ESP (Encapsulating Security Payload), 529–535
  features, 520
  HMACs (Hashed Message Authentication Codes), 543–545
  IKE (Internet Key Exchange), 537–541, 670
  IKE Phase 1, 524
  IKE Phase 2, 525
  IOS software, 552–553
  network-layer encryption, 242
  PIX Firewall
    configuring, 611–638
    preparing, 612
    preshared keys, 638–639, 641
  PKI (Public Key Infrastructure), 548–552
  process initiation, 523
  RSA security, 546–548
  security association lifetime, configuring, 626–628
  security associations, 521–522
  standards, 561
  technologies, 527–548
  testing, 586–588, 590–593
  tunnel termination, 527
  verifying, 586–593
  VPNs, securing, 519–520
  Xauth (Extended Authentication), configuring, 678
IPSec encryption, Cisco IOS Firewall, 261
isakmp policy command, 638
isolation LAN. See DMZ (demilitarized zone)
issues, security, reasons, 6–13
J-K
Java applet blocking, PIX Firewall, configuring, 422–423
KDC (key distribution center), 142–144
Kerberized, 144
Kerberos
  authentication, PPP, 145
  components, 143
  credentials, 144
  features, 143
  generic authentication, 145
  KDC (key distribution center), 142–144
  Kerberized, 144
  KINIT, 144
  login authentication, 146
  operations, 145
  realms, 144
  remote security databases, 142–151
  service credentials, 145
  terminology, 144
  TGT (Ticket Granting Ticket), 145
key chain command, 88
key distribution center, 142–144
keywords, config-isakmp command, 568
kill command, 313
KINIT, Kerberos, 144
L
L2F (Layer 2 Forwarding), 520
L2TP (Layer 2 Tunneling Protocol), 520
licensing, PIX Firewall, connections, 391
line parameters, passwords, fine-tuning, 76
link command, 435
linkpath command, 435
local authentication, local security databases, 128
local security databases
  AAA architecture, 127
  local authentication, 128
locations
  extended IP access lists, 732
  standard IP access lists, 718–719
lock-and-key security, perimeter routers, 235–237
log command, 717
logging events, perimeter routers, 247
logging message command, 427
logging trap debugging command, 247
login local command, 237
login tacacs command, 237
M
Mail Guard, PIX Firewall, configuring, 366
mailhost command, 359
Management Information Bases, 81
MCNS (Managing Cisco Network Security) course, 687
MD5 (Message Digest 5) encryption algorithm, 464, 526
  EIGRP, 88
  routing protocols, 88
md5 command, 88
memory usage, managing, 650
messages, ICMP, names, 725, 727–728
MIBs (Management Information Bases), 81
Microsoft Dial-Up Networking Configuration Screen, 438
Microsoft Point-to-Point Encryption, 520
Microsoft Windows 2000 Certificate Services 5.0, VPNs, 552
mobile computing, policies, 699
models, PIX Firewall, 305–307
monitoring security, 45
MPPE (Microsoft Point-to-Point Encryption), 520
multimedia applications, PIX Firewall, 354–355
multiple interfaces, PIX Firewall, access configuration, 381–401
N
named IP access lists, 735–737
nameif command, 298, 310, 387, 391
naming interfaces, 383
NAS (Network Access Server), 157, 177
  AAA (authentication, authorization, and accounting) security, 158–174
    globally enabling, 162
    privileged EXEC (enable) mode, 160
NASI (NetWare Access Server Interface), 114
  packet-mode traffic, 114
NAT (Network Address Translation), 242, 261, 339
  Cisco IOS Firewall, 261
  configuring
    nat 0 configuration, 344–347
    outbound access control, 341–344
  Dynamic NAT, 244, 340
  IP addresses, managing, 242–246
  overloading, 245
  PAT (Port Address Translation), 340, 347–349
  PIX Firewall, 340–344
  Static NAT, 340
  terminology, 243
nat 0 command, 344, 417–418
nat command, 310, 342, 359
NetBIOS, PIX Firewall, 349–350
netmask command, 341, 388
NetWare Access Server Interface. See NASI (NetWare Access Server Interface)
Network Access Server. See NAS (Network Access Server)
Network Address Translation. See NAT (Network Address Translation)
network classes, IP addressing, 707–708
network layer encryption, 459
network security policies, analyzing, 42–43
network snooping, 17
network-layer encryption, 474
  IPSec, 242
  perimeter routers, 241–242
networks
  access, securing, 111–114
  protecting, importance of, 39–40
  security, case studies, 48–60
  suppressing, 92–93
NICs (network interface cards), PIX Firewall, 308–309
no ca enroll command, 663
no ca identity command, 673
no cdp enable command, 232
no cdp run command, 231
no crypto ca identity command, 672
no crypto map command, 505
no debug all command, 277
no ip bootp server command, 231
no ip directed-broadcast command, 232
no ip domain-lookup command, 230
no ip identd command, 231
no ip mroute-cache command, 231
no ip proxy-arp command, 231
no ip rcmd rcp-enable command, 231
no ip redirects command, 231
no ip route-cache command, 231
no ip rsh-enable command, 231
no ip source-route command, 231
no ip tcp path-mtu-discovery command, 231
no ip tcp selective-ack command, 231
no ip unreachable command, 231
no mop enabled command, 231
no service finger command, 230
no service tcp-small-servers command, 230
no service udp-small-servers command, 230
nonprivileged access, SNMP, 84
nonrepudiation, encryption, 455
nonvolatile random-access memory, 75
norandomseq command, 342
notifications, SNMP, 83
NVRAM (nonvolatile random-access memory), 75
O
operating systems, CiscoSecure ACS, 177–178
outbound access control, PIX Firewall, 339–355
  NAT (Network Address Translation), 341–344
outbound command, 323, 419
outbound packet filtering, 235
outbound access, PIX Firewall, controlling, 419–422
outside command, 342
outside global addresses, NAT, 243
outside interfaces, PIX Firewall, 385
  configuring, 392–394
outside local addresses, NAT, 243
overload command, 246
overloading, NAT, 245
P
packet filtering
  firewalls, 229
  inbound packet filtering, 234–235
  outbound packet filtering, 235
packet mode traffic, AAA, 114
packet sniffing, 17
packet-capturing utilities, 17
PAP (Password Authentication Protocol), 52, 114, 180
  AAA architecture, 121–125
password attacks, 24
Password Authentication Protocol. See PAP (Password Authentication Protocol)
password-based attacks, 20
password-encryption command, 161
passwords
  authentication, AAA architecture, 114, 116–117
  encryption, administrative interfaces, 73
  line parameters, fine-tuning, 76
  management guidelines, 697
  recovering, PIX Firewall, 440
PAT (Port Address Translation), 242, 339
  configuring, 246
  IP addresses, managing, 242–246
  NAT (Network Address Translation), 340, 347–349
peer router authentication, Cisco IOS Firewall, 261
perimeter routers, 224–228
  access, controlling, 234–237
  CBAC (context-based access control), 226
  Cisco IOS Firewall feature set, 226
  configuring, 248, 250, 252–254
  DMZ (demilitarized zone), 228
  DoS attacks, preventing, 237–240
  events, logging, 247
  features, 225
  inbound packet filtering, 234–235
  IP addresses, managing, 242–246
  lock-and-key security, 235–237
  network-layer encryption, 241–242
  outbound packet filtering, 235
  rerouting attacks, preventing, 232–233
  route advertisement, controlling, 233
  route authentication, 233
  screened subnet architecture, 224
  static routes, 232
perimeter security, 223–230
  bastion hosts, 228
  firewalls, 229
  perimeter routers, 224–228
per-session encryption policy, CET, configuring, 493–498
physical devices, securing, 69–70
ping access, PIX Firewall
  inside hosts, 369–370
  permitting, 395–396
ping command, 14, 327, 365, 566
PIX Firewall (Private Internet Exchange), 291–292
  AAA (authentication, authorization, and accounting) server, configuring, 401–407
  ASA (Adaptive Security Algorithm), 292
  CA support, configuring, 645–673
  CLI (command-line interface), 311–314
  components, 303–309
  conduits, inbound access, 296–303
  configuring, 310, 330–335
    Advanced PIX Firewall, 443–444, 446–447
    commands, 391
    multiple interface access, 381–401
    multiple interfaces, 408–412
    outbound access control, 339–355
    outside to DMZ, 392–394
    secured bidirectional communication, 375–378
    testing, 325–330
    URL logging, 426–428
    user authentication, 401–407
  connections, licensing, 391
  CSPM (CiscoSecure Policy Manager), 439
  cut-through user authentication, 301, 303
  DNS Guard, 370–374
  DoS (denial of service), 370–374
  entering, 293–303
  failover, configuring, 430–433
  features, 293
  FTP, configuring, 426–428
  global commands, 320–325
  ICMP messages, filtering, 395–396
  inbound access control, 351–354
  inside hosts
    access control, 356–374
    ping access, 369–370
    static translation, 356–362, 364–368
  inside interfaces, configuring, 386–391
  interface commands, 317–320
  interfaces
    DMZ, 385
    inside, 385
    outside, 385
    security, 314–317
  ip address commands, 317–320
  IPSec
    configuring, 611–638
    overall configuration, 636–638
    preparing, 612
  Java applet blocking, configuring, 422–423
  Mail Guard, configuring, 366
  maintenance, 440–443
  models, 303–309
  multimedia applications, 354–355
  NAT (Network Address Translation), 340–344
    nat 0 configuration, 344–347
    outbound access control, 341–344
    PAT (Port Address Translation), 347–349
  NAT 0, configuring, 417–418
  nat commands, 320–325
  NetBIOS translation, 349–350
  network interfaces, 307–309
  NICs (network interface cards), 308–309
  operations, 293
  outbound access, controlling, 419–422
  outbound access control, 351–354
  password recovery, 440
  ping access, permitting, 395–396
  PPTP (Point-to-Point Tunneling Protocol), configuring, 437–439
  Private Link encryption, 434–437
  SNMP (Simple Network Management Protocol), configuring, 428–430
  software licensing, 308
  software upgrades, 441–442
  statics, inbound access, 296–303
  SYN (synchronize segment) flood attacks, 372–374
  Syslog Server, configuring, 396–400
  URL filtering, configuring, 423–425
  VPNs, configuring, 434–439
PKCS #10 (Public-Key Cryptography Standard #10), 550
PKCS #7 (Public-Key Cryptography Standard #7), 550
PKI (Public Key Infrastructure), 548
  IPSec, 548–552
plaintext authentication
  routing protocols, 87
  security, 87
planning encryption, 474
points of contact, incident response teams, 702
Point-to-Point Protocol. See PPP (Point-to-Point Protocol)
Point-to-Point Tunneling Protocol. See PPTP (Point-to-Point Tunneling Protocol)
policies
  Acceptable Use Policy, 696–697
  analyzing, 42–43
  Campus Access Policy, 698
  Identification and Authentication Policy, 697
  IKE, creating, 613, 615
  implementation, 696
  intended audiences, 693
  Internet Access Policy, 698
  Remote Access Policy, 699–700
  scope, 694
  stakeholders, 694
  system administrators, responsibilities, 695
  user education, 696
Port Address Translation. See PAT (Port Address Translation)
postures, improving, 47
PPP (Point-to-Point Protocol), 52
  authentication, Kerberos, 145
  Double Authentication, 210–212
  packet-mode traffic, 114
PPTP (Point-to-Point Tunneling Protocol), 437, 520
  PIX Firewall, configuring, 437–439
preshared keys
  configuring, 616–618
  IKE, configuring, 567, 613
  IPSec, configuring, 565–593, 603–606
  PIX Firewall, configuring for, 638–639, 641
preshared keys (IKE), 539
Private Internet Exchange Firewall. See PIX (Private Internet Exchange)
Private Link encryption, PIX Firewall, 434–437
privilege levels, administrative interfaces, setting multiple, 77–78
privileged access, 21
  SNMP, 85
processing
  extended IP access lists, 721–722
  standard IP access lists, 714–716
protocol analyzers, 17
protocols, VPNs, 520
proxy servers, firewalls, 229
Public Key Infrastructure. See PKI (Public Key Infrastructure)
Public-Key Cryptography Standard #10. See PKCS #10 (Public-Key Cryptography Standard #10)
Public-Key Cryptography Standard #7. See PKCS #7 (Public-Key Cryptography Standard #7)
Q-R
QoS
  Cisco IOS Firewall, 261
RA (Registration Authority), 551
RADIUS (Remote Access Dial-In User Service), 177
  accounting process, 139
  attributes, 140
  authentication process, 138
  authorization, 138
  CiscoSecure ACS, 178
  configuring, CiscoSecure ACS, 205–210
  features, 137
  remote security databases, 136–142
  TACACS+, compared, 141
  testing, 208–210
  troubleshooting, 208–210
  versions, 137
rcp command, 21
realms, Kerberos, 144
real-time alerts, Cisco IOS Firewall, 261
reconnaissance threats, 14–18
recovering passwords, PIX Firewall, 440
references
  AAA (authentication, authorization, and accounting), 413
  access lists, 738
  CET (Cisco Encryption Technology), 515
  Cisco IOS Firewall, configuring, 286
  CiscoSecure Policy Manager, 449
  CiscoSecure Software Center, 449
  CiscoSecure ACS, 219
  CLI, 336
  conduit commands, 379
  DNS, 389
  DoS attacks, 379
  encryption, 469
  ESA (Encryption Service Adapter), 515
  Ethernet switches, 106
  firewall configuration, 285
  general router configuration, 105
  hackers, 336
  hacking, 336
  IKE, configuring, 608
  IPSec, configuration, 608
  NAT, 336
  neighbor routing authentication, 106
  network security, 336
  PIX Firewall, 379, 413
  PPTP (Point-to-Point Tunneling Protocol), 448
  Private Link Encryption, 448
  security, 34
  security policy configuration, 218
  SNMP, 106
  standard and extended access lists, 106
  TACACS+/RADIUS, 219
  TFTP servers, 448
  token servers, 152
  URL filtering, 448
  xlate commands, 379
Registration Authority. See RA (Registration Authority)
Remote Access Dial-In User Service. See RADIUS (Remote Access Dial-In User Service)
Remote Access Policy, 699–700
remote security databases
  AAA architecture, 128–130
  CiscoSecure ACS, 148
  Kerberos, 142–151
  RADIUS, 136–142
  standards, 130–151
  TACACS+, 131–136
remote-access services, 24
rerouting attacks, preventing, 232–233
reverse DNS, references, 389
rlogin command, 21, 148
route advertisement, controlling, 233
route authentication, perimeter routers, 233
route command, 300
route inside command, 301
router configuration files, securing, 90–91
routers
  CA support, configuring, 645–673
  HTTP access, controlling, 95–96
  perimeter routers, 224–226, 228
router-to-router communications
  router configuration files, securing, 90–91
  routing protocols, authenticating, 86–90
  securing, 86–96
  traffic control, filters, 91–92
routing protocols, authenticating, 86–90
RSA, 550
RSA key pairs, generating, 652
RSA security, IPSec, 546–548
RSA signatures (IKE), 539
RSA-encrypted nonces, IPSec, configuring, 594, 596–603
RSA-encrypted nonces (IKE), 539
rsh command, 21, 148
S
S/Key authentication
  AAA architecture, 117–120
  client software, 118
  hosts, 119
  users, 119
SafeWord, 188
scaling VPNs (virtual private networks), 673–680
SCEP (Simplified Certification Enrollment Protocol), 551
scope, policies, 694
screened subnet architecture, perimeter routers, 224
secondary access, 21, 24
secured bidirectional communication, PIX Firewall, configuring, 375–378
security, 5
  AAA (authentication, authorization, and accounting), NAS (Network Access Server), 158, 160–174
  administrative interfaces, 70–86
    access, 70–76
    banner messages, 79–80
    password encryption, 73
    privilege levels, 77–78
  campuses, 67–69
  case studies, 48–60
  Cisco IOS Firewall, problems, 259–260
  cost considerations, 39
  DoS attacks, preventing, 237–240
  encryption, 454–456
    alternatives, 458
    applications, 456
    CET (Cisco Encryption Technology), 453–460
    DES (Digital Encryption Standard), 462–464
    Diffie-Hellman Key exchange, 467–468
    DSS (Digital Signature Standard), 465–466
    MD5 (Message Digest 5), 464
    references, 469
  Ethernet switches, 97–99
  importance of, 39–40
  issues, reasons, 6–13
  lock-and-key security, 235–237
  monitoring, 45
  necessity of, 5–6
  network-layer encryption, 241–242
  opportunities, 33
  perimeter routers, access, 234–237
  perimeter security, 223–230
    perimeter routers, 224–228
  physical devices, 69–70
  PIX Firewall, interfaces, 314–317
  references, 34
  rerouting attacks, preventing, 232–233
  router-to-router communications, 86–88, 90–96
    router configuration files, 90–91
    routing protocol authentication, 86–90
    traffic control, 91–92
  SNMP, access control, 81–86
  SPA (security posture assessment), 40–47
  statements of authority and scope, 693–696
  SYN attacks, preventing, 239
  TCP/IP, controlling, 230–232
  Telnet, access, 80–81
  testing, 46
  threats
    data manipulation threats, 30–32
    DoS (denial of service) threats, 24–29
    reconnaissance threats, 14–18
    types, 13–33
    unauthorized remote access threats, 18–24
  trusted access, 24
  VPNs, IPSec, 519–520
  Web sites, 35
  XYZ Company network scenario, 690–691
security association lifetime, IPSec, configuring, 626–628
security associations, IPSec, 521–522
security audits, 46
Security Configuration Guide and Security Configuration Command Reference, 510
Security Dynamics, Inc., 188
security levels, interfaces, 384
security policies
  Acceptable Use Policy, 696–697
  analyzing, 42–43
  Campus Access Policy, 698
  Identification and Authentication Policy, 697
  implementation, 696
  intended audiences, 693
  Internet Access Policy, 698
  Remote Access Policy, 699–700
  scope, 694
  stakeholders, 694
  system administrators, responsibilities, 695
  user education, 696
security posture assessment. See SPA (security posture assessment)
security postures, improving, 47
security servers, AAA architecture, 127–151
sensitivity levels, information, 693–696
serverfarm command, 383
service command, 161
service credentials, Kerberos, 145
service password-encryption command, 73, 160
service timestamps command, 247
session hijacking, 31
session replays, 31
set enablepass command, 97
set ip permit disable command, 99
set ip permit enable command, 99
set password command, 97
set port security command, 98
SHA-1 (Secure Hash Algorithm-1) encryption algorithm, 526
show arp command, 326
show ca certificate command, 672
show ca configure command, 672
show ca identity command, 672
show ca mypubkey rsa command, 672
show commands, 391, 566, 586
show conn command, 391
show crypto ca certificates command, 671
show crypto cisco algorithms command, 491
show crypto isakmp policy command, 566
show crypto key mypubkey command, 671
show crypto key mypubkey dss command, 481
show crypto map command, 555, 566
show ip address command, 325
show isakmp command, 555
show isakmp policy command, 555
show nat command, 391
show port command, 98
show running-config command, 73, 232
show tcp intercept connections command, 240
show tcp intercept statistics command, 240
show version command, 307
show xlate command, 391
signatures, 14
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol), 67, 428
Simple WATCHdog, 47
Simplified Certification Enrollment Protocol. See SCEP (Simplified Certification Enrollment Protocol)
SNMP (Simple Network Management Protocol), 67, 82, 428
  access, controlling, 81–86
  access lists, 85
  agent, configuring, 84
  community strings, 84
  nonprivileged access, 84
  notifications, 83
  PIX Firewall, configuring, 428–430
  privileged access, 85
  references, 106
  versions, 83
snmp-server command, 429
snmp-server community command, 84
software licensing, PIX Firewall, 308
software upgrades, PIX Firewall, 441–442
SPA (security posture assessment), 40, 42–47
stakeholders, policies, 694
standard IP access lists
  commands, 716–718
  common errors, 719
  configuring, 705–738
  location, 718–719
  processing, 714–716
standards, remote security databases, 130–151
statements of authority and scope, 693–696
static command, 298–300, 340, 356–359, 392–394
Static NAT, 340
static routes, perimeter routers, 232
static translation, PIX Firewall, inside hosts, 356–368
statics, PIX Firewall, inbound access, 296–303
subnet addresses, IP addressing, 708–710
suppressing networks, 92–93
Swatch (Simple WATCHdog), 47
switches, Ethernet, securing, 97–99
SYN (synchronize segment) flood attacks
  attacks, controlling, 239
  PIX Firewall, 372–374
syntax
  TCP, 728
  UDP, 730
Syslog Server, PIX Firewall, configuring, 396–400
system administrators, policies, responsibilities, 695
system requirements
  CSNT, 185
  CSUNIX, 197
T
TACACS (Terminal Access Controller Access Control System), versions, 131
TACACS+ (Terminal Access Controller Access Control System Plus), 132, 177
  accounting process, 135
  authentication process, 133
  authorization process, 134
  CiscoSecure ACS, 178
  configuring
    AAA configuration commands, 199
    CiscoSecure ACS, 197–205
  debugging, 202–204
  features, 132
  RADIUS, compared, 141
  remote security databases, 131–136
tacacs-server host command, 197
tacacs-server key command, 197
TARA (Tiger Analytical Research Assistant), 47
TCP (Transport Control Protocol)
  port keywords, 729
  syntax, 728
TCP intercept, 239
TCP/IP, controlling, 230–232
technologies, IPSec, 527–548
TED (Tunnel Endpoint Discovery), 679
telecommuters, policies, 700
Telnet, access, controlling, 80–81
telnet command, 148, 384, 388
Terminal Access Controller Access Control System+. See TACACS+ (Terminal Access Controller Access Control System Plus)
terminology, Kerberos, 144
test crypto initiate-session command, 499–500
testing
  CBAC, 276–277
  CET encryption, 499–505
  IPSec, 586–593
  PIX Firewall, configuration, 325–330
  RADIUS, 208–210
  security, 46
TFTP (Trivial File Transport Protocol), 67
tftp command, 442
TGT (Ticket Granting Ticket), 145
threats, security
  data manipulation threats, 30–32
  DoS (denial of service) threats, 24–29
  reconnaissance threats, 14–18
  types, 13–33
  unauthorized remote access threats, 18–24
thresholds, CBAC, configuring, 268–271
Ticket Granting Ticket, 145
Tiger Analytical Research Assistant. See TARA (Tiger Analytical Research Assistant)
time-based access lists, Cisco IOS Firewall, 261
timeout xlate command, 390
token cards, authentication, AAA architecture, 120
token servers
  authentication, AAA architecture, 120
  references, 152
traceroute command, 300, 388
traffic, controlling, filters, 91–92
transform sets, configuring, 624–627
traps, SNMP notifications, 83
Triplight, 47
Trivial File Transport Protocol, 67
troubleshooting
  CET (Cisco Encryption Technology), 505–507
  CSNT, 192–195
  RADIUS, 208–210
trust relationships, 698
trusted access, 24
trusted computers, 21
Tunnel Endpoint Discovery. See TED (Tunnel Endpoint Discovery)
tunnel termination, IPSec, 527
U
UDP, syntax, 730
unauthorized remote access threats, 18–24
undebug all command, 277
UNIX, CiscoSecure ACS, 177–178
updates, network suppression, 92–93
upgrades, PIX Firewall software, 441–442
url-cache command, 426
URLs
  filtering, PIX Firewall, 423–425
  logging, PIX Firewall, 426–428
user authentication, PIX Firewall, configuring, 401–407
user education, policies, 696
usernames, authentication, AAA architecture, 114–117
V
verification
  access list configuration, 734–735
  CET encryption, 499–500, 502–505
  IKE, configuration, 618–619
  IPSec, 586–593
    configuration, 634–635
  VPNs, configuration, 671–672
VeriSign, VPNs, 552
VIP2 (Versatile Interface Processor) crypto engine, 471
VLANs (virtual local-area networks), 98
VPNs (virtual private networks)
  Baltimore Technologies, 552
  Cisco IOS Firewall, 261
  configuring, verifying, 671–672
  Entrust Technologies, 552
  Microsoft Windows 2000 Certificate Services 2.0, 552
  PIX Firewall, configuring, 434–439
  protocols, 520
  scaling, 673–680
  securing, IPSec, 519–520
  VeriSign, 552
vulnerabilities, 14
W-Z
Web sites, security, 35
wildcard masks, IP access lists, 711–712
Windows NT, CiscoSecure ACS, 177–178
write command, 310
write memory command, 391, 434
write standby command, 434
write terminal command, 73, 555–566
X.509v3 certificates, 550
Xauth (Extended Authentication), 678
  IPSec, configuring, 678
xlate command, 368
XTACACS, 132
XYZ Company network scenario, 687–688
  departments, 689–690
  dialup access, 688
  Internet access, 689
  security, 690–691