
Page 1: Index [ptgmedia.pearsoncmg.com]ptgmedia.pearsoncmg.com/images/1587201232/index/1587201232index.pdf · manual configuration, 338–344 specifications, 335 CiscoWorks Firewall MC,

Index

Numerics

3DES (Triple Data Encryption Standard), 265

A

AAA (authentication, authorization, and accounting), 12, 511, 515
  configuring, 538
    cut-through proxies, 569
    “Do I Know This Already?” quiz, 533–536
  defined, 511
  “Do I Know This Already?” quiz, 507–510
  Floodguard, 597
  PIX Firewalls supported AAA server technologies, 515
  servers
    identifying, 538, 541
    specifying, 537
  support, 44
  troubleshooting, 573, 577
aaa accounting command, 539
aaa authentication command, 539, 542
aaa authentication console command, 544
aaa authorization command, 539
aaa-server command, 538
AAA server groups, 446
aaa-server local command, 539
AAA servers, 383
access, 9
  AAA, 511, 515
  ACL, 26
  configuring inbound access, 159–168
  “Do I Know This Already?” quiz, 155–158
  lists, 164
  modes, 129
  NAS, 512
  networks
    security, 7
    threats, 8
    types of attacks, 8, 11
    vulnerabilities, 8
  object grouping, 169, 172
  PDM requirements, 376
  remote, 71, 74
    SSH, 72–74
    Telnet, 71–72
  rules, configuring, 642
access attacks, 9, 10–11
Access Control Server (ACS), 44
access list entries (ACEs), 164
access lists, managing access control entries, 167
access rules, 387–389
access VPNs, 261, 311
access-group command, 280, 641
access-list command, 164, 275
accounting, 512
  configuring, 563–565
  troubleshooting, 575
  viewing, 565
ACEs (access list entries), 164
ACLs (access control lists), 26
  downloading, 569, 572
  logging, 172
  TurboACL, 168–169
ACS (Access Control Server), 44
activating AUS, 464
  auto update server contact information, 469
  PIX Firewall configuration deployment, 470

1587201232.book Page 750 Monday, September 13, 2004 1:12 PM


  PIX Firewall unique identification parameters, 467
activation keys
  license, 265
  upgrading, 79–80
ActiveX objects, filtering, 495–497
Activity bar (Firewall MC user interface), 428
Activity Report (Firewall MC), 455
Adaptive Security Algorithm (ASA), 31, 41–43
address command, 82
address translation pools, 447
addresses
  IP
    global, 639–640
    mapping, 637
  translation, 45, 106, 114
    bidirectional, 114
    commands, 107–108
    configuring multiple, 112, 114
    NAT, 108–109
    PAT, 110
    static, 111
    static port translation, 161
    troubleshooting, 114, 118
administration tasks (Firewall MC), 458
  maintenance, 461
  support, 462
  workflow setup, 458–460
advanced protocol handling, 175–177
aggressive mode (IKE), 266
AH (Authentication Header), 263
algorithms
  ASA, 31, 41–43
  SHA-1, 265
  transform sets, 276
alias command, 596
applets, 496
applications
  advanced protocol handling, 175
  AVVID, 14–15, 19
  multimedia
    H.323, 591
    RTSP, 588
    support, 587–593
  threats, 8
arc, 15
Architecture for Voice, Video, and Integrated Data. See AVVID
ASA (Adaptive Security Algorithm), 31, 41–43
ASBRs (Autonomous System Boundary Routers), 216, 220
assigning users to groups, 551
Association, 643
attack guards, 594, 598
  AAA Floodguard, 597
  DNS, 595
  “Do I Know This Already?” quiz, 583–586
  Flood Defender, 597
  fragmentation, 594
  mail guard, 596–597
attacks, 9, 18
  reconnaissance, 9
  SYN flooding, 597
  Syslog, 185
  threats, 8
  types of
    access, 10–11
    DoS, 11
    reconnaissance, 9–10
audit policy, 599


AUS (Auto Update Server), 409, 462
  activation, 464
    auto update server contact information, 469
    PIX Firewall configuration deployment, 470
    PIX Firewall unique identification parameters, 467
  administrative tasks, 483
  assignment configuration, 477
  device configuration, 474
  image configuration, 475
  installing, 463
  reports, 479–481
  supported devices, 463
  user interface, 471–473
authentication, 215
  CAs, 268–269
  configuring, 541–542, 550
    authentication timeout, 549
    console access authentication, 544
    designating parameters, 543
    services, 545
  cut-through proxy, 31, 43
  Easy VPN Remote, 336–338
  HMAC, 265
  prompts, 548
  services, 545
  timeout, 549
  troubleshooting, 574
  VPDN group, 354
  X.509 certificate support, 44, 61
Authentication Header (AH), 263
authentication telnet console command, 72
authentication, authorization, and accounting. See AAA
authorization
  command-level, 74–76
  configuring, 550–561
    Cisco Secure ACS, 551
  cut-through proxy, 31, 43
  rules, 555
  troubleshooting, 575
auth-prompt command, 548–549
Autonomous System Boundary Routers (ASBRs), 216, 220
Auto Update Server. See AUS
AVVID (Architecture for Voice, Video, and Integrated Data), 14–15, 19

B

back user task flow (Firewall MC), 428
banner command, 147
basic configuration, 641
bidirectional network address translation, 114
block scans, 10
blocking applets, 496
boothelper disks, 84
bootstrap commands (Firewall MC), 418
browsers, PDM requirements, 376

C

cables (Crossover Ethernet), 246
caches
  no url-cache command, 500
  show url-cache command, 502
cannot, 497
CAs (Certification Authorities), 337
  VPN, 268–269
case studies
  DUKEM, 633
    authentication, 642
    basic PIX Firewall configuration, 635–640
    configuring access rules, 641
    failover, 655–656
    growth expectation, 634
    logging, 642
    VPNs, 643–654
  troubleshooting implementation, 657–665
certificate revocation lists (CRLs), 144
certificates (X.509), support, 44
cgi-truncate parameter, 501
chapter, 288
CIFS (Common Internet File System), 105
Cisco, 139
Cisco AVVID. See AVVID
Cisco Easy VPN Remote Router clients, 323
Cisco Firewall Services Module. See FWSM
Cisco PIX 501 Firewall, 48
Cisco PIX 501 VPN Client, 322
Cisco PIX 506 Firewall, 49
Cisco PIX 506 VPN Client, 322
Cisco PIX 515E Firewall, 51–53
Cisco PIX 525 Firewall, 54–56


Cisco PIX 535 Firewall, 56–58
Cisco PIX Firewall. See PIX Firewall
Cisco PIX Firewall FastEthernet Interface Card (PIX-1FE), 47
Cisco Secure ACS (Access Control Server), 515, 533, 566
Cisco Secure Intrusion Detection Sensor, 44, 61
Cisco Secure PIX 506, 44
Cisco Secure PIX 515, 44
Cisco Secure PIX 525, 44
Cisco Secure PIX 535, 44
Cisco Secure Scanner, 13
Cisco VPN 3002 Hardware Client, 321–322
Cisco VPN Software Client, 321, 334
  features, 335
  manual configuration, 338–344
  specifications, 335
CiscoWorks
  Firewall MC, 46, 419
    adding users, 421
    login process, 419
    user authorization roles, 421
clear command, 285
clear ntp command, 145
clear rip command, 216
clear route command, 214
clear uauth command, 550
clear xlate command, 115, 593
CLI (command-line interface), 45, 62, 72
Click, 568
client mode (Easy VPN Remote), 333
clients
  Cisco Easy VPN Remote Router clients, 323
  DHCP, 143
  Easy VPN Remote, 321–322
  HTTP, upgrading OS, 83
clock summer-time command, 147
clocks (system), 146–147
command-level authorization, 74–76
command-line interface (CLI), 45, 62, 72
commands, 111, 143, 216, 227, 277, 285, 326, 332, 353, 539, 615–616, 625
  aaa accounting command, 539
  aaa authentication command, 539, 542
  aaa authentication console command, 544
  aaa authorization command, 539
  aaa-server local command, 539
  aaa-server command, 538
  access modes command, 129
  access-group command, 280, 641
  access-list command, 164, 275
  address command, 82
  alias command, 596
  authentication telnet command, 72
  auth-prompt command, 548–549
  banner command, 147
  clear command, 285
  clear ntp command, 145
  clear rip command, 216
  clear route command, 214
  clear uauth command, 550
  clear xlate command, 115, 593
  clock command, 146
  clock summer-time command, 147
  configuration, 129, 151
    global command, 135–136
    interface command, 130
    ip address command, 133
    nameif commands, 131
    nat command, 133–134
    rip command, 137
    route command, 136–137
  configure terminal command, 129
  copy tftp flash command, 81
  crypto ipsec transform-set command, 280, 328
  crypto map command, 278
  debug aaa accounting command, 575
  debug aaa authentication command, 574
  debug aaa authorization command, 575
  debug command, 138, 286, 653
  debug crypto isakmp command, 286
  debug igmp command, 231
  debug radius command, 576
  debug tacacs command, 576
  dhcpd address command, 359
  dhcpd command, 140
  enable command, 129
  enable password command, 72
  file command, 82
  filter activex command, 497
  filter java command, 495
  filter url command, 498
  fixup command, 174–175
  fixup protocol command, 587


  fixup protocol h323 command, 591
  floodguard disable command, 598
  fragment command, 594
  hw-module command, 625
  igmp access-group command, 227
  igmp forward command, 226
  igmp join-group command, 226
  igmp query-interval command, 227
  igmp query-max-response-time command, 227
  igmp version command, 227
  interface command, 82, 210
  ip address command, 133
  ip address dhcp command, 143
  ip audit command, 599
  ip local pool command, 327
  ip verify reverse-path command, 602–603
  isakmp keepalive command, 332
  isakmp policy command, 271
  logging command (syslog), 187
  logging facility command, 186
  logging on command, 194
  match address command, 280
  mroute command, 225
  multicast interface command, 224
  nameif command, 101, 119, 211
  nameif interface commands, 619
  nat command, 162
  nat 0 command, 162
  no aaa-server command, 540
  no fixup protocol ftp command, 176
  no url-cache command, 500
  ntp authenticate command, 145
  ntp authentication-key command, 145
  ntp trusted-key command, 145
  OSPF, 216, 222
    network command, 218
    prefix-list command, 219
    redistribute ospf command, 220
    router ospf command, 217
    show ospf command, 222
  passwd command, 72
  permit ip any command, 275
  ping command, 82, 138
  PIX bootstrap commands, 418
  prefix-list command, 219
  rip command, 215
  route command, 213
  server command, 82
  setup command, 619
  show aaa-server command, 574
  show accounting command, 575
  show activation-key command, 79
  show command, 273, 284, 574, 653
  show conn commands, 116
  show crypto ipsec sa command, 285
  show failover command, 251
  show isakmp policy command, 274
  show module command, 624
  show perfmon command, 503
  show route command, 214
  show url-cache command, 502
  show url-server stats command, 502
  show version command, 78
  show vpdn pppinterface command, 356
  show xlate command, 115
  shun command, 601
  ssh command, 73
  static command, 112
  sysopt connection permit-ipsec command, 283
  sysopt uauth allow-http-cache command, 544
  telnet command, 71
  timeout uauth command, 549
  transform-set command, 277
  translation, 107–108
  troubleshooting, 88–93
  url-cache command, 499
  url-server command, 497
  virtual telnet command, 545
  vpnclient server command, 348
  vpnclient vpngroup command, 348
  write memory command, 72, 139
  write standby command, 244
  xlate command, 108
Common Internet File System (CIFS), 105
communications
  VPN, 261
    CAs, 268–269
    configuring, 269
    IKE, 265, 268
    IPSEC, 262, 265
    troubleshoot, 288
components (AAA), 511, 515, 537


Computer Telephony Interface Quick Buffer Encoding (CTIQBE), 589
Configuration Differences report (Firewall MC), 456
configuration replication (failover), 244
configuration tasks
  Firewall MC, 435
    creating building blocks, 440, 443, 447
    defining access rules, 436
    defining translation rules, 438
    generating and viewing configuration information, 448
    MC settings, 449
configure terminal command, 129
configuring, 139, 617
  AAA, 538
    cut-through proxies, 569
    “Do I Know This Already?” quiz, 533–536
  access
    access rules, 642
    inbound, 159–168
  accounting, 563–565
  assignments (Firewall MC), 477
  authentication, 541–542, 550
    authentication timeout, 549
    console access authentication, 544
    designating parameters, 543
    services, 545
  authorization, 550–561
  basic configuration, 641
  Cisco Secure ACS, 525, 551
  Cisco VPN Software Client
    manually, 338–342, 345
    modifying VPN Client options, 342–344
  commands, 129
    global command, 135–136
    interface command, 130
    ip address command, 133
    nameif command, 131
    nat command, 133–134
    rip command, 137
    route command, 136–137
  crypto maps, 278–280
  cut-through proxy, 569
  DHCP, 140, 143
    clients, 143
    servers, 140–142
  DHCP options, 360
  DHCP server, 357–358
  DNS support, 118
  downloadable PIX ACLs, 569, 572
  Easy VPN Remotes, 347–350
  failover, 242, 246–247, 251, 657
    configuration replication, 244
    DUKEM case study, 655–656
  filters, viewing, 502
  FWSM, 618
    access lists, 620
    interfaces, 619
    running setup command, 619
  IKE, 270, 274
  images (Firewall MC), 475
  interfaces, 638–640
  intrusion detection, 599–600
  IPSec, 274, 283
  login banners, 147–148
  multiple translation types, 112–114
  NAT, 331
  object group, 170
  OSPF, 220–222
  PAT, 134
  PIX Firewall, 129
    DUKEM case study, 635–642
    interface command, 130
    nameif command, 131
    nat command, 133
    PDM, 379–380, 383
    route command, 136
    sample configuration, 149
    saving configuration, 139
    time settings, 144
    verification, 132
  preshared keys, 272
  redundancy, 32–33
  replication, 244
  RIP, 215–216
  routing, 638, 640
  SA lifetimes, 278
  servers, 384
  SNMP, 88
  static routes, 213


  switches (FWSM), 615–616
  syslog, 46, 62, 189
    messages at the console, 192
    sending messages to a log server, 193–194
    SNMP traps and SNMP requests, 195
    syslogd servers, 195–197
  testing configuration, 138
  time settings, 147
  transform sets, 276
  TurboACL, 169
  URL-filtering policy, 498
  virtual HTTP inbound connections, 548
  VPDN group, 354
  VPNs, 269, 292, 647
    DUKEM case study, 643–654
    PDM, 392–404
    troubleshooting, 654
    tunneling, 653
    verifying configuration, 273
  XAUTH, 325–331
connections
  Cisco Secure PIX 501, 48
  Cisco Secure PIX 506, 49
  Cisco Secure PIX 515E, 51–53
  Cisco Secure PIX 525, 54–56
  Cisco Secure PIX 535, 56–58
  cut-through proxy, 31, 43, 513
  “Do I Know This Already?” quiz, 97–100
  Easy VPN Remote, 323–324
  embryonic (half-open), 104
  failover (LAN-based), 245–246
  filters (Java applets), 496
  flags, 117
  security, 7
  stateful failover, 244–245
  Telnet, 71
  threats, 8
  troubleshooting, 114, 118
  types of attacks, 8, 11
  VPNs, troubleshooting, 283–286
  vulnerabilities, 8
console access authentication, 544
content area (Firewall MC user interface), 426
content filtering, 492
copy tftp flash command, 81
creating boothelper disks, 84
CRLs (certificate revocation lists), 144
Crossover Ethernet cables, 246
crypto access lists, 275–276
crypto IPSec SA lifetime, 278
crypto ipsec transform-set command, 280, 328
crypto map command, 278–280
crypto maps
  commands, 280
  configuring, 278
  dynamic, 330
Cisco Secure ACS (Cisco Secure Access Control Server), 533
  authorization, 551
  configuring, 525
  downloadable PIX ACLs, 569, 572
  users, configuring, 551
  verifying, 577
CTIQBE (Computer Telephony Interface Quick Buffer Encoding), 589
cut-through proxy, 31, 43, 513
cut-through proxy configuration, 569

D

data
  compression, 337
  frames, 102
  segments, 101
Data Encryption Standard (DES), 265, 375
DDoS (distributed denial of service) attacks, 11
dead peer detection (DPD), 318, 337
debug aaa accounting command, 575
debug aaa authentication command, 574
debug aaa authorization command, 575
debug command, 138, 286, 653
debug crypto isakmp command, 286
debug igmp command, 231
debug radius command, 576
debug tacacs command, 576
debugging
  DHCP server, 361–362
  multicast configuration, 230
  VPN connectivity, 286
default routes, 213


default security policies, 101
defense in depth, 14
defining, 616
  access rules (Firewall MC), 436
  multiple transform sets, 276
  translation rules (Firewall MC), 438
demilitarized zone (DMZ) segment, 113
denial of service (DoS) attacks, 11
deny keyword, 275
deploying FWSM, 612–613
deployment tasks
  Deploy Saved Changes, 450–451
  Status Summary, 454
DES (Data Encryption Standard), 265, 375
device management (Firewall MC), 429, 434
  importing devices, 431
  managing groups, 429
Device Setting Report, 457
devices
  Firewall MC support, 416
  supported by AUS, 463
DHCP (Dynamic Host Configuration Protocol), 358
  configuration, 140–143
  lease length, 360
  overview, 358
DHCP servers
  auto configuration, 361
  configuring, 357–358
  debugging, 362
  PIX Firewall, 359–360
dhcpd address command, 359
dhcpd auto-config command, 353
dhcpd command, 140–141
disabling Syslog messages, 198
distinguished name (DN), 324
distributed denial of service (DDoS) attacks, 11
DMZ (demilitarized zone) segment, 113
DN (distinguished name), 324
DNS (Domain Name Service), 176, 596
  DNA guard, 595
  support
    configuring, 118
    in PIX Firewall, 139
  queries, 9
“Do I Know This Already?” quizzes
  AAA, 507–510
  AAA configuration, 533–536
  access, 155–158
  access VPNs, 311–315
  attack guards and multimedia support, 583–586
  content filtering, 491–494
  failover, 238–240
  Firewall MC, 409–413
  FWSM, 607–610
  network security, 3–6
  PDM, 369–372
  PIX Firewalls, 23–25, 37–40, 125–128
  Syslog, 181–184
  system maintenance, 67–70
  translation and connection, 97–100
DoS (denial of service) attacks, 9–11
downloadable PIX ACLs, 569, 572
DPD (dead peer detection), 318, 332
dynamic address translation, 107
dynamic crypto maps, 330
Dynamic Host Configuration Protocol. See DHCP
dynamic routes, 214
  configuring RIP, 216
  OSPF
    commands, 216–220
    configuring, 220
    viewing configuration, 222
dynamic shunning, 601

E

Easy VPN Remote
  authentication, 338
  connection process, 323–324
  modes of operation, 332–333
  overview, 320
  PIX Firewall configuration, 347–348
    client device mode, 348
    IUA, 350
    SUA, 349
  supported clients, 321–322
  supported servers, 320
  tunneling protocols, 336
Easy VPN Server, 316
  IPSec options, 319
  overview, 318
embedding, secure real-time embedded systems, 31


embryonic (half-open) connections, 104
enable command, 129
enable password command, 72
enabling
  DHCP on PIX Firewall, 361
  IUA, 351
  PPPoE client, 355
  RIP, 137
Encapsulating Security Payload (ESP), 262
encapsulation (upper-level data), 102
encryption
  3DES, 265
  crypto access lists, 275
  DES, 265, 375
  Easy VPN Remote, 336
  hash algorithms, 329
enrollment mechanisms, 337
ESP (Encapsulating Security Payload), 262
Ethernet VLAN tagging, 208
  logical interfaces, 209–210
  managing VLANs, 211
Event Report (AUS), 481
events
  failover, 241–243
  Syslog, 46, 62
external threats, 9

F

fabrication, access attacks, 10
failover
  configuring, 242, 246–247, 251, 657
    configuration replication, 244
    DUKEM case study, 655–656
  “Do I Know This Already?” quiz, 238–240
  events, 241–243
  LAN-based, 245–246
  PIX Firewall, 248–251
  redundancy, 32–33
  stateful, 244–245
file command, 82
File Transfer Protocol (FTP), 176
filter activex command, 497
filter java command, 495
filter url command, 498
filtering, 495
  ActiveX objects, 497
  FTP, 500
  FTP sites, 499
  HTTPS, 500
  HTTPS sites, 499
  Java applets, 495
  URLs, 497–499
    configuring URL-filtering policy, 498
    identifying servers, 497
    long URLs, 501–502
filters
  Java applets, 496
  viewing, 502
Firewall MC
  administration tasks, 458
    maintenance, 461
    support, 462
    workflow setup, 458–460
  AUS, 462
    activation, 464, 467–470
    administrative tasks, 483
    assignment configuration, 477
    device configuration, 474
    image configuration, 475
    installing, 463
    reports, 479–481
    supported devices, 463
    user interface, 471–473
  back user task flow, 428
  CiscoWorks, 419
    adding users, 421
    login process, 419
    user authorization roles, 421
  configuration hierarchy, 415
  configuration tasks, 435
    creating building blocks, 440, 443, 447
    defining access rules, 436
    defining translation rules, 438
    generating and viewing configuration information, 448
    MC settings, 449
  deployment tasks
    Deploy Saved Changes, 450–451
    Status Summary, 454
  device management, 429, 434
    importing devices, 431
    managing groups, 429


  “Do I Know This Already?” quiz, 409–413
  installing, 416
    client requirements, 418
    server requirements, 417
  key concepts, 414
  PIX bootstrap commands, 418
  reports, 454–457
  supported devices, 416
  user interface, 423
    Activity bar, 428
    configuration tabs, 425
    Object Selector, 427
    options bar, 425
    path bar, 426
    TOC, 425
    Tools bar, 427
firewall module switch command, 616
firewall vlan-group command, 616
firewalls, 26, 30
  basic configuration, 641
  managing, 45, 62
  packet filtering, 26–28
  PIX, 30–33
    ASA, 31, 41–43
    Cisco 501, 48
    Cisco 506, 49
    Cisco 515E, 51–53
    Cisco 525, 54–56
    Cisco 535, 56–58
    models, 44
  proxy, 28
  proxy servers, 28
  stateful inspection, 29–30
fixup command, 174–175
fixup protocol command, 587
fixup protocol h323 command, 591
Flood Defender, 597
Floodguard, 597
floodguard disable command, 598
formatting
  boothelper disk, 84
  crypto access lists, 275
fragment command, 594
fragmentation guard, 594
frames, 102
FTP (File Transfer Protocol), 176, 500
FWSM (Cisco Firewall Services Module), 44, 607
  configuring, 618–619
    access lists, 620
    interfaces, 619
  deployment scenarios, 612–613
  “Do I Know This Already?” quiz, 607–610
  initializing, 615–616
  overview, 611
  PIX Firewall, 622
  status LED, 625
  troubleshooting, 623
    resetting and rebooting, 625
    switch commands, 623

G

gateways, 46, 62, 82, 269
gigabits per second (Gbps), 611
global command, 135–136
global information, recording, 636
global IP addresses, 639–640
groups
  rules, 555
  users, 551
guards, 596
  attack, 598
  DNS, 595–596
  mail, 596–597

H

H.323, 589–591
H.323 collection of protocols, 591
handling protocols, 175, 177
hardware (Cisco Secure ACS), 515
headers (AH), 263
HMAC (Keyed-Hash Message Authentication Code), 265
horizontal scans, 9
Hosts/Networks tab (Startup Wizard), 385
HTTP
  clients, upgrading OS, 83
  virtual, 548
HTTPS filtering, 500
hw-module command, 625


I

ICMP object groups, 172
identifying
  filtering servers, 497
  servers, 538, 541
IGMP (Internet Group Management Protocol), 224
igmp access-group command, 227
igmp forward command, 226
igmp join-group command, 226
igmp query-interval command, 227
igmp query-max-response-time command, 227
igmp version command, 227
IKE (Internet Key Exchange)
  configuring, 270, 274
  VPN, 265, 268
implementation of security designs, 12
importing devices (Firewall MC), 431
inbound access, 159–162
  access lists, 164–166
inbound connections, 43
  cut-through proxy, 31
Individual User Authentication (IUA), 350
information security, 7
Initial Contact, 319
initializing
  FWSM, 615–616
  PDM, 623
inspection
  advanced protocol handling, 175–177
  FTP, 176
installing
  AUS, 463
  Cisco VPN Software Client, 339
  Cisco Secure ACS, 516–518, 527
  Firewall MC, 416
    client requirements, 418
    server requirements, 417
  operating systems, 77
  PDM, 378
Instructions box (Firewall MC user interface), 426
integrated data (AVVID), 14–15, 19
integrity, X.509 certificate support, 44, 61
Intel Internet Video Phone, 177
interception, 10
intercepts (TCP), 161–162
interface command, 82, 130, 210
interfaces, 641. See also access
  CLI, 45, 62, 72
  configuring, 638–640
  static NAT, 159
Internet Group Management Protocol (IGMP), 224
Intranet VPNs, 261
intrusion detection, 44, 61, 598, 601
  configuring, 599–600
  dynamic shunning, 601
  optimizing, 13
IP
  address pool, 327
  addresses
    global, 639–640
    mapping, 637
  fragmentation, 594
ip address command, 133
ip address dhcp command, 143
ip audit command, 599
ip local pool command, 327
IP routing, 212
  dynamic routes, 214
    configuring RIP, 216
    OSPF, 216–222
  multicasting, 224
    commands, 224–227
    debugging, 230
    inbound traffic, 228–229
    outbound traffic, 230
  static routes, 212–213
ip verify reverse-path command, 602–603
IPSec (Internet Protocol Security)
  configuring, 274, 283
  Easy VPN Server, 319
  sysopt connection permit-ipsec command, 283
  VPN, 262, 265
IPSec Traffic Selector Panel, 396
isakmp keepalive command, 332
isakmp policy command, 271, 326
IUA (Individual User Authentication), 350


J–K

Java applets, 495–496
Keyed-Hash Message Authentication Code (HMAC), 265
keywords, 275

L

LAN-based failover, 245–246
levels of security, 101, 186
link-state advertisements (LSAs), 216
Linux, PDM requirements, 377
listening (ports), 8
lists
  access, 164
  CRLs, 144
logging
  ACLs, 172
  configuring, 642
logging commands (syslog), 187
logging facilities, 186
logging on command, 194
logical interfaces, 209–210
login banners, configuring, 147–148
logs, viewing, 190
longurl-truncate parameter, 501
LSAs (link-state advertisements), 216

M

mail guard, 596–597
main mode (IKE), 266
managing
  firewalls, 45, 62
  VLANs, 211
mapping
  static IP addresses, 637
  static NAT, 159
match address command, 280
MD5 (Message Digest 5), 265
MDIX (Medium Dependent Interface Crossover), 322
Media Gateway Control Package (MGCP), 591–592
Medium Dependent Interface Crossover (MDIX), 322
memory requirements, 77
Message Digest 5 (MD5), 265
messages
  digest, 265
  HMAC, 265
  Syslog
    changing levels, 187
    disabling, 198
    organizing, 188
    reading, 189
    sending to a Telnet session, 193
MGCP (Media Gateway Control Package), 591–592
Microsoft NetMeeting, 177, 545
Microsoft Netshow, 177
models (PIX Firewalls), 44
modes
  access, 129
  monitor, 82
  stateful failover, 244
modification
  access attacks, 10
  activation keys, 80
monitor mode, 82
monitoring
  failover events, 243
  networks, 13
  PPPoE client, 355–356
Monitoring button (PDM), 389–391
monitoring PIX Firewall, 389–391
mroute command, 225
MSFC (Multilayer Switch Feature Card), 613
  configuring on the inside interface, 617
  as inside router, 613
MTU (maximum transmission unit), 339
multicast interface command, 224
multicast routing, 224
  commands
    igmp access-group command, 227
    igmp forward command, 226
    igmp join-group command, 226
    igmp query-interval command, 227
    igmp query-max-response-time command, 227
    igmp version command, 227
    mroute command, 225
    multicast interface command, 224


  debugging, 230
  inbound traffic, 228–229
  outbound traffic, 230
multimedia
  H.323, 591
  RTSP, 588
  support, 177, 587, 591
    “Do I Know This Already?” quiz, 583–586
    H.323, 589–591
    MGCP, 591–592
    SCCP, 592
    SiP, 593
    VoIP, 588–589

N

name, 324
nameif command, 101, 119, 131, 211
nameif interface commands, 619
NAS (Network Access Server), 512, 537–538, 541
NAT (Network Address Translation), 106–109
  bidirectional, 114
  configuring, 331
  policy NAT, 162
  static, 159
  static NAT, 159
nat 0 access-list address translation rule, 159
nat 0 command, 162
nat command, 133–134
nat/global command, 101
NDG (Network Device Group), 558
negotiation
  IKE, 265, 268
nesting object groups, 172
NetBIOS Domain Name System, 105
NetMeeting, 545
Network Access Server (NAS), 512
Network Address Translation. See NAT
network command, 218
Network Device Group (NDG), 558
network object group, 170
network of networks, 14
network security
  defense in depth, 14
  “Do I Know This Already?” quiz, 3–6
  as a “legal issue”, 13
Network Time Protocol (NTP), 144–145
networks
  addresses, translation, 45
  firewalls, 26, 30–33
  monitoring, 13
  SAFE, 16, 20
  security, 7, 11
  threats, 8
  types of attacks, 8, 11
  VPN, 261
    CAs, 268–269
    certificates, 45
    configuring, 269, 647
    gateways, 46, 62
    IKE, 265, 268
    IPSec, 262, 265
    scalability, 288
    troubleshooting, 288, 654
    tunneling, 653
  vulnerabilities, 8
no aaa-server command, 540
no fixup protocol ftp command, 176
no url-cache command, 500
nodes (communication), 103
nonce values, 267
NTP (Network Time Protocol), 144–145
ntp authenticate command, 145
ntp authentication-key command, 145
ntp trusted-key command, 145
null rules, 389

O

object grouping, 169, 172
Object Selector (Firewall MC user interface), 427
Open System Interconnection (OSI), 26
operating systems (Cisco Secure ACS), 515
optimization (security), 13
Organizational Unit (OU), 324
OS (operating system)
  installing, 77
  upgrading, 80
    copy tftp flash command, 81
    HTTP client, 83
    monitor mode, 82


OSI (Open System Interconnection), 26
OSI reference model, 28
OSPF (Open Shortest Path First)
  commands, 216
    network command, 218
    prefix-list command, 219
    redistribute ospf command, 220
    router ospf command, 217
    show ospf command, 222
  configuring, 220
  overview, 216
  viewing configuration, 222
OU (Organizational Unit), 324

P

packets, 101
parameters
  AAA authentication, 543
  access-list command, 164
  banner command, 148
  cgi-truncate command, 501
  clock command, 146
  dhcpd command, 141
  filter command, 496
  global command, 135
  interface command, 130
  isakmp policy command, 271
  longurl-truncate command, 501
  nameif command, 132
  nat command, 134
  ntp command, 144
  rip command, 137
  static command, 159
  syslog command, 189
  username command, 76
passwd command, 72
password recovery, 85–87
  diskless PIX Firewall, 86
  floppy drives, 86
PAT (Port Address Translation), 45, 106–107, 110, 134
patches, 8. See also vulnerabilities
path bar, Firewall MC user interface, 426
PDM
  access rules, 387
  configuring PIX Firewall, 379–380, 383
  defining hosts and networks, 385
  “Do I Know This Already?” quiz, 369–372
  GUI, 374
  installing, 378
  monitoring capability, 389–391
  overview, 373
  requirements to run on PIX Firewall, 375
    Linux requirements, 377
    SUN Solaris, 377
    Windows, 377
    workstation, 376
  translation rules, 386–387
  versions, 375
  VPN configuration, 392–394
    remote-access, 397–404
    Site to Site VPNs, 395
PDM (PIX Device Manager), 46, 62, 544, 601
PDM (PIX Device Manager) Image, 622
PDM Log panel, 190
per user command authorization, 560
performance, 15
perimeter security
  firewalls, 26, 30
  packet filtering, 26–28
  PIX, 30–33
  proxy servers, 28
  stateful inspection, 29–30
permit ip any command, 275
permit keyword, 275
PFSS (PIX Firewall Syslog Server), 185, 196
phase 1 negotiation, 266
physical interfaces, 211
physical security
  AAA, 511, 515
  security policies, 11
PIDs (process identifications), 220
ping command, 82, 138
ping sweeps, 9
pipes, 186
PIX 515E Firewall, 52
PIX Device Manager (PDM), 46, 62, 544, 601, 622
PIX DHCP, 360


PIX Firewall, 32
  AAA, 512
    supported server technologies, 515
  ASA, 41–43
  characteristics, 30
  Cisco 501, 48
  Cisco 506, 49
  Cisco 515E, 51–53
  Cisco 525, 54–56
  Cisco 535, 56–58
  configuring, 129
    DHCP, 140–143
    inbound access, 159–166
    PDM, 379–380, 383
    sample configuration, 149
  cut-through proxy, 513
  DHCP server, 359–360
    auto configuration, 361
    debugging, 362
  DNS support, 139
  “Do I Know This Already?” quiz, 23–25, 37–40, 125–128
  dynamic shunning, 601
  Easy VPN Remote configuration, 347–348
    client device mode, 348
    IUA, 350
    SUA, 349
  failover
    configuring, 242
    events, 241
    sample configuration, 248–249, 251
  Flood Defender, 597
  FWSM, installing PDM, 622
  intrusion detection, 598
  IP routing, 212
    dynamic routes, 214–222
    static routes, 212–213
  logical interfaces, 209–210
  login banners, 147–148
  models, 44
  monitoring, 389–391
  multimedia support, 587
    H.323, 589–591
    MGCP, 591–592
    SCCP, 592
    SIP, 593
    VoIP, 588–589
  optional components, 47
  OSPF, 216
  PDM, requirements to run, 375–377
  PPPoE, 351–352
    enabling PPPoE client, 355
    monitoring PPPoE client, 355–356
  RIP, 215
  scalable VPNs, 288
  secure real-time embedded system, 31
  syslog
    configuring, 189, 192
    logging facilities, 186
    organizing messages, 188
    PFSS, 197
    reading messages, 189
    sending messages to a log server, 193–194
    sending messages to a Telnet session, 193
    severity levels, 187
    SNMP traps and SNMP requests, 195
  time settings, 144
  troubleshooting, 574
    implementation, 657–665
  upgrading OS, 80
PIX Firewall Syslog Server (PFSS), 185, 196
PIX MC (CiscoWorks Management Center for Firewalls), 46
PIX-1FE (Cisco PIX Firewall FastEthernet Interface Card), 47
point-to-point architecture, 12, 42–58, 102–104, 112–114, 120–121, 191, 248, 261–267, 292, 308, 374, 380–390, 393–405, 514, 519, 521–522, 527–528, 538–541, 546, 552–573, 590
policies, 18
  ISAKMP, 272
  security, 11, 101
policy, 647
policy NAT, 162
Port Address Translation (PAT), 45, 107
Port Fast, 242
ports
  address translation, 45
  fixup command, 174–175
  listening, 8
  redirection, 112
  static address translation, 161


PPP (Point-to-Point Protocol), 352
PPPoE (Point-to-Point Protocol over Ethernet), 351–352
  enabling PPPoE client, 355
  monitoring PPPoE client, 355–356
prefix-list command, 219
preshared keys, 267
  configuring, 272
process identifications (PIDs), 220
processes (security), 12
prompts (authentication), 548
protocol object-type, 171
protocols
  advanced handling, 175–177
  FTP, 176
  H.323 collection, 591
  NTP, 144–145
  PPP, 352
  SCEP, 45, 61
  SNMP, 46, 62
  TCP, 102
    intercepts, 161–162
  transport, 101, 106
  UDP, 102
proxy firewalls, 28
public address translation, 45

Q–R

queries (DNS), 9
RADIUS (Remote Authentication Dial-In User Service), 515
RealNetworks RealAudio and RealVideo, 177
Real-Time Streaming Protocol (RTSP), 588
reconnaissance attacks, 9–10
recording global information, 636
recovery, passwords, 87
redirection (ports), 112
redistribute ospf command, 220
redundancy, 32–33
remote access, 71, 74
  DUKEM case study, 654
  SSH, 72–74
  Telnet, 71–72
Remote Authentication Dial-In User Service (RADIUS), 515
remote office/branch office (ROBO), 49
remote-access VPNs, 261, 397–400, 402, 404
remote-procedure call (RPC), 105
replication, configuration, 244
reports
  AUS, 479
    Event Report, 481
    System Info Report, 480
  Firewall MC, 454, 457
requests (SNMP), 195
requirements (memory), 77
resources, 10
Restricted Bundle, 59
reverse path forwarding, 602–603
RIP (Routing Information Protocol), 137
  configuring, 216
  enabling, 137
rip command, 137, 215
ROBO (remote office/branch office), 49
route command, 136–137, 213
router ospf command, 217
routing, 203, 215
  authentication, 215
  configuring, 636–640
  IP routing, 212
    dynamic routes, 214–222
    static routes, 212–213
  multicast routing, 224, 227
    commands, 224–227
    debugging, 230
    inbound traffic, 228–229
    outbound traffic, 230
  principles, 208
Routing Information Protocol. See RIP
RPC (remote-procedure call), 105
RTSP (Real-Time Streaming Protocol), 588
rules
  access, configuring, 642
  groups, authorization, 555
running setup command, 619

S

SA (security association), 262, 278


SAFE (Secure Blueprint for Enterprise Networks), 16, 20
saving configuration, 139
scalability
  AVVID, 15
  VPN, 288
scanning
  block, 10
  Cisco Secure Scanner, 13
  horizontal, 9
  vertical scans, 9
SCCP (Skinny Client Control Protocol), 592
SCEP (Simple Certificate Enrollment Protocol), 45, 61
Scope bar (Firewall MC user interface), 426
Secure Hash Algorithm 1 (SHA-1), 265
Secure Intrusion Detection Sensor, 44, 61
secure real-time embedded systems, 31
Secure Shell (SSH), 72–74
Secure Unit Authentication (SUA), 349
security, 262, 265
  AAA, 511, 515
  access rules (PDM), 387
  ASA, 31, 41–43
  attack guards, 594, 598
    AAA Floodguard, 597
    DNS, 595
    Flood Defender, 597
    fragmentation, 594
    mail guard, 596
  attacks, 18
  design, implementing, 12
  firewalls, 26, 30
    packet filtering, 26–28
    PIX, 30, 32–33
    proxy servers, 28
    stateful inspection, 29–30
  intrusion detection, 598, 601
    configuring, 599–600
    dynamic shunning, 601
  levels (Syslog), 186
  network, 7, 13
  optimizing, 13
  policies, 11, 18, 101
  process, 12
  static NAT, 159
  testing, 13
  threats, 8, 17
  traffic
    levels, 101
    transport protocols, 101, 106
  types of attacks, 8, 11
  vulnerabilities, 8
security association (SA), 262
segments, 101, 113
selecting VPN configuration, 269–270
sends, 187
server, 642
server command, 82
servers
  AAA
    configuring, 538, 569
    identifying, 538, 541
    specifying, 537
  ACS, 44
    configuring, 384
  Cisco Secure ACS, 515, 527, 533
    authorization, 551
    installing, 516–518, 527
    users, 551
    verifying, 577
  DHCP, 140–143
  filters, identifying, 497
  NAS, 512, 537–538, 541
  NetMeeting, 546
  PFSS, 185, 196
  Syslog, 185
  syslogd servers, 195–197
service definitions, 443
service groups, 445
service object-type, 171
services
  authentication, 545
  fixup command, 174–175
session command, 625
Session Initiation Protocol (SIP), 593
setup command, 619
severity levels (syslog), 187
SHA-1 (Secure Hash Algorithm), 265
shell command authorization sets, 561
show aaa-server command, 574
show accounting command, 575
show activation-key command, 79
show command, 273, 284, 574, 653
show conn command, 116
show crypto ipsec sa command, 285
show failover command, 251


show isakmp policy command, 274
show module command, 624
show ospf command, 222
show perfmon command, 503
show route command, 214
show url-cache command, 502
show url-server stats command, 502
show version command, 78
show vpdn pppinterface command, 356
show xlate command, 115
shun command, 601
Simple Certificate Enrollment Protocol (SCEP), 45, 61
SIP (Session Initiation Protocol), 593
Site to Site VPNs, 261, 392–395
Skinny Client Control Protocol (SCCP), 592
SMTP, 177
SNMP (Simple Network Management Protocol), 46, 62
  configuring, 88
  requests, 195
  system maintenance, 87
  traps, 195
specifying AAA servers, 537
split tunneling, 404
spoofing, 28
SSH (Secure Shell), remote access, 72–74
standby unit, 244
state tables, 29
stateful failover, 244–245
  redundancy, 32–33
static command, 111–112
static crypto maps, 330
static IP address mapping, 637
static NAT, 159
static port address translation (static PAT), 161
static routes, 212–213
static translation, 107, 111
statistics
  show url-server stats command, 502
  viewing filters, 502
structured threats, 8
SUA (Secure Unit Authentication), 349
Sun Solaris, PDM requirements, 377
support
  DNS, configuring, 118
  multimedia, 177, 591
    H.323, 591
    RTSP, 588
  Syslog, 46, 62
  X.509 certificates, 44
SYN flooding, 597
Syslog, 185
  changing message levels, 187
  configuring, 189
    messages at the console, 192
    sending messages to a log server, 193–194
    SNMP traps and SNMP requests, 195
    syslogd servers, 195–197
  “Do I Know This Already?” quiz, 181–184
  logging facilities, 186
  messages
    disabling, 198
    organizing, 188
    reading, 189
    sending to a Telnet session, 193
  security levels, 186
  severity levels, 187
  support, 46, 62
  viewing logging with PDM, 190
syslogd servers, 195, 197
sysopt connection permit-ipsec command, 283
sysopt uauth allow-http-cache command, 544
system clock, 146–147
System Info Report (AUS), 480
system maintenance. See also troubleshooting
  command-level authorization, 74–76
  creating boothelper disks, 84
  “Do I Know This Already?” quiz, 67–70
  installing OS, 77
  object grouping, 169, 172
  password recovery, 85
    diskless PIX Firewall, 86
    floppy drives, 86
  SNMP, 87
  TurboACL, 168
  upgrading activation keys, 79
System Properties tab (Startup Wizard), 381
system requirements (Cisco Secure ACS), 515


T

TACACS+ (Terminal Access Controller Access Control System Plus), 515
tagging. See Ethernet VLAN tagging
TCP
  intercepts, 161–162
  three-way handshake, 103
  virtual circuits, 102
technologies (VPN), 261
Telnet, 71
  starting sessions, 72
  virtual Telnet, 545
telnet command, 71
Terminal Access Controller Access Control System Plus (TACACS+), 515
testing
  configuration, 138
  security, 13
TFTP (Trivial File Transfer Protocol), 374
threats, 8, 17
three-way handshake (TCP), 103
time settings
  configuration, 147
  configuring, 144
  NTP, 144–145
  system clock, 146–147
timeout uauth command, 549
timeouts (authentication), 549
tokens, X.509 certificate support, 44, 61
Tools bar (Firewall MC user interface), 427
traffic, 30
  cut-through proxy, 513
  firewalls, 26, 28, 30
    PIX, 30–33
    proxy servers, 28
  routing, 203, 208
  security
    levels, 101
    transport protocols, 101, 106
  stateful inspection, 29
Transform Set Panel, 395
transform sets
  configuring, 276
  creating, 328
  crypto ipsec transform-set command, 280
  defining multiple, 276
transform-set command, 277
translation
  addresses, 45, 106, 114
    commands, 107–108
    NAT, 108–109
    PAT, 110
    static, 111
    troubleshooting, 114, 118
  bidirectional, 114
  “Do I Know This Already?” quiz, 97–100
  dynamic address translation, 107
  flags, 116
  multiple, configuring, 112, 114
  rules, 386, 438
  static port add, 161
translation rules, 387
translation slots, 104
transparent tunneling, 341
transport protocols, 101, 106
traps (SNMP), 195
Triple Data Encryption Standard (3DES), 265
Trivial File Transfer Protocol (TFTP), 374
Trojan horses, 10
troubleshooting, 67, 654. See also system maintenance
  AAA, 573, 577
  accounting, 575
  address translation, 114, 118
  authentication, 574
  authorization, 575
  boothelper disk, 84
  commands, 88–93
  FWSM, 623
    resetting and rebooting, 625
    switch commands, 623
  password recovery, 85–86
  PIX Firewall implementation, 657–665
  security, 13
  Syslog, 185
  VPN, 288, 653
  VPN connections, 283–286
trunk ports, 209
tunneling
  transparent, 341
  VPN, 653
tunneling protocols, 336
TurboACL, 168–169


U

UDP (User Datagram Protocol), 102
unauthorized access, 10
Unicast RPF (Unicast Reverse Path Forwarding), 602–603
unstructured threats, 8
upgrading
  activation keys, 79–80
  operating systems, 80
    copy tftp flash command, 81
    HTTP client, 83
    monitor mode, 82
upper-level data, 102
url-cache command, 499
URLs
  filtering, 497–499
    configuring URL-filtering policy, 498
    identifying servers, 497
  long (filtering), 501–502
url-server command, 497
User Datagram Protocol (UDP), 102
users
  accounting, 563–565
  authentication, 541–545, 549–550
  authorization, 550–561

V

VAC (VPN Accelerator Card), 47
VAC+ (VPN Accelerator Card Plus), 47
VDOnet VDOLive, 177
verification
  Cisco Secure ACS, 577
  IKE configuration, 273
  X.5, 61
  X.509, 44
vertical scans, 9
video (AVVID), 14–15, 19
viewing
  accounting, 565
  filters, 502
  logging, 190
virtual circuits, 102
virtual HTTP, 548
virtual interfaces, 52
virtual private networks. See VPNs
virtual services, authentication, 545
virtual telnet command, 545
virtual Telnet, 545
viruses, 10
vlan command, 615
VLANs (Virtual LANs), 615
  creating, 615
  managing, 211
  physical interfaces, 211
VocalTech, 177
voice (AVVID), 14–15, 19
VoIP, 588–589
VPDN (Virtual Private Dial-Up Networking) group, 354
VPN Accelerator Card (VAC), 47
VPN Accelerator Card Plus (VAC+), 47
vpnclient server command, 348
vpnclient vpngroup command, 348
VPNs (Virtual Private Networks)
  access VPNs, 261, 311
  CAs, 268–269
  certificates, 45
  configuring, 269, 292, 647
    DUKEM case study, 645–653
    ISAKMP policies, 272
    troubleshooting, 654
    tunneling, 653
    verifying configuration, 273
  connections, troubleshooting, 283–286
  gateways, 46, 62
  IKE, 265, 268
  IPSec, 262, 265
  PDM
    configuration, 392–404
  remote access
    DUKEM case study, 654
  remote-access, 397–404
  scalability, 288
  Site to Site VPNs, 392–395
  technologies, 261
  troubleshooting, 288
vulnerabilities, 8
VXtreme WebTheatre, 177

W

White Pine CuSeeMe, 177


White Pine Meeting Point, 177
Windows 2000
  Cisco Secure ACS, 516–518, 527
  PDM requirements, 377
Windows Internet Naming Service (WINS), 142
Windows NT
  Cisco Secure ACS, 516–518, 527
  PDM requirements, 377
WINS (Windows Internet Naming Service), 142
worms, 10
write memory command, 72, 139
write standby command, 244

X

X.509 certificates, support, 44
XAUTH (extended authentication), 325
  configuring, 326, 330–331
  defining group policy for mode configuration push, 328
  transform sets, 329
Xing StreamWorks, 177
xlate command, 108
