3DES (Triple Data Encryption Standard), 264-265, 304
AAA (Authentication,
Authorization and
Accounting), 114
aaa accounting command, 140
aaa authentication login
default local
command, 120
aaa local authentication
attempts max-fail
command, 120
aaa new-model
command, 119
accounting configuration, 139-140
administrative
access, 115
clear aaa local
user lockout
command, 121
configuration
snapshots, 141
debug aaa
command, 120
exec authentication
policies, creating, 136
login authentication
policies, creating, 134-135
network authentication
policies, creating, 138
no aaa new-model
command, 119
remote user network
access, 115
router implementation
external AAA, 115-116, 122, 127-140
local AAA, 115-120
reasons for, 114
types of router
access, 116
show aaa local
user lockout
command, 120
show aaa sessions
command, 121
show aaa user all
command, 121
TACACS+, 125, 129-131, 140-141
troubleshooting, local
AAA, 140-141
AAA Client Hostname field
(Secure ACS Network
Configuration
page), 130
AAA Client IP Address field
(Secure ACS Network
Configuration page), 130
AAA clients. See NAS
academic hackers, 31
access (physical), best
practice against network
attacks, 46
access-class command, 102
access-list command, 99
accounting (AAA)
administrative
access, 115
configuration
snapshots, 141
configuring, 139-140
remote user network
access, 115
router implementation
external AAA, 115-116
local AAA, 115-120
reasons for, 114
types of router
access, 116
troubleshooting, local
AAA, 140-141
ACE (Application Control
Engine), 77
ACL (Access
Control Lists), 203
best practices, 208
common services,
filtering, 216-217
configuring via Cisco
SDM, 209-211
crypto ACL
Step-by-Step Setup
mode (Site-to-Site
VPN Wizard), 333-334
traffic-defining crypto ACL, creating
in IPsec
VPN, 319-320
verifying, 325
Firewall and ACL
Wizard (SDM), 110
ICMP, filtering, 216-217
identifying, 205
inbound IP address
spoofing, 204, 213-214
IPsec VPN compatibility, 315-316
named ACL, 205
network services,
filtering, 212
numbered ACL, 205
outbound IP address
spoofing, 204, 215
router service traffic,
filtering, 217
static packet-filtering
firewalls, creating, 204-217
usage examples, 205-208
ZPF, 220
ACS (Access Control
Servers). See Secure ACS
Add AAA Server dialog
(SDM), 131
Add Server window (SDM),
Server IP or Host
field, 131
Additional Tasks menu
(SDM), 111-112
administrative access
(AAA), 115
administrative access
(routers), 91
banner messages, 104
CLI role-based access,
configuring, 98-100
IOS resilient configuration
feature (Cisco), 101-102
line interfaces, 92-93
passwords
best practices, 94
configuring, 94-97
console
passwords, 94
enable passwords, 95
minimum length
configuration, 96
recovering, 97
secret passwords, 95
service password
encryption, 95
timeouts, 96
username
security, 96
virtual passwords, 95
privilege levels,
setting, 97
view creation, 98-100
virtual login security, 102-103
administrative controls
attributes of, 23
best practices against
network attacks, 45
administrative law,
prosecuting computer
crimes, 27
AES (Advanced Encryption
Standard), 253-255, 265-266, 304
AES Homepage
website, 505
age metric (data
classification), 22
AH (Authentication
Headers), IKE Phase II, 312-313
AIM-VPN (Advanced
Integration Module-Virtual
Private Networks), 300
alarms (signature), security
levels, 359-360
answers (practice exams)
anti-replay, site-to-site
VPN, 303
AnyConnect VPN Client, 300
application inspection
firewalls, 199-200
Application Layer (OSI
Layers 5-7),
encryption, 249
application layer gateways, 194-195
application servers,
VoIP, 412
applications, software
security, 398
ARP (Address Resolution
Protocol)
disabling, 172
GARP, disabling, 171
ASA 5500 Series Adaptive
Security appliances, 202, 299
ASR (Aggregation Service
Routers), web
resources, 90
assets, defining (network
security policies), 62
asymmetric key encryption
algorithms, 251, 275
authentication via, 277
DH, 255
length of, 253
private key
algorithms, 276
public key
algorithms, 276
speed of, 253
trusted algorithms, 255
types of, 253
atomic signatures, 358
attacks (network)
availability attacks, 42
botnets, 43
computer environment
attacks, 44
DDoS attacks, 44
DoS attacks, 43
electrical power attacks, 44
ICMP floods, 43
MAC floods, 45
physical environment
attacks, 44
SYN floods, 44
best practices against
administrative
controls, 45
education, 45
encryption, 46
environmental control, 46
hardware, 46
passwords, 46
patches, 45
physical access, 46
physical controls, 46
security policies, 45
TCP ports, 46
technical controls, 46
UDP ports, 46
unnecessary services, 46
confidentiality attacks, 36
covert channel
attacks, 37
dumpster diving, 37
emanation
capturing, 37
identity theft, 38
overt channel
attacks, 37
packet sniffing (protocol
analysis)
attacks, 37
pharming attacks, 38
phishing attacks, 38
ping sweeps, 37
port scanning
attacks, 37
protocol analysis
(packet sniffing)
attacks, 37
social engineering
attacks, 37
DDOS attacks, 36
Defense in Depth philosophy, 33-34
DoS attacks, 36
exploits, defining, 30
external threats
examples of, 16
protecting
against, 17
hackers
motivations of, 31
specializations of, 31
thought process of, 32
types of, 31
integrity attacks
data diddling, 39
password attacks, 39
port redirection
attacks, 40
salami attacks, 39
session hijacking, 39
trust exploits, 39
internal threats
best practices
against, 17
examples of, 16
seriousness of, 17
IP spoofing, 34-36
MiM attacks, 36
risks, defining, 30
seven steps for compromising
targets and
applications, 32
vulnerabilities,
categories of, 30
audits (security). See
Security Audit Wizard
(SDM)
AUP (Acceptable Use
Policies), 64
Authenticate Using drop-down
list (Secure ACS
Network Configuration
page), 131
authentication (AAA)
administrative
access, 115
applications requiring
authentication list, 40
asymmetric key encryption
algorithms, 277
certificate-based
authentication, 283-284
configuration snapshots, 141
exec authentication
policies, creating, 136
login authentication
policies, creating, 134-135
network authentication
policies, creating, 138
remote user network
access, 115
router implementation
external AAA, 115-116, 122, 127-140
local AAA, 115-120
reasons for, 114
types of router
access, 116
site-to-site VPN, 295, 303, 306
troubleshooting, local
AAA, 140-141
authorization (AAA)
administrative
access, 115
configuration
snapshots, 141
remote user network
access, 115
router implementation
external AAA, 115-116
local AAA, 115-120
reasons for, 114
types of router
access, 116
troubleshooting, local
AAA, 140-141
auto secure command, 103
autoloading configurations,
disabling, 169
auxiliary line interfaces, 93
Availability (CIA triad), 19-20
availability attacks, 42
botnets, 43
computer environment
attacks, 44
DDoS attacks, 44
DoS attacks, 43
electrical power
attacks, 44
ICMP floods, 43
MAC floods, 45
physical environment
attacks, 44
SYN floods, 44
AVS (Application Velocity
System), 60, 77
bandwidth
broadcast traffic
limitations, 437
multicast traffic
limitations, 437
unicast traffic
limitations, 438
banner messages, 104
Basic Firewall Wizard
(SDM), ZPF configuration, 224-233
BCP (Business Continuity
Planning)
categories of
disruption, 60
phases of, 59
BID (Bridge IDs), 426
birthday attacks, 250
black hat hackers, 31
blind spoofing attacks, 36
blue hat hackers, 31
BOOTP (Bootstrap
Protocol), disabling, 168
botnets, 43
BPDU (Bridge Protocol Data
Units), STP manipulation
attacks, 426
BPDU Guard, mitigating
STP manipulation attacks, 427-428
broadcast storms, 436-437
broadcast traffic, bandwidth
limitations, 437
browsers (web)
SDM requirements, 108
Secure ACS
support, 127
brute force attacks, 249
buffer overflows, endpoint
security, 399-400
CA (Certificate Authorities)
central (single-root) CA
topology, 279
CRL, 280
cross-certified CA, 279
defining, 277
hierarchical CA
topology, 279
call agents, VoIP, 412
call policies, VoIP, 416
CAM (Content Addressable
Memory), table overflow
attacks, 428-429
Category window (IPS
Policies Wizard), 369
CBC (Cipher Block
Chaining) mode, block
ciphers, 263
CCP (Cisco Configuration
Professional), 105
CD-ROM
installing, 500-501
system
requirements, 500
test modes
certification
mode, 499
custom mode, 500
study mode, 499
central (single-root) CA
topology, 279
Certicom VPN client, 300
certificates, 279
authentication via, 283-284
defining, 277
enrollment process, 282-283
issuing, 283
OSI application layer,
viewing at, 285
retrieving, 283
uses of, 285
certification exams
exam cram usage
strategies, 12
self-assessment, 5-9
topics of, 10-11
certification mode
(CD-ROM), 499
CFB (Cipher Feedback)
mode, stream
ciphers, 263
chain of custody, 26
Change and Configuration
Controls operations security
principle, 54
chosen-ciphertext
attacks, 250
chosen-plaintext
attacks, 250
CIA triad (Confidentiality,
Integrity, Availability), 303
Availability, 19-20
Confidentiality, 18-20
Integrity, 19-20
ciphers
defining, 246
DES cipher, 250
ciphertext
chosen-ciphertext
attacks, 250
ciphertext-only
attacks, 249
defining, 246
Cisco ASA 5500 Series
Adaptive Security appliances, 202
Cisco AutoSecure feature, 177-179
Cisco Discovery Protocol,
disabling, 169
Cisco Host Security Strategy, 397-398
Cisco IOS firewalls, 201
Cisco IOS IPS (Intrusion
Prevention Systems)
benefits of, 362-363
configuration verification, 384-385
configuring via
CLI, 377
feature blend, 362
interface verification, 386
IPS Policies Wizard, 367, 369-370
IPS Rule Wizard, 367
policy verification, 384
SDEE support, 381-383
settings verification, 386
signatures
configuring, 378-380
integration, 363
Cisco IOS resilient
configuration feature, 101-102
Cisco PIX 500 Series firewalls, 201
Cisco Security Center website, 504
Cisco Security Manager, 78
Cisco Security MARS. See
MARS
Cisco Self-Defending
Networks
firewalls role in, 190
website, 504
civil law, prosecuting
computer crimes, 27
class maps, ZPF
configurations, 235
classifying data, 21
age metric, 22
criteria for, 22
custodian role, 22
owner role, 22
personal association
metric, 22
personnel
classification via, 22
private sector
classification, 22
public sector
classification, 21
useful life metric, 22
user role, 22
value metric, 22
clear aaa local user lockout
command, 121
cleartext (plaintext)
chosen-plaintext
attacks, 250
defining, 246
known-plaintext
attacks, 249
ACL usage examples, 205-208
CLI (Command-Line
Interface)
IOS IPS
configuration, 377
IPsec implementation
on site-to-site VPN
ACL compatibility, 315-316
crypto ACL
verification, 325
crypto map
creation, 320
IKE Phase II SA
verification, 322-324
IPsec transform set
configuration, 318-319
ISAKMP (IKE
Phase I) policy
sets, 316-318
ISAKMP SA verification, 324
traffic-defining
crypto ACL creation, 319-320
troubleshooting, 321
verifying, 321-325
role-based
access, configuring, 98-100
client mode (SSL
VPN), 296
clientless mode (SSL VPN), 296
Code Book: The Science of
Secrecy from Ancient
Egypt to Quantum
Cryptography, The, 505
cold site backups, 61
common services, filtering
via ACL, 216-217
community strings,
SNMP, 158
compromising targets,
seven steps for, 32
computer crimes,
prosecuting
administrative law, 27
civil law, 27
complications in, 26
criminal law, 27
ethics, 27
investigations, 25
liability, 28
U.S. government
regulations, 28-29
computer environment,
attacks on, 44
Computer Fraud and Abuse
Act, 29
computer security
hackers, 31
concept of least privilege, 72
confidential data classification
level, 21-22
Confidentiality (CIA triad), 18-20
confidentiality attacks, 36
covert channel
attacks, 37
dumpster diving, 37
emanation
capturing, 37
identity theft, 38
overt channel
attacks, 37
packet sniffing (protocol
analysis)
attacks, 37
pharming attacks, 38
phishing attacks, 38
ping sweeps, 37
port scanning
attacks, 37
protocol analysis (packet
sniffing) attacks, 37
social engineering
attacks, 37
Config Location window
(IPS Policies Wizard), 369
Configuration Autoloading,
disabling, 169
Configuration Interceptor
(CSA), 406
configure command, 97
Configure mode (SDM), 110
configuring
AAA, configuration snapshots, 141
accounting (AAA), 139-140
ACL via SDM, 209-211
banner messages, 104
CLI role-based
access, 98-100
endpoints, VoIP, 417
external AAA on routers
via Secure ACS, 122, 127
AAA client additions, 129-130
AAA network configuration, 129-132
AAA server additions
on IOS routers, 131-132
traffic identification, 133-140
user configuration, 132
IOS resilient configuration
feature (Cisco), 101-102
IPS, 360-361
IOS IPS via CLI, 377
IOS IPS via SDM, 364-372, 375-376
signatures, 378-380
IPsec transform sets, 318-319
IPsec VPN
IKE Phase I, 307-311
IKE Phase II, 311-314
local AAA on routers, 116, 119
enabling/disabling
AAA, 118
user account
configuration, 117
verifying
configurations, 120
passwords, 94-97
port security, 429
basic settings, 430
optional settings, 430-432
violation mode, 431
SDM, advanced configurations, 111-112
secure management/
reporting time features,
NTP, 165
servers, VoIP, 417
SNMP, SDM configurations, 159-160
SSH daemons, 161-164
user accounts, local
AAA configuration on
routers, 117
ZPF manually via SDM, 233
class map
creation, 235
policy map creation, 236
zone creation, 234
zone pair
creation, 237
ZPF via Basic Firewall
Wizard (SDM), 224-233
console line interfaces, 93
console passwords, 94
covert channel attacks, 37
crackers, 31
criminal law, prosecuting
computer crimes, 27
CRL (Certificate Revocation
Lists), 280
cross-certified CA
(Certificate
Authorities), 279
cryptanalysis, defining, 246
crypto ACL (Access Control
Lists)
Step-by-Step Setup
mode (Site-to-Site
VPN Wizard), defining in, 333-334
traffic-defining ACL,
creating
in IPsec VPN, 319-320
verifying, 325
crypto ipsec transform-set
command, 319
crypto isakmp key
command, 317
crypto isakmp policy
command, 316
crypto map
command, 321
crypto maps, site-to-site
IPsec VPN, 320
cryptographic hashing
algorithms, 256, 268
HMAC, 270-272
MD5, 269-271
cryptographic keys. See
encryption keys
cryptography
asymmetric key encryption
algorithms, 251, 275
authentication
via, 277
length of, 253
private key
algorithms, 276
public key
algorithms, 276
speed of, 253
trusted
algorithms, 255
types of, 253
birthday attacks, 250
brute force attacks, 249
chosen-ciphertext
attacks, 250
chosen-plaintext
attacks, 250
ciphertext-only
attacks, 249
cryptographic hashing
algorithms, 256, 268
HMAC, 270-272
MD5, 269-271
defining, 246
digital signatures
DSS, 275
process example, 274
uses for, 272
ECC, 256
encryption algorithms
desirable features
of, 251
selection criteria, 255
encryption keys
keyspaces, 257-258
lengths of, 258
managing, 256-257
known-plaintext
attacks, 249
MiM attacks, 250
SSL VPN, 259-260
symmetric key encryption
algorithms, 251, 261
3DES, 264-265
DES, 263
DH, 255
key length, 262
RC, 267
SEAL, 266
trusted
algorithms, 255
types of, 252
web resources, 505
cryptology
defining, 246
example of, 247
cryptosystems, defining, 246-247
CSA (Cisco Security Agent)
buffer overflows, 400
Configuration
Interceptor, 406
endpoint protection, 397
endpoint security, 406
Execution Space
Interceptor, 406
File System
Interceptor, 406
HIPS, 351-355
Network
Interceptor, 406
CSM (Cisco Security
Manager), IPS management, 350
custodian role (data classification), 22
custom mode (CD-ROM), 500
custom threats, rise of, 18
data classification
age metric, 22
criteria for, 22
custodian role, 22
owner role, 22
personal association
metric, 22
personnel classification
via, 22
private sector
classification, 22
public sector
classification, 21
useful life metric, 22
user role, 22
value metric, 22
data diddling, 39
data integrity, HMAC, 271
Data Link Layer (OSI Layer 2),
encryption, 248
data packets, ensuring path
integrity, 170
DDOS (Distributed Denial of
Service) attacks, 36, 44
debug aaa authentication
command, 120, 140-141
debug crypto ipsec
command, 322
debug crypto isakmp command, 322
decryption (deciphering),
defining, 246
Defense in Depth
philosophy, 33-34
Deny Attacker Inline
action (IPS attack
responses), 348
Deny Connection Inline
action (IPS attack
responses), 348
Deny Packet Inline
action (IPS attack
responses), 348
DES (Data Encryption
Standard), 250, 263, 304
design, simplicity of, 72
detective type (security
controls), 24
deterrent type (security
controls), 24
DH (Diffie-Hellman) key
exchange algorithm, 255, 276, 305
dial plans (UCM), 414
diddling data, 39
digital signatures
DSS, 275
process example, 274
uses for, 272
Discovery Protocol (Cisco),
disabling, 169
DMVPN (Dynamic
Multipoint Virtual Private
Networks), 298
DNS (Domain Name
System), disabling, 170
DoS (Denial of Service)
attacks, 36, 43
causes of, 20
IP-address broadcasts,
disabling, 172
terminal access security,
ensuring, 171
VoIP, 413
double-tagging (VLAN
hopping), 424-425
drop action (ZPF), 221
DRP (Disaster Recovery
Procedures)
categories of
disruption, 60
phases of, 59
DSA (Digital Signature
Algorithm), 275-276
DSS (Digital Signature
Standard), 275
dual operator control
(SoD operations security
principle), 55
due care (liability), 28
due diligence (liability), 28
dumpster diving, 37
dynamic packet-filtering
firewalls, 196-198
Easy VPN (Virtual Private
Networks), 298-299
eavesdropping attacks,
VoIP, 414
ECB (Electronic Code Block)
mode, block ciphers, 263
ECC (Elliptic Curve
Cryptography), 256
ECDSA (Elliptic Curves
Digital Signature
Algorithm), 275
Economic Espionage Act of 1996, 29
education, best practices
against network
attacks, 45
electrical power attacks, 44
ElGamal, 276
Elliptic Curve, 276
email, digital signatures, 273
emanation capturing, 37
enable passwords, 95
enable view command, 101
encryption (enciphering), 248
3DES, VPN, 304
Application Layer (OSI
Layers 5-7), 249
asymmetric key
encryption algorithms, 251, 275
authentication
via, 277
length of, 253
private key
algorithms, 276
public key
algorithms, 276
speed of, 253
trusted algorithms, 255
types of, 253
best practices against
network attacks, 46
cryptographic hashing
algorithms, 256, 268
HMAC, 270-272
MD5, 269-271
Data Link
Layer (OSI Layer 2), 248
defining, 246
DES, VPN, 304
digital signatures
DSS, 275
process example, 274
uses for, 272
ECC, 256
encryption algorithms
desirable features
of, 251
encryption keys
with, 251
selection criteria, 255
encryption keys, 248
distributing, 252
encryption algorithms
with, 251
keyspaces, 257-258
lengths of, 258
managing, 256-257
hardware-accelerated
encryption, 300
Network Layer (OSI Layer 3), 249
RSA, VPN, 305
SEAL, VPN, 305
service password
encryption, 95
site-to-site IPsec VPN, 303-305
symmetric key encryption algorithms, 251, 261
3DES, 264-265
DES, 263
DH, 255
key length, 262
RC, 267
SEAL, 266
trusted
algorithms, 255
types of, 252
Transport
Layer (OSI Layer 4), 249
encryption keys, DH key
exchanges, 305
end systems, 396
end-user policies, 65
endpoint protection (Cisco
Security Agent), 397
endpoint security
best practices, 407
buffer overflows, 399-400
IronPort, 403
NIC, 397
Trojan horses, 399-402
viruses, 399-401
VoIP, 417
worms, 399-402
ENGINE_BUILDING
messages, IPS, 373
ENGINE_BUILDS_STARTED
messages, IPS, 373
ENGINE_READY messages,
IPS, 373
entrapment, defining, 27
environmental control, best
practices against network
attacks, 46
ESP (Encapsulating Security
Payloads), IKE Phase II, 313-314
ethics, prosecuting computer
crimes, 27
exams (certification)
exam cram usage strategies, 12
self-assessment, 5-9
topics of, 10-11
exams (practice)
exam 1
answers, 461-469
exam 2
answers, 487-496
questions, 472-485
MeasureUp, 500-501
exchange one (IKE Phase I
main mode
exchanges), 310
exchange two (IKE Phase I
main mode exchanges), 310-311
exec authentication policies,
creating, 136
Exec banner messages, 104
exec-timeout command, 96
Execution Space Interceptor
(CSA), 406
exploits, defining, 30
external AAA
(Authentication,
Authorization and
Accounting), router configuration
via Secure ACS, 115-116, 122, 127
AAA client additions, 129-130
AAA network configuration, 129-132
traffic identification, 133-140
user configuration, 132
external threats
examples of, 16
protecting against, 17
FAC (Forced Authorization
Codes), UCM, 414
false negative signature
alarms, 359
false positive signature alarms, 359
FCIP (Fiber Channel over
IP), SAN, 408
Federal Information
Security Management Act
of 2002 (FISMA), 29
Fiber Channel (SAN), 408
File System Interceptor
(CSA), 406
Finger service,
disabling, 170
FIPS 197, Advanced
Encryption Standard (AES)
website, 505
Firewall and ACL Wizard
(SDM), 110
firewalls
advantages of, 189
application inspection
firewalls, 199-200
application layer
gateways, 194-195
Basic Firewall Wizard
(SDM), ZPF configuration via, 224-233
best practices, 202
characteristics of, 189
Cisco ASA 5500 Series
Adaptive Security
appliances, 202
Cisco IOS firewalls, 201
Cisco PIX 500 Series
firewalls, 201
Cisco Self-Defending
Networks, role in, 190
defining, 188
disadvantages of, 190
dynamic packet-filtering
firewalls, 196-198
layered defense strategies,
role in, 190
perimeters, defining, 188
static packet-filtering firewalls, 191-192
advantages of, 193
creating via ACL, 204-217
disadvantages
of, 194
transparent
firewalls, 200
VAC+, 300
VoIP, 415-416
ZPF, 218
ACL, 220
actions of, 221
advantages of, 220
configuration
overview, 219
configuring manually
via SDM, 233-237
configuring via Basic
Firewall Wizard
(SDM), 224-233
features of, 221
monitoring, 238-240
zone behavior in, 221-223
FISMA (Federal Information
Security Management Act
of 2002), 29
five P’s of worm attacks, 402
flash file system (routers),
required SDM operation files, 106-107
fraud
Theft and Toll Fraud, VoIP, 414
UCM protection features, 414
vishing attacks, VoIP, 414
FTP servers, disabling, 169
GARP (Gratuitous Address
Resolution Protocol), disabling, 171
gatekeepers, VoIP, 411
gateways, VoIP, 412
GLBA (Gramm-Leach-Bliley
Act of 1999), 28
governing policies, 64
gray hat hackers, 31
guidelines (network security policies), 66
H.323 protocol, 412
hackers
custom threats, rise of, 18
motivations of, 31
specializations of, 31
thought process of, 32
types of, 31
Hacking Exposed, 5th Edition, 504
hacktivists, 31
HAGLE (Hash,
Authentication, Group,
Lifetime, Encryption)
memory aid, 308, 328
Handbook of Applied Cryptography, 505
hard zoning, SAN, 410
hardware, best practices
against network
attacks, 46
hardware-accelerated encryption, 300
HMAC, 270-272
MD5, 269-271
site-to-site IPsec VPN, 305
headers, TCP segment headers, 196
Health Insurance Portability
and Accountability Act of
2000 (HIPAA), 28
help, technical support, 502
hierarchical CA topology, 279
high security level (signature alarms), 360
HIPAA (Health Insurance
Portability and
Accountability Act of
2000), 28
HIPS (host-based Intrusion
Protection Systems), 351-355
HMAC (Hashed Message
Authentication Code), 270-272, 305
hobby hackers, 31
honey pots, defining, 347
hopping attacks (VLAN), 422
double-tagging, 424-425
rogue trunks, 423-424
hot (mirror) sites, backups, 61
HTTP (Hypertext Transfer
Protocol), disabling
configuration/monitoring
service, 170
HTTPS (Hypertext Transfer
Protocol over Secure
Socket Layer), disabling
configuration/monitoring
service, 170
ICMP (Internet Control
Message Protocol)
ACL, filtering via, 216-217
floods, 43
mask replies, disabling, 171
redirects, 170
unreachable notifications, disabling, 171
IDENT (IP Identification)
service, disabling, 171
identity theft, 38
IDM (IPS Device
Manager), IPS
management, 350
IDS (Intrusion Detection Systems)
categories of, 343-344
custom threats, handling, 18
sensor types, 346-347
signatures
alarms, 359-360
micro-engines, 357-358
IEV (IPS Event Viewer), IPS
management, 350-351
IKE (Internet Key Exchange)
IPsec VPN configuration
Phase II, 311-314
Phase I, 307-311
ISAKMP policy sets, 316-318
ISAKMP SA verification, 324
main mode exchanges, 310-311
Phase II, 311
AH, 312-313
ESP, 313-314
SA verification, 322-324
Step-by-Step Setup mode
(Site-to-Site VPN
Wizard), defining proposals in, 331-332
implementation, simplicity of, 72
in-band administrative
access (routers). See
remote administrative
access (routers)
in-band interfaces, 93
in-band traffic, 152
inbound IP address spoofing, 204, 213-214
incident response
chain of custody, 26
complications in, 26
investigations, 25
Incoming banner messages, 104
informational security level (signature alarms), 360
Inside Internal Security,
What Hackers Don’t Want
You to Know, 504
inspect action (ZPF), 221
installing
CD-ROM, 500-501
Secure ACS, Windows requirements, 124
integrity, site-to-site VPN, 294, 303-305
Integrity (CIA triad), 19-20
integrity attacks
data diddling, 39
password attacks, 39
port redirection attacks, 40
salami attacks, 39
session hijacking, 39
trust exploits, 39
interactive mode (Cisco AutoSecure feature), 177
Interface and Connection Wizard (SDM), 110
interface command, 99
interfaces
GARP, disabling, 171
in-band interfaces, 93
line interfaces
auxiliary line interfaces, 93
console line interfaces, 93
reviewing, 92-93
virtual line interfaces, 93
out-of-band interfaces, 93
router interfaces, disabling, 168
vulnerable interfaces, disabling, 167-169
vulnerabilities, 167
intermediate systems, 396
internal threats
best practices against, 17
examples of, 16
seriousness of, 17
Internet Denial of Service,
Attack and Defense
Mechanisms, 504
Introduction to Security
Policies, Four-Part
Series, 503
intrusion notification, switch security, 434-435
Intrusion Prevention Wizard (SDM), 111
IOS firewalls (Cisco), 201
IOS IPS (Intrusion Prevention Systems)
benefits of, 362-363
configuration verification, 384-385
configuring via
CLI, 377
feature blend, 362
interface verification, 386
IPS Policies Wizard, 367-370
IPS Rule Wizard, 367
policy verification, 384
settings verification, 386
signatures
configuring, 378-380
integration, 363
IOS resilient configuration feature (Cisco), 101-102
IOS routers
deploying, 88-90
DF, 367-369
DMVPN, 298
Easy VPN, 298
IPsec stateful failover, 298
V3PN, 298
VPN features, 298
IP
IP-directed broadcasts, disabling, 172
phones, VoIP, 411
source routing, 170
VoIP
call policies, 416
components of, 411-412
DoS attacks, 413
eavesdropping attacks, 414
endpoint configuration, 417
firewalls, 415-416
inspecting, 416
MIM attacks, 414
protocols of, 412
rate limits, 416
reconnaissance attacks, 413
registration, 416
security, 415-417
server configuration, 417
SIP vulnerabilities, 414
SPIT, 413
standards compliance, 416
Theft and Toll Fraud, 414
vishing attacks, 414
VPN, 416-417
VVLAN, 415
IP addresses
end systems, 396
FCIP (Fiber Channel over IP), 408
intermediate systems, 396
IP spoofing
blind attacks, 36
inbound, 213-214
nonblind attacks, 36
outbound, 215
ip ips command, 377
ip ips config location command, 377
ip ips name command, 377
ip ips notify command, 377
ip ips signature-category command, 377
ip verify unicast reverse-path command, 216
ip virtual-reassembly command, 377
IPS (Intrusion Prevention Systems)
attack responses, 348
best practices, 360-361
categories of, 343-344
Cisco appliances, 356
configuration verification, 384-385
configuring, 360-361
custom threats, handling, 18
ENGINE_BUILDING messages, 373
ENGINE_BUILDS_STARTED messages, 373
ENGINE_READY messages, 373
event management/monitoring, 349-350
HIPS, 351-355
interface verification, 386
IOS IPS
benefits of, 362
CLI configuration, 377
configuration verification, 384-385
feature blend, 362
interface verification, 386
policy verification, 384
SDEE support, 381-383
SDM configuration, 364-372, 375-376
settings verification, 386
signature configuration, 378-380
signature integration, 363
IPS Policies Wizard, 367-370
IPS Rule Wizard, 367
network IPS, 354-355
policy verification, 384
sensor types, 346-347
settings verification, 386
signatures
alarms, 359-360
configuring, 378-380
IOS IPS integration, 363
micro-engines, 357-358
IPS Policies Wizard, 367-370
IPS Rule Wizard, 367
IPsec (Internet Protocol Security)
crypto maps, site-to-site IPsec VPN, 320
stateful failover, 298
strengths of, 307
transform sets, 329
configuring, 318-319
Step-by-Step Setup mode
(Site-to-Site VPN
Wizard), defining in, 332-333
verifying, 322
transport mode, 314
tunnel mode, 314
IPsec VPN (Internet Protocol Security over
Virtual Private Networks)
AES, 255
Certicom client, 300
certificate-based authentication, 283
configuring
IKE Phase I, 307-311
IKE Phase II, 311-314
DH, 255
IPsec VPN SPA, 300
PKI, 280
site-to-site VPN
anti-replay, 303
CLI implementation, 315-325
confidentiality, 302-305
DH key exchanges, 305
integrity, 303-305
SDM implementation, 325-326, 329-336
SSL VPN versus, 301-302
IPsec VPN SPA (Shared
Port Adapters), 300
IronPort, endpoint
security, 403
ISAKMP (IKE Phase I)
policy sets, IPsec VPN
implementation via
CLI, 316-318
SA verification, 324
iSCSI (SCSI over TCP/IP), SAN, 408
ISR (Integrated Service
Routers), 80, 90
keepalives (TCP), disabling, 171
keys (encryption), DH key exchanges, 305
keyspaces (encryption keys), 257-258
known-plaintext attacks, 249
law, prosecuting computer crimes
administrative law, 27
civil law, 27
complications in, 26
criminal law, 27
ethics, 27
investigations, 25
liability, 28
U.S. government regulations, 28-29
layer 2 security
best practices, 438
CAM table overflow attacks, 428-429
intrusion notification, 434-435
MAC address spoofing attacks, 429
port security, 429
basic settings, 430
optional settings, 430-432
verification, 433-434
violation mode configuration, 431
SPAN, 435
storm control, 436-437
STP manipulation attacks, 425
BPDU Guard, 427-428
portfast mode, 426-427
root guard, 428
VLAN hopping attacks, 422
double-tagging, 424-425
rogue trunks, 423-424
layered defense strategies,
firewalls role in, 190
least privilege, concept of, 72
liability, prosecuting computer
crimes, 28
line interfaces
auxiliary line interfaces, 93
console line interfaces, 93
reviewing, 92-93
virtual line interfaces, 93
local AAA (Authentication,
Authorization and
Accounting), 115
router configuration, 116, 119-120
enabling/disabling AAA, 118
user account configuration, 117
verifying configurations, 120
troubleshooting, 140-141
local administrative access (routers), 91
banner messages, 104
CLI role-based access configuration, 98-100
IOS resilient configuration feature (Cisco), 101-102
line interfaces, 92-93
passwords
best practices, 94
configuring, 94-97
console passwords, 94
enable passwords, 95
minimum length configuration, 96
recovering, 97
secret passwords, 95
service password encryption, 95
timeouts, 96
username security, 96
virtual terminal passwords, 95
privilege levels, setting, 97
view creation, 98-100
virtual login security, 102-103
Log Attacker Packets
action (IPS attack
responses), 348
Log Pair Packets action (IPS
attack responses), 348
Log Victim Packets action
(IPS attack responses), 348
logins
authentication policies, creating, 134-135
banner messages, 104
configuration verification, 103
Syslog login detection messages, generating, 103
virtual login security, 102-103
logs
how to log, 150
messages
formats of, 156
security levels, 155
sending, 154-155
what to log, determining, 149-150
low security level (signature alarms), 360
LUN (Logical Unit Numbers), 408
MAC addresses
spoofing attacks, 429
sticky learning, 432
MAC floods, 45
mac-address-table notification command, 435
main mode exchanges (IKE Phase I), 310-311
maps, ZPF configurations
class maps, 235
policy maps, 236
MARS (Monitoring,
Analysis, and Response
System), 78, 154, 350
mask replies (ICMP), disabling, 171
MCU (Multipoint Control Units), VoIP, 412
MD5 (Message Digest 5), 269, 271, 305
means (computer crime investigations), 25
MeasureUp practice tests, 500-501
medium security level (signature alarms), 360
memory, CAM table overflow attacks, 428
message logs, viewing
SDEE logs, 382
Syslog logs, 383
message tampering, SIP, 414
MGCP (Media Gateway Control Protocol), 412
MiM (Man-in-the-Middle) attacks, 36, 250, 414
mirror (hot) site backups, 61
MOP (Maintenance
Operation Protocol),
disabling, 169
MOTD (Message-Of-The-Day)
banner
messages, 104
motive (computer crime investigations), 25
multi-string signatures, 358
multicast traffic, bandwidth limitations, 437
NAA (NAC Application Agent), 404
NAC (Network Admission Control), 397
endpoint security, 403-405
NAA, 404
NAC Appliance, 404
NAC Framework, 403
NAM, 404
NAS, 404
rule-set updates, 404
NAC Wizard (SDM), 111
NAM (NAC Application Manager), 404
named ACL (Access Control Lists), 205
NAS (Network Access Servers), 115, 404
NAT Wizard (SDM), 111
navigation bar (Secure ACS), 127, 130
network attacks
availability attacks, 42
botnets, 43
computer environment attacks, 44
DDoS attacks, 44
DoS attacks, 43
electrical power attacks, 44
ICMP floods, 43
MAC floods, 45
physical environment attacks, 44
SYN floods, 44
best practices against
administrative controls, 45
education, 45
encryption, 46
environmental control, 46
hardware, 46
passwords, 46
patches, 45
physical access, 46
physical controls, 46
security policies, 45
TCP ports, 46
technical controls, 46
UDP ports, 46
unnecessary services, 46
confidentiality attacks, 36
covert channel attacks, 37
dumpster diving, 37
emanation capturing, 37
identity theft, 38
overt channel attacks, 37
packet sniffing (protocol analysis) attacks, 37
pharming attacks, 38
phishing attacks, 38
ping sweeps, 37
port scanning attacks, 37
protocol analysis (packet sniffing) attacks, 37
social engineering attacks, 37
DDoS attacks, 36
Defense in Depth philosophy, 33-34
DoS attacks, 36
exploits, defining, 30
external threats
examples of, 16
protecting against, 17
hackers
motivations of, 31
specializations of, 31
thought process of, 32
types of, 31
integrity attacks
data diddling, 39
password attacks, 39
port redirection attacks, 40
salami attacks, 39
session hijacking, 39
trust exploits, 39
internal threats
best practices against, 17
examples of, 16
seriousness of, 17
IP spoofing, 34-36
MiM attacks, 36
risks, defining, 30
seven steps for compromising targets and applications, 32
vulnerabilities, categories of, 30
network authentication policies, creating, 138
Network Configuration page (Secure ACS)
AAA Client Hostname field, 130
AAA Client IP Address field, 130
accessing, 130
Authentication Using drop-down list, 131
Shared Secret field, 130
Network Interceptor (CSA), 406
network IPS (Intrusion Protection Systems), 354-355
Network Layer (OSI Layer 3), encryption, 249
network probes, disabling, 170
network scans, disabling, 170
network security
perimeters, determining, 73-74
policies
assets, defining, 62
AUP, 64
end-user policies, 65
governing policies, 64
guidelines, 66
principles of, 70-72
procedures, 66
reasons for having, 63
responsibility for, 66
RFC 2196, 61-62
risk management, 67-69
SDLC, 62
standards, 66
technical policies, 65
web resources, 503
practices, web resources, 504
scanners, 56
Nmap, 57
SuperScan, 57-58
Self-Defending Networks
collaborative systems, 75
integrated security portfolio, 79-80
Operational Control and Policy Management component, 76-78
principles of, 75
Secure Communications component, 76-77
Secure Network Platform component, 76
Threat Control and Containment component, 76-77
sensors, 56
testing
techniques, 55-56
tools list, 56
network services, filtering ACL via, 212
NIC (Network Infection Containment), 397
Nmap, features of, 57
no aaa new-model command, 119
no service password-recovery command, 97
non-interactive mode (Cisco AutoSecure feature), 177
nonblind spoofing attacks, 36
notifications (intrusion), switch security, 434-435
NTP (Network Time Protocol)
disabling, 169
secure management/reporting time features, configuring, 165
numbered ACL (Access Control Lists), 205
OFB (Output Feedback) mode, stream ciphers, 263
off-site backup facilities, 61
One-Step Lockdown feature (Security Audit Wizard), 172, 176
OOB (Out-Of-Band) traffic, 152
Operational Control and Policy Management component (Self-Defending Networks), 76-78
operations security
BCP, phases of, 59-60
Change and Configuration Controls principle, 54
DRP
categories of disruption, 60
phases of, 59
network security
Nmap, 57
scanners, 56
sensors, 56
SuperScan, 57-58
testing techniques, 55-56
testing tools list, 56
Rotation of Duties principle, 54
SDLC, 52
SoD principle, 54-55
Trusted Recovery principle, 54
opportunity (computer crime investigations), 25
origin authentication, 19, 271
OS (operating systems), software security, 397-398
OSI application layer, viewing certificates at, 285
out-of-band interfaces, 93
outbound IP address spoofing, 204, 215
overt channel attacks, 37
owner role (data classification), 22
packets (data)
packet sniffing (protocol analysis) attacks, 37
path integrity, 170
parser view feature, view creation, 98-100
partitioning (UCM), 414
pass action (ZPF), 221
passwords
attacks, 39
best practices, 94
best practices against network attacks, 46
configuring, 94-97
console passwords, 94
enable passwords, 95
minimum length, configuring, 96
recovering, 97
secret passwords, 95
service password encryption, 95
timeouts, setting, 96
username security, 96
virtual terminal passwords, 95
patches, best practices against network attacks, 45
path integrity, ensuring, 170
Perform Security Audit button (Security Audit Wizard), 173
perimeters (network security)
defining, 188
determining, 73-74
personal association metric (data classification), 22
pharming attacks, 38
phishing attacks, 38
phone phreaks, 31
phreakers, 31
physical access, best practices against network attacks, 46
physical environment, attacks on, 44
ping sweeps, 37
PIX 500 Series firewalls (Cisco), 201
PKCS (Public Key Cryptography Standards), PKI, 281
PKI (Public-Key Infrastructures)
areas of, 278
CA
central (single-root) CA topology, 279
CRL, 280
cross-certified CA, 279
defining, 277
hierarchical CA topology, 279
certificates, 279
authentication via, 283-284
defining, 277
enrollment process, 282-283
issuing, 283
retrieving, 283
uses of, 285
viewing at OSI application layer, 285
defining, 277
encryption key management, 257
IPsec VPN, 280
PKCS, 281
RA, offloading tasks to, 280
SCEP, 281
usage keys, 279
X.509 v3 standard, 281
plaintext (cleartext)
chosen-plaintext attacks, 250
defining, 246
known-plaintext attacks, 249
policies
best practices against network attacks, 45
end-user policies, 65
governing policies, 64
network security
assets, defining, 62
AUP, 64
end-user policies, 65
governing policies, 64
guidelines, 66
principles of, 70-72
procedures, 66
reasons for having, 63
responsibility for, 66
RFC 2196, 61-62
risk management, 67-69
SDLC, 62
standards, 66
technical policies, 65
web resources, 503
technical policies, 65
policy maps, ZPF configurations, 236
policy sets
ISAKMP (IKE Phase I) policy sets, IPsec VPN implementation via CLI, 316-318
transform sets versus, 311
VPN, 310
port security
CAM table overflow attacks, mitigating, 429
configuring, 429
basic settings, 430
optional settings, 430-432
MAC address spoofing attacks, mitigating, 429
show port-security address command, 434
show port-security command, 433
show port-security interface command, 433-434
switchport port-security aging command, 432
switchport port-security mac-address command, 432
switchport port-security maximum command, 431
verifying, 433-434
violation mode, configuring, 431
portfast mode, mitigating STP manipulation attacks, 426-427
ports
redirection attacks, 40
scanning attacks, 37
TCP ports, best practices against network attacks, 46
UDP ports, best practices against network attacks, 46
practice exams
exam 1
answers, 461-469
exam 2
answers, 487-496
questions, 472-485
MeasureUp, 500-501
preventative type (security controls), 24
Privacy Act of 1974, 29
private data classification level, 22
private key encryption algorithms, 276
private sector data classification, 22
privilege levels (administrative access), setting, 97
privilege, concept of least, 72
probes (network), disabling, 170
procedures (network security policies), 66
Produce Alert action (IPS attack responses), 348
Produce Verbose Alert action (IPS attack responses), 348
prosecuting computer crimes
administrative law, 27
civil law, 27
complications in, 26
criminal law, 27
ethics, 27
investigations, 25
liability, 28
U.S. government regulations, 28-29
protocol analysis (packet sniffing) attacks, 37
Proxy ARP (Address Resolution Protocol), disabling, 172
PSK (Pre-Shared Keys), site-to-site IPsec VPN, 306
public data classification level, 22
public key encryption algorithms, 276
public sector data classification, 21
PVST+ (Per VLAN Spanning Tree Plus), 426
qualitative risk analysis, 67
Quality of Service Wizard (SDM), 111
quantitative risk analysis, 67, 69
questions (practice exams)
Quick Setup mode (Site-to-Site VPN Wizard), 325-326, 329
quiet mode (virtual login security), 102
RA (Registration Authorities), offloading PKI tasks to, 280
RADIUS (Remote Dial-In User Services)
AAA implementation, 125, 129-130
default port numbers for, 126
TACACS+ versus, 125-126
troubleshooting, 140-141
rate limits, VoIP, 416
RBAC (Role-Based Access Controls), creating, 78
RC (Rivest Ciphers), 267
reconnaissance attacks, VoIP, 413
recovery, passwords, 97
redirection attacks (ports), 40
Refresh mode (SDM), 110
registration
hacks, SIP, 414
VoIP, 416
remote administrative access (routers), 91
auxiliary line interfaces, 93
banner messages, 104
CLI role-based access configuration, 98-100
console line interfaces, 93
IOS resilient configuration feature (Cisco), 101-102
passwords
best practices, 94
configuring, 94-97
console passwords, 94
enable passwords, 95
minimum length configuration, 96
recovering, 97
secret passwords, 95
service password encryption, 95
timeouts, 96
username security, 96
virtual passwords, 95
privilege levels, setting, 97
reviewing, 92-93
view creation, 98-100
virtual line interfaces, 93
virtual login security, 102-103
remote user network access, AAA, 115
remote-access VPN (Virtual Private Networks), 295
Cisco product positioning, 297-298
Easy VPN, 298-299
VPN 3002 Hardware Client, 300
Web VPN, 299
Request Block Connection action (IPS attack responses), 348
Request Block Host action (IPS attack responses), 348
Request SNMP Trap action (IPS attack responses), 348
Reset TCP Connection action (IPS attack responses), 348
resources (web)
cryptography, 505
network security
policies, 503
practices, 504
RFC (Request for Comment) 2196, network security policies, 61-62
risks
analyzing, 67-69
avoidance, 69
defining, 30
managing, 67-69
rogue trunks (VLAN hopping), 423-424
ROMMON (ROM Monitor) mode, password recovery, 97
root guard, mitigating STP manipulation attacks, 428
Rotation of Duties operations security principle, 54
Router Security Strategies: Securing IP Network Traffic Planes, 504
router services
vulnerable services, disabling, 167
commonly configured management services, 169-170
unnecessary services, 168-169
vulnerabilities of, 167
routers
administrative access, 91
auxiliary line interfaces, 93
banner messages, 104
CLI role-based access configuration, 98-100
console line interfaces, 93
console passwords, 94
enable passwords, 95
IOS resilient configuration feature (Cisco), 101-102
minimum password length configuration, 96
password best practices, 94
password configuration, 94-97
password recovery, 97
privilege levels, 97
reviewing line interfaces, 92-93
secret passwords, 95
service password encryption, 95
timeouts, 96
username security, 96
view creation, 98-100
virtual line interfaces, 93
virtual login security, 102-103
virtual passwords, 95
AIM-VPN, 300
ASR, web resources, 90
Cisco AutoSecure feature, 177-178
flash file system, required SDM operation files, 106-107
interfaces, disabling, 168
IOS routers
deploying, 88-90
DMVPN, 298
Easy VPN, 298
IPsec stateful failover, 298
SDF, 367-369
V3PN, 298
VPN features, 298
IPsec VPN SPA, 300
path integrity, ensuring, 170
Proxy ARP, disabling, 172
SDM
launching, 108
required operation files, 106-107
SDM Express, 107
“self” zones, 223
service traffic, filtering via ACL, 217
timeouts, setting, 96
traffic destined to, ZPF zone behavior, 223
traffic flowing through, ZPF zone behavior, 222
traffic originating from, ZPF zone behavior, 223
Routing Wizard (SDM), 111
RSA (Rivest, Shamir and Adleman) encryption algorithm, 275-276, 305-306
RTCP (RTP Control Protocol), 413
RTP (Real-Time Transport Protocol), 412
rule-set updates (NAC), 404
SA (Security Associations), verifying
IKE Phase II SA, 322-324
ISAKMP (IKE Phase I) SA, 324
SAFE (Security and Freedom Through Encryption Act of 1997), 29
salami attacks, 39
SAN (Storage Area Networks)
advantages of, 407
FCIP (Fiber Channel over IP), 408
Fiber Channel, 408
iSCSI (SCSI over TCP/IP), 408
LUN, 408
security storages, 409
VSAN, 409
WWN, 409
zoning, 410
Sarbanes-Oxley Act of 2002 (SOX), 29
Save mode (SDM), 110
SBU (Sensitive but Unclassified) data classification level, 21
scanners, 56
Nmap, features of, 57
SuperScan, features of, 57-58
scans (network), disabling, 170
SCCP (Skinny Client Control Protocol), 413
SCEP (Simple Certificate Enrollment Protocol), PKI, 281
script kiddies, 31
SCSI (Small Computer Systems Interface), 408
SDEE (Security Device Event Exchange)
IOS IPS support for, 381-383
message log, viewing, 382
SDF (Signature Definition Files), 367-369
SDLC (System Development Life Cycle), 52, 62
SDM (Security Device Manager), 105
AAA
enabling/disabling, 119
router configuration, 120
ACL configuration, 209-211
Add AAA Server dialog, 131
Add Server window, Server IP or Host field, 131
Additional Tasks menu, 111-112
advanced configurations, 111-112
authentication methods, applying, 135
Basic Firewall Wizard, ZPF configuration, 224-233
browser software requirements, 108
Configure mode, 110
files required for operation from router, 106-107
Firewall and ACL Wizard, 110
Interface and Connection Wizard, 110
Intrusion Prevention Wizard, 111
IOS IPS configuration, 364-372, 375-376
IPS management, 350
IPS Policies Wizard, 367-370
IPS Rule Wizard, 367
IPsec implementation on site-to-site VPN
Quick Setup mode (Site-to-Site VPN Wizard), 325-326, 329
Step-by-Step Setup mode (Site-to-Site VPN Wizard), 329-336
launching, 108
NAC Wizard, 111
NAT Wizard, 111
Quality of Service Wizard, 111
Refresh mode, 110
Routing Wizard, 111
Save mode, 110
Security Audit Wizard, 111
Cisco AutoSecure feature versus, 178-179
One-Step Lockdown feature, 172, 176
Perform Security Audit button, 173
Security Audit Interface Configuration page, 174
Security Audit report window, 174-175
smart wizards, list of, 110-111
SNMP, configuring, 159-160
SSH daemon configuration, 162-164
Syslog logging, enabling, 156-157
user accounts, configuring via, 117
VPN Wizard, 110
web resources, 106
ZPF
configuring manually, 233-237
monitoring, 238-240
SDM Express, 107
SEAL (Software Encryption Algorithm), 266, 305
secret data classification level, 21
secret passwords, 95
Secure ACS (Access Control Servers)
browser support for, 127
external AAA router configuration, 122, 127
AAA client additions, 129-130
AAA network configuration, 129-132
traffic identification, 133-140
user configuration, 132
features of, 123
Network Configuration page
AAA Client Hostname field, 130
AAA Client IP Address field, 130
accessing, 130
Authentication Using drop-down list, 131
Shared Secret field, 130
prerequisites for, 126-127
reasons for using, 123
solution engine versus Secure ACS Express, 125
Windows installation requirements, 124
Secure ACS Express, 125
secure boot-config command, 101
Secure Communications component (Self-Defending Networks), 76-77
secure management/reporting, 148
guidelines for, 153
logs
determining what to log, 149-150
how to log, 150
message formats, 156
security levels, 155
sending messages, 154-155
MARS, 154
reference architecture for, 151-152
SNMP, 157
architecture of, 158
community strings, 158
SDM configuration, 159-160
security levels, 158-159
security models, 158-159
trap receivers, 160
versions of, 158
SSH daemons, configuring, 161-164
Syslog, 153-157
time feature configuration, NTP, 165
Secure Network Platform component (Self-Defending Networks), 76
Security and Freedom Through Encryption Act of 1997 (SAFE), 29
Security Audit Interface Configuration page (Security Audit Wizard), 174
Security Audit report window (Security Audit Wizard), 174-175
Security Audit Wizard (SDM), 111
Cisco AutoSecure feature versus, 178-179
One-Step Lockdown feature, 172, 176
Perform Security Audit button, 173
Security Audit Interface Configuration page, 174
Security Audit report window, 174-175
security controls
administrative controls, 23
detective type, 24
deterrent type, 24
physical controls, 23-24
preventative type, 24
technical controls, 23
Security Manager (Cisco), 78
Security MARS (Cisco). See MARS
security passwords min-length command, 96
security policies
assets, defining, 62
AUP, 64
best practices against network attacks, 45
end-user policies, 65
governing policies, 64
guidelines, 66
principles of, 70
concept of least privilege, 72
design simplicity, 72
implementation simplicity, 72
realistic assumptions, 71
security awareness, 72
procedures, 66
reasons for having, 63
responsibility for, 66
RFC 2196, 61-62
risk management, 67-69
SDLC, 62
standards, 66
technical policies, 65
segment headers (TCP), 196
“self” zones (routers), 223
self-assessment (certification exams), 5-9
self-contained AAA. See local AAA
Self-Defending Networks
collaborative systems, 75
firewalls role in, 190
integrated security portfolio, 79-80
Operational Control and Policy Management component, 76-78
principles of, 75
Secure Communications component, 76-77
Secure Network Platform component, 76
Threat Control and Containment component, 76-77
sensitive data classification level, 22
sensors, 56
SEP-E (Scalable Encryption Processor-Enhanced), 300
Server IP or Host field (SDM Add Server window), 131
servers
FTP servers, disabling, 169
NAS, 115
TFTP servers, disabling, 169
VoIP configuration, 417
services
DNS, disabling, 170
HTTP configuration/monitoring service, disabling, 170
HTTPS configuration/monitoring service, disabling, 170
IDENT, disabling, 171
MOP, disabling, 169
NTP, disabling, 169
password encryption, 95-96
router services
disabling vulnerable services, 167-170
vulnerabilities of, 167
signatures, 358
SNMP, disabling, 169
TCP, disabling, 169
UDP, disabling, 169
unnecessary services, best practices against network attacks, 46
session hijacking, 39
session tear-down, SIP, 414
seven steps for compromising targets and applications, 32
SHA-1 (Secure Hashing Algorithm 1), 269, 272, 305
Shared Secret field (Secure ACS Network Configuration page), 130
shortcuts (MeasureUp practice tests), creating, 501
show aaa local user lockout command, 120
show aaa sessions command, 121
show aaa user all command, 121
show access-list 101 command, 214
show access-list command, 322
show crypto ipsec sa command, 322
show crypto ipsec transform-set command, 322
show crypto isakmp policy command, 318, 322
show crypto isakmp sa command, 322, 324
show crypto map command, 321-322
show flash command, 101
show ip interface command, 208
show ip ips all command, 386
show ip ips configuration command, 384-386
show ip ips interfaces command, 386
show ip ips signatures count command, 375-376
show logging command, 157
show login command, 103
show parser view command, 100
show policy-map type inspect zone-pair session command, 238-240
show port-security address command, 434
show port-security command, 433
show port-security interface command, 433-434
show privilege command, 97
show secure bootset command, 102
show version command, SEAL, 266
Signature File and Public Key window (IPS Policies Wizard), 367
signatures
alarms, security levels, 359-360
atomic signatures, 358
IDS
alarms, 359-360
micro-engines, 357-358
IPS
alarms, 359-360
configuring, 378-380
IOS IPS signature integration, 363
micro-engines, 357-358
micro-engines, 357-358
multi-string signatures, 358
service signatures, 358
string signatures, 358
SIP (Session Initiation Protocol), 412-414
Site Security Handbook, RFC 2196, 503
site-to-site VPN (Virtual Private Networks), 294
anti-replay, 303
Cisco product positioning, 297-298
DH key exchanges, 305
DMVPN, 298
IPsec stateful failover, 298
IPsec VPN
anti-replay, 303
CLI implementation, 315-325
confidentiality, 302-305
integrity, 303-305
SDM implementation, 325-326, 329-336
Site-to-Site VPN Wizard
Quick Setup mode, 325-326, 329
Step-by-Step Setup mode, 329
defining connection settings, 330
defining IKE proposals, 331-332
defining IPsec transform sets, 332-333
defining protected traffic (Crypto ACL), 333-334
reviewing configurations, 334
troubleshooting configurations, 335-336
SLA (Service-Level Agreements), backups, 60
SLIP-PPP (Serial Line Internet Protocol-Point-to-Point Protocol) banner messages, 104
smart wizards (SDM), list of, 110-111
smurf attacks, disabling IP-directed broadcasts, 172
SNMP (Simple Network Management Protocol), 157
architecture of, 158
community strings, 158
disabling, 169
SDM, configuring via, 159-160
security levels, 158-159
security models, 158-159
trap receivers, 160
versions of, 158
social engineering attacks, 37
sockets, components of, 197
SoD (Separation of Duties) operations security principle, 54-55
soft zoning, SAN, 410
software security, 397-398
source routing (IP), 170
SOX (Sarbanes-Oxley Act of 2002), 29
SPAN (Switched Port Analyzers), switch security, 435
SPIT (Spam over Telephony), VoIP, 413
spoofing attacks
blind attacks, 36
inbound, 213-214
nonblind attacks, 36
outbound, 215
MAC addresses, 429
SRTP (Secure RTP), 413
SSH (Secure Shell)
daemons, configuring, 161-164
SSL VPN (Secure Socket Layer Virtual Private Networks), 259-260
AnyConnect VPN Client, 300
client mode, 296
clientless mode, 296
compatibility, 297
disadvantages of, 296
IPsec VPN versus, 301-302
standards (network security policies), 66
standards compliance, VoIP, 416
state tables, 197
stateful failover (IPsec), 298
static packet-filtering firewalls, 191-193
ACL, creating via, 204-217
advantages of, 193
disadvantages of, 194
steganography, 37
Step-by-Step Setup mode (Site-to-Site VPN Wizard), 329
configuration review, 334
connection settings, defining, 330
IKE proposals, defining, 331-332
IPsec transform sets, defining, 332-333
protected traffic (Crypto ACL), defining, 333-334
troubleshooting configurations, 335-336
sticky learning, MAC addresses, 432
storm control, 436-437
STP (spanning tree protocol), manipulation attacks, 425
BPDU Guard, 427-428
portfast mode, 426-427
root guard, 428
strings
community strings, SNMP, 158
signatures, 358
study mode (CD-ROM), 499
Summary window (IPS Policies Wizard), 370
SuperScan, features of, 57-58
switch security
best practices, 438
CAM table overflow attacks, 428-429
intrusion notification, 434-435
MAC address spoofing attacks, 429
port security, 429
basic settings, 430
optional settings, 430-432
verification, 433-434
violation mode configuration, 431
SPAN, 435
storm control, 436-437
STP manipulation attacks, 425
BPDU Guard, 427-428
portfast mode, 426-427
root guard, 428
VLAN hopping attacks, 422
double-tagging, 424-425
rogue trunks, 423-424
switchport port-security aging command, 432
switchport port-security mac-address command, 432
switchport port-security maximum command, 431
symmetric key encryption algorithms, 251, 261
3DES, 264-265
DES, 263
key length, 262
RC, 267
SEAL, 266
trusted algorithms, 255
types of, 252
SYN floods, 44
Syslog, 153-155
login detection messages, generating, 103
message log, viewing, 383
SDM, enabling logging via, 156-157
system requirements, CD-ROM installations, 500
TACACS+ (Terminal Access Control Access Control Server Plus)
AAA implementation, 125, 129-131
RADIUS versus, 125-126
troubleshooting, 140-141
TCP (Transfer Control Protocol)
disabling, 169
keepalives, disabling, 171
segment headers, 196
TCP ports, best practices against network attacks, 46
TCP/IP (Transfer Control Protocol/Internet Protocol)
end systems, 396
intermediate systems, 396
iSCSI (SCSI over TCP/IP), 408
technical policies, 65
technical support, 502
TEMPEST U.S. government standard, 38
term monitor command, 373
terminal access security, ensuring, 171
terminal monitor command, 120
test modes (CD-ROM)
certification mode, 499
custom mode, 500
study mode, 499
tests (certification)
exam cram usage strategies, 12
self-assessment, 5-9
topics of, 10-11
tests (practice)
MeasureUp, 500-501
test 1
answers, 461-469
test 2
answers, 487-496
questions, 472-485
TFTP servers, disabling, 169
Theft and Toll Fraud, VoIP, 414
Threat Control and Containment component (Self-Defending Networks), 76-77
threat identification (risk management), 67
timeouts, setting in router lines, 96
top secret data classification level, 21
tort law. See civil law
traffic
external AAA router configuration, identifying for, 133-140
in-band traffic, 152
OOB traffic, 152
router services, filtering via ACL, 217
router traffic, ZPF zone behavior, 222-223
transform sets
IPsec transform sets, 329
configuring, 318-319
defining in Step-by-Step Setup mode (Site-to-Site VPN Wizard), 332-333
verifying, 322
policy sets versus, 311
transparent firewalls, 200
Transport Layer (OSI Layer 4), encryption, 249
transport mode (IPsec) versus tunnel mode, 314
trap receivers (SNMP), 160
Trojan horses, endpoint security, 399-402
troubleshooting
IPsec site-to-site VPN, CLI implementations, 321-322
local AAA, 140-141
RADIUS, 140-141
TACACS+, 140-141
VPN, Step-by-Step Setup mode (Site-to-Site VPN Wizard), 335-336
true negative signature alarms, 359
true positive signature alarms, 359
trust exploits, 39
Trusted Recovery operations security principle, 54
tunnel mode (IPsec) versus transport mode, 314
two-man control (SoD operations security principle), 55
U.S. government regulations, computer crime prosecution, 28-29
UCM (Unified Communications Manager), fraud protection features, 414
UDP (User Datagram Protocol), disabling, 169
UDP ports, best practices against network attacks, 46
unclassified data classification level, 21
Understanding PKI: Concepts, Standards and Deployment Considerations, 505
unicast traffic, bandwidth limitations, 438
unnecessary services, best practices against network attacks, 46
unreachable notifications (ICMP), disabling, 171
USA PATRIOT Act, 29
useful life metric (data classification), 22
user accounts, local AAA configuration on routers, 117
user role (data classification), 22
usernames, password security, 96
V3PN (Voice and Video Enabled VPN), 298
VAC+ (VPN Accelerator Card +), 300
value metric (data classification), 22
videoconference stations, VoIP, 412
views, creating, 98-100
violation mode (port security), configuring, 431
virtual line interfaces, 93
virtual login security
blocking login systems, 102
delays between logins, 103
login configuration verification, 103
quiet mode, 102
Syslog login detection messages, generating, 103
virtual terminal passwords, 95
viruses, endpoint security, 399-401
vishing attacks, VoIP, 414
VLAN (Virtual Local Area Networks), hopping attacks, 422
double-tagging, 424-425
rogue trunks, 423-424
VoIP (Voice over Internet Protocol)
call policies, 416
components of, 411-412
DoS attacks, 413
eavesdropping attacks, 414
inspecting, 416
MiM attacks, 414
protocols of, 412
rate limits, 416
reconnaissance attacks, 413
registration, 416
security
endpoint configuration, 417
firewalls, 415-416
server configuration, 417
VPN, 416-417
VVLAN, 415
SIP, 414
SPIT, 413
standards compliance, 416
Theft and Toll Fraud, 414
vishing attacks, 414
VPN (Virtual Private Networks)
AIM-VPN, 300
ASA 550 Series adaptive security appliances, 299
benefits of, 293
Certicom client, 300
Cisco product positioning, 297-298
Cisco products list, 293
defining, 292
Easy VPN, 298-299
encryption algorithms, 304-305
hashing algorithms, 305
IOS routers, VPN features of, 298
IPsec VPN
AES, 255
certificate-based authentication, 283
configuring, 307-314
DH, 255
IKE Phase I, 307-311
IKE Phase II, 311-314
PKI, 280
SSL VPN versus, 301-302
IPsec VPN SPA, 300
policy sets, 310
PSK, 306
remote-access VPN, 295
Easy VPN, 298-299
VPN 3002 Hardware Client, 300
Web VPN, 299
RSA encrypted nonces, 306
RSA signatures, 306
SEP-E, 300
site-to-site VPN
anti-replay, 303
CLI implementation, 315-325
DH key exchanges, 305
DMVPN, 298
IPsec stateful failover, 298
SDM implementation, 325-326, 329-336
SSL VPN, 259-260
AnyConnect VPN Client, 300
client mode, 296
clientless mode, 296
compatibility, 297
disadvantages of, 296
IPsec VPN versus, 301-302
troubleshooting, Step-by-Step Setup mode (Site-to-Site VPN Wizard), 335-336
V3PN, 298
VAC+, 300
VoIP, 416-417
VPN Software Client, 300
Web VPN, 299
VPN 3002 Hardware Client, 300
VPN Software Client, 300
VPN Wizard (SDM), 110
VSAN (Virtual Storage Area Networks), 409
vulnerabilities, categories of, 30
VVLAN (Voice VLANs), 415
warm site backups, 61
web resources
cryptography, 505
network security
policies, 503
practices, 504
Web VPN (Virtual Private Networks), 299
white hat hackers, 31
wildcard masks, 214
Windows, Secure ACS installation requirements, 124
wizards
Basic Firewall Wizard (SDM), ZPF configuration, 224-233
Firewall and ACL Wizard (SDM), 110
Interface and Connection Wizard (SDM), 110
Intrusion Prevention Wizard (SDM), 111
IPS Policies Wizard, 367, 369-370
IPS Rule Wizard, 367
NAC Wizard (SDM), 111
NAT Wizard (SDM), 111
Quality of Service Wizard (SDM), 111
Routing Wizard (SDM), 111
Security Audit Wizard (SDM), 111
Cisco AutoSecure feature versus, 178-179
One-Step Lockdown feature, 172, 176
Perform Security Audit button, 173
Security Audit Interface Configuration page, 174
Security Audit report window, 174-175
Site-to-Site VPN Wizard
Quick Setup mode, 325-326, 329
Step-by-Step Setup mode, 329-336
smart wizards (SDM), list of, 110-111
VPN Wizard (SDM), 110
worms
endpoint security, 399-402
five p’s of worm attacks, 402
write mem command, 99
WWN (World Wide Names), 409
X.509 v3 standard, PKI, 281
zoning, SAN, 410
ZPF (Zone-based Policy Firewalls), 218
ACL, 220
actions of, 221
advantages of, 220
Basic Firewall Wizard (SDM), configuring via, 224-233
configuring, 219
features of, 221
manual configuration via SDM, 233
class map creation, 235
policy map creation, 236
zone creation, 234
zone pair creation, 237
monitoring, 238-240
zone behavior in, 221
traffic destined to routers, 223
traffic flowing through routers, 222
traffic originating from routers, 223
zone pairs, creating for, 237