
2 Objectives
Upon completion of this module, you will be able to perform the following tasks:
Describe the features and functionality of the Cisco Low End Routers and how they meet the customer requirements.
Describe the features and functionality of the Cisco Low End Switches and how they meet the customer requirements.
Configure the security features for the Cisco 1841 Router and Cisco Express 500 Switch in order to help SMBs protect their sensitive data and applications.
Discuss the best practices related to security using Cisco Routers and Switches and how Cisco Resellers stand as a value proposition for the security of their customers' businesses.
Slide 1 of 2. Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 have a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl are different from the The Catalyst 5000 family has no Cisco IOS CLI and uses the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

3 Cisco Network Security

4 Network Security Definition
Steps that are taken to protect network resources and services from unauthorized actions, including:
Destruction of data
Information theft
Network disruption
Security breaches result in:
Recovery costs
Legal liability
Lost revenue
Reduced customer satisfaction

5 The Security Wheel
Security is a strategy, not a product. No single device or solution can protect a network against a changing variety of threats.
Security is a process:
Developing a policy
Securing the network
Monitoring for and responding to threats
Testing for vulnerabilities
Making improvements as needed

6 Using Cisco Router and Security Device Manager

7 What Is Cisco SDM?
Embedded web-based management tool.
Provides intelligent wizards to enable quicker and easier deployments; does not require knowledge of the Cisco IOS CLI or security expertise.
Tools for more advanced users: ACL editor, VPN crypto map editor, Cisco IOS CLI preview.
What is Security Device Manager (SDM)? SDM is an easy-to-use, browser-based device management tool that is embedded within the Cisco IOS 800 – 3700 Series access routers at no cost. It simplifies router and security configuration through intelligent wizards that let customers and partners quickly and easily deploy, configure and monitor a Cisco access router. SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design but have little or no experience with the IOS command-line interface (CLI) and may not be security experts. SDM is also useful for advanced users: it has a number of time-saving tools, such as the ACL editor, VPN crypto map editor, IOS CLI preview, and many more.

8 Cisco SDM Files
The sdm-v10.zip file contains the following files:
sdm.tar
home.html
home.shtml
home.tar
ips.tar
attack-drop.sdf
sdmconfig-xxxx.cfg: enables the HTTP server, enables SSH/Telnet, and provides a default credential (username and password). This is the default configuration file specific to the router series, for example sdmconfig-18xx.cfg.

9 Installing Cisco SDM
Task 1: Download the Cisco SDM files and a Cisco IOS image to a TFTP server.
Task 2: Configure your router to support Cisco SDM.
Task 3: Copy the Cisco SDM files to the router.
Task 4: Start Cisco SDM.
Requires a minimum of 5.3 MB extra (available) router flash memory.
When you install SDM on an existing router, use the “Downloading and Installing Cisco Security Device Manager (SDM) Version 1.0” document. It has important information that you need to know and procedures to follow. First follow the procedure for your specific router to download the SDM files. There are two procedures: one for the Cisco 1700, 2600, 3600, or 3700 Series Routers, and one for the Cisco 831, 836, or 837 Routers. The latter is different because those routers have the Cisco Router Web Setup Tool (CRWS) as the default device manager; refer to the “Switching Between Cisco Security Device Manager (SDM) and Cisco Router Web Setup Tool (CRWS) on Cisco 83x Series Routers” document. Once you download the SDM files, there are two processes to replace the router configuration in flash. “Modify Your Existing Configuration File” retains your existing configuration. The “Default Configuration File” procedure is for a router that is not already configured, where you want to start from a fresh default configuration file. SDM requires approximately 2.3 MB of free Flash memory.

10 Router Administration Using Cisco SDM
Cisco SDM is used for configuring, managing, and monitoring a single Cisco access router.
Cisco SDM allows multiple concurrent users to be logged in. It is not recommended that multiple users use Cisco SDM to modify the configuration at the same time.
You can use Cisco SDM or CLI commands or both:
Use CLI commands for features not supported by SDM.
Use Cisco SDM to configure security policies on unsupported interfaces.
SDM is a tool for configuring, managing and monitoring a single Cisco access router. Each Cisco access router is accessible by its own copy of SDM, which is located in the router's flash memory. A common scenario that SDM supports is one user monitoring the router while another user modifies its configuration. It is NOT recommended that multiple users use SDM to modify the configuration at the same time: although SDM permits this scenario, it does not assure consistent or predictable results. Users have the flexibility to configure the router with both SDM and the CLI. Since the SDM user interface does not support all of the IOS functionality (for example QoS), you can augment the SDM-generated configuration with CLI commands. For unsupported interfaces, such as ISDN interfaces, SDM automatically detects whether the interface supports security features such as firewalls, crypto maps, and NAT. If the security features are supported, users can use SDM to configure them on the unsupported interface. However, the user will still need to configure the unsupported interface's own parameters directly through the CLI.

11 Accessing Cisco SDM for the First Time
Accessing Cisco SDM on a factory-fresh router with SDM installed:
Connect the PC to the lowest LAN Ethernet port of the router, using a crossover cable.
Use a static IP address for the PC: ( / ).
Launch a supported browser. The default URL to access Cisco SDM is https://
The Cisco SDM default login is: Username: sdm Password: sdm
Use the following process when you access SDM for the first time. This assumes either an out-of-box router with SDM installed, or a default SDM configuration loaded into flash. Connect a PC to the router's lowest LAN Ethernet port using a crossover cable. Assign a static IP address to the PC; it's recommended to use with subnet mask. Launch a supported browser and use the URL https:// /flash/sdm.shtml. You will be prompted to log in. Use the SDM default login: Username sdm, Password sdm.

12 Startup Wizard: Basic Configuration, Change Default Username and Password
Step 2: Enter the router hostname and domain name here. These fields are optional, but it is recommended that you change them. The user must enter a new enable secret password with a minimum length of 6 characters. The wizard will not allow you to proceed until a valid password is entered and re-entered. Click Next to proceed.
Step 3: On this page, the user must change the SDM default username (which is sdm) and password (sdm).

13 Startup Wizard: LAN Interface Configuration
These next two steps are optional, meaning the wizard will accept the defaults.
Step 4: Enter the IP address for the interface that will be connected to the LAN network. Click Next.
Step 5: You can configure the router as a DHCP server here. For 8xx routers, the checkbox is turned on by default. When you check this box, it allows the router to assign private IP addresses to devices on the LAN. You must then enter a start and end address for the DHCP pool. The address pool must be based on the LAN IP address that you entered in the previous step.

14 Startup Wizard: DHCP Server Configuration

15 Startup Wizard: DNS Configuration
These steps are also optional.
Step 6: You can specify the primary and secondary DNS servers here. DNS translates names of network nodes into addresses.
Step 7: SDM lets you disable some features that are on by default in Cisco IOS. These features, when enabled, can create security risks or use up available memory in the router. You should leave the boxes checked unless you know that your requirements are different. If you later decide to enable a feature listed here, you can use the Advanced mode to re-enable it. The first checked box disables SNMP services on your router. The second checked box disables services that are considered security risks; examples include the Finger service, TCP and UDP small servers, CDP, and others. The third checked box enables services for enhanced security on the router and network; examples include setting the TCP synwait time, enabling logging, enabling the firewall on all outside interfaces, and others. The fourth checked box enables enhanced security on router access; this includes VTY and telnet access settings, passwords and parameters, banner settings, and others. The last checked box enables password encryption.

16 Startup Wizard: Security Configuration

17 Startup Wizard: Configuration Delivery
Step 9: Informs you of the new IP address that must be used to reconnect to the router and re-launch SDM. I have it outlined in red on the screen. Click Finish to start the configuration delivery to the router flash.
Step 10: Once the configuration is delivered, the OK button is enabled. When you click OK, SDM shuts down and you lose your connection. Use the new IP address to access SDM for further configuration.

18 Accessing Cisco SDM: Ongoing
Already configured router with Cisco SDM installed:
Use a LAN/WAN connection.
Manage the router using either HTTP or HTTPS with https://<router IP address>/.
To access SDM on an ongoing basis, use either http: or https: followed by the router IP address and “/flash/sdm.shtml”, as shown on the screen. When you enter https, it specifies that the Secure Socket Layer (SSL) protocol be used for a secure connection; if SSL is not available, use http:. Once you have your WAN interface configured, you can access SDM through a LAN or WAN interface.
Note: https:// specifies that SSL be used for a secure connection; http:// can be used if SSL is not available.

19 Cisco SDM: Startup Troubleshooting
Browser problem? Enable Java and JavaScript in the browser. Disable popup blockers or unsupported Java plug-ins on the PC.
Router not allowing access? Ensure that the HTTP server is enabled on the router. Ensure that the PC is not blocked on the interface by a firewall ACL. SDM requires HTTP/HTTPS and SSH/Telnet, or SSH/Telnet and RCP, access to the router. Open specific addresses/ports in the ACL editor in Advanced mode.
Cisco SDM installed? Access it with https://<router IP address>/flash/sdm.shtml. Enter the CLI show flash command.
If you are having problems getting SDM to work, here are some troubleshooting tips. First determine whether it is a browser problem. If so, make sure Java and JavaScript are enabled in the browser. Disable popup blockers on the PC; SDM needs popups. Disable unsupported Java plug-ins from the Control Panel. Is the router not allowing access? Remember that certain configuration settings are required for SDM to work. Did you use the provided default configuration, or did you use an existing router configuration? Ensure the HTTP server is enabled on the router; if it isn't, most likely other SDM settings are not set correctly either. Refer to the “Downloading and Installing Cisco SDM” document for the required settings. Did SDM access work before, but now it doesn't? Ensure your PC is not blocked by an ACL. Remember that SDM requires HTTP, SSH, telnet and/or RCP access to the router, which could have been inadvertently disabled in a security lockdown. Don't forget the obvious: is SDM installed? The quickest way to determine this is to try to access https://<router IP address>/flash/sdm.shtml. Look at the router flash memory and make sure the required SDM files are present; enter the CLI command show flash.

20 Cisco SDM Main Window Layout and Navigation
(Screen callouts: Menu Bar, Toolbar, Router Information, Configuration Overview)
When SDM is launched, it reads the existing router configuration; you will see a message stating this. Then it presents the features that it supports as available for configuration through SDM. At the top of the screen you will see the typical menu bar with File, View, Edit, Tools and Help. Below that is the SDM toolbar, where you select the SDM wizards and modes. On the left side under the toolbar, the current mode is displayed. The menu, toolbar, and current mode are always displayed at the top of each screen; the other parts of the screen change based on the mode and function you are performing. The far left panel is the Category Bar, which changes with the options available in the current mode. When you log in, the first page displayed is the Overview page. It gives you a summary of the router: the router model, total amount of memory and flash, IOS and SDM versions, the hardware installed, and a summary of some security features such as firewall status and the number of active VPN connections.

21 Cisco SDM Wizard Options
LAN configuration: Configure LAN interfaces and DHCP.
WAN configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
Firewall: Access two types of Firewall wizards: simple inside/outside, and advanced inside/outside/DMZ with multiple interfaces.
VPN: Access three types of VPN wizards: secure site-to-site VPN, Cisco Easy VPN, and GRE tunnel with IPSec VPN.
Security Audit: Perform a router security audit, with a button for router lockdown.
IPS: Intrusion Prevention System.
QoS: Quality of Service.
To configure a firewall on the router, the Cisco IOS image must first support the Firewall feature set. The SDM Firewall contains two wizards that enable you to create a firewall for your LAN by answering prompts in a set of screens; SDM builds your firewall based on your selections. To start, click the Firewall wizard icon in the left pane and this window appears. Select the type of firewall that you want to create. There are two types of Firewall Wizards:
Basic Firewall: click this if you want SDM to create a firewall using SDM default rules. This one-step firewall wizard configures only one outside interface and one or more inside interfaces. It does not support configuring a DMZ or custom inspection rules. The use case scenario on the right shows a typical network configuration for this type of firewall. This basic firewall is good for a telecommuter or SOHO scenario.
Advanced Firewall: click this if you want SDM to lead you through the steps of configuring a firewall with a DMZ interface. This wizard allows you to configure the router to connect to the Internet and to make hosts off a DMZ interface accessible to outside users. This wizard also lets you specify an inspection rule for the firewall.
Once you have selected the firewall type, click “Launch the Selected Task” to begin.

22 Cisco Secure Access Control Server for Windows Server

23 Cisco Secure ACS for Windows Server: General Features
(Figure: a NAS speaking PAP, CHAP and MS-CHAP toward users, and TACACS+ or RADIUS toward Cisco Secure ACS for Windows Server)
Uses TACACS+ or RADIUS between Cisco Secure ACS and the NAS.
Allows authentication against the Windows 2000 user database, the Cisco Secure ACS user database, a token server, or other external databases.
Supports PAP, CHAP, and MS-CHAP authentication on the NAS.

24 Cisco Secure ACS for Windows Server: ACS User Database
(Figure: NAS 1, NAS 2 and NAS 3 authenticating against the Cisco Secure ACS User Database)

25 Cisco Secure ACS for Windows Server: External User Databases
(Figure: NAS 1, NAS 2 and NAS 3 authenticating through the ACS User Database to an External User Database)

26 Administering Cisco Secure ACS for Windows Server

27 TACACS+ Security Server
TACACS+ Overview (Figure: Remote User over PSTN/ISDN to a NAS acting as TACACS+ client, with the TACACS+ Security Server on the Corporate Network)
TCP
Supports AAA
Encrypts the entire body
LAN and WAN security
RCMD, PPP, ARA, and NASI
Supports PAP, CHAP, and MS-CHAP
Router command authorization
Blocks specific ports

28 RADIUS Background
RADIUS was developed by Livingston Enterprises, now part of Lucent Technologies. It contains a:
Protocol with a frame format that uses UDP
Server
Client

29 Enable AAA Using SDM
1. Create a local user with privilege level 15

30 Enable AAA Using SDM (Cont.)
2. Enable AAA on the router

31 Enable AAA Using SDM (Cont.)

32 Define AAA Servers Using SDM

33 Define AAA Servers Using SDM

34 Define AAA Servers Using SDM

35 Lab Exercise
Create a user with name CTTAdmin
Assign the password cisco
Enable AAA on the router
Create a RADIUS Server with Address
Create a TACACS+ Server with Address
© 2005 Cisco Systems, Inc. All rights reserved. SNRS v1.0—7-35

36 Authentication Using AAA Servers (Cont.)

37 Authentication Using AAA Servers (Cont.)

38 Configure VTY Access for AAA Authentication
No default vty access

39 Lab Exercise
Change the default authentication method from Local to Group RADIUS as method 1 and Local as method 2.
Configure VTY access to permit telnet access.
Connect to the terminal server and telnet to the router Rx.
Log in with the user ISAdminp.
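The method order in this exercise matters because Cisco IOS consults the next method in a list only when the previous method returns an error (no RADIUS server answered), not when it rejects the credentials. The following Python model is an added example, not Cisco code; the user names and passwords are the constructed lab values from these slides, and the RADIUS reachability flag is a simplification of real server timeouts.

```python
from typing import Callable, Dict, List, Tuple

# Result codes in the sense of an IOS AAA method list.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

Method = Callable[[str, str], str]


def radius_group(reachable: bool, users: Dict[str, str]) -> Method:
    """'group radius': ERROR if no server in the group answers, otherwise
    the server's own PASS/FAIL verdict."""
    def method(username: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if users.get(username) == password else FAIL
    return method


def local_db(users: Dict[str, str]) -> Method:
    """'local': the router's own username database, answering PASS or FAIL."""
    def method(username: str, password: str) -> str:
        return PASS if users.get(username) == password else FAIL
    return method


def authenticate(method_list: List[Method], username: str, password: str) -> Tuple[str, int]:
    """Try the methods in order. Only an ERROR moves on to the next method;
    a FAIL is final. Returns (result, index of the deciding method or -1)."""
    for index, method in enumerate(method_list):
        result = method(username, password)
        if result != ERROR:
            return result, index
    return ERROR, -1          # every method errored: the login is refused


# Constructed sample databases (lab values from the slides, not real credentials).
RADIUS_USERS = {"ISAdminp": "radius-secret"}
LOCAL_USERS = {"CTTAdmin": "cisco"}


def scenarios() -> Dict[str, Tuple[str, int]]:
    """'aaa authentication login default group radius local' with the
    RADIUS server up and down."""
    up = [radius_group(True, RADIUS_USERS), local_db(LOCAL_USERS)]
    down = [radius_group(False, RADIUS_USERS), local_db(LOCAL_USERS)]
    return {
        "server_up_radius_user": authenticate(up, "ISAdminp", "radius-secret"),
        # RADIUS is reachable and rejects the user: no fallback to local.
        "server_up_local_only_user": authenticate(up, "CTTAdmin", "cisco"),
        # RADIUS unreachable: the local database decides.
        "server_down_local_user": authenticate(down, "CTTAdmin", "cisco"),
        "server_down_unknown": authenticate(down, "nobody", "x"),
    }


if __name__ == "__main__":
    for name, (result, index) in scenarios().items():
        print(f"{name:28s} -> {result} (method {index})")
```

The second scenario is the one that surprises people: a local account does not work as a backdoor while the RADIUS group is reachable.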

40 Managing IP Traffic with ACLs

41 Why Use ACLs?
Manage IP traffic as network access grows.
Filter packets as they pass through the router.
Layer 2 of 2. Emphasize: An access list is a mechanism for identifying particular traffic. One application of an access list is filtering traffic into or out of a router interface.

42 Types of ACLs
Standard ACL: checks the source address; generally permits or denies an entire protocol suite.
Extended ACL: checks the source and destination address; generally permits or denies specific protocols.
Layer 3 of 3. Purpose: Describe an inbound versus outbound access list on an interface.

43 How to Identify ACLs
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists ( ) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists ( ) (expanded range).
Extended IP lists ( ) (expanded range).
Other ACL number ranges test conditions for other networking protocols.
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).
Layer 3 of 3. Emphasize: Layer 3 adds the Novell IPX access lists covered in Chapter 11, “Configuring Novell IPX,” and the number ranges for these types of access lists. As of Release (F), IPX also supports named access lists. Point out that number ranges generally allow 100 different access lists per type of protocol. When a given hundred-number range designates a standard access list, the rule is that the next hundred-number range is for extended access lists for that protocol. Exceptions to the numbering classification scheme include AppleTalk and DECnet, where the same number range can identify various access list types. For the most part, number ranges do not overlap between different protocols. Note: With Cisco IOS 12.0, the IP access-list range has been expanded to also include: < > IP standard access list (expanded range); < > IP extended access list (expanded range).

44 A List of Tests: Deny or Permit
Layer 4 of 4. Purpose: Shows the implicit “deny all.” Emphasize: Describe the final access list test, which matches any packets not covered by earlier access list statements. All remaining packets match the “implicit deny” and are discarded into the bit bucket.

45 Wildcard Bits: How to Check the Corresponding Address Bits
Wildcard is like the DOS “*” character.
0 means check the value of the corresponding address bit.
1 means ignore the value of the corresponding address bit.
Purpose: This graphic describes the binary wildcard masking process. Emphasize: Introduce the wildcard bit process. Tell students that the wildcard bit matching process is different from the IP subnet addressing mask covered earlier. Illustrate how wildcard masking works using the examples shown in the graphic table. The term wildcard masking is a nickname for this access list mask-bit-matching process; the nickname comes from an analogy with a wildcard that matches any other card in a poker game. Emphasize the contrast between wildcard masks and subnet masks, stated in the Student Guide note. The confusion over wildcard and subnet masks can be a key obstacle to learning if students fail to understand the different uses of binary 0 and binary 1 in the two mask types. Point out that the 1 bits in a wildcard mask need not be contiguous, while the 1 bits in a subnet mask must be contiguous.

46 Wildcard Bits to Match a Specific IP Host Address
Check all of the address bits (match all).
Verify an IP host address, for example:
Purpose: This graphic shows students how to use the host abbreviation in the extended access list wildcard mask. Emphasize: This abbreviation means check the bit value in all bit positions, which has the effect of matching only the specified IP host address. checks all of the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host ).

47 Wildcard Bits to Match Any IP Address
Test conditions: Ignore all the address bits (match any).
An IP host address, for example:
Accept any address: any
Abbreviate the expression with the keyword “any”.
Purpose: This graphic shows students how to use the wildcard any abbreviation. Emphasize: This abbreviation means ignore any bit value in all bit positions, which has the effect of matching anything in all bit positions.

48 ACL Configuration Guidelines
ACL numbers indicate which protocol is filtered.
One ACL per interface, per protocol, per direction is allowed.
The order of ACL statements controls testing: the most restrictive statements go at the top of the list.
The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement.
ACLs must be created before applying them to interfaces.
ACLs filter traffic going through the router; they do not filter traffic originating from the router.

49 ACL Configuration Guidelines
The order of ACL statements is crucial. Recommended: use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
Top-down processing is important: place the more specific test statements first.
Statements cannot be rearranged or removed. Use the no access-list number command to remove the entire ACL. Exception: named ACLs permit removal of individual statements.
The implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.
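To make the wildcard-mask rules, the host/any abbreviations, top-down first-match processing and the implicit deny concrete, here is an added Python model of standard and extended numbered ACL evaluation. It is example code written for this page, not Cisco's; the list number 102, the addresses and the port numbers in SAMPLE_ACL are constructed sample values, and only the eq port operator is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'check this address bit',
    a 1 bit means 'ignore it'. The 1 bits need not be contiguous."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    check = ~w & 0xFFFFFFFF            # bit positions that must be compared
    return (a & check) == (b & check)


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None     # only 'eq <port>' is modelled
    dst_port: Optional[int] = None


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1].replace(".", "").isdigit():
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1      # bare address: IOS assumes wildcard 0.0.0.0


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <number> permit|deny ...' statement."""
    t = line.lower().split()
    if t[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:              # standard list: source address only
        src, src_wc, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    proto = t[3]                       # extended list: protocol, source, destination
    src, src_wc, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, dst_wc, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Entry(action, proto, src, src_wc, dst, dst_wc, sport, dport)


def build_acl(lines: List[str]) -> List[Entry]:
    """Statements keep the order they were entered: that order controls testing."""
    return [parse_entry(l) for l in lines if l.strip()]


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny (implicit)"


# Constructed sample list: the specific deny for one host sits above the broader
# permit for its subnet, as the guidelines require; the last statement mirrors the
# telnet return entry on the CBAC slide with sample addresses filled in.
SAMPLE_ACL = build_acl([
    "access-list 102 deny   tcp host 10.1.1.99 any eq 23",
    "access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 23",
    "access-list 102 permit tcp host 10.1.1.1 eq 23 host 192.168.1.10 eq 2447",
])


def sample_decisions() -> dict:
    """Decisions the sample list produces for a few constructed packets."""
    return {
        "blocked_host": evaluate(SAMPLE_ACL, "tcp", "10.1.1.99", "192.168.1.1", 40000, 23),
        "subnet_telnet": evaluate(SAMPLE_ACL, "tcp", "10.1.1.5", "192.168.1.1", 40000, 23),
        "cbac_return": evaluate(SAMPLE_ACL, "tcp", "10.1.1.1", "192.168.1.10", 23, 2447),
        "udp_dns": evaluate(SAMPLE_ACL, "udp", "10.1.1.5", "192.168.1.1", 40000, 53),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:14s} -> {decision}")
```

Swapping the first two statements in SAMPLE_ACL is the classic ordering mistake: the subnet permit would then match the blocked host first and the deny would never be reached.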

50 ACL Configuration

51 ACL Configuration (Cont.)

52 ACL Configuration (Cont.)

53 Lab Exercise
Create an ACL that denies telnet traffic into the router from the AAA Server.
Connect to the AAA Server using remote desktop.
Test your ACL from the AAA Server.

54 Cisco IOS Firewall

55 The Cisco IOS Firewall Feature Set
The Cisco IOS Firewall contains the following three main features:
Context-based Access Control (CBAC)
Authentication proxy
Intrusion Prevention System

56 Cisco IOS Firewall CBAC
(Figure: TCP and UDP sessions between the LAN and the Internet through the firewall)
Packets entering the firewall are inspected by CBAC if they are not specifically denied by an ACL.
CBAC permits or denies specified TCP and UDP traffic through a firewall.
A state table is maintained with session information.
ACLs are dynamically created or deleted.
CBAC protects against DoS attacks.

57 Cisco IOS Firewall Authentication Proxy
HTTP, HTTPS, FTP, and Telnet authentication.
Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols.

58 Cisco IOS Firewall Intrusion Prevention System
(Figure: TCP and UDP traffic from the Internet passing through the inline sensor)
Acts as an inline Cisco IOS intrusion prevention sensor. When a packet or packets match a signature, it can perform any of the following configurable actions:
Alarm: Send an alarm to a Security Device Manager or syslog server.
Drop: Drop the packet.
Reset: Send TCP resets to terminate the session.
Identifies 700+ common attacks.

59 How CBAC Works
1. Control traffic is inspected by the CBAC rule: ip inspect name FWRULE tcp (in the figure, a session from Port 2447 to Port 23).
2. CBAC creates a dynamic ACL allowing return traffic back through the firewall: access-list 102 permit TCP host eq 23 host eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and protects against application-specific attacks.
4. CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.
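The four steps above, modelled as a small stateful session table in Python. This is an added example, not Cisco code: the inspect rule is reduced to a set of protocol names, the addresses and the 2447-to-23 port pair are constructed to match the slide's figure, and an injectable clock stands in for the router's idle timer so the timeout case runs offline.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Flow:
    """One direction of a connection as the firewall sees it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class FakeClock:
    """Deterministic clock so idle timeouts can be demonstrated offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class CBAC:
    """Stateful inspection in the style of 'ip inspect name FWRULE tcp':
    outbound sessions of an inspected protocol get a dynamic return entry;
    inbound packets are admitted by that entry, by a static permit, or not at all."""

    def __init__(self, inspected: Set[str], clock: FakeClock, idle_timeout: float = 3600.0) -> None:
        self.inspected = inspected
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Flow, float] = {}     # outbound flow -> last activity time

    def _expire(self) -> None:
        # Step 4: sessions that idled past the timeout lose their dynamic entry.
        cutoff = self.clock.now - self.idle_timeout
        for flow in [f for f, seen in self.sessions.items() if seen < cutoff]:
            del self.sessions[flow]

    def outbound(self, flow: Flow) -> str:
        """Steps 1 and 2: inspect control traffic leaving the LAN and open the return path."""
        if flow.proto in self.inspected:
            self.sessions[flow] = self.clock.now
            return "permit (session created)"
        return "permit (not inspected, no return entry)"

    def inbound(self, flow: Flow, static_permit: bool = False) -> str:
        """Step 3: return traffic matches the dynamic entry; anything else falls
        back to the static inbound ACL, which denies unless a permit exists."""
        self._expire()
        session = flow.reverse()
        if session in self.sessions:
            self.sessions[session] = self.clock.now   # activity refreshes the idle timer
            return "permit (dynamic entry)"
        return "permit (static ACL)" if static_permit else "deny"

    def session_ended(self, flow: Flow) -> None:
        """Step 4: the application terminated, so its dynamic entry is removed."""
        self.sessions.pop(flow, None)


def demo() -> Dict[str, str]:
    """Constructed scenario: inside host 10.1.1.1 telnets to 192.168.1.10,
    using the slide's port pair 2447 -> 23."""
    clock = FakeClock()
    fw = CBAC(inspected={"tcp"}, clock=clock, idle_timeout=3600)
    telnet = Flow("tcp", "10.1.1.1", 2447, "192.168.1.10", 23)
    out = fw.outbound(telnet)
    reply = fw.inbound(telnet.reverse())
    unsolicited = fw.inbound(Flow("tcp", "192.168.1.10", 23, "10.1.1.1", 2448))
    clock.advance(3601)                        # idle past the timeout
    after_timeout = fw.inbound(telnet.reverse())
    fw.outbound(telnet)                        # new session, then the application closes it
    fw.session_ended(telnet)
    after_close = fw.inbound(telnet.reverse())
    return {"outbound": out, "reply": reply, "unsolicited": unsolicited,
            "after_timeout": after_timeout, "after_close": after_close}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} -> {decision}")
```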

60 Supported Protocols
TCP (single channel)
UDP (single channel)
RPC
FTP
TFTP
UNIX R-commands (such as rlogin, rexec, and rsh)
SMTP
HTTP (Java blocking)
ICMP
Java
SQL*Net
RTSP (such as Real Networks)
H.323 (such as NetMeeting, ProShare, CUseeMe)
Other multimedia: Microsoft NetShow, StreamWorks, VDOLive
SIP

61 Alerts and Audit Trails
CBAC generates real-time alerts and audit trails. Audit trail features use syslog to track all network transactions. With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

62 Firewall Wizard: Basic Firewall Interface Configuration
There are three basic steps in a One-Step Firewall.
Step 1 is an information screen; click Next to proceed.
Step 2: you specify the following. The inside (or trusted) interfaces, which connect to the LAN; you can select multiple interfaces. The outside (or untrusted) interface, which is connected to the Internet or to your organization's WAN. When making firewall settings, keep in mind which interface you are using to access SDM. If you select the interface through which you accessed SDM as the outside (untrusted) interface, you will lose your connection to SDM because that interface will then be protected by the firewall. This means you will not be able to launch SDM from the outside interface after the Firewall Wizard completes. A warning window reminds you of this possibility. If you inadvertently lock yourself out, you will need to go in through the console and modify the firewall access lists before you can log into SDM again. The third setting is the access rule log option: check this box if you want to log all failed network access attempts caused by unauthorized users or protocols that are specified in the firewall access rules. Click Next to proceed.

63 Firewall Wizard: One-Step Firewall Configuration Summary
This screen summarizes the firewall information. You can review the information by using the Back button to return to screens in the wizard and make changes. SDM lists the router's interfaces that you designated in this wizard session, along with their IP addresses. SDM describes in English, rather than CLI syntax, the access and inspection rules that will be associated with these interfaces if these changes are applied. Read your firewall wizard summary screen to confirm the settings are what you want. At the bottom of the screen, you can also select to save this configuration to the router's startup config. Click Finish to complete the wizard. You can later view and change any of these settings in the Advanced mode; I will point these out later.

64 Advanced Firewall Wizard: Interface Configuration
To create an advanced firewall, I will only cover what's different. In step 2, the Advanced Firewall Interface screen adds a DMZ interface field; I have it highlighted in red. Select the router interface that connects to a DMZ network, if one exists. Click Next.

65 Advanced Firewall Wizard: DMZ Service Configuration
Step 3 is where you specify which services available inside the DMZ will be made available through the router's outside interfaces. Click Add to begin.
Step 4: the DMZ service configuration window appears. Configure the DMZ network hosts by specifying the address range with a first and last IP address; to specify an individual host address, do not enter a last IP address. For Service, click either TCP or UDP if you want to allow traffic for one of those services. Next you assign the service for TCP or UDP by clicking the button with the … on the right.
Step 5: the service window opens. In this example the customer wants to allow the TCP service smtp, so smtp would be selected, followed by OK. All selections are then propagated to the DMZ service configuration window. Continue adding all the services desired for the DMZ, again starting with the step 3 window. When complete, click Next.

66 Advanced Firewall Wizard: Configure Inspection Rules
Step 6. Create CBAC inspection rules to allow specific return traffic onto the network. These rules cause the router to examine outgoing packets for the specified types of traffic. Traffic arriving at the outside interface is compared against the traffic types in the inspection rule and is allowed onto the network only if it belongs to a session that was started on the LAN and is of a type specified in the inspection rule; replies for a protocol that is not in the rule are dropped by the outside interface's access list. You can use the SDM default inspection rule, which covers common traffic types and by default generates alerts but does not keep an audit trail for this traffic, or click Add and build a new inspection rule. When you're done creating the inspection rule, click Next. If you decide later to change the inspection rules, use the Advanced mode Rules option. As I mentioned before, SDM has intelligence built into it: if a VPN configuration exists, the firewall wizard takes it into consideration when it creates the firewall, so as not to block valid VPN users. In step 7 the firewall configuration summary appears. The inspection rule is applied to the inside interface in the inbound direction and also to the DMZ interface in the outbound direction. Click Finish to deliver the configuration to the router.
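To make the inspection behaviour concrete, here is a small model of what an inspection rule does, written for this page as an added example; it is not SDM or Cisco IOS code. The service table, the Packet type and the class and method names are this example's own, and the packets are constructed. The point it shows is the one that bites in practice: a protocol that is not named in the inspection rule is still forwarded outbound, but its replies are dropped at the outside interface because no session was recorded for them.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Service names as they appear in an inspection rule ("ip inspect name FW http")
# mapped to the protocol and port CBAC watches for. Constructed table for this
# example; it is not SDM's default inspection rule.
SERVICES: Dict[str, Tuple[str, int]] = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "smtp": ("tcp", 25),
    "dns": ("udp", 53),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# A session is remembered by the 5-tuple seen leaving through the inside interface.
SessionKey = Tuple[str, str, int, str, int]


class CbacModel:
    """Inspection rule applied inbound on the inside interface; the outside
    interface ACL denies everything that is not return traffic of a session."""

    def __init__(self, inspect_rule: Set[str]) -> None:
        self.watch = {SERVICES[name] for name in inspect_rule}
        self.sessions: Set[SessionKey] = set()

    def inside_in(self, pkt: Packet) -> str:
        """Packet entering the inside interface (LAN toward the Internet)."""
        if (pkt.proto, pkt.dport) in self.watch:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forwarded, session recorded"
        # Traffic not named in the rule is forwarded but leaves no state,
        # so its replies will be dropped by the outside ACL.
        return "forwarded, not inspected"

    def outside_in(self, pkt: Packet) -> str:
        """Packet entering the outside interface (Internet toward the LAN)."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permitted, return traffic of an inspected session"
        return "denied by outside ACL"

    def session_closed(self, pkt: Packet) -> None:
        """Forget a session once its originator has finished (TCP FIN/RST, or idle timeout)."""
        self.sessions.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def demo() -> list:
    """Walk a few constructed packets through the model and collect the verdicts."""
    fw = CbacModel({"http", "dns"})
    lan, web, stranger = "10.1.1.10", "203.0.113.5", "198.51.100.7"
    return [
        fw.inside_in(Packet("tcp", lan, 40000, web, 80)),        # HTTP out
        fw.outside_in(Packet("tcp", web, 80, lan, 40000)),       # HTTP reply
        fw.outside_in(Packet("tcp", stranger, 12345, lan, 22)),  # unsolicited SSH
        fw.inside_in(Packet("tcp", lan, 40001, web, 22)),        # SSH out, not in rule
        fw.outside_in(Packet("tcp", web, 22, lan, 40001)),       # its reply is dropped
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two verdicts are the case to remember when a user reports that "the firewall broke" some application: add the protocol to the inspection rule rather than punching a static hole in the outside ACL.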

67 Configuring IPS Using SDM
Enable Cisco IOS IPS with a Factory Default SDF Using Cisco SDM

68 IPS Policies Wizard: Welcome

69 IPS Wizard: Interfaces Window

70 IPS Wizard: SDF Locations

71 IPS Wizard: Signature Configuration
Configuration Delivery and Signature Compilation Status

72 IPS Wizard: Signature List

73 IPS Wizard: Global Settings

74 VPN Wizard: Main Window
You can let SDM guide you through a simple VPN configuration by clicking the VPN icon in the Wizard Mode. Select one of the three VPN wizards: Create a Site-to-Site VPN with Pre-shared Keys, which connects two routers; Create an Easy VPN Remote Client, which configures a connection to a VPN server or concentrator (this only supports the Easy VPN Remote Phase II feature); or Create a Secure GRE Tunnel over IPSec between your router and a peer system. The Use Case Scenario is displayed for the wizard selected. Click the desired wizard and then click Launch the selected task to begin configuration. In this scenario I will describe how to create a Site-to-Site VPN with Pre-shared Keys.

75 VPN Wizard
There are two choices: Quick Setup and the Step by Step Wizard.
Quick Setup is used between two Cisco routers using SDM-generated defaults. It uses a default Internet Key Exchange (IKE) policy for authentication, a default transform set to control the encryption of data, and a default IPSec rule that will encrypt all traffic between the router and the remote device. Quick Setup is best used when both the local router and the remote system are Cisco routers using SDM. You can view the default IKE settings by selecting View Defaults. The Step by Step Wizard provides more configuration flexibility; you can create IKE policies as part of this wizard. In this example I will use the Quick Setup option with the SDM default IKE policy.

76 VPN Wizard: VPN Connection Configuration
In this screen, select the existing interface that will be used for this VPN tunnel. Identify the remote VPN peer by entering the peer's IP address or host name. Both sides must agree on the pre-shared key that is used to authenticate each other. The key can be up to 128 characters with any combination of letters and numbers, but question marks (?) and spaces are not allowed. Choose a long, random key and do not reuse it across peers. Enter and re-enter the key; it is displayed as asterisks to protect its secrecy. Under "Protect all traffic between the following subnets", select the source (inside) interface that will be used for traffic on this VPN connection. For the destination, enter the remote IP addresses that will be permitted to enter this tunnel; you can enter a specific remote subnet as the destination, or select all destinations as permitted to enter the tunnel. SDM creates an access list that permits IP traffic between the source and destination based on the values you just entered on this page. Click Next.

77 Security Audit: Overview
The Security Audit feature compares the router configuration against a predefined checklist of "best practice" settings drawn from ICSA and Cisco TAC recommendations. Examples of the audit include, but are not limited to, the following:
- Shut down unneeded servers on the router (BOOTP, finger, TCP/UDP small servers).
- Shut down unneeded services on the router (CDP, ip source-route, ip classless).
- Apply a firewall to the outside interfaces.
- Disable SNMP, or enable it only with hard-to-guess community strings.
- Shut down unused interfaces, and disable proxy ARP (no ip proxy-arp) on the interfaces that stay up.
- Force passwords for the router console and vty lines.
- Force an enable secret password.
- Enforce the use of access lists.

78 Security Audit Click the Security Audit mode to begin.
Next, it will ask you which interfaces are inside and outside before beginning the audit (not shown here). The Security Audit wizard then tests your router configuration to determine which possible security vulnerabilities may exist. A screen showing the progress of this action appears, listing all of the configuration options being tested for and whether or not the current router configuration passes those tests. Vulnerable items found are marked in red. Click Close.

79 Security Audit: Fix Security Problems
Now the Security Audit Report Card screen appears, showing a list of possible security problems. Check the "Fix it" boxes next to any problems that you want SDM to fix. For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description; a help page about that problem is displayed. You can also click "Fix all" at the top to have SDM secure every vulnerability it found with its "best practice" solution. Additional screens may appear requiring your input, such as entering a password. Warnings also appear where a fix would secure the router so completely that no one could get in, including you. For example, by default it will "Set Access Class on HTTP Server Service" for the inside interfaces only, which prevents you from reaching SDM remotely across the WAN. So pay special attention to the warning screens; you can choose to permit or deny individual settings.
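The checklist from the Security Audit overview and the "Fix it" / "Fix all" behaviour of the Report Card are easy to reproduce for a configuration you have offline, which is useful when you want to audit many routers or a saved backup without SDM. The script below is an added example written for this page, not SDM's own audit code; the sample running-config is constructed, and the treatment of defaults (CDP, the BOOTP server, source routing and proxy ARP are on in IOS unless the config explicitly turns them off, while finger and the small servers are flagged only when the config enables them) is this example's assumption. The placeholder values in angle brackets stand for the input SDM would prompt you for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config with several checklist weaknesses.
# It is not the configuration of any real device.
SAMPLE_CONFIG = """\
version 12.3
service tcp-small-servers
enable password cisco123
snmp-server community public RO
snmp-server community private RW
interface FastEthernet0/0
 description Outside
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
interface Serial0/0
 no ip address
line con 0
line vty 0 4
 login
"""

# Global checks: (finding, regex a config line must match, fix commands).
# Services IOS enables by default show nothing in the config, so they count as
# on unless an explicit "no ..." line is present (assumption, see lead-in).
MUST_BE_PRESENT: List[Tuple[str, str, List[str]]] = [
    ("CDP is running", r"^no cdp run$", ["no cdp run"]),
    ("BOOTP server is enabled", r"^no ip bootp server$", ["no ip bootp server"]),
    ("IP source routing is enabled", r"^no ip source-route$", ["no ip source-route"]),
    ("no enable secret configured", r"^enable secret ", ["enable secret <new-secret>"]),
]
MUST_BE_ABSENT: List[Tuple[str, str, List[str]]] = [
    ("finger service is enabled", r"^service finger$", ["no service finger"]),
    ("TCP small servers enabled", r"^service tcp-small-servers$", ["no service tcp-small-servers"]),
    ("UDP small servers enabled", r"^service udp-small-servers$", ["no service udp-small-servers"]),
]
GUESSABLE_COMMUNITIES = {"public", "private"}


def _sections(lines: List[str], prefix: str) -> List[Tuple[str, List[str]]]:
    """Return (header, indented body) for each 'interface ...' or 'line ...' section."""
    found = []
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                body.append(nxt.strip())
            found.append((line, body))
    return found


def audit(config: str) -> Dict[str, List[str]]:
    """Map each finding to the IOS commands that would fix it."""
    lines = config.splitlines()
    findings: Dict[str, List[str]] = {}
    for name, pattern, fix in MUST_BE_PRESENT:
        if not any(re.match(pattern, l) for l in lines):
            findings[name] = fix
    for name, pattern, fix in MUST_BE_ABSENT:
        if any(re.match(pattern, l) for l in lines):
            findings[name] = fix
    for l in lines:
        m = re.match(r"^snmp-server community (\S+)", l)
        if m and m.group(1).lower() in GUESSABLE_COMMUNITIES:
            findings[f"SNMP community '{m.group(1)}' is guessable"] = [f"no snmp-server community {m.group(1)}"]
    for header, body in _sections(lines, "interface "):
        name = header.split()[1]
        has_address = any(b.startswith("ip address ") for b in body)
        if not has_address and "shutdown" not in body:
            findings[f"unused interface {name} is not shut down"] = [header, " shutdown"]
        elif has_address and "no ip proxy-arp" not in body:
            findings[f"proxy ARP is enabled on {name}"] = [header, " no ip proxy-arp"]
    for header, body in _sections(lines, "line "):
        if not any(b.startswith(("password ", "login local", "login authentication")) for b in body):
            findings[f"{header} has no password or AAA login"] = [header, " password <line-password>", " login"]
    return findings


def fix_all(findings: Dict[str, List[str]]) -> List[str]:
    """Flatten the fixes into one command list, as SDM's 'Fix all' would deliver it."""
    return [cmd for fixes in findings.values() for cmd in fixes]


if __name__ == "__main__":
    for finding, fixes in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {' / '.join(fixes)}")
```

Before pushing the generated commands to a router, review them the same way you would review the Report Card: the vty and HTTP fixes in particular can lock you out if the management path is not permitted.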

80 Monitor Mode Overview
Interface Status
Firewall Status
VPN Status

81 Additional Tasks

82 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—7-82

83 Lab Exercise

84 Cisco IOS Firewall Authentication Proxy

85 What Is the Authentication Proxy?
HTTP, HTTPS, FTP, and Telnet authentication.
Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols.
Once authenticated, all types of application traffic can be authorized.
Works on any interface type for inbound or outbound traffic.
A new service called "auth-proxy" is added on the AAA server for a clean implementation of the user authorization configuration.
A separate authorization section for auth-proxy needs to be defined to specify the downloadable user profile.
A new attribute "proxyacl#<n>" is added for access lists, for auth-proxy-specific profile configuration.

86 Using the Authentication Proxy
Figure: client hosts behind the router, an AAA server, and web, FTP and Telnet servers reached across the Internet.

87 Authentication Proxy Configuration
Figure: a user on the outside and a user on the inside of the router; a web, FTP, or Telnet server; the AAA server.
For inbound proxy authentication: add an ACL to block inward traffic from the outside, then enable the authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the outside.
For outbound proxy authentication: add an ACL to block inward traffic from the inside, except from the AAA server, then enable the authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the inside.

88 Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.

89 Create a User Authorization Profile in the Cisco Secure ACS
Check auth-proxy. Check Custom attributes. Enter the ACLs to apply after the user authenticates, and the privilege level of the user (it must be 15 for all users):
proxyacl#1=permit tcp any any
priv-lvl=15

90 User Authorization Profiles
proxyacl#n=permit protocol any {any | host ip_addr | ip_addr wildcard_mask} [eq auth_service]
Defines the allowable protocols, services, and destination addresses. The source address is always any and is replaced in the router with the IP address of the host making the request.
priv-lvl=15
The privilege level must be set to 15 for all users.
Example profile:
proxyacl#1=permit tcp any any eq 443 (HTTPS)
proxyacl#2=permit icmp any host
proxyacl#3=permit tcp any any eq ftp
proxyacl#4=permit tcp any any eq smtp
proxyacl#5=permit tcp any any eq telnet
priv-lvl=15
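The two rules the profile slides state (the source must be the literal any, which the router replaces with the authenticated host's address, and priv-lvl must be 15) are worth checking before a profile is loaded into ACS, because a wrong profile fails only at login time. The script below is an added example written for this page, not Cisco IOS or ACS code: it parses a constructed profile using the attribute names the feature documents (proxyacl#n, priv-lvl), validates those rules, and produces the per-host entries the router installs for the user. The function names and the sample entries are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed ACS user profile for the auth-proxy service. The attribute names
# (proxyacl#n, priv-lvl) are the ones the feature uses; the entries are made up.
SAMPLE_PROFILE = [
    "priv-lvl=15",
    "proxyacl#1=permit tcp any any eq 443",
    "proxyacl#2=permit icmp any host 10.1.1.20",
    "proxyacl#3=permit tcp any any eq ftp",
]

# proxyacl#n=permit protocol any {any | host ip | ip wildcard} [eq service]
ATTR = re.compile(r"^proxyacl#(\d+)=(.*)$")
ACE = re.compile(r"^permit\s+(\S+)\s+any\s+(.+)$")   # source must be 'any'


def parse_profile(avpairs: List[str]) -> Tuple[int, Dict[int, str]]:
    """Split the downloaded AV pairs into the privilege level and the ACEs keyed by n."""
    priv = None
    aces: Dict[int, str] = {}
    for pair in avpairs:
        if pair.startswith("priv-lvl="):
            priv = int(pair.split("=", 1)[1])
            continue
        m = ATTR.match(pair)
        if m:
            n = int(m.group(1))
            if n in aces:
                raise ValueError(f"duplicate proxyacl#{n}")
            aces[n] = m.group(2).strip()
    if priv is None:
        raise ValueError("profile has no priv-lvl")
    return priv, aces


def expand(avpairs: List[str], client_ip: str) -> List[str]:
    """Turn the profile into the per-host ACEs installed once the user authenticates."""
    priv, aces = parse_profile(avpairs)
    if priv != 15:
        raise ValueError(f"priv-lvl must be 15 for auth-proxy users, got {priv}")
    if not aces:
        raise ValueError("profile has no proxyacl# entries")
    installed = []
    for n in sorted(aces):
        m = ACE.match(aces[n])
        if not m:
            raise ValueError(f"proxyacl#{n} must read 'permit <protocol> any <destination>': {aces[n]}")
        proto, dest = m.groups()
        # The literal 'any' source is replaced with the authenticated host.
        installed.append(f"permit {proto} host {client_ip} {dest}")
    return installed


if __name__ == "__main__":
    for ace in expand(SAMPLE_PROFILE, "10.1.1.50"):
        print(ace)
```

Run it against every auth-proxy profile you export from ACS; a profile that raises here is one the router would not be able to use for that user.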

91 Enable AAA
Router(config)# aaa new-model
Enables the AAA functionality on the router (default = disabled).

92 Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2]
Defines the list of authentication methods that will be used. Methods: TACACS+, RADIUS, or both.
Example: Router(config)# aaa authentication login default group tacacs+

93 Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2]
Use the auth-proxy keyword to enable authorization for the authentication proxy with the AAA methods. Methods: TACACS+, RADIUS, or both.
Example: Router(config)# aaa authorization auth-proxy default group tacacs+

94 Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr
Specifies the TACACS+ server IP address.
Router(config)# tacacs-server key string
Specifies the TACACS+ server key.
Example:
Router(config)# tacacs-server host
Router(config)# tacacs-server key secretkey

95 Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr
Specifies the RADIUS server IP address.
Router(config)# radius-server key string
Specifies the RADIUS server key.
Example:
Router(config)# radius-server host
Router(config)# radius-server key secretkey

96 Allow AAA Traffic to the Router
Router(config)# access-list 111 permit tcp host eq tacacs host
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in
Create an ACL to permit TACACS+ traffic from the AAA server to the firewall: source address = the AAA server, destination address = the router interface on the side where the AAA server resides. You may also want to permit ICMP. Deny all other traffic. Apply the ACL inbound on the interface on the side where the AAA server resides.

97 Enable the Router HTTP or HTTPS Server for AAA
Router(config)# ip http server
Enables the HTTP server on the router. The proxy uses the HTTP server for communication with the client.
Router(config)# ip http authentication aaa
Sets the HTTP server authentication method to AAA.
Router(config)# ip http secure-server
Enables the HTTPS server on the router.
Example:
Router(config)# ip http server
Router(config)# ip http authentication aaa
Note that the same HTTP server also serves SDM, so restrict who may reach it (for example with an ip http access-class ACL, as the Security Audit recommends) rather than leaving it open on every interface.

98 Set Global Timers
Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
Authentication inactivity timer in minutes (default = 60 minutes); absolute timer in minutes (default = 0 minutes, disabled).
Example: Router(config)# ip auth-proxy inactivity-timer 120

99 Define and Apply Authentication Proxy Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
Creates an authentication proxy rule.
Router(config-if)# ip auth-proxy auth-proxy-name
Applies an authentication proxy rule to an interface. For outbound authentication, apply it to the inside interface; for inbound authentication, apply it to the outside interface.
Example:
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule

100 Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
Creates an authentication proxy rule with an ACL; only hosts permitted by the ACL are intercepted.
Example:
Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule

101 Clear the Authentication Proxy Cache
Router# clear ip auth-proxy cache {* | ip_addr}
Clears authentication proxy entries from the router, for all hosts (*) or for one host address.

102 Lab Exercise

103 Cisco IOS Firewall Intrusion Prevention System

104 Cisco IOS Firewall Intrusion Prevention System
Figure: an attack (1) is detected inline; the router can drop the packet (2), reset the connection (3), and send an alarm (4) to the network management console.

105 Features
Uses the underlying routing infrastructure
Ubiquitous protection of network assets
Inline deep packet inspection
IPS signature support
Customized signature support
Parallel signature scanning
Named and numbered extended ACL support

106 Response Options
Alarm: Sends alarms to the Cisco VMS, a syslog server, or the buffer, and forwards the packet.
Reset: Sends packets with the reset flag to both session participants if the session is TCP, and forwards the packet.
Drop: Immediately drops the packet.
If drop is combined with the other actions, the packet is dropped and the other action is still taken. For example, if drop is used with reset, the packet is dropped and a TCP reset is sent to both parties.

107 Configuration Tasks
Install Cisco IOS Firewall IPS on the router.
Specify the location of the Signature Definition File (SDF).
Create an IPS rule.
Attach a policy to a signature (optional).
Apply the IPS rule at an interface.
Configure logging via syslog or SDEE.
Verify the configuration.

108 Specify Location of SDF
Router(config)# ip ips sdf location url
(Optional) Specifies the location from which the router will load the SDF attack-drop.sdf. If this command is not issued, the router loads the default, built-in signatures.
Example: Router(config)# ip ips sdf location disk2:attack-drop.sdf

109 Create IPS Rule
Router(config)# ip ips name ips-name [list acl]
Creates an IPS rule.
Example: Router(config)# ip ips name MYIPS
Creates an IPS rule named MYIPS that will be applied to an interface.

110 Attach a Policy to a Given Signature (Optional)
Router(config)# ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}
Attaches a policy to a given signature.
Example: Router(config)# ip ips signature 1000 disable
Disables signature 1000 in the SDF.

111 Apply an IPS Rule at an Interface
Router(config-if)# ip ips ips-name {in | out}
Applies an IPS rule at an interface.
Example: Router(config-if)# ip ips MYIPS in

112 Monitoring Cisco IOS Firewall IPS Signatures
Figure: the IPS router sends alarms to a network management console over the SDEE protocol and alerts to a syslog server via syslog.

113 SDEE and Syslog
Cisco IOS software now supports the Security Device Event Exchange (SDEE) protocol. SDEE uses a pull mechanism: requests come from the network management application, and the IDS or IPS router responds. SDEE is intended to become the standard format for all vendors to communicate events to a network management application. The use of HTTP over SSL (HTTPS) ensures that the data is protected as it traverses the network. The Cisco IOS Firewall IPS router will still send IPS alerts via syslog.

114 Set Notification Type
Router(config)# ip ips notify [log | sdee]
Sets the notification type.
Examples:
Router(config)# ip ips notify sdee
Router(config)# ip ips notify log
Router(config)# ip sdee events num_of_events
Sets the maximum number of SDEE events that can be stored in the event buffer.

115 Upgrade to Latest SDF
Router(config)# ip ips name ips-name
Creates an IPS rule.
Router(config)# no ip ips sdf builtin
Instructs the router not to load the built-in signatures.
Router(config)# ip ips fail closed
Instructs the router to drop all packets until the signature engine is built and ready to scan traffic.

116 Upgrade to Latest SDF (Cont.)
Router(config-if)# ip ips ips-name {in | out} [list acl]
Applies an IPS rule at an interface. This command automatically loads the signatures and builds the signature engines.

117 show Commands
Router# show ip ips configuration
Verifies that Cisco IOS IPS is properly configured.
Router# show ip ips signatures [detailed]
Verifies the signature configuration, such as signatures that have been disabled.
Router# show ip ips interface
Displays the interface configuration.

118 Lab Exercise

119 Mitigating Layer 2 Attacks: Port Security, Security Levels, 802.1x

120 Identity-Based Network Services
Figure: unified control of user identity for the enterprise. Cisco Secure ACS with an OTP server and hard and soft tokens authenticates VPN clients and remote offices connecting across the Internet through a router and firewall to Cisco VPN Concentrators, Cisco IOS routers and Cisco PIX Firewalls.

121 Identity-Based Networking Services
Features and benefits:
Intelligent adaptability, offering greater flexibility and mobility to different classes of users
A combination of authentication, access control, and user policies to secure network connectivity and resources
User productivity gains and reduced operating costs

122 802.1x
Figure: the end user (client) speaks 802.1x to the Cisco Catalyst 2950 (switch); the switch speaks RADIUS to the authentication server.

123 Supported Topologies
802.1X port-based authentication is supported in two topologies:
Point-to-point
Wireless LAN

124 How 802.1x Works
Figure: end user (client) to Cisco Catalyst 2950 (switch) over 802.1x; switch to authentication server over RADIUS.
The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator (the switch) is aware of this activity, but it is just a middleman.

125 Configuring the CE500 for Layer 2 Security

126 CE 500 Graphical User Interface: Dashboard
Figure 3-1 Smartports Port Roles in a Catalyst Express Network

127 CE 500 Graphical User Interface: Port Roles
Smartports role descriptions (the role icons from the slide are not reproduced here):
- Apply this role to ports that will be connected to desktop devices, such as desktop PCs, workstations, notebook PCs, and other client-based hosts. Note: Do not apply this role to ports that will be connected to switches, routers, or access points.
- Apply this role to ports that will be connected to IP phones. A desktop device, such as a PC, can be connected to the IP phone; both the IP phone and the connected PC have access to the network and the Internet through the switch port. This role prioritizes voice traffic over data traffic to ensure clear voice reception on the IP phones.
- Apply this role to ports that will be connected to other switches.
- Apply this role to ports that will be connected to WAN devices that connect to the Internet, such as routers and Layer 3 switches with routing service capabilities, firewalls, or virtual private network concentrators.
- Apply this role to ports that will be connected to non-PoE and PoE-capable wireless access points. The access point can provide network access to up to 30 mobile (wireless) users.
- Apply this role to ports that will be connected to servers that provide network services, such as Exchange servers, collaborative servers, terminal servers, file servers, Dynamic Host Configuration Protocol (DHCP) servers, IP PBX servers, and so on. This role is for Gigabit or non-Gigabit ports, depending on the server type to be connected. This role prioritizes server traffic as trusted, critical, business, or standard, depending on the function of the server.
- Apply this role to ports that will be connected to a printer, such as a network printer. This role prevents printer traffic from affecting voice and critical data traffic.
- Apply this role to ports that will be connected to desktop devices and to access points to provide guest wireless access. This role provides guests and visitors temporary access to the Internet but prevents them from accessing your internal network.
- Apply this role to ports if you do not want to apply a specialized Smartports role on the port. This role can be used on connections to guest or visitor devices, printers, desktops, servers, and IP phones. Note: Do not apply this role to ports that will be connected to sniffer or intrusion detection system devices.

128 CE 500 GUI: Smart Ports Configuration

129 Cisco Network Assistant CNA: CE 500 Port Security Configuration - LOW

130 CNA: CE 500 Port Security MEDIUM

131 CNA: CE 500 Port Security HIGH

132 Lab Exercise

133 Summary (1) Cisco offers a complete set of security features with its products in order to protect the information assets of its customers. Cisco Secure ACS for Windows Server is a feature-rich application used to work with a wide variety of AAA clients and databases. Authentication is done using TACACS+ or RADIUS configured on various network devices such as NASs, Cisco PIX Firewalls, Cisco VPN Concentrators, routers, and now switches for Layer 2 security. A web interface is required for initial configuration and makes administration user-friendly. Tools include reports for troubleshooting access problems and debug commands for troubleshooting TACACS+ and RADIUS.

134 Summary (2) CBAC uses dynamically created ACLs to control access to the network. It provides protection from DoS, RPC, Java, SMTP, and many other types of attacks based on application-layer protocol session information. The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis as users log on to the network or the Internet using HTTP, HTTPS, FTP, or Telnet. This feature uses the auth-proxy service provided by ACS along with ACLs that define the traffic requiring authentication and authorization. The Cisco IOS Firewall IPS acts as an inline intrusion detection sensor, sending alarms, dropping packets, or resetting the connection in response to events triggered by the IPS. More than 700 signatures are available with the latest release. Syslog or SDEE are used to monitor and send alerts.

135 Summary (3) Besides Port Security, Cisco IBNS combines several Cisco products to offer authentication, access control, and user policies that enhance network security. It is based on 802.1x and RADIUS implementations. When 802.1x is enabled, ports are authenticated before any other Layer 2 features are enabled. A RADIUS server is used to authenticate users. RADIUS keys must match on client and server. The three factors that affect mitigation strategy techniques are the number of security zones, the number of user groups, and the number of switch devices. Recommendations include secure switch management using SSH, SNMPv3, regular audits, and penetration testing. Cisco SDM allows you to customize Cisco access router configuration using advanced features and wizards.

