Presentation is loading. Please wait.

Presentation is loading. Please wait.

Objectives Upon completion of this module, you will be able to perform the following tasks: Describe the features and functionality of the Cisco Low End.

Similar presentations


Presentation on theme: "Objectives Upon completion of this module, you will be able to perform the following tasks: Describe the features and functionality of the Cisco Low End."— Presentation transcript:

1

2 Objectives Upon completion of this module, you will be able to perform the following tasks: Describe the features and functionality of the Cisco Low End Routers and how they meet the customer requirements. Describe the features and functionality of the Cisco Low End Switches and how they meet the customer requirements. Configure the security features for the Cisco 1841 Router and Cisco Express 500 Switch in order to help SMB to protect its sensitive data and applications. Discuss the best practices related to security using Cisco Routers and Switches and how Cisco Resellers stands a value proposition for the security of its customers businesses. Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

3 Cisco Network Security
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

4 Network Security Definition
Steps that are taken to protect network resources and services from unauthorized actions that include: Destruction of data Information theft Network disruption Security breaches result in: Recovery costs Legal liability Lost revenue Reduced customer satisfaction

5 The Security Wheel Security is a strategy, not a product.
No single device or solution can protect a network against a changing variety of threats. Security is a process: Developing a policy Securing the network Monitoring for and responding to threats Testing for vulnerabilities Making improvements as needed

6 Cisco Secure Access Control Server for Windows Server
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

7 Cisco Secure ACS for Windows Server: General Features
PAP CHAP MS-CHAP TACACS+ RADIUS Cisco Secure ACS for Windows Server NAS Uses TACACS+ or RADIUS between Cisco Secure ACS and NAS Allows authentication against Windows 2000 user database, Cisco Secure ACS user database, token server, or other external databases Supports PAP, CHAP, and MS-CHAP authentication on the NAS

8 Cisco Secure ACS for Windows Server: ACS User Database
NAS 1 NAS 2 NAS 3 Cisco Secure ACS User Database

9 Cisco Secure ACS for Windows Server: External User Databases
NAS 1 NAS 2 NAS 3 ACS User Database External User Database

10 Administering Cisco Secure ACS for Windows Server

11 TACACS+ Security Server
TACACS+ Overview TACACS+ Security Server Remote User NAS PSTN/ISDN Corporate Network TACACS+ Client TCP Supports AAA Encrypts entire body LAN and WAN security RCMD, PPP, ARA, and NASI Supports PAP, CHAP, and MS-CHAP Router command authorization Blocks specific ports

12 Globally Enable AAA Cisco Secure ACS for Windows Server NAS
NAS router(config)# aaa new-model router(config)# aaa new-model

13 tacacs-server Commands
router(config)# tacacs-server key keystring You can either use the two commands shown here to share the key with all servers or use this command for a single server (see note in text) router(config)# tacacs-server key router(config)# tacacs-server host ipaddress router(config)# tacacs-server host router(config)# tacacs-server host ipaddress key keystring router(config)# tacacs-server host key

14 AAA Configuration Commands
router(config)# aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]] router(config)# aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance} router(config)# aaa accounting {system | network | exec | connection | commands level}{default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]

15 NAS AAA Configuration Example for TACACS+
aaa new-model aaa authentication login default group tacacs+ enable aaa authentication ppp default group tacacs+ aaa authorization exec tacacs+ aaa authorization network tacacs+ aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+ enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3. enable password ! username admin password 7 094E4F0A D19 interface Serial2 ppp authentication pap tacacs-server host tacacs-server key ciscosecure line con 0 login authentication no_tacacs Purpose: Show a capture taken from the network access server configuration of the lab. This shows the default configuration specified in the CiscoSecure ACS for Windows NT installation shield. Emphasize: By configuring the aaa authentication login default tacacs+ enable command, you are specifying that if your TACACS+ server fails to respond (e.g., because it was set up incorrectly), you can log in to the access server by using your enable password. If you do not have an enable password set on the router, you will not be able to log in to the router until you have a functioning TACACS+ daemon configured with usernames and passwords. The enable password in this case is a last-resort authentication method. You also can specify none as the last-resort method, which means that no authentication is required if all other methods failed. The first authorization steps in configuring the network access server are to enable TACACS+, specify the list of CiscoSecure servers that will provide AAA services for the network access server, and configure the encryption key that is used to encrypt the data transfer between the network access server and the CiscoSecure server. Last are the AAA accounting configuration statements. Transition: After configuring the AAA service with a TACACS+ method, you can verify its function with a debug command.

16 RADIUS Background RADIUS was developed by Livingston Enterprises, now part of Lucent Technologies. It contains a: Protocol with a frame format that uses UDP Server Client

17 RADIUS Server Command radius-server key keystring
router(config)# radius-server key keystring You can either use the two commands shown here to share the key with all servers or you can use this command for a single server. router(config)# radius-server key router(config)# radius-server host {host-name | ipaddress} router(config)# radius-server host router(config)# radius-server host ipaddress key keystring router(config)# radius-server host key

18 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—1-18

19 Managing IP Traffic with ACLs
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

20 Why Use ACLs? Manage IP traffic as network access grows
Layer 2 of 2 Emphasize: An access list is a mechanism for identifying particular traffic. One application of an access list is for filtering traffic into or out of a router interface. Manage IP traffic as network access grows Filter packets as they pass through the router

21 Types of ACLs Standard ACL Checks source address
Generally permits or denies entire protocol suite Extended ACL Checks source and destination address Generally permits or denies specific protocols Layer 3 of 3 Purpose: Describe an inbound versus outbound access list on an interface.

22 How to Identify ACLs Standard IP lists (1-99) test conditions of all IP packets from source addresses. Extended IP lists ( ) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Standard IP lists ( ) (expanded range). Extended IP lists ( ) (expanded range). Other ACL number ranges test conditions for other networking protocols. Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).   Layer 3 of 3 Emphasize: Layer 3—Adds the Novell IPX access lists covered in Chapter 11, “Configuring Novell IPX,” and the number ranges for these types of access lists. As of Release (F), IPX also supports named access lists. Point out that number ranges generally allow 100 different access lists per type of protocol. When a given hundred-number range designates a standard access list, the rule is that the next hundred-number range is for extended access lists for that protocol. Exceptions to the numbering classification scheme include AppleTalk and DECnet, where the same number range can identify various access list types. For the most part, number ranges do not overlap between different protocols. Note: With Cisco IOS 12.0, the IP access-lists range has been expanded to also include: < > IP standard access list (expanded range) < > IP extended access list (expanded range)

23 A List of Tests: Deny or Permit
Layer 4 of 4 Purpose: Shows the implicit “deny all.” Emphasize: Describe the final access list test to match any packets not covered by earlier access list statements. All remaining packets match the “Implicit Deny” and are discarded into the bit bucket.

24 Wildcard Bits: How to Check the Corresponding Address Bits
Purpose: This graphic describes the binary wildcard masking process. Emphasize: Introduce the wildcard bit process. Tell students that the wildcard bit matching process is different than the IP subnet addressing mask covered earlier. Illustrate how wildcard masking works using the examples shown in the graphic table. The term wildcard masking is a nickname for this access list mask-bit-matching process. This nickname comes from an analogy of a wildcard that matches any other card in a poker game. Emphasize the contrast between wildcard masks and subnet masks, stated in the Student Guide note. The confusion over wildcard and subnet masks can be a key obstacle to learning if students fail to understand the different uses of binary 0 and binary 1 in the two mask types. Point out that the 1 bits in a wildcard mask need not be contiguous, while the 1 bits in a subnet mask need to be contiguous. Wildcard is like the DOS “*” character. 0 means check value of corresponding address bit. 1 means ignore value of corresponding address bit.

25 Wildcard Bits to Match a Specific IP Host Address
Check all of the address bits (match all). Verify an IP host address, for example: Purpose: This graphic shows students how to use the host abbreviation in the extended access list wildcard mask. Emphasize: This abbreviation means check the bit value in all bit positions, which has the effect of matching only the specified IP host address in all bit positions. checks all of the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host ).

26 Wildcard Bits to Match Any IP Address
Test conditions: Ignore all the address bits (match any). An IP host address, for example: Purpose: This graphic shows students how to use the wildcard any abbreviation. Emphasize: This abbreviation means ignore any bit value in all bit positions, which has the effect of matching anything in all bit positions. Accept any address: any Abbreviate expression with keyword “any”

27 ACL Configuration Guidelines
ACL numbers indicate which protocol is filtered. One ACL per interface, per protocol, per direction is allowed. The order of ACL statements controls testing. The most restrictive statements go at the top of the list. The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement. ACLs must be created before applying them to interfaces. ACLs filter traffic going through the router. ACLs do not filter traffic originating from the router.

28 ACL Command Overview Step 1: Set parameters for this ACL test statement (which can be one of several statements). Router(config)# access-list access-list-number {permit | deny} {test conditions} Step 2: Enable an interface to use the specified ACL. Layer 2 of 2 Emphasize: Layer 2—Adds the general form of the interface command. This links the previously specified interface to a group that will handle its packet for the protocol in the manner specified by the global access list statements. It can help student understanding to learn a generalized command as a simplified template, common to most access list processes. However, the details for specific access lists vary widely. As you present the global access list command material that follows in this chapter, return to the template term “test conditions” if it helps your students associate variations to the general elements of this model. Emphasize that “test conditions” is an abstraction for this course. Use this abstraction as a generalization to assist teaching and learning. The words “test conditions” are not a Cisco IOS argument or parameter. Cisco IOS software also offers many variations for the second interface command. As you present these variations, refer your students to the template term “access group” and emphasize how each variation performs a link of the access list test conditions met and the interfaces that packets can use as a result. Router(config-if)# {protocol} access-group access-list-number {in | out} Standard IP lists (1-99) Extended IP lists ( ) Standard IP lists ( ) (expanded range) Extended IP lists ( ) (expanded range)

29 Standard IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny | remark} source [mask] Sets parameters for this list entry IP standard ACLs use 1 to 99 Default wildcard mask = no access-list access-list-number removes entire ACL remark lets you add a description for the ACL Router(config-if)# ip access-group access-list-number {in | out} Layer 2 of 2 Purpose: This layer shows the ip access-group command. Emphasize: The ip access-group command links an access list to an interface. Only one access list per interface, per direction, per protocol is allowed. The ip access-group field descriptions are as follows: list—Number of the access list to be linked to this interface. direction—Default is outbound. Note: Create the access list first before applying it to the interface. If it is applied to the interface before it is created, the action will be to permit all traffic. However, as soon as you create the first statement in the access list, the access list will be active on the interface. Since there is the implicit deny all at the end of every access list, the access list may cause most traffic to be blocked on the interface. To remove an access list, remove it from all the interfaces first, then remove the access list. In older versions of Cisco IOS, removing the access list without removing it from the interface can cause problems. Activates the list on an interface Sets inbound or outbound testing Default = outbound no ip access-group access-list-number removes ACL from the interface

30 Standard IP ACL Example 1
Layer 2 of 2 Emphasize: Because of the implicit deny all, all non x.x traffic is blocked going out E0 and E1. Note: The red arrows represent the access list is applied as an outbound access list. Permit my network only.

31 Standard IP ACL Example 2
Layer 3 of 3 Emphasize: Only host is blocked from going out on E0 to subnet Ask the students what will happen if the access list is placed as an input access list on E1 instead. Host will be blocked from going out to the non cloud, as well as to subnet Note: The red arrows represent the access list is applied as an outbound access list. Deny a specific host.

32 Standard IP ACL Example 3
Layer 2 of 2 Emphasize: All hosts on subnet are blocked from going out on E0 to subnet Note: The red arrows represent the access list is applied as an outbound access list. Deny a specific subnet.

33 Extended IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log] Sets parameters for this list entry Layer 2 of 2 Purpose: Layer 2—Adds the access-group command for IP. Emphasize: The list number must match the number (100 to 199) you specified in the access-list command. Router(config-if)# ip access-group access-list-number {in | out} Activates the extended list on an interface

34 Extended ACL Example 1 Layer 3 of 3 Deny FTP from subnet to subnet out E0. Permit all other traffic.

35 Extended ACL Example 2 Deny only Telnet from subnet 172.16.4.0 out E0.
Layer 3 of 3 Deny only Telnet from subnet out E0. Permit all other traffic.

36 How to Control vty Access
Emphasize: To filter incoming and outgoing Telnet sessions to and from the router’s vty ports, the standard access list is used. If this is to block incoming Telnet sessions into a router’s vty port, the standard access list is used to match the source address of the host trying to Telnet into the router’s vty port. If this is to block outgoing Telnet sessions from the router’s vty ports to a host, the standard access list is used to match the destination address of the host the router is trying to Telnet into from its vty ports. Set up an IP address filter with a standard ACL statement. Use line configuration mode to filter access with the access-class command. Set identical restrictions on every vty.

37 vty Commands Enters configuration mode for a vty or vty range
Router(config)# line vty {vty# | vty-range} Enters configuration mode for a vty or vty range Router(config-line)# access-class access-list-number {in | out} Emphasize: Use the access-class command to apply the standard access list to the vty port. The next slide shows a configuration example. Restricts incoming or outgoing vty connections for addresses in the ACL

38 Controlling Inbound Access
vty Access Example Controlling Inbound Access access-list 12 permit (implicit deny any) ! line vty 0 4 access-class 12 in Purpose: This example shows how to restrict incoming Telnet sessions to the router’s vty ports. Emphasize: The access class is applied as an input filter. Note: Ask the student about the effect of changing the direction of the access class to outbound instead of inbound. Now the router can accept incoming Telnet sessions to its vty ports from all hosts, but will block outgoing Telnet sessions from its vty ports to all hosts except hosts in network Once a user is Telneted into a router’s vty port, the outbound access-class filter will prevent the user from Telneting to other hosts as specified by the standard access list. Remember, when an access list is applied to an interface, it only blocks or permits traffic going through the router, it does not block or permit traffic initiated from the router itself. Permits only hosts in network to connect to the router vty

39 ACL Configuration Guidelines
The order of ACL statements is crucial. Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router. Top-down processing is important. Place the more specific test statements first. Statements cannot be rearranged or removed. Use the no access-list number command to remove the entire ACL. Exception: Named ACLs permit removal of individual statements. Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.

40 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—1-40

41 Cisco IOS Firewall Context-Based Access Control
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

42 The Cisco IOS Firewall Feature Set
The Cisco IOS Firewall contains the following three main features: Context-based Access Control (CBAC) Authentication proxy Intrusion Prevention System

43 Cisco IOS Firewall CBAC
TCP Internet UDP Packets are inspected entering the firewall by CBAC if they are not specifically denied by an ACL. CBAC permits or denies specified TCP and UDP traffic through a firewall. A state table is maintained with session information. ACLs are dynamically created or deleted. CBAC protects against DoS attacks.

44 Cisco IOS Firewall Authentication Proxy
HTTP, HTTPS, FTP, and Telnet authentication Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

45 Cisco IOS Firewall Intrusion Prevention System
TCP Internet UDP Acts as an inline Cisco IOS intrusion prevention sensor. When a packet or packets match a signature, it can perform any of the following configurable actions: Alarm: Send an alarm to a Security Device Manager or syslog server. Drop: Drop the packet. Reset: Send TCP resets to terminate the session. Identifies 700+ common attacks.

46 How CBAC Works 2 CBAC creates a dynamic ACL allowing return traffic back through the firewall. 1 Control traffic is inspected by the CBAC rule. access-list 102 permit TCP host eq 23 host eq 2447 ip inspect name FWRULE tcp Port 2447 Port 23 3 CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and protects against application- specific attacks. 4 CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.

47 Supported Protocols TCP (single channel) UDP (single channel) RPC FTP
TFTP UNIX R-commands (such as rlogin, rexec, and rsh) SMTP HTTP (Java blocking) ICMP Java SQL*Net RTSP (such as Real Networks) H.323 (such as NetMeeting, ProShare, CUseeMe) Other multimedia Microsoft NetShow StreamWorks VDOLive SIP

48 Alerts and Audit Trails
CBAC generates real-time alerts and audit trails. Audit trail features use syslog to track all network transactions. With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

49 CBAC Configuration Pick an interface: internal or external.
Configure IP ACLs at the interface. Set audit trails and alerts. Set global timeouts and thresholds. Define PAM. Define inspection rules. Apply inspection rules and ACLs to interfaces. Test and verify.

50 Enable Audit Trails and Alerts
Router(config)# ip inspect audit-trail Enables the delivery of audit trail messages using syslog Router(config)# no ip inspect alert-off Enables real-time alerts Router(config)# logging on Router(config)# logging Router(config)# ip inspect audit-trail Router(config)# no ip inspect alert-off

51 TCP SYN and FIN Wait Times
Router(config)# ip inspect tcp synwait-time seconds Specifies the time that the Cisco IOS Firewall waits for a TCP session to reach the established state Router(config)# ip inspect tcp finwait-time seconds Specifies the time that the Cisco IOS Firewall waits for a FIN exchange to complete before quitting the session

52 TCP, UDP, and DNS Idle Times
Router(config)# ip inspect tcp idle-time seconds ip inspect udp idle-time seconds Specifies the time allowed for a TCP or UDP session with no activity Router(config)# ip inspect dns-timeout seconds Specifies the time allowed for a DNS session with no activity

53 Global Half-Opened Connection Limits
Router(config)# ip inspect max-incomplete high number Defines the number of existing half-opened sessions that cause the software to start deleting half-opened sessions (aggressive mode) Router(config)# ip inspect max-incomplete low number Defines the number of existing half-opened sessions that cause the software to stop deleting half-opened sessions

54 Global Half-Opened Connection Limits (Cont.)
Router(config)# ip inspect one-minute high number Defines the number of new half-opened sessions per minute at which they start being deleted Router(config)# ip inspect one-minute low number Defines the number of new half-opened sessions per minute at which they stop being deleted

55 Inspection Rules for Application Protocols
Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds] Defines the application protocols to inspect Will be applied to an interface Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive alert, audit-trail, and timeout configurable per protocol and override global settings Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300 Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

56 Apply an Inspection Rule to an Interface
Router (config-if)# ip inspect inspection-name {in | out} Applies the named inspection rule to an interface Router(config)# interface e0/0 Router(config-if)# ip inspect FWRULE in Applies the inspection rule to interface e0/0 in inward direction

57 General Rules for Applying Inspection Rules and ACLs
Interface where traffic initiates Apply ACL on the inward direction that permits only wanted traffic Apply rule on the inward direction that inspects wanted traffic All other interfaces Apply ACL on the inward direction that denies all unwanted traffic

58 Example: Two-Interface Firewall
Outbound Allow all general TCP and UDP traffic Allow all ICMP traffic Deny everything else Inside Outside Internet e0/0 e0/1 Inbound Allow all ICMP and HTTP traffic only to Deny everything else

59 Outbound Traffic Inside Outside e0/0 e0/1
Router(config)# ip inspect name OUTBOUND tcp Router(config)# ip inspect name OUTBOUND udp Router(config)# ip inspect name OUTBOUND icmp Configures CBAC to inspect TCP, UDP, and ICMP traffic Router(config)# access-list 101 permit ip any Router(config)# access-list 101 deny ip any any Permits inside-initiated traffic from the network Router(config)# interface e0/0 Router(config-if)# ip inspect OUTBOUND in Router(config-if)# ip access-group 101 in Applies an ACL and inspection rule to the inside interface in an inward direction

60 Inbound Traffic Inside Outside e0/0 e0/1
Router(config)# access-list 102 permit icmp any host Router(config)# access-list 102 permit tcp any host eq www Router(config)# access-list 102 deny ip any any Permits outside-initiated ICMP and HTTP traffic to host Router(config)# interface e0/1 Router(config-if)# ip access-group 102 in Applies an ACL to outside interface in inward direction

61 show Commands show ip inspect name inspection-name
Router# show ip inspect name inspection-name show ip inspect config show ip inspect interfaces show ip inspect session [detail] show ip inspect all Displays CBAC configurations, interface configurations, and sessions Router# sh ip inspect session Established Sessions Session C ( :35009)=>( :34233) tcp SIS_OPEN Session 6156F0CC ( :35011)=>( :34234) tcp SIS_OPEN Session 6156AF74 ( :35010)=>( :5002) tcp SIS_OPEN

62 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—2-62

63 Cisco IOS Firewall Authentication Proxy
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

64 What Is the Authentication Proxy?
HTTP, HTTPS, FTP, and Telnet authentication. Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols. Once authenticated, all types of application traffic can be authorized. Works on any interface type for inbound or outbound traffic. New service called "auth-proxy" is added in AAA server: for clean implementation of user authorization configuration Separate authorization section for auth-proxy needs to be defined to specify downloadable user profile New attribute "proxyacl#<n>" is added for access-lists: for auth-proxy specific profile configuration

65 Using the Authentication Proxy
AAA Server Web Server Client Host Internet FTP Server Telnet Server Client Host

66 Authentication Proxy Configuration
For inbound proxy authentication—Add an ACL to block inward traffic from the outside. For outbound proxy authentication—Add an ACL to block inward traffic from the inside, except from the AAA server. Web, FTP, or Telnet Server User Outside Inside User AAA Server For inbound proxy authentication—Enable the authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the outside. For outbound proxy authentication—Enable the authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the inside.

67 Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.

68 Create a User Authorization Profile in the Cisco Secure ACS
Check auth-proxy. Check Custom attributes. Enter ACLs to apply after the user authenticates. proxyacl#1=permit tcp any any priv-lvl=15 Enter the privilege level of the user; it must be 15 for all users.

69 User Authorization Profiles
proxyacl#n=permit protocol any {any | host ip_addr | ip_addr wildcard_mask} [eq auth_service] Defines the allowable protocols, services, and destination addresses. The source address is always any and is replaced in the router with the IP address of host making the request. priv-lvl=15 Privilege level must be set to 15 for all users proxyacl#1=permit tcp any any eq 443 (HTTPS) proxyacl#2=permit icmp any host proxyacl#3=permit tcp any any eq ftp proxyacl#4=permit tcp any any eq smtp proxyacl#5=permit tcp any any eq telnet priv-lvl=15

70 Enable AAA aaa new-model Router(config)#
Enables the AAA functionality on the router (default = disabled)

71 Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2] Defines the list of authentication methods that will be used Methods: TACACS+, RADIUS, or both Router(config)# aaa authentication login default group tacacs+

72 Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2] Use the auth-proxy keyword to enable authorization proxy for AAA methods Methods: TACACS+, RADIUS, or both Router(config)# aaa authorization auth-proxy default group tacacs+

73 Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr Specifies the TACACS+ server IP address Router(config)# tacacs-server key string Router(config)# tacacs-server host Router(config)# tacacs-server key secretkey Specifies the TACACS+ server key

74 Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr Specifies the RADIUS server IP address Router(config)# radius-server key string Router(config)# radius-server host Router(config)# radius-server key secretkey Specifies the RADIUS server key

75 Allow AAA Traffic to the Router
Router(config)# access-list 111 permit tcp host eq tacacs host Router(config)# access-list 111 permit icmp any any Router(config)# access-list 111 deny ip any any Router(config)# interface ethernet0/0 Router(config-if)# ip access-group 111 in Create an ACL to permit TACACS+ traffic from the AAA server to the firewall Source address = AAA server Destination address = interface where the AAA server resides May want to permit ICMP Deny all other traffic Apply the ACL to the interface on the side where the AAA server resides

76 Enable the Router HTTP or HTTPS Server for AAA
Router(config)# ip http server Enables the HTTP server on the router Router(config)# ip http authentication aaa Sets the HTTP server authentication method to AAA Proxy uses HTTP server for communication with a client Router(config)# ip http secure-server Enables the HTTPS server on the router Router(config)# ip http server Router(config)# ip http authentication aaa

77 Set Global Timers Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min} Authentication inactivity timer in minutes (default = 60 minutes) Absolute activity timer in minutes (default = 0 minutes) Router(config)# ip auth-proxy inactivity-timer 120

78 Define and Apply Authentication Proxy Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min][list {acl | acl-name}] Creates an authorization proxy rule Router(config-if)# ip auth-proxy auth-proxy-name Applies an authorization proxy rule to an interface For outbound authentication, apply to inside interface For inbound authentication, apply to outside interface Router(config)# ip auth-proxy name aprule http Router(config)# interface ethernet0 Router(config-if)# ip auth-proxy aprule

79 Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name} Creates an authorization proxy rule with an ACL Router(config)# ip auth-proxy name aprule http list 10 Router(config)# access-list 10 permit Router(config)# interface ethernet0 Router(config-if)# ip auth-proxy aprule

80 Clear the Authentication Proxy Cache
Router# clear ip auth-proxy cache {* | ip_addr} Clears authentication proxy entries from the router

81 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—2-81

82 Cisco IOS Firewall Intrusion Prevention System
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

83 Cisco IOS Firewall Intrusion Prevention System
Network Management Console 4 Alarm 2 1 Attack Drop Packet 3 Reset Connection

84 Features Uses the underlying routing infrastructure
Ubiquitous protection of network assets Inline deep packet inspection IPS signature support Customized signature support Parallel signature scanning Named and numbered extended ACL support

85 Response Options Alarm
Sends alarms to the Cisco VMS, syslog server, or buffer Forwards the packet Reset: Sends packets with a reset flag to both session participants if TCP forwards the packet Drop: Immediately drops the packet If drop is used with the other actions, packet will be dropped with the respective action. For example if drop is used with reset, the packet will be dropped and TCP reset flag sent to both parties.

86 Configuration Tasks Install Cisco IOS Firewall IPS on the router.
Specify location of Signature Definition File (SDF) Create an IPS rule Attach a policy to a signature (optional) Apply IPS rule at an interface Configure logging via syslog or SDEE. Verify the configuration.

87 Specify Location of SDF
Router (config)# ip ips sdf location url (Optional) Specifies the location in which the router will load the SDF attack-drop.sdf. If this command is not issued, the router will load the default, built-in signatures. Router(config)# ip ips sdf location disk2:attack-drop.sdf

88 Create IPS Rule Creates an IPS rule Router(config)# ip ips name MYIPS
ip ips name ips-name [list acl] Creates an IPS rule Router(config)# ip ips name MYIPS Creates an IPS rule named MYIPS that will be applied to an interface

89 Attach a Policy to a Given Signature (Optional)
Router (config)# ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list} Attaches a policy to a given signature Router(config)# ip ips signature 1000 disable Disables signature 1000 in the SDF

90 Apply an IPS Rule at an Interface
Router (config-if)# ip ips ips-name {in | out} Applies an IPS rule at an interface Router(config-if)# ip ips MYIPS in

91 Monitoring Cisco IOS Firewall IPS Signatures
Network Management Console Alarm SDEE Protocol Alert Syslog Syslog Server

92 SDEE and Syslog Cisco IOS software now supports the Security Device Event Exchange (SDEE) protocol. SDEE uses a pull mechanism: Requests come from the network management application, and the IDS or IPS router responds. SDEE will become the standard format for all vendors to communicate events to a network management application. The use of HTTP over SSL or HTTPS ensures that data is secured as it traverses the network. The Cisco IOS Firewall IPS router will still send IPS alerts via syslog.

93 Set Notification Type Router(config)# ip ips notify sdee
ip ips notify [log | sdee] Sets notification type Router(config)# ip ips notify sdee Router(config)# ip ips notify log Router (config)# ip sdee events num_of_events Sets the maximum number of SDEE events that can be stored in the event buffer

94 Upgrade to Latest SDF Creates an IPS rule
Router (config)# ip ips name ips-name Creates an IPS rule Router (config)# no ip ips sdf builtin Instructs the router not to load the built-in signatures Router (config)# ip ips fail closed Instructs the router to drop all packets until the signature engine is built and ready to scan traffic

95 Upgrade to Latest SDF (Cont.)
Router (config-if)# ip ips ips-name {in | out} [list acl] Applies an IPS rule at an interface. This command automatically loads the signatures and builds the signature engines.

96 show Commands Verifies that Cisco IOS IPS is properly configured
Router# show ip ips configuration Verifies that Cisco IOS IPS is properly configured Router# show ip ips signatures [detailed] Verifies signature configuration, such as signatures that have been disabled Router# show ip ips interface Displays the interface configuration

97 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—-2-97

98 Mitigating Layer 2 Attacks: Port Security, Security Levels, 802.1x
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

99 Identity-Based Network Services
Unified Control of User Identity for the Enterprise Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls Hard and Soft Tokens Cisco Secure ACS OTP Server VPN Clients Internet Router Firewall Remote Offices

100 Identity-Based Networking Services
Features and benefits: Intelligent adaptability for offering greater flexibility and mobility to stratified users A combination of authentication, access control, and user policies to secure network connectivity and resources User productivity gains and reduced operating costs

101 802.1x Authentication Server Cisco Catalyst 2950 (RADIUS) End User
(Switch) End User (Client)

102 Supported Topologies The 802.1X port-based authentication is supported in two topologies: Point-to-point Wireless LAN

103 How 802.1x Works Authentication Server (RADIUS) End User (Client)
Cisco Catalyst 2950 (Switch) 802.1x RADIUS Actual authentication conversation occurs between the client and authentication server using EAP. The authenticator is aware of this activity, but it is just a middleman.

104 Configuring CE500 for 2 Layer Security
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

105 CE 500 Graphical User Interface: Dashboard
Figure 3-1 Smartports Port Roles in a Catalyst Express Network

106 CE 500 Graphical User Interface: Port Roles
Description                                 Apply this role to ports that will be connected to desktop devices, such as desktop PCs, workstations, notebook PCs, and other client-based hosts. Note Do not apply this role to ports that will be connected to switches, routers, or access points.                                           Apply this role to ports that will be connected to IP phones. A desktop device, such as a PC, can be connected to the IP phone. Both the IP phone and connected PC would have access to the network and the Internet through the switch port. This role prioritizes voice traffic over data traffic to ensure clear voice reception on the IP phones.                       Apply this role to ports that will be connected to other switches.                      Apply this role to ports that will be connected to WAN devices that connect to the Internet, such as routers and Layer 3 switches with routing service capabilities, firewalls, or virtual private network concentrators. Apply this role to ports that will be connected to non-PoE and PoE-capable wireless access points. The access point can provide network access to up to 30 mobile (wireless) users. Apply this role to ports that will be connected to servers that provide network services, such as exchange servers, collaborative servers, terminal servers, file servers, Dynamic Host Configuration Protocol (DHCP) servers, IP PBX server, and so on. This role is for Gigabit or non-Gigabit ports, depending on the server type to be connected. This role prioritizes server traffic as trusted, critical, business, or standard, depending on the function of the server. Apply this role to ports that will be connected to a printer, such as a network printer. This role prevents printer traffic from affecting voice and critical data traffic.                     Apply this role to ports that will be connected to desktop devices and to access points to provide guest wireless access. This role provides guests and visitors temporary access to the Internet but prevents them from accessing your internal network.                    Apply this role to ports if you do not want to apply a specialized Smartports role on the port. This role can be used on connections to guest or visitor devices, printers, desktops, servers, and IP phones. Note Do not apply this role to ports that will be connected to sniffer or intrusion detection system devices. Figure 3-1 Smartports Port Roles in a Catalyst Express Network

107 CE 500 GUI: Smart Ports Configuration

108 Cisco Network Assistant CNA: CE 500 Port Security Configuration - LOW

109 CNA: CE 500 Port Security MEDIUM

110 CNA: CE 500 Port Security HIGH

111 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—3-111

112 Using Cisco Router and Security Device Manager
Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

113 What Is Cisco SDM? Embedded web-based management tool
Provides intelligent wizards to enable quicker and easier deployments and does not require knowledge of Cisco IOS CLI or security expertise Tools for more advanced users ACL editor VPN crypto map editor Cisco IOS CLI preview What is Security Device Manager (SDM)? SDM is an easy-to-use Internet browser-based device management tool that is embedded within the Cisco IOS 800 – 3700 Series access routers at no cost. It simplifies router and security configuration through the use of intelligent wizards to enable customers and partners to quickly and easily deploy, configure and monitor a Cisco access router. SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design, but has little or no experience with IOS command-line interface (CLI) or may not be a security expert. SDM is also great for Advanced users too. It has a number of time saving tools. Examples include ACL editor, VPN crypto map editor, IOS CLI preview, and many more.

114 Cisco SDM Files The sdm-v10.zip file contains the following files:
sdm.tar home.html home.shtml home.tar ips.tar attack-drop.sdf sdmconfig-xxxx.cfg file: Enables HTTP server Enables SSH/Telnet Provides a default credential—username and password Default configuration file specific to router series: For example: sdmconfig-18xx.cfg

115 Installing Cisco SDM Task 1: Download the Cisco SDM files and a Cisco IOS image to a TFTP server. Task 2: Configure your router to support Cisco SDM. Task 3: Copy the Cisco SDM Files to the Router. Task 4: Start Cisco SDM. Requires a minimum 5.3 MB extra (available) router flash memory. When you install SDM on an existing router, use the “Downloading and Installing Cisco Security Device Manager (SDM) Version 1.0” document. It has important information that you need to know and procedures to follow. First follow the procedure for your specific router to download the SDM Files. There are two procedures. There’s the Cisco 1700, 2600, 3600, or 3700 Series Router procedure. For a Cisco 831, 836, or 837 Router, use that specific procedure. This one is different because they have Cisco Router Web Setup Tool (CRWS) as the default device manager on these routers Refer to the “Switching Between Cisco Security Device Manager (SDM) and Cisco Router Web Setup Tool (CRWS) on Cisco 83x Series Routers” document. Once you download the SDM files, there are two processes to replace the router configuration in flash. There’s one to “Modify Your Existing Configuration File”. Use this one if you want to retain your existing configuration. Or you can use a “Default Configuration File” procedure. Use this one if you don’t have the router already configured and want to start from a fresh default configuration file. SDM requires approximately 2.3 MB of free Flash memory.

116 Router Administration Using Cisco SDM
Cisco SDM is used for configuring, managing, and monitoring a single Cisco access router. Cisco SDM allows the ability for multiple concurrent users to be logged in. It is not recommended that multiple users use Cisco SDM to modify the configuration at the same time. You can use Cisco SDM or CLI commands or both: Use CLI commands for features not supported by SDM. Use Cisco SDM to configure security policies on unsupported interfaces. SDM is a tool for configuring, managing and monitoring a single Cisco access router. Each Cisco Access Router is accessible by its own copy of SDM which is located in the routers flash memory. A common scenario that can be supported by SDM is to have a user monitoring the router while at the same time another user may use SDM to modify the configuration of the router. It is NOT recommended that multiple users use SDM to modify the configuration at the same time. Although SDM will permit this scenario, it does not assure consistent or predictable results. Users now have the flexibility to configure the router with both SDM and the CLI. Since the SDM user interface does not support all of the IOS functionality, for example QOS, you can augment the SDM generated configuration with some CLI commands. For unsupported interfaces, such as ISDN interfaces, SDM automatically detects if the interfaces support security features, like firewalls, crypto maps, and NAT. If the security features are supported, users can use SDM to configure the security features to the unsupported interfaces. However the user will still need to configure the unsupported interface parameters directly through CLI.

117 Accessing Cisco SDM for the First Time
Accessing Cisco SDM on a factory-fresh router with SDM installed: Connect PC to the lowest LAN Ethernet port of the router, using crossover cable. Use a static IP address for the PC: ( / ). Launch a supported browser. The default URL to access Cisco SDM is The Cisco SDM default login is: Username: sdm Password: sdm Use the following process when you access SDM for the first time. This assumes either an out-of-box router with SDM installed, or a default SDM configuration was loaded into flash. Connect a PC to the router’s lowest LAN Ethernet port using a cross-over cable. Assign a static IP address to the PC. Its recommended to use with subnet mask. Launch a supported Browser. Use URL You will be prompted to log in. Use the SDM defaulted login: Username SDM Password SDM

118 Startup Wizard: Basic Configuration, Change Default Username and Password
Step 2 Enter the router Hostname and Domain name here. These fields are optional but it is recommended that you change these. The user must enter a new enable secret password with minimum length of 6 characters. It will not allow you to proceed until a valid password is entered and re-entered. Click Next to proceed. Step 3 On this page , the user must change the sdm default username (which is sdm) and password (sdm).

119 Startup Wizard: LAN Interface Configuration
These next two steps are optional steps, meaning it will allow the defaults. Step 4 Enter the IP address for the interface which will be connected to the LAN network. Click Next. Step 5 You can configure the router as a DHCP server here. For 8xx routers, the checkbox is turned on by default. When you check this box, it allows the router to assign private IP addresses to devices on the LAN. Then you must enter a start and end address for the DHCP pool. The address pool must be based on the LAN IP address that you entered in the previous step.

120 Startup Wizard: DHCP Server Configuration

121 Startup Wizard: DNS Configuration
These steps are also optional. Step 6. You can specify the primary and secondary DNS servers here. DNS translates names of network nodes into addresses. Step 7 SDM lets you disable some features that are on by default in Cisco IOS. These features when enabled can create security risks, or use up available memory in the router. You should leave the boxes checked unless you know that your requirements are different. Later if you decide to enable a feature listed here, you can use the Advance mode to re-enable it. The first checked box disables SNMP Services on Your Router. The second checked box disables services that are considered security risks. Examples include Finger Service, TCP and UDP Small Servers Service, CDP, and others. The third checked box enables Services for Enhanced Security on the Router/Network. Examples include: Set TCP Synwait Time, Enable Logging, enable Firewall on All of the Outside Interfaces, and others. The 4th checked box enables Enhance Security on Router Access. This includes enabling VTY, telnet access, passwords and parameters, banner settings, and others. The last checked box enables password encryption.

122 Startup Wizard: Security Configuration

123 Startup Wizard: Configuration Delivery
Step 9 Informs you of the new IP address that must be used to reconnect to the router and re-launch SDM. I have it outlined in red on the screen. Click Finish to start the configuration delivery to the router flash. Step 10 Once the configuration is delivered the OK button is enabled. When you click OK it shuts down SDM and you lose your connection. You will lose your connection after it is delivered to the router. Use the new IP address to access SDM for further configuration.

124 Accessing Cisco SDM: Ongoing
Already configured router with Cisco SDM installed: Use a LAN/WAN connection. Manage the router using either HTTP or HTTPS with IP address>/. To access SDM ongoing, use either http: or https: to access SDM followed by the router IP address “/flash/sdm.shtml” as shown on the screen. When you enter https it specifies that the Secure Socket Layer (SSL) protocol be used for a secure connection. if SSL is not available, http: Once you have your WAN interface configured, you can access SDM through a LAN or WAN interface. Note: specifies that SSL be used for a secure connection. can be used if SSL is not available.

125 Cisco SDM: Startup Troubleshooting
Browser problem? Enable Java and JavaScript on the browser. Disable popup blockers or unsupported Java plug-ins on PC. Router not allowing access? Ensure that HTTP server is enabled on router. Ensure that the PC is not blocked on the interface by a firewall ACL. Requires HTTP/HTTPS and SSH/Telnet or SSH/Telnet and RCP access to router Open specific addresses/ports in ACL editor in advanced mode Cisco SDM installed? Access it with IP address>/flash/sdm.shtml. Enter the CLI show flash command. If you are having problems getting SDM to work, here are some troubleshooting tips. First determine is it a browser problem? If so, make sure: Java and JavaScript on the browser is enabled Disable popup blockers on the PC. SDM needs popups. Disable unsupported Java plug-ins from Control Panel. Is the router not allowing access? Remember that certain configuration settings are required for SDM to work. Did you use the provided default configuration. Or did you use an existing router configuration. Ensure HTTP server is enabled on the router. If it isn’t most likely other SDM settings are not set correctly either. Refer to the “Downloading and Installing Cisco SDM” document for the required settings. Did SDM access work before, but now its not? Ensure your PC is not blocked by an ACL. Remember SDM requires HTTP, SSH, telnet access and/or RCP access to the router (which could have been inadvertently disabled in a security lockdown). Don’t forget the obvious, is SDM installed? Quickest way to determine is trying to access it IP address>/flash/sdm.shtml. Look at the router flash memory and make sure the required SDM files are present. Enter the CLI command show flash.

126 Cisco SDM Main Window Layout and Navigation
Menu Bar Toolbar When SDM is launched, SDM reads the existing router configuration. You will see a message stating this. Then it will present the features that it supports as available for configuration through the SDM. At the top of the screen you will see the typical menu bar with File, view, edit, tools and help. Below that is the SDM tool bar. It has the SDM wizards and modes you can select. On the left side under the tool bar displays the current mode you are in. The menu, tool bar, and current mode are always displayed at the top of each screen. The other parts of the screen change based upon the mode and function you are performing. The far left panel is the Category Bar. It changes with the options available based on the mode you are in. When you log in, the first page displayed is the Overview page. It gives you a great summary of the router. It displays the router model, total amount of memory and flash, IOS and SDM versions, the hardware installed and a summary of some security features such as firewall status and the number of active VPN connections. Router Information Configuration Overview

127 Cisco SDM Wizard Options
LAN configuration: Configure LAN interfaces and DHCP. WAN configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces. Firewall: Access two types of Firewall wizards: Simple inside/outside Advanced inside/outside/DMZ with multiple interfaces VPN: Access three types of VPN wizards: Secure site-to-site VPN Cisco Easy VPN GRE tunnel with IPSec VPN Security Audit: Perform a router security audit, with a button for router lockdown. IPS: Intrusion Prevention System QOS: Quality of Service In order to configure a firewall on the router, first the Cisco IOS image must support the Firewall feature set. The SDM Firewall contains two wizards that enables you to create a firewall for your LAN by answering prompts in a set of screens. SDM builds your firewall based on your selections. To start, click the Firewall wizard icon from the left pane and this window appears. Select the type of firewall that you want to create. There are two types of Firewall Wizards: Basic Firewall - click this if you want SDM to create a firewall using SDM default rules. This one-Step firewall wizard, configures only one outside interface and one or more inside interfaces. It does not support configuring a DMZ or custom inspection rules. The use case scenario on the right, shows a typical network configuration for this type of firewall. This is a basic Firewall that is good for a telecommuter or SOHO scenario. Advanced Firewall - click this if you want SDM to lead you through the steps of configuring a firewall with a DMZ interface. This wizard allows you to configure the router to connect to the Internet and configure hosts off a DMZ interface to be accessible to outside users. This wizard also lets you specify an inspection rule for the firewall. Once you have selected the firewall type, click”Launch the Selected task” to begin.

128 Firewall Wizard: Basic Firewall Interface Configuration
There are three basic steps in a One-Step Firewall. Step 1 is an information screen, click Next to proceed. Step 2 you specify the following: The Inside (or trusted) interfaces. These interfaces connect to the LAN. You can select multiple interfaces. The outside (or untrusted) interface is connected to the Internet or to your organization's WAN. When making firewall settings, keep in mind which interface you are using to access SDM through. If you select the interface that you accessed SDM as the outside (untrusted) interface, it will cause you to lose your connection to SDM because it will then be protected by a firewall. This means you will not be able to launch SDM from the outside interface after the Firewall Wizard completes. There is a warning window that reminds you of this possibility. If you should inadvertently lock yourself out, you will need to go in through the console and modify the firewall access lists before you can log into SDM again. The third setting is the Access rule log option. Check this box if you want to log all failed network access attempts caused by unauthorized users or protocols that are specified in the firewall access rules. Click Next to proceed.

129 Firewall Wizard: One-Step Firewall Configuration Summary
This screen summarizes the firewall information. You can review the information by using use the Back button to return to screens in the wizard to make changes. SDM lists the router’s interfaces that you designated as the interfaces in this wizard session, along with their IP addresses. SDM describes in English versus CLI syntax the access and inspection rules that will be associated with these interfaces if these changes are applied. Read your firewall wizard summary screen to determine the types of settings are what you want. At the bottom of the screen, you can also select to save these configuration to the routers startup config. Click Finish to complete the wizard. You can later view and also change any of these settings in the Advanced mode. I will point these out later.

130 Advanced Firewall Wizard: Interface Configuration
To create an advanced firewall, I will only cover what’s different. In step 2, for the Advanced Firewall Interface screen a DMZ interface field is added, I have it highlighted in red. Select the router interface that connects to a DMZ network, if one exists. Click Next.

131 Advanced Firewall Wizard: DMZ Service Configuration
Step 3, is where you specify which services available inside the DMZ that will be made available through the router’s outside interfaces. Click Add to begin. Step 4, the DMZ service configuration window appears. Configure the DMZ network hosts by specifying the address range with a first and last IP address. To specify a n individual host address then do not enter a last IP address. For Service, click either TCP or UDP if you want to allow traffic for one of those services Next you will assign the service for TCP or UDP by clicking the button with the … on the right. Step 5 the service window opens. In this example the customer wants to allow TCP service smtp. So the smtp service would be selected followed by OK. Then all selections are propagated to the DMZ service configuration window. Continue adding all the services desired for the DMZ, again starting with the step 3 window. When complete click next.

132 Advanced Firewall Wizard: Configure Inspection Rules
Step 6. Create CBAC inspection rules to allow specific return traffic onto the network. These rules cause the router to examine outgoing packets for specified types of traffic. Traffic arriving at the outside interface is compared against the traffic types in the inspection rule, and are allowed onto the network if it is associated with a session that is started on the LAN and is also a type specified in the inspection rules. You can use the SDM default inspection rule which uses common traffic type, and is defaulted to alert and not log errors when this type of traffic is encountered. You can use the default rule or click add and build a new inspection rule. When your done creating the inspection rule, Click Next. If you decide later to change the inspection rules, you can use the advanced mode - rules option to change them. As I mentioned before, SDM has intelligence built into it. If a VPN configuration exists, the firewall wizard takes that into consideration when it creates the firewall, so as not to block valid VPN users. Step 7 the firewall configuration summary appears. The inspection rule is applied to the inside interface in an inbound direction and also the DMZ interface in an outbound direction. Click finish to deliver the config to the router.

133 Configuring IPS Using SDM
Enable Cisco IOS IPS with a Factory Default SDF Using Cisco SDM

134 IPS Policies Wizard: Welcome

135 IPS Wizard: Interfaces Window

136 IPS Wizard: SDF Locations

137 IPS Wizard: Signature Configuration
Configuration Delivery and Signature Compilation Status

138 IPS Wizard: Signature List

139 IPS Wizard: Global Settings

140 VPN Wizard: Main Window
You can let SDM guide you through a simple VPN configuration by clicking the VPN icon in the Wizard Mode. Select one of the three VPN wizards. Create a Site-to-Site VPN with Pre-shared Keys that connects two routers. Create an Easy VPN Remote Client to configure a connection to a VPN server or concentrator. This only supports the Easy VPN Remote Phase II feature. Create a Secure GRE Tunnel over IPSec between your router and a peer system. The use Case Scenario displays for the wizard selected. Click desired the wizard and then click Launch the selected task to begin configuration. In this scenario I will describe how to create a Site-to-Site VPN with Pre-shared Keys.

141 VPN Wizard There are two choices Quick Setup and Step by Step Wizard.
Quick Setup is used between two Cisco routers using SDM generated defaults. It uses a default (internet key exchange) IKE policy for authentication, a default transform set to control the encryption of data, and a default IPSec rule that will encrypt all traffic between the router and the remote device. The quick setup is best used when both the local router and the remote system are Cisco routers using SDM. You can view the default IKE settings by selecting View Defaults. The Step by Step Wizard provide more configuration flexibility. You can create IKE policies as part of this wizard. In this example will use the quick setup option using the SDM default IKE policy.

142 VPN Wizard: VPN Connection Configuration
In this screen, select the existing interface that will be used for this VPN tunnel. Identify the remote VPN peer by entering the peers IP address or host name. Both sides must agree on the Pre-shared key that is used to authenticate each other. The key can be up to 128 characters with any combination of letters and numbers, but question marks (?) and spaces are not allowed. Enter and re-enter the key. The key is displayed in asterisks to protect it’s secrecy. Under “Protect all traffic between the following subnets” select the source (inside) interface that will be used for traffic on this VPN connection. For destination enter the remote IP addresses that will be permitted to enter this tunnel. You can enter a specific remote subnet as the destination, or select all destinations as permitted to enter the tunnel. SDM creates an access list that permits IP traffic between the source and destination based on the values you just entered on this page. Click Next.

143 Security Audit: Overview
The security audit compares router configuration against a predefined checklist of best practices (ICSA, TAC approved). Examples of the audit include (but are not limited to) the following: Shut down unneeded servers on the router (BOOTP, finger, tcp/udp small-servers). Shut down unneeded services on the router (CDP, ip source-route, ip classless). Apply the firewall to the outside interfaces. Disable SNMP or enable it with hard-to-guess community strings. Shut down unused interfaces, no ip proxy-arp. Force passwords for console and vty lines. Force an enable secret password. Enforce the use of ACLs. The SDM Security Audit feature examines router configuration against a predefined checklist that are “best practice” using ICSA and Cisco TAC recommendations. Examples of the audit include, but are not limited too the following: It shuts down un-needed servers on the router (BOOTP, finger, tcp/udp small-servers) Shuts down un-needed services on the router (CDP, ip source-route, ip classless) Applies a firewall to the outside interfaces Disables SNMP or enables it with hard-to-guess community strings Shuts down unused interfaces using “no ip proxy-arp” Forces passwords for the router console and vty lines Forces an “enable secret” password Enforces the use of access lists.

144 Security Audit Click the Security Audit mode to begin.
Next, It will ask you which interfaces are inside and outside before beginning the audit. That’s not shown here. Then the Security Audit wizard tests your router configuration to determine which possible security vulnerabilities may exist. A screen showing the progress of this action appears, listing all of the configuration options being tested for, and whether or not the current router configuration passes those tests. Vulnerable items found are marked in red. Click Close.

145 Security Audit: Fix Security Problems
Now the Security Audit Report Card screen appears. It shows a list of possible security problems. You can check the “Fix it” boxes next to any problems that you want SDM to fix. For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description. It displays a help page about that problem. You can also click “Fix all” at the top. It will automatically secure all vulnerabilities it found with a “best practice” solution. Additional screens may appear requiring your input such as enter a password. Also warnings could appear if you were to completely secure the router, so that no one could get in, including you. For example, by default it will “Set Access Class on HTTP Server Service” for inside interfaces only. This will deny you from being able to remotely access SDM from a WAN. So especially pay attention to warning screens. You can choose to permit or deny individual settings.

146 Monitor Mode Overview Interface Status Firewall Status VPN Status

147 Additional Tasks

148 Lab Exercise © 2005 Cisco Systems, Inc. All rights reserved.
SNRS v1.0—7-148

149 Summary (1) Cisco offers a complete set of security features with its products in order to protect the information assets of its customers. Cisco Secure ACS for Windows Server is a feature-rich application used to work with a wide variety of AAA clients and databases. Authentication is done using TACACS+ or RADIUS configured on various network devices such as NASs, Cisco PIX Firewall, Cisco VPN Concentrator, routers, and now switches for Layer 2 security. A web interface is required for initial configuration and makes administration user-friendly. Tools include reports for troubleshooting access problems and debug commands for troubleshooting TACACS+ and RADIUS. Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

150 Summary (2) CBAC uses dynamically created ACLs to control access to the network. It provides protection from DOS, RPC, Java, SMTP, and many other types of attacks based application-layer protocol session information. The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis as users log on to the network or Internet using HTTP, FTP, Telnet, and HTTPS. This feature uses the auth-proxy service provided by ACS along with ACLs used to define traffic requiring authentication and authorization. The Cisco IOS Firewall IPS acts as an inline intrusion detection sensor sending alarms, dropping packets, or resetting the connection in response to events triggered by the IPS. More than 700 signatures are available with the latest release. Syslog or SDEE are used to monitor and send alerts. Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.

151 Summary (3) Besides Port Security, Cisco IBNS combines several Cisco products to offer authentication, access control, and user policies to enhance network security. It is based on 802.1x and RADIUS implementations. When 802.1x is enabled, ports are authenticated before any other Layer 2 features are enabled. A RADIUS server is used to authenticate users. RADIUS keys must match on client and server. The three factors that affect mitigation strategy techniques are the number of security zones, the number of user groups, and the number of switch devices. Recommendations include secure switch management using SSH, SNMPv3, regular audits, and penetration testing. Cisco SDM allows you to customize Cisco access router configuration using advanced features and wizards. Slide 1 of 2 Purpose: This slide states the chapter objectives. Emphasize: Read or state each objective so that each student has a clear understanding of the chapter objectives. Note: Catalyst switches have different CLIs. The Catalyst 2900xl and the Catalyst 1900 has a Cisco IOS CLI. The Cisco IOS CLI commands available on the 2900xl is different from the The Catalyst 5000 family has no Cisco IOS CLI, and use the set commands instead. This class only covers the configuration on the Catalyst 1900 switch.


Download ppt "Objectives Upon completion of this module, you will be able to perform the following tasks: Describe the features and functionality of the Cisco Low End."

Similar presentations


Ads by Google