nspp.book page 750 tuesday, october 22, 2002 8:27...
TRANSCRIPT
NSPP.book Page 750 Tuesday, October 22, 2002 8:27 AM
I N D E X
Numerics3DES encryption, 311802.1x port authentication, 114
communications, 115–121configuring on Catalyst 6000 switches,
123–125functionality, 122
AAAA (authentication, authorization and accounting)
accounting, 469, 479method lists, applying, 481–482method lists, configuring, 479–481
applying access lists, 486–488authentication, 470
configuring, 471local database, configuring, 471method list, configuring, 471–474
authorization, 469, 475method lists, applying, 477–479method lists, configuring, 475–476
auth-proxy, 541–542, 544command authorization, configuring, 549–552debug commands, 670downloading routes, 486–488lock and key, configuring, 548–549method lists, 469network components, 470PPP
authentication and authorization, 482–485timeouts, configuring, 488–489
providing preshared keys for IPsec, 537, 539RADIUS, 515, 519–520, 522–530
accounting, 531–533communications architecture, 516packet format, 517–518password encryption, 518–519router support, 521–531
resolving common problems, 671–677show commands, 670
TACACS+accounting, 508–512authentication, 498authorization, 499–507communications architecture, 494daemon functionality, 493–494header architecture, 495–497packet encryption, 497
VPDN, 544, 546–547x-auth in ISAKMP, 539–541
acceptable usage policies, defining, 16access control. See also CBAC
PIX, 72switches, 75
access lists. See ACLsaccess policies, defining, 16–17Access-Accept messages (RADIUS), 519accessing firewalls, vulnerabilities, 140Access-Reject messages (RADIUS), 519accountability policies, defining, 16accounting, 479
method listsapplying, 481–482configuring, 479–481
RADIUS, 515, 531–532IETF Accounting AV pairs, 532–533
TACACS+, 508–512ACEs (Access Control Elements), 567ACKs, ZL ACKs, 248ACLs (access control lists), 153. See also
turbo ACLsapplying to IP fragments, 583–584, 587–588
overlapping fragment attacks, 589tiny fragment attacks, 588
applying with AAA, 486–488blocking ICMP packets, 573–575blocking known offenders, 575blocking spoofed IP addresses, 575extended, 569, 571functionality, 567–568, 573impact on performance, 590implicit deny all entry, 571logging facility, 573NetFlow switching, 594–595restricting traffic, 572–573standard, 568
NSPP.book Page 751 Tuesday, October 22, 2002 8:27 AM
752
thwarting attacksDoS attacks, 580–582fraggle attacks, 578–579smurf attacks, 576–578SYN floods, 579–580
top-down processing, 571active routers (HSRP), 43addressing, NAT
debugs, 626–627order of operations, 625–626PIX Firewall capabilities, 155resolving common problems, 629–633show commands, 627–629
advanced PIX Firewall featuresalias, 159
configuring, 185–188DNS doctoring, 161–162
DNS guards, 165flood guards, 162frag guards, 163–164fragment handling, 174–175mail guards, 164multicast support, 172multimedia support, 166protocol fixup, 168–169spoof detection, 168sysopt commands, 169–172traffic filtering, 165URPF, 168
Advertisement Interval field (VRRP packets), 53aggressive mode (IKE) exchanges, 278
using preshared key authentication, 302–306AH (Authentication Header), 317
integrity checking, 312–313Alarm messages (POP), 432alarms
corresponding severity levels, 447–448false positives, 449signatures, customizing, 463–465
alias feature (PIX Firewall), 159configuring, 185–188DNS doctoring, 161–162frag guards, 164
applets (Java), blocking, 203appliance sensors
event logging, 439–441IP session logging, 441
application layer inspection, Cisco IOS Firewall, 202
application layer VPNs, 219applying
ACLs overlapping fragment attacks, 589tiny fragment attacks, 588to ICMP packets, 573–575to IP fragments, 583–584, 587–588to known IP addresses, 575to spoofed IP addresses, 575with AAA, 486–488
method lists, 474, 477–482route filters, 82URPF, 90
area filters, 101ARP spoofing, 113ASA (Adaptive Security Algorithm), 147
ISN, generating random sequence, 148stateful inspection, 152TCP connection establishment, 148–150TCP traffic filtering, 148UDP session establishment, 150
assessing threats to security, 6–8assigning privilege levels to users, 549–552associations, 114asymmetric routing, 89, 143atomic signatures, 420attacks
cessation of operationLand.c, 414–415ping of death, 413–414
classifying with NBAR and PDLM, 607–608Code Red worm, 608–610DDoS, rate limiting with CAR, 619defending against with service provider
security, 557–558DoS, 7, 401, 405
CBAC prevention mechanisms, 204–206cessation of normal OS operation, 405DDoS, 407–413rate-limiting, 616–618resource exhaustion, 405TCP SYN floods, 405–407thwarting with ACLs, 580–582
false positives, 449fraggle, thwarting with ACLs, 578–579
ACLs (access control lists)
NSPP.book Page 752 Tuesday, October 22, 2002 8:27 AM
753
LAN floods, preventing, 110–111MAC address floods, 107–109network access, 401
buffer overflows, 415–416data access, 402privilege escalation, 417–418system access, 402
overlapping fragment, 175perpetrators
experienced hackers, 404inexperienced hackers, 403trusted users, 403untrusted users, 403
smurf, thwarting with ACLs, 576–578SYN floods, thwarting with ACLs, 579–580tiny fragment, 174–175tracing with service provider security, 560–562
attributes payload, 318auditing network security policies, 12authentication, 470
configuring AAA, 471cut-through proxy, 158–159
configuring on PIX, 188–191EAP, 115, 118IKE
digital signatures, 308–309encrypted nonces, 310preshared key, 307
local database, configuring, 471login banners, 69, 78method lists
applying, 474configuring, 471–474
OSPF, 98password management, 59–60policies, defining, 17port authentication, 802.1x, 114–125PPP, 482–485RADIUS, 515, 519router authentication, MD5-HMAC, 84–87TACACS+, 498x-auth in ISAKMP, 539–541
Authentication Data field HSRP packets, 46VRRP packets, 54
Authentication Type field (VRRP packets), 52
authorization, 475configuring PPP timeouts with AAA, 488–489method lists
applying, 477–479configuring, 475–476
PPP, 482, 484–485privilege escalation, 402RADIUS, 515, 520–530
IETF attribute support on Cisco routers, 521–531
vendor-specific attribute support on Cisco routers, 530–531
TACACS+, 499–507auth-proxy, 541–542, 544. See also lock and key
troubleshooting, 676–677availability statements, defining, 18
Bbackscatter traceback, 560–562backup devices
HSRP, 42active routers, 43Failover protocol, 49failure detection, 43functionality, 47, 49implementations, 46–47packet format, 44–46versus VRRP, 49
routing-enabled redundancy, 39–40dynamic, 41static routes, 40
VRRP, 50failure detection, 51master router selection, 50packet format, 51–54
backup mode (VRRP), 50bandwidth management, CAR, 613–614
compound interest measurement, 615–616token buckets, 614
banners, 69, 78bastion hosts, 29BGP (Border Gateway Protocol), 92
disabling version negotiation, 94EBGP multihop, 94incoming route filtering, 92–93
BGP (Border Gateway Protocol)
NSPP.book Page 753 Tuesday, October 22, 2002 8:27 AM
754
network advertisements, 93outgoing route filtering, 93peer authentication, 92restricting communications, 94
Biotech Inc., network security design and implementation case study, 12–13
asset identification, 13defining security policies, 15–20risk analysis, 14–15threat identification, 13–14
black hole filtering, 87–88block size, 311bottlenecks, firewall-induced, 138bound checking buffer overflow attacks, 416broadcast floods, preventing, 110–111buffer overflow attacks, 415–416burst parameters of CAR, 614bypassing NAT, 663
Ccabling, selecting, 38CAM overflow, preventing, 107–109capturing core dumps, 70, 78CAR (Committed Access Rate), 613–614
compound interest measurement, 615–616dropping malicious traffic, 616–618rate-limiting traffic
DDoS attacks, 619DoS attacks, 616–618suspected malicious traffic, 618
token buckets, 614 case studies
implementing CBAC on routers with NAT, 207–210, 212
network security design and implementation, 12–13
asset identification, 13defining security policies, 15–20risk analysis, 14–15threat identification, 13–14
zoning with Cisco PIX Firewalls, 30–31Catalyst 6000 series switches
configuring as sensors, 435, 458–461port security, 107–109
private VLANs, 111–112ARP spoofing, 113configuring, 113ports, 112sticky ARP, 113
categories of IDS signatures, 444–445categorizing VPNs
based on business functionality, 220based on encryption, 217–218based on OSI model layer
application layer VPNs, 219data link layer VPNs, 219network layer VPNs, 219
CBAC (context-based access control), 199DoS attack prevention mechanisms, 204–206functionality of, 200–201implementing on routers with NAT, 207–212stateful packet filtering, 200–201threshold values, 204–205timeouts, 204–205
CBC (Cipher Block Chaining), 311CEF (Cisco Express Forwarding), enabling, 67centralized administrative tools, 139cessation-of-operation attacks, 405
Land.c, 414–415ping of death, 413–414
challenges of implementing service provider security, 563
characteristics of firewalls, 137Checksum field
RFC 1701 GRE header, 225VRRP packets, 53
CIDS configuration GUI (CSPM IDS console), 434circuit-level firewalls, 141Cisco 7200/7500 series rouers, turbo ACLs,
590–593Cisco IDS
shunning, 575troubleshooting, 666–670
Cisco IOS command authorization, 549–552Cisco IOS Firewall
features of, 201application layer inspection, 202DoS attack prevention, 204–206fragment handling, 206–207invalid command filtering, 203
BGP (Border Gateway Protocol)
NSPP.book Page 754 Tuesday, October 22, 2002 8:27 AM
755
Java blocking, 203transport layer inspection, 202
Cisco PIX Firewallaccess control, 72ACLs, 153advanced features
alias, 159–162DNS guards, 165flood guards, 162frag guards, 163–164fragment handling, 174–175mail guards, 164multicast support, 172multimedia support, 166protocol fixup, 168–169spoof detection, 168sysopt commands, 169–172traffic filtering, 165URPF, 168
alias feature, configuring, 185–188ASA, 147
generating random ISN sequence, 148stateful inspection, 152TCP traffic filtering, 148–150UDP session establishment, 150
configuration management, 71configuring
as sensors, 454–457with three interfaces, 176–181
connectivity, troubleshooting, 645–647cut-through proxy authentication, 158–159,
188–191debugs, 635–637events logging, 74, 442–443failover feature, 156–158, 181–184logging capabilities, 153–154NAT, 155object groups, scaling configurations, 191–195password management, 73–74recommended timeout values, 637redundancy, 155resolving common problems, 643–645routing capabilities, 155security zones, 152–153
sensor implementaion, 448show commands, 638–643SSH, 73troubleshooting, 633–634
Cisco Secure Intrusion Detectioncategories of signatures, 444–445management console. See also CSPM IDS
Console, UNIX directorCIDS console, 433CSPM IDS, 433interaction with sensor, 427–428placement, 426UNIX director, 430–432
sensors, configuringconfigd daemon, 437fileXferd daemon, 437inline processing, 427interaction with management console,
427–428loggerd daemon, 437logging instrusions, 439–443managed daemon, 437packetd daemon, 437passive monitoring, 427placement, 426postofficed daemon, 436–437responses to intrusions, 438sapd daemon, 437shunning feature, 444signature engines, 446–447TCP reset mechanism, 443types of, 435
signatures, customizing, 463–465class maps, NBAR classification, 603–605classifying
NBAR packets, 599–600class maps, 603–605packet dropping, 605–606packet marking, 605–606recognizable protocols, 600–603
network attacksbased on mode of attack, 401–402based on perpetrator, 402–404with PDLM and NBAR, 607–608
Code Red worm, 608–610
Code Red worm
NSPP.book Page 755 Tuesday, October 22, 2002 8:27 AM
756
command authorizationconfiguring, 549–552versus EXEC authentication, 551
Command messages (POP), 432commands
debug icmp trace, 635–637debug ip inspect tcp, 651debug ip nat, 626–627debug ip packet, 626maximum-prefix, 97scheduler allocate, 67show conn detail, 639–640show crypto engine connection active, 659show crypto isakmp sa, 659–660show interface, 640–643show ip inspect all, 648–649show ip nat translations, 628show xlate detail, 637–639sysopt, 169–172
communications architecture, RADIUS, 516community ports, 112components
of AAA, 470of IKE, 276
aggressive mode, 302–306main mode, 278–293, 296–302quick mode, 279
of service provider security, 563composite signatures, 420compound interest measurement, 615–616compulsory tunneling, 245
setup process, 251–270computer technology purchasing guidelines,
defining, 16concentrators, 275configd daemon
IDS Sensor, 437UNIX director, 431
configuration management, 54–55PIX, 71switches, 75
configuring802.1x on Catalyst 6000 switches, 123–125accounting, method lists, 479–482authentication, 147
local database, 471method lists, 471–474
authorization, method lists, 475–479Catalyst 6000 IDSM as sensors, 458–461CEF, 67firewalls, 139HTTP, 66IP permit lists, 109–110IPsec
combined remote-access/LAN-to-LAN implementation, 369–373
one-to-many router, 355–360over GRE, 360–365over L2TP using voluntary tunneling,
373–379remote-access implementations, 366–368router-to-router using digital signatures,
338–349router-to-router using preshared key
authentication, 325–338router-to-router using RSA encrypted
nonces, 349–354TED, 379–391
NTP, 68OSPF
loopbacks as router ID, 101route filtering, 101stub areas, 99–100timers, 101
PIX Firewallalias feature, 185–188as sensors, 454–457cut-through proxy authentication,
188–191failover to secondary device, 181–184with 3 interfaces, 176–181
PPP timeouts with AAA, 488–489private VLANs, 113proxy authentication, 541–544route dampening, 96routers as sensors, 449–454scheduler, 67SNMP, 64–66turbo ACLs, 591–593UNIX director, shunning, 462–463URPF, 89VPDN, 544–547
congestion, firewall-induced, 138
command authorization
NSPP.book Page 756 Tuesday, October 22, 2002 8:27 AM
757
connecting IPX sites with GRE, 235–239multiple sites with GRE, 230–235
connectivity, Cisco PIX, troubleshooting, 645–647control connection establishment, L2TP, 246controlling
LAN floods, 110–111PIX access, 72router access, 55
TTY, 58vty, 55–57
switch access, 75convergence, 83cookies, 280core dumps, 70, 78Count IP Addrs field (VRRP packets), 52coup hello messages, 43courtesy ARP, 113crackers versus hackers, 400creating
DMZs, 26–30security policies, 8–9
CSPM IDS Consoleinternal architecture, 433
CIDS configuration GUI, 434cvtnrlog.exe, 434EDI, 434EVI, 434nr.postofficed daemon, 433nr.smid daemon, 434Sensor CA, 433
versus UNIX director, 429customizing signatures, 463–465cut-through proxy authentication, 158–159
configuring on PIX Firewall, 188–191cvtnrlog.exe (CSPM IDS console), 434
Ddaemons
CIDS console, 433–435Cisco IDS sensor, 436–438UNIX director, 431–432
damages due to successful attacks, estimating, 8data access attacks, 402
data link layer VPNs, 219data-link layer, L2TP, 243
compulsory tunneling, 245, 251–270control connection establishment, 246header format, 248–250session establishment, 247–248setup process, 246tunnel layers, 244voluntary tunneling, 245
DDoS attacks, 407rate limiting with CAR, 619Stacheldraht, 411–413TFN, 409–411Trinoo, 408
debug icmp trace command, 635–637debug ip inspect tcp command, 651debug ip nat command, 626–627debug ip packet command, 626debugs
IPsec, 654–658PIX, 635–637
default timeout values, PIX, 637defining
network security policies, 15–20security zones, 25–26
DMZs, 26–31deliberate inside attackers, 403denial of service, 7DES encryption, 311designing secure networks, 11
case study, 12–20security zones, 25–26
case study, 30–31DMZs, 26–27, 29–30
Destination Address field (VRRP packets), 51detecting
Code Red worm, 610intrusions, 418–419
devicesAAA network components, 470authentication
digital signatures, 308–309encrypted nonces, 310preshared keys, 307
Catalyst 6000 IDSM, configuring as sensor, 458–461
devices
NSPP.book Page 757 Tuesday, October 22, 2002 8:27 AM
758
physical security, 36environmental factors, 39media, 38network topographical design, 36placement, 37–38power supply, 38redundant locations, 36
PIX, 71access control, 72configuration management, 71connectivity problems, troubleshooting,
645–647debugs, 635–637events logging, 74password management, 73–74recommended timeout values, 637resolving common problems, 643–645show commands, 638–643SSH, 73troubleshooting, 633–634
redundancydynamic, 41HSRP, 42–49routing-enabled, 39–40VRRP, 49–54
routersCEF, 67configuration management, 54–55configuring as sensor, 449–454controlling access, 55–58core dumps, 70disabling unnecessary services, 61–63events logging, 61HTTP, 66login banners, 69loopback interfaces, 63Nagle protocol, 70NTP, 68password management, 59–60scheduler, 67sensor implementation, 448SNMP, 64–66SSH, 58traffic processing, 585
switchesconfiguration management, 75controlling access, 75
core dumps, 78events logging, 76IP permit lists, configuring, 109–110login banners, 78NTP, 77port security, 107–109
VLANs, 105basic security rules, 105–106
Diffie-Hellman algorithm, 284–285DiffServ, marking packets, 605–607digital signatures, 308–309directed broadcast control, 87dirty DMZs, 28–29disabling
BGP version negotiation, 94directed broadcast control, 87
disabling unnecessary services, 61–63DMZs, 26–30
placementbetween firewall and public network, 27between stacked firewalls, 30outside the firewall, 28–29
DNS guards (PIX Firewall), 165DoS attacks, 401, 405
CBAC prevention mechanisms, 204–206cessation of normal OS operation, 405DDoS, 407
Stacheldraht, 411, 413TFN, 409–411Trinoo, 408
preventing on Cisco IOS Firewalls, 204–206rate-limiting, 616–618resource exhaustion, 405TCP SYN floods, 405–407thwarting with ACLs, 580–582
DPD (Dead Peer Discovery), 323dropped packets
NBAR, 605–606rate limiting, 616
DSCP (Differentiated Services Code Point), marking packets, 605–607
DTP (Dynamic Trunking Protocol), 106dynamic network redundancy, 41Dynamic Trunking Protocol (DTP), 106
devices
NSPP.book Page 758 Tuesday, October 22, 2002 8:27 AM
759
EEAP (Extensible Authentication Protocol), 115
as 802.1x communications mechanism, 118messages, 117–118packet fields, 116
EAPOL (EAP over LANs), 119ease of firewall configuration, 139EBGP multihop, 94EDI (Event Database Interface), CSPM IDS
console, 434elements
of security policies, 9–10, 15–20of service provider security, 563
enable secrets, 59enabling
CEF, 67Nagel protocol, 70
encapsulationEAPOL, 121GRE, 223
connecting IPX sites, 235–239connecting multiple sites, 230–235implementations, 224non-IP traffic, 227RFC 1701 implementation, 223–225RFC 2784 implementation, 226–227tunneling between private networks,
227–230IPsec
AH, 317ESP, 316transport mode, 314tunnel mode, 314–316
encryptionIPsec, 311nonces, 310public/private key pairs, 307VPNs, 218
end devices, 7environmental considerations of physical security
design, 39Error messages (POP), 432ESP (Encapsulating Security Payload), 316
integrity checking, 312–313
event logging, 439–442in appliance sensors, 439–441on IDSM, 441
eventd daemon (UNIX director), 432events logging, 61
switches, 76EVI (Event Viewing System), CSPM IDS
console, 434extended ACLs, 569–571extended authentication. See x-authextranet VPNs, 220
Ffailover (PIX), 155–158
to secondary device, 181–184Failover protocol (HSRP), 49failure detection (HSRP), 43false positives, 449features of Cisco IOS Firewall, 201
application layer inspection, 202DoS attack prevention, 204–206fragment handling, 206–207invalid command filtering, 203Java blocking, 203transport layer inspection, 202
fieldsof EAP packets, 116of EAPOL frames, 121of HSRP packets, 45–46of VRRP packets, 52–54
fileXferd daemon (IDS Sensor), 431, 437fileXferd daemon (UNIX director), 431filtering. See also protocol filtering
incoming BGP routes, 92–93IP fragments, 583–588
overlapping fragment attacks, 589tiny fragment attacks, 588
MAC addresses on specific ports, 107–109outgoing BGP routes, 93RFC 1918 address space, 582traffic with IP permit lists, 109–110with ACLs
blocking ICMP packets, 573–575blocking known offenders, 575blocking spoofed IP addresses, 575
filtering
NSPP.book Page 759 Tuesday, October 22, 2002 8:27 AM
760
extended, 569–571functionality, 567–568, 573implicit deny all entry, 571NetFlow switching, 594–595standard, 568top-down processing, 571
firewallsbastion hosts, 29characteristics, 137circuit-level, 141Cisco IOS Firewall
application layer inspection, 202CBAC, 199–201debug commands, 650–651DoS attack prevention, 204–206features, 201fragment handling, 206–207invalid command filtering, 203Java blocking, 203order of operations, 648show commands, 648–649resolving common problems, 651–652transport layer inspection, 202troubleshooting, 647
Cisco PIX FirewallACLs, 153advanced traffic filtering, 165alias feature, 159, 161–162, 185–188ASA, 147–150configuring with three interfaces, 176–181connectivity problems, troubleshooting,
645–647creating zones, 30–31cut-through proxy authentication,
158–159, 188–191debugs, 635–637DNS guards, 165event logging, 442–443failover feature, 156–158failover to secondary device, 181,
183–184flood guards, 162frag guards, 163–164fragment handling, 174–175IP session logging, 443
logging capabilities, 153–154mail guards, 164multicast support, 172multimedia support, 166NAT, 155protocol fixup, 168–169redundancy, 155resolving common problems, 643–645routing capabilities, 155scaling configurations, 191–195security zones, 152–153sensor implementation, 448show commands, 638–643spoof detection, 168stateful inspection, 152sysopt commands, 169–172troubleshooting, 633–634URPF, 168
device security, 140ease of configuration, 139interaction with IPsec, 393layering, 144nonstateful packet filters, 141notification ability, 138personal, 142positioning, 143–144proxy servers, 141stateful packet filters, 142three-legged, creating DMZs, 27traffic processing speed, 138
Flags field (RFC 1701 GRE header), 224flapping routes, dampening, 95floating static routes, 40flood guards (PIX Firewall), 162flooded CAM tables, preventing, 107–109frag guards (PIX Firewall), 163–164fraggle attacks, thwarting with ACLs, 578–579fragment handling
Cisco IOS Firewalls, 206–207PIX Firewall, 174–175
fully meshed networks, dynamic redundancy, 41functionality
of CBAC, 200–201of HSRP, 47–49
filtering
NSPP.book Page 760 Tuesday, October 22, 2002 8:27 AM
761
GGarfinkel, S., 8getadmin exploits, 417–418goal of network security, 5gratuitous ARP, 113GRE (Generic Routing Encapsulation), 223
connecting IPX sites, 235–239connecting multiple sites, 230–235implementations, 224non-IP traffic encapsulation, 227RFC 1701 implementation, 224–226RFC 2784 implementation, 226–227tunneling between private networks, 227–230
Group field (HSRP), 46guard feature (PIX Firewall)
DNS guards, 165flood guards, 162frag guards, 163–164mail guards, 164
Hhackers, 400
experienced, 404Metnick, Kevin, 421–422professional, 404script kiddies, 403versus crackers, 400
half-open SYN attacks, 405, 407hard coding BGP version information, 94hash payload (IKE main mode message), 290hashing, 312–313
MD5-HMAC, 84–87 headers
L2TP, format, 248–250TACACS+, 495–497
Heartbeat messages (POP), 432Hellotime field (HSRP), 45heuristic/holistic classification, NBAR, 600high-availability IPsec over GRE, 360–365high-severity alarms, 448HMAC (Message Authentication Codes using
Hashing), integrity checking, 312–313holdtime (HSRP active routers), 43Holdtime field (HSRP), 45
home gateways, VPDN configuration, 544–547Honey Pots, 558host intrusion detection, 425HSRP (Hot Standby Router Protocol), 42
active routers, 43Failover protocol, 49failure detection, 43functionality, 47–49implementations, 46–47packet format, 44–46versus VRRP, 49
IICMP (Internet Control Message Protocol)
floods, rate limiting with CAR, 617maintaining path integrity, 91packet filtering, 573–575
identifying resources to protect, 6identity payload
EAP messages, 117IKE main mode message, 290
IDSMevent logging, 441–442IP session logging, 442sensor implementation, 448
IDSsCatalyst 6000 IDSM
configuring as sensors, 458–461Cisco Secure IDS
categories of signatures, 444–445management console, 426–433sensors, 426–428, 435–444signature engines, 446–447
PIX Firewall, configuring as sensors, 454–457resolving common problems, 666–670routers, configuring as sensors, 449–454signature-based, 419statistical anomaly-based, 419
IEEE 802.1x port authentication, 114communications, 115–21configuring on Catalyst 6000 switches,
123–125functionality, 122
IETF Accounting AV pairs (RADIUS), 532–533IETF attributes supported on Cisco routers, 521–531
IETF attributes supported on Cisco routers
NSPP.book Page 761 Tuesday, October 22, 2002 8:27 AM
762
IKE (Internet Key Exchange), 276aggressive mode using preshared key
authentication, 302–306Diffie-Hellman algorithm, 284–285digital signature authentication, 308–309encrypted nonces, 310main mode, 278
using digital signature authentication, 298–302
using preshared key authentication, 280––297
preshared key authentication, 307quick mode, 279SA, 279, 284
implementationsof GRE, 224
RFC 1701, 224–226RFC 2784, 226–227
of HSRP, 46–47implementing
CBAC on routers with NAT, 207–210, 212network security policies, 10–20service provider security, 563
implicit deny all entry (ACLs), 571improving network security policies, 12incoming BGP routes, filtering, 92–93incoming call establishment
L2TP, 247ingress filtering, 82inside global addresses, 628inside local addresses, 628integrity checking, 312–313intranet VPNs, 220intrusion detection, 418
motivation for, 399–400responses, 438
event logging, 439–442IP session logging, 441–443shunning, 443TCP reset, 443
invalid command filtering, Cisco IOS Firewall, 203invalid IP addresses, blocking with ACLs, 581–582IOS Firewalls
CBAC, 199functionality of, 200–201stateful packet filtering, 200–201
debug commands, 650–651
order of operations, 648resolving common problems, 651–652show commands, 648–649troubleshooting, 647
IP Address field (VRRP packets), 53IP addressing, NAT, 129
security benefits, 130vulnerabilities, 131
IP fragmentsfiltering, 583–584, 587–588overlapping fragment attacks, 589tiny fragment attacks, 588
IP log messages (POP), 432IP permit lists, configuring, 109–110IP session logging, 441–443
in appliance sensors, 441on IDSM, 442on PIX Firewall, 443on router-based sensors, 443
IP source routing, maintaining path integrity, 91IPsec
AH, 317combined LAN-to-LAN/remote access
configuration, 369–373components, 276compulsory tunneling, 266–270debugs, 654–658DPD, 323encryption mechanisms, 311ESP, 316high-availability configuration over GRE,
360–365IKE, 276
aggressive mode, 302–306digital signature authentication, 308–309encrypted nonces, 310main mode, 278–302preshared key authentication, 307quick mode, 279
integrity checking, 312–313interaction
with firewalls, 393with NAT, 391–393
LAN-to-LAN implementations, 274MTU issues, troubleshooting, 664–666one-to-many router configuration, 355–360order of operations, 653–654
IKE (Internet Key Exchange)
NSPP.book Page 762 Tuesday, October 22, 2002 8:27 AM
763
over L2TP using voluntary tunneling, 373–379preshared keys, obtaining from AAA, 537–539remote-access client implementation, 366–368,
275, 317–318extended authentication, 318–320mode configuration, 321NAT transparency, 321
router-to-router using digital signatures, 338–349using preshared key authentication,
325–338using RSA encrypted nonces, 349–354
show commands, 658–660TED, configuring, 379, 381–391transport mode, 314troubleshooting common problems, 661–666tunnel mode, 314–316VPNs, order of events, 653–654
IPv4 GRE, 223RFC 1701 implementation, 223–225RFC 2784 implementation, 226–227
IPX sites, connecting with GRE, 235–239ISAKMP, 277
x-auth, 541x-auth for remote-access clients, 539–540
ISN (Initial Sequence Number), generating random sequences, 148
isolated ports, 112ISPs, net police filters, 82
J-KJava blocking (Cisco IOS Firewall), 203
Key field (RFC 1701 GRE header), 225key-exchange process (IKE), 276
aggressive mode exchange with preshared key authentication, 302–306
main mode exchange, 278with digital signature authentication,
298–302with preshared key authentication,
280–297quick mode exchange, 279
known offenders, blocking, 575
LL2TP (Layer 2 Tunneling Protocol), 243
compusory tunnels, 245setup process, 251–270
control connection establishment, 246header format, 248–250session establishment, 247–248setup process, 246three-way message exchange, 246tunnel layers, 244voluntary tunnels, 245
LAN switchingbasic security rules, 105–106flood attacks, preventing, 110–111IP permit lists, configuring, 109–110port authentication, 114
communications, 121IEEE 802.1x, 114–125
port security, 107–109Land.c attacks, 414–415LAN-to-LAN IPsec implementations, 274
combining with remote-access configuration, 369–373
layering firewalls, 144Length field (L2TP header), 250likelihood of attack, assessing, 7–8Livingston Enterprises, Inc., RADIUS, 515lock and key, configuring, 548–549loggerd daemon, 431
IDS Sensor, 437UNIX director, 431
loggingACLs, 573BGP neighbor status changes, 97events, 61intrusions
event logs, 439–442IP session logs, 441–443
PIX events, 74switches, 76syslog messages on PIX, 153–154
login banners, 69switches, 78
loopbacks, 63configuring as router ID (OSPF), 101
low-severity alarms, 447
low-severity alarms
NSPP.book Page 763 Tuesday, October 22, 2002 8:27 AM
764
MMAC addresses, restricting on specific ports,
107–109mail guards (PIX Firewall), 164main mode (IKE) exchanges, 278
using digital signature authentication, 298– 302using preshared key authentication, 280– 298
ISAKMP message payloads, 281–284PFS, 291–292
maintainingpath integrity. 91routing table stability, 94
maximum-prefix command, 97route dampening, 95–96
maintenance policies, defining, 18malicious attacks, false positives, 449malicious traffic, dropping with CAR, 616–618managed daemon (IDS Sensor), 437management console (Cisco Secure IDS)
CSPM IDS console, 433CIDS configuration GUI, 434cvtnrlog.exe, 434EDI (Event Database Interface), 434EVI, 434nr.postofficed daemon, 433nr.smid daemon, 434Sensor CA, 433
interaction with sensor, 427–428placement, 426UNIX director, 430
configd daemon, 431eventd daemon, 432fileXferd daemon, 431loggerd daemon, 431POP, 432postofficed daemon, 430sapd daemon, 431shunning, 462–463smid daemon, 431
management protocolsHTTP, 66SNMP, 64–66
managing NBAR classified traffic, 606–607marking packets, NBAR, 605–606master routers, 50masters (Trinoo), 408
MD-5 challenge messages (EAP), 117MD5-HMAC, 84–87medium-severity alarms, 448messages, TLS, 118method lists, 469
applying, 474–482configuring, 471–474
for AAA accounting, 479–481for AAA authorization, 476
Metnick, Kevin, attack on Tsutomu Shimomura’s computers, 421–422
misconfigurationof access lists, troubleshooting, 662of firewalls, 139
mode configuration (remote access IPsec), 321motivation
for IDSs, 399–400for service provider security, 557
ability to track source of attacks, 560–562defense against attacks, 557–558
multicast support, PIX Firewall, 172multimedia support, PIX Firewall, 166multiple sites, connecting with GRE, 230–235
NNagle protocol, enabling, 70NAK messages (EAP), 117NAT (Network Address Translation), 129
bypassing, 663common problems, troubleshooting, 629–633debugs, 626–627interaction with IPsec, 391–393order of operations, 625–626PIX Firewall capabilities, 155security benefits, 130show commands, 627–629transparency (remote access IPsec), 321vulnerabilities, 131
NBAR (Network-Based Application Recognition), 599–600
class maps, 603–605classifying attacks with PDLM, 607–608detection of Code Red worm, 608–610dropping packets, 605–606
MAC addresses, restricting on specific ports
NSPP.book Page 764 Tuesday, October 22, 2002 8:27 AM
765
effect on performance, 608marking packets, 605–606non-TCP-based recognizable protocols,
602–603non-UDP-based recognizable protocols,
602–603TCP-based recognizable protocols, 600–602UDP-based recognizable protocols, 600–602
negotiation (IKE)aggressive mode exchanges using preshared
key authentication, 302–306main mode exchanges
ISAKMP message payloads, 281–284PFS, 291–292using digital signature authentication,
298–302using preshared key authentication,
280–298neighbor database filters, 101neighbor status (BGP), logging changes in, 97net police filters, 82NetFlow switching, ACL enhancements, 594–595network access attacks, 401–402network advertisements, BGP, 93network attacks, 401
cessation-of-operationLand.c, 414–415ping of death, 413–414
DoS, 401, 405cessation of normal OS operation, 405DDoS, 407–413resource exhaustion, 405TCP SYN floods, 405–407
network access, 401buffer overflows, 415–416data access, 402privilege escalation, 417–418system access, 402
network flows, 594network intrusion detection, 425network layer VPNs, 219network security policies
auditing, 12creating, 8–9defining, 15–20
design issues, 11elements of, 9–10implementing, 10–11
nonbroadcast neighbor configuration, OSPF, 98–99nonces, 285nonencrypted VPNs, 218noninitial fragment inspection (Cisco IOS
Firewall), 206non-IP traffic encapsulation, 227nonstateful packet filters, 141non-TCP-based protocols recognized by NBAR,
602–603non-UDP-based protocols recognized by NBAR,
602–603notification ability of firewalls, 138notification messages (EAP), 117notify payload (DPD), 323Nr field (L2TP header), 250nr.postofficed daemon (CSPM IDS console), 433nr.smid daemon (CSPM IDS console), 434Ns field (L2TP header), 250NTP (Network Time Protocol)
configuring, 68switch implementations, 77
null route filtering, 87
OOakley, 277object groups, scaling PIX configurations, 191–195Offset field (L2TP header), 250–251one-time password messages (EAP), 117one-to-many router IPsec configuration, 355–360OSPF (Open Shortest Path First)
configuring loopbacks as router ID, 101nonbroadcast neighbor configuration, 98–99route filtering, 101router authentication, 98stub areas, configuring, 99–100timers, configuring, 101
outgoing BGP routes, filtering, 93outgoing call establishment, L2TP, 247–248out-of-sequence fragments, stateful inspection of
with Cisco IOS Firewall, 207outside global addresses, 628
outside global addresses
NSPP.book Page 765 Tuesday, October 22, 2002 8:27 AM
766
outside local addresses, 628overlapping fragment attacks, 175, 589Overload NAT, 129
Ppacket filters
nonstateful, 141stateful, 142
packetd daemon (IDS Sensor), 437packets
classifying with NBAR, 599–603class maps, 603–605
dropping, 605–606EAP, fields, 116HSRP, 44–46ICMP, blocking with ACLs, 573, 575marking with NBAR, 605–606network flows, 594RADIUS, 517–518TACACS+, encryption, 497VRRP, 51–54
PAE (Port Access Entity), 115passive monitoring, 427 passwords
authentication, 470encryption with RADIUS, 518–519PIX, managing, 73–74
PAT (Port Address Translation), 129path integrity, maintaining, 91PDLM (Protocol Description Language Module),
classifying attacks with NBAR, 607–608peer authentication (BGP), 92performance, effect of NBAR on, 608permissive security policies, 9perpetrators of network attacks
experienced hackers, 404inexperienced hackers, 403trusted users, 403untrusted users, 403
personal firewalls, 142PFS (Perfect Forward Secrecy), 291–292physical security, 36
environmental factors, 39network topographical design, 36power supply, 38
redundant locations, 36selecting secure locations, 37–38
ping of death attacks, 413–414PIX Firewall, 71
access control, 72ACLs, 153advanced features
DNS guards, 165flood guards, 162frag guards, 163–164fragment handling, 174–175mail guards, 164multicast support, 172multimedia support, 166protocol fixup, 168–169spoof detection, 168sysopt commands, 169–172traffic filtering, 165URPF, 168
alias feature, configuring, 159–162, 185–188ASA, 147
generating random ISN sequence, 148stateful inspection, 152TCP traffic filtering, 148–150UDP session establishment, 150
configuration management, 71configuring
as sensors, 454–457with three interfaces, 176–181
connectivity, troubleshooting, 645–647cut-through proxy authentication, 158–159,
188–191debugs, 635–637events logging, 74, 442–443failover, 156–158
to secondary devices, 181–184logging capabilities, 153–154NAT, 155object groups, scaling configurations, 191–195password management, 73–74recommended timeout values, 637redundancy, 155resolving common problems, 643–645routing capabilities, 155security zones, 152–153sensor implementation, 448show commands, 638–643
outside local addresses
NSPP.book Page 766 Tuesday, October 22, 2002 8:27 AM
767
SSH, 73troubleshooting, 633–634zones, creating, 30–31
placementof DMZs
between firewall and public network, 27between stacked firewalls, 30outside the firewall, 28–29
of firewalls, 143policies, 5
auditing, 12creating, 8–9defining, 15–20design issues, 11elements of, 9–10implementing, 10–11
policing, managing NBAR classified traffic, 607policy routing, dropping/marking NBAR classified
traffic, 606POP (Post Office Protocol), Cisco Secure IDS
communications, 432ports
authentication, 802.1x, 114communications, 115–121configuring on Catalyst 6000 switches,
123–125functionality, 122
on private VLANs, 112security, 107–109
positioning firewalls, 143–144postofficed daemon
IDS Sensor, 436–437UNIX director, 430
power supplies, designing physical security, 38PPP (Point-to-Point Protocol)
AAA authentication and authorization, 482–485
L2TP, 243compusory tunnels, 245, 251–270control connection establishment, 246header format, 248–250session establishment, 247–248setup process, 246tunnel layers, 244voluntary tunnels, 245
timeouts, configuring with AAA, 488–489prefix lists, filtering incoming BGP routes, 92–93
preshared key authentication, 307authenticating ISAKMP in IPsec
implementations, 537–539preventing flood attacks, 110–111Priority field
HSRP, 46L2TP header, 250VRRP packets, 52
private networksroute filtering, 81
address spaces, 82applying, 82ingress filtering, 82net police filters, 82
tunneling between with GRE, 227–230VPDN, 544–547
private VLANs, 111–112ARP spoofing, 113configuring, 113ports, 112sticky ARP, 113
privilege levelsassigning to users, 549–552escalating, 402, 417
getadmin exploits, 418unicode exploits, 418
processing, order of operationsACLs, 571IPsec, 653–654NAT, 625–626
professional hackers, Metnick, Kevin, 421–422promiscuous ports, 112Protocol Description Language Module. See PDLMProtocol field (VRRP packets), 51protocol filtering, controlling LAN floods, 110–111protocol fixup, PIX Firewall, 168–169Protocol Type field (RFC 1701 GRE header), 225proxy authentication, configuring, 541–544 proxy servers, 129
firewalls, 141public/private key pairs, 307
public/private key pairs
NSPP.book Page 767 Tuesday, October 22, 2002 8:27 AM
768
QQoS (quality of service)
CAR, 613–614compound interest measurement, 615–616dropping malicious traffic, 616–618token buckets, 614
NBAR, 599–600classifying attacks with PDLM, 607–608detection of Code Red worm, 608–610effect on performance, 608marking/dropping packets, 605–606recognizable protocols, 600–603
qualitative risk assessment, 8quick mode (IKE), 279
timeout negotiation, 293
RRADIUS, 515
accounting, 531–532IETF Accounting AV pairs, 532–533
authentication, 519authorization, 520–530
IETF attributes, 521–531vendor-specific attributes, 530–531
communications architecture, 516packet format, 517–518password encryption, 518–519
rate limitingCAR, 613–614
compound interest measurement, 615–616dropped packets, 616dropping malicious traffic, 616–618token buckets, 614
DoS attacks, 616–618suspicious traffic, 618
recommended PIX timeout values, 637redundancy
HSRP, 42active routers, 43Failover protocol, 49failure detection, 43functionality, 47–49
implementations, 46–47packet format, 44–46versus VRRP, 49
physical security, 36PIX Firewall capabilities, 155–158routing-enabled, 39–40
dynamic, 41static routes, 40
VRRP, 50failure detection, 51master router selection, 50packet format, 51–54
remote-access clients, x-auth, 539–541remote-access IPsec, 275, 317–318, 366–368
combining with LAN-to-LAN configuration, 369–373
extended authentication, 318–320mode configuration, 321NAT transparency, 321
resolving common issuesAAA-related problems, 671–677IDS-related problems, 666–670IOS-related Firewall problems, 651–652IPsec-related problems, 661–666NAT-related problems, 629–633
resource exhaustion DoS attacks, 405DDoS
Stacheldraht, 411–413TFN, 409–411Trinoo, 407–408
simple DoS attacks. TCP SYN floods, 406–407responses to intrusions (IDS Sensor), 438
event logging, 439–442IP session logging, 441–443shunning, 444TCP reset, 443
restrictingBGP communications, 94MAC addresses on specific ports, 107–109traffic
with ACLs, 572–573with IP Permit lists, 109–110
restrictive security policies, 9RFC 1701 GRE implementation, 224–226
QoS (quality of service)
NSPP.book Page 768 Tuesday, October 22, 2002 8:27 AM
769
RFC 1918 addressingaddress space, filtering, 582NAT, 129–130vulnerabilities of, 131
RFC 2409, IKE, 277RFC 2784 GRE implementation, 226–227RFC 2890 GRE implemenation, 226risk assessment, likelihood of attacks, 7–8route dampening, 95–96route filtering, 81
address spaces, 82applying, 82ingress filtering, 82net police filters, 82OSPF, 101
Router and PIX Firewall sensors, 435router-based sensors
event logging, 442–443IP session logging, 443
routersCBAC implementation case study, 207–212CEF, enabling, 67configuration management, 54–55configuring as sensors, 449–454controlling access, 55
TTY, 58vty, 55–57
core dumps, 70disabling unnecessary services, 61–63events logging, 61HTTP, configuring, 66login banners, 69loopback interfaces, 63Nagle protocol, 70NTP, configuring, 68password management, 59–60scheduler, configuring, 67securing access, 58sensor implementation, 448sinkholes, 558SNMP, configuring, 64–66standby mode, 42traffic processing, 585
routingasymmetric, 89black hole filtering, 87–88convergence, 83
directed broadcast control, 87maintaining path integrity
ICMP redirects, 91IP source routinng, 91
PIX Firewall capabilities, 155route authentication, 83
clear-text passwords, 84–87MD5-HMAC, 84–87OSPF, 98
static routes, 83URPF, 88
applying, 90configuring, 89
Routing field (RFC 1701 GRE header), 226routing protocols
BGP, 92disabling version notification, 94EBGP multihop, 94incoming route filtering, 92–93logging neighbor status changes, 97network advertisements, 93outgoing route filtering, 93peer authentication, 92restricting BGP communications, 94
OSPFconfiguring loopbacks as router ID, 101nonbroadcast neighbor configuration,
98–99route filtering, 101router authentication, 98stub areas, 99–100timers, configuring, 101
routing tables, maintaining stability, 94maximum-prefix command, 97route dampening, 95–96
routing-enabled redundancy, 39–40dynamic, 41static routes, 40
SSA (security association), 279sapd daemon, 431
IDS Sensor, 437UNIX director, 431
sapd daemon
NSPP.book Page 769 Tuesday, October 22, 2002 8:27 AM
770
scaling PIX configurations, 191–195scheduler, configuring, 67script kiddies, 403security policies, 5
auditing, 12creating, 8–9defining, 15–20design issues, 11elements of, 9–10incident reporting, 18implementing, 10–11
security zonesdefining, 25–26DMZs, 26–30
case study, 30–31placement, 28–30
PIX, 152–153selecting
secure locations for devices, 37–38secure media, 38VRRP master routers, 50
Sensor CA (CSPM IDS console), 433sensors
Catalyst 6000 IDSM, configuring as, 458–461Cisco Secure IDS
configd daemon, 437fileXferd daemon, 437inline processing, 427interaction with management console,
427–428loggerd daemon, 437managed daemon, 437packetd daemon, 437passive monitoring, 427placement, 426postofficed daemon, 436–437sapd daemon, 437types of, 435
PIX Firewall, configuring as, 454–457responses to intrusions, 438
event logging, 439–442IP session logging, 441–443shunning, 444TCP reset, 443
routers, configuring as, 449–454
signature engines, 446–447signatures, corresponding alarms and severity
levels, 447–448Sequence field (L2TP header), 250Sequence Number field (RFC 1701 GRE
header), 225service provider security
backscatter traceback, 560–562components of, 563implementing, 563motivation for, 557
ability to track source of attacks, 560–562defense against attacks, 557–558
sinkhole routers, 558session establishment, L2TP, 247–248Session ID field (L2TP header), 250setup process, L2TP, 246
compulsory tunnels, 251–266with IPsec, 266–270
severity levels of alarms, 447–448Shimomura, Tsotomu, 421–422show conn detail command, 639–640show crypto engine connection active
command, 659show crypto isakmp sa command, 659–660show interface command, 640–643show ip inspect all command, 648–649show ip nat translations command, 628show xlate detail command, 637–639shunning, 443, 575
configuring on UNIX director, 462–463managed daemon (Cisco IDS sensor), 437
signature engines, 446–447signature-based IDSs, 419signatures, 419, 463–465
corresponding alarms and severity levels, 447–448
IDS signature categories, 444–445simple-text password authentication (VRRP), 53sinkhole routers, 558SIS (state information structure), 200–201site to site IPsec VPNs, 274SKEME, 276smashing the stack, 416smid daemon, 431smid daemon (UNIX director), 431
scaling PIX configurations
NSPP.book Page 770 Tuesday, October 22, 2002 8:27 AM
771
smurf attacks, thwarting with ACLs, 576, 578SNMP (Simple Network Management Protocol),
configuring, 64–66son-of-IKE initiative, 277Source Address field (VRRP packets), 51source of attacks, tracking with service provider
security, 560–562Spafford, G., 8speak state (HSRP routers), 43spoof detection, PIX Firewall, 168spoofed IP addresses
blocking, 575source IP addresses, 88–89
SSH (secure shell), 58PIX implementation, 73
Stacheldraht attack, 411–413standalone IDS 4200 series sensors, 435standard ACLs, 568standards, IEEE 802.1x
configuring on Catalyst 6000 switches, 123–125
functionality, 122port authentication, 114–121
standby groups (HSRP), 43standby mode (HSRP), 42state information, 147
SIS, 200–201stateful inspection, 152
packet filters, 142TCP packets, 148
static routes, 83routing-enabled redundancy, 40
statistical anomaly-based IDSs, 419sticky ARP, 113stub areas, configuring, 99–100subport classification, NBAR, 600supplicants (IEE 802.1x), 114
communications with authenticator, 119–121suspicious content, rate-limiting, 618switches
access control, 75Catalyst 6000 private VLANs, 111–112
ARP spoofing, 113configuring, 113ports, 112IEEE 802.1x, configuration, 123–125sticky ARP, 113
configuration management, 75core dumps, 78events logging, 76login banners, 78NTP, 77
switchingbasic security rules, 105–106IP permit lists, configuring, 109–110LAN floods, controlling, 110–111port authentication, 114
communications, 115–121functionality, 122
port security, 107–109SYN floods
rate limiting with CAR, 617thwarting with ACLs, 579–580
synchronization, NTPconfiguring, 68switch implementations, 77
syslog messages, PIX, 153–154sysopt commands, 169–172system access attacks, 402
TTACACS+ (Terminal Access Controller Access
Control Server plus)accounting, 508–512authentication, 498authorization, 499–507communications architecture, 494daemon functionality, 493–494header architecture, 495–497packet encryption, 497
TCP (Transmission Control Protocol)connection establishment through PIX,
148–150ISN, generating with ASA, 148NBAR recognized protocols, 600–602packet filtering with ASA, 148
TCP port 179, restricting BGP communications, 94TCP reset, 443TCP SYN floods, 405–407
preventing with Cisco IOS Firewalls, 206TED (Tunnel Endpoint Discovery), configuring,
379–391
TED (Tunnel Endpoint Discovery), configuring
NSPP.book Page 771 Tuesday, October 22, 2002 8:27 AM
772
TFN (tribal flood network) attack, 409–411TFN2K attack, 411threats, assessing, 6–7three-legged firewalls, creating DMZs, 27three-message exchange, L2TP, 246threshold values, CBAC, 204–205thwarting attacks with ACLs
DoS attacks, 580–582fraggle attacks, 578–579smurf attacks, 576–578SYN floods, 579–580
timeout negotiation, 293timeout values
CBAC, 204–205PIX, 637
timers, OSPF configuration, 101tiny fragment attacks, 174–175, 588TLS (Transport-Layer Security) messages, 118token buckets, 614–616top-down processing (ACLs), 571topographical designs, physical security, 36ToS (type of service), marking packets, 605–607traffic. See also traffic filters
classifying with NBAR, 599–600recognizable protocols, 600–603
controlling with CAR, 613–614compound interest measurement, 615–616dropping malicious traffic, 616–618token buckets, 614
network flows, 594policing, 607
traffic filtersACLs, 572–573
blocking IMP packets, 573–575blocking known offenders, 575blocking spoofed IP addresses, 575extended, 569–571functionality, 567–568, 573impact on performance, 590implicit deny all entry, 571logging facility, 573standard, 568thwarting DoS attacks, 580–582thwarting fraggle attacks, 578–579thwarting smurf attacks, 576–578thwarting SYN floods, 579–580top-down processing, 571
black hole filtering, 87–88PIX Firewall, 165
transform payloads, IKE SA timeout negotiation, 284
transport layer inspection, Cisco IOS Firewall, 202transport mode (IPsec) encapsulation, 314Trinoo DDoS attack, 408troubleshooting
AAA, 670–677IDS problems, 666–670IOS Firewalls, 647–648
common problems, 651–652debug commands, 650–651show commands, 648–649
IPsec problems, 661–666NAT, 629–633PIX, 633–634, 643–645
common problems, 643–645connectivity, 645–647
trunking, VLAN security, 106Tsutomu Shimomura, 421–422TTL field (VRRP packets), 51TTY lines, 55
controlling router access, 58Tunnel ID field (L2TP header), 250tunnel mode (IPsec) encapsulation, 314–316tunneling
IPsec, IKE negotiationaggressive mode exchange process,
302–306main mode exchange process, 280–302
L2TP, 243compulsory tunnels, 245, 251–270control connection establishment, 246header format, 248–250session establishment, 247–248setup process, 246tunnel layers, 244voluntary tunnels, 245
voluntary, 373–379with GRE between private networks, 227–230
turbo ACLs, 590–591configuring, 591–593
Type field L2TP header, 250VRRP packets, 52
TFN (tribal flood network) attack
NSPP.book Page 772 Tuesday, October 22, 2002 8:27 AM
773
UUDP (User Datagram Protocol)
transmission through PIX, 150NBAR recognized protocols, 600–602
unauthorized access, restricting with ACLs, 572–573
Unicast Reverse Path Forwarding. See URPFunicode exploits, 418unintentional inside attackers, 403UNIX director
configuring routers as sensors, 449–454internal architecture, 430
configd daemon, 431eventd daemon, 432fileXferd daemon, 431loggerd daemon, 431POP, 432postofficed daemon, 430sapd daemon, 431smid daemon, 431
shunning configuration, 462–463versus CSPM IDS Console, 429
unstable routing tables, controlling, 94maximum-prefix command, 97route dampening, 95–96
URPF (Unicast Reverse Path Forwarding), 88–89applying, 90configuring, 89PIX Firewall, 168
V-Wvendor-specific attributes supported on Cisco
routers, 530–531Version field
L2TP header, 250VRRP packets, 52
Virtual IP Address field (HSRP), 46virtual reassembly, 163Virtual Router Redundancy Protocol. See VRRPvirtual routers, 42Virtual Rtr ID field (VRRP packets), 52
viruses, Code Red worm, 608–610VLANs, 105
basic security rules, 105–106versus private VLANs, 111
voluntary tunneling, 245, 373–379VPDN (Virtual Private Dialup Networking),
544–547VPNs
application layer, 219data link layer, 219encrypted, 218extranet, 220high-availability IPsec over GRE, 360–365intranet, 220IPsec, 653–654
debugs, 654–658show commands, 658–660
misconfigured access lists, troubleshooting, 662network layer, 219nonencrypted, 218one-to-many router IPsec, 355–360remote-access IPsec implementations, 366–368router-to-router IPsec
using digital signatures, 338–349using preshared key authentication,
325–338using RSA encrypted nonces, 349–354
VRRP (Virtual Router Redundancy Protocol)failure detection, 51master router selection, 50packet format, 51–54versus HSRP, 50
vty router access, 55controlling, 55–57
vulnerabilitiesassessing, 6–7of NAT, 131of underlying firewall operating systems, 140
vulnerabilities
NSPP.book Page 773 Tuesday, October 22, 2002 8:27 AM
774
X-Y-Zx-auth (extended authentication), 318–320, 539–541
for remote-access clients, 539–540VPN users, 541
x bits field (L2TP header), 250
ZLB ACKs, 248zoning secure networks, 25–26
case study, 30–31DMZs, 26–30
x-auth (extended authentication)
NSPP.book Page 774 Tuesday, October 22, 2002 8:27 AM