
Document: Managing Cisco Network Security (pptx)
PREMIUM
Pages: 497
Size: 4.9 MB
Format: PDF
Views: 1608


FREE Monthly Technology Updates

One-year Vendor Product Upgrade Protection Plan

FREE Membership to Access.Globalknowledge

MANAGING CISCO NETWORK SECURITY

Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA

Oliver Steudler, CCNA, CCDA, CNE

Jacques Allison, CCNP, ASE, MCSE+I

TECHNICAL EDITOR:

Florent Parent, Network Security Engineer, Viagénie Inc.

“Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.”

—David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA
President, Certified Tech Trainers

1 YEAR UPGRADE BUYER PROTECTION PLAN

112_FC 11/22/00 1:15 PM Page 1

With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created [email protected], a service that includes the following features:

■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.

■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for [email protected].

■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.

■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions.

To register, you will need to have the book handy to verify your purchase.

Thank you for giving us the opportunity to serve you.

[email protected]

112_IpSec_FM 11/8/00 8:52 AM Page i

MANAGING CISCO NETWORK SECURITY: BUILDING ROCK-SOLID NETWORKS

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Managing Cisco Network Security: Building Rock-Solid Networks

Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-17-2

Copy edit by: Adrienne Rebello
Proofreading by: Nancy Kruse Hannigan
Technical review by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Technical edit by: Florent Parent
Index by: Robert Saigh
Project Editor: Mark A. Listewnik
Co-Publisher: Richard Kristof

Distributed by Publishers Group West

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.

From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.

Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,

Duncan Anderson
President and Chief Executive Officer, Global Knowledge

Contributors

Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedicated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute. Russell’s main area of expertise is in LAN routing and switching technologies and network security implementations.

Chapters 3, 4, and 6.

David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades.

Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing and troubleshooting complex networks.

Chapter 5.

Jacques Allison (CCNP, ASE, MCSE+I) has been involved with Microsoft-related projects on customer networks ranging from single domain and Exchange organization migrations to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management. He received his engineering diploma in Computer Systems in 1996 from the Technicon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997.

Jacques would like to dedicate his contribution to this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support.

Chapter 8.

John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years of experience in the implementation, design, and troubleshooting of local and wide area networks, as well as four years of experience as an instructor. John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is currently pursuing his CCIE. He would like to dedicate his efforts on this book to his daughter, Sydney.

Chapter 2.

Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security.

Chapter 1.

Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group www.ccguru.com. Pritpal owes his success to his family and lifelong friend, Vaheguru Ji.

Chapter 7.

Technical Editor

Florent Parent is currently working at Viagénie, Inc. as a consultant in network architecture and security for a variety of organizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, network manager, and educator. He is involved in the architecture development and deployment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec work groups.

In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9.

Technical Reviewer

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force.

While in the Air Force, Stace was involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit, as well as protecting the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO).

Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He is also a published author in “Internet Security Advisor” magazine.

His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house. Without their love and support, he would not be able to accomplish the goals he has set for himself.

Contents

Preface xxi

Chapter 1 Introduction to IP Network Security 1

Introduction 2

Protecting Your Site 2

Typical Site Scenario 5

Host Security 7

Network Security 9

Availability 10

Integrity 11

Confidentiality 12

Access Control 12

Authentication 13

Authorization 14

Accounting 15

Network Communication in TCP/IP 15

Application Layer 17

Transport Layer 18

TCP 18

TCP Connection 20

UDP 21

Internet Layer 22

IP 22

ICMP 23

ARP 23

Network Layer 24

Security in TCP/IP 24

Cryptography 24

Symmetric Cryptography 25

Asymmetric Cryptography 26

Hash Function 26

Public Key Certificates 27

112_IpSec_TOC 11/7/00 3:15 PM Page xi


Application Layer Security 28

Pretty Good Privacy (PGP) 28

Secure HyperText Transport Protocol (S-HTTP) 28

Transport Layer Security 29

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 29

Secure Shell (SSH) 30

Filtering 30

Network Layer Security 31

IP Security Protocols (IPSec) 31

Filtering (Access Control Lists) 34

Data Link Layer Security 34

Authentication 34

Terminal Access Controller Access Control System Plus (TACACS+) 34

Remote Access Dial-In User Service (RADIUS) 35

Kerberos 36

Cisco IP Security Hardware and Software 37

Cisco Secure PIX Firewall 37

Cisco Secure Integrated Software 40

Cisco Secure Integrated VPN Software 40

Cisco Secure VPN Client 41

Cisco Secure Access Control Server 41

Cisco Secure Scanner 42

Cisco Secure Intrusion Detection System 42

Cisco Secure Policy Manager 43

Cisco Secure Consulting Services 43

Summary 44

FAQs 45

Chapter 2 Traffic Filtering on the Cisco IOS 47

Introduction 48

Access Lists 48

Access List Operation 49

Types of Access Lists 50

Standard IP Access Lists 52

Source Address and Wildcard Mask 53

Keywords any and host 56

Keyword log 57

Applying an Access List 58

Extended IP Access Lists 59

Keywords permit or deny 62

Protocol 62

Source Address and Wildcard-Mask 62


Destination Address and Wildcard Mask 63

Source and Destination Port Number 63

Established 65

Named Access Lists 67

Editing Access Lists 69

Problems with Access Lists 70

Lock-and-Key Access Lists 71

Reflexive Access Lists 77

Building Reflexive Access Lists 79

Applying Reflexive Access Lists 82

Reflexive Access List Example 82

Context-based Access Control 84

The Control-based Access Control Process 86

Configuring Control-based Access Control 86

Inspection Rules 89

Applying the Inspection Rule 89

Configuring Port to Application Mapping 91

Configuring PAM 91

Protecting a Private Network 92

Protecting a Network Connected to the Internet 93

Protecting Server Access Using Lock-and-Key 94

Protecting Public Servers Connected to the Internet 96

Summary 97

FAQs 98

Chapter 3 Network Address Translation (NAT) 99

Introduction 100

NAT Overview 100

Overview of NAT Devices 100

Address Realm 101

NAT 101

Transparent Address Assignment 102

Transparent Routing 103

Public, Global, and External Networks 104

Private and Local Networks 105

Application Level Gateway 105

NAT Architectures 106

Traditional or Outbound NAT 106

Network Address Port Translation (NAPT) 108

Static NAT 109

Twice NAT 111

Guidelines for Deploying NAT and NAPT 113


Configuring NAT on Cisco IOS 116

Configuration Commands 116

Verification Commands 121

Configuring NAT between a Private Network and Internet 122

Configuring NAT in a Network with DMZ 124

Considerations on NAT and NAPT 127

IP Address Information in Data 127

Bundled Session Applications 127

Peer-to-Peer Applications 128

IP Fragmentation with NAPT En Route 128

Applications Requiring Retention of Address Mapping 128

IPSec and IKE 129

Summary 129

FAQs 130

Chapter 4 Cisco PIX Firewall 131

Introduction 132

Overview of the Security Features 133

Differences Between IOS 4.x and 5.x 137

Initial Configuration 139

Installing the PIX Software 140

Basic Configuration 140

Installing the IOS over TFTP 143

Command Line Interface 145

IP Configuration 146

IP Address 147

Configuring NAT and NAPT 149

Security Policy Configuration 153

Security Strategies 153

Deny Everything That Is Not Explicitly Permitted 154

Allow Everything That Is Not Explicitly Denied 154

Identify the Resources to Protect 156

Demilitarized Zone (DMZ) 157

Identify the Security Services to Implement 158

Authentication and Authorization 158

Access Control 159

Confidentiality 159

URL, ActiveX, and Java Filtering 160

Implementing the Network Security Policy 160

Authentication Configuration in PIX 160

Access Control Configuration in PIX 163
