Managing Cisco Network Security PDF
2000
Russell Lusignan, Oliver Steudler, Jacques Allison
112_FC 11/22/00 1:15 PM Page 1

1 Year Upgrade Buyer Protection Plan

MANAGING CISCO NETWORK SECURITY

“Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.”
—David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA, President, Certified Tech Trainers

FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge

Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA
Oliver Steudler, CCNA, CCDA, CNE
Jacques Allison, CCNP, ASE, MCSE+I
TECHNICAL EDITOR: Florent Parent, Network Security Engineer, Viagénie Inc.

[email protected]

With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created [email protected], a service that includes the following features:

A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.

Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for [email protected].

Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.

Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.

MANAGING CISCO NETWORK SECURITY: BUILDING ROCK-SOLID NETWORKS

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER: 001 AWQ692ADSE; 002 KT3LGY35C4; 003 C3NXC478FV; 004 235C87MN25; 005 ZR378HT4DB; 006 PF62865JK3; 007 DTP435BNR9; 008 QRDTKE342V; 009 6ZDRW2E94D; 010 U872G6S35N

PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370

Managing Cisco Network Security: Building Rock-Solid Networks
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-17-2

Copy edit by: Adrienne Rebello
Proofreading by: Nancy Kruse Hannigan
Technical review by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Technical edit by: Florent Parent
Index by: Robert Saigh
Project Editor: Mark A. Listewnik
Co-Publisher: Richard Kristof
Distributed by Publishers Group West

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.

From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge

Contributors

Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedicated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute. Russell’s main area of expertise is in LAN routing and switching technologies and network security implementations. Chapters 3, 4, and 6.

David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades.

Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing and troubleshooting complex networks. Chapter 5.

Jacques Allison (CCNP, ASE, MCSE+I) has been involved with Microsoft-related projects on customer networks ranging from single domain and exchange organization migrations to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management. He received his engineering diploma in Computer Systems in 1996 from the Technicon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997. Jacques would like to dedicate his contribution for this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support. Chapter 8.

John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years experience in the implementation, design, and troubleshooting of local and wide area networks as well as four years of experience as an instructor. John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is currently pursuing his CCIE. He would like to dedicate his efforts on this book to his daughter, Sydney. Chapter 2.

Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security. Chapter 1.

Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group www.ccguru.com. Pritpal owes his success to his family and lifelong friend, Vaheguru Ji. Chapter 7.

Technical Editor

Florent Parent is currently working at Viagénie, Inc. as a consultant in network architecture and security for a variety of organizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, network manager, and educator. He is involved in the architecture development and deployment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec work groups. In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9.

Technical Reviewer

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. While in the Air Force, Stace was involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He is also a published author in “Internet Security Advisor” magazine. His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house. Without their love and support, he would not be able to accomplish the goals he has set for himself.
Contents

Preface

Chapter 1 Introduction to IP Network Security: Introduction; Protecting Your Site; Typical Site Scenario; Host Security; Network Security; Availability; Integrity; Confidentiality; Access Control; Authentication; Authorization; Accounting; Network Communication in TCP/IP; Application Layer; Transport Layer; TCP; TCP Connection; UDP; Internet Layer; IP; ICMP; ARP; Network Layer; Security in TCP/IP; Cryptography; Symmetric Cryptography; Asymmetric Cryptography; Hash Function; Public Key Certificates; Application Layer Security; Pretty Good Privacy (PGP); Secure HyperText Transport Protocol (S-HTTP); Transport Layer Security; Secure Sockets Layer (SSL) and Transport Layer Security (TLS); Secure Shell (SSH); Filtering; Network Layer Security; IP Security Protocols (IPSec); Filtering (Access Control Lists); Data Link Layer Security; Authentication; Terminal Access Controller Access Control System Plus (TACACS+); Remote Access Dial-In User Service (RADIUS); Kerberos; Cisco IP Security Hardware and Software; Cisco Secure PIX Firewall; Cisco Secure Integrated Software; Cisco Secure Integrated VPN Software; Cisco Secure VPN Client; Cisco Secure Access Control Server; Cisco Secure Scanner; Cisco Secure Intrusion Detection System; Cisco Secure Policy Manager; Cisco Secure Consulting Services; Summary; FAQs

Chapter 2 Traffic Filtering on the Cisco IOS: Introduction; Access Lists; Access List Operation; Types of Access Lists; Standard IP Access Lists; Source Address and Wildcard Mask; Keywords any and host; Keyword log; Applying an Access List; Extended IP Access Lists; Keywords permit or deny; Protocol; Source Address and Wildcard-Mask; Destination Address and Wildcard Mask; Source and Destination Port Number; Established; Named Access Lists; Editing Access Lists; Problems with Access Lists; Lock-and-Key Access Lists; Reflexive Access Lists; Building Reflexive Access Lists; Applying Reflexive Access Lists; Reflexive Access List Example; Context-based Access Control; The Control-based Access Control Process; Configuring Control-based Access Control; Inspection Rules; Applying the Inspection Rule; Configuring Port to Application Mapping; Configuring PAM; Protecting a Private Network; Protecting a Network Connected to the Internet; Protecting Server Access Using Lock-and-Key; Protecting Public Servers Connected to the Internet; Summary; FAQs

Chapter 3 Network Address Translation (NAT): Introduction; NAT Overview; Overview of NAT Devices; Address Realm; NAT; Transparent Address Assignment; Transparent Routing; Public, Global, and External Networks; Private and Local Networks; Application Level Gateway; NAT Architectures; Traditional or Outbound NAT; Network Address Port Translation (NAPT); Static NAT; Twice NAT; Guidelines for Deploying NAT and NAPT; Configuring NAT on Cisco IOS; Configuration Commands; Verification Commands; Configuring NAT between a Private Network and Internet; Configuring NAT in a Network with DMZ; Considerations on NAT and NAPT; IP Address Information in Data; Bundled Session Applications; Peer-to-Peer Applications; IP Fragmentation with NAPT En Route; Applications Requiring Retention of Address Mapping; IPSec and IKE; Summary; FAQs

Chapter 4 Cisco PIX Firewall: Introduction; Overview of the Security Features; Differences Between IOS 4.x and 5.x; Initial Configuration; Installing the PIX Software; Basic Configuration; Installing the IOS over TFTP; Command Line Interface; IP Configuration; IP Address; Configuring NAT and NAPT; Security Policy Configuration; Security Strategies; Deny Everything That Is Not Explicitly Permitted; Allow Everything That Is Not Explicitly Denied; Identify the Resources to Protect; Demilitarized Zone (DMZ); Identify the Security Services to Implement; Authentication and Authorization; Access Control; Confidentiality; URL, ActiveX, and Java Filtering; Implementing the Network Security Policy; Authentication Configuration in PIX; Access Control Configuration in PIX; Securing Resources; URL, ActiveX, and Java Filtering; PIX Configuration Examples; Protecting a Private Network; Protecting a Network Connected to the Internet; Protecting Server Access Using Authentication; Protecting Public Servers Connected to the Internet; Securing and Maintaining the PIX; System Journaling; Securing the PIX; Summary; FAQs

Chapter 5 Virtual Private Networks: Introduction; What Is a VPN?; Overview of the Different VPN Technologies; The Peer Model; The Overlay Model; Link Layer VPNs; Network Layer VPNs; Transport and Application Layer VPNs; Layer 2 Transport Protocol (L2TP); Configuring Cisco L2TP; LAC Configuration Example; LNS Configuration Example; IPSec; IPSec Architecture; Security Association; Anti-Replay Feature; Security Policy Database; Authentication Header; Encapsulating Security Payload; Manual IPSec; Internet Key Exchange; Authentication Methods; IKE and Certificate Authorities; IPSec Limitations; Network Performance; Network Troubleshooting; Interoperability with Firewalls and Network Address Translation Devices; IPSec and Cisco Encryption Technology (CET); Configuring Cisco IPSec; IPSec Manual Keying Configuration; IPSec over GRE Tunnel Configuration; Connecting IPSec Clients to Cisco IPSec; Cisco Secure VPN Client; Windows 2000; Linux FreeS/WAN; BSD Kame Project; Summary; FAQs

Chapter 6 Cisco Authentication, Authorization, and Accounting Mechanisms: Introduction; AAA Overview; AAA Benefits; Cisco AAA Mechanisms; Supported AAA Security Protocols; RADIUS; TACACS+; Kerberos; RADIUS, TACACS+, or Kerberos; Authentication; Login Authentication Using AAA; PPP Authentication Using AAA; Enable Password Protection for Privileged EXEC Mode; Authorization; Configure Authorization; TACACS+ Configuration Example; Accounting; Configuring Accounting; Suppress Generation of Accounting Records for Null Username Sessions; RADIUS Configuration Example; Typical RAS Configuration Using AAA; Typical Firewall Configuration Using AAA; Authentication Proxy; How the Authentication Proxy Works; Comparison with the Lock-and-Key Feature; Benefits of Authentication Proxy; Restrictions of Authentication Proxy; Configuring Authentication Proxy; Configuring the HTTP Server; Configure Authentication Proxy; Authentication Proxy Configuration Example; Summary; FAQs

Chapter 7 Intrusion Detection: Introduction; What Is Intrusion Detection?; Network Attacks and Intrusions; Poor Network Perimeter/Device Security; Network Sniffers; Scanner Programs; Network Topology; Unattended Modems; Poor Physical Security; Application and Operating Software Weaknesses; Software Bugs; Web Server/Browser-based Attacks; Getting Passwords—Easy Ways in Cracking Programs; Trojan Horse Attacks; Virus or Worm Attacks; Human Failure; Poorly Configured Systems; Information Leaks; Malicious Users; Weaknesses in the IP Suite of Protocols; Layer 7 Attacks; Layer 5 Attacks; Layer 3 and 4 Attacks; Network and Host-based Intrusion Detection; Network IDS; Host IDS; What Can’t IDSs Do?; Deploying in a Network; Sensor Placement; Network Vulnerability Analysis Tools; Cisco’s Approach to Security; Cisco Secure Scanner (NetSonar); Minimum System Specifications for Secure Scanner V2.0; Searching the Network for Vulnerabilities; Viewing the Results; Keeping the System Up-to-Date; Cisco Secure Intrusion Detection System (NetRanger); What Is NetRanger?; Before You Install; Director and Sensor Setup; General Operation; nrConfigure; Data Management Package (DMP); Cisco IOS Intrusion Detection System; Configuring IOS IDS Features; Associated Commands; Cisco Secure Integrated Software (Firewall Feature Set); Summary; FAQs

Chapter 8 Network Security Management: Introduction; PIX Firewall Manager; PIX Firewall Manager Overview; PIX Firewall Manager Benefits; Supported PIX Firewall IOS Version Versus PIX Firewall Manager Version; Installation Requirements for PIX Firewall Manager; PIX Firewall Manager Features; Using PIX Firewall Manager; Configuration; Installation Errors in PIX Firewall Manager; A Configuration Example; CiscoWorks 2000 ACL Manager; ACL Manager Overview; ACL Manager Device and Software Support; Installation Requirements for ACL Manager; ACL Manager Features; Using a Structure Access Control Lists Security Policy; Increase Deployment Time for Access Control Lists; Ensure Consistency of Access Control Lists; Keep Track of Changes Made on the Network; Troubleshooting and Error Recovery; Basic Operation of ACL Manager; Using ACL Manager; Configuration; An ACL Manager Configuration Example; Cisco Secure Policy Manager; Cisco Secure Policy Manager Overview; The Benefits of Using Cisco Secure Policy Manager; Installation Requirements for Cisco Secure Policy Manager; Cisco Secure Policy Manager Features; Cisco Firewall Management; VPN and IPSec Security Management; Security Policy Management; Network Security Deployment Options; Cisco Secure Policy Manager Device and Software Support; Using Cisco Secure Policy Manager; Configuration; CSPM Configuration Example; Cisco Secure ACS; Cisco Secure ACS Overview; Cisco Secure ACS Benefits; Installation Requirements for Cisco Secure ACS; Cisco Secure ACS Features; Placing Cisco Secure ACS in Your Network; Cisco Secure ACS Device and Software Support; Using Cisco Secure ACS; Configuration; Cisco Secure ACS Configuration Example; Summary; FAQs

Chapter 9 Security Processes and Managing Cisco Security Fast Track: Introduction; What Is a Managing Cisco Security Fast Track?; Introduction to Cisco Network Security; Network Security; Network Communications in TCP/IP; Security in TCP/IP; Traffic Filtering on the Cisco IOS; Access Lists; Standard and Extended Access Lists; Reflexive Access Lists; Context-based Access Control; Network Address Translation (NAT); Private Addresses; Network Address Translation; Static NAT; Traditional or Outbound NAT; Network Address Port Translation (NAPT or PAT); Considerations; Cisco PIX Firewall; Security Policy Configuration; Securing and Maintaining the PIX; Virtual Private Networks (VPNs); L2TP; IPSec; Network Troubleshooting; Interoperability with Firewalls and Network Address Translation Devices; Cisco Authentication, Authorization and Accounting Mechanisms; Authentication; Authorization; Accounting; Intrusion Detection; What Is Intrusion Detection?; Cisco Secure Scanner (NetSonar); Cisco Secure NetRanger; Cisco Secure Intrusion Detection Software; Network Security Management; Cisco PIX Firewall Manager; CiscoWorks 2000 ACL Manager; Cisco Secure Policy Manager; Cisco Secure Access Control Manager; General Security Configuration Recommendations on Cisco; Remote Login and Passwords; Disable Unused Network Services; Logging and Backups; Traffic Filtering; Physical Access; Keeping Up-to-Date; Summary; FAQs

Index

Preface

The Challenges of Security

Providing good internetwork security and remaining current on new hardware and software products is a never-ending task. Every network security manager aims to achieve the best possible security because the risks are real and the stakes are high. An enterprise must decide what level of security is required, taking into account which assets to protect as well as the impact of the measures on costs, personnel, and training. Perfect security is an impossibility, so one must aim for the best possible security by devising a plan to manage the known risks and safeguard against the potential risks. Defining the enterprise security policy is the first step in implementing good security.

Many security tools are available to help reduce the vulnerability of your network. For example, a firewall can be deployed at the network perimeter to offer effective protection against many attacks. But a firewall is only one piece in the network security infrastructure. Good host security, regular assessment of the overall vulnerability of the network (audits), good authentication, authorization, and accounting practices, and intrusion detection are all valuable tools in combatting network attacks and ensuring a network security manager’s “peace of mind.”

Cisco Systems is the worldwide leader in IP networking solutions.
They offer a wide array of market-leading network security products: dedicated appliances, routers, and switches, most of which come with some form of security software. Currently, Cisco products comprise much of the Internet’s backbone. An in-depth knowledge of how to configure Cisco IP network security technology is a must for anyone working in today’s internetworked world. This book will provide you with the hands-on Cisco security knowledge you need to get ahead, and stay ahead.

About This Book

This book focuses on how to configure and secure IP networks utilizing the various security technologies offered by Cisco Systems. Inside are numerous configuration examples combined with extensive instruction from security veterans that will provide you with the information you need to implement a network solution and manage any-sized IP network security infrastructure. Although many books cover IP network security, we will concentrate specifically on security configurations using exclusively Cisco products. We supply you with exactly the information you need to know: what security solutions are available, how to apply those solutions in real-world cases, and what factors you should consider when choosing and implementing the technology.

Organization

Chapter 1 covers general system and network security concepts and introduces the different security mechanisms available through TCP/IP. Chapters 2, 3 and 4 deal with security through access control and advanced filtering mechanisms available in Cisco IOS routers and PIX firewall. Network Address Translation (NAT) is also covered in Chapter 3. Virtual Private Networks, AAA mechanisms, and intrusion detection follow in the next chapters. Network security management software available from Cisco is covered in Chapter 8. Chapter 9, the “Fast Track” chapter, provides an excellent review of the entire book and contains additional bonus coverage containing tips on general security processes. This will provide you with a quick jump on the key network security factors to weigh in choosing your security solutions.

www.syngress.com

Chapter 1: Introduction to IP Network Security provides an overview of the components that comprise system and network security. The chapter introduces some basic networking concepts (IP, TCP, UDP, ICMP) and discusses some of the security mechanisms available in TCP/IP. We also introduce some of the essential network security products available from Cisco.

Chapter 2: Traffic Filtering on the Cisco IOS focuses on access control through traffic filtering. We cover some of the different traffic filtering mechanisms available on the Cisco IOS such as the standard, extended, and reflexive access lists, as well as Context-based Access Control (CBAC). Many configuration recommendations and examples are presented.

Chapter 3: Network Address Translation (NAT) provides detailed coverage of Network Address Translation (NAT) mechanisms with configuration examples on Cisco IOS and PIX firewall.

Chapter 4: Cisco PIX Firewall covers the main features of PIX firewall with recommendations on security policy configuration. Many configuration examples using advanced features such as AAA, NAT, and URL filtering are presented. Note that the PIX Firewall Manager graphical user interface is covered in Chapter 8.

Chapter 5: Virtual Private Networks provides an overview of Virtual Private Network (VPN) technologies available for the Cisco product line. A description of the L2TP and IPSec protocols is presented, and configuration examples using Cisco Secure VPN client and Windows 2000 are provided.

Chapter 6: Cisco Authentication, Authorization, and Accounting Mechanisms discusses the authentication, authorization, and accounting (AAA) security services available on Cisco products. The different security servers supported in Cisco, TACACS+, Radius and Kerberos, are also explained. Note that the Cisco Secure Access Control Server is presented in Chapter 8.

Chapter 7: Intrusion Detection includes an overview of several methods used to attack networks. We discuss host and network intrusion and focus on the intrusion detection and vulnerability scanner products available from Cisco.

Chapter 8: Network Security Management provides a look at the network security management tools available from Cisco: PIX Firewall Manager, CiscoWorks 2000 Access Control Lists Manager, Cisco Secure Policy Manager (CSPM), and Cisco Secure Access Control Server.

Chapter 9: Security Processes and the Managing Cisco Security Fast Track provides a concise review of Cisco IP network security, detailing the essential concepts covered in the book. This chapter also includes a section on general security configuration recommendations for all networks. You can use these recommendations as a checklist to help you limit the exposure and vulnerability of your security infrastructure.

Audience

This book is intended primarily for network managers and network administrators who are responsible for implementing IP network security in a Cisco environment. However, it is also useful for people who are interested in knowing more about the security features available in Cisco products in general. The book is designed to be read from beginning to end, but each chapter can stand alone as a useful reference should you want detailed coverage of a particular topic. Readers who want a quick understanding of the information contained in the book can read Chapter 9 first.
This book will give the reader a good understanding of what security solutions are available from Cisco and how to apply those solutions in real-world cases. These solutions will give security managers and administrators the necessary tools and knowledge to provide the best protection for their network and data.

Editor’s Acknowledgement

I would like to thank Mark Listewnik from Syngress Publishing for his support; Marc Blanchet, colleague and friend, for his help, encouragement and guidance; all my colleagues and friends at Viagénie; and, especially, my wife Caroline for her exceptional support and patience.

––Florent Parent

Chapter 1
Introduction to IP Network Security

Solutions in this chapter:
Protecting Your Site
Network Communication in TCP/IP
Security in TCP/IP
Cisco IP Security Hardware and Software

Introduction

The “2000 CSI/FBI Computer Crime and Security Survey,” conducted in early 2000 by the Computer Security Institute (CSI) with participation by the San Francisco office of the Federal Bureau of Investigation (FBI), showed that 90 percent of survey participants from large U.S. corporations, financial institutions, medical institutions, universities, and government agencies detected security breaches in 1999. About 70 percent of the participants experienced breaches more serious than viruses or employee Web abuse. Forty-two percent of survey participants (273 organizations) claimed financial losses totaling over 265 million dollars from cyber attacks. These security threats were composed of an assortment of attacks and abuses that originated both internally and externally to their network borders. The CSI survey showed financial losses were larger than in any previous year in eight out of twelve categories.
The largest loss was attributed to theft of proprietary information, followed by financial fraud, viruses, insider net abuse, and unauthorized insider access.

Many organizations are increasing their use of electronic commerce for business-to-business and business-to-consumer transactions. New initiatives, such as Application Service Providers (ASPs), expose vital corporate information and services to the Internet. People have altered the way that they work, now extending the workday or working full time from home. Telecommuters and mobile workers now require remote access to information resources normally protected within the organization’s network. Businesses and individuals now depend upon information systems and data communications to perform essential functions on a daily basis. In this environment of increasingly open and interconnected communication systems and networks, information security is crucial for protecting privacy, ensuring availability of information and services, and safeguarding integrity. These new technologies and increased connectivity via public access networks and extranets have allowed businesses to improve efficiency and lower costs, but at the price of increased exposure of valuable information assets to threats.

Protecting Your Site

Attack techniques are constantly evolving. Over the last twenty years, tools for attacking information systems have become more powerful but, more importantly, easier to use. Ease of use has lowered the technical knowledge required to conduct an attack, and has thus increased the pool of potential attackers exponentially. Script Kiddie is a term used to indicate a person who just needs to acquire a program to launch an attack and doesn’t need to understand how it works.

Many network security failures have been widely publicized in the world press.
One advantage of this unfortunate situation is lowered resistance from upper management to supporting security initiatives. Getting upper management support is the first step in creating an effective network security program. Management must provide the authority to implement security processes and procedures. Management commits to the security of information assets by documenting the authority and obligations of departments or employees in an information security policy, and supports it by providing the resources to build and maintain an effective security program.

An effective security program includes awareness, prevention, detection, measurement, management, and response to minimize risk. There is no such thing as perfect security. A determined and persistent attacker can find a way to defeat or bypass almost any security measure. Network security is a means of reducing vulnerabilities and managing risk.

Awareness should be tailored to the job requirements of employees. You must make employees understand why they need to take information security seriously. End-users choosing weak passwords or falling for social engineering attacks can easily neutralize the best technical security solutions. Upper management must provide training, motivation, and codes of conduct so that employees comply with security measures.

NOTE

Don’t ignore the human factors in designing or implementing a security plan. Security is a tradeoff between productivity and protection. If you want to realize acceptance and cooperation, avoid unreasonable constraints on end-users. If security measures are too cumbersome, people will circumvent them and take the path of least resistance to getting their work done.

People will often fail before equipment fails. Social engineering is the use of social skills to deceive an employee in order to gain unauthorized access.
For example, an unauthorized person could pretend to help an authorized user in an attempt to trick them out of their passwords or access codes. Social engineering attacks bypass technical or logical security controls. Defeating social engineering attacks depends on having users who are aware of the need to protect information and can recognize attempts to deceive them. They follow procedures, like verifying the identity of anyone seeking sensitive information, that are designed to reduce the likelihood of inappropriate disclosure.

Awareness also applies to network and system administrators. Information security covers an enormous range of skills and knowledge. Pursue your education on a continuous basis. You need to be aware of trends in attack methods, the threats that could damage your systems, and the safeguards that you can deploy to counter them.

Security is a continuous process that includes the stages of protect, detect, analyze, manage, and recover. This book covers many of Cisco’s security products that provide protection from threats, detection of network security incidents, measurement of vulnerability and policy compliance, and management of security policy across an extended organization. These are the tools that you have to mount defenses against threats.

Protection of assets must be cost effective. In analyzing your security needs, you first identify what assets you want to protect, and the value of those assets. Determine the threats that may damage these assets, and the likelihood of those threats occurring. Prioritize the relationships, so you concentrate on mitigating the risks with the highest potential damage and greatest likelihood of occurring. To determine how to protect the asset, consider the cost of your protection measured against the value of the asset that you’re trying to protect.
You don’t want to spend more for preventing a potential adversity than the asset is worth.

Monitor your network and systems to detect attacks and probes—and know what “normal” for your network and systems looks like. If you are not used to seeing normal behavior on your network, you may not recognize or be able to isolate an attack. Many systems on the network can provide clues and status information in their logs. Be sure to log enough information that you can recognize and record an attack, and examine these logs carefully. Use intrusion detection systems to watch the network traffic.

TIP

It is a good idea to synchronize the clocks of all your network devices and systems. Accurate time will help you compare logs that originate on different systems located in different parts of your network. You will be better able to reconstruct a complex sequence of events spanning multiple systems. Synchronized clocks will also assist forensic investigators coordinating events that may occur in various parts of the Internet. Distributed attacks or relayed attacks can involve many systems in different parts of the world.

Some services, such as Kerberos, are dependent on having a consistent time reference across systems. If the time on systems is outside of specification, Kerberos will deny access because the design assumes that it may be encountering a replay attack.

Recovery is as important as protection. A planned response to recover from incidents or attacks is a necessary part of network security. Have a plan in place, so you know what to do when a security crisis arises. It is a lot easier to think about what needs to be done and who needs to be notified while you’re not in the middle of a crisis. A well thought-out plan can help you make the right decisions, save valuable time, and minimize damage in an emergency.
Management of security requires coordination and planning. The pervasive need for communications and the complexity of networks that support those needs have made security management a difficult task. Security will be only as good as the weakest link in the security chain. Security management tools that can create, distribute, and audit consistent security configurations and policies are critical for large and distributed organizations.

Typical Site Scenario

Business needs and technology are both evolving rapidly. A revolution in the ways that people work and companies interact is being brought about by the capabilities provided by telecommunications. Networks have to provide availability, integrity, and confidentiality under diverse conditions. Networks must provide ubiquitous connectivity to all corners of your organization, including branch offices, mobile workers, and telecommuters. It may also include connections to business partners. Services made accessible to the public to improve availability and lower costs increase the exposure of some systems to millions of people. Figure 1.1 shows a typical site scenario.

The headquarters is a source of information vital to the operation of the organization. It also needs to collect data from all parts of the organization to conduct business, manage resources, and monitor the status of its business environment. This central site must accommodate many types of connections. It may use multiple wide area network (WAN) technologies to connect to branch offices or business partners. These connections may be permanent or on-demand. It should provide dial-up for mobile users or telecommuters. Most organizations also have an Internet connection to provide public information or business services.

The central site network is usually confined to a small geographic area. It may be a single building or a campus environment, but it will form the core of the network.
Small or medium organizations may only have a presence at one geographic location, while large enterprises have several core sites on various continents, interconnected by a global WAN. This central site will have a mix of private servers, public servers, printers, workstations, and network equipment. The design of the network and the provision of services must be flexible to meet the changing needs and priorities of the organization.

Figure 1.1 A typical site scenario. [Diagram: the central site headquarters campus network, connected over a WAN and the Internet to a branch office, a telecommuter, mobile laptop and PDA users, and a business partner.]

Before the advent of virtual private network (VPN) technology, remote connections were usually through expensive dedicated lines, or smaller organizations may have used on-demand connection technologies such as dial-up over Integrated Services Digital Network (ISDN) or the Public Switched Telephone Network (PSTN). VPN has allowed companies to shift their connections to the Internet and save money, but still provide confidentiality and integrity for their communication traffic.

Branch offices can be located on the other side of the city or scattered across a continent. They may exist to provide business services, distribution, sales, or technical services closer to the location of customers. These offices can have one, two, or up to hundreds of employees. A branch office usually has business needs to access information securely at the headquarters site or other branch offices, but due to its smaller size, is constrained by cost for its connectivity options. When the cost or business needs are justified, the branch office would have a permanent connection to the central headquarters. Most branch offices will also have an Internet connection.
Business partners may be collaborative partners, manufacturers, or supply chain partners. Technologies such as Electronic Data Interchange (EDI) over proprietary networks have been used by large businesses to perform transactions, but are difficult and expensive to use. Many companies have implemented extranets by using dedicated network connections to share data and operate joint business applications. Extranets and business-to-business transactions are popular because they reduce business transaction cycle times and allow companies to reduce costs and inventories while increasing responsiveness and service. This trend will only continue to grow. Business-to-business interactions are now rapidly shifting to the Internet. Extranets can be built over the Internet using VPN technology.

Mobile users and telecommuters typically use dial-up services for connectivity to their headquarters or local office. Newer technologies such as Digital Subscriber Line (DSL) or cable modems offer permanent, high-speed Internet access to home-based telecommuters.

TIP

It is well known that modems inside your campus network can create a backdoor to your network by dialing out to another network, or being left in answer mode to allow remote access directly to a workstation on your internal network. These backdoors bypass the firewall and other security measures that you may have in place. The always-on Internet connections from home now offer the ability to create the backdoor remotely. It is possible to have an employee or contractor online with a modem to the corporate network remote access facility, while they still have an Internet connection through their DSL or cable modem. Attention to detail in the security policy, workstation configuration, and user awareness is critical to ensure that vulnerabilities don’t creep into your system.

Host Security

Any vendor’s software is susceptible to harboring security vulnerabilities.
Almost every day, Web sites that track security vulnerabilities, such as CERT, are reporting new vulnerability discoveries in operating systems, application software, server software, and even in security software or devices. Patches are implemented for these known bugs, but new vulnerability discoveries continue. Sometimes patches fix one bug, only to introduce another. Even open source software that has been widely used for ten years is not immune to harboring serious vulnerabilities. In June 2000, CERT reported that MIT Kerberos had multiple buffer overflow vulnerabilities that could be used to gain root access.

Many sites do not keep up with applying patches and thus leave their systems with known vulnerabilities. It is important to keep all of your software up-to-date. Many of the most damaging attacks have been carried out through office productivity software and e-mail. Attacks can be directed at any software and can seriously affect your network.

The default configuration of hosts makes it easy to get them up and running, but many default services are unnecessary. These unnecessary services increase the vulnerabilities of the system. On each host, all unnecessary services should be shut down. Misconfigured hosts also increase the risk of unauthorized access. All default passwords and community names must be changed.

TIP

The SANS (System Administration, Networking, and Security) Institute has created a list of the top ten Internet security threats from the consensus of a group of security experts. The list is maintained at www.sans.org/topten.htm. Use this list as a guide for the most urgent and critical vulnerabilities to repair on your systems. This effort was started because experience has shown that a small number of vulnerabilities are used repeatedly to gain unauthorized access to many systems.
SANS has also published a list of the most common mistakes made by end-users, executives, and information technology personnel. It is available at www.sans.org/mistakes.htm.

The increased complexity of systems, the shortage of well-trained administrators, and the lack of enough resources all contribute to reducing the security of hosts and applications. We cannot depend on hosts to protect themselves from all threats.

To protect your infrastructure, you must apply security in layers. This layered approach is also called defense in depth. You should create appropriate barriers inside your system so that intruders who may gain access to one part of it do not automatically get access to the rest of the system. Use firewalls to minimize the exposure of private servers from public networks. Firewalls are the first line of defense, while packet filtering on routers can supplement the protection of firewalls and provide internal access boundaries.

Access to hosts that contain confidential information needs to be carefully controlled. Inventory the hosts on your network, and use this list to categorize the protection that they will need. Some hosts will be used to provide public access, such as the corporate Web site or online storefront; others will contain confidential information that may be used only by a single department or workgroup. Plan the type of access needed and determine the boundaries of access control for these resources.

Network Security

The purpose of information and network security is to provide availability, integrity, and confidentiality (see Figure 1.2). These terms are described in the following sections. Different systems and businesses will place different importance on each of these three characteristics.
For example, although Internet Service Providers (ISPs) may be concerned with confidentiality and integrity, they will be more concerned with protecting availability for their customers. The military places more emphasis on confidentiality with its system of classifications of information and clearances for people to access it. A financial institution must be concerned with all three elements, but it will be measured most closely on the integrity of its data.

Figure 1.2 Balancing availability, integrity, and confidentiality. [Diagram: the information asset at the center, balanced among confidentiality, availability, and integrity.]

You should consider security during the logical design of a network. Security considerations can have an effect on the physical design of the network. You need to know the specifications that will be used to purchase network equipment, the software features or revision levels that need to be used, and any specialized devices used to provide encryption, quality of service, or access control.

Networks can be segmented to provide separation of responsibility. Departments such as finance, research, or engineering can be restricted so that only the people who need access to particular resources can enter a network. You need to determine the resources to protect, the origin of threats against them, and where your network security perimeters should be located. Determine the level of availability, confidentiality, and integrity appropriate for controlling access to those segmented zones. Install perimeter devices and configurations that meet your security requirements. Controlling access to the network with firewalls, routers, switches, remote access servers, and authentication servers can reduce the traffic getting to critical hosts to just authorized users and services.

Keep your security configuration up-to-date and ensure that it meets the information security policy that you have set.
In the course of operating a network, many changes can be made. These changes often open new vulnerabilities. You need to continuously reevaluate the status of network security and take action on any vulnerabilities that you find.

Availability

Availability ensures that information and services are accessible and functional when needed. Redundancy, fault tolerance, reliability, failover, backups, recovery, resilience, and load balancing are the network design concepts used to assure availability. If systems aren’t available, then integrity and confidentiality won’t matter.

Build networks that provide high availability. Your customers and end-users will perceive availability as being the entire system—application, servers, network, and workstation. If they can’t run their applications, then it is not available. To provide high availability, ensure that security processes are reliable and responsive. Modular systems and software, including security systems, need to be interoperable.

Denial of Service (DoS) attacks are aimed at attacking the availability of networks and servers. DoS attacks can create severe losses for organizations. In February 2000, large Web sites such as Yahoo!, eBay, Amazon, CNN, ZDNet, E*Trade, Excite, and Buy.com were knocked off line or had availability reduced to about 10 percent for many hours by Distributed Denial of Service (DDoS) attacks. Actual losses were hard to estimate, but probably totaled millions of dollars for these companies.

TIP

Having a good inventory and documentation of your network is important for day-to-day operations, but in a disaster you can’t depend on having it available. Store the configurations and software images of network devices off-site with your backups from servers, and keep them up-to-date. Include documentation about the architecture of your network.
All of this documentation should be available in printed form because electronic versions may be unavailable or difficult to locate in an emergency. This information will save valuable time in a crisis.

Cisco makes many products designed for high availability. These devices are characterized by a long mean time between failure (MTBF), redundant power supplies, and hot-swappable cards or modules. For example, devices that provide 99.999 percent availability would have about five minutes of downtime per year.

Availability of individual devices can be enhanced by their configuration. Using features such as redundant uplinks with Hot Standby Router Protocol (HSRP), fast-converging Spanning Tree, or Fast EtherChannel provides a failover if one link should fail. Uninterruptible Power Supplies (UPSs) and back-up generators are used to protect mission-critical equipment against power outages.

Although not covered in this book, Cisco IOS includes reliability features such as:
Hot Standby Router Protocol (HSRP)
Simple Server Redundancy Protocol (SSRP)
Deterministic Load Distribution (DLD)

Integrity

Integrity ensures that information or software is complete, accurate, and authentic. We want to keep unauthorized people or processes from making any changes to the system, and to keep authorized users from making unauthorized changes. These changes may be intentional or unintentional.

For network integrity, we need to ensure that the message received is the same message that was sent. The content of the message must be complete and unmodified, and the link must be between valid source and destination nodes. Connection integrity can be provided by cryptography and routing control.

Integrity also extends to the software images for network devices that are transporting data. The images must be verified as authentic and as not having been modified or corrupted.
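One way to carry out the image-integrity check this section calls for, as an added example (not code from the book or from Cisco): the script parses a README-style checksum listing, hashes the downloaded image with the same algorithm, and compares the two in constant time, refusing when the README has no entry for the file. The README line layout, the image bytes and the file names are constructed assumptions.

```python
"""Verify a downloaded image against the checksum published in its README.

Added example; not code from the book or from Cisco. The README line format
'File: <name>  <ALG>: <hex>' is a constructed assumption; real release notes
vary, so adapt the regular expression to the layout you actually receive.
"""
import hashlib
import hmac
import re

# One checksum entry per line, e.g. "File: c2600-demo-mz.bin  MD5: <32 hex chars>"
_ENTRY = re.compile(
    r"^File:\s+(?P<name>\S+)\s+(?P<alg>MD5|SHA256):\s+(?P<hex>[0-9a-fA-F]+)\s*$",
    re.IGNORECASE,
)


def published_checksum(readme_text, filename):
    """Return (algorithm, hex digest) listed in the README for filename.

    Raises LookupError when the README carries no entry for that file, so a
    missing entry can never be mistaken for a passing check.
    """
    for line in readme_text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group("name") == filename:
            return m.group("alg").lower(), m.group("hex").lower()
    raise LookupError("no checksum entry for %r in README" % filename)


def image_digest(image_bytes, algorithm):
    """Hash the image with the same algorithm the README used."""
    return hashlib.new(algorithm, image_bytes).hexdigest()


def verify_image(image_bytes, readme_text, filename):
    """True only when the computed digest equals the published one.

    hmac.compare_digest does not stop at the first differing character, so
    the comparison time does not reveal how much of the digest matched.
    """
    algorithm, expected = published_checksum(readme_text, filename)
    actual = image_digest(image_bytes, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a fake image and a README that lists its MD5
# (computed here for the demo) plus a second, unrelated SHA256 entry.
SAMPLE_IMAGE = b"constructed image bytes, not a real IOS image\n" * 64
SAMPLE_README = (
    "Upgrade notes (constructed sample)\n"
    "File: c2600-demo-mz.bin  MD5: " + hashlib.md5(SAMPLE_IMAGE).hexdigest() + "\n"
    "File: other-demo.bin     SHA256: "
    + hashlib.sha256(b"something else").hexdigest() + "\n"
)
# A copy with one byte flipped, as a corrupted or tampered download would look.
TAMPERED_IMAGE = (
    SAMPLE_IMAGE[:10] + bytes([SAMPLE_IMAGE[10] ^ 0x01]) + SAMPLE_IMAGE[11:]
)

if __name__ == "__main__":
    print("intact image:  ", verify_image(SAMPLE_IMAGE, SAMPLE_README, "c2600-demo-mz.bin"))
    print("tampered image:", verify_image(TAMPERED_IMAGE, SAMPLE_README, "c2600-demo-mz.bin"))
```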
When copying an image into flash memory, verify that the checksum of the bundled image matches the checksum listed in the README file that comes with the upgrade.

Confidentiality

Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Cryptography and access control are used to protect confidentiality. The effort applied to protecting confidentiality depends on the sensitivity of the information and the likelihood of it being observed or intercepted.

Network encryption can be applied at any level in the protocol stack. Applications can provide end-to-end encryption, but each application must be adapted to provide this service. Encryption at the transport layer is used frequently today, but this book focuses on encryption at the Open Systems Interconnection (OSI) network layer. Virtual private networks (covered in more detail in Chapter 5, “Virtual Private Networks”) can be used to establish secure channels of communication between two sites or between an end-user and a site. Encryption can be used at the OSI data link layer, but at this level, encryption is a point-to-point solution and won’t scale to the Internet or even to private internetworks. Every networking device in the communication pathway would have to participate in the encryption scheme. Physical security is used to prevent unauthorized access to network ports or equipment rooms. One of the risks at these low levels is the attachment of sniffers or packet analyzers to the network.

Access Control

Access control is the process of limiting the privilege to use system resources. There are three types of controls for limiting access:

Administrative Controls are based upon policies. Information security policies should state the organization’s objectives regarding control over access to resources, hiring and management of personnel, and security awareness.

Physical Controls include