514 Chapter 20: Using AAA to Scale Access Control Foundation Summary AAA consists of three components, outlined in Table 20-10. AAA has two access modes, character and packet. The mode is determined by the interface. Review Table 20-11 as a guide to the interfaces and their associated modes. Table 20-12 outlines the differences between RADIUS and TACACS+. Table 20-10 AAA AAA Component Answers This Question Additional Authentication Who am I? Username/password combination Authorization Am I allowed to do this? May assign IP addresses, etc. Accounting What have people done? When was it done and for how long? Table 20-11 AAA Access Modes Interface Mode Description Aux Character Auxiliary DTE ports Console Character Console port TTY Character Async port vty Character Virtual terminal line PPP Packet PPP on serial or ISDN interface Arap Packet AppleTalk Remote Access protocol on serial interfaces NASI Packet NetWare Access Server Interface on serial interfaces Table 20-12 RADIUS and TACACS+ Differences RADIUS TACACS+ UDP TCP Password encryption Packet encryption Not multiprotocol Multiprotocol No individual command control Individual command control Supports basic interoperability Proprietary system 150x01x.book Page 514 Monday, June 18, 2007 8:52 AM Foundation Summary 515 The CLI commands are simple and effective. 1. Turn on AAA using the aaa new model command. 2. Set the server addresses using the radius-server host or tacacs-server host command. 3. Set the server key with the radius-server key or tacacs=server key command. 4. Set the authentication method with the aaa authentication command. 5. Set the Authorization levels with the aaa authorization command. 6. Set accounting with the aaa accounting command. Review the following eight commands: aa aa aa aa aa aa nn nn ee ee ww ww mm mm oo oo dd dd ee ee ll ll rr rr aa aa dd dd ii ii uu uu ss ss ss ss ee ee rr rr vv vv ee ee rr rr hh hh oo oo ss ss tt tt { hostname | ip-address } [aa aa uu uu tt tt hh hh pp pp oo oo rr rr tt tt port-number ] [aa aa cc cc cc cc tt tt pp pp oo oo rr rr tt tt port- number ] [tt tt ii ii mm mm ee ee oo oo uu uu tt tt seconds ] [rr rr ee ee tt tt rr rr aa aa nn nn ss ss mm mm ii ii tt tt retries ] [kk kk ee ee yy yy string ] [aa aa ll ll ii ii aa aa ss ss { hostname | ip- address }] tt tt aa aa cc cc aa aa cc cc ss ss ss ss ee ee rr rr vv vv ee ee rr rr hh hh oo oo ss ss tt tt { hostname | ip-address } [kk kk ee ee yy yy string ] [nn nn aa aa tt tt ] [pp pp oo oo rr rr tt tt [ integer ]] [ss ss ii ii nn nn gg gg ll ll ee ee cc cc oo oo nn nn nn nn ee ee cc cc tt tt ii ii oo oo nn nn ] [tt tt ii ii mm mm ee ee oo oo uu uu tt tt [ integer ]] rr rr aa aa dd dd ii ii uu uu ss ss ss ss ee ee rr rr vv vv ee ee rr rr kk kk ee ee yy yy {00 00 string | 77 77 string | string } tt tt aa aa cc cc aa aa cc cc ss ss ss ss ee ee rr rr vv vv ee ee rr rr kk kk ee ee yy yy {00 00 string | 77 77 string | string } aa aa aa aa aa aa aa aa uu uu tt tt hh hh ee ee nn nn tt tt ii ii cc cc aa aa tt tt ii ii oo oo nn nn pp pp pp pp pp pp {dd dd ee ee ff ff aa aa uu uu ll ll tt tt | list-name } method1 [ method2 ] aa aa aa aa aa aa aa aa uu uu tt tt hh hh oo oo rr rr ii ii zz zz aa aa tt tt ii ii oo oo nn nn { nn nn ee ee tt tt ww ww oo oo rr rr kk kk | ee ee xx xx ee ee cc cc | cc cc oo oo mm mm mm mm aa aa nn nn dd dd ss ss level | rr rr ee ee vv vv ee ee rr rr ss ss ee ee aa aa cc cc cc cc ee ee ss ss ss ss } {dd dd ee ee ff ff aa aa uu uu ll ll tt tt | list-name } [ method1 [ method2 ]] aa aa aa aa aa aa aa aa cc cc cc cc oo oo uu uu nn nn tt tt ii ii nn nn gg gg {aa aa uu uu tt tt hh hh pp pp rr rr oo oo xx xx yy yy | ss ss yy yy ss ss tt tt ee ee mm mm | nn nn ee ee tt tt ww ww oo oo rr rr kk kk | ee ee xx xx ee ee cc cc | cc cc oo oo nn nn nn nn ee ee cc cc tt tt ii ii oo oo nn nn | cc cc oo oo mm mm mm mm aa aa nn nn dd dd ss ss level } {dd dd ee ee ff ff aa aa uu uu ll ll tt tt | list-name } [vv vv rr rr ff ff vrf-name ] {ss ss tt tt aa aa rr rr tt tt ss ss tt tt oo oo pp pp | ss ss tt tt oo oo pp pp oo oo nn nn ll ll yy yy | nn nn oo oo nn nn ee ee } [bb bb rr rr oo oo aa aa dd dd cc cc aa aa ss ss tt tt ] gg gg rr rr oo oo uu uu pp pp groupname SDM provides a graphical alternative to the CLI. You need to become familiar with the layout and usage of SDM. One of the best ways to accomplish this is to download a copy of SDM and use it to configure a spare router. Table 20-13 lists and describes the five main debugging commands available for AAA. Table 20-13 AAA debug Commands Command Description debug aaa authentication Displays information on authentication events debug aaa authorization Displays information on authorization events debug aaa accounting Displays information on accounting events debug radius Displays information associated with RADIUS debug tacacs Displays information associated with TACACS 150x01x.book Page 515 Monday, June 18, 2007 8:52 AM 516 Chapter 20: Using AAA to Scale Access Control Q&A The questions and scenarios in this book are designed to be challenging and to make sure that you know the answer. Rather than allowing you to derive the answers from clues hidden inside the questions themselves, the questions challenge your understanding and recall of the subject. Hopefully, mastering these questions will help you limit the number of exam questions on which you narrow your choices to two options and then guess. You can find the answers to these questions in Appendix A. For more practice with exam-like question formats, use the exam engine on the CD-ROM. 1. Name some consequences of using TACACS+ instead of RADIUS for AAA. 2. Your boss tells you to implement accounting for the payroll system, but tells you that authentication is not necessary because the payroll program takes care of authentication itself. Why should you be wary of this approach? 3. You are asked to design the AAA system for a multinational bank with more than 10,000 users. Would you choose RADIUS or TACACS+? Why? 4. You have recently added authentication to the vty lines on your router. A new user is not able to access the router. What is the most likely cause? 5. You have recently added a new user to your system. Her job is to configure routers. She is able to access some commands but not others. What is most likely the problem? 6. You are currently tracking the starting and ending times of access on a certain application. All you really need to track is the last access time. Which command should you use to change this? 7. Your TACACS+ system is not working properly. By using the debug commands, you are able to determine that the TACACS+ server takes too long to reply. What command should you be looking at to correct the problem? 150x01x.book Page 516 Monday, June 18, 2007 8:52 AM 150x01x.book Page 517 Monday, June 18, 2007 8:52 AM Exam Topic List This chapter covers the following topics that you need to master for the CCNP ISCW exam: ■ Layered Device Structure—Examines the concepts of a Layered Device Structure. A layered security device provides security on many different IOS layers. ■ Firewall Technology Basics—Explores the three basic forms of firewall technology: Application Layer Gateway (ALG), stateful filtering, and stateless filtering. ■ Cisco IOS Firewall Feature Set—Covers the most common features of the Cisco IOS Firewall Feature Set, which is a powerful tool that provides many security options. ■ Cisco IOS Firewall Operation—Describes how the Cisco IOS Firewall accomplishes packet filtering by using several differing features. ■ Cisco IOS Firewall Packet Inspection and Proxy Firewalls—Covers how the capabilities of the Cisco IOS Firewall Feature set combine to provide the best possible protection for the network. 150x01x.book Page 518 Monday, June 18, 2007 8:52 AM C H A P T E R 21 Cisco IOS Threat Defense Features This chapter explores the advantages, concepts, and strategy behind the Cisco IOS Firewall offerings. Using a layered device as part of the overall security strategy allows the administrator great flexibility in access control. Using a demilitarized zone (DMZ) helps to isolate security breaches outside of the internal portion of the corporate network. If a security breach does occur, the rest of the network can remain intact. For example, “hacking” a web server that is positioned in a DMZ will not enable the hacker to penetrate into the internal portion of the network. In this chapter, you will examine the differences between packet filters, application layer gateways (ALG), and stateful packet filters, learn about the Cisco IOS Firewall feature set, and discover how the Cisco IOS Firewall operates. Chapter 22, “Implementing Cisco IOS Firewall Features,” covers how to implement the Cisco IOS Firewall. “Do I Know This Already?” Quiz The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 13-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you to determine how to spend your limited study time. Table 21-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics. Table 21-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping Foundation Topics Section Questions Covered in This Section Score Layered Device Structure 1–2 Firewall Technology Basics 3–8 Cisco IOS Firewall Feature Set 9–10 Cisco IOS Firewall Operation 11–12 Cisco IOS Firewall Packet Inspection and Proxy Firewalls 13 Total Score 150x01x.book Page 519 Monday, June 18, 2007 8:52 AM 520 Chapter 21: Cisco IOS Threat Defense Features 1. Why is it advised that each server be placed on a separate DMZ? a. It forces the administrator to deal with more ACLs, thereby ensuring that there is more security. b. It helps prevent one compromised server from becoming a launching platform for more security breaches. c. It helps the accounting department by tracking each server independently. d. It provides a way of tracking the use of each server. 2. When using multiple DMZs, what equipment is required (select all that apply)? a. A Cisco PIX Firewall must be used. b. A router with multiple interfaces must be used. c. A LAN switch must be used. d. A VPN Concentrator must be used. e. All these answers are correct. 3. What type of equipment would be employed to prevent the user from any direct access to a server? a. Packet filter b. Hybrid packet filter c. Stateful packet filter d. ALG 4. What type of firewall is best used when only UDP is used for access? a. Packet filter b. Authentication proxy c. ALG d. Stateful packet filter CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security. 150x01x.book Page 520 Monday, June 18, 2007 8:52 AM “Do I Know This Already?” Quiz 521 5. Which type of equipment is used to provide data from a server while still preventing direct access to that server? a. Packet filter b. ALG c. Stateful packet filter d. Hybrid packet filter 6. How does a stateful packet filter’s use of access control lists (ACL) differ from a packet filter’s use of ACLs? a. ACLs are not required in a stateless filter. b. ACLs are not required in a stateful filter. c. ACLS require a separate database, such as SQL, in a stateful filter. d. ACLs are static in a stateless filter. e. ACLs are dynamically changed in a stateless filter. f. ACLs are dynamically changed in a stateful filter. 7. How does a stateful packet filter handle UDP packets? a. Defaults back to packet filter b. Allows only FTP UDP packets c. Defaults to a stateless firewall d. Blocks UDP traffic e. Allows UDP traffic 8. What does a stateful packet filter maintain? a. A connection database b. A session database c. A user database d. A connection table e. A session table f. A user table 9. What type of firewall is the Cisco IOS Firewall? a. Packet firewall b. Application layer gateway c. Stateful d. Hybrid 150x01x.book Page 521 Monday, June 18, 2007 8:52 AM 522 Chapter 21: Cisco IOS Threat Defense Features 10. How does the Cisco IOS Firewall handle streaming video such as VDOLive or Streamworks? a. It ignores all streaming video, allowing it to pass. b. It ignores all streaming video, blocking it. c. It is fully aware of streaming video and blocks or passes as configured. d. Streaming video is allowed if the configuration is globally set. 11. What is unique about how the Cisco IOS Firewall handles ACLs? a. The Cisco IOS Firewall does not require ACLS. b. They are dynamically changed during operation. c. They are automatically generated. d. They must be applied before the inspection rule is applied. 12. How does the Cisco IOS Firewall handle UDP traffic (select all that apply)? a. It ignores all UDP traffic, allowing it to pass. b. It defaults to stateless modes. c. It uses timeouts for UDP traffic. d. It prevents all UDP traffic from passing. 13. Which of the following is not a benefit of the Cisco IOS Firewall? a. Allows combinations of proxy, stateless, and stateful firewall technologies b. Defaults to stateless when stateful is not practicable c. Ignores streaming video d. Can provide proxy services The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step are as follows: ■ 8 or fewer overall score—Read the entire chapter. This includes the “Foundation Topics,” “Foundation Summary,” and “Q&A” sections. ■ 9 to 12 overall score—Begin with the “Foundation Summary” section, and then go to the “Q&A” section. ■ 12 or more overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section. Otherwise, move to the next chapter. 150x01x.book Page 522 Monday, June 18, 2007 8:52 AM Layered Device Structure 523 Foundation Topics Layered Device Structure The Cisco IOS Firewall uses DMZs as a way of isolating services from the internal network. By creating a buffer zone, these DMZs create networks that are neither entirely internal nor entirely external to the corporate network. Traditionally, the DMZ exists between the corporate network and the Internet. There is no requirement for a DMZ to allow access from either the internal network or the Internet. For example, a payroll server could be attached to a DMZ that allows access only from the internal network. This would allow the administrator to restrict access to certain machines or users on the corporate network while ensuring that users on the Internet never even see the server. Take a moment to look at Figure 21-1. Notice that from an access viewpoint the DMZ is positioned between the corporate network and the Internet. Figure 21-1 Cisco DMZ DMZ access is controlled by dedicated firewalls, such as the Cisco PIX Firewall, or by a router with multiple interfaces. Dedicated servers on the DMZ provide services such as web, FTP, or e-mail services. The DMZ may also host a gateway to applications that require outbound connectivity. FTP Server DMZ Inside Network Trusted Outside Network Untrusted Packets from Outside Packets from Inside E-mail Server 150x01x.book Page 523 Monday, June 18, 2007 8:52 AM [...]... know, for a fact, are not in the configuration How do you explain this? 9 What is the purpose of an authentication proxy server? 150x01x.book Page 535 Monday, June 18, 2007 8:52 AM 150x01x.book Page 536 Monday, June 18, 2007 8:52 AM Exam Topic List This chapter covers the following topics that you need to master for the CCNP ISCW exam: ■ Configure a Cisco IOS Firewall Using the CLI—Describes the five steps... understand, as demonstrated in Example 22-5 Example 22-5 show ip inspect session Command Output s Router#show ip inspect session Established Sessions Session 70A64274 (172.16.1.12:3 295 6)=>(10.10.1.5:25) tcp SIS_OPEN Created 00:00:07, Last heard 00:00:03 Bytes sent (initiator:responder) [137:3 19] acl created 2 Inbound access-list acl_from_outside applied to interface Ethernet0/0 Example 22-6 shows the output... 8:52 AM 542 Chapter 22: Implementing Cisco IOS Firewalls Example 22-2 shows how to define the inspection rules for this example Example 22-2 IP Inspection Rules i Router(config)#ip inspect name from_outside ftp alert off audit-trail on timeout 60 i Router(config)#ip inspect name from_outside http alert on audit-trail on timeout 30 The preceding example sets the timeout for FTP to 60 seconds No alerts... lists can be found at Cisco.com The access list in Example 22-1 would be applied to the outside interface This access list allows users outside the network to connect to the SMTP server residing at 10.10.1 .9 and the HTTP server residing at 10.10.1.15 Example 22-1 Extended Access List ip access-list extended acl_from_outside permit tcp any host 10.10.1 .9 eq 25 permit tcp any host 10.10.1.15 eq 80 deny... dropped Configuring the ACL can be simple or complex, depending on the requirements Example 21-1 shows a simple ACL configuration that allows FTP traffic to enter a specific server, as shown in the example in Figure 21-3 150x01x.book Page 526 Monday, June 18, 2007 8:52 AM 526 Chapter 21: Cisco IOS Threat Defense Features Example 21-1 Packet Filtering ACL a Router(config)#access-list 100 permit tcp any... in this example use audit trails Step 4: Apply the Inspection Rules and the ACL to the Interface Now that the ACL and inspection rules have been defined, you must apply these to the interface Audit trails will be used, so your first task is to enable audit trails in the global configuration Alerts have also been chosen These are simple to set up with the global commands executed in Example 22-3 Example... understanding and recall of the subject Hopefully, mastering these questions will help you limit the number of exam questions on which you narrow your choices to two options and then guess You can find the answers to these questions in Appendix A For more practice with exam- like question formats, use the exam engine on the CD-ROM 1 You are designing a network that should have three servers available for access... TCP and UDP traffic ■ Maintains a state table ■ Modifies ACLs dynamically ■ Protects against DoS attacks ■ Inspects packets passing through the interface 150x01x.book Page 5 29 Monday, June 18, 2007 8:52 AM Cisco IOS Firewall Operation 5 29 Authentication Proxy The Authentication Proxy provides authentication and authorization on a per-user basis through either Remote Authentication Dial-In User Service (RADIUS)... interface within the Basic Firewall Wizard b You must use the CLI or the Advanced Firewall Wizard to edit policies for a specific protocol on an interface 150x01x.book Page 5 39 Monday, June 18, 2007 8:52 AM “Do I Know This Already?” Quiz 5 39 c d 7 You may use the Basic Firewall Wizard on a router with more than two trusted interfaces You may use the Basic Firewall Wizard on a router with more than one DMZ... connections For example, when a TCP inspection rule is added to an interface, a TCP reset (RST) packet is not allowed into the interface unless there has previously been a TCP connection established with the machine sending the reset When using inspection rules, you must apply an ACL to the interface Any packet may be rejected by the inspection rule, the ACL, or both The packet is first examined by the . Monday, June 18, 2007 8:52 AM Exam Topic List This chapter covers the following topics that you need to master for the CCNP ISCW exam: ■ Layered Device Structure—Examines the concepts of a Layered. limit the number of exam questions on which you narrow your choices to two options and then guess. You can find the answers to these questions in Appendix A. For more practice with exam- like question. intact. For example, “hacking” a web server that is positioned in a DMZ will not enable the hacker to penetrate into the internal portion of the network. In this chapter, you will examine the