CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)


Greg Bastien; Earl Carter; Christian Degu


  • Foundation and Supplemental Topics


    This chapter does not contain any foundation topics. However, if you take a look at the foundation topics throughout the book, you will discover that understanding the foundation topics will be difficult if you do not already understand the supplemental topics.


    Overview of Network Security


    In the past, the term information security was used to describe the physical security measures used to keep vital government or business information from being accessed by the public and to protect it against alteration or destruction. These measures included storing valuable documents in locked filing cabinets or safes and restricting physical access to areas where those documents were kept. With the proliferation of computers and electronic media, the old way of accessing data changed. As technology continued to advance, computer systems were interconnected to form computer networks, allowing systems to share resources, including data.

    The ultimate computer network, which interconnects almost every publicly accessible computer network, is the Internet. Although the methods of securing data have changed dramatically, the concept of network security remains the same as that of information security.

    Because computers can warehouse, retrieve, and process tremendous amounts of data, they are used in nearly every facet of our lives. Computers, networks, and the Internet are integral parts of many businesses. Our dependence on computers continues to increase as businesses and individuals become more comfortable with technology and as technology advances make systems more user-friendly and easier to interconnect.

    A single computer system requires automated tools to protect data on that system from users who have local system access. A computer system that is on a network (a distributed system) requires that the data on that system be protected not only from local access but also from unauthorized remote access and from interception or alteration of data during transmission between systems. Network security is not a single product, process, or policy but rather a combination of products and processes that support a defined policy. Network security is the implementation of security devices, policies, and processes to prevent unauthorized access to network resources or alteration or destruction of resources or data.


    Vulnerabilities, Threats, and Attacks


    Attackers who attempt to access a system or network use various methods to find and exploit specific targets. This section discusses the basic concepts of a cyber attack.


    Vulnerabilities

    To understand cyber attacks, you must remember that computers, no matter how advanced, are still just machines that operate based on predetermined instruction sets. Operating systems and other software packages are simply compiled instruction sets that the computer uses to transform input into output. A computer cannot determine the difference between authorized input and unauthorized input unless this information is written into the instruction sets. Any point in a software package at which a user can alter the software or gain access to a system (in a way that was not specifically designed into the software) is called a vulnerability. In most cases, a hacker gains access to a network or computer by exploiting a vulnerability. Each of TCP and UDP provides 65,535 usable port numbers (1 through 65535), and a remote host can attempt a connection to any of them; the attempt succeeds only on a port where a service is listening.

    Different applications configure a system to listen on specific ports. It is possible to scan a computer to determine which ports are listening, and what applications are running on that system. By knowing what vulnerabilities are associated with which applications, you can determine what vulnerabilities exist and how to exploit them. As hardware and software technology continue to advance, the "other side" continues to search for and discover new vulnerabilities. For this reason, most software manufacturers continue to produce patches for their products as vulnerabilities are discovered.


    Threats

    Potential threats are broken into the following two categories:

    • Structured threats Threats that are preplanned and focus on a specific target. A structured threat is an organized effort to breach a specific network or organization.

    • Unstructured threats Threats that are random and tend to be the result of hackers looking for a target of opportunity. These threats are the most common because an abundance of script files are available on the Internet to users who want to scan unprotected networks for vulnerabilities. Because the scripts are free and run with minimal input from the user, they are widely used across the Internet. Many unstructured threats are not of a malicious nature or for any specific purpose. The people who carry them out are usually just novice hackers looking to see what they can do.



    Types of Attacks

    The types of cyber attackers and their motivations are too numerous and varied to list. They range from the novice hacker who is attracted by the challenge, to the highly skilled professional who targets an organization for a specific purpose (such as organized crime, industrial espionage, or state-sponsored intelligence gathering). Threats can originate from outside the organization or from inside. External threats originate outside an organization and attempt to breach a network either from the Internet or via dialup access. Internal threats originate from within an organization and are usually the result of employees or other personnel who have some authorized access to internal network resources. Studies indicate that internal attacks perpetrated by disgruntled employees or former employees are responsible for the majority of network security incidents within most organizations.

    There are three major types of network attacks, each with its own specific goal:

    • Reconnaissance attack An attack designed not to gain access to a system or network but only to search for and track vulnerabilities that can be exploited later.

    • Access attack An attack designed to exploit a vulnerability and gain access to a system on a network. After gaining access, the attacker's goal is to

      - Retrieve, alter, or destroy data.

      - Add, remove, or change network resources, including user access.

      - Install other exploits that can be used later to gain access to the network.

    • Denial of service (DoS) attack An attack designed solely to cause an interruption on a computer or network.



    Reconnaissance Attacks

    The goal of this type of attack is to perform reconnaissance on a computer or network. The goal of this reconnaissance is to determine the makeup of the targeted computer or network and to search for and map any vulnerability. A reconnaissance attack can indicate the potential for other, more-invasive attacks. Many reconnaissance attacks are written into scripts that allow novice hackers or script kiddies to launch attacks on networks with a few mouse clicks. Here are some of the more common reconnaissance attacks:

    • Domain Name Service (DNS) query Provides the unauthorized user with such information as what address space is assigned to a particular domain and who owns that domain.

    • Ping sweep Tells the unauthorized user how many hosts are active on the network. It is possible to drop ICMP echo requests at the perimeter devices, but this occurs at the expense of network troubleshooting (ping and traceroute from outside stop working), and dropping all ICMP rather than just echo also breaks path MTU discovery, which depends on ICMP "fragmentation needed" messages getting through.

    • Vertical scan Scans the service ports of a single host and requests different services at each port. This method enables the unauthorized user to determine what type of operating system and services are running on the computer.

    • Horizontal scan Scans an address range for a specific port or service. A very common horizontal scan is the FTP sweep. This is done by scanning a network segment, looking for replies to connection attempts on port 21.

    • Block scan A combination of the vertical scan and the horizontal scan. In other words, it scans a network segment and attempts connections on multiple ports of each host on that segment.
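    The vertical scan described above, together with the port-and-service discovery mentioned under Vulnerabilities, as an added example that is not from the book: a TCP connect scan with banner grabbing, run against constructed stand-in services on the loopback interface. The service banners, the banner-prefix table and the use of loopback are assumptions for the demonstration; `scan()` takes a list of hosts and a list of ports, so the same loop performs a horizontal or block scan when it is given several hosts.

```python
"""Vertical TCP connect scan with banner grabbing, run against local stand-in services."""
import socket
import threading


def start_service(banner: bytes) -> int:
    """Constructed stand-in for a network service (assumption: loopback is usable).
    Listens on 127.0.0.1, sends `banner` to each client, closes. Returns the OS-assigned port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host: str, port: int, timeout: float = 0.5):
    """Full TCP connect (no raw sockets, no privileges). Returns (is_open, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return False, b""
        try:
            # Many services greet first (FTP, SMTP, SSH); HTTP-style services stay silent.
            return True, s.recv(256)
        except socket.timeout:
            return True, b""


def scan(hosts, ports, timeout: float = 0.5) -> dict:
    """One host, many ports = vertical scan; many hosts, one port = horizontal;
    many of both = block scan. Returns {(host, port): banner} for open ports only."""
    found = {}
    for host in hosts:
        for port in ports:
            is_open, banner = probe(host, port, timeout)
            if is_open:
                found[(host, port)] = banner
    return found


# Greeting prefixes that reveal a service class; assumption: a real tool keeps a far larger table.
BANNER_HINTS = ((b"SSH-", "ssh"), (b"220 ", "ftp-or-smtp greeting"), (b"+OK", "pop3"), (b"* OK", "imap"))


def identify(banner: bytes) -> str:
    """Map a captured banner to a service class, or 'unknown' if it gave nothing away."""
    for prefix, label in BANNER_HINTS:
        if banner.startswith(prefix):
            return label
    return "unknown"


def closed_port() -> int:
    """Pick a port that is (almost certainly) closed: bind to 0, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ftp = start_service(b"220 corp-ftp FTP server ready\r\n")   # constructed banner
    ssh = start_service(b"SSH-2.0-OpenSSH_9.6\r\n")             # constructed banner
    quiet = start_service(b"")                                  # open but says nothing
    targets = sorted([ftp, ssh, quiet, closed_port()])
    for (host, port), banner in scan(["127.0.0.1"], targets).items():
        print(f"{host}:{port} open  {identify(banner):<22} {banner!r}")
```

    Because it completes the TCP handshake, this kind of scan needs no privileges but shows up in connection logs on the target; a SYN scan (what nmap -sS does) needs raw sockets. Running it against hosts you are not authorized to test is itself a reconnaissance attack in the sense of this section.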



    Access Attacks

    As the name implies, the goal of an access attack is to gain access to a computer or network. Having gained access, the user may be able to perform many different functions. These functions can be broken into three distinct categories:

    • Interception Gaining unauthorized access to a resource. This could be access to confidential data such as personnel records, payroll records, or research and development projects. As soon as the user gains access, he might be able to read, write to, copy, or move this data. If an intruder gains access, the only way to protect your sensitive data is to have saved it in an encrypted format beforehand. Encryption at rest keeps the intruder from reading the data only as long as the key is not stored alongside the data or reachable from the account the intruder has taken over.

    • Modification Having gained access, the unauthorized user can alter the resource. This includes not only altering file content but also altering system configurations, changing the level of authorized system access, and escalating authorized privilege levels. Unauthorized system access is achieved by exploiting a vulnerability in either the operating system or a software package running on that system. Unauthorized privilege escalation occurs when a user who has a low-level but authorized account attempts to gain higher-level or more-privileged user account information or to increase his or her own privilege level. This gives the user greater control over the target system or network.

    • Fabrication With access to the target system or network, the unauthorized user can create false objects and introduce them into the environment. This can include altering data or inserting packaged exploits such as a virus, worm, or Trojan horse, which can continue attacking the network from within.

      - Virus Computer viruses range from annoying to destructive. They consist of computer code that attaches itself to other software running on the computer. This way, each time the attached software opens, the virus reproduces and can continue growing until it wreaks havoc on the infected computer.

      - Worm A worm is self-replicating code that exploits vulnerabilities on networked systems to spread, without needing a user to open an infected file. A worm scans a network, looking for a computer with a specific vulnerability. When it finds a host, it copies itself to that system and begins scanning from there as well.

      - Trojan horse A Trojan horse is a program that usually claims to perform one function (such as a game) but also does something completely different (such as corrupting data on your hard disk). Many different types of Trojan horses get attached to systems. The effects of these programs range from minor user irritation to total destruction of the computer's file system. Trojan horses are sometimes used to exploit systems by creating user accounts on systems so that an unauthorized user can gain access or upgrade her privilege level. Trojans are also commonly used to enlist computers for a distributed denial of service (DDoS) attack without the knowledge of the system owner.


    Denial of Service Attacks


    A DoS attack is designed to deny user access to computers or networks. These attacks usually target specific services and attempt to overwhelm them by making numerous requests concurrently. If a system is not protected and cannot react to a DoS attack, that system may be very easy to overwhelm by running scripts that generate multiple requests.

    It is possible to greatly increase a DoS attack's magnitude by launching it from multiple systems against a single target. This practice is called a distributed denial of service (DDoS) attack. A common practice by hackers is to use a Trojan horse to take control of other systems and enlist them in a DDoS attack.


    Security Policies


    Security policies are created based upon the security philosophy of the organization. The policy should be a "top-down" policy that is consistent, understandable (nontechnical), widely disseminated within the organization, and fully supported by management. The technical team uses the security policy to design and implement the organization's security structure. The security policy is a formal statement that specifies a set of rules required for gaining access to network assets. The security policy is not a technical document; it is a business document that lays out the permitted and prohibited activities and the tasks and responsibilities regarding security. The network security policy is the core of the network security process. Every organization that maintains networked assets should have a written network security policy. At a minimum, that policy should fulfill the following objectives:

    • Analyze the threat based on the type of business performed and type of network exposure

    • Determine the organization's security requirements

    • Document the network infrastructure and identify potential security breach points

    • Identify specific resources that require protection and develop an implementation plan


    Note

    An effective network security policy must include physical security to prevent unauthorized users from gaining local access to equipment.

    The security process is the implementation of the security policy. It is broken into four steps that run continuously, as shown in Figure 1-1. It is important to emphasize that this is a continuous process, that each step leads to the next, and that you should evaluate the results of each step and constantly improve your security posture.


    Figure 1-1. Security Process

    Step 1: Secure


    Step 1 is to implement your network security design. This includes hardening your network systems by installing security devices such as firewalls, intrusion detection sensors, and AAA (authentication, authorization, and accounting) servers. Firewalls on the network perimeter prevent unwanted traffic from entering the network. Firewalls within the network verify that only authorized traffic moves from one network segment to another. Restrict access to resources to only authorized users, and implement a strong password convention. Implement data encryption to protect data that is passing from one network to another across an unsecured connection (via the Internet) or to protect sensitive data within your network. Cisco PIX Firewall and Cisco Secure IDS are both industry-leading network security devices that are commonly used for securing the network perimeter and monitoring all traffic that traverses critical points on the network. The purpose of this step is to prevent unauthorized access to the network and to protect network resources.
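    What the perimeter part of Step 1 looks like on a PIX, as an added configuration example that is not from the book: PIX 6.x-style syntax, with the addresses, interface names, syslog host and access-list name all assumed. It publishes one internal service, drops and logs everything else arriving from the Internet, lets inside hosts out through address translation, and sends the log to the syslog server that Step 2 relies on.

```text
! Added example in PIX 6.x-style syntax; addresses, names and the syslog host are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
! Inside hosts reach the Internet through the outside interface address (PAT).
nat (inside) 1 0 0
global (outside) 1 interface
! Publish the mail server only: one static translation, one permit line.
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
! Everything else from the Internet is dropped and logged; the log feeds Step 2.
access-list outside_in deny ip any any log
access-group outside_in in interface outside
logging on
logging timestamp
logging trap warnings
logging host inside 10.0.0.20
```

    The PIX already denies traffic from a lower-security interface to a higher-security one unless an access list (or conduit) permits it; the explicit final `deny ip any any log` entry is there so that the drops are recorded rather than silently discarded.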

    Step 2: Monitor


    After you secure your network, you should monitor the network to ensure that you can detect potential security incidents. By installing Cisco Secure IDS at key points of the network (as part of Step 1), you can monitor both internal and external traffic. It is important to monitor both internal and external traffic because you can check for violations of your network security policy from internal sources and attacks from external sources and determine if any external attacks have breached your network. All your perimeter devices, including firewalls and perimeter routers, provide log data that can be used to verify that your secure configuration is functioning properly and can be filtered to look for specific incidents.
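    How the scan patterns from the Reconnaissance Attacks list can be recognized in the perimeter log data this step describes, as an added example that is not from the book. The sample syslog lines are constructed, the message layout follows the PIX 106023 access-list deny message as assumed here (only the source, destination and port fields are matched), and the threshold of five events is a tuning assumption.

```python
"""Classify port-scan patterns from firewall deny logs (constructed PIX-style sample)."""
import re
from collections import defaultdict

# Assumed shape of PIX message 106023 (access-list deny). Only the fields used below are
# matched, so a syslog timestamp/hostname prefix in front of the message is tolerated.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def deny_line(src, sport, dst, dport, proto="tcp"):
    """Build one constructed log line (assumed format, not a real capture)."""
    return (f"Jan 12 03:14:{sport % 60:02d} pix-fw %PIX-4-106023: Deny {proto} "
            f"src outside:{src}/{sport} dst inside:{dst}/{dport} by access-group \"outside_in\"")


def build_sample_log():
    """Constructed sample: three scanning sources plus one stray deny."""
    lines = []
    # 198.51.100.7 walks one host's service ports: vertical scan
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143]):
        lines.append(deny_line("198.51.100.7", 40000 + i, "10.0.0.5", p))
    # 203.0.113.9 tries port 21 on every host: horizontal scan (an FTP sweep)
    for i in range(1, 9):
        lines.append(deny_line("203.0.113.9", 51000 + i, f"10.0.0.{i}", 21))
    # 192.0.2.44 tries several ports on several hosts: block scan
    for i in range(1, 4):
        for p in (22, 80, 443):
            lines.append(deny_line("192.0.2.44", 33000 + i * 10 + p % 10, f"10.0.0.{i}", p))
    # one stray deny: ordinary noise, not a scan
    lines.append(deny_line("198.51.100.200", 60001, "10.0.0.5", 443))
    return lines


def parse_denies(lines):
    """Yield (src, dst, dport) for each line matching the deny format; skip everything else."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def classify_sources(events, threshold=5):
    """Group denies by source address and label the pattern:
       vertical   - one destination, at least `threshold` distinct ports
       horizontal - one port, at least `threshold` distinct destinations
       block      - several destinations and several ports, at least `threshold` events
    Sources with fewer than `threshold` events are ignored as noise. A source that hammers
    one destination on one port gets no label: that is a flood or brute force, not a scan."""
    by_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "n": 0})
    for src, dst, dport in events:
        entry = by_src[src]
        entry["hosts"].add(dst)
        entry["ports"].add(dport)
        entry["n"] += 1
    verdicts = {}
    for src, e in by_src.items():
        if e["n"] < threshold:
            continue
        if len(e["hosts"]) == 1 and len(e["ports"]) >= threshold:
            verdicts[src] = "vertical"
        elif len(e["ports"]) == 1 and len(e["hosts"]) >= threshold:
            verdicts[src] = "horizontal"
        elif len(e["hosts"]) > 1 and len(e["ports"]) > 1:
            verdicts[src] = "block"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_denies(build_sample_log())).items():
        print(f"{src:<16} {verdict} scan")
```

    On a PIX the deny lines only exist for access-list entries that end in `log`, which is why logging is configured as part of Step 1. The same grouping works on any firewall or router log once the regular expression is adjusted to that device's message format.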

    Step 3: Test


    Step 3 involves testing the effectiveness of your security design and is completed by continuing to monitor the solution and generating traffic that should be mitigated by the solution you implemented. Verify that the security equipment is properly configured and functioning correctly. Several excellent tools are available that you can use to verify the capabilities of your design and determine how effective your security devices will be as they are currently configured.

    Step 4: Improve


    Step 4 involves using the data from your intrusion detection sensors and your test data to improve the design. An effective security policy is always a work in progress. It continues to improve with every cycle of the process. This does not necessarily mean implementing new hardware with every cycle. The improvement cycle could involve changing certain organizational procedures or documenting new potential threats and vulnerabilities.

    The security process is ongoing and constantly changing based on the results of evaluations that occur as part of each step of the process.


    Network Security as a "Legal Issue"


    Organizations are expected to exercise "reasonable care" to ensure that they protect assets on their networks and to ensure that their network resources are not used against others. Consider the following scenario: An employee of Company X uses his computer (without authorization) to scan the Internet and eventually finds a server that belongs to Company Y that he is able to take control of using a documented exploit. The employee then uses that server to break into the database server at Insurance Company Z and steal the medical records of a celebrity that contain very sensitive and potentially damaging personal information. The stolen information is later distributed to the public. Who is responsible? Of course the employee is ultimately responsible but probably lacks the financial resources that make it worthwhile for the celebrity to seek legal recourse. However, companies X, Y, and Z will all likely become involved in legal action as a result of this theft.


    Defense in Depth


    Securing a network requires significantly more than implementing a strong network perimeter. The installation of a firewall is a part of the perimeter defense, but it cannot ensure that the entire network is secure. The concept of defense in depth refers to the military strategy of having multiple layers of defense. It is an architecture that includes a strong perimeter, intrusion detection/prevention at key points on the network, network monitoring and logging, and a design that allows administrators to dynamically alter the network in response to attacks.

    Of course, the concept of defense in depth must always be balanced with the business need of the organization. It simply would not make sense to implement a complex and expensive security architecture for a home office with a couple of computers that do not contain any sensitive data.


    Cisco AVVID and Cisco SAFE


    Cisco has two programs in place, Cisco AVVID and Cisco SAFE, to help network architects design secure network solutions. Both programs are based on proven solutions that have been tested for full functionality and interoperability, and both programs use the strategy of defense in depth.

    Cisco AVVID


    AVVID is the Cisco Architecture for Voice, Video, and Integrated Data. Cisco AVVID is an open architecture that is used by Cisco partners to develop various solutions. Every Cisco partner solution is rigorously tested for interoperability with Cisco products. Cisco AVVID is designed for large enterprise networks that require an infrastructure that can support emerging applications such as IP telephony, content delivery, and storage. This network-of-networks concept allows the use of a single network infrastructure to support the concurrent operation of multiple solutions. The Cisco Enterprise Solutions Engineering team creates design guides for use when planning enterprise network infrastructure using Cisco products, software, and features. These solutions provide the following benefits:

    • Network performance This is measured by the following three metrics rather than just throughput:

      - Application response time Measures how quickly an application responds to changes on a network and network congestion by changing its link speed.

      - Device performance Measures the limitations in performance of individual network devices such as switches or routers. A poorly performing device can become a bottleneck to the network, so it is important to ensure that devices are not overtaxed. Device performance measures errors, drops, and CPU usage as well as packet-per-second throughput.

      - Protocol performance Measures the ability of devices to operate dynamically by verifying that devices and the network can handle the use of routing protocols and the Spanning Tree Protocol (STP).

    • Scalability A scalable solution must allow a network to grow into the future. The network must be designed to allow growth in the following areas:

      - Topology A topology must be selected so that changes do not require major reconfiguration of the entire network.

      - Addressing The addressing scheme that you choose should be affected only minimally by changes to the network and should allow for route summarization.

      - Routing protocols The design should be such that changes in the network are easily handled by the routing protocols.

    • Availability Availability is always a major concern to network managers. A network's ability to overcome outages and adapt to changes is paramount. Three availability issues are incorporated into the Cisco AVVID design model:

      - Equipment and link redundancy This includes not only redundant components and high-availability configurations but also redundancy within the equipment, such as dual power supplies and other features designed into the modular products.

      - Protocol resiliency The focus here is to use the most resilient protocol. Multiple redundant protocols do not necessarily provide the best solution.

      - Network capacity design A network design should allow for significant expansion, meet the capacity needs of the organization, and include enough redundancy to reduce the impact of a link failure.


    The Cisco AVVID network infrastructure design incorporates many different topologies and technologies to provide optimum efficiency and stability.

    Cisco SAFE


    Cisco Security Architecture for Enterprises (SAFE) is available for different sizes of networks. The Cisco white papers SAFE: A Security Blueprint for Enterprise Networks and SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks are guides for network designers and focus on the implementation of secure network designs. Cisco SAFE is based on Cisco AVVID. SAFE uses best practices and the interoperability of various Cisco and Cisco partner products. There are several SAFE white papers available on Cisco.com that focus on the following design fundamentals (from the Cisco Systems white paper "SAFE: A Security Blueprint for Enterprise Networks," copyright 2000):

    • Security and attack mitigation based on policy

    • Security implementation throughout the infrastructure (not just specialized security devices)

    • Secure management and reporting

    • Authentication and authorization of users and administrators to critical network resources

    • Intrusion detection for critical resources and subnets

    • Support for emerging networked applications


    The SAFE blueprint is composed of the critical areas of network security:

    • Perimeter security Protects access to the network by controlling access at the network's entry and exit points

    • Secure connectivity Provides secure communications via virtual private networks (VPNs)

    • Application security Ensures that critical servers and applications are protected

    • Identity Provides secure authentication and authorization services to ensure that access is restricted to only authorized users.

    • Security management and monitoring Allows for centralized management of security resources and the detection of unauthorized activity on the network


    Note

    Cisco SAFE Implementation (exam 642-541) is a requirement for CCSP Certification. For more information, refer to http://www.cisco.com/go/certifications

