© 1999, Cisco Systems, Inc. C-1

Chapter 2 Evaluating Network Security Threats
Objectives

Upon completion of this chapter you will be able to perform the following tasks:
- Identify the need for network security
- Identify the causes of network security problems
- Identify the most pervasive and significant security threats for campus, dialup, and Internet environments based on a case study network scenario
Review Questions

1. What are the three primary reasons for network security issues?
   A. Technology weaknesses
   B. Configuration weaknesses
   C. Policy weaknesses

2. Which of the general network threats pose a risk to Internet connections?
   A. All of the general categories
   B. More threats are being created over time
Review Questions (cont.)

3. What resources are available to learn network attack types and methods to thwart them?
   A. Publications such as Maximum Security, Internet Security for Business
   B. Web sites such as CERT, COAST, Cisco CCO
   C. Newsgroups such as alt.2600
   D. Each of the resources points to still more resources
Chapter 3 Configuring the NAS for AAA Security
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe network access server port types and access control methods
- Configure the network access server to enable AAA processes to use a local database with a CiscoSecure NAS
- Test the network access server AAA configuration using applicable debugging and testing commands
Review Questions

1. What are the two network access server modes that can be secured by AAA commands?
   A. Character (line mode) with tty, vty, aux, and cty ports
   B. Packet (interface mode) with async, group-async, BRI, and serial (PRI) ports
Review Questions (cont.)

2. What is being configured in each of the fields of the following command?

   aaa authentication ppp sales if-needed local

   A. aaa authen ppp – Specifies the PPP operation for this authentication process
   B. sales – Assigns the profile name sales to this process
   C. if-needed – Specifies the if-needed authentication method for the PPP authentication operation, which requires no authentication if the user is already authenticated
   D. local – If the if-needed method fails, uses the local database method for PPP authentication
Chapter 4 Configuring CiscoSecure ACS and TACACS+
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe the features and architecture of CiscoSecure ACS 2.4 for Windows NT
- Configure CiscoSecure ACS for NT to perform AAA functions
- Describe the features and architecture of CiscoSecure ACS 2.3 for UNIX
- Configure the network access server to enable AAA processes to use a TACACS remote service
Review Questions

1. Describe the pros and cons of using the NT User Database.

   PROS:
   A. Single database simplifies administration
   B. Can reuse existing username and password entries in the database
   C. Enables single login for users

   CONS:
   A. Cannot repopulate another database with usernames and passwords located in NT SAM hive
   B. Cannot store third-party passwords such as CHAP passwords
   C. Cannot run token card algorithm in NT SAM hive
Review Questions (cont.)

2. What do you need to configure in the NT User Manager?
   A. Username and password pairs in NT User Database.
   B. User group must include the policy "Log on Locally".
   C. User profile must not have "change password at next login" or "disable account" selected.
   D. Enable "Grant dialin permissions" from the dial-up menu if you want to optionally control user login privileges from within NT.
   E. The callback number should not be configured.
Review Questions (cont.)

3. What is configured using the CiscoSecure ACS Web interface?
   A. User profiles
   B. Group profiles
   C. Network access server information, including authorization parameters
   D. CiscoSecure ACS services
   E. Token server configuration
   F. Remote administrators
   G. Reports and activities
   H. Can also view online documentation
Review Questions (cont.)

4. How is AAA accounting information reported in CiscoSecure ACS?
   A. Accounting information can be viewed under "Reports and Activity" via the Web browser interface
   B. Report files in .csv format can be imported into other database and spreadsheet applications for evaluation

5. Where should you start in troubleshooting CiscoSecure ACS problems?
   A. The Failed Attempts Report under Reports and Activity via the Web browser interface
Chapter 5 Configuring PIX Firewall Basics
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify PIX Firewall features and components
- Configure a PIX Firewall to work with a Cisco router
- Configure basic PIX Firewall features to protect Internet access to an enterprise based on a case study network design
- Test and verify basic PIX Firewall operation
Review Questions

1. Which PIX Firewall features enable PIX to have high performance?
   A. Stateful operation: adaptive security algorithm
   B. Cut-through proxy authentication
   C. Secure, real-time embedded system

2. What is the basic PIX Firewall security policy for inbound and outbound connections?
   A. Inbound: All inbound connections are denied unless specifically authenticated, enabled by a static or conduit, or as a response to a valid user request
   B. Outbound: All connections are allowed unless specifically denied by access lists
Review Questions (cont.)

3. What are three of the advantages of the PIX Adaptive Security Algorithm?
   A. Stateful connection security
   B. Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags
   C. Random TCP sequence numbers
   D. Tracks TCP and UDP session state
   E. Outbound traffic return session backflow tracking
   F. Supports authentication, authorization, and syslog accounting
Review Questions (cont.)

4. List the six commands needed to get the PIX running and providing basic network security.
   A. nameif ethernetX
   B. interface ethernetX
   C. ip address
   D. global
   E. nat
   F. route
Review Questions (cont.)

5. Does the PIX 515 support FDDI and Token Ring interfaces?
   No.

6. What command is used to verify interface function and correct cable connection?
   show interface
Chapter 6 Configuring Access through the PIX Firewall
Objectives

Upon completion of this chapter, you will be able to complete the following tasks:
- Configure outbound and inbound access through the PIX Firewall based on a case study network design
- Test and verify correct PIX operation
Review Questions

1. What function does the nat 0 command serve?
   It disables address translation so that outside hosts can access inside hosts.

2. Two commands can be used to enable NAT. What are they?
   A. global
   B. static

3. PAT supports more than 64,000 hosts. What approximate percentage of that number can be connected at the same time?
   25%
Review Questions (cont.)

4. When running multimedia applications through the PIX, does it matter if PAT is enabled?
   Yes. Some multimedia applications need access to specific ports. This may cause a conflict with the port mappings that PAT provides.

5. Which command has precedence, static, or nat and global? Why is this important?
   Static. It is important because a nat command only grants outbound access to hosts not specified in the static statement.

6. In V-4.4(1) of the PIX s/w, can the conduit command be used with either the global or static commands? Is either of them required with the conduit command?
   Yes. No.
Chapter 7 Configuring Multiple Interfaces and AAA on the PIX Firewall
Objectives

Upon completion of this chapter, you will be able to:
- Configure multiple interfaces on the PIX Firewall to protect a bastion host based on a case study network
- Configure AAA features of the PIX Firewall to work with CiscoSecure ACS based on a case study network
- Test and verify correct PIX operation
Review Questions

1. What is the advantage of using multiple perimeter interfaces?
   A. Platform extensibility
   B. Security Policy enforcement

2. What command replaced the aaa-tacacs and aaa-radius commands?
   aaa-server

3. What quantity of group tags does PIX software allow, and how many servers are allowed in each?
   A. 16 group tags
   B. 16 servers in each group tag
Review Questions (cont.)

4. When adding, changing, or removing a global statement, what is the next command to enter after saving the configuration?
   clear xlate
Chapter 8 Configuring Advanced PIX Firewall Features
Objectives

Upon completion of this chapter, you will be able to:
- Configure PIX Firewall advanced features to protect Internet access to an enterprise network based on a case study network
- Test and verify correct PIX operation
Review Questions

1. List three advanced PIX Firewall features that enhance network security.
   A. Java Applet blocking
   B. URL filtering
   C. Control SNMP access

2. What two things are needed for Failover to work?
   A. Two identical PIX Firewalls
   B. A failover cable

3. Which commands are used together to enable a permanent connection through PIX?
   A. link
   B. linkpath
Review Questions (cont.)

4. Two conduits are needed to enable PPTP on a PIX. What are they for?
   A. TCP Port 1723
   B. GRE protocol

5. Can PIX Firewall Manager and Cisco Security Manager run on the same machine at the same time?
   No.

6. What advantages does PFM have over the command-line interface for PIX configuration and management?
   A. GUI-based configuration and management enables point-and-click policy settings
   B. Can manage multiple PIX Firewalls from a single point
   C. Provides general reporting capabilities
   D. Provides URL and FTP logging for audits
Chapter 9 Configuring a Cisco Perimeter Router
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify perimeter security problems and solutions
- Identify Cisco IOS™ software perimeter security features
- Configure a Cisco router as a perimeter router to protect Internet access from common security threats based on a case study network design
Review Questions

1. What are the Cisco IOS software features useful for implementing perimeter security?
   A. Cisco IOS Firewall feature set
   B. Standard and extended access lists
   C. NAT
   D. PAT
   E. TCP Intercept to control SYN DoS attacks
   F. Lock and Key security
Review Questions (cont.)

2. What features are included in the Cisco IOS Firewall feature set?
   A. Context-based access lists
   B. Java blocking
   C. DoS detection and prevention
   D. Audit trail
   E. Real-time alerts
   F. ConfigMaker support
Review Questions (cont.)

3. Which Cisco IOS software commands would you use on a perimeter router to block echo and finger inquiries from the Internet?
   A. no service tcp-small-servers
   B. no service udp-small-servers
   C. no service finger commands

4. Write an access list that will allow traffic to a Web server on the XYZ Company DMZ.
   A. access list 110 permit tcp any host eq www
Review Questions (cont.)

5. What are some limitations of using access lists for network security?
   A. Cannot detect data attacks such as viruses, worms, or Trojan horses
   B. Cannot completely protect against denial-of-service attacks
   C. Access lists are difficult to maintain
Chapter 10 Configuring Cisco Secure Integrated Software
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify Cisco Secure Integrated Software features
- Configure Cisco Secure Integrated Software features to secure a case study network
Review Questions

1. Define four features of CBAC.
   A. Secure per-application filtering.
   B. Support for advanced protocols.
   C. Control downloading of Java applets.
   D. DoS detection and prevention.
   E. Real-time alerts
   F. TCP/UDP Transaction logs
   G. Administration
Review Questions (cont.)

2. Place the following configuration steps in the correct order:
   1. Pick an interface: Internal or External
   2. Configure IP Access Lists at the Interface
   3. Configure Global Timeouts and Thresholds
   4. Define an inspection rule
   5. Apply the Inspection Rule to an Interface
   6. Test and verify CBAC.
Review Questions (cont.)

3. What command would you use to verify CBAC application protocol inspection of packets?
   A. debug ip inspect protocol
Chapter 11 Understanding Cisco IOS IPSec Support
Objective

Upon completion of this chapter, you will be able to perform the following task:
- Identify IPSec encryption protocols implemented in Cisco IOS Software
Review Questions

1. What is the difference between ESP Transport mode and ESP Tunnel mode?
   ESP Tunnel mode encapsulates the entire datagram and gives it a new IP Header.

2. What elements of security does AH provide?
   A. Data Integrity
   B. Origin Authentication
   C. Replay protection (optional)

3. What element of security does AH not provide?
   A. Confidentiality
Review Questions (cont.)

4. Can IPSec be configured without IKE?
   Yes

5. What are three of the benefits of IKE?
   A. Automated IPSec security parameter distribution
   B. Can specify a lifetime for IPSec security association
   C. Can change encryption keys during IPSec session
   D. Allows IPSec to provide anti-replay services
   E. CA support
   F. Dynamic authentication of peers

6. What is the primary purpose of a CA?
   To verify the identity of an entity in a digital transmission
Chapter 12 Configuring Cisco IOS IPSec
Objectives

Upon completion of this chapter, you will be able to:
- Identify Cisco IOS commands used to configure and test IPSec in Cisco routers
- Configure IPSec between Cisco routers to create a secure communication environment based on a case study network design
Review Questions

1. Place the following configuration steps into the order in which they should be performed:
   1. Exchange DSS public key
   2. Generate router's DSS public/private keys
   3. Configure per-session encryption policy
   4. Define global encryption policy
Review Questions (cont.)

2. Which command defines and controls per-session encryption policy?
   A. crypto gen-signature-keys
   B. crypto key-exchange
   C. crypto map
   D. access-list
Review Questions (cont.)

3. What is the correct command to test an encrypted connection between routers?
   A. test crypto initiate-session

4. What is the correct command to verify which packets are being encrypted?
   A. show crypto engine connections active
Chapter 13 Scaling Cisco IOS IPSec Networks
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Configure IPSec between Cisco routers for Certificate Authority support to create a secure communication environment based on a case study network design
- Manage multiple IKE/IPSec peers with crypto map sets
- Create Dynamic crypto maps
Review Questions

1. What is the purpose of a CA server?
   - To certify the correctness and ownership of the public IPSec encryption keys of a remote peer
   - Maintain and distribute accurate CRL in a timely manner
   - Provide non-repudiation services to prove that a transaction actually occurred

2. Which CA components does IOS support?
   - IKE
   - PKCS #7
   - PKCS #10
   - RSA keys
   - X.509v3 certificates
Review Questions (cont.)

3. What types of certificates are stored on a router?
   - Its own certificate
   - The CA's certificate
   - Two Registration Authority (RA) certificates (if the CA supports RA)
   - Apply crypto maps to interfaces

4. How many CRLs are stored on a router?
   - One if the CA does not support RA
   - Multiple CRLs if the CA supports RA
Review Questions (cont.)

5. What is the common element in every crypto map entry?
   A sequence number

6. Can a single crypto map entry support flows to multiple IPSec peers?
   Yes
Chapter 14 Cisco Secure VPN Client
Objectives

After completing this course you will be able to complete the following tasks:
- Install the Cisco Secure VPN Client.
- Configure the Cisco Secure VPN Client.
- Operate the Cisco Secure VPN Client in a VPN Session.
- Request & Import CA certificates.
Review Questions

1. What are the encryption algorithms supported by the client?
   DES, 3DES, MD-5, and SHA-1

2. What are the major areas to configure when installing the client?
   - Global Policy Setting
   - Securing Connections
   - Identity
   - Individual Security Policies
Review Questions (cont.)

3. What parameters must be configured for the connection?
   - Connection Security
   - Remote Party Identity and Addressing
   - Port and Protocol
   - Secure Gateway and Tunnel Option

4. What parameters are needed to configure your identity?
   - Certificate
   - Port
   - Name
Review Questions (cont.)

5. Can Phase 1 negotiations be either Aggressive or Main modes?
   Yes

6. What are some of the reasons to use certificates?
   - Verify identity
   - Provide non-repudiation for transactions
   - Security