
MANAGING CISCO NETWORK SECURITY
Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA
Oliver Steudler, CCNA, CCDA, CNE
Jacques Allison, CCNP, ASE, MCSE+I
TECHNICAL EDITOR: Florent Parent, Network Security Engineer, Viagénie Inc.
“Finally! A single resource that really delivers solid and comprehensive knowledge on Cisco security planning and implementation. A must have for the serious Cisco library.”
—David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA, MCNI, MCNE, CCA, President, Certified Tech Trainers
With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created , a service that includes the following features:
■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.
Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase.
Thank you for giving us the opportunity to serve you.

MANAGING CISCO NETWORK SECURITY: BUILDING ROCK-SOLID NETWORKS
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Managing Cisco Network Security: Building Rock-Solid Networks
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-17-2
Copy edit by: Adrienne Rebello
Proofreading by: Nancy Kruse Hannigan
Technical review by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Technical edit by: Florent Parent
Index by: Robert Saigh
Project Editor: Mark A. Listewnik
Co-Publisher: Richard Kristof
Distributed by Publishers Group West
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.
Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.
Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.
Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.
Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge
Contributors
Russell Lusignan (CCNP, CCNA, MCSE, MCP+I, CNA) is a Senior Network Engineer for Bird on a Wire Networks, a high-end dedicated and fully managed Web server/ASP provider located in Toronto, Canada. He is also a technical trainer for the Computer Technology Institute.
Russell’s main area of expertise is in LAN routing and switching technologies and network security implementations.
Chapters 3, 4, and 6.
David G. Schaer (CCNA, CCDA, CCNP, CCSI, MCT, MCSE, MCP+I, MCNE, CCA) is President of Certified Tech Trainers, Inc., an organization specializing in the development and delivery of custom training for Cisco CCNA and CCNP certification. He has provided training sessions for major corporations throughout the United States, Europe, and Central America. David enjoys kayak fishing, horseback riding, and exploring the Everglades.
Oliver Steudler (CCNA, CCDA, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. He has over 10 years of experience in designing, implementing and troubleshooting complex networks.
Chapter 5.
Jacques Allison (CCNP, ASE, MCSE+I) has been involved with Microsoft-related projects on customer networks ranging from single domain and exchange organization migrations to IP addressing and network infrastructure design and implementation. Recently he has worked on CA Unicenter TNG implementations for network management.
He received his engineering diploma in Computer Systems in 1996 from the Technicon Pretoria in South Africa. Jacques began his career with Electronic Data Systems performing desktop support, completing his MCSE in 1997.
Jacques would like to dedicate his contribution for this book to his fiancée, Anneline, who is always there for him. He would also like to thank his family and friends for their support.
Chapter 8.
John Barnes (CCNA, CCNP, CCSI) is a network consultant and instructor. John has over ten years of experience in the implementation, design, and troubleshooting of local and wide area networks as well as four years of experience as an instructor.
John is a regular speaker at conferences and gives tutorials and courses on IPv6, IPSec, and intrusion detection. He is currently pursuing his CCIE. He would like to dedicate his efforts on this book to his daughter, Sydney.
Chapter 2.
Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of Networking at Kalamazoo College in Kalamazoo, Michigan. Prior to joining “K” College, Russ worked for 11 years in the pharmaceutical industry. His experience includes workstation support, system administration, network design, and information security.
Chapter 1.
Pritpal Singh Sehmi lives in London, England. He has worked in various IT roles and in 1995 launched Spirit of Free Enterprise, Ltd. Pritpal is currently working on an enterprise architecture redesign project for a large company. Pritpal is also a freelance Cisco trainer and manages the Cisco study group www.ccguru.com. Pritpal owes his success to his family and life-long friend, Vaheguru Ji.
Chapter 7.
Technical Editor
Florent Parent is currently working at Viagénie, Inc. as a consultant in network architecture and security for a variety of organizations, corporations, and governments. For over 10 years, he has been involved in IP networking as a network architect, network manager, and educator.
He is involved in the architecture development and deployment of IPv6 in the CA*net network and the 6Tap IPv6 exchange. Florent participates regularly in the Internet Engineering Task Force (IETF), especially in the IPv6 and IPSec work groups.
In addition to acting as technical editor for the book, Florent authored the Preface and Chapter 9.
Technical Reviewer
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force.
While in the Air Force, Stace was involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO).
Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He is also a published author in “Internet Security Advisor” magazine.
His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house. Without their love and support, he would not be able to accomplish the goals he has set for himself.
Contents
Preface xxi
Chapter 1 Introduction to IP Network Security 1
Introduction 2
Protecting Your Site 2
Typical Site Scenario 5
Host Security 7
Network Security 9
Availability 10
Integrity 11
Confidentiality 12
Access Control 12
Authentication 13
Authorization 14
Accounting 15
Network Communication in TCP/IP 15
Application Layer 17
Transport Layer 18
TCP 18
TCP Connection 20
UDP 21
Internet Layer 22
IP 22
ICMP 23
ARP 23
Network Layer 24
Security in TCP/IP 24
Cryptography 24
Symmetric Cryptography 25
Asymmetric Cryptography 26
Hash Function 26
Public Key Certificates 27
Application Layer Security 28
Pretty Good Privacy (PGP) 28
Secure HyperText Transport Protocol (S-HTTP) 28
Transport Layer Security 29
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 29
Secure Shell (SSH) 30
Filtering 30
Network Layer Security 31
IP Security Protocols (IPSec) 31
Filtering (Access Control Lists) 34
Data Link Layer Security 34
Authentication 34
Terminal Access Controller Access Control System Plus (TACACS+) 34
Remote Access Dial-In User Service (RADIUS) 35
Kerberos 36
Cisco IP Security Hardware and Software 37
Cisco Secure PIX Firewall 37
Cisco Secure Integrated Software 40
Cisco Secure Integrated VPN Software 40
Cisco Secure VPN Client 41
Cisco Secure Access Control Server 41
Cisco Secure Scanner 42
Cisco Secure Intrusion Detection System 42
Cisco Secure Policy Manager 43
Cisco Secure Consulting Services 43
Summary 44
FAQs 45
Chapter 2 Traffic Filtering on the Cisco IOS 47
Introduction 48
Access Lists 48
Access List Operation 49
Types of Access Lists 50
Standard IP Access Lists 52
Source Address and Wildcard Mask 53
Keywords any and host 56
Keyword log 57
Applying an Access List 58
Extended IP Access Lists 59
Keywords permit or deny 62
Protocol 62
Source Address and Wildcard-Mask 62
Destination Address and Wildcard Mask 63
Source and Destination Port Number 63
Established 65
Named Access Lists 67
Editing Access Lists 69
Problems with Access Lists 70
Lock-and-Key Access Lists 71
Reflexive Access Lists 77
Building Reflexive Access Lists 79
Applying Reflexive Access Lists 82
Reflexive Access List Example 82
Context-based Access Control 84
The Control-based Access Control Process 86
Configuring Control-based Access Control 86
Inspection Rules 89
Applying the Inspection Rule 89
Configuring Port to Application Mapping 91
Configuring PAM 91
Protecting a Private Network 92
Protecting a Network Connected to the Internet 93
Protecting Server Access Using Lock-and-Key 94
Protecting Public Servers Connected to the Internet 96
Summary 97
FAQs 98
Chapter 3 Network Address Translation (NAT) 99
Introduction 100
NAT Overview 100
Overview of NAT Devices 100
Address Realm 101
NAT 101
Transparent Address Assignment 102
Transparent Routing 103
Public, Global, and External Networks 104
Private and Local Networks 105
Application Level Gateway 105
NAT Architectures 106
Traditional or Outbound NAT 106
Network Address Port Translation (NAPT) 108
Static NAT 109
Twice NAT 111
Guidelines for Deploying NAT and NAPT 113
Configuring NAT on Cisco IOS 116
Configuration Commands 116
Verification Commands 121
Configuring NAT between a Private Network and Internet 122
Configuring NAT in a Network with DMZ 124
Considerations on NAT and NAPT 127
IP Address Information in Data 127
Bundled Session Applications 127
Peer-to-Peer Applications 128
IP Fragmentation with NAPT En Route 128
Applications Requiring Retention of Address Mapping 128
IPSec and IKE 129
Summary 129
FAQs 130
Chapter 4 Cisco PIX Firewall 131
Introduction 132
Overview of the Security Features 133
Differences Between IOS 4.x and 5.x 137
Initial Configuration 139
Installing the PIX Software 140
Basic Configuration 140
Installing the IOS over TFTP 143
Command Line Interface 145
IP Configuration 146
IP Address 147
Configuring NAT and NAPT 149
Security Policy Configuration 153
Security Strategies 153
Deny Everything That Is Not Explicitly Permitted 154
Allow Everything That Is Not Explicitly Denied 154
Identify the Resources to Protect 156
Demilitarized Zone (DMZ) 157
Identify the Security Services to Implement 158
Authentication and Authorization 158
Access Control 159
Confidentiality 159
URL, ActiveX, and Java Filtering 160
Implementing the Network Security Policy 160
Authentication Configuration in PIX 160
Access Control Configuration in PIX 163
Securing Resources 165
URL, ActiveX, and Java Filtering 168
PIX Configuration Examples 170
Protecting a Private Network 170
Protecting a Network Connected to the Internet 172
Protecting Server Access Using Authentication 174
Protecting Public Servers Connected to the Internet 176
Securing and Maintaining the PIX 182
System Journaling 182
Securing the PIX 184
Summary 185
FAQs 186
Chapter 5 Virtual Private Networks 189
Introduction 190
What Is a VPN? 190
Overview of the Different VPN Technologies 190
The Peer Model 191
The Overlay Model 192
Link Layer VPNs 192
Network Layer VPNs 193
Transport and Application Layer VPNs 194
Layer 2 Transport Protocol (L2TP) 195
Configuring Cisco L2TP 196
LAC Configuration Example 197
LNS Configuration Example 197
IPSec 198
IPSec Architecture 201
Security Association 202
Anti-Replay Feature 203
Security Policy Database 203
Authentication Header 204
Encapsulating Security Payload 205
Manual IPSec 205
Internet Key Exchange 206
Authentication Methods 207
IKE and Certificate Authorities 208
IPSec Limitations 209
Network Performance 209
Network Troubleshooting 210
Interoperability with Firewalls and Network Address Translation Devices 210
IPSec and Cisco Encryption Technology (CET) 210
Configuring Cisco IPSec 211
IPSec Manual Keying Configuration 212
IPSec over GRE Tunnel Configuration 218
Connecting IPSec Clients to Cisco IPSec 226
Cisco Secure VPN Client 226
Windows 2000 228
Linux FreeS/WAN 229
BSD Kame Project 230
Summary 231
FAQs 231
Chapter 6 Cisco Authentication, Authorization, and Accounting Mechanisms 233
Introduction 234
AAA Overview 234
AAA Benefits 238
Cisco AAA Mechanisms 239
Supported AAA Security Protocols 239
RADIUS 239
TACACS+ 243
Kerberos 246
RADIUS, TACACS+, or Kerberos 254
Authentication 255
Login Authentication Using AAA 258
PPP Authentication Using AAA 261
Enable Password Protection for Privileged EXEC Mode 263
Authorization 263
Configure Authorization 265
TACACS+ Configuration Example 266
Accounting 268
Configuring Accounting 269
Suppress Generation of Accounting Records for Null Username Sessions 271
RADIUS Configuration Example 271
Typical RAS Configuration Using AAA 271
Typical Firewall Configuration Using AAA 276
Authentication Proxy 280
How the Authentication Proxy Works 280
Comparison with the Lock-and-Key Feature 281
Benefits of Authentication Proxy 282
Restrictions of Authentication Proxy 282
Configuring Authentication Proxy 283
Configuring the HTTP Server 283
Configure Authentication Proxy 284
Authentication Proxy Configuration Example 285
Summary 286
FAQs 287
Chapter 7 Intrusion Detection 289
Introduction 290
What Is Intrusion Detection? 290
Network Attacks and Intrusions 290
Poor Network Perimeter/Device Security 291
Network Sniffers 291
Scanner Programs 291
Network Topology 292
Unattended Modems 292
Poor Physical Security 293
Application and Operating Software Weaknesses 293
Software Bugs 293
Web Server/Browser-based Attacks 293
Getting Passwords—Easy Ways in Cracking Programs 293
Trojan Horse Attacks 294
Virus or Worm Attacks 294
Human Failure 295
Poorly Configured Systems 295
Information Leaks 295
Malicious Users 296
Weaknesses in the IP Suite of Protocols 296
Layer 7 Attacks 298
Layer 5 Attacks 299
Layer 3 and 4 Attacks 300
Network and Host-based Intrusion Detection 305
Network IDS 305
Host IDS 308
What Can’t IDSs Do? 308
Deploying in a Network 309
Sensor Placement 310
Network Vulnerability Analysis Tools 311
Cisco’s Approach to Security 311
Cisco Secure Scanner (NetSonar) 311
Minimum System Specifications for Secure Scanner V2.0 311
Searching the Network for Vulnerabilities 312
Viewing the Results 314
Keeping the System Up-to-Date 317
Cisco Secure Intrusion Detection System (NetRanger) 320
What Is NetRanger? 320
Before You Install 324
Director and Sensor Setup 324
General Operation 327
nrConfigure 327
Data Management Package (DMP) 329
Cisco IOS Intrusion Detection System 331
Configuring IOS IDS Features 332
Associated Commands 335
Cisco Secure Integrated Software (Firewall Feature Set) 335
Summary 337
FAQs 337
Chapter 8 Network Security Management 341
Introduction 342
PIX Firewall Manager 342
PIX Firewall Manager Overview 342
PIX Firewall Manager Benefits 344
Supported PIX Firewall IOS Version Versus PIX Firewall Manager Version 345
Installation Requirements for PIX Firewall Manager 346
PIX Firewall Manager Features 348
Using PIX Firewall Manager 352
Configuration 352
Installation Errors in PIX Firewall Manager 354
A Configuration Example 356
CiscoWorks 2000 ACL Manager 361
ACL Manager Overview 361
ACL Manager Device and Software Support 364
Installation Requirements for ACL Manager 364
ACL Manager Features 366
Using a Structure Access Control Lists Security Policy 366
Increase Deployment Time for Access Control Lists 367
Ensure Consistency of Access Control Lists 367
Keep Track of Changes Made on the Network 368
Troubleshooting and Error Recovery 368
Basic Operation of ACL Manager 369
Using ACL Manager 372
Configuration 372
An ACL Manager Configuration Example 374
Cisco Secure Policy Manager 378
Cisco Secure Policy Manager Overview 379
The Benefits of Using Cisco Secure Policy Manager 379
Installation Requirements for Cisco Secure Policy Manager 380
Cisco Secure Policy Manager Features 382
Cisco Firewall Management 382
VPN and IPSec Security Management 382
Security Policy Management 384
Network Security Deployment Options 385
Cisco Secure Policy Manager Device and Software Support 386
Using Cisco Secure Policy Manager 388
Configuration 388
CSPM Configuration Example 389
Cisco Secure ACS 393
Cisco Secure ACS Overview 393
Cisco Secure ACS Benefits 394
Installation Requirements for Cisco Secure ACS 395
Cisco Secure ACS Features 395
Placing Cisco Secure ACS in Your Network 397
Cisco Secure ACS Device and Software Support 398
Using Cisco Secure ACS 399
Configuration 399
Cisco Secure ACS Configuration Example 401
Summary 405
FAQs 405
Chapter 9 Security Processes and Managing Cisco Security Fast Track 407
Introduction 408
What Is a Managing Cisco Security Fast Track? 408
Introduction to Cisco Network Security 408
Network Security 409
Network Communications in TCP/IP 409
Security in TCP/IP 410
Traffic Filtering on the Cisco IOS 412
Access Lists 412
Standard and Extended Access Lists 412
Reflexive Access Lists 413
Context-based Access Control 414
Network Address Translation (NAT) 414
Private Addresses 414
Network Address Translation 415
Static NAT 415
Traditional or Outbound NAT 416
Network Address Port Translation (NAPT or PAT) 416
Considerations 416
Cisco PIX Firewall 417
Security Policy Configuration 418
Securing and Maintaining the PIX 418
Virtual Private Networks (VPNs) 419
L2TP 419
IPSec 419
Network Troubleshooting 421
Interoperability with Firewalls and Network Address Translation Devices 421
Cisco Authentication, Authorization and Accounting Mechanisms 421
Authentication 422
Authorization 423
Accounting 423
Intrusion Detection 424
What Is Intrusion Detection? 424
Cisco Secure Scanner (NetSonar) 425
Cisco Secure NetRanger 425
Cisco Secure Intrusion Detection Software 426
Network Security Management 426
Cisco PIX Firewall Manager 427
CiscoWorks 2000 ACL Manager 427
Cisco Secure Policy Manager 428
Cisco Secure Access Control Manager 429
General Security Configuration Recommendations on Cisco 429
Remote Login and Passwords 429
Disable Unused Network Services 431
Logging and Backups 433
Traffic Filtering 433
Physical Access 435
Keeping Up-to-Date 435
Summary 437
FAQs 437
Index 439
Preface
The Challenges of Security
Providing good internetwork security and remaining current on new hardware and software products is a never-ending task. Every network security manager aims to achieve the best possible security because the risks are real and the stakes are high. An enterprise must decide what level of security is required, taking into account which assets to protect as well as the impact of the measures on costs, personnel, and training. Perfect security is an impossibility, so one must aim for the best possible security by devising a plan to manage the known risks and safeguard against the potential risks. Defining the enterprise security policy is the first step in implementing good security.
Many security tools are available to help reduce the vulnerability of your network. For example, a firewall can be deployed at the network perimeter to offer effective protection against many attacks. But a firewall is only one piece in the network security infrastructure. Good host security, regular assessment of the overall vulnerability of the network (audits), good authentication, authorization, and accounting practices, and intrusion detection are all valuable tools in combating network attacks and ensuring a network security manager’s “peace of mind.”
Cisco Systems is the worldwide leader in IP networking solutions. They offer a wide array of market-leading network security products: dedicated appliances, routers, and switches, most of which come with some form of security software. Currently, Cisco products comprise much of the Internet’s backbone. An in-depth knowledge of how to configure Cisco IP network security technology is a must for anyone working in today’s internetworked world. This book will provide you with the hands-on Cisco security knowledge you need to get ahead, and stay ahead.

About This Book
This book focuses on how to configure and secure IP networks utilizing the various security technologies offered by Cisco Systems. Inside are numerous configuration examples combined with extensive instruction from security veterans that will provide you with the information you need to implement a network solution and manage any-sized IP network security infrastructure.
Although many books cover IP network security, we will concentrate specifically on security configurations using exclusively Cisco products. We supply you with exactly the information you need to know: what security solutions are available, how to apply those solutions in real-world cases, and what factors you should consider when choosing and implementing the technology.
Organization
Chapter 1 covers general system and network security concepts and introduces the different security mechanisms available through TCP/IP. Chapters 2, 3 and 4 deal with security through access control and advanced filtering mechanisms available in Cisco IOS routers and the PIX firewall. Network Address Translation (NAT) is also covered in Chapter 3. Virtual Private Networks, AAA mechanisms, and intrusion detection follow in the next chapters. Network security management software available from Cisco is covered in Chapter 8. Chapter 9, the “Fast Track” chapter, provides an excellent review of the entire book and contains additional bonus coverage containing tips on general security processes. This will provide you with a quick jump on the key network security factors to weigh in choosing your security solutions.
Chapter 1: Introduction to IP Network Security provides an overview of the components that comprise system and network security. The chapter introduces some basic networking concepts (IP, TCP, UDP, ICMP) and discusses some of the security mechanisms available in TCP/IP. We also introduce some of the essential network security products available from Cisco.
Chapter 2: Traffic Filtering on the Cisco IOS focuses on access control through traffic filtering. We cover some of the different traffic filtering mechanisms available on the Cisco IOS such as the standard, extended, and reflexive access lists, as well as Context-based Access Control (CBAC). Many configuration recommendations and examples are presented.
Chapter 3: Network Address Translation (NAT) provides detailed coverage of Network Address Translation (NAT) mechanisms with configuration examples on Cisco IOS and PIX firewall.
Chapter 4: Cisco PIX Firewall covers the main features of PIX firewall with recommendations on security policy configuration. Many configuration examples using advanced features such as AAA, NAT, and URL filtering are presented. Note that the PIX Firewall Manager graphical user interface is covered in Chapter 8.
Chapter 5: Virtual Private Networks provides an overview of Virtual Private Network (VPN) technologies available for the Cisco product line. A description of the L2TP and IPSec protocols is presented, and configuration examples using the Cisco Secure VPN client and Windows 2000 are provided.
Chapter 6: Cisco Authentication, Authorization, and Accounting Mechanisms discusses the authentication, authorization, and accounting (AAA) security services available on Cisco products. The different security servers supported in Cisco, TACACS+, RADIUS and Kerberos, are also explained. Note that the Cisco Secure Access Control Server is presented in Chapter 8.
Chapter 7: Intrusion Detection includes an overview of several methods used to attack networks. We discuss host and network intrusion and focus on the intrusion detection and vulnerability scanner products available from Cisco.
Chapter 8: Network Security Management provides a look at the network security management tools available from Cisco: PIX Firewall Manager, CiscoWorks 2000 Access Control Lists Manager, Cisco Secure Policy Manager (CSPM), and Cisco Secure Access Control Server.
Chapter 9: Security Processes and the Managing Cisco Security Fast Track provides a concise review of Cisco IP network security, detailing the essential concepts covered in the book. This chapter also includes a section on general security configuration recommendations for all networks. You can use these recommendations as a checklist to help you limit the exposure and vulnerability of your security infrastructure.
Audience
This book is intended primarily for network managers and network administrators who are responsible for implementing IP network security in a Cisco environment. However, it is also useful for people who are interested in knowing more about the security features available in Cisco products in general. The book is designed to be read from beginning to end, but each chapter can stand alone as a useful reference should you want detailed coverage of a particular topic. Readers who want a quick understanding of the information contained in the book can read Chapter 9 first.
This book will give the reader a good understanding of what security solutions are available from Cisco and how to apply those solutions in real-world cases. These solutions will give the security managers and administrators the necessary tools and knowledge to provide the best protection for their network and data.
Editor’s Acknowledgement
I would like to thank Mark Listewnik from Syngress Publishing for his support; Marc Blanchet, colleague and friend, for his help, encouragement and guidance; all my colleagues and friends at Viagénie; and, especially, my wife Caroline for her exceptional support and patience.
––Florent Parent