
Cramsession™ for Cisco CCNP Managing Cisco
Network Security
This study guide will help you to prepare for the Cisco MCNS (Managing
Cisco Network Security) 640-442 exam that will give you a specialization for
your CCNP (Cisco Certified Network Professional) certification if taken before
January 1st, 2001. Exam topics include basic configuration of PIX firewalls,
configuring Cisco routers as firewalls, understanding of network security and
policies, understanding of AAA processes and various encryption
technologies employed in Cisco networks.
Notice: While every precaution has been taken in the preparation of this material, neither the author nor BrainBuzz.com assumes any liability in the event
of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document. The information in this
document is provided and distributed "as-is", without any expressed or implied warranty. Your use of the information in this document is solely at your own
risk, and Brainbuzz.com cannot be held liable for any damages incurred through the use of this material. The use of product names in this work is for
information purposes only, and does not constitute an endorsement by, or affiliation with BrainBuzz.com. Product names used in this work may be
registered trademarks of their manufacturers. This document is protected under US and international copyright laws and is intended for individual, personal
use only. For more details, visit our legal page.
© 2000 All Rights Reserved - BrainBuzz.com


Contents:
Contents (page 1)
Establishing A Network Security Policy (page 2)
Evaluating Network Security Threats (page 2)
Basic Categories of Security Threats (page 2)
Motivations of Network Security Threats (page 2)
Outlining A Network Security Policy (page 3)
Securing The Dialup Connection (page 4)
Configuring the Network Access Server for AAA Security (page 5)
Overview of Basic AAA Configuration Process (page 6)
Securing The Internet Connection (page 7)
Cisco IOS Firewall (page 7)
Configuring the PIX Firewall (page 9)
PIX Firewall Basics (page 9)
Configuring Access Through the PIX Firewall (page 11)
Configuring Advanced Features (page 12)
Encryption Technology (page 13)
Basic Cryptography (page 13)
Overview of IKE & IPSEC (page 14)
Configuring IPSEC with IKE (page 15)
Configuring IKE (page 16)


Establishing A Network Security Policy

Evaluating Network Security Threats

A security threat can be as simple as snooping on your network's normal
operation or as complex as taking control of your entire network. It is
therefore important to be familiar with the three basic categories of network
security threats.

Basic Categories of Security Threats
• Unauthorized Access – Unauthorized access is when an unauthorized
individual gains access to the network or any network resource, with the
possibility of taking that resource or tampering with it.
• Impersonation – Impersonation is the process of identifying yourself as a
different individual by using the same credentials that the particular
individual uses. There are several ways that this is done. One of the
more common ways is by eavesdropping on your network and capturing
usernames and passwords when these are exchanged via unsecured means.
Sniffer programs, as they are commonly called, are small software
packages that enable someone to snoop on current network conversations
and extract users' credentials.
• Denial of Service – Denial of Service is an attack on your network by a
malicious individual in order to interfere with your network's normal
operation. This is a common type of attack that has gained notoriety due
to the growth of the Internet.
Motivations of Network Security Threats
It is important to understand the different motivations that some individuals
may have in posing a security threat to your network. It is a common
perception that network security attacks are perpetrated from your external
network, which is the Internet. Therefore, the firewall is an important piece
in protecting your network against such attacks. Here are some of the
more basic motivations for launching an attack on your network.
• Greed – The intruder’s purpose is to take control or possession of any
network resource such as corporate data so that he/she may sell it for
money.

• Notoriety – The intruder attempts to break into networks that are said to
be secure, proving his skill in order to gain respect from his peers.
• Revenge – The intruder has been fired or laid off and is looking for some
type of reprisal. The most common occurrence of this is the damaging of
important corporate data.
Outlining A Network Security Policy
• Define physical security controls – Physical security controls pertain to
the physical infrastructure that your network is built on. This covers
the various physical components that comprise your network, such as
servers, routers, switches and cabling. Ensuring the security of these
components should be the foundation of your network security policy.
Imagine having the strictest password policy but leaving your wiring
closet open to anyone in the vicinity.

• Define logical security controls – Logical security controls provide
boundaries within your network segments. This process is done when
traffic is filtered from one segment of your network to the next. The
two main logical boundaries used are:

o Subnet Boundaries
o VLAN Boundaries


• Ensure data and system integrity – Data that passes to and from your
network needs to be identified as valid traffic. Valid traffic can further
be described as expected network traffic: traffic that is supported,
unspoofed traffic and traffic in which the data has not been altered.
This is the main reason why firewalls are implemented. A firewall
ensures the validity and integrity of your data as it enters and leaves
your network.

• Ensure data confidentiality – Data confidentiality pertains to encryption.
The key in this process is deciding which data is to be encrypted and
which is not. This should be carefully evaluated so that the key data
that poses the greatest risk if compromised is encrypted.

• Develop policies and procedures for the staff that is responsible for the
network – Specific guidelines should be in place for the staff that is
responsible for the maintenance of the network infrastructure. This
should ensure that these policies are balanced between securing your
network and allowing the staff to carry out their responsibilities in an
efficient manner. These policies may include the following:


o Backups – One of the most important tasks in network
management is being able to back up the data that is stored in
that network. Policies and procedures should be in place to
give the staff responsible for the backups the steps for
securing those backups.
o Equipment Certification – Network equipment that is introduced
into the network should adhere to specific security requirements.
o Audit Trails – Keeping a log of what goes on in your network
greatly enhances your ability to determine if there is any
suspicious activity going on in your network environment.

• Develop appropriate security awareness training – Training should be
provided to all staff in order for them to be informed of the various
security measures that your network employs. It is very important that
the staff is made aware of the many problems that may arise due to
security related issues.


Securing The Dialup Connection
Dialup connections to your corporate network are usually comprised of
several dial-in infrastructures. These could be direct dial-in connections from
mobile users and telecommuters. There is also the virtual dial-in of
remote branches via the Internet through a corporate Virtual Private Network
(VPN). Therefore, it is recommended that you secure these dial-in access
points with a firewall device that implements some kind of intrusion detection
and auditing function. Regardless of how dial-in access is provided to the
corporate network, the main security concerns lie in the following areas:

• Identifying the caller
• Identifying the location of the caller
• Identifying the destination of the caller
• Logging of accessed applications and data
• Logging of the duration of the connection
• Guaranteeing authenticated communication
• Guaranteeing private communication




Configuring the Network Access Server for AAA Security
Access control is the process of controlling who is allowed access to the
network and what services they are allowed to use. Authentication,
Authorization and Accounting (AAA) network security services provide the
principal framework through which you set up access control on your router or
network access server. AAA offers the following benefits:

• Increased flexibility
• Scalability
• Standard authentication methods, such as RADIUS, TACACS+ and
Kerberos
• Multiple backup systems

AAA is designed to enable you to configure the type of authentication and
authorization you would use on a per line (per user) or per service basis. You
define the type of authentication and authorization you want by creating
method lists, then apply those method lists to specific services or interfaces.
Method lists are lists defining the authentication methods to be used, in order,
to authenticate a dial in user. These lists enable you to assign one or more
security protocols to be used for authentication, thus creating a backup
system for authentication to be used in case the initial method fails. AAA is
comprised of three independent security functions.

Authentication – Authentication is the process of identifying users, including
the login and password dialog, challenge and response, messaging support
and encryption.

Authorization – Authorization is the process of determining what a
remote user is allowed to access in the network, such as network resources or
services. AAA authorization works by assembling a set of attributes that
describe what the user is authorized to perform. These attributes are compared
with the information contained in a database for that user, and the result is
returned to AAA to determine the user's actual capabilities and restrictions.
This database can be local on the access server or remote on a TACACS+ or
RADIUS server.

Accounting – Accounting is the process of tracking the different types of
services that remotely connected users are accessing. Activities are logged to
either a RADIUS or TACACS security server in the form of accounting records.
This data can then be analyzed for client billing, auditing or network
management.


Overview of Basic AAA Configuration Process
• Enable AAA by issuing this command in global configuration mode:
      aaa new-model
• If you are using separate security servers, configure the security server
parameters, such as RADIUS, TACACS+ or Kerberos.
• Define the method lists for authentication by issuing this command:
      aaa authentication
For example, if you would like to specify RADIUS as the default method for
logging in, the command would be:
      aaa authentication login default radius
To log in using the local username database on the router, the command
would be:
      aaa authentication login default local
To log in using PPP and specify the local username database, the command
would be:
      aaa authentication ppp default local
This example would allow authentication to succeed even if the TACACS+
server returns an error:
      aaa authentication ppp default tacacs+ none
• Apply the method list to a particular interface. This example applies the
method list to interface serial 0:
      interface serial 0
       ppp authentication chap pap default
• Configure authorization using this command:
      aaa authorization
This example allows authorization on the network via TACACS+:
      aaa authorization network tacacs+
This example specifies TACACS+ as the method for user authorization when
trying to establish a reverse Telnet session:
      aaa authorization reverse-access tacacs+
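As an added example that is not part of the Cramsession, the following brings the steps above together into one router configuration; the TACACS+ server address 10.1.1.10, the shared key, the local username and interface serial 0 are assumed placeholders. IOS releases after this guide require the group keyword before tacacs+ or radius in a method list, and local is used as the backup method instead of none so that an unreachable server does not leave the dial-in interface open.

```cisco
! Added example, not from the guide. Placeholder values: server 10.1.1.10,
! the shared key, the local username and interface serial 0.
!
! Step 1: enable AAA
aaa new-model
!
! Step 2: security server parameters (TACACS+ in this example)
tacacs-server host 10.1.1.10
tacacs-server key EXAMPLE-SHARED-KEY
!
! Local account used only when the TACACS+ server does not answer
username admin secret EXAMPLE-LOCAL-PASSWORD
!
! Step 3: authentication method lists. The next method is tried only when
! the previous one returns an error (server unreachable), not when it
! rejects the user, so a rejected login is never retried against "local".
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
!
! Step 5: authorization for EXEC sessions and network services (PPP)
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+
!
! Accounting records give the audit trail the policy section calls for
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
! Step 4: apply the default list to the dial-in interface; CHAP before PAP
interface serial 0
 encapsulation ppp
 ppp authentication chap pap default
```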
