

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Cisco Press

CCSP Self-Study

CCSP SECUR
Exam Certification Guide

Greg Bastien
Christian Abera Degu

2408_CCSP.book Page i Thursday, November 13, 2003 2:38 PM

ii
CCSP Self-Study

CCSP SECUR Exam Certification Guide

Greg Bastien, Christian Abera Degu
Copyright© 2004 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.


Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Number: 2002109331
ISBN: 1-58720-072-4

First Printing December 2003

Warning and Disclaimer

This book is designed to provide information about selected topics for the Cisco SECUR exam for the CCSP certification. Every effort
has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor
responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from
the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or
Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the
validity of any trademark or service mark.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information,
please contact:

U.S. Corporate and Government Sales 1-800-382-3419

For sales outside of the U.S. please contact:


International Sales 1-317-581-3793


Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Executive Editor: Brett Bartow
Acquisitions Editor: Michelle Grandin
Production Manager: Patrick Kanouse
Senior Development Editor: Christopher Cleveland
Development Editor: Howard Jones
Copy Editor: Keith Cline
Technical Editors: Brad Dunsmore, Leon Katcharian, Inti Shah, John Stuppi
Team Coordinator: Tammi Barnett
Book and Cover Designer: Louisa Adair
Production Team: Octal Publishing, Inc.
Indexer: Eric Schroeder


About the Authors

Greg Bastien, CCNP, CCSP, CISSP, is currently a partner with Trinity Information Management Services, Inc., as a consultant to the federal government. He holds a position as adjunct professor at Strayer University, teaching networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army.

Christian Abera Degu, CCNP, CCDP, CCSP, currently works for Veridian Networks/General Dynamics as a consulting engineer to the Federal Energy Regulatory Commission. He received his undergraduate degree from Strayer University and his graduate degree in computer information systems from George Mason University. He lives with his family in Alexandria, Virginia.


About the Technical Reviewers

Brad Dunsmore is a new product instructor with the Advanced Services group for Cisco Systems. He develops and deploys network solutions and training for Cisco Systems engineers, Cisco sales engineers, selected training partners, and customers. He specializes in SS7 offload solutions, WAN communication methods, and Cisco security products. He developed the Building Enhanced Cisco Security Networks course for Cisco and he currently holds the following industry certifications: CCNP, CCDP, CCSP, INFOSEC, MCSE+I, and MCDBA. He recently passed his written exam for the CCIE R/S certification and is currently working on his laboratory exam.

Leon Katcharian is an education specialist at Cisco Systems, Inc., where he develops and delivers training for Cisco network security products. He has more than 20 years of experience in the data-networking field, having been a technical support engineer, a technical instructor, and a course developer. Leon has worked as a technical support engineer or in an educational role for Motorola Information Systems Group, GeoTel Communications, ON Technology, Altiga Networks, and Cisco Systems. He holds a bachelor of science degree in business from Eastern Nazarene College along with several industry certifications. Leon is currently the lead course developer for the Securing Cisco IOS Networks (SECUR) curriculum.

Inti Shah has worked in the networking industry for more than 15 years in both enterprise and service provider environments. He has extensive expertise in designing and delivering large-scale networks, complex e-business solutions, intrusion detection, firewall, and VPN services. Inti currently works for Energis in the UK and holds the Cisco CCNA, CCNP, CCSP, CCIP Security, Check Point CCSA, and CCSE accreditations. He is currently pursuing his CCIE Security accreditation.

John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco Systems. John advises Cisco customers in the planning, design, and implementation of VPN and security related solutions, including IDS, IPSec VPNs, and firewall deployments. John is a CISSP and holds an Information Systems Security (INFOSEC) Professional certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife, Diane, and his two wonderful children, Thomas and Allison.


Dedications

This book is dedicated to In Ho Park (February 27, 1973—December 16, 2001): CCNA, CCNP, and
a good friend.



Acknowledgments

This book has been a very challenging, yet rewarding project. We sincerely appreciate the efforts of all those who helped to keep us focused throughout the process. We would especially like to thank Michelle Grandin, acquisitions editor, and the “development editor team” of Christopher Cleveland and Howard Jones for their guidance and encouragement. We would also like to thank the technical reviewers for their attention to detail, ability to decipher 2 a.m. techno-babble and offer up reasonable alternatives, and the sense of humor needed to hash through mountains of draft manuscripts. Last but not least, we would like to thank Andy and Mark for getting the ball rolling on the project.


Contents at a Glance

Foreword xxiii
Introduction xxiv

PART I An Overview of Network Security 2

Chapter 1 Network Security Essentials 5
Chapter 2 Attack Threats Defined and Detailed 23
Chapter 3 Defense in Depth 43


PART II Managing Cisco Routers 56

Chapter 4 Basic Router Management 59
Chapter 5 Secure Router Administration 79

PART III Authentication, Authorization, and Accounting (AAA) 98

Chapter 6 Authentication 101
Chapter 7 Authentication, Authorization, and Accounting 115
Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software 137
Chapter 9 Cisco Secure Access Control Server 157
Chapter 10 Administration of Cisco Secure Access Control Server 175

PART IV The Cisco IOS Firewall Feature Set 188

Chapter 11 Securing the Network with a Cisco Router 191
Chapter 12 Access Lists 203
Chapter 13 The Cisco IOS Firewall 219
Chapter 14 Context-Based Access Control (CBAC) 231
Chapter 15 Authentication Proxy and the Cisco IOS Firewall 251
Chapter 16 Intrusion Detection and the Cisco IOS Firewall 279


PART V Virtual Private Networks 300

Chapter 17 Building a VPN Using IPSec 303
Chapter 18 Scaling a VPN Using IPSec with a Certificate Authority 339

Chapter 19 Configuring Remote Access Using Easy VPN 359
Chapter 20 Scaling Management of an Enterprise VPN Environment 379

PART VI Scenarios 400

Chapter 21 Final Scenarios 403
Appendix Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 427
Glossary 463
Index 472


Contents

Foreword xxiii
Introduction xxiv

Part I An Overview of Network Security 2

Chapter 1 Network Security Essentials 5

“Do I Know This Already?” Quiz 5

Foundation Topics 9

Definition of Network Security 9
Balancing Business Need with Security Requirement 9
Security Policies 9


Security Policy Goals 12
Security Guidelines 13
Management Must Support the Policy 13
The Policy Must Be Consistent 13
The Policy Must Be Technically Feasible 14
The Policy Should Not Be Written as a Technical Document 14
The Policy Must Be Implemented Globally Throughout the Organization 14
The Policy Must Clearly Define Roles and Responsibilities 15
The Policy Must Be Flexible Enough to Respond to Changing Technologies and Organizational Goals 15
The Policy Must Be Understandable 15
The Policy Must Be Widely Distributed 16
The Policy Must Specify Sanctions for Violations 16
The Policy Must Include an Incident Response Plan for Security Breaches 16
Security Is an Ongoing Process 17

Network Security as a Process 17
Network Security as a Legal Issue 18

Foundation Summary 19

Security Policies 19

Security Policy Goals 19
Security Guidelines 20

Network Security as a Process 20

Q&A 21


Chapter 2 Attack Threats Defined and Detailed 23

“Do I Know This Already?” Quiz 23

Foundation Topics 27

Vulnerabilities 27

Self-Imposed Vulnerabilities 27
Lack of Effective Policy 28
Configuration Weakness 29
Technology Weakness 30


Threats 31
Intruder Motivation 31

Lack of Understanding of Computers or Networks 31
Intruding for Curiosity 32
Intruding for Fun and Pride 32
Intruding for Revenge 32
Intruding for Profit 32
Intruding for Political Purposes 33

Types of Attacks 33


Reconnaissance Attacks 34
Access Attacks 34
DoS Attacks 36

Foundation Summary 37

Vulnerabilities 37

Self-Imposed Vulnerabilities 37

Threats 38

Intruder Motivation 38

Types of Attacks 39

Q&A 40

Chapter 3 Defense in Depth 43

“Do I Know This Already?” Quiz 43

Foundation and Supplemental Topics 46

Overview of Defense in Depth 46

Components Used for Defense in Depth 47
Physical Security 51

Foundation Summary 52

Q&A 54

Part II Managing Cisco Routers 56

Chapter 4 Basic Router Management 59

“Do I Know This Already?” Quiz 59

Foundation Topics 63

Router Configuration Modes 63
Accessing the Cisco Router CLI 66

Configuring CLI Access 68

Cisco IOS Firewall Features 69

Foundation Summary 71

Router Configuration Modes 71
Accessing the Cisco Router CLI 72
Cisco IOS Firewall Features 72

Q&A 75


Chapter 5 Secure Router Administration 79


“Do I Know This Already?” Quiz 79

Foundation Topics 83

Privilege Levels 83
Securing Console Access 84
Configuring the Enable Password 84

enable secret 86

service password-encryption 87
Configuring Multiple Privilege Levels 87
Warning Banners 89
Interactive Access 90
Securing vty Access 90
Secure Shell (SSH) Protocol 91

Setting Up a Cisco IOS Router or Switch as an SSH Client 91

Port Security for Ethernet Switches 92

Configuring Port Security 93

Foundation Summary 95
Q&A 96

Part III Authentication, Authorization, and Accounting (AAA) 98

Chapter 6 Authentication 101


“Do I Know This Already?” Quiz 101

Foundation Topics 104

Authentication 104

Configuring Line Password Authentication 104
Configuring Username Authentication 105
Remote Security Servers 105
TACACS Overview 106
RADIUS Overview 107
Kerberos Overview 109

PAP and CHAP Authentication 109

PAP 110
CHAP 110
MS-CHAP 111

Foundation Summary 112
Q&A 113

Chapter 7 Authentication, Authorization, and Accounting 115

“Do I Know This Already?” Quiz 115

Foundation Topics 119

AAA Overview 119


Authentication 119
Authorization 120
Accounting 120
