Language: English
Pages: 577
Cisco IOS Security Configuration Guide......Page 1
Documentation Modules......Page 27
Supporting Documents and Resources......Page 30
Document Conventions......Page 31
World Wide Web......Page 32
Obtaining Technical Assistance......Page 33
Contacting TAC by Using the Cisco TAC Website......Page 34
Contacting TAC by Telephone......Page 35
Understanding Command Modes......Page 37
Getting Help......Page 38
Example: How to Find Command Options......Page 39
Using the no and default Forms of Commands......Page 41
Filtering Output from the show and more Commands......Page 42
Using Software Release Notes......Page 43
About This Guide......Page 45
Security Server Protocols......Page 46
Traffic Filtering and Firewalls......Page 47
Other Security Features......Page 48
Appendixes......Page 49
Two Levels of Security Policies......Page 50
Limiting the Scope of Access......Page 51
Keeping a Limited Number of Secrets......Page 52
Preventing Unauthorized Access into Networking Devices......Page 53
Preventing Unauthorized Access into Networks......Page 55
Preventing Fraudulent Route Updates......Page 56
Authentication, Authorization, and Accounting (AAA)......Page 57
About AAA Security Services......Page 59
Benefits of Using AAA......Page 60
Method Lists......Page 61
Where to Begin......Page 62
Enabling AAA......Page 63
What to Do Next......Page 64
Named Method Lists for Authentication......Page 65
Method Lists and Server Groups......Page 66
Method List Examples......Page 67
AAA Authentication Methods Configuration Task List......Page 68
Configuring Login Authentication Using AAA......Page 69
Login Authentication Using Local Password......Page 71
Login Authentication Using group group-name......Page 72
Configuring PPP Authentication Using AAA......Page 73
PPP Authentication Using Local Password......Page 74
PPP Authentication Using group group-name......Page 75
Configuring ARAP Authentication Using AAA......Page 76
ARAP Authentication Using Local Password......Page 78
ARAP Authentication Using Group group-name......Page 79
Configuring NASI Authentication Using AAA......Page 80
NASI Authentication Using Local Password......Page 81
NASI Authentication Using group group-name......Page 82
Enabling Password Protection at the Privileged Level......Page 83
Configuring Message Banners for AAA Authentication......Page 84
Configuring a Failed-Login Banner......Page 85
How Double Authentication Works......Page 86
Configuring Double Authentication......Page 87
Accessing the User Profile After Double Authentication......Page 88
Enabling Automated Double Authentication......Page 89
Configuring Line Password Protection......Page 91
Establishing Username Authentication......Page 92
Enabling CHAP or PAP Authentication......Page 93
Enabling PAP or CHAP......Page 94
Enabling Outbound PAP Authentication......Page 95
Refusing CHAP Authentication Requests......Page 96
Using MS-CHAP......Page 97
Authentication Examples......Page 98
RADIUS Authentication Examples......Page 99
TACACS+ Authentication Examples......Page 100
AAA Scalability Example......Page 101
Login and Failed Banner Examples......Page 102
Double Authentication Examples......Page 103
Configuration of the AAA Server for First-Stage (PPP) Authentication and Authorization Example......Page 104
Configuration of the AAA Server for Second-Stage (Per-User) Authentication and Authorization Exam.........Page 105
Complete Configuration with TACACS+ Example......Page 106
Automated Double Authentication Example......Page 109
MS-CHAP Example......Page 111
Named Method Lists for Authorization......Page 113
AAA Authorization Methods......Page 114
Method Lists and Server Groups......Page 115
AAA Authorization Configuration Task List......Page 116
Authorization Types......Page 117
Disabling Authorization for Global Configuration Commands......Page 118
Authorization Attribute-Value Pairs......Page 119
Named Method List Configuration Example......Page 120
TACACS+ Authorization Examples......Page 121
Reverse Telnet Authorization Examples......Page 122
Named Method Lists for Accounting......Page 125
Method Lists and Server Groups......Page 127
Network Accounting......Page 128
Connection Accounting......Page 131
EXEC Accounting......Page 133
System Accounting......Page 134
AAA Resource Failure Stop Accounting......Page 135
AAA Accounting Enhancements......Page 137
AAA Session MIB......Page 138
AAA Accounting Configuration Task List......Page 139
Accounting Types......Page 140
Accounting Methods......Page 141
Suppressing Generation of Accounting Records for Null Username Sessions......Page 142
Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records......Page 143
Configuring AAA Resource Accounting for Start-Stop Records......Page 144
Configuring AAA Session MIB......Page 145
Accounting Configuration Examples......Page 146
Configuring Named Method List Example......Page 147
Configuring AAA Broadcast Accounting Example......Page 149
AAA Session MIB Example......Page 150
Security Server Protocols......Page 151
About RADIUS......Page 153
RADIUS Operation......Page 154
RADIUS Configuration Task List......Page 155
Configuring Router to RADIUS Server Communication......Page 156
Configuring Router to Use Vendor-Specific RADIUS Attributes......Page 158
Configuring Router for Vendor-Proprietary RADIUS Server Communication......Page 159
Configuring Router to Expand Network Access Server Port Information......Page 160
Configuring AAA Server Groups......Page 161
Configuring AAA Server Groups with Deadtime......Page 162
Configuring AAA Server Group Selection Based on DNIS......Page 163
Configuring AAA Preauthentication......Page 165
Setting Up the RADIUS Profile for DNIS or CLID Preauthentication......Page 166
Setting Up the RADIUS Profile for Preauthentication Enhancements for Callback......Page 167
Setting Up the RADIUS Profile for Subsequent Authentication......Page 168
Setting Up the RADIUS Profile to Include the Username......Page 169
Setting Up the RADIUS Profile to Support Authorization......Page 170
Specifying RADIUS Accounting......Page 171
Configuring RADIUS Prompt......Page 172
RADIUS Attributes......Page 173
RADIUS Configuration Examples......Page 174
RADIUS Authentication, Authorization, and Accounting Example......Page 175
Vendor-Proprietary RADIUS Configuration Example......Page 176
Multiple RADIUS Servers with Global and Server-Specific Values Example......Page 177
Multiple RADIUS Server Entries Using AAA Server Groups Example......Page 178
AAA Server Group Selection Based on DNIS Example......Page 179
AAA Preauthentication Examples......Page 180
RADIUS User Profile with RADIUS Tunneling Attributes Example......Page 181
L2TP Access Concentrator Examples......Page 182
L2TP Network Server Examples......Page 183
About TACACS+......Page 185
TACACS+ Operation......Page 186
TACACS+ Configuration Task List......Page 187
Identifying the TACACS+ Server Host......Page 188
Configuring AAA Server Groups......Page 189
Configuring AAA Server Group Selection Based on DNIS......Page 190
Specifying TACACS+ Authorization......Page 191
TACACS+ Authentication Examples......Page 192
TACACS+ Authorization Example......Page 194
AAA Server Group Selection Based on DNIS Example......Page 195
TACACS+ Daemon Configuration Example......Page 196
About Kerberos......Page 197
Authenticating to the Boundary Router......Page 199
Authenticating to Network Services......Page 200
Configuring the KDC Using Kerberos Commands......Page 201
Creating SRVTABs on the KDC......Page 202
Configuring the Router to Use the Kerberos Protocol......Page 203
Copying SRVTAB Files......Page 204
Enabling Credentials Forwarding......Page 205
Establishing an Encrypted Kerberized Telnet Session......Page 206
Enabling Kerberos Instance Mapping......Page 207
Kerberos Configuration Examples......Page 208
Encrypted Telnet Session Example......Page 218
Traffic Filtering and Firewalls......Page 219
What Access Lists Do......Page 221
When to Configure Access Lists......Page 222
Creating Access Lists......Page 223
Assigning a Unique Name or Number to Each Access List......Page 224
Defining Criteria for Forwarding or Blocking Packets......Page 225
Finding Complete Configuration and Command Information for Access Lists......Page 226
The Cisco IOS Firewall Solution......Page 227
Creating a Customized Firewall......Page 228
Other Guidelines for Configuring Your Firewall......Page 232
In This Chapter......Page 235
When to Use Lock-and-Key......Page 236
Compatibility with Releases Before Cisco IOS Release 11.1......Page 237
Prerequisites to Configuring Lock-and-Key......Page 238
Configuring Lock-and-Key......Page 239
Dynamic Access Lists......Page 240
The autocommand Command......Page 241
Displaying Dynamic Access List Entries......Page 242
Lock-and-Key with Local Authentication Example......Page 243
Lock-and-Key with TACACS+ Authentication Example......Page 244
About Reflexive Access Lists......Page 245
With Basic Access Lists......Page 246
Temporary Access List Entry Characteristics......Page 247
Prework: Before You Configure Reflexive Access Lists......Page 248
Choosing an Interface: Internal or External......Page 249
Internal Interface Configuration Task List......Page 250
Mixing Reflexive Access List Statements with Other Permit and Deny Entries......Page 251
Nesting the Reflexive Access List(s)......Page 252
External Interface Configuration Example......Page 253
Internal Interface Configuration Example......Page 255
About TCP Intercept......Page 257
Enabling TCP Intercept......Page 258
Changing the TCP Intercept Timers......Page 259
Changing the TCP Intercept Aggressive Thresholds......Page 260
TCP Intercept Configuration Example......Page 261
About Context-Based Access Control......Page 263
Traffic Inspection......Page 264
Intrusion Detection......Page 265
How CBAC Works—Overview......Page 266
How CBAC Works—Details......Page 267
The CBAC Process......Page 269
CBAC Supported Protocols......Page 270
RTSP and H.323 Protocol Support for Multimedia Applications......Page 271
Memory and Performance Impact......Page 273
Picking an Interface: Internal or External......Page 274
Basic Configuration......Page 276
Configuring Global Timeouts and Thresholds......Page 278
Configuring Application-Layer Protocol Inspection......Page 280
Configuring Generic TCP and UDP Inspection......Page 283
Configuring Logging and Audit Trail......Page 284
Other Guidelines for Configuring a Firewall......Page 285
Verifying CBAC......Page 286
RTSP with TCP Only (Interleaved Mode)......Page 287
RTSP with RTP (IP/TV)......Page 288
Monitoring and Maintaining CBAC......Page 289
Generic Debug Commands......Page 290
Application Protocol Debug Commands......Page 291
SMTP Attack Detection Error Messages......Page 292
Audit Trail Messages......Page 293
CBAC Configuration Examples......Page 294
ATM Interface Configuration Example......Page 295
Remote Office to ISP Configuration Example......Page 297
Remote Office to Branch Office Configuration Example......Page 299
Two-Interface Branch Office Configuration Example......Page 302
Multiple-Interface Branch Office Configuration Example......Page 305
About the Firewall Intrusion Detection System......Page 313
Compatibility with Cisco Secure Intrusion Detection......Page 314
Functional Description......Page 315
Memory and Performance Impact......Page 316
Cisco IOS Firewall IDS Signature List......Page 317
Initializing Cisco IOS Firewall IDS......Page 322
Initializing the Post Office......Page 323
Configuring and Applying Audit Rules......Page 325
Monitoring and Maintaining Cisco IOS Firewall IDS......Page 327
Cisco IOS Firewall IDS Reporting to Two Directors Example......Page 328
Disabling a Signature Example......Page 329
Dual-Tier Signature Response Example......Page 330
About Authentication Proxy......Page 333
How the Authentication Proxy Works......Page 334
Operation Without JavaScript......Page 336
Using the Authentication Proxy......Page 337
When to Use the Authentication Proxy......Page 338
Applying the Authentication Proxy......Page 339
Compatibility with Other Security Features......Page 340
Compatibility with AAA Accounting......Page 341
Comparison with the Lock-and-Key Feature......Page 342
Prerequisites to Configuring Authentication Proxy......Page 343
Configuring AAA......Page 344
Configuring the Authentication Proxy......Page 346
Checking the Authentication Proxy Configuration......Page 347
Establishing User Connections with JavaScript......Page 348
Establishing User Connections Without JavaScript......Page 349
Displaying Dynamic ACL Entries......Page 350
Authentication Proxy Configuration Example......Page 351
Interface Configuration Example......Page 352
Authentication Proxy, IPSec, and CBAC Configuration Example......Page 353
Router 2 Configuration Example......Page 354
Router 1 Configuration Example......Page 357
Router 2 Configuration Example......Page 358
AAA Server User Profile Example......Page 360
CiscoSecure ACS 2.3 for Windows NT......Page 361
CiscoSecure ACS 2.3 for UNIX......Page 362
Livingston Radius Server......Page 363
Ascend Radius Server......Page 364
About Port to Application Mapping......Page 365
System-Defined Port Mapping......Page 366
User-Defined Port Mapping......Page 367
PAM Configuration Task List......Page 368
Verifying PAM......Page 369
Invalid Port Mapping Entry Example......Page 370
Mapping Different Applications to the Same Port Example......Page 371
IP Security and Encryption......Page 373
IPSec Encryption Technology......Page 375
Internet Key Exchange Security Protocol......Page 376
Configuring IPSec Network Security......Page 377
Supported Standards......Page 378
List of Terms......Page 379
Supported Switching Paths......Page 381
Overview of How IPSec Works......Page 382
Nesting of IPSec Traffic to Multiple Peers......Page 383
Setting Global Lifetimes for IPSec Security Associations......Page 384
How These Lifetimes Work......Page 385
Creating Crypto Access Lists......Page 386
Crypto Access List Tips......Page 387
Defining Mirror Image Crypto Access Lists at Each IPSec Peer......Page 388
Using the any Keyword in Crypto Access Lists......Page 389
Defining Transform Sets......Page 390
About Crypto Maps......Page 392
Creating Crypto Map Entries to Establish Manual Security Associations......Page 393
Creating Crypto Map Entries that Use IKE to Establish Security Associations......Page 395
Creating Dynamic Crypto Maps......Page 396
Applying Crypto Map Sets to Interfaces......Page 399
Monitoring and Maintaining IPSec......Page 400
IPSec Configuration Example......Page 401
In This Chapter......Page 403
Supported Standards......Page 404
Purpose of CAs......Page 405
Implementing IPSec Without CAs......Page 406
Implementing IPSec with CAs......Page 407
About Registration Authorities......Page 408
Managing NVRAM Memory Usage......Page 409
Configuring the Router's Host Name and IP Domain Name......Page 410
Declaring a Certification Authority......Page 411
Configuring a Root CA (Trusted Root)......Page 412
Requesting Your Own Certificates......Page 413
Requesting a Certificate Revocation List......Page 414
Deleting RSA Keys from Your Router......Page 415
Deleting Certificates from the Configuration......Page 416
What to Do Next......Page 417
CA Interoperability Configuration Examples......Page 418
Multiple CAs Configuration Examples......Page 420
In This Chapter......Page 421
Supported Standards......Page 422
List of Terms......Page 423
IKE Aggressive Mode Behavior......Page 424
Enabling or Disabling IKE......Page 425
Why Do You Need to Create These Policies?......Page 426
How Do IKE Peers Agree upon a Matching Policy?......Page 427
Which Value Should You Select for Each Parameter?......Page 428
Additional Configuration Required for IKE Policies......Page 429
Manually Configuring RSA Keys......Page 430
Setting ISAKMP Identity......Page 431
Specifying RSA Public Keys of All the Other Peers......Page 432
Configuring Mask Preshared Keys......Page 433
Configuring Preshared Keys Using a AAA Server......Page 434
Configuring Internet Key Exchange Mode Configuration......Page 435
Configuring Internet Key Exchange Extended Authentication (Xauth)......Page 436
Configuring Tunnel Endpoint Discovery (TED)......Page 437
TED Versions......Page 438
TED Restrictions......Page 439
IKE Configuration Examples......Page 440
Configuring Preshared Keys Using a AAA Server Example......Page 441
Configuring Xauth with Dynamic Crypto Map Example......Page 442
Other Security Features......Page 445
Protecting Access to Privileged EXEC Commands......Page 447
Protecting Passwords with Enable Password and Enable Secret......Page 448
Encrypting Passwords......Page 449
Setting the Privilege Level for a Command......Page 450
Recovering a Lost Enable Password......Page 451
Password Recovery Process......Page 452
Password Recovery Procedure 1......Page 453
Password Recovery Procedure 2......Page 454
Recovering a Lost Line Password......Page 456
Configuring Identification Support......Page 457
Defining an Enable Password for System Operators Examples......Page 458
Username Examples......Page 459
Benefits of Neighbor Authentication......Page 461
How Neighbor Authentication Works......Page 462
MD5 Authentication......Page 463
Key Management (Key Chains)......Page 464
Finding Neighbor Authentication Configuration Information......Page 465
IPSO Configuration Task List......Page 467
Specifying How IP Security Options Are Processed......Page 468
Configuring Extended IP Security Options......Page 469
Configuring the DNSIX Audit Trail Facility......Page 470
Specifying Transmission Parameters......Page 471
Example 1......Page 472
Example 3......Page 473
About Unicast Reverse Path Forwarding......Page 475
How Unicast RPF Works......Page 476
Per-Interface Statistics......Page 477
Implementing Unicast RPF......Page 479
Where to Use Unicast RPF......Page 480
Where Not to Use Unicast RPF......Page 483
Restrictions......Page 484
Related Features and Technologies......Page 485
Configuring Unicast RPF......Page 486
Dropped Boot Requests......Page 488
Monitoring and Maintaining Unicast RPF......Page 489
Unicast RPF with Inbound and Outbound Filters Example......Page 490
Unicast RPF with ACLs and Logging Example......Page 491
About Secure Shell......Page 493
Restrictions......Page 494
Prerequisites to Configuring SSH......Page 495
Configuring SSH Server......Page 496
Verifying SSH......Page 497
SSH Configuration Examples......Page 498
SSH on a Cisco 7200 Series Router Example......Page 499
SSH on a Cisco 7500 Series Router Example......Page 500
SSH on a Cisco 1200 Gigabit Switch Router Example......Page 502
Appendixes......Page 505
IETF Attributes Versus VSAs......Page 507
RADIUS Packet Format......Page 508
Dictionary File......Page 509
Users File......Page 510
Supported RADIUS IETF Attributes......Page 511
Comprehensive List of RADIUS Attribute Descriptions......Page 514
Supported Vendor-Proprietary RADIUS Attributes......Page 523
Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions......Page 528
RADIUS Vendor-Specific Attributes (VSA)......Page 535
RADIUS Disconnect-Cause Attribute Values......Page 541
TACACS+ Authentication and Authorization AV Pairs......Page 543
TACACS+ Accounting AV Pairs......Page 552
Index......Page 559
Index......Page 561