Index
Numerics
3DES, 412
802.11 standards, RF bands, 348
802.1x attacks, mitigating, 254, 256
802.1x authentication, configuring
on Cisco Aironet Wireless Access Points, 342β343
on Cisco Catalyst switches, 337β342
A
services, 284
services, 282
services, 283
dependencies, 269
method lists, server groups, 281β282
AAA client server mode, AAA server, 290β291
ACCEPT response (TACACS+), 276
acceptable use policies, 10
access attacks, 208
Access Control Matrix, 13
access control process (CSA), 618
access modes (SSL VPN), 525
Access-Accept response (RADIUS), 272
Access-Request packets, 272
accounting, 269
AAA, 281
AAA service types, 284
ACLs (access control lists), 21, 49, 185β187
applying to interfaces, 30β31
classification ACLs, 48
configuring for PVLAN attack mitigation, 249β251
creating, 29
directionality, 32
distributed time-based, 45
downloadable IP ACLs, 293
established, 43
general guidelines, 36
iACLs, 47
inbound, 32
infrastructure ACLs, 62
MAC ACLs, 97
named, 39
names, assigning, 29
outbound, 33
packet flow rules, 33
Port ACLs, 94
rACLs, 46
reflexive, 42
Router ACLs, 94
time-based, 44
traffic characterization, 212β215, 218
transit ACLs, 47
Turbo ACLs, 46
VACLs, 95
when to use, 23
ACS. See Cisco Secure ACS
AD (anomaly detection), 597β598
Adaptive Security Algorithm, 150β152
application layer protocol inspection, 148β150
stateful packet inspection, 148
advanced Cisco IOS Firewall features
e-mail inspection engine, 128
Firewall ACL Bypass, 129
HTTP inspection engine, 127
router-generated traffic inspection, 131
transparent IOS Firewall, 130
advanced level 3 operation, CS-MARS, 686
advisory policies, 749
AES (Advanced Encryption Standard), 412
agent kit management (CSA), 626, 629
Agent User Interface control page (CSA MC), 632, 634
aggressive mode (IKE), 436
aging mechanisms (port security), 93
AH, 433
AIC (Application Inspection and Control), 136, 578
AIM (Adaptive Identification and Mitigation), 142
anomaly detection and mitigation systems, 641β643, 649β650
antenna, 349
anti-replay service, IPsec VPN, 434
APEC (Asia-Pacific Economic Cooperation), 766
APIPA (automatic private IP addressing), 27
application layer protocol inspection, 148β150
applying ACLs to interfaces, 30β31
ARC (Attack Response Controller), 593
ARP packets, rate limiting, 106
ARP spoofing, 209
ASDM (Cisco Adaptive Security Device Manager), 145
HTTP access, 77
ASR (Asymmetric Routing Support), 197
ASR (Attack Severity Rating), 584
assigning names to ACLs, 29
asymmetric key cryptography, 412, 416
atomic engines, 578
attack vectors, 208
attacks
access, 208
anomaly detection and mitigation systems, 641β643
DDoS, 641
Layer 2 mitigation techniques, 242
BPDU Guard, configuring, 252
DHCP snooping, configuring, 253β254
switch Port Security feature, 242β244
VLAN configuration, modifying, 247β249
VTP passwords, configuring, 246β247
Layer 3 mitigation techniques
traffic characterization, 212β215, 218
traffic classification, 224
traffic policing, 229
reconnaissance, 208
risk assessment, 211
security incident response, 256β257
authentication, 268. See also authentication protocols
AAA login methods, 280
AAA service types, 282
client-based, 352
MAC-based, 352
two-factor authentication systems
Cisco Secure ACS, support for, 315β316
S/KEY, 313
authentication protocols
RADIUS, 270
packets, 271
security, 273
TACACS+, 274
packets, 275
security, 277
authentication proxy, 114
authentication server (IEEE 802.1x), 331
authenticator (IEEE 802.1x), 330
authorization, 269
AAA, 280
AAA service types, 283
authorized port state, 332β333
autoloading device configuration, 70
AUX port, interactive device access, 65
availability, 9
B
banner tokens, 66
baselines, 12
basic level 1
operation, CS-MARS, 685
Biba security model, 13
BLM (Bell-LaPadula Model), 13
block cipher, 411
BOOTP, 69
BPDU Guard, 98
configuring for STP attack mitigation, 252
BPDUs (bridge protocol data units), 98
buffer overflows, 209
bypassing NAT
Identity NAT, 179
Policy NAT, 183
Static identity NAT, 180
C
CAA (Clean Access Agent), 380
cable-based failover, 196
CBAC (Context-Based Access Control), 114β115
audit trails, 117
configuring, 122
dynamic ACL entries, 119
embryonic sessions, 120
global timeouts/thresholds, configuring, 123
inspection rule, configuring, 123
interface, configuring, 122
IP access list, configuring, 123
packet inspection, 118
per-host DoS prevention, 120
session state table, 118
supported protocols, 121
threshold values, 118
timeout values, 118
traffic filtering, 116
traffic inspection, 116
verifying configuration, 126
CDP (Cisco Discovery Protocol), 68
certificate enrollment (PKI), 447β448
challenge/response OTP, 313
Chinese Wall security model, 13
CIDEE (Cisco Intrustion Detection Event Exchange), 576
Cisco AIP-SSM (ASA Advanced Inspection and Prevention Security Services Module), 567
Cisco Aironet Wireless LAN Access Point, configuring 802.1 authentication, 342β343
Cisco AnyConnect VPN Client, 192, 530
Cisco ASA 5500 Series Adaptive Security appliances, 143
software, 144
SSH access, 77
Telnet access, 76
Cisco ASDM (Adapative Security Device Manager), 732
features, 732
supported firewalls and software versions, 738
Syslog to Access Rule Correlation, 737
user requirements, 738
Cisco AutoMitigate, 672
Cisco Catalyst switches, 83
802.1 authentication, configuring, 337β342
ACLs
MAC ACLs, 97
Port ACLs, 94
Router ACLs, 94
advanced security features, CoPP, 107β109
FWSM module, 198
installing, 200
OS software, 199
port-level traffic control
protected ports, 85
storm control, 84
PVLANs, 85
port blocking, 91
SUP 720, CPU rate limiters, 109
Cisco Clean Access Manager, 379
Cisco ContextCorrelation, 672
Cisco DDoS Anomaly Detection and Mitigation solution, 643, 649
anomaly detection and mitigation process, 649β650
Cisco Guard DDoS Mitigation, 647β649
Cisco Traffic Anomaly Detector, 644β647
Cisco Easy VPN, implementing, 456β461
Cisco FWSM (Firewall Services Module), 143β144
Cisco Guard DDoS Mitigation, 647β649
Cisco IBNS (Identity-Based Networking Services), 327
Cisco Secure ACS, 328
external database support, 329
Cisco IDM (IPS Device Manager), 601, 740β741
system requirments, 742
Cisco IDSM-2 (IDS Service Module), 565β567
Cisco IOS Firewalls, 113
advanced features
e-mail inspection engine, 128
Firewall ACL Bypass, 129
HTTP inspection engine, 127
router-generated traffic inspection, 131
transparent IOS Firewall, 130
CBAC, 115
audit trails, 117
dynamic ACL entries, 119
embryonic sessions, 120
packet inspection, 118
per-host DoS prevention, 120
session state table, 118
supported protocols, 121
threshold values, 118
timeout values, 118
traffic filtering, 116
traffic inspection, 116
Cisco IOS Resilient Configuration, 67
Cisco IOS Software, Auto-Secure feature, 75β76
Cisco IPS 4200 Series sensors, 563β564
Cisco IPS appliance
IPS inline interface pair mode, configuring, 604β608
IPS inline VLAN pair mode, configuring, 601β603
Cisco IPS Sensor OS Software, 572β574
communication protocols, 575
IPS rate limiting, 594
security policies, 596
sensor software partitions, 577
TR, 584
user roles, 576
virtualization, 595
Cisco IPS-AIM, 568
Cisco NAC appliance, 376. See also Cisco NAC Framework solution
comparing with NAC framework, 378
components, 379
deployment scenarios, 380β381
Cisco NAC Framework solution, 382β383
concentrator support, 390
deployment scenarios, 391
posture states, 385
protocols, 385
router support, 388
security policy enforcement, 392
wireless access point support, 390
wireless LAN controllers support, 391
Cisco Network Intrusion Prevenion solutions, 562
Cisco AIP-SSM, 567
Cisco IPS 4200 Series sensors, 563β564
Cisco IPS-AIM, 568
Cisco IPS Sensor OS software, 572β574
communication protocols, 575
interface roles, 585, 588β589
IPS rate limiting, 594
security policies, 596
sensor software partitions, 577
TR, 584
user roles, 576
virtualization, 595
high availability
fail-open mechanism, 598β599
failover, 599
load-balancing, 600
Cisco PIX 500
SSH access, 77
Telnet access, 76
Cisco PIX 500 Series Security appliances, 140
software, 144
Cisco SDM (Cisco Router and Security Device Manager), 721
Cisco SDN (Self-Defending Network) solutions, 373, 767
Cisco NAC, 376
AAA client server model, AAA server, 290β291
for RADIUS-enabled token server, 317, 321
for RSA SecurID token server, 321β322
Dowloadable IP ACLs feature, 293
MAR, 295
NAC support, 296
NAF, 294
NAP, 296
NAR, 295
protocol compliance, RADIUS, 291β292
RAC, 294
shell command authorization sets, 294
SPC, 293
two-factor authentication systems, support for, 315β316
Cisco Secure ACS SE (Cisco Secure ACS Solution Engine), 307β308
Cisco SecureVector, 672
Cisco Security Appliance
Adaptive Security Algorithm, 150β152
Cisco AnyConnect VPN Client, 192
IP routing, 159
static route tracking, 160
static routes, 160
OS software, 145
redundant interfaces, configuring, 158β159
Routed Firewall mode, 146
security contexts, 152
routed mode, 153
Transparent Firewall mode, 146β147
Cisco Security Manager, 700
client/server requirements, 716β718
configuration views, 707β708
device management, 710
firewall management system, 703
platform management, 706
traffic flow requirements, 719β721
VPN management, 704
Cisco Traffic Anomaly Detector, 644β647
Cisco Trust and Identity Management Solutions, 326
Cisco IBNS, 327
Cisco Secure ACS, 328
external database support, 329
Cisco Unitifed Wireless Network solution, 368β370
Clark-Wilson security model, 13
classes of IP addresses, 24β26
classification ACLs, 48
Clean Access Server, 379
clear-text passwords, 55
client authentication, 352
Client mode (Cisco Easy VPN), 458
client/server requirements, Cisco Security Manager, 716β718
clientless Citrix support (SSL VPN), 527
Clientless Mode (SSL VPN), 525
COBIT (Control Objectives for Information and Related Technology), 752
versus ISO/IEC 27002, 753
βCode of Practice for Information Security Management,β 751
color-aware policing, 229
Command and Control interface (IPS), 585
command authorization, configuring with TACACS+, 285β286
commands
show interfaces rate-limit, 227
switcheport port-security, 93
community PVLAN ports, 86
comparing
Cisco NAC appliance and NAC framework solution, 378
hardware- and software-based firewalls, 140
MPLS VPN and IPsec VPN, 536β537
RADIUS and TACACS+, 278
VPLS and VPWS, 552
components
of Cisco NAC appliance, 379
of Cisco NAC Framework solution, 386, 388
of CSA, 622
concentrators supported on Cisco NAC Framework solution, 390
confidentiality, 9
configuration views (Cisco Security Manager), 707β708
configuring
classfication ACLs, 48
directionality, 32
distibuted time-based, 45
established, 43
iACLs, 47
named, 39
rACLs, 46
reflexive, 42
time-based, 44
transit ACLs, 47
Turbo ACLs, 46
CAR, 226
CBAC, 122
global timeouts/thresholds, 123
inspection rule, 123
interface, 122
IP access list, 123
verifying configuration, 126
Cisco Aironet Wireless Access Points, 802.1x authentication, 342β343
Cisco Catalyst switches, 802.1x authentication, 337β340, 342
Cisco DDoS Anomaly Detection and Mitigation solution, Cisco Traffic Anomaly Detector, 653β659
Cisco Guard DDoS Mitigation, Cisco Traffic Anomaly Detector, 660β666
Cisco IPS appliance
IPS inline interface pair mode, 604β608
IPS inline VLAN pair mode, 601β603
Cisco Security Appliance
failover, configuring, 195
redundant interfaces, 158β159
command authorization with TACACS+, 285β286
CSA, parameters, 636
CS-MARS, parameters, 691β693
DMVPN
DHDD topology, 483
hierarchical topology, 499β500
MHSD topology, 498
server load-balancing topology, 484β485
interactive device access via VTY, 63
IP Source Guard, 102
IP source tracking, 220
login authentication
password retry lockout, 286β287
MQC, 228
port security, 93
PPP, AAA using RADIUS, 285
TCP Intercept, 233
traffic policing, 229
connectionless VPN, 539
connection-oriented VPN, 539
console port, interactive device access, 62
CONTINUE response (TACACS+), 277
control plane, 108
CoPP (Control Plane Policing), 107
correlation, 616
CPL (Cisco Policy Language), configuring ZFW, 134β136
CPU rate limiters, 109
crypto map table, 474
crypto socket table, 474
cryptographic VPN technologies, 421
asymmetric key cryptography, 412, 416
symmetric key cryptography, 410β412
cryptosystems, 407
CSA (Cisco Security Agent), 614β615
access control process, 618
agent kit management, 626, 629
components, 622
configuration parameters, 636
correlation, 616
global correlation, 618
rule modules, 635
CSA MC (Management Console), 622β623
Agent User Interface control page, 632β634
CSA agent kit management, 626, 629
CSA group management, 630β632
CSA host management, 624β626
CS-MARS (Cisco Security Monitoring, Analysis, and Response System), 669
device support list, 675
event processing, 677
false positive processing, 678
incidents, 676
levels of operation, 685β687
mitigation devices, 685
reporting devices, 684
rules, 676
security threat mitigation, 672β674
sessions, 676
software versioning, 683
standalone deployment, 680β681
topological awareness, 674β675
web-based management interface, 689
custom signatures, configuring, 609β610
D
DAI (Dynamic ARP Inspection), 103
ARP packets, rate limiting, 106
ARP spoofing attacks, mitigating, 245β246
ARP validation checks, performing, 107
in DHCP environment, 105
in non-DHCP environment, 106
data link layer. See Layer 2 access control;Layer 2 attack mitigation techniques;Layer 2 security
data plane, 107
DCV (Device-Centric View), 707
debugging traffic with ACLs, 49
decryption, 408
default method lists (AAA), 279
deployment scenarios
for Cisco NAC appliance, 380β381
for Cisco NAC Framework solution, 391
for CS-MARS
levels of operation, 685β687
standalone deployment, 680β681
for MPLS VPN, 538
DES, 412
Detect mode (AD), 598
device management (Cisco Security Manager), 710
device security, 53
BOOTP, 69
CDP, 68
Cisco IOS Resilient Configuration, 67
device configuration, autoloading, 70
DHCP, 69
Finger, 69
FTP servers, 70
Gratuitous ARP, 72
HTTP, 73
infrastructure ACLs, 62
interactive access
via AUX port, 65
via console port, 62
IP directed broadcast, 72
IP mask reply, 72
IP source routing, 71
IP Unreachable, 73
NTP, 74
PAD, 70
password protection, 55
encryption, 57
strong passwords, creating, 56β57
physical security, 55
privilege levels, 61
Proxy ARP, 71
SNMP, 75
TCP/UDP small-servers, 69
TFTP, 70
user authentication, 60
DHCP (Dynamic Host Configuration Protocol), 69
configuring for DHCP spoofing attack mitigation, 253β254
DHCP Snooping, configuring, 100β102
DHCP spoofing attacks, mitigating, 253β254
DHDD (dual hub dual DMVPN) topology, 483
DHSD (dual hub single DMPVN) topology, configuring, 488β498
Diffie-Hellman algorithm, 414
Dijkstra algorithm, 163
directionality of ACLs, 32
distributed time-based ACLs, 45
DMVPN (Dynamic Multipoint VPN), 469β470
components, 472
data structures, 474
and GET VPN, 506
hub-and-spoke designs, 476
DHDD topology, 483
server load-balancing topology, 484β485
mesh spoke-to-spoke designs, 486
operation, 473
domino effect, 16
donβt care bits, 28
Downloadable IP ACLs, 293
DSA (Digital Signature Algorithm), 415
DVTI (dynamic VTI), 443
dynamic NAT, 173
configuring, 176
dynamic routing protocols, 473
E
EAP (Extensible Authentication Protocol), 334, 355, 385
EAP-TTLS, 359
LEAP, 364
technologies, comparing, 365β366
EAP-TTLS, 359
ECMP (equal-cost multiple path) forwarding, configuring, 162β163
EIGRP (Enhanced IGRP), configuring on Cisco Security Appliance, 168β170
e-mail inspection engine, 128
e-mail policies, 10
elite, 210
embryonic connections, 215
embryonic sessions, 120
encrypted passwords, 57
encryption, 408
access control process, 618
agent kit management, 626β629
components, 622
configuration parameters, 636
correlation, 616
global correlation, 618
rule modules, 635
endpoint software, 386
enforcement methods (Cisco NAC Framework), 392
Enterprise Mode (WPA), 354
ERROR response (TACACS+), 276
ESP, 432
established ACLs, 43
EtherChannel Guard, 99
ethics policies, 10
event management systems, 669
event processing in CS-MARS, 677
events, 676
examples of security policies, 10
EXEC banners, 65
external interfaces, 122
external zone (AD), 597
F
false positive processing in CS-MARS, 678
features
of Cisco ASDM, 732
of Cisco Security Manager, 700β702
Finger, 69
Firewall ACL Bypass, 129
firewall management system (Cisco Security Manager), 703
firewalls, 139
Adaptive Security Algorithm, security levels, 157β158
Cisco ASA 5500 Series Adaptive Security appliances, 143β144
Cisco IOS Firewall, 113
Cisco PIX 500 Series Security appliances, 140
software, 144
Cisco Security Appliance
Cisco AnyConnect VPN Client, 192
redundant interfaces, configuring, 158β159
Routed Firewall mode, 146
Transparent Firewall mode, 146β147
Cisco Security Appliance software, OS software, 145
FWSM, 198
installing, 200
OS software, 199
Identity NAT, 179
order of processing, 184
static NAT, 176
Policy NAT, 183
security contexts, 152
routed mode, 153
stateful packet inspection, 148
Static identity NAT, 180
flood engines, 578
flooding, 210
fraggle attacks, 212
frameworks, 751
COBIT, 752
versus ISO/IEC 27002, 753
FTP servers, 70
functional roles of CSA, 619, 622
FWSM (Firewalll Services Module), 198
installing, 200
OS software, 199
G
GAME (Generic Authorization Message Exchange), 386
GC (global controller) deployment, CS-MARs, 682β683
GCKS (Group Controller/Key Server), 507
GDOI (Group Domain of Interpretation), 507β511
GET (Group Entrusted Transport) VPN, 503
benefits of, 506
deployment options, 507
and DMVPN, 506
features of, 504
functional components, 507
group member ACL, 512
IP header preservation, 511
versus IPsec VPNs, 504
GLBA (Gramm-Leach-Bliley Act), 754
Cisco solutions for, 756
penalties for violations, 756
requirements, 755
global correlation, CSA, 618
Gratuitous ARP, 72
GRE (Generic Routing Encapsulation) protocol, 472
group management (CSA), 630β632
Group Member, 508
H
hackers, 210
hardening devices
BOOTP, 69
CDP, 68
Cisco IOS Resilient Configuration, 67
device configuration, autoloading, 70
DHCP, 69
Finger, 69
FTP servers, 70
Gratuitous ARP, 72
HTTP, 73
ICMP Unreachable, 73
infrastructure ACLs, 62
interactive access
via AUX port, 65
via console port, 62
IP directed broadcast, 72
IP mask reply, 72
IP source routing, 71
NTP, 74
PAD, 70
physical security, 55
privilege levels, 61
Proxy ARP, 71
SNMP, 75
TCP/UDP small-servers, 69
TFTP, 70
user authentication, 60
with password protection, 55
encryption, 57
strong passwords, creating, 56β57
hardware-based firewalls versus software-based, 140
hash value, 409
HCAP (Host Credential Authorization Protocol), 386
hierarchical DMVPN topology, configuring, 499β500
high availability, 598
IPS fail-open mechanism, 599
IPS failover mechanism, 599
load balancing, 600
HIPAA (Health Insurance Portability and Accountability Act), 757
Cisco solutions for, 759
penaties for violations, 758
requirements, 758
HMAC (keyed-hash message authentication code), 418
host management (CSA), 624β626
host-based attacks, life cycle, 614
HTTP (HyperText Transfer Protocol), 73
device access from ASDM, 77
HTTP inspection engine, 127
hub-and-spoke designs (DMVPN), 476
DHDD topology, configuring, 483
server load-balancing topology, configuring, 484β485
hybrid VPNs, 425
I
I&A (identification and authentication, 311
iACLs (infrastructure protection ACLs), 47
IBNS (Identity-Based Networking Services), 326
ICMP flood attacks, characterizing, 212β215
IDAPI, 576
IDCONF, 576
identification, 311
Identity NAT, 179
IDIOM, 576
idle time, 93
IDM (Cisco IPS Device Manager), 78, 601, 740β742
IDS (intrusion detection systems), 561
IEEE 802.1x, 332
components of, 330
EAP methods, 334
multipoint solution, deploying, 335β336
point-to-point solution, deploying, 334
IEEE 802.11 protocol standards, 348
IETF L3VPN, 550
IETF website, 534
IKE (Internet Key Exchange), 435β437
illegal zone (AD), 597
implementing
ACLs, 36
IPsec VPN, 449
Inactive mode (AD), 598
in-band mode (Cisco NAC Appliance), 381
inbound ACLs, 32
incidents, 676
incoming banners, 66
Information Flow security model, 13
information sensitivity policies, 10
informative policies, 749
infrastructure ACLs, 62
initializing
Cisco DDoS Anomaly Detection and Mitigation solution, Cisco Traffic Anomaly Detector, 655β656
Cisco Guard DDoS Mitigation, Cisco Traffic Anomaly Detector, 661β662
inline-on-a-stick, 592
inline interface mode (IPS sensor software), 591
installing FWSM module, 200
integrity, 9
interfaces, applying ACLs to, 30β31
intermediate level 2 operation, CS-MARS, 685
internal interfaces, 122
internal zone (AD), 597
inverse masks, 28
IP addressing, 23
inverse masks, 28
private addresses, 26
subnet masks, 28
IP directed broadcast, 72
IP header preservation, 511
IP mask reply, 72
IP named ACLs, 39
IP routing, 159
static route tracking, 160
static routes, 160
IP Source Guard, 102
IP source routing, 71
using IP Source Guard, 222
using uRPF, 222
IP Unreachable, 73
IPS (Intrusion Prevention Systems), 561
Cisco AIP-SSM, 567
Cisco IPS 4200 Series sensors, 563β564
Cisco IPS Sensor OS Software, 572β574
communication protocols, 575
IPS rate limiting, 594
security policies, 596
sensor software partitions, 577
TR, 584
user roles, 576
virtualization, 595
Cisco IPS-AIM, 568
high availability, 598
IPS fail-open mechanism, 599
IPS failover mechanism, 599
load-balancing, 600
WLAN IPS solution, 367
IPS 4200 series applance sensors, 78
ACLs, 79
HTTP/HTTPS access, 79
SSH access, 79
Telnet access, 79
user accounts, 80
IPS blocking, configuring, 609β610
IPS fail-open mechanism, 599
IPS failover mechanism, 599
IPS inline interface pair mode, configuring, 604, 606β608
IPS inline VLAN pair mode, configuring, 601β603
IPS management (Cisco Security Manager), 704β705
IPsec VPN, 425
anti-replay service, 434
components, 472
data structures, 474
hub-and-spoke designs, 476β485
mesh spoke-to-spoke designs, 486β500
operation, 473
IKE, 435
implementing, 449
ISAKMP profiles, 441
phase 1 negotiation, 436
phase 2 negotiation, 437
profiles, 443
remote access
implementing, 455
site-to-site, implementing, 451β455
versus GET VPNs, 504
versus SSL VPNS, 522
IPv4, 23
IPv6, 23
IRT (Incident Response Team), 257β258
5-step reaction process, 259β261
ISAKMP, 435
profiles, 441
islands of security, 15
ISM (Industrial, Scientific, and Medical) radio spectrum, 348
ISO/IEC 17799 specification, 751β752
ISO/IEC 27001 specification, 752
ISO/IEC 27002 specification, 752
versus COBIT, 753
isolated PVLAN ports, 86
L
L2VPN, 551
service architectures, 552
L3 VPN, 542
components, 543
VRF tables, 543
label switching, 533
in MPLS, 536
Lattice security model, 13
Layer 2 access control
Cisco Trust and Identity Management Solutions, 326
IEEE 802.1x, 332
components, 330
EAP methods, 334
multipoint solution, deploying, 335β336
point-to-point solution, deploying, 334
Layer 2 attack mitigation techniques, 242
BPDU Guard, configuring, 252
DHCP snooping, configuring, 253β254
ROOT Guard, configuring, 252β253
switch Port Security feature, 242β244
VLAN configuration, modifying, 247β249
Layer 2 security, 83
best practices, 109
Layer 3 attack mitigation techniques
IP spoofing, 220
using uRPF, 222
NBAR
PDLM, 231
protocol discovery, 230
NetFlow, 239
PBR, 234
TCP Intercept, 232
as firewall feature, 234
configuring, 233
traffic characterization, 212
traffic classification, 224
traffic policing, 229
LC (local controller) deployment, CS-MARs, 680β681
LDP (Label Distribution Protocol), 535
LEAP (Lightweight EAP), 364
Learn mode (AD), 598
legislation for regulatory compliance, 754
GLBA, 754
Cisco solutions for, 756
penalties for violations, 756
requirements, 755
HIPAA, 757
Cisco solutions for, 759
penalties for violations, 758
requirements, 758
in Asia-Pacific region, 766
in Europe, 766
in USA, 765
SOX, 760
Cisco solutions for, 764
penalties for violations, 763
LFIB (Label Forwarding Information Base), 535
load balancing, 600
login authentication
configuring with TACACS+, 285β286
password retry lockout, configuring, 286β287
login banners, 65
Loop Guard, 99
loop prevention, STP
BPDU guard, 98
EtherChannel Guard, 99
Loop Guard, 99
root guard, 98
lost passwords, recovering, 56β60
LSP (Label Switch Path), 535
LSRs (Label Switch Routers), 534
M
MAC ACLs, 97
MAC authentication, 352
main mode (IKE), 436
management plane, 107
MAR (Machine Access Restrictions), 295
mathematical algorithm OTP, 312
MD (Message Digest) algorithms, 416
mechanics of Cisco NAC Framework solution, 383β384
mesh spoke-to-spoke designs (DMVPN), 486
DHSD topology, configuring, 488β498
hierarchical topology, configuring, 499β500
MHSD topology, configuring, 498
meta engine, 579
method lists, configuring server groups, 281β282
MHSD (multihub single DMPVN) topology, configuring, 498
mitigating
replay attacks with OTP, 313
mitigation devices, 685
MITM attacks, 209
monitor mode, Cisco SDM, 728β729
MOTD banners, 65
MP-BGP Peering, 543
MPF (Modular Policy Framework), 190
MPLS (Multi-Protocol Label Switching)
core architecture, 534
label switching, 536
LFIB, 535
LSP, 535
LSRs, 534
packet forwarding, 536
MPLS Forwarding, 543
MPLS VPN, 533
deployment scenarios, 538
L2VPN, 551
service architectures, 552
L3 VPN, 542
components, 543
VRF tables, 543
MQC (Modular QoS CLI), Unconditional Packet Discard feature, 227
MSFC (Multilayer Switch Feature Card) placement
in multiple context mode, 201
in single context mode, 200
multifactor authentication, I&A, 311
multilayer perimeter solution, 15
multipoint 802.1x solution, deploying, 335β336
multistring engine, 579
MVP (Multi-Verification Process) architecture, 647
MyDoom worm, 619
N
NAC (Network Access Control), 296, 326, 375
Cisco NAC, 376
for WLANs, 366
noncompliant hosts, handling, 375
NAC framework, comparing with Cisco NAC appliance, 378
NAC-L2-802.1x (Cisco NAC Framework), security policy enforcement, 399β401
NAC-L2-IP (Cisco NAC Framework), security policy enforcement, 396β399
NAC-L3-IP (Cisco NAC Framework), security policy enforcement, 394β396
NAF (Network Access Filter), 294
named ACLs, 39
named method lists (AAA), 279
NAP (Network Access Profiles), 296
NAR (Network Access Restrictions), 295
dynamic NAT, 173
configuring, 176
dynamic PAT, 174
configuring, 176
Identity NAT, 179
NAT Exemption, 182
order of processing, 184
Policy NAT, 183
Static identity NAT, 180
static NAT, configuring, 176
NAT exemption, 182
NBAR (Network Based Application Recognition), 230
PDLM, 231
protocol discovery, 230
NetFlow, 239
Network Extension mode (Cisco Easy VPN), 458
Network Extension Plus+ mode (Cisco Easy VPN), 459
NHRP (Next Hop Resolution Protocol), 472
NHRP mapping table, 474
noncryptographic VPN technologies, 421
nonstateful failover mode, 194
normalizer engine, 579
NTP (Network Time Protocol), 74
numbers, assigning to ACLs, 29
O
one-step lockdown feature, Cisco SDM, 726β728
βopen-accessβ policy, 351
open authentication, 352
OSI model, data link layer, 83
OSPF (Open Shortest Path First), 163
configuring on Cisco Security Appliance, 164β167
OTP (one-time passwords), 312
replay attacks, countering, 313
S/KEY, 313
outbound ACLs, 33
out-of-band mode (Cisco NAC Appliance), 381
P
packet classification, 224
packet flow rules (ACLs), 33
packet forwarding in MPLS, 536
packet sniffing, 210
packets
ARP, rate limiting, 106
RADIUS, 271
TACACS+, 275
PACLs (per-port VLAN ACL), 223
PAD, 70
PAM (Port-to-Application Mapping), 114
pass phrases, 56
password cracking, 209
password policies, 11
password protection, 55
encryption, 57
strong passwords, creating, 56β57
password recovery, 56
password retry lockout, configuring, 286β287
passwords, OTP, 312
replay attacks, countering, 313
S/KEY, 313
PBR (policy-based routing), 234
PCV (Policy-Cenric View), 708
PDIOO model, 6
PDLM (Packet Description Language Module), 231
PDM (Cisco PIX Device Manager), 739β740
PE (Provider Edge) routers, 534
PEAP (Protected EAP), 362β364
enabling for 802.1x attack mitigation, 254β256
percentage-based policing and shaping, 229
Personal Mode (WPA), 354
physical security, 55
ping sweeps, 209
PKCS (Public-Key Cryptography Standards), 415
PKI (Public Key Infrastructure), 445
certificate enrollment, 447β448
plaintext, 408
platform management (Cisco Security Manager), 706
point-to-point 802.1x solution, deploying, 334
policies, 635
configuring on Cisco Traffic Anomaly Detector, 658
policing, 229
Policy NAT, 183
Port ACLs, 94
port blocking, 91
port scanning, 209
Port Security feature
CAM table overflow attacks, mitigating, 242β243
MAC spoofing attacks, mitigating, 243β244
port-level traffic control
protected ports, 85
storm control, 84
ports required for CS-MARS operation, 687β689
posture states (Cisco NAC Framework solution), 385
PPP (Point-to-Point Protocol), configuring AAA using RADIUS, 285
private IP addresses, 26
privilege levels, 61
professional attackers, 210
profiles
IPsec, 443
SPC, 293
promiscuous mode (IPS sensor software), 589
promiscuous PVLAN ports, 86
protect mode (port security), 92
protected ports, 85
protocol compliance (Cisco Secure ACS), RADIUS, 291β292
protocol headers, IPsec VPN, 432, 434
protocols in Cisco NAC Framework solution, 385
Proxy ARP, 71
PVLAN attacks, mitigating, 249β251
PVLAN edge, 85
PVLANs, 85
configuring, 89β 91
port blocking, 91
configuring, 93
secondary VLANs, 87
support for on Catalyst switches, 88
R
RAC (RADIUS Authorization Components), 294
rACls (receive ACLs), 46
radio waves, 347
Cisco Secure ACS compliance with, 291β292
packets, 271
password encryption, 273
PPP, configuring AAA, 285
security, 273
versus TACACS+, 278
RADIUS-enabled token server, configuring Cisco Secure ACS, 317β321
rate limiting, 594
ARP packets, 106
RBAC (Role-Based Access Control), 711β712
RDEP2, 576
reconnaissance attacks, 208
recovering lost passwords, 56β60
redundant interfaces, configuring on Cisco Security Appliance, 158β159
reflexive ACLs, 42
regulatory policies, 749
legislation, 754
in Asia-Pacific region, 766
in Europe, 766
in USA, 765
REJECT response (TACACS+), 276
remote access IPsec VPN
Cisco Easy VPN, implementing, 456β461
implementing, 455
replay attacks, countering with OTP, 313
reporting devices, 684
restrict mode (port security), 92
RF bands in 802.11 standards, 348
RFC 1918, 26
RFCs, IPsec VPN-related, 426β428, 430
RIP, configuring on Cisco Security Appliance, 167β168
RIRs (Regional Internet Registries), 27
risk assessment, 211
Layer 2 mitigation techniques, 242
BPDU Guard, configuring, 252
DHCP snooping, configuring, 253β254
switch Port Security feature, 242β244
VLAN configuration, modifying, 247β249
Layer 3 mitigation techniques
traffic characterization, 212β218
traffic classification, 224
traffic policing, 229
risk assessment policies, 11
ROOT Guard, configuring for STP attack mitigation, 252β253
root guard, 98
Routed Firewall mode (Cisco Security Appliance), 146
routed mode, multiple security contexts, 153
Router ACLs, 94
router security audit feature, Cisco SDM, 725
router-generated traffic inspection, 131
routers supported on Cisco NAC Framework solution, 388
routers supported on Cisco SDM, 729β730
RSA algorithm, 414
RSA SecurID token server, configuring Cisco Secure ACS, 321β322
RTT (Round Trip Time), 216
rule modules, 635
rules, 676
S
S/KEY, 313
Safe Blueprint, 6
script kiddies, 210
SDEE (Security Device Event Exchange), 576
SDM (Cisco Router and Security Device Manager)
one-step lockdown feature, 726β728
router security audit feature, 725
supported rotuers and IOS versions, 729β730
system requirements, 730β731
SDN (Cisco Self-Defending Network), 373
Cisco NAC, 376
secondary VLANs, 87
secure VPN, 424β425, 540. See also IPsec VPN
anti-replay service, 434
IKE, 435
ISAKMP profiles, 441
phase 1 negotiation, 436
phase 2 negotiation, 437
profiles, 443
security contexts, 152
routed mode, 153
security incident response, 256β257
5-step reaction process, 259β261
security policies, 9β10, 596, 616, 749
device security policy, 53
enforcement, Cisco NAC Framework solution, 392
security violation modes (port security), 92
security zones, 133
sensing interface (IPS), 586
server groups, configuring, 281β282
service engine, 579
services
accounting, 284
authentication, 282
authorization, 283
sessions, CS-MARS, 676
SFR (Signature Fidelity Rating), 584
SHA (Secure Hash Algorithm), 418
shared-key authentication, 352
shell command authorization sets, 294
shift in security paradigm, 7
show interfaces rate-limit command, 227
SHSD (single hub single DMVPN) topology, 477β482
shutdown mode (port security), 92
signatureless endpoint security, 614
custom, configuring, 609β610
single-channel TCP/UDP inspection, 121
site-to-site IPsec VPNs, implementing, 451β455
SLB (server load-balancing) topology, configuring, 484β485
SLIP-PPP banner messages, 66
smurf attacks, characterizing, 212, 214β215
SNMP (Simple Network Management Protocol), 75
software versioning, CS-MARS, 683
software-based firewalls versus hardware-based, 140
source routing, 71
SOX (Sarbanes-Oxley Act), 760
Cisco solutions for, 764
penalties for violations, 763
SPC (Shared Profile Components), 293
SPI (stateful packet inspection), 114
spread-spectrum technology, 347
SSH (Secure Shell)
device access from Cisco PIX 500, ASA 5500, 77
device access, configuring, 64
SSID (Service Set Identifiers), 351
SSL VPNs
access methods, 525
Cisco AnyConnect VPN Client, 530
Citrix support, 527
deployment options, 524
standalone deployment, CS-MARS, 680β681
state engine, 579
stateful failover mode, 194
stateful packet inspection, 148
static identity NAT, 180
static NAT, configuring, 176
static PAT, 178
static route tracking, 160
static routes, 160
static WEP, 353
STM (security threat mitigation) systems, CS-MARS, 672β675
storm control, 84
STP
BPDU guard, 98
EtherChannel Guard, 99
Loop Guard, 99
Root Guard, 98
STP attacks, mitigating, 252β253
stream cipher, 410
string engine, 579
subnet masks, 28
SUP 720, CPU rate limiters, 109
supplicant (IEEE 802.1x), 330
supported devices on Cisco Security Manager, 715β716
supported firewalls on Cisco ASDM, 738
supported routers on Cisco SDM, 729β730
SVTI (static VTI), 443
sweep engine, 579
switches supported on Cisco NAC Framework solution, 388β390
switchport port-security command, 93
symmetric key cryptography, 410β412
SYN attacks, characterizing, 215, 218
Syslog to Access Rule Correlation (Cisco ASDM), 737
system requirements
for Cisco IDM, 742
T
TACACS+, 274
command authorization, configuring, 285β286
login authentication, configuring, 285β286
packets, 275
security, 277
versus RADIUS, 278
tag switching, 533
TCP hijacking, 209
TCP Intercept, 232
as firewall feature, 234
configuring, 233
TCP normalization, 145
TCP/UDP small-servers, 69
TCV (Topology-Centric View), 708
TDP (Tag Distribution Protocol), 535
Telnet, configuring device access, 63
from Cisco PIX 500, 76
TFTP (Trivial File Transfer Protocol), 70
Thick Client Mode (SSL VPN), 525
Thin Client Mode (SSL VPN), 525
threat modeling, 211
time-based ACLs, 44
time-synchronized OTP, 313
TKIP (Temporal Key Integrity Protocol), 353
TLS (Transport Layer Security) protocol, 521
RADIUS-enabled token server, configuring Cisco Secure ACS, 317β321
RSA SecurID token server, configuring Cisco Secure ACS, 321β322
topological awareness of CS-MARS, 674β675
TR (Threat Rating), 584
traffic anomaly engine, 579
traffic characterization, 212
traffic classification, 224, 227
traffic flow requirements, Cisco Security Manager, 719, 721
traffic flows in CS-MARS, 687β689
traffic ICMP engine, 579
traffic marking, 224
traffic policing, 229
traffic, debugging, 49
transit ACLs, 47
Transparent Firewall mode (Cisco Security Appliance), 146β147
transparent IOS Firewall, 130
transparent mode, multiple security contexts, 153β155
transport mode (IPsec), 430
tree-based DMVPN topology, configuring, 499β500
trojan engine, 579
Trojans, 209
comparing L2 and L3 VPNs, 540β541
L2VPN, 551
service architectures, 552
L3 VPN, 542
components, 543
VRF tables, 543
tunnel mode (IPsec), 430
Turbo ACLs, 46
TVR (Target Value Rating), 584
two-factor authentication systems
Cisco Secure ACS, support for, 315β316
S/KEY, 313
Two-Rate Policing, 229
Type 5 passwords, 55
Type 7 passwords, 55
U
unauthorized port state, 332β333
Unconditional Packet Discard feature (MQC), 227
antispoofing, 222
user authentication, 60
user requirements, Cisco ASDM, 738
V
VACLs (VLAN ACLs), 95
verifying CBAC configuration, 126
VFR (Virtual Fragmentation and Reassembly), 130β131
virtualization, 595
viruses, 208
VLAN configuration, modifying for VLAN hopping attack mitigation, 247β249
VPLS (Virtual Private LAN Service), 552
implementing, 554
VPN management (Cisco Security Manager), 704
VPN Route Target Communities, 543
VPNs, 420
connection-oriented, 539
connectionless, 539
extranet VPNs, 420
GET VPNs, 503
benefits of, 506
deployment options, 507
DMVPN, 506
features of, 504
functional components, 507
group member ACL, 512
IP header preservation, 511
versus IPsec VPNs, 504
hybrid VPNs, 425
Internet VPNs, 420
intranet VPNs, 420
IPsec VPN, 425
anti-replay service, 434
IKE, 435
ISAKMP profiles, 441
phase 1 negotiation, 436
phase 2 negotiation, 437
profiles, 443
for WLANs, 367
MPLS VPN, 533
deployment scenarios, 538
SSL
access methods, 525
Cisco AnyConnect VPN Client, 530
Citrix support, 527
deployment options, 524
Trusted VPN technologies, 424, 540
comparing L2 and L3 VPNs, 540β541
VPWS (Virtual Private Wire Service), 552β553
VRF tables, 543
VTP passwords, mitigating VTP attacks, 246β247
VTY port, interactive device access, 63β64
W
web-based management interface, CS-MARS, 689
websites, IETF, 534
WEP (Wired Equivalent Privacy), 353
Wi-FI Alliance, 348
wireless access points supported on Cisco NAC Framework solution, 390
wireless bridges, 349
wireless LAN controllers supported on Cisco NAC Framework solution, 391
wireless NIC, 349
wire-speed ACLs. See VACLs
WLAN IPS solution, 367
WLANs, 347
AP, 349
Cisco Unitifed Wireless Network solution, 368β370
components of, 349
IEEE protocol standards, 348
NAC, 366
security, 350
attacks, mitigating, 367β368
available technologies, 351
client authentication, 352
EAP, 355
EAP-TTLS, 359
LEAP, 364
MAC authentication, 352
βopen-accessβ policy, 351
SSID, 351
WEP, 353
spread-spectrum technology, 347
VPN IPsec, 367
wireless NIC, 349
workflow mode (Cisco Security Manager), 710β711
worms, 208
WPA (Wi-Fi Protected Access), 353β354
WPA2, 354
X-Y-Z
zero-day attacks, MyDoom worm, 619
ZFW (Zone-Based Policy Firewall), 115, 132
AIC, 136
security zones, 133
zone filters, configuring on Cisco Traffic Anomaly Detector, 657
zones (AD), 597