Sunday, March 14, 2010

CCNA Security 3

There are three general deployment scenarios for a Cisco IOS router:
1) Single Perimeter - The router alone establishes the trusted network boundary at the Internet edge and protects a single LAN.
2) Two Perimeters - A dedicated firewall establishes a second perimeter behind the router.
3) Screened Subnet - A DMZ is established on a firewall that is, in turn, deployed behind the Cisco IOS router.

Cisco ISRs features include:
1) USB Port - USB eToken, USB Flash
2) Unified Network Services - PVDM modules, Media Authentication and Encryption with SRST
3) Integrated Security - 3DES and AES, NAC
4) Mobility - 3G WAN, Wireless LAN
5) Application Intelligence - Performance routing, Cisco WAAS

Cisco IOS routers enforce no minimum password length by default (0 characters), but best practice is 10 characters or more; the security passwords min-length command makes the router reject shorter passwords when they are configured. You can apply a weak, reversible encoding (Type 7) to the plaintext passwords in the configuration through:
service password-encryption

However, Type 7 is so weak that anyone who can read the configuration can recover the passwords in seconds, for example by pasting them into one of the Internet "decryption" service sites. It only helps against shoulder surfing. For the privileged EXEC password, use enable secret (a salted MD5 hash, Type 5) rather than enable password, since a hash cannot be reversed the way a Type 7 string can.
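To show just how weak Type 7 is, here is an added example (not code from the original post) that implements the scheme in Python: IOS XORs each password byte with a fixed, published key, offset by a two-digit seed. The decoder works on any "password 7" or "key 7" line from a running configuration; the sample configuration at the bottom is constructed, not taken from a real device.

```python
"""Added example, not code from the original post: the Cisco IOS Type 7
scheme is a fixed-key XOR, so `service password-encryption` only hides
passwords from someone glancing at the screen. Sample config is constructed."""
import re

# The constant used by IOS for Type 7 (published and widely reimplemented).
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode a Type 7 string: a two-digit decimal seed followed by hex byte
    pairs, each XORed with the key byte at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        cipher_byte = int(encoded[pos:pos + 2], 16)
        out.append(cipher_byte ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)])
    return out.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce a Type 7 string as IOS would; the seed is the only variation."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses a two-digit seed in the range 00-15")
    out = ["%02d" % seed]
    for i, byte in enumerate(plain.encode("ascii")):
        out.append("%02X" % (byte ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]))
    return "".join(out)


# Matches "password 7 <hex>" and "key 7 <hex>" wherever they appear on a line.
TYPE7_LINE = re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)\s*$")


def reveal_type7_in_config(config_text: str):
    """Return (config line, recovered plaintext) for every Type 7 secret found,
    which is exactly what an attacker does with a leaked 'show run'."""
    hits = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
username admin password 7 0822455D0A16
line vty 0 4
 password 7 110A1A0B16
 login
"""

if __name__ == "__main__":
    for line, plain in reveal_type7_in_config(SAMPLE_CONFIG):
        print("%-45s -> %s" % (line, plain))
```

Running the script against the sample recovers both passwords instantly, which is the practical argument for keeping configurations out of ticketing systems and wikis, and for using enable secret and external AAA rather than relying on Type 7 lines.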

You can also create CLI views, much like views in database design: each view exposes only a subset of commands to the administrators who log into it (role-based CLI access). Views require AAA to be enabled (aaa new-model) and are created from the root view (enter it with enable view, authenticating with the enable secret) in global configuration mode:
conf t
parser view ISP
secret 0 secretlongpassword
commands exec include ping
commands exec include all show
commands exec include all configure
commands configure include access-list
commands configure include all interface
commands configure include all ip

The 0 means the secret is typed in clear text; IOS stores it as a hash. "include all" also grants every subcommand beneath the keyword, so "all configure" hands the view the whole configure command tree and "all ip" every ip sub-command in configuration mode; scope these as narrowly as the role allows. Verify the result from the root view with show parser view.

To log into the view, use:
enable view ISP

The five basic services that SDM manages are:
1) Wireless
2) Routing
3) Security
4) Switching
5) QoS

AAA stands for Authentication, Authorization and Accounting.

Cisco Secure ACS Solution Engine is an appliance-based solution. Cisco Secure ACS provides RADIUS and TACACS+ services. It also works with many external databases including Active Directory, LDAP, Novell Directory Services and ODBC. It is configured through a Web-based GUI.

RADIUS has rich accounting, while TACACS+ separates authentication from authorization and so supports customizable user-level policies such as per-command authorization. RADIUS uses UDP, officially ports 1812 (authentication) and 1813 (accounting); Cisco devices default to the older 1645/1646. TACACS+ uses TCP port 49. RADIUS encrypts only the password in the Access-Request and sends every other attribute in clear text, whereas TACACS+ encrypts the entire packet body. RADIUS is an open standard (RFC 2865/2866) implemented by many vendors, while TACACS+ is Cisco-proprietary.
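The difference in what each protocol encrypts is worth seeing in code. The following is an added example (not from the original post) implementing the RFC 2865 User-Password hiding used by RADIUS and the RFC 8907 body encryption used by TACACS+; all sample secrets, session ids and bodies are constructed values.

```python
"""Added example, not from the original post: how the two protocols protect
credentials on the wire. RADIUS (RFC 2865 section 5.2) hides only the
User-Password attribute, XORing it with MD5(shared secret + Request
Authenticator); every other attribute, such as User-Name, is cleartext.
TACACS+ (RFC 8907 section 4.5) XORs the entire packet body with an MD5 pad
derived from session id, key, version and sequence number. All sample
values below are constructed."""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865: pad the password with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA), c_n = p_n XOR MD5(S + c_{n-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above: anyone with the shared secret and a captured
    Access-Request recovers the password, which is why the secret must be
    long and the RADIUS path should itself be protected (IPsec, management VLAN)."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")  # strips padding; NUL-terminated passwords are not representable


def radius_access_request_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes):
    """Attribute list of an Access-Request as (type, value): only type 2
    (User-Password) is transformed; type 1 (User-Name) goes in clear."""
    return [(1, username), (2, radius_hide_password(password, secret, authenticator))]


def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated."""
    if len(session_id) != 4:
        raise ValueError("session_id is a 4-octet field")
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_crypt(body: bytes, session_id: bytes, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Encrypt or decrypt (same XOR operation) an entire TACACS+ body.
    0xC0 is major version 0xC, minor version 0."""
    return _xor(body, tacacs_pad(session_id, key, version, seq_no, len(body)))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)
    attrs = radius_access_request_attrs(b"admin", b"cisco", secret, ra)
    print("RADIUS attrs:", attrs)  # User-Name readable, User-Password 16 opaque bytes
    print("recovered:", radius_reveal_password(attrs[1][1], secret, ra))
    body = b"constructed TACACS+ authentication START body"
    enc = tacacs_crypt(body, b"\x00\x00\x00\x2a", secret)
    print("TACACS+ body on the wire:", enc.hex())
    print("decrypted:", tacacs_crypt(enc, b"\x00\x00\x00\x2a", secret))
```

Both schemes reduce to an MD5 keystream keyed by the shared secret, so neither gives confidentiality against anyone who has that secret; the operational difference is that a RADIUS capture leaks usernames, NAS addresses and every other attribute, while a TACACS+ capture leaks nothing but the header.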

When designing an AAA solution, remote administrative access to the router itself (console, aux and vty lines: Telnet, SSH) is known as character mode, and remote network access through the router (PPP, dial-up, VPN) is known as packet mode. Exec (login) policies define access to the router; network policies define access through the router.

To display a list of all local AAA users who have been locked out, use:
show aaa local user lockout

To display detailed statistics of all logged in users:
show aaa user all

To display the current sessions of users who have been authenticated by the AAA module:
show aaa sessions

The three main tasks in setting up external AAA are:
1) Configuring the AAA network (client and server, including the shared secret on both sides)
2) Setting up users in Cisco Secure ACS (or another AAA server)
3) Identifying the traffic to which AAA will be applied on the client (which lines or interfaces use which method list)
