Developed in collaboration with a training and certification team from Cisco, Computer Network Security is an exploration of the state-of-the-art and good practices in setting up a secure computer system. Concrete examples are offered in each chapter, to help the reader to master the concept and apply the security configuration. This book is intended for students preparing for the CCNA Security Exam (210-260 IINS)? whether at professional training centers, technical faculties, or training centers associated with the �Cisco Academy� program. It is also relevant to anyone interested in computer security, be they professionals in this field or users who want to identify the threats and vulnerabilities of a network to ensure better security. Sadiqui A. Computer Network Security 1 Title 5 Copyright 6 Contents 7 Preface 13 Introduction 15 Introduction to CCNA Security 15 Prerequisites 15 Conventions for command syntax 15 1. Fundamentals of Network Security 17 1.1. Introduction 17 1.1.1. The main objectives of securing a network 18 1.1.2. Information security terminology 18 1.2. Types of network security 20 1.2.1. Physical security 20 1.2.2. Logical security 20 1.2.3. Administrative security 21 1.3. The main risks related to the logical security of the network 21 1.3.1. Different kinds of network attacks 21 1.3.2. Network security measures 23 1.3.3. Vulnerability audit measures 24 1.4. Exercises to test learning 24 2. Securing Network Devices 31 2.1. Types of network traffic 31 2.2. Securing the management plan 32 2.3. Securing passwords 32 2.4. Implementing connection restrictions 33 2.4.1. Configuring a login banner 33 2.4.2. Configuring connection parameters 33 2.5. Securing access through console lines, VTY and auxiliaries 34 2.5.1. Securing access through the console line and deactivating the auxiliary line 34 2.5.2. Securing VTY access with ssh 34 2.6. Allocation of administrative roles 35 2.6.1. Privilege levels of the IOS system 35 2.6.2. Configuring a privilege level 35 2.6.3. Setting a privilege level per user 36 2.6.4. Setting a privilege level for console, VTY, and auxiliary line access 36 2.6.5. Securing access with the management of “views” and “super-views 37 2.6.6. Securing configuration files and the IOS system 38 2.6.7. Using automated security features 39 2.7. Securing the control plane 40 2.7.1. Introduction 40 2.7.2. MD5 authentication 40 2.7.3. Configuring OSPF protocol authentication 40 2.7.4. Configuring EIGRP protocol authentication 41 2.7.5. Configuring RIP authentication 42 2.8. Exercises for application 42 3. Supervising a Computer Network 57 3.1. Introduction 57 3.2. Implementing an NTP server 58 3.2.1. Introduction to the NTP 58 3.2.2. How the NTP works 58 3.2.3. NTP configuration 59 3.3. Implementing a Syslog server 60 3.3.1. Introduction to the Syslog 60 3.3.2. How Syslog works 61 3.3.3. Configuring a Syslog client 62 3.4. Implementing the Simple Network Management Protocol (SNMP) 62 3.4.1. Introducing the SNMP 62 3.4.2. How SNMP works 63 3.4.3. SNMP configuration 65 3.5. Exercises for application 66 4. Securing Access Using AAA 83 4.1. Introduction 83 4.2. AAA authentication 84 4.2.1. Local AAA authentication 84 4.2.2. AAA authentication based on a server 85 4.3. AAA authorizations 87 4.4. AAA traceability 87 4.5. Exercises for application 88 5. Using Firewalls 95 5.1. Introducing firewalls 96 5.2. Types of firewalls 96 5.3. Setting up a firewall 96 5.4. Different firewall strategies 97 5.5. ACL-based firewalls 97 5.5.1. Introduction 97 5.5.2. The location of ACLs 97 5.5.3. IPv4 ACLs 97 5.5.4. IPv6 ACLs 98 5.5.5. ACL recommendation 99 5.6. Zone-based firewalls 100 5.6.1. Introduction 100 5.6.2. Types of security zones in a network 100 5.6.3. Rules applied to interzone traffic 101 5.6.4. Terminology 102 5.6.5. Configuring a ZFW 102 5.7. Creating zones 102 5.8. Creating Class-Maps 102 5.9. Creating the Policy-Map to apply the Class-Maps 103 5.10. Defining the zone pairs 103 5.11. Applying the policy maps to the zone pairs 103 5.12. Assigning interfaces to zones 103 5.13. Exercises for application 104 6. Putting in Place an Intrusion Prevention System (IPS) 117 6.1. Introduction to a detector 118 6.2. The differences between an IDS and an IPS 118 6.3. Types of IPS 119 6.4. Cisco IP solutions 119 6.5. Modes of deploying IPS 119 6.6. Types of alarms 120 6.7. Detecting malicious traffic 120 6.7.1. Modes of detection 120 6.7.2. Signature-based detection 120 6.7.3. Other modes of detecting malicious traffic 121 6.8. Signature micro-engines 122 6.9. Severity levels of the signatures 123 6.10. Monitoring and managing alarms and alerts 124 6.11. List of actions to be taken during an attack 124 6.12. Configuration of an IOS IPS 125 6.13. Recommended practices 127 6.14. Exercises for application 128 7. Securing a Local Network 141 7.1. Introduction 141 7.2. Types of attacks on Layer 2 142 7.2.1. MAC address flooding attacks 142 7.2.2. MAC spoofing attack 143 7.2.3. The DHCP starvation attack 143 7.2.4. VLAN hopping attacks 144 7.2.5. STP-based attacks 146 7.3. The best security practices for protecting Layer 2 147 7.4. Exercises for application 148 8. Cryptography 159 8.1. Basic concepts in cryptography 159 8.1.1. Definition 159 8.1.2. Terminology 160 8.2. The different classifications of cryptology 160 8.2.1. Traditional cryptography 161 8.2.2. Modern cryptography 162 8.2.3. Symmetric and asymmetric encryption 163 8.3. Key management 165 8.3.1. Introduction 165 8.3.2. Diffie-Hellman key exchange 165 8.4. Hash functions 167 8.5. HMAC codes 167 8.6. Asymmetric cryptography 167 8.6.1. Introduction 167 8.6.2. How it works 168 8.6.3. Digital signatures 169 8.6.4. Public key infrastructure 171 8.7. Exercises for application 175 9. IPsec VPNs 189 9.1. The IPsec protocol 189 9.1.1. Objectives of IPsec 189 9.1.2. Basic IPsec protocols 190 9.1.3. The IPsec framework 190 9.1.4. The IPsec security association 191 9.1.5. IPsec modes 191 9.2. IKE protocol 192 9.2.1. Introduction 192 9.2.2. Components of IKE 192 9.2.3. IKE phases 192 9.3. The site-to-site VPN configuration 194 9.3.1. Introduction 194 9.3.2. Configuration of IPsec VPN 195 9.4. Exercises for application 197 10. Studying Advanced Firewalls 205 10.1. Cisco ASA firewalls 205 10.1.1. Introduction 205 10.1.2. ASA models 206 10.1.3. Modes for using ASA devices 206 10.1.4. An overview of ASA 5505 207 10.1.5. ASA levels of security 208 10.1.6. Configuring an ASA with CLI 209 10.2. Exercises for application 214 10.3. Configuring Cisco elements with graphical tools 226 10.3.1. An overview of the CCP 226 10.3.2. An overview of the ASDM 226 10.3.3. Using CCP and ASDM 226 10.4. The TMG 2010 firewall 227 10.4.1. Introduction 227 10.4.2. Installation and configuration 227 References 259 Index 261 Other titles from iSTE in Computer Engineering 265 The classic and authoritative reference in the field of computer security, now completely updated and revised. With the continued presence of large-scale computers; the proliferation of desktop, laptop, and handheld computers; and the vast international networks that interconnect them, the nature and extent of threats to computer security have grown enormously. Now in its fifth edition, Computer Security Handbook continues to provide authoritative guidance to identify and to eliminate these threats where possible, as well as to lessen any losses attributable to them. With seventy-seven chapters contributed by a panel of renowned industry professionals, the new edition has increased coverage in both breadth and depth of all ten domains of the Common Body of Knowledge defined by the International Information Systems Security Certification Consortium (ISC) Developed in collaboration with a training and certification team from Cisco, Computer Network Security is an exploration of the state-of-the-art and good practices in setting up a secure computer system. Concrete examples are offered in each chapter, to help the reader to master the concept and apply the security configuration. This book is intended for students preparing for the CCNA Security Exam (210-260 IINS) ? whether at professional training centers, technical faculties, or training centers associated with the ᑼisco Academyň program. It is also relevant to anyone interested in computer security, be they professionals in this field or users who want to identify the threats and vulnerabilities of a network to ensure better security