Document: Security and Performance Management (doc)

Chapter 8 Security and Performance Management

Terms you'll need to understand:
✓ IP access control lists
✓ Authentication
✓ Authorization
✓ Accounting
✓ Remote Authentication Dial-In User Service (RADIUS)
✓ Terminal Access Controller Access Control System (TACACS)
✓ Private Internet Exchange (PIX) Firewalls
✓ Demilitarized zones (DMZ)
✓ Encryption
✓ Weighted Fair Queuing (WFQ)
✓ Priority queuing
✓ Custom queuing

Techniques you'll need to master:
✓ Describing why security and traffic filtering are important on Cisco routers
✓ Determining the proper placement of Access Control Lists to efficiently filter traffic
✓ Understanding the characteristics of AAA, RADIUS, and TACACS
✓ Knowing the queuing methods available on Cisco routers

This chapter focuses on methods that can be used to provide you with a secure network. The aim of this chapter is to familiarize you with common security options and performance management queuing methods. This chapter covers the following CCIE blueprint objectives as determined by the Cisco Systems CCIE program:

➤ Security—Authentication, Authorization, and Accounting (AAA); Terminal Access Controller Access Control System (TACACS); RADIUS; PIX firewalls; demilitarized zones (DMZ); encryption; public/private keys; Data Encryption Standard (DES)
➤ Access Lists—Standard access lists and extended access lists, including where and how to place and design them
➤ Performance Management—Traffic management queuing, Weighted Fair Queuing (WFQ), Resource Reservation Protocol (RSVP), traffic shaping, load balancing

As with other chapters in this book, additional information is provided for completeness and in preparation for additional subjects as the CCIE Program expands.

Basic Network Security

Network security is one of the primary concerns in today's networks.
Many businesses must protect sensitive data from competitors or financial details from unauthorized personnel. A good security policy protects your network against corruption, failure, and compromised data. Cisco IOS provides a number of security features, including the following:

➤ Authentication, Authorization, and Accounting (AAA)
➤ Support for security server protocols, including RADIUS, TACACS, Extended TACACS, and TACACS+
➤ Traffic-filtering options using access lists
➤ Firewalls and DMZs
➤ Network data encryption

All the security methods described in this chapter are designed to stop unauthorized access to your router network. This section covers the security methods outlined in the preceding list, beginning with a discussion of Access Control Lists.

Standard and Extended IP Access Lists

Standard and extended access lists are used to filter IP traffic. An access list is basically a set of permit or deny statements. Standard access lists control IP traffic based on the source address only. Extended access lists can filter on source and destination addresses, and can also filter on specific protocols and port numbers. Let's look at how a Cisco router handles access lists.

Access Lists on Cisco Routers

By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 8.1 illustrates the steps taken if an access list is configured on a Cisco router. If an incoming packet is received on a router and no access list is defined, the packet will be forwarded to the IP routing software. If an access list is defined and applied, the packet will be checked against the list, and the appropriate permit or deny action will be taken.
The default action taken by any access list is to permit whatever the explicitly defined statements permit and then to deny everything else.

Note: If the keyword out or in is not applied by the administrator when defining an IP filter on an interface, the default action is to apply the filter to outbound traffic.

Figure 8.1 Access list decision taken by a Cisco router. (Flowchart: incoming packet; access list configured? If no, process packet. If yes, is packet permitted? If yes, process packet; if no, drop packet.)

Standard IP Access Lists (1 through 99)

As mentioned earlier in this chapter, standard IP access lists are used for filtering on the source address only. The Cisco IOS syntax is as follows:

    access-list access-list-number {deny | permit} source [source-wildcard]

The following describes the purpose of each field:

➤ access-list-number—A number from 1 through 99 that defines a standard access list number. IOS 12.0 and later also provide standard access lists in the range 1300 through 1999.
➤ deny—The IP packet will be denied if a match is found.
➤ permit—The IP packet will be permitted if it matches the criteria defined by the administrator.
➤ source—Source IP address or network. Any source address can be matched by using the keyword any.
➤ source-wildcard (optional)—Wildcard mask to be applied to the source address. This is an inverse mask, which is explained further with a few examples later in this section. The default is 0.0.0.0, which specifies an exact match.

After entering the access-list command as described in the preceding text, you must apply the access list to the required interface using the following command:

    ip access-group {access-list-number | name} {in | out}

The following describes the purpose of each field:

➤ access-list-number—A number in the range from 1 through 99 that defines a standard access list number.
➤ name—If you are using named access lists, that name is referenced here.
➤ in—Keyword that designates the access list as an inbound packet filter.
➤ out—Keyword that designates the access list as an outbound packet filter. This is the default action.

The wildcard mask mentioned earlier in the access-list command is used to match the source address. When a wildcard mask bit is set to binary 0, the corresponding bit of the address must match; if it is set to binary 1, the router does not care whether that bit matches (it is an inconsequential bit). For example, the mask 0.0.255.255 means that the first two octets must match but the last two octets do not need to match. Hence the commonly used phrases care bits (0's) and don't care bits (1's). For further clarification, let's look at some examples of using access lists.

Suppose you have found a faulty NIC card with the address 141.108.1.99/24. You have been asked to stop its packets from being sent out Serial 0 on your router but to permit everyone else. In this situation, you need to deny the host address 141.108.1.99 and permit all other host devices. The following access list fulfills this requirement:

    access-list 1 deny 141.108.1.99 0.0.0.0
    access-list 1 permit 141.108.1.0 0.0.0.255

Next, you would apply the access list to filter outbound (the keyword out is supplied) IP packets on the Serial 0 interface, like this:

    interface Serial 0
    ip access-group 1 out

Let's look at a more complex example of using a standard access list. In this example, suppose you have 16 networks ranging from 141.108.1.0 to 141.108.16.0, as shown in Figure 8.2.
Figure 8.2 Standard access list example. (Cisco router R1, a 7500, connects to the Internet through S0/0. The odd networks 141.108.1.0, 141.108.3.0, 141.108.5.0, 141.108.7.0, 141.108.9.0, 141.108.11.0, 141.108.13.0, and 141.108.15.0 belong to the Sales Department, which is denied Internet access; the even networks 141.108.2.0, 141.108.4.0, 141.108.6.0, 141.108.8.0, 141.108.10.0, 141.108.12.0, 141.108.14.0, and 141.108.16.0 belong to the Accounting Department.)

You have assigned even subnets to the Accounting department and odd subnets to Sales. You do not want the Sales department to access the Internet, as shown in Figure 8.2. To solve this issue, you configure a standard access list. Figure 8.2 displays a simple requirement to block all odd networks from accessing the Internet. You could configure the router to deny each of the odd networks, but that would require many configuration lines.

Note: Access lists are CPU process intensive because the router has to go through every entry in the access list for each packet until a match is made. If you wish to determine the actual effect an access list has on your router, compare the CPU processes before and after activating the access list, and check on a regular basis in order to see the big picture.

Instead, let's say that you permit only even networks with one configuration line. To accomplish this, you need to convert all networks to binary to see if there is any pattern that you can use in the wildcard mask. Table 8.1 displays the numbers 1 through 16 in both decimal and binary format. Notice that odd networks always end in the binary value 1 and even networks end with 0. Therefore, you can apply your access list to match on the even networks and deny everything else. Even numbers always end in binary 0.

Table 8.1 Example calculation of numbers in binary.

    Decimal  Binary
    1        00000001
    2        00000010
    3        00000011
    4        00000100
    5        00000101
    6        00000110
    7        00000111
    8        00001000
    9        00001001
    10       00001010
    11       00001011
    12       00001100
    13       00001101
    14       00001110
    15       00001111
    16       00010000

You do not care about the first seven bits, but you must have the last bit set to 0. The wildcard mask that applies this condition is 11111110, which converts to the decimal value 254. Hence, the following access list permits only even networks:

    access-list 1 permit 141.108.2.0 0.0.254.255

The preceding access list matches networks 2, 4, 6, 8, 10, 12, 14, and 16 in the third octet. The default action is to deny all else, so only even networks will be allowed and odd networks will be blocked by default. Next, you would apply the access list to the outbound interface. Listing 8.1 shows the full configuration.

Let's take a minute to briefly review inverse masks. Assume that you want to let in a certain number of hosts. If we were routing to these hosts, we would define the hosts as 150.124.10.0 255.255.255.240. To use the same limits in an access list, we would take the subnet mask and subtract it from 255.255.255.255 as follows:

    255.255.255.255 minus 255.255.255.240 equals 0.0.0.16

Listing 8.1 Access list example.

    interface Serial 0/0
    ip access-group 1 out
    access-list 1 permit 141.108.2.0 0.0.254.255

Extended Access Lists

Extended access lists range from 100 through 199, and from 2000 through 2699 (the expanded range) in IOS 12.0 and later. Alternatively, you can use a named access list with IOS 12.0 or later. As mentioned earlier in this chapter, extended access lists can be applied to both source and destination addresses and can also filter on protocol types and port numbers.
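Before moving on to extended lists, the wildcard arithmetic of the standard-list examples above can be checked mechanically. The following Python script is an added example (not from the book) that models the rules this section describes: entries are evaluated top down, the first match wins, an omitted source-wildcard means 0.0.0.0 (exact host match), and a packet that matches nothing hits the implicit deny. It reproduces the faulty-NIC list and the even-network list, and it computes an inverse mask by subtracting a subnet mask from 255.255.255.255; for 255.255.255.240 that subtraction gives 0.0.0.15 (255 minus 240 is 15), which is worth keeping in mind when reading the inverse-mask review above. The function names and the probe addresses of the form 141.108.N.10 are this example's own.

```python
"""Standard IP access-list semantics with wildcard (inverse) masks.

Added example, not from the book or Cisco IOS. Models the behaviour the chapter
describes: top-down evaluation, first match wins, implicit deny at the end, and
a missing source-wildcard defaulting to 0.0.0.0 (exact host match).
"""
import ipaddress
from typing import List, Optional, Tuple


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(address: str, reference: str, wildcard: str = "0.0.0.0") -> bool:
    """A wildcard bit of 0 must match ("care"); a bit of 1 is ignored ("don't care")."""
    wc = ip_to_int(wildcard)
    return (ip_to_int(address) | wc) == (ip_to_int(reference) | wc)


def subnet_mask_to_wildcard(mask: str) -> str:
    """Inverse mask: 255.255.255.255 minus the subnet mask, octet by octet."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(mask))


# One entry = (action, source, source-wildcard); a None wildcard means exact host.
AclEntry = Tuple[str, str, Optional[str]]


def evaluate_standard_acl(acl: List[AclEntry], source: str) -> str:
    """Return 'permit' or 'deny' for a packet with the given source address.
    Entries are checked in order; the first match decides; no match -> deny."""
    for action, ref, wildcard in acl:
        if ref == "any" or wildcard_match(source, ref, wildcard or "0.0.0.0"):
            return action
    return "deny"  # implicit deny at the end of every list


# The faulty-NIC list from the chapter: deny one host, permit the rest of 141.108.1.0/24.
FAULTY_NIC_ACL: List[AclEntry] = [
    ("deny", "141.108.1.99", "0.0.0.0"),
    ("permit", "141.108.1.0", "0.0.0.255"),
]

# The even-network list: 0.0.254.255 ignores every bit of the third octet except the last.
EVEN_NETWORKS_ACL: List[AclEntry] = [
    ("permit", "141.108.2.0", "0.0.254.255"),
]


def permitted_third_octets(acl: List[AclEntry], low: int = 1, high: int = 16) -> List[int]:
    """Which 141.108.N.0 networks does the list permit? Probes one constructed host per network."""
    return [n for n in range(low, high + 1)
            if evaluate_standard_acl(acl, f"141.108.{n}.10") == "permit"]


if __name__ == "__main__":
    print(evaluate_standard_acl(FAULTY_NIC_ACL, "141.108.1.99"))  # deny
    print(evaluate_standard_acl(FAULTY_NIC_ACL, "141.108.1.7"))   # permit
    print(evaluate_standard_acl(FAULTY_NIC_ACL, "141.108.2.7"))   # deny (implicit)
    print(permitted_third_octets(EVEN_NETWORKS_ACL))              # [2, 4, 6, 8, 10, 12, 14, 16]
    print(subnet_mask_to_wildcard("255.255.255.240"))             # 0.0.0.15
```

Because 0.0.254.255 ignores all but the low bit of the third octet, the same line also matches 141.108.0.0 and every even third octet above 16; the probe limits itself to the chapter's 16 networks, which is exactly why checking a wildcard mask against the addresses you did not intend to permit is part of reviewing an access list.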
Let's look at some examples of extended access lists that allow you to filter several different types of traffic.

For Internet Control Message Protocol (ICMP), you can use the syntax shown in Listing 8.2.

Listing 8.2 Access list for ICMP traffic.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]]
      {deny | permit} icmp source source-wildcard destination destination-wildcard
      [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), you can use the syntax shown in Listing 8.3.

Listing 8.3 Access list for IGMP traffic.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]]
      {deny | permit} igmp source source-wildcard destination destination-wildcard
      [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can use the syntax shown in Listing 8.4.

Listing 8.4 Access list for TCP traffic.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]]
      {deny | permit} tcp source source-wildcard [operator port [port]]
      destination destination-wildcard [operator port [port]]
      [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), you can use the syntax shown in Listing 8.5.

Listing 8.5 Access list for UDP traffic.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]]
      {deny | permit} udp source source-wildcard [operator port [port]]
      destination destination-wildcard [operator port [port]]
      [precedence precedence] [tos tos] [log]

As you can see, extended access lists have a range of options to suit any requirement. The most commonly used extended access list options are:

➤ access-list-number—A number ranging from 100 through 199 that defines an extended access list.
➤ deny—Denies access if the conditions are matched.
➤ permit—Permits access if the conditions are matched.
➤ protocol—Specifies the protocol you are filtering.
Some common options include eigrp, gre, icmp, igmp, igrp, ip, ospf, tcp, and udp.
➤ source—Specifies the source address.
➤ source-wildcard—Specifies the wildcard mask.
➤ destination—Identifies the destination network.
➤ destination-wildcard—Identifies the destination mask.

You should be able to demonstrate your understanding of standard and extended access lists. You are not expected to memorize the available options in an extended access list; the options are provided in this chapter for your reference only. When constructing access lists, the built-in help feature is extremely helpful.

The example in Listing 8.6 permits Domain Naming System (DNS) packets, ICMP echo and echo replies, OSPF, and BGP packets (BGP runs over TCP using port 179). In Listing 8.6, access list 100 is not concerned with specific host addresses or networks, but rather with ranges of networks.

Listing 8.6 Extended access list example.

    access-list 100 permit tcp any any eq smtp       ! Permits Simple Mail Transfer Protocol
    access-list 100 permit udp any any eq domain     ! Permits DNS queries
    access-list 100 permit icmp any any echo         ! Permits ICMP ping requests
    access-list 100 permit icmp any any echo-reply   ! Permits ICMP replies
    access-list 100 permit ospf any any              ! Permits OSPF packets
    access-list 100 permit tcp any any eq bgp        ! Permits BGP to any device

In Listing 8.6, the any keyword is shorthand for 0.0.0.0 255.255.255.255, which means that the address of the device is irrelevant. If an IP packet arrives at the router and does not match the specified criteria, the packet will be dropped.

The Cisco CD documentation provides additional quality examples of access lists. You should take some time to study Cisco's examples. For further information, see the "Need to Know More?" section at the end of this chapter.
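To see how Listing 8.6 actually classifies traffic, here is an added Python example (not from the book or Cisco IOS) that parses the six lines of the listing, resolves the keywords smtp, domain, and bgp to ports 25, 53, and 179, and applies the same top-down, first-match, implicit-deny evaluation to constructed packets. The Packet and ExtendedEntry types and the parse_line and classify functions are this example's own, and the parser handles only the forms that appear in the listing (any, eq followed by a port, and an ICMP type name), not the full syntax of Listings 8.2 through 8.5.

```python
"""Extended IP access-list classification for Listing 8.6.

Added example, not from the book or Cisco IOS. Entries are matched top down,
the first match decides, and a packet matching nothing hits the implicit deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# IOS port keywords used in the listing and their IANA port numbers.
PORT_NAMES = {"smtp": 25, "domain": 53, "bgp": 179}


def wildcard_match(address: str, reference: str, wildcard: str) -> bool:
    """Same care/don't-care rule as a standard list: a wildcard bit of 1 is ignored."""
    if reference == "any":  # 'any' is shorthand for 0.0.0.0 255.255.255.255
        return True
    wc = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) | wc) == (int(ipaddress.IPv4Address(reference)) | wc)


@dataclass
class Packet:
    """Constructed packet summary: only the fields the listing can test."""
    protocol: str                    # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    dst_port: Optional[int] = None   # tcp/udp destination port
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...


@dataclass
class ExtendedEntry:
    action: str
    protocol: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # from 'eq <port>' after the destination
    icmp_type: Optional[str] = None  # ICMP type name after the destination

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def _take_address(tokens: List[str], pos: int) -> Tuple[Tuple[str, str], int]:
    """Read 'any' or 'address wildcard' starting at tokens[pos]."""
    if tokens[pos] == "any":
        return ("any", "255.255.255.255"), pos + 1
    return (tokens[pos], tokens[pos + 1]), pos + 2


def parse_line(line: str) -> ExtendedEntry:
    """Parse one numbered extended access-list line; '!' starts a comment.
    Only the forms used in Listing 8.6 are handled (any, eq <port>, ICMP type)."""
    tokens = line.split("!")[0].split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, pos = _take_address(tokens, 4)
    dst, pos = _take_address(tokens, pos)
    entry = ExtendedEntry(action, proto, *src, *dst)
    rest = tokens[pos:]
    if rest[:1] == ["eq"]:
        entry.dst_port = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and proto == "icmp":
        entry.icmp_type = rest[0]
    return entry


# Listing 8.6 from the chapter, as parser input.
LISTING_8_6 = """\
access-list 100 permit tcp any any eq smtp ! Permits Simple Mail Transfer Protocol
access-list 100 permit udp any any eq domain ! Permits DNS queries
access-list 100 permit icmp any any echo ! Permits ICMP ping requests
access-list 100 permit icmp any any echo-reply ! Permits ICMP replies
access-list 100 permit ospf any any ! Permits OSPF packets
access-list 100 permit tcp any any eq bgp ! Permits BGP to any device
"""

ACL_100: List[ExtendedEntry] = [parse_line(l) for l in LISTING_8_6.splitlines() if l.strip()]


def classify(acl: List[ExtendedEntry], pkt: Packet) -> str:
    """The first matching entry decides; anything else is dropped by the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


if __name__ == "__main__":
    # Constructed probes: BGP passes, Telnet and ICMP unreachable are dropped.
    for pkt in (Packet("tcp", "192.0.2.1", "192.0.2.2", dst_port=179),
                Packet("tcp", "192.0.2.1", "192.0.2.2", dst_port=23),
                Packet("icmp", "192.0.2.1", "192.0.2.2", icmp_type="unreachable")):
        print(pkt, "->", classify(ACL_100, pkt))
```

The probes make the implicit deny visible: a Telnet connection or an ICMP destination-unreachable message matches none of the six lines and is dropped, even though nothing in the listing mentions them.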
Authentication, Authorization, and Accounting (AAA)

AAA provides a method used to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information. To start AAA on a Cisco router, you issue the aaa new-model IOS command. Let's now define what Authentication, Authorization, and Accounting are, with a common example on a Cisco router.

Authentication

Authentication allows administrators to identify who can connect to a router, by including the user's user name and password. Normally, when a user connects to a router remotely via Telnet, the user only needs to supply a password and the administrator has no way of knowing the user's user name. With AAA authentication, whenever a user logs on, the user must enter a user name and password pair (which has been assigned by the administrator). The following code snippet shows an example of a remote user accessing an AAA-configured Cisco router:

    User Access Verification

    Username: benjamin
    Password: xxxxxxxx
    San-Fran>

As you can see in the preceding code, the user must enter a valid username and password to gain access to the router. Typically, there is a database of valid usernames that resides locally on the router or on a remote security server.

Authorization

Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS allows certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with privilege level 0 cannot issue any IOS commands, whereas a user with privilege level 15 can issue all valid IOS commands. The local or remote security server can grant access levels.
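The three AAA phases that this section describes can be modelled in a few dozen lines. The following Python script is an added example (not from the book or Cisco IOS) with a constructed local user database standing in for the local or remote security server: authenticate checks a salted password hash and returns a session carrying the user's privilege level, authorize permits a command only when the session's level is at least the level required for it (level 0 is allowed nothing, level 15 everything), and every login attempt and command decision is written to an accounting log of the kind the Accounting subsection describes. The user names, passwords, and the command-to-level table are assumptions for the demonstration; the user benjamin mirrors the login snippet above.

```python
"""A minimal model of the AAA sequence: authentication, authorization, accounting.

Added example, not from the book or Cisco IOS. The user database, the command
table and the passwords are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    privilege: int  # 0..15, as on a Cisco router


@dataclass
class Session:
    user: str
    privilege: int


@dataclass
class AAAServer:
    """Stand-in for the local database or remote security server the chapter mentions."""
    users: Dict[str, User] = field(default_factory=dict)
    # Minimum privilege level needed for each command (constructed table).
    command_levels: Dict[str, int] = field(default_factory=dict)
    accounting_log: List[Dict[str, str]] = field(default_factory=list)

    def add_user(self, name: str, password: str, privilege: int) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt), privilege)

    # 1. Authentication: who is this? Both user name and password are required.
    def authenticate(self, name: str, password: str) -> Optional[Session]:
        user = self.users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            self.record(name, "login", "failed")
            return None
        self.record(name, "login", "ok")
        return Session(user.name, user.privilege)

    # 2. Authorization: may this user run this command at their privilege level?
    def authorize(self, session: Session, command: str) -> bool:
        required = self.command_levels.get(command, 15)  # unknown commands need level 15
        allowed = session.privilege > 0 and session.privilege >= required
        self.record(session.user, command, "authorized" if allowed else "denied")
        return allowed

    # 3. Accounting: keep a record of logins and commands per user.
    def record(self, user: str, action: str, result: str) -> None:
        self.accounting_log.append({"user": user, "action": action, "result": result})

    def commands_by(self, user: str) -> List[str]:
        """Commands a user actually ran, as an auditor would read them from the log."""
        return [e["action"] for e in self.accounting_log
                if e["user"] == user and e["result"] == "authorized"]


def build_demo_server() -> AAAServer:
    """Constructed users and command levels; 'benjamin' follows the chapter's login example."""
    srv = AAAServer(command_levels={"show privilege": 1,
                                    "show accounting": 15,
                                    "configure terminal": 15})
    srv.add_user("benjamin", "correct horse battery", 15)
    srv.add_user("guest", "guest-pass", 1)
    srv.add_user("locked", "locked-pass", 0)
    return srv


if __name__ == "__main__":
    srv = build_demo_server()
    session = srv.authenticate("benjamin", "correct horse battery")
    print(srv.authorize(session, "configure terminal"))  # True
    print(srv.accounting_log)
```

The accounting log is what lets an administrator answer the questions the chapter raises, such as who changed a router's configuration: the failed login attempt, the successful login, and the authorized configure terminal command are all recorded against the user name, not just the fact that someone knew a password.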
You can display your privilege level on a Cisco router with the show privilege command, as shown in the following code snippet:

    R1#show privilege
    Current privilege level is 15

Keep in mind that the higher the privilege level, the more of the IOS command set a user can use.

Accounting

Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user's session. For example, accounting enables administrators to monitor which routers have had their configurations changed. Accounting information can be collected by a router or by a remote security server. To display local accounting information on a Cisco router collecting accounting information, you issue the show accounting IOS command.

[...]

Note: You must use AAA if you intend to use RADIUS or TACACS security server protocols.

After AAA is configured, you can use external security servers to run external security protocols—such as RADIUS or TACACS—that will stop unauthorized access to your network. Both RADIUS and TACACS ...

... used between the router and the RADIUS server ...

... Unix operating system. When a TACACS server authenticates a user, the following events occur:

1. The remote user is prompted for a username and password.
2. The user name and password are sent across the data network and authenticated.
3. The ...
... protocols will have some share of the bandwidth, which typically makes this setup the preferred queuing method.

Let's consider the example of sending IP, IPX, and AppleTalk in relation to custom queuing. In this example, the queue is defined globally and then applied to the interface, as ...

... queues on a Cisco router. Each priority queue is made up of four queues—high, medium, normal, and low. Answers a, b, and c are incorrect, because 16 is the correct answer.

Question 6

What IOS command is used to enable priority queuing on a WAN interface?
❍ a. queue 1
❍ b. priority-queue ...

... from 1 through 99. Answers c and d are incorrect, because extended MAC address lists range from 1100 through 1199 and IPX access lists can range from 1000 through 1099, 800 through 899, 900 through 999, and 1200 through 1299.

Need to Know More?

Cisco IOS Network Security. Cisco Press, Indianapolis, ...

Posted: 21/12/2013, 19:15
