Implementing Cisco IOS

Implementing Cisco IOS Network Security (IINS)
Catherine Paquet

Cisco Press
800 East 96th Street
Indianapolis, IN 46240

Implementing Cisco IOS Network Security (IINS)
Catherine Paquet

Copyright 2009 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

Fifth Printing: January 2012

Library of Congress Cataloging-in-Publication Data:
Paquet, Catherine.
Implementing Cisco IOS network security (IINS) / Catherine Paquet.
p. cm.
ISBN-13: 978-1-58705-815-8 (hardcover)
ISBN-10: 1-58705-815-4 (hardcover)
1. Computer networks--Security measures. 2. Cisco IOS. I. Title.
TK5105.59.P375 2009
005.8--dc22
2009008780

ISBN-13: 978-1-58705-815-8
ISBN-10: 1-58705-815-4

Warning and Disclaimer

This book is designed to provide information about implementing Cisco IOS network security. It provides the information necessary to prepare for Cisco exam 640-553, Implementing Cisco IOS Network Security (IINS). For those who already possess a CCNA certification, passing exam 640-553 provides the additional certification of CCNA Security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com

For sales outside the United States please contact: International Sales international@pearsoned.com

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: Paul Boger
Business Operation Manager, Cisco Press: Anand Sundaram
Associate Publisher: Dave Dusthimer
Manager, Global Certification: Erik Ullanderson
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Project Editor: Seth Kerney
Senior Development Editor: Christopher Cleveland
Copy Editor: Keith Cline
Technical Editors: Dave Chapman and Andrew Whitaker
Editorial Assistant: Vanessa Evans
Book Designer: Louisa Adair
Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexer: Tim Wright
Proofreader: Leslie Joseph

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

About the Author

Catherine Paquet is a practitioner in the field of internetworking, network security, and security financials. She has authored or contributed to eight books thus far with Cisco Press. Catherine has in-depth knowledge of security systems, remote access, and routing technology. She is a Cisco Certified Security Professional (CCSP) and a Cisco Certified Network Professional (CCNP). Catherine is also a certified Cisco instructor with Cisco’s largest training partner, Global Knowledge, Inc. She also works on IT security projects for different organizations on a part-time basis. Following her university graduation from the Collège Militaire Royal de St-Jean (Canada), she worked as a system analyst, LAN manager, MAN manager, and eventually as a WAN manager. In 1994, she received a master’s degree in business administration (MBA) with a specialty in management information systems (MIS) from York University.

Recently, she has been presenting a seminar on behalf of Cisco Systems (Emerging Markets) on the topic of the business case for network security in 22 countries. In 2002 and 2003, Catherine volunteered with the U.N. mission in Kabul, Afghanistan, to train Afghan public servants in the area of networking.

Catherine lives in Toronto with her husband. They have two children, who are both attending university.

About the Technical Reviewers

David Chapman, CISSP-ISSAP, CCSP, is an independent information security consultant specializing in vulnerability assessments, penetration testing, and the design and implementation of secure network infrastructures. His protocol expertise includes TCP/IP, IPsec, 802.11 wireless, BGP, IPX, SNA, AppleTalk, Frame Relay, PPP, HDLC, LLC, and NetBIOS/SMB. David is the coauthor of Cisco Secure PIX Firewalls, from Cisco Press.

Andrew Whitaker, CCSP, is the Director of Enterprise InfoSec and Networking for TechTrain, where he performs penetration tests and teaches ethical hacking and Cisco courses. He has been working in the IT industry for more than 10 years, specializing in Cisco and security technologies, and has performed penetration tests for numerous financial institutions and Fortune 500 companies. Andrew is the coauthor of Penetration Testing and Network Defense, from Cisco Press.

Dedication

This book is dedicated to my father, Maurice Paquet, who passed away during this project. Just days before his death, from his hospital bed, this 92-year-old enthusiastic and incessant learner would ask the nurse to pass him his laptop! That was my dad: an inquisitive, lucid, articulate, and sensitive man. Dad, I miss you more than words can say.

Acknowledgments

I’d like to give special recognition to Dave Chapman and Andrew Whitaker for providing their expert technical knowledge in editing this book. They were not afraid to point out inaccuracies and make recommendations to improve the manuscript.

A big “thank you” goes out to the production team for this book. Brett Bartow, Seth Kerney, and especially Christopher Cleveland have been incredibly professional and a pleasure to work with. I couldn’t have asked for a finer team.

Contents at a Glance

Chapter 1  Introduction to Network Security Principles  3
Chapter 2  Perimeter Security  111
Chapter 3  Network Security Using Cisco IOS Firewalls  227
Chapter 4  Fundamentals of Cryptography  305
Chapter 5  Site-to-Site VPNs  371
Chapter 6  Network Security Using Cisco IOS IPS  437
Chapter 7  LAN, SAN, Voice, and Endpoint Security Overview  493
Appendix   Answers to Chapter Review Questions  569

Contents

Chapter 1  Introduction to Network Security Principles  3
  Examining Network Security Fundamentals  3
    The Need for Network Security  3
    Network Security Objectives  8
    Data Classification  11
    Security Controls  14
    Response to a Security Breach  18
    Laws and Ethics  19
  Examining Network Attack Methodologies  24
    Adversaries, Motivations, and Classes of Attack  24
    Classes of Attack and Methodology  28
    The Principles of Defense in Depth  30
    IP Spoofing Attacks  34
    Confidentiality Attacks  40
    Integrity Attacks  45
    Availability Attacks  49
    Best Practices to Defeat Network Attacks  56
  Examining Operations Security  57
    Secure Network Life Cycle Management  57
    Principles of Operations Security  60
    Network Security Testing  63
    Disaster Recovery and Business Continuity Planning  66
  Understanding and Developing a Comprehensive Network Security Policy  69
    Security Policy Overview  69
    Security Policy Components  70
    Standards, Guidelines, and Procedures  74
    Security Policy Roles and Responsibilities  75
    Risk Analysis and Management  76
    Principles of Secure Network Design  82
    Security Awareness  87
  Cisco Self-Defending Networks  91
    Changing Threats and Challenges  91
    Building a Cisco Self-Defending Network  93
    Cisco Integrated Security Portfolio  99

  Summary  101
  References  101
  Review Questions  103

Chapter 2  Perimeter Security  111
  Securing Administrative Access to Cisco Routers  111
    General Router Security Guidelines  111
    Introduction to the Cisco Integrated Services Router Family  113
    Configuring Secure Administration Access  116
    Configuring Multiple Privilege Levels  124
    Configuring Role-Based Command-Line Interface Access  126
    Securing the Cisco IOS Image and Configuration Files  129
    Configuring Enhanced Support for Virtual Logins  131
      Delays Between Successive Login Attempts  131
      Login Shutdown if DoS Attacks Are Suspected  131
      Generation of System Logging Messages for Login Detection  132
    Configuring Banner Messages  134
  Introducing Cisco SDM  136
    Supporting Cisco SDM and Cisco SDM Express  136
    Launching Cisco SDM Express  138
    Launching Cisco SDM  139
    Navigating the Cisco SDM Interface  139
    Cisco SDM Wizards in Configure Mode  141
  Configuring AAA on a Cisco Router Using the Local Database  144
    Authentication, Authorization, and Accounting  144
    Introduction to AAA for Cisco Routers  145
    Using Local Services to Authenticate Router Access  146
  Configuring AAA on a Cisco Router to Use Cisco Secure ACS  153
    Cisco Secure ACS Overview  154
    TACACS and RADIUS Protocols  159
    Installing Cisco Secure ACS for Windows  162
    Configuring the Server  162
    Configuring TACACS Support on a Cisco Router  172
    Troubleshooting TACACS  182
  Implementing Secure Management and Reporting  185
    Planning Considerations for Secure Management and Reporting  185
    Secure Management and Reporting Architecture  186
    Using Syslog Logging for Network Security  190
    Using Logs to Monitor Network Security  195

    Using SNMP to Manage Network Devices  195
    Configuring an SSH Daemon for Secure Management and Reporting  200
    Enabling Time Features  204
  Locking Down the Router  209
    Vulnerable Router Services and Interfaces  209
    Management Service Vulnerabilities  212
    Performing a Security Audit  212
    Cisco AutoSecure  218
  Chapter Summary  220
  References  220
  Review Questions  222

Chapter 3  Network Security Using Cisco IOS Firewalls  227
  Introducing Firewall Technologies  227
    Firewall Fundamentals  227
    Firewalls in a Layered Defense Strategy  229
    Static Packet-Filtering Firewalls  231
    Application Layer Gateways  234
    Dynamic or Stateful Packet-Filtering Firewalls  237
    Other Types of Firewalls  240
    Cisco Family of Firewalls  241
    Developing an Effective Firewall Policy  246
  ACL Fundamentals  247
    ACL Wildcard Masking  254
    Using ACLs to Control Traffic  257
    ACL Considerations  264
    Configuring ACLs Using SDM  266
    Using ACLs to Permit and Deny Network Services  272
  Configuring a Cisco IOS Zone-Based Policy Firewall  278
    Zone-Based Policy Firewall Overview  278
    Configuring Zone-Based Policy Firewalls Using the Basic Firewall Wizard  284
    Manually Configuring Zone-Based Policy Firewalls Using Cisco SDM  290
    Monitoring a Zone-Based Firewall  297
  Summary  299
  References  299
  Review Questions  300

Chapter 4  Fundamentals of Cryptography  305
  Examining Cryptographic Services  305
    Cryptology Overview  305
    Symmetric and Asymmetric Encryption Algorithms
    Block and Stream Ciphers
    Encryption Algorithm Selection  321
    Cryptographic Hashes  322
    Key Management  323
    Introducing SSL VPNs  326
  Examining Symmetric Encryption  327
    Symmetric Encryption Overview  327
    DES: Features and Functions  329
    3DES: Features and Functions  332
    AES: Features and Functions  333
    SEAL: Features and Functions  334
    Rivest Ciphers: Features and Functions  335
  Examining Cryptographic Hashes and Digital Signatures
    Overview of Hash Algorithms
    MD5: Features and Functions  340
    SHA-1: Features and Func
