Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
Cisco Press
CCSP Self-Study
CCSP SECUR
Exam Certification Guide
Greg Bastien
Christian Abera Degu
2408_CCSP.book Page i Thursday, November 13, 2003 2:38 PM
CCSP Self-Study
CCSP SECUR Exam Certification Guide
Greg Bastien, Christian Abera Degu
Copyright© 2004 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.
International Sales 1-317-581-3793 [email protected]
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager
Team Coordinator: Tammi Barnett
Book and Cover Designer: Louisa Adair
Production Team: Octal Publishing, Inc.
Indexer: Eric Schroeder
About the Authors
Greg Bastien, CCNP, CCSP, CISSP, is currently a partner with Trinity Information Management Services, Inc., as a consultant to the federal government. He holds a position as adjunct professor at Strayer University, teaching networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army.
Information Systems Group, GeoTel Communications, ON Technology, Altiga Networks, and Cisco Systems. He holds a bachelor of science degree in business from Eastern Nazarene College along with several industry certifications. Leon is currently the lead course developer for the Securing Cisco IOS Networks (SECUR) curriculum.
Inti Shah has worked in the networking industry for more than 15 years in both enterprise and service provider environments. He has extensive expertise in designing and delivering large-scale networks, complex e-business solutions, intrusion detection, firewall, and VPN services. Inti currently works for Energis in the UK and holds the Cisco CCNA, CCNP, CCSP, CCIP Security, Check Point CCSA, and CCSE accreditations. He is currently pursuing his CCIE Security accreditation.
John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco Systems. John advises Cisco customers in the planning, design, and implementation of VPN and security related solutions, including IDS, IPSec VPNs, and firewall deployments. John is a CISSP and holds an Information Systems Security (INFOSEC) Professional certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife, Diane, and his two wonderful children, Thomas and Allison.
Dedications
This book is dedicated to In Ho Park (February 27, 1973—December 16, 2001): CCNA, CCNP, and
a good friend.
PART II Managing Cisco Routers 56
Chapter 4 Basic Router Management 59
Chapter 5 Secure Router Administration 79
PART III Authentication, Authorization, and Accounting (AAA) 98
Chapter 6 Authentication 101
Chapter 7 Authentication, Authorization, and Accounting 115
Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software 137
Chapter 9 Cisco Secure Access Control Server 157
Chapter 10 Administration of Cisco Secure Access Control Server 175
PART IV The Cisco IOS Firewall Feature Set 188
Chapter 11 Securing the Network with a Cisco Router 191
Chapter 12 Access Lists 203
Chapter 13 The Cisco IOS Firewall 219
Chapter 14 Context-Based Access Control (CBAC) 231
Chapter 15 Authentication Proxy and the Cisco IOS Firewall 251
Chapter 16 Intrusion Detection and the Cisco IOS Firewall 279
PART V Virtual Private Networks 300
Chapter 17 Building a VPN Using IPSec 303
Chapter 18 Scaling a VPN Using IPSec with a Certificate Authority 339
Security Policy Goals 12
Security Guidelines 13
Management Must Support the Policy 13
The Policy Must Be Consistent 13
The Policy Must Be Technically Feasible 14
The Policy Should Not Be Written as a Technical Document 14
The Policy Must Be Implemented Globally Throughout the Organization 14
The Policy Must Clearly Define Roles and Responsibilities 15
The Policy Must Be Flexible Enough to Respond to Changing Technologies and Organizational Goals 15
The Policy Must Be Understandable 15
The Policy Must Be Widely Distributed 16
The Policy Must Specify Sanctions for Violations 16
The Policy Must Include an Incident Response Plan for Security Breaches 16
Security Is an Ongoing Process 17
Network Security as a Process 17
Network Security as a Legal Issue 18
Foundation Summary 19
Security Policies 19
Security Policy Goals 19
Security Guidelines 20
Network Security as a Process 20
Q&A 21
Reconnaissance Attacks 34
Access Attacks 34
DoS Attacks 36
Foundation Summary 37
Vulnerabilities 37
Self-Imposed Vulnerabilities 37
Threats 38
Intruder Motivation 38
Types of Attacks 39
Q&A 40
Chapter 3 Defense in Depth 43
“Do I Know This Already?” Quiz 43
Foundation and Supplemental Topics 46
Overview of Defense in Depth 46
Components Used for Defense in Depth 47
Physical Security 51
Foundation Summary 52
“Do I Know This Already?” Quiz 79
Foundation Topics 83
Privilege Levels 83
Securing Console Access 84
Configuring the Enable Password 84
enable secret 86
service password-encryption 87
Configuring Multiple Privilege Levels 87
Warning Banners 89
Interactive Access 90
Securing vty Access 90
Secure Shell (SSH) Protocol 91
Setting Up a Cisco IOS Router or Switch as an SSH Client 91
Port Security for Ethernet Switches 92
Configuring Port Security 93
Foundation Summary 95
Q&A 96
Part III Authentication, Authorization, and Accounting (AAA) 98
Chapter 6 Authentication 101
Authentication 119
Authorization 120
Accounting 120