CSI Cisco SAFE Implementation Student Guide Version 2.0 Copyright © 2004, Cisco Systems, Inc Student Guide i Copyright 2004, Cisco Systems, Inc All rights reserved Cisco Systems has more than 200 offices in the following countries and regions Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe Copyright  2004, Cisco Systems, Inc All rights reserved CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc and/or its affiliates in the U.S and certain other countries All other trademarks mentioned in this document or Web site are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company (0203R) ii Cisco SAFE Implementation (CSI) v2.0 Copyright © 2004, Cisco Systems, Inc Table of Contents COURSE INTRODUCTION 1-1 Overview Course Objectives Lab Topology Overview 1-1 1-2 1-8 SECURITY FUNDAMENTALS 2-1 Overview Objectives Need for Network Security Network Security Policy Primary Network Threats and Attacks Reconnaissance Attacks and Mitigation Access Attacks and Mitigation Denial of Service Attacks and Mitigation Worm, Virus, and Trojan Horse Attacks and Mitigation Management Protocols and Functions Summary 2-1 2-2 2-3 2-10 2-13 2-16 2-23 2-31 2-37 2-44 2-49 SAFE BLUEPRINT OVERVIEW 3-1 Overview Objectives SAFE Blueprint Overview Design Fundamentals SAFE Axioms Summary 3-1 3-2 3-3 3-7 3-13 3-32 THE CISCO SECURITY PORTFOLIO 4-1 Overview Objectives 4-1 4-2 Cisco Security Portfolio Overview Secure Connectivity—VPN Solutions Secure Connectivity—The VPN 3000 Concentrator Series Secure Connectivity—Cisco VPN-Optimized Routers Perimeter Security Firewalls—Cisco PIX Firewall and Cisco IOS Firewall Intrusion Protection—IDS Host-Based Intrusion Prevention System—CSA Identity—Access Control Solutions Copyright  2004, Cisco Systems, Inc Table of Contents 4-3 4-6 4-9 4-14 4-18 4-28 4-33 4-41 v Security Management—Cisco IP Solution Center and VMS Cisco AVVID Summary SAFE SMALL NETWORK DESIGN 5-1 Overview Objectives Small Network Design Overview Small Network Corporate Internet Module Small Network Campus Module Implementation—ISP Router Implementation—Cisco IOS Firewall Features and Configuration Implementation—PIX Firewall Implementation—CSA Summary SAFE MIDSIZE NETWORK DESIGN Overview 6-1 6-2 6-3 6-8 6-17 6-22 6-26 6-28 6-32 6-58 6-65 6-69 7-1 7-1 Objectives Design Overview Key Devices and Threat Mitigation Software Access Option Remote Site Firewall Option 7-2 7-3 7-7 7-10 7-26 VPN Hardware Client Option Remote Site Router Option Summary 7-38 7-45 7-57 SAFE ENTERPRISE NETWORK DESIGN Overview Objectives Enterprise Network Design Overview vi 5-1 5-2 5-3 5-4 5-10 5-13 5-16 5-36 5-53 5-70 6-1 Overview Objectives Midsize Network Corporate Internet Module Midsize Network Corporate Internet Module Design Guidelines Midsize Network Campus Module Midsize Network Campus Module Design Guidelines Midsize Network WAN Module Implementation—ISP Router and Edge Router Implementation—NIDS Implementation—VPN 3000 Concentrator Implementation—Layer Switch Summary REMOTE USER NETWORK IMPLEMENTATION 4-44 4-48 4-52 Cisco SAFE Implementation (CSI) v2.0 8-1 8-1 8-2 8-3 Copyright  2004, Cisco Systems, Inc Enterprise Network Campus Enterprise Network Edge Summary 8-4 8-27 8-51 SAFE: IP TELEPHONY SECURITY IN DEPTH 9-1 Overview Objectives IP Telephony Concepts IP Telephony Caveats IP Telephony Axioms Cisco IP Telephony Product Portfolio SAFE IP Telephony Design Considerations Small Network IP Telephony Design Medium Network IP Telephony Design Large Network IP Telephony Design Review Questions 9-1 9-2 9-3 9-13 9-15 9-30 9-43 9-45 9-56 9-64 9-75 SAFE: WIRELESS LAN SECURITY IN DEPTH 10-1 Overview Objectives Wireless LAN Security Concepts SAFE Wireless LAN Caveats and Axioms Wireless LAN Security Extensions Cisco Wireless LAN Product Portfolio Wireless LAN Design Approach Standard WLAN Design Enterprise Wireless LAN Design Medium Wireless LAN Design Small Wireless LAN Design Remote Wireless LAN Design SAFE WLAN Implementation Copyright  2004, Cisco Systems, Inc 10-1 10-2 10-3 10-11 10-16 10-26 10-40 10-41 10-53 10-59 10-65 10-67 10-70 Table of Contents vii viii Cisco SAFE Implementation (CSI) v2.0 Copyright  2004, Cisco Systems, Inc Course Introduction Overview This lesson includes the following topics: !" Course objectives !" Course agenda !" Participant responsibilities !" General administration !" Graphic symbols !" Participant !" Cisco !" Lab introductions security career certifications topology overview Course Objectives This topic introduces the course and the course objectives Course Objectives Upon completion of this course, you will be able to perform the following tasks: • Describe in detail the four basic types of threats that may be encountered in a network environment today • Explain how to provide a framework for implementing security features in the network infrastructure • Demonstrate first-hand knowledge of the tools and techniques used to exploit security vulnerabilities • Discuss the SAFE Blueprint and how it impacts the decision-making process • Explain why routers, switches, hosts, networks, and applications are targets • List the general process for hardening network-attached objects © 2004, Cisco Systems, Inc All rights reserved CSI 2.0—1-3 Course Objectives (Cont.) • Describe the security tools and devices that Cisco offers • Identify the functions of the modules, specific threats and key devices described in the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks white paper • Identify the functions of the modules, specific threats, and key devices described in the SAFE: A Security Blueprint for Enterprise Networks white paper • Describe the mitigation roles of Cisco devices described in the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks white paper © 2004, Cisco Systems, Inc All rights reserved 1-2 Cisco SAFE Implementation (CSI) v2.0 CSI 2.0—1-4 Copyright 2004, Cisco Systems, Inc Course Objectives (Cont.) • Implement specific configurations to apply the mitigation roles described in the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks white paper • Recommend alternative devices that can fulfill the same mitigation roles described in the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks white paper © 2004, Cisco Systems, Inc All rights reserved CSI 2.0—1-5 Course Objectives (Cont.) • Discuss the technologies and blueprint involved in building a SAFE IP telephony network • Identify the functions of the modules, specific threats, and key devices described in the SAFE: IP Telephony Security in Depth white paper • Describe the mitigation roles of Cisco devices described in the SAFE: IP Telephony Security in Depth white paper • Discuss the technologies and blueprint involved in building a SAFE Wireless LAN • Identify the functions of the modules, specific threats, and key devices described in the SAFE : Wireless LAN Security in Depth white paper • Describe the mitigation roles of Cisco devices described in the SAFE: Wireless LAN Security in Depth white paper © 2004, Cisco Systems, Inc All rights reserved Copyright 2004, Cisco Systems, Inc CSI 2.0—1-6 Course Introduction 1-3 Course Agenda Day • • • • • • • Lesson 1—Course Introduction Lesson 2—Security Fundamentals Lunch Lab—Vulnerabilities and Threats Lesson 3—SAFE Blueprint Overview Lesson 4—The Cisco Security Portfolio Lesson 5—SAFE Small Network Design Day • • • • Lab—SAFE Small Network Design Implementation Lunch Lesson 6—SAFE Midsize Network Design Lab—SAFE Midsize Network Design Implementation © 2004, Cisco Systems, Inc All rights reserved CSI 2.0—1-7 Course Agenda (Cont.) Day • • • • Lesson 7—SAFE Remote-User Network Implementation Lesson 8—SAFE Enterprise Network Design Lunch Lab—SAFE Remote-User Network Design Implementation Day • • • • Lesson 9—SAFE IP Telephony Network Design Lunch Lesson 10—SAFE Wireless LAN Network Design Lab—SAFE Wireless LAN Network Design Implementation Day • Lab—Case Study (Optional) © 2004, Cisco Systems, Inc All rights reserved 1-4 Cisco SAFE Implementation (CSI) v2.0 CSI 2.0—1-8 Copyright 2004, Cisco Systems, Inc ... Cisco SAFE Implementation (CSI) v2.0 CSI 2.0—1-4 Copyright 2004, Cisco Systems, Inc Course Objectives (Cont.) • Implement specific configurations to apply the mitigation roles described in the SAFE. .. Cisco Security Portfolio Lesson 5? ?SAFE Small Network Design Day • • • • Lab? ?SAFE Small Network Design Implementation Lunch Lesson 6? ?SAFE Midsize Network Design Lab? ?SAFE Midsize Network Design Implementation... Inc All rights reserved CSI 2.0—1-7 Course Agenda (Cont.) Day • • • • Lesson 7? ?SAFE Remote-User Network Implementation Lesson 8? ?SAFE Enterprise Network Design Lunch Lab? ?SAFE Remote-User Network