Cisco IOS Network Security

Documentation from the Cisco IOS™ Reference Library

Cisco Inc.

Publisher: Cisco Press, 1998, 542 pages

ISBN: 1-57870-057-4

Keywords: IT Security, Networks

Last modified: April 24, 2021, 8:39 p.m.

Synopsis

Creating and maintaining secure network environments continues to be of utmost importance for administrators and engineering today. Cisco IOS Network Security is the definitive resource for both dial-in and local users. Through the use of real-world examples, you will discover the most current security technologies available and learn how to implement and support these technologies on a network.

With this book, you will learn how to configure Authentication, Authorization, and Accounting (AAA), make the most of traffic filtering, understand network data encryption, and discover a host of other security features. Understanding Cisco network security solutions, protocols, and services, will help you make more intelligent, cost-effective, and quantifiable decisions for your network.

Table of Contents

    1. Security Overview
      • About this Network Security Book
      • Creating Effective Security Policies
      • Identifying Security Risks and Cisco IOS Solutions
      • Creaating a Firewall with Cisco IOS Software
  • Part I: Authentication, Authorization and Accounting (AAA)
    1. AAA Overview
      • AAA Security Services
      • Where to Begin
      • What to Do Next
    2. Configuring Authentication
      • AAA Authentication Method Lists
      • AAA Authentication Methods
      • Non-AAA Authentication Methods
      • Authentication Examples
    3. Authentication Commands
      • aaa authentication arap
      • aaa authentication enable default
      • aaa authentication local-override
      • aaa authentication login
      • aaa authentication nasi
      • aaa authentication password-prompt
      • aaa authentication ppp
      • aaa authentication username-prompt
      • aaa new-model
      • access-profile
      • arap authentication
      • login authentication
      • login tacacs
      • nasi authentication
      • ppp authentication
      • ppp chap hostname
      • ppp chap password
      • ppp chap refuse
      • ppp chap wait
      • ppp pap sent-username
      • ppp use-tacacs
    4. Configuration Authorization
      • AAA Authorization Types
      • AAA Authorization Methods
      • AAA Authorization Prerequisites
      • AAA Authorization Configuration Task List
      • Configuration Authorization
      • Disabling Authorization for Global Configuration Commands
      • Authorization Attribute-Value Pair
      • Authorization Configuration Examples
    5. Authorization Accounting
      • aaa authorization
      • aaa authorization config-commands
      • aaa new-model
    6. Configuring Accounting
      • AAA Accounting Types
      • AAA Accounting Prerequisites
      • AAA Accounting Configuration Task List
      • Enabling Accounting
      • Monitoring Accounting
      • Accounting Attribute-Value Pairs
      • Accounting Configuration Example
    7. Accounting Commands
      • aaa accounting
      • aaa accounting suppress null-username
      • aaa accounting update
      • Show accounting
  • Part II: Security Server Protocols
    1. Configuring RADIUS
      • RADIUS Overview
      • RADIUS Operation
      • RADIUS Configuration Task List
      • Configuring Router to RADIUS Server Communication
      • Configuring Router for Vendor-Proprietary RADIUS Server Communication
      • Configuring Router to Query RADIUS Server for Static Routes and IP Addresses
      • Specifying RADIUS Authentication
      • Specifying RADIUS Authorization
      • Specifying RADIUS Accounting
      • RADIUS Attributes
      • Vendor-Proprietary RADIUS Attributes
      • RADIUS Configuration Examples
      • RADIUS Authenticaation and Authorizaation Example
    2. RADIUS Commands
      • ip radius source-interface
      • radius-server configure-nas
      • radius-server dead-time
      • radius-server host
      • radius-server host non-standard
      • radius-server key
      • radius-server retransmit
      • radius-server timeout
    3. Configuring TACACS+
      • TACACS+ Overview
      • TACACS+ Operation
      • TACACS+ Configuration Task List
      • Identifying the TACACS+ Server Host
      • Setting the TACACS+ Authentication Key
      • Specifying TACACS+ Authentication
      • Specifying TACACS+ Authorization
      • Specifying TACACS+ Accounting
      • TACACS+ AV Pairs
      • TACACS+ Configuration Examples
    4. Configuring TACACS and Extended TACACS
      • TACACS Protocol Description
      • TACACS and Extended TACACS Confihuration Task List
      • Setting TACACS Password Protection at the User Level
      • Disabling Password Checking at the User Level
      • Setting Optional Password Verification
      • Setting TACACS Password Protection at the Privileged Level
      • Disabling Password Checking at the Privileged Level
      • Setting Notification of User Accounts
      • Setting Authentication of User Actions
      • Establishing the TACACS Server Host
      • Setting Limits on Login Attempts
      • Specifying the Amount of Time for Login Input
      • Enabling the Extended TACACS Mode
      • Enabling TACACS for PPP Authentication
      • Enabling Standard TACACS for ARA Authentication
      • Enabling Extended TACACS for ARA Authentication
      • Enabling TACACS to Use a Specific IP Address
      • TACACS Configuration Examples
    5. TACACS, Extended TACACS, and TACACS+ Commands
      • arap use-tacacs
      • enable last-resort
      • enable use-tacacs
      • ip tacacs source-interface
      • tacacs-server attempts
      • tacacs-server authenticate
      • tacacs-server directed-request
      • tacacs-server extended
      • tacacs-server host
      • tacacs-server key
      • tacacs-server last-resort
      • tacacs-server login-timeout
      • tacacs-server notify
      • tacacs-server optional-passwords
      • tacacs-server retransmit
      • tacacs-server timeout
    6. Configuring Kerberos
      • Kerberos Overview
      • Kerberos Client Support Operation
      • Kerberos Configuration Task List
      • Configuring the KDC Using Kerberos Commands
      • Configuring the Router to Use Kerberos Protocol
      • Monitoring and Maintaining Kerberos
      • Kerberos Configuration Examples
    7. Kerberos Commands
      • clear kerberos creds
      • connect
      • kerberos clients mandatory
      • kerberos credentials forward
      • kerberos instance map
      • kerberos local-realm
      • kerberos preauth
      • kerberos realm
      • kerberos server
      • kerberos srvtab remote
      • key config-key
      • show kerberos creds
      • telnet
  • Part III: Traffic Filtering
    1. Access Control Lists: Overview and Guidelines
      • In this Chapter
      • About Access Control Lists
      • Overview of Access List Configuration
      • Find Complete Configuration and Command Information for Access Lists
    2. Configuration Lock-and-Key Security (Dynamic Access Lists)
      • In this Chapter
      • About Lock-and-Key
      • Compatibility with Releases Prior to Cisco IOS Release 11.1
      • Risk of Spoofing with Lock-and-Key
      • Router Performance Impacts with Lock-and-Key
      • Prerequisites to Configuring Lock-and-Key
      • Configuring Lock-and-Key
      • Verifying Lock-and-Key Configuration
      • Lock-and-Key Maintenance
      • Lock-and-Key Configuration Examples
    3. Lock-and-Key Commands
      • access-enable
      • access-template
      • clear access-tamplate
      • show ip accounting
    4. Configuring IP Session Filtering (Reflexive Access Lists)
      • In This Cgapter
      • About Reflexive Access Lists
      • Prework: Before You Configure Reflexive Access Lists
      • Configuring Reflexive Access Lists
      • Reflexive Access Lists Configuration Examples
    5. Reflexive Access List Commands
      • evaluate
      • ip reflexive-list timeout
      • permit (reflexive)
    6. Configuring TCP Intercept (Prevent Denial-of-Service Attacks)
      • In This Chapter
      • About TCP Intercept
      • TCP Intercept Configuration Task List
      • Enabling TCP Intercept
      • Setting the TCP Intercept Mode
      • Setting the TCP Intercept Drop-Mode
      • Changing the TCP Intercept Timers
      • Changing the TCP Intercept Aggressive Thresholds
      • Monitoring and Maintaining TCP Intercept
      • TCP Intercept Configuration Example
    7. TCP Intercept Commands
      • ip tcp intercept connection-timeout
      • ip tcp intercept drop-mode
      • ip tcp intercept finrst-timeout
      • ip tcp intercept list
      • ip tcp intercept max-incomplete high
      • ip tcp intercept max-incomplete low
      • ip tcp intercept mode
      • ip tcp intercept one-minute high
      • ip tcp intercept one-minute low
      • ip tcp intercept watch-timeout
      • show tcp intercept connections
      • show tcp intercept statistics
  • Part IV: Network Data Encryption
    1. Configuring Network Data Encryption
      • Why Encryption?
      • Cisco's Implementation of Encryption
      • Prework: Before You Configure Encryption
      • Configuring Encryption
      • Configuring Encyption with GRE Tunnels
      • Configuring Encyption with an ESA in a VIP2
      • Configuring Encyption with an ESA in a Cisco 7200 Series Router
      • Customizing Encyption (Configure Options)
      • Turning of ENcryption
      • Testing and Troubleshooting Encryption
      • Encryption Configuration Examples
    2. Network Data Encryption Commands
      • access-list (encryption)
      • clear crypto connection
      • crypto algorithm 40-bit-des
      • crypto algorithm des
      • crypto clear-latch
      • crypto esa
      • crypto gen-signature-keys
      • crypto key-exchange
      • crypto key-exchange passive
      • crypto key-timeout
      • crypto map (global configuration)
      • crypto map (interface configuration)
      • crypto pregen-dh-pairs
      • crypto public-key
      • crypto sdu connections
      • crypto sdu entities
      • crypto zeroize
      • deny
      • ip access-list extended (encryption)
      • match address
      • permit
      • set algorithm 40-bit-des
      • set algorithm des
      • set peer
      • show crypto algorithms
      • show crypto card
      • show crypto connections
      • show crypto enginge brief
      • show crypto engine configurations
      • show crypto engine connections active
      • show crypto engine connections dropped-packets
      • show crypto key-timeout
      • show crypto map
      • show crypto map interface
      • show crypto map tag
      • show crypto mypubkey
      • show crypto pregen-dh-pairs
      • show crypto pubkey
      • show crypto pubkey name
      • show crypto pubkey serial
      • test crypto initiate-session
  • Part V: Other Security Features
    1. Configuring Passwords and Privileges
      • Protecting Access to Privilege EXEC Commands
      • Encryption Passwords
      • Configuring Multiple Privilege Levels
      • Recovering a Lost Enable Password
      • Recovering a Lost Line Password
      • Configuring Identification Support
      • Passwords and Privileges Configuration Examples
    2. Passwords and Privileges Commands
      • enable
      • enable password
      • enable secret
      • ip identd
      • password
      • privilege level (global)
      • privilege level (line)
      • service password-encryption
      • show privilege
      • username
    3. Neighbor Router Authentication: Overview and Guidelines
      • In This Chapter
      • Benefits of Neighbor AUthentication
      • Protocols That Use Neighbor Authentication
      • When to Configure Neighbor Authentication
      • How Neighbor Authentication Works
      • Key Management (Key Chains)
    4. Configuring IP Security Options
      • In This Chapter
      • Configuring Basic IP Security Options
      • Configuring Extended IP Security Options
      • Configuring the DNSIX Audit Trail Facility
      • IPSO Configuration Examples
    5. IP Security Options Commands
      • dnsix-dmdp retries
      • dnsix-nat authorized-redirection
      • dnsix-nat primary
      • dnsix-nat secondary
      • dnsix-nat source
      • dnsix-nat transmit-count
      • ip security add
      • ip security aeso
      • ip security dedicated
      • ip security eso-info
      • ip security eso-max
      • ip securityeso-min
      • ip security extended-allow
      • ip security first
      • ip security ignore-authorities
      • ip security implicit labelling
      • ip security multilevel
      • ip security reserved-allowed
      • ip security strip
      • show dnsix
  • Appendixes
    1. RADIUS Attributes
      • RADIUS IETF Attributes
      • RADIUS Accounting Attributes
      • RADIUS Vendor-Proprietary Attributes
    2. TACACS+ Attribute-Value Pairs
      • TACACS+ AV Pairs
      • TACACS+ Accounting AV Pairs

Reviews

Cisco IOS Network Security

Reviewed by Roland Buresund

Bad ** (2 out of 10)

Last modified: Nov. 15, 2008, 1:45 a.m.

Opinion

Extremely boring. Avoid at all costs, unless you need an IOS reference.

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required

captcha

required