Transcript

Slide 1
CTT Corp. All rights reserved 11-2005. CHANNEL READINESS PROGRAM FOR CISCO PARTNERS 1 - 1
Selling Cisco SMB Solutions: Advanced Security
Selling SMB Solutions, Cisco Resellers University V2.0

Slide 2: Objectives
Upon completion of this module, you will be able to perform the following tasks:
- Describe the features and functionality of the Cisco low-end routers and how they meet the customer requirements.
- Describe the features and functionality of the Cisco low-end switches and how they meet the customer requirements.
- Configure the security features of the Cisco 1841 Router and the Cisco Express 500 Switch in order to help an SMB protect its sensitive data and applications.
- Discuss the best practices related to security using Cisco routers and switches, and how Cisco resellers can present a value proposition for the security of their customers' businesses.

Slide 3: Cisco Network Security

Slide 4: Network Security Definition
Network security is the set of steps taken to protect network resources and services from unauthorized actions, which include:
- Destruction of data
- Information theft
- Network disruption
Security breaches result in:
- Recovery costs
- Legal liability
- Lost revenue
- Reduced customer satisfaction

Slide 5: The Security Wheel
Security is a strategy, not a product. No single device or solution can protect a network against a changing variety of threats.
Security is a process:
- Developing a policy
- Securing the network
- Monitoring for and responding to threats
- Testing for vulnerabilities
- Making improvements as needed
Slide 6: Using Cisco Router and Security Device Manager

Slide 7: What Is Cisco SDM?
- Embedded web-based management tool.
- Provides intelligent wizards to enable quicker and easier deployments; does not require knowledge of the Cisco IOS CLI or security expertise.
- Tools for more advanced users:
  - ACL editor
  - VPN crypto map editor
  - Cisco IOS CLI preview

Slide 8: Cisco SDM Files
The sdm-v10.zip file contains the following files:
- sdm.tar
- home.html
- home.shtml
- home.tar
- ips.tar
- attack-drop.sdf
- sdmconfig-xxxx.cfg: the default configuration file specific to the router series (for example, sdmconfig-18xx.cfg). This file:
  - Enables the HTTP server
  - Enables SSH/Telnet
  - Provides a default credential (username and password)

Slide 9: Installing Cisco SDM
- Task 1: Download the Cisco SDM files and a Cisco IOS image to a TFTP server.
- Task 2: Configure your router to support Cisco SDM.
- Task 3: Copy the Cisco SDM files to the router.
- Task 4: Start Cisco SDM.
Requires a minimum of 5.3 MB of extra (available) router flash memory.

Slide 10: Router Administration Using Cisco SDM
- Cisco SDM is used for configuring, managing, and monitoring a single Cisco access router.
- Cisco SDM allows multiple concurrent users to be logged in. It is not recommended that multiple users use Cisco SDM to modify the configuration at the same time.
- You can use Cisco SDM, CLI commands, or both:
  - Use CLI commands for features not supported by SDM.
  - Use Cisco SDM to configure security policies on unsupported interfaces.
Slide 11: Accessing Cisco SDM for the First Time
Accessing Cisco SDM on a factory-fresh router with SDM installed:
1. Connect the PC to the lowest-numbered LAN Ethernet port of the router, using a crossover cable.
2. Use a static IP address for the PC (10.10.10.2, mask 255.255.255.0).
3. Launch a supported browser.
4. The default URL to access Cisco SDM is https://10.10.10.1.
5. The Cisco SDM default login is username sdm, password sdm.
This default credential is the same on every router shipped with SDM; change it in the startup wizard before the router is connected to anything other than the setup PC.

Slide 12: Startup Wizard: Basic Configuration, Change Default Username and Password

Slide 13: Startup Wizard: LAN Interface Configuration

Slide 14: Startup Wizard: DHCP Server Configuration

Slide 15: Startup Wizard: DNS Configuration

Slide 16: Startup Wizard: Security Configuration

Slide 17: Startup Wizard: Configuration Delivery
You will lose your connection after the configuration is delivered to the router. Use the new IP address to access SDM for further configuration.

Slide 18: Accessing Cisco SDM: Ongoing
Already configured router with Cisco SDM installed:
1. Use a LAN/WAN connection.
2. Manage the router using either HTTP or HTTPS: https:// /.
Note: https:// specifies that SSL be used for a secure connection. http:// can be used if SSL is not available, but the SDM login then crosses the network in clear text, so limit it to a trusted management segment.
Slide 19: Cisco SDM: Startup Troubleshooting
Browser problem?
- Enable Java and JavaScript in the browser.
- Disable popup blockers or unsupported Java plug-ins on the PC.
Router not allowing access?
- Ensure that the HTTP server is enabled on the router.
- Ensure that the PC is not blocked on the interface by a firewall ACL. SDM requires HTTP/HTTPS and SSH/Telnet (or SSH/Telnet and RCP) access to the router; open the specific addresses and ports in the ACL editor in advanced mode.
Cisco SDM installed?
- Access it with https:// /flash/sdm.shtml.
- Enter the CLI show flash command.

Slide 20: Cisco SDM Main Window Layout and Navigation
Menu bar, toolbar, router information, configuration overview.

Slide 21: Cisco SDM Wizard Options
- LAN configuration: Configure LAN interfaces and DHCP.
- WAN configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
- Firewall: Access two types of firewall wizards:
  - Simple inside/outside
  - Advanced inside/outside/DMZ with multiple interfaces
- VPN: Access three types of VPN wizards:
  - Secure site-to-site VPN
  - Cisco Easy VPN
  - GRE tunnel with IPsec VPN
- Security Audit: Perform a router security audit, with a button for router lockdown.
- IPS: Intrusion Prevention System
- QoS: Quality of Service

Slide 22: Cisco Secure Access Control Server for Windows Server
Slide 23: Cisco Secure ACS for Windows Server: General Features
(Diagram: NAS exchanging TACACS+ or RADIUS with Cisco Secure ACS for Windows Server; PAP, CHAP, and MS-CHAP on the NAS side.)
- Uses TACACS+ or RADIUS between Cisco Secure ACS and the NAS.
- Allows authentication against the Windows 2000 user database, the Cisco Secure ACS user database, a token server, or other external databases.
- Supports PAP, CHAP, and MS-CHAP authentication on the NAS.

Slide 24: Cisco Secure ACS for Windows Server: ACS User Database
(Diagram: NAS 1, NAS 2, and NAS 3 authenticating against the Cisco Secure ACS user database.)

Slide 25: Cisco Secure ACS for Windows Server: External User Databases
(Diagram: NAS 1, NAS 2, and NAS 3 to the ACS user database, which forwards to an external user database.)

Slide 26: Administering Cisco Secure ACS for Windows Server

Slide 27: TACACS+ Overview
- TCP
- Supports AAA
- Encrypts the entire packet body
- LAN and WAN security
- RCMD, PPP, ARA, and NASI
- Supports PAP, CHAP, and MS-CHAP
- Router command authorization
- Blocks specific ports
(Diagram: remote user over PSTN/ISDN to the NAS, the TACACS+ client, which queries the TACACS+ security server on the corporate network.)

Slide 28: RADIUS Background
RADIUS was developed by Livingston Enterprises, now part of Lucent Technologies. It consists of:
- A protocol with a frame format that uses UDP
- A server
- A client

Slide 29: Enable AAA Using SDM
1. Create a local user with privilege level 15. (Screenshot with callouts 1 to 5.)

Slide 30: Enable AAA Using SDM (Cont.)
2. Enable AAA on the router. (Screenshot with callouts 1 to 5.)

Slide 31: Enable AAA Using SDM (Cont.)
(Screenshot with callouts 6 and 7.)

Slide 32: Define AAA Servers Using SDM

Slide 33: Define AAA Servers Using SDM
(Screenshot with callouts 1 to 3.)

Slide 34: Define AAA Servers Using SDM

Slide 35: Lab Exercise
2005 Cisco Systems, Inc. All rights reserved. SNRS v1.0 7-35
1. Create a user with the name CTTAdmin.
2. Assign the password cisco.
3. Enable AAA on the router.
4. Create a RADIUS server with address 172.30.1.2.
5. Create a TACACS+ server with address 172.30.1.2.

Slide 36: Authentication Using AAA Servers (Cont.)
(Screenshot with callouts 1 and 2.)

Slide 37: Authentication Using AAA Servers (Cont.)
(Screenshot with callouts 3 to 5.)

Slide 38: Configure VTY Access for AAA Authentication
(Screenshot with callouts 1 to 4; note "No default vty access".)

Slide 39: Lab Exercise
1. Change the default authentication method from Local to Group RADIUS as method 1 and Local as method 2.
2. Configure VTY access to permit Telnet access.
3. Connect to the terminal server and Telnet to the router Rx.
4. Log in with the user ISAdminp.

Slide 40: Managing IP Traffic with ACLs
Slide 41: Why Use ACLs?
- Manage IP traffic as network access grows.
- Filter packets as they pass through the router.

Slide 42: Types of ACLs
- Standard ACL: checks the source address; generally permits or denies an entire protocol suite.
- Extended ACL: checks source and destination address; generally permits or denies specific protocols.

Slide 43: How to Identify ACLs
- Standard IP lists (1-99) test conditions of all IP packets from source addresses.
- Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
- Standard IP lists (1300-1999): expanded range.
- Extended IP lists (2000-2699): expanded range.
- Other ACL number ranges test conditions for other networking protocols.
- Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

Slide 44: A List of Tests: Deny or Permit

Slide 45: Wildcard Bits: How to Check the Corresponding Address Bits
- 0 means check the value of the corresponding address bit.
- 1 means ignore the value of the corresponding address bit.

Slide 46: Wildcard Bits to Match a Specific IP Host Address
- Check all of the address bits (match all).
- Verify an IP host address, for example: 172.30.16.29 0.0.0.0 checks all of the address bits.
- Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

Slide 47: Wildcard Bits to Match Any IP Address
- Test condition: ignore all the address bits (match any).
- Accept any address, for example: 0.0.0.0 255.255.255.255.
- Abbreviate the expression with the keyword any.

Slide 48: ACL Configuration Guidelines
- ACL numbers indicate which protocol is filtered.
- One ACL per interface, per protocol, per direction is allowed.
- The order of ACL statements controls testing: the most restrictive statements go at the top of the list.
- The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement.
- ACLs must be created before applying them to interfaces.
- ACLs filter traffic going through the router; they do not filter traffic originating from the router.

Slide 49: ACL Configuration Guidelines
- The order of ACL statements is crucial. Recommended: use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
- Top-down processing is important: place the more specific test statements first.
- Statements cannot be rearranged or removed; use the no access-list number command to remove the entire ACL. Exception: named ACLs permit removal of individual statements.
- The implicit deny any is applied to all packets that do not match any ACL statement, unless the ACL ends with an explicit permit any statement.

Slide 50: ACL Configuration
(Screenshot with callouts 1 and 2.)

Slide 51: ACL Configuration (Cont.)
(Screenshot with callouts 1 to 6.)

Slide 52: ACL Configuration (Cont.)

Slide 53: Lab Exercise
1. Create an ACL that denies Telnet traffic into the router from the AAA server.
2. Connect to the AAA server using Remote Desktop.
3. Test your ACL from the AAA server.

Slide 54: Cisco IOS Firewall

Slide 55: The Cisco IOS Firewall Feature Set
The Cisco IOS Firewall contains the following three main features:
- Context-Based Access Control (CBAC)
- Authentication proxy
- Intrusion Prevention System

Slide 56: Cisco IOS Firewall CBAC
(Diagram: TCP and UDP sessions passing through the firewall to the Internet.)
- Packets entering the firewall are inspected by CBAC if they are not specifically denied by an ACL.
- CBAC permits or denies specified TCP and UDP traffic through a firewall.
- A state table is maintained with session information.
- ACLs are dynamically created or deleted.
- CBAC protects against DoS attacks.

Slide 57: Cisco IOS Firewall Authentication Proxy
- HTTP, HTTPS, FTP, and Telnet authentication.
- Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols.

Slide 58: Cisco IOS Firewall Intrusion Prevention System
(Diagram: TCP and UDP traffic arriving from the Internet.)
- Acts as an inline Cisco IOS intrusion prevention sensor.
- When a packet or packets match a signature, it can perform any of the following configurable actions:
  - Alarm: send an alarm to a Security Device Manager or syslog server.
  - Drop: drop the packet.
  - Reset: send TCP resets to terminate the session.
- Identifies 700+ common attacks.

Slide 59: How CBAC Works
ip inspect name FWRULE tcp
(Diagram: client 10.0.0.3, port 2447, opening a Telnet session to 172.30.1.50, port 23, through the firewall.)
1. Control traffic is inspected by the CBAC rule.
2. CBAC creates a dynamic ACL entry allowing return traffic back through the firewall:
   access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACL entries as required by the application. It also monitors and protects against application-specific attacks.
4. CBAC detects when an application terminates or times out and removes all dynamic ACL entries for that session.

Slide 60: Supported Protocols
- TCP (single channel)
- UDP (single channel)
- RPC
- FTP
- TFTP
- UNIX R-commands (such as rlogin, rexec, and rsh)
- SMTP
- HTTP (Java blocking)
- ICMP
- Java
- SQL*Net
- RTSP (such as Real Networks)
- H.323 (such as NetMeeting, ProShare, CU-SeeMe)
- Other multimedia: Microsoft NetShow, StreamWorks, VDOLive
- SIP

Slide 61: Alerts and Audit Trails
- CBAC generates real-time alerts and audit trails.
- Audit trail features use syslog to track all network transactions.
- With CBAC inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis.

Slide 62: Firewall Wizard: Basic Firewall Interface Configuration

Slide 63: Firewall Wizard: One-Step Firewall Configuration Summary

Slide 64: Advanced Firewall Wizard: Interface Configuration

Slide 65: Advanced Firewall Wizard: DMZ Service Configuration
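The wildcard-mask, ordering and implicit-deny rules of Slides 45 to 49, together with the dynamic return-traffic entry of Slide 59, as an added example in Python that is not part of the slide deck and not Cisco IOS code. It parses the access-list syntax shown on the slides, evaluates packets top-down with the implicit deny, lints a list for the two mistakes the guidelines warn about (no permit at all; entries hidden behind a permit/deny ip any any), and models CBAC inserting and removing the entry permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447. The Ace, Packet and Cbac names are this example's own, and every address, port and list is constructed for the demo.

```python
"""Added example, not from the slide deck: evaluates Cisco-style IOS access
lists (wildcard masks, top-down first match, implicit deny) and models the
dynamic return-traffic entry that CBAC installs and removes. All addresses,
ports and lists below are constructed for the demo."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard that ignores every bit
# src/dst are (base, wildcard) pairs; sport/dport are the optional "eq N" ports
Ace = namedtuple("Ace", "action proto src dst sport dport", defaults=(None, None))
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 wildcard bit means check that address bit, a 1 bit means ignore it."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def _endpoint(tokens: list) -> tuple:
    """Consume 'host A' | 'any' | 'A WILDCARD', then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "host":
        addr = (tokens.pop(0), "0.0.0.0")
    elif tok == "any":
        addr = ANY
    else:  # "A WILDCARD", or just "A" (standard-list shorthand for a host)
        addr = (tok, tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0")
    port = None
    if tokens[:1] == ["eq"]:
        port = int(tokens[1])
        del tokens[:2]
    return addr, port

def parse_ace(line: str) -> Ace:
    """Parse the 'access-list' syntax used on the slides; numbers 1-99 and
    1300-1999 are standard lists and carry only a source address."""
    tokens = line.split()
    number, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return Ace(action, "ip", _endpoint(tokens)[0], ANY)
    proto = tokens.pop(0)
    (src, sport), (dst, dport) = _endpoint(tokens), _endpoint(tokens)
    return Ace(action, proto, src, dst, sport, dport)

def evaluate(acl: list, pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny any."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto) and wildcard_match(pkt.src, *ace.src)
                and wildcard_match(pkt.dst, *ace.dst)
                and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)):
            return ace.action
    return "deny"

def lint(acl: list) -> list:
    """Checks worth running before pasting a list into a router."""
    problems = []
    if not any(a.action == "permit" for a in acl):
        problems.append("no permit statement: the implicit deny blocks all traffic")
    for i, a in enumerate(acl[:-1]):
        if a.proto == "ip" and a.src == ANY and a.dst == ANY:
            problems.append(f"entry {i + 1} matches all IP traffic; the entries after it are unreachable")
            break
    return problems

@dataclass
class Cbac:
    """Model of 'ip inspect name FWRULE tcp': inspecting an outbound TCP connection
    inserts a permit for the reverse flow at the top of the inbound list; closing
    the session (or its timeout) removes that entry again."""
    inbound_acl: list
    sessions: dict = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> Ace:
        ace = Ace("permit", "tcp", (pkt.dst, "0.0.0.0"), (pkt.src, "0.0.0.0"), pkt.dport, pkt.sport)
        self.sessions[pkt] = ace
        self.inbound_acl.insert(0, ace)
        return ace

    def close(self, pkt: Packet) -> None:
        ace = self.sessions.pop(pkt, None)
        if ace is not None:
            self.inbound_acl.remove(ace)

def demo() -> dict:
    """The slide's Telnet session 10.0.0.3:2447 -> 172.30.1.50:23 through an
    inbound list that otherwise denies everything."""
    inbound = [parse_ace("access-list 102 deny ip any any")]
    fw = Cbac(inbound)
    outbound = Packet("tcp", "10.0.0.3", "172.30.1.50", 2447, 23)
    reply = Packet("tcp", "172.30.1.50", "10.0.0.3", 23, 2447)
    stray = Packet("tcp", "172.30.1.50", "10.0.0.4", 23, 2447)  # not a return flow
    result = {"before": evaluate(inbound, reply)}
    slide_entry = parse_ace("access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447")
    result["dynamic_matches_slide"] = fw.inspect(outbound) == slide_entry
    result["during"], result["stray"] = evaluate(inbound, reply), evaluate(inbound, stray)
    fw.close(outbound)
    result["after"] = evaluate(inbound, reply)
    return result
```

evaluate() returns the action of the first matching entry, so swapping the order of a specific deny and a broad permit changes the verdict exactly as the guidelines describe. demo() shows the reply to the inspected Telnet session denied before inspection, permitted while the session is open, and denied again once CBAC removes the entry; a packet from the same server to a different inside host never matches the dynamic entry, which is the property that lets the inbound list stay at deny ip any any.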
Slide 66: Advanced Firewall Wizard: Configure Inspection Rules

Slide 67: Configuring IPS Using SDM
Enable Cisco IOS IPS with a factory default SDF using Cisco SDM.

Slide 68: IPS Policies Wizard: Welcome

Slide 69: IPS Wizard: Interfaces Window

Slide 70: IPS Wizard: SDF Locations

Slide 71: IPS Wizard: Signature Configuration, Configuration Delivery, and Signature Compilation Status

Slide 72: IPS Wizard: Signature List

Slide 73: IPS Wizard: Global Settings

Slide 74: VPN Wizard: Main Window

Slide 75: VPN Wizard

Slide 76: VPN Wizard: VPN Connection Configuration

Slide 77: Security Audit: Overview
The security audit compares the router configuration against a predefined checklist of best practices (ICSA, TAC approved). Examples of the audit include (but are not limited to) the following:
- Shut down unneeded servers on the router (BOOTP, finger, TCP/UDP small servers).
- Shut down unneeded services on the router (CDP, ip source-route, ip classless).
- Apply the firewall to the outside interfaces.
- Disable SNMP or enable it with hard-to-guess community strings.
- Shut down unused interfaces; no ip proxy-arp.
- Force passwords for console and vty lines.
- Force an enable secret password.
- Enforce the use of ACLs.

Slide 78: Security Audit

Slide 79: Security Audit: Fix Security Problems

Slide 80: Monitor Mode Overview
Interface status, firewall status, VPN status.

Slide 81: Additional Tasks

Slide 82: Lab Exercise

Slide 83: Lab Exercise

Slide 84: Cisco IOS Firewall Authentication Proxy

Slide 85: What Is the Authentication Proxy?
- HTTP, HTTPS, FTP, and Telnet authentication.
- Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols.
- Once authenticated, all types of application traffic can be authorized.
- Works on any interface type for inbound or outbound traffic.

Slide 86: Using the Authentication Proxy
(Diagram: client hosts, an AAA server, and web, FTP, and Telnet servers reached across the Internet.)
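The checklist of Slide 77 (Security Audit: Overview), as an added example: a small Python linter written for this page, not SDM's audit engine, that runs those checks over a running-config. Services IOS enables by default (BOOTP, CDP, source routing, proxy ARP) are reported until an explicit no line turns them off, SNMP communities are flagged when guessable or read-write, console and vty lines are checked for a password or AAA login method, and "apply the firewall to the outside interfaces" is approximated as ip inspect being applied to at least one active interface. SAMPLE_CONFIG is constructed for the demo; its console line carries the type-7 encoding of the lab password cisco.

```python
"""Added example, not from the slide deck and not SDM's audit engine: runs the
checks listed on the 'Security Audit: Overview' slide against a running-config.
A check passes only when the hardening line is explicitly present, so services
that IOS enables by default (BOOTP, CDP, source routing, proxy ARP) are reported
until a 'no ...' line turns them off. The configuration below is constructed."""
import re

GLOBAL_CHECKS = [  # (finding, regex that must match some global line)
    ("BOOTP server not disabled", r"^no ip bootp server$"),
    ("finger not disabled", r"^no (service|ip) finger$"),
    ("TCP small servers not disabled", r"^no service tcp-small-servers$"),
    ("UDP small servers not disabled", r"^no service udp-small-servers$"),
    ("CDP not disabled", r"^no cdp run$"),
    ("IP source routing not disabled", r"^no ip source-route$"),
    ("no enable secret configured", r"^enable secret "),
    ("line passwords not encrypted", r"^service password-encryption$"),
]
WEAK_COMMUNITIES = {"public", "private", "cisco"}

SAMPLE_CONFIG = """\
! constructed running-config for the demo
service password-encryption
hostname R1
enable secret 0 Str0ngEnableSecret
no ip source-route
no cdp run
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip inspect FWRULE out
 no ip proxy-arp
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
interface Serial0/0
 shutdown
snmp-server community public RO
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 login
"""

def parse(config: str) -> tuple:
    """Split a running-config into its global lines and the indented blocks
    ('interface X', 'line vty 0 4', ...) that follow a global header."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.append(current)
            blocks[current] = []
    return globals_, blocks

def audit(config: str) -> list:
    """Return the findings: global checks first, then SNMP, then per-block checks."""
    globals_, blocks = parse(config)
    findings = [msg for msg, pat in GLOBAL_CHECKS if not any(re.match(pat, g) for g in globals_)]
    for g in globals_:
        m = re.match(r"^snmp-server community (\S+)(?: (RO|RW))?", g)
        if m and (m.group(1).lower() in WEAK_COMMUNITIES or m.group(2) == "RW"):
            findings.append(f"SNMP community {m.group(1)!r} is guessable or read-write")
    inspected = False
    for header, body in blocks.items():
        if header.startswith("interface ") and "shutdown" not in body:
            inspected |= any(b.startswith("ip inspect ") for b in body)
            if "no ip proxy-arp" not in body:
                findings.append(f"{header}: proxy ARP not disabled")
        if header.startswith("line ") and not any(
                b.startswith(("password ", "login local", "login authentication")) for b in body):
            findings.append(f"{header}: no password or AAA login method")
    if not inspected:  # stand-in for "apply the firewall to the outside interfaces"
        findings.append("no ip inspect rule applied to any active interface")
    return findings
```

audit(SAMPLE_CONFIG) reports the four servers that were never disabled, the public SNMP community, the unused-but-active FastEthernet0/1 without no ip proxy-arp, and the vty lines that have login but no password; appending the four no service / no ip bootp server lines removes the first four findings. Shut-down interfaces are skipped, which is why the audit also wants unused interfaces shut rather than merely unaddressed.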
Slide 87: Authentication Proxy Configuration
(Diagram: user on the inside, AAA server, and a web, FTP, or Telnet server on the outside.)
For outbound proxy authentication:
- Enable the authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the inside.
- Add an ACL to block inward traffic from the inside, except from the AAA server.
For inbound proxy authentication:
- Enable the authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the outside.
- Add an ACL to block inward traffic from the outside.

Slide 88: Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.

Slide 89: Create a User Authorization Profile in the Cisco Secure ACS
- Check auth-proxy.
- Check Custom attributes.
- Enter the ACLs to apply after the user authenticates, and the privilege level of the user (it must be 15 for all users):
  proxyacl#1=permit tcp any any
  priv-lvl=15

Slide 90: User Authorization Profiles
Attribute format:
  proxyacl#n=permit protocol any {any | host ip_addr | ip_addr wildcard_mask} [eq auth_service]
  priv-lvl=15
- Defines the allowable protocols, services, and destination addresses.
- The source address is always any; the router replaces it with the IP address of the host making the request.
- The privilege level must be set to 15 for all users.
Example profile:
  proxyacl#1=permit tcp any any eq 443 (HTTPS)
  proxyacl#2=permit icmp any host 172.30.0.50
  proxyacl#3=permit tcp any any eq ftp
  proxyacl#4=permit tcp any any eq smtp
  proxyacl#5=permit tcp any any eq telnet
  priv-lvl=15
Slide 91: Enable AAA
Router(config)# aaa new-model
Enables the AAA functionality on the router (default = disabled).

Slide 92: Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2]
Defines the list of authentication methods that will be used. Methods: TACACS+, RADIUS, or both.
Example:
Router(config)# aaa authentication login default group tacacs+
With a single server-group method and no fallback, logins fail whenever the server is unreachable; add local as method2 (as the lab on Slide 39 does with RADIUS) so that a configured local account can still get in.

Slide 93: Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2]
Use the auth-proxy keyword to enable authorization proxy for AAA methods. Methods: TACACS+, RADIUS, or both.
Example:
Router(config)# aaa authorization auth-proxy default group tacacs+

Slide 94: Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr
Specifies the TACACS+ server IP address.
Router(config)# tacacs-server key string
Specifies the TACACS+ server key.
Example:
Router(config)# tacacs-server host 10.0.0.3
Router(config)# tacacs-server key secretkey

Slide 95: Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr
Specifies the RADIUS server IP address.
Router(config)# radius-server key string
Specifies the RADIUS server key.
Example:
Router(config)# radius-server host 10.0.0.3
Router(config)# radius-server key secretkey
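What the keys of Slides 94 and 95 actually protect, and the difference behind "encrypts the entire body" on the TACACS+ slide (27) versus the RADIUS slide (28), as an added Python example that is not from the deck and not IOS or ACS code. TACACS+ (RFC 8907) XORs the whole packet body with an MD5 pad derived from the session ID, the shared key, the version and the sequence number, so the user name in an authentication START is hidden; RADIUS (RFC 2865) hides only the User-Password attribute, while User-Name and every other attribute cross the wire in clear text. Both are MD5-keyed XOR pads rather than authenticated encryption, so the strength of the shared key and the isolation of the path to the AAA server are what keep credentials private (the ACL on Slide 96 limits who can talk to the router; it does nothing for the path). The session ID, request authenticator, key and the lab credential CTTAdmin / cisco are constructed inputs.

```python
"""Added example, not from the slide deck: what the key configured with
'tacacs-server key' / 'radius-server key' protects on the wire. TACACS+ (RFC
8907) XORs the whole packet body with an MD5-derived pad, so every field is
hidden; RADIUS (RFC 2865) hides only the User-Password attribute and sends the
user name and everything else in clear text. Session ID, request authenticator,
key and credentials below are constructed for the demo."""
import hashlib
import struct

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}); concatenate and cut."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pad; the same call with the same parameters reverses
    it. 0xC0 is major version 12, minor version 0."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_authen_start(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"", data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    service=LOGIN(1), the four length bytes, then the variable fields. For ASCII
    login the password follows later in a CONTINUE packet, obfuscated the same way."""
    header = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
    c1 = p1 XOR MD5(secret|RA), c_i = p_i XOR MD5(secret|c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side of the same transform; the receiver also needs the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(user: bytes, password: bytes, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Code 1 (Access-Request), identifier, length, 16-byte Request Authenticator,
    then User-Name (type 1) in the clear and User-Password (type 2) hidden."""
    hidden = radius_hide_password(password, secret, request_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def demo() -> dict:
    """Send the lab credential (CTTAdmin / cisco) with the key from the
    'tacacs-server key' slide over both protocols and report what is visible."""
    key, user, password = b"secretkey", b"CTTAdmin", b"cisco"
    session_id = 0x1A2B3C4D          # constructed; the real value is random per session
    body = tacacs_authen_start(user)
    wire = tacacs_obfuscate(body, session_id, key)
    ra = bytes(range(16))            # constructed; the real Request Authenticator is random
    request = radius_access_request(user, password, key, 7, ra)
    hidden = request[20 + 2 + len(user) + 2:]   # header, User-Name, then User-Password type/len
    return {
        "tacacs_user_visible": user in wire,
        "tacacs_roundtrip": tacacs_obfuscate(wire, session_id, key) == body,
        "radius_user_visible": user in request,
        "radius_password_visible": password in request,
        "radius_password_recovered": radius_reveal_password(hidden, key, ra) == password,
    }
```

demo() shows the user name readable in the RADIUS Access-Request but not in the TACACS+ body, and that either side holding the shared key undoes both transforms exactly, which is why the same key string must be configured on the router and on the ACS server, and why a weak or widely shared key exposes every credential carried by both protocols.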
Slide 96: Allow AAA Traffic to the Router
Router(config)# access-list 111 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in
- Create an ACL to permit TACACS+ traffic from the AAA server to the firewall:
  - Source address = AAA server
  - Destination address = interface where the AAA server resides
  - May want to permit ICMP
  - Deny all other traffic
- Apply the ACL to the interface on the side where the AAA server resides.

Slide 97: Enable the Router HTTP or HTTPS Server for AAA
Router(config)# ip http server
Enables the HTTP server on the router.
Router(config)# ip http authentication aaa
Sets the HTTP server authentication method to AAA.
Router(config)# ip http secure-server
Enables the HTTPS server on the router.
The proxy uses the HTTP server for communication with the client.

Slide 98: Set Global Timers
Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
- Authentication inactivity timer in minutes (default = 60 minutes).
- Absolute timer in minutes (default = 0 minutes, meaning no absolute limit).
Example:
Router(config)# ip auth-proxy inactivity-timer 120
Slide 99: Define and Apply Authentication Proxy Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
Creates an authentication proxy rule.
Router(config-if)# ip auth-proxy auth-proxy-name
Applies an authentication proxy rule to an interface. For outbound authentication, apply it to the inside interface; for inbound authentication, apply it to the outside interface.
Example:
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule

Slide 100: Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
Creates an authentication proxy rule with an ACL; only traffic permitted by the ACL is intercepted for authentication.
Example:
Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule

Slide 101: Clear the Authentication Proxy Cache
Router# clear ip auth-proxy cache {* | ip_addr}
Clears authentication proxy entries from the router.

Slide 102: Lab Exercise

Slide 103: Cisco IOS Firewall Intrusion Prevention System

Slide 104: Cisco IOS Firewall Intrusion Prevention System
(Diagram: 1 attack, 2 drop packet, 3 reset connection, 4 alarm to the network management console.)
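The auth-proxy profile of Slides 89 and 90 and the rules, timers and cache of Slides 98 to 101, as an added Python example that is neither the deck's nor IOS's code. It parses the proxyacl#n and priv-lvl attributes as the ACS would return them, rejects what the slides say the router will not accept (a source other than any, a priv-lvl other than 15), expands each entry by substituting the authenticated host for the any source, and keeps the result in a per-host cache that expires on the inactivity and absolute timers and can be emptied like clear ip auth-proxy cache. The profile text is the one on Slide 90; the host 10.0.0.5, the timestamps, and the AuthProxyCache name are this example's own.

```python
"""Added example, not from the slide deck or from IOS: parses the proxyacl#n and
priv-lvl attributes of a Cisco Secure ACS auth-proxy profile, expands them the
way the slides describe the router doing it (source 'any' becomes the
authenticated host, priv-lvl must be 15), and keeps the entries in a per-host
cache governed by the 'ip auth-proxy' inactivity and absolute timers and by
'clear ip auth-proxy cache'. Profile text, addresses and times are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# proxyacl#n=permit protocol any {any | host ip | ip wildcard} [eq service]
PROXYACL = re.compile(r"^proxyacl#(\d+)=permit (\S+) any (any|host \S+|\S+ \S+)(?: eq (\S+))?$")

PROFILE = """
proxyacl#1=permit tcp any any eq 443
proxyacl#2=permit icmp any host 172.30.0.50
proxyacl#3=permit tcp any any eq ftp
proxyacl#4=permit tcp any any eq smtp
proxyacl#5=permit tcp any any eq telnet
priv-lvl=15
"""

def parse_profile(text: str) -> list:
    """Return (protocol, destination, service) tuples in proxyacl index order.
    Rejects a source other than 'any', a duplicate index, or a priv-lvl != 15."""
    entries, priv = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("priv-lvl="):
            priv = int(line.split("=", 1)[1])
            continue
        m = PROXYACL.match(line)
        if not m:
            raise ValueError(f"unsupported attribute: {line!r}")
        n, proto, dst, service = m.groups()
        if int(n) in entries:
            raise ValueError(f"duplicate proxyacl#{n}")
        entries[int(n)] = (proto, dst, service)
    if priv != 15:
        raise ValueError("priv-lvl must be 15 for auth-proxy users")
    return [entries[n] for n in sorted(entries)]

def profile_error(text: str) -> Optional[str]:
    """The rejection message a profile would trigger, or None if it is acceptable."""
    try:
        parse_profile(text)
    except ValueError as exc:
        return str(exc)
    return None

def expand(entries: list, host_ip: str) -> list:
    """Router-side substitution: the 'any' source becomes the requesting host."""
    aces = []
    for proto, dst, service in entries:
        ace = f"permit {proto} host {host_ip} {dst}"
        aces.append(ace if service is None else f"{ace} eq {service}")
    return aces

@dataclass
class AuthProxyCache:
    """Per-host dynamic entries with the global timers of the 'Set Global Timers'
    slide: inactivity 60 min by default, absolute 0 = no limit."""
    inactivity_min: int = 60
    absolute_min: int = 0
    entries: dict = field(default_factory=dict)  # host -> [aces, first_seen, last_seen]

    def authenticate(self, host: str, profile_text: str, now: float) -> list:
        aces = expand(parse_profile(profile_text), host)
        self.entries[host] = [aces, now, now]
        return aces

    def lookup(self, host: str, now: float) -> Optional[list]:
        """Entries still in force at 'now' (seconds); expired ones are torn down."""
        rec = self.entries.get(host)
        if rec is None:
            return None
        aces, first, last = rec
        if now - last > self.inactivity_min * 60 or (
                self.absolute_min > 0 and now - first > self.absolute_min * 60):
            del self.entries[host]
            return None
        rec[2] = now  # matching traffic refreshes the inactivity timer
        return aces

    def clear(self, target: str = "*") -> None:
        """'clear ip auth-proxy cache {* | ip_addr}'."""
        if target == "*":
            self.entries.clear()
        else:
            self.entries.pop(target, None)

def demo() -> dict:
    """A host authenticates at t=0, is active at 30 min, then stays idle past the
    120 minute inactivity timer from the slide's example."""
    cache = AuthProxyCache(inactivity_min=120)
    installed = cache.authenticate("10.0.0.5", PROFILE, now=0)
    active = cache.lookup("10.0.0.5", now=30 * 60)
    idle = cache.lookup("10.0.0.5", now=(30 + 121) * 60)
    return {"installed": installed, "active": active is not None, "after_idle": idle}
```

demo() installs five entries of the form permit tcp host 10.0.0.5 any eq 443 for the authenticated host, keeps them while traffic refreshes the inactivity timer, and tears them down once the host has been idle longer than the configured 120 minutes. Because every entry is anchored to the requesting host, an address that was never authenticated gets nothing from the profile, which is the property the proxy relies on when it sits in front of the ACL that otherwise blocks the inside network.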
Slide 105: Features
- Uses the underlying routing infrastructure
- Ubiquitous protection of network assets
- Inline deep packet inspection
- IPS signature support
- Customized signature support
- Parallel signature scanning
- Named and numbered extended ACL support

Slide 106: Response Options
- Alarm: sends alarms to the Cisco VMS, a syslog server, or the buffer, and forwards the packet.
- Reset: sends packets with the reset flag to both session participants if the session is TCP, and forwards the packet.
- Drop: immediately drops the packet.

Slide 107: Configuration Tasks
1. Install Cisco IOS Firewall IPS on the router.
2. Specify the location of the Signature Definition File (SDF).
3. Create an IPS rule.
4. Attach a policy to a signature (optional).
5. Apply the IPS rule to an interface.
6. Configure logging via syslog or SDEE.
7. Verify the configuration.

Slide 108: Specify Location of SDF (Optional)
Router(config)# ip ips sdf location url
Specifies the location from which the router will load the SDF. If this command is not issued, the router loads the default built-in signatures.
Example:
Router(config)# ip ips sdf location disk2:attack-drop.sdf
Loads the SDF attack-drop.sdf.

Slide 109: Create IPS Rule
Router(config)# ip ips name ips-name [list acl]
Creates an IPS rule.
Example:
Router(config)# ip ips name MYIPS
Creates an IPS rule named MYIPS that will be applied to an interface.
Slide 110: Attach a Policy to a Given Signature (Optional)
Router(config)# ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}
Attaches a policy to a given signature.
Example:
Router(config)# ip ips signature 1000 disable
Disables signature 1000 in the SDF.

Slide 111