CCIE.book Page 598 Monday, March 3, 2003 3:10 PM
INDEX

Symbols
.rhosts file (UNIX), 290
| (pipe), 174

Numerics
1000 GE, 28
100BaseT, 28
10Base2, 28
10Base5, 28
10BaseT, 28
3DES (Data Encryption Standard), 238
802.1Q, 33

A
AAA, 208–209
    accounting, 211–212
    authentication, 210
    authorization, 210–211
ABRs (Area Border Routers), 68
access lists, 250
    extended, 187–189
        options, 188–189
    filtering TCP services, 322, 324
    IP packet debugging, 171–172
    standard, 182–187
    wildcard masks, 184
accessing
    Cisco routers, 179
accounting, 208, 211–212
ACKs (acknowledgments), 63
ACS (Cisco Secure Access Control Server)
    See Cisco Secure
Active Directory, 133
Active FTP, 115, 117
adaptive cut-through switching, 30
address classes, 36
Adjacencies, 67
administrative distances, 56–57
agents (SNMP), 123
Aggregator attribute (BGP), 78
Aggressive mode (IKE), 246
AH (Authentication Header), 244–246
alias command, 167
allocating IP addresses
    InterNIC, 325
ambiguous test questions
    decoding, 572–573
application layer (OSI model), 25
applications
    NetRanger, 300
        Director, 302
        sensors, 300
        supporting platforms, 301
        typical network placement, 300
    TFTP, 113
applying
    access lists to interfaces, 185–187
areas, 67
arguments
    UNIX commands, 286
ARP, 45–46
AS (Autonomous System), 67
AS_Path attribute (BGP), 77
ASA (Adaptive Security Algorithm), 330
ASBRs (Autonomous system boundary routers), 68
asynchronous communications, 84–85
Atomic Aggregate attribute (BGP), 78
attacks
    birthday attacks, 372
    chargen, 371
    CPU-intensive, 371
    DDoS, 371
    DNS poisoning, 371
    DoS, 370, 372
    E-mail, 371
    incident response teams, 367
    Land.C, 371
    man in the middle, 372
    methods of, 369
    motivation for, 365
    ping of death, 371
    sacrificial hosts, 370
    smurf, 372
    spoof attacks, 372
    TCP SYN flood, 371
    teardrop, 371
    UDP bombs, 371
attrib command (DOS), 285
attributes
    of RADIUS, 214
attributes (BGP), 77–78
authentication, 208, 210
    HTTP, 119
    Kerberos, 225
    method lists, 217
    on TACACS+ servers, 219
    PPP, 82
authoritative time sources
    configuring, 130–131
    stratum, 128–129
authorization, 209–211
    on TACACS+ servers, 219–220

B
backup domain controllers, 290
bastion hosts, 370
BECN (backward explicit congestion notification), 83
BGP, 76
    attributes, 77–78
    characteristics, 77
    configuring, 79
    messages, 76
birthday attacks, 372
Blocking state (spanning tree), 31
bootstrap program, 153
BPDUs (Bridge Protocol Data Units), 31
BRI, 80
bridging, 28
    port states, 31
    transparent, 30
broadcast domains, 30
broadcasting, 292
browsing, 291

C
calculating
    hosts per subnet, 37–38
CAM tables, 29
CBAC
    audit trail messages
        enabling, 451
CBAC (Content-Based Access Control), 345
    configuring, 346–347
cd command (DOS), 284
cd command (UNIX), 284
CERT/CC (Computer Emergency Response Team Coordination Center), 366
certification
    exam
        objectives, 4–7
        preparing for, 3, 7–8
characteristics
    of RIP, 57–58
    of RIPv1, 58
    of RIPv2, 59
chargen attacks, 371
chkdsk command (DOS), 284
chmod command (UNIX), 289
CIDR, 39
CIDS (Cisco Secure Intrusion Detection System)
    See also NetRanger
Cisco IDS, 373
    sensors, 373
    Signature Engines, 373–374
    supported products, 373
Cisco IOS
    configuration files
        saving, 158
    firewall features, 344–345
    intrusion prevention methods
        core dumps, 379–380
        disabling default services, 378
        disabling DHCP, 377
        disabling TCP/UDP small servers, 376
        enabling sequence numbering, 378
        enabling TCP intercept, 379
        Nagle algorithm, 375–376
    modes of operation, 157
    password recovery, 174, 176–179
Cisco Product Security Incident Response Team
    web site, 367
Cisco Secure, 297, 299
    AAA features, 298
    features, 297
    test topics, 297
Cisco Secure Scanner
    See also NetSonar
Cisco Security Manager
    See CSPM
Cisco Security Wheel, 304
Cisco TFTP, 113
classes of IP addresses, 36
classful addressing, 40
classful routing protocols, 40
clock sources
    NTP configuration, 128–131
Cluster-List attribute (BGP), 78
collisions
    jam signals, 27
command structure
    UNIX, 285–287
commands
    | (pipe) modifier, 174
    alias, 167
    copy running-config startup-config, 158
    copy tftp flash, 114
    debug all, 171
    DOS
        attrib, 285
        ip helper-address, 292
        ipconfig, 295–296
        route, 296
    ip host, 110
    ip http authentication, 119
    ip route-cache, 168
    ip subnet-zero, 38
    logging console debug, 168
    service password-encryption, 181
    service tcp-keepalives-in, 376
    set vlan, 30
    shortcuts, creating, 167
    show accounting, 211–212
    show debugging, 163
    show interface, 156
    show interfaces, 163–165
    show ip access-lists, 163
    show ip arp, 46
    show ip route, 55–56, 162–163
    show logging, 166
    show process, 153
    show route-map, 166
    show startup-config, 178
    show version, 155–156, 166
    SMTP, 127–128
    snmp-server enable traps config, 124
    snmp-server host, 124–126
    undebug all, 163
    UNIX
        correlated DOS commands, 284–285
community access strings
    configuring on Cisco routers, 121
Community attribute (BGP), 78
comparing
    preshared keys and manual keys, 255
    RADIUS and TACACS+, 224–225
components of Security Wheel, 304
configuration files
    loading, 158
    saving, 158
Configuration mode (IOS), 157
configuration registers, 154–156
    modifying, 177
configuring
    BGP, 79
    CBAC, 346–347
    Dynamic NAT, 326
    HSRP, 50–51
    IKE, 252–253, 255–256, 258–259
    Kerberos, 228–229
    Nagle algorithm, 375
    NTP
        time sources, 128–131
    OSPF
        in a single area, 66, 69
        in multiple areas, 69–70
    PIX, 332–337
    RADIUS, 215–217
    RIP, 59, 61
    SGBP, 85
    SNMP support on Cisco routers, 124
    TACACS+, 220–223
    VPDNs, 231–235
    VPNs, 350–351
connectionless protocols, 23
connection-oriented protocols, 23
    TCP, 40
        header format, 41
        packets, 41–42
        Telnet requests, 42, 45
copy command (DOS), 284
copy running-config startup-config command, 158
copy tftp flash command, 114
copying
    IOS images from TFTP servers, 114
core dumps
    performing, 379–380
cp command (UNIX), 284
CPU, 152
CPU-intensive attacks, 371
creating
    command shortcuts, 167
    extended access lists, 187–189
    standard access lists, 182–187
    VLANs, 30
credentials, 227
crypto map entries, 253
cryptography
    key exchange management, 246
        IKE, 247–250, 252–253, 255–256, 258–259
    PKI, 348
CSACS (Cisco Secure Access Control Server), 218
CSMA/CD, 27
CSPM, 299
CSPM (Cisco Secure Policy Manager), 299
cut through switching, 30

D
DATA command (SMTP), 128
data encryption
    3DES, 238
    DES, 237–238
    Diffie-Hellman, 240–241
    DSS, 238–239
    IPSec, 242
        AH, 244–246
        ESP, 243–244
    MD5, 239–240
    principles of, 235, 237
data link layer (OSI model), 22
data manipulation, 369
DDOS (Distributed Denial Of Service) attacks, 371
debug all command, 171
debug commands, 168–174
    options, 169–170
debugging
    turning off, 163
default services
    disabling, 378
defining
    HTTP port number, 120
    IP address names, 110
    TFTP download directory, 114
del/erase command (DOS), 284
deploying
    NAT, 325
DES (Data Encryption Standard), 237–238
development
    of Ethernet, 27
    of OSI reference model, 21
development of UNIX operating system, 284
devices
    asynchronous communication, 84–85
    broadcast domains, 30
    broadcasting, 292
    firewalls, 320
    VLANs
        creating, 30
df command (UNIX), 284
DHCP, 47
    disabling, 377
DHCP (Dynamic Host Configuration Protocol), 292
Diffie-Hellman protocol, 240–241
dir command (DOS), 284
directories, 289
directories (UNIX), 289–290
disabled state (spanning tree), 31
disabling
    default services, 378
    DHCP, 377
    DNS lookup on Cisco routers, 112
    TCP/UDP small servers, 376
    Telnet login password, 113
displaying
    configured policy routes, 166
    router home page, 118
    routing tables, 55–56
    system log, 166
distance vector protocols
    loop avoidance techniques, 59
    RIP, 57–59
        configuring, 59, 61
DLCIs (data-link connection identifiers), 83
DMZ, 320
DNS, 110–111
    disabling lookup on Cisco routers, 112
    enabling lookup on Cisco routers, 112
DNS poisoning, 371
domains, 290
    trust relationships, 294
    trusted domains, 292
domains (Windows NT)
    scalability, 292
DOS
    commands
        attrib, 285
        correlated UNIX commands, 284–285
        ipconfig, 295–296
        route, 296
DoS attacks, 370, 372
DR (Designated Router), 68
DRs
    election process
        disabling, 75
DSS (Data Signature Standard), 238–239
DSS (digital signatures), 348
dynamic crypto map entries, 254
Dynamic NAT
    configuring, 326
dynamic NAT, 327

E
EBGP (external BGP), 78
EIGRP, 62–63
    example configuration, 64, 66
election process (DRs)
    disabling, 75
e-mail
    SMTP, 127
        commands, 127–128
E-mail attacks, 371
enable passwords
    setting, 180
enabling
    DNS lookup on Cisco routers, 112
    FastEther Channel, 31
    HSRP, 49
    Nagle algorithm, 376
    portfast on Cisco switches, 31
    sequence numbering, 378
    TCP intercept, 379
encapsulation, 26
    HDLC, 80
    LCP, 82
    PPP, 81
encrypting passwords, 181
encryption technologies, 235
    3DES, 238
    DES, 237–238
    Diffie-Hellman, 240–241
    DSS, 238–239
    IPSec, 242
        AH, 244–246
        ESP, 243–244
    MD5, 239–240
    principles of, 235, 237
ESP (Encapsulation Security Payload), 243–244
establishing
    Telnet connections, 179
Ethernet
    bridge port states, 31
    CSMA/CD, 27
    FEC, 31
    interfaces, states of, 165
    media specification, 27–28
    spanning tree, 30
exam
    FAQs, 576
    objectives, 4–7
    preparing for, 3, 7–8, 575
    study tips, 569–570
example configurations
    EIGRP, 64, 66
extended access lists, 187–189
    options, 188–189
external links, 68

F
FAQs regarding exam, 576
FAQs regarding lab exam, 578–580
FAQs regarding qualification exam, 576–577
FC (feasibility condition), 63
feasible distance, 63
features
    of RADIUS, 215
    of TACACS+ servers, 220
FEC (FastEther Channel), 31
FECN (forward explicit congestion notification), 83
fields
    of IP packets, 34–35
    of show ip route command output, 56
    of TCP packets, 41–42
file systems
    NTFS, 293
    UNIX, 289
        directories, 289–290
files
    attributes
        modifying, 285
filtering TCP services, 322, 324
firewalls, 320
    Cisco IOS features, 344–345
    CSPM, 299
    PIX, 328
        commands, 339–341
        configuring, 332–337
        DMZs, 330
        stateful packet screening, 330–331
        static routing, 337–338
flags
    chmod command, 289
    UNIX commands, 286
Flags field
    TCP packets, 42
Flash memory, 151
Forwarding state (spanning tree), 31
Frame Relay, 83
frames, 22
    BPDUs, 31
framing
    ISDN, 80
FTP, 53
    Active mode, 115, 117
    Passive mode, 117–118
functionality
    of NetBIOS, 291

G
gateways
    HSRP, 47
        configuring, 50–51
        enabling, 49
generating
    keepalive packets, 376
Global, 293
Global domain model, 293
global groups, 294
gratuitous ARP, 46
grep command (UNIX), 287

H
hashing, 238–239
hashing algorithms
    MD5, 239–240
    SHA, 239–240
HDLC, 80
Hello packets
    EIGRP, 63
Hello packets (OSPF), 67
HELO command (SMTP), 127
help command (DOS), 284
hiding
    secret passwords, 181
hijacking, 369
holdtime, 63
host IDSs, 372
hosts per subnet
    calculating, 37–38
HSRP, 47
    configuring, 50–51
    enabling, 49
HTTP
    defining port number, 120
    security
        SSL, 121
    user authentication, 119
HTTP (Hypertext Transfer Protocol), 118
hybrid routing protocols
    EIGRP, 62–63
        configuration example, 64, 66
I
IBGP (internal BGP), 78
ICMP, 52–53
IDSs, 372
    Cisco IDS
        Signature Engines, 373–374
        supported products, 373
IDSs (intrusion detection systems)
    NetRanger, 300
        Director, 302
        sensors, 300
        supporting platforms, 301
        typical network placement, 300
IETF (Internet Engineering Task Force) web site, 368
ifconfig command (UNIX), 287
IKE, 246
    configuring, 252–253, 255–256, 258–259
    phase I, 247
    phase II, 248–250, 252
in, 53
incident response teams, 367
inform requests (SNMP), 122
Initial configuration mode (IOS), 157
inside global addresses, 324
inside local addresses, 324
instances, 227
Interface configuration mode (IOS), 157
interfaces, 156
    access lists, applying, 185–187
    Ethernet
        states, 165
Internet Domain Survey web site, 368
Internet newsgroups, 368
InterNIC, 325
intruders
    methods of attack, 369
IOS images
    copying from TFTP servers, 114
IP, 33
    address classes, 36
    packets, 34–35
    subnets, 36
IP addressing
    ARP, 45–46
    CIDR, 39
    classful addressing, 40
    DHCP, 47
    DNS, 110–111
        enabling lookup on Cisco routers, 112
    logical AND operation, 37
    name resolution on Windows NT systems, 292
    RARP, 46
    subnets, 36
    subnetting
        calculating hosts per subnet, 37–38
        VLSM, 38–39
IP GRE (generic routing encapsulation) tunnels
    configuring, 349–351
ip helper-address command, 292
ip host command, 110
ip http authentication command, 119
IP multicast, 83
IP packet debugging, 171–172
ip route-cache command, 168
ip subnet-zero command, 38
ipconfig command, 295–296
IPSec, 242
    AH, 244–246
    ESP, 243–244
is, 223
ISDN
    commands, 82
    layer 2 protocols, 80
        authentication, 82
        HDLC, 80
        LCP, 82
        NCP, 82
        PPP, 81
ISDN (Integrated Services Digital Network), 79
    framing, 80
ISL (Inter-Switch Link), 33
ISO (Organization for Standardization), 21
ISOC (Internet Society) web site, 368

J
jam signals, 27
K
KDC (Key Distribution Center), 228
KDC (key distribution center), 225
keepalive packets
    generating, 376
Kerberos, 225
    configuring, 228–229
Kerberos realm, 227
key exchange management
    IKE, 246
        configuring, 252–253, 255–256, 258–259
        phase I, 247
        phase II, 248–250, 252

L
L2F, 229
    VPDNs, 231
L2TP, 229
    VPDNs, 231
lab
    See self-study lab
lab exam, 577–578
    FAQs, 578–580
    sample, 583–584, 586–597
Land.C attacks, 371
lastlog file (UNIX), 290
Layer 2
    See also network layer
layer of OSI reference model
    network layer
        spanning tree, 30
        switching, 28–30
layers of OSI reference model
    application layer, 25
    data link layer, 22
    network layer, 23
        IP, 33–37
    physical layer, 21
    presentation layer, 24
    session layer, 24
    transport layer, 24
LCP, 82
LDAP (Lightweight Directory Access Protocol), 133
Learning state (spanning tree), 31
leases (DHCP)
    viewing, 47
links, 289
link-state protocols
    OSPF, 66, 68
        example configuration, 71, 73, 75
        media types, 70
        multiple area configuration, 69–70
        single area configuration, 66, 69
        virtual links, 71
Listening state (spanning tree), 31
LLC sublayer, 22
LMhosts file, 292
loading
    configuration files, 158
local groups, 294
Local Preference attribute (BGP), 77
logging console debug command, 168
logical AND operation, 37
loops
    spanning tree, 30
        bridge port states, 31
    split horizon, 58
lost passwords
    recovering, 174, 176–179
ls command (UNIX), 284
LSAs (link-state advertisements), 68

M
MAC sublayer, 22
MAIL command (SMTP), 128
man command (UNIX), 284, 287
man in the middle attacks, 372
managed devices, 123
manual keys
    versus preshared keys, 255
masquerading, 369
master domain model, 293
MD5 (Message Digest 5), 239–240
MED attribute (BGP), 77
media specifications of Ethernet, 27–28
memory
    NVRAM, 151
    RAM, 151
    ROM, 153
    System Flash, 151
messages
    BGP, 76
method lists, 217
methods of attacks, 369
metrics
    administrative distance, 56–57
MIBs, 122, 124
modes of IOS operation, 157
modifying
    configuration registers, 177
    UNIX permissions, 289
monitoring
    NAT, 327
motivation for attacks, 365
multicasting, 83
multiple master domain model, 293
mv command (UNIX), 284, 287

N
Nagle algorithm
    preventing Cisco IOS from attacks, 375–376
Nagle, John, 375
name resolution
    DNS, 110–111
        enabling lookup on Cisco routers, 112
    on Windows NT, 292
NAT, 324
    deploying, 325
    Dynamic NAT
        configuring, 326
    monitoring, 327
    operation on Cisco routers, 326
NCP, 82
NetBEUI, 290
NetBIOS (Network Basic Input/Output System), 290
NetBT, 291
NetRanger, 300
    Director, 302
    sensors, 300
    supporting platforms, 301
    typical network placement, 300
NetSonar, 302, 304
    See also Cisco Secure Scanner
netstat command (UNIX), 287
network IDS, 372
network layer
    bridging
        BPDUs, 31
        port states
            BPDUs, 31
    ICMP, 52–53
    IP, 33
        address classes, 36
        logical AND operation, 37
        packets, 34–35
        subnets, 36
    spanning tree protocol, 30
    subnetting
        VLSM, 38–39
    switching, 28–29
        CAM tables, 29
        cut through, 30
        store and forward, 30
network layer (OSI model), 23
network management
    SNMP, 121
        community access strings, configuring on Cisco routers, 121
        configuring on Cisco routers, 124
        examples of, 126
        managed devices, 123
        MIBs, 122, 124
        notifications, 122, 124
Network Neighborhood, 291
newsgroups
    reporting security breaches, 368
Next Hop attribute (BGP), 77
NMSs (network management systems), 123
NOOP command (SMTP), 128
normal files, 289
notifications (SNMP), 122, 124
NSSAs (Not-so-stubby areas), 70
NTFS (New Technology File System), 293
NTP
    configuring clock sources, 128–131
NVRAM (nonvolatile RAM), 151
NWLink, 291
O
operating systems
    UNIX
        command structure, 285–287
        commands, 284–285
        development of, 284
        file systems, 289–290
        permissions, 288–289
    Windows NT, 290
        browsing, 291
        domains, 290
        global groups, 294
        local groups, 294
        name resolution, 292
        permissions, 293–294
        SAM, 293
        scalability, 292
        trust relationships, 294
        workgroups, 290
Origin attribute (BGP), 77
Originator ID attribute (BGP), 78
OSI reference model
    application layer, 25
    data link layer, 22
    development of, 21
    network layer, 23
        IP, 33–37
        spanning tree, 30
        switching, 28–30
    peer-to-peer communication, 26
    physical layer, 21
    presentation layer, 24
    session layer, 24
    transport layer, 24
    versus TCP/IP model, 25
OSPF, 66, 68
    example configuration, 71, 73, 75
    media types, 70
    multiple area configuration, 69–70
    single area configuration, 66, 69
    virtual links, 71
outside global addresses, 324
outside local addresses, 324

P
packet filtering, 321
    CBAC, 345
        configuring, 346–347
    extended access lists, 187–189
        options, 188–189
    standard access lists, 182–187
packets
    AH, 245–246
    Hello
        EIGRP, 63
    IP, 34–35
        debugging, 171–172
    rerouting, 369
    TCP, 41–42
partitioning System Flash, 151
Passive FTP, 117–118
passwd file (UNIX), 290
password recovery, 174, 176–179
passwords
    authentication, 210
        method lists, 217
    enable passwords, setting, 180
    encrypting, 181
    virtual terminal passwords, setting, 182
PAT, 324
path vector protocols
    BGP, 76
        attributes, 77–78
        configuring, 79
        messages, 76
PDM (PIX Device Manager), 299
peer-to-peer communication, 26
performing
    core dumps, 379–380
perimeter routers, 321
permissions
    UNIX, 288–289
    Windows NT, 293–294
PFS (perfect forward secrecy), 249
physical layer (OSI model), 21
ping command (DOS), 285
ping command (UNIX), 285
ping of death attack, 371
ping requests
    test characters, 52–53
PIX
    stateful packet screening, 330
PIX (Private Internet Exchange), 328
    commands, 339–341
    configuring, 332–337
    DMZs, 330
    software features, 342–344
    stateful packet screening, 330–331
    static routing, 337–338
PKI (Public Key Infrastructure), 348
Poison Reverse updates, 59
policy routes
    displaying, 166
portfast
    enabling, 31
PPP, 81
preparing for exam, 3, 7–8, 575
    FAQs, 576
    objectives, 4–7
preparing for lab exam
    sample lab, 583–584, 586–597
preparing for qualification exam, 573–574
presentation layer (OSI model), 24
pre-shared keys
    versus manual keys, 453
preshared keys
    versus manual keys, 255
preventing Cisco IOS from attacks
    disabling default services, 378
    disabling DHCP, 377
    disabling TCP/UDP small servers, 376
    enabling sequence numbering, 378
    enabling TCP intercept, 379
    Nagle algorithm, 375–376
    performing core dumps, 379–380
PRI, 80
primary domain controllers, 290
principal (Kerberos), 228
privilege levels
    authorization, 210–211
Privileged EXEC mode (IOS), 158
proxy servers, 321

Q
qualification exam
    FAQs, 576–577
    preparing for, 573–574
    See also lab exam
    study tips, 570–571
        decoding ambiguity, 572–573
QUIT command (SMTP), 128

R
RADIUS, 212
    attributes, 214
    configuring, 215–217
    features, 215
    security protocol support, 214
    versus TACACS+, 224–225
RAM, 151
RARP, 46
RCPT command (SMTP), 128
read command (SNMP), 123
recovering lost or unknown passwords, 174, 176–179
redundancy
    HSRP, 47
        configuring, 50–51
        enabling, 49
remote access
    VPDNs, 229, 231
        configuring, 231–235
remote router access, 179
rename command (DOS), 284
reporting security breaches
    Internet newsgroups, 368
rerouting packets, 369
resolving
    IP addresses to MAC addresses
        ARP, 45–46
rm command (UNIX), 284
rmdir command (UNIX), 287
ROM (read-only memory), 153
ROM boot mode (IOS), 157
root bridge elections, 30
root bridges, 31
route command, 296
router hardware
    configuration registers, 154–156
    CPU, 152
    interfaces, 156
    NVRAM, 151
    RAM, 151
    ROM, 153
    System Flash, 151
routers
    remote access, 179
routing protocols, 53, 55
    BGP, 76
        attributes, 77–78
        configuring, 79
        messages, 76
    default administrative distances, 56–57
    EIGRP, 62–63
        example configuration, 64, 66
    OSPF, 66, 68
        example configuration, 71, 73, 75
        multiple area configuration, 69–70
        single area configuration, 66, 69
        virtual links, 71
    RIP, 57–59
        configuring, 59, 61
routing tables
    viewing, 55–56
RSET command (SMTP), 128
RTO (Retransmission Timeout), 63

S
SA (Security Association), 242
sacrificial hosts, 370
SAM (Security Accounts Manager), 293
SAML command (SMTP), 128
sample lab exam, 583–584, 586–597
saving
    configuration files, 158
scalability
    Windows NT, 292
secret passwords
    hiding, 181
security, 321
    AAA, 208–209
        accounting, 211–212
        authentication, 210
        authorization, 210–211
    CBAC
        configuring, 346–347
    encryption technologies, 235
        3DES, 238
        DES, 237–238
        Diffie-Hellman, 240–241
        DSS, 238–239
        IPSec, 242–246
        MD5, 239–240
        principles of, 235, 237
    firewalls, 320
        Cisco IOS features, 344–345
    HTTP, 118
        authentication, 119
    IKE, 246
        configuring, 252–253, 255–256, 258–259
        phase I, 247
        phase II, 248–250, 252
    Kerberos, 225
        configuring, 228–229
    NAT, 324
        configuring Dynamic NAT, 326
        deploying, 325
        monitoring, 327
        operation on Cisco routers, 326
    packet filtering
        TCP services, 322, 324
    PAT, 324
    PIX, 328
        commands, 339–341
        configuring, 332–337
        DMZs, 330
        software features, 342–344
        stateful packet screening, 330–331
        static routing, 337–338
    PKI, 348
    RADIUS, 212
        attributes, 214
        configuring, 215–217
        features, 215
        security protocol support, 214
    SSH, 132–133
    SSL, 121
    TACACS+, 218
        authentication, 219
        authorization, 219–220
        configuring, 220–223
        features, 220
        versus RADIUS, 224–225
    VPDNs, 229, 231
        configuring, 231–235
    VPNs, 349
        configuring, 350–351
security server protocols, 212
Security Wheel, 304
self-study lab
    ACS configuration, 461–464, 466, 468, 470
    advanced PIX configuration, 458–460
    BGP routing configuration, 438, 440–442
    Catalyst Ethernet switch setup, 403, 405–409, 411–413
    DHCP configuration, 438
    dynamic ACL/lock and key feature configuration, 448–449
    final configurations, 470–471, 473–475, 477–480, 482–485
    Frame Relay setup, 397–399, 401–402
    IGP routing, 419–423
        OSPF configuration, 423, 425–429, 431–432
    IOS firewall configuration, 450–451
    IP access list configuration, 442–444
    IPSec configuration, 452–454, 456–457
    ISDN configuration, 432–437
    local IP host address configuration, 414
    physical connectivity, 403
    PIX configuration, 414, 416–418
    setup, 393–395
        communications server, 396–397
    TCP intercept configuration, 444, 446
    time-based access list configuration, 446, 448
SEND, 128
SEND command (SMTP), 128
Sendmail, 127
sensors
    Cisco IDSs, 373
sequence numbering
    enabling, 378
servers
    RADIUS, 212
service password-encryption command, 181
service tcp keepalive command
    enabling Nagle algorithm, 376
service tcp-keepalives-in command, 376
session hijacking, 369
session layer (OSI model), 24
session replay, 369
set vlan command, 30
SGBP, 86
    configuring, 85
SGBP (Stack Group Bidding Protocol), 85
SHA (Secure Hash Algorithm), 239–240
shadow file (UNIX), 290
show accounting command, 211–212
show commands, 160–161
show debugging command, 163
show interface command, 156
show interfaces command, 163–165
show ip access-lists command, 163
show ip arp command, 46
show ip route command, 55–56, 162–163
show logging command, 166
show process command, 153
show route-map command, 166
show startup-config command, 178
show version command, 155–156, 166
SIA (Stuck in Active), 63
Signature Engines, 373–374
single domain model, 293
single logon, 226
sliding windows, 44
SMTP
    commands, 127–128
SMTP (Simple Mail Transfer Protocol), 127
smurf attacks, 372
SNMP, 121
    community access strings
        configuring on Cisco routers, 121
    configuring on Cisco routers, 124
    examples of, 126
    managed devices, 123
    MIBs, 122, 124
    notifications, 122, 124
snmp-server community command (SNMP), 124
snmp-server enable traps config command, 124
snmp-server host command, 124–126
social engineering, 367
software
    Cisco Secure, 297, 299
        AAA features, 298
        features, 297
        test topics, 297
    NetSonar, 302, 304
software features of PIX, 342–344
SOML command (SMTP), 128
spanning tree, 30
    bridge port states, 31
special files, 289
SPI (Security Parameters Index), 243
split horizon, 58
spoof attacks, 372
SRTT (Smooth Route Trip Time), 63
SSH (Secure Shell), 132–133
SSL (Secure Socket Layer), 121
standard access lists, 182–187
standard IP access lists, 183
    wildcard masks, 184
standards bodies
    CERT/CC, 366
startup config
    viewing, 178
stateful packet screening
    PIX, 330–331
stateful security, 330
states of Ethernet interfaces, 165
static NAT, 327
static routing
    PIX configuration, 337–338
store and forward switching, 30
stratum, 128–129
    configuring NTP time sources, 130–131
Stubby areas, 70
study tips for exam, 569–570, 575
study tips for qualification exam, 570–571
    decoding ambiguity, 572–573
subnets, 36
subnetting, 36
    calculating hosts per subnet, 37–38
    CIDR, 39–40
    VLSM, 38–39
successors (EIGRP), 63
Summary, 574
summary links, 68
switching, 28–29
    CAM tables, 29
    cut through, 30
    portfast
        enabling, 31
    store and forward, 30
    trunks, 31
System Flash, 151
system log
    displaying, 166

T
TACACS+, 218
    authentication, 219
    authorization, 219–220
    configuring, 220–223
    features, 220
    versus RADIUS, 224–225
TCP, 40
    ARP, 45–46
    DHCP, 47
    FTP, 53
    header format, 41
    HSRP, 47
        configuring, 50–51
        enabling, 49
    ICMP, 52–53
    packets, 41–42
    RARP, 46
    services
        filtering, 322, 324
    Telnet, 53
    Telnet requests, 42, 45
    TFTP, 53
TCP half close, 44
TCP intercept
    enabling, 379
TCP load distribution, 328
TCP SYN Flood attacks, 371
TCP three-way handshake, 44
TCP/IP
    FTP protocol
        Active mode, 115, 117
        Passive mode, 117–118
    vulnerabilities, 369–370
TCP/IP model
    versus OSI reference model, 25
teardrop attacks, 371
Telnet, 53
    disabling login password, 113
Telnet connections
    establishing, 179
Telnet requests, 42, 45
test characters (ping), 52–53
TFTP, 53, 113
    defining download directory, 114
TGT (Ticket Granting Ticket), 228
time sources
    stratum, 128–129
time sources (NTP)
    configuring, 130–131
timestamps, 226
topology table (EIGRP), 63
Totally stubby areas, 70
traceroute command (UNIX), 285
tracert command (DOS), 285
transform sets (IKE)
    defining, 253
transparent bridging, 30
transport layer (OSI model), 24
Transport mode (IPSec), 242
trap command (SNMP), 123
traps (SNMP), 122
triggered updates, 59
trunks, 31
trusted domains, 292
trusting domains, 294
Tunnel mode (IPSec), 242
tunneling
    IP GRE, 349–351
    VPDNs, 229, 231
        configuring, 231–235
turning off debugging, 163

U
UDP bombs, 371
undebug all command, 163
UNIX
    command structure, 285–287
    commands
        correlated DOS commands, 284–285
    development of, 284
    file systems, 289
        directories, 289–290
    permissions, 288–289
unknown passwords
    recovering, 174, 176–179
URLs
    Cisco security products, 304
user accounts
    UNIX
        permissions, 288–289
    Windows NT
        permissions, 293–294
user authentication
    HTTP, 119
User EXEC mode (IOS), 158

V
versions
    of SNMP, 121
viewing
    configuration register, 155
    DHCP leases, 47
    home pages, 118
    interfaces, 156
    routing tables, 55–56
    startup config, 178
virtual links, 71
virtual terminal passwords
    setting, 182
VLANs (virtual LANs)
    creating, 30
VLSM, 38–39
VPDNs, 229, 231
    configuring, 231–235
VPNs, 349
    configuring, 350–351
VRFY command (SMTP), 128
vulnerabilities
    of TCP/IP, 369–370
vulnerable network systems
    investigating with NetSonar, 302, 304

W
web sites
    Cisco Product Security Incident Response Team, 367
    IETF, 368
    Internet Domain Survey, 368
    ISOC, 368
Weight attribute (BGP), 78
wildcard masks, 184
Windows, 291
Windows Active Directory, 133
Windows NT, 290
    browsing, 291
    domains, 290
        trust relationships, 294
    global groups, 294
    local groups, 294
    name resolution, 292
    permissions, 293–294
    SAM, 293
    scalability, 292
    trust relationships, 294
    workgroups, 290
WINS (Windows Internet Naming Services), 292
workgroups, 290
write command (SNMP), 123
wtmp file (UNIX), 290

X
xcopy command (DOS), 284