CCIE.book Page 598 Monday, March 3, 2003 3:10 PM


INDEX

Symbols

.rhosts file (UNIX), 290
| (pipe), 174

Numerics

1000 GE, 28
100BaseT, 28
10Base2, 28
10Base5, 28
10BaseT, 28
3DES (Triple Data Encryption Standard), 238
802.1Q, 33

A

AAA, 208–209
    accounting, 211–212
    authentication, 210
    authorization, 210–211
ABRs (Area Border Routers), 68
access lists, 250
    extended, 187–189
        options, 188–189
    filtering TCP services, 322, 324
    IP packet debugging, 171–172
    standard, 182–187
    wildcard masks, 184
accessing
    Cisco routers, 179
accounting, 208, 211–212
ACKs (acknowledgments), 63
ACS (Cisco Secure Access Control Server)
    See Cisco Secure
Active Directory, 133
Active FTP, 115, 117
adaptive cut-through switching, 30
address classes, 36
adjacencies, 67
administrative distances, 56–57
agents (SNMP), 123
Aggregator attribute (BGP), 78
Aggressive mode (IKE), 246
AH (Authentication Header), 244–246
alias command, 167
allocating IP addresses
    InterNIC, 325
ambiguous test questions
    decoding, 572–573
application layer (OSI model), 25
applications
    NetRanger, 300
        Director, 302
        sensors, 300
        supporting platforms, 301
        typical network placement, 300
    TFTP, 113
applying
    access lists to interfaces, 185–187
areas, 67
arguments
    UNIX commands, 286
ARP, 45–46
AS (Autonomous System), 67
AS_Path attribute (BGP), 77
ASA (Adaptive Security Algorithm), 330
ASBRs (Autonomous System Boundary Routers), 68
asynchronous communications, 84–85
Atomic Aggregate attribute (BGP), 78
attacks
    birthday attacks, 372
    chargen, 371
    CPU-intensive, 371
    DDoS, 371
    DNS poisoning, 371
    DoS, 370, 372
    E-mail, 371
    incident response teams, 367
    Land.C, 371
    man in the middle, 372
    methods of, 369
    motivation for, 365
    ping of death, 371
    sacrificial hosts, 370
    smurf, 372
    spoof attacks, 372
    TCP SYN flood, 371
    teardrop, 371

    UDP bombs, 371
attrib command (DOS), 285
attributes
    of RADIUS, 214
attributes (BGP), 77–78
authentication, 208, 210
    HTTP, 119
    Kerberos, 225
    method lists, 217
    on TACACS+ servers, 219
    PPP, 82
authoritative time sources
    configuring, 130–131
    stratum, 128–129
authorization, 209–211
    on TACACS+ servers, 219–220

B

backup domain controllers, 290
bastion hosts, 370
BECN (backward explicit congestion notification), 83
BGP, 76
    attributes, 77–78
    characteristics, 77
    configuring, 79
    messages, 76
birthday attacks, 372
Blocking state (spanning tree), 31
bootstrap program, 153
BPDUs (Bridge Protocol Data Units), 31
BRI, 80
bridging, 28
    port states, 31
    transparent, 30
broadcast domains, 30
broadcasting, 292
browsing, 291

C

calculating
    hosts per subnet, 37–38
CAM tables, 29
CBAC audit trail messages
    enabling, 451
CBAC (Context-Based Access Control), 345
    configuring, 346–347
cd command (DOS), 284
cd command (UNIX), 284
CERT/CC (Computer Emergency Response Team Coordination Center), 366
certification exam
    objectives, 4–7
    preparing for, 3, 7–8
characteristics
    of RIP, 57–58
    of RIPv1, 58
    of RIPv2, 59
chargen attacks, 371
chkdsk command (DOS), 284
chmod command (UNIX), 289
CIDR, 39
CIDS (Cisco Secure Intrusion Detection System)
    See also NetRanger
Cisco IDS, 373
    sensors, 373
    Signature Engines, 373–374
    supported products, 373
Cisco IOS
    configuration files
        saving, 158
    firewall features, 344–345
    intrusion prevention methods
        core dumps, 379–380
        disabling default services, 378
        disabling DHCP, 377
        disabling TCP/UDP small servers, 376
        enabling sequence numbering, 378
        enabling TCP intercept, 379
        Nagle algorithm, 375–376
    modes of operation, 157
    password recovery, 174, 176–179
Cisco Product Security Incident Response Team web site, 367
Cisco Secure, 297, 299
    AAA features, 298
    features, 297
    test topics, 297

Cisco Secure Scanner
    See also NetSonar
Cisco Security Manager
    See CSPM
Cisco Security Wheel, 304
Cisco TFTP, 113
classes of IP addresses, 36
classful addressing, 40
classful routing protocols, 40
clock sources
    NTP configuration, 128–131
Cluster-List attribute (BGP), 78
collisions
    jam signals, 27
command structure
    UNIX, 285–287
commands
    | (pipe) modifier, 174
    alias, 167
    copy running-config startup-config, 158
    copy tftp flash, 114
    debug all, 171
    DOS
        attrib, 285
        ipconfig, 295–296
        route, 296
    ip helper-address, 292
    ip host, 110
    ip http authentication, 119
    ip route-cache, 168
    ip subnet-zero, 38
    logging console debug, 168
    service password-encryption, 181
    service tcp-keepalives-in, 376
    set vlan, 30
    shortcuts, creating, 167
    show accounting, 211–212
    show debugging, 163
    show interface, 156
    show interfaces, 163–165
    show ip access-lists, 163
    show ip arp, 46
    show ip route, 55–56, 162–163
    show logging, 166
    show process, 153
    show route-map, 166
    show startup-config, 178
    show version, 155–156, 166
    SMTP, 127–128
    snmp-server enable traps config, 124
    snmp-server host, 124–126
    undebug all, 163
    UNIX
        correlated DOS commands, 284–285
community access strings
    configuring on Cisco routers, 121
Community attribute (BGP), 78
comparing
    preshared keys and manual keys, 255
    RADIUS and TACACS+, 224–225
components of Security Wheel, 304
configuration files
    loading, 158
    saving, 158
Configuration mode (IOS), 157
configuration registers, 154–156
    modifying, 177
configuring
    BGP, 79
    CBAC, 346–347
    Dynamic NAT, 326
    HSRP, 50–51
    IKE, 252–253, 255–256, 258–259
    Kerberos, 228–229
    Nagle algorithm, 375
    NTP
        time sources, 128–131
    OSPF
        in a single area, 66, 69
        in multiple areas, 69–70
    PIX, 332–337
    RADIUS, 215–217
    RIP, 59, 61
    SGBP, 85
    SNMP support on Cisco routers, 124
    TACACS+, 220–223
    VPDNs, 231–235
    VPNs, 350–351
connectionless protocols, 23
connection-oriented protocols, 23
    TCP, 40
        header format, 41
        packets, 41–42
        Telnet requests, 42, 45

copy command (DOS), 284
copy running-config startup-config command, 158
copy tftp flash command, 114
copying
    IOS images from TFTP servers, 114
core dumps
    performing, 379–380
cp command (UNIX), 284
CPU, 152
CPU-intensive attacks, 371
creating
    command shortcuts, 167
    extended access lists, 187–189
    standard access lists, 182–187
    VLANs, 30
credentials, 227
crypto map entries, 253
cryptography
    key exchange management, 246
        IKE, 247–250, 252–253, 255–256, 258–259
    PKI, 348
CSACS (Cisco Secure Access Control Server), 218
CSMA/CD, 27
CSPM, 299
CSPM (Cisco Secure Policy Manager), 299
cut through switching, 30

D

DATA command (SMTP), 128
data encryption
    3DES, 238
    DES, 237–238
    Diffie-Hellman, 240–241
    DSS, 238–239
    IPSec, 242
        AH, 244–246
        ESP, 243–244
    MD5, 239–240
    principles of, 235, 237
data link layer (OSI model), 22
data manipulation, 369
DDoS (Distributed Denial of Service) attacks, 371
debug all command, 171
debug commands, 168–174
    options, 169–170
debugging
    turning off, 163
default services
    disabling, 378
defining
    HTTP port number, 120
    IP address names, 110
    TFTP download directory, 114
del/erase command (DOS), 284
deploying
    NAT, 325
DES (Data Encryption Standard), 237–238
development
    of Ethernet, 27
    of OSI reference model, 21
development of UNIX operating system, 284
devices
    asynchronous communication, 84–85
    broadcast domains, 30
    broadcasting, 292
    firewalls, 320
    VLANs
        creating, 30
df command (UNIX), 284
DHCP, 47
    disabling, 377
DHCP (Dynamic Host Configuration Protocol), 292
Diffie-Hellman protocol, 240–241
dir command (DOS), 284
directories, 289
directories (UNIX), 289–290
disabled state (spanning tree), 31
disabling
    default services, 378
    DHCP, 377
    DNS lookup on Cisco routers, 112
    TCP/UDP small servers, 376
    Telnet login password, 113
displaying
    configured policy routes, 166
    router home page, 118
    routing tables, 55–56
    system log, 166
distance vector protocols
    loop avoidance techniques, 59
    RIP, 57–59

        configuring, 59, 61
DLCIs (data-link connection identifiers), 83
DMZ, 320
DNS, 110–111
    disabling lookup on Cisco routers, 112
    enabling lookup on Cisco routers, 112
DNS poisoning, 371
domains, 290
    trust relationships, 294
    trusted domains, 292
domains (Windows NT)
    scalability, 292
DOS
    commands
        attrib, 285
        correlated UNIX commands, 284–285
        ipconfig, 295–296
        route, 296
DoS attacks, 370, 372
DR (Designated Router), 68
DRs
    election process
        disabling, 75
DSS (Digital Signature Standard), 238–239
DSS (digital signatures), 348
dynamic crypto map entries, 254
Dynamic NAT
    configuring, 326
dynamic NAT, 327

E

EBGP (external BGP), 78
EIGRP, 62–63
    example configuration, 64, 66
election process (DRs)
    disabling, 75
e-mail
    SMTP, 127
        commands, 127–128
E-mail attacks, 371
enable passwords
    setting, 180
enabling
    DNS lookup on Cisco routers, 112
    FastEther Channel, 31
    HSRP, 49
    Nagle algorithm, 376
    portfast on Cisco switches, 31
    sequence numbering, 378
    TCP intercept, 379
encapsulation, 26
    HDLC, 80
    LCP, 82
    PPP, 81
encrypting passwords, 181
encryption technologies, 235
    3DES, 238
    DES, 237–238
    Diffie-Hellman, 240–241
    DSS, 238–239
    IPSec, 242
        AH, 244–246
        ESP, 243–244
    MD5, 239–240
    principles of, 235, 237
ESP (Encapsulating Security Payload), 243–244
establishing
    Telnet connections, 179
Ethernet
    bridge port states, 31
    CSMA/CD, 27
    FEC, 31
    interfaces, states of, 165
    media specification, 27–28
    spanning tree, 30
exam
    FAQs, 576
    objectives, 4–7
    preparing for, 3, 7–8, 575
    study tips, 569–570
example configurations
    EIGRP, 64, 66
extended access lists, 187–189
    options, 188–189
external links, 68

F

FAQs regarding exam, 576
FAQs regarding lab exam, 578–580
FAQs regarding qualification exam, 576–577

FC (feasibility condition), 63
feasible distance, 63
features
    of RADIUS, 215
    of TACACS+ servers, 220
FEC (FastEther Channel), 31
FECN (forward explicit congestion notification), 83
fields
    of IP packets, 34–35
    of show ip route command output, 56
    of TCP packets, 41–42
file systems
    NTFS, 293
    UNIX, 289
        directories, 289–290
files
    attributes
        modifying, 285
filtering TCP services, 322, 324
firewalls, 320
    Cisco IOS features, 344–345
    CSPM, 299
    PIX, 328
        commands, 339–341
        configuring, 332–337
        DMZs, 330
        stateful packet screening, 330–331
        static routing, 337–338
flags
    chmod command, 289
    UNIX commands, 286
Flags field
    TCP packets, 42
Flash memory, 151
Forwarding state (spanning tree), 31
Frame Relay, 83
frames, 22
    BPDUs, 31
framing
    ISDN, 80
FTP, 53
    Active mode, 115, 117
    Passive mode, 117–118
functionality
    of NetBIOS, 291

G

gateways
    HSRP, 47
        configuring, 50–51
        enabling, 49
generating
    keepalive packets, 376
Global domain model, 293
global groups, 294
gratuitous ARP, 46
grep command (UNIX), 287

H

hashing, 238–239
hashing algorithms
    MD5, 239–240
    SHA, 239–240
HDLC, 80
Hello packets
    EIGRP, 63
Hello packets (OSPF), 67
HELO command (SMTP), 127
help command (DOS), 284
hiding
    secret passwords, 181
hijacking, 369
holdtime, 63
host IDSs, 372
hosts per subnet
    calculating, 37–38
HSRP, 47
    configuring, 50–51
    enabling, 49
HTTP
    defining port number, 120
    security
        SSL, 121
        user authentication, 119
HTTP (Hypertext Transfer Protocol), 118
hybrid routing protocols
    EIGRP, 62–63
        configuration example, 64, 66

I

IBGP (internal BGP), 78
ICMP, 52–53
IDSs, 372
    Cisco IDS
        Signature Engines, 373–374
        supported products, 373
IDSs (intrusion detection systems)
    NetRanger, 300
        Director, 302
        sensors, 300
        supporting platforms, 301
        typical network placement, 300
IETF (Internet Engineering Task Force) web site, 368
ifconfig command (UNIX), 287
IKE, 246
    configuring, 252–253, 255–256, 258–259
    phase I, 247
    phase II, 248–250, 252
incident response teams, 367
inform requests (SNMP), 122
Initial configuration mode (IOS), 157
inside global addresses, 324
inside local addresses, 324
instances, 227
Interface configuration mode (IOS), 157
interfaces, 156
    access lists, applying, 185–187
    Ethernet
        states, 165
Internet Domain Survey web site, 368
Internet newsgroups, 368
InterNIC, 325
intruders
    methods of attack, 369
IOS images
    copying from TFTP servers, 114
IP, 33
    address classes, 36
    packets, 34–35
    subnets, 36
IP addressing
    ARP, 45–46
    CIDR, 39
    classful addressing, 40
    DHCP, 47
    DNS, 110–111
        enabling lookup on Cisco routers, 112
    logical AND operation, 37
    name resolution on Windows NT systems, 292
    RARP, 46
    subnets, 36
    subnetting
        calculating hosts per subnet, 37–38
        VLSM, 38–39
IP GRE (generic routing encapsulation) tunnels
    configuring, 349–351
ip helper-address command, 292
ip host command, 110
ip http authentication command, 119
IP multicast, 83
IP packet debugging, 171–172
ip route-cache command, 168
ip subnet-zero command, 38
ipconfig command, 295–296
IPSec, 242
    AH, 244–246
    ESP, 243–244
ISDN
    commands, 82
    layer 2 protocols, 80
        authentication, 82
        HDLC, 80
        LCP, 82
        NCP, 82
        PPP, 81
ISDN (Integrated Services Digital Network), 79
    framing, 80
ISL (Inter-Switch Link), 33
ISO (International Organization for Standardization), 21
ISOC (Internet Society) web site, 368

J

jam signals, 27

K

KDC (Key Distribution Center), 228
KDC (key distribution center), 225
keepalive packets
    generating, 376
Kerberos, 225
    configuring, 228–229
Kerberos realm, 227
key exchange management
    IKE, 246
        configuring, 252–253, 255–256, 258–259
        phase I, 247
        phase II, 248–250, 252

L

L2F, 229
    VPDNs, 231
L2TP, 229
    VPDNs, 231
lab
    See self-study lab
lab exam, 577–578
    FAQs, 578–580
    sample, 583–584, 586–597
Land.C attacks, 371
lastlog file (UNIX), 290
Layer 2
    See also network layer
Layer 2 (OSI reference model)
    spanning tree, 30
    switching, 28–30
layers of OSI reference model
    application layer, 25
    data link layer, 22
    network layer, 23
        IP, 33–37
    physical layer, 21
    presentation layer, 24
    session layer, 24
    transport layer, 24
LCP, 82
LDAP (Lightweight Directory Access Protocol), 133
Learning state (spanning tree), 31
leases (DHCP)
    viewing, 47
links, 289
link-state protocols
    OSPF, 66, 68
        example configuration, 71, 73, 75
        media types, 70
        multiple area configuration, 69–70
        single area configuration, 66, 69
        virtual links, 71
Listening state (spanning tree), 31
LLC sublayer, 22
LMhosts file, 292
loading
    configuration files, 158
local groups, 294
Local Preference attribute (BGP), 77
logging console debug command, 168
logical AND operation, 37
loops
    spanning tree, 30
        bridge port states, 31
    split horizon, 58
lost passwords
    recovering, 174, 176–179
ls command (UNIX), 284
LSAs (link-state advertisements), 68

M

MAC sublayer, 22
MAIL command (SMTP), 128
man command (UNIX), 284, 287
man in the middle attacks, 372
managed devices, 123
manual keys
    versus preshared keys, 255
masquerading, 369
master domain model, 293
MD5 (Message Digest 5), 239–240
MED attribute (BGP), 77
media specifications of Ethernet, 27–28
memory
    NVRAM, 151
    RAM, 151
    ROM, 153

    System Flash, 151
messages
    BGP, 76
method lists, 217
methods of attacks, 369
metrics
    administrative distance, 56–57
MIBs, 122, 124
modes of IOS operation, 157
modifying
    configuration registers, 177
    UNIX permissions, 289
monitoring
    NAT, 327
motivation for attacks, 365
multicasting, 83
multiple master domain model, 293
mv command (UNIX), 284, 287

N

Nagle algorithm
    preventing attacks on Cisco IOS, 375–376
Nagle, John, 375
name resolution
    DNS, 110–111
        enabling lookup on Cisco routers, 112
    on Windows NT, 292
NAT, 324
    deploying, 325
    Dynamic NAT
        configuring, 326
    monitoring, 327
    operation on Cisco routers, 326
NCP, 82
NetBEUI, 290
NetBIOS (Network Basic Input/Output System), 290
NetBT, 291
NetRanger, 300
    Director, 302
    sensors, 300
    supporting platforms, 301
    typical network placement, 300
NetSonar, 302, 304
    See also Cisco Secure Scanner
netstat command (UNIX), 287
network IDS, 372
network layer
    bridging
        BPDUs, 31
        port states
            BPDUs, 31
    ICMP, 52–53
    IP, 33
        address classes, 36
        logical AND operation, 37
        packets, 34–35
        subnets, 36
    spanning tree protocol, 30
    subnetting
        VLSM, 38–39
    switching, 28–29
        CAM tables, 29
        cut through, 30
        store and forward, 30
network layer (OSI model), 23
network management
    SNMP, 121
        community access strings, configuring on Cisco routers, 121
        configuring on Cisco routers, 124
        examples of, 126
        managed devices, 123
        MIBs, 122, 124
        notifications, 122, 124
Network Neighborhood, 291
newsgroups
    reporting security breaches, 368
Next Hop attribute (BGP), 77
NMSs (network management systems), 123
NOOP command (SMTP), 128
normal files, 289
notifications (SNMP), 122, 124
NSSAs (not-so-stubby areas), 70
NTFS (New Technology File System), 293
NTP
    configuring clock sources, 128–131
NVRAM (nonvolatile RAM), 151
NWLink, 291

O

operating systems
    UNIX
        command structure, 285–287
        commands, 284–285
        development of, 284
        file systems, 289–290
        permissions, 288–289
    Windows NT, 290
        browsing, 291
        domains, 290
        global groups, 294
        local groups, 294
        name resolution, 292
        permissions, 293–294
        SAM, 293
        scalability, 292
        trust relationships, 294
        workgroups, 290
Origin attribute (BGP), 77
Originator ID attribute (BGP), 78
OSI reference model
    application layer, 25
    data link layer, 22
    development of, 21
    network layer, 23
        IP, 33–37
        spanning tree, 30
        switching, 28–30
    peer-to-peer communication, 26
    physical layer, 21
    presentation layer, 24
    session layer, 24
    transport layer, 24
    versus TCP/IP model, 25
OSPF, 66, 68
    example configuration, 71, 73, 75
    media types, 70
    multiple area configuration, 69–70
    single area configuration, 66, 69
    virtual links, 71
outside global addresses, 324
outside local addresses, 324

P

packet filtering, 321
    CBAC, 345
        configuring, 346–347
    extended access lists, 187–189
        options, 188–189
    standard access lists, 182–187
packets
    AH, 245–246
    Hello
        EIGRP, 63
    IP, 34–35
        debugging, 171–172
    rerouting, 369
    TCP, 41–42
partitioning System Flash, 151
Passive FTP, 117–118
passwd file (UNIX), 290
password recovery, 174, 176–179
passwords
    authentication, 210
        method lists, 217
    enable passwords, setting, 180
    encrypting, 181
    virtual terminal passwords, setting, 182
PAT, 324
path vector protocols
    BGP, 76
        attributes, 77–78
        configuring, 79
        messages, 76
PDM (PIX Device Manager), 299
peer-to-peer communication, 26
performing
    core dumps, 379–380
perimeter routers, 321
permissions
    UNIX, 288–289
    Windows NT, 293–294
PFS (perfect forward secrecy), 249
physical layer (OSI model), 21
ping command (DOS), 285
ping command (UNIX), 285
ping of death attack, 371
ping requests
    test characters, 52–53

PIX
    stateful packet screening, 330
PIX (Private Internet Exchange), 328
    commands, 339–341
    configuring, 332–337
    DMZs, 330
    software features, 342–344
    stateful packet screening, 330–331
    static routing, 337–338
PKI (Public Key Infrastructure), 348
Poison Reverse updates, 59
policy routes
    displaying, 166
portfast
    enabling, 31
PPP, 81
preparing for exam, 3, 7–8, 575
    FAQs, 576
    objectives, 4–7
preparing for lab exam
    sample lab, 583–584, 586–597
preparing for qualification exam, 573–574
presentation layer (OSI model), 24
preshared keys
    versus manual keys, 255, 453
preventing attacks on Cisco IOS
    disabling default services, 378
    disabling DHCP, 377
    disabling TCP/UDP small servers, 376
    enabling sequence numbering, 378
    enabling TCP intercept, 379
    Nagle algorithm, 375–376
    performing core dumps, 379–380
PRI, 80
primary domain controllers, 290
principal (Kerberos), 228
privilege levels
    authorization, 210–211
Privileged EXEC mode (IOS), 158
proxy servers, 321

Q

qualification exam
    See also lab exam
    FAQs, 576–577
    preparing for, 573–574
    study tips, 570–571
        decoding ambiguity, 572–573
QUIT command (SMTP), 128

R

RADIUS, 212
    attributes, 214
    configuring, 215–217
    features, 215
    security protocol support, 214
    versus TACACS+, 224–225
RAM, 151
RARP, 46
RCPT command (SMTP), 128
read command (SNMP), 123
recovering lost or unknown passwords, 174, 176–179
redundancy
    HSRP, 47
        configuring, 50–51
        enabling, 49
remote access
    VPDNs, 229, 231
        configuring, 231–235
remote router access, 179
rename command (DOS), 284
reporting security breaches
    Internet newsgroups, 368
rerouting packets, 369
resolving
    IP addresses to MAC addresses
        ARP, 45–46
rm command (UNIX), 284
rmdir command (UNIX), 287
ROM (read-only memory), 153
ROM boot mode (IOS), 157
root bridge elections, 30
root bridges, 31
route command, 296
router hardware
    configuration registers, 154–156

    CPU, 152
    interfaces, 156
    NVRAM, 151
    RAM, 151
    ROM, 153
    System Flash, 151
routers
    remote access, 179
routing protocols, 53, 55
    BGP, 76
        attributes, 77–78
        configuring, 79
        messages, 76
    default administrative distances, 56–57
    EIGRP, 62–63
        example configuration, 64, 66
    OSPF, 66, 68
        example configuration, 71, 73, 75
        multiple area configuration, 69–70
        single area configuration, 66, 69
        virtual links, 71
    RIP, 57–59
        configuring, 59, 61
routing tables
    viewing, 55–56
RSET command (SMTP), 128
RTO (Retransmission Timeout), 63

S

SA (Security Association), 242
sacrificial hosts, 370
SAM (Security Accounts Manager), 293
SAML command (SMTP), 128
sample lab exam, 583–584, 586–597
saving
    configuration files, 158
scalability
    Windows NT, 292
secret passwords
    hiding, 181
security, 321
    AAA, 208–209
        accounting, 211–212
        authentication, 210
        authorization, 210–211
    CBAC
        configuring, 346–347
    encryption technologies, 235
        3DES, 238
        DES, 237–238
        Diffie-Hellman, 240–241
        DSS, 238–239
        IPSec, 242–246
        MD5, 239–240
        principles of, 235, 237
    firewalls, 320
        Cisco IOS features, 344–345
    HTTP, 118
        authentication, 119
    IKE, 246
        configuring, 252–253, 255–256, 258–259
        phase I, 247
        phase II, 248–250, 252
    Kerberos, 225
        configuring, 228–229
    NAT, 324
        configuring Dynamic NAT, 326
        deploying, 325
        monitoring, 327
        operation on Cisco routers, 326
    packet filtering
        TCP services, 322, 324
    PAT, 324
    PIX, 328
        commands, 339–341
        configuring, 332–337
        DMZs, 330
        software features, 342–344
        stateful packet screening, 330–331
        static routing, 337–338
    PKI, 348
    RADIUS, 212
        attributes, 214
        configuring, 215–217
        features, 215
        security protocol support, 214
    SSH, 132–133
    SSL, 121
    TACACS+, 218
        authentication, 219
        authorization, 219–220
        configuring, 220–223

        features, 220
        versus RADIUS, 224–225
    VPDNs, 229, 231
        configuring, 231–235
    VPNs, 349
        configuring, 350–351
security server protocols, 212
Security Wheel, 304
self-study lab
    ACS configuration, 461–464, 466, 468, 470
    advanced PIX configuration, 458–460
    BGP routing configuration, 438, 440–442
    Catalyst Ethernet switch setup, 403, 405–409, 411–413
    DHCP configuration, 438
    dynamic ACL/lock and key feature configuration, 448–449
    final configurations, 470–471, 473–475, 477–480, 482–485
    Frame Relay setup, 397–399, 401–402
    IGP routing, 419–423
        OSPF configuration, 423, 425–429, 431–432
    IOS firewall configuration, 450–451
    IP access list configuration, 442–444
    IPSec configuration, 452–454, 456–457
    ISDN configuration, 432–437
    local IP host address configuration, 414
    physical connectivity, 403
    PIX configuration, 414, 416–418
    setup, 393–395
        communications server, 396–397
    TCP intercept configuration, 444, 446
    time-based access list configuration, 446, 448
SEND command (SMTP), 128
Sendmail, 127
sensors
    Cisco IDSs, 373
sequence numbering
    enabling, 378
servers
    RADIUS, 212
service password-encryption command, 181
service tcp keepalive command
    enabling Nagle algorithm, 376
service tcp-keepalives-in command, 376
session hijacking, 369
session layer (OSI model), 24
session replay, 369
set vlan command, 30
SGBP, 86
    configuring, 85
SGBP (Stack Group Bidding Protocol), 85
SHA (Secure Hash Algorithm), 239–240
shadow file (UNIX), 290
show accounting command, 211–212
show commands, 160–161
show debugging command, 163
show interface command, 156
show interfaces command, 163–165
show ip access-lists command, 163
show ip arp command, 46
show ip route command, 55–56, 162–163
show logging command, 166
show process command, 153
show route-map command, 166
show startup-config command, 178
show version command, 155–156, 166
SIA (Stuck in Active), 63
Signature Engines, 373–374
single domain model, 293
single logon, 226
sliding windows, 44
SMTP
    commands, 127–128
SMTP (Simple Mail Transfer Protocol), 127
smurf attacks, 372
SNMP, 121
    community access strings
        configuring on Cisco routers, 121
    configuring on Cisco routers, 124
    examples of, 126
    managed devices, 123
    MIBs, 122, 124
    notifications, 122, 124
snmp-server community command (SNMP), 124
snmp-server enable traps config command, 124
snmp-server host command, 124–126
social engineering, 367
software
    Cisco Secure, 297, 299
        AAA features, 298
        features, 297

        test topics, 297
    NetSonar, 302, 304
software features of PIX, 342–344
SOML command (SMTP), 128
spanning tree, 30
    bridge port states, 31
special files, 289
SPI (Security Parameters Index), 243
split horizon, 58
spoof attacks, 372
SRTT (Smooth Round-Trip Time), 63
SSH (Secure Shell), 132–133
SSL (Secure Sockets Layer), 121
standard access lists, 182–187
standard IP access lists, 183
    wildcard masks, 184
standards bodies
    CERT/CC, 366
startup config
    viewing, 178
stateful packet screening
    PIX, 330–331
stateful security, 330
states of Ethernet interfaces, 165
static NAT, 327
static routing
    PIX configuration, 337–338
store and forward switching, 30
stratum, 128–129
    configuring NTP time sources, 130–131
stubby areas, 70
study tips for exam, 569–570, 575
study tips for qualification exam, 570–571
    decoding ambiguity, 572–573
subnets, 36
subnetting, 36
    calculating hosts per subnet, 37–38
    CIDR, 39–40
    VLSM, 38–39
successors (EIGRP), 63
Summary, 574
summary links, 68
switching, 28–29
    CAM tables, 29
    cut through, 30
    portfast
        enabling, 31
    store and forward, 30
    trunks, 31
System Flash, 151
system log
    displaying, 166

T

TACACS+, 218
    authentication, 219
    authorization, 219–220
    configuring, 220–223
    features, 220
    versus RADIUS, 224–225
TCP, 40
    ARP, 45–46
    DHCP, 47
    FTP, 53
    header format, 41
    HSRP, 47
        configuring, 50–51
        enabling, 49
    ICMP, 52–53
    packets, 41–42
    RARP, 46
    services
        filtering, 322, 324
    Telnet, 53
    Telnet requests, 42, 45
    TFTP, 53
TCP half close, 44
TCP intercept
    enabling, 379
TCP load distribution, 328
TCP SYN flood attacks, 371
TCP three-way handshake, 44
TCP/IP
    FTP protocol
        Active mode, 115, 117
        Passive mode, 117–118
    vulnerabilities, 369–370
TCP/IP model
    versus OSI reference model, 25
teardrop attacks, 371
Telnet, 53
    disabling login password, 113

Telnet connections
    establishing, 179
Telnet requests, 42, 45
test characters (ping), 52–53
TFTP, 53, 113
    defining download directory, 114
TGT (Ticket Granting Ticket), 228
time sources
    stratum, 128–129
time sources (NTP)
    configuring, 130–131
timestamps, 226
topology table (EIGRP), 63
totally stubby areas, 70
traceroute command (UNIX), 285
tracert command (DOS), 285
transform sets (IKE)
    defining, 253
transparent bridging, 30
transport layer (OSI model), 24
Transport mode (IPSec), 242
trap command (SNMP), 123
traps (SNMP), 122
triggered updates, 59
trunks, 31
trusted domains, 292
trusting domains, 294
Tunnel mode (IPSec), 242
tunneling
    IP GRE, 349–351
    VPDNs, 229, 231
        configuring, 231–235
turning off debugging, 163

U

UDP bombs, 371
undebug all command, 163
UNIX
    command structure, 285–287
    commands
        correlated DOS commands, 284–285
    development of, 284
    file systems, 289
        directories, 289–290
    permissions, 288–289
unknown passwords
    recovering, 174, 176–179
URLs
    Cisco security products, 304
user accounts
    UNIX
        permissions, 288–289
    Windows NT
        permissions, 293–294
user authentication
    HTTP, 119
User EXEC mode (IOS), 158

V

versions
    of SNMP, 121
viewing
    configuration register, 155
    DHCP leases, 47
    home pages, 118
    interfaces, 156
    routing tables, 55–56
    startup config, 178
virtual links, 71
virtual terminal passwords
    setting, 182
VLANs (virtual LANs)
    creating, 30
VLSM, 38–39
VPDNs, 229, 231
    configuring, 231–235
VPNs, 349
    configuring, 350–351
VRFY command (SMTP), 128
vulnerabilities
    of TCP/IP, 369–370
vulnerable network systems
    investigating with NetSonar, 302, 304

W

web sites
    Cisco Product Security Incident Response Team, 367

    IETF, 368
    Internet Domain Survey, 368
    ISOC, 368
Weight attribute (BGP), 78
wildcard masks, 184
Windows, 291
Windows Active Directory, 133
Windows NT, 290
    browsing, 291
    domains, 290
        trust relationships, 294
    global groups, 294
    local groups, 294
    name resolution, 292
    permissions, 293–294
    SAM, 293
    scalability, 292
    workgroups, 290
WINS (Windows Internet Name Service), 292
workgroups, 290
write command (SNMP), 123
wtmp file (UNIX), 290

X

xcopy command (DOS), 284