IOS security configuration guide

Citation preview

Cisco IOS Security Configuration Guide Release 12.2

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

Customer Order Number: DOC-7811747= Text Part Number: 78-11747-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, PIX, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0102R) Cisco IOS Security Configuration Guide Copyright © 2001, Cisco Systems, Inc. All rights reserved.

C O N T E N T S

About Cisco IOS Software Documentation Documentation Objectives Audience

xxvii

xxvii

xxvii

Documentation Organization

xxvii

Documentation Modules Master Indexes

xxvii

xxx

Supporting Documents and Resources New and Changed Information Document Conventions

xxxi

xxxi

Obtaining Documentation World Wide Web

xxxii

xxxii

Documentation CD-ROM

xxxiii

Ordering Documentation

xxxiii

Documentation Feedback

xxxiii

Obtaining Technical Assistance Cisco.com

xxx

xxxiii

xxxiv

Technical Assistance Center

xxxiv

Contacting TAC by Using the Cisco TAC Website Contacting TAC by Telephone Using Cisco IOS Software

xxxv

xxxvii

Understanding Command Modes Getting Help

xxxiv

xxxvii

xxxviii

Example: How to Find Command Options Using the no and default Forms of Commands Saving Configuration Changes

xxxix xli

xlii

Filtering Output from the show and more Commands Identifying Supported Platforms Using Feature Navigator

xliii xliii

Using Software Release Notes Security Overview About This Guide

xlii

xliii

SC-1 SC-1 Cisco IOS Security Configuration Guide

iii

Contents

Authentication, Authorization, and Accounting (AAA) Security Server Protocols

SC-2

Traffic Filtering and Firewalls IP Security and Encryption Other Security Features Appendixes

SC-2

SC-3

SC-4 SC-4

SC-5

Creating Effective Security Policies

SC-6

The Nature of Security Policies

SC-6

Two Levels of Security Policies

SC-6

Tips for Developing an Effective Security Policy

SC-7

Identifying Your Network Assets to Protect

SC-7

Determining Points of Risk

SC-7

Limiting the Scope of Access Identifying Assumptions

SC-7

SC-8

Determining the Cost of Security Measures Considering Human Factors

SC-8

SC-8

Keeping a Limited Number of Secrets

SC-8

Implementing Pervasive and Scalable Security Understanding Typical Network Functions Remembering Physical Security

SC-9

SC-9

SC-9

Identifying Security Risks and Cisco IOS Solutions

SC-9

Preventing Unauthorized Access into Networking Devices Preventing Unauthorized Access into Networks Preventing Network Data Interception

SC-12

Preventing Fraudulent Route Updates

SC-12

SC-11

Authentication, Authorization, and Accounting (AAA) AAA Overview

SC-15

In This Chapter

SC-15

About AAA Security Services Benefits of Using AAA AAA Philosophy Method Lists Where to Begin

SC-15 SC-16

SC-17 SC-17

SC-18

Overview of the AAA Configuration Process

Cisco IOS Security Configuration Guide

iv

SC-19

SC-9

Contents

Enabling AAA Disabling AAA What to Do Next

SC-19 SC-20 SC-20

Configuring Authentication In This Chapter

SC-21

SC-21

Named Method Lists for Authentication Method Lists and Server Groups Method List Examples

SC-21 SC-22

SC-23

AAA Authentication General Configuration Procedure AAA Authentication Methods Configuration Task List Configuring Login Authentication Using AAA

SC-24

SC-25

Login Authentication Using Enable Password Login Authentication Using Kerberos

SC-24

SC-27

SC-27

Login Authentication Using Line Password

SC-27

Login Authentication Using Local Password

SC-27

Login Authentication Using Group RADIUS

SC-28

Login Authentication Using Group TACACS+

SC-28

Login Authentication Using group group-name Configuring PPP Authentication Using AAA PPP Authentication Using Kerberos

SC-28

SC-29

SC-30

PPP Authentication Using Local Password

SC-30

PPP Authentication Using Group RADIUS

SC-31

PPP Authentication Using Group TACACS+

SC-31

PPP Authentication Using group group-name

SC-31

Configuring AAA Scalability for PPP Requests

SC-32

Configuring ARAP Authentication Using AAA

SC-32

ARAP Authentication Allowing Authorized Guest Logins ARAP Authentication Allowing Guest Logins ARAP Authentication Using Line Password

SC-34 SC-34

ARAP Authentication Using Local Password ARAP Authentication Using Group RADIUS

SC-34 SC-35

ARAP Authentication Using Group TACACS+

SC-35

ARAP Authentication Using Group group-name Configuring NASI Authentication Using AAA

SC-34

SC-35

SC-36

NASI Authentication Using Enable Password

SC-37

Cisco IOS Security Configuration Guide

v

Contents

NASI Authentication Using Line Password

SC-37

NASI Authentication Using Local Password

SC-37

NASI Authentication Using Group RADIUS

SC-38

NASI Authentication Using Group TACACS+

SC-38

NASI Authentication Using group group-name Specifying the Amount of Time for Login Input

SC-38

SC-39

Enabling Password Protection at the Privileged Level

SC-39

Changing the Text Displayed at the Password Prompt

SC-40

Configuring Message Banners for AAA Authentication Configuring a Login Banner

SC-40

SC-41

Configuring a Failed-Login Banner

SC-41

Configuring AAA Packet of Disconnect

SC-42

Enabling Double Authentication

SC-42

How Double Authentication Works

SC-42

Configuring Double Authentication

SC-43

Accessing the User Profile After Double Authentication Enabling Automated Double Authentication Non-AAA Authentication Methods

SC-45

SC-47

Configuring Line Password Protection

SC-47

Establishing Username Authentication

SC-48

Enabling CHAP or PAP Authentication Enabling PPP Encapsulation Enabling PAP or CHAP

SC-49

SC-50

SC-50

Inbound and Outbound Authentication

SC-51

Enabling Outbound PAP Authentication

SC-51

Refusing PAP Authentication Requests

SC-52

Creating a Common CHAP Password

SC-52

Refusing CHAP Authentication Requests

SC-52

Delaying CHAP Authentication Until Peer Authenticates Using MS-CHAP

SC-53

Authentication Examples

SC-54

RADIUS Authentication Examples TACACS+ Authentication Examples Kerberos Authentication Examples AAA Scalability Example

Cisco IOS Security Configuration Guide

vi

SC-44

SC-57

SC-55 SC-56 SC-57

SC-53

Contents

Login and Failed Banner Examples

SC-58

AAA Packet of Disconnect Server Key Example Double Authentication Examples

SC-59

SC-59

Configuration of the Local Host for AAA with Double Authentication Examples

SC-60

Configuration of the AAA Server for First-Stage (PPP) Authentication and Authorization Example SC-60 Configuration of the AAA Server for Second-Stage (Per-User) Authentication and Authorization Examples SC-61 Complete Configuration with TACACS+ Example Automated Double Authentication Example MS-CHAP Example

SC-67

Configuring Authorization

SC-69

In This Chapter

SC-62

SC-65

SC-69

Named Method Lists for Authorization AAA Authorization Methods

SC-70

Method Lists and Server Groups AAA Authorization Types

SC-69

SC-71

SC-72

AAA Authorization Prerequisites

SC-72

AAA Authorization Configuration Task List

SC-72

Configuring AAA Authorization Using Named Method Lists Authorization Types

SC-73

Authorization Methods

SC-74

Disabling Authorization for Global Configuration Commands Configuring Authorization for Reverse Telnet Authorization Attribute-Value Pairs

TACACS+ Authorization Examples

SC-76

SC-77 SC-78

Reverse Telnet Authorization Examples

In This Chapter

SC-75

SC-76

Named Method List Configuration Example RADIUS Authorization Example

SC-74

SC-75

Authorization Configuration Examples

Configuring Accounting

SC-73

SC-78

SC-81

SC-81

Named Method Lists for Accounting

SC-81

Method Lists and Server Groups

SC-83

AAA Accounting Methods

SC-84

Cisco IOS Security Configuration Guide

vii

Contents

AAA Accounting Types

SC-84

Network Accounting

SC-84

Connection Accounting EXEC Accounting

SC-87

SC-89

System Accounting

SC-90

Command Accounting Resource Accounting

SC-91 SC-91

AAA Resource Failure Stop Accounting

SC-91

AAA Resource Accounting for Start-Stop Records AAA Accounting Enhancements

SC-93

AAA Broadcast Accounting

SC-94

AAA Session MIB

SC-93

SC-94

AAA Accounting Prerequisites

SC-95

AAA Accounting Configuration Task List

SC-95

Configuring AAA Accounting Using Named Method Lists Accounting Types

SC-96

SC-96

Accounting Record Types Accounting Methods

SC-97

SC-97

Suppressing Generation of Accounting Records for Null Username Sessions Generating Interim Accounting Records

SC-99

Generating Accounting Records for Failed Login or Session

SC-99

Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records Configuring AAA Resource Failure Stop Accounting

SC-100

Configuring AAA Resource Accounting for Start-Stop Records Configuring AAA Broadcast Accounting

Monitoring Accounting

SC-101

SC-101

SC-102

Troubleshooting Accounting

SC-102

Accounting Attribute-Value Pairs

SC-102

Accounting Configuration Examples

SC-102

Configuring Named Method List Example Configuring AAA Resource Accounting

SC-103 SC-105

Configuring AAA Broadcast Accounting Example

SC-105

Configuring Per-DNIS AAA Broadcast Accounting Example

Cisco IOS Security Configuration Guide

viii

SC-100

SC-101

Configuring Per-DNIS AAA Broadcast Accounting Configuring AAA Session MIB

SC-98

SC-106

SC-99

Contents

AAA Session MIB Example

SC-106

Security Server Protocols Configuring RADIUS

SC-109

In This Chapter

SC-109

About RADIUS

SC-109

RADIUS Operation

SC-110

RADIUS Configuration Task List

SC-111

Configuring Router to RADIUS Server Communication

SC-112

Configuring Router to Use Vendor-Specific RADIUS Attributes

SC-114

Configuring Router for Vendor-Proprietary RADIUS Server Communication

SC-115

Configuring Router to Query RADIUS Server for Static Routes and IP Addresses Configuring Router to Expand Network Access Server Port Information Configuring AAA Server Groups

SC-116

SC-116

SC-117

Configuring AAA Server Groups with Deadtime Configuring AAA DNIS Authentication

SC-118

SC-119

Configuring AAA Server Group Selection Based on DNIS Configuring AAA Preauthentication

SC-119

SC-121

Setting Up the RADIUS Profile for DNIS or CLID Preauthentication Setting Up the RADIUS Profile for Call Type Preauthentication

SC-122

SC-123

Setting Up the RADIUS Profile for Preauthentication Enhancements for Callback Setting Up the RADIUS Profile for Modem Management

SC-124

Setting Up the RADIUS Profile for Subsequent Authentication

SC-124

Setting Up the RADIUS Profile for Subsequent Authentication Type Setting Up the RADIUS Profile to Include the Username

Configuring a Guard Timer

SC-125

SC-126

SC-127

Specifying RADIUS Authentication Specifying RADIUS Authorization Specifying RADIUS Accounting

SC-127 SC-127

SC-127

Configuring RADIUS Login-IP-Host Configuring RADIUS Prompt

SC-125

SC-125

Setting Up the RADIUS Profile for Two-Way Authentication Setting Up the RADIUS Profile to Support Authorization

SC-123

SC-128

SC-128

Configuring Suffix and Password in RADIUS Access Requests Monitoring and Maintaining RADIUS

SC-129

SC-129

Cisco IOS Security Configuration Guide

ix

Contents

RADIUS Attributes

SC-129

Vendor-Proprietary RADIUS Attributes RADIUS Tunnel Attributes

SC-130

SC-130

RADIUS Configuration Examples

SC-130

RADIUS Authentication and Authorization Example

SC-131

RADIUS Authentication, Authorization, and Accounting Example Vendor-Proprietary RADIUS Configuration Example RADIUS Server with Server-Specific Values Example

SC-131

SC-132 SC-133

Multiple RADIUS Servers with Global and Server-Specific Values Example Multiple RADIUS Server Entries for the Same Server IP Address Example RADIUS Server Group Examples

AAA Server Group Selection Based on DNIS Example AAA Preauthentication Examples

SC-136

SC-138

L2TP Access Concentrator Examples L2TP Network Server Examples

In This Chapter

SC-138

SC-139

SC-141

SC-141

About TACACS+

SC-141

TACACS+ Operation

SC-142

TACACS+ Configuration Task List

SC-143

Identifying the TACACS+ Server Host

SC-144

Setting the TACACS+ Authentication Key Configuring AAA Server Groups

SC-145

SC-145

Configuring AAA Server Group Selection Based on DNIS Specifying TACACS+ Authentication Specifying TACACS+ Authorization Specifying TACACS+ Accounting TACACS+ AV Pairs

SC-148

TACACS+ Authorization Example TACACS+ Accounting Example Cisco IOS Security Configuration Guide

SC-147 SC-148

TACACS+ Authentication Examples

x

SC-147

SC-148

TACACS+ Configuration Examples

SC-134

SC-135

RADIUS User Profile with RADIUS Tunneling Attributes Example

Configuring TACACS+

SC-134

SC-134

Multiple RADIUS Server Entries Using AAA Server Groups Example

Guard Timer Examples

SC-133

SC-148 SC-150

SC-151

SC-146

SC-137

Contents

TACACS+ Server Group Example

SC-151

AAA Server Group Selection Based on DNIS Example TACACS+ Daemon Configuration Example Configuring Kerberos

SC-151

SC-152

SC-153

In This Chapter

SC-153

About Kerberos

SC-153

Kerberos Client Support Operation

SC-155

Authenticating to the Boundary Router Obtaining a TGT from a KDC

SC-155

SC-156

Authenticating to Network Services Kerberos Configuration Task List

SC-156

SC-157

Configuring the KDC Using Kerberos Commands Adding Users to the KDC Database Creating SRVTABs on the KDC Extracting SRVTABs

SC-157

SC-158

SC-158

SC-159

Configuring the Router to Use the Kerberos Protocol Defining a Kerberos Realm Copying SRVTAB Files

SC-159

SC-160

SC-160

Specifying Kerberos Authentication Enabling Credentials Forwarding

SC-161 SC-161

Opening a Telnet Session to the Router

SC-162

Establishing an Encrypted Kerberized Telnet Session Enabling Mandatory Kerberos Authentication Enabling Kerberos Instance Mapping Monitoring and Maintaining Kerberos Kerberos Configuration Examples

SC-162

SC-163

SC-163 SC-164

SC-164

Kerberos Realm Definition Examples SRVTAB File Copying Example

SC-164

SC-164

Kerberos Configuration Examples Encrypted Telnet Session Example

SC-164 SC-174

Traffic Filtering and Firewalls Access Control Lists: Overview and Guidelines In This Chapter

SC-177

SC-177

About Access Control Lists

SC-177 Cisco IOS Security Configuration Guide

xi

Contents

What Access Lists Do

SC-177

Why You Should Configure Access Lists When to Configure Access Lists

SC-178

Basic Versus Advanced Access Lists Overview of Access List Configuration Creating Access Lists

SC-178

SC-179 SC-179

SC-179

Assigning a Unique Name or Number to Each Access List Defining Criteria for Forwarding or Blocking Packets

SC-180

SC-181

Creating and Editing Access List Statements on a TFTP Server Applying Access Lists to Interfaces

SC-182

SC-182

Finding Complete Configuration and Command Information for Access Lists Cisco IOS Firewall Overview About Firewalls

SC-183

SC-183

The Cisco IOS Firewall Solution

SC-183

The Cisco IOS Firewall Feature Set Creating a Customized Firewall

SC-184

SC-184

Other Guidelines for Configuring Your Firewall

SC-188

Configuring Lock-and-Key Security (Dynamic Access Lists) In This Chapter

SC-191

About Lock-and-Key

SC-192

Benefits of Lock-and-Key When to Use Lock-and-Key How Lock-and-Key Works

SC-192 SC-192 SC-193

Compatibility with Releases Before Cisco IOS Release 11.1 Risk of Spoofing with Lock-and-Key

SC-194

Router Performance Impacts with Lock-and-Key Prerequisites to Configuring Lock-and-Key Configuring Lock-and-Key

Dynamic Access Lists

SC-194

SC-196

SC-196

Lock-and-Key Authentication

SC-197

The autocommand Command

SC-197

Verifying Lock-and-Key Configuration Maintaining Lock-and-Key

SC-198

SC-198

Displaying Dynamic Access List Entries Cisco IOS Security Configuration Guide

SC-194

SC-195

Lock-and-Key Configuration Guidelines

xii

SC-191

SC-198

SC-193

SC-182

Contents

Manually Deleting Dynamic Access List Entries Lock-and-Key Configuration Examples

SC-199

SC-199

Lock-and-Key with Local Authentication Example

SC-199

Lock-and-Key with TACACS+ Authentication Example

SC-200

Configuring IP Session Filtering (Reflexive Access Lists) In This Chapter

SC-201

SC-201

About Reflexive Access Lists

SC-201

Benefits of Reflexive Access Lists What Is a Reflexive Access List?

SC-202 SC-202

How Reflexive Access Lists Implement Session Filtering With Basic Access Lists

SC-202

With Reflexive Access Lists

SC-203

Where to Configure Reflexive Access Lists How Reflexive Access Lists Work

SC-203

SC-203

Temporary Access List Entry Characteristics When the Session Ends

SC-202

SC-203

SC-204

Restrictions on Using Reflexive Access Lists

SC-204

Prework: Before You Configure Reflexive Access Lists Choosing an Interface: Internal or External

SC-205

Reflexive Access Lists Configuration Task List

SC-206

External Interface Configuration Task List

SC-206

Internal Interface Configuration Task List

SC-206

Defining the Reflexive Access List(s)

SC-204

SC-207

Mixing Reflexive Access List Statements with Other Permit and Deny Entries Nesting the Reflexive Access List(s) Setting a Global Timeout Value

SC-208

SC-209

Reflexive Access List Configuration Examples

SC-209

External Interface Configuration Example

SC-209

Internal Interface Configuration Example

SC-211

Configuring TCP Intercept (Preventing Denial-of-Service Attacks) In This Chapter

SC-207

SC-213

SC-213

About TCP Intercept

SC-213

TCP Intercept Configuration Task List Enabling TCP Intercept

SC-214

SC-214

Setting the TCP Intercept Mode

SC-215 Cisco IOS Security Configuration Guide

xiii

Contents

Setting the TCP Intercept Drop Mode Changing the TCP Intercept Timers

SC-215 SC-215

Changing the TCP Intercept Aggressive Thresholds Monitoring and Maintaining TCP Intercept TCP Intercept Configuration Example

SC-217

SC-217

Configuring Context-Based Access Control In This Chapter

SC-216

SC-219

SC-219

About Context-Based Access Control What CBAC Does

SC-220

Traffic Filtering

SC-220

Traffic Inspection

SC-220

Alerts and Audit Trails Intrusion Detection

SC-221

SC-221

What CBAC Does Not Do How CBAC Works

SC-219

SC-222

SC-222

How CBAC Works—Overview How CBAC Works—Details

SC-222 SC-223

When and Where to Configure CBAC The CBAC Process

SC-225

SC-225

Supported Protocols

SC-226

CBAC Supported Protocols

SC-226

RTSP and H.323 Protocol Support for Multimedia Applications Restrictions

SC-229

FTP Traffic and CBAC

SC-229

IPSec and CBAC Compatibility Memory and Performance Impact CBAC Configuration Task List

SC-229 SC-229

SC-230

Picking an Interface: Internal or External

SC-230

Configuring IP Access Lists at the Interface Basic Configuration

SC-232

External Interface

SC-234

Internal Interface

SC-234

Configuring Global Timeouts and Thresholds Half-Open Sessions

SC-236

Defining an Inspection Rule Cisco IOS Security Configuration Guide

xiv

SC-232

SC-236

SC-234

SC-227

Contents

Configuring Application-Layer Protocol Inspection Configuring Generic TCP and UDP Inspection Applying the Inspection Rule to an Interface Configuring Logging and Audit Trail

SC-240

SC-241

SC-242

RTSP with RDT

SC-243

RTSP with TCP Only (Interleaved Mode) RTSP with SMIL

SC-243

SC-244

RTSP with RTP (IP/TV) H.323 V2

SC-239

SC-240

Other Guidelines for Configuring a Firewall Verifying CBAC

SC-236

SC-244

SC-245

Monitoring and Maintaining CBAC

SC-245

Debugging Context-Based Access Control Generic Debug Commands

SC-246

SC-246

Transport Level Debug Commands

SC-247

Application Protocol Debug Commands

SC-247

Interpreting Syslog and Console Messages Generated by CBAC Denial-of-Service Attack Detection Error Messages SMTP Attack Detection Error Messages Java Blocking Error Messages FTP Error Messages

SC-248

SC-249

SC-249

SC-250

CBAC Configuration Examples

SC-250

Ethernet Interface Configuration Example ATM Interface Configuration Example

SC-251

SC-251

Remote Office to ISP Configuration Example

SC-253

Remote Office to Branch Office Configuration Example Two-Interface Branch Office Configuration Example

SC-255 SC-258

Multiple-Interface Branch Office Configuration Example Configuring Cisco IOS Firewall Intrusion Detection System In This Chapter

SC-248

SC-249

Audit Trail Messages Turning Off CBAC

SC-248

SC-261 SC-269

SC-269

About the Firewall Intrusion Detection System

SC-269

Compatibility with Cisco Secure Intrusion Detection Functional Description

SC-270

SC-271

Cisco IOS Security Configuration Guide

xv

Contents

When to Use Cisco IOS Firewall IDS Memory and Performance Impact

SC-272 SC-272

Cisco IOS Firewall IDS Signature List

SC-273

Cisco IOS Firewall IDS Configuration Task List Initializing Cisco IOS Firewall IDS Initializing the Post Office

SC-278

SC-278

SC-279

Configuring and Applying Audit Rules Verifying the Configuration

SC-281

SC-283

Monitoring and Maintaining Cisco IOS Firewall IDS Cisco IOS Firewall IDS Configuration Examples

SC-283

SC-284

Cisco IOS Firewall IDS Reporting to Two Directors Example Adding an ACL to the Audit Rule Example Disabling a Signature Example

SC-285

Adding an ACL to Signatures Example

SC-286

Dual-Tier Signature Response Example Configuring Authentication Proxy In This Chapter

SC-285

SC-286

SC-289

SC-289

About Authentication Proxy

SC-289

How the Authentication Proxy Works Secure Authentication

SC-290

SC-292

Operation with JavaScript

SC-292

Operation Without JavaScript Using the Authentication Proxy

SC-292

SC-293

When to Use the Authentication Proxy Applying the Authentication Proxy

SC-294

SC-295

Operation with One-Time Passwords

SC-296

Compatibility with Other Security Features NAT Compatibility CBAC Compatibility

SC-297 SC-297

VPN Client Compatibility

SC-297

Compatibility with AAA Accounting

SC-297

Protection Against Denial-of-Service Attacks

SC-298

Risk of Spoofing with Authentication Proxy

SC-298

Comparison with the Lock-and-Key Feature

SC-298

Restrictions Cisco IOS Security Configuration Guide

xvi

SC-296

SC-299

SC-284

Contents

Prerequisites to Configuring Authentication Proxy Authentication Proxy Configuration Task List Configuring AAA

SC-299

SC-300

SC-300

Configuring the HTTP Server

SC-302

Configuring the Authentication Proxy Verifying the Authentication Proxy

SC-302 SC-303

Checking the Authentication Proxy Configuration

SC-303

Establishing User Connections with JavaScript

SC-304

Establishing User Connections Without JavaScript Monitoring and Maintaining the A