344 33 5MB
English Pages 577
Cisco IOS Security Configuration Guide Release 12.2
Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Customer Order Number: DOC-7811747= Text Part Number: 78-11747-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, PIX, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0102R) Cisco IOS Security Configuration Guide Copyright © 2001, Cisco Systems, Inc. All rights reserved.
C O N T E N T S
About Cisco IOS Software Documentation Documentation Objectives Audience
xxvii
xxvii
xxvii
Documentation Organization
xxvii
Documentation Modules Master Indexes
xxvii
xxx
Supporting Documents and Resources New and Changed Information Document Conventions
xxxi
xxxi
Obtaining Documentation World Wide Web
xxxii
xxxii
Documentation CD-ROM
xxxiii
Ordering Documentation
xxxiii
Documentation Feedback
xxxiii
Obtaining Technical Assistance Cisco.com
xxx
xxxiii
xxxiv
Technical Assistance Center
xxxiv
Contacting TAC by Using the Cisco TAC Website Contacting TAC by Telephone Using Cisco IOS Software
xxxv
xxxvii
Understanding Command Modes Getting Help
xxxiv
xxxvii
xxxviii
Example: How to Find Command Options Using the no and default Forms of Commands Saving Configuration Changes
xxxix xli
xlii
Filtering Output from the show and more Commands Identifying Supported Platforms Using Feature Navigator
xliii xliii
Using Software Release Notes Security Overview About This Guide
xlii
xliii
SC-1 SC-1 Cisco IOS Security Configuration Guide
iii
Contents
Authentication, Authorization, and Accounting (AAA) Security Server Protocols
SC-2
Traffic Filtering and Firewalls IP Security and Encryption Other Security Features Appendixes
SC-2
SC-3
SC-4 SC-4
SC-5
Creating Effective Security Policies
SC-6
The Nature of Security Policies
SC-6
Two Levels of Security Policies
SC-6
Tips for Developing an Effective Security Policy
SC-7
Identifying Your Network Assets to Protect
SC-7
Determining Points of Risk
SC-7
Limiting the Scope of Access Identifying Assumptions
SC-7
SC-8
Determining the Cost of Security Measures Considering Human Factors
SC-8
SC-8
Keeping a Limited Number of Secrets
SC-8
Implementing Pervasive and Scalable Security Understanding Typical Network Functions Remembering Physical Security
SC-9
SC-9
SC-9
Identifying Security Risks and Cisco IOS Solutions
SC-9
Preventing Unauthorized Access into Networking Devices Preventing Unauthorized Access into Networks Preventing Network Data Interception
SC-12
Preventing Fraudulent Route Updates
SC-12
SC-11
Authentication, Authorization, and Accounting (AAA) AAA Overview
SC-15
In This Chapter
SC-15
About AAA Security Services Benefits of Using AAA AAA Philosophy Method Lists Where to Begin
SC-15 SC-16
SC-17 SC-17
SC-18
Overview of the AAA Configuration Process
Cisco IOS Security Configuration Guide
iv
SC-19
SC-9
Contents
Enabling AAA Disabling AAA What to Do Next
SC-19 SC-20 SC-20
Configuring Authentication In This Chapter
SC-21
SC-21
Named Method Lists for Authentication Method Lists and Server Groups Method List Examples
SC-21 SC-22
SC-23
AAA Authentication General Configuration Procedure AAA Authentication Methods Configuration Task List Configuring Login Authentication Using AAA
SC-24
SC-25
Login Authentication Using Enable Password Login Authentication Using Kerberos
SC-24
SC-27
SC-27
Login Authentication Using Line Password
SC-27
Login Authentication Using Local Password
SC-27
Login Authentication Using Group RADIUS
SC-28
Login Authentication Using Group TACACS+
SC-28
Login Authentication Using group group-name Configuring PPP Authentication Using AAA PPP Authentication Using Kerberos
SC-28
SC-29
SC-30
PPP Authentication Using Local Password
SC-30
PPP Authentication Using Group RADIUS
SC-31
PPP Authentication Using Group TACACS+
SC-31
PPP Authentication Using group group-name
SC-31
Configuring AAA Scalability for PPP Requests
SC-32
Configuring ARAP Authentication Using AAA
SC-32
ARAP Authentication Allowing Authorized Guest Logins ARAP Authentication Allowing Guest Logins ARAP Authentication Using Line Password
SC-34 SC-34
ARAP Authentication Using Local Password ARAP Authentication Using Group RADIUS
SC-34 SC-35
ARAP Authentication Using Group TACACS+
SC-35
ARAP Authentication Using Group group-name Configuring NASI Authentication Using AAA
SC-34
SC-35
SC-36
NASI Authentication Using Enable Password
SC-37
Cisco IOS Security Configuration Guide
v
Contents
NASI Authentication Using Line Password
SC-37
NASI Authentication Using Local Password
SC-37
NASI Authentication Using Group RADIUS
SC-38
NASI Authentication Using Group TACACS+
SC-38
NASI Authentication Using group group-name Specifying the Amount of Time for Login Input
SC-38
SC-39
Enabling Password Protection at the Privileged Level
SC-39
Changing the Text Displayed at the Password Prompt
SC-40
Configuring Message Banners for AAA Authentication Configuring a Login Banner
SC-40
SC-41
Configuring a Failed-Login Banner
SC-41
Configuring AAA Packet of Disconnect
SC-42
Enabling Double Authentication
SC-42
How Double Authentication Works
SC-42
Configuring Double Authentication
SC-43
Accessing the User Profile After Double Authentication Enabling Automated Double Authentication Non-AAA Authentication Methods
SC-45
SC-47
Configuring Line Password Protection
SC-47
Establishing Username Authentication
SC-48
Enabling CHAP or PAP Authentication Enabling PPP Encapsulation Enabling PAP or CHAP
SC-49
SC-50
SC-50
Inbound and Outbound Authentication
SC-51
Enabling Outbound PAP Authentication
SC-51
Refusing PAP Authentication Requests
SC-52
Creating a Common CHAP Password
SC-52
Refusing CHAP Authentication Requests
SC-52
Delaying CHAP Authentication Until Peer Authenticates Using MS-CHAP
SC-53
Authentication Examples
SC-54
RADIUS Authentication Examples TACACS+ Authentication Examples Kerberos Authentication Examples AAA Scalability Example
Cisco IOS Security Configuration Guide
vi
SC-44
SC-57
SC-55 SC-56 SC-57
SC-53
Contents
Login and Failed Banner Examples
SC-58
AAA Packet of Disconnect Server Key Example Double Authentication Examples
SC-59
SC-59
Configuration of the Local Host for AAA with Double Authentication Examples
SC-60
Configuration of the AAA Server for First-Stage (PPP) Authentication and Authorization Example SC-60 Configuration of the AAA Server for Second-Stage (Per-User) Authentication and Authorization Examples SC-61 Complete Configuration with TACACS+ Example Automated Double Authentication Example MS-CHAP Example
SC-67
Configuring Authorization
SC-69
In This Chapter
SC-62
SC-65
SC-69
Named Method Lists for Authorization AAA Authorization Methods
SC-70
Method Lists and Server Groups AAA Authorization Types
SC-69
SC-71
SC-72
AAA Authorization Prerequisites
SC-72
AAA Authorization Configuration Task List
SC-72
Configuring AAA Authorization Using Named Method Lists Authorization Types
SC-73
Authorization Methods
SC-74
Disabling Authorization for Global Configuration Commands Configuring Authorization for Reverse Telnet Authorization Attribute-Value Pairs
TACACS+ Authorization Examples
SC-76
SC-77 SC-78
Reverse Telnet Authorization Examples
In This Chapter
SC-75
SC-76
Named Method List Configuration Example RADIUS Authorization Example
SC-74
SC-75
Authorization Configuration Examples
Configuring Accounting
SC-73
SC-78
SC-81
SC-81
Named Method Lists for Accounting
SC-81
Method Lists and Server Groups
SC-83
AAA Accounting Methods
SC-84
Cisco IOS Security Configuration Guide
vii
Contents
AAA Accounting Types
SC-84
Network Accounting
SC-84
Connection Accounting EXEC Accounting
SC-87
SC-89
System Accounting
SC-90
Command Accounting Resource Accounting
SC-91 SC-91
AAA Resource Failure Stop Accounting
SC-91
AAA Resource Accounting for Start-Stop Records AAA Accounting Enhancements
SC-93
AAA Broadcast Accounting
SC-94
AAA Session MIB
SC-93
SC-94
AAA Accounting Prerequisites
SC-95
AAA Accounting Configuration Task List
SC-95
Configuring AAA Accounting Using Named Method Lists Accounting Types
SC-96
SC-96
Accounting Record Types Accounting Methods
SC-97
SC-97
Suppressing Generation of Accounting Records for Null Username Sessions Generating Interim Accounting Records
SC-99
Generating Accounting Records for Failed Login or Session
SC-99
Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records Configuring AAA Resource Failure Stop Accounting
SC-100
Configuring AAA Resource Accounting for Start-Stop Records Configuring AAA Broadcast Accounting
Monitoring Accounting
SC-101
SC-101
SC-102
Troubleshooting Accounting
SC-102
Accounting Attribute-Value Pairs
SC-102
Accounting Configuration Examples
SC-102
Configuring Named Method List Example Configuring AAA Resource Accounting
SC-103 SC-105
Configuring AAA Broadcast Accounting Example
SC-105
Configuring Per-DNIS AAA Broadcast Accounting Example
Cisco IOS Security Configuration Guide
viii
SC-100
SC-101
Configuring Per-DNIS AAA Broadcast Accounting Configuring AAA Session MIB
SC-98
SC-106
SC-99
Contents
AAA Session MIB Example
SC-106
Security Server Protocols Configuring RADIUS
SC-109
In This Chapter
SC-109
About RADIUS
SC-109
RADIUS Operation
SC-110
RADIUS Configuration Task List
SC-111
Configuring Router to RADIUS Server Communication
SC-112
Configuring Router to Use Vendor-Specific RADIUS Attributes
SC-114
Configuring Router for Vendor-Proprietary RADIUS Server Communication
SC-115
Configuring Router to Query RADIUS Server for Static Routes and IP Addresses Configuring Router to Expand Network Access Server Port Information Configuring AAA Server Groups
SC-116
SC-116
SC-117
Configuring AAA Server Groups with Deadtime Configuring AAA DNIS Authentication
SC-118
SC-119
Configuring AAA Server Group Selection Based on DNIS Configuring AAA Preauthentication
SC-119
SC-121
Setting Up the RADIUS Profile for DNIS or CLID Preauthentication Setting Up the RADIUS Profile for Call Type Preauthentication
SC-122
SC-123
Setting Up the RADIUS Profile for Preauthentication Enhancements for Callback Setting Up the RADIUS Profile for Modem Management
SC-124
Setting Up the RADIUS Profile for Subsequent Authentication
SC-124
Setting Up the RADIUS Profile for Subsequent Authentication Type Setting Up the RADIUS Profile to Include the Username
Configuring a Guard Timer
SC-125
SC-126
SC-127
Specifying RADIUS Authentication Specifying RADIUS Authorization Specifying RADIUS Accounting
SC-127 SC-127
SC-127
Configuring RADIUS Login-IP-Host Configuring RADIUS Prompt
SC-125
SC-125
Setting Up the RADIUS Profile for Two-Way Authentication Setting Up the RADIUS Profile to Support Authorization
SC-123
SC-128
SC-128
Configuring Suffix and Password in RADIUS Access Requests Monitoring and Maintaining RADIUS
SC-129
SC-129
Cisco IOS Security Configuration Guide
ix
Contents
RADIUS Attributes
SC-129
Vendor-Proprietary RADIUS Attributes RADIUS Tunnel Attributes
SC-130
SC-130
RADIUS Configuration Examples
SC-130
RADIUS Authentication and Authorization Example
SC-131
RADIUS Authentication, Authorization, and Accounting Example Vendor-Proprietary RADIUS Configuration Example RADIUS Server with Server-Specific Values Example
SC-131
SC-132 SC-133
Multiple RADIUS Servers with Global and Server-Specific Values Example Multiple RADIUS Server Entries for the Same Server IP Address Example RADIUS Server Group Examples
AAA Server Group Selection Based on DNIS Example AAA Preauthentication Examples
SC-136
SC-138
L2TP Access Concentrator Examples L2TP Network Server Examples
In This Chapter
SC-138
SC-139
SC-141
SC-141
About TACACS+
SC-141
TACACS+ Operation
SC-142
TACACS+ Configuration Task List
SC-143
Identifying the TACACS+ Server Host
SC-144
Setting the TACACS+ Authentication Key Configuring AAA Server Groups
SC-145
SC-145
Configuring AAA Server Group Selection Based on DNIS Specifying TACACS+ Authentication Specifying TACACS+ Authorization Specifying TACACS+ Accounting TACACS+ AV Pairs
SC-148
TACACS+ Authorization Example TACACS+ Accounting Example Cisco IOS Security Configuration Guide
SC-147 SC-148
TACACS+ Authentication Examples
x
SC-147
SC-148
TACACS+ Configuration Examples
SC-134
SC-135
RADIUS User Profile with RADIUS Tunneling Attributes Example
Configuring TACACS+
SC-134
SC-134
Multiple RADIUS Server Entries Using AAA Server Groups Example
Guard Timer Examples
SC-133
SC-148 SC-150
SC-151
SC-146
SC-137
Contents
TACACS+ Server Group Example
SC-151
AAA Server Group Selection Based on DNIS Example TACACS+ Daemon Configuration Example Configuring Kerberos
SC-151
SC-152
SC-153
In This Chapter
SC-153
About Kerberos
SC-153
Kerberos Client Support Operation
SC-155
Authenticating to the Boundary Router Obtaining a TGT from a KDC
SC-155
SC-156
Authenticating to Network Services Kerberos Configuration Task List
SC-156
SC-157
Configuring the KDC Using Kerberos Commands Adding Users to the KDC Database Creating SRVTABs on the KDC Extracting SRVTABs
SC-157
SC-158
SC-158
SC-159
Configuring the Router to Use the Kerberos Protocol Defining a Kerberos Realm Copying SRVTAB Files
SC-159
SC-160
SC-160
Specifying Kerberos Authentication Enabling Credentials Forwarding
SC-161 SC-161
Opening a Telnet Session to the Router
SC-162
Establishing an Encrypted Kerberized Telnet Session Enabling Mandatory Kerberos Authentication Enabling Kerberos Instance Mapping Monitoring and Maintaining Kerberos Kerberos Configuration Examples
SC-162
SC-163
SC-163 SC-164
SC-164
Kerberos Realm Definition Examples SRVTAB File Copying Example
SC-164
SC-164
Kerberos Configuration Examples Encrypted Telnet Session Example
SC-164 SC-174
Traffic Filtering and Firewalls Access Control Lists: Overview and Guidelines In This Chapter
SC-177
SC-177
About Access Control Lists
SC-177 Cisco IOS Security Configuration Guide
xi
Contents
What Access Lists Do
SC-177
Why You Should Configure Access Lists When to Configure Access Lists
SC-178
Basic Versus Advanced Access Lists Overview of Access List Configuration Creating Access Lists
SC-178
SC-179 SC-179
SC-179
Assigning a Unique Name or Number to Each Access List Defining Criteria for Forwarding or Blocking Packets
SC-180
SC-181
Creating and Editing Access List Statements on a TFTP Server Applying Access Lists to Interfaces
SC-182
SC-182
Finding Complete Configuration and Command Information for Access Lists Cisco IOS Firewall Overview About Firewalls
SC-183
SC-183
The Cisco IOS Firewall Solution
SC-183
The Cisco IOS Firewall Feature Set Creating a Customized Firewall
SC-184
SC-184
Other Guidelines for Configuring Your Firewall
SC-188
Configuring Lock-and-Key Security (Dynamic Access Lists) In This Chapter
SC-191
About Lock-and-Key
SC-192
Benefits of Lock-and-Key When to Use Lock-and-Key How Lock-and-Key Works
SC-192 SC-192 SC-193
Compatibility with Releases Before Cisco IOS Release 11.1 Risk of Spoofing with Lock-and-Key
SC-194
Router Performance Impacts with Lock-and-Key Prerequisites to Configuring Lock-and-Key Configuring Lock-and-Key
Dynamic Access Lists
SC-194
SC-196
SC-196
Lock-and-Key Authentication
SC-197
The autocommand Command
SC-197
Verifying Lock-and-Key Configuration Maintaining Lock-and-Key
SC-198
SC-198
Displaying Dynamic Access List Entries Cisco IOS Security Configuration Guide
SC-194
SC-195
Lock-and-Key Configuration Guidelines
xii
SC-191
SC-198
SC-193
SC-182
Contents
Manually Deleting Dynamic Access List Entries Lock-and-Key Configuration Examples
SC-199
SC-199
Lock-and-Key with Local Authentication Example
SC-199
Lock-and-Key with TACACS+ Authentication Example
SC-200
Configuring IP Session Filtering (Reflexive Access Lists) In This Chapter
SC-201
SC-201
About Reflexive Access Lists
SC-201
Benefits of Reflexive Access Lists What Is a Reflexive Access List?
SC-202 SC-202
How Reflexive Access Lists Implement Session Filtering With Basic Access Lists
SC-202
With Reflexive Access Lists
SC-203
Where to Configure Reflexive Access Lists How Reflexive Access Lists Work
SC-203
SC-203
Temporary Access List Entry Characteristics When the Session Ends
SC-202
SC-203
SC-204
Restrictions on Using Reflexive Access Lists
SC-204
Prework: Before You Configure Reflexive Access Lists Choosing an Interface: Internal or External
SC-205
Reflexive Access Lists Configuration Task List
SC-206
External Interface Configuration Task List
SC-206
Internal Interface Configuration Task List
SC-206
Defining the Reflexive Access List(s)
SC-204
SC-207
Mixing Reflexive Access List Statements with Other Permit and Deny Entries Nesting the Reflexive Access List(s) Setting a Global Timeout Value
SC-208
SC-209
Reflexive Access List Configuration Examples
SC-209
External Interface Configuration Example
SC-209
Internal Interface Configuration Example
SC-211
Configuring TCP Intercept (Preventing Denial-of-Service Attacks) In This Chapter
SC-207
SC-213
SC-213
About TCP Intercept
SC-213
TCP Intercept Configuration Task List Enabling TCP Intercept
SC-214
SC-214
Setting the TCP Intercept Mode
SC-215 Cisco IOS Security Configuration Guide
xiii
Contents
Setting the TCP Intercept Drop Mode Changing the TCP Intercept Timers
SC-215 SC-215
Changing the TCP Intercept Aggressive Thresholds Monitoring and Maintaining TCP Intercept TCP Intercept Configuration Example
SC-217
SC-217
Configuring Context-Based Access Control In This Chapter
SC-216
SC-219
SC-219
About Context-Based Access Control What CBAC Does
SC-220
Traffic Filtering
SC-220
Traffic Inspection
SC-220
Alerts and Audit Trails Intrusion Detection
SC-221
SC-221
What CBAC Does Not Do How CBAC Works
SC-219
SC-222
SC-222
How CBAC Works—Overview How CBAC Works—Details
SC-222 SC-223
When and Where to Configure CBAC The CBAC Process
SC-225
SC-225
Supported Protocols
SC-226
CBAC Supported Protocols
SC-226
RTSP and H.323 Protocol Support for Multimedia Applications Restrictions
SC-229
FTP Traffic and CBAC
SC-229
IPSec and CBAC Compatibility Memory and Performance Impact CBAC Configuration Task List
SC-229 SC-229
SC-230
Picking an Interface: Internal or External
SC-230
Configuring IP Access Lists at the Interface Basic Configuration
SC-232
External Interface
SC-234
Internal Interface
SC-234
Configuring Global Timeouts and Thresholds Half-Open Sessions
SC-236
Defining an Inspection Rule Cisco IOS Security Configuration Guide
xiv
SC-232
SC-236
SC-234
SC-227
Contents
Configuring Application-Layer Protocol Inspection Configuring Generic TCP and UDP Inspection Applying the Inspection Rule to an Interface Configuring Logging and Audit Trail
SC-240
SC-241
SC-242
RTSP with RDT
SC-243
RTSP with TCP Only (Interleaved Mode) RTSP with SMIL
SC-243
SC-244
RTSP with RTP (IP/TV) H.323 V2
SC-239
SC-240
Other Guidelines for Configuring a Firewall Verifying CBAC
SC-236
SC-244
SC-245
Monitoring and Maintaining CBAC
SC-245
Debugging Context-Based Access Control Generic Debug Commands
SC-246
SC-246
Transport Level Debug Commands
SC-247
Application Protocol Debug Commands
SC-247
Interpreting Syslog and Console Messages Generated by CBAC Denial-of-Service Attack Detection Error Messages SMTP Attack Detection Error Messages Java Blocking Error Messages FTP Error Messages
SC-248
SC-249
SC-249
SC-250
CBAC Configuration Examples
SC-250
Ethernet Interface Configuration Example ATM Interface Configuration Example
SC-251
SC-251
Remote Office to ISP Configuration Example
SC-253
Remote Office to Branch Office Configuration Example Two-Interface Branch Office Configuration Example
SC-255 SC-258
Multiple-Interface Branch Office Configuration Example Configuring Cisco IOS Firewall Intrusion Detection System In This Chapter
SC-248
SC-249
Audit Trail Messages Turning Off CBAC
SC-248
SC-261 SC-269
SC-269
About the Firewall Intrusion Detection System
SC-269
Compatibility with Cisco Secure Intrusion Detection Functional Description
SC-270
SC-271
Cisco IOS Security Configuration Guide
xv
Contents
When to Use Cisco IOS Firewall IDS Memory and Performance Impact
SC-272 SC-272
Cisco IOS Firewall IDS Signature List
SC-273
Cisco IOS Firewall IDS Configuration Task List Initializing Cisco IOS Firewall IDS Initializing the Post Office
SC-278
SC-278
SC-279
Configuring and Applying Audit Rules Verifying the Configuration
SC-281
SC-283
Monitoring and Maintaining Cisco IOS Firewall IDS Cisco IOS Firewall IDS Configuration Examples
SC-283
SC-284
Cisco IOS Firewall IDS Reporting to Two Directors Example Adding an ACL to the Audit Rule Example Disabling a Signature Example
SC-285
Adding an ACL to Signatures Example
SC-286
Dual-Tier Signature Response Example Configuring Authentication Proxy In This Chapter
SC-285
SC-286
SC-289
SC-289
About Authentication Proxy
SC-289
How the Authentication Proxy Works Secure Authentication
SC-290
SC-292
Operation with JavaScript
SC-292
Operation Without JavaScript Using the Authentication Proxy
SC-292
SC-293
When to Use the Authentication Proxy Applying the Authentication Proxy
SC-294
SC-295
Operation with One-Time Passwords
SC-296
Compatibility with Other Security Features NAT Compatibility CBAC Compatibility
SC-297 SC-297
VPN Client Compatibility
SC-297
Compatibility with AAA Accounting
SC-297
Protection Against Denial-of-Service Attacks
SC-298
Risk of Spoofing with Authentication Proxy
SC-298
Comparison with the Lock-and-Key Feature
SC-298
Restrictions Cisco IOS Security Configuration Guide
xvi
SC-296
SC-299
SC-284
Contents
Prerequisites to Configuring Authentication Proxy Authentication Proxy Configuration Task List Configuring AAA
SC-299
SC-300
SC-300
Configuring the HTTP Server
SC-302
Configuring the Authentication Proxy Verifying the Authentication Proxy
SC-302 SC-303
Checking the Authentication Proxy Configuration
SC-303
Establishing User Connections with JavaScript
SC-304
Establishing User Connections Without JavaScript Monitoring and Maintaining the A