© 2005 Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 6 City College.

1 CNIT 221 Security 1 ver.2 Module 6 City College of San Francisco Spring 2006

2 Network Security 1 Module 6 – Configure Trust and Identity at Layer 3

3 Learning Objectives
6.1 Cisco IOS Firewall Authentication Proxy
6.2 Introduction to PIX Security Appliance AAA Features
6.3 Configure AAA on the PIX Security Appliance

4 Module 6 – Configure Trust and Identity at Layer 3
6.1 Cisco IOS Firewall Authentication Proxy

5 What Is the Authentication Proxy?
–HTTP, HTTPS, FTP, and Telnet authentication
–Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
–Once authenticated, all types of application traffic can be authorized
–Works on any interface type for inbound or outbound traffic

6 Cisco IOS Firewall Authentication Proxy
The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis. With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, HTTPS, FTP, or Telnet. User access profiles are automatically retrieved and applied from a Cisco Secure Access Control Server (ACS) or other authentication server.

7 IOS Firewall Proxy Example
When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.

8 Supported AAA Servers
TACACS+:
–Cisco Secure ACS UNIX
–Cisco Secure ACS NT/2000
–TACACS+ Freeware
RADIUS:
–Lucent
–Cisco Secure ACS UNIX
–Cisco Secure ACS NT/2000

9 Authentication Proxy Operation
Users must successfully authenticate with the authentication server by entering a valid username and password. The authentication proxy uses the information in the user's access profile to create dynamic access control entries (ACEs). The authentication proxy sets up an inactivity, or idle, timer for each user profile.

10 Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.

11 AAA Server Configuration

12 Authentication Proxy Configuration
The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs. Applying the authentication proxy inward at an interface causes it to intercept a user’s initial connection request. Users are authorized for services only after successful authentication with the AAA server.

13 AAA Configuration – Enable AAA
Router(config)# aaa new-model
–Enables the AAA functionality on the router (default = disabled)

14 Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2]
–Defines the list of authentication methods that will be used
–Methods: TACACS+, RADIUS, or both
Router(config)# aaa authentication login default group tacacs+ | radius

15 Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2]
–Use the auth-proxy keyword to enable authorization proxy for AAA methods
–Methods: TACACS+, RADIUS, or both
Router(config)# aaa authorization auth-proxy default group tacacs+

16 Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr
Router(config)# tacacs-server key string
–Specifies the TACACS+ server IP address
–Specifies the TACACS+ server key
Router(config)# tacacs-server host
Router(config)# tacacs-server key secretkey

17 Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr
Router(config)# radius-server key string
–Specifies the RADIUS server IP address
–Specifies the RADIUS server key
Router(config)# radius-server host
Router(config)# radius-server key secretkey

18 Allow AAA Traffic to the Router
Router(config)# access-list 111 permit tcp host eq tacacs host
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in
–Create an ACL to permit TACACS+ traffic from the AAA server to the firewall
Source address = AAA server
Destination address = interface where the AAA server resides
–May want to permit ICMP
–Deny all other traffic
–Apply the ACL to the interface on the side where the AAA server resides

19 Enable the Router HTTP or HTTPS Server
Router(config)# ip http server
Router(config)# ip http authentication aaa
Router(config)# ip http secure-server
–Enables the HTTP server on the router
–Sets the HTTP server authentication method to AAA
–Enables the HTTPS server on the router
–Proxy uses the HTTP server for communication with a client

20 Set Global Timers
Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
–Authentication inactivity timer in minutes (default = 60 minutes)
–Absolute timer in minutes (default = 0 minutes)
Router(config)# ip auth-proxy inactivity-timer 120

21 Define and Apply Authentication Proxy Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
Router(config-if)# ip auth-proxy auth-proxy-name
–Creates an authorization proxy rule
–Applies an authorization proxy rule to an interface
For outbound authentication, apply to the inside interface
For inbound authentication, apply to the outside interface
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule

22 Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
–Creates an authorization proxy rule with an access list
Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
An authentication proxy rule can be associated with an ACL, providing control over which hosts use the authentication proxy.
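As an added illustration (not part of the original slides and not Cisco's code), the Python model below ties together the behaviour described in slides 9, 20 and 22: a host's first HTTP, HTTPS, FTP or Telnet session triggers a login, a successful AAA login installs that user's dynamic ACEs, and the inactivity and absolute timers tear the entry down again. The host addresses, the user "alice" and her profile are constructed for the example; on a real router the profiles come from the TACACS+ or RADIUS server.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Session types that trigger the proxy (slide 7) and a constructed stand-in
# for the AAA user database: each profile becomes dynamic ACEs after login.
TRIGGERS = {"http", "https", "ftp", "telnet"}
AAA_PROFILES = {
    "alice": {"password": "pw-alice", "aces": [("ip", "10.0.0.0/24")]},
}

@dataclass
class Entry:  # one authenticated host: its dynamic ACEs plus timer state (minutes)
    user: str
    aces: list
    created: int
    last_seen: int

@dataclass
class AuthProxy:
    inactivity_timer: int = 60   # slide 20 default: 60 min idle timeout
    absolute_timer: int = 0      # slide 20 default: 0 = no absolute limit
    host_acl: list = field(default_factory=list)   # optional 'list' ACL networks (slide 22)
    entries: dict = field(default_factory=dict)    # keyed by source address

    def applies_to(self, src):
        # No ACL: the rule covers every host; with one, only hosts the ACL permits.
        return not self.host_acl or any(ip_address(src) in ip_network(n) for n in self.host_acl)

    def expire(self, now):
        # Remove entries whose idle or absolute timer has run out.
        for src, e in list(self.entries.items()):
            idle = now - e.last_seen >= self.inactivity_timer
            absolute = self.absolute_timer and now - e.created >= self.absolute_timer
            if idle or absolute:
                del self.entries[src]

    def login(self, src, user, password, now):
        """Check credentials against the AAA profile and install its ACEs for src."""
        prof = AAA_PROFILES.get(user)
        if prof is None or prof["password"] != password:
            return False
        self.entries[src] = Entry(user, prof["aces"], now, now)
        return True

    def check(self, src, proto, dst, now):
        """Decide a packet from src: 'permit', 'deny' or 'authenticate'."""
        self.expire(now)
        if not self.applies_to(src):
            return "permit"            # host outside the rule's ACL: proxy not involved
        e = self.entries.get(src)
        if e is None:                  # no session yet: only trigger protocols get a login;
            return "authenticate" if proto in TRIGGERS else "deny"  # others modelled as deny
        e.last_seen = now              # matching traffic resets the idle timer
        allowed = any((p == "ip" or p == proto) and ip_address(dst) in ip_network(n) for p, n in e.aces)
        return "permit" if allowed else "deny"
```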

23 Module 6 – Configure Trust and Identity at Layer 3
6.2 Introduction to PIX Security Appliance AAA Features

24 Types of Authentication
Three types of authentication are available on the PIX Security Appliance:
1. Access authentication
2. Cut-through proxy authentication
3. Tunnel access authentication

25 Types of Authentication
For cut-through proxy authentication, the PIX Security Appliance can be configured to require user authentication for a session through the PIX, as specified in the aaa authentication command.
–Only Telnet, FTP, HTTPS, and HTTP sessions can be intercepted to authenticate users. Once authenticated, the PIX shifts the session flow and all traffic flows directly between the server and the client while the PIX maintains session state information.
For tunnel access authentication, the PIX Security Appliance can be configured to require a remote tunnel user to authenticate prior to full tunnel establishment.

26 Types of Authentication

27 AAA Server Support
The PIX Security Appliance supports authentication and authorization using its own local server, an internal database, or an external AAA server.
–Accounting is tracked on an external accounting server.
The protocol for communications between the PIX Security Appliance and an external AAA server varies by AAA feature.
– see next figure

28 AAA Server Support

29 Module 6 – Configure Trust and Identity at Layer 3
6.3 Configure AAA on the PIX Security Appliance

30 Types of Access Authentication

31 Remote PIX Access
Telnet access to the Security appliance console is available from any internal interface. Telnet access to the outside interface is only available through an IPSec tunnel. SSH access to the Security appliance console is available from any interface.

32 Authentication Configuration Steps

33 Add Users to the Local User Database

34 Cut-Through Proxy

35 Authentication of Non-Telnet, FTP, or HTTP Traffic

36 Virtual Telnet

37 Virtual HTTP

38 User Authorization

39 Downloadable ACLs

40 Enable Accounting Match

41 Admin Accounting

42 Command Accounting