Published by Darcy Lewis. Modified over 8 years ago.
Slide 1: CNIT 221 Security 1 ver. 2, Module 6. City College of San Francisco, Spring 2006. © 2005 Cisco Systems, Inc. All rights reserved.
Slide 2: Network Security 1, Module 6 – Configure Trust and Identity at Layer 3
Slide 3: Learning Objectives
6.1 Cisco IOS Firewall Authentication Proxy
6.2 Introduction to PIX Security Appliance AAA Features
6.3 Configure AAA on the PIX Security Appliance
Slide 4: Module 6 – Configure Trust and Identity at Layer 3, 6.1 Cisco IOS Firewall Authentication Proxy
Slide 5: What Is the Authentication Proxy?
–HTTP, HTTPS, FTP, and Telnet authentication
–Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
–Once a user is authenticated, all types of application traffic can be authorized for that user
–Works on any interface type for inbound or outbound traffic
Slide 6: Cisco IOS Firewall Authentication Proxy
The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis. With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, HTTPS, FTP, or Telnet. User access profiles are automatically retrieved and applied from a Cisco Secure Access Control Server (ACS) or other authentication server.
Slide 7: IOS Firewall Proxy Example
When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.
Slide 8: Supported AAA Servers
TACACS+: Cisco Secure ACS UNIX, Cisco Secure ACS NT/2000, TACACS+ freeware
RADIUS: Cisco Secure ACS UNIX, Cisco Secure ACS NT/2000, Lucent
Slide 9: Authentication Proxy Operation
Users must successfully authenticate with the authentication server by entering a valid username and password. On success the server returns the user's access profile, and the authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) for that user's host. The authentication proxy also sets up an inactivity, or idle, timer for each user profile; when the timer expires, the dynamic ACEs are removed and the user must authenticate again.
Slide 10: Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.
Slide 11: AAA Server Configuration
Slide 12: Authentication Proxy Configuration
The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs. Applying the authentication proxy inward at an interface causes it to intercept a user's initial connection request. Users are authorized for services only after successful authentication with the AAA server.
Slide 13: AAA Configuration – Enable AAA
Router(config)# aaa new-model
–Enables the AAA functionality on the router (default = disabled)
Slide 14: Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2]
–Defines the list of authentication methods that will be used, tried in the order listed
–Methods: TACACS+, RADIUS, or both
Router(config)# aaa authentication login default group tacacs+
(use group radius for RADIUS; listing both groups makes the router fall back to the second group only when no server in the first group responds, not when a server rejects the user)
Slide 15: Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2]
–Use the auth-proxy keyword to enable authorization for the authentication proxy
–Methods: TACACS+, RADIUS, or both
Router(config)# aaa authorization auth-proxy default group tacacs+
Slide 16: Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr
Router(config)# tacacs-server key string
–Specifies the TACACS+ server IP address
–Specifies the TACACS+ server key
Router(config)# tacacs-server host 10.0.0.3
Router(config)# tacacs-server key secretkey
Slide 17: Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr
Router(config)# radius-server key string
–Specifies the RADIUS server IP address
–Specifies the RADIUS server key
Router(config)# radius-server host 10.0.0.3
Router(config)# radius-server key secretkey
Slide 18: Allow AAA Traffic to the Router
–Create an ACL to permit TACACS+ traffic from the AAA server to the firewall (source address = AAA server, destination address = the router interface on the side where the AAA server resides)
–May want to permit ICMP
–Deny all other traffic
–Apply the ACL inbound on the interface on the side where the AAA server resides
Router(config)# access-list 111 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in
Slide 19: Enable the Router HTTP or HTTPS Server
Router(config)# ip http server
Router(config)# ip http authentication aaa
Router(config)# ip http secure-server
–Enables the HTTP server on the router
–Sets the HTTP server authentication method to AAA
–Enables the HTTPS server on the router
–The proxy uses the router's HTTP or HTTPS server to present the login page to the client; prefer HTTPS so that usernames and passwords are not sent in clear text
Slide 20: Set Global Timers
Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
–Authentication inactivity timer in minutes (default = 60 minutes)
–Absolute timer in minutes (default = 0 minutes, meaning disabled); when set, the user's entry is removed when it expires regardless of activity
Router(config)# ip auth-proxy inactivity-timer 120
Slide 21: Define and Apply Authentication Proxy Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
–Creates an authentication proxy rule
Router(config-if)# ip auth-proxy auth-proxy-name
–Applies an authentication proxy rule to an interface
For outbound authentication, apply to the inside interface
For inbound authentication, apply to the outside interface
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
Slide 22: Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
–Creates an authentication proxy rule with an access list
An authentication proxy rule can be associated with a standard ACL, providing control over which hosts use the authentication proxy: only connections from sources permitted by the ACL are intercepted.
Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
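The commands shown one per slide on slides 13 to 22, assembled into a single working router configuration. This is an added example, not part of the original deck: the addresses 10.0.0.3 (ACS) and 10.0.0.1 (router), the key, and the ACL numbers come from the slides; the interface name Ethernet0/0, its subnet mask and the interface description are assumptions.

```cisco
! Added example: slides 13-22 assembled into one IOS configuration.
! 10.0.0.3 (ACS), 10.0.0.1 (router) and the key come from the slides;
! the interface name and mask are assumed.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.3
tacacs-server key secretkey
!
! ACL 111 goes inbound on the interface facing the ACS. It permits the
! TACACS+ replies from the server (source port 49) and ICMP, then denies
! everything else. The proxy inserts each authenticated user's dynamic
! ACEs into this ACL ahead of the final deny.
access-list 111 permit tcp host 10.0.0.3 eq tacacs host 10.0.0.1
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
! ACL 10 limits which source hosts the proxy rule intercepts.
access-list 10 permit 10.0.0.0 0.0.0.255
!
! The login page is served by the router's own HTTP(S) server.
ip http server
ip http secure-server
ip http authentication aaa
!
! Global timers: remove an entry after 120 minutes idle. The absolute
! timer is left at its default of 0 (disabled).
ip auth-proxy inactivity-timer 120
!
! Rule: intercept HTTP from the hosts in ACL 10. Per-rule timers, when
! given, override the global values for this rule.
ip auth-proxy name aprule http list 10
!
interface Ethernet0/0
 description inside: users and ACS 10.0.0.3 (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip access-group 111 in
 ip auth-proxy aprule
!
! Verification (exec mode):
!   show ip auth-proxy configuration   rules, timers and lists
!   show ip auth-proxy cache           authenticated hosts and their idle time
!   clear ip auth-proxy cache *        drop all entries, forcing re-authentication
```

With this configuration an inside host's first HTTP connection through Ethernet0/0 is answered by the router with a login page; after a successful TACACS+ login the profile's ACEs are added to ACL 111 for that host and removed again after 120 idle minutes.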
Slide 23: Module 6 – Configure Trust and Identity at Layer 3, 6.2 Introduction to PIX Security Appliance AAA Features
Slide 24: Types of Authentication
Three types of authentication are available on the PIX Security Appliance:
1. Access authentication
2. Cut-through proxy authentication
3. Tunnel access authentication
Slide 25: Types of Authentication
For cut-through proxy authentication, the PIX Security Appliance can be configured to require user authentication for a session through the PIX, as specified in the aaa authentication command.
–Only Telnet, FTP, HTTPS, and HTTP sessions can be intercepted to authenticate users.
–Once the user is authenticated, the PIX shifts the session so that all traffic flows directly between the client and the server, while the PIX keeps the session state information.
For tunnel access authentication, the PIX Security Appliance can be configured to require a remote tunnel user to authenticate before the tunnel is fully established.
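A cut-through proxy configuration for the PIX Security Appliance, using the 7.x "match" command syntax that the later accounting slide title refers to. This is an added example and is not from the deck: the AAA server address and key reuse the values from the IOS slides, while the server tag AUTHSRV, the ACL names, the inside network 10.0.0.0/24 and the virtual Telnet address 192.168.1.5 are assumptions.

```cisco
! Added example: PIX 7.x cut-through proxy. Server tag, ACL names, inside
! network and virtual Telnet address are assumed; server IP and key reuse
! the values from the IOS slides.
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 10.0.0.3 secretkey timeout 10
!
! Sessions matching AUTH must be authenticated. The PIX can prompt only
! on Telnet, FTP, HTTP and HTTPS; other TCP sessions in the ACL are
! simply dropped until a uauth entry exists for the source host.
access-list AUTH extended permit tcp 10.0.0.0 255.255.255.0 any
aaa authentication match AUTH inside AUTHSRV
!
! For the non-Telnet/FTP/HTTP traffic, the user first telnets to this
! virtual address, authenticates, and the resulting uauth entry then
! covers the rest of that host's traffic. The address must fall inside
! the AUTH ACL, which it does because the destination there is "any".
virtual telnet 192.168.1.5
!
! Account for every authenticated session on the same server.
access-list ACCT extended permit tcp 10.0.0.0 255.255.255.0 any
aaa accounting match ACCT inside AUTHSRV
!
! A uauth entry lasts at most one hour and is dropped after 30 idle
! minutes, whichever comes first.
timeout uauth 1:00:00 absolute
timeout uauth 0:30:00 inactivity
!
! Verification (exec mode):
!   show uauth            authenticated users and remaining timers
!   clear uauth           drop all entries, forcing re-authentication
```

The two timeout lines are the PIX counterpart of the IOS inactivity and absolute timers on slide 20; leaving the absolute timeout at its default of five minutes makes users re-authenticate far more often than the idle value alone would suggest.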
Slide 26: Types of Authentication
Slide 27: AAA Server Support
The PIX Security Appliance supports authentication and authorization using its own local user database or an external AAA server.
–Accounting is tracked only on an external accounting server.
The protocol used between the PIX Security Appliance and an external AAA server varies by AAA feature; see the next figure.
Slide 28: AAA Server Support
Slide 29: Module 6 – Configure Trust and Identity at Layer 3, 6.3 Configure AAA on the PIX Security Appliance
Slide 30: Types of Access Authentication
Slide 31: Remote PIX Access
Telnet access to the security appliance console is available from any internal interface.
Telnet access on the outside interface is available only through an IPsec tunnel.
SSH access to the security appliance console is available from any interface.
Slide 32: Authentication Configuration Steps
Slide 33: Add Users to the Local User Database
Slide 34: Cut-Through Proxy
Slide 35: Authentication of Non-Telnet, FTP, or HTTP Traffic
Slide 36: Virtual Telnet
Slide 37: Virtual HTTP
Slide 38: User Authorization
Slide 39: Downloadable ACLs
Slide 40: Enable Accounting Match
Slide 41: Admin Accounting
Slide 42: Command Accounting