Cisco Systems

S/KEY ..... 11
(Token Password Authentication) ..... 13
PPP ..... 13
PPP PAP ..... 14
PPP CHAP ..... 14
PPP EAP ..... 16
TACACS+ ..... 17
RADIUS ..... 19
SSL ..... 21
SSH ..... 21
S-HTTP ..... 22
SOCKS ..... 23
IPSEC ..... 23
X.509 ..... 27
L2F ..... 30
PPTP ..... 30
L2TP ..... 31
LDAP ..... 32
DNSSEC ..... 33
CISCO SAFE: ..... 34
SAFE ..... 36
(VPN) ..... 53
(WAN) ..... 56
VPN/ ..... 71
(WAN) ..... 73
IP- ..... 75
(Denial of Service DoS) ..... 76
Man-in-the-Middle ..... 77
CISCO ..... 80
(RFC) ..... 80


.
- ,
, . ,
, Cisco
.
(White Papers) Cisco , , .
, . , . Cisco Systems .
, (Internet
Engineering Task Force IETF) IP. , ,
, IP. , , Cisco
.

, , . :
: ,
( , , , ..).
: .
: ,
.
: , , , .
: .
: , ,
.
: , /
; ; .
: , /
; ;
.
: , .
: ,
.
-: , ( ). , , .
: , -.
(Message digest): , - ( ,
).
: .
: , ( ), .
AAA Authentication, Authorization, Accounting: , Cisco Systems.
: .
NAS Network Access Server: .

VLAN Virtual Local Area Networks: .


VPN Virtual Private Networks: .
VPDN Virtual Private Dial-Up Networks: .


, . ,
: , -. , . - .

. , , . . , , , , . ( )
(). . . .
, , , .
, , . :
, .

,
: , .


, , . 1 , , .
,
. , ( ), /.
1.

, 2. , , .
.
.

2.

, -
( ),
, , , . ,
, .
, Data Encryption Standard (DES),
3DES ( DES) International Data Encryption Algorithm (IDEA). 64 . 64 ( ), 64 , - .
, , : (ECB), (CBC), x- (CFB-x)
(OFB).
(firmware).
, ( ) . :

, .

.
- (Diffie-Hellman), .


, , . : .
,
: (. 3).
.
3.

.
, , . , / . .
4 ,
. ( ,
, , , ), , . , . , , , , , . .
4. ,

5 ,
. , , ,
. ,
. ,
. , , .
5.

, . , , , , , .
/ , , , . ,
, . /
. - . , .
RSA (, , )
ElGamal.

-
- , ,
. (-),
. ( ). (. 6.) . , ,
. - . , , , , .
6. -
-
. - :

Message Digest 4 (MD4);


Message Digest 5 (MD5);
(Secure Hash Algorithm SHA).


,
. .
-
- , ,
, ,
, .
. 7 - DES . , p ( ) g (, p, ),
. , ( ) . ( )
. -. , .
Z. Z DES . , p g, Z -
.
7. - DES
1: p g

2: ,

3: Z

, ,
, , . - ,
. .

, . .
- . 8 .
(, Digital Signature Standard DSS), /
. , . , MD5. MD5, 128 . ( ).
.
, .

8.

, , . 9 , . . ,
. .
, . ,
, .

9.


,
. 10 X.509. X.509
:

;
;
;
;
;
;
.

10. X.509

:





,

0000123
SHA, DH, 3837829
1/1/93 to 12/31/99
Alice Smith, Acme Corp.
DH, 3813710
Acme Corporation Security Dept.
SHA, DH, 239702317 ...

, CA, ,
. 11 , , , CA. , CA. . CA .

CA , , , . , .
11.

,
CA . ,
(PKI), , , ,
. , , CA, CA. .

,
12.
12.

/ . ,
CA X.509 . , CA . , ,
,
, :
1. CA .
2. CA , .
3. CA .
4. CA .
5. CA , .
6. CA .
7. - .
8. , -,
.


, : , . (, , , , ..) .
, , . ,
, . , , Cisco,
. , ,
. IETF, ,
web- IETF : http://www.ietf.org.


, , , . , . - .
S/Key
(token password authentication). Point-to-Point Protocol (PPP)
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) Extensible Authentication
Protocol (EAP). EAP , PPP. TACACS+ Remote Access Dial-In User Service (RADIUS) , .

S/Key
S/Key, RFC 1760, MD4 MD5. , , .
S/Key /,
, . , -

. S/Key, , ,
(seed). , :
, .
( ). , .
( ) , .
, , - 64-
. - , .
-.
64- .
:

-, ;
(cut and paste);
.

( ). ,
2048 . , 11 , . S/Key
.

. , . ( UNIX /etc/skeykeys), , . , keyinit (


). -. , , , . , , , - . keyinit, ,
.
13 , S/Key ,
Telnet UNIX-,
S/Key.
IETF, (One-Time Password (OTP)
Authentication Working Group). :
http://www.ietf.org/html.charters/otp-charter.html.

13. S/Key

(Token Password Authentication)


:
- . -
, (PIN) (user ID). PIN user ID , ( , ). , ,
. .
. ,
, ,
. , . , . , .

,
. , . PIN ,
, . . , . , .

PPP
PPP (), . :

;
Link Control Protocol (LCP), ,
;

Network Control Protocols (NCP) .

, LCP .
, , PPP ( ) .
. , ,
. , , , PPP ,
, . .
PAP CHAP PPP. EAP PPP, .
, PPP. LCP IP Control Protocol (IPCP), IP.
- PPP. PAP CHAP , (login)
. CHAP , PPP. PAP . .
IETF PPP (pppext) :
http://www.ietf.org/html.charters/pppext-charter.html.

PPP PAP

14 PAP.
14. PPP PAP
(NAS) . -

- NAS , .
PAP . PAP
, , . ,
.
.

PPP CHAP
CHAP . , .
15 CHAP.

15. PPP CHAP

(NAS) . CHAP , . . , (ID), ( ) (


). . ,
-. , . . , . , , , LCP .
. , -

- .
, .
CHAP . ,
. .
: - CHAP MD5,
. Microsoft CHAP (MS-CHAP),
( ) . MS-CHAP : CHAP, .

PPP EAP
PPP EAP PPP, . EAP
, . . , ,
, PPP .
16 , PPP EAP.
16. PPP EAP

(NAS) . . ,
, . , , , MD5, S/Key, .. MD5 CHAP. ,
. , -

( , ..).
. ,
, . , , .

TACACS+
TACACS+ TACACS. TACACS
, User Datagram Protocol (UDP) Bolt, Beranek and Newman, Inc. (BBN) Military Network (MILNET). Cisco TACACS,
TACACS, TACACS+.
TACACS+ TCP. 49, IP, TACACS. RFC UDP TCP. TACACS
49.
TACACS+ /, TACACS+
NAS, TACACS+, , (, UNIX
NT). TACACS+ , (AAA Authentication, Authorization, Accounting). , , , TACACS+ , PPP PAP, PPP CHAP,
Kerberos. . , . ,
.
, .
, . , ( ).
, , , . TACACS+ , . , ,
PPP PPP IP IP. TACACS+ , IP PPP.
.
. TACACS+ . -, (, ). -, . TACACS+
. , . ,
. (update)
, .
TACACS+ , , ,
( ) .
TACACS+ TACACS+ , .
. TACACS+ , TACACS+
TACACS+.
17 ,
, TACACS+, .

17. TACACS+

1.
.
2. .
3. .
4. TACACS+
TACACS+.

5. TACACS+ .
6.
.
7. TACACS+ ,
.

TACACS+ : START, CONTINUE REPLY.


START CONTINUE , REPLY .
, START. START
. START TACACS+ . (
, REPLY.) START , .

START REPLY. REPLY ,


. REPLY ,
, .
CONTINUE.
( ). : REQUEST () RESPONSE (). REQUEST ,
, , , .
18 19 TACACS+.
18: TACACS+.

19. TACACS+

RADIUS
RADIUS Livingston Enterprises, Inc. . 1996 RADIUS
IETF. RADIUS (RFC 2058) RADIUS (RFC 2059) .
NAS RADIUS UDP. , RADIUS . , ,
, , RADIUS, .
RADIUS /. RADIUS NAS, RADIUS , UNIX NT. RADIUS,
. RADIUS , , ,
. RADIUS RADIUS - (proxy).
20 , ,
RADIUS, .
20. RADIUS

1.
.
2. .
3. .

4. RADIUS
RADIUS.
5. RADIUS Accept, Reject
Challenge.
6. RADIUS ,
, Accept, Reject Challenge.

RADIUS .
, PPP PAP CHAP,
UNIX login .

(Access Request), NAS RADIUS, ( ), . Access Request , , IP- NAS . . , - , , (Service-Type = Exec-User), PPP, (Service Type = Framed
User Framed Type = PPP).
RADIUS NAS Access Request, . , ,
, .
, .
RADIUS . , RADIUS ,
.
(shell framed), , IP, ( ), ,
NAS. RADIUS ,
NAS. 21
RADIUS.
21. RADIUS

RADIUS
. RADIUS
( , , ..), . (ISP)
RADIUS .
RADIUS , . , RADIUS , .

RADIUS IETF : http://www.ietf.org/html.charters/radius-charter.html.


, . SSL Secure Shell
Protocol (SSH), .
IETF (Transport Layer
Security TLS). (S-HTTP) web-, SSL. SOCKS , / TCP
UDP . IP
(IPSec)
( IP). X.509 , -

.
. X.509 (PKI).

SSL
SSL , Netscape. SSL ( Hypertext Transfer
Protocol [HTTP], Telnet, Network News Transfer Protocol [NNTP] File Transfer Protocol [FTP]) TCP/IP. , , ( ) TCP/IP. SSL W3 (W3C) Web- .
SSL , . .
, (, TCP), SSL Record Protocol. SSL Record Protocol . , SSL Handshake Protocol, ,
. SSL
, . SSL. SSL ,
:

. .
(, DES, RC4 ..).
, (, RSA, DSS ..).
.
(MAC).
- (, - [SHA], MD5 ..).

SSL . , . SSL , ,
, ( ), MAC, . , , , .
SSL HTTP.
SSL, .

SSH
Secure Shell (SSH) . ,
TCP/IP X11. SSH
, . SSH
.

, (,
DNSSEC, [SPKI], X.509).
SSH :

. , . .
.
, .

IDEA
( DES , DES, RC4-128, Blowfish). -

RSA, , , ( ). RSA, RSA.


() IP ; DNS . , RSA .
, , . SSL , TCP
SSL , TCP ,
.
SSH
IETF Secure Shell (secsh) : http://www.ietf.org/html.charters/secsh-charter.html.
(, SSL SSH) :

(end-to-end) TCP/IP, (API) (WinSock, Berkeley Standard Distribution


[BSD] ..);
, Van
Jacobson , , TCP/IP;
- , , (MTU) ..;
.
, .

S-HTTP

S-HTTP , HTTP. HTTP HTTP.


( ,
). HTTP.
S-HTTP . , S-HTTP, S-HTTP
, S-HTTP,
S-HTTP . S-HTTP ( ),
. S-HTTP , .
S-HTTP (end-to-end) ,
HTTP, ,
, .
, (
). , , . S-HTTP,
.
S-HTTP , . , (, ,
, ,
; ),
, (RSA Digital Signature Standard [DSA] , DES RC2 ..), (:
Verisign). S-HTTP
.
S-HTTP . IETF web- (wts) :
http://www.ietf.org/html.charters/wts-charter.html.

SOCKS
SOCKS , / TCP UDP
.
, . SOCKS :
(, Telnet Netscape) (-)
.
SOCKS (Dave Koblas) SGI,
. , . SOCKS 4
/, TCP, Telnet, FTP ,
HTTP, Wide Area Information Server (WAIS) GOPHER. SOCKS 5, RFC 1928,
SOCKS. UDP, , ,
, IP v6.
IP, . SOCKS V.5, TCP UDP. ,
UDP SOCKS V.5 ( , ), : UDP UDP.
SOCKS . -
SOCKS ( ), ( 1080/TCP). SOCKS , . SOCKS , . , SOCKS.
SOCKS , - SOCKS ( SOCKS- ). , (Telnet, FTP, finger, whois) SOCKS, SOCKS .
, SOCKS V.5 : (, Solaris) SOCKS- ,
SOCKS shared libc (
LD_LIBRARY_PATH Solaris).

IETF, , :
http://www.ietf.org/html.charters/aft-charter.html.

IPSec
IP (IPSec) ,
IP. IPSec , RFC.
RFC, , , .

RFC 2401 (Security Architecture for the Internet Protocol) IP.


RFC 2402 (IP Authentication header) IP.
RFC 2403 (The Use of HMAC-MD5-96 within ESP and AH)
MD-5 .
RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH)
SHA-1 .

RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) DES.
RFC 2406 (IP Encapsulating Security Payload (ESP)) .
RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) .
RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) .
RFC 2409 (The Internet Key Exchange (IKE)) .
RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec)
.
RFC 2411 (IP Security Document Roadmap) .
RFC 2412 (The OAKLEY Key Determination Protocol) .

, .
, , , .
IPSec ,
. (Internet Security Association Key Management Protocol ISAKMP)
. ,
, (, Oakley), .

Oakley Key Determination Protocol -, .


Oakley . , .
, ,
, . ,
, .
ISAKMP Oakley IKE Internet Key
Exchange. IKE, ISAKMP Oakley, ISAKMP
Oakley. ( ) , , , , . , ,
(VPN) , , (
IP), .
IPSec IP , , (
) . IPSec (. 22).
22.

, , , .
(SA), . SA :

;
;
;
.

SA ,
SA, . , ,
. SA ISAKMP. , SA . 23 ISAKMP, , , .
23. SA ISAKMP

SA , ,
. , -, MD5 128- . -, AH,
24.
24: IP

, IP , . ,
, -, SA, -. 25,
, AH. , (
).
25.

, , . AH
.
, , , SA , ,
, .
. ESP , : , 26 27.
26. ESP

27. ESP

IP, IP ESP. , IP . DES (CBC).


, , . ESP ESP .
IPSec :

,
(end-to-end);
(VPN) ;
, , TCP (, UDP);
, ,
;
AH
,
(, TCP SYN).


IETF IP (IPSEC) :
http://www.ietf.org/html.charters/ipsec-charter.html.

X.509
, , . PKI. X.509 . , (CA). RFC 1422 PKI X.509, , (PEM). RFC 1422 PKI . X.509. web-,
IPSec. X.509 3
(CRL) 2.
, ,
( ), . , , . CA . , . -

,
, - . PKI.
X.509 v3 (. 28).
28. X.509 v3

: ,
. , , ,
, ( ). ,
, . , CA .
-. , -, CA. (. 29).
29. X.509 v3
,
. , .
,
CA (, , ),
.
CA .
CRL
. CA . CRL

. - (, ),
,
CRL, , .

,
CRL. CA CRL (, , ).
CRL. .
30 CA .
30.

CA / . CA X.509 v3. ,
CA. ,
- , :

1. - CA .
2. CA , .
3. - CA
.
4. CA -
.
5. CA - , .
6. CA - .
, ,
. -, , , .
.
( CA?), - ( FTP Lightweight Directory
Access Protocol [LDAP] ) ( ).

IETF (PKIX) :
http://www.ietf.org/html.charters/pkix-charter.html.

(Virtual Private Dialup Networks VPDN)


, .
, . .
: (Layer 2 Forwarding L2F), (Point-to-Point Tunneling Protocol PPTP)
(Layer 2 Tunneling Protocol L2TP).

L2F
(Layer 2 Forwarding L2F)
Cisco Systems. ( High-Level Data Link Control [HDLC], async HDLC Serial Line Internet Protocol [SLIP] ) , , IP. , , , , (SLIP, PPP), .
, IP, IPX AppleTalk
SLIP/PPP . , . , , , IP, .

PPTP
Point-to-Point Tunneling Protocol (PPTP) Microsoft.
PPP, . /, , NAS, (VPN). PPTP
(PNS) , ,
PPTP (PAC), . PPTP -

, (PSTN) ISDN . PPTP


(GRE) PPP, . PPTP IPSec.

L2TP
, L2F PPTP . Cisco Microsoft ( IETF) ,
(Layer 2 Tunneling Protocol L2TP).
(L2F PPTP), L2TP.
, , L2TP.
31.
31.


IETF (pppext) :
http://www.ietf.org/html.charters/pppext-charter.html.


, . . LDAP DNSSEC.

LDAP
Lightweight Directory Access Protocol (LDAP) . LDAP . 1995 . .500. X.500
,
. LDAP , /.
, .500,
X.500 Directory
Access Protocol (DAP). RFC 1777 2 LDAP.
3, . LDAP TCP
LDAP, , .500.
:

, ;

, , ;

, , ( 3).
, LDAP, , . , , .
. , -
. 32.
32. LDAP

1 2 LDAP .
LDAP , ,
. ,
.
. LDAP , , DIT. , : RDN,
. RDN
, . - , , ,

, .
LDAP :

.
, 1 2, 3.

- .

RDN
.

, .

3, , - ; , .
. LDAP 2 , ( ), Kerberos 4.
3 SASL . SASL . , .
ASID
(, ) IETF LDAP, , :
http://www.ietf.org/html.charters/asid-charter.html http://www.ietf.org/html.charters/ldapext-charter.html.

DNSSEC
DNS .
. DNS
.
.
DNS , . DNS.
, DNS. ,
. , DNS, . .
DNS.
IETF Domain Name System Security (dnssec)
:
http://www.ietf.org/html.charters/dnssec-charter.html.

Cisco SAFE:

Cisco (SAFE) , . SAFE ,


. SAFE
.
, . ,
. SAFE Cisco .
SAFE. , . , , , , . , .
, ,
. . , ,
.
, . , , .
,
. , .

, . Cisco
Systems .
.
, . . , , ,
, .

. , , . , . , ,
, ,
. , .
(VPN) , .
, , VPN. VPN, ( ,
(certificate authorities CA)). . (, ,
). , , SAFE, .
SAFE Cisco . . ,

. SAFE , .
.
, . , .



SAFE .
. , :

;
( );
;

;
;
.

- ( ), SAFE ,
. , , , , .
, . , . SAFE . .
, SAFE . , , ,
- , .
, ,
,
, .
,
.

. , , . .
,
. ,
Cisco IOS ,
. , . , .

- , SAFE .
. -, , . -,

, ,
.
33 SAFE.
. - (ISP) , ,
- .
33.
, 34,
.

.
. , ,
,
, 80 %
. , , ..
.
34. - SAFE.

,
. , , SAFE. , , .

SAFE

. ,
. . .
, , . ,
. :

SNMP;

TACACS+;
;
;
.

, ,
: http://www.cisco.com/warp/customer/707/21.html

( , ), , . , . ,
, . ,
:

,
auto, (off). , .
, VLAN ( ), . , , VLAN 3. :
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
VLAN, 3. , , .
.
VLAN . , ,
VLAN VLAN ,
. - VLAN , , .

VLAN
(private VLAN). ,
,
VLAN. , , (promiscuous ports).
. . , web-, FTP (DNS).
DNS, .
,
, .
, .

. , . , , ,
. ,
. , http://www.whitehouse.gov ( ),
- s2-0.whitehouse.net ( ). , .
. web-
, , , . , web- , . , -

, . , - . : , .
.
, . , ,
.
, . , (denial of service DoS).

, .
(distributed denial of service
DDoS). , IP-. , , . DS3 (45 /),
web-. . , , . , DDoS.
, . DS1
(1,5 /). , DS3 .
1 / ( , DDoS
Unix 50 M/), . , , . , , . .
.

-. ,
. .
.
DDoS ICMP, TCP SYN UDP. .
TCP SYN 80 (http)
.
, .
80 ,
web-. , ,
, .
RFC 1918
RFC 2827. RFC 1918 , ,
. RFC 2827 IP- . RFC 1918 2827 , , . -
WAN DDoS, , . - RFC 2827,
. DDoS, , .

, , .
(, , )
( , , -

, FTP ).
, ,
(intrusion detection system IDS), . IDS - ,
, . . , (host-based IDS HIDS), . , -. ,
. - (HIDS)

NIDS (network IDS), .
- , NIDS. Cisco HIDS
, NIDS . .
,
. , ,
. , . IDS . ,
HIDS , HIDS .
NIDS, :
( ) , . NIDS , - ,
, .
, , , . , . NIDS , , ,
. , NIDS , . IP- -
HTTP, .
DoS.
,
, , UDP. . . RFC 2827 , . ,
, ,
. , , , (stateful filtering), .
IDS, .
NIDS TCP (TCP reset).
, . TCP reset .
, , .
. NIDS .
NIDS,
, NIDS . NIDS, ,
. , NIDS,
. , IDS, ,

, . ,
, IDS , .


? . , ?
. , , .
? ?
? ,
? , ? , ? (-) .
. ? , ?
, ?
,
(out-of-band OOB). , , ,
. , .
( ), .
, .
, , . , (OOB)
. .

- . (syslog data), .
,
. , ,
- . , , , . , , 2,
, , (IDS). , IDS,
. , .
. - , . NTP
(Network Time Protocol), .
, .
, , , -, .
, - , , . , , SSL (secure socket layer) SSH (secure
shell), . SNMP , .
, SNMP . SNMP (SNMP community string) , Unix-.
. ,

. . , FTP TFTP.


: . , , , .
. .

, , , , . , . , , .
. ,
, . , , , . , .
. DoS.
, , , , / war-dialer.
, . , . , , , .
.

, .
35.


, SAFE. -
,
.
36.

SNMP SNMP;

NIDS NIDS ;

() Syslog NIDS;

( ) , ;

NIDS ;

2 ( ) IOS.
37. :

IOS ;

Man-in-the-Middle , , , ;

, ,
, , -;

IP- IOS ( ) , ;


, .
38. :


, SAFE , IOS, (VPN). ,
, , . ,
, IOS, . , IPSec . Cisco,
. IOS , syslog , Telnet, SSH SNMP,
.
, . .
, , .

: Cisco IOS,
, , .
reverse-telnet Cisco . -

( , , -
, SNMP) . ( ) IPSec, .
,
. , .
.
, . - , , .
, ,
IOS, . , . , HIDS NIDS,
. , .
SNMP .
SNMP ,
. SAFE SNMP , . SNMP .

(syslog). Syslog . syslog. , , syslog. , -


.
SAFE
(CLI). SAFE , .
. , .

, . , . ,
. IPSec, SSH SSL , . , , , community strings, , .

. IDS,
.
, , .

SAFE .
.

3 .

39. :

.


,
Cisco ,
.
SAFE
,
, ,
.

. ,
(QoS) . .
.

3 2 .
40. :

3.

IP- RFC 2827


.

41. ,



, , .
, , , - (,
, ..).
, .
.
, , ,
(VLAN) , -

- .
, ,
.
, 3. RFC 2827 . ,
IP (VoIP) CallManager IP. VoIP
, . (QoS).

,
, .

SAFE , , 2. , .

2 2 .

IP- IP-.
42. :

VLAN .
,

.

43.

,
.
,
, -
, . , 2, , , 3. , ,
, .
.

. IDS,
3.

3 3 NIDS.

CallManager IP-, .


, DNS.

SMTP POP3.
44. :


.

,
,
.
, HIDS.

IP- RFC 2827


.
.
,
VLAN .
HIDS ,
.

45.



. ,

, ,
.

.

HIDS,
NIDS, (VLAN),
( ).
NIDS ,
, .
, , , SMTP, Telnet, FTP WWW. NIDS, , , VLAN. .
, .

, , ,
. -

NIDS 3 (blades) NIDS


.

.
.

3 .
46. :




,
.

IP- RFC 2827



, .

, ,
.

.
47.

.
,

.
3,
,
. , .
, .

,
, , SAFE. NIDS, IDS, 3.
NIDS , . -

( SAFE) ,
.


, .
48. 1

49. 2

-
- - , . (VPN) ,
VPN. . .
50. -

SMTP - .

DNS DNS , .

FTP/HTTP .

NIDS 47.

URL URL,
.
51. -:

(ISP), .

IDS .

HIDS.

, IDS.

(DoS) CAR ISP


TCP .

IP- RFC 2827 1918 ISP .

HIDS
.

IDS , .

VLAN.

HIDS.
52. -


, . , , . , 2 3, , .
, ISP,
, ,
(D)DoS. , ISP
RFC 1918 2827,
.
, ( IP-) .
. RFC 1918
2827 , ISP. , ,
, , . ,
, . , IPSec, -

VPN/ , . ,
VPN IPSec,
. VPN IP- , , , , , .
NIDS, , , 47 . ISP

, NIDS .
NIDS , , . , ,
, .
. TCP
SYN .
,
, . ( HIDS NIDS), . , ,
. , web- , , .
. xterm web- . , VLAN , . , VLAN .

, URL,
, URL. ,
URL- - . URL-
WWW.
URL, URL-. , WWW, . URL ,
IP- web- ,
. HIDS , - .
NIDS.
, .
, , , . NIDS NIDS, , , . ,
(HTTP, FTP, SMTP ..).
DNS .
, .
(zone-transfers), , DNS. SMTP , ,
. SMTP
7 .
NIDS, ,
. , -

, . , . ,
SMTP, ,
TCP- 25, .
, , , - .
( reset), , , SMTP.

. , , , NIDS . , . , , NIDS
, . , , ,
, . , . , , NIDS, ,
. ,
(ISP) , .
, .
,
, -. , . , 2,
, -.
(VPN)
, : VPN, , , . , , ,
.
53. VPN /

VPN

XAUTH IPSec.

VPN GRE/IPSec.


TACACS+ .

NIDS

47.

54. VPN / :

Internet Key
Exchange (IKE) Encapsulated Security Payload (ESP).

() .

, ,
.

Man-in-the-Middle .

.
55. VPN /


,
. ,
. .
VPN
VPN , -. IP- , -

VPN. .
IPSec, , PPTP L2TP, .
SAFE IPSec, , , , , .
VPN IKE (UDP 500). IKE , .
XAUTH, IKE (draft RFC), , -
IP. VPN .
.
. IP- MODCFG, IKE. IP-
(DNS WINS), MODCFG . , SAFE .
. IPSec, 3DES ( ) SHA-HMAC ( ). ,
VPN, VPN . VPN
, VPN.

IPSec . ,
.


, .
1 CHAP. VPN , . IP-, IP- .
VPN
VPN, , GRE, IPSec ESP (Encapsulated Security Payload).
, , -,
VPN. .
ESP (IP 50) IKE (UDP 500).
GRE , .
(multicast).
( EIGRP Enhanced Interior
Gateway Routing Protocol), GRE ,
GRE ( VPN).
VPN , 3DES SHA-HMAC. VPN IPSec.

, . -

, . NIDS ,
VPN. IPSec (IKE/ESP). NIDS IPSec, .
.
NIDS , . . , , ,
(shunning) (TCP reset) .

VPN , . ,
.

- / .
L2TP / PPTP VPN.
Certificate Authorities (CA).
IKE (IKE keep-alive resilience mechanism).
VPN (MPLS).

(WAN)

.
Frame Relay.

IOS , (QoS).

56. :

IP- 3.


, .

57.

,
-
. IOS.
, ,
.

, , ,
. , IPSec.

,
. -

.
58.

Web-
.

,
web-.

,
.

NIDS .
3 ISP .

59. :


(ACL)
.

(IDS).

(DoS) (ISP)
(D)DoS.

IP- RFC 2827 1918


.

HIDS .

; ICMP .

HIDS .

60.


, : web-, .
(ISP) . ,
.

, , HTTP web-
IP- DNS, ISP. DNS , , .
.
, web- . , , web-.
web- , web- , .
.
web-, web-
. HTTP SSL .
- . web- , SSL.
. , SQL,
, . . , (backend), .
, , , , , .
. web, .
web- ().
,
(HIDS). , root kit.
, .
,
, ISP. , ,

ISP , ,
web-. ,
( BGP Border Gateway Protocol). . (D)DoS (ISP) , SAFE. ISP RFC 1918 RFC 2827.
(ISP). 3, . 3 BGP,
, (ISP) . -, 3 , ISP, . -, 3 (IDS).
IDS, web-, IDS . 10 % ,
- , , ,
. NIDS, , , ,
. , , web- , , HIDS, . -, ,
.
,
(NIDS).
, (web, , ) , .
,
(SSH, FTP, Telnet ..), . .
2, , , VLAN, ,
, ,
. , , web-
web-.
( )
(out-of-band).

(ISP).
( ) . -,
ISP LAN . , , , . , (D)DoS. -, - . .
.
. . .

. : web-
.
.
, . .


. , , . ,
. .
(IDS) , .


. , ,
. , .
. 3.
,
.
VPN/
-. : NIDS. , , , . , .
VPN/ . , ,
. -

(D)DoS ISP.


NIDS.
, . ,
HIDS, (NIDS). (, ) , .
, .
. . , , , ,
.


SAFE .
, , , . , .
.
. , , , .
, , SAFE . , VPN/ , ,
. , VPN , . VPN

, , .
SAFE . , , , . . ,
. .
SAFE , .
SAFE . , , , . :

;
;
, , (, ) (certificate authority);
VPN (WAN).

.
SAFE,
, . . , , . , .

, SAFE.
! turn off unnecessary services
!
no ip domain-lookup
no cdp run
no ip http server
no ip source-route
no service finger
no ip bootp server
no service udp-small-s
no service tcp-small-s
!
!turn on logging and snmp
!
service timestamp log datetime localtime
logging 192.168.253.56
logging 192.168.253.51
snmp-server community Txo~QbW3XM ro 98
!
!set passwords and access restrictions
!
service password-encryption
enable secret %Z<)|z9~zq
no enable password
no access-list 99
access-list 99 permit 192.168.253.0 0.0.0.255
access-list 99 deny any log
no access-list 98
access-list 98 permit host 192.168.253.51
access-list 98 deny any log
line vty 0 4
access-class 99 in
login
password 0 X)[^j+#T98
exec-timeout 2 0
line con 0
login
password 0 X)[^j+#T98
exec-timeout 2 0
line aux 0
transport input none
password 0 X)[^j+#T98
no exec
exit
banner motd #
This is a private system operated for and by Cisco VSEC BU.
Authorization from Cisco VSEC management is required to use this system.
Use by unauthorized persons is prohibited.
#
!
!Turn on NTP
!
clock timezone PST -8
clock summer-time PST recurring
ntp authenticate
ntp authentication-key 1 md5 -UN&/6[oh6
ntp trusted-key 1
ntp access-group peer 96
ntp server 192.168.254.57 key 1
access-l 96 permit host 192.168.254.57
access-l 96 deny any log
!
!Turn on AAA
!
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs line
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+
tacacs-server host 192.168.253.54 single
tacacs-server key SJj)j~t]6
line con 0
login authentication no_tacacs

OSPF
OSPF . , MD5 , (OOB).
interface Vlan13
ip address 10.1.13.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 024D105641521F0A7E
ip ospf priority 3
!
router ospf 1
area 0 authentication message-digest
network 10.1.0.0 0.0.255.255 area 0
distribute-list 1 out
distribute-list 1 in
!
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any


. , VLAN,
IP- .
interface FastEthernet1/0
ip address 192.168.254.15 255.255.255.0
ip access-group 101 in
ip access-group 102 out
no cdp enable

!
access-list 101 permit icmp any any
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.254.15 established
access-list 101 permit udp 192.168.253.0 0.0.0.255 host 192.168.254.15 gt 1023
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.254.15 eq telnet
access-list 101 permit udp host 192.168.253.51 host 192.168.254.15 eq snmp
access-list 101 permit udp host 192.168.253.53 host 192.168.254.15 eq tftp
access-list 101 permit udp host 192.168.254.57 host 192.168.254.15 eq ntp
access-list 101 deny ip any any log
access-list 102 deny ip any any log

, CAT OS
SAFE. IOS , .
!
!Turn on NTP
!
set timezone PST -8
set summertime PST
set summertime recurring
set ntp authentication enable
set ntp key 1 trusted md5 -UN&/6[oh6
set ntp server 192.168.254.57 key 1
set ntp client enable
!
! turn off un-needed services
!
set cdp disable
set ip http server disable
!
!turn on logging and snmp
!
set logging server 192.168.253.56
set logging server 192.168.253.51
set logging timestamp enable
set snmp community read-only Txo~QbW3XM
set ip permit enable snmp
set ip permit 192.168.253.51 snmp
!
!Turn on AAA
!
set tacacs server 192.168.253.54 primary
set tacacs key SJj)j~t]6
set authentication login tacacs enable telnet
set authentication login local disable telnet
set authorization exec enable tacacs+ deny telnet
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
!
!set passwords and access restrictions
!
set banner motd <c>
This is a private system operated for and by Cisco VSEC BU.
Authorization from Cisco VSEC management is required to use this system.
Use by unauthorized persons is prohibited.
<c>
!console password is set by set password
!enter old password followed by new password
!console password = X)[^j+#T98
!
!enable password is set by set enable
!enter old password followed by new password
!enable password = %Z<)|z9~zq
!
!the following password configuration only works the first time
!
set password
X)[^j+#T98
X)[^j+#T98
set enable
cisco
%Z<)|z9~zq
%Z<)|z9~zq
!
!the above password configuration only works the first time
!
set logout 2
set ip permit enable telnet
set ip permit 192.168.253.0 255.255.255.0 telnet

(). , HIDS ( ClickNet Entercept).


http://www.clicknet.com


61. :

2 Cisco Catalyst 3500XL (
)
Cisco 3640 IOS (eIOS-21)
Cisco 2511 IOS (
)
Cisco Secure Intrusion
Detection System (CSIDS)
RSA SecureID OTP Server
Cisco Secure Access
Control Server
CiscoWorks 2000
Cisco Secure Policy Manager
netForensics syslog analysis tool

ClickNet Entercept HIDS


EIOS-21
IOS Firewall, :
ip inspect audit-trail
ip inspect max-incomplete low 150
ip inspect max-incomplete high 250
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 20
ip inspect dns-timeout 3
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 3
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 40 block-time 0
ip inspect name mgmt_fw tcp timeout 300
ip inspect name mgmt_fw udp
ip inspect name mgmt_fw tftp
ip inspect name mgmt_fw http
ip inspect name mgmt_fw fragment maximum 256 timeout 1
ip audit notify log
ip audit po max-events 100

:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key A%Xr)7,_) address 172.16.224.24
crypto isakmp key A%Xr)7,_) address 172.16.224.23
!
crypto ipsec transform-set vpn_module_mgmt esp-3des esp-sha-hmac
!
crypto map mgmt1 100 ipsec-isakmp
set peer 172.16.224.24
set transform-set vpn_module_mgmt
match address 111
crypto map mgmt1 200 ipsec-isakmp
set peer 172.16.224.23
set transform-set vpn_module_mgmt
match address 110
access-list 110 permit ip 192.168.253.0 0.0.0.255 host 172.16.224.23
access-list 110 permit udp 192.168.254.0 0.0.0.255 host 172.16.224.23
access-list 111 permit ip 192.168.253.0 0.0.0.255 host 172.16.224.24
access-list 111 permit udp 192.168.254.0 0.0.0.255 host 172.16.224.24

, ,
IDS. 45000 CSIDS, 5000
ClickNet HIDS.
access-list 114 permit icmp 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255 echo-reply
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.56 eq syslog
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.51 eq syslog
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.50 eq 45000
access-list 114 permit tcp 192.168.254.0 0.0.0.255 host 192.168.253.50 eq 5000
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.53 eq tftp
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.254.57 eq ntp
access-list 114 permit tcp 192.168.254.0 0.0.0.255 host 192.168.253.54 eq tacacs
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.54 eq 1645
access-list 114 permit udp 192.168.254.0 0.0.0.255 host 192.168.253.52 eq syslog
access-list 114 deny ip any any log

, :
access-list 113 permit icmp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 113 permit icmp 192.168.253.0 0.0.0.255 host 192.168.253.57
access-list 113 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.57 eq telnet
access-list 113 permit tcp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255 eq telnet
access-list 113 permit tcp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255 eq 443
access-list 113 permit tcp 192.168.253.0 0.0.0.255 192.168.254.0 0.0.0.255 eq 22
access-list 113 permit udp host 192.168.253.50 192.168.254.0 0.0.0.255 eq 45000
access-list 113 permit tcp host 192.168.253.50 192.168.254.0 0.0.0.255 eq 5000
access-list 113 permit udp host 192.168.253.51 192.168.254.0 0.0.0.255 eq snmp
access-list 113 permit udp host 192.168.253.53 gt 1023 host 192.168.253.57 gt 1023
access-list 113 permit udp 192.168.253.0 0.0.0.255 host 192.168.254.57 eq ntp
access-list 113 permit tcp host 192.168.253.54 eq tacacs host 192.168.253.57 gt 1023
access-list 113 permit icmp 192.168.253.0 0.0.0.255 host 172.16.224.23
access-list 113 permit icmp 192.168.253.0 0.0.0.255 host 172.16.224.24
access-list 113 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.23 eq telnet
access-list 113 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.24 eq telnet
access-list 113 permit udp host 192.168.253.51 host 172.16.224.23 eq snmp
access-list 113 permit udp host 192.168.253.51 host 172.16.224.24 eq snmp
access-list 113 deny ip any any log

, . , .
. , , .
access-list 112 permit esp host 172.16.224.23 host 10.1.20.57
access-list 112 permit esp host 172.16.224.24 host 10.1.20.57
access-list 112 permit udp host 172.16.224.24 host 10.1.20.57 eq isakmp
access-list 112 permit udp host 172.16.224.23 host 10.1.20.57 eq isakmp
access-list 112 permit udp host 172.16.224.24 host 192.168.253.56 eq syslog
access-list 112 permit udp host 172.16.224.23 host 192.168.253.56 eq syslog
access-list 112 permit udp host 172.16.224.24 host 192.168.253.51 eq syslog
access-list 112 permit udp host 172.16.224.23 host 192.168.253.51 eq syslog
access-list 112 permit udp host 172.16.224.24 host 192.168.253.53 eq tftp
access-list 112 permit udp host 172.16.224.23 host 192.168.253.53 eq tftp
access-list 112 permit udp host 172.16.224.24 host 192.168.253.57 eq ntp
access-list 112 permit udp host 172.16.224.23 host 192.168.253.57 eq ntp
access-list 112 permit tcp host 172.16.224.24 host 192.168.253.54 eq tacacs
access-list 112 permit tcp host 172.16.224.23 host 192.168.253.54 eq tacacs
access-list 112 permit icmp host 172.16.224.24 192.168.253.0 0.0.0.255 echo-reply
access-list 112 permit icmp host 172.16.224.23 192.168.253.0 0.0.0.255 echo-reply
access-list 112 deny ip any any log


62. :


3 Cisco Catalyst 6500 Layer 3
Switches


63. :



3 Cisco Catalyst 6500 Layer 3
Switches
EL3SW-5
3 . VLAN 5 , VLAN 6 (R&D),
VLAN 7 IP- , VLAN 8 IP- .
interface Vlan5
ip address 10.1.5.5 255.255.255.0
ip access-group 105 in
!
interface Vlan6
ip address 10.1.6.5 255.255.255.0
ip access-group 106 in
!
interface Vlan7
ip address 10.1.7.5 255.255.255.0
ip access-group 107 in
!
interface Vlan8
ip address 10.1.8.5 255.255.255.0
ip access-group 108 in
!
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 105 permit ip 10.1.5.0 0.0.0.255 any
access-list 105 deny ip any any log
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.5.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 106 deny ip 10.1.6.0 0.0.0.255 10.1.16.0 0.0.0.255

access-list 106 permit ip 10.1.6.0 0.0.0.255 any
access-list 106 deny ip any any log
access-list 107 permit ip 10.1.7.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 107 permit ip 10.1.7.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 107 permit ip 10.1.7.0 0.0.0.255 host 10.1.11.50
access-list 107 deny ip any any log
access-list 108 permit ip 10.1.8.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 108 permit ip 10.1.8.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 108 permit ip 10.1.8.0 0.0.0.255 host 10.1.11.50
access-list 108 deny ip any any log


64. :


2 Cisco Catalyst 4003 Layer 2 Switches
IP- Cisco IP Phone

EL2SW-11 12
VLAN 2, . ,
VLAN. , , IP-.
VLAN IP- .
set vlan 5 2/5,2/17
set vlan 6 2/6,2/18
set vlan 99 2/34
set vlan 999 2/1-3,2/7-16,2/19-33
set port disable 2/7-33
set trunk 2/1-34 off
set trunk 2/4 on dot1q 1,5-8



65. :


3 Cisco Catalyst 6500 Layer 3
Switch
Cisco Catalyst 6500
Intrusion Detection Module
Cisco CallManager
ClickNet Entercept HIDS
EL3SW-1 2
VLAN
VLAN. .
! CAT OS Config
!
#private vlans
set pvlan 11 437
set pvlan 11 437 3/3-4,3/14
set pvlan mapping 11 437 15/1

!
! MSFC Config
!
interface Vlan11
ip address 10.1.11.1 255.255.255.0
ip access-group 111 in
no ip redirects

,
RFC 2827.
interface Vlan11
ip address 10.1.11.1 255.255.255.0
ip access-group 111 in
!
interface Vlan15
ip address 10.1.15.1 255.255.255.0
ip access-group 115 in
!
interface Vlan16
ip address 10.1.16.1 255.255.255.0
ip access-group 116 in
ip access-group 126 out
!
access-list 111 permit ip 10.1.11.0 0.0.0.255 any
access-list 111 deny ip any any log
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any log
access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.7.0 0.0.0.255
access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 116 permit ip 10.1.16.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 116 deny ip any any log
access-list 126 permit ip 10.1.7.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 126 permit ip 10.1.8.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 126 permit ip 10.1.11.0 0.0.0.255 10.1.16.0 0.0.0.255


capture port Cat 6000 IDS:


#module 4 : 2-port Intrusion Detection System
set module name 4
set module enable 4
set vlan 1 4/1
set vlan 99 4/2
set port name 4/1 Sniff-4
set port name 4/2 CandC-4
set trunk 4/1 nonegotiate dot1q 1-1005,1025-4094
set security acl capture-ports 4/1


66. :


3 Cisco Catalyst 6500
Layer 3 Switch

-
67. -:


Cisco
Secure PIX Firewall
CSIDS
2
Catalyst 3500 Layer 2 switches
Cisco 7100
IOS Router
ClickNet Entercept HIDS
URL
Websense URL Filtering
Server

EPIX-31 33
PIX.
ACL. In , Out ,
pss (DMZ), url , mgmt .
access-list out deny ip any 192.168.254.0 255.255.255.0
access-list out deny ip any 192.168.253.0 255.255.255.0
access-list out permit icmp any any echo-reply
access-list out permit tcp any host 172.16.225.52 eq www
access-list out permit tcp any host 172.16.225.52 eq ftp
access-list out permit tcp any host 172.16.225.50 eq smtp
access-list out permit udp any host 172.16.225.51 eq domain
access-list out permit esp host 172.16.224.23 host 172.16.224.57
access-list out permit esp host 172.16.224.24 host 172.16.224.57
access-list out permit udp host 172.16.224.23 host 172.16.224.57 eq isakmp
access-list out permit udp host 172.16.224.24 host 172.16.224.57 eq isakmp
access-list in deny ip any 192.168.254.0 255.255.255.0
access-list in deny ip any 192.168.253.0 255.255.255.0
access-list in permit icmp any any echo
access-list in permit udp host 10.1.11.50 host 172.16.225.51 eq domain
access-list in permit tcp 10.0.0.0 255.0.0.0 host 172.16.225.52 eq www
access-list in permit tcp 10.0.0.0 255.0.0.0 host 10.1.103.50 eq 15871
access-list in permit tcp host 10.1.11.51 host 172.16.225.50 eq smtp
access-list in permit tcp host 10.1.11.51 host 172.16.225.50 eq 20389
access-list in permit tcp 10.0.0.0 255.0.0.0 host 172.16.225.52 eq ftp
access-list in deny ip any 172.16.225.0 255.255.255.0
access-list in permit ip 10.0.0.0 255.0.0.0 any
access-list in permit esp host 10.1.20.57 host 172.16.224.23
access-list in permit esp host 10.1.20.57 host 172.16.224.24
access-list in permit udp host 10.1.20.57 host 172.16.224.23 eq isakmp
access-list in permit udp host 10.1.20.57 host 172.16.224.24 eq isakmp
access-list pss deny ip any 192.168.254.0 255.255.255.0
access-list pss deny ip any 192.168.253.0 255.255.255.0
access-list pss permit tcp host 172.16.225.50 host 10.1.11.51 eq 20025
access-list pss permit tcp host 172.16.225.50 host 10.1.11.51 eq 20389
access-list pss deny ip 172.16.225.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list pss permit tcp host 172.16.225.50 any eq smtp
access-list pss permit udp host 172.16.225.51 any eq domain
access-list url permit udp host 10.1.103.50 host 172.16.225.51 eq domain
access-list url permit ip any any
access-list mgmt permit icmp 192.168.253.0 255.255.255.0 any

EIOS-23 24
HSRP (hot standby router protocol) , HSRP .
interface FastEthernet0/0
ip address 172.16.226.23 255.255.255.0
standby 2 timers 5 15
standby 2 priority 110 preempt delay 2
standby 2 authentication k&>9NG@6
standby 2 ip 172.16.226.100
standby 2 track ATM4/0 50


:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key A%Xr)7,_) address 172.16.224.57
!
crypto ipsec transform-set vpn_module_mgmt esp-3des esp-sha-hmac
!
crypto map mgmt1 100 ipsec-isakmp
set peer 172.16.224.57
set transform-set vpn_module_mgmt
match address 103
access-list 103 permit ip host 172.16.224.23 192.168.253.0 0.0.0.255
access-list 103 permit udp host 172.16.224.23 192.168.254.0 0.0.0.255

ACL , :


access-list 112 permit udp host 172.16.224.57 host 172.16.224.23 eq isakmp
access-list 112 permit esp host 172.16.224.57 host 172.16.224.23
access-list 112 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.23 established
access-list 112 permit udp 192.168.253.0 0.0.0.255 host 172.16.224.23 gt 1023
access-list 112 permit tcp 192.168.253.0 0.0.0.255 host 172.16.224.23 eq telnet
access-list 112 permit udp host 192.168.253.51 host 172.16.224.23 eq snmp
access-list 112 permit udp host 192.168.254.57 host 172.16.224.23 eq ntp
access-list 112 permit icmp any any
access-list 112 deny ip any host 172.16.224.23 log
access-list 112 deny ip any host 172.16.226.23 log
access-list 112 deny ip any host 172.16.145.23 log
access-list 112 permit ip 172.16.224.0 0.0.0.255 any
access-list 112 permit ip 172.16.225.0 0.0.0.255 any

ACL , (ISP). , RFC 1918 , . RFC 1918.


access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.224.0 0.0.7.255 any
access-list 150 permit ip any 172.16.224.0 0.0.7.255
access-list 150 permit ip any 172.16.145.0 0.0.0.255
access-list 150 permit esp any 172.16.226.0 0.0.0.255 fragments
access-list 150 deny ip any any fragments
access-list 150 deny ip any any log

, VPN/ . , IKE ESP:


access-list 160 permit esp any host 172.16.226.27
access-list 160 permit esp any host 172.16.226.28
access-list 160 permit esp any host 172.16.226.48
access-list 160 permit udp any host 172.16.226.27 eq isakmp
access-list 160 permit udp any host 172.16.226.28 eq isakmp
access-list 160 permit udp any host 172.16.226.48 eq isakmp
access-list 160 deny ip any any log
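The two ingress filters above (ACL 150, the RFC 2827/1918 anti-spoofing filter facing the ISP, and ACL 160, which admits only IKE and ESP to the VPN and remote-access routers) can be checked offline before they are pushed to a router. The evaluator below is an added example, not code from the SAFE document or from Cisco: it parses the entries exactly as quoted on this page, applies IOS first-match semantics with the implicit deny at the end, and models the `fragments` keyword together with the IOS rule that a non-initial fragment (which carries no Layer-4 header) is assumed to match a port-qualified permit and skips a port-qualified deny. The `Packet` and `Entry` records, the port-name table and the sample packets are constructed for the illustration; only `eq` port qualifiers are parsed, because those are the only ones ACL 150 and ACL 160 use.

```python
"""Offline evaluator for Cisco IOS extended-ACL entries (added example, not from the page).
Models first-match with implicit deny, wildcard masks, the 'fragments' keyword and the
IOS rule that a non-initial fragment (no L4 header) is assumed to match a port-qualified
permit and to skip a port-qualified deny. Only 'eq' port qualifiers are parsed."""
import ipaddress
from collections import namedtuple

# IANA port numbers for the names the quoted ACLs use.
PORT_NAMES = {"isakmp": 500, "ntp": 123, "snmp": 161, "syslog": 514, "tftp": 69,
              "telnet": 23, "tacacs": 49, "domain": 53, "www": 80}

# ACL 150 (ISP edge ingress filter) and ACL 160 (VPN/remote-access front end), as on this page.
ACL_150 = """
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.224.0 0.0.7.255 any
access-list 150 permit ip any 172.16.224.0 0.0.7.255
access-list 150 permit ip any 172.16.145.0 0.0.0.255
access-list 150 permit esp any 172.16.226.0 0.0.0.255 fragments
access-list 150 deny ip any any fragments
access-list 150 deny ip any any log
"""
ACL_160 = """
access-list 160 permit esp any host 172.16.226.27
access-list 160 permit esp any host 172.16.226.28
access-list 160 permit esp any host 172.16.226.48
access-list 160 permit udp any host 172.16.226.27 eq isakmp
access-list 160 permit udp any host 172.16.226.28 eq isakmp
access-list 160 permit udp any host 172.16.226.48 eq isakmp
access-list 160 deny ip any any log
"""

# Constructed packet model: a non-initial fragment (offset > 0) carries no ports.
Packet = namedtuple("Packet", "proto src dst sport dport noninitial_fragment",
                    defaults=(0, 0, False))
Entry = namedtuple("Entry", "action proto src sport dst dport fragments")


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A W' (A with wildcard W) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # Wildcard bits set to 1 are don't-care; invert explicitly to a subnet mask so that
    # 0.0.0.0 (one host) and 255.255.255.255 (any) are not mistaken for each other.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((t[i], str(mask)), strict=False), i + 2


def _port(t, i):
    """Parse an optional 'eq <name-or-number>' qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [fragments] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[2], t[3], src, sport, dst, dport, "fragments" in t[i:]))
    return entries


def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src or ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.fragments:                       # keyword entries see only non-initial fragments
        return p.noninitial_fragment
    if p.noninitial_fragment and (e.sport is not None or e.dport is not None):
        return e.action == "permit"       # no ports to compare: permit assumed, deny skipped
    return (e.sport is None or e.sport == p.sport) and (e.dport is None or e.dport == p.dport)


def evaluate(entries, packet):
    """Return (action, index) of the first matching entry; index -1 is the implicit deny."""
    for idx, e in enumerate(entries):
        if _matches(e, packet):
            return e.action, idx
    return "deny", -1


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.2.3", "172.16.225.52", dport=80),       # spoofed RFC 1918 source
                Packet("tcp", "198.51.100.7", "172.16.225.52", dport=80),   # ordinary web client
                Packet("udp", "198.51.100.7", "172.16.240.1", noninitial_fragment=True)):
        print(pkt.src, "->", pkt.dst, evaluate(parse_acl(ACL_150), pkt))
```

Returning the index of the matching entry, not just the verdict, is what makes the check useful for review: a packet that is denied by the logged catch-all and one that is silently dropped by `deny ip any any fragments` both come back as "deny", but only the first will ever show up in syslog. Note also that with the entry order as quoted, `permit ip any 172.16.224.0 0.0.7.255` already admits non-initial fragments to the enterprise block before the `fragments` entries are consulted; the evaluator makes that ordering effect visible.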

Catalyst 3500XL Private VLANs


VLAN :
interface FastEthernet0/1
port protected
!
interface FastEthernet0/2
port protected

VPN/
68. VPN / :


M Cisco Secure PIX Firewall
CSIDS
2 Catalyst 3500 Layer 2 switches
Cisco 7100 IOS Router
Cisco VPN 3060 Concentrator
Cisco IOS Access Server
ClickNet Entercept HIDS
Websense URL Filtering Server
EPIX-32 34
PIX.
ACL. In , Out VPN, dun , ra VPN , mgmt
.
access-list in deny ip any 192.168.253.0 255.255.255.0
access-list in deny ip any 192.168.254.0 255.255.255.0
access-list in permit icmp any any
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq pop3
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq www
access-list in permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq ftp
access-list in permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-ns
access-list in permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-dgm
access-list in permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq domain
access-list out deny ip any 192.168.253.0 255.255.255.0
access-list out deny ip any 192.168.254.0 255.255.255.0
access-list out permit icmp any any
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq pop3
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq www
access-list out permit tcp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq ftp
access-list out permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-ns
access-list out permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq netbios-dgm
access-list out permit udp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 eq domain
access-list out permit tcp 10.0.0.0 255.0.0.0 172.16.255.0 255.255.255.0 eq www
access-list out permit tcp 10.0.0.0 255.0.0.0 172.16.255.0 255.255.255.0 eq ftp
access-list ra deny ip any 192.168.253.0 255.255.255.0
access-list ra deny ip any 192.168.254.0 255.255.255.0
access-list ra permit icmp any any
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq smtp
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq pop3
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq www
access-list ra permit tcp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq ftp
access-list ra permit udp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq netbios-ns
access-list ra permit udp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq netbios-dgm
access-list ra permit udp 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0 eq domain
access-list ra deny ip 10.1.198.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list ra permit tcp 10.1.198.0 255.255.254.0 172.16.225.0 255.255.255.0 eq www
access-list ra permit tcp 10.1.198.0 255.255.254.0 172.16.225.0 255.255.255.0 eq ftp
access-list ra deny ip 10.1.198.0 255.255.254.0 172.16.224.0 255.255.248.0
access-list ra permit ip 10.1.198.0 255.255.254.0 any
access-list dun deny ip any 192.168.253.0 255.255.255.0
access-list dun deny ip any 192.168.254.0 255.255.255.0
access-list dun permit icmp any any
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq smtp
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq pop3
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq www
access-list dun permit tcp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq ftp
access-list dun permit udp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq netbios-ns
access-list dun permit udp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq netbios-dgm
access-list dun permit udp 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0 eq domain
access-list dun deny ip 10.1.196.0 255.255.254.0 10.0.0.0 255.0.0.0
access-list dun permit tcp 10.1.196.0 255.255.255.0 172.16.225.0 255.255.255.0 eq www
access-list dun permit tcp 10.1.196.0 255.255.255.0 172.16.225.0 255.255.255.0 eq ftp
access-list dun deny ip 10.1.196.0 255.255.254.0 172.16.224.0 255.255.248.0
access-list dun permit ip 10.1.196.0 255.255.254.0 any
access-list mgmt permit icmp 192.168.253.0 255.255.255.0 any

NAT, VPN
- :
static (inside,ravpn) 128.0.0.0 128.0.0.0 netmask 128.0.0.0 0 0
static (inside,ravpn) 64.0.0.0 64.0.0.0 netmask 192.0.0.0 0 0
static (inside,ravpn) 32.0.0.0 32.0.0.0 netmask 224.0.0.0 0 0
static (inside,ravpn) 16.0.0.0 16.0.0.0 netmask 240.0.0.0 0 0
static (inside,ravpn) 8.0.0.0 8.0.0.0 netmask 248.0.0.0 0 0
static (inside,ravpn) 4.0.0.0 4.0.0.0 netmask 252.0.0.0 0 0
static (inside,ravpn) 2.0.0.0 2.0.0.0 netmask 254.0.0.0 0 0
static (inside,ravpn) 1.0.0.0 1.0.0.0 netmask 255.0.0.0 0 0

EIOS-27 28
(VPN), :
!
! Basic Crypto Information
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 7Q!r$y$+xE address 172.16.132.2
crypto isakmp key 52TH^m&^qu address 172.16.131.2
!
!
crypto ipsec transform-set smbranch esp-3des esp-sha-hmac
mode transport
!
crypto map secure1 100 ipsec-isakmp
set peer 172.16.132.2
set transform-set smbranch
match address 105
crypto map secure1 300 ipsec-isakmp
set peer 172.16.131.2
set transform-set smbranch
match address 107
!
!
! GRE Tunnel Information
!
interface Tunnel0
ip address 10.1.249.27 255.255.255.0
tunnel source 172.16.226.27
tunnel destination 172.16.132.2
crypto map secure1
!
interface Tunnel1
ip address 10.1.247.27 255.255.255.0
tunnel source 172.16.226.27
tunnel destination 172.16.131.2
crypto map secure1
!
!
! EIGRP Routing to keep links up
!
router eigrp 1
redistribute static
passive-interface FastEthernet0/1
passive-interface FastEthernet4/0
network 10.0.0.0
distribute-list 2 out
distribute-list 2 in
!
! Crypto ACLs
!
access-list 105 permit gre host 172.16.226.27 host 172.16.132.2
access-list 107 permit gre host 172.16.226.27 host 172.16.131.2
!
! Inbound ACLs from Internet
!
access-list 110 permit udp 172.16.0.0 0.0.255.255 host 172.16.226.27 eq isakmp
access-list 110 permit esp 172.16.0.0 0.0.255.255 host 172.16.226.27
access-list 110 permit gre 172.16.0.0 0.0.255.255 host 172.16.226.27
access-list 110 deny ip any any log

(WAN)
69. :


Cisco 3640 IOS Router
EIOS-61
:
!
! Inbound from the WAN
!
access-list 110 deny ip any 192.168.253.0 0.0.0.255 log
access-list 110 deny ip any 192.168.254.0 0.0.0.255 log
access-list 110 permit ospf any any
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 172.16.224.0 0.0.7.255
access-list 110 deny ip any any log
!
! Inbound from the Campus
!
access-list 111 deny ip any 192.168.253.0 0.0.0.255 log
access-list 111 deny ip any 192.168.254.0 0.0.0.255 log
access-list 111 permit ospf any any
access-list 111 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 111 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 111 permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 111 permit ip 172.16.224.0 0.0.7.255 10.2.0.0 0.0.255.255
access-list 111 deny ip any any log


, , , .
( , ,
..), , . ,
. web-, , .
.
,
, .. , . , , . .
-, . .
. . , . , , hack, crack
phreak , .
-, . , . , . , , IP- , .


, , .
. , , . , TCP/IP. . , . - (IP) . IP . , (RFC Request for Comments), , , IP. ,
IP , , , , . , IP, .


, , promiscuous mode ( , , ). , . . . ,
(Telnet, FTP, SMTP, POP3 ..), , (, ).
, . . /,
,
. ( ). ,
, , ,

. , .
:

. .
, . (OTP One-Time Passwords). , , , , . , , -,
, -, -. -
. (token) ,
( ) . , , . ,
. , (, ),
.
. . , ,
Ethernet, , , .
, .
-.
, , . , , , . - ,
. , L0pht Heavy Industries, AntiSniff. http://www.l0pht.com/antisniff/
. , . , , , ( ). Cisco IPSec. IPSec
IP.
SSH (Secure Shell) SSL (Secure Socket Layer).

IP-
IP- , , ,
. . -, IP-,
IP-, , . IP- . DoS, , .
IP- ,
.
, IP-. , , . , .
IP-, , .
( ) :
. IP-
. IP-, , , . ,
IP-, . , .

RFC 2827. ( ). ,
IP- . ,
RFC 2827, (ISP). ,
, . , ISP IP- 15.1.1.0/24, , ISP , 15.1.1.0/24. , ,
, . ,
, . , , RFC 2827 (10.0.0.0/8), ( ) ( 10.1.5.0/24).
IP- , :
. IP- ,


IP-. . . , .

(Denial of Service DoS)


DoS, , . ,
. DoS ,
, DoS . ,
DoS ,
. DoS, , :

TCP SYN Flood


Ping of Death
Tribe Flood Network (TFN) Tribe Flood Network 2000 (TFN2K)
Trinoo
Stacheldraht
Trinity

(CERT Computer Emergency Response Team),


DoS. http://www.cert.org/tech_tips/denial_of_service.html


DoS .
- . DoS , .
( web- FTP-) DoS , , , , . DoS -, TCP ICMP (Internet Control Message Protocol). DoS
, . , . , . , , ,
, . , DoS (DDoS distributed DoS).
DoS :

-. - DoS. , , RFC 2827. , .


-DoS. -DoS .
.
(traffic rate limiting). (ISP) . , . ICMP, . (D)DoS ICMP.


, (brute force attack),
, IP- . IP-
, ,
. (brute force attack).
, (, ). ,
, . , , ,
.
, ( ) : , . , , , ,
.
, , .
/ . , , .
, . -

. , (#, %, $ ..). , . ,
. , , ,
, .
, . , . L0phtCrack, Windows NT.
, , .
http://www.l0phtcrack.com/

Man-in-the-Middle
Man-in-the-Middle , . ,
, , , . , . , , , DoS,
.
Man-in-the-Middle .
, , . , (, ), Man-in-the-Middle .


. (sendmail, HTTP, FTP).
, , (
, ). , (). , , .
, ,
. , , web-, 80. web- web-, . ,
80.
.
. .
, , :

- - / .
:
Bugtraq (http://www.securityfocus.com) CERT (http://www.cert.com)
().
, (IDS). IDS:
o IDS (NIDS) , . NIDS
, , / ;
o - IDS (HIDS) .
.
IDS ,
. , . IDS . IDS .
IDS , .


. - , , . DNS, - (ping sweep) . DNS , . - (ping
sweep) , DNS, , .
, , ,


. , , . , .
. , , ICMP - , -, , . , -.
, IP-. IDS , (ISP), ,
.


, . , . . DNS, SMTP HTTP. , ,
. ,
, , . ,
.
.
, , . , , IP-, .


, , . , .
(DMZ), , . , .
, , . , , . ,
, netcat. http://www.avian.org
(. ). , - IDS
(HIDS).


.
. Telnet, Telnet . Telnet authorization required to use this
resource ( ). ,
. , .
.
. Telnet ,
web- . , . , .


. ,
. , command.com ( Windows) , command.com. , , , . , , . ,
, . , .
,
, , . . . .

?
,
, . RFC 2196 (
) :
, ,
.
. RFC 2196
. , web-:

RFC 2196 Site Security Handbook ( )


http://www.ietf.org/rfc/rfc2196.txt

http://www.aits.uillinois.edu/security/securestandards.html

http://www.knowcisco.com/content/1578700434/ch06.shtml


, . ,
. ,
. , , .

.
. , . : , .
( ). . , IP. , ,
.
HIDS. . ,
.
, -, .
NIDS. . , , . , . ( )
(), 7.
IOS. . Cisco IOS.
IOS. , .
.
2. (VLAN) Ethernet. Ethernet
10/100 Gigabit Ethernet, VLAN 2.
3. , 2, , (QoS) . 3 .
. .
, .
SMTP. , SMTP. ( ).
: , ,
.
URL. , . URL, , , . , , .
VPN. IPSec,


VPN . , (WAN) , .
. , . , IP-,
..

Cisco


Cisco SAFE http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html


Improving Security on Cisco Routers http://www.cisco.com/warp/customer/707/21.html
PIX Firewall http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/
Cisco IOS Firewall Feature Set http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/
Cisco Secure IDS http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/
Cisco Secure Scanner http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/
Cisco Secure Access Control Server http://www.cisco.com/warp/public/cc/pd/sqsw/sq/
Cisco VPN 3000 Concentrator http://www.cisco.com/warp/public/cc/pd/hb/vp3000/
Catalyst 6000 series http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/
NetFlow White Paper http://wwwin.cisco.com/Mkt/cc/cisco/mkt/core/netflow/nflow_wp.htm

- (RFC)
RFC 2196 Site Security Handbook ( ) http://www.ietf.org/rfc/rfc2196.txt
RFC 1918 Address Allocation for Private Internets ( )
http://www.ietf.org/rfc/rfc1918.txt
RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing ( : DoS, ) http://www.ietf.org/rfc/rfc2827.txt


VLAN Security Test Report ( VLAN) http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
AntiSniff () http://www.l0pht.com/antisniff/
L0phtCrack http://www.l0pht.com/l0phtcrack/
Denial of Service Attacks ( DoS) http://www.cert.org/tech_tips/denial_of_service.html
Computer Emergency Response Team (CERT )
http://www.cert.org
Security Focus (Bugtraq) http://www.securityfocus.com
Avian Research (netcat) http://www.avian.org
University of Illinois Security Policy ( )
http://www.aits.uillinois.edu/security/securestandards.html
Design and Implementation of the Corporate Security Policy ( ) http://www.knowcisco.com/content/1578700434/ch06.shtml


ClickNet Entercept Host-Based IDS http://www.clicknet.com
RSA SecureID OTP System http://www.rsasecurity.com/products/securid/
Content Technologies MIMESweeper Email Filtering System
http://www.contenttechnologies.com
URL Websense URL Filtering http://www.websense.com/products/integrations/ciscopix.cfm
(Syslog) netForensics Syslog Analysis http://www.netforensics.com/

: .


Cisco Systems, Inc.
113054 ,

., 52
. 1, 4-
.: +7 (095) 961 14 10
: +7 (095) 961 14 69
World Wide Web: www.cisco.com
World Wide Web: www.cisco.ru


Cisco Systems, Inc.
252004, ,

. , 42-44
.: +380 (44) 490-12-06/46
: +380 (44) 490-12-00
www.cisco.ua

Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the
Cisco Connection Online Web site at http://www.cisco.com.
//www.cisco.ru.
Argentina Australia Austria Belgium Brazil Canada Chile China (PRC) Colombia Costa Rica Czech Republic Denmark
England Finland France Germany Greece Hungary India Indonesia Ireland Israel Italy Japan Korea Luxemburg Malaysia
Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Russia Saudi Arabia Scotland Singapore
South Africa Spain Sweden Switzerland Taiwan, ROC Thailand Turkey United Arab Emirates United States Venezuela
Copyright 2001 Cisco Systems Inc. All rights reserved. Printed in Russia. Cisco IOS is the trademark; and Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks
of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.