
8 Security and Performance Management

Terms you'll need to understand:
- IP access control lists
- Authentication
- Authorization
- Accounting
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)
- Private Internet Exchange (PIX) Firewalls
- Demilitarized zones (DMZ)
- Encryption
- Weighted Fair Queuing (WFQ)
- Priority queuing
- Custom queuing

Techniques you'll need to master:
- Describing why security and traffic filtering are important on Cisco routers
- Determining the proper placement of access control lists to efficiently filter traffic
- Understanding the characteristics of AAA, RADIUS, and TACACS
- Knowing the queuing methods available on Cisco routers

This chapter focuses on methods that can be used to provide you with a secure network. The aim of this chapter is to familiarize you with common security options and performance management queuing methods. This chapter covers the following CCIE blueprint objectives as determined by the Cisco Systems CCIE program:
- Security: Authentication, Authorization, and Accounting (AAA); Terminal Access Controller Access Control System (TACACS); RADIUS; PIX firewalls; demilitarized zones (DMZ); encryption; public/private keys; Data Encryption Standard (DES)
- Access Lists: Standard access lists and extended access lists, including where and how to place and design them
- Performance Management: Traffic management queuing, Weighted Fair Queuing (WFQ), Resource Reservation Protocol (RSVP), traffic shaping, load balancing

As with other chapters in this book, additional information is provided for completeness and in preparation for additional subjects as the CCIE Program expands.

Basic Network Security

Network security is one of the primary concerns in today's networks.
Many businesses must protect sensitive data from competitors or financial details from unauthorized personnel. A good security policy protects your network against corruption, failure, and compromised data. Cisco IOS provides a number of security features, including the following:
- Authentication, Authorization, and Accounting (AAA)
- Support for security server protocols, including RADIUS, TACACS, Extended TACACS, and TACACS+
- Traffic-filtering options using access lists
- Firewalls and DMZs
- Network data encryption

All the security methods described in this chapter are designed to stop unauthorized access to your router network. This section covers the security methods outlined in the preceding list, beginning with a discussion of access control lists.

Standard and Extended IP Access Lists

Standard and extended access lists are used to filter IP traffic. An access list is basically a set of permit or deny statements. Standard access lists are used to control IP traffic based on the source address only. Extended access lists can filter on source and destination addresses. Extended access lists can also be used to filter on specific protocols and port numbers. Let's look at how a Cisco router handles access lists.

Access Lists on Cisco Routers

By default, a Cisco router permits all IP and TCP traffic unless an access list is defined and applied to the appropriate interface. Figure 8.1 illustrates the steps taken if an access list is configured on a Cisco router. If an incoming packet is received on a router and no access list is defined, the packet will be forwarded to the IP routing software.
If an access list is defined and applied, the packet will be checked against the list, and the appropriate permit or deny action will be taken. The default action taken by any access list is to permit any explicitly defined statements and then to deny everything else.

Note: If the keyword out or in is not applied by the administrator when defining an IP filter on an interface, the default action is to apply the filter on the outbound traffic.

[Figure 8.1 Access list decision taken by a Cisco router: for an incoming packet, if no access list is configured the packet is processed; if an access list is configured and the packet is permitted, the packet is processed; otherwise the packet is dropped.]

Standard IP Access Lists (1 through 99)

As mentioned earlier in this chapter, standard IP access lists are used for filtering on the source address only. The Cisco IOS syntax is as follows:

access-list access-list-number {deny | permit} source [source-wildcard]

The following describes the purpose of each field:
- access-list-number: A number from 1 through 99 that defines a standard access list number. IOS 12.0 and later also support standard access lists in the range 1300 through 1999.
- deny: The IP packet will be denied if a match is found.
- permit: The IP packet will be permitted if it matches the criteria defined by the administrator.
- source: Source IP address or network. Any source address can be matched by using the keyword any.
- source-wildcard (optional): Wildcard mask that is applied to the source address. This is an inverse mask, which is explained further with a few examples later in this section. The default is 0.0.0.0, which specifies an exact match.
After applying the access-list command as described in the preceding text, you must apply the access list to the required interface using the following command:

ip access-group {access-list-number | name} {in | out}

The following describes the purpose of each field:
- access-list-number: A number in the range from 1 through 99 that defines a standard access list number.
- name: If you are using named access lists, that name is referenced here.
- in: Keyword that designates the access list as an inbound packet filter.
- out: Keyword that designates the access list as an outbound packet filter. This is the default action.

The wildcard mask mentioned earlier in the access-list command is used to match the source address. When a wildcard mask bit is binary 0, the corresponding bit of the address must match; when it is binary 1, the router does not care whether that bit matches. For example, the mask 0.0.255.255 means that the first two octets must match but the last two octets do not need to match. Hence the commonly used phrases care bits (0s) and don't care bits (1s). For further clarification, let's look at some examples of using access lists.

Suppose you have found a faulty NIC card with the address 141.108.1.99/24. You have been asked to stop packets from being sent out Serial 0 on your router but to permit everyone else. In this situation, you need to deny the host address 141.108.1.99 and permit all other host devices. The following access list would fulfill this requirement:

access-list 1 deny 141.108.1.99 0.0.0.0
access-list 1 permit 141.108.1.0 0.0.0.255

Next, you would apply the access list to filter outbound (the keyword out is supplied) IP packets on the Serial 0 interface, like this:

interface Serial 0
 ip access-group 1 out

Let's look at a more complex example of using a standard access list.
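As an added illustration (not code from the book), the following Python model evaluates a standard access list the way Figure 8.1 describes: entries are checked top to bottom, the first match wins, and anything unmatched hits the implicit deny. It implements the wildcard-mask rule (0 = care bit, 1 = don't-care bit) and runs the faulty-NIC list from the example above; the function names are my own.

```python
import ipaddress

# Added example: a model of how a Cisco router evaluates a standard IP
# access list. Entries are checked top to bottom, the first match decides,
# and a packet that matches nothing is dropped by the implicit deny.

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard (inverse) mask.
    Wildcard bit 0 = address bit must match; bit 1 = bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # invert the wildcard to get the care bits
    return (a & care) == (b & care)

def parse_acl(config):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines.
    The keyword 'any' and a missing wildcard (exact match) work as on IOS."""
    entries = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, source = parts[2], parts[3]
        if source == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, source, wildcard))
    return entries

def evaluate(entries, src_addr):
    """First matching entry wins; no match means the implicit deny."""
    for action, source, wildcard in entries:
        if wildcard_match(src_addr, source, wildcard):
            return action
    return "deny"

# The faulty-NIC access list from the text above.
ACL_1 = """
access-list 1 deny 141.108.1.99 0.0.0.0
access-list 1 permit 141.108.1.0 0.0.0.255
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_1)
    # constructed sample sources: the faulty host, a neighbour, another subnet
    for host in ("141.108.1.99", "141.108.1.10", "141.108.2.10"):
        print(host, "->", evaluate(acl, host))
```

Note that 141.108.2.10 is denied even though no line mentions it: the permit line only covers 141.108.1.0/24, so the implicit deny at the end of the list catches it.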
In this example, suppose you have 16 networks ranging from 141.108.1.0 to 141.108.16.0, as shown in Figure 8.2. You have assigned even subnets to the Accounting ...

[Figure 8.2 Standard access list example: odd networks 141.108.1.0, 141.108.3.0, ... 141.108.15.0 and even networks 141.108.2.0, 141.108.4.0, ... 141.108.16.0; an Accounting Department and a Sales Department (denied Internet access); Cisco 7500 router R1, whose S0/0 interface connects to the Internet.]