Security Best Practices in Cisco IOS® and Other Techniques to Help Your Network Survive in Today's Internet/Extranet Environments
Mike Peeters, SE Toronto

PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.

Slide 1: Safe Security

• SAFE Blueprint
• Understanding Today's Threats and Vulnerabilities
• Securing the Router
• Securing the Routing Protocols
• Limiting the Impact of DOS Attacks
• In Conclusion

Slide 2: The Network of Five Years Ago

Figure: a closed network. Remote sites reach the core over PSTN, Frame Relay, X.25 and leased lines.

Slide 3: Legacy Security Solutions

• Most security was designed when networks were simple and static
• Primarily single-point products (access control) with no network integration or intelligence
• Such legacy products are still seen as default security solutions (a "cure-all")
• Today, there are serious drawbacks to relying on such "overlay" security to protect sophisticated networks and services

Slide 4: Case in Point…

Internet connections have dramatically increased as a frequent point of attack (from 59% in 2000 to 70% in 2001). Of those organizations reporting attacks, we learn:
• 27% say they don't know if there had been unauthorized access or misuse
• 21% reported from two to five incidents in one year
• 58% reported ten or more incidents in a single year: something isn't working!

Source: Computer Security Institute & FBI Report, March 2001

Slide 5: Code Red and Nimda Worm Impacts

• Rapid penetration and propagation through existing security solutions
• Extensive impact; expensive recovery
• Exploited existing and known vulnerabilities, and bypassed legacy security devices
• Could be prevented and mitigated

Slide 6: Impact of Recent Worms

• Major computer company... Code Red/Nimda
  $9 million for remediation
  12,000 IT hours for Code Red
  6,500 IT hours for Nimda
• Multibillion dollar financial institution... Nimda
  75% of core routers down at any given time
  Lost trading server for half a day ($13 million impact)

Important Lesson Learned: Security Needs to Be Designed and Implemented Around, In and Through the Network

Slide 7: The Network Today

Slide 8: Today's Threats

• Attackers are taking advantage of complex networks and sophisticated Internet services

• In this environment, everything is a target: routers, switches, hosts, networks (local and remote), applications, operating systems, security devices, remote users, business partners, extranets, etc.
• Threats to today's networks are not addressed by most legacy security products
• In fact, there is no single security device which can protect all of these targets

Slide 9: SAFE Security Blueprint

• Integrates security and network issues
• Includes specific configurations for Cisco and partner solutions
• Based on existing, shipping capabilities
• Over 3,000 hours of lab testing
• Currently, five SAFE white papers: SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP Telephony, Wireless LAN Security in Depth, SAFE for VPNs

Slide 10: SAFE: Securing E-Business

Figure: SAFE enterprise modules: Management, Building, E-Commerce, Distribution, Corporate Internet, Edge, Core, Server, VPN/Remote Access and WAN (FR/ATM), with connections to the ISP and the PSTN.

Slide 11: Defense-in-Depth

Figure: Secure Connectivity (VPN), Perimeter Security (Firewalls), Identity, Security Monitoring (IDS/Scanning), Security Management (Policy).

• Integration into network infrastructure: compatibility with network services
• Integration with functional interoperability: intelligent interaction between elements
• Convergence with other technology initiatives: mobility/wireless, IP telephony, voice/video-enabled VPNs

Slide 12: Understanding Today's Threats and Vulnerabilities

Slide 13: Classes of Attacks

• Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access: unauthorized data manipulation, system access, or privilege escalation
• Denial of Service: disable or corrupt networks, systems, or services

Slide 14: Reconnaissance Methods

• Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, file explorer, srvinfo, dumpacl
• Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts

Slide 15: nmap

• Network mapper is a utility for port scanning large networks:
  TCP connect() scanning
  TCP SYN (half open) scanning
  TCP FIN, Xmas, or NULL (stealth) scanning
  TCP ftp proxy (bounce attack) scanning
  SYN/FIN scanning using IP fragments (bypasses some packet filters)
  TCP ACK and window scanning
  UDP raw ICMP port unreachable scanning
  ICMP scanning (ping-sweep)
  TCP ping scanning
  Direct (non portmapper) RPC scanning
  Remote OS identification by TCP/IP fingerprinting (nearly 500)

Slide 16: nmap

• nmap {Scan Type(s)} [Options]
• Example:
my-unix-host% nmap -sT my-router
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on my-router.example.com (10.12.192.1)
(The 1521 ports scanned but not shown below are in state closed)
Port    State  Service
21/tcp  open   ftp
22/tcp  open   ssh
23/tcp  open   telnet
25/tcp  open   smtp
37/tcp  open   time
80/tcp  open   http

Slide 17: Access Methods

• Exploiting passwords
  Brute force
  Cracking tools
• Exploit poorly configured or managed services
  Anonymous ftp, tftp, remote registry access, nis, …
  Trust relationships: rlogin, rexec, …
  IP source routing
  File sharing: NFS, Windows file sharing

Slide 18: Access Methods (Cont.)

• Exploit application holes
  Mishandled input data: access outside application domain, buffer overflows, race conditions
• Protocol weaknesses: fragmentation, TCP session hijacking
• Trojan horses: programs that plant a backdoor into a host

Slide 19: IP Packet Format

Bits 0-15 | Bits 16-31
4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Data

Slide 20: IP Spoofing

Figure: attacker C sends to A a packet claiming "Hi, my name is B" (source address of B).

Slide 21: IP: Normal Routing

Figure: hosts A, B and C sit behind routers Ra, Rb and Rc. Rb's table: A, C via Ra; B via Ethernet. Ra's table: B via Rb; C via Rc. A datagram A -> B is forwarded Ra -> Rb -> B.
Routing is based on routing tables.

Slide 22: IP: Source Routing

Figure: A sends a datagram "A -> B via Ra, Rb". Each router forwards to the next hop named in the option, even where its own table has B unknown.
Routing is based on the IP datagram option.

Slide 23: IP Unwanted Routing

Figure: C on the Internet sends "C -> A via R1, R2". R1 (Internet side): A unknown, B via DMZ. R2 (intranet side): A via Intranet, B via DMZ, C unknown. Neither router has a route that would carry C's traffic to A, yet the source route takes the datagram through R1 and R2 into the intranet.

Slide 24: IP Unwanted Routing (Cont.)

Figure: C on the Internet sends "C -> A via B". B is a dial-up PPP host that is also attached to the intranet Ethernet and acts as a router (A via Ethernet, C via PPP), so the source-routed datagram reaches A on the intranet.

Slide 25: IP Spoofing Using Source Routing

Figure: A's policy is "B is a friend, allow access". C sends "B -> A via C, Rc, Ra" with B's address as source. A replies "A -> B via Ra, Rc, C", because back traffic uses the same source route, so the replies return to C rather than to B.

Slide 26: TCP Packet Format

Bits 0-15 | Bits 16-31
16-bit Source Port Number | 16-bit Destination Port Number
32-bit Sequence Number
32-bit Acknowledgment Number
4-bit Header Length | Reserved (6 bits) | URG ACK PSH RST SYN FIN | 16-bit Window Size
16-bit TCP Checksum | 16-bit Urgent Pointer
TCP Options
Data

Slide 27: TCP Connection Establishment

B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Username:"

Slide 28: TCP Blind Spoofing

C (masquerading as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb) (C never sees this)
C -> A: flags=ACK, seq=(Sb,Sa) (C guesses Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Username:"
C -> A: flags=ACK, seq=(Sa+9,Sb), data="myname"
A believes the connection comes from B and starts the application (e.g. rlogin).

Slide 29: TCP Blind Spoofing (Cont.)

• C masquerades as B
• A believes the connection is coming from trusted B
• C does not see the back traffic
• For this to work, the real B must not be up, and C must be able to guess A's sequence number

Slide 30: TCP Session Hijacking

B -> A: flags=SYN, seq=(Sb,?) (B initiates a connection with A and is authenticated by the application on A)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Password:"
B -> A: seq=(Sa+9,Sb), data="Xyzzy"
C (masquerading as B) -> A: seq=(Sb+5,Sa+9), data="delete *" (C guesses Sa and Sb and inserts invalid data)

Slide 31: IP Normal Fragmentation

• IP largest datagram is 65,535 bytes == 2^16-1
• IP fragments a large datagram into smaller datagrams to fit the MTU
• Fragments are identified by the fragment offset field
• The destination host reassembles the original datagram

Slide 32: IP Normal Fragmentation (Cont.)

Before Fragmentation:

TL=1300, FO=0 Data Length 1280

IP Header IP Data

After Fragmentation (MTU = 500):

TL=500, FO=0 Data Length 480

TL=500, FO=480 Data Length 480

TL=340, FO=960 Data Length 320

Slide 33: IP Normal Reassembly

Received from the Network:

TL=500, FO=0 Data Length 480

TL=340, FO=960 Data Length 320

TL=500, FO=480 Data Length 480

Reassembly Buffer, 65,535 Bytes

Kernel Memory at Destination Host

Slide 34: IP Reassembly Attack

• Send an invalid IP datagram
• Fragment offset + fragment size > 65,535
• Usually containing an ICMP echo request (ping)
• Not limited to ping of death!

Slide 35: IP Reassembly Attack (Cont.)

Received from the Network:

TL=1020, FO=0 Data Length 1000

…64 IP Fragments with Data Length 1000…

TL=1020, FO=65000 Data Length 1000

BUG: Buffer Exceeded

Reassembly Buffer, 65,535 Bytes

64 IP Fragments

Kernel Memory at Destination Host
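The reassembly shown on slides 33 and 35 in code, as an added example (not from the Cisco deck): a receiver that validates offset + length against the 65,535-byte buffer before copying, which is exactly the check the "BUG: Buffer Exceeded" slide describes as missing. Offsets are in bytes as on the slides (the header field stores offset/8), and both fragment sets are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IP datagram, 2^16 - 1 bytes: the reassembly buffer size


@dataclass
class Fragment:
    ident: int    # 16-bit Identification shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's data (slides use bytes;
                  # the header field stores offset/8)
    more: bool    # MF flag: more fragments follow
    data: bytes


class ReassemblyError(ValueError):
    """Raised for a fragment set the receiver must discard."""


def check_bounds(frag: Fragment) -> None:
    """The check the 'BUG: Buffer Exceeded' slide is about:
    offset + length must not run past the 65,535-byte buffer."""
    end = frag.offset + len(frag.data)
    if end > MAX_DATAGRAM:
        raise ReassemblyError(
            f"id={frag.ident}: offset {frag.offset} + length {len(frag.data)} "
            f"= {end} exceeds {MAX_DATAGRAM}")


def reassemble(frags: list[Fragment]) -> bytes:
    """Rebuild the original IP data from fragments received in any order."""
    if not frags:
        raise ReassemblyError("no fragments")
    ident = frags[0].ident
    buf = bytearray(MAX_DATAGRAM)  # kernel reassembly buffer at the destination
    total_len = None
    pos = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.ident != ident:
            raise ReassemblyError("fragments belong to different datagrams")
        check_bounds(f)                          # validate BEFORE copying
        if f.offset != pos:
            raise ReassemblyError(f"gap or overlap at offset {pos}")
        buf[f.offset:f.offset + len(f.data)] = f.data
        pos = f.offset + len(f.data)
        if not f.more:
            total_len = pos                      # last fragment fixes the size
    if total_len is None or total_len != pos:
        raise ReassemblyError("last fragment (MF=0) missing or not last")
    return bytes(buf[:total_len])


def is_rejected(frags: list[Fragment]) -> bool:
    """True if the receiver discards the set instead of reassembling it."""
    try:
        reassemble(frags)
        return False
    except ReassemblyError:
        return True


# Constructed sample 1 (slides 32-33): 1280 data bytes, MTU 500, arriving out of order.
PAYLOAD = bytes(range(256)) * 5  # 1280 bytes


def sample_normal() -> list[Fragment]:
    return [Fragment(1, 960, False, PAYLOAD[960:1280]),
            Fragment(1, 0, True, PAYLOAD[0:480]),
            Fragment(1, 480, True, PAYLOAD[480:960])]


# Constructed sample 2 (slide 35): 1000-byte fragments up to offset 65000,
# so the last one would end at byte 66000.
def sample_oversized() -> list[Fragment]:
    frags = [Fragment(2, off, True, b"\x00" * 1000) for off in range(0, 65001, 1000)]
    frags[-1].more = False
    return frags
```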

Slide 36: SYN Attack

C (masquerading as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb); A allocates a kernel resource for handling the starting connection
No answer from B… after a 120 sec timeout A frees the resource. Repeated at a high rate, kernel resources are exhausted: denial of service.

Slide 37: SMURF Attack

Figure: a directed-broadcast PING, ICMP REQ D=160.154.5.255 S=172.18.1.2, is sent to network 160.154.5.0. Every host on that network answers the spoofed source:
ICMP REPLY D=172.18.1.2 S=160.154.5.10
ICMP REPLY D=172.18.1.2 S=160.154.5.11
ICMP REPLY D=172.18.1.2 S=160.154.5.12
ICMP REPLY D=172.18.1.2 S=160.154.5.13
ICMP REPLY D=172.18.1.2 S=160.154.5.14
The replies attempt to overwhelm the WAN link to the destination 172.18.1.2.

Slide 38: DDoS Step 1: Find Vulnerable Hosts

Figure: the attacker uses reconnaissance tools to locate vulnerable hosts to be used as masters and daemon agents.

Slide 39: DDoS Step 2: Install Software on Masters and Agents

Figure: attacker, innocent masters, innocent daemon agents.
1. Use master and agent programs on all cracked hosts
2. Create a hierarchical covert control channel using innocent-looking ICMP packets whose payload contains DDoS commands; some DDoS tools further encrypt the payload...

Slide 40: DDoS Step 3: Launch the Attack

Figure: the attacker sends "Attack Alice NOW!" to the innocent masters; the masters relay the command to the innocent daemon agents, which flood victim A.

Slide 41: Securing the Router

Slide 42: Passwords

• Physical access to the console port means no password is needed upon reboot
• Telnet: the enable password should be different from the login password
• SNMP: SNMP community strings are transmitted in the clear (v1, v2)
• Passwords/community strings are stored in clear text on TFTP servers (no service config)
• Use good passwords

Slide 43: Passwords

• Understand the different password protection mechanisms:
service password-encryption
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
line con 0
 password 7 00071A150754
• 5 => MD5 protection; cannot be decrypted
• 7 => Cisco proprietary encryption method
• Use TACACS+/RADIUS for authentication
Beware: even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router.

Slide 44: SNMP

snmp-server community RO/RW: use views and ACLs to prevent unauthorized access.
snmp-server host: use snmp-server host for trap forwarding and authentication of traps.
snmp-server trap-source <>: use a source interface to uniquely identify a device.

Slide 45: SNMP

• Change your community strings! Do not use public, private, secret!
• Use different community strings for the RO and RW communities.
• Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!

Slide 47: SNMP Version 3

• SNMP v3 is integrated in routers and switches.
• HP OpenView has a plugin for SNMP v3.
• Cisco Enterprise Network Management has at this time no plans to support SNMP version 3. We advise people to use IPsec to accomplish a secure connection.

Slide 48: Transaction Records

• How do you tell when someone is attempting to access your router?
• Consider some form of audit trail:
  Using the syslog feature
  SNMP traps and alarms
  Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards

Slide 49: Configuring Syslog on a Router

• To log messages to a syslog server host, use the logging global configuration command:
  logging host
  logging trap level
• To log to the internal buffer use:
  logging buffered size

• To source the log events from a common address:
  logging source-interface e0/1

Slide 50: Global Services You Turn On

• Add the timestamping service facility for logs:
  service timestamps log datetime localtime show-timezone msec
• Add the encryption service facility for console and VTY passwords:
  service password-encryption

Slide 51: Setting NTP

ntp server 192.168.41.40
ntp server 192.168.41.41
ntp source Ethernet0/1
service timestamps log datetime localtime show-timezone
service timestamps debug datetime localtime show-timezone
clock timezone EST -5
clock summer-time EDT recurring

Slide 52: Global Services You Turn OFF

• Some services turned on by default (< IOS 12.x) should be turned off to save memory and prevent security breaches/attacks:
  no service finger
  no service pad
  no service udp-small-servers
  no service tcp-small-servers
  no ip bootp server

Slide 53: Global Services You Turn OFF (Cont.)

• Check these services as well:
  no ip source-route
  no mop enabled
  no ip rsh-enable
  no ip rcmd rcp-enable
  no ip identd
  no ip http server

Slide 54: Interface Services You Turn OFF

• All interfaces on an Internet-facing router should have the following as a default:
  no ip redirects
  no ip directed-broadcast
  no ip proxy-arp

Slide 55: Cisco Discovery Protocol

• Lets network administrators discover neighbouring Cisco equipment, model numbers and software versions
• Should not be activated on any public-facing interface (IXP, customer, upstream ISP) unless part of the peering agreement
• Disable per interface:
  no cdp enable

Slide 56: Cisco Discovery Protocol

Defiant#show cdp neighbors detail
-------------------------
Device ID: Excalabur
Entry address(es):
  IP address: 4.1.2.1
Platform: cisco RSP2,  Capabilities: Router
Interface: FastEthernet1/1,  Port ID (outgoing port): FastEthernet4/1/0
Holdtime : 154 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-K3PV-M), Version 12.0(9.5)S, EARLY DEPLOYMENT MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Fri 03-Mar-00 19:28 by htseng

Slide 57: Login Banner

• Use a good login banner, or nothing at all:
banner login ^
Authorised access only
Disconnect IMMEDIATELY if you are not an authorised user!
^

Slide 58: Use Enable Secret

• Encryption '7' on a Cisco is reversible
• The "enable secret" password is encrypted via a one-way algorithm:
  enable secret
  no enable password
  service password-encryption

Slide 59: VTY and Console Port Timeouts

• Default idle timeout on async ports is 10 minutes 0 seconds:
  exec-timeout 10 0
• A timeout of 0 means a permanent connection
• TCP keepalives on incoming network connections:
  service tcp-keepalives-in
• Kills unused connections

Slide 60: VTY Security

• Access to VTYs should be controlled, not left open; consoles should be used for last-resort admin only:
access-list 3 permit 215.17.1.0 0.0.0.255
access-list 3 deny any
line vty 0 4
 access-class 3 in
 exec-timeout 5 0
 transport input telnet ssh
 transport output none
 transport preferred none
 password 7 045802150C2E
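A small audit of a running-config against the checklist on slides 50 to 60 (services to turn on and off, interface services, enable secret, VTY timeouts and access-class), written as an added example rather than a Cisco tool. The sample config is constructed; the parser assumes IOS's one-space indentation under interface and line stanzas, and since a running-config omits default settings, a missing line means "verify manually" rather than "insecure".

```python
from __future__ import annotations

# Global commands the slides say to have present (slides 50, 52, 53, 59).
GLOBAL_REQUIRED = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no service finger",
    "no service pad",
    "no ip bootp server",
    "no ip source-route",
    "no ip http server",
]
# Interface commands every Internet-facing interface should carry (slides 54, 55).
INTERFACE_REQUIRED = ["no ip redirects", "no ip directed-broadcast",
                      "no ip proxy-arp", "no cdp enable"]
VTY_TRANSPORTS = ("telnet", "ssh")   # slide 60: transport input telnet ssh


def parse_blocks(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split a config into global lines and the bodies of interface/line stanzas."""
    globals_: list[str] = []
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, blocks


def audit(config: str) -> list[str]:
    """Return findings; an empty list means every check on the slides is satisfied."""
    findings = []
    globals_, blocks = parse_blocks(config)
    for cmd in GLOBAL_REQUIRED:
        if cmd not in globals_:
            findings.append(f"global: missing '{cmd}'")
    # Slide 58: use 'enable secret' (type 5), never a type-7 'enable password'.
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("global: no 'enable secret' configured")
    if any(g.startswith("enable password") for g in globals_):
        findings.append("global: 'enable password' present (type 7 is reversible)")
    for name, body in blocks.items():
        if name.startswith("interface "):
            if "shutdown" in body or name.startswith("interface Loopback"):
                continue
            for cmd in INTERFACE_REQUIRED:
                if cmd not in body:
                    findings.append(f"{name}: missing '{cmd}'")
        elif name.startswith("line vty"):
            if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
                findings.append(f"{name}: no inbound access-class")
            if "exec-timeout 0 0" in body:          # slide 59: 0 = permanent connection
                findings.append(f"{name}: exec-timeout 0 0 (never times out)")
            for b in body:
                if b.startswith("transport input"):
                    extra = [w for w in b.split()[2:] if w not in VTY_TRANSPORTS]
                    if extra:
                        findings.append(f"{name}: transport input allows {' '.join(extra)}")
    return findings


# Constructed sample: partly hardened, with the leftovers an audit should catch.
SAMPLE_CONFIG = """\
service timestamps log datetime localtime show-timezone msec
service password-encryption
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip source-route
enable secret 5 $1$xxxx$PLACEHOLDERHASH
enable password 7 045802150C2E
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Serial0/1
 description link to ISP
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
line vty 0 4
 access-class 3 in
 exec-timeout 0 0
 transport input all
!
"""
```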

Slide 61: VTY Security

• Use more robust ACLs with the logging feature to spot the probes on your network:
access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log

Slide 62: VTY Access and SSHv1

• Secure shell is supported from IOS 12.1
• Obtain, load and run the appropriate crypto image on the router
• Set up SSH on the router:
  Beta7200(config)#crypto key generate rsa
• Add it as an input transport:
  line vty 0 4
   transport input telnet ssh

Slide 63: User Authentication

• Account per user, with passwords:
aaa new-model
aaa authentication login neteng local
username joe password 7 1104181051B1
username jim password 7 0317B21895FE
line vty 0 4
 login authentication neteng
 access-class 3 in
• Username/password is more resistant to attack than a plain password

Slide 64: User Authentication

• Use a distributed authentication system:
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
tacacs-server key CKr3t#
line vty 0 4
 access-class 3 in

Slide 65: User Authentication
TACACS+ provides a detailed audit trail of what is happening on the network devices

User-Name  Group  cmd                                          priv-lvl  service  NAS-Portname  task_id  NAS-IP          reason
bgreene    NOC    enable                                       0         shell    tty0          4        210.210.51.224
bgreene    NOC    exit                                         0         shell    tty0          5        210.210.51.224
bgreene    NOC    no aaa accounting exec Workshop              0         shell    tty0          6        210.210.51.224
bgreene    NOC    exit                                         0         shell    tty0          8        210.210.51.224
pfs        NOC    enable                                       0         shell    tty0          11       210.210.51.224
pfs        NOC    exit                                         0         shell    tty0          12       210.210.51.224
bgreene    NOC    enable                                       0         shell    tty0          14       210.210.51.224
bgreene    NOC    show accounting                              15        shell    tty0          16       210.210.51.224
bgreene    NOC    write terminal                               15        shell    tty0          17       210.210.51.224
bgreene    NOC    configure                                    15        shell    tty0          18       210.210.51.224
bgreene    NOC    exit                                         0         shell    tty0          20       210.210.51.224
bgreene    NOC    write terminal                               15        shell    tty0          21       210.210.51.224
bgreene    NOC    configure                                    15        shell    tty0          22       210.210.51.224
bgreene    NOC    aaa new-model                                15        shell    tty0          23       210.210.51.224
bgreene    NOC    aaa authorization commands 0 default tacacs+ none  15  shell    tty0          24       210.210.51.224
bgreene    NOC    exit                                         0         shell    tty0          25       210.210.51.224
bgreene    NOC    ping                                         15        shell    tty0          32       210.210.51.224
bgreene    NOC    show running-config                          15        shell    tty66         35       210.210.51.224
bgreene    NOC    router ospf 210                              15        shell    tty66         45       210.210.51.224
bgreene    NOC    debug ip ospf events                         15        shell    tty66         46       210.210.51.224

Slide 66: Source Routing

• IP has a provision to allow the source IP host to specify the route through the Internet
• This should be turned off, unless it is specifically required:
  no ip source-route

Slide 67: ICMP Unreachable Overload

• All routers that use any static route to Null0 should configure no ip unreachables on it:
interface Null0
 no ip unreachables
!
ip route Null0

Slide 68: Securing the Routing Protocol

Slide 69: Routing Protocol Security

• The routing protocol can be attacked:
  Denial of service
  Smoke screens
  False information
  Rerouted packets

May Be Accidental or Intentional

Slide 70: Secure Routing: Route Authentication

Figure: configure routing authentication. The campus router signs its route updates; the receiving router verifies the signature. This certifies the authenticity of the neighbor and the integrity of the route updates.

Slide 71: Signature Generation

Figure (Router A): the route update is passed through a hash function; the hash is encrypted to form the signature, which is sent along with the route update.
Signature = encrypted hash of the routing update

Slide 72: Signature Verification

Figure (Router B): the receiving router separates the routing update and the signature. It re-hashes the routing update with the hash function, and decrypts the signature using the preconfigured key. If the two hashes are equal, the signature is authentic.

Slide 73: Route Authentication

• Authenticates routing update packets
• A shared key is included in the routing updates:
  Plain text: protects against accidental problems only
  Message Digest 5 (MD5): protects against accidental and intentional problems

Slide 74: OSPF Route Authentication

• OSPF area authentication has two types: simple password and message digest (MD5)

Simple password:
ip ospf authentication-key key (this goes under the specific interface)
area area-id authentication (this goes under "router ospf")

Message digest:
ip ospf message-digest-key keyid md5 key (used under the interface)
area area-id authentication message-digest (used under "router ospf")
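The signature generation and verification of slides 71 to 73, carried through for the MD5 option on slides 74 and 75, as an added example (not Cisco code). It follows the OSPF cryptographic authentication scheme of RFC 2328 Appendix D: the shared key is appended to the update and hashed, the digest travels with the update, and a cryptographic sequence number rejects replays. The contrast with the plain-text option is that there the key itself crosses the wire. Update contents and keys are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import struct
from typing import Optional

KEY_LEN = 16  # OSPF MD5 keys are padded or truncated to 16 bytes


def _pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def plaintext_frame(update: bytes, key: bytes) -> bytes:
    """Simple-password authentication: the key rides in the clear next to the
    update, so anyone sniffing the segment learns it."""
    return update + b"|" + key


def sign_update(update: bytes, seq: int, key: bytes) -> bytes:
    """MD5 authentication: send update || seq || MD5(update || seq || key).
    The key never leaves the router; only the 16-byte digest does."""
    body = update + struct.pack("!I", seq)
    digest = hashlib.md5(body + _pad_key(key)).digest()
    return body + digest


class Verifier:
    """Receiving router: holds the preconfigured key and the last sequence seen
    from this neighbor."""

    def __init__(self, key: bytes):
        self.key = _pad_key(key)
        self.last_seq = -1

    def verify(self, message: bytes) -> Optional[bytes]:
        """Return the authenticated update, or None if the message is rejected."""
        if len(message) < 4 + KEY_LEN:
            return None
        body, digest = message[:-KEY_LEN], message[-KEY_LEN:]
        # Re-hash what was received with the preconfigured key (slide 72) and
        # compare in constant time; a mismatch means tampering or a wrong key.
        expected = hashlib.md5(body + self.key).digest()
        if not hmac.compare_digest(digest, expected):
            return None
        seq = struct.unpack("!I", body[-4:])[0]
        if seq <= self.last_seq:
            return None                      # replayed (or reordered) update
        self.last_seq = seq
        return body[:-4]
```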

Slide 75: OSPF and Authentication Example

• OSPF:
interface ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 100 md5 cisco
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest

Slide 76: What Ports Are Open on the Router?

• It may be useful to see what sockets/ports are open on the router
• show ip sockets

7206-UUNET-SJ#show ip sockets
Proto  Remote           Port  Local            Port  In  Out  Stat  TTY  OutputIF
17     192.190.224.195  162   204.178.123.178  2168  0   0    0     0
17     --listen--             204.178.123.178  67    0   0    9     0
17     0.0.0.0          123   204.178.123.178  123   0   0    1     0
17     0.0.0.0          0     204.178.123.178  161   0   0    1     0

Slide 77: Securing the Network

Slide 78: Securing the Network

• Route filtering
• Packet filtering
• Rate limits

Slide 79: Ingress Filters: Inbound Traffic

Figure: ingress filters apply to traffic coming into the customer network from ISP A, ISP B or another customer.

Slide 80: Egress Filters: Outbound Traffic

Figure: egress filters apply to traffic going out of the customer network towards ISP A, ISP B or another customer.

Slide 81: Route Filtering

Slide 82: Ingress and Egress Route Filtering

• Quick review:
  0.0.0.0/8 and 0.0.0.0/32: default and broadcast
  127.0.0.0/8: host loopback
  192.0.2.0/24: TEST-NET for documentation
  10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16: RFC 1918 private addresses
  169.254.0.0/16: end node auto-config for DHCP

Slide 83: Ingress and Egress Route Filtering

• Two flavors of route filtering:
  Distribute list: widely used
  Prefix list: increasingly used (BGP only)
• Both work fine; it is an engineering preference

Slide 84: Packet Filtering

Slide 85: Ingress and Egress Packet Filtering

You should not be sending any IP packets out to the Internet with a source address other than the addresses that have been allocated to your network!

Slide 86: Packet Filtering

• Static access list on the edge of the network
• Dynamic access list with AAA profiles
• Unicast RPF

Slide 87: Ingress Packet Filtering, Customer Edge

Figure: the customer holds 165.21.0.0/16 (subnets 165.21.10.0/24, 165.21.19.0/24, 165.21.20.0/24, 165.21.61.0/24) behind Serial 0/1 of the Internet backbone router. Ingress filter: deny source address 165.21.X.0/16 (depending on the customer's IP address block), applied on the interface going to that customer on the downstream aggregation and NAS routers. Example: IP packets with a source of 165.21.10.1 would be blocked.

Slide 88: ICMP Filtering

Extended access list: access-list 101 permit icmp any any
Summary of message types:
0 Echo Reply
3 Destination Unreachable (no ip unreachables: IOS will not send)
4 Source Quench
5 Redirect (no ip redirects: IOS will not accept)
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

ICMP Codes are not shown

RFC 792: INTERNET CONTROL MESSAGE PROTOCOL

Slide 89: Inbound Packet Filtering

• Filter packets with internal addresses as source to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks
• Filter incoming bootp, TFTP, SNMP, and traceroute to protect against remote access and reconnaissance attacks
• Allow incoming pings to the external interface of the perimeter router only from the ISP host
• Permit DNS requests to the DMZ server on the bastion host (TCP port 53, not UDP port 53)

Slide 90: Egress Packet Filtering, Customer Edge

Figure: the same customer, 165.21.0.0/16 behind Serial 0/1. Egress filter: allow source address 165.21.X.0/16 (depending on the IP address block allocated to the customer) and block source addresses from all other networks, applied on the downstream aggregation and NAS routers. Example: IP packets with a source of 10.1.1.1 would be blocked.

Slide 91: Outbound Packet Filtering

• Only allow packets with valid internal addresses as source to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks

Slide 92: uRPF Basics

Slide 93: Unicast Reverse Path Forwarding

• Source-based feature (!)
• On the input path of an interface, after the input ACL check
• Requires CEF
• Small to no performance impact
• Does not look inside tunnels (GRE, IPinIP, …)
• History: comes from the multicast world
• Strict mode available from 12.0
• Enhancements from 12.1(2)T (ACL & logging)

Slide 94: Strict uRPF Check (Unicast Reverse Path Forwarding)

router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default

Figure: a packet with source S enters on i/f 1. FIB lookup of S -> i/f 1 (same interface): forward. FIB lookup of S -> i/f 2 (other interface): drop.

Slide 95: Loose uRPF Check (Unicast Reverse Path Forwarding)

router(config-if)# ip verify unicast source reachable-via any

Figure: a packet with source S enters on i/f 1. FIB lookup of S -> any i/f x: forward. S not in the FIB, or route -> null0: drop.

Slide 96: Limiting the Impact of DOS Attacks
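The strict and loose checks of slides 94 and 95 over a longest-prefix-match FIB, as an added example (not Cisco's implementation). It also covers two cases the figures only hint at: a source matched by a route to Null0 fails both modes, and a source matched only by the default route fails unless allow-default is given (this applies the keyword to both modes). The FIB and addresses are constructed.

```python
from __future__ import annotations
import ipaddress
from typing import Optional, Tuple

NULL0 = "Null0"
Route = Tuple[ipaddress.IPv4Network, str]


class Fib:
    """Forwarding table: longest-prefix match from destination prefix to interface."""

    def __init__(self, routes):
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return net, iface
        return None


def _reverse_path(fib: Fib, src: str, allow_default: bool) -> Optional[str]:
    """Interface the router would use to reach SRC, or None when the check
    cannot be satisfied (no route, default route without allow-default, Null0)."""
    match = fib.lookup(src)
    if match is None:
        return None
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return None
    if iface == NULL0:
        return None                 # black-holed prefix: drop in either mode
    return iface


def urpf_strict(fib: Fib, src: str, ingress: str, allow_default: bool = False) -> bool:
    """ip verify unicast source reachable-via rx [allow-default]:
    forward only if the best path back to SRC leaves via the ingress interface."""
    return _reverse_path(fib, src, allow_default) == ingress


def urpf_loose(fib: Fib, src: str, allow_default: bool = False) -> bool:
    """ip verify unicast source reachable-via any [allow-default]:
    forward if any usable route to SRC exists, whatever the interface."""
    return _reverse_path(fib, src, allow_default) is not None


# Constructed FIB for an edge router: a customer /16 on Serial0/1, one of its
# /24s re-homed on Serial0/2, RFC 1918 space black-holed, default upstream.
SAMPLE_FIB = Fib([
    ("165.21.0.0/16", "Serial0/1"),
    ("165.21.10.0/24", "Serial0/2"),
    ("10.0.0.0/8", NULL0),
    ("0.0.0.0/0", "Ethernet0/0"),
])
```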

Slide 97: Limit the Impact of DOS Attacks: Committed Access Rate

Figure: CAR pipeline. Traffic Matching Specification -> Traffic Measurement Instrumentation (token bucket: tokens, burst limit) -> Action Policy: conforming traffic is passed on, excess traffic is handled by the next policy.
• Rate limiting
• Several ways to filter traffic
• "Token bucket" implementation

Slide 98: CAR: Traffic Measurement

• Token bucket configurable parameters:
  Committed rate (bits/sec): configurable in increments of 8 Kbits
  Normal burst size (bytes): to handle a temporary burst over the committed rate limit without paying a penalty. Minimum value is the committed rate divided by 2000
  Extended burst size (bytes): burst in excess of the normal burst size, to gradually drop packets in a more RED-like fashion instead of entering a tail-drop scenario

Slide 99: CAR Rate Limiting

• Limit outbound ping to 256 Kbps

interface xy
 rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
(rate-limit arguments: ACL, average rate, burst, excess; traffic can burst 8K above the 256K average for 8K worth of data)

• Limit inbound TCP SYN packets to 8 Kbps
interface xy
 rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
!
access-list 103 deny tcp any host 142.142.42.1 established
access-list 103 permit tcp any host 142.142.42.1
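The two rate-limit statements above as a token-bucket simulation, added here as an example and not Cisco's implementation. The bucket is as deep as the normal burst and refills at the committed rate; a packet that finds enough tokens conforms (transmit), the rest exceed (drop). Both slides set the extended burst equal to the normal burst, so there is no borrowing and a plain bucket models them exactly. The ACL matchers mirror access-lists 102 and 103 ("established" is taken as the ACK bit being set), and the packet samples are constructed.

```python
from __future__ import annotations

HOST = "142.142.42.1"  # the destination host in the slide's access-list 103


class TokenBucket:
    """CAR-style bucket: depth = normal burst (bytes), refilled at the committed rate."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0        # committed rate in bytes per second
        self.burst = float(burst_bytes)   # normal burst: bucket depth
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def check(self, size: int, now: float) -> str:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"   # conform-action transmit
        return "exceed"        # exceed-action drop


def acl_102(pkt: dict) -> bool:
    """access-list 102 permit icmp any any echo / echo-reply"""
    return pkt["proto"] == "icmp" and pkt.get("type") in ("echo", "echo-reply")


def acl_103(pkt: dict) -> bool:
    """access-list 103 deny tcp any host 142.142.42.1 established, then
    permit tcp any host 142.142.42.1: only non-established (SYN) packets match."""
    if pkt["proto"] != "tcp" or pkt.get("dst") != HOST:
        return False
    return not pkt.get("ack", False)


def rate_limit(packets, acl, rate_bps: int, burst_bytes: int) -> tuple[int, int]:
    """Apply 'rate-limit ... access-group <acl> <rate> <burst> <burst>' to a
    packet list, in time order. Returns (transmitted, dropped); packets the
    ACL does not match are not measured and pass untouched."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    transmitted = dropped = 0
    for pkt in sorted(packets, key=lambda p: p["t"]):
        if acl(pkt) and bucket.check(pkt["len"], pkt["t"]) == "exceed":
            dropped += 1
        else:
            transmitted += 1
    return transmitted, dropped


def sample_ping_flood() -> list[dict]:
    """Constructed: ten 1000-byte echo replies at t=0, four more at t=0.1 s,
    and one established TCP packet that ACL 102 ignores."""
    pkts = [{"proto": "icmp", "type": "echo-reply", "len": 1000, "t": 0.0} for _ in range(10)]
    pkts += [{"proto": "icmp", "type": "echo-reply", "len": 1000, "t": 0.1} for _ in range(4)]
    pkts.append({"proto": "tcp", "dst": HOST, "ack": True, "len": 1500, "t": 0.05})
    return pkts


def sample_syn_flood() -> list[dict]:
    """Constructed: 250 SYNs (40 bytes) to the host and 5 established packets, all at t=0."""
    pkts = [{"proto": "tcp", "dst": HOST, "ack": False, "len": 40, "t": 0.0} for _ in range(250)]
    pkts += [{"proto": "tcp", "dst": HOST, "ack": True, "len": 1500, "t": 0.0} for _ in range(5)]
    return pkts
```

With 256000 bps the bucket refills at 32000 bytes/s, so the 8000-byte burst admits eight 1000-byte pings at once and three more after 100 ms; with 8000 bps and an 8000-byte burst, 200 SYNs of 40 bytes pass before the first drop.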

Slide 100: In Conclusion

Slide 101: Where to Get Additional Information

• The NSA’s Router Security document and the NIST’s recommendations on data security provide a good starting point for creating default IOS router configurations.

• http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp
• http://csrc.nist.gov/publications/drafts/ITcontingency-planning-guideline.pdf
• http://www.cisecurity.org/
• Cisco's own SAFE training provides important tips to customers:
• http://www.cisco.com/warp/public/707/newsflash.html
• http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
• http://cisco.com/warp/public/707/21.html#flood

Slide 102: Cisco Security Courses

• MCNS: Managing Cisco Network Security
• CSIDS: Cisco Secure Intrusion Detection Systems
• CSIHS: Cisco Secure IDS Host Sensor
• CSPFA: Cisco Secure PIX Advanced
• CSPM: Cisco Secure Policy Manager
• CSVPN: Cisco Secure Virtual Private Networks
• CSDI: Cisco SAFE Design Implementation

Slide 103: Cisco Press Books

Cisco Secure PIX Firewalls (CSPFA) Released December 2001

Cisco Secure Virtual Private Networks (CSVPN) Released December 2001

Managing Cisco Network Security (MCNS) Released January 2001

Cisco Secure Intrusion Detection System (CSIDS) Released October 2001

Available at bookstores, computer stores, and online booksellers
