

crypto isakmp key keystring hostname hostname
By default, the ISAKMP identity is set to use the IP address. To use the hostname parameter, the
ISAKMP identity must be configured to use the host name with the crypto isakmp identity
hostname global configuration mode command. In addition, DNS must be accessible to resolve the
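As an added example (not part of the course booklet), this is the R1 side of a pre-shared key that is keyed to the peer's host name rather than to its address, showing the identity setting and the name resolution that the hostname form depends on. The router names R1 and R2, the domain example.com, the address 203.0.113.2 and the key string are assumptions chosen for the example.

```cisco
! Assumed names and addresses for this example: routers R1 and R2 in the
! domain example.com, with R2 reachable at 203.0.113.2.
hostname R1
ip domain name example.com
!
! Send the host name (R1.example.com) as the IKE identity instead of the
! interface address. R2 keys its PSK to R1.example.com in the same way.
crypto isakmp identity hostname
!
! Key the pre-shared secret to the peer's name. The name must resolve:
! either configure DNS (ip name-server) or a static entry as shown here.
ip host R2.example.com 203.0.113.2
crypto isakmp key Str0ng-Rand0m-PSK-Example hostname R2.example.com
```

If the name cannot be resolved when the tunnel is brought up, IKE Phase 1 fails before any proposal is exchanged, so a static ip host entry is the safer choice on a router whose DNS reachability itself depends on the tunnel.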

8.4.4 Task 3 - Configure the Transform Sets
A transform set is a combination of individual IPsec transforms that are designed to enact a spe-
cific security policy for traffic. During the ISAKMP IPsec SA negotiation that occurs in IKE
Phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular
data flow.
Transform sets consist of a combination of an AH transform, an ESP transform, and the IPsec
mode (either tunnel or transport mode). Transform sets are limited to one AH transform and one or
two ESP transforms. Multiple transform sets can be configured. Then one or more of these trans-
form sets can be specified in a crypto map entry. The IPsec SA negotiation uses the transform set
that is defined in the crypto map entry to protect the data flows that are specified by the ACL of
that crypto map entry.
Chapter 8: Implementing Virtual Private Networks 245

To define a transform set, specify one to four transforms using the crypto ipsec transform-set
global configuration command. This command invokes crypto-transform configuration mode.
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
Each transform represents an IPsec security protocol (AH or ESP) plus the associated algorithm.
These protocols and algorithms are specified within the crypto-transform configuration mode. In a
transform set, specify the AH protocol, the ESP protocol, or both. If the ESP protocol is specified,
the transform set must include an ESP encryption transform, or an ESP encryption transform
together with an ESP authentication transform.
During the negotiation, the peers search for a transform set that has the same criteria (the combina-
tion of protocols, algorithms, and other settings) at both peers. When a transform set is found, it is
selected and applied to the protected traffic as part of the IPsec SAs of both peers.
When ISAKMP is not used to establish SAs, a single transform set must be used. In this instance,
the transform set is not negotiated.
Transform sets are negotiated during IKE Phase 2 quick mode. When configuring multiple trans-
form sets, configure the transforms from most to least secure, according to the network security
IPsec peers search for a transform set that matches at both ends and agree on one unidirectional
transform proposal per SA. For example, assume R1 and R2 are negotiating a transform set. R1
has transform sets ALPHA, BETA, and CHARLIE configured, while R2 has RED, BLUE, and
YELLOW configured. Each R1 transform set is compared against each R2 transform set in succes-
sion. R1 transform sets ALPHA, BETA, and CHARLIE are compared to R2 transform set RED.
The result is no match. All the R1 transform sets are then compared against R2 transform set
BLUE. Finally, the R1 transform sets are compared to R2 transform set YELLOW. YELLOW is
matched against the R1 transform set CHARLIE. When a transform set match is found, it is se-
lected and applied to the protected traffic as part of the IPsec SAs of both peers.

8.4.5 Task 4 - Configure the Crypto ACLs
Crypto ACLs identify the traffic flows to protect. Outbound crypto ACLs select outbound traffic
that IPsec should protect. Traffic that is not selected is sent in plaintext. If desired, inbound ACLs
can be created to filter and discard traffic that should have been protected by IPsec.
Extended IP ACLs select IP traffic to encrypt based on protocol, IP address, network, subnet, and
port. Although the ACL syntax is unchanged from extended IP ACLs, the meanings are slightly
different for crypto ACLs. For example, permit specifies that matching packets must be encrypted,
and deny specifies that matching packets are not encrypted. Traffic is not necessarily dropped be-
cause of a deny statement. Crypto ACLs are processed in a similar fashion to an extended IP ACL
applied to outbound traffic on an interface.
The command syntax for the basic form of an extended IP ACL is:
access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard
Outbound crypto ACLs define the interesting traffic to be encrypted. All other traffic passes as
Inbound crypto ACLs inform the router of which traffic should be received as encrypted traffic.
When traffic matches the permit statement, the router expects that traffic to be encrypted. If in-
bound plaintext traffic is received that matches a permit statement in the crypto ACL, that traffic is
dropped. This drop occurs because the plaintext traffic was expected to be protected by IPsec and
encrypted, but was not.
246 CCNA Security Course Booklet, Version 1.0

An administrator might want certain traffic to receive one combination of IPsec protection (au-
thentication only) and other traffic to receive a different combination (both authentication and en-
cryption). To do so, create two different crypto ACLs to define the two different types of traffic.
Different crypto map entries then use these ACLs to specify different IPsec policies.
Try to be as restrictive as possible when defining which packets to protect in a crypto ACL. Using
the any keyword to specify source or destination addresses is not recommended. The permit any
any statement is strongly discouraged because it causes all outbound traffic to be protected and all
protected traffic to be sent to the peer that is specified in the corresponding crypto map entry.
Then, all inbound packets that lack IPsec protection are silently dropped, including packets for
routing protocols, NTP, echo, echo response, and others. If the any keyword must be used in a per-
mit statement, preface the statement with a series of deny statements to filter out traffic that should
not be protected.
The crypto ACL is associated with a crypto map, which in turn is assigned to a specific interface.
Symmetric crypto ACLs must be configured for use by IPsec. When a router receives encrypted
packets back from an IPsec peer, it uses the same ACL to determine which inbound packets to de-
crypt by viewing the source and destination addresses in the ACL in reverse order. The ACL crite-
ria are applied in the forward direction to traffic exiting a router, and in the backward direction to
traffic entering the router, so that the outbound ACL source becomes the inbound ACL destination.
For example, assume that for Site 1, IPsec protection is applied to traffic between hosts on the network as the data exits the R1 S0/0/0 interface en route to Site 2 hosts on the network. For traffic from Site 1 hosts on the network to Site 2 hosts on the network, the ACL entry on R1 is evaluated as follows:

Source = hosts on network

Destination = hosts on network

For incoming traffic from Site 2 hosts on the network to Site 1 hosts on the
network, that same ACL entry on R1 is evaluated as follows:

Source = hosts on network

Destination = hosts on network

8.4.6 Task 5 - Apply the Crypto Map
Crypto map entries that are created for IPsec combine the needed configuration parameters of
IPsec SAs, including the following parameters:

Which traffic to protect using a crypto ACL

Granularity of the flow to be protected by a set of SAs

Who the remote IPsec peer is, which determines where the IPsec-protected traffic is sent

Local address used for the IPsec traffic (optional)

Which type of IPsec security is applied to this traffic, choosing from a list of one or more
transform sets

Crypto map entries with the same crypto map name but different map sequence numbers are
grouped into a crypto map set.
Only one crypto map set can be applied to a single interface. The crypto map set can include a
combination of Cisco Encryption Technology (CET) and IPsec using IKE. Multiple interfaces can
share the same crypto map set if the same policy is applied to multiple interfaces. If more than one
crypto map entry is created for a given interface, use the sequence number (seq-num) of each map
entry to rank the map entries. The smaller the sequence number, the higher the priority. At the
interface that has the crypto map set, traffic is evaluated against higher priority map entries first.
Create multiple crypto map entries for a given interface if any of these conditions exist:

Separate IPsec peers handle different data flows.

Different IPsec security must be applied to different types of traffic (to the same or separate
IPsec peers). For example, traffic between one set of subnets might need to be authenticated
only, while traffic between another set of subnets needs to be both authenticated and
encrypted. In this case, define the different types of traffic in two separate ACLs, and create a
separate crypto map entry for each crypto ACL.

IKE is not used to establish a particular set of SAs, and multiple ACL entries must be
specified. In this case, create separate ACLs (one per permit entry) and specify a separate
crypto map entry for each ACL.
Use the crypto map global configuration command to create or modify a crypto map entry and
enter crypto map configuration mode. Set the crypto map entries that reference dynamic maps to
the lowest priority in a crypto map set (they should have the largest sequence numbers). The com-
mand syntax and parameter definitions are as follows:
crypto map map-name seq-num cisco
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
no crypto map map-name [seq-num]
Using the crypto map command in global configuration mode enters crypto-map configuration
mode. From here, various IPsec components are configured, including which crypto ACL, peer ad-
dress, and transform set to use.
ACLs for crypto map entries that are tagged as IPsec-manual are restricted to a single permit entry,
and subsequent entries are ignored. The SAs that are established by that particular crypto map
entry are for a single data flow only. To support multiple manually established SAs for different
kinds of traffic, define multiple crypto ACLs and then apply each one to a separate IPsec-manual
crypto map entry. Each ACL includes one permit statement that defines the traffic that it must protect.
Two peers can be specified in a crypto map for redundancy. If the first peer cannot be contacted,
the second peer is used. There is no limit to the number of redundant peers that can be configured.
After the crypto map parameters are configured, assign the crypto map set to interfaces using the
crypto map interface configuration command.

The crypto map is applied to the outgoing interface of the VPN tunnel using the crypto map
command in interface configuration mode.
crypto map map-name
map-name is the name of the crypto map set to apply to the interface.

Make sure that the routing information that is needed to send packets into the tunnel is also configured.

All IP traffic passing through the interface where the crypto map is applied is evaluated against the
applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and
the crypto map specifies the use of IKE, an SA is negotiated with the remote peer according to the
parameters that are included in the crypto map entry.
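The following configuration is added here as an illustration; it is not taken from the course booklet. It ties Tasks 2 through 5 together on R1 (IKE policy and pre-shared key, transform sets ordered from strongest to weakest, a narrow crypto ACL, the crypto map entry, and the interface assignment) and then shows the mirrored ACL and crypto map that R2 needs so that the symmetric-ACL requirement is met. Everything specific is assumed for the example: the addresses 203.0.113.1 and 203.0.113.2 on the serial link, the LANs 10.1.1.0/24 and 10.2.2.0/24, the interface Serial0/0/0, the key string, and the names STRONG, FALLBACK and SITE2SITE.

```cisco
! ===== R1 =====
! Task 2: IKE Phase 1 policy and pre-shared key (addresses are assumed).
! group 14 needs an IOS image that supports it; older images use group 5.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key Str0ng-Rand0m-PSK-Example address 203.0.113.2
!
! Task 3: transform sets. Only ESP is used. STRONG is listed first in the
! crypto map so the peers settle on it whenever both support it.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set FALLBACK esp-3des esp-sha-hmac
 mode tunnel
!
! Task 4: crypto ACL. permit = protect with IPsec, deny = send in the clear
! (not dropped). Keep it to the two LANs; no "permit ip any any" here.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Task 5: crypto map entry binding the ACL, the peer, and the transform sets.
crypto map SITE2SITE 10 ipsec-isakmp
 description Site 1 LAN to Site 2 LAN
 set peer 203.0.113.2
 set transform-set STRONG FALLBACK
 match address 110
!
! Apply the map to the interface the protected traffic leaves through, and
! make sure a route to the remote LAN points out of that same interface.
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE2SITE
ip route 10.2.2.0 255.255.255.0 203.0.113.2
!
! ===== R2 (mirror) =====
! Same policy, key, and transform sets. The crypto ACL has source and
! destination swapped and the peer is R1. An ACL that is not the exact
! mirror leaves one direction unprotected, or dropped on arrival as
! plaintext that matched a permit entry.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key Str0ng-Rand0m-PSK-Example address 203.0.113.1
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set FALLBACK esp-3des esp-sha-hmac
 mode tunnel
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set STRONG FALLBACK
 match address 110
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map SITE2SITE
ip route 10.1.1.0 255.255.255.0 203.0.113.1
```

Nothing is negotiated until interesting traffic arrives, so send traffic from a host on the Site 1 LAN to a host on the Site 2 LAN, then check show crypto isakmp sa for the peer in QM_IDLE and show crypto ipsec sa for the pkts encrypt and pkts decrypt counters increasing. FALLBACK is there only for a peer that cannot do AES; if both routers support AES, remove it from both sides rather than leaving 3DES reachable, since the order in set transform-set is what makes STRONG win, not anything that prevents a match on the weaker set.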

8.4.7 Verify and Troubleshoot the IPsec Configuration
VPNs can be complex and sometimes do not operate as expected. For this reason, there are a vari-
ety of useful commands to verify the operation of VPNs and to troubleshoot when necessary.
The best time to become familiar with these commands and their output is when the network is op-
erating correctly. This way, anomalies can be detected when using them for troubleshooting.
To view all configured crypto maps, use the show crypto map command. This command verifies
configurations and shows the SA lifetime. The show running-config command also reveals many
of these same settings.
Use the show crypto isakmp policy command to display configured IKE policies and the de-
fault IKE policy settings. This command is useful because it reveals all ISAKMP (IKE) configura-
tion information.
Use the show crypto ipsec transform-set command to show all configured transform sets. Be-
cause transform sets determine the level of protection that the data will have as it is tunneled, it is
important to verify the strength of the IPsec protection policy.
One of the more useful commands is show crypto ipsec sa. If the output indicates that an SA is
established, the rest of the configuration is assumed to be working. Within the output, the pkts en-
crypt and pkts decrypt values indicate that traffic is flowing through the tunnel.
A similar useful command is show crypto isakmp sa. This command displays all current IKE
SAs. QM_IDLE status indicates an active IKE SA.
To use debugging commands to troubleshoot VPN connectivity, connect to the Cisco IOS router
with a terminal connection.
The debug crypto isakmp command displays detailed information about the IKE Phase 1 and
IKE Phase 2 negotiation processes. The debug crypto ipsec command displays detailed infor-
mation about IPsec events.
As with other debug commands, use the debug crypto isakmp command with caution, because
debug processes can cause performance problems on the device. Use the undebug all command
to turn off the debug as soon as possible.

8.5 Implementing Site-to-Site IPsec VPNs with SDM
8.5.1 Configuring IPsec Using SDM
In addition to configuring IPsec VPNs via CLI, it is possible to configure them using an SDM wizard.
To select and start a VPN wizard, follow these steps:
Step 1. Click Configure in the main toolbar.
Step 2. Click the VPN button on the left to open the VPN page.

Step 3. Choose a wizard from the VPN window.
Step 4. Click the VPN implementation subtype.
Step 5. Click the Launch the selected task button to start the wizard.
The Cisco SDM VPN wizards use two sources to create a VPN connection: user input during a
step-by-step wizard process, and preconfigured VPN components.
The Cisco SDM provides some default VPN components: two IKE policies and an IPsec transform
set for the quick setup wizard.
The VPN wizards create other components during the step-by-step configuration process. Some
components must be configured before the wizards can be used. For instance, PKI components
must be configured before using the PKI wizard.
The VPN navigation bar contains three major sections:

The VPN tab - Contains the wizards to create a site-to-site VPN, Easy VPN Remote, Easy
VPN Server, and dynamic multipoint VPN. The VPN wizards simplify the configuration of
individual VPN components. The individual IPsec components section can then be used to
modify parameters that might have been misconfigured during the VPN wizard step-by-step

The SSL VPN tab - Used to configure SSL VPN parameters.

VPN components - Used to configure VPN components such as IPsec, IKE, Easy VPN
Server group policies and browser proxy settings, Public Key Infrastructure (for IKE
authentication using digital certificates), and VPN Keys Encryption. The VPN components
option appears if the Cisco IOS software image on the router supports type 6 encryption, also
referred to as VPN key encryption. Use this window to specify a master key when encrypting
VPN keys, such as PSKs, Cisco Easy VPN keys, and Extended Authentication (XAUTH)
keys. When the keys are encrypted, they are not readable by someone viewing the router
configuration file.
Use a web browser to start the Cisco SDM on a router. Select the VPN wizard by choosing
Configure > VPN > Site-to-Site VPN.
To create and configure a classic site-to-site VPN, click the Create a Site-to-Site VPN radio but-
ton on the Create Site-to-Site VPN tab. Then click the Launch the selected task button.
A window displays the Quick setup option and the Step by step wizard option.
The Quick setup option uses the Cisco SDM default IKE policies and IPsec transform sets. It
enables a junior administrator to quickly set up an IPsec VPN using best practice security parameters.
The Step by step wizard allows the administrator to specify all the finer details of the IPsec VPN.
Click the Next button to configure the parameters of the VPN connection.

8.5.2 VPN Wizard - Quick Setup
The quick setup option uses a single window to configure the VPN connection and includes the
following parameters:

Interface to use for the VPN connection (usually the outside interface)

Peer identity information, which includes the type of peer and IP address of the peer

Authentication method, either PSKs (specify the secret) or digital certificates (choose a
certificate that has been created beforehand)

Traffic to encrypt by identifying the source interface and destination IP subnet

Cisco SDM provides a default IKE policy to govern authentication, a default transform set to con-
trol data encryption, and a default IPsec rule that encrypts all traffic between the router and the re-
mote device.
When all parameters are set, verify the configuration on the summary page before clicking Finish.
Quick setup is best used when both the local router and the remote system are Cisco routers using
Cisco SDM. Quick setup configures 3DES encryption if it is supported by the Cisco IOS image.
Otherwise, it configures DES encryption. If AES or SEAL encryption is required, the Step-by-Step
wizard must be used.

8.5.3 VPN Wizard - Step-by-Step Setup
The Step-by-Step wizard requires multiple steps to configure the VPN connection and includes the
following parameters:

Connection settings, including outside interface, peer identity, and authentication credentials

IKE proposals, such as priority, encryption, the Hashed Message Authentication Code
(HMAC) algorithm, IKE authentication method, Diffie-Hellman (DH) group, and IKE lifetime

IPsec transform set information, including name, integrity algorithm, encryption algorithm,
mode of operation (tunnel or transport), and compression

Traffic to protect by identifying the single source and destination subnets or defining an ACL
to use for more complex VPNs

The first task in the Step-by-Step wizard is to configure the connection settings.
Step 1. Choose the outside interface to connect to the IPsec peer over the untrusted network.
Step 2. Specify the IP address of the peer.
Step 3. Choose the authentication method and specify the credentials. Use long and random PSKs
to prevent brute-force and dictionary attacks against IKE.
Step 4. Click Next to proceed to the next task.
The second task in the Step-by-Step wizard is to configure IKE proposals. A custom IKE proposal
can be created, or the default IKE proposal can be used.
Custom IKE Proposal
To create a custom IKE proposal, a new IKE proposal must be added.
Step 1. Click the Add button to define a proposal and specify the IKE proposal priority, encryp-
tion algorithm, hashing algorithm, IKE authentication method, DH group, and IKE lifetime.
Step 2. Click OK when configuring the IKE proposal is completed.
Step 3. When finished with adding IKE policies, choose the proposal to use. Click Next to pro-
ceed to the next task.
Predefined IKE Proposal

To use the predefined IKE proposal, click Next on the IKE Proposal page. The predefined IKE
proposal is chosen by default.
The third task in the Step-by-Step wizard is to configure a transform set. A custom IPsec transform
set can be created, or a predefined IPsec transform set can be used.
Custom IPsec Transform Set
To create a custom IPsec transform set, a new IPsec transform set must be added.
Step 1. Click the Add button to define the transform set and specify the name, integrity algorithm,
encryption algorithm, mode of operation, and optional compression.
Step 2. Click OK when configuring the transform set is completed.
Step 3. When finished adding transform sets, choose the transform set to use, and click Next to
proceed to the next task.
Predefined IPsec Transform Set
To use the predefined IPsec transform set, click Next on the Transform Set page. The predefined transform set
is chosen by default.
The fourth task in the Step-by-Step wizard is to configure which traffic needs protection.
To protect all traffic from one IP subnet to another:
Step 1. From the Traffic to Protect window, click the Protect all traffic between the following
subnets radio button.
Step 2. Define the IP address and subnet mask of the local network where IPsec traffic originates.
Step 3. Define the IP address and subnet mask of the remote network where IPsec traffic is sent.
To specify a Custom ACL (IPsec rule) that defines the traffic types to be protected:
Step 1. From the Traffic to Protect window, click the Create/Select an access-list for IPSec traf-
fic radio button.
Step 2. Click the ellipsis (...) button to choose an existing ACL or to create a new one.
Step 3. To use an existing ACL, choose the Select an existing rule (ACL) option. To create a new
ACL, choose the Create a new rule (ACL) and select option.
When creating a new ACL to define traffic that needs protection, a window that lists the created
access rule entries is displayed:
Step 1. Give the access rule a name and description.
Step 2. Click the Add button to start adding rule entries.
After a new ACL is created, entries must be specified within the ACL.
Step 1. Choose an action from the Select an Action list box and enter a description of the rule
entry in the Description text box.
Step 2. Define the source hosts or networks in the Source Host/Network pane, and the destination
hosts or networks in the Destination Host/Network pane. Each rule entry defines one pair of
source and destination addresses or networks. Be sure to use wildcard bits and not the subnet mask
bits in the Wildcard Mask field.
Step 3. (Optional) To provide protection for a specific protocol, choose the protocol radio button
(TCP, UDP, or ICMP) and the port numbers. If IP is chosen as the protocol, the rule applies to all
IP traffic.

At the end of the configuration, the wizard presents a summary of the configured parameters. To
modify the configuration, click the Back button. Click the Finish button to complete the configuration.

8.5.4 Verifying, Monitoring, and Troubleshooting VPNs
After the IPsec VPN is configured, it is necessary to test the VPN to verify operation.
To test the configuration of the VPN tunnel, choose Configure > VPN > Site-to-Site VPN > Edit
Site-to-Site VPN and click the Test Tunnel button.
The Generate Mirror button can also be clicked to generate a mirroring configuration that is re-
quired on the other end of the tunnel. This is useful if the other router does not have Cisco SDM
and must use the command-line interface (CLI) to configure the tunnel.
To see all IPsec tunnels, their parameters, and status, choose Monitor > VPN Status > IPsec

8.6 Implementing Remote-Access VPNs
8.6.1 The Changing Corporate Landscape
How many hours are spent by employees traveling to and from work everyday? What if there are
traffic jams? How could these hours be put to productive use? The answer is telecommuting.
Telecommuting is sometimes referred to as teleworking. Telecommuting employees have flexibil-
ity in location and hours. Employers offer telecommuting because they can save on real estate,
utility, and other overhead costs. Organizations that have the greatest success with a telecommut-
ing program ensure that telecommuting is voluntary, subject to management discretion, opera-
tionally feasible, and results in no additional costs.
Telecommuting organizations take full advantage of new technologies and new ways of working.
With telecommuting, the focus is on the actual work performed rather than on the location where it
is performed. This aspect of telecommuting moves us closer to a global society, allowing individu-
als across the world to work together. As one of the key workplace transformers of the next
decade, there is little doubt that it will inevitably and dramatically reshape how work is performed.
Telecommuting offers organizational, social, and environmental benefits. Studies have shown that
telecommuting improves employee lifestyles by decreasing job-related stresses. It can also accom-
modate those with health problems or disabilities. Telecommuting helps reduce energy consump-
tion by decreasing transportation related pollution. It also increases organizational profits,
improves recruitment and retention, and can offer possibilities for increased service and interna-
tional reach. Telecommuters in different time zones can ensure that a company is virtually open for
business around the clock.
Although telecommuting has many benefits, there may be some drawbacks. For example, telecom-
muters working from home can experience distractions that they would not have at work. Addi-
tionally, companies that offer telecommuting programs have to manage more risk, because data
must travel across public networks, and organizations must rely on employees to maintain secure
Telecommuters typically need high-speed access to the Internet. This access can be provided using
broadband connections, such as DSL, Cable or satellite Internet connections. Although a dialup
connection can be used to access the Internet, the access speed is very slow and is not generally
considered adequate for telecommuting.

Laptop or desktop computers are also required, and many implementations also require a VoIP
phone to provide seamless telephone services.
Security is a huge concern for companies. Remote access to corporate locations is implemented
using remote VPN access.

8.6.2 Introducing Remote-Access VPNs
The ubiquity of the Internet, combined with today's VPN technologies, allows organizations to
cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime.
VPNs have become the logical solution for remote-access connectivity for many reasons. VPNs
provide secure communications with access rights tailored to individual users, such as employees,
contractors, and partners. They also enhance productivity by extending the corporate network and
applications securely while reducing communication costs and increasing flexibility.
Using VPN technology, employees can essentially take their office, including access to emails and
network applications, with them. VPNs can also allow contractors and partners to have limited ac-
cess to the specific servers, web pages, or files required. This network access allows them to con-
tribute to business productivity without compromising network security.
There are two primary methods for deploying remote-access VPNs:

Secure Sockets Layer (SSL)

IP Security (IPsec)

The type of VPN method implemented is based on the access requirements of the users and the
organization's IT processes.
Both IPsec and SSL VPN technologies offer access to virtually any network application or re-
source. SSL VPNs offer such features as easy connectivity from non-company-managed desktops,
little or no desktop software maintenance, and user-customized web portals upon login.
IPsec exceeds SSL in many significant ways:

Number of applications that are supported

Strength of its encryption

Strength of its authentication

Overall security

When security is an issue, IPsec is the superior choice. If support and ease of deployment are the
primary issues, consider SSL.
IPsec and SSL VPN are complementary because they solve different problems. Depending on its
needs, an organization can implement one or both. This complementary approach allows a single
device such as an ISR router or an ASA firewall appliance to address all remote-access user re-
quirements. While many solutions offer either IPsec or SSL, Cisco remote-access VPN solutions
offer both technologies integrated on a single platform with unified management. Offering both
IPsec and SSL technologies enables organizations to customize their remote-access VPN without
any additional hardware or management complexity.

8.6.3 SSL VPNs
Cisco IOS SSL VPN is an emerging technology that provides remote-access connectivity from al-
most any Internet-enabled location using a web browser and its native SSL encryption. Originally
developed by Netscape, SSL has been universally accepted on the Web.
SSL VPN does not require a software client to be preinstalled on the endpoint host. It provides re-
mote-access connectivity for corporate resources to any authorized user from any Internet-enabled
The SSL protocol supports a variety of different cryptographic algorithms for operations such as
authenticating the server and client to each other, transmitting certificates, and establishing session
keys. Cisco SSL VPN solutions can be customized for businesses of any size. These solutions
deliver many remote-access connectivity features and benefits:

Web-based clientless access and full network access without preinstalled desktop software.
This facilitates customized remote access based on user and security requirements, and
minimizes desktop support costs.

Protection against viruses, worms, spyware, and hackers on a VPN connection by integrating
network and endpoint security in the Cisco SSL VPN platform. This reduces cost and
management complexity by eliminating the need for additional security equipment and
management infrastructure.

Simple, flexible, and cost-effective licensing. SSL uses a single license. There is no per-feature
license to purchase or manage. User count upgrades are flexible and cost effective. An
implementation can start with as few as 10 users and scale as the needs change.

Single device for both SSL VPN and IPsec VPN. This reduces cost and management
complexity by facilitating robust remote access and site-to-site VPN services from a single
platform with unified management.
SSL VPNs provide different types of access:

Clientless

Thin client

Full client

SSL VPN provides three modes of remote access on Cisco IOS routers: clientless, thin client, and
full client. ASA devices have two modes: clientless (which includes clientless and thin client port
forwarding) and AnyConnect client (which replaces full tunnel).
Clientless Access Mode
In clientless mode, the remote user accesses the internal or corporate network using a web browser
on the client machine. Clientless access requires no specialized VPN software or applet on the user
desktop. All VPN traffic is transmitted and delivered through a standard web browser. No other
software is required, eliminating many support issues. Using a clientless connection, all web-en-
abled and some client/server applications, such as intranets, applications with Web interfaces,
email, calendaring, and file servers, can be accessed.
Not all client/server applications are accessible to SSL clients; however, this limited access is often
a perfect fit for business partners or contractors who should have access only to a limited set of
resources on the organization's network. It does not work for employees that require full network
access.

Thin Client Mode
Thin client mode, sometimes called TCP port forwarding, assumes that the client application uses
TCP to connect to a well-known server and port. In this mode, the remote user downloads a Java
applet by clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the
client machine for the services configured on the SSL VPN gateway. The Java applet starts a new
SSL connection for every client connection.
The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway.
The name and port number of the internal email server are included in the HTTP request. The SSL
VPN gateway creates a TCP connection to that internal email server and port.
Thin client mode is often referred to as a type of clientless mode and can be used anywhere that
clientless VPNs are supported. It extends the capability of the cryptographic functions of the web
browser to enable remote access to TCP-based applications such as POP3, SMTP, IMAP, Telnet,
and SSH.
Full Tunnel Client Access Mode
Full tunnel client mode enables access to the corporate network completely over an SSL VPN tun-
nel, which is used to move data at the Network (IP) Layer. This mode supports most IP-based ap-
plications, such as Microsoft Outlook, Microsoft Exchange, Lotus Notes Email, and Telnet. Being
part of the SSL VPN is transparent to the applications run on the client. A Java applet is down-
loaded to handle the tunneling between the client host and the SSL VPN gateway. The user can use
any application as if the client host were on the internal network.
This VPN client, because it is dynamically downloaded and updated without any manual software
distribution or interaction from the end user, requires little or no desktop support by IT organiza-
tions, thereby minimizing deployment and operations costs. Like clientless access, full network ac-
cess offers full access control customization based on the access privileges of the end user. Full
network access is a natural choice for employees who need remote access to the same applications
and network resources that they use when in the office or for any client/server application that can-
not be delivered across a web-based clientless connection.
Establishing an SSL session involves a few steps:
Step 1. The user makes an outbound connection to TCP port 443.
Step 2. The router responds with a digital certificate, which contains a public key that is digitally
signed by a trusted certificate authority (CA).
Step 3. The user's computer generates a shared secret key that both parties use.
Step 4. The shared secret is encrypted with the public key of the router and transmitted to the
router. The router software is able to easily decrypt the packet using its private key. Now both par-
ticipants in the session know the shared secret key.
Step 5. The key is used to encrypt the SSL session.
SSL utilizes encryption algorithms with key lengths from 40 to 128 bits.
Before SSL VPN services are implemented in Cisco IOS routers, the current environment must be
analyzed to determine which features and modes might be useful in the implementation.
There are many SSL VPN design considerations:
- User connectivity - Determine whether the users connect to the corporate network from public shared computers, such as a computer in a library or at an Internet kiosk. In this case, use clientless SSL VPN mode.
256 CCNA Security Course Booklet, Version 1.0

- Router feature - A Cisco IOS router can run various features, such as IPsec VPN tunnels, routing engines, and firewall processes. Enabling the SSL VPN feature can add considerable load if the router is already running a number of features.
- Router hardware - The SSL VPN process is fairly CPU and memory intensive. Before implementing an SSL VPN on the Cisco IOS router, make sure to leverage the hardware-accelerated SSL VPN engines such as AIM-VPN/SSL-1, AIM-VPN/SSL-2, and AIM-VPN/SSL-3. Check www.cisco.com for more information about the SSL VPN hardware
- Infrastructure planning - It is important to consider the placement of the VPN termination devices. Before implementing the SSL VPN feature in Cisco IOS, ask questions such as: Should the SSL VPN be placed behind a firewall? If so, what ports should be opened? Should the decrypted traffic be passed through another set of firewalls? If so, what ports should be
- Implementation scope - Network security administrators need to determine the size of the SSL VPN deployment, especially the number of simultaneous users that will connect to gain network access. If one Cisco IOS router is not enough to support the required number of users, traditional load balancers or server-clustering schemes must be considered to accommodate all potential remote users.
SSL VPNs are a viable option for many organizations; however, the configuration of SSL VPNs is
beyond the scope of this course. Visit www.cisco.com to learn about the required configuration
commands to implement SSL VPNs as well as to download reference guides.

8.6.4 Cisco Easy VPN
While SSL VPNs are useful in many instances, many applications require the security of an IPsec
VPN connection for authentication and to encrypt data. Establishing a VPN connection between
two sites can be complicated and typically requires coordination between the network administra-
tors at each site to configure the VPN parameters. When deploying VPNs for telecommuters and
small branch offices, ease of deployment is critical if technical resources are not available for VPN
configuration on the remote site router.
The Cisco Easy VPN solution feature offers flexibility, scalability, and ease of use for site-to-site
and remote-access VPNs. It consists of three components:
- Cisco Easy VPN Server - A Cisco IOS router or Cisco PIX / ASA Firewall acting as the VPN head-end device in site-to-site or remote-access VPNs.
- Cisco Easy VPN Remote - A Cisco IOS router or Cisco PIX / ASA Firewall acting as a remote VPN client.
- Cisco Easy VPN Client - An application supported on a PC used to access a Cisco VPN

Most of the VPN parameters are defined on the Cisco IOS Easy VPN Server to simplify deploy-
ment. When a remote client initiates a VPN tunnel connection, the Cisco Easy VPN Server pushes
the IPsec policies to the client and creates the corresponding IPsec VPN tunnel connection.
The remote devices can be mobile workers running the Cisco Easy VPN client software on PCs to
easily establish VPN connections with the Cisco Easy VPN Server-enabled device through the In-
ternet. It can also be a Cisco device running the Cisco Easy VPN Remote feature, enabling it to be
a client of the Easy VPN Server. This means that individuals at small branch offices no longer
need to run VPN client software on their PCs.

The Cisco Easy VPN Server makes it possible for mobile and remote workers using VPN Client
software on their PCs to create secure IPsec tunnels to access their headquarters' intranet where
critical data and applications exist. It enables Cisco IOS routers and Cisco PIX and ASA Firewalls
to act as VPN head-end devices in site-to-site or remote-access VPNs. Remote office devices use
the Cisco Easy VPN Remote feature or the Cisco VPN Client application to connect to the server,
which then pushes defined security policies to the remote VPN device. This ensures that those con-
nections have up-to-date policies in place before the connection is established.
The Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN
3002 hardware clients or software clients to act as remote VPN clients. These devices can receive
security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at
the remote location. This cost-effective solution is ideal for remote offices with little IT support or
for large customer premises equipment (CPE) deployments where it is impractical to individually
configure multiple remote devices.
When a client connects to a server, the negotiation to secure the VPN occurs:
Step 1. The VPN client initiates the IKE Phase 1 process. If a pre-shared key is used for authentication, the VPN Client initiates aggressive mode. If digital certificates are used for authentication, the VPN Client initiates main mode.
Step 2. The VPN client establishes an ISAKMP SA. To reduce the amount of manual configuration on the VPN Client, Easy VPN ISAKMP proposals include every combination of encryption and hash algorithms, authentication methods, and DH group sizes.
Step 3. The Easy VPN Server accepts the SA proposal. The ISAKMP policy can consist of several proposals, but the Easy VPN Server uses the first match, so always configure the most secure policies first. Device authentication ends and user authentication begins at this
Step 4. The Easy VPN Server initiates a username and password challenge. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards can also be used via AAA proxy. VPN devices that are configured to handle remote VPN clients should always enforce user authentication.
Step 5. The mode configuration process is initiated. The remaining system parameters (IP address, DNS, split tunnel attributes, and so on) are pushed to the VPN client at this time using mode configuration.
Step 6. The reverse route injection (RRI) process is initiated. RRI ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.
Step 7. IPsec quick mode completes the connection. The connection is complete after IPsec SAs have been created.
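As an added example (not Cisco code), the following Python models the every-combination proposal of Step 2 and the first-match selection of Step 3, and includes a configuration check that flags a server policy list in which a weaker policy carries a lower priority number than a stronger one. The strength rankings, the sample policies, and the function names are assumptions constructed for this demonstration.

```python
"""Model of Easy VPN ISAKMP policy selection: first match in priority order.

Added example, not Cisco code. It models the rule the text describes
(the server walks its ISAKMP policies from the lowest priority number
upward and accepts the first one the client also proposed) and shows why
the most secure policies must be configured first.
"""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, List, Optional, Set, Tuple

# (encryption, hash, authentication, dh_group), the IKE proposal fields on this page
Proposal = Tuple[str, str, str, int]


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # IOS checks the policy with the lowest number first
    encryption: str      # DES, 3DES or AES
    hash_alg: str        # MD5 or SHA-1
    authentication: str  # PRE-SHARE or RSA-SIG
    dh_group: int        # 1, 2 or 5

    def as_proposal(self) -> Proposal:
        return (self.encryption, self.hash_alg, self.authentication, self.dh_group)


# Assumed relative strength (higher is stronger); used only by the ordering check.
ENC_RANK = {"DES": 1, "3DES": 2, "AES": 3}
HASH_RANK = {"MD5": 1, "SHA-1": 2}


def easy_vpn_client_proposals(authentication: str) -> Set[Proposal]:
    """Step 2: the client offers every combination of encryption, hash and DH group."""
    return {(enc, h, authentication, grp)
            for enc, h, grp in product(ENC_RANK, HASH_RANK, (1, 2, 5))}


def select_policy(server_policies: Iterable[IsakmpPolicy],
                  client_proposals: Set[Proposal]) -> Optional[IsakmpPolicy]:
    """Step 3: first server policy, in priority order, that the client also proposed."""
    for policy in sorted(server_policies, key=lambda p: p.priority):
        if policy.as_proposal() in client_proposals:
            return policy
    return None  # no common proposal: IKE Phase 1 fails


def dominates(stronger: IsakmpPolicy, weaker: IsakmpPolicy) -> bool:
    """True when `stronger` is at least as strong in every attribute and stronger in one."""
    a = (ENC_RANK[stronger.encryption], HASH_RANK[stronger.hash_alg], stronger.dh_group)
    b = (ENC_RANK[weaker.encryption], HASH_RANK[weaker.hash_alg], weaker.dh_group)
    return all(x >= y for x, y in zip(a, b)) and a != b


def misordered_policies(server_policies: Iterable[IsakmpPolicy]) -> List[Tuple[int, int]]:
    """Configuration check: (weak_priority, strong_priority) pairs where a policy is
    checked before a strictly stronger one, so first-match can settle on the weak one."""
    ordered = sorted(server_policies, key=lambda p: p.priority)
    return [(weak.priority, strong.priority)
            for i, weak in enumerate(ordered)
            for strong in ordered[i + 1:]
            if dominates(strong, weak)]


def demo() -> dict:
    """Constructed server configurations: a misordered policy list and the corrected one."""
    misordered = [
        IsakmpPolicy(10, "DES", "MD5", "PRE-SHARE", 1),
        IsakmpPolicy(20, "AES", "SHA-1", "PRE-SHARE", 5),
    ]
    corrected = [
        IsakmpPolicy(10, "AES", "SHA-1", "PRE-SHARE", 5),
        IsakmpPolicy(20, "DES", "MD5", "PRE-SHARE", 1),
    ]
    psk_client = easy_vpn_client_proposals("PRE-SHARE")
    cert_client = easy_vpn_client_proposals("RSA-SIG")
    return {
        "misordered_pick": select_policy(misordered, psk_client).encryption,
        "misordered_findings": misordered_policies(misordered),
        "corrected_pick": select_policy(corrected, psk_client).encryption,
        "corrected_findings": misordered_policies(corrected),
        "no_common_auth": select_policy(corrected, cert_client),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the weak policy at priority 10 the server settles on DES/MD5 even though both sides support AES/SHA-1; swapping the priority numbers fixes the pick and clears the finding.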

8.6.5 Configure a VPN Server with SDM
Configuring Cisco Easy VPN Server functionality using SDM consists of two major tasks:
Task 1. Configure prerequisites, such as AAA, privileged users, and the enable secret password,
based on the chosen VPN design.
Task 2. Configure the Cisco Easy VPN Server.
From the SDM main page, click the Configure button, then click the VPN Task button and select
the Easy VPN Server option. If AAA has not been previously configured, the wizard asks to configure it. If AAA is disabled on the router, configure AAA before Easy VPN Server configuration
begins and create at least one administrative user.
After the Easy VPN Server wizard is launched, the Interface and Authentication window displays.
Specify the router interface where the VPN connection will terminate (e.g., Unnumbered to Serial
0/0/1) and the authentication method (e.g., pre-shared keys or digital certificates).
Click Next to display the IKE Proposals window. When configuring IKE proposals, use the default
policy that is predefined by SDM or add a custom IKE Policy specifying these required parameters:

- IKE policy priority
- Authentication (PRE-SHARE or RSA-SIG)
- D-H group (1, 2, or 5)
- Encryption algorithm (DES, 3DES or AES)
- Hash (SHA-1 or MD5)
- IKE lifetime

Cisco SDM provides a default transform set. Use the default or create a new IPsec transform set
configuration using these parameters:
- Transform set name
- Encryption algorithm (DES, 3DES, AES, or SEAL)
- HMAC (SHA-1 or MD5)
- Optional compression
- Mode of operation (tunnel or transport)

The Group Authorization and Group Policy Lookup window appears next. There are three options
to choose from for the location where Easy VPN group policies can be stored:
- Local - All groups are in the router configuration in NVRAM.
- RADIUS - The router uses the RADIUS server for group authorization.
- RADIUS and Local - The router can look up policies stored in an AAA server database that can be reached via RADIUS.
Click Next to configure the Group Authorization parameters. Click the Add button to add a new
group policy. The General tab allows configuration of the following parameters:
- Group name
- Pre-shared keys
- IP Address pool information
- Maximum connections allowed
Other tabs address the following options:
- Split Tunneling
- Client Settings
- XAuth Options
- Client Update

After all the steps are completed, the Easy VPN Server wizard presents a summary of the config-
ured parameters. Click Back to correct any errors in the configuration. Otherwise, click Finish to
apply the configuration to the router.
The Easy VPN Server configuration can then be verified. Run a test to confirm the correct tunnel
configuration by clicking the Test VPN Server button at the bottom of the Edit Easy VPN Server
page. This will present the VPN Troubleshooting window, which displays the VPN validation re-

8.6.6 Connect with a VPN Client
The Cisco VPN Client is simple to deploy and operate. It allows organizations to establish end-to-
end, encrypted VPN tunnels for secure connectivity for mobile employees or telecommuters. This
thin-design IPsec implementation is compatible with all Cisco VPN products.
When preconfigured for mass deployments, initial logins require little user intervention. Cisco
VPN Client supports the innovative Cisco Easy VPN capabilities, delivering a uniquely scalable,
cost-effective, and easy-to-manage remote access VPN architecture that eliminates the operational
costs associated with maintaining a consistent policy and key management method.
The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies on a VPN
tunnel connection from the central site VPN device (Cisco Easy VPN Server), minimizing config-
uration requirements at the remote location. This simple and highly scalable solution is ideal for
large remote access deployments where it is impractical to configure policies individually for mul-
tiple remote PCs.
When the Cisco Easy VPN client is installed, open the Cisco Easy VPN client window to start an
IPsec VPN connection on a PC.
The application lists the available preconfigured sites. Double-click a site. In the user authentica-
tion dialog box, authenticate to the site. After authentication, the Cisco Easy VPN Client displays a
connected status.
Configuring the Easy VPN client is beyond the scope of this course. Check www.cisco.com for
more information.

Chapter Summary
Refer to the Packet Tracer Activity for this chapter.
Refer to the Lab Activity for this chapter.

Your Chapter Notes

Managing a Secure Network

Chapter Introduction
Mitigating network attacks requires a comprehensive, end-to-end approach that includes creating
and maintaining security policies based on the security needs of an organization. The first step in
establishing an organization's security needs is to identify likely threats and perform a risk analy-
sis, the results of which are used to establish the security hardware and software implementations,
mitigation policies, and network design.
To help simplify network design, it is recommended that all security mechanisms come from a sin-
gle vendor. The Cisco Self-Defending Network (SDN) is a comprehensive, end-to-end solution for
network security. Cisco Security Manager and Cisco MARS provide network management options
for Cisco SDN solutions.
After the network is designed, operations security entails the day-to-day practices necessary to
first deploy and later maintain the secure system. Part of maintaining a secure system is network
security testing. Security testing is performed by the operations team, to ensure that all security
implementations are operating as expected. Testing is also used to provide insight into business
continuity planning, which addresses the continuing operations of an organization in the event of a
disaster, disruption, or prolonged service interruption.
After a secure network is implemented and continuity plans are established, those plans and docu-
ments must be continuously updated based on the changing needs of the organization. For this rea-
son, it is necessary to understand the system development life cycle (SDLC) for the purposes of
evaluating system changes and adjusting security implementations. The SDLC includes five
phases: initiation, acquisition and development, implementation, operations and maintenance, and
disposition. It is important to include security considerations in all phases of the SDLC.
A network security system cannot completely prevent assets from being vulnerable to threats. New
attacks are developed and vulnerabilities identified that can be used to circumvent security solu-
tions. Additionally, technical, administrative, and physical security systems can be defeated if the
end user community does not adhere to security practices and procedures. A comprehensive secu-
rity policy must be maintained which identifies an organization's assets, specifies the security
hardware and software requirements for protecting those assets, clarifies the roles and responsibili-
ties of personnel, and establishes the proper protocol for responding to security breaches. If secu-
rity policies are established and followed, organizations can minimize the loss and damages
resulting from attacks.
In a comprehensive hands-on lab for the chapter, Security Policy Development and
Implementation, learners create a basic security policy, harden network routers, configure remote
access and authentication options, configure NTP and logging, configure a CBAC firewall, config-
ure a ZPF firewall, configure IPS using CLI and SDM, back up and secure router images and con-
figuration files, harden network switches, configure remote access and authentication options,
mitigate STP attacks, and configure and test remote access IPsec VPNs. The lab is found in the lab
manual on Academy connection at cisco.netacad.net.
A comprehensive Packet Tracer activity, Configure a Network for Secure Operation, provides
learners additional practice implementing the technologies introduced in this final chapter. Learn-
ers secure the routers with strong passwords and password encryption, secure the console and
VTY lines, configure login banners, configure local AAA authentication, configure SSH, config-
ure syslog, configure NTP, harden the network routers, configure CBAC, configure ZPF, and se-
cure the network switches. Packet Tracer activities for CCNA Security are found on Academy
Connection at cisco.netacad.net.

9.1 Principles of Secure Network Design
9.1.1 Ensuring a Network is Secure
Mitigating network attacks requires a comprehensive, end-to-end approach:
- Secure network devices with AAA, SSH, role-based CLI, syslog, SNMP, and NTP.
- Secure services using AutoSecure and one-step lockdown.
- Protect network endpoints, such as workstations and servers, against viruses, Trojan Horses, and worms with Cisco NAC, Cisco IronPort, and Cisco Security Agent.
- Use Cisco IOS Firewall and accompanying ACLs to secure resources internally while protecting those resources from outside attacks.
- Supplement Cisco IOS Firewall with Cisco IPS technology to evaluate traffic using an attack signature database.
- Protect the LAN by following Layer 2 and VLAN recommended practices and by using a variety of technologies, including BPDU guard, root guard, PortFast, and SPAN.
Despite these security techniques, hackers are continuously developing new ways to attack net-
works. An important part of implementing a secure network is creating and maintaining security
policies to mitigate existing as well as new kinds of attacks. These policies enforce a structured,
informed, consistent approach to securing the network. When developing security policies, several
questions must be answered:
- Business needs - What does the organization want to do with the network? What are the organizational needs? Regardless of the security implications, business needs must come first.
- Threat identification - What are the most likely types of threats given the organization's purpose? For example, a financial institution will face different threats than a university.
- Risk analysis - What is the cost versus benefit analysis of implementing various security technologies? How do the latest security techniques affect the network environment and what is the risk if they are not implemented?
- Security needs - What are the policies, standards, and guidelines needed to address business needs and risks?
- Industry-recommended practices - What are the reliable, well-understood, and recommended security practices that similar organizations currently employ?
- Security operations - What are the current procedures for incident response, monitoring, maintenance, and auditing of the system for compliance?
Many security assumptions are made when designing and implementing a secure network. Unfor-
tunately, unfounded assumptions about how and where the system will be used can lead to broken,
misconfigured, or bypassed security mechanisms. An example of a bad assumption is that more
users need to use a protocol, such as FTP, than is actually the case.
Chapter 9: Managing a Secure Network 265

A wrong assumption has negative ramifications for all design work. It might influence one design
decision, and then propagate to other decisions that depend on it. Wrong decisions are especially
dangerous in early stages of secure system design when threats are modeled and risks are assessed.
It is often easy to correct or enhance a single implementation aspect of a system, such as a firewall
configuration. However, design errors, such as where that firewall is placed, are either extremely
hard or impossible to correct without substantial investments in time and technology.
There are guidelines to help you avoid making wrong assumptions:
- Expect that any aspect of a security system might fail. When designing a system, perform what-if analysis for failures of every element, assess the probability of failure, and analyze all possible consequences of a failure, taking into account cascading failures of other elements.
- Identify any elements that fail-open. Fail-open occurs when a failure results in a complete bypass of the security function. Ideally, any security element should be fail-safe. If the element fails, it should default to a secure state, such as blocking all traffic.
- Try to identify all attack possibilities. One way to accomplish this is with a top-down analysis of possible system failures, which involves evaluating the simplicity and probability of every attack on a system. This type of analysis is commonly referred to as an attack tree analysis.
- Evaluate the probability of exploitation. Focus on the resources that are needed to create an attack, not the obscurity of a particular vulnerability. Be sure to account for technological
- Assume that people make mistakes. For example, end users might use a system improperly, compromising its security unintentionally.
- Attackers might not use common and well-established techniques to compromise a system. Instead, they might hammer the system with seemingly random attacks, looking for possible information on how the system behaves under unexpected conditions.
- Check all assumptions with other people. They might have a fresh perspective on potential threats and their probability. The more people that question the assumptions, the more likely a bad assumption will be identified.

9.1.2 Threat Identification and Risk Analysis
One of the first steps to establishing an organization's security needs is to identify likely threats.
Threat identification provides an organization with a list of threats that a system is subject to in a
particular environment. When identifying threats, it is important to ask two questions:
- What are the possible vulnerabilities of a system?
- What are the consequences if system vulnerabilities are exploited?

For example, threat identification for connecting an e-banking system would include:
- Internal system compromise - The attacker uses the exposed e-banking servers to break into an internal bank system.
- Stolen customer data - An attacker steals the personal and financial data of bank customers from the customer database.
- Phony transactions from an external server - An attacker alters the code of the e-banking application and runs arbitrary transactions impersonating a legitimate user.
- Phony transactions if the customer PIN or smart card is stolen - An attacker steals the identity of a customer and runs malicious transactions from the compromised account.
- Insider attack on the system - A bank employee finds a flaw in the system to mount an
- Data input errors - A user inputs incorrect data or makes incorrect transaction requests.
- Data center destruction - A cataclysmic event severely damages or destroys the data center.

Identifying vulnerabilities on a network entails understanding the important applications that are
used as well as the different vulnerabilities of those applications and of the hardware. This can require a
significant amount of research on the part of the network administrator.
Risk analysis is the systematic study of uncertainties and risks. It estimates the probability and
severity of threats to a system and provides an organization with a prioritized list. Risk analysts
identify the risks, determine how and when those risks might arise, and estimate the impact (finan-
cial or otherwise) of adverse outcomes.
The first step in developing a risk analysis is to evaluate each threat to determine its severity and
- Internal system compromise - Extremely severe and likely if untrusted software is used to pass data to the inside network.
- Stolen customer data - Severe and likely if the external server is vulnerable to intrusions, which could compromise the operating system or application.
- Phony transactions if external server is broken into - Severe and likely if the external server is vulnerable to intrusions, which could compromise the operating system or application.
- Phony transactions if customer PIN or smart card is stolen - Limited severity because individual accounts are compromised. Likely only if the stolen credentials are not detected
- Insider attack on the system - Extremely severe and likely based on past insider attacks on company data.
- Data input errors - Moderate severity and likely because of human error.
- Data center destruction - Extremely severe but not likely because it requires an event of epic proportions, such as a natural disaster.

After the threats are evaluated for severity and likelihood, the information is used in a risk analy-
sis. There are two types of risk analysis in information security, quantitative and qualitative.
Quantitative Risk Analysis
Quantitative risk analysis uses a mathematical model that assigns a monetary figure to the value of
assets, the cost of threats being realized, and the cost of security implementations. Monetary fig-
ures are typically based on an annual cost.
Qualitative Risk Analysis
There are various ways of conducting qualitative risk analysis. One method uses a scenario-based
model. This approach is best for large cities, states, and countries because it is impractical to try to
list all the assets, which is the starting point for any quantitative risk analysis. For example, by the
time a typical national government lists all of its assets, the list would have hundreds or thousands
of changes and would no longer be accurate.

With qualitative risk analysis, research is exploratory and cannot always be graphed or proven
mathematically. It focuses mostly on the understanding of why risk is present and how various so-
lutions work to resolve the risk. Quantitative risk analysis is more mathematically precise and typi-
cally used by organizations as cost justification for proposed countermeasures. For this reason, the
next topic investigates the specifics of building a quantitative risk analysis.
Quantitative Risk Analysis
Quantitative analysis relies on specific formulas to determine the value of the risk decision vari-
ables. These include formulas that calculate the asset value (AV), exposure factor (EF), single loss
expectancy (SLE), annualized rate of occurrence (ARO), and annualized loss expectancy (ALE).
Asset Value
The asset value includes the purchase price, the cost of deployment, and the cost of maintenance.
In the instance of a database or a web server, the AV should also include the cost of development.
AV is not an easy number to calculate.
Exposure Factor
The exposure factor is an estimate of the degree of destruction that could occur. For example, sup-
pose water flooding is a possibility that could affect the e-banking data center. What is the likeli-
hood that it could destroy the data center? Would the destruction be 60 percent, 80 percent, or 100
percent? The risk assessment team must evaluate all possibilities and then make a determination.
Assuming that a backup copy of all media and data is stored offsite, the only losses are to the hard-
ware and productivity. Therefore, a flood would have a 60 percent destruction factor.
As another example, consider data entry errors, which are much less damaging than a flood. A sin-
gle data entry error is most likely less than a fraction of a percent in exposure, or .001 percent.
Single Loss Expectancy
The single loss expectancy calculation represents the expected loss from a single occurrence of the
threat. The SLE is defined as AV multiplied by EF. Using the previous examples, the SLE calcula-
tions result in the following:
Flood threat
- Exposure Factor is 60 percent
- AV of the enterprise is US$10,000,000
- SLE is US$10,000,000 * .60 = US$6,000,000
Data entry error
- Exposure Factor is .001 percent
- AV of data and databases is US$1,000,000
- SLE is US$1,000,000 * 0.00001 = US$10

Annualized Rate of Occurrence
The annualized rate of occurrence estimates the frequency of an event and is used to calculate the
Using the previous examples, the type of flood to affect the data center would be a flood-of-the-
century event, so it has a 1/100 chance of occurring this year, making the ARO for the flood 1/100.

Expect a data entry error to occur 500 times a day. Because the organization is open for business
250 days per year, estimate the ARO for the data entry error to be 500 * 250, or 125,000 total oc-
Annualized Loss Expectancy
Risk analysts calculate the ALE in annualized terms to address the cost to the organization if the
organization does nothing to counter existing threats. The ALE is derived from multiplying the
SLE by the ARO. The ALE calculations for the examples are surprising.
Flood threat
- SLE is US$6,000,000
- ARO is .01
- ALE is US$6,000,000 * .01 = US$60,000
Data input error
- SLE is US$10
- ARO is 125,000
- ALE is US$10 * 125,000 = US$1,250,000

A decision to spend US$50,000 to enhance the security of database applications to reduce data
entry errors significantly is now an easy decision. It is equally easy to reject a proposal to enhance
the defenses against floods that cost US$3,000,000.
It is necessary to perform a quantitative risk analysis for all threats identified during the threat
identification process.
A list of all identified threats should state each expected issue, the relative cost of that issue, and
the total cost if all expected threats are realized. This list should then be prioritized based on the
most serious threat and relative cost.
If an organization had a list of 10 expected threats, it could then prioritize the threats and address
the most serious ones first. This prioritization enables management to focus resources where they
do the most good. For example, suppose an organization compiled this list of threats and costs:
- Insider network abuse - US$1,000,000 in lost productivity
- Data input error - US$500,000
- Worm outbreak - US$100,000
- Viruses - US$10,000
- Laptop theft - US$10,000

Assume that a current anti-virus solution is in place and decision makers must decide whether to
update it. Based on quantitative analysis, decision makers could determine that resources are best
used toward addressing insider network abuse and not toward the new anti-virus solution.
In incidents that involve national security, it is not advisable to base decisions on cost.
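As an added example (not from the booklet), the following Python carries the SLE and ALE formulas through with the flood and data-entry figures given above, compares each proposed countermeasure's cost against the loss it would remove, and ranks the five-threat list by annual cost. The countermeasure effectiveness values (a 50 percent reduction for the database enhancement, full elimination for the flood defense) and the function names are assumptions for the demonstration.

```python
"""Quantitative risk analysis worked through with the page's figures.

Added example, not from the booklet. Implements SLE = AV * EF and
ALE = SLE * ARO, evaluates a countermeasure by comparing its annual cost
with the ALE it would remove, and ranks a threat list by annual cost.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in US$
    exposure_factor: float  # EF, fraction of AV destroyed per occurrence (0.0 to 1.0)
    annual_rate: float      # ARO, expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year if nothing is done."""
        return self.sle * self.annual_rate


def annual_benefit(threat: Threat, annual_cost: float, reduction: float) -> float:
    """Net annual value of a countermeasure that removes `reduction` (0.0 to 1.0)
    of the threat's ALE. A positive result means the spend pays for itself."""
    return threat.ale * reduction - annual_cost


def prioritize(threats: List[Threat]) -> List[str]:
    """Threat names ordered by ALE, highest first: where resources go first."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale, reverse=True)]


def rank_costs(costs: Dict[str, float]) -> List[str]:
    """Same ordering for a list that already states each threat's annual cost."""
    return sorted(costs, key=costs.get, reverse=True)


# Figures from the text: ".001 percent" is 0.00001 as a fraction; the data-entry ARO is
# 500 errors per day times 250 business days; the flood is a 1-in-100-years event.
FLOOD = Threat("Flood", asset_value=10_000_000, exposure_factor=0.60, annual_rate=1 / 100)
DATA_ENTRY = Threat("Data entry error", asset_value=1_000_000,
                    exposure_factor=0.00001, annual_rate=500 * 250)

# The five-threat list from the text (annual cost in US$).
THREAT_COSTS = {
    "Insider network abuse": 1_000_000,
    "Data input error": 500_000,
    "Worm outbreak": 100_000,
    "Viruses": 10_000,
    "Laptop theft": 10_000,
}

if __name__ == "__main__":
    for t in (FLOOD, DATA_ENTRY):
        print(f"{t.name}: SLE=US${t.sle:,.0f} ALE=US${t.ale:,.0f}")
    # Assumed effectiveness: the US$50,000 database enhancement halves data entry
    # errors; the US$3,000,000 flood defense is charged in a single year and would
    # eliminate the flood loss entirely. Even that favourable case does not pay.
    print("database enhancement net:", annual_benefit(DATA_ENTRY, 50_000, 0.5))
    print("flood defense net:", annual_benefit(FLOOD, 3_000_000, 1.0))
    print("priority by ALE:", prioritize([FLOOD, DATA_ENTRY]))
    print("priority by stated cost:", rank_costs(THREAT_COSTS))
```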

9.1.3 Risk Management and Risk Avoidance
When the threats are identified and the risks are assessed, a protection strategy must be deployed
to protect against the risks. There are two very different methods to handle risks:
- Risk management - This method deploys protection mechanisms to reduce risks to acceptable levels. Risk management is perhaps the most basic and the most difficult aspect of building secure systems, because it requires a good knowledge of risks, risk environments, and mitigation methods.
- Risk avoidance - This method eliminates risk by avoiding the threats altogether, which is usually not an option in the commercial world, where controlled, or managed, risk enables
Consider the bank that wants to provide e-banking services. Risk management can be illustrated
by high-level strategy decisions, which describe how to mitigate each risk. Keep in mind that not
all mitigation techniques are implemented based on the risk versus cost formula used in the quanti-
tative risk analysis:
- Internal system compromise - Provide the minimum necessary privileges to internal users to perform specific tasks, and use secure applications that minimize inside access.
- Stolen customer data - Keep all customer data on inside servers, and only transfer data to the outside on demand.
- Phony transactions if external server is broken into - Allow only man-in-the-middle attacks on the external server, and design the external server application so that it does not allow arbitrary transactions to be called for any customer account.
- Phony transactions if customer PIN or smart card is stolen - Use a quick refresh of

