Presentation is loading. Please wait.

Presentation is loading. Please wait.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Published byJavion Jeffress Modified over 10 years ago

Similar presentations

Presentation on theme: "Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits."— Presentation transcript:

1 Point Protection 111

2 Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits

3 NOC ISPs Backbone RISK Assessment Remote StaffOffice Staff Penetration Interception Penetration Interception DOS AAA

4 NOC ISPs Backbone Lock Down the VTY and Console Ports Remote StaffOffice Staff Penetration AAA VTY, Console, rACLs, and VTY ACL

5 NOC ISPs Backbone Encrypt the Traffic from Staff to Device Remote StaffOffice Staff Interception AAA SSH from Staff to Device

6 NOC ISPs Backbone Staff AAA to get into the Device Remote StaffOffice Staff Penetration AAA AAA on the Device

7 NOC ISPs Backbone Radius is not an SP AAA Option! Remote StaffOffice Staff Interception AAA SSH from Staff to Device encrypts the password via secure TCP Sessions Radius sends unencrypted traffic to the AAA server via UDP! Why make a big deal about SSH to the router when you choose to put your network at risk using Radius as a AAA solution?

8 NOC ISPs Backbone One Time Password – Checking the ID Remote StaffOffice Staff Penetration AAA One-Time Password Token cardToken card Soft tokenSoft token S-keyS-key How do you insure that the engineer is authenticated vs a penetrated computer authenticated? OTP

9 NOC ISPs Backbone DOSing the AAA Infrastructure Remote StaffOffice Staff DOS the AAA Servers AAA OTP DOS the AAA Ports

10 NOC ISPs Backbone Use a Firewall to Isolate the AAA Servers Remote StaffOffice Staff DOS the AAA Servers AAA OTP DOS the AAA Ports Statefull inspection is another reason to select TCP base AAA over UDP. NOC Firewall Separate AAA Firewall to protect from internal and external threats.

11 AAA OTP AAA Node Peer B Peer A Distribute AAA Servers and Config Backup IXP-W IXP- E Upstream A Upstream B POP NOC G Sink Hole Network Upstream B AAA OTP AAA Node

12 TACACS+ URLs TACACS+ Open Source –ftp://ftp-eng.cisco.com/pub/tacacs/ftp://ftp-eng.cisco.com/pub/tacacs/ –Includes the IETF Draft, Source, and Specs. Extended TACACS++ server –http://freshmeat.net/projects/tacpp/ TACACS + mods –http://www.shrubbery.net/tac_plus/

13 The Old World: Router Perspective Policy enforced at process level (VTY ACL, Kernel ACL, SNMP ACL, etc.) Some early features such as ingress ACL used when possible untrusted telnet, snmp Attacks, junk Router CPU

14 The New World: Router Perspective Central policy enforcement, prior to process level Granular protection schemes On high-end platforms, hardware implementations Protecting The Router Control Plane draft-ietf-opsec- protect-control-plane-04 untrusted telnet, snmp Attacks, junk Router CPU Protection

15 Watch the Config! There has been many times where the only way you know someone has violated the router is that a config has changed. If course you need to be monitoring your configs.

16 Config Monitoring RANCID - Really Awesome New Cisco config Differ (but works with lots of routers – used a lot with Juniper Routers) http://www.shrubbery.net/rancid/ http://www.nanog.org/mtg-0310/rancid.html Rancid monitors a device's configuration (software & hardware) using CVS. Rancid logs into each of the devices in the device table file, runs various show commands, processes the output, and emails any differences from the previous collection to staff.

Download ppt "Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits."

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
 Controls that provide security against internal and external threats  2 Types of access controls: › Physical controls › Logical controls.

 Controls that provide security against internal and external threats  2 Types of access controls: › Physical controls › Logical controls.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.

Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.

Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.
Access Control Key concepts: Controlling the data flow within a network ACL (access control lists)

Access Control Key concepts: Controlling the data flow within a network ACL (access control lists)

Similar presentations

Ads by Google