2 Privilege levels in Cisco routers
Cisco IOS offers 16 privilege levels.
User EXEC mode: level 1
Privileged EXEC mode: level 15
Levels of access to commands, called privilege levels, can be configured to protect the system from unauthorized access.
Router# show privilege
Current privilege level is 15
Configure the specified privilege level. This allows access to the specified command; the "all" keyword enables access to all commands that start with the specified string:
Router(config)# privilege exec all level 5 show ip
Set the password for the specified privilege level. In the command below, 0 indicates that an unencrypted password string follows; 5 would indicate that an encrypted password string follows:
Router(config)# enable secret level 6 0 letmein
Set the configure command to privilege level 14:
Router(config)# privilege exec level 14 configure
Router(config)# enable secret level 14 SecretPswd14
3 General Framework
J. Wang. Computer Network Security: Theory and Practice. Springer, 2008.
4 What is a DMZ?
A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
Also known as a Data Management Zone, Demarcation Zone or Perimeter Network.
When connecting our private network to the untrusted network (the Internet), we should control the flow of traffic in a secured manner with a firewall device. With a firewall, all traffic is forced to pass through a single concentrated checkpoint where it is controlled, authenticated, filtered and logged according to the policies set. In this way we can significantly reduce, but not eliminate, the amount of unauthorized traffic reaching our internal network.
5 Typical components of a DMZ network
Web servers that need to be made available to the general public, such as the company's primary Web presence advertising its products or services.
Public DNS servers that resolve the names in your domain to the appropriate IP addresses for users outside your organization.
Public FTP servers on which you provide files to the public, such as downloads of your product manuals or software drivers.
Anonymous SMTP relays that forward e-mail from the Internet to internal mail server(s).
Servers running complex e-commerce Internet and extranet applications.
Proxy servers.
Internet users can access these public resources, but they cannot get into our private/internal corporate networks.
6 Split configurations
Mail services can be split between servers on the DMZ and the internal network:
The internal mail server handles e-mail from one computer to another on the internal network.
Mail that comes in from, or is sent to, computers outside the internal network over the Internet is handled by an SMTP gateway located in the DMZ.
For e-commerce systems:
The front-end server, directly accessible by Internet users, is in the DMZ.
Back-end servers that store sensitive information are on the internal network.
[Figure: firewall with a LAN interface and a DMZ interface]
7 DMZ with two firewalls
A DMZ that uses two firewalls is called a back-to-back DMZ.
Advantage of this configuration:
A fast packet-filtering firewall/router at the front end (the Internet edge) increases the performance of your public servers.
A slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) provides more protection to the internal network without negatively impacting the performance of your public servers.
8 Tri-homed DMZ
When a single firewall is used to create a DMZ, it is called a tri-homed DMZ.
The firewall computer or appliance has interfaces to three separate networks:
The internal interface to the trusted network (the internal LAN)
The external interface to the untrusted network (the public Internet)
The interface to the semi-trusted network (the DMZ)
9 Creating a DMZ infrastructure
Two important characteristics of the DMZ are:
It has a different network ID from the internal network. A DMZ can use either public or private IP addresses, depending on its architecture: with public addresses, subnet the IP address block that is assigned by your ISP; if using private IP addresses for the DMZ, a Network Address Translation (NAT) device will be required.
It is separated from both the Internet and the internal network by a firewall.
10 Security of DMZ
The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories:
DMZs designed for unauthenticated or anonymous access
DMZs designed for authenticated access
If you have a Web server that you want everybody on the Internet to be able to access (such as a Web presence advertising your company), you will have to allow anonymous access. You cannot easily provide authentication credentials to every stranger who happens upon your site. However, if your Internet-facing servers on the DMZ are used by partners, customers, or employees working off-site, you can require authentication to access them. This makes it more difficult for a hacker to gain access.
11 Host security on the DMZ
Be sure to set strong passwords and use RADIUS or other certificate-based authentication for remote access to the management console.
To allow you to manage the router through a Web page, it runs an HTTP server. It is good security practice to disable the HTTP server, as it can serve as a point of attack.
Local user accounts and HTTP server authentication:
Router(config)# username richard privilege 15 secret bigXdogYlover
Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER
Router(config)# ip http server
Router(config)# ip http authentication local
Set up your VTY access for SSH (optional, but recommended):
Router(config)# username name secret password
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh
Router(config-line)# login local
Assign different privilege levels to users:
Router(config)# privilege exec all level 5 show ip
12 Specify traffic exiting the corporate network
The corporate network zone houses private servers and internal clients. No other network should be able to access it.
Configure an extended access list to specify which traffic can exit the network:
GAD(config)#access-list 101 permit ip any
GAD(config)#access-list 101 deny ip any any
GAD(config)#interface fa1
GAD(config-if)#ip access-group 101 in
Can Host A ping the Web Server?
Can Host A ping Host B?
Can Host B ping the Web Server?
Can Host B ping Host A?
13 Limit traffic allowed into the corporate network
Traffic allowed into the corporate network must be limited. Traffic entering the corporate network will be coming from either the Internet or the DMZ.
All traffic that originated from the corporate network can be allowed back into that network. Enter the following:
GAD(config)#access-list 102 permit tcp any any established
Permit ICMP into the network. This will allow the internal hosts to receive ICMP messages:
GAD(config)#access-list 102 permit icmp any any echo-reply
GAD(config)#access-list 102 permit icmp any any unreachable
No other traffic is desired into the corporate network:
GAD(config)#access-list 102 deny ip any any
Finally, apply the access list to the corporate network Fast Ethernet port:
GAD(config)#interface ethernet1
GAD(config-if)#ip access-group 102 out
Can Host A ping the Web Server?
Can Host A ping Host B?
Can Host B ping the Web Server?
Can Host B ping Host A?
14 Protect the DMZ network
Configure an extended access list to protect the DMZ network:
GAD(config)#access-list 111 permit ip any
GAD(config)#access-list 111 deny ip any any
GAD(config)#interface ethernetfa0
GAD(config-if)#ip access-group 111 in
Specify which traffic can enter the DMZ network. Traffic entering the DMZ network will be coming from either the Internet or the corporate network requesting World Wide Web services.
Configure an outbound extended access list specifying that World Wide Web requests be allowed into the network:
GAD(config)#access-list 112 permit tcp any host eq www
What command would be entered to allow DNS and FTP requests into the DMZ?
For management purposes, it would be useful to let corporate users ping the Web Server, but not Internet users:
GAD(config)#access-list 112 permit icmp host
GAD(config)#access-list 112 deny ip any any
GAD(config)#interface fa ethernet 0
GAD(config-if)#ip access-group 112 out
15 Deter spoofing
Spoofing is a common method of attempting to forge a valid internal source IP address.
To deter spoofing, configure an access list so that Internet hosts cannot easily spoof an internal network address.
Three common source IP addresses that hackers attempt to forge are valid internal addresses (e.g., ), loopback addresses (i.e., 127.x.x.x), and multicast addresses (i.e., 224.x.x.x – 239.x.x.x).
GAD(config)#access-list 121 deny ip any
GAD(config)#access-list 121 deny ip any
GAD(config)#access-list 121 deny ip any
GAD(config)#access-list 121 permit ip any any
GAD(config)#interface serial 0
GAD(config-if)#ip access-group 121 in
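The access lists on the preceding slides (101, 102, 111, 112 and 121) all rely on the same IOS evaluation rules: entries are tried top to bottom, the first matching entry decides, and a packet that matches nothing hits the implicit "deny ip any any" at the end of the list. The Python below is an added example, not part of the slides and not Cisco code: a small evaluator for IOS-style extended ACL entries with wildcard masks, the "established" keyword and ICMP message types, run against two constructed lists modelled on ACL 121 (anti-spoofing, inbound on the Internet link) and ACL 102 (replies only, outbound to the corporate LAN). The internal prefix 10.0.0.0/24, the wildcard masks and every address in the test packets are constructed for the demo and are not taken from the slides.

```python
"""IOS-style extended ACL evaluator (added example, not from the slides).

Models the semantics the slides depend on: first match wins, and anything
unmatched is implicitly denied. Wildcard masks follow IOS: a 0 bit means
"must match", a 1 bit means "don't care". All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard under IOS wildcard-mask rules."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (n & care)


@dataclass
class Packet:
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # e.g. "echo-reply", "unreachable"
    ack: bool = False                 # TCP ACK or RST set -> "established"


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str
    src: str = "0.0.0.0"              # defaults encode "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not in_wildcard(p.src, self.src, self.src_wc):
            return False
        if not in_wildcard(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack:   # flag check only, no state
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; the implicit deny catches the rest."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Constructed list in the spirit of ACL 121: drop inbound packets whose source
# claims to be the internal LAN, loopback or multicast, permit everything else.
INTERNAL_NET, INTERNAL_WC = "10.0.0.0", "0.0.0.255"   # constructed internal /24
ACL_121 = [
    Entry("deny", "ip", INTERNAL_NET, INTERNAL_WC),
    Entry("deny", "ip", "127.0.0.0", "0.255.255.255"),    # 127.x.x.x
    Entry("deny", "ip", "224.0.0.0", "15.255.255.255"),   # 224.x.x.x - 239.x.x.x
    Entry("permit", "ip"),
]

# Constructed list mirroring ACL 102: only TCP replies to sessions the LAN
# opened, plus echo-reply and unreachable ICMP, may enter the corporate LAN.
ACL_102 = [
    Entry("permit", "tcp", established=True),
    Entry("permit", "icmp", icmp_type="echo-reply"),
    Entry("permit", "icmp", icmp_type="unreachable"),
    Entry("deny", "ip"),
]


def check_spoof(src: str) -> str:
    """Verdict of the anti-spoofing list for a packet with the given source."""
    return evaluate(ACL_121, Packet("ip", src, "10.0.0.5"))


def check_inbound(p: Packet) -> str:
    """Verdict of the replies-only list for a packet bound for the LAN."""
    return evaluate(ACL_102, p)


if __name__ == "__main__":
    for src in ("203.0.113.7", "10.0.0.9", "127.0.0.1", "239.1.2.3"):
        print(f"ACL 121 src={src:<12} -> {check_spoof(src)}")
    reply = Packet("tcp", "203.0.113.7", "10.0.0.5", 443, ack=True)
    new_conn = Packet("tcp", "203.0.113.7", "10.0.0.5", 22)
    print("ACL 102 reply   ->", check_inbound(reply))
    print("ACL 102 new SYN ->", check_inbound(new_conn))
```

Two points the evaluator makes visible: the anti-spoofing denies must sit above the final permit, because the first match wins; and "established" is satisfied by the ACK or RST flag alone, not by any record of a connection the LAN actually opened, which is why the slides pair it with the anti-spoofing list on the Internet-facing interface rather than relying on it by itself.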