Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations


Presentation on theme: "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved."— Presentation transcript:

1 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

2 2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 2 – Security Planning and Policy

3 3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 2.1 Discussing Network Security and Cisco 2.2 Endpoint Protection and Management 2.3 Network Protection and Management 2.4 Security Architecture 2.5 Basic Router Security

4 4 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.1 Discussing Network Security and Cisco

5 5 © 2005 Cisco Systems, Inc. All rights reserved. Network Security as a Continuous Process Network security is a continuous process built around a security policy. Step 1: Secure Step 2: Monitor Step 3: Test Step 4: Improve Secure Monitor Test Improve Security Policy

6 6 © 2005 Cisco Systems, Inc. All rights reserved. Secure Monitor Test Improve Security Policy Secure the Network Implement security solutions to stop or prevent unauthorized access or activities, and to protect information: Authentication Encryption Firewalls Vulnerability patching

7 7 © 2005 Cisco Systems, Inc. All rights reserved. Secure Monitor Test Improve Security Policy Monitor Security Detects violations to the security policy Involves system auditing and real-time intrusion detection Validates the security implementation in Step 1

8 8 © 2005 Cisco Systems, Inc. All rights reserved. Secure Monitor Test Improve Security Policy Test Security Validates effectiveness of the security policy through system auditing and vulnerability scanning

9 9 © 2005 Cisco Systems, Inc. All rights reserved. Secure Monitor Test Improve Security Policy Improve Security Use information from the monitor and test phases to make improvements to the security implementation. Adjust the security policy as security vulnerabilities and risks are identified.

10 10 © 2005 Cisco Systems, Inc. All rights reserved. What Is a Security Policy? A security policy is a formal statement of the rules by which people who are given access to an organizations technology and information assets must abide. (RFC 2196, Site Security Handbook)

11 11 © 2005 Cisco Systems, Inc. All rights reserved. Why Create a Security Policy? To create a baseline of your current security posture To set the framework for security implementation To define allowed and not allowed behaviors To help determine necessary tools and procedures To communicate consensus and define roles To define how to handle security incidents

12 12 © 2005 Cisco Systems, Inc. All rights reserved. Security Policy Elements On the left are the network design factors upon which security policy is based On the right are basic Internet threat vectors toward which security policies are written to mitigate Topology/Trust Model Usage Guidelines Application Definition Host Addressing Vulnerabilities Denial of Service Reconnaissance Misuse Data Assessment POLICY

13 13 © 2005 Cisco Systems, Inc. All rights reserved. 2.2 Endpoint Protection and Management Module 2 – Security Planning and Policy

14 14 © 2005 Cisco Systems, Inc. All rights reserved. Host and server based security components and technologies Device Hardening Unnecessary services Default usernames and passwords Authorization to use resources Personal Firewall Anti-virus Software Operating System Patches Intrusion Detection and Prevention Passive Inline Host-based Intrusion Detection Systems Cisco Security Agent

15 15 © 2005 Cisco Systems, Inc. All rights reserved. PC management Desktop Inventory and Maintenance Update Anti-virus Definitions Update HIDS and HIPS Signatures

16 16 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.3 Network Protection and Management

17 17 © 2005 Cisco Systems, Inc. All rights reserved. Sample Firewall Topology

18 18 © 2005 Cisco Systems, Inc. All rights reserved. Types of Firewalls Server Based Microsoft ISA CheckPoint BorderManager Appliance PIX Security Appliance Netscreen SonicWall Personal Norton McAfee ZoneAlarms Integrated IOS Firewall Switch Firewall

19 19 © 2005 Cisco Systems, Inc. All rights reserved. VPN Definition

20 20 © 2005 Cisco Systems, Inc. All rights reserved. Remote Access VPNs

21 21 © 2005 Cisco Systems, Inc. All rights reserved. Site-to-Site VPNs

22 22 © 2005 Cisco Systems, Inc. All rights reserved. Network-Based Intrusion Detection

23 23 © 2005 Cisco Systems, Inc. All rights reserved. Trust and Identity –Remote Access Dial-In User Service (RADIUS) –Terminal Access Controller Access Control System Plus (TACACS+) –Kerberos

24 24 © 2005 Cisco Systems, Inc. All rights reserved. Network security management Security management perform several functions. They identify sensitive network resources Determine mappings between sensitive network resources and user sets. Monitor access points to sensitive network resources Log inappropriate access. Audit Necessary to verify and monitor the corporate security policy. Verifies the correct implementation of the security policy. Logging and monitoring of events can help detect any unusual behavior and possible intrusions.

25 25 © 2005 Cisco Systems, Inc. All rights reserved. CiscoWorks

26 26 © 2005 Cisco Systems, Inc. All rights reserved. Adaptive Security Device Manager (ASDM)

27 27 © 2005 Cisco Systems, Inc. All rights reserved. Security Device Manager (SDM)

28 28 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.4 Security Architecture

29 29 © 2005 Cisco Systems, Inc. All rights reserved. Security architecture (SAFE) – Defense in Depth

30 30 © 2005 Cisco Systems, Inc. All rights reserved. Security architecture (SAFE) SAFE is a security blueprint for networks, which is based on Cisco Architecture for Voice, Video, and Integrated Data (AVVID). SAFE consists of modules that address the distinct requirements of each network area First industry blueprint that recommends exactly which security solutions should be included in each section of the network, and why they should be deployed. Security managers do not need to redesign the entire security architecture each time a new service is added to the network.

31 31 © 2005 Cisco Systems, Inc. All rights reserved. Security architecture (SAFE) SAFE: A Security Blueprint for Enterprise Networks SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks SAFE: VPN IPSec Virtual Private Networks in Depth SAFE: Wireless LAN Security in Depth - version 2 SAFE: IP Telephony Security in Depth SAFE: IDS Deployment, Tuning, and Logging in Depth SAFE: Worm Mitigation

32 32 © 2005 Cisco Systems, Inc. All rights reserved. The Cisco Self-Defending Network Allows organizations to use their existing platforms Identify, prevent, and adapt to both known and unknown security threats. –Secure Connectivity. –Threat Defense. –Trust and Identity Solutions.

33 33 © 2005 Cisco Systems, Inc. All rights reserved. Secure Connectivity Information transported across an internal wired and wireless infrastructure remains confidential

34 34 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Threat Defense System Solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization

35 35 © 2005 Cisco Systems, Inc. All rights reserved. Trust and Identity Solutions Secure network access and admission at any point in the network, Isolates and controls infected or unpatched devices

36 36 © 2005 Cisco Systems, Inc. All rights reserved. The Cisco Trust and Identity Management Identity Management Centralized management of remote devices Authentication, Authorization, and Accounting (AAA) Identity Based Networking Services (IBNS) 802.1x to automatically identify users Appropriate degree of access privilege based on policy. Rogue wireless access points. Network Admission Control (NAC) Trusted endpoint having a current antivirus image, OS version, or patch update. Permit, deny, or restrict network access Quarantine and remediate non-compliant devices.

37 37 © 2005 Cisco Systems, Inc. All rights reserved. Cisco integrated security Security functionality that is provided on a networking device Identity Based Networking Services IBNS Cisco Perimeter Security

38 38 © 2005 Cisco Systems, Inc. All rights reserved. Plan, Design, Implement, Operate, Optimize (PDIOO) Network designs must easily adapt to implement the next generation of technology Stages of network life cycle The PDIOO methodology can be applied to all technologies Designer should define key deliverables and associated actions

39 39 © 2005 Cisco Systems, Inc. All rights reserved. Planning and Design Planning Phase Logic of future designs can be tested for flaws. Helps to avoid logical mistake being replicated Focuses on technical as well as financial criteria it is important to identify all the stakeholders Design Phase Products, protocols, and features are chosen based on criteria defined in the planning stage Network diagrams

40 40 © 2005 Cisco Systems, Inc. All rights reserved. Implement, Operate, Optimize Implementation Phase Detailed, customized deliverables to help avoid risks and meet expectations Ensures smooth deployment even when issues arise Operation Phase Protect the network investment Help the staff prevent problems, maximize system utility, and accelerate problem resolution Optimization Phase Can be hardening servers against security threats or adding QoS to the network for latency-sensitive traffic

41 41 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.5 Basic Router Security

42 42 © 2005 Cisco Systems, Inc. All rights reserved. Controlling Access Console Port TTY VTY A console is a terminal connected to a router console port. The terminal can be a dumb terminal or PC with terminal emulation software.

43 43 © 2005 Cisco Systems, Inc. All rights reserved. Configure the Console Port User-Level Password Creates the user-level password ConUser1 The password is unencrypted Boston(config)# line console 0 Boston(config-line)# login Boston(config-line)# password ConUser1 router(config)# line console line-number router(config-line)# login router(config-line)# Password password Enters console line configuration mode Enables password checking at login Sets the user-level password to password

44 44 © 2005 Cisco Systems, Inc. All rights reserved. Configure a VTY User-Level Password Boston(config)# line vty 0 4 Boston(config-line)# login Boston(config-line)# password CantGessMeVTY router(config)# line vty start-line-number end-line-number router(config-line)# login Enters VTY line configuration mode Specifies the range of VTY lines to configure Enables password checking at login for VTY (Telnet) sessions Sets the user-level password to password router(config-line)# password

45 45 © 2005 Cisco Systems, Inc. All rights reserved. Configure an Auxiliary User-Level Password Boston(config)# line aux 0 Boston(config-line)# login Boston(config-line)# password NeverGessMeAux router(config)# line aux line-number router(config-line)# login Enters auxiliary line configuration mode Enables password checking at login for Aux connections Sets the user-level password to password router(config-line)# password

46 46 © 2005 Cisco Systems, Inc. All rights reserved. Setting Timeouts for Router Lines router(config-line)# exec-timeout minutes [seconds] Default is 10 minutes Terminates an unattended console connection Provides an extra safety factor when an administrator walks away from an active console session Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds Boston(config)# line console 0 Boston(config-line)#exec-timeout 3 30 Boston(config)# line aux 0 Boston(config-line)#exec-timeout 3 30

47 47 © 2005 Cisco Systems, Inc. All rights reserved. Login Banner Banners should be used on all network devices A banner should include A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use. A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both. A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court. Specific notices required by specific local laws. A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

48 48 © 2005 Cisco Systems, Inc. All rights reserved. Configuring Banner Messages router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d Specify what is proper use of the system Specify that the system is being monitored Specify that privacy should not be expected when using this system Do not use the word welcome Have legal department review the content of the message Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

49 49 © 2005 Cisco Systems, Inc. All rights reserved. SSH SSH Server and Client SSH Client TCP Port 22

50 50 © 2005 Cisco Systems, Inc. All rights reserved. SSH Server Configuration Router(config)# hostname host-name Router(config)# ip domain-name domain-name.com Router(config)# crypto key generate rsa Router(config)# line vty 0 4 Router(config-line)# transport input ssh

51 51 © 2005 Cisco Systems, Inc. All rights reserved. Passwords Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS: Type 7 uses the Cisco-defined encryption algorithm. Type 5 uses an MD5 hash, which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands. Service password encryption should be used. Use good password practices when creating passwords. Configure both username and password combinations.

52 52 © 2005 Cisco Systems, Inc. All rights reserved. Good Password Practices Avoid dictionary words, names, phone numbers, and dates. Include at least one lowercase letter, uppercase letter, digit, and special character. Make all passwords at least eight characters long. Avoid more than four digits or same-case letters in a row. Change passwords often.

53 53 © 2005 Cisco Systems, Inc. All rights reserved. Initial Configuration Dialog --- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no] y Configuring global parameters: Enter host name [Router]: Boston The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret: CantGessMe The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password: WontGessMe The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: CantGessMeVTY..

54 54 © 2005 Cisco Systems, Inc. All rights reserved. Configure the Enable Password Using enable secret router(config)# enable secret password Encrypts the password in the router configuration file Uses a strong encryption algorithm based on MD5 Boston(config)# enable secret Curium96 Boston# show running-config ! hostname Boston ! no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ !

55 55 © 2005 Cisco Systems, Inc. All rights reserved. Encrypting Passwords Using service password-encryption router(config)# service password-encryption Encrypts all passwords in the router configuration file Uses a weak encryption algorithm that can be easily cracked Boston(config)# service password-encryption Boston# show running-config ! line con 0 password 7 0956F57A109A ! line vty 0 4 password 7 034A18F366A0 ! line aux 0 password 7 7A4F5192306A

56 56 © 2005 Cisco Systems, Inc. All rights reserved. Setting Multiple Privilege Levels router(config)# privilege mode {level level command | reset command} Level 1 is predefined for user-level access privileges Levels 2–14 may be customized for user-level privileges Level 15 is predefined for enable mode (enable command) Boston(config)# privilege exec level 2 ping Boston(config)# enable secret level 2 Patriot

57 57 © 2005 Cisco Systems, Inc. All rights reserved. Setting Multiple Privilege Levels

58 58 © 2005 Cisco Systems, Inc. All rights reserved. IOS network services Some services can be restricted or disabled to improve security Support only traffic and protocols a network needs. show proc Small services such as echo, discard, and chargen – no service tcp-small-servers or no service udp-small-servers BOOTP – no ip bootp server Finger – no service finger Hypertext Transfer Protocol (HTTP) – no ip http server Simple Network Management Protocol (SNMP) – no snmp-server

59 59 © 2005 Cisco Systems, Inc. All rights reserved. IOS network services Pass through the router, special packets, or remote router configuration Cisco Discovery Protocol (CDP) – no cdp run Remote configuration. – no service config Source routing – no ip source-route Interfaces Unused interfaces – shutdown No SMURF attacks – no ip directed-broadcast Ad-hoc routing – no ip proxy-arp

60 60 © 2005 Cisco Systems, Inc. All rights reserved. Routing protocol authentication and update filtering Attacker who sends false routing update packets to an unprotected router can easily corrupt its routing table. Re-route network traffic as desired. Protect the routing tables from unauthorized and malicious changes Use only static routes Authenticate route table updates

61 61 © 2005 Cisco Systems, Inc. All rights reserved. Routing protocol authentication and update filtering Routing protocol authentication is vulnerable to eavesdropping and spoofing of routing updates. –Message Digest 5 (MD5) OSPF RIPv2 Enhanced IGRP BGP Passive Interfaces –Prevent other routers on the network from learning about routes dynamically. –Keep parties from learning about the existence of routes or routing protocols

62 62 © 2005 Cisco Systems, Inc. All rights reserved. NTP, SNMP, router name, DNS NTP Service SNMP Services Erase existing community strings Set a hard-to-guess, read-only community string. Apply a simple IP access list to SNMP denying all traffic. Disable SNMP system shutdown and trap features Router Name and DNS Name Resolution ip name-server addresses no ip domain-lookup hostname

63 63 © 2005, Cisco Systems, Inc. All rights reserved.


Download ppt "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved."

Similar presentations


Ads by Google