Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations

Presentation on theme: "© 2004, Cisco Systems, Inc. All rights reserved."— Presentation transcript:

1 © 2004, Cisco Systems, Inc. All rights reserved.
1 1 1

2 Module 2 – Security Planning and Policy
Network Security 1 Module 2 – Security Planning and Policy

3 Learning Objectives 2.1 Discussing Network Security and Cisco
2.2 Endpoint Protection and Management 2.3 Network Protection and Management 2.4 Security Architecture 2.5 Basic Router Security

4 Module 2 – Security Planning and Policy
2.1 Discussing Network Security and Cisco

5 Network Security as a Continuous Process
Network security is a continuous process built around a security policy. Step 1: Secure Step 2: Monitor Step 3: Test Step 4: Improve Secure Improve Security Policy Monitor Test

6 Secure the Network Implement security solutions to stop or prevent unauthorized access or activities, and to protect information: Authentication Encryption Firewalls Vulnerability patching Secure Improve Security Policy Monitor Test

7 Monitor Security Detects violations to the security policy
Involves system auditing and real-time intrusion detection Validates the security implementation in Step 1 Secure Improve Security Policy Monitor Test

8 Test Security Validates effectiveness of the security policy through system auditing and vulnerability scanning Secure Improve Security Policy Monitor Test

9 Improve Security Secure Improve Monitor Test
Use information from the monitor and test phases to make improvements to the security implementation. Adjust the security policy as security vulnerabilities and risks are identified. Secure Improve Security Policy Monitor Test

10 What Is a Security Policy?
“A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” (RFC 2196, Site Security Handbook)

11 Why Create a Security Policy?
To create a baseline of your current security posture To set the framework for security implementation To define allowed and not allowed behaviors To help determine necessary tools and procedures To communicate consensus and define roles To define how to handle security incidents

12 Security Policy Elements
Data Assessment Vulnerabilities Host Addressing Denial of Service Application Definition POLICY Misuse Usage Guidelines Reconnaissance Topology/Trust Model On the left are the network design factors upon which security policy is based On the right are basic Internet threat vectors toward which security policies are written to mitigate

13 Module 2 – Security Planning and Policy
2.2 Endpoint Protection and Management

14 Host and server based security components and technologies
Device Hardening Unnecessary services Default usernames and passwords Authorization to use resources Personal Firewall Anti-virus Software Operating System Patches Intrusion Detection and Prevention Passive Inline Host-based Intrusion Detection Systems Cisco Security Agent

15 PC management Desktop Inventory and Maintenance
Update Anti-virus Definitions Update HIDS and HIPS Signatures

16 Module 2 – Security Planning and Policy
2.3 Network Protection and Management

17 Sample Firewall Topology

18 Types of Firewalls Server Based Microsoft ISA CheckPoint BorderManager
Appliance PIX Security Appliance Netscreen SonicWall Personal Norton McAfee ZoneAlarms Integrated IOS Firewall Switch Firewall

19 VPN Definition

20 Remote Access VPNs

21 Site-to-Site VPNs

22 Network-Based Intrusion Detection

23 Trust and Identity Remote Access Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System Plus (TACACS+) Kerberos

24 Network security management
Security management perform several functions. They identify sensitive network resources Determine mappings between sensitive network resources and user sets. Monitor access points to sensitive network resources Log inappropriate access. Audit Necessary to verify and monitor the corporate security policy. Verifies the correct implementation of the security policy. Logging and monitoring of events can help detect any unusual behavior and possible intrusions.

25 CiscoWorks

26 Adaptive Security Device Manager (ASDM)

27 Security Device Manager (SDM)

28 Module 2 – Security Planning and Policy
2.4 Security Architecture

29 Security architecture (SAFE) – Defense in Depth

30 Security architecture (SAFE)
SAFE is a security blueprint for networks, which is based on Cisco Architecture for Voice, Video, and Integrated Data (AVVID). SAFE consists of modules that address the distinct requirements of each network area First industry blueprint that recommends exactly which security solutions should be included in each section of the network, and why they should be deployed. Security managers do not need to redesign the entire security architecture each time a new service is added to the network.

31 Security architecture (SAFE)
SAFE: A Security Blueprint for Enterprise Networks SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks SAFE: VPN IPSec Virtual Private Networks in Depth SAFE: Wireless LAN Security in Depth - version 2 SAFE: IP Telephony Security in Depth SAFE: IDS Deployment, Tuning, and Logging in Depth SAFE: Worm Mitigation

32 The Cisco Self-Defending Network
Allows organizations to use their existing platforms Identify, prevent, and adapt to both known and unknown security threats. Secure Connectivity. Threat Defense. Trust and Identity Solutions.

33 Secure Connectivity Information transported across an internal wired and wireless infrastructure remains confidential

34 Cisco Threat Defense System
Solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization

35 Trust and Identity Solutions
Secure network access and admission at any point in the network, Isolates and controls infected or unpatched devices

36 The Cisco Trust and Identity Management
Centralized management of remote devices Authentication, Authorization, and Accounting (AAA) Identity Based Networking Services (IBNS) 802.1x to automatically identify users Appropriate degree of access privilege based on policy. Rogue wireless access points. Network Admission Control (NAC) Trusted endpoint having a current antivirus image, OS version, or patch update. Permit, deny, or restrict network access Quarantine and remediate non-compliant devices.

37 Cisco integrated security
Security functionality that is provided on a networking device Identity Based Networking Services IBNS Cisco Perimeter Security

38 Plan, Design, Implement, Operate, Optimize (PDIOO)
Network designs must easily adapt to implement the next generation of technology Stages of network life cycle The PDIOO methodology can be applied to all technologies Designer should define key deliverables and associated actions

39 Planning and Design Planning Phase Design Phase
Logic of future designs can be tested for flaws. Helps to avoid logical mistake being replicated Focuses on technical as well as financial criteria it is important to identify all the stakeholders Design Phase Products, protocols, and features are chosen based on criteria defined in the planning stage Network diagrams

40 Implement, Operate, Optimize
Implementation Phase Detailed, customized deliverables to help avoid risks and meet expectations Ensures smooth deployment even when issues arise Operation Phase Protect the network investment Help the staff prevent problems, maximize system utility, and accelerate problem resolution Optimization Phase Can be hardening servers against security threats or adding QoS to the network for latency-sensitive traffic

41 Module 2 – Security Planning and Policy
2.5 Basic Router Security

42 Controlling Access Console Port TTY VTY
A console is a terminal connected to a router console port. The terminal can be a dumb terminal or PC with terminal emulation software.

43 Configure the Console Port User-Level Password
router(config)# line console line-number Enters console line configuration mode router(config-line)# login Enables password checking at login router(config-line)# Password password Sets the user-level password to password Boston(config)# line console 0 Boston(config-line)# login Boston(config-line)# password ConUser1 Creates the user-level password ConUser1 The password is unencrypted

44 Configure a VTY User-Level Password
router(config)# line vty start-line-number end-line-number Enters VTY line configuration mode Specifies the range of VTY lines to configure router(config-line)# login Enables password checking at login for VTY (Telnet) sessions router(config-line)# password password Sets the user-level password to password Boston(config)# line vty 0 4 Boston(config-line)# login Boston(config-line)# password CantGessMeVTY

45 Configure an Auxiliary User-Level Password
router(config)# line aux line-number Enters auxiliary line configuration mode router(config-line)# login Enables password checking at login for Aux connections router(config-line)# password password Sets the user-level password to password Boston(config)# line aux 0 Boston(config-line)# login Boston(config-line)# password NeverGessMeAux

46 Setting Timeouts for Router Lines
router(config-line)# exec-timeout minutes [seconds] Default is 10 minutes Terminates an unattended console connection Provides an extra safety factor when an administrator walks away from an active console session Boston(config)# line console 0 Boston(config-line)#exec-timeout 3 30 Boston(config)# line aux 0 Boston(config-line)#exec-timeout 3 30 Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds

47 Login Banner Banners should be used on all network devices
A banner should include A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use. A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both. A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court. Specific notices required by specific local laws. A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

48 Configuring Banner Messages
router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d Specify what is “proper use” of the system Specify that the system is being monitored Specify that privacy should not be expected when using this system Do not use the word “welcome” Have legal department review the content of the message Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

49 SSH SSH Server and Client TCP Port 22 SSH Client

50 SSH Server Configuration
Router(config)# hostname host-name Router(config)# ip domain-name Router(config)# crypto key generate rsa Router(config)# line vty 0 4 Router(config-line)# transport input ssh

51 Passwords Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS: Type 7 uses the Cisco-defined encryption algorithm. Type 5 uses an MD5 hash, which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands. Service password encryption should be used. Use good password practices when creating passwords. Configure both username and password combinations.

52 Good Password Practices
Avoid dictionary words, names, phone numbers, and dates. Include at least one lowercase letter, uppercase letter, digit, and special character. Make all passwords at least eight characters long. Avoid more than four digits or same-case letters in a row. Change passwords often.

53 Initial Configuration Dialog
--- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no] y Configuring global parameters: Enter host name [Router]: Boston The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret: CantGessMe The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password: WontGessMe The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: CantGessMeVTY

54 Configure the Enable Password Using enable secret
router(config)# enable secret password Encrypts the password in the router configuration file Uses a strong encryption algorithm based on MD5 Boston(config)# enable secret Curium96 Boston# show running-config ! hostname Boston ! no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ !

55 Encrypting Passwords Using service password-encryption
router(config)# service password-encryption Encrypts all passwords in the router configuration file Boston(config)# service password-encryption Boston# show running-config ! line con 0 password F57A109A ! line vty 0 4 password 7 034A18F366A0 ! line aux 0 password 7 7A4F A Uses a weak encryption algorithm that can be easily cracked

56 Setting Multiple Privilege Levels
router(config)# privilege mode {level level command | reset command} Level 1 is predefined for user-level access privileges Levels 2–14 may be customized for user-level privileges Level 15 is predefined for enable mode (enable command) Boston(config)# privilege exec level 2 ping Boston(config)# enable secret level 2 Patriot

57 Setting Multiple Privilege Levels

58 IOS network services Some services can be restricted or disabled to improve security Support only traffic and protocols a network needs. show proc Small services such as echo, discard, and chargen – no service tcp-small-servers or no service udp-small-servers  BOOTP – no ip bootp server  Finger – no service finger  Hypertext Transfer Protocol (HTTP) – no ip http server  Simple Network Management Protocol (SNMP) – no snmp-server

59 IOS network services Pass through the router, special packets, or remote router configuration Cisco Discovery Protocol (CDP) – no cdp run  Remote configuration. – no service config  Source routing – no ip source-route Interfaces Unused interfaces – shutdown No SMURF attacks – no ip directed-broadcast Ad-hoc routing – no ip proxy-arp

60 Routing protocol authentication and update filtering
Attacker who sends false routing update packets to an unprotected router can easily corrupt its routing table. Re-route network traffic as desired. Protect the routing tables from unauthorized and malicious changes Use only static routes Authenticate route table updates

61 Routing protocol authentication and update filtering
Routing protocol authentication is vulnerable to eavesdropping and spoofing of routing updates. Message Digest 5 (MD5) OSPF RIPv2 Enhanced IGRP BGP Passive Interfaces Prevent other routers on the network from learning about routes dynamically. Keep parties from learning about the existence of routes or routing protocols

62 NTP, SNMP, router name, DNS
NTP Service SNMP Services Erase existing community strings Set a hard-to-guess, read-only community string. Apply a simple IP access list to SNMP denying all traffic. Disable SNMP system shutdown and trap features Router Name and DNS Name Resolution ip name-server addresses no ip domain-lookup  hostname

63 © 2005, Cisco Systems, Inc. All rights reserved.
63 63 63

Download ppt "© 2004, Cisco Systems, Inc. All rights reserved."

Similar presentations

Ads by Google