Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networks and Protocols CE00997-3 Week 10b. Overview of Network Security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Networks and Protocols CE00997-3 Week 10b. Overview of Network Security."— Presentation transcript:

1 Networks and Protocols CE00997-3 Week 10b

2 Overview of Network Security

3 Key Terms Confidentiality Integrity Availability Vulnerability Threat Reconnaissance Access Denial of Service Encryption Security Wheel

4 The Closed Network

5 The Network Today

6 Trends that Affect Security Increase of network attacks Increased sophistication of attacks Increased dependence on the network Lack of trained personnel Lack of awareness Lack of security policies Wireless access Legislation Litigation

7 Legal and Governmental Policy Issues – Organizations that operate vulnerable networks will face increasing and substantial liability. – US Federal legislation mandating security includes the following: GLB financial services legislation Government Information Security Reform Act HIPAA CIPA

8 The Goals of Network Security Availability Confidentiality Integrity

9 Key Elements of Network Security

10 Network Vulnerabilities, Threats, and Attacks Technology Configuration Policy

11 Threat Capabilities—More Dangerous and Easier to Use

12 Network Threats There are four general categories of security threats to the network: – Unstructured threats – Structured threats – External threats – Internal threats Internet External exploitation External exploitation Internal exploitation Internal exploitation Dial-in exploitation Dial-in exploitation Compromised host

13 Four Classes of Network Attacks – Reconnaissance attacks – Access attacks – Denial of service attacks – Worms, viruses, and Trojan horses

14 Specific Attack Types All of the following can be used to compromise your system: – Packet sniffers – IP weaknesses – Password attacks – DoS or DDoS – Man-in-the-middle attacks – Application layer attacks – Trust exploitation – Port redirection – Virus – Trojan horse – Operator error – Worms

15 Reconnaissance Attacks Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.

16 Reconnaissance Attack Example Sample domain name query Sample IP address query

17 Reconnaissance Attack Mitigation – Network reconnaissance cannot be prevented entirely. – IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.

18 Packet Sniffers A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. The following are the packet sniffer features: – Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following: Telnet FTP SNMP POP – Packet sniffers must be on the same collision domain. Host AHost B Router ARouter B

19 Packet Sniffer Mitigation The following techniques and tools can be used to mitigate sniffers: – Authentication—Using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers. – Switched infrastructure—Deploy a switched infrastructure to counter the use of packet sniffers in your environment. – Antisniffer tools—Use these tools to employ software and hardware designed to detect the use of sniffers on a network. – Cryptography—The most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant. Host AHost B Router ARouter B

20 IP Spoofing – IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. – Two general techniques are used during IP spoofing: A hacker uses an IP address that is within the range of trusted IP addresses. A hacker uses an authorized external IP address that is trusted. – Uses for IP spoofing include the following: IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data. A hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

21 IP Spoofing Mitigation The threat of IP spoofing can be reduced, but not eliminated, through the following measures: – Access control—The most common method for preventing IP spoofing is to properly configure access control. – RFC 2827 filtering—You can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range. – Additional authentication that does not use IP-based authentication—Examples of this include the following: Cryptographic (recommended) Strong, two-factor, one-time passwords

22 DoS Attacks

23 DDoS Attack Example

24 DoS Attack Mitigation The threat of DoS attacks can be reduced through the following three methods: – Antispoof features—Proper configuration of antispoof features on your routers and firewalls – Anti-DoS features—Proper configuration of anti-DoS features on routers and firewalls – Traffic rate limiting—Implement traffic rate limiting with the networks ISP

25 Password Attacks Hackers can implement password attacks using several different methods: – Brute-force attacks – Dictionary Attacks – Trojan horse programs – IP spoofing – Packet sniffers

26 Password Attack Example L0phtCrack can take the hashes of passwords and generate the clear text passwords from them. Passwords are computed using two different methods: – Dictionary cracking – Brute force computation

27 Password Attacks Mitigation The following are mitigation techniques: – Do not allow users to use the same password on multiple systems. – Disable accounts after a certain number of unsuccessful login attempts. – Do not use plain text passwords. OTP or a cryptographic password is recommended. – Use “strong” passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.

28 Man-in-the-Middle Attacks – A man-in-the-middle attack requires that the hacker have access to network packets that come across a network. – A man-in-the-middle attack is implemented using the following: Network packet sniffers Routing and transport protocols – Possible man-in-the-middle attack uses include the following: Theft of information Hijacking of an ongoing session Traffic analysis DoS Corruption of transmitted data Introduction of new information into network sessions Host AHost B Router ARouter B Data in clear text

29 Man-in-the-Middle Mitigation Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption). Host AHost B Router AISPRouter B A man-in-the-middle attack can only see cipher text IPSec tunnel

30 Application Layer Attacks Application layer attacks have the following characteristics: – Exploit well known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP) – Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall) – Can never be completely eliminated, because new vulnerabilities are always being discovered

31 Application Layer Attacks Mitigation Some measures you can take to reduce your risks are as follows: – Read operating system and network log files, or have them analyzed by log analysis applications. – Subscribe to mailing lists that publicize vulnerabilities. – Keep your operating system and applications current with the latest patches. – IDSs can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.

32 Trust Exploitation

33 Trust Exploitation Mitigation – Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. – Such trust should be limited to specific protocols and should be validated by something other than an IP address where possible. SystemA User = psmith; Pat Smith SystemB compromised by a hacker User = psmith; Pat Smith Hacker User = psmith; Pat Smithson Hacker blocked

34 Port Redirection

35 Unauthorized Access – Unauthorized access includes any unauthorized attempt to access a private resource: Not a specific type of attack Refers to most attacks executed in networks today Initiated on both the outside and inside of a network – The following are mitigation techniques for unauthorized access attacks: Eliminate the ability of a hacker to gain access to a system Prevent simple unauthorized access attacks, which is the primary function of a firewall

36 Virus and Trojan Horses – Viruses refer to malicious software that are attached to another program to execute a particular unwanted function on a user’s workstation. End-user workstations are the primary targets. – A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.

37 Vulnerabilities Exist at all OSI Layers

38 Security Framework and Policy

39 What Is a Security Policy? “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” (RFC 2196, Site Security Handbook)

40 Why Create a Security Policy? – To create a baseline of your current security posture – To set the framework for security implementation – To define allowed and not allowed behaviors – To help determine necessary tools and procedures – To communicate consensus and define roles – To define how to handle security incidents

41 Security Policy Elements On the left are the network design factors upon which security policy is based On the right are basic Internet threat vectors toward which security policies are written to mitigate Topology/Trust Model Usage Guidelines Application Definition Host Addressing Vulnerabilities Denial of Service Reconnaissance Misuse Data Assessment POLICY

42 Network Security as a Continuous Process Network security is a continuous process built around a security policy. – Step 1: Secure – Step 2: Monitor – Step 3: Test – Step 4: Improve Secure Monitor Test Improve Security Policy

43 Secure Monitor Test Improve Security Policy Secure the Network Implement security solutions to stop or prevent unauthorized access or activities, and to protect information: – Authentication – Encryption – Firewalls – Vulnerability patching

44 Secure Monitor Test Improve Security Policy Monitor Security – Detects violations to the security policy – Involves system auditing and real-time intrusion detection – Validates the security implementation in Step 1

45 Secure Monitor Test Improve Security Policy Test Security Validates effectiveness of the security policy through system auditing and vulnerability scanning

46 Secure Monitor Test Improve Security Policy Improve Security – Use information from the monitor and test phases to make improvements to the security implementation. – Adjust the security policy as security vulnerabilities and risks are identified.

47 Network Security Models

48 Security Products and Solutions Appliances Series VPN 3000 Concentrator/Client PIX Security Appliance Integrated Switch VPN Module Appliances Series VPN 3000 Concentrator/Client PIX Security Appliance Integrated Switch VPN Module Cisco Access Control Server Software Identity Based Network Services (IBNS) 802.1X ext. Cisco Access Control Server Software Identity Based Network Services (IBNS) 802.1X ext. Identity Services Extended Perimeter Security Intrusion Protection Security Management Appliances PIX Security Appliance Integrated Firewall Switch Module (FWSM) Appliances PIX Security Appliance Integrated Firewall Switch Module (FWSM) Appliances Cisco 4200 Series PIX Firewall Host Based Integrated Switch IDS Module (IDSM) Appliances Cisco 4200 Series PIX Firewall Host Based Integrated Switch IDS Module (IDSM) SOHO 90, 830,1700, 2600, 3600, 3700, 7000 series Secure Connectivity Device Managers PDM IDM/IEV CiscoWorksV PN/Securiy Management Solution CiscoWorks Hosting Solution Engine Device Managers PDM IDM/IEV CiscoWorksV PN/Securiy Management Solution CiscoWorks Hosting Solution Engine Cisco IOS VPN Cisco IOS IDS Cisco IOS Firewall SOHO 90, 830,1700, 2600, 3600, 3700, 7000 series

49 User Identity Mechanisms for proving who you are – Both people and devices can be authenticated Three authentication attributes: – Something you know – Something you have – Something you are Common approaches to Identity: – Passwords – Tokens – PKI (Digital Certificates) – Biometrics

50 Cisco ACS 3.1 and Appliance Windows 2000 & NT RADIUS and TACACS+ High performance (400+ authentications per second) Wireless security enhancements Supports any access: wireless, Firewall, VPN, voice, content or switched 802.1x provides IBNS for wireless and switch port authentication Support for directory services and LDAP

51 Types of Firewalls – Server Based Microsoft ISA CheckPoint BorderManager – Appliance PIX Security Appliance Netscreen SonicWall – Personal Norton McAfee ZoneAlarms – Integrated IOS Firewall Switch Firewall

52 Solution Breadth Switch Module Switch Module IOS FW Router IOS FW Router VPN Client VPN Client PIX Appliance PIX Appliance Mgmt Firewall Solutions Firewall Service Module (FWSM) VPN Client Software — Built in Personal FW 800 1700 2600 3xxx 7xxx PIX 501 PIX 506E PIX 515E PIX 525 PIX 535 Secure CLI Secure CLI Web UI Embedded Mgr Web UI Embedded Mgr Enterprise Mgmt VMS Enterprise Mgmt VMS

53 SMB Connectivity Performance Gigabit Ethernet PIX Security Appliance Lineup Enterprise ROBO PIX 515E PIX 525 PIX 535 SOHO PIX 501 PIX 506E Service Provider Stateful Inspection Firewall Appliance is Hardened OS IPSec VPN Integrated Intrusion Detection Hot Standby, Stateful Failover Easy VPN Client/Server VoIP Support

54 Security Offerings Secure Operating System Foundation IP Services IOS Firewall Network Integrated Solutions VPNFirewall Intrusion Protection V 3 PN IPsec CBAC Stateful Inspection IDSSSHSSL ACLAAANATL2TP/EAPMSCHAPv2 PKI 802.1X BGPGRE Multicast Application Aware QoS DHCP/DNS MPLSVoIP EIGRPOSPFMultiprotocol HTTPS Secure ARP uRPF Authentication per user via AAA Command Authorization via AAA Device Access by Privilege Level Activity Logging Netflow IP Comp SNMPv3 (Unicast Reverse Path Forward)

55 Catalyst Switch Integration Firewall IDS Virtual Private Network Appliance Capabilities Cisco Infrastructure © 2002, Cisco Systems, Inc. All rights reserved. VPNSSLNAMIDSFirewall Security Services Modules

56 Secure Connectivity Defines “peers” – Two devices in a network that need to connect – Tunnel makes peers seem virtually next to each other – Ignores network complexity in between Technologies – Point-to-Point Tunneling Protocol (PPTP) – Layer 2 Tunneling Protocol (L2TP) – IP Security (IPSec) – Secure Shell (SSH) – Secure Sockets Layer (SSL) – Transport Layer Security (TLS)

57 Solution Breadth Switch Module Switch Module Router VPN Client VPN Client PIX Mgmt 3000 Concentrator 3000 Concentrator VPN Solutions 3005 3015 3080 VPN Service Module (VPNSM) VPN Client Software 3002 800 1700 2600 3xxx 7xxx PIX 501 PIX 506E PIX 515E PIX 525 PIX 535 Secure Menu, CLI Secure Menu, CLI Web UI Embedded Mgr Web UI Embedded Mgr Enterprise Mgmt VMS Enterprise Mgmt VMS 3030 3060

58 SMB Connectivity Performance VPN 3000 Concentrator Lineup Enterprise ROBO SOHO Service Provider High Performance VPN Appliance Centralized Remote Access Control Scalable Platform Redundancy Advanced Client Feature support FIPS 140 Level 2 DES/3DES/AES NAT Transparency Cisco VPN 3005 Cisco VPN 3015 Cisco VPN 3030 Cisco VPN 3060 Cisco VPN 3080 Cisco VPN 3002 Hardware Client

59 Cisco VPN Software Client Supported Operating Systems Windows 95, 98, NT, 2K ME XP Solaris, Linux Mac OS X Virtual Adapter (Win2K / XP) Common Graphical Interface for Windows and Mac VPN Clients (New GUI) Alerts (Delete With Reason) Personal Firewall Enhancements (including AYT for Cisco Security Agent & Sygate) Coexistence with Third-Party VPN Vendors Encryption using DES, 3DES, or AES Terminate on Cisco IOS routers, PIX firewalls, VPN 3000 Centralized Configuration & Policy Management v3.6 is FIPS 140-1 Level 1 Certified

60 SMB Connectivity Performance VPN Router Lineup Enterprise ROBO SOHO Service Provider High Performance Integrated VPN Appliance Scalable Platform Redundancy Advanced Client Feature support DES/3DES/AES Cisco 1761-VPN Cisco 2600/2691-VPN Cisco 3600-VPN Cisco 3700-VPN Cisco 7x00-VPN Cisco 806 and 1721-VPN

61 Solution Breadth Switch Sensor Switch Sensor Router Sensor Router Sensor Host Sensor Host Sensor Firewall Sensor Firewall Sensor Mgmt Network Sensor Network Sensor IDS Solutions 4210 4235 4250 IDSM-2 Server Agent Desktop Agent 800 1700 2600 3xxx 7xxx PIX 501 PIX 506E PIX 515E PIX 525 PIX 535 Secure Command Line Secure Command Line Web UI Embedded Mgr Web UI Embedded Mgr Enterprise Mgmt VMS Enterprise Mgmt VMS 4250-XL

62 Security and Identity Management Solutions Lineup

63 Cisco AVVID Architecture E-Learning Supply Chain Workforce Optimization Customer Care Internet Commerce Intelligent Network Services Network Platforms Multicast Load Balancing CachingDNSServicesManagementAccounting Real Time ServicesQoSSecurity Intelligent Network Classification Internet Business Integrators Internet Middleware Layer Messaging Contact Center Voice Call Processing Collaboration Video on Demand Personal Productivity Policy Management Content Distribution Address Management Security SLA Management Clients Multimedia

64 SAFE Modular Blueprint Enterprise campus Enterprise edge Service provider edge Building distribution Building distribution Management Server Core Edge distribution Edge distribution E-commerce Corporate Internet Corporate Internet VPN and remote access WAN ISP B ISP A PSTN Frame or ATM Frame or ATM

65 Security Resources on the Internet Cisco Connection Online—http://www.cisco.comhttp://www.cisco.com SecurityFocus.com—http://www.securityfocus.comhttp://www.securityfocus.com SANS—http://www.sans.orghttp://www.sans.org CERT—http://www.cert.orghttp://www.cert.org CIAC—http://www.ciac.org/ciachttp://www.ciac.org/ciac CVE—http://cve.mitre.orghttp://cve.mitre.org Computer Security Institute—http://www.gocsi.comhttp://www.gocsi.com Center for Internet Security—ttp://www.cisecurity.orgttp://www.cisecurity.org Cisco Connection Online— – http://www.cisco.com/go/security http://www.cisco.com/go/security Cisco Product Specific Incident Response Team (PSIRT)— – http://www.cisco.com/go/psirt http://www.cisco.com/go/psirt

66 Summary – The need for network security has increased as networks have become more complex and interconnected. – The following are the four types of security threats: Structured Unstructured Internal External – There are many common attack methods and techniques used by hackers Reconnaissance Access Denial of Service

67 Summary (cont.) – The Security Wheel is the graphical representation of security as a continuous process built around a security policy which includes securing, monitoring, testing and improving network security. – There are many components of a complete security policy – Common management protocols are integral to maintaining a secure infrastructure – Five key areas of network security are Perimeter Security Secure Connectivity Identity Services Intrusion Detection Management

Download ppt "Networks and Protocols CE00997-3 Week 10b. Overview of Network Security."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Network Security Network Attacks and Mitigation 張晃崚 CCIE #13673, CCSI #31340 區域銷售事業處 副處長 麟瑞科技.

Network Security Network Attacks and Mitigation 張晃崚 CCIE #13673, CCSI #31340 區域銷售事業處 副處長 麟瑞科技.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Securing the Borderless Network March 21, 2000 Ted Barlow.

Securing the Borderless Network March 21, 2000 Ted Barlow.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
1 Packet Sniffers Prepared By: Amer Alhorini Supervised By: Dr. Lo'ai Tawalbeh NYIT New York Institute of Technology.

1 Packet Sniffers Prepared By: Amer Alhorini Supervised By: Dr. Lo'ai Tawalbeh NYIT New York Institute of Technology.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW)
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
NETWORK SECURITY.

NETWORK SECURITY.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.

Similar presentations

Ads by Google