Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 2 City College.

Published byCleopatra O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 2 City College."— Presentation transcript:

1 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 2 City College of San Francisco Spring 2006

2 2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 2 – Security Planning and Policy

3 3 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Learning Objectives –2.1 Discussing Network Security and Cisco –2.2 Endpoint Protection and Management –2.3 Network Protection and Management –2.4 Security Architecture –2.5 Basic Router Security

4 4 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.1 Discussing Network Security and Cisco

5 5 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Network Security as a Continuous Process Network security is a continuous process built around a security policy. –Step 1: Secure –Step 2: Monitor –Step 3: Test –Step 4: Improve Secure Monitor Test Improve Security Policy

6 6 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Secure the Network Implement security solutions to stop or prevent unauthorized access or activities, and to protect information: –Authentication –Encryption –Firewalls –Vulnerability patching Secure Monitor Test Improve Security Policy

7 7 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Secure Monitor Test Improve Security Policy Monitor Security –Detects violations to the security policy –Involves system auditing and real-time intrusion detection –Validates the security implementation in Step 1

8 8 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Secure Monitor Test Improve Security Policy Test Security Validates effectiveness of the security policy through system auditing and vulnerability scanning

9 9 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Secure Monitor Test Improve Security Policy Improve Security –Use information from the monitor and test phases to make improvements to the security implementation. –Adjust the security policy as security vulnerabilities and risks are identified.

10 10 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# What Is a Security Policy? “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” (RFC 2196, Site Security Handbook)

11 11 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Why Create a Security Policy? –To create a baseline of your current security posture –To set the framework for security implementation –To define allowed and not allowed behaviors –To help determine necessary tools and procedures –To communicate consensus and define roles –To define how to handle security incidents

12 12 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Security Policy Elements On the left are the network design factors upon which security policy is based On the right are basic Internet threat vectors toward which security policies are written to mitigate Topology/Trust Model Usage Guidelines Application Definition Host Addressing Vulnerabilities Denial of Service Reconnaissance Misuse Data Assessment POLICY

13 13 © 2005 Cisco Systems, Inc. All rights reserved. 2.2 Endpoint Protection and Management Module 2 – Security Planning and Policy

14 14 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Types of Firewalls –Server Based Microsoft ISA CheckPoint Zone Alarm –Appliance PIX Security Appliance/ASA Netscreen SonicWall –Personal Norton McAfee ZoneAlarms –Integrated IOS Firewall Switch Firewall

15 15 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.3 Network Protection and Management

16 16 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Sample Firewall Topology

17 17 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# VPN Definition

18 18 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Remote Access VPNs

19 19 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Site-to-Site VPNs

20 20 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Adaptive Security Device Manager (ASDM)

21 21 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Security Device Manager (SDM)

22 22 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.4 Security Architecture

23 23 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Secure Connectivity

24 24 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Cisco Threat Defense System

25 25 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Identity Based Networking Services (IBNS)

26 26 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Plan, Design, Implement, Operate, Optimize (PDIOO)

27 27 © 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.5 Basic Router Security

28 28 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# SSH SSH Server and Client SSH Client TCP Port 22

29 29 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# SSH Server Configuration Router(config)# hostname host-name Router(config)# ip domain-name domain-name.com Router(config)# crypto key generate rsa Router(config)# line vty 0 4 Router(config-line)# transport input ssh

30 30 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Controlling Access Console Port TTY VTY A console is a terminal connected to a router console port. The terminal can be a dumb terminal or PC with terminal emulation software.

31 31 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Passwords Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS: Type 7 uses the Cisco-defined encryption algorithm. Type 5 uses an MD5 hash, which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands. Service password encryption should be used. Use good password practices when creating passwords. Configure both username and password combinations.

32 32 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Good Password Practices Avoid dictionary words, names, phone numbers, and dates. Include at least one lowercase letter, uppercase letter, digit, and special character. Make all passwords at least eight characters long. Avoid more than four digits or same-case letters in a row. Change passwords often.

33 33 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Initial Configuration Dialog --- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no] y Configuring global parameters: Enter host name [Router]: Boston The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret: CantGessMe The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password: WontGessMe The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: CantGessMeVTY..

34 34 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Configure the Enable Password Using enable secret router(config)# enable secret password Encrypts the password in the router configuration file Uses a strong encryption algorithm based on MD5 Boston(config)# enable secret Curium96 Boston# show running-config ! hostname Boston ! no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ !

35 35 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Configure the Console Port User-Level Password –Creates the user-level password ConUser1 –The password is unencrypted Boston(config)# line console 0 Boston(config-line)# login Boston(config-line)# password ConUser1 router(config)# line console line-number router(config-line)# login router(config-line)# Password password Enters console line configuration mode Enables password checking at login Sets the user-level password to password

36 36 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Configure a VTY User-Level Password Boston(config)# line vty 0 4 Boston(config-line)# login Boston(config-line)# password CantGessMeVTY router(config)# line vty start-line-number end-line-number router(config-line)# login Enters VTY line configuration mode Specifies the range of VTY lines to configure Enables password checking at login for VTY (Telnet) sessions Sets the user-level password to password router(config-line)# password

37 37 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Configure an Auxiliary User-Level Password Boston(config)# line aux 0 Boston(config-line)# login Boston(config-line)# password NeverGessMeAux router(config)# line aux line-number router(config-line)# login Enters auxiliary line configuration mode Enables password checking at login for Aux connections Sets the user-level password to password router(config-line)# password

38 38 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Encrypting Passwords Using service password-encryption router(config)# service password-encryption Encrypts all passwords in the router configuration file Uses a weak encryption algorithm that can be easily cracked Boston(config)# service password-encryption Boston# show running-config ! line con 0 password 7 0956F57A109A ! line vty 0 4 password 7 034A18F366A0 ! line aux 0 password 7 7A4F5192306A

39 39 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Setting Timeouts for Router Lines router(config-line)# exec-timeout minutes [seconds] Default is 10 minutes Terminates an unattended console connection Provides an extra safety factor when an administrator walks away from an active console session Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds Boston(config)# line console 0 Boston(config-line)#exec-timeout 3 30 Boston(config)# line aux 0 Boston(config-line)#exec-timeout 3 30

40 40 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Setting Multiple Privilege Levels router(config)# privilege mode {level level command | reset command} Level 1 is predefined for user-level access privileges Levels 2–14 may be customized for user-level privileges Level 15 is predefined for enable mode (enable command) Boston(config)# privilege exec level 2 ping Boston(config)# enable secret level 2 Patriot

41 41 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Login Banner Banners should be used on all network devices A banner should include A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use. A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both. A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court. Specific notices required by specific local laws. A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

42 42 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# Configuring Banner Messages router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d Specify what is “proper use” of the system Specify that the system is being monitored Specify that privacy should not be expected when using this system Do not use the word “welcome” Have legal department review the content of the message Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

43 43 © 2005 Cisco Systems, Inc. All rights reserved. Router(config)# 43 © 2005, Cisco Systems, Inc. All rights reserved.

Download ppt "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 2 City College."

Similar presentations

© 2004, Cisco Systems, Inc. All rights reserved.

© 2004, Cisco Systems, Inc. All rights reserved.
© 2003, Cisco Systems, Inc. All rights reserved..

© 2003, Cisco Systems, Inc. All rights reserved..
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
Cisco Router. Overview Understanding and configuring the Cisco Internetwork Operating System (IOS) Connecting to a router Bringing up a router Logging.

Cisco Router. Overview Understanding and configuring the Cisco Internetwork Operating System (IOS) Connecting to a router Bringing up a router Logging.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College.
Introduction to the Cisco IOS

Introduction to the Cisco IOS
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Configuring a Network Operating System Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Configuring a Network Operating System Introduction to Networks.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.

CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Summer Classes Router - Initial Configuration By Roshan Chaudhary Lecturer Islington College.

Summer Classes Router - Initial Configuration By Roshan Chaudhary Lecturer Islington College.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
1 Semester 2 Module 3 Configuring a Router Yuda college of business James Chen

1 Semester 2 Module 3 Configuring a Router Yuda college of business James Chen
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Configuring a Network Operating System Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Configuring a Network Operating System Introduction to Networks.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google