Presentation is loading. Please wait.

Presentation is loading. Please wait.

N ETWORK S ECURITY (NWS620S) Chapter 4: Securing Communication Devices and Network Protocols.

Published byHelena Roberts Modified over 8 years ago

Similar presentations

Presentation on theme: "N ETWORK S ECURITY (NWS620S) Chapter 4: Securing Communication Devices and Network Protocols."— Presentation transcript:

1 N ETWORK S ECURITY (NWS620S) Chapter 4: Securing Communication Devices and Network Protocols

2 C ONTENTS Communications Protocol Communication devices Securing Communication Devices Securing Communication protocols

3 W HAT IS C OMMUNICATION P ROTOCOL A communications protocol defines the rules for sending PDU from one node in a network to another node A protocol can be implemented in software or in hardware or both A protocol must define: syntax – how to format data Procedures on how to process PDUs error recovery flow control segmentation service access point selection connection management Timing

4 C OMMUNICATION P ROTOCOLS HTTP TCP IP ICMP UDP List is too long

5 C OMMUNICATION D EVICES Computers Laptops Mobile phones Routers Switches Access points

6 S ECURITY G OALS Confidentiality Integrity Availability Authenticity Accountabily

7 S ECURING COMMUNICATION DEVICES Use of strong passwords Passwords Not same one for all devices and systems Strong password OTP Access control physical Shutting down unused devices and ports

8 All routers need a locally configured password for privileged access and other access. C ISCO R OUTER P ASSWORDS R1 R1(config)# enable secret cisco R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login

9 To steal passwords, attackers: Shoulder surf. Guess passwords based on the user's personal information. Sniff TFTP packets containing plaintext configuration files. Use readily available brute force attack tools such as L0phtCrack or Cain & Abel. Strong passwords are the primary defense against unauthorized access to a router! C ISCO R OUTER P ASSWORDS

10 S TRONG P ASSWORDS Passwords should NOT use dictionary words Dictionary words are vulnerable to dictionary attacks. Passwords may include the following: Any alphanumeric character. A mix of uppercase and lowercase characters. Symbols and spaces. A combination of letters, numbers, and symbols. Note: Password-leading spaces are ignored, but all spaces after the first character are NOT ignored.

11 Change passwords frequently. Implement a policy defining when and how often the passwords must be changed. Limits the window of opportunity for a hacker to crack a password. Limits the window of exposure after a password has been cracked. Local rules can make passwords even safer. S TRONG P ASSWORDS

12 E NFORCE M INIMUM P ASSWORD L ENGTHS Make passwords lengthy. IOS 12.3 and later passwords can be 0 to 16 characters in length. The best practice is to have a minimum of 10 characters. To enforce the minimum length use the global command: security passwords min-length length The command affects all “new” router passwords. Existing router passwords are unaffected. Any attempt to create a new password that is less than the specified length fails and results in an “ Password too short ” error message.

13 By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session. The timer can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used. exec-timeout minutes seconds Note: exec-timeout 0 0 means that there will be no timeout and the session will stay active for an unlimited time. Great for Labs … Bad in production networks! Never set the value to 0! D ISABLE U NATTENDED C ONNECTIONS

14 Encrypt all passwords in the router configuration file. E NCRYPT A LL P ASSWORDS service password-encryption Router(config)# R1(config)# service password-encryption R1(config)# exit R1# show running-config enable password 7 06020026144A061E ! line con 0 password 7 094F471A1A0A login ! line aux 0 password 7 01100F175804575D72 login line vty 0 4 password 7 03095A0F034F38435B49150A1819 login

15 In this sample config, if more than 5 login failures occur within 60 seconds, then all logins will be disabled for 120 seconds. This command must be issued before any other login command can be used. The command also helps provide DoS detection and prevention. The PERMIT-ADMIN commands exempt administrative stations from the disabled login. If not configured, all login requests will be denied during the Quiet-Mode. D ISABLE L OGIN FOR E XCESSIVE A TTEMPTS R1# configure terminal R1(config)# username ADMIN secret cisco54321 R1(config)# line vty 0 4 R1(config-line)# login local R1(config)# exit R1(config)# login block-for 120 attempts 5 within 60 R1(config)# ip access-list standard PERMIT-ADMIN R1(config-std-nacl)# remark Permit only Administrative hosts R1(config-std-nacl)# permit 192.168.10.10 R1(config-std-nacl)# permit 192.168.11.10 R1(config-std-nacl)# exit R1(config)# login quiet-mode access-class PERMIT-ADMIN R1(config)# login delay 10 R1(config)# login on-success log R1(config)# login on-failure log R1(config)# exit

16 S WITCH P ORT S ECURITY S ECURE U NUSED P ORTS Disabling unused ports is a simple, yet efficient security guideline.

17 S WITCH P ORT S ECURITY P ORT S ECURITY : O PERATION  Port security limits the number of valid MAC addresses allowed on a port.  The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.  Any additional attempts to connect by unknown MAC addresses generate a security violation.  Secure MAC addresses can be configured in a number of ways: Static secure MAC addresses Dynamic secure MAC addresses Sticky secure MAC addresses

18 S WITCH P ORT S ECURITY P ORT S ECURITY : V IOLATION M ODES  IOS considers a security violation when either of these situations occurs: The maximum number of secure MAC addresses for that interface have been added to the CAM, and a station whose MAC address is not in the address table attempts to access the interface. An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.  There are three possible actions to take when a violation is detected: Protect Restrict Shutdown

19 S WITCH P ORT S ECURITY C ONFIGURING P ORT S ECURITY S TICKY

20 S ECURING C OMMUNICATION P ROTOCOLS Encryption SSH for remote access IPSec Virtual Private Networks Access control mechanisms ACLs Passwords

21 S ECURE R EMOTE A CCESS C ONFIGURING SSH

22 S ECURITY C ONCERNS IN LAN S DHCP S POOFING  DHCP is a network protocol used to automatically assign IP information.  Two types of DHCP attacks are: DHCP spoofing DHCP starvation  In DHCP spoofing attacks, a fake DHCP server is placed in the network to issue DHCP addresses to clients.  DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server.

23 S ECURITY C ONCERNS IN LAN S DHCP S POOF A TTACK

24 S WITCH P ORT S ECURITY DHCP S NOOPING DHCP Snooping specifies which switch ports can respond to DHCP requests

Download ppt "N ETWORK S ECURITY (NWS620S) Chapter 4: Securing Communication Devices and Network Protocols."

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing And Switching 2.0.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing And Switching 2.0.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.
Chapter 2: Introduction to Switched Networks

Chapter 2: Introduction to Switched Networks
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Network Protocols and Communications Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Network Protocols and Communications Introduction to Networks.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.

CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Securing Network Devices

Securing Network Devices
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Similar presentations

Ads by Google