1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights...
-
Upload
adrian-reese -
Category
Documents
-
view
215 -
download
0
Transcript of 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights...
1© 2005 Cisco Systems, Inc. All rights reserved. 111© 2004, Cisco Systems, Inc. All rights reserved.
2© 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 2 – Security Planning and Policy
3© 2005 Cisco Systems, Inc. All rights reserved.
Learning Objectives
2.1 Discussing Network Security and Cisco
2.2 Endpoint Protection and Management
2.3 Network Protection and Management
2.4 Security Architecture
2.5 Basic Router Security
4© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – Security Planning and Policy
2.1 Discussing Network Security and Cisco
5© 2005 Cisco Systems, Inc. All rights reserved.
Network Security as a Continuous Process
• Network security is a continuous process built around a security policy.
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
Secure
Monitor
Test
Improve Security Policy
6© 2005 Cisco Systems, Inc. All rights reserved.
Secure
Monitor
Test
Improve Security Policy
Secure the Network
• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
Authentication
Encryption
Firewalls
Vulnerability patching
7© 2005 Cisco Systems, Inc. All rights reserved.
Secure
Monitor
Test
Improve Security Policy
Monitor Security
Detects violations to the security policy
Involves system auditing and real-time intrusion detection
Validates the security implementation in Step 1
8© 2005 Cisco Systems, Inc. All rights reserved.
Secure
Monitor
Test
Improve Security Policy
Test Security
• Validates effectiveness of the security policy through system auditing and vulnerability scanning
9© 2005 Cisco Systems, Inc. All rights reserved.
Secure
Monitor
Test
Improve Security Policy
Improve Security
Use information from the monitor and test phases to make improvements to the security implementation.
Adjust the security policy as security vulnerabilities and risks are identified.
10© 2005 Cisco Systems, Inc. All rights reserved.
What Is a Security Policy?
• “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• (RFC 2196, Site Security Handbook)
11© 2005 Cisco Systems, Inc. All rights reserved.
Why Create a Security Policy?
To create a baseline of your current security posture
To set the framework for security implementation
To define allowed and not allowed behaviors
To help determine necessary tools and procedures
To communicate consensus and define roles
To define how to handle security incidents
12© 2005 Cisco Systems, Inc. All rights reserved.
Security Policy Elements
• On the left are the network design factors upon which security policy is based
• On the right are basic Internet threat vectors toward which security policies are written to mitigate
Topology/Trust ModelTopology/Trust Model
Usage GuidelinesUsage Guidelines
Application DefinitionApplication Definition
Host AddressingHost Addressing
VulnerabilitiesVulnerabilities
Denial of ServiceDenial of Service
ReconnaissanceReconnaissance
MisuseMisuse
Data AssessmentData Assessment
POLICY
13© 2005 Cisco Systems, Inc. All rights reserved.
2.2 Endpoint Protection and Management
Module 2 – Security Planning and Policy
14© 2005 Cisco Systems, Inc. All rights reserved.
Host and server based security components and technologies
• Device Hardening Unnecessary services
Default usernames and passwords
Authorization to use resources
• Personal Firewall
• Anti-virus Software
• Operating System Patches
• Intrusion Detection and Prevention Passive
Inline
• Host-based Intrusion Detection Systems Cisco Security Agent
15© 2005 Cisco Systems, Inc. All rights reserved.
PC management
• Desktop Inventory and Maintenance
• Update Anti-virus Definitions
• Update HIDS and HIPS Signatures
16© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – Security Planning and Policy
2.3 Network Protection and Management
17© 2005 Cisco Systems, Inc. All rights reserved.
Sample Firewall Topology
18© 2005 Cisco Systems, Inc. All rights reserved.
Types of Firewalls
Server Based
Microsoft ISA
CheckPoint
BorderManager
Appliance
PIX Security Appliance
Netscreen
SonicWall
Personal
Norton
McAfee
ZoneAlarms
Integrated
IOS Firewall
Switch Firewall
19© 2005 Cisco Systems, Inc. All rights reserved.
VPN Definition
20© 2005 Cisco Systems, Inc. All rights reserved.
Remote Access VPNs
21© 2005 Cisco Systems, Inc. All rights reserved.
Site-to-Site VPNs
22© 2005 Cisco Systems, Inc. All rights reserved.
Network-Based Intrusion Detection
23© 2005 Cisco Systems, Inc. All rights reserved.
Trust and Identity
– Remote Access Dial-In User Service (RADIUS)
– Terminal Access Controller Access Control System Plus (TACACS+)
– Kerberos
24© 2005 Cisco Systems, Inc. All rights reserved.
Network security management
• Security management perform several functions.
They identify sensitive network resources
Determine mappings between sensitive network resources and user sets.
Monitor access points to sensitive network resources
Log inappropriate access.
• Audit
Necessary to verify and monitor the corporate security policy.
Verifies the correct implementation of the security policy.
Logging and monitoring of events can help detect any unusual behavior and possible intrusions.
25© 2005 Cisco Systems, Inc. All rights reserved.
CiscoWorks
26© 2005 Cisco Systems, Inc. All rights reserved.
Adaptive Security Device Manager (ASDM)
27© 2005 Cisco Systems, Inc. All rights reserved.
Security Device Manager (SDM)
28© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – Security Planning and Policy
2.4 Security Architecture
29© 2005 Cisco Systems, Inc. All rights reserved.
Security architecture (SAFE) – Defense in Depth
30© 2005 Cisco Systems, Inc. All rights reserved.
Security architecture (SAFE)
• SAFE is a security blueprint for networks, which is based on Cisco Architecture for Voice, Video, and Integrated Data (AVVID).
• SAFE consists of modules that address the distinct requirements of each network area
• First industry blueprint that recommends exactly which security solutions should be included in each section of the network, and why they should be deployed.
• Security managers do not need to redesign the entire security architecture each time a new service is added to the network.
31© 2005 Cisco Systems, Inc. All rights reserved.
Security architecture (SAFE)
SAFE: A Security Blueprint for Enterprise Networks
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
SAFE: VPN IPSec Virtual Private Networks in Depth
SAFE: Wireless LAN Security in Depth - version 2
SAFE: IP Telephony Security in Depth
SAFE: IDS Deployment, Tuning, and Logging in Depth
SAFE: Worm Mitigation
32© 2005 Cisco Systems, Inc. All rights reserved.
The Cisco Self-Defending Network
• Allows organizations to use their existing platforms
• Identify, prevent, and adapt to both known and unknown security threats.
–Secure Connectivity.
–Threat Defense.
–Trust and Identity Solutions.
33© 2005 Cisco Systems, Inc. All rights reserved.
Secure Connectivity
Information transported across an internal wired and wireless infrastructure remains confidential
34© 2005 Cisco Systems, Inc. All rights reserved.
Cisco Threat Defense System
Solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization
35© 2005 Cisco Systems, Inc. All rights reserved.
Trust and Identity Solutions• Secure network access and admission at any point in the network,
• Isolates and controls infected or unpatched devices
36© 2005 Cisco Systems, Inc. All rights reserved.
The Cisco Trust and Identity Management
• Identity Management
Centralized management of remote devices
Authentication, Authorization, and Accounting (AAA)
• Identity Based Networking Services (IBNS)
802.1x to automatically identify users
Appropriate degree of access privilege based on policy.
Rogue wireless access points.
• Network Admission Control (NAC)
Trusted endpoint having a current antivirus image, OS version, or patch update.
Permit, deny, or restrict network access
Quarantine and remediate non-compliant devices.
37© 2005 Cisco Systems, Inc. All rights reserved.
Cisco integrated security
• Security functionality that is provided on a networking device
Identity Based Networking Services IBNS
Cisco Perimeter Security
38© 2005 Cisco Systems, Inc. All rights reserved.
Plan, Design, Implement, Operate, Optimize (PDIOO)
• Network designs must easily adapt to implement the next generation of technology
• Stages of network life cycle
• The PDIOO methodology can be applied to all technologies
• Designer should define key deliverables and associated actions
39© 2005 Cisco Systems, Inc. All rights reserved.
Planning and Design
• Planning Phase
Logic of future designs can be tested for flaws.
Helps to avoid logical mistake being replicated
Focuses on technical as well as financial criteria
it is important to identify all the stakeholders
• Design Phase
Products, protocols, and features are chosen based on criteria defined in the planning stage
Network diagrams
40© 2005 Cisco Systems, Inc. All rights reserved.
Implement, Operate, Optimize
• Implementation Phase
Detailed, customized deliverables to help avoid risks and meet expectations
Ensures smooth deployment even when issues arise
• Operation Phase
Protect the network investment
Help the staff prevent problems, maximize system utility, and accelerate problem resolution
• Optimization Phase
Can be hardening servers against security threats or adding QoS to the network for latency-sensitive traffic
41© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – Security Planning and Policy
2.5 Basic Router Security
42© 2005 Cisco Systems, Inc. All rights reserved.
Controlling Access
• Console Port
• TTY
• VTY
• A console is a terminal connected to a router console port.• The terminal can be a dumb terminal or PC with terminal emulation software.
43© 2005 Cisco Systems, Inc. All rights reserved.
Configure the Console Port User-Level Password
Creates the user-level password ConUser1
The password is unencrypted
Boston(config)# line console 0Boston(config-line)# loginBoston(config-line)# password ConUser1
router(config)#
line console line-number
router(config-line)#
login
router(config-line)#
Password password
• Enters console line configuration mode
• Enables password checking at login
• Sets the user-level password to password
44© 2005 Cisco Systems, Inc. All rights reserved.
Configure a VTY User-Level Password
Boston(config)# line vty 0 4Boston(config-line)# loginBoston(config-line)# password CantGessMeVTY
router(config)#
line vty start-line-number end-line-number
router(config-line)#
login
• Enters VTY line configuration mode
• Specifies the range of VTY lines to configure
• Enables password checking at login for VTY (Telnet) sessions
• Sets the user-level password to password
router(config-line)#
password password
45© 2005 Cisco Systems, Inc. All rights reserved.
Configure an Auxiliary User-Level Password
Boston(config)# line aux 0Boston(config-line)# loginBoston(config-line)# password NeverGessMeAux
router(config)#
line aux line-number
router(config-line)#
login
• Enters auxiliary line configuration mode
• Enables password checking at login for Aux connections
• Sets the user-level password to password
router(config-line)#
password password
46© 2005 Cisco Systems, Inc. All rights reserved.
Setting Timeouts for Router Lines
router(config-line)#
exec-timeout minutes [seconds]• Default is 10 minutes
• Terminates an unattended console connection
• Provides an extra safety factor when an administrator walks away from an active console session
• Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds
Boston(config)# line console 0Boston(config-line)#exec-timeout 3 30
Boston(config)# line aux 0Boston(config-line)#exec-timeout 3 30
47© 2005 Cisco Systems, Inc. All rights reserved.
Login Banner
• Banners should be used on all network devices
• A banner should include
A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.
A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.
A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.
Specific notices required by specific local laws.
• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.
48© 2005 Cisco Systems, Inc. All rights reserved.
Configuring Banner Messages
router(config)#
banner {exec | incoming | login | motd |slip-ppp} d message d
• Specify what is “proper use” of the system
• Specify that the system is being monitored
• Specify that privacy should not be expected when using this system
• Do not use the word “welcome”
• Have legal department review the content of the message
Boston(config)# banner motd #WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #
49© 2005 Cisco Systems, Inc. All rights reserved.
SSH
SSH Server and Client
SSH Client
TCP Port 22
50© 2005 Cisco Systems, Inc. All rights reserved.
SSH Server Configuration
Router(config)#
hostname host-name
Router(config)#
ip domain-name domain-name.com
Router(config)#
crypto key generate rsa
Router(config)#
line vty 0 4
Router(config-line)#
transport input ssh
51© 2005 Cisco Systems, Inc. All rights reserved.
Passwords
• Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:
• Type 7 uses the Cisco-defined encryption algorithm.
• Type 5 uses an MD5 hash, which is much stronger.
• Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands.
• Service password encryption should be used.
• Use good password practices when creating passwords.
• Configure both username and password combinations.
52© 2005 Cisco Systems, Inc. All rights reserved.
Good Password Practices
• Avoid dictionary words, names, phone numbers, and dates.
• Include at least one lowercase letter, uppercase letter, digit, and special character.
• Make all passwords at least eight characters long.
• Avoid more than four digits or same-case letters in a row.
• Change passwords often.
53© 2005 Cisco Systems, Inc. All rights reserved.
Initial Configuration Dialog
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no] y
Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
Enter enable secret: CantGessMe
The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
Enter enable password: WontGessMe
The virtual terminal password is used to protect access to the router over a network interface.
Enter virtual terminal password: CantGessMeVTY..
54© 2005 Cisco Systems, Inc. All rights reserved.
Configure the Enable Password Using enable secret
router(config)#
enable secret password• Encrypts the password in the router configuration file
• Uses a strong encryption algorithm based on MD5
Boston(config)# enable secret Curium96
Boston# show running-config!hostname Boston!no logging consoleenable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/!
55© 2005 Cisco Systems, Inc. All rights reserved.
Encrypting Passwords Usingservice password-encryption
router(config)#
service password-encryption• Encrypts all passwords in the router configuration file
• Uses a weak encryption algorithm that can be easily cracked
Boston(config)# service password-encryption
Boston# show running-config!line con 0password 7 0956F57A109A!line vty 0 4password 7 034A18F366A0!line aux 0password 7 7A4F5192306A
56© 2005 Cisco Systems, Inc. All rights reserved.
Setting Multiple Privilege Levels
router(config)#
privilege mode {level level command | reset command}
• Level 1 is predefined for user-level access privileges
• Levels 2–14 may be customized for user-level privileges
• Level 15 is predefined for enable mode (enable command)
Boston(config)# privilege exec level 2 pingBoston(config)# enable secret level 2 Patriot
57© 2005 Cisco Systems, Inc. All rights reserved.
Setting Multiple Privilege Levels
58© 2005 Cisco Systems, Inc. All rights reserved.
IOS network services
• Some services can be restricted or disabled to improve security
• Support only traffic and protocols a network needs.
• show proc
Small services such as echo, discard, and chargen – no service tcp-small-servers or no service udp-small-servers
BOOTP – no ip bootp server
Finger – no service finger
Hypertext Transfer Protocol (HTTP) – no ip http server
Simple Network Management Protocol (SNMP) – no snmp-server
59© 2005 Cisco Systems, Inc. All rights reserved.
IOS network services
• Pass through the router, special packets, or remote router configuration
Cisco Discovery Protocol (CDP) – no cdp run
Remote configuration. – no service config
Source routing – no ip source-route
• Interfaces
Unused interfaces – shutdown
No SMURF attacks – no ip directed-broadcast
Ad-hoc routing – no ip proxy-arp
60© 2005 Cisco Systems, Inc. All rights reserved.
Routing protocol authentication and update filtering
• Attacker who sends false routing update packets to an unprotected router can easily corrupt its routing table.
Re-route network traffic as desired.
• Protect the routing tables from unauthorized and malicious changes
Use only static routes
Authenticate route table updates
61© 2005 Cisco Systems, Inc. All rights reserved.
Routing protocol authentication and update filtering
• Routing protocol authentication is vulnerable to eavesdropping and spoofing of routing updates.
–Message Digest 5 (MD5)
OSPF
RIPv2
Enhanced IGRP
BGP
• Passive Interfaces
–Prevent other routers on the network from learning about routes dynamically.
–Keep parties from learning about the existence of routes or routing protocols
62© 2005 Cisco Systems, Inc. All rights reserved.
NTP, SNMP, router name, DNS
• NTP Service
• SNMP Services
Erase existing community strings
Set a hard-to-guess, read-only community string.
Apply a simple IP access list to SNMP denying all traffic.
Disable SNMP system shutdown and trap features
• Router Name and DNS Name Resolution
ip name-server addresses
no ip domain-lookup
hostname
636363© 2005, Cisco Systems, Inc. All rights reserved.