11 Security Basics


Transcript of 11 Security Basics

  • Slide 1/55: Module 11: Security Basics

    1999, Cisco Systems, Inc. www.cisco.com

  • Slide 2/55: Agenda

    CSE: Networking Fundamentals, Security. 1999, Cisco Systems, Inc. www.cisco.com

    Why Security?
    Security Technology
      Identity
      Integrity
      Active Audit

  • Slide 3/55: All Networks Need Security

    No matter the company size, security is important
    An Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
    Even small company sites are cracked


  • Slide 5/55: Security Threats

    (figure: four illustrated threats)
    Denial of Service (figure: a CPU)
    Loss of Integrity: a bank customer's "Deposit $1000" is altered in transit to "Deposit $100"
    Loss of Privacy: a "telnet company.org" login (username: dan, password: ...) is read off the wire one character at a time: "m-y-p-a-s-s-w-o-r-d", "d-a-n"
    Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."

  • Slide 6/55: Security Objective: Balance Business Needs with Risks

    (figure: a balance with access security on one side and connectivity on the other)
    Access Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity, Policy Management
    Connectivity: Performance, Ease of Use, Manageability, Availability

  • Slide 7/55: Network Security Components: Physical Security Analogy

    (figure pairs each physical control with its network counterpart)
    Doors, locks & guards                 ->  Firewalls & access controls
    Keys & badges                         ->  Authentication
    Surveillance cameras & motion sensors ->  Intrusion detection system

    Complementary mechanisms that together provide in-depth defense

  • Slide 8/55: Security Technology (section divider)

  • Slide 9/55: Elements of Security

    Policy (at the center)
    Identity: accurately identify users; determine what users are allowed to do
    Integrity: ensure network availability; provide perimeter security; ensure privacy
    Active audit: recognize network weak spots; detect and react to intruders

  • Slide 10/55: Security Technology: Identity (section divider)

  • Slide 11/55: Identity

    Uniquely and accurately identify users, applications, services, and resources
    Technologies: username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation

  • Slide 12/55: Username/Password

    (figure: dial-in user --PPP, PAP password--> network access server (NAS) --ID/password--> AAA server; campus and public network shown)
    1. User dials in with password to NAS
    2. NAS sends ID/password to AAA server
    3. AAA server authenticates user ID/password and tells NAS to accept (or reject)
    4. NAS accepts (or rejects) call

  • Slide 13/55: PAP and CHAP Authentication

    (figure: network access server reached over PPP with PAP or CHAP across the public network)
    Password Authentication Protocol (PAP)
      Authenticates caller only
      Passes password in clear text
    Challenge Handshake Authentication Protocol (CHAP)
      Authenticates both sides
      Password is encrypted
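The difference between the two PPP methods on slide 13 is easiest to see on the wire. The following is an added example, not part of the Cisco deck: it simulates one direction of each exchange (PAP per RFC 1334, CHAP per RFC 1994, whose response is MD5 over identifier, secret and challenge) and records every frame so the slide's "m-y-p-a-s-s-w-o-r-d" sniffer check can be run against both. The user name, secret and helper names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credentials (not from the deck); a real NAS/AAA server holds these.
USER = b"dan"
SECRET = b"correct horse battery"


def pap_exchange(user: bytes, password: bytes, auth_secret: bytes, wire: list) -> bool:
    """PAP (RFC 1334): the caller sends its name and password as-is and the
    authenticator compares them. Every frame is appended to `wire` so the caller
    can see what a passive listener on the link would capture."""
    request = b"PAP-Authenticate-Request:" + user + b":" + password
    wire.append(request)
    _, _, creds = request.partition(b":")
    u, _, p = creds.partition(b":")
    ok = (u == user) and hmac.compare_digest(p, auth_secret)
    wire.append(b"PAP-Authenticate-Ack" if ok else b"PAP-Authenticate-Nak")
    return ok


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_exchange(user: bytes, peer_secret: bytes, auth_secret: bytes, wire: list,
                  challenge: bytes = b"") -> bool:
    """One direction of the CHAP three-way handshake (challenge, response, success
    or failure). The secret itself never leaves either host: only the random
    challenge and the 16-byte MD5 response cross the link."""
    ident = 1
    challenge = challenge or os.urandom(16)
    wire.append(b"CHAP-Challenge:" + bytes([ident]) + challenge)
    response = chap_response(ident, peer_secret, challenge)
    wire.append(b"CHAP-Response:" + bytes([ident]) + response + user)
    expected = chap_response(ident, auth_secret, challenge)
    ok = hmac.compare_digest(expected, response)
    wire.append(b"CHAP-Success" if ok else b"CHAP-Failure")
    return ok


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """The slide's m-y-p-a-s-s-w-o-r-d sniffer: does any captured frame contain the secret?"""
    return any(secret in frame for frame in wire)


def replayed_response_accepted(captured_wire: list, auth_secret: bytes) -> bool:
    """Feed a previously captured CHAP response back against a fresh challenge. The
    response is bound to the challenge it answered, so the authenticator rejects it."""
    prefix = b"CHAP-Response:"
    frame = next(f for f in captured_wire if f.startswith(prefix))
    ident = frame[len(prefix)]
    old_response = frame[len(prefix) + 1:len(prefix) + 17]
    fresh_challenge = os.urandom(16)
    return hmac.compare_digest(chap_response(ident, auth_secret, fresh_challenge), old_response)


if __name__ == "__main__":
    pap_wire, chap_wire = [], []
    print("PAP ok:", pap_exchange(USER, SECRET, SECRET, pap_wire),
          "secret visible:", secret_on_wire(pap_wire, SECRET))
    print("CHAP ok:", chap_exchange(USER, SECRET, SECRET, chap_wire),
          "secret visible:", secret_on_wire(chap_wire, SECRET),
          "replay accepted:", replayed_response_accepted(chap_wire, SECRET))
```

Running it shows PAP succeeding with the secret readable in the first frame, and CHAP succeeding with nothing but a challenge and a hash on the link; a captured response is useless against the next challenge. Note that CHAP protects the secret in transit only; both ends must still store it, and the authenticator needs the plaintext (or an equivalent) to recompute the hash.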


  • Slide 15/55: Authentication, Authorization, and Accounting (AAA)

    Tool for enforcing security policy
    Authentication: verifies identity ("Who are you?")
    Authorization: configures integrity ("What are you permitted to do?")
    Accounting: assists with audit ("What did you do?")

  • Slide 16/55: AAA Services

    Centralized security database
    High availability
    Same policy across many access points
    Per-user access control
    Single network login
    Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password

    (figure: AAA server speaking TACACS+ or RADIUS; dial-in user -> network access server -> campus; Internet user -> gateway router/firewall, which intercepts connections; ID/user profile exchanged with the AAA server)

  • Slide 17/55: RADIUS

    (figure: remote access user -> access server -> RADIUS server)
    RADIUS is an industry standard: RFC 2138, RFC 2139
    Cisco has full IETF RFC implementation
    Cisco has implemented many nonstandard vendor-proprietary attributes
    Cisco hardware will work well with non-Cisco RADIUS AAA servers
    Cisco is committed to providing the best RADIUS solution

  • Slide 18/55: TACACS+ Authentication

    Local or centralized
    Cisco continues to expand TACACS+ and add features in Cisco IOS 11.3
    Cisco customers benefit from additional functionality with CiscoSecure server for both TACACS+ and RADIUS
    Cisco enterprise customers continue to ask for TACACS+ features

    (figure: TACACS database holding username/password and additional information)

  • Slide 19/55: Lock-and-Key Security

    Dynamically assigns access control lists on a per-user basis
    Allows a remote host to access a local host via the Internet
    Allows local hosts to access a host on a remote network

    (figure: an authorized user and a non-authorized user reaching the corporate site across the Internet)

  • Slide 20/55: Calling Line Identification

    (figure: Station A, ISDN number 1234, sends a call setup message carrying the local ISDN number; the receiving router compares it with known numbers and accepts the call; PPP CHAP authentication follows, optionally)


  • Slide 22/55: How Public Key Works

    (figure: two devices across a WAN, each holding a public key and a private key; the derived secret key is used with DES)
    By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them

  • Slide 23/55: Digital Signatures

    Signing: Bob's document -> hash -> message hash -> encrypt with Bob's private key -> digital signature
    Verifying: Bob's document -> hash -> message hash; digital signature -> decrypt with Bob's public key -> message hash; same?
    If verification is successful, the document has not been altered

  • Slide 24/55: Certificate Authority

    Certificate Authority (CA) verifies identity
    CA signs digital certificate containing device's public key
    Certificate equivalent to an ID card
    Partners include Verisign, Entrust, Netscape, and Baltimore Technologies

    (figure: a bank and a client, each with a CA, across the Internet)

  • Slide 25/55: Network Address Translation

    Provides dynamic or static translation of private addresses to registered IP addresses
    Eliminates readdressing overhead: large administrative cost benefit
    Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
    Permits use of a single IP address range in multiple intranets
    Hides internal addresses
    Augmented by EasyIP DHCP host function

    (figure: host 10.0.0.1 sends a packet with SA 10.0.0.1; the NAT router forwards it to the Internet with SA 171.69.58.8)

    Inside Local IP Address    Inside Global IP Address
    10.0.0.1                   171.69.58.80
    10.0.0.2                   171.69.58.81

  • Slide 26/55: Security Technology: Integrity (section divider)

  • Slide 27/55: Integrity: Network Availability

    Ensure the network infrastructure remains available
    Technologies: TCP Intercept, route authentication

  • Slide 28/55: TCP Intercept

    (figure: request intercepted by the router; connection established with the client; connection transferred to the server)
    Protects networks against denial of service attacks
    TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
    TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
    Can be configured to passively monitor TCP connection requests and respond if a connection fails to be established in a configurable interval
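To make the two behaviours on slide 28 concrete, the following added simulation (not Cisco code, and not a model of the IOS implementation) runs the same constructed scenario through a router with no protection, with intercept mode, and with the passive watch mode: a burst of SYNs from spoofed sources that never complete the handshake, followed by one legitimate client. The `Server` keeps the half-open queue that a SYN flood fills up; the `TcpIntercept` state machine is a simplification with one timer and no rate thresholds. Names, sizes and timings are constructed.

```python
class Server:
    """The protected host: a bounded half-open queue is what a SYN flood exhausts."""

    def __init__(self):
        self.half_open = {}     # client -> time its SYN arrived (SYN-ACK sent, ACK pending)
        self.established = set()

    def on_syn(self, client, now):
        self.half_open[client] = now

    def on_ack(self, client):
        if client in self.half_open:
            del self.half_open[client]
            self.established.add(client)

    def on_rst(self, client):
        self.half_open.pop(client, None)


class TcpIntercept:
    """mode='none': the router only forwards.
    mode='intercept': the router answers each SYN with its own SYN-ACK; only when the
    client's ACK arrives does it open the connection to the server and hand it over.
    mode='watch': SYNs pass through, but a connection that is not completed within
    `interval` seconds is cleared from the server with a RST."""

    def __init__(self, server, mode="intercept", interval=30.0):
        self.server, self.mode, self.interval = server, mode, interval
        self.pending = {}       # client -> time; half-open state held (or watched) by the router

    def on_syn(self, client, now):
        if self.mode == "intercept":
            self.pending[client] = now          # router sends SYN-ACK; the server never sees this SYN
        else:
            self.server.on_syn(client, now)
            if self.mode == "watch":
                self.pending[client] = now

    def on_ack(self, client, now):
        if self.mode == "intercept":
            if client in self.pending:          # a client that really completed the handshake
                del self.pending[client]
                self.server.on_syn(client, now) # router completes a handshake with the server ...
                self.server.on_ack(client)      # ... and transfers the connection
        else:
            self.pending.pop(client, None)
            self.server.on_ack(client)

    def tick(self, now):
        """Expire half-open entries older than the configured interval."""
        for client, started in list(self.pending.items()):
            if now - started > self.interval:
                del self.pending[client]
                if self.mode == "watch":
                    self.server.on_rst(client)  # clear the stale embryonic connection


def simulate(mode, flood_size=2000, interval=30.0):
    """Constructed scenario: `flood_size` SYNs from spoofed sources that never ACK at
    t=0, one legitimate client at t=1 that ACKs at t=2, then a timer tick at t=interval+5."""
    server = Server()
    router = TcpIntercept(server, mode, interval)
    for i in range(flood_size):
        router.on_syn(f"spoofed-{i}", 0.0)
    router.on_syn("legit", 1.0)
    router.on_ack("legit", 2.0)
    after_flood = len(server.half_open)
    router.tick(interval + 5.0)
    return {
        "server_half_open_after_flood": after_flood,
        "server_half_open_after_interval": len(server.half_open),
        "router_half_open_after_interval": len(router.pending),
        "legit_established": "legit" in server.established,
    }


if __name__ == "__main__":
    for mode in ("none", "intercept", "watch"):
        print(mode, simulate(mode))
```

In intercept mode the server never sees the flood at all; the half-open state lives on the router, which is built to shed it. In watch mode the server absorbs the flood for one interval and is then cleaned up, which is the "respond if a connection fails to be established in a configurable interval" bullet. A real deployment also needs thresholds that shorten the timeout under load, since the router's own table is finite.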

  • Slide 29/55: Route Authentication

    (figure: home gateway, Internet, trusted source)
    Enables routers to identify one another and verify each other's legitimacy before accepting route updates
    Ensures that routers receive legitimate update information from a trusted source

  • Slide 30/55: Integrity: Perimeter Security

    Control access to critical network applications, data, and services
    Technologies: access control lists, firewall technologies, content filtering, CBAC, authentication


  • Slide 32/55: Policy Enforcement Using Access Control Lists

    (figure: inbound Telnet from the Internet stopped at the home gateway)
    Ability to stop or reroute traffic based on packet characteristics
    Access control on incoming or outgoing interfaces
    Works together with NetFlow to provide high-speed enforcement on network access points
    Violation logging provides useful information to network managers
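The "Inbound Telnet Stopped Here" figure on slide 32 and the violation-logging bullet are easiest to understand by evaluating a small list. The following added example is not Cisco code and does not parse real IOS configuration; it is a small evaluator for a subset of the extended-ACL syntax (protocol, `any`/`host`/wildcard-mask addresses, `eq` destination port, `established`, `log`) with first-match semantics and the implicit deny at the end. The policy, addresses and log format are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set, i.e. part of a session opened earlier


@dataclass
class Ace:
    action: str
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None     # None means any destination port
    established: bool = False
    log: bool = False
    text: str = ""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    word = tokens.pop(0)
    if word == "any":
        return IPv4Network("0.0.0.0/0")
    if word == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(IPv4Address(tokens.pop(0)))
    netmask = IPv4Address(wildcard ^ 0xFFFFFFFF)     # wildcard bits are the inverse of the netmask
    return IPv4Network(f"{word}/{netmask}", strict=False)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    ace = Ace(action, proto, src, dst, text=line.strip())
    while tokens:
        word = tokens.pop(0)
        if word == "eq":
            ace.dport = int(tokens.pop(0))
        elif word == "established":
            ace.established = True
        elif word == "log":
            ace.log = True
        else:
            raise ValueError(f"unsupported keyword {word!r} in ACE: {line.strip()}")
    return ace


def parse_acl(text: str):
    return [parse_ace(line) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("!")]


def evaluate(acl, pkt: Packet):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'.
    Returns (action, log line or None)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        log = (f"list INBOUND {ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}({pkt.dport}) "
               f"[{ace.text}]") if ace.log else None
        return ace.action, log
    return "deny", f"list INBOUND implicit deny {pkt.proto} {pkt.src} -> {pkt.dst}({pkt.dport})"


# Constructed inbound policy for the slide's home gateway: block Telnet from the
# Internet and log it, allow web traffic to the public server, allow replies to
# sessions that were opened from inside, deny everything else.
INBOUND_ACL = parse_acl("""
! applied inbound on the Internet-facing interface
deny   tcp any any eq 23 log
permit tcp any host 171.69.58.80 eq 80
permit tcp any any established
""")
```

Order matters: the Telnet deny sits before the web permit, so Telnet to the web server is still stopped and logged. The `established` entry is the packet-filter approximation of session tracking that the stateful-firewall slide later improves on; it trusts a flag bit rather than a connection table.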

  • Slide 33/55: Importance of Firewalls

    Permit secure access to resources
    Protect networks from:
      Unauthorized intrusion from both external and internal sources
      Denial of service (DoS) attacks

  • Slide 34/55: What Is a Firewall?

    All traffic from inside to outside and vice versa must pass through the firewall
    Only authorized traffic, as defined by the local security policy, is allowed in or out
    The firewall itself is immune to penetration

  • Slide 35/55: Packet-Filtering Routers

    (figure: a router with ACLs between the ISP/Internet and the protected network; users, an e-mail server, and micro web servers sit behind it, with a web server exposed for public access)


  • Slide 37/55: Stateful Sessions

    (figure: firewall in front of mail and WWW servers, facing the Internet)
    Highest performance security
    Maintains complete session state
    Connection oriented: tracks complete connection establishment and termination
    Strong audit capability
    Easy to add new applications

  • Slide 38/55: Performance Requirements

    (figure: company network connected to the Internet; a bandwidth scale of .5, 1, 5, 10, 20 and 40 Meg per second places video, audio, private link and web commerce traffic)

  • Slide 39/55: Integrity: Privacy

    Provide authenticated private communication on demand
    Technologies: VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP


  • Slide 41/55: What Is IPSec?

    Network-layer encryption and authentication
    Open standards for ensuring secure private communications over any IP network, including the Internet
    Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
    Data protected with network encryption, digital certification, and device authentication
    Implemented transparently in network infrastructure
    Includes routers, firewalls, PCs, and servers
    Scales from small to very large networks

  • Slide 42/55: IPSec Everywhere!

    Router to router
    Router to firewall
    PC to router
    PC to server
    PC to firewall

  • Slide 43/55: IKE: Internet Key Exchange

    Automatically negotiates policy to protect communication
    Authenticated Diffie-Hellman key exchange
    Negotiates (possibly multiple) security associations for IPSec

    (figure: IKE policy tunnel; the policy alternatives shown are "3DES, MD5, and RSA signatures, OR IDEA, SHA, and DSS signatures, OR Blowfish, SHA, and RSA encryption" on one side and "IDEA, SHA, and DSS signatures" on the other)

  • Slide 44/55: How IPSec Uses IKE

    (figure: Alice behind router A, Bob behind router B, IKE tunnel between the two routers)
    1. Outbound packet from Alice to Bob; no IPSec security association yet
    2. Router A's IKE begins negotiation with router B's IKE
    3. Negotiation complete; router A and router B now have complete IPSec SAs in place
    4. Packet is sent from Alice to Bob protected by IPSec SA

  • Slide 45/55: Encryption: DES and 3DES

    Widely adopted standard
    Encrypts plain text, which becomes ciphertext
    DES performs 16 rounds
    Triple DES (3DES)
      The 56-bit DES algorithm runs three times
      112-bit triple DES includes two keys
      168-bit triple DES includes three keys
    Accomplished on a VPN client, server, router, or firewall

  • Slide 46/55: Breaking DES Keys

    Exhaustive search is the only way to break DES keys (so far)
    Would take hundreds of years on the fastest general-purpose computers (56-bit DES)
    A specialized computer would cost $1,000,000 but could crack keys in 35 minutes (Source: M.J. Wiener)
    The Internet enables multiple computers to work simultaneously
    Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
    Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure

  • Slide 47/55: Security Technology: Active Audit (section divider)

  • Slide 48/55: Why Active Audit?

    The hacker might be an employee or trusted partner
      Up to 80% of security breaches come from the inside (Source: FBI)
    Your defense might be ineffective
      One out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
    Your employees might make mistakes
      Misconfigured firewalls, servers, etc.
    Your network will grow and change
      Each change introduces new security risks

    Firewalls, authorization, and encryption do not provide VISIBILITY into these problems

  • Slide 49/55: Why Active Audit?

    Network security requires a layered defense
      Point security PLUS active systems to measure vulnerabilities and monitor for misuse
      Network perimeter and the intranet
    Security is an ongoing, operational process
      Must be constantly measured, monitored, and improved

    (figure: active audit network)

  • Slide 50/55: Active Audit: Network Vulnerability Assessment

    Assess and report on the security status of network components
    Technologies: scanning (active, passive), vulnerability database

  • Slide 51/55: Active Audit: Intrusion Detection System

    Identify and react to known or suspected network intrusion or anomalies
    Technologies: passive promiscuous monitoring; database of threats or suspect behavior; communication infrastructure or access control changes

  • Slide 52/55: IDS Attack Detection

    (figure: a grid with two axes)
    Where the evidence is: context (header) or content (data)
    How many packets it takes: atomic (single packet) or composite (multiple packets)
    Examples placed on the grid: Ping of Death, Land attack, port sweep, SYN attack, TCP hijacking, MS IE attack, DNS attacks, Telnet attacks, character-mode attacks

  • Slide 53/55: Active Audit

    Actively audit and verify policy
    Detect intrusion and anomalies
    Report

    (figure: a "Universal Passport" document)

  • Slide 54/55: Summary

    Security is a mission-critical business requirement for all networks
    Security requires a global, corporate-wide policy
    Security requires a multilayered implementation
