ITEC 275 Computer Networks – Switching, Routing, and WANs Week 8 Robert D’Andrea Some slides...
![Page 1: ITEC 275 Computer Networks – Switching, Routing, and WANs Week 8 Robert D’Andrea Some slides provide by Priscilla Oppenheimer and used with permission.](https://reader036.fdocuments.in/reader036/viewer/2022062317/5a4d1b317f8b9ab05999b0ab/html5/thumbnails/1.jpg)
ITEC 275 Computer Networks – Switching, Routing, and WANs
Week 8
Robert D’Andrea
Some slides provided by Priscilla Oppenheimer and used with permission
Agenda
• Learning Activities
– Security
– Threats and Risks
– Security Policy
– Security Mechanisms
– Wireless Security
– SNMP
Network Security Design: The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
The 12 Step Program (continued)
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
Network Assets
An enterprise's assets may be broadly divided into two categories. The first is physical assets, which include buildings, machinery, financial assets and infrastructure. Hardware such as routers, other internetworking devices, cabling, and switches are all devices needed to conduct business.
The second category is intangible assets, which range from human capital and know-how to ideas, brands, designs and other intangible fruits of a company's creative and innovative capacity. Traditionally, physical assets have been responsible for the bulk of the value of a company and were considered largely responsible for determining the competitiveness of an enterprise in the marketplace. In recent years, the situation has changed significantly.
Increasingly, and largely as a result of the information technologies revolution and the growth of the service economy, companies are realizing that intangible assets are often becoming more valuable than their physical assets.
Network Assets
• Software (operating systems, applications, and data)
Less Obvious Network Assets
• Intellectual property: the collective wisdom of your employees or customers is vast and waiting to be tapped. Bloomfire is a knowledge base built to capture, archive, and grow the knowledge that already exists within or about your organization.
Bloomfire develops software that allows companies to share information on a web-based application platform. The software application, launched in 2012, allows users to create team communities where people can post questions and answers, and add or create new content. The content can be uploaded in the form of videos, photos or text documents. The social platform allows users to "follow", "share", and "like" other users' content; it also has screen-recording capabilities. The software aims to increase accessibility to information within a company. The application can be accessed from a device connected to the Internet, such as a PC, laptop, tablet computer, or smartphone.
Network Assets
• Trade secrets: any confidential business information that provides an enterprise a competitive edge may be considered a trade secret. Trade secrets encompass manufacturing or industrial secrets and commercial secrets. The unauthorized use of such information by persons other than the holder is regarded as an unfair practice and a violation of the trade secret.
• Company’s reputation: the reputation of a business is essential to its survival. The trust and confidence of the consumer can have a direct and profound effect on a company's bottom ...
Network Assets
View: Designing Security for Microsoft Networks
https://www.youtube.com/watch?v=THP9VdIDG98
Security Risks
• Hacked network devices
– Data can be intercepted, analyzed, altered, or deleted
– User passwords can be compromised
– Device configurations can be changed
• Reconnaissance attacks are used to gather initial information about a target network or system; at first glance they seem harmless
• Denial-of-service (DoS) attacks are increasing
Security Tradeoffs
• Tradeoffs must be made between security goals and other goals:
– Affordability
– Usability
– Performance
– Availability
– Manageability
The cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you.
A Security Plan
• High-level document that proposes what an organization is going to do to meet security requirements. This is a corporate-level decision.
• Specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
A Security Plan
• Should reference the network topology and include a list of network services that will be provided. The list should specify who provides the services, who has access to the services, how access is provided, and who administers the services.
A Security Policy
• Informs users, managers, and technical staff of their obligations for protecting technology and information assets. Normally, this is an agreement employees sign as a part of their tenure.
A Security Policy
• Per RFC 2196, “The Site Security Handbook,” a security policy is a
– “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• The policy should address
– Access, accountability, authentication, privacy, and computer technology purchasing guidelines
Security Mechanisms
• Physical security (limited access to resources)
• Authentication (who is requesting network services)
• Authorization (who can access network resources)
• Accounting (auditing: collecting data)
• Data encryption (a process of scrambling data to protect its integrity)
Security Mechanisms
• Packet filters (can be set up on routers, firewalls, and servers to accept or deny packets from a particular address or service)
• Firewalls (a device that enforces security policies at the boundary between two or more networks). Traditional firewalls are best suited to the needs of small businesses.
Security Mechanisms
• Detect and prevent denial of service (DoS) attacks with TCP Intercept, Context-Based Access Control (CBAC), and rate-limiting techniques
• Use Network-Based Application Recognition (NBAR) to detect and filter unwanted and malicious traffic
• Use router authentication to prevent spoofing and routing attacks
• Activate basic Cisco IOS filtering features like standard, extended, timed, lock-and-key, and reflexive ACLs to block various types of security threats and attacks, such as spoofing, DoS, Trojan horses, and worms
• Use black hole routing, policy routing, and Reverse Path Forwarding (RPF) to protect against spoofing attacks
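The packet-filter and ACL bullets above, and the RPF bullet, describe two complementary anti-spoofing checks at an Internet edge. The following is an added example (not from the slides, not Cisco IOS code) that models first-match, implicit-deny access-list evaluation together with a strict reverse-path check on the packet's source address; the addresses, routes and ACL entries are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str             # source IPv4 address
    dst: str             # destination IPv4 address
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int]
    ingress: str         # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    """One line of an access list, in the spirit of an extended ACL entry."""
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.src:
            return False
        if ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an access list ends with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def rpf_check(routes: Dict[IPv4Network, str], pkt: Packet) -> bool:
    """Strict unicast RPF: the longest-prefix route for the packet's *source*
    must point out the interface the packet came in on; otherwise the source
    is not reachable that way and the packet is treated as spoofed."""
    src = ip_address(pkt.src)
    candidates = [net for net in routes if src in net]
    if not candidates:
        return False
    best = max(candidates, key=lambda net: net.prefixlen)
    return routes[best] == pkt.ingress


# Constructed addressing: 10.0.0.0/8 is the enterprise, everything else is the Internet.
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")
WEB_SERVER = ip_network("10.1.1.10/32")    # public web server in the DMZ

ROUTES = {
    INTERNAL: "inside",
    ANY: "outside",
}

# Inbound access list applied to the Internet-facing ("outside") interface.
INTERNET_INBOUND_ACL = [
    Rule("deny", INTERNAL, ANY),                   # anti-spoofing: our own space never arrives from outside
    Rule("permit", ANY, WEB_SERVER, "tcp", 443),   # the one service the DMZ publishes
    # everything else falls through to the implicit deny
]


def filter_inbound(pkt: Packet) -> str:
    """Decision for a packet arriving on the outside interface:
    the RPF check runs first, then the access list."""
    if not rpf_check(ROUTES, pkt):
        return "deny (rpf)"
    return evaluate_acl(INTERNET_INBOUND_ACL, pkt)


if __name__ == "__main__":
    for pkt in [
        Packet("203.0.113.5", "10.1.1.10", "tcp", 443, "outside"),   # legitimate HTTPS
        Packet("10.0.0.7", "10.1.1.10", "tcp", 443, "outside"),      # spoofed internal source
        Packet("203.0.113.5", "10.1.1.10", "tcp", 22, "outside"),    # SSH is not published
    ]:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, ":", filter_inbound(pkt))
```

The spoofed packet is caught twice, by RPF and by the first ACL entry, which is the belt-and-suspenders layering the later slides recommend.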
Security Mechanisms
• Apply stateful filtering of traffic with CBAC, including dynamic port mapping
• Use Authentication Proxy (AP) for user authentication
• Perform address translation with NAT, PAT, load distribution, and other methods
• Implement stateful NAT (SNAT) for redundancy
• Use an Intrusion Detection System (IDS) to protect against basic types of attacks
• Obtain how-to instructions on basic logging and learn to easily interpret results
• Apply IPsec to provide secure connectivity for site-to-site and remote access connections
• Read about many, many more features of the IOS firewall for mastery of router security
Security Mechanisms
The Cisco IOS firewall offers you the feature-rich functionality that you've come to expect from best-of-breed firewalls: address translation, authentication, encryption, stateful filtering, failover, URL content filtering, ACLs, NBAR, and many others. Cisco Router Firewall Security teaches you how to use the Cisco IOS firewall to enhance the security of your perimeter routers and, along the way, take advantage of the flexibility and scalability that is part of the Cisco IOS Software package.
Security Mechanisms
• Intrusion Detection Systems (IDS) detect malicious events and notify an administrator by email, paging, or logging of the occurrences.
• Intrusion Prevention Systems (IPS) block traffic by adding rules to a firewall or by being configured to inspect traffic as it enters a firewall.
Encryption for Confidentiality and Integrity
• Public/Private key encryption
– Asymmetric key system
– All devices use the public key to encrypt data to be sent
– Receiving devices decrypt the data using a private key
• Digital signature
– Encrypt part of your document with a private key
– Receiver decrypts document using your public key
After encrypting your document with your private key, you can encrypt the document again with another party's public key (for example, the IRS's). The IRS then decrypts the document twice.
Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality
Figure 8-2. Public/Private Key System for Sending a Digital Signature
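The sign-then-encrypt flow described above (sign with your private key, encrypt for the IRS with its public key, IRS decrypts twice), as an added example that is not from the slides. It uses textbook RSA with constructed primes just above one million so the arithmetic is visible; real deployments use 2048-bit keys with OAEP/PSS padding, which this toy omits.

```python
import hashlib
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the million-range toy primes used here."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen(p: int, q: int):
    """Textbook RSA: returns (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_mod_n(doc: bytes, n: int) -> int:
    # A real signature covers the full hash; the toy modulus forces a reduction.
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % n


def sign(doc: bytes, private_key) -> int:
    """'Encrypt part of your document with a private key': the part is its hash."""
    n, d = private_key
    return pow(digest_mod_n(doc, n), d, n)


def verify(doc: bytes, signature: int, public_key) -> bool:
    """'Receiver decrypts using your public key' and compares with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(doc, n)


CHUNK = 4       # 4-byte chunks are < 2**32, below the ~1e12 toy modulus
SIG_BYTES = 6   # every signature is < n < 2**48


def encrypt_bytes(data: bytes, public_key) -> list:
    n, e = public_key
    return [pow(int.from_bytes(data[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(data), CHUNK)]


def decrypt_bytes(blocks: list, private_key, length: int) -> bytes:
    n, d = private_key
    out = bytearray()
    for i, c in enumerate(blocks):
        size = min(CHUNK, length - CHUNK * i)    # last chunk may be short
        out += pow(c, d, n).to_bytes(size, "big")
    return bytes(out)


def sign_then_encrypt(doc: bytes, my_private, their_public):
    """Sender: sign with my private key, then encrypt the signed document for the receiver."""
    signed = doc + sign(doc, my_private).to_bytes(SIG_BYTES, "big")
    return encrypt_bytes(signed, their_public), len(signed)


def decrypt_then_verify(blocks, length, my_private, sender_public):
    """Receiver: the first decryption (my private key) recovers the signed document;
    the second 'decryption' (sender's public key) checks the signature."""
    signed = decrypt_bytes(blocks, my_private, length)
    doc, sig = signed[:-SIG_BYTES], int.from_bytes(signed[-SIG_BYTES:], "big")
    return doc, verify(doc, sig, sender_public)


# Constructed toy key pairs: taxpayer and IRS each get two consecutive primes above 10**6.
p1 = next_prime(1_000_000); q1 = next_prime(p1 + 1)
p2 = next_prime(q1 + 1);    q2 = next_prime(p2 + 1)
TAXPAYER_PUB, TAXPAYER_PRIV = keygen(p1, q1)
IRS_PUB, IRS_PRIV = keygen(p2, q2)

if __name__ == "__main__":
    document = b"Form 1040, line 11: adjusted gross income 52,000"   # constructed sample
    blocks, length = sign_then_encrypt(document, TAXPAYER_PRIV, IRS_PUB)
    recovered, genuine = decrypt_then_verify(blocks, length, IRS_PRIV, TAXPAYER_PUB)
    print(recovered == document, genuine)
```

Only the IRS private key can recover the document (confidentiality), and only the taxpayer's public key makes the signature check pass (integrity and origin).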
Modularizing Security Design
Cisco supports reputation filtering and global correlation services, so that an IPS can keep up to date on global security trends and more accurately deny traffic from networks known to be currently associated with botnets, spam, and other malware.
• Security defense in depth
– Network security should be multilayered, with many different techniques used to protect the network.
• Belt-and-suspenders approach
– Don’t get caught with your pants down. Each mechanism should have a backup mechanism. The belt and suspenders together ensure the pants (the system) stay up. Use a dedicated firewall to limit access to resources and a packet-filtering router that adds another line of defense (multiple layers of defense).
• Secure all components of a modular design:
– Internet connections
– Public servers and e-commerce servers
– Remote access networks and VPNs
– Network services and network management
– Server farms
– User services
– Wireless networks
Securing Internet Connections
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication
Internet routers should be backed up with additional filters to prevent DoS (Denial of Service) and other attacks. In turn, these filters should be backed up by additional filters placed on firewall devices. Monitor Internet
Cisco SAFE
• The Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.
Securing Public Servers
• Place servers in a DMZ that is protected via firewalls
• Run a firewall on the server itself
• Enable DoS (denial of service) protection
– Limit the number of connections per timeframe
• Use reliable operating systems with the latest security patches
• Maintain modularity
– Front-end Web server doesn’t also run other services
Security Topologies
Figure: Enterprise Network; DMZ (Web, File, DNS, Mail Servers); Internet
Figure: Internet; Firewall; DMZ (Web, File, DNS, Mail Servers); Enterprise Network
Securing Remote-Access and Virtual Private Networks (VPN)
• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
Securing Remote-Access and Virtual Private Networks
• Security protocols
– Remote users and routers should authenticate with CHAP
– Authentication, authorization, and accounting are provided by RADIUS. The RADIUS database includes authentication and configuration information, and specifies the types of services a user is permitted to use (PPP, FTP, Telnet).
– IPsec is an IETF standard that provides confidentiality, data integrity, and authentication between participating peers at the IP layer. IPsec provides a secure path between remote users and a VPN concentrator, and between remote sites and a VPN site-to-site gateway.
Securing Remote-Access and Virtual Private Networks
Virtual Private Network: https://www.youtube.com/watch?v=q4P4BjjXghQ
IP Security: http://www.youtube.com/watch?v=taUdRQHfjMQ
Securing Network Services
• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
– Require extra authorization for risky configuration commands
• Use SSH (Secure Shell) rather than Telnet
• Change the welcome banner to be less welcoming
Securing Network Services
• Routing protocols should be selected that support authentication, including RIPv2, OSPF, EIGRP, and BGP4.
• Static and default routes are good choices because they eliminate the need to accept routing updates.
• Execute minimal necessary services and establish trust in only authenticated partners.
Securing Server Farms
• Deploy network and host IDSs to monitor server subnets and individual servers
• Configure filters that limit connectivity from the server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server access and management
• Limit root password to a few people
• Avoid guest accounts
Securing User Services
• Specify which applications are allowed to run on networked PCs in the security policy
• Require personal firewalls and antivirus software on networked PCs
– Implement written procedures that specify how the software is installed and kept current
• Encourage users to log out when leaving their desks
• Consider using 802.1X port-based security on switches
Securing Wireless Networks
• Place wireless LANs (WLANs) in their own subnet or VLAN
– Simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
– Except in cases where the WLAN is used by visitors
Securing Wireless Networks
• IEEE 802.11 specifies two forms of authentication
– Open key: the client is always authenticated; used for guest access.
– Shared key authentication: a WEP (Wired Equivalent Privacy) static key must be properly configured in both the client and the access point.
Man-in-the-middle is another form of eavesdropping.
WLAN Security Options
• Wired Equivalent Privacy (WEP): vulnerable to passive attacks and inductive key derivations. If the key is determined, it must be changed on the access point and every client.
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol (EAP)
– Lightweight EAP or LEAP (Cisco)
– Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of?
• Service Set Identifier (SSID)
Wired Equivalent Privacy (WEP)
• Defined by IEEE 802.11
• Users must possess the appropriate WEP key that is also configured on the access point
– 64- or 128-bit key (or passphrase)
• WEP encrypts the data using the RC4 stream cipher
• Infamous for being crackable
WEP Alternatives
• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
– Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i (implemented as WEP2)
• Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
Extensible Authentication Protocol (EAP)
• With 802.1X and EAP, devices take on one of three roles:
– The supplicant resides on the wireless LAN client
– The authenticator resides on the access point
– An authentication server resides on a RADIUS server
• EAP authenticates users; 802.11 authentication is device-based (wireless LAN devices)
EAP (Continued)
• An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
• The credentials are passed by the authenticator to the server and a session key is developed
• Periodically the client must re-authenticate to maintain network connectivity
• Re-authentication generates a new, dynamic WEP key
Cisco’s Lightweight EAP (LEAP)
• Standard EAP plus mutual authentication
– The user and the access point must authenticate
• Used on Cisco and other vendors’ products
• Mutual authentication means the client authenticates the server and the server authenticates the client.
Other EAPs
• EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft
– Requires certificates for clients and servers.
• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security
– Uses a certificate for the client to authenticate the RADIUS server
– The server uses a username and password to authenticate the client
• EAP-MD5 has no key management features or dynamic key generation
– Uses challenge text like basic WEP authentication
– Authentication is handled by RADIUS server
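The three 802.1X roles from the EAP slides (supplicant, authenticator, authentication server), the CHAP authentication recommended for remote users, and the EAP-MD5 challenge above all fit one exchange. The following is an added example, not from the slides or any vendor: three in-memory objects pass the messages, the response is MD5(Identifier || password || challenge) as CHAP (RFC 1994) and EAP-MD5 (RFC 3748) compute it, and the session-key step at the end is a constructed stand-in for "a session key is developed" (EAP-MD5 itself defines no key derivation, as the slide says). The user database and port names are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || challenge): the CHAP / EAP-MD5 response.
    The secret itself never travels across the access point."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AuthServer:
    """The RADIUS-side authentication server: the only role that holds passwords."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users                    # constructed {username: password}
        self.pending: Dict[str, tuple] = {}   # username -> (identifier, challenge)
        self.identifier = 0

    def challenge(self, username: str):
        """Issue a fresh one-time challenge (EAP-Request/MD5-Challenge)."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.pending[username] = (self.identifier, chal)
        return self.identifier, chal

    def check(self, username: str, identifier: int, response: bytes) -> Optional[bytes]:
        """Access-Accept (returns a session key) or Access-Reject (None)."""
        pend = self.pending.pop(username, None)        # a challenge is usable exactly once
        if pend is None or pend[0] != identifier or username not in self.users:
            return None
        expected = chap_response(identifier, self.users[username], pend[1])
        if not hmac.compare_digest(expected, response):
            return None
        # Constructed stand-in for "a session key is developed": bound to this
        # challenge, so each re-authentication yields a new dynamic key.
        return hmac.new(self.users[username], b"session|" + pend[1], hashlib.sha256).digest()


class Supplicant:
    """Runs on the wireless client; holds the credentials obtained from the user."""

    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password
        self.session_key: Optional[bytes] = None

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.password, challenge)


class Authenticator:
    """The access point: relays EAP between supplicant and server, never learns
    the password, and opens a port only after the server answers Accept."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.open_ports = set()

    def authenticate(self, port: str, supplicant: Supplicant) -> bool:
        identifier, chal = self.server.challenge(supplicant.username)        # relayed to the client
        response = supplicant.answer(identifier, chal)                         # EAP-Response/MD5-Challenge
        key = self.server.check(supplicant.username, identifier, response)    # RADIUS Accept / Reject
        if key is None:
            self.open_ports.discard(port)
            return False
        supplicant.session_key = key
        self.open_ports.add(port)
        return True


if __name__ == "__main__":
    server = AuthServer({"alice": b"correct horse battery staple"})
    ap = Authenticator(server)
    alice = Supplicant("alice", b"correct horse battery staple")
    print("first auth:", ap.authenticate("Gi0/1", alice))
    first_key = alice.session_key
    print("re-auth:", ap.authenticate("Gi0/1", alice), "new key:", alice.session_key != first_key)
    print("wrong password:", ap.authenticate("Gi0/2", Supplicant("alice", b"guess")))
```

Because each challenge is consumed on first use, a response captured from an earlier exchange is rejected on resubmission, which is the property the challenge text provides.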
VPN Software on Wireless Clients
• VPN is the safest way to do wireless networking for corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
– User authentication
– Strong encryption of data
– Data integrity
Network Management
• Helps an organization achieve availability, performance, and security goals
• Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met
• Facilitates scalability
– Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades
Network Management Design
• Consider scalability, traffic patterns, data formats, and cost/benefit tradeoffs
• Determine which resources should be monitored
• Determine metrics for measuring performance
• Determine which data to collect, and how much
Proactive Network Management
• Plan to check the health of the network during normal operation, not just when there are problems
• Recognize potential problems as they develop
• Optimize performance
• Plan upgrades appropriately
Network Management Processes According to the ISO
1. Fault management
2. Configuration management
3. Accounting management
4. Performance management
5. Security management
Fault Management
• Detect, isolate, diagnose, and correct problems
• Report status to end users and managers
• Track trends related to problems
Configuration Management
• Keep track of network devices and their configurations
• Maintain an inventory of network assets
• Log versions of operating systems and applications
Accounting Management
• Keep track of network usage by departments or individuals
• Facilitate usage-based billing
• Find users who use more resources than they should
Performance Management
• Monitor end-to-end performance
• Also monitor component performance (individual links and devices)
• Test reachability
• Measure response times
• Measure traffic flow and volume
• Record route changes
Security Management
• Maintain and distribute user names and passwords
• Generate, distribute, and store encryption keys
• Analyze router, switch, and server configurations for compliance with security policies and procedures
• Collect, store, and examine security audit logs
Network Management Components
• A managed device is a network node that collects and stores management information
• An agent is network-management software that resides in a managed device
• A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents
Network Management Architecture
[Figure: an NMS with its management database communicates with an agent on each managed device; each agent keeps its own management database]
Architecture Concerns
• In-band versus out-of-band monitoring
– In-band is easier to develop, but results in management data being impacted by network problems
• Centralized versus distributed monitoring
– Centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC)
Simple Network Management Protocol (SNMP)
• Most popular network management protocol
• SNMPv3 should gradually supplant (replace) versions 1 and 2 because it offers better authentication and better control of the set command.
• SNMP works with Management Information Bases (MIBs).
Simple Network Management Protocol (SNMP)
What is a MIB?
A MIB (Management Information Base) is a text file written in the ASN.1 (Abstract Syntax Notation One) format. The file is human readable, but it can also be compiled by a program called a MIB compiler, which produces objects identified by OIDs (Object Identifiers) that a network management station can understand and retrieve using SNMP (Simple Network Management Protocol).
Simple Network Management Protocol (SNMP)
Why is this important?
SNMP MIBs are crucial in order to manage your network and understand the underlying objects that are being retrieved from SNMP agents.
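An added Cisco IOS configuration example (not from the slides, and not Cisco's own documentation) that ties together the two SNMP points above: the clear-text v1/v2c community strings are removed in favour of an SNMPv3 user that must authenticate and encrypt, and a MIB view built from OIDs limits what that user may read, while giving it no write view at all so the set command cannot be used. The community strings, view and group names, user name, passwords, ACL number and NMS address are placeholders chosen for this example.

```cisco
! --- Legacy v1/v2c configuration to remove (placeholders): the community string
! --- travels in clear text, and a read-write community hands the set command to
! --- anyone who learns it
no snmp-server community public RO
no snmp-server community private RW
!
! --- SNMPv3 replacement (all names, passwords and addresses are placeholders)
!
! A MIB view is a set of OID subtrees. The NMS may read the system group
! (1.3.6.1.2.1.1) and the interfaces group (1.3.6.1.2.1.2) and nothing else
snmp-server view NMS-READ 1.3.6.1.2.1.1 included
snmp-server view NMS-READ 1.3.6.1.2.1.2 included
!
! Only the NMS at 192.0.2.10 (placeholder) may query the agent; log other attempts
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
! Group at security level "priv" (authentication plus encryption). No "write" view
! is given, so set requests from this group are rejected
snmp-server group NMS-GROUP v3 priv read NMS-READ access 10
!
! User in that group: SHA for authentication, AES-128 for privacy (placeholder passwords)
snmp-server user nms-poller NMS-GROUP v3 auth sha AuthPassw0rd-CHANGE-ME priv aes 128 PrivPassw0rd-CHANGE-ME
!
! Notifications to the NMS also go authenticated and encrypted under the v3 user
snmp-server enable traps
snmp-server host 192.0.2.10 version 3 priv nms-poller
```

Verify the result with show snmp user and show snmp group; IOS does not echo the v3 user's passwords in the running configuration, so a configuration audit checks for the absence of snmp-server community lines and the presence of the v3 group rather than the password values.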
Remote Monitoring (RMON)
• Developed by the IETF in the early 1990s to address shortcomings in standard MIBs
– Provides information on data link and physical layer parameters
– Nine groups of data for Ethernet
– The statistics group tracks packets, octets, packet-size distribution, broadcasts, collisions, dropped packets, fragments, CRC and alignment errors, jabbers, and undersized and oversized packets
Cisco Tools
• Cisco Discovery Protocol
– With the show cdp neighbors detail command, you can display detailed information about neighboring routers and switches, including which protocols are enabled, network addresses for enabled protocols, the number and types of interfaces, the type of platform and its capabilities, and the version of Cisco IOS Software running on the neighbor.
• NetFlow Accounting
– An integral part of Cisco IOS Software that collects and measures data as it enters router or switch interfaces
Summary
• Use a top-down approach
– Chapter 2 talks about identifying assets and risks and developing security requirements
– Chapter 5 talks about logical design for security (secure topologies)
– Chapter 8 talks about the security plan, policy, and procedures
– Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design
Summary
• Determine which resources to monitor, which data about these resources to collect, and how to interpret that data
• Develop processes that address performance, fault, configuration, security, and accounting management
• Develop a network management architecture
• Select management protocols and tools
Review Questions
• How does a security plan differ from a security policy?
• Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
• What are some methods for keeping hackers from viewing and changing router and switch configuration information?
• How can a network manager secure a wireless network?
Review Questions
• Why is network management design important?
• Define the five types of network management processes according to the ISO.
• What are some advantages and disadvantages of using in-band network management versus out-of-band network management?
• What are some advantages and disadvantages of using centralized network management versus distributed network management?
This Week’s Outcomes
• Security
• Threats and Risks
• Security Policy
• Security Mechanisms
• Wireless Security
• SNMP
Due this week
• 4-2-2 – Cisco Networking Practical Experience
– Basic Routing and LAN Switching Configuration
Next week
• Read Chapter 8 in Top-Down Network Design
• Concept questions 5
Q & A
• Questions, comments, concerns?