Network Security 1, Module 2: Security Planning and Policy
© 2005 Cisco Systems, Inc. All rights reserved.

Published on 26-Mar-2015

Transcript

<ul><li>Slide 1</li></ul><p>Slide 1: title slide (copyright footer only)

Slide 2: Network Security 1, Module 2: Security Planning and Policy

Slide 3: Learning Objectives
- 2.1 Discussing Network Security and Cisco
- 2.2 Endpoint Protection and Management
- 2.3 Network Protection and Management
- 2.4 Security Architecture
- 2.5 Basic Router Security

Slide 4: Module 2 Security Planning and Policy: 2.1 Discussing Network Security and Cisco

Slide 5: Network Security as a Continuous Process
Network security is a continuous process built around a security policy:
- Step 1: Secure
- Step 2: Monitor
- Step 3: Test
- Step 4: Improve
(Diagram: Secure, Monitor, Test and Improve form a cycle around the Security Policy; the same diagram is repeated on slides 6 to 9.)

Slide 6: Secure the Network
Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
- Authentication
- Encryption
- Firewalls
- Vulnerability patching

Slide 7: Monitor Security
- Detects violations of the security policy
- Involves system auditing and real-time intrusion detection
- Validates the security implementation in Step 1

Slide 8: Test Security
- Validates the effectiveness of the security policy through system auditing and vulnerability scanning

Slide 9: Improve Security
- Use information from the monitor and test phases to make improvements to the security implementation.
- Adjust the security policy as security vulnerabilities and risks are identified.
Slide 10: What Is a Security Policy?
"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." (RFC 2196, Site Security Handbook)

Slide 11: Why Create a Security Policy?
- To create a baseline of your current security posture
- To set the framework for security implementation
- To define allowed and not-allowed behaviors
- To help determine necessary tools and procedures
- To communicate consensus and define roles
- To define how to handle security incidents

Slide 12: Security Policy Elements
On the left are the network design factors on which the security policy is based; on the right are the basic Internet threat vectors that security policies are written to mitigate.
- Design factors: Topology/Trust Model, Usage Guidelines, Application Definition, Host Addressing, Data Assessment
- Threat vectors: Vulnerabilities, Denial of Service, Reconnaissance, Misuse

Slide 13: Module 2 Security Planning and Policy: 2.2 Endpoint Protection and Management

Slide 14: Host- and server-based security components and technologies
- Device Hardening: unnecessary services; default usernames and passwords; authorization to use resources
- Personal Firewall
- Anti-virus Software
- Operating System Patches
- Intrusion Detection and Prevention: passive; inline
- Host-based Intrusion Detection Systems: Cisco Security Agent

Slide 15: PC management
- Desktop Inventory and Maintenance
- Update Anti-virus Definitions
- Update HIDS and HIPS Signatures

Slide 16: Module 2 Security Planning and Policy: 2.3 Network Protection and Management

Slide 17:
Sample Firewall Topology (no text captured)

Slide 18: Types of Firewalls
- Server based: Microsoft ISA, CheckPoint, BorderManager
- Appliance: PIX Security Appliance, Netscreen, SonicWall
- Personal: Norton, McAfee, ZoneAlarm
- Integrated: IOS Firewall, Switch Firewall

Slide 19: VPN Definition (no text captured)

Slide 20: Remote Access VPNs (no text captured)

Slide 21: Site-to-Site VPNs (no text captured)

Slide 22: Network-Based Intrusion Detection (no text captured)

Slide 23: Trust and Identity
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System Plus (TACACS+)
- Kerberos

Slide 24: Network security management
Security management performs several functions:
- Identify sensitive network resources
- Determine mappings between sensitive network resources and user sets
- Monitor access points to sensitive network resources
- Log inappropriate access
Audit:
- Necessary to verify and monitor the corporate security policy
- Verifies the correct implementation of the security policy
- Logging and monitoring of events can help detect unusual behavior and possible intrusions

Slide 25: CiscoWorks (no text captured)

Slide 26: Adaptive Security Device Manager (ASDM) (no text captured)

Slide 27: Security Device Manager (SDM) (no text captured)

Slide 28: Module 2 Security Planning and Policy: 2.4 Security Architecture

Slide 29: Security architecture (SAFE): Defense in Depth

Slide 30:
Security architecture (SAFE)
- SAFE is a security blueprint for networks, based on the Cisco Architecture for Voice, Video, and Integrated Data (AVVID).
- SAFE consists of modules that address the distinct requirements of each network area.
- It was the first industry blueprint to recommend exactly which security solutions should be included in each section of the network, and why they should be deployed.
- Security managers do not need to redesign the entire security architecture each time a new service is added to the network.

Slide 31: Security architecture (SAFE)
- SAFE: A Security Blueprint for Enterprise Networks
- SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
- SAFE: VPN IPSec Virtual Private Networks in Depth
- SAFE: Wireless LAN Security in Depth, version 2
- SAFE: IP Telephony Security in Depth
- SAFE: IDS Deployment, Tuning, and Logging in Depth
- SAFE: Worm Mitigation

Slide 32: The Cisco Self-Defending Network
- Allows organizations to use their existing platforms
- Identify, prevent, and adapt to both known and unknown security threats
- Three parts: Secure Connectivity; Threat Defense; Trust and Identity Solutions

Slide 33: Secure Connectivity
Information transported across an internal wired and wireless infrastructure remains confidential.

Slide 34: Cisco Threat Defense System
Solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization.

Slide 35: Trust and Identity Solutions
- Secure network access and admission at any point in the network
- Isolates and controls infected or unpatched devices

Slide 36:
The Cisco Trust and Identity Management
- Identity Management: centralized management of remote devices; Authentication, Authorization, and Accounting (AAA)
- Identity Based Networking Services (IBNS): 802.1X to automatically identify users; appropriate degree of access privilege based on policy; rogue wireless access points
- Network Admission Control (NAC): a trusted endpoint has a current antivirus image, OS version, or patch update; permit, deny, or restrict network access; quarantine and remediate non-compliant devices

Slide 37: Cisco integrated security
Security functionality that is provided on a networking device:
- Identity Based Networking Services (IBNS)
- Cisco Perimeter Security

Slide 38: Plan, Design, Implement, Operate, Optimize (PDIOO)
- Network designs must easily adapt to implement the next generation of technology
- PDIOO names the stages of the network life cycle
- The PDIOO methodology can be applied to all technologies
- The designer should define key deliverables and associated actions

Slide 39: Planning and Design
Planning phase:
- The logic of future designs can be tested for flaws
- Helps to avoid a logical mistake being replicated
- Focuses on technical as well as financial criteria
- It is important to identify all the stakeholders
Design phase:
- Products, protocols, and features are chosen based on the criteria defined in the planning stage
- Network diagrams

Slide 40:
Implement, Operate, Optimize
Implementation phase:
- Detailed, customized deliverables to help avoid risks and meet expectations
- Ensures smooth deployment even when issues arise
Operation phase:
- Protect the network investment
- Help the staff prevent problems, maximize system utility, and accelerate problem resolution
Optimization phase:
- Can be hardening servers against security threats or adding QoS to the network for latency-sensitive traffic

Slide 41: Module 2 Security Planning and Policy: 2.5 Basic Router Security

Slide 42: Controlling Access
- Console port
- TTY
- VTY
A console is a terminal connected to a router console port. The terminal can be a dumb terminal or a PC with terminal emulation software.

Slide 43: Configure the Console Port User-Level Password
Syntax:
  router(config)# line console line-number      Enters console line configuration mode
  router(config-line)# login                    Enables password checking at login
  router(config-line)# password password        Sets the user-level password to password
Example, creating the user-level password ConUser1 (stored unencrypted unless service password-encryption is enabled):
  Boston(config)# line console 0
  Boston(config-line)# login
  Boston(config-line)# password ConUser1

Slide 44: Configure a VTY User-Level Password
Syntax:
  router(config)# line vty start-line-number end-line-number   Enters VTY line configuration mode for the given range of VTY lines
  router(config-line)# login                                   Enables password checking at login for VTY (Telnet) sessions
  router(config-line)# password password                       Sets the user-level password to password
Example:
  Boston(config)# line vty 0 4
  Boston(config-line)# login
  Boston(config-line)# password CantGessMeVTY

Slide 45:
Configure an Auxiliary User-Level Password
Syntax:
  router(config)# line aux line-number      Enters auxiliary line configuration mode
  router(config-line)# login                Enables password checking at login for aux connections
  router(config-line)# password password    Sets the user-level password to password
Example:
  Boston(config)# line aux 0
  Boston(config-line)# login
  Boston(config-line)# password NeverGessMeAux

Slide 46: Setting Timeouts for Router Lines
  router(config-line)# exec-timeout minutes [seconds]
- Default is 10 minutes
- Terminates an unattended console connection
- Provides an extra safety factor when an administrator walks away from an active console session
Example, terminating an unattended console or auxiliary connection after 3 minutes and 30 seconds:
  Boston(config)# line console 0
  Boston(config-line)# exec-timeout 3 30
  Boston(config)# line aux 0
  Boston(config-line)# exec-timeout 3 30
The same command applies under line vty; an idle Telnet or SSH session left open is no safer than an unattended console.

Slide 47: Login Banner
Banners should be used on all network devices. A banner should include:
- A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.
- A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.
- A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.
- Specific notices required by specific local laws.
A login banner usually should not contain any specific information about the router: its name, its model, what software it is running, or its ownership.

Slide 48:
Configuring Banner Messages
  router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
- Specify what is proper use of the system
- Specify that the system is being monitored
- Specify that privacy should not be expected when using this system
- Do not use the word "welcome"
- Have the legal department review the content of the message
Example:
  Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #
Note that this sample banner embeds the router's name (through the $(hostname) token) and the owner's name, both of which the previous slide advises against; omit them in a production banner.

Slide 49: SSH
SSH server and SSH client; the server listens on TCP port 22.

Slide 50: SSH Server Configuration
  Router(config)# hostname host-name
  Router(config)# ip domain-name domain-name.com
  Router(config)# crypto key generate rsa
  Router(config)# line vty 0 4
  Router(config-line)# transport input ssh
The hostname and domain name must be set first because IOS labels the RSA key pair with them. When generating the key, choose a modulus of at least 2048 bits, and restrict the server to SSH version 2 with ip ssh version 2. With transport input ssh the VTY lines no longer accept Telnet, so the line password in slide 44 is no longer sent in cleartext.

Slide 51: Passwords
- Passwords are the most critical tools in controlling access to a router.
- There are two password protection schemes in Cisco IOS:
  - Type 7 uses the Cisco-defined encryption algorithm.
  - Type 5 uses an MD5 hash, which is much stronger.
- Cisco recommends that Type 5 encryption be used instead of Type 7 where possible.
- Type 7 encryption is used by the enable password, username, and line password commands.
- Service password encryption should be used.
- Use good password practices when creating passwords.
- Configure both username and password combinations.
Type 7 is reversible obfuscation rather than encryption: its algorithm and key are public, so anyone who can read the configuration can recover the password. Type 5 (MD5-crypt) is one-way but can be brute-forced offline; later IOS releases add Type 8 (PBKDF2-SHA-256) and Type 9 (scrypt) via the algorithm-type keyword of enable secret and username, and these should be preferred where available.

Slide 52: Good Password Practices
- Avoid dictionary words, names, phone numbers, and dates.
- Include at least one lowercase letter, uppercase letter, digit, and special character.
- Make all passwords at least eight characters long.
- Avoid more than four digits or same-case letters in a row.
- Change passwords often.

Slide 53:
Initial Configuration Dialog
  --- System Configuration Dialog ---
  Would you like to enter the initial configuration dialog? [yes/no] y
  Configuring global parameters:...</p>
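The router-hardening items on slides 43 to 52 (line passwords and login, exec-timeout, a banner, SSH-only VTYs, Type 5 instead of Type 7) can be checked mechanically against a saved configuration. The script below is an added example written for this page, not code from the Cisco course. It relies on the publicly known Type 7 key stream; the two configurations it audits (WEAK_CONFIG and HARDENED_CONFIG), the finding messages and the line-number reporting are all constructed here, and the hash values in the hardened config are placeholders rather than real MD5-crypt output.

```python
"""Added example (not from the Cisco course): decode IOS Type 7 passwords and
audit a router config for the line-security settings slides 43 to 52 describe."""
import re

# Public, fixed key stream behind IOS "Type 7": obfuscation, not encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def _xor_stream(data: bytes, offset: int) -> bytes:
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data))


def type7_decode(encoded: str) -> str:
    """Two decimal digits give the key offset; then one hex byte per character."""
    return _xor_stream(bytes.fromhex(encoded[2:]), int(encoded[:2])).decode("ascii")


def type7_encode(clear: str, offset: int = 8) -> str:
    """Inverse of type7_decode: anyone holding the config can go either way."""
    return f"{offset:02d}{_xor_stream(clear.encode('ascii'), offset).hex().upper()}"


_PW7 = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)")      # Type 7 string
_PW_CLEAR = re.compile(r"\bpassword (?:0 )?(?!7 )\S+")  # no marker or Type 0


def audit_config(config: str) -> list:
    """Return (line_number, finding) pairs; line 0 means 'missing from the config'.
    Checks: Type 7 or cleartext passwords, enable password instead of enable secret,
    line stanzas without login or exec-timeout, VTYs that still accept Telnet, and
    absence of a banner, an enable secret, or a local username with a secret."""
    findings, sections, current = [], {}, None
    present = {"banner": False, "enable secret": False, "username with secret": False}
    for no, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        m = _PW7.search(text)
        if m:
            findings.append((no, f"Type 7 password decodes to {type7_decode(m.group(1))!r}"))
        elif _PW_CLEAR.search(text):
            findings.append((no, "cleartext password; use service password-encryption or a secret"))
        if raw.startswith(" ") and current is not None:   # sub-command of a line stanza
            state = sections[current]
            if text.startswith("login"):
                state["login"] = True
            elif text.startswith("exec-timeout"):
                state["exec-timeout"] = True
            elif text.startswith("transport input"):
                state["transport"] = text.split()[2:]
            continue
        current = None                                      # back at global config level
        if text.startswith("line "):
            current = text
            sections[text] = {"no": no, "login": False, "exec-timeout": False, "transport": None}
        elif text.startswith("banner "):
            present["banner"] = True
        elif text.startswith("enable secret"):
            present["enable secret"] = True
        elif text.startswith("enable password"):
            findings.append((no, "enable password is reversible; use enable secret"))
        elif text.startswith("username ") and " secret " in text:
            present["username with secret"] = True
    for name, s in sections.items():
        if not s["login"]:
            findings.append((s["no"], f"{name}: no 'login', so the password is never checked"))
        if not s["exec-timeout"]:
            findings.append((s["no"], f"{name}: no exec-timeout (IOS default is 10 minutes)"))
        if name.startswith("line vty") and s["transport"] != ["ssh"]:
            findings.append((s["no"], f"{name}: transport input should be ssh only"))
    findings += [(0, f"no {k} configured") for k, ok in present.items() if not ok]
    return findings


# Constructed weak config: the slides' line passwords as a router stores them under
# service password-encryption, one VTY password left in cleartext, Telnet still on.
WEAK_CONFIG = "\n".join([
    "enable password 7 0822455D0A16",      # the well-known Type 7 string for 'cisco'
    "line con 0",
    f" password 7 {type7_encode('ConUser1')}",
    " login",
    "line aux 0",
    f" password 7 {type7_encode('NeverGessMeAux')}",
    "line vty 0 4",
    " password CantGessMeVTY",
    " login",
    " transport input telnet ssh",
])

# Constructed hardened config: the same router after applying slides 43 to 52.
# The hash values are placeholders, not real MD5-crypt output.
HARDENED_CONFIG = "\n".join([
    "service password-encryption",
    "enable secret 5 $1$EXMP$placeholder.hash.value",
    "username admin secret 5 $1$EXMP$placeholder.hash.value",
    "banner motd ^C Unauthorized access is prohibited. Use is monitored and logged. ^C",
    "line con 0",
    " exec-timeout 3 30",
    " login local",
    "line vty 0 4",
    " exec-timeout 3 30",
    " login local",
    " transport input ssh",
])
```

Running audit_config over WEAK_CONFIG recovers all three Type 7 passwords in cleartext (the enable password decodes to "cisco") and lists the missing login, exec-timeout, banner and enable secret settings together with the Telnet-enabled VTY lines; HARDENED_CONFIG produces no findings. The decoder is the concrete reason slide 51 prefers Type 5 secrets over Type 7: the transform is a fixed XOR key stream, so read access to the configuration is equivalent to knowing the passwords.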
