Chapter 04 Enterprise Network Security -1_wjb1


  • 7/27/2019 Chapter 04 Enterprise Network Security -1_wjb1

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. ITE I Chapter 6

    Network Security

Accessing the WAN, Chapter 4: Part 1. Modified by Bill Bourgeois [from work by Cisco and Tony Chen (College of DuPage)]

    January 2011

Business Information & Engineering Technologies

https://wiki.internet2.edu/confluence/display/itsg2/Information+Security+Governance

Objectives
In this chapter, we will discuss:
- Identification of security threats to enterprise networks
- Methods to mitigate security threats
- Configuration of basic router security
- Disabling unused router services and interfaces
- Using the Cisco AutoSecure or SDM One-Step Lockdown features
- File and software image management with the Cisco IOS Integrated File System (IFS)


Why is Network Security Important?
Computer networks have grown in size and importance. If the security of the network is compromised, there could be serious consequences:
- Loss of privacy
- Theft of information
- Legal liability

We must understand:
- The different types of threats
- The development of organizational security policies and mitigation techniques
- Cisco software tools to help secure networks
- The management of Cisco IOS software images

Cisco IOS software images and configurations can be deleted or replaced by an attacker; devices compromised in this way pose security risks. All applications and operating systems have vulnerabilities which may be exploited.

https://wiki.internet2.edu/confluence/display/itsg2/Information+Security+Incident+Management+%28ISO+13%29

The Increasing Threat to Security
Over the years, threat tools and methods have evolved. In 1985 an attacker needed sophisticated computer knowledge to build tools and carry out even basic attacks. As attackers' tools improved, attackers no longer required the same level of knowledge.

Some of the common terms are as follows:
- White hat - An individual who looks for vulnerabilities in systems and reports them so that they can be fixed (ethical hacker).
- Black hat - An individual who uses his knowledge to break into systems that he is not authorized to use.
- Hacker - Historically a general term for a computer programming expert; now commonly used to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.
- Cracker - Someone who tries to gain unauthorized access to network resources with malicious intent.
- Phreaker - An individual who manipulates a phone network, for example through a payphone, to make free long-distance calls.
- Spammer - An individual who sends large quantities of unsolicited e-mail messages.
- Phisher - Uses e-mail or other means to trick others into providing information, such as credit card numbers.

http://en.wikipedia.org/wiki/Phreaking

Think Like an Attacker
Many attackers use a seven-step process to gain information and start an attack:
1. Footprint analysis (reconnaissance). The company web page can lead to information such as the IP addresses of servers.
2. Enumeration of information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as the versions of servers.
3. Manipulation of users to gain access. Sometimes employees choose passwords that are easily cracked, or can be talked into revealing them.
4. Escalation of privileges. After attackers gain basic access, they use their skills to increase their privileges.
5. Gathering of additional passwords and secrets. With improved privileges, attackers gain access to sensitive information.
6. Installing backdoors. Backdoors allow the attacker to re-enter the system later without being detected.
7. Leveraging a compromised system. After a system is compromised, the attacker uses it to attack other hosts on the network.


Types of Computer Crime
The most commonly reported acts of computer crime that have network security implications are:
- Insider abuse of network access
- Virus
- Mobile device theft
- Phishing where an organization is fraudulently represented as the sender
- Instant messaging misuse
- Denial of service
- Unauthorized access to information
- Bots within the organization
- Theft of customer or employee data
- Abuse of wireless network
- System penetration
- Financial fraud
- Password sniffing
- Key logging
- Website defacement
- Misuse of a public web application
- Theft of proprietary information
- Exploiting the DNS server of an organization
- Telecom fraud
- Sabotage


Developing a Security Policy
The first step an organization should take to protect its data is to develop a security policy. A security policy must:
- Inform users, staff, and managers of their requirements for protecting information assets
- Specify the mechanisms through which these requirements can be achieved
- Provide a baseline from which to acquire, configure, and audit computer systems for compliance

http://www.utoronto.ca/security/documentation/policies/policy_5.htm

Developing a Security Policy
Assembling a security policy can be daunting. The ISO and IEC have published a security standard document called ISO/IEC 27002. The document consists of 12 sections:
1. Risk assessment
2. Security policy in collaboration with corporate management
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development, and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

http://en.wikipedia.org/wiki/ISO/IEC_27002

The Enterprise Security Policy
What is a security policy? A security policy is a set of guidelines established to safeguard the network from attacks, both from inside and outside the company.

A security policy benefits the organization in several ways:
- Provides a means to audit existing network security and compare the requirements to what is in place.
- Plans security improvements, including equipment, software, and procedures.
- Defines the roles and responsibilities of the company executives, administrators, and users.
- Defines which behavior is and is not allowed.
- Defines a process for handling network security incidents.
- Creates a basis for legal action if necessary.

A security policy is a living document. The document is never finished and is continuously updated as technology and employee requirements change.


Functions of a Security Policy
The security policy is for everyone who has access to the network, including employees, contractors, suppliers, and customers. The security policy should treat each of these groups differently: each group should only be shown the portion of the policy appropriate to their work and level of access to the network.

One document is not likely to meet the needs of the entire audience in a large organization. Each section of the document should address each group separately.


Components of a Security Policy
The SANS (SysAdmin, Audit, Network, Security) Institute (http://www.sans.org) provides guidelines for developing comprehensive security policies for organizations large and small. Not all organizations need all of these policies.

General security policies that an organization may invoke:
- Statement of authority and scope - Defines who in the organization sponsors the security policy, who is responsible for implementing it, and what areas are covered.
- Acceptable use policy (AUP) - Defines the acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
- Identification and authentication policy - Defines which technologies the company uses to ensure that only authorized personnel have access to its data.
- Internet access policy - Defines what the company will and will not tolerate with respect to the use of its Internet connectivity by employees and guests.
- Campus access policy - Defines acceptable use of campus technology resources by employees and guests.
- Remote access policy - Defines how remote users can use the remote access infrastructure of the company.
- Incident handling procedure - Specifies who will respond to security incidents, and how they are to be handled.


Components of a Security Policy
Some other policies which may be necessary in certain organizations include:
- Account access request policy - Formalizes the account and access request process within the organization. Users and system administrators who bypass the standard processes for account and access requests can expose the organization to legal action.
- Acquisition security assessment policy - Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment that the information security group must complete.
- Audit policy - Defines audit policies to ensure the integrity of information and resources. This includes a process to investigate incidents, ensure conformance to security policies, and monitor user and system activity where appropriate.
- Information sensitivity policy - Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
- Password policy - Defines the standards for creating, protecting, and changing strong passwords.
- Risk assessment policy - Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure associated with conducting business.
- Global web server policy - Defines the standards required by all web hosts.


Components of a Security Policy
An organization may also require policies specifically related to e-mail and IM, such as:
- Automatically forwarded e-mail policy - Documents the policy restricting automatic e-mail forwarding to an external destination without prior approval from the appropriate manager or director.
- E-mail policy - Defines content standards to prevent tarnishing the public image of the organization.
- Spam policy - Defines how spam should be reported and treated.
- IM usage policy - Defines the use of IM over corporate resources.

Remote access policies might include:
- Dial-in access policy - Defines the appropriate dial-in access and its use by authorized personnel.
- Remote access policy - Defines the standards for connecting to the organization's network from any host or network external to the organization.
- VPN security policy - Defines the requirements for VPN connections to the network of the organization.

The policy should note that users who defy or violate the rules in a security policy may be subject to disciplinary action, up to and including termination of employment as appropriate.


Vulnerabilities
When discussing network security, three primary elements are to be considered:
- Vulnerability - The degree of weakness which is inherent in every network and device: routers, switches, desktops, and servers.
- Threat - The people interested in taking advantage of each security weakness.
- Attack - Threats use a variety of tools, scripts, and programs to launch attacks against network vulnerabilities.


Vulnerabilities
There are three primary classes of vulnerability:
- Security policy weaknesses - Security risks to the network exist if users do not follow the security policy or if the policy does not adequately address vulnerabilities.
- Technological weaknesses - Computer and network technologies have intrinsic security weaknesses. These include operating systems, applications, and network equipment.
- Configuration weaknesses - Network administrators must learn of and address configuration weaknesses in the devices they manage.


Threats to the Physical Infrastructure
An attacker can deny the use of network resources if those resources can be physically compromised. The four classes of physical threats are:
- Hardware threats - Physical damage to servers, routers, switches, cabling plant, and workstations
- Environmental threats - Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats - Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- Maintenance threats - Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Physical security is very important and not to be overlooked!


Threats to the Physical Infrastructure (Mitigation)


Threats to Networks
Classes of threats to networks:
- Unstructured threats - Inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers.
- Structured threats - Individuals or groups that are highly motivated and technically competent, who break into business computers to commit fraud, destroy or alter records, or simply to create havoc.
- External threats - Individuals or organizations working outside of a company who do not have authorized access to the computer systems or network.
- Internal threats - Someone who has authorized access to the network with either an account or physical access.


Social Engineering
An intruder attempts to trick a member of an organization into revealing information, such as the location of files or passwords.

Phishing is a type of social engineering attack that uses e-mail in an attempt to trick others into providing sensitive information, such as credit card numbers, company proprietary data, or passwords. Phishing scams frequently involve sending out e-mails that appear to be from known online banking or auction sites, containing hyperlinks that appear to be legitimate but actually take users to a fake website set up by the phisher to capture their information.

Phishing attacks can be reduced by educating users and by implementing reporting guidelines for when suspicious e-mail is received.


Types of Network Attacks
- Reconnaissance - Reconnaissance is the discovery and mapping of systems, services, or vulnerabilities (also known as information gathering). It is similar to a burglar observing a neighborhood for vulnerable homes to break into.
- Access - System access is the ability of an intruder to gain access to a device for which the intruder does not have an account or password.


Types of Network Attacks
- Denial of Service - Denial of service (DoS) occurs when an attacker disables or corrupts networks or systems with the intent to deny services to intended users. DoS attacks are among the most feared, and among the most difficult to eliminate.
- Worms, Viruses, and Trojan Horses - Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services.


Reconnaissance Attacks
Reconnaissance attacks may consist of:
- Internet information queries - External attackers can use Internet tools, such as the nslookup, nmap, and whois utilities, to easily determine the IP address space assigned to a given corporation or entity.
- Ping sweeps - After the IP address space is determined, an attacker can then ping the publicly reachable IP addresses to identify the addresses that are active. An attacker may use a ping sweep tool, such as fping or gping, which pings all network addresses in a given subnet.

http://support.microsoft.com/kb/200525
http://nmap.org/
http://fping.sourceforge.net/
http://sourceforge.net/projects/gping2/

Reconnaissance Attacks
- Port scans - When the active IP addresses are identified, the intruder uses a port scanner to determine which network services or ports are active on the live IP addresses. A port scanner is software, such as Nmap or SuperScan, designed to search a host for open ports. The port scanner probes the open ports to determine the application and its version, and fingerprints the operating system version.

http://nmap.org/bennieston-tutorial/
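The sweeps and scans described in the two slides above leave a characteristic footprint in flow or firewall logs: one source touching many hosts with ICMP, or many ports on one host. The following Python is an added example written for this page, not part of the original course material; the flow records are constructed, and the thresholds SWEEP_HOSTS and SCAN_PORTS are assumptions to tune for your own network.

```python
"""Detect ping sweeps and port scans from flow records (added example; constructed data)."""
from collections import defaultdict

# Constructed flow records, not a real capture: (src_ip, dst_ip, protocol, dst_port).
FLOWS = (
    # one source pinging every host in 203.0.113.0/28: a ping sweep
    [("198.51.100.7", f"203.0.113.{i}", "icmp", 0) for i in range(1, 15)]
    # the same source then probing many ports on one live host: a port scan
    + [("198.51.100.7", "203.0.113.10", "tcp", p)
       for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389)]
    # ordinary traffic that must not trigger either rule
    + [("203.0.113.50", "203.0.113.10", "tcp", 443),
       ("203.0.113.51", "203.0.113.10", "tcp", 443),
       ("203.0.113.52", "203.0.113.11", "tcp", 80)]
)

# Assumed thresholds; tune to the size of your address space and normal traffic.
SWEEP_HOSTS = 8    # distinct ICMP destinations from one source
SCAN_PORTS = 10    # distinct destination ports on one host from one source


def detect_recon(flows, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return alerts as (kind, src, dst_or_None, count) for sources whose fan-out
    exceeds the thresholds. Fan-out, not volume, is the signal: a scanner sends a
    handful of packets to each target, so byte and packet counters stay low."""
    icmp_targets = defaultdict(set)   # src -> set of hosts it pinged
    port_targets = defaultdict(set)   # (src, dst) -> set of ports it touched
    for src, dst, proto, dport in flows:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto in ("tcp", "udp"):
            port_targets[(src, dst)].add(dport)

    alerts = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, None, len(hosts)))
    for (src, dst), ports in port_targets.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    # Stable ordering so the output is reproducible.
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))


if __name__ == "__main__":
    for kind, src, dst, count in detect_recon(FLOWS):
        print(f"{kind}: {src} -> {dst or 'many hosts'} ({count})")
```

Run against NetFlow or firewall connection logs, the same two sets would be bucketed per time window; a slow scanner that spreads its probes over hours is exactly the case where the window length matters more than the thresholds.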

Reconnaissance Attacks
Packet sniffers: Internal attackers may attempt to "eavesdrop" on network traffic. Two common uses of eavesdropping are as follows:
- Information gathering - Network intruders can identify usernames, passwords, or information carried in a packet.
- Information theft - The network intruder can steal data from networked computers by gaining unauthorized access.

A common method for eavesdropping is to capture TCP/IP or other protocol packets and decode the contents. An example program is Wireshark. It can capture usernames and passwords as they cross the network in cleartext protocols such as Telnet, FTP, and HTTP.

http://www.wireshark.org/news/20060714.html
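To make concrete what "captures usernames and passwords as they cross the network" means, here is an added Python example (not from the original slides) that performs the decoding step a sniffer does after capture: it pulls FTP USER/PASS commands and HTTP Basic credentials out of reassembled TCP payloads. The payloads, hostnames and accounts are constructed for the example; the TLS payload is included to show that the same login over an encrypted channel yields nothing.

```python
"""Pull cleartext credentials out of captured TCP payloads (added example; constructed data)."""
import base64
import re

# Constructed payloads, as a sniffer would hand them over after TCP reassembly.
CAPTURED = {
    "ftp": (b"220 ftp.example.test ready\r\nUSER alice\r\n331 Password required\r\n"
            b"PASS S3cret!\r\n230 Logged in\r\n"),
    "http": (b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
             b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    # TLS ClientHello prefix: the same login over HTTPS exposes no credentials.
    "https": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
}


def extract_ftp(payload):
    """FTP sends USER and PASS as plain commands, one per line."""
    user = re.search(rb"^USER (\S+)", payload, re.M)
    pw = re.search(rb"^PASS (\S+)", payload, re.M)
    if user and pw:
        return user.group(1).decode(), pw.group(1).decode()
    return None


def extract_http_basic(payload):
    """HTTP Basic auth is only base64("user:password"): encoding, not encryption."""
    m = re.search(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", payload, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None


def harvest(captures):
    """Run every extractor over every captured stream; return {stream: (user, password)}."""
    found = {}
    for name, payload in captures.items():
        creds = extract_ftp(payload) or extract_http_basic(payload)
        if creds:
            found[name] = creds
    return found


if __name__ == "__main__":
    for stream, (user, pw) in harvest(CAPTURED).items():
        print(f"{stream}: user={user!r} password={pw!r}")
```

The same few lines of regex are all an attacker on a shared segment needs, which is why the mitigation slide that follows puts encryption ahead of anything else.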

Reconnaissance Attacks
Some effective methods for counteracting eavesdropping are as follows:
- Use switched networks instead of hubs so that traffic is not broadcast to all endpoints or network hosts. Note that switching alone does not stop an attacker who poisons ARP caches or mirrors a port; encryption is still needed for sensitive traffic.
- Use encryption that meets the data security needs without imposing an excessive burden on system resources or users.
- Forbid the use of protocols with known susceptibilities to eavesdropping. An example is SNMP versions 1 and 2c, which send the community string in cleartext; SNMPv3 replaces community strings with per-user authentication and can encrypt the messages (the authPriv security level).


Access Attacks
Access attacks exploit vulnerabilities in authentication services, FTP services, web services, and others to gain entry to accounts, confidential databases, and other sensitive information.

Password Attacks
- Password attacks usually refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account and password.
- These repeated attempts are called dictionary attacks (trying words from a list) or brute-force attacks (trying every combination).
- Password attacks can be mitigated by educating users to use long, complex passwords, and by limiting the number of failed login attempts.
- To conduct a dictionary attack against captured password hashes, attackers can use tools such as L0phtCrack or Cain & Abel, or precomputed rainbow tables.

http://www.l0phtcrack.com/
http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml
http://en.wikipedia.org/wiki/Rainbow_table
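What the slide calls a dictionary attack is, against a stolen hash database, a question of how much precomputation the attacker can reuse. The Python below is an added example, not part of the course material: it cracks the same constructed user database twice, once hashed without a salt (one precomputed hash-to-word table cracks every account, which is the idea behind rainbow tables) and once with a per-user salt (the table is useless and every account costs a full pass over the wordlist). The wordlist, accounts and passwords are constructed; the salts are derived deterministically so the run is reproducible, where a real system would draw them from os.urandom.

```python
"""Dictionary attack against unsalted vs. salted password hashes (added example; constructed data)."""
import hashlib

# Constructed wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2011", "Welcome1", "dragon"]

# Constructed accounts. carol's passphrase is long and not in any wordlist.
USERS = {"alice": "letmein", "bob": "Welcome1", "carol": "correct horse battery staple"}


def unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> word once. Reusable against every unsalted database ever stolen;
    rainbow tables are a space-optimised form of exactly this table."""
    return {unsalted(w): w for w in words}


def crack_unsalted(hashes, table):
    """hashes: {user: hexdigest}. One dictionary lookup per account, no hashing at crack time."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def crack_salted(records, words):
    """records: {user: (salt, hexdigest)}. The salt forces a fresh hash per (user, word) pair.
    Returns the cracked accounts and the number of hash computations spent."""
    found, attempts = {}, 0
    for user, (salt, h) in records.items():
        for w in words:
            attempts += 1
            if salted(w, salt) == h:
                found[user] = w
                break
    return found, attempts


# Deterministic stand-in for os.urandom(8) so the example is reproducible.
SALTS = {u: hashlib.sha256(u.encode()).digest()[:8] for u in USERS}
UNSALTED_DB = {u: unsalted(p) for u, p in USERS.items()}
SALTED_DB = {u: (SALTS[u], salted(p, SALTS[u])) for u, p in USERS.items()}


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", crack_unsalted(UNSALTED_DB, table), f"({len(table)} hashes, reusable)")
    found, attempts = crack_salted(SALTED_DB, WORDLIST)
    print("salted:  ", found, f"({attempts} hashes, spent on this database only)")
```

Both runs recover alice and bob and neither recovers carol, which is the slide's point about long passwords; the difference between them is cost. A slow, salted key-derivation function such as PBKDF2 or bcrypt multiplies the salted figure by its work factor, which is what makes offline cracking of a leaked database expensive.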

Access Attacks
Port Redirection
- Port redirection is a type of trust-exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise block it.
- A utility that can provide this type of access is netcat.
- Port redirection can be mitigated through the use of a host-based intrusion detection system (IDS) on the hosts that the firewall trusts.

http://en.wikipedia.org/wiki/Netcat

Access Attacks
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is carried out by attackers who position themselves between two hosts. An attacker may catch a victim with a phishing e-mail or by defacing a website; for instance, a link to http://www.legitimate.com is replaced with http://www.attacker.com/http://www.legitimate.com.
1. When the victim requests a web page, the victim's host makes the request to the attacker's host.
2. The attacker's host receives the request and fetches the real page from the legitimate website.
3. The attacker can alter the legitimate web page and apply any transformations to the data they want to make.
4. The attacker forwards the modified page to the victim.

WAN MITM attack mitigation is achieved by using VPNs, so that an intermediary cannot read or alter the traffic.
LAN MITM attacks use tools such as ettercap and ARP poisoning. Port security on LAN switches limits which MAC addresses may appear on a port; ARP poisoning itself is stopped by Dynamic ARP Inspection, which drops ARP replies that do not match the switch's known IP-to-MAC bindings.

http://www.watchguard.com/infocenter/editorial/135324.asp
http://ettercap.sourceforge.net/
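The slide's "ettercap and ARP poisoning" works because ARP has no authentication: whoever answers an ARP request, or simply announces a binding, is believed. Below is an added Python example, not part of the original material, applying the same logic a switch's Dynamic ARP Inspection or an arpwatch daemon uses: compare each observed ARP reply against the known IP-to-MAC bindings and flag changes, plus one MAC claiming several IPs, which is the signature of an attacker impersonating both ends of a conversation. The ARP replies, addresses and MACs are constructed.

```python
"""Flag ARP poisoning from observed ARP replies (added example; constructed data)."""
from collections import defaultdict

# Constructed ARP replies as seen on one LAN segment: (sender_ip, sender_mac).
ARP_REPLIES = [
    ("10.1.1.1", "00:11:22:33:44:01"),    # default gateway
    ("10.1.1.20", "00:11:22:33:44:20"),   # workstation
    ("10.1.1.1", "00:11:22:33:44:01"),    # gateway again, consistent
    ("10.1.1.1", "de:ad:be:ef:00:99"),    # attacker now claims the gateway IP
    ("10.1.1.20", "de:ad:be:ef:00:99"),   # ...and the workstation IP: both directions of the MITM
    ("10.1.1.30", "00:11:22:33:44:30"),   # unrelated host, first sighting
]


class ArpWatch:
    """Track IP -> MAC bindings and report anomalies.

    trusted: optional {ip: mac} bindings known to be correct (e.g. the gateway, or
    DHCP snooping records); they take precedence over anything learned from traffic."""

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.learned = {}                 # ip -> mac, first binding seen
        self.claims = defaultdict(set)    # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        expected = self.trusted.get(ip, self.learned.get(ip))
        if expected is None:
            self.learned[ip] = mac        # first sighting: learn it
        elif expected != mac:
            self.alerts.append(("ip_mac_changed", ip, expected, mac))

        is_new_claim = ip not in self.claims[mac]
        self.claims[mac].add(ip)
        if is_new_claim and len(self.claims[mac]) > 1:
            self.alerts.append(("mac_claims_multiple_ips", mac, len(self.claims[mac])))


def run(replies, trusted=None):
    """Feed a sequence of ARP replies through one ArpWatch and return its alerts."""
    watch = ArpWatch(trusted)
    for ip, mac in replies:
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in run(ARP_REPLIES, trusted={"10.1.1.1": "00:11:22:33:44:01"}):
        print(alert)
```

A router with secondary addresses or a host running HSRP legitimately answers for several IPs, so the second rule needs an allow-list in practice; the first rule is the one Dynamic ARP Inspection enforces in hardware against the DHCP snooping binding table.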

DoS Attacks
DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. DoS attacks prevent authorized people from using a service by consuming system resources.

Ping of Death
- A ping normally carries 56 bytes of data (64 bytes with the ICMP header, 84 bytes with the IP header). An IP packet may be at most 65,535 bytes.
- The attacker sends fragments whose reassembled size exceeds 65,535 bytes; an older system that does not check the total before reassembling overflows its buffer and may crash.

SYN Flood
- A SYN flood attack exploits the TCP three-way handshake. It sends many SYN requests to a targeted server, often from spoofed source addresses.
- The server replies with SYN-ACK and holds a half-open connection, but the malicious host never sends the final ACK to complete the handshake.
- The table of half-open connections fills up until the server runs out of resources and ignores legitimate SYNs.

E-mail bombs
- Programs send bulk e-mails, monopolizing e-mail services.

Malicious applets
- These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.
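The two mechanisms on this slide are worth seeing as code. Below is an added Python example, not from the original course: fragments_fit() is the bounds check an IP reassembler must make before accepting the fragments of a ping of death, and HalfOpenTable versus syn_cookie() contrasts the stateful handshake a SYN flood exhausts with the stateless SYN-cookie defence, which derives the server's initial sequence number from the connection 4-tuple and a time counter so that nothing is stored until the client proves it received the SYN-ACK. Fragment sizes, backlog, addresses and the HMAC secret are constructed.

```python
"""Ping-of-death bounds check and SYN flood vs. SYN cookies (added example; constructed data)."""
import hashlib
import hmac

MAX_IP_PACKET = 65535   # 16-bit total length field
IP_HEADER_LEN = 20


def reassembled_length(fragments):
    """fragments: iterable of (fragment_offset in 8-byte units, payload_len).
    Returns the datagram payload size reassembly would produce."""
    return max((off * 8 + length for off, length in fragments), default=0)


def fragments_fit(fragments):
    """The check the vulnerable stacks skipped: a 13-bit offset times 8 plus a payload
    can address past 65,535 bytes, so the total must be tested before copying."""
    return IP_HEADER_LEN + reassembled_length(fragments) <= MAX_IP_PACKET


class HalfOpenTable:
    """Stateful server: every SYN reserves an entry until the final ACK (or a timeout)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.pending = {}   # (client_ip, client_port) -> ISN sent in the SYN-ACK

    def on_syn(self, client, isn=1000):
        if len(self.pending) >= self.backlog:
            return False    # dropped: the legitimate client never gets a SYN-ACK
        self.pending[client] = isn
        return True

    def on_ack(self, client, ack):
        return self.pending.pop(client, None) == ack - 1


# Constructed secret; a real implementation rotates it along with the counter.
COOKIE_SECRET = b"example-syn-cookie-secret"


def syn_cookie(client_ip, client_port, server_port, counter):
    """ISN = HMAC(secret, 4-tuple || coarse time counter). Nothing is stored server-side."""
    msg = f"{client_ip}|{client_port}|{server_port}|{counter}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


def check_cookie_ack(client_ip, client_port, server_port, ack, counter):
    """Accept the handshake if ACK-1 is the cookie for the current or previous window."""
    return any(ack - 1 == syn_cookie(client_ip, client_port, server_port, c)
               for c in (counter, counter - 1))


def flood_demo(backlog=128, bogus_syns=1000):
    """Fill the stateful table with spoofed SYNs that never complete, then see whether a
    real client gets in with and without SYN cookies."""
    table = HalfOpenTable(backlog)
    for i in range(bogus_syns):
        table.on_syn((f"192.0.2.{i % 250 + 1}", 1024 + i))   # spoofed sources, no ACK follows
    stateful_ok = table.on_syn(("198.51.100.5", 40000))

    isn = syn_cookie("198.51.100.5", 40000, 80, counter=42)
    stateless_ok = check_cookie_ack("198.51.100.5", 40000, 80, isn + 1, counter=42)
    return stateful_ok, stateless_ok


if __name__ == "__main__":
    print("normal ping fits:", fragments_fit([(0, 64)]))
    print("ping of death fits:", fragments_fit([(0, 1480), (8189, 1480)]))
    print("(stateful admitted, cookie admitted):", flood_demo())
```

The cookie costs the server one HMAC per SYN and per ACK instead of a table entry per SYN, which is why the spoofed sources that never answer cost it nothing; the price is that TCP options carried in the original SYN are lost unless they are encoded into the cookie bits as well.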


DoS Attacks
Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. There are three components to a DDoS attack:
- A Client, which is typically the system that launches the attack.
- A Handler, which is a compromised host that controls multiple Agents.
- An Agent, which is a compromised host that is responsible for generating packets aimed at the intended victim.

Examples of DDoS attacks include the following:
- Smurf attack
- Tribe Flood Network (TFN)
- Stacheldraht

http://en.wikipedia.org/wiki/Smurf_attack
http://en.wikipedia.org/wiki/Tribe_Flood_Network
http://en.wikipedia.org/wiki/Stacheldraht

DoS Attacks
The Smurf attack uses spoofed broadcast ping messages to flood a target system. It starts with an attacker sending a large number of ICMP echo requests to the network broadcast address of an intermediary network, with the source address spoofed to the victim's address. Every host on that network that answers the broadcast sends its echo reply to the victim, so the attacker's traffic is amplified by the number of responding hosts.

Turning off directed-broadcast forwarding on the router prevents the network from being used as a bounce site. IP directed-broadcast is off by default starting with Cisco IOS version 12.0 (the interface command is no ip directed-broadcast).

Directed-Broadcast diagram (text rendering): the attacker sends an ICMP echo request with D=172.18.1.255 (the directed broadcast address) and spoofed S=172.16.1.2 (the victim); each host on the 172.18.1.0/24 network answers with an ICMP echo reply addressed to the spoofed source, so the victim receives one reply per responding host.

http://www.securitydocs.com/library/2553

Malicious Code Attacks
The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.
- A worm executes code and installs copies of itself in the infected computer, from which it can infect other hosts. A worm spreads by exploiting known vulnerabilities in systems, or by relying on naive end users who open unverified executable attachments in e-mails.
- A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation. An example is a program that is attached to command.com, deletes files, and infects any other copies of command.com it finds.

http://en.wikipedia.org/wiki/Computer_worm
http://support.microsoft.com/kb/113163

Malicious Code Attacks
A Trojan horse is an application that was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is software that runs a game. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book, installs key loggers, and so on.

This kind of attack can be contained through the effective use of antivirus software at the user level, and potentially at the network level.


Host and Server Based Security: Device Hardening
Additional steps can be taken to secure hosts:
- Antivirus software can be installed and updated to protect against known viruses. Antivirus software does this in two ways:
  - Scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the user.
  - Monitors suspicious processes running on a host that might indicate infection.
- Personal firewalls on the PC can prevent attacks. Some personal firewall software vendors include McAfee, Norton (Symantec), and Zone Labs.
- Download OS and application security updates and patch all vulnerable systems. A solution to the management of security patches is to create a central patch server with which all systems must communicate. Any patches that are required by a host are automatically downloaded from the patch server and installed without user intervention.


Host and Server Based Security: Device Hardening
Intrusion Detection and Prevention
- Intrusion detection systems (IDS) detect attacks and send logs to a management console.
- Intrusion prevention systems (IPS) prevent attacks. An IPS provides the following active defense:
  - Prevention - Stops the detected attack from executing.
  - Reaction - Adjusts the system so that the same attack is blocked in the future.
- Either technology can be implemented at the network or host level (or both for maximum protection).

Host-based Intrusion Detection Systems (HIDS)
- HIDS is a passive technology. It sends logs to a management console after the attack has occurred and the damage is done.
Host-based Intrusion Prevention Systems (HIPS)
- HIPS stops the attack and prevents damage. Cisco provides HIPS using the Cisco Security Agent software. Agents are installed on publicly accessible servers and corporate mail and application servers.
- See Cisco Security Agent (CSA) for more information.

http://www.cisco.com/cdc_content_elements/flash/security/csa_v2/demo.html

    Common Security Appliances and Applications

    Cisco Network Admission Control (NAC) Appliance
    The Cisco NAC appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

    Cisco Security Agent (CSA)
    Cisco Security Agent software provides threat protection capabilities for server, desktop, and point-of-service (POS) computing systems.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html

    The Network Security Wheel

    Secure
    Secure the network by applying the security policy and implementing the following security solutions:
    Threat defense
    Stateful inspection and packet filtering (firewall)
    Deploy IPS
    Patch vulnerabilities
    Lock down the network devices by disabling unnecessary services
    Use VPNs
    Trust/identity constraints
    User access authentication
    Policy enforcement

    Monitor
    Monitoring security involves both active and passive methods of detecting security violations. The active method is to audit host-level log files. Passive methods include using IDS devices to detect intrusion.

    Test
    The functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified.

    Improve
    With the information collected from the monitoring and testing phases, Intrusion Detection Systems (IDS) can be used to implement improvements.

    http://lippisreport.com/2009/05/lippis-report-125-cisco-launches-cloud-based-global-correlation-threat-defense/

    Routers are Targets
    Because routers provide gateways to other networks, they are obvious targets. Some examples of security problems:

    Compromised access control can expose network configuration details, facilitating attacks against other network components.

    Compromised routing tables can reduce performance, deny network communication services, and expose sensitive data.

    Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

    Attackers may compromise routers in different ways. The types of attacks include trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks.

    Most of the best practices discussed for routers can also be used to secure switches.


    Router Security Issues

    Physical security
    Locate the router in a locked room that is accessible only to authorized personnel.
    To reduce the possibility of DoS due to a power failure, install an uninterruptible power supply (UPS).

    Update the router IOS whenever advisable
    To get the best security performance from the IOS, use the latest stable release that meets the feature requirements of the network.

    Back up the router configuration and IOS
    Keep a secure copy of the router image and router configuration file on a TFTP server for backup purposes.

    Harden the router to eliminate the potential abuse of unused ports and services
    A router has many services enabled by default. Harden the router configuration by disabling unnecessary services. Use auto secure or Cisco Security Device Manager (SDM).


    Applying Cisco IOS Security Features to Routers
    Before configuring security features on a router, plan for all the Cisco IOS security configuration steps.

    Access control lists (ACLs) are discussed in Chapter 5; ACLs are a critical technology and must be configured to control and filter network traffic.


    Manage Basic Router Security
    Basic router security consists of configuring strong passwords.

    Do not write passwords down and leave them in accessible places such as your desk or on your monitor.

    Avoid dictionary words, names, phone numbers, and dates.

    Combine letters, numbers, and symbols. Include at least one lowercase letter, uppercase letter, digit, and special character.

    Deliberately misspell a password. For example, Smith can be spelled as 5mYth. Another example could be Security spelled as 5ecur1ty.

    Make passwords lengthy. The best practice is to have a minimum of eight characters.

    Change passwords as often as possible. This practice limits the window of opportunity in which a hacker can crack a password and limits the exposure window after a password has been compromised.


    Manage Basic Router Security

    Passphrases
    A recommended method for creating strong complex passwords is to use passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password.


    Manage Basic Router Security

    Cisco IOS provides 2 password protection schemes:
    Simple encryption, called a type 7 scheme. Hides the password using a simple encryption algorithm.
    Use the service password-encryption global command.
    The type 7 encryption can be used by enable password and line passwords, including vty, console, and aux ports.

        R1(config)# service password-encryption
        R1(config)# do show run | include username
        username Student password 7 03075218050061
        R1(config)#


    Manage Basic Router Security

    Cisco IOS provides 2 password protection schemes:
    Complex encryption, called a type 5 scheme. It uses a more secure MD5 hash.
    To protect the privileged EXEC level, use the enable secret command.
    The router will use the enable secret password in lieu of the enable password if both are configured.
    The local database usernames should also be configured using the username username secret password command.

        R1(config)# username Student secret cisco
        R1(config)# do show run | include username
        username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
        R1(config)#

    PAP uses clear text passwords and cannot use MD5 encrypted passwords.


    Manage Basic Router Security

    Password Length
    Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command.
    Eliminates common passwords that are prevalent on most networks, such as "lab" and "cisco."
    This command affects any new user passwords created after the command is executed.
    The command does not affect previously existing router passwords.


    Securing Remote Administrative Access To Routers

    Local access through the console port is the preferred way for an administrator to connect to a device to manage it, since it is secure.
    Connecting to all the network devices locally can be an issue.
    Remote administrative access is more convenient than local access.
    Remote administrative access using Telnet is insecure, since Telnet forwards all network traffic in clear text.
    An attacker could capture network traffic and sniff the administrator passwords or router configuration.
    To secure administrative access to routers and switches:
    Secure the administrative lines (VTY, AUX).
    Configure the network device to encrypt traffic in an SSH tunnel.


    Securing Remote Administrative Access To Routers

    A Cisco device has limited VTY lines (usually five). When all of the VTYs are in use, no additional remote connections can be established.
    This creates the opportunity for a DoS attack. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.
    Reduce the exposure by configuring the last VTY line to accept connections only from a single, specific administrative workstation.
    ACLs, along with the ip access-class command on the last VTY line, must be configured. Discussed in Chapter 5.
    Another useful tactic is to configure VTY timeouts using the exec-timeout command. Provides protection against sessions accidentally left idle.
    Enabling TCP keepalives on incoming connections by using the service tcp-keepalives-in command can help guard against both malicious attacks and orphaned sessions caused by remote system crashes.


    Securing Remote Administrative Access To Routers

    Traditionally, remote administrative access on routers was configured using Telnet on TCP port 23.
    All Telnet traffic is forwarded in plain text.
    SSH has replaced Telnet for providing remote access with connections that support privacy and integrity.
    SSH uses TCP port 22. Cryptographic capable IOS images support SSH (others do not).
    Cisco routers are capable of acting as SSH client and server.
    Both of these functions are enabled by default on the router when SSH is enabled.
    As a client, a router can SSH to another router.
    As a server, a router can accept SSH client connections.


    Configuring SSH Security
    To enable SSH, the following parameters must be configured:
    1. Hostname
    2. Domain name
    3. Asymmetrical keys
    4. Local authentication
    Optional configuration parameters include: Timeouts, Retries

    Set router parameters
    Configure the router hostname with the hostname command.

    Set the domain name
    Enter the ip domain-name <domain name> command.


    Configuring SSH Security

    Generate asymmetric keys
    Create a key that the router uses to encrypt its SSH management traffic with the crypto key generate rsa command.
    Cisco recommends using a minimum modulus length of 1024.

    Configure local authentication and vty
    Define a local user and assign SSH to the vty lines.

    Configure SSH timeouts (optional)
    Use the commands ip ssh time-out seconds and ip ssh authentication-retries integer to enable timeouts and authentication retries.
    Set the SSH timeout to 15 seconds and the number of retries to 2.


    Test SSH Security
    To connect to a router configured with SSH, use an SSH client application such as PuTTY or TeraTerm.
    Be sure to choose the SSH option and that it uses TCP port 22.
    Using TeraTerm to connect securely to the R2 router with SSH, R2 displays a username prompt followed by a password prompt once the connection is initiated.
    TeraTerm displays the router R2 user EXEC prompt (assuming that the correct credentials are provided).


    BREAK (Continued at Next Class Session)