Transcript
Page 1: 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved


Page 2:

Network Security 1

Module 2 – Security Planning and Policy

Page 3:

Learning Objectives

2.1 Discussing Network Security and Cisco

2.2 Endpoint Protection and Management

2.3 Network Protection and Management

2.4 Security Architecture

2.5 Basic Router Security

Page 4:

Module 2 – Security Planning and Policy

2.1 Discussing Network Security and Cisco

Page 5:

Network Security as a Continuous Process

• Network security is a continuous process built around a security policy.

Step 1: Secure

Step 2: Monitor

Step 3: Test

Step 4: Improve

[Diagram: Secure, Monitor, Test and Improve arranged as a cycle around the Security Policy]

Page 6:


Secure the Network

• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:

Authentication

Encryption

Firewalls

Vulnerability patching

Page 7:


Monitor Security

Detects violations to the security policy

Involves system auditing and real-time intrusion detection

Validates the security implementation in Step 1

Page 8:


Test Security

• Validates effectiveness of the security policy through system auditing and vulnerability scanning

Page 9:


Improve Security

Use information from the monitor and test phases to make improvements to the security implementation.

Adjust the security policy as security vulnerabilities and risks are identified.

Page 10:

What Is a Security Policy?

• “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” (RFC 2196, Site Security Handbook)

Page 11:

Why Create a Security Policy?

To create a baseline of your current security posture

To set the framework for security implementation

To define allowed and not allowed behaviors

To help determine necessary tools and procedures

To communicate consensus and define roles

To define how to handle security incidents

Page 12:

Security Policy Elements

• On the left are the network design factors on which the security policy is based.

• On the right are the basic Internet threat vectors that security policies are written to mitigate.

Design factors (left): Topology/Trust Model, Usage Guidelines, Application Definition, Host Addressing, Data Assessment

Threat vectors (right): Vulnerabilities, Denial of Service, Reconnaissance, Misuse

[Diagram: both columns feed into POLICY]

Page 13:

2.2 Endpoint Protection and Management

Module 2 – Security Planning and Policy

Page 14:

Host and server based security components and technologies

• Device hardening: remove unnecessary services, change default usernames and passwords, restrict authorization to use resources

• Personal firewall

• Anti-virus software

• Operating system patches

• Intrusion detection and prevention: passive (detect and alert) or inline (block)

• Host-based intrusion detection systems, for example Cisco Security Agent

Page 15:

PC management

• Desktop Inventory and Maintenance

• Update Anti-virus Definitions

• Update HIDS and HIPS Signatures

Page 16:

Module 2 – Security Planning and Policy

2.3 Network Protection and Management

Page 17:

Sample Firewall Topology

Page 18:

Types of Firewalls

Server based: Microsoft ISA, CheckPoint, BorderManager

Appliance: PIX Security Appliance, Netscreen, SonicWall

Personal: Norton, McAfee, ZoneAlarm

Integrated: IOS Firewall, Switch Firewall

Page 19:

VPN Definition

Page 20:

Remote Access VPNs

Page 21:

Site-to-Site VPNs

Page 22:

Network-Based Intrusion Detection

Page 23:

Trust and Identity

– Remote Authentication Dial-In User Service (RADIUS)

– Terminal Access Controller Access Control System Plus (TACACS+)

– Kerberos

Page 24:

Network security management

• Security management performs several functions:

Identify sensitive network resources

Determine mappings between sensitive network resources and user sets

Monitor access points to sensitive network resources

Log inappropriate access

• Audit

Necessary to verify and monitor the corporate security policy

Verifies the correct implementation of the security policy

Logging and monitoring of events can help detect unusual behavior and possible intrusions

Page 25:

CiscoWorks

Page 26:

Adaptive Security Device Manager (ASDM)

Page 27:

Security Device Manager (SDM)

Page 28:

Module 2 – Security Planning and Policy

2.4 Security Architecture

Page 29:

Security architecture (SAFE) – Defense in Depth

Page 30:

Security architecture (SAFE)

• SAFE is a security blueprint for networks, which is based on Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

• SAFE consists of modules that address the distinct requirements of each network area

• First industry blueprint that recommends exactly which security solutions should be included in each section of the network, and why they should be deployed.

• Security managers do not need to redesign the entire security architecture each time a new service is added to the network.

Page 31:

Security architecture (SAFE)

SAFE: A Security Blueprint for Enterprise Networks

SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

SAFE: VPN IPSec Virtual Private Networks in Depth

SAFE: Wireless LAN Security in Depth - version 2

SAFE: IP Telephony Security in Depth

SAFE: IDS Deployment, Tuning, and Logging in Depth

SAFE: Worm Mitigation

Page 32:

The Cisco Self-Defending Network

• Allows organizations to use their existing platforms

• Identify, prevent, and adapt to both known and unknown security threats.

–Secure Connectivity.

–Threat Defense.

–Trust and Identity Solutions.

Page 33:

Secure Connectivity

Information transported across an internal wired and wireless infrastructure remains confidential

Page 34:

Cisco Threat Defense System

Solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization

Page 35:

Trust and Identity Solutions

• Secure network access and admission at any point in the network

• Isolate and control infected or unpatched devices

Page 36:

The Cisco Trust and Identity Management

• Identity Management

Centralized management of remote devices

Authentication, Authorization, and Accounting (AAA)

• Identity Based Networking Services (IBNS)

802.1x to automatically identify users

Appropriate degree of access privilege based on policy.

Rogue wireless access points.

• Network Admission Control (NAC)

Trusted endpoint having a current antivirus image, OS version, or patch update.

Permit, deny, or restrict network access

Quarantine and remediate non-compliant devices.

Page 37:

Cisco integrated security

• Security functionality that is provided on a networking device

Identity Based Networking Services IBNS

Cisco Perimeter Security

Page 38:

Plan, Design, Implement, Operate, Optimize (PDIOO)

• Network designs must easily adapt to implement the next generation of technology

• Stages of network life cycle

• The PDIOO methodology can be applied to all technologies

• Designer should define key deliverables and associated actions

Page 39:

Planning and Design

• Planning Phase

The logic of future designs can be tested for flaws

Helps avoid a logical mistake being replicated

Focuses on technical as well as financial criteria

It is important to identify all the stakeholders

• Design Phase

Products, protocols, and features are chosen based on criteria defined in the planning stage

Network diagrams

Page 40:

Implement, Operate, Optimize

• Implementation Phase

Detailed, customized deliverables to help avoid risks and meet expectations

Ensures smooth deployment even when issues arise

• Operation Phase

Protect the network investment

Help the staff prevent problems, maximize system utility, and accelerate problem resolution

• Optimization Phase

Can be hardening servers against security threats or adding QoS to the network for latency-sensitive traffic

Page 41:

Module 2 – Security Planning and Policy

2.5 Basic Router Security

Page 42:

Controlling Access

• Console Port

• TTY

• VTY

• A console is a terminal connected to a router console port.

• The terminal can be a dumb terminal or a PC with terminal emulation software.

Page 43:

Configure the Console Port User-Level Password

Creates the user-level password ConUser1

The password is stored in the configuration in clear text (type 0) until service password-encryption is enabled

Boston(config)# line console 0
Boston(config-line)# login
Boston(config-line)# password ConUser1

router(config)# line console line-number

• Enters console line configuration mode

router(config-line)# login

• Enables password checking at login

router(config-line)# password password

• Sets the user-level password to password

Page 44:

Configure a VTY User-Level Password

Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY

router(config)# line vty start-line-number end-line-number

• Enters VTY line configuration mode and specifies the range of VTY lines to configure

router(config-line)# login

• Enables password checking at login for VTY (Telnet) sessions

router(config-line)# password password

• Sets the user-level password to password

Page 45:

Configure an Auxiliary User-Level Password

Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux

router(config)# line aux line-number

• Enters auxiliary line configuration mode

router(config-line)# login

• Enables password checking at login for Aux connections

router(config-line)# password password

• Sets the user-level password to password

Page 46:

Setting Timeouts for Router Lines

router(config-line)# exec-timeout minutes [seconds]

• Default is 10 minutes

• Terminates an unattended console connection

• Provides an extra safety factor when an administrator walks away from an active console session

The following terminates an unattended console or auxiliary connection after 3 minutes and 30 seconds:

Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30

Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30

Page 47:

Login Banner

• Banners should be used on all network devices

• A banner should include

A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.

A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.

A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.

Specific notices required by specific local laws.

• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

Page 48:

Configuring Banner Messages

router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

• Specify what is “proper use” of the system

• Specify that the system is being monitored

• Specify that privacy should not be expected when using this system

• Do not use the word “welcome”

• Have the legal department review the content of the message

Boston(config)# banner motd #WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

Note that the $(hostname) token in this example expands to the device name, and the text also names the owning organization; the previous slide advises against disclosing either in a banner that is shown before authentication, so in practice leave both out.

Page 49:

SSH

[Diagram: SSH client connecting to the router's SSH server over TCP port 22]

Page 50:

SSH Server Configuration

Router(config)# hostname host-name

Router(config)# ip domain-name domain-name.com

Router(config)# crypto key generate rsa

Router(config)# line vty 0 4

Router(config-line)# transport input ssh

The host name and domain name must be set before the key pair is generated, because the key is named after them (host-name.domain-name.com). When prompted for the modulus size, choose at least 2048 bits. transport input ssh removes Telnet from those lines, so clear-text logins are no longer accepted; the lines also need user-based authentication (login local with a configured username, or AAA), since SSH logs in with a user name rather than a line password. On releases that support it, ip ssh version 2 restricts the server to SSHv2.

Page 51:

Passwords

• Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:

• Type 7 uses a Cisco-defined reversible encoding (a fixed-key XOR cipher); anyone who can read the configuration can recover the clear text.

• Type 5 uses a salted MD5 hash, which is much stronger: the password cannot be recovered from the stored value, only guessed offline.

• Cisco recommends that Type 5 be used instead of Type 7 where possible. Type 7 is what service password-encryption applies to the enable password, username password, and line password commands; enable secret and username secret store Type 5. (Newer IOS releases add the stronger Type 8 and Type 9 hashes.)

• Service password encryption should be used, so that no password is left in clear text.

• Use good password practices when creating passwords.

• Configure both username and password combinations.

Page 52:

Good Password Practices

• Avoid dictionary words, names, phone numbers, and dates.

• Include at least one lowercase letter, uppercase letter, digit, and special character.

• Make all passwords at least eight characters long.

• Avoid more than four digits or same-case letters in a row.

• Change passwords often.

Page 53:

Initial Configuration Dialog

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no] y

Configuring global parameters:

Enter host name [Router]: Boston

The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.

Enter enable secret: CantGessMe

The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.

Enter enable password: WontGessMe

The virtual terminal password is used to protect access to the router over a network interface.

Enter virtual terminal password: CantGessMeVTY

Page 54:

Configure the Enable Password Using enable secret

router(config)# enable secret password

• Stores the password in the router configuration file as a salted MD5 hash (type 5) rather than in clear text

• The hash cannot be reversed; an attacker who obtains the configuration can only try to brute-force it offline

Boston(config)# enable secret Curium96

Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!

Page 55:

Encrypting Passwords Usingservice password-encryption

router(config)# service password-encryption

• Encrypts all clear-text passwords in the router configuration file (line, enable password, and username passwords) using the type 7 scheme

• Uses a weak, reversible algorithm that can be decoded in seconds with freely available tools; it protects against casual shoulder-surfing, not against anyone who obtains a copy of the configuration

Boston(config)# service password-encryption

Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A
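The difference between the two schemes on this slide and on the Passwords slide above is easy to demonstrate. The Python below is an added example (not Cisco code and not part of the original deck): it implements the publicly known type 7 reversal and scans a constructed running-config excerpt for credential lines, reporting which ones an attacker holding a copy of the file could read. The XLAT key string is the well-known fixed key of the type 7 scheme; the config text, the function names and the password values other than the well-known 0822455D0A16 ("cisco") are constructed for the example (the type 7 strings printed on the slide itself are not used).

```python
"""Audit a Cisco IOS configuration for weak password storage.

Added example for this page, not Cisco code. The type 7 scheme is a fixed-key
XOR: a two-digit decimal seed selects the starting offset into XLAT, and each
password byte is XORed with the next XLAT byte. Anyone holding the config can
reverse it; type 5 ($1$ salted MD5) can only be brute-forced.
"""
import re
from typing import List, Optional, Tuple

# The well-known key string used by the type 7 scheme (53 bytes).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the clear text behind a 'password 7 <encoded>' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value must be a two-digit seed plus hex pairs")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)]
                 for i, b in enumerate(body)).decode("ascii")


def type7_encrypt(plain: str, seed: int = 8) -> str:
    """Produce the value that service password-encryption would store."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)]
                 for i, c in enumerate(plain))
    return "%02d%s" % (seed, body.hex().upper())


# Credential lines as they appear in a running-config. The type digit is
# optional because IOS omits it for some clear-text (type 0) passwords.
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable password|enable secret|password|"
    r"username \S+(?: privilege \d+)? (?:password|secret))"
    r"\s+(?:(?P<type>[05789])\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config: str) -> List[Tuple[int, str, str, Optional[str]]]:
    """Return (line_no, command, type, clear_text) for every credential line.

    clear_text is the recovered password for type 7, the literal for type 0,
    and None for hashed types (5, 8, 9), which cannot be reversed.
    """
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"
        value = m.group("value")
        if ptype == "7":
            clear = type7_decrypt(value)
        elif ptype == "0":
            clear = value
        else:
            clear = None
        findings.append((line_no, m.group("cmd"), ptype, clear))
    return findings


# Constructed running-config excerpt for a hypothetical device. The type 5
# hash is the one shown on the slide; 0822455D0A16 is the well-known encoding
# of "cisco"; the console value was produced with type7_encrypt("ConUser1", 12).
SAMPLE_CONFIG = """\
hostname Boston
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
username admin privilege 15 secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
line con 0
 password 7 123A0A19271809167B
 login
line aux 0
 password 7 0822455D0A16
 login
line vty 0 4
 password CantGessMeVTY
 login
"""

if __name__ == "__main__":
    for line_no, cmd, ptype, clear in audit_config(SAMPLE_CONFIG):
        verdict = "hash only (brute force)" if clear is None else "READABLE: " + clear
        print("line %2d  %-36s type %s  %s" % (line_no, cmd, ptype, verdict))
```

Run against a saved "show running-config" and the report separates the secrets that need an offline guessing attack from the line and enable passwords that are effectively clear text. The practical fix is the one the slides give: use enable secret and username ... secret, keep service password-encryption on so nothing is type 0, and treat any type 7 value in a config backup as already compromised.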

Page 56:

Setting Multiple Privilege Levels

router(config)# privilege mode {level level command | reset command}

• Level 1 is predefined for user-level access privileges

• Levels 2–14 may be customized for user-level privileges

• Level 15 is predefined for enable mode (enable command)

Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot

A user who enters level 2 with enable 2 and the level-2 secret can run ping (plus everything available at level 1) but none of the commands assigned to higher levels.

Page 57:

Setting Multiple Privilege Levels

Page 58:

IOS network services

• Some services can be restricted or disabled to improve security

• Support only the traffic and protocols the network needs

• show processes (show proc) shows what is running on the router and helps identify active services

Small services such as echo, discard, and chargen – no service tcp-small-servers and no service udp-small-servers

BOOTP – no ip bootp server

Finger – no service finger

Hypertext Transfer Protocol (HTTP) – no ip http server

Simple Network Management Protocol (SNMP) – no snmp-server

Page 59:

IOS network services

• Services that act on transit traffic, special packets, or remote router configuration

Cisco Discovery Protocol (CDP) – no cdp run

Remote configuration loading – no service config

Source routing – no ip source-route

• Interfaces (interface configuration mode)

Unused interfaces – shutdown

Directed broadcasts, used for smurf amplification attacks – no ip directed-broadcast

Proxy ARP (answering ARP requests on behalf of other hosts) – no ip proxy-arp

Page 60:

Routing protocol authentication and update filtering

• An attacker who sends false routing update packets to an unprotected router can easily corrupt its routing table and re-route network traffic as desired.

• Protect the routing tables from unauthorized and malicious changes:

Use only static routes where the topology allows

Authenticate routing table updates

Page 61:

Routing protocol authentication and update filtering

• Unauthenticated routing protocols are vulnerable to eavesdropping on and spoofing of routing updates. Message Digest 5 (MD5) authentication, where each update carries a keyed MD5 digest that the receiver checks with the shared key, is supported by:

OSPF

RIPv2

Enhanced IGRP

BGP

• Passive Interfaces

– Suppress sending routing updates on interfaces where no neighboring router is expected, so devices on that segment do not learn routes dynamically

– Keep outside parties from learning about the existence of routes or the routing protocol in use
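To make the authentication point on this slide and the preceding one concrete, the following Python is an added example (not Cisco's implementation and not from the original deck). It models keyed-MD5 routing update authentication in the style of OSPF's cryptographic authentication (RFC 2328, Appendix D): the sender appends MD5(update || key padded to 16 bytes) and a cryptographic sequence number; the receiver recomputes the digest with its own copy of the key and rejects updates that fail the check or reuse an old sequence number, while an unprotected router accepts anything. The packet layout, the Neighbor class, the key and the route strings are simplified constructions for the example, not the real OSPF packet format.

```python
"""Keyed-MD5 authentication of routing updates, simplified OSPF-style model.

Added example, not Cisco code. Layout of an authenticated update:
    4-byte sequence number | update payload | 16-byte MD5 digest
digest = MD5(sequence || payload || key padded with zeros to 16 bytes)
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

KEY_LEN = 16
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """Pad a shared key to 16 bytes with zeros, as the OSPF scheme does."""
    if not key or len(key) > KEY_LEN:
        raise ValueError("key must be 1-16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def sign_update(payload: bytes, seq: int, key: bytes) -> bytes:
    """Build an authenticated update: sequence header + payload + keyed digest."""
    msg = struct.pack("!I", seq) + payload
    return msg + hashlib.md5(msg + pad_key(key)).digest()


class Neighbor:
    """Receiving router's view of one neighbor: shared key and last accepted sequence."""

    def __init__(self, key: bytes) -> None:
        self.key = pad_key(key)
        self.last_seq = -1

    def accept(self, packet: bytes) -> Optional[bytes]:
        """Return the update payload if authentic and fresh, otherwise None."""
        if len(packet) < 4 + DIGEST_LEN:
            return None
        msg, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
        expected = hashlib.md5(msg + self.key).digest()
        if not hmac.compare_digest(expected, digest):   # forged or tampered
            return None
        seq = struct.unpack("!I", msg[:4])[0]
        if seq <= self.last_seq:                         # replayed
            return None
        self.last_seq = seq
        return msg[4:]


def accept_unauthenticated(packet: bytes) -> bytes:
    """What an unprotected router does: trust whatever arrives on the wire."""
    return packet[4:-DIGEST_LEN] if len(packet) >= 4 + DIGEST_LEN else packet


def run_scenario() -> Dict[str, Optional[bytes]]:
    """A legitimate neighbor and an attacker on the same segment."""
    key = b"Patriot"                                   # constructed shared key
    good = b"10.1.1.0/24 via 10.0.0.2 metric 1"        # constructed route
    evil = b"0.0.0.0/0 via 10.0.0.66 metric 1"         # attacker's default route

    router = Neighbor(key)
    legit = sign_update(good, 1, key)
    results = {"legit": router.accept(legit)}
    # Attacker replays the captured packet unchanged.
    results["replay"] = router.accept(legit)
    # Attacker signs a forged update with a guessed key.
    results["forged"] = router.accept(sign_update(evil, 2, b"guess"))
    # Attacker rewrites the route inside the captured packet, keeping the digest.
    tampered = legit[:4] + evil + legit[-DIGEST_LEN:]
    results["tampered"] = router.accept(tampered)
    # The next genuine update, with a fresh sequence number, still gets through.
    results["next"] = router.accept(sign_update(good, 2, key))
    # The same forged packet against a router that does not authenticate.
    results["unprotected"] = accept_unauthenticated(sign_update(evil, 2, b"guess"))
    return results


if __name__ == "__main__":
    for name, payload in run_scenario().items():
        print("%-12s %s" % (name, "rejected" if payload is None else payload.decode()))
```

The sequence number is what turns a bare digest into replay protection; without it the attacker could re-send a stale but validly signed update. MD5(message || key) is the legacy OSPF construction, and current IOS releases also offer HMAC-SHA for OSPF (RFC 5709), which is the better choice where both ends support it.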

Page 62:

NTP, SNMP, router name, DNS

• NTP Service

• SNMP Services

Erase existing community strings, especially the well-known defaults (public, private)

Set a hard-to-guess, read-only community string

Apply an IP access list to the community string so that only the management station can use it, or deny all SNMP traffic if SNMP is not needed

Disable SNMP system shutdown and trap features

• Router Name and DNS Name Resolution

ip name-server addresses

no ip domain-lookup (stops the router from trying to resolve mistyped commands as host names)

hostname

Page 63:


Recommended