
Network Security


Presentation Transcript


  1. Network Security Ryan Greer CCNP, CCDP, MCSE Pat Bittner Keller Schroeder & Associates, Inc. Evansville, Indiana

  2. Evaluating Network Security Threats Module 1

  3. Primary Reasons for Security Issues • Technology Weakness • Configuration Weakness • Policy Weakness

  4. Technology Weaknesses • TCP/IP • Operating System • Network Equipment Weaknesses

  5. Configuration Weakness • Insecure default settings • Misconfigured network equipment • Insecure user accounts • System accounts with easy-to-guess passwords • Misconfigured Internet services • Java & JavaScript

  6. Policy Weakness • Lack of security policy • Internal politics (political battles, turf wars) • Lack of business continuity (high turnover) • Poorly enforced • Inadequate monitoring • Lack of awareness of being attacked • Installations that do not follow policy • Security incident response and disaster recovery plan (DRP) not in place

  7. Types of Threats • Internal Threats • External Threats

  8. Internal Threats • Current employees with less-than-honorable intentions • Current employees pursuing unintentional activities • Employees who mismanage the environment • Use insecure passwords • Misconfigure equipment out of ignorance

  9. External Threats • Thrill seekers • Competitors • Enemies • Thieves • Spies • Hostile ex-employees • Others (intrusion for sport, intrusion to learn)

  10. Security Threat Types • Reconnaissance • Unauthorized Access • Denial of Service • Data Manipulation

  11. Reconnaissance • Target Discovery • Eavesdropping • Information Theft

  12. Unauthorized Access • Gaining Initial Access • Password-Based Attacks • Gaining Trusted or Privileged Access • Misuse of Systems after gaining access • Counteracting Remote-Access Attacks

  13. Denial of Service • Resource Overload • Out-of-Band Data DoS Attacks • Others • Counteracting

  14. Data Manipulation • IP Spoofing • Session Replay and Hijacking • Rerouting

  15. Securing the Network Infrastructure Module 2

  16. Securing Physical Devices • Establish Configuration and Control Policy • Properly lock, power, wire and cool equipment • Control direct access to all network equipment • Secure access to network links • Plan for Disaster Recovery

  17. Securing Administrative Interface • Setting Console Access • Using Password Encryption • Fine-Tuning Line Parameters • Setting Multiple Privileged Levels • Setting Device Banner Messages • Controlling Telnet Access • Controlling SNMP Access

  18. Setting Console Passwords • Tips • Immediately configure • Make privileged and user passwords different • Use mixed characters • Do not write down

  19. Setting Console Access • User Mode Passwords
      router(config)#line console 0
      router(config-line)#login
      router(config-line)#password ruHamlet
      User Access Verification
      Password: ruHamlet
      router>

  20. Setting Console Passwords • Privileged Mode Passwords
      router(config)#enable secret 2br!2b@?
      router> enable
      Password: 2br!2b@?
      router#

  21. Using Password Encryption • Using Service Password Encryption
      router(config)#service password-encryption
      line con 0
       password 7 094F471A1A0A
      line vty 0 4
       password 7 05080F1C2243
      • Type 7 encoding only hides passwords from casual viewing of the configuration; it is reversible, so the privileged password should be set with enable secret

  22. Fine-Tuning Line Parameters • Unattended Timeout (minutes seconds)
      router(config)#line console 0
      router(config-line)#exec-timeout 2 30

  23. Setting Multiple Privilege Levels

  24. Setting Multiple Privilege Levels • Setting Privilege Levels for Commands
      router(config)#privilege exec level 2 show startup-config
      router(config)#privilege exec level 2 debug ip rip
      router(config)#privilege exec level 2 ping
      router(config)#enable secret level 2 2kdo40d
      • Logging into Privilege Level
      router> enable 2

  25. Setting Device Banner Messages • Banner Messages • Do not use “Welcome” • Banner command
      router(config)#banner exec $ Session activated. Enter commands at the prompt $

  26. Controlling Telnet Access • Considerations • Telnet ports are called virtual terminal (vty) ports • Enable password must be configured to enter privileged mode via Telnet • Restrict Telnet access by using an ACL • Configure all vty ports (as many as 15) • Limit, block, or disable aux ports with “no exec”

  27. Telnet Examples • VTY Configuration
      router(config)#line vty 0 4
      router(config-line)#login
      router(config-line)#password shakespeare
      • Restricting Access
      router(config)#access-list 21 permit 10.1.1.4
      router(config)#line vty 0 4
      router(config-line)#access-class 21 in

  28. Controlling SNMP Access • SNMP Overview • Configuring SNMP Agent • Controlling SNMP access with community strings • Configuring Traps and Informs

  29. SNMP System • Components • Managed device (router or switch) • SNMP agents and MIBs running on managed device • SNMP management application (CiscoWorks 2000)

  30. SNMP Agent Functions • MIB variable access • MIB variable setting • SNMP trap • SNMP community strings

  31. Controlling SNMP Access with Community Strings • Nonprivileged SNMP Access
      router(config)#snmp-server community secure ro
      • Privileged SNMP Access
      router(config)#snmp-server community semisecure rw
      • Access List SNMP Access
      router(config)#access-list 1 permit 10.1.1.4
      router(config)#access-list 1 permit 10.1.1.5
      router(config)#snmp-server community semisecure rw 1

  32. SNMP Traps and Informs • Trap
      router(config)#snmp-server host 10.1.1.4 trap
      • Inform
      router(config)#snmp-server host 10.1.1.4 inform
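The administrative-interface checks from slides 18 through 32 (console and vty login and password, service password-encryption, exec-timeout, vty access-class, SNMP community strings) collected into one configuration audit. This is an added example written for this page, not code from the presentation or from Cisco; both configuration texts are constructed, and the enable-secret hash is a placeholder.

```python
"""Audit a Cisco IOS configuration excerpt for the administrative-interface
hardening points on the slides. Added example; both configs are constructed
and the enable-secret hash is a placeholder, not a real hash."""
import re

# Constructed config that misses most of the slides' recommendations.
WEAK_CONFIG = """\
hostname router
enable password changeme
!
snmp-server community public ro
snmp-server community semisecure rw 1
!
line con 0
 login
 password ruHamlet
line vty 0 4
 login
 password shakespeare
 exec-timeout 2 30
"""

# The same device with every recommendation applied.
HARDENED_CONFIG = """\
hostname router
service password-encryption
enable secret 5 PLACEHOLDER-HASH
access-list 21 permit 10.1.1.4
snmp-server community semisecure rw 1
!
line con 0
 login
 password 7 094F471A1A0A
 exec-timeout 2 30
line vty 0 4
 login
 password 7 05080F1C2243
 exec-timeout 2 30
 access-class 21 in
"""


def parse_config(text):
    """Split an IOS config into global commands and per-'line' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # sub-command of a line section
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_config(text):
    """Return (severity, finding) tuples; an empty list means all checks passed."""
    findings = []
    global_cmds, sections = parse_config(text)

    # Privileged password: 'enable secret' is hashed, 'enable password' is
    # cleartext or reversible type 7.
    if any(c.startswith("enable password") for c in global_cmds):
        findings.append(("high", "enable password used instead of enable secret"))
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append(("high", "no enable secret configured"))
    if "service password-encryption" not in global_cmds:
        findings.append(("medium", "service password-encryption not enabled"))

    # SNMP: well-known community names, and rw communities with no access list.
    for c in global_cmds:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\d+))?$", c)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in ("public", "private"):
            findings.append(("high", f"well-known SNMP community string '{name}'"))
        if mode == "rw" and acl is None:
            findings.append(("high", f"rw community '{name}' not restricted by an access list"))

    # Per-line checks: login + password, idle timeout, vty source restriction.
    for header, cmds in sections.items():
        has_login = any(c.startswith("login") for c in cmds)
        has_password = any(c.startswith("password") for c in cmds)
        if not (has_login and has_password):
            findings.append(("high", f"{header}: login and password not both configured"))
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(("medium", f"{header}: no exec-timeout for unattended sessions"))
        if header.startswith("line vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append(("medium", f"{header}: no access-class restricting telnet sources"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"--- {label}: {len(result)} finding(s)")
        for severity, msg in result:
            print(f"[{severity}] {msg}")
```

Running it prints six findings for the weak configuration and none for the hardened one; the parser is deliberately minimal (one level of indentation, `line` sections only), which is enough for the commands the slides cover.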

  33. Controlling router-router Communications • Routing Protocol Authentication • Secure router Configuration Files • Controlling Traffic Using Filters

  34. Routing Protocol Authentication • Plaintext • Neighbors must share authentication key • Key sent in plaintext • Message Digest Algorithm 5 (MD5) • Hash of key • Key not actually sent over wire • Prevents eavesdropping

  35. Securing Configuration Files • TFTP • Not a secure protocol, no password required • Anyone with access to the TFTP server can modify the configuration file • TFTP server can be detected with port scans • Recommendations • Manually enable/disable TFTP software only when needed

  36. Controlling Traffic Using Filters • Access Lists • Filtering Routing Updates • Incoming Network Filters

  37. Access List Tips • Use ACLs to control whether traffic is forwarded or blocked at the router interface • ACLs do not authenticate individual users; they filter based on information in the packets

  38. Filtering Networks in Routing Updates • Helps secure networks • Increases security • Increases stability • Configuration
      router(config)#access-list 45 deny 10.1.2.0 0.0.0.255
      router(config)#access-list 45 permit any
      router(config)#router eigrp 200
      router(config-router)#distribute-list 45 out serial0

  39. Suppressing Updates from Being Processed • Suppress Updates from Being Processed
      router(config)#access-list 46 permit 10.2.0.0 0.0.255.255
      router(config)#router eigrp 200
      router(config-router)#distribute-list 46 in serial0
      • Suppress Updates through Interface
      router(config)#router eigrp 200
      router(config-router)#passive-interface ethernet0

  40. Incoming Network Filters • Deny Spoofed Packets from Internal Network
      router(config)#access-list 102 deny ip 10.1.2.0 0.0.0.255 any log
      router(config)#interface serial0
      router(config-if)#ip access-group 102 in
      • Every access list ends with an implicit deny, so a permit entry for legitimate inbound traffic must follow the deny line shown
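How the access lists on slides 38 and 40 are evaluated: Cisco wildcard-mask matching with first-match and implicit-deny semantics. This is an added example, not code from the presentation; it goes beyond the slides by running one evaluator over both standard and extended entries and by showing what the implicit deny does when the ACL 102 deny line stands alone. The ACL entries are the slides' own (standard ACL 45 takes only a source, so its catch-all entry is `permit any`); the source addresses tested are constructed.

```python
"""Evaluate Cisco-style access-list entries with wildcard masks: first match
wins, and an address matching no entry hits the implicit deny.
Added example; ACL entries from the slides, test addresses constructed."""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (n & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny [ip] <src> [<wildcard>] [any] [log]'.

    Only the source is evaluated; for an extended entry the destination
    and the 'log' keyword are accepted but ignored.
    """
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line!r}")
        action, tok = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        if tok[0] == "ip":                      # extended ACL protocol keyword
            tok = tok[1:]
        if tok[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif tok[0] == "host":
            network, wildcard = tok[1], "0.0.0.0"
        else:                                   # '<addr> [<wildcard>]'
            network = tok[0]
            wildcard = tok[1] if len(tok) > 1 and tok[1][0].isdigit() else "0.0.0.0"
        entries.append((action, network, wildcard))
    return entries


def evaluate(entries, src_addr):
    """Return 'permit' or 'deny' for a packet or route with this source."""
    for action, network, wildcard in entries:
        if wildcard_match(src_addr, network, wildcard):
            return action
    return "deny"                               # implicit deny closes every ACL


# Entries as written on the slides.
ACL_45 = parse_acl(["access-list 45 deny 10.1.2.0 0.0.0.255",
                    "access-list 45 permit any"])
ACL_102_AS_SHOWN = parse_acl(["access-list 102 deny ip 10.1.2.0 0.0.0.255 any log"])
# The inbound filter with the permit entry a working configuration needs.
ACL_102_COMPLETE = parse_acl(["access-list 102 deny ip 10.1.2.0 0.0.0.255 any log",
                              "access-list 102 permit ip any any"])


def spoof_filter_results(entries, sources):
    """Map each source address to the ACL's decision."""
    return {src: evaluate(entries, src) for src in sources}


if __name__ == "__main__":
    sample = ["10.1.2.7", "192.0.2.10"]        # constructed: internal-looking vs. external
    print("ACL 45 route filter:", spoof_filter_results(ACL_45, ["10.1.2.200", "10.1.3.1"]))
    print("ACL 102 as shown:   ", spoof_filter_results(ACL_102_AS_SHOWN, sample))
    print("ACL 102 complete:   ", spoof_filter_results(ACL_102_COMPLETE, sample))
```

With only the deny line, ACL 102 rejects the external address as well as the spoofed one, which is the implicit deny at work; adding `permit ip any any` after it gives the intended behaviour of dropping only packets that claim an internal source on the outside interface.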

  41. Cisco AAA Security Technology Module 3

  42. AAA Security Architecture • Authentication • Requires users to prove that they really are who they say they are • Authorization • Decide which resources the user is allowed to access and which operations the user is allowed to perform • Accounting • Records what the user actually did, what was accessed, and how long it was accessed • Counteracts repudiation

  43. Authentication Methods • Username and Password Authentication • S/Key Authentication • Token Cards and Servers • PAP and CHAP Authentication

  44. Usernames and Passwords • No username/password • Username/password – static • Username/password – aging • S/Key one-time passwords • One-time passwords • Token cards/soft tokens

  45. PAP & CHAP Authentication • Important component of dialup access • Authentication accomplished by PAP or CHAP • PPP: standard encapsulation protocol for transport of different Layer 3 protocols across serial or point-to-point links (PSTN, ISDN)

  46. PAP Authentication over PPP • Two-way handshake only after initial PPP link establishment • Client sends username and password • NAS accepts or rejects • Not a strong authentication method • Username and password sent in cleartext • No protection against playback or repeated trial-and-error attacks

  47. PAP Authentication over PPP

  48. CHAP Authentication over PPP • Stronger than PAP • Password never crosses the network • 3-way handshake • NAS sends a challenge message to the client • Client replies with a one-way hash value • NAS compares the received hash to its own calculation

  49. CHAP Cont’d • Protection against playback • Constantly changing challenge string prevents eavesdropping and replaying • Problem: not supported in NT (NT uses MS-CHAP)

  50. CHAP Authentication over PPP
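The PAP and CHAP exchanges from slides 46 through 49, simulated end to end so the two properties the slides claim (the secret never crosses the link; a captured response cannot be replayed) can be checked. This is an added example, not code from the presentation; the CHAP response is MD5 over identifier, secret and challenge as RFC 1994 specifies, and the user name, shared secret and the dictionaries standing in for PPP frames are constructed.

```python
"""Simulate PAP and CHAP over a PPP link. Added example; the NAS user store,
the secret and the message dictionaries standing in for frames are constructed."""
import hashlib
import hmac
import os

# Constructed credential store on the NAS (network access server).
NAS_USERS = {"alice": b"correct-horse"}


def secret_on_wire(message, secret):
    """True if the secret itself appears in any field of a captured message."""
    return any(v == secret or (isinstance(v, bytes) and secret in v)
               for v in message.values())


# ---- PAP: two-way handshake, credentials sent in cleartext ---------------
def pap_request(username, password):
    """Client -> NAS: Authenticate-Request carrying the password verbatim."""
    return {"type": "PAP-Request", "name": username, "password": password}


def pap_verify(request):
    """NAS: accept or reject by direct comparison; nothing stops a replay."""
    expected = NAS_USERS.get(request["name"])
    return expected is not None and hmac.compare_digest(expected, request["password"])


# ---- CHAP: three-way handshake, only a one-way hash crosses the link -----
def chap_digest(identifier, secret, value):
    """RFC 1994: MD5 over the identifier octet, the secret and the challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + value).digest()


def chap_challenge(identifier):
    """NAS -> client: Challenge with a fresh random value for this session."""
    return {"type": "CHAP-Challenge", "id": identifier, "value": os.urandom(16)}


def chap_response(challenge, username, secret):
    """Client -> NAS: Response carrying the hash; the secret stays on the client."""
    return {"type": "CHAP-Response", "id": challenge["id"],
            "value": chap_digest(challenge["id"], secret, challenge["value"]),
            "name": username}


def chap_verify(challenge, response):
    """NAS: recompute from its own copy of the secret, compare in constant time."""
    secret = NAS_USERS.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def replay_succeeds(captured_response):
    """An eavesdropper replays a captured Response in a later session that
    reuses the same identifier; the NAS's new random challenge value makes
    the old hash fail, so this returns False."""
    later_challenge = chap_challenge(captured_response["id"])
    return chap_verify(later_challenge, captured_response)


if __name__ == "__main__":
    secret = NAS_USERS["alice"]
    req = pap_request("alice", secret)
    print("PAP accepted:", pap_verify(req), "| secret on wire:", secret_on_wire(req, secret))
    ch = chap_challenge(1)
    resp = chap_response(ch, "alice", secret)
    print("CHAP accepted:", chap_verify(ch, resp), "| secret on wire:", secret_on_wire(resp, secret))
    print("replayed CHAP response accepted:", replay_succeeds(resp))
```

The PAP request carries the password field verbatim, so anything that can read the link can read the credential; the CHAP response carries only the digest, and because each session gets a new random challenge value a recorded response is rejected later even when the identifier happens to repeat.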
