1 / 16

Chapter 10 Security

Chapter 10 Security. A typical secured network. Recognizing Security Threats. 1- Application-layer attacks Ex: http://www. companyname.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c: 2- Autorooters 3- Backdoors

bayle
Download Presentation

Chapter 10 Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 10Security

  2. A typical secured network

  3. Recognizing Security Threats • 1- Application-layer attacks • Ex: • http://www. companyname.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\ • 2- Autorooters • 3- Backdoors • 4- Denial of service (DoS) and distributed denial of service (DDoS) attacks • TCP SYN flood (SYN,SYN-ACK, & ACK) • Ping of death • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K) • Stacheldraht • 5- IP spoofing • 6- Man-in-the-middle attacks (Using Sniffer) • 7- Network reconnaissance (port scans, DNS queries, • and ping sweeps) • 8- Packet sniffers • 9- Password attacks (IP spoofing, packet sniffing, & Trojan horses) • 10- Brute force attack • 11- Port redirection attacks • 12- Trojan horse attacks and viruses • 13- Trust exploitation attacks

  4. Mitigating Security Threats • 1- Cisco’s IOS Firewall • Stateful IOS Firewall inspection engine using Context-Based Access Control (CBAC) • Intrusion detection • Firewall voice traversal • ICMP inspection • Authentication proxy (RADIUS or TACACS+) • Router(config)#enable use-tacacs • Router(config)#tacacs-server ? • host Specify a TACACS server • key Set TACACS+ encryption key • timeout Time to wait for a TACACS server to reply • Router(config)#enable last-resort • Destination URL policy management • Per-user firewalls • Cisco IOS router and firewall provisioning • Denial of service (DoS) detection and prevention • Dynamic port mapping • Java applet blocking • 2- Basic and Advanced Traffic Filtering • Policy-based, multi-interface support • Network Address Translation (NAT) • Time-based access lists • Peer router authentication (RIPv2, EIGRP, or OSPF)

  5. Access Lists • 1- Standard access lists • 2- Extended access lists • 3- Advanced access lists • a- Inbound access lists • b- Outbound access lists • Uses of Access lists • Traffic filtration • Telnet filtration • General Tips • Deny any addresses from your internal networks. • Deny any local host addresses (127.0.0.0/8). • Deny any reserved private addresses. • Deny any addresses in the IP multicast address range (224.0.0.0/4).

  6. Standard Access Lists Router(config)#access-list NO. Action Source Router(config)#access-list ? <1-99> IP standard access list <100-199> IP extended access list <1100-1199> Extended 48-bit MAC address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> IP extended access list (expanded range) <700-799> 48-bit MAC address access list compiled Enable IP access-list compilation dynamic-extended Extend the dynamic ACL absolute timer rate-limit Simple rate-limit specific access list Router(config)#access-list 10 ? deny Specify packets to reject permit Specify packets to forward remark Access list entry comment Router(config)#access-list 10 deny ? Hostname or A.B.C.D Address to match any Any source host host A single host address Router(config-if)#ip access-group 10 out (or in)

  7. Wildcard Masking Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255 Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255 Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255 Controlling VTY (Telnet) Access Router(config)#access-list 50 permit 172.16.10.3 Router(config)#line vty 0 4 Router(config-line)#access-class 50 in

  8. Extended Access Lists Router(config)#access-list NO. Action Protocol Source Destination Condition Port no. Ex: Router(config)#access-list 110 permit tcp any host 172.16.30.2 eq 80 Router(config)#access-list 110 deny tcp any host 172.16.30.2 gt 1023 Router(config)#int s0 Router(config-if)#ip access-group 110 out

  9. Access Lists Example

  10. Advanced Access Lists 1- Named ACLs 2- Switch Port ACLs 3- Time based ACLs 1- Named ACLs Router(config)#ip access-list ? extended Extended Acc logging Control access list logging standard Standard Access List Router(config)#ip access-list standard BlockSales Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255 Router(config-std-nacl)#permit any Router(config-std-nacl)#exit

  11. 2- Switch Port ACLs Conditions 1- Inbound only. 2- Named only. Switch(config)#mac access-list extended Name of list Switch(config-ext-macl)#Action Source Destination Ex: Switch(config)#mac access-list extended Block_MAC_Sales Switch(config-extended-macl)#deny any host 000d.29bd.4b85 Switch(config-extended-macl)#permit any any Switch(config-ext-macl)#int f0/6 Switch(config-if)#mac access-group Block_MAC_Sales in

  12. 3- Time-Based ACLs Router(config)#time-range no-http Router(config-time-range)#periodic we? Wednesday weekdays weekend Router(config-time-range)#periodic weekend ? hh:mm Starting time Router(config-time-range)#periodic weekend 06:00 to 12:00 Router(config-time-range)#exit Router(config)#time-range tcp-yes Router(config-time-range)#periodic weekend 06:00 to 12:00 Router(config-time-range)#exit Router(config)#ip access-list extended Time Router(config-ext-nacl)#deny tcp any any eq www time-range no-http Router(config-ext-nacl)#permit tcp any any time-range tcp-yes Router(config-ext-nacl)#interface f0/0 Router(config-if)#ip access-group Time in

  13. Remarking Access Lists Router#config t Router(config)#access-list 110 remark Permit Bob from Sales Only To Finance Router(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255 Router(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255

  14. Using SSH instead of Telnet 1- Enable the HTTP/HTTPS server Router(config)#ip http server Router(config)#ip http secure-server % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] Router(config)#ip http authentication local 2- Create a user account using privilege level 15 (the highest level) Router(config)#username cisco privilege ? <0-15> User privilege level Router(config)#username cisco privilege 15 password ? 0 Specifies an UNENCRYPTED password will follow 7 Specifies a HIDDEN password will follow LINE The UNENCRYPTED (cleartext) user password Router(config)#username cisco privilege 15 password 0 cisco

  15. 3- Configure the console, SSH, and Telnet to provide local login authentication at privilege level access Router(config)#line console 0 Router(config-line)#login local Router(config-line)#exit Router(config)#line vty 0 ? <1-1180> Last Line number <cr> Router(config)#line vty 0 1180 Router(config-line)#privilege level 15 Router(config-line)#login local Router(config-line)#transport input telnet Router(config-line)#transport input telnet ssh Router(config-line)#^Z Router#clock set 00:00:00 21 mar 2009

  16. Viewing Access Lists Router#show access-list Router#show access-list 110 Router#show ip access-list Router#show ip interface Router#show running-config Switch#Show mac access-group

More Related