
IOS Router Security Features and examples






Presentation Transcript


    1. IOS Router Security Features (and examples!)

    2. Agenda
       - Cisco Integrated Services Routers
       - Cisco Security Device Manager (SDM)
       - Zone-Based Policy Firewall
       - VPN: New Site-to-Site and Client Remote Access Technologies
       - IOS Based Intrusion Prevention

    3. Cisco Integrated Services Router (ISR) Platforms and Features

    4. Cisco Integrated Services Routers

    5. Cisco Integrated Services Router Features
       - Integrated security: 3DES and AES hardware-based encryption; NAC
       - Unified network services: PVDM modules; media authentication and encryption with SRST
       - Mobility: 3G wireless WAN; wireless LAN services

    6. Cisco Integrated Services Router Features (Continued)
       - Application intelligence: Performance Routing; Cisco WAAS; USB port

    7. 12.4(T) Advanced Security Feature Set
       Cisco VPN:
       - Group Encrypted Transport (GET) VPN
       - Dynamic Multipoint VPN (DMVPN)
       - Easy VPN
       - Multiprotocol Label Switching (MPLS) VPN
       - Virtual Tunnel Interface (VTI)
       - SSL VPN

    8. 12.4(T) Advanced Security Feature Set (Continued)
       Cisco IOS Firewall:
       - IPv6 support and zone-based policy mapping
       - Advanced application inspection and control
       - Transparent firewall (Layer 2)
       - VRF-Aware Firewall
       Cisco IOS Intrusion Prevention (IPS):
       - Inline IPS
       - Transparent IPS
       - Flexible Packet Matching (FPM)

    9. 12.4(T) Advanced Security Feature Set (Continued)
       Cisco Network Foundation Protection (NFP):
       - AutoSecure
       - Control Plane Policing
       - CPU and memory thresholding
       - Network-Based Application Recognition (NBAR)
       - NetFlow
       - Role-based CLI
       - SSHv2
       - SNMPv3

    10. 12.4(T) Advanced Security Feature Set (Continued)
       - Cisco Network Admission Control (NAC)
       - Authentication, Authorization and Accounting (AAA) support
       - IOS-based Certificate Server and Client
       - 802.1X support with integrated switch ports
       - IOS Content Filtering

    11. Cisco Security Device Manager (SDM)

    12. Cisco SDM Overview
       Cisco SDM is a web-based device management tool for Cisco IOS Software-based routers. Cisco SDM offers these benefits:
       - Ease of use
       - Smart wizards
       - Built-in tutorials
       - Knowledge base of Cisco IOS configurations
       - Integrated management of services: routing, switching, security, wireless, QoS

    13. Starting Cisco SDM and Cisco SDM Express
       Before installing Cisco SDM, connect your PC to the router and disable your web browser pop-up blockers. For a new router setup:
       - If you have the Cisco SDM CD-ROM, place the CD-ROM in your CD drive and click Install Cisco SDM when the autorun screen appears.
       - If you do not have the Cisco SDM CD-ROM: download the latest Cisco SDM image from the Cisco IOS Software center, unzip the image to a local directory on your PC, and run setup.exe.
       Cisco SDM is factory installed in some router models.

    14. Files Required to Run Cisco SDM from a Router
        router#show flash
        -#- --length-- -----date/time------ path
        1     19312988 Dec 13 2005 01:23:50 +00:00 c2800nm-advsecurityk9-mz.124-5.bin
        2         3317 Feb 8 2006 00:00:30 +00:00 startup.config
        3         1646 Feb 8 2006 18:31:50 +00:00 sdmconfig-2811.cfg
        4      4049920 Feb 8 2006 18:32:32 +00:00 sdm.tar
        5       812544 Feb 8 2006 18:32:56 +00:00 es.tar
        6      1007616 Feb 8 2006 18:33:14 +00:00 common.tar
        7         1038 Feb 8 2006 18:33:24 +00:00 home.shtml
        8       113152 Feb 8 2006 18:33:42 +00:00 home.tar

    15. Launching Cisco SDM Express
       To launch Cisco SDM Express:
       - For a new router, go to https://10.10.10.1
       - For existing routers, go to https://<router_IP_address>
       The first time that you access the router by web browser, the Cisco SDM Express wizard launches.

    16. Launching Cisco SDM

    17. Navigating the Cisco SDM Interface

    18. Navigating the Cisco SDM Interface (Cont.)
       - Configure mode: provides wizards for the novice
       - Monitor mode: allows you to view the current status of the router
       - Refresh: resynchronizes the running configuration with Cisco SDM
       - Save: saves the running configuration to the startup configuration on the router

    19. Cisco SDM Wizards in Configure Mode
       You can carry out these tasks with smart wizards in Configure mode:
       - Configure LAN and serial interfaces with the Interfaces and Connections wizards
       - Configure basic or advanced firewalls with the Firewall and ACL wizards
       - Configure different types of VPNs with the VPN wizards
       - Perform a router security audit with the Security Audit wizards
       - Configure both basic and advanced NAT with the NAT wizards
       - Create, edit, and disable signatures with the Intrusion Prevention wizards
       - Use the Quality of Service wizard to prioritize real-time and business-critical application traffic
       - Configure network access control policies with the NAC wizards

    20. Configure Mode—Advanced Configuration
       The Additional Tasks option includes these advanced configurations:
       - Router properties including name, domain, password, date, and time
       - Router access including role-based user access, management, and SSH
       - DHCP
       - DNS and DDNS
       - ACLs
       - AAA including local and server-based authentication and authorization
       - Router provisioning
       - 802.1X

    21. Monitor Mode

    22. Security Audit Home Page

    23. Performing a Security Audit

    24. Performing a Security Audit (cont.)

    25. Performing a Security Audit (cont.)

    26. Performing a One-Step Lockdown

    27. Zone-Based Policy Firewall

    28. Cisco IOS Firewall Features
       - Zone-based policy framework
       - Application inspection for web and e-mail traffic
       - Instant messenger and peer-to-peer application filtering
       - VoIP support
       - VRF support
       - Wireless integration
       - Stateful failover
       - Local URL whitelist and blacklist support

    29. Cisco IOS Zone-Based Policy Firewall
       - Allows grouping of physical and virtual interfaces into zones
       - Applies firewall policies to traffic traversing zones
       - Makes it simple to add or remove interfaces and integrate them into the firewall policy

    30. In the Beginning Early firewalls were ACLs configured on router interfaces to block traffic to provide initial access policy. The next generation of firewalls, such as Cisco IOS Software Stateful Inspection (formerly CBAC), offered interface-based firewall services. Traffic entering or leaving an interface is inspected for service conformance; if traffic matches the requirements, the return traffic is allowed back through the firewall. The inspection policy and the ACL policy are combined to define the firewall policy.

    31. Legacy Cisco IOS Stateful Inspection Multiple inspection policies and ACLs on several interfaces in a router make it difficult to correlate the policies that will be applied to traffic between multiple interfaces. Policies could not be tied to a host group or subnet with an ACL. All traffic through a given interface was subject to the same inspection. Classic stateful inspection relies too heavily on ACLs.

    32. The New Era—Cisco IOS Zone-Based Policy Firewall

    33. Benefits of Zone-Based Policy Firewall
       - A zone-based policy firewall is not dependent on ACLs.
       - The router security posture is now "block unless explicitly allowed".
       - Common Classification Policy Language (C3PL) makes policies easy to read and troubleshoot.
       - One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

    34. Zone-Based Policy Firewall Actions
       - Inspect: monitors outbound traffic according to the permit/deny policy and anticipates return traffic according to session table entries
       - Drop: analogous to deny
       - Pass: no stateful capability; analogous to permit

    35. Zone-Based Policy Firewall Rules for Application Traffic The source policy application and default policy for traffic is applied according to these rules:

    36. Zone-Based Policy Firewall Rules for Router Traffic

    37. Basic Firewall Wizard

    38. Interface Configuration

    39. Application Security Policy

    40. Finishing the Wizard

    41. Manually Configuring Cisco IOS Zone-Based Policy Firewalls
       1) Define zones.
       2) Define class maps to describe traffic between zones.
       3) Define policy maps to apply actions to the traffic of the class maps.
       4) Define zone pairs and assign policy maps to the zone pairs.

    42. Define Zones

    43. Define Class Maps

    44. Define Policy Maps

    45. Assign Policy Maps to Zone Pairs
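    The four manual steps from slide 41, together with the inspect, pass and drop actions from slide 34, worked through as an added Cisco IOS configuration example. This is not configuration taken from the slides; the interface names, zone names, the 10.1.1.0/24 inside network, the 203.0.113.0/24 WAN addressing, the NTP server address and the set of inspected protocols are all assumptions. IOS accepts comments only on their own lines beginning with "!".

    ```cisco
    ! Step 1: define the zones. An interface that belongs to no zone cannot
    ! exchange traffic with an interface that does.
    zone security INSIDE
    zone security OUTSIDE
    !
    ! Assign interfaces to zones (assumed interface names and addresses)
    interface FastEthernet0/0
     description LAN, assumed 10.1.1.0/24
     ip address 10.1.1.1 255.255.255.0
     zone-member security INSIDE
    !
    interface FastEthernet0/1
     description WAN uplink (assumed addressing)
     ip address 203.0.113.2 255.255.255.0
     zone-member security OUTSIDE
    !
    ! Step 2: class maps describe the traffic that crosses a zone pair.
    ! This class is stateful-inspected: return traffic is matched against
    ! the session table rather than needing its own rule.
    class-map type inspect match-any INSIDE-TO-OUTSIDE-INSPECT
     match protocol http
     match protocol https
     match protocol dns
     match protocol icmp
    !
    ! A "pass" class to show the stateless action. Because pass creates no
    ! session, the reply direction must be passed explicitly on the reverse
    ! zone pair below. (Assumed NTP server 203.0.113.100.)
    ip access-list extended NTP-OUT
     permit udp 10.1.1.0 0.0.0.255 host 203.0.113.100 eq 123
    ip access-list extended NTP-IN
     permit udp host 203.0.113.100 eq 123 10.1.1.0 0.0.0.255
    class-map type inspect match-all NTP-PASS-OUT
     match access-group name NTP-OUT
    class-map type inspect match-all NTP-PASS-IN
     match access-group name NTP-IN
    !
    ! Step 3: policy maps attach an action to each class.
    policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
     class type inspect INSIDE-TO-OUTSIDE-INSPECT
      inspect
     class type inspect NTP-PASS-OUT
      pass
     class class-default
      drop log
    !
    ! Reverse direction: only the stateless NTP replies are allowed in;
    ! everything else from OUTSIDE is dropped and logged, which is the
    ! "block unless explicitly allowed" posture from slide 33.
    policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
     class type inspect NTP-PASS-IN
      pass
     class class-default
      drop log
    !
    ! Step 4: zone pairs bind a policy to a direction of traffic.
    zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
     service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
    zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
     service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
    ```

    After applying this, "show zone-pair security" confirms which policy is bound to each direction, and "show policy-map type inspect zone-pair sessions" lists the sessions that the inspect action has created; NTP traffic never appears there because pass keeps no state. Traffic to the router itself is governed by the separate "self" zone and is not covered by these two zone pairs.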

    46. Reviewing the Cisco IOS Zone-Based Firewall Policy

    47. Cisco IOS Zone-Based Firewall Policy Configuration

    48. Viewing Firewall Log

    49. Monitoring the Cisco IOS Zone-Based Policy Firewall

    50. 12.4(T) IOS Site-to-Site VPN Technologies

    51. Cisco Easy VPN Components
       Cisco Easy VPN is made up of two components:
       - Cisco Easy VPN Server: enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
       - Cisco Easy VPN Remote: enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN clients.

    52. Remote Access Using Cisco Easy VPN

    53. Cisco Easy VPN Remote Modes of Operation
       Client mode:
       - Specifies that NAT or PAT be used
       - The client automatically configures the NAT or PAT translation and the ACLs needed to implement the VPN tunnel
       - The ip nat inside command is applied to all inside interfaces
       - The ip nat outside command is applied to the interface configured for Cisco Easy VPN Remote
       Network extension mode:
       - Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses
       - PAT is not used
       Network extension plus mode:
       - Additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface
       - IPsec SAs for this IP address are automatically created by Cisco Easy VPN Remote
       - The IP address is typically used for troubleshooting (using ping, Telnet, and SSH)

    54. Cisco Easy VPN Remote Client Mode

    55. Cisco Easy VPN Remote Network Extension Mode
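    An added Cisco IOS configuration example for the Easy VPN Remote side described on slide 53; it is not configuration from the slides. The server address 203.0.113.1, the group name REMOTE-SITES, the interface names, the 192.168.10.0/24 LAN and the placeholder credentials are assumptions. The mode keyword is what selects between the three modes of operation.

    ```cisco
    ! Easy VPN Remote profile. The group name and key must match a group
    ! defined on the Easy VPN Server (assumed values and placeholders).
    crypto ipsec client ezvpn EZVPN-REMOTE
     connect auto
     group REMOTE-SITES key REPLACE-WITH-GROUP-KEY
     peer 203.0.113.1
     username remote-site password REPLACE-WITH-XAUTH-PASSWORD
     mode network-extension
    !
    ! Choice of mode (slide 53):
    !   mode client             router PATs inside hosts; ip nat inside/outside
    !                           are added automatically
    !   mode network-extension  inside hosts keep routable addresses, no PAT
    !   mode network-plus       as network-extension, plus a mode-config address
    !                           bound to a loopback for ping/Telnet/SSH
    !
    ! Outside interface: the tunnel is built from here. A dynamically
    ! assigned address is fine, because the router initiates the tunnel.
    interface FastEthernet0/0
     description WAN uplink (assumed)
     ip address dhcp
     crypto ipsec client ezvpn EZVPN-REMOTE outside
    !
    ! Inside interface: hosts behind it are carried by the tunnel. In
    ! network-extension mode 192.168.10.0/24 is reachable from the hub
    ! side with its real addresses.
    interface FastEthernet0/1
     description LAN, assumed 192.168.10.0/24
     ip address 192.168.10.1 255.255.255.0
     crypto ipsec client ezvpn EZVPN-REMOTE inside
    ```

    "show crypto ipsec client ezvpn" reports the current state of the profile, the mode in use and, in network extension plus mode, the address received through mode configuration. Switching to "mode client" would make the router appear as a single PAT address to the headend, which is the difference the two following slides illustrate.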

    56. Cisco Easy VPN Remote Web-Based Activation

    57. Web-Based Activation

    58. Authentication Bypass

    59. User Authentication

    60. Successful Authentication

    61. Deactivation

    62. Generic Routing Encapsulation
       - RFCs 1701, 1702, 2784
       - Uses IP protocol 47 when encapsulated within IP
       - Allows passing of routing information between connected networks

    63. Default GRE Characteristics
       - Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
       - Stateless (no flow control mechanisms)
       - No security (no confidentiality, data authentication, or integrity assurance)
       - 24-B overhead by default (20-B IP header and 4-B GRE header)

    64. Configure a GRE Tunnel

    65. GRE/IPsec
       - GRE encapsulates an arbitrary payload.
       - IPsec encapsulates the resulting unicast IP packet (the GRE packet).
       - Tunnel mode (default): IPsec creates a new outer IP header for the tunnel packet.
       - Transport mode: IPsec reuses the IP header of the GRE packet (20 B less overhead).

    66. GRE with Encryption Example
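    An added Cisco IOS example of one side of a point-to-point GRE tunnel protected by IPsec in transport mode, the combination slides 62 to 65 describe; it is not the slides' own example. The peer addresses 198.51.100.1/2, the tunnel addressing 10.0.0.0/30, the EIGRP process and the pre-shared key placeholder are assumptions, and the far end needs the mirror-image configuration.

    ```cisco
    ! IKE phase 1 policy (assumed parameters)
    crypto isakmp policy 10
     encryption aes 256
     hash sha
     authentication pre-share
     group 14
    crypto isakmp key REPLACE-WITH-PSK address 198.51.100.2
    !
    ! Transport mode: the GRE packet's own IP header is kept as the outer
    ! header, which is the 20-byte saving over tunnel mode noted on slide 65.
    crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile GRE-IPSEC
     set transform-set GRE-TS
    !
    ! Point-to-point GRE tunnel (IP protocol 47). "tunnel protection"
    ! encrypts every packet leaving the tunnel interface, so no crypto map
    ! or crypto ACL is needed.
    interface Tunnel0
     ip address 10.0.0.1 255.255.255.252
     tunnel source FastEthernet0/0
     tunnel destination 198.51.100.2
     tunnel protection ipsec profile GRE-IPSEC
    !
    ! Physical WAN interface that carries the encrypted GRE traffic
    interface FastEthernet0/0
     description WAN (assumed addressing)
     ip address 198.51.100.1 255.255.255.252
    !
    ! A routing protocol can run across the tunnel because GRE carries the
    ! multicast hellos that plain IPsec cannot (assumed EIGRP AS and LAN).
    router eigrp 100
     network 10.0.0.0 0.0.0.3
     network 192.168.1.0 0.0.0.255
    ```

    "show crypto ipsec sa" on the tunnel shows the ESP security association between 198.51.100.1 and 198.51.100.2 with the transport-mode flag, and "show ip eigrp neighbors" confirms that the routing adjacency formed across the tunnel once the SA is up.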

    67. DMVPN
       Relies on:
       - IPsec profiles
       - NHRP
       - mGRE
       Benefits:
       - Hub router configuration reduction
       - Automatic IPsec encryption initiation
       - Support for dynamically addressed spoke routers
       - Dynamic tunnel creation for spoke-to-spoke tunnels

    68. Single DMVPN Topology

    69. Dual DMVPN Topology

    70. DMVPN Deployment Models

    71. DMVPN Example

    72. DMVPN Example (Cont.) Spoke A will use its public address as the IPsec peer because its tunnel interface has the config line "tunnel source ethernet0". This resolves to the public address even if that address is dynamically assigned (e.g. via DHCP).

    73. DMVPN Example (Cont.)

    74. DMVPN Example (Cont.)

    75. DMVPN Example (Cont.) Default NHRP "holdtime" is 120 minutes. For NHRP configuration information see: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfipadr.htm#xtocid36

    76. DMVPN Routing Tables

    77. DMVPN NHRP Mapping Tables
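    An added Cisco IOS example of a DMVPN hub and one dynamically addressed spoke, illustrating the mGRE, NHRP and IPsec-profile pieces from slide 67 and the "tunnel source ethernet0" and holdtime points from slides 72 and 75. It is not the slides' example configuration. The hub public address 203.0.113.1, the 10.0.0.0/24 tunnel subnet, the NHRP authentication string, the EIGRP process and the key placeholder are assumptions; a crypto isakmp policy is assumed to be configured on both routers as on any IPsec peer and is omitted here.

    ```cisco
    ! ===== Hub (assumed public address 203.0.113.1 on Ethernet0) =====
    ! Wildcard pre-shared key so spokes with DHCP-assigned addresses can
    ! authenticate (slide 67: support for dynamically addressed spokes)
    crypto isakmp key REPLACE-WITH-PSK address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
     mode transport
    crypto ipsec profile DMVPN-PROF
     set transform-set DMVPN-TS
    !
    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     ip nhrp authentication dmvpnkey
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ! default holdtime is 7200 s (the 120 minutes on slide 75); shortened
     ! here so stale spoke registrations age out sooner (assumed value)
     ip nhrp holdtime 600
     ! let the hub re-advertise spoke routes to other spokes (assumed EIGRP)
     no ip split-horizon eigrp 100
     tunnel source Ethernet0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN-PROF
    !
    ! ===== Spoke A (public address learned via DHCP on Ethernet0) =====
    ! Same transform set and profile names as the hub (assumed)
    crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
    crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
     mode transport
    crypto ipsec profile DMVPN-PROF
     set transform-set DMVPN-TS
    !
    interface Ethernet0
     ip address dhcp
    !
    interface Tunnel0
     ip address 10.0.0.2 255.255.255.0
     ip nhrp authentication dmvpnkey
     ! static mapping of the hub's tunnel address to its public address
     ip nhrp map 10.0.0.1 203.0.113.1
     ip nhrp map multicast 203.0.113.1
     ip nhrp network-id 1
     ip nhrp nhs 10.0.0.1
     ip nhrp holdtime 600
     ! slide 72: the current Ethernet0 address, DHCP or not, becomes the
     ! IPsec peer address because it is the tunnel source
     tunnel source Ethernet0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN-PROF
    ```

    Once the spoke registers, "show ip nhrp" on the hub lists the dynamic mapping from 10.0.0.2 to whatever address Spoke A obtained, with the configured holdtime counting down; a second spoke configured the same way can then resolve 10.0.0.2 through the hub and build a direct spoke-to-spoke tunnel without any additional hub configuration.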

    86. Key Server Configuration

    87. Group Member Configuration

    88. Fully-Meshed VPNs

    89. Hub-and-Spoke VPNs

    90. IPSec Virtual Tunnel Interface (VTI)

    91. 12.4(T) IOS Remote Access VPN Technologies

    92. Cisco Easy VPN for Remote Access

    93. Access Mode Summary

    94. SSL VPN Login Page

    95. SSL VPN Overview
       - Provides secure remote access to corporate network resources from a web browser
       - Users are not required to use any particular workstation
       - No need to install or configure software on remote PCs
       - Clientless SSL VPN: no VPN client software needed
       - Client-based SSL VPN: VPN software dynamically pushed from the security appliance

    96. SSL VPN Access Methods

    97. Cisco Secure Desktop Highlight that we stop both keystroke loggers natively within CSD and malware using hooks to the Microsoft software. Bring home the point that we also erase downloaded files, like if a user downloads a payroll spreadsheet from e-mail.

    98. Cisco Secure Desktop How it Works

    99. Cisco Secure Desktop Malware Detection

    100. Cisco Secure Desktop Easy-to-Use and Manage Session Protection
       - Transparent to the end user with automatic session creation
       - Works with desktop guest permissions
       - Small download size (less than 500 KB) for fast session initiation
       - Delivered via ActiveX, Java or .exe to ensure operation in diverse environments
       - Customizable interface and templates
       - User still has access to all of the PC's hardware and software resources
       - All applications and processes running in the Secure Desktop are controlled
       - Creates a cryptographic file system on the fly; nothing is ever written in the clear on the disk, so the user cannot unintentionally save data outside the partition

    101. Cisco Secure Desktop Technical Details

    103. Cisco AnyConnect VPN Client (Cont.)

    104. 12.4(T) IOS Intrusion Prevention

    105. Cisco IOS Intrusion Prevention System

    106. Features
       - Uses the underlying routing infrastructure
       - Ubiquitous protection of network assets
       - Inline deep packet inspection
       - Software-based inline intrusion prevention sensor
       - IPS signature support
       - Signature-based packet scanning, using the same set of signatures as the IDS Sensor platform
       - Dynamic signature update (no need to update the IOS image)
       - Customized signature support
       - Variety of event actions configurable on a per-signature basis
       - Parallel signature scanning
       - Named and numbered extended ACL support

    107. Cisco IOS IPS Intrusion Prevention Technology
       Cisco IOS IPS uses a blend of features from Cisco IDS and IPS products:
       - Cisco IPS 4200 Series Sensors
       - Cisco Catalyst 6500 Series IDSM
       Cisco IOS IPS uses a blend of detection technologies:
       - Profile-based
       - Signature-based
       - Protocol analysis-based

    108. Primary Benefits of the Cisco IOS IPS Solution
       Cisco IOS IPS:
       - Uses the underlying routing infrastructure to provide an additional layer of security
       - Denies malicious traffic from both the inside and outside network
       - Works with Cisco IPS, Cisco IOS Firewall, Cisco VPN, and Cisco NAC solutions
       - Is supported by Cisco SDM, Cisco Security MARS, and Cisco Security Manager
       - Integrates smoothly into existing network infrastructure
       - Supports about 2000 attack signatures from the same signature database available for Cisco IPS appliances

    109. Cisco IOS IPS Signature Features

    110. Using Cisco SDM to Configure IPS

    111. IPS Policies Wizard

    112. IPS Config Location and Category

    113. IPS Policy Summary

    114. Cisco IOS IPS CLI Configuration
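    An added Cisco IOS CLI example that configures the IOS IPS features listed on slide 106 (named rule, retired and unretired signature categories, dynamic signature loading) together with the SDEE and syslog alarm delivery from slide 118; it is not the slides' configuration. The flash path, the IPS rule name, the interface, the syslog server address and the signature-package file name are assumptions, and the Cisco signature-signing public key (entered with "crypto key pubkey-chain rsa") is assumed to have been installed beforehand from Cisco's published key material.

    ```cisco
    ! Where compiled signatures and per-signature edits are stored
    ! (assumed directory; create it first with "mkdir flash:ips")
    ip ips config location flash:ips/ retries 1
    !
    ! Named IPS rule; applied to interfaces at the end
    ip ips name IOSIPS
    !
    ! Retire everything, then unretire only the basic IOS category.
    ! Retired signatures are not compiled, which keeps router memory
    ! and CPU use bounded; enable more categories only as capacity allows.
    ip ips signature-category
     category all
      retired true
     category ios_ips basic
      retired false
    !
    ! Alarm delivery (slide 118): SDEE is pulled over HTTP by SDM or
    ! Security MARS, syslog is pushed to a collector (assumed address)
    ip ips notify sdee
    ip ips notify log
    ip sdee events 500
    ip http server
    logging host 10.1.1.50
    !
    ! Apply the rule inbound on the WAN interface (assumed)
    interface FastEthernet0/1
     description WAN (assumed)
     ip ips IOSIPS in
    !
    ! The signature package itself is loaded from exec mode, not from the
    ! configuration, and its file name is a placeholder here:
    !   copy flash:IOS-Sxxx-CLI.pkg idconf
    ! Loading a newer package later updates signatures without changing
    ! the IOS image (slide 106).
    ```

    "show ip ips signatures count" reports how many signatures compiled versus how many were retired, "show ip ips interfaces" confirms the rule binding, and "show ip sdee alerts" displays the alarms buffered for SDEE clients; the same events also reach the syslog collector, which is what slides 119 and 120 display.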

    115. Setting Signature Severity

    116. Configuring Signature Actions

    117. Editing Signatures Using Cisco SDM

    118. Support for SDEE and Syslog

    119. Viewing SDEE Alarm Messages

    120. Viewing Syslog IPS Alarms

    121. Verifying IPS Policies

    122. Verify IPS Operation

    123. Verify IPS Operation (cont.)

    124. Verify IPS Operation (cont.)

    125. Thank You Russell Hughes rhughes@sunsetlearning.com http://www.sunsetlearning.com 1.800.569.1894
