
Chap 4 – Network Security Learning Objectives


  1. Chap 4 – Network Security Learning Objectives • Describe the general methods used to mitigate security threats to Enterprise networks • Configure Basic Router Security • Explain how to disable unused Cisco router network services and interfaces • Explain how to use Cisco SDM • Manage Cisco IOS devices

  2. Network Security Threats • White hat - A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them. • Hacker - A general term that has historically been used to describe a computer programming expert. • Black hat - Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. • Cracker - Someone who tries to gain unauthorized access to network resources with malicious intent. • Phreaker - Someone who manipulates the phone network to cause it to perform a function that is not allowed. • Spammer - An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages. • Phisher - Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords.

  3. Network Attack Goals The attacker's goal is to compromise a network target or an application running within a network. Many attackers use this seven-step process to gather information and stage an attack: • Step 1. Perform footprint analysis (reconnaissance). • Step 2. Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark. • Step 3. Manipulate users to gain access. Sometimes employees choose passwords that are easily cracked. • Step 4. Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges. • Step 5. Gather additional passwords and secrets. • Step 6. Install backdoors. Backdoors provide the attacker with a way to re-enter the system without being detected. • Step 7. Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.

  4. Open vs Closed Networks • Open – permit everything that is not explicitly denied: • Easy to configure and administer • Easy for end users to access network resources • Security costs: least expensive • Restrictive – combination of specific permissions and specific restrictions: • More difficult to configure and administer • More difficult for end users to access resources • Security cost: more expensive • Closed – deny everything not explicitly permitted: • Most difficult to configure and administer • Most difficult for end users to access resources • Security cost: most expensive

  5. Security Policy A security policy meets these goals: • Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets. • Specifies the mechanisms through which these requirements can be met. • Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy.

  6. Common Security Threats There are three primary vulnerabilities or weaknesses: • Technological weaknesses • Configuration weaknesses • Security policy weaknesses

  7. Technology Weaknesses

  8. Configuration Weaknesses

  9. Policy Weaknesses

  10. Physical Threats • Hardware threats-Physical damage to servers, routers, switches, cabling plant, and workstations. • Environmental threats-Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry). • Electrical threats-Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss. • Maintenance threats-Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling.

  11. Threats to Networks

  12. Social Engineering • The easiest hack involves no computer skill at all. If an intruder can trick a member of an organisation into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier.

  13. Reconnaissance Attacks • Internet information queries – such as nslookup and whois. • Ping sweeps - ping the publicly available IP addresses to identify the addresses that are active. • Port scans - determine which network services or ports are active on the live IP addresses. • Packet sniffers - Network snooping and packet sniffing are common terms for eavesdropping. The information gathered by eavesdropping (addresses, protocols, clear-text credentials) is used to mount further attacks against the network.

  14. Access Attacks • Password attacks – often implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text. • Trust exploitation attack - compromises a trusted host, using it to stage attacks on other hosts in a network. • Port redirection attack - an exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked. • Man-in-the-middle (MITM) attack - carried out by attackers that manage to position themselves between two legitimate hosts.

  15. Denial of Service Attacks • Ping of death – a fragmented ICMP echo request that reassembles to more than 65,535 bytes could crash unpatched systems of the era, Windows NT 4 among them. • SYN flood – the attacker opens many TCP connections but never completes the three-way handshake, filling the server's half-open connection table so that legitimate clients are refused. (Teardrop is a different attack: overlapping IP fragments that crash a vulnerable reassembly routine.) • Smurf attack – ICMP echo requests with a spoofed source address (the victim's) are sent to a network's directed-broadcast address, so every host on that network replies to the victim at once; the amplifying network is why no ip directed-broadcast appears in the router hardening list. A distributed DoS (DDoS) attack instead uses many compromised 'zombie' hosts to flood the target simultaneously.

  16. Malicious Code • A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts. • A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation. • A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.

  17. Host & Server Security Measures • Default usernames and passwords should be changed immediately. • Access to system resources should be restricted to only the individuals that are authorised to use those resources. • Any unnecessary services and applications should be turned off and uninstalled, when possible. • Employ firewalls to block access to network ports that are not needed. • Install host antivirus software to protect against known viruses. Antivirus software can detect most known viruses and many Trojan horse applications, and prevent them from spreading in the network. • The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems.

  18. Intrusion Detection & Prevention Systems • Intrusion detection systems (IDS) work on a copy of the traffic (for example from a SPAN port), detect attacks against a network and send alerts and logs to a management console; they cannot stop the packet that raised the alert. • Intrusion prevention systems (IPS) sit inline in the traffic path, so they can drop or reset malicious traffic and prevent the attack before it reaches the target; the cost is an inline device whose false positives block legitimate traffic.

  19. Network Security Wheel • To assist with the compliance of a security policy, the Security Wheel, a continuous process, has proven to be an effective approach. The Security Wheel promotes retesting and reapplying updated security measures on a continuous basis.

  20. Security Policy • A security policy is a set of guidelines established to safeguard the network from attacks, both from inside and outside a company, and should address the following: • Statement of authority and scope - Defines who in the organization sponsors the security policy, who is responsible for implementing it, and what areas are covered by the policy. • Acceptable use policy (AUP) - Defines the acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information. • Identification and authentication policy - Defines which technologies the company uses to ensure that only authorised personnel have access to its data. • Internet access policy - Defines what the company will and will not tolerate with respect to the use of its Internet connectivity by employees and guests. • Campus access policy - Defines acceptable use of campus technology resources by employees and guests. • Remote access policy - Defines how remote users can use the remote access infrastructure of the company. • Incident handling procedure - Specifies who will respond to security incidents, and how they are to be handled.

  21. Router Security Issues Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks. Here are some examples of various security problems: • Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components. • Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data. • Mis-configuring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

  22. Configure Basic Router Security Steps to Safeguard a Router: • Manage router security • Secure remote administrative access to routers • Log router activity • Secure vulnerable router services and interfaces • Secure routing protocols • Control and filter network traffic

  23. 1. Manage Router Security Good password practices include the following: • Do not write passwords down and leave them in obvious places such as your desk or on your monitor. • Avoid dictionary words, names, phone numbers, and dates. Dictionary words make the password vulnerable to dictionary attacks. • Combine letters, numbers, and symbols. Include at least one lowercase letter, uppercase letter, digit, and special character. • Make passwords lengthy. The curriculum's minimum is eight characters; treat that as a floor, not a target. Enforce the minimum length in Cisco IOS with security passwords min-length. • Change passwords at the interval stated in the security policy, and immediately whenever one may have been exposed.

  24. 1. Manage Router Security
R1(config)# service password-encryption
R1(config)# no enable password
R1(config)# enable secret Tnotbi666
R1(config)# security passwords min-length 8
• service password-encryption stores line and username passwords as Type 7, a fixed, reversible XOR obfuscation that only hides the password from a casual glance over your shoulder; anyone who obtains the configuration can recover the plaintext in seconds. • enable secret stores a Type 5 value: a salted MD5 hash, which cannot be reversed, only guessed. Cisco recommends Type 5 over Type 7 wherever a command offers it; it is configured by replacing the keyword password with secret. If both enable password and enable secret are set, the secret is the one used, so remove the enable password as shown. • Newer IOS releases also offer Type 8 (PBKDF2 with SHA-256) and Type 9 (scrypt) secrets, which resist offline guessing far better than MD5; prefer them where the platform supports them.

  25. 2. Secure Remote Access
R1(config)# line aux 0
R1(config-line)# no password
R1(config-line)# login
% Login disabled on line 65, until 'password' is set
R1(config-line)# exit
• Remote access not only applies to the VTY lines of the router, it also applies to the TTY lines and the auxiliary (AUX) port. AUX lines provide asynchronous access to a router through a modem – disable them on all routers. Configuring login on a line that has no password makes IOS refuse every login on that line, as the warning shows; no exec on the line states the same intent explicitly.

  26. 2. Secure Remote Access
R1(config)# line vty 0 4
R1(config-line)# no transport input
R1(config-line)# transport input telnet ssh
R1(config-line)# exec-timeout 5
R1(config-line)# exit
R1(config)# service tcp-keepalives-in
• By default, all VTY lines are configured to accept any type of remote connection. VTY lines should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. The example still allows Telnet, which sends the password in clear text; once SSH is working (slide 28), use transport input ssh alone. exec-timeout 5 closes an idle session after five minutes, and service tcp-keepalives-in lets the router detect and drop inbound sessions whose peer has silently gone away, so abandoned sessions can neither be hijacked nor tie up the five VTY lines.

  27. 2. Secure Remote Access • SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH listens on TCP port 22. • It provides functionality that is similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, SSH allows for secure communications over an insecure network. • Not all Cisco IOS images support SSH. Only cryptographic images can. Typically, these images have k8 or k9 in their image names.

  28. 2. Secure Remote Access Configure SSH security:
R1(config)# ip domain-name cisco.com
R1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
R1(config)# username student password cisco
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
R1(config)# ip ssh time-out 15
R1(config)# ip ssh authentication-retries 2
• The hostname and ip domain-name must be set before the RSA key pair is generated, because the key is named after the router's FQDN. • 1024 bits was the curriculum's recommended modulus; current practice is 2048 bits or more. • username student password cisco keeps the password as Type 7 (or clear text, if service password-encryption is off); use username student secret cisco instead so that only a hash is stored. • SSH version 1 has known protocol weaknesses; add ip ssh version 2 so the router accepts only SSHv2 (which requires a modulus of at least 768 bits). • ip ssh time-out 15 limits the SSH negotiation phase to 15 seconds; it is not the idle timeout, which is exec-timeout on the line. ip ssh authentication-retries 2 disconnects the client after two failed attempts.

  29. 3. Logging Router Activity • Logs allow verification that a router is working properly, or a determination of whether the router has been compromised. In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network. • Routers support different levels of logging. The eight levels range from 0, emergencies indicating that the system is unusable, to 7 for debugging messages that include all router information; logging trap selects the highest level forwarded to the syslog server. • Logs can be forwarded to a variety of locations, including router memory or a dedicated syslog server. A syslog server provides a better solution because all network devices can forward their logs to one central station where an administrator can review them, and an attacker who compromises the router cannot erase the copies already sent. Synchronise router clocks with NTP and enable service timestamps log datetime msec so that events from different devices can be correlated.
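What the central syslog station actually does with those messages is the point of collecting them. The Python below is an added example, not Cisco's code and not part of the original slides: it parses the IOS message format (%FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by the syslog PRI, a sequence number and a timestamp), maps the severity digit onto the 0-7 scale above, and runs a simple brute-force detector over failed logins per source address. The log lines are constructed for the example in the shape IOS produces; the three-failure threshold is an arbitrary choice.

```python
import re
from collections import Counter

# IOS severity names by level: the 0-7 scale of slide 29.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# <PRI> is present when a syslog server stored the line; then the optional IOS
# sequence number and timestamp; then %FACILITY-SEVERITY-MNEMONIC: text.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:\d+: )?"
    r"(?:\*?[A-Z][a-z]{2} +\d+ [\d:.]+(?: [A-Z]+)?: )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: ([\d.]+)\]")


def parse_ios_syslog(line):
    """Return a dict for an IOS message, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    event = {"facility": m["fac"], "severity": sev, "severity_name": SEVERITY[sev],
             "mnemonic": m["mnem"], "text": m["text"]}
    if m["pri"] is not None:   # RFC 3164: PRI = syslog_facility * 8 + severity
        event["syslog_facility"], event["pri_severity"] = divmod(int(m["pri"]), 8)
    return event


def severity_histogram(lines):
    """Messages per level: a quick check that logging trap is set as intended."""
    return Counter(ev["severity_name"] for ev in map(parse_ios_syslog, lines) if ev)


def failed_logins_by_source(lines):
    """Count SEC_LOGIN LOGIN_FAILED messages per source address."""
    counts = Counter()
    for ev in map(parse_ios_syslog, lines):
        if ev and ev["facility"] == "SEC_LOGIN" and ev["mnemonic"] == "LOGIN_FAILED":
            src = SOURCE_RE.search(ev["text"])
            if src:
                counts[src.group(1)] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Sources with at least `threshold` failed logins, sorted."""
    return sorted(s for s, n in failed_logins_by_source(lines).items() if n >= threshold)


# Constructed sample of what a syslog server would store from R1 (local7 = 23).
SAMPLE_LOG = """\
<188>42: *Mar  1 00:05:12.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
<188>43: *Mar  1 00:05:14.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
<188>44: *Mar  1 00:05:16.250: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
<188>45: *Mar  1 00:05:40.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: student] [Source: 192.168.10.10] [localport: 22] [Reason: Login Authentication Failed]
<189>46: *Mar  1 00:06:01.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: student] [Source: 192.168.10.10] [localport: 22]
<189>47: *Mar  1 00:06:30.000: %SYS-5-CONFIG_I: Configured from console by student on vty0 (192.168.10.10)
<189>48: *Mar  1 00:07:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1 console: not an IOS syslog message
"""
```

Against SAMPLE_LOG, brute_force_sources flags 10.0.0.5 (three failures) but not 192.168.10.10 (one failure followed by a success); the one-line SYS-5-CONFIG_I entry is the kind of event worth alerting on unconditionally, since it records a configuration change and who made it.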

  30. 4. Secure Router Services and Interfaces. Cisco routers support a large number of network services at layers 2, 3, 4, and 7. Some of these services can be restricted or disabled to improve security without degrading the operational use of the router: • Small services such as echo, discard, and chargen - Use the no service tcp-small-servers and no service udp-small-servers commands. • BOOTP - Use the no ip bootp server command. • Finger - Use the no service finger command. • HTTP - Use the no ip http server command (if a web management tool such as SDM is required, use ip http secure-server and restrict it to management addresses). • SNMP - Use the no snmp-server command, which removes all SNMP configuration; if SNMP is needed, use SNMPv3 with authentication and privacy rather than community strings. • CDP - Use the no cdp run command; CDP announces the platform, IOS version and addresses to anything on the link. • Source routing - Use the no ip source-route command, so that a sender cannot dictate a packet's path through the network and bypass filtering. • Unused interfaces - Use the shutdown command. • Directed broadcasts (the amplifier in a Smurf attack) - Use the no ip directed-broadcast command on each interface; it is the default in IOS 12.0 and later, but confirm it on older images.
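A checklist is only useful if it is checked. As an added example that is not part of the slides or of any Cisco tool, the following Python audits a saved IOS configuration against slides 24 to 30: password storage, the AUX and VTY line settings, the services to disable, and unused interfaces. It treats the text as the complete record of the router's intent (it does not know which services a given IOS release disables by default, so a missing "no ..." line is reported even where the default may already be off), and the two configurations it checks are constructed for the example; the hash values in the hardened one are placeholders, not real Type 5 hashes.

```python
import re

# Slide 30's services plus the password and SSH lines of slides 24-28.
REQUIRED_GLOBAL = [
    "service password-encryption", "ip ssh version 2", "no cdp run",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no service finger", "no ip bootp server", "no ip http server",
    "no ip source-route",
]
# Global commands that should not appear, with the reason.
FORBIDDEN_GLOBAL = [
    (re.compile(r"^enable password "), "reversible enable password; use enable secret"),
    (re.compile(r"^username \S+ password "), "reversible username password; use username ... secret"),
    (re.compile(r"^snmp-server community "), "SNMP community present; no snmp-server if unused"),
]


def split_sections(config):
    """Return (global_lines, {section_header: [sub-commands]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # sub-command of the open section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ", "router ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_section(header, body, findings):
    if header.startswith("interface ") and "shutdown" not in body \
            and not any(l.startswith("ip address ") for l in body):
        findings.append(f"{header}: no IP address and not shut down; unused?")
    elif header.startswith("line aux") and "no exec" not in body:
        findings.append(f"{header}: still accepts EXEC sessions; add no exec")
    elif header.startswith("line vty"):
        transport = [l for l in body if l.startswith("transport input")]
        if transport[-1:] != ["transport input ssh"]:
            findings.append(f"{header}: {transport[-1] if transport else 'no transport input'} (want transport input ssh)")
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if not any(l.startswith(("login local", "login authentication")) for l in body):
            findings.append(f"{header}: no login local (or AAA login); line password only")


def audit(config):
    """One finding per deviation from the checklist; [] means clean."""
    global_lines, sections = split_sections(config)
    present = set(global_lines)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in present]
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("missing: enable secret")
    for pattern, reason in FORBIDDEN_GLOBAL:
        findings += [f"{reason}: {l}" for l in global_lines if pattern.match(l)]
    for header, body in sections.items():
        audit_section(header, body, findings)
    return findings


# Constructed sample: a router left close to its defaults.
WEAK_CONFIG = """\
enable password Tnotbi666
username student password 0 cisco
snmp-server community public RO
interface FastEthernet0/1
 no ip address
line aux 0
 password cisco
line vty 0 4
 password cisco
 exec-timeout 0 0
 transport input telnet ssh
"""
# Constructed sample after slides 24-30 (hash values are placeholders).
HARDENED_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
no cdp run
no ip source-route
ip ssh version 2
enable secret 5 $1$salt$placeholderhash
username student secret 5 $1$salt$placeholderhash
interface FastEthernet0/1
 shutdown
line aux 0
 no exec
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""
```

audit(WEAK_CONFIG) returns a finding for every item on the slides; audit(HARDENED_CONFIG) returns an empty list. Running it over a show running-config capture taken after AutoSecure (slide 34) is a quick way to see which items that tool did and did not cover on a given image.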

  31. 5. Secure Routing Protocols. [Figure: R1, R2 and R3, with PC1 192.168.10.10/24 behind R1 and PC3 192.168.30.10/24 behind R3. An attacker sends R1 a forged update, "Tell R1 that 192.168.10.0/24 is reachable via R3"; R1 updates its routing table and forwards packets for 192.168.10.0/24 towards R3 instead of to the directly connected PC1.] The best way to protect routing information on the network is to authenticate routing protocol packets with a keyed message digest. Each router computes an MD5 digest over the update together with a shared secret key and sends the digest with the update; the receiver recomputes the digest with its own copy of the key and discards any update whose digest does not match, so an attacker who does not hold the key cannot inject or alter routes. MD5 is used here as an authentication tag, not as encryption: the routing updates themselves stay readable on the wire. Where the IOS release supports it, prefer the SHA-based variants (HMAC-SHA for OSPF per RFC 5709, HMAC-SHA-256 for EIGRP named mode), since MD5 is no longer considered a strong hash.

  32. 5. Secure Routing Protocols. Step 1 - Prevent RIP routing update propagation on interfaces with no neighbouring router (passive-interface). Step 2 - Prevent unauthorised reception of RIP updates by configuring MD5 authentication with a key chain on the remaining interfaces. Step 3 - Verify the operation of RIP routing using show ip route.

  33. 5. Secure Routing Protocols. EIGRP Authentication OSPF Authentication
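The following Python models the keyed-digest check that slides 31 to 33 configure, so that the attacker's injection from the figure can be watched failing. It is an added example, not Cisco's code and not a RIP or OSPF implementation: the update is a JSON blob rather than a real packet, and the digest construction (MD5 over the update followed by the 16-byte secret) is in the style of RIPv2 and OSPFv2 authentication but simplified, since the real protocols fix where key identifier, sequence number and digest sit in the packet. The shared key and the routes are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption for this example: the key-chain secret that R1 and R3 share.
SHARED_KEY = b"R1-R3-keychain-1"


def keyed_md5(payload: bytes, key: bytes) -> bytes:
    """Keyed digest in the style of RIPv2 (RFC 2082) and OSPFv2 (RFC 2328,
    Appendix D): MD5 over the update followed by the 16-byte secret.
    Simplified: the real protocols fix where key and digest sit in the packet."""
    return hashlib.md5(payload + key.ljust(16, b"\x00")[:16]).digest()


def encode_update(router: str, seq: int, routes: list) -> bytes:
    """Serialise deterministically so sender and receiver digest identical bytes."""
    return json.dumps({"router": router, "seq": seq, "routes": routes},
                      sort_keys=True).encode()


def sign_update(router: str, seq: int, routes: list, key: bytes = SHARED_KEY):
    payload = encode_update(router, seq, routes)
    return payload, keyed_md5(payload, key)


class RoutingTable:
    """R1's table: installs routes only from authenticated, fresh updates."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.routes = {}      # prefix -> next hop
        self.last_seq = {}    # router -> newest sequence number accepted
        self.rejected = []    # why each bad update was dropped

    def receive(self, payload: bytes, digest: bytes) -> bool:
        # Constant-time compare, so the check itself leaks nothing about the digest.
        if not hmac.compare_digest(keyed_md5(payload, self.key), digest):
            self.rejected.append("bad digest")
            return False
        update = json.loads(payload)
        # RFC 2082 also carries a sequence number, so a captured, valid
        # update cannot simply be replayed later.
        if update["seq"] <= self.last_seq.get(update["router"], -1):
            self.rejected.append(f"replayed seq {update['seq']} from {update['router']}")
            return False
        self.last_seq[update["router"]] = update["seq"]
        for prefix, next_hop in update["routes"]:
            self.routes[prefix] = next_hop
        return True


def demo() -> RoutingTable:
    """The figure's scenario: a genuine R3 update, the attacker's forgery, a replay."""
    r1 = RoutingTable()
    payload, digest = sign_update("R3", 1, [["192.168.30.0/24", "R3"]])
    r1.receive(payload, digest)                       # accepted: PC3's network via R3
    forged = encode_update("R3", 2, [["192.168.10.0/24", "R3"]])
    r1.receive(forged, keyed_md5(forged, b"guess"))   # attacker lacks the key: dropped
    r1.receive(payload, digest)                       # stale sequence number: dropped
    return r1
```

After demo(), R1's table holds only 192.168.30.0/24 via R3; the forged route for 192.168.10.0/24 and the replayed update are both recorded in rejected. The sequence check matters in practice: without it, authentication alone does not stop an attacker from re-sending an old but validly signed update after the topology has changed.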

  34. Auto Secure • Cisco AutoSecure (the auto secure command) walks through disabling non-essential system processes and services and tightening common settings in one session, which removes many of the default exposures listed on slide 30. It reduces, rather than eliminates, the router's attack surface, and the configuration it produces should still be reviewed.

  35. Security Device Manager (SDM) • The Cisco Router and Security Device Manager (SDM) is an easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.

  36. SDM Installation • Example configuration needed to install and run Cisco SDM on a production router without disrupting network traffic. SDM is reached through the router's web server, so a router that must run it needs ip http secure-server (prefer HTTPS to the plain ip http server that slide 30 disables) with access restricted to management addresses.

  37. Starting SDM

  38. IOS File System (IFS) • IFS provides a single naming convention for all router file locations and common operations. • File system device prefix:

  39. IOS File System (IFS) Legacy commands as used in the CCNA version-3 curriculum will be supported for a number of years.

  40. Managing IOS Images • The show file systems command lists all of the available file systems on a router and provides information about the amount of total and free memory, the type of each file system and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw).

  41. Managing IOS Images • The dir command lists the content of the current default file system (the default is flash). • There are several files located in flash, but of specific interest is the file name of the IOS image currently running in RAM.

  42. Managing IOS Images • To view the contents of NVRAM, change the current default file system using the cd nvram: change directory command. The pwd command displays present working directory (default). The dir command lists the contents of NVRAM.

  43. Cisco IOS File Naming Convention

  44. Managing IOS Images • Widely distributed routers need a source or backup location for Cisco IOS software images. Using a network TFTP server allows image and configuration uploads and downloads over the network. A TFTP server can be another router, a workstation, or a host system. • As any network grows, storage of Cisco IOS software images and configuration files on the central TFTP server enables control of the number and revision level of Cisco IOS images and configuration files that must be maintained. [Figure: R1, R2 and R3 with a TFTP server at 192.168.20.254/24.]

  45. Managing IOS Images Before changing a Cisco IOS image on the router, ensure the following: • Determine the memory required for the update and, if necessary, install additional memory. • Set up and test the file transfer capability between the administrator host and the router. • Schedule the required downtime, normally outside of business hours, for the router to perform the update.

  46. Managing IOS Images When ready to do the update, perform the following: • Shut down all interfaces on the router not needed to perform the update. • Back up the current operating system and the current configuration file to a TFTP server. • Load the update for either the operating system or the configuration file. • Test to confirm that the update works properly. If the tests are successful, re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again. TFTP has no authentication or encryption, so run these transfers over an isolated management network, and check the copied image against the MD5 value Cisco publishes for it with verify /md5 before booting from it.

  47. Backup IOS to a TFTP Server [Figure: administrator host and TFTP server 192.168.20.254/24, reached through R1, R2 and R3.]

  48. Upgrade IOS from a TFTP Server [Figure: administrator host and TFTP server 192.168.20.254/24, reached through R1, R2 and R3.]

  49. Restore IOS from a TFTP Server 1. Enter interface configuration: 2. Download image from TFTP server:

  50. Router modes • Cisco access-level routers (2600 series etc.) have three boot-time operating modes: • ROM monitor (ROMMON) – a minimal bootstrap with no routing, used for password recovery and for recovering an image with tftpdnld. • Boot ROM (the mini-IOS, also called RxBoot) – a cut-down IOS held in ROM with just enough networking to fetch a full image. • Cisco IOS – the full image loaded from flash, in which the USER EXEC and privileged EXEC command modes are available. • On router boot-up, the configuration register determines which mode the router boots to (0x2100 for ROMMON; 0x2101 for the boot ROM image, or the first image in flash on platforms without one) or whether the boot system commands held in NVRAM should be followed to load a valid IOS image (the normal value, 0x2102).
