7/30/2019 11 Security Basics
1/55
1999, Cisco Systems, Inc.www.cisco.com
Module 11: Security Basics
11-2 CSE: Networking Fundamentals, Security. 1999, Cisco Systems, Inc. www.cisco.com
Agenda
Why Security?
Security Technology
Identity
Integrity
Active Audit
All Networks Need Security
No matter the company size, security is important
Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
Even small company sites are cracked
Security Threats
Denial of Service (figure: a server's CPU overwhelmed)
Loss of Integrity (figure: a bank customer's "Deposit $1000" altered in transit to "Deposit $100")
Loss of Privacy (figure: a telnet login to company.org as user dan, with the password m-y-p-a-s-s-w-o-r-d read off the wire)
Impersonation (figure: "I'm Bob. Send me all corporate correspondence with Cisco.")
Security Objective: Balance Business Needs with Risks
Access Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity, Policy Management
Connectivity: Performance, Ease of Use, Manageability, Availability
Network Security Components: Physical Security Analogy
Doors, locks, and guards: firewalls and access controls
Keys and badges: authentication
Surveillance cameras and motion sensors: intrusion detection system
Complementary mechanisms that together provide in-depth defense
Security Technology
Elements of Security
Policy
Identity: accurately identify users; determine what users are allowed to do
Integrity: ensure network availability; provide perimeter security; ensure privacy
Active audit: recognize network weak spots; detect and react to intruders
Security Technology
Identity
Identity
Uniquely and accurately identify users, applications, services, and resources
Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
Username/Password
(figure: dial-in user, PPP with PAP across the public network, network access server (NAS) on the campus, AAA server; ID/password is forwarded at each hop)
User dials in with password to NAS
NAS sends ID/password to AAA server
AAA server authenticates user ID/password and tells NAS to accept (or reject)
NAS accepts (or rejects) call
PAP and CHAP Authentication
(figure: remote user, PPP with PAP or CHAP across the public network, network access server)
Password Authentication Protocol (PAP)
Authenticates caller only
Passes password in clear text
Challenge Handshake Authentication Protocol (CHAP)
Authenticates both sides
Password is encrypted
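The difference between the two protocols, as an added example that is not part of the slides: under PAP the password itself is the request, while under CHAP (RFC 1994 with MD5) only a random challenge and MD5(identifier || secret || challenge) cross the link, so a captured response is useless against the next challenge. The username and secret are constructed values.

```python
import hashlib
import os
from typing import Optional

# Constructed values for the demonstration; the secret is shared out of band between
# the peer and the network access server (NAS) and is never transmitted under CHAP.
USERNAME = "dan"
SECRET = b"mypassword"

def pap_request(username: str, password: bytes) -> dict:
    """PAP: the peer's Authenticate-Request carries the password itself, so anything
    that can read the link reads the password."""
    return {"peer_id": username, "password": password.decode()}

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def nas_challenge(challenge: Optional[bytes] = None) -> bytes:
    """NAS side: a fresh random challenge for every authentication attempt."""
    return challenge if challenge is not None else os.urandom(16)

def nas_verify(chap_id: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: recompute the expected response from its own copy of the secret."""
    return response == chap_response(chap_id, secret, challenge)

def chap_exchange(peer_secret: bytes, nas_secret: bytes, chap_id: int = 1) -> dict:
    """One CHAP round; returns what crossed the wire and whether the NAS accepted it."""
    challenge = nas_challenge()                                 # NAS -> peer
    response = chap_response(chap_id, peer_secret, challenge)   # peer -> NAS
    return {
        "on_the_wire": challenge + response,
        "accepted": nas_verify(chap_id, challenge, response, nas_secret),
    }
```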
Authentication, Authorization, and Accounting (AAA)
Tool for enforcing security policy
Authentication verifies identity: Who are you?
Authorization configures integrity: What are you permitted to do?
Accounting assists with audit: What did you do?
AAA Services
Centralized security database
High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
(figure: a TACACS+ or RADIUS AAA server serving both a network access server for dial-in users and a gateway router/firewall that intercepts Internet user connections; ID/user profile is exchanged at each point)
RADIUS
(figure: remote access user, access server, RADIUS server)
RADIUS is an industry standard: RFC 2138, RFC 2139
Cisco has full IETF RFC implementation
Cisco has implemented many nonstandard vendor proprietary attributes
Cisco hardware will work well with non-Cisco RADIUS AAA servers
Cisco is committed to providing the best RADIUS solution
TACACS+ Authentication
(figure: TACACS database holding username/password and additional information)
Local or centralized
Cisco continues to expand TACACS+ and add features in Cisco IOS 11.3
Cisco customers benefit from additional functionality with CiscoSecure server of both TACACS+ and RADIUS
Cisco enterprise customers continue to ask for TACACS+ features
Lock-and-Key Security
Dynamically assigns access control lists on a per-user basis
Allows a remote host to access a local host via the Internet
Allows local hosts to access a host on a remote network
(figure: an authorized user reaches the corporate site across the Internet; a non-authorized user is stopped)
Calling Line Identification
(figure: Station A, ISDN number 1234, places a call; the call setup message carries the local ISDN number; the router compares it with known numbers and accepts the call, optionally followed by PPP CHAP authentication)
How Public Key Works
(figure: two devices across a WAN, each holding a public key and a private key, derive a shared DES key)
By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them
Digital Signatures
(figure: Bob's document is hashed to a message hash, which is encrypted with Bob's private key to form the digital signature; the receiver hashes the received document, decrypts the signature with Bob's public key, and asks whether the two hashes are the same)
If verification is successful, document has not been altered
Certificate Authority
Certificate Authority (CA) verifies identity
CA signs digital certificate containing device's public key
Certificate equivalent to an ID card
Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
(figure: a bank and a client each obtain a certificate from a CA and then identify themselves across the Internet)
Network Address Translation
Provides dynamic or static translation of private addresses to registered IP addresses
Eliminates readdressing overhead: large admin. cost benefit
Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
Permits use of a single IP address range in multiple intranets
Hides internal addresses
Augmented by EasyIP DHCP host function
(figure: translation table of inside local IP addresses 10.0.0.1 and 10.0.0.2 to inside global IP addresses 171.69.58.80 and 171.69.58.81; a packet leaving host 10.0.0.1 toward the Internet has its source address rewritten to its inside global address)
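The translation table behind the figure, as an added example that is not from the slides: one registered address shared by many inside hosts through port-level multiplexing, plus a static one-to-one entry, using the slide's addresses (the outside host 198.51.100.7 is a constructed value). It also shows why internal addresses stay hidden: an inbound packet with no table entry is dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, TCP/UDP port)

@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint

class NatRouter:
    """Port-level multiplexing onto one inside global address, plus optional static
    one-to-one entries (inside local IP -> inside global IP)."""
    def __init__(self, inside_global_ip: str, static: Optional[Dict[str, str]] = None):
        self.global_ip = inside_global_ip
        self.static = static or {}
        self.next_port = 1024                       # constructed: first global port handed out
        self.out: Dict[Endpoint, Endpoint] = {}     # inside local -> inside global
        self.back: Dict[Endpoint, Endpoint] = {}    # inside global -> inside local

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving toward the Internet."""
        if pkt.src not in self.out:
            local_ip, port = pkt.src
            if local_ip in self.static:
                mapped = (self.static[local_ip], port)      # static NAT keeps the port
            else:
                mapped = (self.global_ip, self.next_port)   # dynamic PAT: new global port
                self.next_port += 1
            self.out[pkt.src] = mapped
            self.back[mapped] = pkt.src
        return Packet(self.out[pkt.src], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; drop anything that matches no table entry, so
        unsolicited packets never learn of or reach the private addresses."""
        local = self.back.get(pkt.dst)
        if local is None:
            for local_ip, global_ip in self.static.items():
                if global_ip == pkt.dst[0]:
                    local = (local_ip, pkt.dst[1])          # static entries accept inbound
        if local is None:
            return None
        return Packet(pkt.src, local)
```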
Security Technology
Integrity
Integrity: Network Availability
Ensure the network infrastructure remains available
TCP Intercept, route authentication
TCP Intercept
(figure: connection request intercepted by the router, connection established with the client, then transferred to the server)
Protects networks against denial of service attacks
TCP SYN flooding can overwhelm server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects network by intercepting TCP connection requests and replying on behalf of the destination
Can be configured to passively monitor TCP connection requests and respond if connection fails to be established in a configurable interval
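A router-side model of intercept mode, as an added example that is not Cisco's code: the router answers each SYN itself, keeps a half-open entry with a timestamp, hands only completed handshakes to the server, and reaps entries that never complete within the interval. The timeout, the spoofed addresses and the packet timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Flow = Tuple[str, int]   # (client IP, client port)

@dataclass
class TcpIntercept:
    """Intercept mode: the router completes the client side of the handshake on the
    server's behalf, so SYNs that never finish cost the server nothing."""
    timeout: float = 30.0     # constructed: seconds a half-open entry may wait for its ACK
    half_open: Dict[Flow, float] = field(default_factory=dict)
    transferred: List[Flow] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def on_syn(self, client: Flow, now: float) -> str:
        self.half_open[client] = now
        return "SYN-ACK sent by router on behalf of server"   # server not contacted yet

    def on_ack(self, client: Flow, now: float) -> str:
        started = self.half_open.pop(client, None)
        if started is None or now - started > self.timeout:
            return "ACK without a live half-open entry: dropped"
        self.transferred.append(client)   # router now opens the real connection to the server
        return "connection transferred to server"

    def expire(self, now: float) -> int:
        """Drop half-open entries older than the interval; returns how many were reaped."""
        stale = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in stale:
            del self.half_open[c]
            self.log.append(f"half-open from {c[0]}:{c[1]} timed out after {self.timeout:.0f}s")
        return len(stale)

def syn_flood_demo() -> dict:
    """Constructed scenario: 1000 spoofed SYNs that never complete, plus one real client."""
    r = TcpIntercept()
    for i in range(1000):
        r.on_syn((f"203.0.113.{i % 250}", 1024 + i), now=0.0)
    r.on_syn(("192.0.2.10", 50000), now=1.0)
    r.on_ack(("192.0.2.10", 50000), now=1.1)
    reaped = r.expire(now=60.0)
    return {"server_connections": len(r.transferred), "reaped": reaped, "pending": len(r.half_open)}
```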
Route Authentication
(figure: home gateway accepting route updates from a trusted source across the Internet)
Enables routers to identify one another and verify each other's legitimacy before accepting route updates
Ensures that routers receive legitimate update information from a trusted source
Integrity: Perimeter Security
Control access to critical network applications, data, and services
Access control lists, firewall technologies, content filtering, CBAC, authentication
Policy Enforcement Using Access Control Lists
(figure: inbound Telnet from the Internet stopped at the home gateway)
Ability to stop or reroute traffic based on packet characteristics
Access control on incoming or outgoing interfaces
Works together with NetFlow to provide high-speed enforcement on network access points
Violation logging provides useful information to network managers
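The figure's policy as an inbound ACL evaluated the way a router does it, as an added example that is not Cisco's code: first matching entry wins, an unmatched packet hits the implicit deny at the end, and denied packets produce a violation log line. The rule set, server addresses and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" for any protocol
    src: str                      # source prefix in CIDR form
    dst: str                      # destination prefix in CIDR form
    dport: Optional[int] = None   # None matches any destination port
    log: bool = False             # record a violation when this entry denies

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Constructed inbound ACL for the home gateway's Internet interface: stop Telnet from
# anywhere, let web and mail reach their public servers, and deny everything else.
INBOUND = [
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", dport=23, log=True),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.80/32", dport=80),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", dport=25),
]

def evaluate(acl: List[Rule], p: Packet, violations: List[str]) -> str:
    """First matching entry decides; an ACL ends with an implicit 'deny ip any any'."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            if rule.action == "deny" and rule.log:
                violations.append(f"denied {p.proto} {p.src} -> {p.dst}({p.dport}) by entry {i + 1}")
            return rule.action
    violations.append(f"denied {p.proto} {p.src} -> {p.dst}({p.dport}) by implicit deny")
    return "deny"
```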
Importance of Firewalls
Permit secure access to resources
Protect networks from:
Unauthorized intrusion from both external and internal sources
Denial of service (DoS) attacks
What Is a Firewall?
All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration
Packet-Filtering Routers
(figure: a router with ACLs sits between the ISP/Internet and the protected network of users, an e-mail server, and a public-access web server)
Stateful Sessions
(figure: firewall between the Internet and the mail and WWW servers)
Highest performance security
Maintains complete session state
Connection oriented: tracks complete connection establishment and termination
Strong audit capability
Easy to add new applications
Performance Requirements
(figure: company network Internet link throughput, from 0.5 to 40 megabits per second, plotted against traffic types: private link, web commerce, audio, video)
Integrity: Privacy
Provide authenticated private communication on demand
VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Implemented transparently in network infrastructure
Includes routers, firewalls, PCs, and servers
Scales from small to very large networks
IPSec Everywhere!
Router to Router
Router to Firewall
PC to Router
PC to Server
PC to Firewall
IKE: Internet Key Exchange
Automatically negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec
(figure: IKE policy tunnel between two peers, each offering policy proposals such as 3DES, MD5, and RSA signatures; or IDEA, SHA, and DSS signatures; or Blowfish, SHA, and RSA encryption)
How IPSec Uses IKE
(figure: Alice behind router A, Bob behind router B, IKE tunnel between the two routers)
1. Outbound packet from Alice to Bob; no IPSec security association yet
2. Router A's IKE begins negotiation with router B's IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by IPSec SA
Encryption: DES and 3DES
Widely adopted standard
Encrypts plain text, which becomes ciphertext
DES performs 16 rounds
Triple DES (3DES)
The 56-bit DES algorithm runs three times
112-bit triple DES includes two keys
168-bit triple DES includes three keys
Accomplished on a VPN client, server, router, or firewall
Breaking DES Keys
Exhaustive search is the only way to break DES keys (so far)
Would take hundreds of years on fastest general purpose computers (56-bit DES)
Specialized computer would cost $1,000,000 but could crack keys in 35 minutes (Source: M.J. Wiener)
Internet enables multiple computers to work simultaneously
Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
Security Technology
Active Audit
Why Active Audit?
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems:
The hacker might be an employee or trusted partner: up to 80% of security breaches come from the inside (Source: FBI)
Your defense might be ineffective: one out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
Your employees might make mistakes: misconfigured firewalls, servers, etc.
Your network will grow and change: each change introduces new security risks
Why Active Audit?
Network security requires a layered defense: point security PLUS active systems to measure vulnerabilities and monitor for misuse, on the network perimeter and the intranet
Security is an ongoing, operational process: must be constantly measured, monitored, and improved
Active Audit: Network Vulnerability Assessment
Assess and report on the security status of network components
Scanning (active, passive), vulnerability database
Active Audit: Intrusion Detection System
Identify and react to known or suspected network intrusion or anomalies
Passive promiscuous monitoring
Database of threats or suspect behavior
Communication infrastructure or access control changes
IDS Attack Detection
Signatures are classified by where they are found (context: the header; content: the data) and by how many packets they span (atomic: a single packet; composite: multiple packets):
Context (header), atomic (single packet): Ping of Death, Land Attack
Context (header), composite (multiple packets): Port Sweep, SYN Attack, TCP Hijacking
Content (data), atomic (single packet): MS IE Attack, DNS Attacks
Content (data), composite (multiple packets): Telnet Attacks, Character Mode Attacks
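One context (header-based) detector of each kind from the matrix, as an added example that is not from the slides or from any Cisco product: the Land Attack signature is atomic (one packet whose source and destination address and port are identical), while the Port Sweep signature is composite (state kept across packets from one source). The thresholds, window and sample headers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Header:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class ContextIds:
    """Header-based detection. An atomic signature needs one packet; a composite
    signature keeps state across packets from the same source."""
    def __init__(self, sweep_ports: int = 10, window: float = 5.0):
        self.sweep_ports = sweep_ports   # constructed threshold: distinct ports from one source
        self.window = window             # constructed window in seconds
        self.seen: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.alerted: Set[str] = set()

    def inspect(self, h: Header) -> List[str]:
        alerts = []
        # Atomic: a SYN whose source and destination are the same host and port.
        if "S" in h.flags and h.src == h.dst and h.sport == h.dport:
            alerts.append(f"Land Attack: {h.src}:{h.sport} -> self")
        # Composite: many distinct destination ports from one source inside the window.
        hist = self.seen[h.src]
        hist.append((h.ts, h.dport))
        hist[:] = [(t, p) for t, p in hist if h.ts - t <= self.window]
        if len({p for _, p in hist}) >= self.sweep_ports and h.src not in self.alerted:
            self.alerted.add(h.src)
            alerts.append(f"Port Sweep: {h.src} probed {self.sweep_ports}+ ports on {h.dst}")
        return alerts

def run(headers: List[Header]) -> List[str]:
    ids = ContextIds()
    out: List[str] = []
    for h in headers:
        out.extend(ids.inspect(h))
    return out

def sample_traffic() -> List[Header]:
    """Constructed headers: a normal web hit, one Land packet, then a 12-port sweep."""
    t = [Header(0.0, "198.51.100.9", 40000, "192.0.2.80", 80, "S"),
         Header(0.5, "192.0.2.80", 139, "192.0.2.80", 139, "S")]
    t += [Header(1.0 + i * 0.1, "203.0.113.7", 50000 + i, "192.0.2.80", 20 + i, "S")
          for i in range(12)]
    return t
```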
Active Audit
Actively audit and verify policy
Detect intrusion and anomalies
Report
(figure: a "universal passport" document)
Summary
Security is a mission-critical business requirement for all networks
Security requires a global, corporate-wide policy
Security requires a multilayered implementation