Network Security 1 - Kapsi Internet-käyttäjät

Network Security 1, Module 2 – Security Planning and Policy

Posted 04-Jul-2020

TRANSCRIPT

Page 1: Network Security 1 - Kapsi Internet-käyttäjät ryaskoik.kapsi.fi/koulu/NetSec1/Luentokalvot/NS1_v20_Module02-new.… · 2.1 Discussing Network Security and Cisco 2.2 Endpoint Protection

1

Network Security 1

Module 2 – Security Planning and Policy

Page 2

Learning Objectives

2.1 Discussing Network Security and Cisco

2.2 Endpoint Protection and Management

2.3 Network Protection and Management

2.4 Security Architecture

2.5 Basic Router Security

Page 3

Module 2 – Security Planning and Policy

2.1 Discussing Network Security and Cisco

Page 4

Network Security as a Continuous Process

• Network security is a continuous process built around a security policy.

Step 1: Secure

Step 2: Monitor

Step 3: Test

Step 4: Improve

(Figure: the security wheel, with Secure, Monitor, Test and Improve arranged in a cycle around the Security Policy)

Page 5

Secure the Network

• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:

Authentication

Encryption

Firewalls

Vulnerability patching


Page 6

Monitor Security

• Detects violations of the security policy

• Involves system auditing and real-time intrusion detection

• Validates the security implementation in Step 1

Page 7

Test Security

• Validates effectiveness of the security policy through system auditing and vulnerability scanning


Page 8

Improve Security

• Use information from the monitor and test phases to make improvements to the security implementation.

• Adjust the security policy as security vulnerabilities and risks are identified.

Page 9

What Is a Security Policy?

• “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” (RFC 2196, Site Security Handbook)

Page 10

Why Create a Security Policy?

To create a baseline of your current security posture

To set the framework for security implementation

To define allowed and not allowed behaviors

To help determine necessary tools and procedures

To communicate consensus and define roles

To define how to handle security incidents

Page 11

Security Policy Elements

• On the left are the network design factors on which the security policy is based; on the right are the basic Internet threat vectors that the security policy is written to mitigate.

Design factors (left):

Topology/Trust Model

Usage Guidelines

Application Definition

Host Addressing

Data Assessment

Threat vectors (right):

Vulnerabilities

Denial of Service

Reconnaissance

Misuse

(Figure: both columns feed into the POLICY in the centre)

Page 12

Module 2 – Security Planning and Policy

2.2 Endpoint Protection and Management

Page 13

Types of Firewalls

Server based: Microsoft ISA, CheckPoint, BorderManager

Appliance: PIX Security Appliance, Netscreen, SonicWall

Personal: Norton, McAfee, ZoneAlarm

Integrated: IOS Firewall, Switch Firewall

Page 14

Host-Based Intrusion Detection

Page 15

Module 2 – Security Planning and Policy

2.3 Network Protection and Management

Page 16

Sample Firewall Topology

Page 17

VPN Definition

Page 18

Remote Access VPNs

Page 19

Site-to-Site VPNs

Page 20

Adaptive Security Device Manager (ASDM)

Page 21

Security Device Manager (SDM)

Page 22

Module 2 – Security Planning and Policy

2.4 Security Architecture

Page 23

Secure Connectivity

Page 24

Cisco Threat Defense System

Page 25

Identity Based Networking Services (IBNS)

Page 26

Plan, Design, Implement, Operate, Optimize (PDIOO)

Page 27

Module 2 – Security Planning and Policy

2.5 Basic Router Security

Page 28

SSH

(Figure: an SSH client connecting to an SSH server over TCP port 22)

Page 29

SSH Server Configuration

Router(config)#hostname host-name

Router(config)#ip domain-name domain-name.com

Router(config)#username admin-name secret admin-secret

Router(config)#crypto key generate rsa modulus 2048

Router(config)#ip ssh version 2

Router(config)#line vty 0 4

Router(config-line)#login local

Router(config-line)#transport input ssh

• The host name and domain name must be set first, because they name the RSA key pair. SSH clients always send a user name, so the usual practice is a local user database with login local (or AAA) rather than a shared line password. Ask for a 2048-bit modulus and SSH version 2 explicitly; the default key size and protocol version on older IOS releases are weak.

Page 30

Controlling Access

• Console Port

• TTY

• VTY

• A console is a terminal connected to a router console port.

• The terminal can be a dumb terminal or a PC with terminal emulation software.

Page 31

Passwords

• Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:

• Type 7 uses the Cisco-defined algorithm. It is reversible obfuscation, not encryption: anyone who obtains the configuration file can recover the original password.

• Type 5 stores a salted MD5 hash, which is much stronger because the password cannot be read back from the configuration. It can still be brute-forced offline, so the password itself must be strong. Newer IOS releases also offer Type 8 (PBKDF2-SHA-256) and Type 9 (scrypt); the short-lived Type 4 should be avoided.

• Cisco recommends that Type 5 be used instead of Type 7 where possible. Type 7 is what the enable password, username password, and line password commands produce once service password-encryption is enabled; without it those passwords are stored in cleartext.

• Service password encryption should be used.

• Use good password practices when creating passwords.

• Configure both username and password combinations.

Page 32

Good Password Practices

• Avoid dictionary words, names, phone numbers, and dates.

• Include at least one lowercase letter, uppercase letter, digit, and special character.

• Make all passwords at least eight characters long.

• Avoid more than four digits or same-case letters in a row.

• Change passwords often.

Page 33

Initial Configuration Dialog

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no] y

Configuring global parameters:

Enter host name [Router]: Boston

The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
Enter enable secret: CantGessMe

The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
Enter enable password: WontGessMe

The virtual terminal password is used to protect access to the router over a network interface.
Enter virtual terminal password: CantGessMeVTY

.

.

Page 34

Configure the Enable Password Using enable secret

router(config)#enable secret password

• Stores the password in the router configuration file as a salted MD5 hash (Type 5) rather than as recoverable text; the hash can still be brute-forced offline, so the secret must be strong

Boston(config)# enable secret Curium96

Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!

Page 35

Configure the Console Port User-Level Password

router(config)#line console line-number
• Enters console line configuration mode

router(config-line)#login
• Enables password checking at login

router(config-line)#password password
• Sets the user-level password to password

Boston(config)# line console 0
Boston(config-line)# login
Boston(config-line)# password ConUser1

• Creates the user-level password ConUser1

• The password is unencrypted

Page 36

Configure a VTY User-Level Password

router(config)#line vty start-line-number end-line-number
• Enters VTY line configuration mode
• Specifies the range of VTY lines to configure

router(config-line)#login
• Enables password checking at login for VTY (Telnet) sessions

router(config-line)#password password
• Sets the user-level password to password

Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY

Page 37

Configure an Auxiliary User-Level Password

router(config)#line aux line-number
• Enters auxiliary line configuration mode

router(config-line)#login
• Enables password checking at login for Aux connections

router(config-line)#password password
• Sets the user-level password to password

Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux

Page 38

Encrypting Passwords Using service password-encryption

router(config)#service password-encryption
• Encrypts all passwords in the router configuration file

Boston(config)# service password-encryption

• Uses the weak, reversible Type 7 algorithm, which can be decoded instantly by anyone who can read the configuration; it only stops shoulder-surfing, so treat the configuration file itself as sensitive

Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A

Page 39

Setting Timeouts for Router Lines

router(config-line)#exec-timeout minutes [seconds]

• Default is 10 minutes

• Terminates an unattended console connection

• Provides an extra safety factor when an administrator walks away from an active console session

• exec-timeout 0 0 disables the timeout entirely and should not be used on production devices

Boston(config)# line console 0
Boston(config-line)#exec-timeout 3 30

Boston(config)# line aux 0
Boston(config-line)#exec-timeout 3 30

• Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds
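The next block is an added example and is not part of the course slides or of any Cisco tool. It implements the Type 7 decoding that makes the slides call that scheme weak, then walks a running-config looking for the settings that slides 31 and 34 through 39 warn about: an enable password instead of an enable secret, Type 7 or cleartext line passwords, Telnet left open on the VTY lines, and a missing or disabled exec-timeout. The Type 7 key is the publicly known Cisco constant; the sample configuration, its user names and its passwords are constructed for this example (the enable secret hash is the one shown on slide 34), and the function names are my own.

```python
"""Audit a Cisco IOS running-config for the weak settings discussed on the slides.

Added example, not part of the course material: the Type 7 key is public and the
sample config below is constructed for this example."""
import re

# Cisco "Type 7" is a fixed-key XOR stream, i.e. reversible obfuscation. The key
# has been public for decades; anyone holding the config can recover the password.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
PASSWORD_RE = re.compile(r"\bpassword(?: (\d))? (\S+)$")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind 'password 7 <encoded>'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)           # first two digits select the key offset
    body = bytes.fromhex(encoded[2:])     # each later byte is plaintext XOR key byte
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decode; used here only to build a realistic sample config."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting found in a running-config text."""
    lines = config.splitlines()
    findings: list[str] = []
    if "service password-encryption" not in lines:
        findings.append("global: service password-encryption is off; line passwords are stored in cleartext")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("global: no enable secret; privileged EXEC is not protected by a hash")
    section = "global"
    timeout_seen: dict[str, bool] = {}     # per line stanza: exec-timeout configured?
    vty_restricted: dict[str, bool] = {}   # per vty stanza: transport input set?
    for raw in lines:
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw.startswith(" "):        # unindented command: leave any line stanza
            section = cmd if cmd.startswith("line ") else "global"
            if section.startswith("line "):
                timeout_seen[section] = False
            if section.startswith("line vty"):
                vty_restricted[section] = False
        m = PASSWORD_RE.search(cmd)
        if m:
            kind, value = m.groups()
            where = section if section != "global" else cmd.split(" password")[0]
            hint = " (use 'enable secret' instead)" if cmd.startswith("enable password") else ""
            if kind == "7":
                try:
                    findings.append(f"{where}: type 7 password recovered: {type7_decode(value)!r}{hint}")
                except ValueError:
                    findings.append(f"{where}: malformed type 7 password{hint}")
            elif kind in (None, "0"):
                findings.append(f"{where}: cleartext password {value!r}{hint}")
        if section.startswith("line "):
            if cmd.startswith("exec-timeout"):
                timeout_seen[section] = True
                if cmd.split()[1:] in (["0"], ["0", "0"]):
                    findings.append(f"{section}: exec-timeout 0 disables the idle timeout")
            if section.startswith("line vty") and cmd.startswith("transport input"):
                vty_restricted[section] = True
                allowed = cmd.split()[2:]
                if "telnet" in allowed or "all" in allowed:
                    findings.append(f"{section}: transport input permits Telnet (cleartext); use 'transport input ssh'")
    for stanza, seen in timeout_seen.items():
        if not seen:
            findings.append(f"{stanza}: no exec-timeout; 10-minute default applies, set a shorter one")
    for stanza, seen in vty_restricted.items():
        if not seen:
            findings.append(f"{stanza}: transport input not restricted; set 'transport input ssh'")
    return findings


# Constructed sample that mirrors the Boston router on the slides (not a real device).
SAMPLE_CONFIG = f"""\
hostname Boston
!
service password-encryption
!
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
enable password 7 {type7_encode('WontGessMe')}
username admin password 7 {type7_encode('CantGessMe', seed=3)}
!
line con 0
 password 7 {type7_encode('ConUser1')}
 login
!
line aux 0
 password 7 {type7_encode('NeverGessMeAux')}
 exec-timeout 0 0
 login
!
line vty 0 4
 password 7 {type7_encode('CantGessMeVTY')}
 login
 transport input telnet ssh
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it as a script to print the findings for the sample, or pass the text of `show running-config` to `audit_config`. Decoding Type 7 takes no work at all, which is the practical reason the slides treat it as obfuscation only; a Type 5 or later secret has to be brute-forced and cannot be read back like this.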

Page 40

Setting Multiple Privilege Levels

router(config)#privilege mode {level level command | reset command}

• Level 1 is predefined for user-level access privileges

• Levels 2–14 may be customized for user-level privileges

• Level 15 is predefined for enable mode (enable command)

Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot

Page 41

Login Banner

• Banners should be used on all network devices

• A banner should include:

A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.

A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.

A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.

Specific notices required by specific local laws.

• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

Page 42

Configuring Banner Messages

router(config)#banner {exec | incoming | login | motd | slip-ppp} d message d

• Specify what is “proper use” of the system

• Specify that the system is being monitored

• Specify that privacy should not be expected when using this system

• Do not use the word “welcome”

• Have the legal department review the content of the message

Boston(config)# banner motd #WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

• Note that this sample banner expands the $(hostname) token and names the owning organization, both of which the previous slide advises leaving out; a production banner should carry the legal notice only.