network security 1 - kapsi internet-käyttäjät...
Network Security 1
Module 2 – Security Planning and Policy
Learning Objectives
2.1 Discussing Network Security and Cisco
2.2 Endpoint Protection and Management
2.3 Network Protection and Management
2.4 Security Architecture
2.5 Basic Router Security
Module 2 – Security Planning and Policy
2.1 Discussing Network Security and Cisco
Network Security as a Continuous Process
• Network security is a continuous process built around a security policy.
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
(Diagram: the Secure, Monitor, Test and Improve steps form a cycle around the security policy.)
Secure the Network
• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
Authentication
Encryption
Firewalls
Vulnerability patching
Monitor Security
• Detects violations of the security policy
• Involves system auditing and real-time intrusion detection
• Validates the security implementation in Step 1
Test Security
• Validates effectiveness of the security policy through system auditing and vulnerability scanning
Improve Security
• Use information from the monitor and test phases to make improvements to the security implementation.
• Adjust the security policy as security vulnerabilities and risks are identified.
What Is a Security Policy?
• “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• (RFC 2196, Site Security Handbook)
Why Create a Security Policy?
To create a baseline of your current security posture
To set the framework for security implementation
To define allowed and not allowed behaviors
To help determine necessary tools and procedures
To communicate consensus and define roles
To define how to handle security incidents
Security Policy Elements
• On the left are the network design factors on which the security policy is based.
• On the right are the basic Internet threat vectors that security policies are written to mitigate.
Network design factors (inputs to the POLICY):
  Topology/Trust Model
  Usage Guidelines
  Application Definition
  Host Addressing
  Data Assessment
Threat vectors (what the POLICY mitigates):
  Vulnerabilities
  Denial of Service
  Reconnaissance
  Misuse
Module 2 – Security Planning and Policy
2.2 Endpoint Protection and Management
Types of Firewalls
• Server based: Microsoft ISA, CheckPoint, BorderManager
• Appliance: PIX Security Appliance, Netscreen, SonicWall
• Personal: Norton, McAfee, ZoneAlarm
• Integrated: IOS Firewall, Switch Firewall
Host-Based Intrusion Detection
Module 2 – Security Planning and Policy
2.3 Network Protection and Management
Sample Firewall Topology
VPN Definition
Remote Access VPNs
Site-to-Site VPNs
Adaptive Security Device Manager (ASDM)
Security Device Manager (SDM)
Module 2 – Security Planning and Policy
2.4 Security Architecture
Secure Connectivity
Cisco Threat Defense System
Identity Based Networking Services (IBNS)
Plan, Design, Implement, Operate, Optimize (PDIOO)
Module 2 – Security Planning and Policy
2.5 Basic Router Security
SSH
(Diagram: an SSH client connecting to the SSH server on the router over TCP port 22.)
SSH Server Configuration
Router(config)#hostname host-name
Router(config)#ip domain-name domain-name.com
Router(config)#crypto key generate rsa modulus 2048
Router(config)#ip ssh version 2
Router(config)#username admin secret password
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#transport input ssh
• The hostname and domain name must be set first, because they name the RSA key pair that SSH uses.
• SSH authenticates a username, so configure a local user and login local (or AAA); a line password alone does not allow SSH logins.
• transport input ssh disables Telnet on the VTY lines.
Controlling Access
• Console port
• TTY
• VTY
• A console is a terminal connected to a router console port.
• The terminal can be a dumb terminal or a PC with terminal emulation software.
Passwords
• Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:
• Type 7 uses the Cisco-defined encryption algorithm, which is reversible.
• Type 5 uses a salted MD5 hash, which is much stronger because the password cannot be recovered from it.
• Cisco recommends that Type 5 be used instead of Type 7 wherever possible. Type 7 is what the enable password, username password, and line password commands store once service password-encryption is enabled. Newer IOS releases also offer Type 8 (PBKDF2-SHA-256) and Type 9 (scrypt) secrets, which should be preferred to Type 5 where available.
• Service password-encryption should be used.
• Use good password practices when creating passwords.
• Configure both username and password combinations.
Good Password Practices
• Avoid dictionary words, names, phone numbers, and dates.
• Include at least one lowercase letter, uppercase letter, digit, and special character.
• Make all passwords at least eight characters long.
• Avoid more than four digits or same-case letters in a row.
• Change passwords often.
Initial Configuration Dialog
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no] y
Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
Enter enable secret: CantGessMe
The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
Enter enable password: WontGessMe
The virtual terminal password is used to protect access to the router over a network interface.
Enter virtual terminal password: CantGessMeVTY
.
.
Configure the Enable Password Using enable secret
router(config)#enable secret password
• Stores the password as a hash in the router configuration file
• Uses a strong algorithm based on MD5 (shown as type 5 in the configuration)
Boston(config)# enable secret Curium96
Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!
Configure the Console Port User-Level Password
router(config)#line console line-number
• Enters console line configuration mode
router(config-line)#login
• Enables password checking at login
router(config-line)#password password
• Sets the user-level password to password
Boston(config)# line console 0
Boston(config-line)# login
Boston(config-line)# password ConUser1
• Creates the user-level password ConUser1
• The password is stored unencrypted unless service password-encryption is configured
Configure a VTY User-Level Password
router(config)#line vty start-line-number end-line-number
• Enters VTY line configuration mode
• Specifies the range of VTY lines to configure
router(config-line)#login
• Enables password checking at login for VTY (Telnet) sessions
router(config-line)#password password
• Sets the user-level password to password
Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY
Configure an Auxiliary User-Level Password
router(config)#line aux line-number
• Enters auxiliary line configuration mode
router(config-line)#login
• Enables password checking at login for aux connections
router(config-line)#password password
• Sets the user-level password to password
Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux
Encrypting Passwords Using service password-encryption
router(config)#service password-encryption
• Obfuscates all clear-text passwords in the router configuration file (shown as type 7)
• Uses a weak, reversible algorithm that can be easily cracked; it protects only against casual reading of the configuration, not against anyone who obtains a copy of it
Boston(config)# service password-encryption
Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A
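To make the weakness of Type 7 concrete, here is an added example written for this page (not course material or Cisco code) that implements the algorithm in Python. Type 7 is a fixed-key XOR, so anyone holding a copy of the configuration recovers every line password instantly. The key constant is the publicly known one that IOS uses; the sample running-config is constructed for the example, using the passwords from the slides, and the labels it reports are this script's own.

```python
"""Cisco IOS Type 7 password obfuscation, encode and decode.

Added example for this page, not course or Cisco code. Type 7 is a
fixed-key XOR (Vigenere-style) over the password bytes; the two leading
decimal digits are the starting offset into the key. The key below is
the publicly known IOS constant. The sample config is constructed here.
"""
import re
from typing import Dict

# Fixed obfuscation key used by IOS for "password 7" strings.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a Type 7 string such as '02050D480809'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected two seed digits followed by hex byte pairs")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 2) -> str:
    """Produce the string IOS would store; any seed 0..15 decodes to the same text."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 0..15")
    data = clear.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 <hex>', 'enable password 7 <hex>' and
# 'username <name> password 7 <hex>'.
_PW7_RE = re.compile(
    r"^\s*(?:username\s+(\S+)\s+password|(?:enable\s+)?password)\s+7\s+([0-9A-Fa-f]+)\s*$")


def recover_type7(config: str) -> Dict[str, str]:
    """Return {where: clear_text} for every Type 7 password in a running-config.
    'where' is the username, 'enable password', or the enclosing 'line ...' block."""
    found: Dict[str, str] = {}
    section = "global"
    for raw in config.splitlines():
        if raw.startswith("line "):           # unindented: start of a line block
            section = raw.strip()
        m = _PW7_RE.match(raw)
        if not m:
            continue
        if m.group(1):
            where = f"username {m.group(1)}"
        elif raw.lstrip().startswith("enable"):
            where = "enable password"
        else:
            where = section
        found[where] = type7_decode(m.group(2))
    return found


# Constructed sample running-config (not captured from a real device).
# The line passwords are the ones used on the slides; the enable password
# is the well-known vector 02050D480809, which decodes to 'cisco'.
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "enable password 7 02050D480809",
    "line con 0",
    " password 7 " + type7_encode("ConUser1", seed=9),
    "line vty 0 4",
    " password 7 " + type7_encode("CantGessMeVTY", seed=11),
    "line aux 0",
    " password 7 " + type7_encode("NeverGessMeAux", seed=3),
])

if __name__ == "__main__":
    for where, clear in recover_type7(SAMPLE_CONFIG).items():
        print(f"{where:16} -> {clear}")
```

Running the script recovers all four passwords from the configuration text alone, which is why Type 7 should be treated as clear text in any threat model where the configuration can leak (backups, TFTP servers, tickets with pasted show running-config output).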
Setting Timeouts for Router Lines
router(config-line)#exec-timeout minutes [seconds]
• Default is 10 minutes
• Terminates an unattended console connection
• Provides an extra safety factor when an administrator walks away from an active console session
Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30
Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30
• Terminates an unattended console or auxiliary connection after 3 minutes and 30 seconds
• exec-timeout 0 0 disables the timeout entirely and should not be used on production lines
Setting Multiple Privilege Levels
router(config)#privilege mode {level level command | reset command}
• Level 1 is predefined for user-level access privileges
• Levels 2–14 may be customized for user-level privileges
• Level 15 is predefined for enable mode (enable command)
Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot
• Here ping is moved to level 2, and a separate enable secret grants access to level 2 without exposing the level 15 secret
Login Banner
• Banners should be used on all network devices
• A banner should include:
  A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.
  A notice that any unauthorized use of the system is unlawful and may be subject to civil and criminal penalties, or both.
  A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.
  Specific notices required by specific local laws.
• A login banner usually should not contain any specific information about the router: its name, its model, what software it is running, or its ownership.
Configuring Banner Messages
router(config)#banner {exec | incoming | login | motd | slip-ppp} d message d
• Specify what is “proper use” of the system
• Specify that the system is being monitored
• Specify that privacy should not be expected when using this system
• Do not use the word “welcome”
• Have the legal department review the content of the message
Boston(config)# banner motd #WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #
• Note that IOS expands $(hostname) to the device name, so this sample banner discloses both the router name and its owner, which the previous slide advises against.
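The controls in this section (enable secret, service password-encryption, line passwords and the good-password practices, exec-timeout, SSH-only VTY access, and the banner rules) lend themselves to an automated check against a saved running-config. The following is an added example written for this page, not course or Cisco code: a small Python auditor run over two constructed configurations, one with the weak settings the slides warn about and one hardened as the slides recommend. It goes one step past the slides by treating Type 7 line passwords themselves as a finding and by preferring login local with a username secret over line passwords. The finding codes (NO_ENABLE_SECRET, TELNET_ALLOWED, and so on) are this script's own labels, not IOS output, and banners are assumed to fit on one line.

```python
"""Audit a Cisco IOS running-config against the basic router security
controls in this module. Added example for this page, not course or
Cisco code. Both sample configs are constructed; finding codes such as
TELNET_ALLOWED are this script's own labels. Banners are assumed to be
written on a single line."""
import re
from typing import Dict, List


def password_weaknesses(pw: str) -> List[str]:
    """Check a clear-text password against the 'Good Password Practices' rules."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    for pattern, msg in ((r"[a-z]", "no lowercase letter"),
                         (r"[A-Z]", "no uppercase letter"),
                         (r"[0-9]", "no digit"),
                         (r"[^A-Za-z0-9]", "no special character")):
        if not re.search(pattern, pw):
            issues.append(msg)
    if re.search(r"[0-9]{5}|[a-z]{5}|[A-Z]{5}", pw):   # more than four in a row
        issues.append("run of more than four digits or same-case letters")
    return issues


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a config into 'global' commands plus one list per 'line ...' block.
    IOS indents a block's sub-commands with one space; an unindented command
    ends the block."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def audit(config: str) -> List[str]:
    """Return one finding string per control the config fails (empty if clean)."""
    findings: List[str] = []
    sections = parse_sections(config)
    glob = sections["global"]
    if not any(c.startswith("enable secret") for c in glob):
        findings.append("NO_ENABLE_SECRET: privileged EXEC not protected by enable secret (Type 5)")
    if any(c.startswith("enable password") for c in glob):
        findings.append("ENABLE_PASSWORD: enable password is clear text or Type 7; use enable secret")
    if "service password-encryption" not in glob:
        findings.append("NO_SERVICE_PW_ENC: line passwords are stored in clear text")
    banners = [c for c in glob if c.startswith("banner ")]
    if not banners:
        findings.append("NO_BANNER: no login or motd banner configured")
    elif any("welcome" in b.lower() for b in banners):
        findings.append("BANNER_WELCOME: banner text contains 'welcome'")
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        for c in cmds:
            m = re.match(r"password(?:\s+(\d))?\s+(\S+)$", c)
            if m and m.group(1) in (None, "0"):          # clear-text line password
                for w in password_weaknesses(m.group(2)):
                    findings.append(f"WEAK_PASSWORD[{name}]: {w}")
            elif m and m.group(1) == "7":
                findings.append(f"TYPE7_PASSWORD[{name}]: reversible Type 7; prefer login local with a secret")
            if re.fullmatch(r"exec-timeout 0(?: 0)?", c):
                findings.append(f"EXEC_TIMEOUT_DISABLED[{name}]: idle sessions never time out")
            if c.startswith("transport input") and ("telnet" in c or c.endswith(" all")):
                findings.append(f"TELNET_ALLOWED[{name}]: clear-text Telnet allowed; use 'transport input ssh'")
    return findings


# Constructed "before" config with the weak settings the slides warn about.
WEAK_CONFIG = """\
hostname Boston
enable password WontGessMe
banner motd ^Welcome to Boston. Unauthorized use prohibited.^
line con 0
 password ConUser1
 exec-timeout 0 0
line aux 0
 password 7 7A4F5192306A
line vty 0 4
 login
 password cisco
 transport input telnet ssh
"""

# Constructed "after" config, hardened as this module recommends (the
# Type 5 hash is the one shown on the enable secret slide).
HARDENED_CONFIG = """\
hostname Boston
service password-encryption
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
username admin secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
banner motd ^Authorized users only. Use of this system is monitored and logged.^
line con 0
 exec-timeout 3 30
 login local
line aux 0
 exec-timeout 3 30
 no exec
line vty 0 4
 exec-timeout 3 30
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

The weak configuration produces a finding for every slide in this section, while the hardened one produces none; in practice you would feed it the output of show running-config collected from each device and fail the check on any non-empty result.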