Network Security
![Page 1: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/1.jpg)
Cisco Systems Confidential 0036_08F7_c2
Internet Security
‘Internet and Intranet - meeting future business needs’
![Page 2: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/2.jpg)
Before we Begin......
• Attendees agree that this information will be circulated on a very strict need-to-know basis, as it is sensitive and can cause security problems.
• While the information in this document is not confidential, some of it could be harmful if given to the wrong individuals.
• The only way to understand security problems is to know what they are. This means that they may also be exploited by those who are untrustworthy.
![Page 3: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/3.jpg)
New Network Threats
CIA Web Site Hacked
Netcom Credit Card Information Stolen
![Page 4: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/4.jpg)
Need for More Security
… and the “Net” Has Changed!

| Original ARPAnet | Today’s Internet | Implications |
|---|---|---|
| 1983: 200 core nodes; linear growth | 11.6 million core nodes; exponential growth | Shortage of unique IP network numbers imminent |
| Large time-sharing nodes, mostly educational | Large and distributed ISP-connected organizations | CIDR, NAT, DHCP for client only, IPv6 |
| “Difficult” security; underlying technology known to few | Numerous untrusted private-sector hosts; hackers abound | Firewalls, encryption |
![Page 5: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/5.jpg)
Internetwork
(diagram: consumers, enterprises, small businesses and professional offices all connected through the Internet)
![Page 6: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/6.jpg)
Putting Things in Perspective
• 75% of computer attacks are never detected.
• Only 15% of all computer crimes are instigated by outsiders.
• 80% - 85% are launched by insiders - people you thought you could trust.
![Page 7: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/7.jpg)
Where’s the Threat? ...... Corporate Space
(diagram: 20% of the threat arrives from the Internet; 80% comes from employees on the internal network and its terminal server)
![Page 8: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/8.jpg)
Where’s the Threat? ...... ISP Space
(diagram: 20% of the threat arrives from the Internet; 80% comes from the ISP’s own customers dialling into the terminal server, with the corporate network behind it)
![Page 9: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/9.jpg)
Security Services
Have you experienced computer or network security breaches in the last year?
Yes: 48%; No: 52%
Source: Computer Security Institute and FBI Computer Crime Division, Fortune 500 Survey, 1995
![Page 10: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/10.jpg)
What are the Threats?
“Trusted” users: remember, 80-85% of all break-ins are caused by people who are insiders.
Amateurs: cyberpunks, hackers, vandals, crackers, jerks, etc.
Professionals: a no-win situation.
![Page 11: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/11.jpg)
What are the Threats?
“Trusted” users: 80% - 90% of all break-ins are caused by people who work for the organizations they broke into!
Many are caught accidentally
Many are amateurs and are caught because they are careless
Most are quietly removed
Very few are reprimanded
![Page 12: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/12.jpg)
What are the Threats? “Trusted” Users
Extremely few are prosecuted by the legal system
Never at a financial institution
Never at a site with links to possible harm to life, or where there is a tie-in to public view
In some places there is little understanding of how to handle the legal problem
Most companies do not want publicity
![Page 13: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/13.jpg)
What are the Threats?
“Trusted” users: most break-ins are either
Greed-oriented
Revenge-oriented
Malicious
Information acquisition
Accidental initially, but then an opportunity for the user of the system
![Page 14: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/14.jpg)
What are the Threats?
Amateurs
Amateurs usually leave a trail that is not too difficult to pick up
Amateurs will eventually screw up
Amateurs do not know when to quit
Amateurs, with careful monitoring, may be found quickly
Most Internet cyberpunks are amateurs
![Page 15: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/15.jpg)
What are the Threats?
Professionals
Professionals are rarely detected
Professionals are difficult to find
Professionals will usually originate from a break-in elsewhere
Professionals leave no traceback
Professionals know when it is time to leave
Professionals will take what they want, no matter what is done to safeguard information
![Page 16: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/16.jpg)
What are the Threats? Bottom Line.......
If someone wants the information badly enough and knows what they are doing, they will not be stopped, and you may consider the information to be “history.”
![Page 17: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/17.jpg)
IT Issues
• Enterprise information becoming more valuable/vulnerable
(chart: load/traffic against time; connectivity, Internet traffic and business value/importance climb steeply while IT spending grows by less than 10%)
![Page 18: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/18.jpg)
The Security Dilemma
• Security is complicated to implement
• Security cannot be implemented uniformly
• Internet connection is a security risk
More than 200 Fortune 1000 companies were asked if they had detected attempts from outsiders to gain computer access in the past 12 months:
Yes: 58%; No: 12%; Don’t know: 30%
If “yes”, how many successful accesses were detected?
1-10: 42%; 11-20: 25%; 21-30: 16%; 31-40: 10%; 41-50: 5%; 50+: 2%
Source: Warroom Research
![Page 19: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/19.jpg)
Solutions Before you Begin.......
• On-Site Security Policy
• Host Security (UNIX/VMS)
• Workstation Security (X, MS , MAC, OS/2)
• Network Security
• Password Policies
• Application Security
• Tools to Track Attacks
• Ability to lock ‘em up (every security policy needs a hammer)
![Page 20: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/20.jpg)
Creating Cisco Solutions
Integration with Cisco IOS™ software across core products, access products, InterWorks products, workgroup products and Internet BU products (firewalls, translation gateways, traffic directors, client software, server software).
Goals: end-to-end security solutions; scalability for global and enterprise WWW applications; Internet/intranet connectivity and security for Novell and DEC customers; end-to-end multimedia solutions; scalable “plug-and-play” TCP/IP environments.
![Page 21: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/21.jpg)
Security Is a System
Physical security example, “What are you trying to protect?”: motion detector (wheels/entry), perimeter detector (door entry), lock nuts (wheels), sound detector (glass entry), engine kill (theft), locator/detector (theft).
![Page 22: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/22.jpg)
Technical Requirements
• Authentication: who it is
• Authorization: what is permitted
• Accounting: what was done
• Data integrity: data is unaltered
• Confidentiality: no unauthorized review
• Assurance: everything operates as specified
![Page 23: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/23.jpg)
Cisco Security Today
Features, grouped on the slide under Dial, Firewall and Network Infrastructure: PAP/CHAP; TACACS+/RADIUS; Kerberos; L2F; Lock-and-Key; access control lists; token card support; logging; route filtering; NAT; GRE tunnels; CiscoSecure™; encryption; privilege levels; certificate authority; cut-through proxy.
![Page 24: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/24.jpg)
Solutions Before you Begin.......
Security is an ATTITUDE!
![Page 25: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/25.jpg)
Security Objective: Balance
Access: connectivity, performance, transparency
Security: authentication, authorization, accounting, assurance, confidentiality, data integrity
Every customer’s needs will be different!
![Page 26: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/26.jpg)
Host Security
File sharing, anonymous FTP, guest login, mail
If a host is not secure, then neither is the network
![Page 27: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/27.jpg)
Network Security Options
• No Internet connection
• Packet filtering with Access Control List (ACL)
• Firewalls
• Privacy with encryption
Building blocks: encryption, address translation, user authentication, secure routing, access control, legacy integration, event logging, multiprotocol tunnels, enterprise gateways
![Page 28: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/28.jpg)
Definition of a Firewall
Firewalls are perimeter security solutions, deployed between a trusted and an untrusted network, often a corporate LAN and an Internet connection.
![Page 29: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/29.jpg)
Firewall Architecture
Packet filtering with the Cisco IOS 11.2 firewall:
1. Access lists
2. Packet filtering
3. Network Address Translation
4. Encryption
(diagram: Cisco IOS firewall between the Internet and the public WWW, public FTP and DNS/mail servers)
![Page 30: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/30.jpg)
Firewall Architecture
Cisco PIX Firewall, dedicated
(diagram: PIX between the Internet and the public WWW, public FTP and DNS/mail servers)
![Page 31: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/31.jpg)
Demilitarized Zone (DMZ)
(diagram: the public WWW, public FTP and DNS/mail servers sit in a DMZ segment between the Internet and the inside network)
![Page 32: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/32.jpg)
Proxy Servers
(diagram: a proxy server handles outbound-only connections from inside hosts to the Internet; public WWW, public FTP and DNS/mail servers remain on the perimeter)
![Page 33: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/33.jpg)
Firewall with Address Translation
• Cisco PIX Firewall: dedicated
• Cisco IOS 11.2: NAT in software
(diagram: a CiscoSecure access router or a PIX translates between private addresses 10.0.0.0 inside and registered addresses 192.128.234.0 outside; public WWW, public FTP and DNS/mail servers face the Internet)
![Page 34: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/34.jpg)
Encryption
(diagram: “YOUR Text” leaves the site, crosses the Internet as cipher text “2$3B9F37”, and arrives as “YOUR Text”; public WWW, public FTP and DNS/mail servers shown on the perimeter)
![Page 35: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/35.jpg)
Scaling Internet Firewalls
By link speed to the Internet:
• Fractional E1/T1: small office; all in one; costs less
• E1/T1: gateway router and firewall; encryption performance
• Above DS3 (45 Mbps): gateway router and firewalls; scalable encryption performance
![Page 36: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/36.jpg)
Dial Security
• Centralized security with TACACS+ / RADIUS
• Lock and Key
![Page 37: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/37.jpg)
Centralized Security
(diagram: a dial client is authenticated via TACACS+ or RADIUS against a CiscoSecure server, which provides authentication, authorization and accounting)
![Page 38: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/38.jpg)
Lock and Key
• Enables dynamic access control lists
• Single user on a LAN
• Per-user authentication and authorization
(diagram: an authorized user, authenticated against CiscoSecure, is let through to the Internet; a non-authorized user is blocked)
![Page 39: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/39.jpg)
Virtual Private Dial Networks
• Encrypted access
• Multiprotocol: IP, IPX, SNA, AppleTalk
(diagram: dial users reach the corporate site across the Internet; a CiscoSecure TACACS+ server authenticates them)
![Page 40: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/40.jpg)
Virtual Private Networks
• IOS
• PIX
![Page 41: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/41.jpg)
Virtual Private Networks
• Replace private WAN with public network access
• Intracompany traffic is private and authenticated
• Internet access is transparent
(diagram: remote offices and the corporate LAN connected over the public network)
![Page 42: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/42.jpg)
Encryption Alternatives
Application-layer encryption: application layers (5–7)
Network-layer encryption: transport/network layers (3–4)
Link-layer encryption: link/physical layers (1–2)
![Page 43: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/43.jpg)
Application Encryption
• Encrypts traffic to/from interoperable applications
• Specific to the application, but network independent
• Application dependent: all users must have interoperable applications
• Examples: S/MIME, PEM, Oracle SecureNet, Lotus cc:Mail and Notes
![Page 44: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/44.jpg)
Network Encryption
• Encrypts traffic between specific networks, subnets, or address/port pairs
• Specific to the protocol, but media/interface independent
• Does not need to be supported by intermediate network devices
• Independent of intermediate topology
• Example: Cisco IOS and PIX
(diagram: hosts A, B and D, an HR server and an e-mail server; traffic from A to the HR server is encrypted, all other traffic is clear)
![Page 45: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/45.jpg)
Link Encryption
• Encrypts all traffic on a link, including network-layer headers
• Specific to the media/interface type, but protocol independent
• Topology dependent: traffic is encrypted/decrypted on a link-by-link basis, so all alternative paths must be encrypted/decrypted
![Page 46: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/46.jpg)
Cisco IOS Encryption Services
• Policy by network, subnet, or address/port pairs (ACL)
• DSS for device authentication; Diffie-Hellman for session key management
• DES for bulk encryption: DES 40-bit is generally exportable, DES 56-bit is restricted
• Hardware assist: VIP2 service adapter
(diagram: routers A and B on a private WAN reach C and D across the public Internet; an HR/financial server and an e-mail server sit behind C and D; A to C, D is clear; B to C, D is encrypted)
![Page 47: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/47.jpg)
Cisco IOS Encryption Options
• Cisco IOS software on 100x, 25xx, 4xxx, 7xxx series routers
• On Cisco RSP 7000 and 7500 series, encryption services are performed centrally on the master RSP and/or distributed on the VIP2-40
• Encryption service adapter for Versatile Interface Processors (VIP): provides higher-performance encryption for local interfaces; tamper-proof
(diagram: Cisco 7000 and 7500 with master and slave Route Switch Processors, and Versatile Interface Processors carrying port adapters and the encryption service adapter)
![Page 48: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/48.jpg)
High-Performance Hardware Encrypted Virtual Private Networks!
PIX Private Link
PIX Private Link frame: IP header | UDP header | encapsulation header | encrypted information (inner IP header and data) | MAC | CRC
(diagram: PIX/Private Link units at networks A, B, C and D exchange IP data across the public network/Internet)
![Page 49: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/49.jpg)
PIX Private Link Benefits
• Secures data communication between sites
• Reduces the high monthly cost of dedicated leased lines
• Complete privacy
• Easy installation: two commands, no maintenance
• Compliant with IETF IPsec: supports AH (RFC 1826) and ESP (RFC 1827)
• Adds value to your Internet connection
• Augments and backs up existing leased lines
![Page 50: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/50.jpg)
Private Link: Private Network, Satellite Division
(diagram: TACACS+ server, RADIUS server, SMTP gateway and UNIX DB gateway; Engineering, Marketing and Executive segments on 172.17.0.0, 172.18.0.0 and 172.19.0.0; private space 10.0.0.0; DMZ at 171.69.236.2; Internet side at 171.68.10.4; PIX A and PIX B joining the Internet and intranet sides)
![Page 51: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/51.jpg)
Tricks to Secure Your Router
![Page 52: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/52.jpg)
Protecting Your Router
• Terminal Access Security
• Transaction and Accounting Records
• Network Management Security
• Traffic Filters
• Routing Protocol Security
• Securing Router Services
![Page 53: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/53.jpg)
The Router’s Role in a Network
(diagram: host systems and DOS, Windows and Mac workstations speaking TCP/IP and IPX, joined by routers to each other and to the Internet over TCP/IP)
![Page 54: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/54.jpg)
Terminal Access Security
![Page 55: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/55.jpg)
Console Access
• Change your passwords; do not use the default.
• Make sure the privilege (enable) password is different from the line access password.
• Use mixed-character passwords; this adds difficulty to cracking attempts.
• Configure session time-outs.
• Use the password-encryption feature so passwords do not appear in the clear in configuration images and files.
• Use enable secret: it stores a one-way hash rather than the reversible type 7 encoding, so the password cannot be recovered from the configuration.
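Why the last two bullets are different in kind, as an added example (not code from the Cisco deck): the “type 7” strings that service password-encryption writes are a fixed-key XOR that anyone holding a copy of the configuration can reverse, whereas enable secret stores a salted one-way MD5 hash (“type 5”). The script decodes and re-encodes type 7 strings with the well-known IOS key table and then audits a configuration fragment; the hostname, passwords and hash in that fragment are constructed for the example.

```python
"""Audit password storage in a Cisco IOS configuration dump.

Added example, not from the original deck.  Type 7 strings are reversible
(fixed-key XOR); type 5 strings (enable secret) are salted one-way MD5
hashes and are only reported, never "decoded".
"""
import re

# Fixed XOR key table IOS uses for `service password-encryption` (type 7).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then hex pairs XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce a type 7 string; IOS picks a seed in 0..15, so accept the same range."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    data = plain.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (seed, body.hex().upper())


# Matches `enable secret 5 ...`, `enable password 7 ...`, line `password 7 ...`,
# and the worst case: a `password ...` with no type digit (stored in the clear).
_PW_RE = re.compile(
    r"^\s*(?P<what>enable secret|enable password|password)\s+"
    r"(?:(?P<type>[057])\s+)?(?P<value>\S+)"
)


def audit_config(config_text: str) -> list:
    """Return (config line, classification, recovered plaintext or None) per password line."""
    findings = []
    for line in config_text.splitlines():
        m = _PW_RE.match(line)
        if not m:
            continue
        ptype, value = m.group("type"), m.group("value")
        if ptype == "5":
            findings.append((line.strip(), "type 5 (salted MD5 hash, one-way)", None))
        elif ptype == "7":
            findings.append((line.strip(), "type 7 (reversible)", type7_decode(value)))
        else:  # "0" or no type digit: cleartext
            findings.append((line.strip(), "cleartext", value))
    return findings


# Constructed configuration fragment (made-up hostname, passwords and hash value).
SAMPLE_CONFIG = """\
hostname gw1
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable password 7 094F471A1A0A
line con 0
 password 7 03170808140A35
line vty 0 4
 password letmein
"""

if __name__ == "__main__":
    for line, kind, plain in audit_config(SAMPLE_CONFIG):
        print("%-45s %-35s %s" % (line, kind, plain or ""))
```

Run it against a real `show running-config` and every line reported as type 7 or cleartext is a password that anyone with read access to the configuration (or to a TFTP/backup copy of it) already has.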
![Page 56: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/56.jpg)
Telnet Access
• Secure ALL the VTY ports, not just the first one.
• Create an access list for the ports; this limits the range of IP addresses that can Telnet into the router.
• Limit or block TCP port 57 (open Telnet with no password write over).
• Do not use commands like ip alias on the Cisco unless you really need to.
• Block connections to echo and discard via no service tcp-small-servers.
![Page 57: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/57.jpg)
Telnet Access
Enter configuration commands, one per line. End with CNTL/Z.
serial 2-3 (config) # access-list 101 deny tcp any any eq 57
serial 2-3 (config) # access-list 101 permit tcp 165.21.0.0 0.0.255.255 any
serial 2-3 (config) # line vty 0 5
serial 2-3 (config-line) # access-class 101 in
Extended IP access list 101
deny tcp any any eq 57
permit tcp 165.21.0.0 0.0.255.255 any
(The mask in an access-list entry is a wildcard mask: 0 bits must match, 1 bits are ignored. 0.0.255.255 matches all of 165.21.0.0/16; the slide’s original 255.255.0.0 would have ignored the first two octets and matched only sources ending in .0.0.)
![Page 58: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/58.jpg)
Multiple Privilege Levels
• Division of responsibilities: help desk and network manager; security and network operations
• Provides internal controls
• Users can only see configuration settings they have access to
![Page 59: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/59.jpg)
Configuring Multiple Privilege Levels
• Set the privilege level for a command
• Change the default privilege level for lines
• Display current privilege levels
• Log in to a privilege level
![Page 60: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/60.jpg)
Multiple Privilege Example
• Configuration:
enable password level 15 pswd15
privilege exec level 15 configure
enable password level 10 pswd10
privilege exec level 10 show running-config
• Login/logout:
enable <level>
disable <level>
![Page 61: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/61.jpg)
What Is AAA?
• Authentication
Something you are: unique, can’t be left at home (retina, prints, DNA)
Something you have: hardware assist (DES card)
Something you know: cheap, low-overhead solution (fixed passwords)
• Authorization: what you’re allowed to do (connections, services, commands)
• Accounting: what you did, and when
• It’s also an architectural framework: protocol-independent formats; easy to support multiple protocols; consistent configuration interface; good scalability for large ISPs with volatile databases and lots of accounting data
![Page 62: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/62.jpg)
Virtual Terminal
(diagram: user to Router A: “I would like to log into Router A; my name is JSmith; my password is *****”. Router A, acting as TACACS+ client, to the TACACS+ server: “Is JSmith with password ***** an authorized user?”)
![Page 63: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/63.jpg)
Security Server Partners
(diagram: the user presents username/password plus the one-time code from a token card, e.g. 3178454, to a Cisco 500-CS; the security server validates the token and access is permitted)
![Page 64: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/64.jpg)
Transaction and Accounting Records
![Page 65: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/65.jpg)
Transaction Records
• Q: How do you tell when someone is cracking into your router, hub, or switch?
• Consider some form of audit trail:
Using the UNIX logging features (if it has any), with cron scripts to alert you when there are potential problems
SNMP traps and alarms
Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like Security Dynamics SmartCard
![Page 66: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/66.jpg)
Transaction Records
• UNIX logging:
logging buffered 16384
logging trap debugging
logging 169.222.32.1
(diagram: logging flow from the router to a UNIX workstation with logging configured)
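What the “cron scripts to alert you” from the previous slide might look like, as an added example that is not part of the deck: a scan over the syslog lines a router sends with the configuration above, picking out repeated ACL denies from one source (an entry with the `log` keyword, such as the VTY access list), SNMP authentication failures (sent when snmp-server trap-authentication is on) and configuration changes. The log lines are constructed for the example in the IOS %FACILITY-SEVERITY-MNEMONIC style; the hostname, addresses and sequence numbers are made up.

```python
"""Scan router syslog (as delivered by `logging <host>` / `logging trap debugging`)
for signs that someone is working on the router.  Added example, not Cisco code.
"""
import re
from collections import Counter, defaultdict

# IOS messages look like "%FACILITY-SEVERITY-MNEMONIC: text".  The ones used here are
# the ACL `log` keyword (IPACCESSLOGP for tcp/udp, IPACCESSLOGDP for icmp), SNMP
# authentication failures, and the configuration-changed notice.
MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
)
SNMP_FAIL_RE = re.compile(r"from host (?P<src>\d+\.\d+\.\d+\.\d+)")
CONFIG_RE = re.compile(r"Configured from (?P<where>.*?) by (?P<who>.*)$")


def parse(line: str):
    """Split one syslog line into facility, severity, mnemonic and text (None if not IOS)."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def analyze(log_text: str, deny_threshold: int = 3) -> dict:
    """Summarise hostile-looking activity in a block of router syslog lines."""
    denies = defaultdict(Counter)      # source -> Counter of (dst, dport) it was denied to
    snmp_failures = Counter()          # source -> bad community string attempts
    config_changes = []                # (where, who) for every CONFIG_I
    for line in log_text.splitlines():
        msg = parse(line)
        if msg is None:
            continue
        if msg["mnem"] in ("IPACCESSLOGP", "IPACCESSLOGDP"):
            a = ACL_RE.search(msg["text"])
            if a and a.group("action") == "denied":
                denies[a.group("src")][(a.group("dst"), a.group("dport"))] += 1
        elif msg["fac"] == "SNMP" and msg["mnem"] == "AUTHFAIL":
            s = SNMP_FAIL_RE.search(msg["text"])
            if s:
                snmp_failures[s.group("src")] += 1
        elif msg["mnem"] == "CONFIG_I":
            c = CONFIG_RE.search(msg["text"])
            if c:
                config_changes.append((c.group("where"), c.group("who")))
    # A source that keeps hitting the VTY/SNMP access list is probing; one deny is noise.
    probers = {src: sum(c.values()) for src, c in denies.items()
               if sum(c.values()) >= deny_threshold}
    return {"probers": probers, "snmp_failures": dict(snmp_failures),
            "config_changes": config_changes}


# Constructed sample: one host probing telnet and SNMP, one stray deny, one config change.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw1 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40211) -> 10.0.0.1(23), 1 packet
Mar  3 10:00:02 gw1 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40212) -> 10.0.0.1(23), 1 packet
Mar  3 10:00:03 gw1 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40213) -> 10.0.0.1(23), 1 packet
Mar  3 10:00:04 gw1 104: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.77(40214) -> 10.0.0.1(161), 1 packet
Mar  3 10:00:05 gw1 105: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.77
Mar  3 10:00:06 gw1 106: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.0.9 -> 10.0.0.1 (8/0), 1 packet
Mar  3 10:00:07 gw1 107: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(1034) -> 10.0.0.1(23), 1 packet
Mar  3 10:00:09 gw1 108: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.50)
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The threshold is the one knob worth tuning: on a busy Internet-facing router a single denied packet per source is background noise, while several denies from one source against the router’s own telnet and SNMP ports within a short window is the pattern that deserves an alert.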
![Page 67: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/67.jpg)
Network Management Security
![Page 68: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/68.jpg)
SNMP
• #1 Source of Intelligence on a victim's network!
• Do you know when someone is running a SNMP discovery tool on your network?
• Do you block SNMP on your firewall?
![Page 69: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/69.jpg)
SNMP
• Change your community strings! Do not leave the defaults on!
• Use different community strings for the RO and RW communities.
• Do NOT use RW community unless you are desperate!
• Use mixed characters in the community strings. Yes, even SNMP community strings can be cracked!
![Page 70: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/70.jpg)
SNMP
• Use an access list on SNMP. Limit who can make SNMP queries. If someone needs special access (e.g. for monitoring an Internet link), then create a special community string and access list for them.
• Explicitly point SNMP traps back to the authorized management workstation.
![Page 71: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/71.jpg)
SNMP
snmp-server community apricot RO 1
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server host 169.223.2.2 apricot
access-list 1 permit 169.223.2.2
(Access list 1 is the standard list referenced by the community command, so only 169.223.2.2 may query with the apricot community.)
![Page 72: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/72.jpg)
Traffic Filters
![Page 73: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/73.jpg)
IP Access List
• <1-99> IP standard access list
• <100-199> IP extended access list
• <1100-1199> Extended 48-bit MAC address access list
• <200-299> Protocol type-code access list
• <700-799> 48-bit MAC address access list
![Page 74: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/74.jpg)
Extended Access Lists
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]
Example:
access-list 101 permit icmp any any log
![Page 75: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/75.jpg)
Spoofing
• Access list protections are based on matching the source address.
• Protect your router with something like the following, applied inbound on the Internet-facing interface (131.108.0.0/16 stands for your own address space):
access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
• Turn off IP source routing (no ip source-route)
![Page 76: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/76.jpg)
Spoofing
(diagram: across the Internet, an attacker tells the central site “Hello, I’m Branch Office X! Here is my routing update!”, impersonating Branch Office A)
![Page 77: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/77.jpg)
Spoofing
(diagram: ISP A announces 198.92.93.0/24; a packet arrives from ISP B with source 198.92.93.3. Filter any inbound packets from the outside that carry a 198.92.93.0/24 source.)
![Page 78: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/78.jpg)
Denial of Service Attacks
• TCP SYN attack: A sender using a series of random source IP addresses starts connections that cannot be completed, causing the connection queues to fill up, thereby denying service to legitimate TCP users.
• UDP diagnostic port attack: A sender using a series of random IP source addresses calls for UDP diagnostic services on the router, causing all CPU resources to be consumed servicing the bogus requests.
![Page 79: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/79.jpg)
Denial of Service Attacks: TCP SYN
(diagram: the attacker, inside ISP A’s 10.0.0.0/8, sends TCP SYNs to the target behind ISP B with spoofed sources such as 192.168.0.4, 15.0.0.13 and 172.16.0.2; the target’s SYN/ACKs go to addresses that never answer, so the connections stay half-open)
![Page 80: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/80.jpg)
Denial of Service Attacks: TCP SYN
(diagram: attacker inside ISP A’s 10.0.0.0/8, target behind ISP B)
Filter any packet that does not carry a 10.0.0.0/8 source address.
• Ingress filtering: on the link from the 10.0.0.0/8 site, apply an outbound filter that permits only the site’s own addresses as source; the implicit deny drops the spoofed SYNs before they reach the Internet.
access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
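The three access lists on the Telnet Access, Spoofing and ingress-filtering slides all rely on the same matching rules, so here is one evaluator for them, as an added example that is not Cisco code: it parses the numbered extended-list syntax the slides use (`any`, `host`, address plus wildcard mask, optional `eq` port), applies first-match-wins with the implicit deny at the end, and runs constructed packets through each list. The wildcard-mask semantics (0 bits must match, 1 bits are ignored) are IOS’s; the packets, and the second copy of the VTY list that keeps the slide’s original 255.255.0.0 mask so its effect can be seen, are constructed for the example.

```python
"""Evaluate Cisco IOS numbered extended access lists against sample packets.

Added example, not from the deck.  Supports the subset of syntax the slides use:
`access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT]`, with SRC/DST as
`any`, `host A.B.C.D` or `A.B.C.D WILDCARD`.  First match wins; implicit deny.
"""
import ipaddress
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Return (address, wildcard, next index).  Wildcard 1 bits mean 'don't care'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one access-list entry into its fields."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    ace = {"number": t[1], "action": t[2], "proto": t[3]}
    ace["src"], ace["swild"], i = _parse_addr(t, 4)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], ace["dwild"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    return ace


def _addr_match(addr: int, wild: int, pkt_addr: int) -> bool:
    # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (pkt_addr & care)


def evaluate(acl_text: str, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry) for the first match, or ('deny', None)."""
    proto, src, sport, dst, dport = pkt
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not _addr_match(ace["src"], ace["swild"], _ip(src)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if not _addr_match(ace["dst"], ace["dwild"], _ip(dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line.strip()
    return "deny", None   # implicit deny at the end of every IOS access list


# VTY list from the Telnet Access slide, mask written as a wildcard (165.21.0.0/16).
VTY_ACL = """
access-list 101 deny tcp any any eq 57
access-list 101 permit tcp 165.21.0.0 0.0.255.255 any
"""
# Same list with the slide's original 255.255.0.0: only sources ending in .0.0 match.
VTY_ACL_BAD_MASK = """
access-list 101 deny tcp any any eq 57
access-list 101 permit tcp 165.21.0.0 255.255.0.0 any
"""
# Anti-spoofing list from the Spoofing slide (inbound on the Internet interface).
ANTI_SPOOF_ACL = """
access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
# Ingress filter from the SYN-flood slide: only 10.0.0.0/8 sources may leave the site.
INGRESS_ACL = "access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255"

if __name__ == "__main__":
    # Constructed packets: an admin from 165.21.4.9, an outsider, a spoofed SYN.
    print(evaluate(VTY_ACL, ("tcp", "165.21.4.9", 40000, "165.21.1.1", 23)))
    print(evaluate(VTY_ACL_BAD_MASK, ("tcp", "165.21.4.9", 40000, "165.21.1.1", 23)))
    print(evaluate(ANTI_SPOOF_ACL, ("tcp", "131.108.5.5", 1234, "131.108.1.1", 80)))
    print(evaluate(INGRESS_ACL, ("tcp", "192.168.0.4", 1234, "192.0.2.10", 80)))
```

Two things the run makes visible that the slides only state: with the mask written as 255.255.0.0 the administrator’s own workstation at 165.21.4.9 falls through to the implicit deny and is locked out of the VTYs, and the ingress list needs no explicit deny line because everything that is not the site’s own prefix is dropped by the implicit deny.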
![Page 81: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/81.jpg)
Denial of Service Attacks: UDP diag
[Diagram: Attacker (10.0.0.0/8) floods the Target's router (9.0.0.0/8) across the Internet, via ISP A and ISP B, with echo, chargen and discard requests.]
• Turn off small services:
  no service udp-small-servers
  no service tcp-small-servers
![Page 82: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/82.jpg)
Solution: TCP Intercept
• Tracks, intercepts and validates TCP connection requests
• Two modes: Intercept and monitor
![Page 83: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/83.jpg)
TCP Intercept—Intercept Mode
• 1. Answers connection requests
• 2. Establishes the genuine connection
• 3. Merges the connections between client and server
[Diagram: Request Intercepted → Connection Established → Connection Transferred]
![Page 84: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/84.jpg)
TCP Intercept—Monitor Mode
• Passively monitors connection requests
• Terminates connection attempts that exceed a configurable time limit
![Page 85: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/85.jpg)
TCP Intercept Aggressive Behavior
• Begins when the high threshold is exceeded, ends when the count drops below the low threshold
• New connection drops old partial connection
• Retransmission timeout cut in half
• Watch timeout cut in half
![Page 86: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/86.jpg)
TCP Intercept Considerations
• TCP negotiated options not supported
• Available in release 11.2(4)F Enterprise and Service Provider
• Connections are fast switched, except on the RP/SP/SSP-based C7000, which supports process switching only
![Page 87: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/87.jpg)
TCP Intercept Configuration Tasks
• Enable: ip tcp intercept list <extended ACL>
• Set mode: ip tcp intercept mode {intercept | watch}
• Set drop mode: ip tcp intercept drop-mode {oldest | random}
![Page 88: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/88.jpg)
TCP Intercept Configuration
• Change timers:
  ip tcp intercept watch-timeout <seconds>
  ip tcp intercept finrst-timeout <seconds>
  ip tcp intercept connection-timeout <seconds>
• Change aggressive thresholds:
  ip tcp intercept max-incomplete low <number>
  ip tcp intercept max-incomplete high <number>
  ip tcp intercept one-minute low <number>
  ip tcp intercept one-minute high <number>
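The aggressive behaviour from the previous slides and the watch-timeout and max-incomplete thresholds configured here, as an added Python model (an illustration written for this page, not Cisco's implementation). The class and function names are constructed, and the flood scenario uses deliberately small low/high thresholds of 5/8 so the mode changes are visible.

```python
from collections import OrderedDict

class TcpInterceptWatch:
    """Simplified model of TCP Intercept watch mode with the aggressive thresholds
    described on the slides (an illustration for this page, not Cisco's code)."""
    def __init__(self, watch_timeout=30, low=900, high=1100):
        self.watch_timeout = watch_timeout  # ip tcp intercept watch-timeout <seconds>
        self.low, self.high = low, high     # ip tcp intercept max-incomplete low/high
        self.half_open = OrderedDict()      # flow -> time its SYN was seen, oldest first
        self.aggressive, self.dropped = False, 0

    def _timeout(self):  # aggressive behaviour: watch timeout cut in half
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def _update_mode(self):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:   # begins when high threshold exceeded
            self.aggressive = True
        elif self.aggressive and n < self.low:      # ends when count drops below low
            self.aggressive = False

    def expire(self, now):
        """Terminate attempts still incomplete after the (possibly halved) watch timeout."""
        stale = [f for f, t0 in self.half_open.items() if now - t0 > self._timeout()]
        for f in stale:
            del self.half_open[f]
        self.dropped += len(stale)
        self._update_mode()

    def syn(self, flow, now):
        """Client SYN seen; in aggressive mode a new connection drops an old partial one
        (drop-mode 'oldest'; 'random' would evict an arbitrary half-open entry instead)."""
        self.expire(now)
        if self.aggressive and self.half_open:
            del self.half_open[next(iter(self.half_open))]
            self.dropped += 1
        self.half_open[flow] = now
        self._update_mode()

def simulate_syn_flood(n_syn=20, low=5, high=8, watch_timeout=30):
    """Constructed scenario: one spoofed SYN per second, none ever completed, then a
    quiet period. Returns the state during the flood and after the quiet period."""
    ti = TcpInterceptWatch(watch_timeout, low, high)
    state = lambda: {"aggressive": ti.aggressive, "half_open": len(ti.half_open), "dropped": ti.dropped}
    for i in range(n_syn):
        ti.syn(("spoofed-%d" % i, 80), now=i)
    during = state()
    ti.expire(now=n_syn + 20)
    return during, state()
```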
![Page 89: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/89.jpg)
Routing Protocol Security
![Page 90: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/90.jpg)
Routing Protocols
• Routing protocols can be attacked:
  Denial of Service
  Smoke Screens
  False information
  Reroute packets
• May be accidental or intentional
![Page 91: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/91.jpg)
Solution: Route Authentication
• Authenticates routing update packets
• Shared key included in routing updates:
  Plain text—protects against accidental problems only
  Message Digest 5 (MD5)—protects against accidental and intentional problems
![Page 92: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/92.jpg)
Route Authentication Protocol
• Routing update includes the key and key number
• Receiving router verifies the received key against its local copy
• If the keys match, the update is accepted; otherwise it is rejected
![Page 93: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/93.jpg)
Route Authentication Details
• Multiple keys supported:
  Key lifetimes based on time of day
  Only the first valid key is sent with each packet
• Supported in: BGP, IS-IS, OSPF, RIPv2, and EIGRP (11.2(4)F)
• Syntax differs depending on the routing protocol
![Page 94: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/94.jpg)
Routing Protocols
• OSPF Area Authentication: two types
  Simple Password:
    ip ospf authentication-key <key>  (under the specific interface)
    area <area-id> authentication  (under "router ospf <process-id>")
  Message Digest (MD5):
    ip ospf message-digest-key <keyid> md5 <key>  (under the interface)
    area <area-id> authentication message-digest  (under "router ospf <process-id>")
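As an added Python illustration (not from the slides or from any Cisco code) of the route-authentication protocol and key-chain details above: the sender attaches the first valid key number plus either the plain-text key or a keyed MD5 digest, and the receiver checks the key number's lifetime and compares. The key chain, the sample update and the keyed-MD5 construction are constructed simplifications, not the exact RIPv2 or OSPF wire format; the last verdict shows why plain text protects against accidental problems only.

```python
import hashlib, hmac, json

# Constructed key chain: key number -> secret and lifetime as seconds of the day.
# Key 1 is valid 00:00-12:00, key 2 from 11:00-24:00 (both valid 11:00-12:00).
KEY_CHAIN = {
    1: {"secret": b"old-shared-key", "valid": (0, 12 * 3600)},
    2: {"secret": b"new-shared-key", "valid": (11 * 3600, 24 * 3600)},
}

def first_valid_key(chain, now):
    """Only the first valid key (lowest key number) is sent with each packet."""
    for kid in sorted(chain):
        start, end = chain[kid]["valid"]
        if start <= now < end:
            return kid
    raise LookupError("no valid key at this time of day")

def digest(update, secret):
    """Keyed MD5 over the encoded update followed by the secret: a simplified model
    of the RIPv2/OSPF keyed-MD5 scheme, not the real wire format."""
    return hashlib.md5(json.dumps(update, sort_keys=True).encode() + secret).hexdigest()

def sign_update(update, chain, now, mode="md5"):
    """Sender: attach the key number plus either the plain-text key or the digest."""
    kid = first_valid_key(chain, now)
    secret = chain[kid]["secret"]
    auth = secret.decode() if mode == "plain" else digest(update, secret)
    return {"update": update, "key_id": kid, "mode": mode, "auth": auth}

def verify_update(msg, chain, now):
    """Receiver: look up the key number, check its lifetime, then compare the
    received key (plain) or the recomputed digest (md5) against the local copy."""
    key = chain.get(msg["key_id"])
    if key is None or not (key["valid"][0] <= now < key["valid"][1]):
        return False
    expected = key["secret"].decode() if msg["mode"] == "plain" else digest(msg["update"], key["secret"])
    return hmac.compare_digest(expected, msg["auth"])

def demo(now=8 * 3600):
    """Constructed update signed at 08:00 (key 1), then the same update altered in transit."""
    update = {"prefix": "192.168.10.0/24", "metric": 2}
    altered = {"prefix": "192.168.10.0/24", "metric": 1}
    md5_msg = sign_update(update, KEY_CHAIN, now)
    plain_msg = sign_update(update, KEY_CHAIN, now, mode="plain")
    return {
        "md5_genuine": verify_update(md5_msg, KEY_CHAIN, now),
        "md5_altered": verify_update(dict(md5_msg, update=altered), KEY_CHAIN, now),
        "plain_altered": verify_update(dict(plain_msg, update=altered), KEY_CHAIN, now),  # accepted
        "md5_key_expired": verify_update(md5_msg, KEY_CHAIN, now=14 * 3600),
        "key_in_overlap": sign_update(update, KEY_CHAIN, now=11 * 3600 + 1800)["key_id"],
    }
```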
![Page 95: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/95.jpg)
Securing Router Services
![Page 96: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/96.jpg)
WWW Server
• Yes, IOS now includes a WWW server!
• Makes configuration easier, but opens new security holes (it is turned off by default).
• Apply an access list restricting which addresses are allowed to access port 80.
• Similar to console and TTY access.
![Page 97: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/97.jpg)
Other Areas to Consider
![Page 98: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/98.jpg)
Other Areas to Consider
• Turn off:
  proxy arp
  no ip directed-broadcast
  no service finger
![Page 99: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/99.jpg)
Protecting the Config Files
• Router configs are usually stored some place safe. But are they really safe?
• Protect and limit access to TFTP and MOP servers containing router configs.
![Page 100: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/100.jpg)
Summary
• Security is not just about protecting your UNIX workstations.
• Your network devices are just as vulnerable.
• Be smart, protect them.
• Routers are the side door into any network.
![Page 101: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/101.jpg)
Cisco Security Today
Categories: Dial, Firewall, Network Infrastructure
PAP/CHAP
TACACS+/RADIUS
Kerberos
L2F
Lock-and-Key
Access Control Lists
Token Card Support
Logging
Route Filtering
NAT
GRE Tunnels
CiscoSecure™
Encryption
Privilege Levels
Certificate Authority
Cut-Through Proxy
![Page 102: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/102.jpg)
http://www.cisco.com/
Where to get more information?
![Page 103: Network Security](https://reader036.vdocuments.us/reader036/viewer/2022062614/5462daffaf79595f5c8b47cc/html5/thumbnails/103.jpg)
Where to get more information?
• Security URLs:
  Computer Emergency Response Team (CERT): http://www.cert.org
  SATAN (Security Administrator Tool for Analyzing Networks): http://recycle.cebaf.gov/~doolitt/satan/
  Phrack Magazine: http://freeside.com/phrack.html