Security Basics (slide transcript)
© 1999, Cisco Systems, Inc. www.cisco.com
Module 11: Security Basics
CSE: Networking Fundamentals—Security © 1999, Cisco Systems, Inc. www.cisco.com
Agenda
• Why Security?
• Security Technology
– Identity
– Integrity
– Active Audit
All Networks Need Security
• No matter the company size, security is important
• Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
• Even small company sites are cracked
Why Security?
• Three primary reasons
– Policy vulnerabilities
– Configuration vulnerabilities
– Technology vulnerabilities
And people eager to take advantage of the vulnerabilities
Security Threats
(figure: four examples)
• Loss of Integrity: the customer's "Deposit $1000" reaches the bank as "Deposit $100"
• Loss of Privacy: a telnet login to company.org (username: dan, password: m-y-p-a-s-s-w-o-r-d) is read off the wire letter by letter
• Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
• Denial of Service: the target's CPU is tied up
Security Objective: Balance Business Needs with Risks
(figure: a balance with Policy Management at the pivot)
• Access Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity
• Business Needs: Connectivity, Performance, Ease of Use, Manageability, Availability
Network Security Components: Physical Security Analogy
• Doors, locks, & guards ↔ Firewalls & access controls
• Keys & badges ↔ Authentication
• Surveillance cameras & motion sensors ↔ Intrusion detection system
• Complementary mechanisms that together provide in-depth defense
Security Technology
Elements of Security
(figure: Policy at the centre of the three elements)
• Identity
– Accurately identify users
– Determine what users are allowed to do
• Integrity
– Ensure network availability
– Provide perimeter security
– Ensure privacy
• Active audit
– Recognize network weak spots
– Detect and react to intruders
Security Technology: Identity
Identity
• Uniquely and accurately identify users, applications, services, and resources
– Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
Username/Password
(figure: dial-in user → Network Access Server over PPP/PAP across the public network → AAA server on the campus; the ID/password is forwarded at each hop)
• User dials in with password to NAS
• NAS sends ID/password to AAA server
• AAA server authenticates user ID/password and tells NAS to accept (or reject)
• NAS accepts (or rejects) call
PAP and CHAP Authentication
(figure: dial-in user → Network Access Server across the public network, PPP with PAP or CHAP)
• Password Authentication Protocol (PAP)
– Authenticates caller only
– Passes password in clear text
• Challenge Handshake Authentication Protocol (CHAP)
– Authenticates both sides
– Password is encrypted
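The two protocols on this slide on a simulated PPP link, as an added example (not code from the deck or from Cisco): a PAP peer hands over the password itself, while a CHAP peer answers a random challenge with the RFC 1994 MD5 digest of identifier, secret and challenge, so the secret never crosses the link (that digest is what the slide calls the "encrypted" password). The credentials, and the second challenge direction used to show mutual authentication, are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credentials for the example (not from any real system). Under CHAP
# the secret is configured on both ends of the link and never travels across it.
USER_SECRETS = {"dan": b"m-y-p-a-s-s-w-o-r-d"}


def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    """PAP (RFC 1334): the peer sends the password itself, readable by anyone on the link."""
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The challenging side: the NAS, or the peer when it authenticates the NAS in turn."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0

    def challenge(self) -> dict:
        """A fresh random challenge under a new identifier for every attempt."""
        self.identifier = (self.identifier + 1) & 0xFF
        return {"code": "Challenge", "id": self.identifier, "value": os.urandom(16)}

    def verify(self, challenge_msg: dict, response_msg: dict) -> bool:
        """Recompute the digest from the stored secret and compare in constant time."""
        secret = self.secrets.get(response_msg["name"])
        if secret is None or response_msg["id"] != challenge_msg["id"]:
            return False
        expected = chap_response_value(challenge_msg["id"], secret, challenge_msg["value"])
        return hmac.compare_digest(expected, response_msg["value"])


def chap_respond(challenge_msg: dict, name: str, secret: bytes) -> dict:
    """The responding side answers with a digest; the secret itself stays local."""
    value = chap_response_value(challenge_msg["id"], secret, challenge_msg["value"])
    return {"code": "Response", "id": challenge_msg["id"], "value": value, "name": name}


def chap_login(authenticator: ChapAuthenticator, name: str, secret: bytes) -> tuple:
    """One Challenge/Response round; returns (accepted, the Response as seen on the link)."""
    chal = authenticator.challenge()
    resp = chap_respond(chal, name, secret)
    return authenticator.verify(chal, resp), resp


def replayed_response_rejected(authenticator: ChapAuthenticator, old_response: dict) -> bool:
    """A Response captured earlier is useless against a new challenge (fresh id and value)."""
    new_chal = authenticator.challenge()
    return not authenticator.verify(new_chal, old_response)


def mutual_chap(nas_secrets: dict, peer_secrets: dict,
                peer_name: str, peer_secret: bytes,
                nas_name: str, nas_secret: bytes) -> bool:
    """CHAP authenticates both sides: the NAS challenges the peer, the peer challenges the NAS."""
    peer_ok, _ = chap_login(ChapAuthenticator(nas_secrets), peer_name, peer_secret)
    nas_ok, _ = chap_login(ChapAuthenticator(peer_secrets), nas_name, nas_secret)
    return peer_ok and nas_ok


if __name__ == "__main__":
    nas = ChapAuthenticator(USER_SECRETS)
    accepted, response = chap_login(nas, "dan", USER_SECRETS["dan"])
    print("CHAP accepted:", accepted, "| on the wire:", response["value"].hex())
    print("PAP on the wire:", pap_authenticate_request("dan", USER_SECRETS["dan"]))
```

Run it and compare the two "on the wire" lines: the PAP request carries the password verbatim, the CHAP response carries only a 16-byte digest that is tied to one challenge and cannot be presented again.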
One-Time Password
(figure: dial-in user → Network Access Server across the public network → AAA server and token or S-Key server on the campus; the ID/one-time password comes from a token card, a soft token, or S-Key)
• Additional level of security, guards against password guessing and cracking
– Prevents spoofing, replay attacks
• Single-use password is generated by token card or in software
• Synchronized central server authenticates user
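How a one-time password scheme of the S-Key type works, as an added example rather than anything from the deck: a hash chain is computed from the user's passphrase and a seed, the server keeps only the top of the chain, and each login presents the next value down, which the server checks with a single hash step and then stores in place of the old value. The hash function (SHA-256, without S/Key's 64-bit folding), the passphrase and the seed are assumptions made for the example.

```python
import hashlib
import hmac


def otp_hash(data: bytes) -> bytes:
    """One-way step of the chain. S/Key (RFC 2289) folds MD4/MD5 output to 64 bits;
    this example keeps the full SHA-256 digest (assumption for illustration)."""
    return hashlib.sha256(data).digest()


def otp_chain(passphrase: bytes, seed: bytes, count: int) -> list:
    """[h0, h1, ..., h_count] with h0 = H(seed || passphrase) and h_i = H(h_(i-1))."""
    chain = [otp_hash(seed + passphrase)]
    for _ in range(count):
        chain.append(otp_hash(chain[-1]))
    return chain


class OtpClient:
    """Token card or software generator: holds the passphrase and recomputes the chain."""

    def __init__(self, passphrase: bytes, seed: bytes):
        self.passphrase = passphrase
        self.seed = seed

    def password_for(self, sequence: int) -> bytes:
        return otp_chain(self.passphrase, self.seed, sequence)[sequence]


class OtpServer:
    """AAA side: stores only the last accepted chain value and its sequence number,
    never the passphrase, so a copy of its database yields no usable password."""

    def __init__(self):
        self.db = {}   # username -> (last accepted hash, sequence number)

    def enroll(self, username: str, passphrase: bytes, seed: bytes, count: int):
        """Initialisation happens once over a trusted path; h_count is all that is kept."""
        self.db[username] = (otp_chain(passphrase, seed, count)[count], count)

    def challenge(self, username: str) -> int:
        """Tell the client which sequence number to produce next."""
        _, sequence = self.db[username]
        return sequence - 1

    def verify(self, username: str, candidate: bytes) -> bool:
        """Accept iff H(candidate) equals the stored value, then move the stored value
        one step down the chain so the same password can never be accepted again."""
        stored, sequence = self.db.get(username, (None, 0))
        if stored is None or sequence <= 0:
            return False
        if not hmac.compare_digest(otp_hash(candidate), stored):
            return False
        self.db[username] = (candidate, sequence - 1)
        return True


if __name__ == "__main__":
    passphrase, seed = b"correct horse battery", b"ke4321"   # constructed
    server, client = OtpServer(), OtpClient(passphrase, seed)
    server.enroll("dan", passphrase, seed, 100)
    n = server.challenge("dan")
    pw = client.password_for(n)
    print("sequence", n, "accepted:", server.verify("dan", pw), "| replayed:", server.verify("dan", pw))
```

Because the chain is one-way, a password sniffed off the line (h_n) gives no way to compute the next one the server will ask for (h_(n-1)), which is what makes the replay and guessing resistance on the slide hold.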
Authentication, Authorization, and Accounting (AAA)
• Tool for enforcing security policy
– Authentication: verifies identity—Who are you?
– Authorization: configures integrity—What are you permitted to do?
– Accounting: assists with audit—What did you do?
AAA Services
• Centralized security database
• High availability
• Same policy across many access points
• Per-user access control
• Single network login
• Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
(figure: a dial-in user through the Network Access Server and an Internet user through the gateway router/firewall are both checked against the campus AAA server over TACACS+ or RADIUS; the firewall intercepts connections and exchanges ID/user profile with the AAA server)
RADIUS
• RADIUS is an industry standard—RFC 2138, RFC 2139
• Cisco has full IETF RFC implementation
• Cisco has implemented many nonstandard vendor proprietary attributes
• Cisco hardware will work well with non-Cisco RADIUS AAA servers
• Cisco is committed to providing the best RADIUS solution
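The NAS-to-AAA-server round trip from the Username/Password slide, carried over RADIUS as RFC 2138 (now RFC 2865) lays it out, as an added example that is not Cisco's code: the NAS builds an Access-Request whose User-Password attribute is hidden under the shared secret and a random Request Authenticator, the server recovers the password, checks it and answers Access-Accept or Access-Reject, and the NAS accepts the call only if the Response Authenticator on the reply verifies. The shared secret, the user database and the NAS address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encode_attributes(attrs) -> bytes:
    """Attributes are Type (1 byte) | Length (1 byte, counts the 2 header bytes) | Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attributes(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks, then
    c1 = p1 XOR MD5(S || RA) and c_n = p_n XOR MD5(S || c_(n-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw: bytes):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad RADIUS length")
    return code, ident, raw[4:20], decode_attributes(raw[20:])


def response_authenticator(code, ident, attr_bytes, request_auth, secret) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def nas_access_request(ident, username, password, secret, nas_ip, nas_port) -> bytes:
    """Slide step 2: the NAS forwards ID/password to the AAA server."""
    request_auth = os.urandom(16)                        # fresh for every request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def aaa_server_handle(raw: bytes, secret: bytes, user_db: dict) -> bytes:
    """Slide step 3: check the credentials and answer Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    fields = dict(attrs)
    username = fields.get(USER_NAME, b"").decode()
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(username)
    accepted = stored is not None and hmac.compare_digest(stored, password)
    reply = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    auth = response_authenticator(reply, ident, b"", request_auth, secret)
    return build_packet(reply, ident, auth, [])


def nas_check_reply(reply: bytes, request: bytes, secret: bytes):
    """Slide step 4: accept the call only on an authentic Access-Accept; None means discard."""
    code, ident, resp_auth, _ = parse_packet(reply)
    _, req_ident, request_auth, _ = parse_packet(request)
    if ident != req_ident:
        return None
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return code == ACCESS_ACCEPT
```

The hiding step keeps the password out of the clear between NAS and server, but it is only as strong as the shared secret and MD5, which is one reason TACACS+ (which encrypts the whole body) and, later, RADIUS over TLS were preferred for the NAS-to-server leg.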
TACACS+ Authentication
• Local or centralized
• Cisco continues to expand TACACS+ and add features in Cisco IOS™ 11.3
• Cisco customers benefit from additional functionality with CiscoSecure server of both TACACS+ and RADIUS
• Cisco enterprise customers continue to ask for TACACS+ features
(figure: TACACS database holding username/password and additional information)
Lock-and-Key Security
• Dynamically assigns access control lists on a per-user basis
• Allows a remote host to access a local host via the Internet
• Allows local hosts to access a host on a remote network
(figure: an authorized user reaches the corporate site across the Internet; a non-authorized user does not)
Calling Line Identification
(figure: Station A, ISDN number 1234, places a call over ISDN; the call setup message carries the local ISDN number, the router compares it with known numbers and accepts the call, optionally followed by PPP CHAP authentication)
User Authentication with Kerberos
• Authenticates users and the network services they use
• Uses “tickets” or “credentials” issued by a trusted Kerberos server
– Limited life span; can be used in place of standard “user/password” mechanism
(figure: the remote user (Kerberos principal) obtains a Kerberos credential (ticket) from the Kerberos server and presents an encrypted service credential to the Kerberized router to reach the mail server)
How Public Key Works
(figure: two devices across a WAN, each holding a public key and a private key, arrive at a shared DES key)
• By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them
Digital Signatures
(figure: signing: Bob’s document is hashed to a message hash, which is encrypted with Bob’s private key to form the digital signature sent along with the message; verifying: the recipient decrypts the signature with Bob’s public key, hashes the received document, and compares the two hashes: "Same?")
• If verification is successful, document has not been altered
Certificate Authority
• Certificate Authority (CA) verifies identity
• CA signs digital certificate containing device’s public key
• Certificate equivalent to an ID card
• Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
(figure: a client and a bank, each holding a certificate issued by a CA, communicating across the Internet)
Network Address Translation
• Provides dynamic or static translation of private addresses to registered IP addresses
• Eliminates readdressing overhead—Large admin. cost benefit
• Conserves addresses—Hosts can share a single registered IP address for all external communications via port-level multiplexing
• Permits use of a single IP address range in multiple intranets
• Hides internal addresses
• Augmented by EasyIP DHCP host function
(figure: host 10.0.0.1 sends a packet with SA 10.0.0.1; the NAT router forwards it to the Internet with SA 171.69.58.80, per the table)

Inside Local IP Address   Inside Global IP Address
10.0.0.1                  171.69.58.80
10.0.0.2                  171.69.58.81
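A small model of the translation table on this slide, as an added example (not Cisco's implementation): inside-local addresses are mapped to inside-global ones from a pool, a further inside-global address takes over with port-level multiplexing (PAT) once the pool is used up, and inbound packets are translated back only when a mapping exists, which is what keeps the internal addresses hidden. The 10.0.0.x and 171.69.58.80/81 pairs come from the slide; the PAT address 171.69.58.82 and the outside hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Inside-to-outside translation: static entries, a dynamic one-to-one pool, and
    port-level multiplexing (PAT) onto one address once the pool is exhausted."""

    def __init__(self, inside_network, pool, static=None, pat_address=None):
        self.inside = ipaddress.ip_network(inside_network)
        self.pool = list(pool)          # free inside-global addresses
        self.static = dict(static or {})
        self.dynamic = {}               # inside local -> inside global
        self.pat_address = pat_address
        self.pat = {}                   # (inside local, inside port) -> global port
        self.pat_reverse = {}           # global port -> (inside local, inside port)
        self.next_pat_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the inside network."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return pkt                                   # not ours to translate
        glob = self.static.get(pkt.src) or self.dynamic.get(pkt.src)
        if glob is None and self.pool:
            glob = self.dynamic[pkt.src] = self.pool.pop(0)
        if glob is not None:
            return replace(pkt, src=glob)
        if self.pat_address is None:
            raise RuntimeError("pool exhausted and no PAT address configured")
        key = (pkt.src, pkt.sport)
        if key not in self.pat:                          # one global port per inside socket
            self.pat[key] = self.next_pat_port
            self.pat_reverse[self.next_pat_port] = key
            self.next_pat_port += 1
        return replace(pkt, src=self.pat_address, sport=self.pat[key])

    def inbound(self, pkt: Packet):
        """Reverse translation for a packet arriving from the Internet. None means drop:
        nothing inside is mapped to that address/port, so the inside addressing stays hidden."""
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if pkt.dst == glob:
                return replace(pkt, dst=local)
        if pkt.dst == self.pat_address and pkt.dport in self.pat_reverse:
            local, lport = self.pat_reverse[pkt.dport]
            return replace(pkt, dst=local, dport=lport)
        return None

    def translation_table(self) -> list:
        """Rows of (inside local, inside global, kind), like the slide's table."""
        rows = [(l, g, "static") for l, g in self.static.items()]
        rows += [(l, g, "dynamic") for l, g in self.dynamic.items()]
        rows += [(f"{l}:{p}", f"{self.pat_address}:{gp}", "pat") for (l, p), gp in self.pat.items()]
        return rows


if __name__ == "__main__":
    nat = NatRouter("10.0.0.0/24", ["171.69.58.80", "171.69.58.81"], pat_address="171.69.58.82")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(nat.outbound(Packet(host, 40000, "198.51.100.20", 80)))
    for row in nat.translation_table():
        print(*row)
```

Note that the dynamic and PAT tables are populated by outbound traffic only: an unsolicited packet from the Internet to 171.69.58.82 on a port nobody inside has used gets no translation and is dropped.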
Security Technology: Integrity
Integrity—Network Availability
• Ensure the network infrastructure remains available
– TCP Intercept, route authentication
TCP Intercept
(figure: the request is intercepted by the router, the connection is established with the router, then transferred to the server)
• Protects networks against denial of service attacks
• TCP SYN flooding can overwhelm server and cause it to deny service, exhaust memory, or waste processor cycles
• TCP Intercept protects network by intercepting TCP connection requests and replying on behalf of the destination
• Can be configured to passively monitor TCP connection requests and respond if connection fails to be established in a configurable interval
Route Authentication
(figure: home gateway on the Internet accepting route updates only from a trusted source)
• Enables routers to identify one another and verify each other’s legitimacy before accepting route updates
• Ensures that routers receive legitimate update information from a “trusted” source
Integrity—Perimeter Security
• Control access to critical network applications, data, and services
– Access control lists, firewall technologies, content filtering, CBAC, authentication
Access Lists
• Standard
– Filter source address only
– Permit/deny entire protocol suite
• Extended
– Filter source, destination addresses
– Inbound or outbound
– Port number
– Permit/deny specific protocols
– Reflexive
– Time-based
Policy Enforcement Using Access Control Lists
(figure: inbound Telnet from the Internet is stopped at the home gateway)
• Ability to stop or reroute traffic based on packet characteristics
• Access control on incoming or outgoing interfaces
• Works together with NetFlow to provide high-speed enforcement on network access points
• Violation logging provides useful information to network managers
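The access-list behaviour described on the last two slides, as an added example rather than IOS code: a parser for a subset of the Cisco access-list syntax (standard and extended entries, wildcard masks, the host and any keywords, eq ports by name or number, the log keyword), first-match evaluation with the implicit deny at the end of every list, and violation logging. The policy text, with inbound Telnet denied as in the "Inbound Telnet Stopped Here" figure, is constructed; the port-name table covers only the names the example needs.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "domain": 53, "ftp": 21}
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_address(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A'; return (base, wildcard, rest).
    Wildcard bits set to 1 are don't-care bits, the inverse of a subnet mask."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0, tokens[2:]
    if len(tokens) > 1 and DOTTED.match(tokens[1]):
        return ip_int(tokens[0]), ip_int(tokens[1]), tokens[2:]
    return ip_int(tokens[0]), 0, tokens[1:]


@dataclass
class Entry:
    action: str
    proto: str                 # "ip" matches every protocol
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int]       # None: any destination port
    log: bool
    text: str

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if (ip_int(pkt["src"]) | self.src_wc) != (self.src | self.src_wc):
            return False
        if (ip_int(pkt["dst"]) | self.dst_wc) != (self.dst | self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def parse_acl(text: str) -> list:
    """Standard lists (1-99) filter on source only; extended lists (100-199) add
    protocol, destination and port. Remarks and '!' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:
            proto = "ip"
            src, src_wc, rest = parse_address(rest)
            dst, dst_wc = 0, 0xFFFFFFFF
        else:
            proto, rest = rest[0], rest[1:]
            src, src_wc, rest = parse_address(rest)
            dst, dst_wc, rest = parse_address(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        entries.append(Entry(action, proto, src, src_wc, dst, dst_wc, dport, "log" in rest, raw.strip()))
    return entries


def evaluate(entries: list, pkt: dict):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action, entry
    return "deny", None


def enforce(entries: list, packets: list):
    """Apply the list to a batch: returns (permitted packets, violation log lines).
    Entries carrying 'log' and the implicit deny both produce a line here; logging
    the implicit deny is an assumption of this example, the router does not by default."""
    permitted, log = [], []
    for pkt in packets:
        action, entry = evaluate(entries, pkt)
        if action == "permit":
            permitted.append(pkt)
        elif entry is None or entry.log:
            rule = entry.text if entry else "implicit deny"
            log.append(f"denied {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt.get('dport')} by '{rule}'")
    return permitted, log
```

Order matters: the deny for Telnet has to precede the permit for the inside range, otherwise the permit matches first and the Telnet entry is never reached, which is the most common way an access list silently fails to enforce the written policy.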
Importance of Firewalls
• Permit secure access to resources
• Protect networks from:
– Unauthorized intrusion from both external and internal sources
– Denial of service (DOS) attacks
What Is a Firewall?
• All traffic from inside to outside and vice versa must pass through the firewall
• Only authorized traffic, as defined by the local security policy, is allowed in or out
• The firewall itself is immune to penetration
Packet-Filtering Routers
(figure: a router with ACLs separates the ISP and Internet from the protected network of users and the e-mail server; a public-access web server and micro web servers are also shown)
Proxy Service
(figure: proxy server between the internal network and the Internet/intranet)
• Provides user-level security
• Most effective when used with packet filtering
Stateful Sessions
(figure: firewall between the Internet and the mail and WWW servers)
• Highest performance security
• Maintains complete session state
• Connection oriented
– Tracks complete connection
– Establishment and termination
• Strong audit capability
• Easy to add new applications
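One connection tracker serving both the TCP Intercept slide and this one, as an added example that is not Cisco's code: it follows each TCP connection through SYN, SYN/ACK, ACK and teardown, admits only segments that belong to a known session, and, in the manner of TCP Intercept's passive watch mode, clears half-open connections that fail to complete within a configurable interval and reports when they pile up against one server. The inside network, the exposed service, the timeout and the flood threshold are assumptions; the segments in the test are a constructed trace.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # any of S (SYN), A (ACK), F (FIN), R (RST)


class StatefulFirewall:
    """Follows each TCP connection from SYN through teardown and admits only segments
    that belong to a known session. Half-open connections that do not complete within
    watch_timeout are cleared (TCP Intercept's watch mode sends a reset at this point)
    and a pile-up of them on one server is reported."""

    def __init__(self, inside_network, inbound_services, watch_timeout=30.0, flood_threshold=100):
        self.inside = ipaddress.ip_network(inside_network)
        self.inbound_services = set(inbound_services)   # (server, port) open to the outside
        self.watch_timeout = watch_timeout
        self.flood_threshold = flood_threshold
        self.sessions = {}   # (client, cport, server, sport) -> {"state": ..., "since": ...}
        self.events = []

    def _lookup(self, seg):
        forward = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        if forward in self.sessions:
            return forward, "client"
        if reverse in self.sessions:
            return reverse, "server"
        return None, None

    def _expire_half_open(self, now):
        for key, s in list(self.sessions.items()):
            if s["state"] == "SYN_SENT" and now - s["since"] > self.watch_timeout:
                self.events.append(f"{now:.0f}s: half-open {key[0]}:{key[1]} -> {key[2]}:{key[3]} timed out, reset")
                del self.sessions[key]

    def half_open(self, server) -> int:
        return sum(1 for k, s in self.sessions.items() if k[2] == server and s["state"] == "SYN_SENT")

    def process(self, seg: Segment) -> str:
        """Return 'permit' or 'deny' for one segment and update the session table."""
        self._expire_half_open(seg.ts)
        key, side = self._lookup(seg)
        syn, ack = "S" in seg.flags, "A" in seg.flags
        if syn and not ack:
            if key is not None:
                return "permit"                                  # retransmitted SYN
            from_outside = ipaddress.ip_address(seg.src) not in self.inside
            if from_outside and (seg.dst, seg.dport) not in self.inbound_services:
                self.events.append(f"{seg.ts:.0f}s: denied SYN {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}, no policy")
                return "deny"
            self.sessions[(seg.src, seg.sport, seg.dst, seg.dport)] = {"state": "SYN_SENT", "since": seg.ts}
            pending = self.half_open(seg.dst)
            if pending > self.flood_threshold:
                self.events.append(f"{seg.ts:.0f}s: {pending} half-open connections to {seg.dst}, possible SYN flood")
            return "permit"
        if key is None:
            self.events.append(f"{seg.ts:.0f}s: denied {seg.flags} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}, no session")
            return "deny"
        s = self.sessions[key]
        if syn and ack and side == "server" and s["state"] == "SYN_SENT":
            s["state"] = "SYN_RECEIVED"
        elif ack and side == "client" and s["state"] == "SYN_RECEIVED":
            s["state"] = "ESTABLISHED"
        elif "R" in seg.flags or ("F" in seg.flags and s.get("fin_seen")):
            del self.sessions[key]                               # teardown complete
        elif "F" in seg.flags:
            s["fin_seen"] = True                                 # first half of the close
        return "permit"
```

The session table is also the audit trail the slide mentions: every deny carries the reason (no policy, no session) and every reset of a half-open connection is recorded with its timestamp.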
Performance Requirements
(figure: company network to the Internet; throughput scale of .5, 1, 5, 10, 20 and 40 Meg per sec)
• Video
• Audio
• Private link
• Web commerce
Integrity—Privacy
• Provide authenticated private communication on demand
– VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
Encryption and Decryption
(figure: clear text "Bob Is a Fink" is encrypted into cipher text such as "8vyaleh31&d ktu.dtrw8743 $Fie*nP093h" and decrypted back into clear text "Bob Is a Fink")
What Is IPSec?
• Network-layer encryption and authentication
– Open standards for ensuring secure private communications over any IP network, including the Internet
– Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
– Data protected with network encryption, digital certification, and device authentication
• Implemented transparently in network infrastructure
• Includes routers, firewalls, PCs, and servers
• Scales from small to very large networks
IPSec Everywhere!
• Router to Router
• Router to Firewall
• PC to Router
• PC to Server
• PC to Firewall
IKE—Internet Key Exchange
• Automatically negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates (possibly multiple) security associations for IPSec
(figure: an IKE policy tunnel between two peers; each side offers "3DES, MD5, and RSA Signatures, OR IDEA, SHA, and DSS Signatures, OR Blowfish, SHA, and RSA Encryption", and the peers settle on IDEA, SHA, and DSS Signatures)
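An authenticated Diffie-Hellman exchange, as an added example covering both the "How Public Key Works" slide and the IKE bullet above (it is not Cisco's IKE implementation): the two peers exchange public values and each derives the same key from its own private value and the peer's public one, then each proves knowledge of a pre-shared key with an HMAC over the values it actually saw, so a public value substituted in transit is caught. The group is the 1024-bit MODP group 2 of RFC 2409, transcribed here; the key derivation and the tag construction are simplified stand-ins for IKE's SKEYID and HASH_I/HASH_R and are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (Oakley group 2, RFC 2409), the group size of the period and
# transcribed for this example; modern deployments use larger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PUB_LEN = 128   # bytes in a 1024-bit value


def dh_keypair():
    """Private exponent x and public value g^x mod p; only the public value is sent."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    """g^(xy) mod p from our private x and the peer's g^y; reject degenerate values."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_public, private, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Session key from the DH secret and both nonces (stand-in for IKE's SKEYID)."""
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(PUB_LEN, "big"), hashlib.sha256).digest()


def auth_tag(psk: bytes, pub_i: int, pub_r: int, nonce_i: bytes, nonce_r: bytes, role: bytes) -> bytes:
    """Proof of knowledge of the pre-shared key, bound to the public values a side saw."""
    msg = role + pub_i.to_bytes(PUB_LEN, "big") + pub_r.to_bytes(PUB_LEN, "big") + nonce_i + nonce_r
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.private, self.public = dh_keypair()
        self.nonce = secrets.token_bytes(16)


def ike_exchange(init: Peer, resp: Peer, pub_i_received=None, pub_r_received=None):
    """Authenticated DH in both directions. The *_received arguments let a test hand a
    peer a public value other than the one its counterpart actually sent.
    Returns (both sides accepted, initiator's key, responder's key)."""
    pub_i_at_r = init.public if pub_i_received is None else pub_i_received
    pub_r_at_i = resp.public if pub_r_received is None else pub_r_received
    # 1. each side combines its private value with the public value it received
    key_i = derive_key(dh_shared_secret(init.private, pub_r_at_i), init.nonce, resp.nonce)
    key_r = derive_key(dh_shared_secret(resp.private, pub_i_at_r), init.nonce, resp.nonce)
    # 2. each side sends a tag over the values it used
    tag_i = auth_tag(init.psk, init.public, pub_r_at_i, init.nonce, resp.nonce, b"I")
    tag_r = auth_tag(resp.psk, pub_i_at_r, resp.public, init.nonce, resp.nonce, b"R")
    # 3. and checks the peer's tag against what it itself saw; any substitution fails here
    init_ok = hmac.compare_digest(
        tag_r, auth_tag(init.psk, init.public, pub_r_at_i, init.nonce, resp.nonce, b"R"))
    resp_ok = hmac.compare_digest(
        tag_i, auth_tag(resp.psk, pub_i_at_r, resp.public, init.nonce, resp.nonce, b"I"))
    return init_ok and resp_ok, key_i, key_r


if __name__ == "__main__":
    alice, bob = Peer(b"constructed-psk"), Peer(b"constructed-psk")
    ok, key_a, key_b = ike_exchange(alice, bob)
    print("authenticated:", ok, "| same key:", key_a == key_b)
```

Plain Diffie-Hellman gives both ends the same key whoever is on the other end; that is why the slide says "authenticated": the tags tie the public values to a secret only the legitimate peers hold (a pre-shared key here, RSA or DSS signatures in the proposals on the figure).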
How IPSec Uses IKE
(figure: Router A and Router B, with an IKE tunnel between their IKE processes)
1. Outbound packet from Alice to Bob—No IPSec security association yet
2. Router A’s IKE begins negotiation with router B’s IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by IPSec SA
Encryption—DES and 3DES
• Widely adopted standard
• Encrypts plain text, which becomes ciphertext
• DES performs 16 rounds
• Triple DES (3DES)
– The 56-bit DES algorithm runs three times
– 112-bit triple DES includes two keys
– 168-bit triple DES includes three keys
• Accomplished on a VPN client, server, router, or firewall
Breaking DES Keys
• Exhaustive search is the only way to break DES keys (so far)
• Would take hundreds of years on fastest general purpose computers (56-bit DES)
– Specialized computer would cost $1,000,000 but could crack keys in 35 minutes (Source: M.J. Wiener)
• Internet enables multiple computers to work simultaneously
• Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
Security Technology: Active Audit
Why Active Audit?
• The hacker might be an employee or “trusted” partner
– Up to 80% of security breaches come from the inside (Source: FBI)
• Your defense might be ineffective
– One out of every three intrusions occur where a firewall is in place (Source: Computer Security Institute)
• Your employees might make mistakes
– Misconfigured firewalls, servers, etc.
• Your network will grow and change
– Each change introduces new security risks
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems
Why Active Audit?
• Network security requires a layered defense
– Point security PLUS active systems to measure vulnerabilities and monitor for misuse
– Network perimeter and the intranet
• Security is an ongoing, operational process
– Must be constantly measured, monitored, and improved
Active Audit—Network Vulnerability Assessment
• Assess and report on the security status of network components
– Scanning (active, passive), vulnerability database
Active Audit—Intrusion Detection System
• Identify and react to known or suspected network intrusion or anomalies
– Passive promiscuous monitoring
– Database of threats or suspect behavior
– Communication infrastructure or access control changes
IDS Attack Detection
(figure: signatures classified by Context (header) versus Content (data) and by “Atomic” (single packet) versus “Composite” (multiple packets); examples shown: Ping of Death, Land Attack, Port Sweep, SYN Attack, TCP Hijacking, MS IE Attack, DNS Attacks, Telnet Attacks, Character Mode Attacks)
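The atomic versus composite distinction from the figure, as an added example that is not Cisco's sensor code: two single-packet, header-based signatures (Land Attack, Ping of Death) need nothing but the packet in hand, while the multi-packet Port Sweep signature has to keep state across packets and a time window. The sensor runs both over a constructed capture; the thresholds, the window and the sample packets are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""        # TCP flags, e.g. "S" or "SA"
    frag_offset: int = 0   # IP fragment offset, in 8-byte units
    payload_len: int = 0   # bytes carried by this fragment


# Atomic, context-based signatures: decided from one packet's headers alone.
def land_attack(p: Packet) -> bool:
    """A SYN whose source and destination address and port are identical."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport


def ping_of_death(p: Packet) -> bool:
    """An ICMP fragment that would reassemble beyond the 65535-byte IP maximum."""
    return p.proto == "icmp" and p.frag_offset * 8 + p.payload_len > 65535


ATOMIC_SIGNATURES = {"Land Attack": land_attack, "Ping of Death": ping_of_death}


class PortSweepDetector:
    """Composite, context-based signature: one source touching many distinct ports on
    one host within a sliding time window. Needs memory of earlier packets."""

    def __init__(self, window=10.0, threshold=10):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(list)   # (src, dst) -> [(ts, dport)]
        self.reported = set()

    def observe(self, p: Packet):
        is_probe = p.proto == "udp" or (p.proto == "tcp" and "S" in p.flags and "A" not in p.flags)
        if not is_probe:
            return None
        key = (p.src, p.dst)
        recent = [(t, port) for t, port in self.history[key] if p.ts - t <= self.window]
        recent.append((p.ts, p.dport))
        self.history[key] = recent
        ports = {port for _, port in recent}
        if len(ports) >= self.threshold and key not in self.reported:
            self.reported.add(key)
            return f"Port Sweep: {p.src} probed {len(ports)} ports on {p.dst} within {self.window:.0f}s"
        return None


class Sensor:
    """Passive, promiscuous monitor: every packet goes through the atomic signatures
    and is fed to the composite detectors; alerts accumulate for reporting."""

    def __init__(self):
        self.sweeps = PortSweepDetector()
        self.alerts = []

    def inspect(self, p: Packet):
        for name, signature in ATOMIC_SIGNATURES.items():
            if signature(p):
                self.alerts.append(f"{name}: {p.src} -> {p.dst}")
        alert = self.sweeps.observe(p)
        if alert:
            self.alerts.append(alert)

    def run(self, packets) -> list:
        for p in packets:
            self.inspect(p)
        return self.alerts


# Constructed capture: ordinary web traffic, one malformed SYN, an oversized ICMP
# fragment, and a burst of SYNs to successive ports from a single source.
SAMPLE_TRACE = (
    [Packet(0.0, "192.0.2.7", "10.0.0.10", "tcp", 40000, 80, "S"),
     Packet(0.1, "10.0.0.10", "192.0.2.7", "tcp", 80, 40000, "SA"),
     Packet(0.5, "10.0.0.10", "10.0.0.10", "tcp", 139, 139, "S"),
     Packet(1.0, "203.0.113.9", "10.0.0.10", "icmp", frag_offset=8189, payload_len=1480)]
    + [Packet(2.0 + i * 0.1, "203.0.113.5", "10.0.0.10", "tcp", 5000 + i, 21 + i, "S") for i in range(12)]
)

if __name__ == "__main__":
    for line in Sensor().run(SAMPLE_TRACE):
        print(line)
```

The split mirrors the cost model on the slide: atomic signatures are cheap and stateless, composite ones need per-flow memory and a window, which is also where a sensor's memory limits and its false-positive tuning live.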
Active Audit
• Actively audit and verify policy
• Detect intrusion and anomalies
• Report
(figure: a "Universal Passport" document)
Summary
• Security is a mission-critical business requirement for all networks
• Security requires a global, corporate-wide policy
• Security requires a multilayered implementation