
Enterprise Network Security

Accessing the WAN Chapter 4

Version 4.0

2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

Availability vs Security
In today's networks there is a fine balance between keeping networks open so that information can be shared and the need for security. You could completely secure your network servers by locking them away, but then no one would be able to share resources.


The Increasing Threat to Security

In 1985, an attacker needed expert knowledge and powerful equipment to perform even basic attacks. Today, far less knowledge is required and basic equipment is enough to perform sophisticated attacks: the entry-level requirements for attackers have been lowered.


Attacker Terminology
- White Hat: a person who looks for vulnerabilities in networks in order to improve network security
- Black Hat: a person who uses their knowledge to break into computer networks with malicious intent; often called a hacker or a cracker
- Phreaker: a person who manipulates the phone network so that it performs functions that aren't allowed
- Spammer: a person who sends large quantities of unsolicited e-mail
- Phisher: a person who uses e-mail and other methods to trick people into handing over sensitive information without realizing what they have done


Develop a Security Policy

The first step in protecting your network is to develop a sound security policy. It has two objectives to accomplish:
- Document the resources to be protected
- Identify the security objectives of the organization

A policy is a set of principles that guide decision-making processes. Three characteristics of a good security policy:
- It informs employees of acceptable and unacceptable use of network resources
- It defines how to handle security incidents
- It defines the roles employees take if there is a security incident


Vulnerability, Threat, and Attack

A vulnerability is the degree of weakness inherent in every network and device.
Threats are the people (and, more broadly, the circumstances) that can take advantage of such weaknesses to gain access to networks.
Attacks are the actual actions carried out against a network.

There are three primary classes of vulnerability:
- Technological weaknesses, such as flaws in protocols, operating systems or network equipment
- Configuration weaknesses, such as default accounts and passwords or unneeded services left enabled
- Security policy weaknesses, such as no patching process or no plan for handling incidents


Questions!!!
- What are two objectives a security policy must accomplish?
- What are three characteristics of a good security policy?
- Who poses more of a threat to your network security, the experienced hacker or the inexperienced person who downloads exploits from the Internet?


Physical Threats
The four classes of physical threats are:

- Hardware threats - Physical damage to servers, routers, switches, cabling plant, and workstations
- Environmental threats -Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)

- Electrical threats -Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- Maintenance threats -Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling


Physical Security Measures


Types of Threats
- Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers
- Structured threats involve people who know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses
- External threats come from individuals or organizations working outside a company who do not have authorized access to its computer systems or network; they work their way into a network mainly from the Internet or dial-up access servers
- Internal threats occur when someone who has authorized access to the network, either an account or physical access, misuses it


Social Engineering
The easiest hack involves no computer skill at all: an attacker tries to trick a member of an organization into giving up valuable information, such as the location of files or passwords.

Phishing is a type of social engineering attack that uses e-mail or other types of messages to trick people into providing sensitive information, such as credit card numbers or passwords. The best defense is user awareness: verify unexpected requests out of band and never enter credentials on a page reached from an unsolicited link.

Types of Network Attacks

- Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
- System access is the ability of an intruder to gain access to a device for which the intruder does not have an account or a password.
- Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny service to the intended users.
- Worms, viruses, and Trojan horses are malicious software inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services.


Reconnaissance Attacks
Internet information queries:
- External attackers use Internet tools like nslookup and whois to discover the IP address space of a corporation or entity
- Once the address space is known, the attacker pings the addresses to identify those that are active. To automate this step, an attacker uses a ping sweep tool like fping or gping, which systematically pings every address in a given range or subnet (hosts that drop ICMP echo are missed by this step, which is why scanners also probe TCP and UDP ports directly)
- Next the intruder uses a port scanner like Nmap or SuperScan to determine which network services or ports are listening on the live IP addresses
Internal attackers may instead "eavesdrop" on network traffic. Network snooping and packet sniffing are common terms for eavesdropping.
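The sweep-then-scan sequence above leaves a recognizable footprint in flow records: one source touching many hosts with ICMP echo, then many ports on one host. The detector below is an added example, not part of the Cisco course material; the flow format, the sample traffic and the two thresholds are constructed for the demo, and a real deployment would feed it from NetFlow, firewall logs or a Zeek conn.log with its own parser.

```python
"""Spot the reconnaissance sequence (ping sweep, then port scan) in flow records.

Added example, not from the Cisco slides. Flow format is constructed for the demo:
one flow per line, "time src dst proto dport" (dport is "-" for ICMP).
"""
from collections import defaultdict

# Constructed sample: 10.0.0.99 sweeps 192.0.2.1-8 with ICMP echo, then scans
# ten ports on 192.0.2.5, the host that answered. 10.0.0.5 is ordinary traffic.
SAMPLE_FLOWS = """\
10:00:01 10.0.0.99 192.0.2.1 icmp -
10:00:01 10.0.0.99 192.0.2.2 icmp -
10:00:01 10.0.0.99 192.0.2.3 icmp -
10:00:01 10.0.0.99 192.0.2.4 icmp -
10:00:01 10.0.0.99 192.0.2.5 icmp -
10:00:02 10.0.0.99 192.0.2.6 icmp -
10:00:02 10.0.0.99 192.0.2.7 icmp -
10:00:02 10.0.0.99 192.0.2.8 icmp -
10:00:05 10.0.0.5 192.0.2.5 tcp 443
10:00:09 10.0.0.99 192.0.2.5 tcp 21
10:00:09 10.0.0.99 192.0.2.5 tcp 22
10:00:09 10.0.0.99 192.0.2.5 tcp 23
10:00:09 10.0.0.99 192.0.2.5 tcp 25
10:00:10 10.0.0.99 192.0.2.5 tcp 80
10:00:10 10.0.0.99 192.0.2.5 tcp 110
10:00:10 10.0.0.99 192.0.2.5 tcp 139
10:00:10 10.0.0.99 192.0.2.5 tcp 443
10:00:11 10.0.0.99 192.0.2.5 tcp 445
10:00:11 10.0.0.99 192.0.2.5 tcp 3389
10:00:12 10.0.0.5 192.0.2.7 tcp 80
10:00:13 10.0.0.5 192.0.2.5 tcp 443
"""

# Thresholds are assumptions for the demo; tune them to the size of your network.
SWEEP_MIN_HOSTS = 5   # distinct hosts pinged by one source
SCAN_MIN_PORTS = 8    # distinct ports probed on one host by one source


def parse_flows(text):
    """Return a list of (time, src, dst, proto, dport) tuples; dport is None for ICMP."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, proto, dport = line.split()
        flows.append((time, src, dst, proto, None if dport == "-" else int(dport)))
    return flows


def detect_recon(flows, sweep_min=SWEEP_MIN_HOSTS, scan_min=SCAN_MIN_PORTS):
    """Return {"ping_sweeps": {src: [hosts]}, "port_scans": {(src, dst): [ports]}}."""
    pinged = defaultdict(set)   # src -> hosts it sent ICMP echo to
    probed = defaultdict(set)   # (src, dst) -> TCP/UDP ports it touched
    for _, src, dst, proto, dport in flows:
        if proto == "icmp":
            pinged[src].add(dst)
        else:
            probed[(src, dst)].add(dport)
    return {
        "ping_sweeps": {s: sorted(h) for s, h in pinged.items() if len(h) >= sweep_min},
        "port_scans": {k: sorted(p) for k, p in probed.items() if len(p) >= scan_min},
    }


if __name__ == "__main__":
    for kind, hits in detect_recon(parse_flows(SAMPLE_FLOWS)).items():
        for who, targets in hits.items():
            print(f"{kind}: {who} -> {len(targets)} targets: {targets}")
```

The two counters are deliberately separate: a sweep is "one source, many hosts" and a scan is "one source, one host, many ports", and a slow attacker can stay under either threshold, so a production detector also windows the counts in time and keys on the source rather than on individual connections.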


Questions!!!
- High levels of fake requests for service preventing users from accessing the company server would be what type of attack?
- Preventing users from opening e-mail messages from suspicious sources would be trying to prevent what?
- What is the best defense against phishing exploits?


Access Attacks: Password Attacks

- Password attacks can use a packet sniffer to capture user accounts and passwords that are transmitted in clear text (Telnet, FTP and HTTP basic authentication, for example)
- More often the term refers to repeated attempts to log in to a shared resource, like a server or router. These repeated attempts are called dictionary attacks or brute-force attacks
- In a dictionary attack, tools like L0phtCrack or Cain repeatedly try words from a word list as the password (in practice these tools mostly work offline against captured password hashes, which avoids the lockouts and rate limits a live login would hit)
- In a brute-force attack the tool walks through every combination of a character set, eventually computing every possible password; the cost grows exponentially with password length, which is why length matters more than complexity rules
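To make the difference between the two attacks concrete, here is an added example (not from the Cisco slides) that runs both against a captured password hash. The hash scheme (one unsalted-per-site SHA-256 over salt and password) and the tiny word list are constructed for the demo; they stand in for the captured hashes a tool like L0phtCrack or Cain works on offline.

```python
"""Dictionary attack versus brute force against a captured password hash.

Added example, not from the Cisco slides. The hash scheme (SHA-256 over salt+password,
one iteration) and the word list are constructed for the demo.
"""
import hashlib
import itertools

SALT = b"r1-salt"  # constructed; a real system stores a random salt per account

# Constructed mini word list. Real lists run to millions of entries plus mangling rules.
WORDLIST = ["password", "cisco", "Summer2006", "letmein", "admin123", "qwerty"]
LOWER_DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"


def hash_password(password, salt=SALT):
    """Toy password hash: SHA-256(salt || password). Fast to compute, hence fast to attack."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist, salt=SALT):
    """Try each candidate word; return the password or None. Cost = len(wordlist) hashes."""
    for word in wordlist:
        if hash_password(word, salt) == target_hash:
            return word
    return None


def brute_force(target_hash, alphabet, max_len, salt=SALT):
    """Try every string over `alphabet` up to max_len characters; return it or None."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target_hash:
                return candidate
    return None


def keyspace_size(alphabet_size, max_len):
    """Number of candidates brute force must cover for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # A dictionary word falls immediately, however long it is.
    print(dictionary_attack(hash_password("Summer2006"), WORDLIST))
    # A random 3-character password falls to brute force in under 50k guesses...
    print(brute_force(hash_password("zq7"), LOWER_DIGITS, 3))
    # ...but 8 printable ASCII characters (95 symbols) is ~6.7e15 guesses.
    print(f"{keyspace_size(95, 8):.2e}")
```

The lesson the numbers teach is the one the slide hints at: a long password that is in a word list is cracked as fast as "cisco", while a short random one is cracked by exhaustion, so only length plus randomness (and a slow, salted hash on the server side) defeats both.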


Access Attacks: Trust Exploitation

Trust exploitation is compromising a trusted host and using it to stage attacks on other hosts in a network. If a host inside a company's firewall (the inside host) accepts connections from a trusted host outside the firewall (the outside host), the inside host can be attacked through the compromised outside host. Trust relationships should therefore be as narrow as possible (specific hosts, ports and authenticated users), never "anything from this address".


Access Attacks: Port Redirection

Port redirection is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked. For example, an attacker who controls a host the firewall trusts installs a port-forwarding tool on it, so that connections from the attacker to a port on that host are relayed to an inside host and port the firewall would never have allowed directly.


Access Attacks: Man-in-the-Middle

A man-in-the-middle attack is when an attacker manages to position themselves between two legitimate hosts, for example by spoofing ARP on the local segment or by hijacking a routing or DNS path.

The attacker may allow normal transactions between the hosts and only periodically manipulate the conversation between the two. Mutual authentication and end-to-end encryption (SSH, TLS, IPsec VPNs) are the main defense: an attacker who relays clear-text traffic can read and alter all of it.


Questions!!!
- What type of attack is where the software searches using combinations of character sets to compute every possible password?
- What type of attack is where a trusted host outside the network is compromised and used to stage attacks on a host inside the network?
- What type of attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked?
- What type of attack is when an attacker manages to position himself between two legitimate hosts?


Network Attacks: DoS and DDoS Attacks

A ping of death attack abuses IP fragmentation: the length and fragment-offset fields in the IP headers of a ping's fragments are set so that, when the target reassembles them, the packet is larger than the IP maximum of 65,535 bytes.
- A ping is normally 64 or 84 bytes, while a ping of death reassembles to more than 65,535 bytes
- Receiving a ping of this size may crash an older target whose IP stack does not check the reassembled length. Most systems are no longer susceptible to this particular attack, but reassembly bugs of the same class still turn up in new code, so the IP stack is one more thing to keep patched.


Network Attacks: DoS and DDoS Attacks

A SYN flood attack exploits the TCP three-way handshake:
- It involves sending a large number of SYN requests (thousands or more) to a targeted server, usually from spoofed source addresses
- The server replies with the usual SYN-ACK and allocates connection state, but the malicious host never responds with the final ACK to complete the handshake
- The half-open connections tie up the server until it runs out of resources and cannot respond to a valid connection request. Modern stacks mitigate this with SYN cookies and short half-open timeouts; on IOS the TCP Intercept feature can complete the handshake on the server's behalf.
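What the server sees is a table of half-open connections that only ever grows. The tracker below is an added example, not from the Cisco course: it replays a constructed sequence of SYN / SYN-ACK / ACK events (three real handshakes and thirty spoofed SYNs) and flags the listener whose half-open count passes an assumed threshold. A real detector would read a capture or NetFlow and age entries out with a timer.

```python
"""Track half-open TCP connections to detect a SYN flood.

Added example, not from the Cisco slides. Events are constructed
(src, sport, dst, dport, flags) tuples standing in for a packet capture.
"""
from collections import defaultdict

SERVER = ("192.0.2.10", 80)   # constructed target listener
HALF_OPEN_THRESHOLD = 20      # assumption: alert above this many per listener


def build_sample_events():
    """Three real handshakes that complete, then 30 spoofed SYNs that never send the final ACK."""
    events = []
    for i, sport in enumerate((40001, 40002, 40003)):
        client = f"10.0.0.{i + 1}"
        events.append((client, sport, *SERVER, "S"))       # SYN
        events.append((*SERVER, client, sport, "SA"))      # SYN-ACK
        events.append((client, sport, *SERVER, "A"))       # ACK completes the handshake
    for i in range(30):
        spoofed = f"198.51.100.{i + 1}"                    # forged, unreachable sources
        events.append((spoofed, 50000 + i, *SERVER, "S"))
        events.append((*SERVER, spoofed, 50000 + i, "SA"))  # server answers and holds state
    return events


def half_open_table(events):
    """Return {(server, port): set of (client, sport)} still waiting for the final ACK."""
    pending = defaultdict(set)
    for src, sport, dst, dport, flags in events:
        if flags == "S":
            pending[(dst, dport)].add((src, sport))
        elif flags == "A":
            pending[(dst, dport)].discard((src, sport))    # handshake done, state released
        # "SA" is the server's reply; it does not change the client's pending entry
    return pending


def detect_syn_flood(events, threshold=HALF_OPEN_THRESHOLD):
    """Return [((server, port), half_open_count)] for listeners over the threshold, busiest first."""
    table = half_open_table(events)
    over = [(listener, len(clients)) for listener, clients in table.items() if len(clients) > threshold]
    return sorted(over, key=lambda item: -item[1])


if __name__ == "__main__":
    for (host, port), count in detect_syn_flood(build_sample_events()):
        print(f"SYN flood suspected: {host}:{port} has {count} half-open connections")
```

Note that the spoofed entries can never be cleared by the client side, which is exactly why the defenses above either stop keeping state per SYN (SYN cookies) or put a proxy in front that only passes completed handshakes (TCP Intercept).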


Network Attacks: DoS and DDoS Attacks

A Smurf attack is an amplification attack that uses spoofed broadcast ping messages to flood a target system:
- The attacker sends a large number of ICMP echo requests to a network's broadcast address with the source address spoofed to be the victim's
- The traffic is multiplied by the number of hosts that respond: on a multiaccess broadcast network there could be hundreds of machines replying to each echo packet, all of them to the victim
- The amplifying network is at fault as much as the attacker: routers should not forward directed broadcasts (no ip directed-broadcast on each interface, the IOS default since 12.0), and anti-spoofing filters at the network edge stop forged source addresses from leaving


Questions!!!
- What type of attack modifies the IP portion of a ping packet header to indicate that there is more data in the packet than there actually is?
- What type of attack exploits the TCP three-way handshake?
- What attack uses spoofed broadcast ping messages to flood a target system?


Device Hardening
Device hardening means taking your router or server and reducing its attack surface:
- Change default usernames and passwords
- Allow access to system resources only to authorized users
- Turn off all unnecessary applications and services


Mitigating Security Threats

Additional steps you can take to secure your network include:
- Use antivirus software
- Use a firewall
- Apply all security patches


Intrusion Detection and Prevention

Intrusion Detection Systems (IDS) detect attacks against a network and send logs to a management console; they work on a copy of the traffic and cannot stop it themselves.

Intrusion Prevention Systems (IPS) sit inline in the traffic path, so on top of detection they provide:
- Prevention: stops the detected attack from executing
- Reaction: blocks further traffic from a malicious source so the system is protected against follow-on attacks from it


HIDS vs HIPS
A Host-based Intrusion Detection System (HIDS) is usually implemented as a passive technology:
- It sends logs to a management console after the attack has occurred, when the damage is already done

A Host-based Intrusion Prevention System (HIPS) is an inline technology that actually stops the attack, prevents damage, and blocks the propagation of worms and viruses:
- Active detection can be set to shut down the network connection or stop the affected services automatically
- Cisco provides HIPS through the Cisco Security Agent software
- HIPS software (called agent software) is installed on each host, server or desktop, to monitor activity performed on and against the host
- The agent sends logs and alerts to a centralized management server


Questions!!!
- What is the process called that involves taking your router or server and reducing the attack surface?
- What type of device is used to detect attacks against a network and send logs to a management console?
- What type of device prevents attacks against the network by stopping an attack while it is occurring?


Security Appliances and Applications


The Cisco Adaptive Security Appliance (ASA) integrates firewall, voice security, SSL and IPsec VPN, IPS, and content security services in one device. The Cisco ASA 5500 provides threat control to regulate network access, isolate infected systems, prevent intrusions, and protect assets against malicious traffic like worms and viruses


Security Appliances and Applications

The Cisco Network Admission Control (NAC) appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. It provides a role-based method of preventing unauthorized access to a network, admitting a device only after it has been identified and checked against the policy.


Security Appliances and Applications

The Cisco IPS 4200 series is an inline intrusion prevention system for larger networks. The inline prevention is provided by the sensors, which identify, classify, and stop malicious traffic on the network.


The Network Security Wheel

The Network Security Wheel is a continuous process used to help comply with security policies. Step 1 is to secure the network:
- Threat defense: stateful inspection and packet filtering. Stateful inspection refers to a firewall keeping information on the state of each connection in a state table, so that it can recognize changes in the connection that could mean an attacker is attempting to hijack a session or otherwise manipulate it
- Secure connectivity: VPNs encrypt network traffic to prevent disclosure to unauthorized or malicious individuals
- Trust and identity: implement tight constraints on trust levels within the network; for example, systems outside a firewall should never be absolutely trusted by systems inside it
- Authentication: give access to authorized users only
- Policy enforcement: ensure that users and end devices comply with the corporate policy


The Network Security Wheel

Step 2 of the Network Security Wheel is to monitor security. This includes both active and passive methods of detecting security violations:
- The most commonly used active method is to audit host-level log files; most operating systems include auditing functionality
- System administrators must enable the audit system on every host on the network and take the time to check and interpret the log entries (forwarding them to a central syslog server and alerting on them is what makes this sustainable at scale)
- Implement an IDS

The Network Security Wheel

Step 3 of the Network Security Wheel is to test security. This involves actively testing the security measures implemented in Step 1. Vulnerability assessment tools like SATAN (Security Administrator Tool for Analyzing Networks, now of historical interest), Nessus, or Nmap can be used to periodically test the network security measures at the network and host level.


The Network Security Wheel


Step 4 of the Network Security Wheel is to improve security The improvement phase of the Security Wheel involves analyzing the data collected during monitoring and testing This analysis helps to develop and implement improvement mechanisms that change the security policy and results in adding items to step 1

This starts the cycle over again which is what makes the Network Security Wheel a circular continuous process


Questions!!!
- What are the four stages of the Security Wheel?
- What are some things that can be done during the first stage?
- At what stage of the Security Wheel does intrusion detection occur?


Configure Basic Router Security

Routers are targets for network attackers. If an attacker can compromise and access a router, it helps them gain access to other elements in the network. To protect the network, you need to understand the router's roles:
- Advertise networks
- Filter who can use the network
- Provide access to network segments and subnetworks

Routers Are Targets

Examples of security problems with routers include:
- Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components. An ACL in place also tells the attacker that you are protecting something important
- Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data, since traffic can be redirected through a host the attacker controls
- Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection


Securing Your Network

Secure your network at the perimeter first. Think about router security in these categories:
- Physical security
- Update the router IOS whenever advisable
- Back up the router configuration and IOS
- Harden the router to eliminate the potential abuse of unused ports and services


Configure Basic Router Security

The six steps required to safeguard your routers are listed in the slide figure. We'll cover the first five in this chapter and the final one in the next chapter, where we learn how to create ACLs.


Configure Basic Router Security

Basic router security starts with strong passwords:
- Use the service password-encryption command so that line and username passwords do not appear in clear text in show commands. Be aware that this is type 7 obfuscation, a reversible scheme with a fixed key, not real encryption: it protects against someone reading over your shoulder, not against anyone who obtains a copy of the configuration
- Use the enable secret command, which stores a one-way hash, rather than enable password, and configure passwords on all lines (console, vty, aux)
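How weak type 7 is becomes obvious once you see the decoder. The script below is an added example, not from the Cisco course: it implements the publicly known type 7 scheme (a two-digit offset into a fixed key, then one XOR byte per character), recovers every `password 7` line from a constructed configuration fragment, and leaves the `enable secret` line alone because that one is a hash. The secret hash in the sample is a placeholder, not a real value.

```python
"""Why `service password-encryption` is not real protection: type 7 is reversible.

Added example, not from the Cisco slides. The sample config is constructed and the
`enable secret` value is a placeholder rather than a real MD5 hash.
"""
import re

# Fixed key used by IOS type 7 obfuscation (publicly known since the 1990s).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Recover the clear-text password from a type 7 string such as 060506324F41."""
    offset = int(encoded[:2])                   # first two digits: starting index into the key
    body = bytes.fromhex(encoded[2:])           # then one hex byte per password character
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def encode_type7(plaintext, offset=0):
    """Produce a type 7 string (IOS picks an offset 0-15); here only to show the round trip."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    body = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plaintext.encode()))
    return f"{offset:02d}{body.hex().upper()}"


_PW7 = re.compile(r"^\s*(.*\bpassword 7) ([0-9A-Fa-f]+)\s*$")


def recover_type7_passwords(config_text):
    """Return [(config line, recovered password)] for every 'password 7' line.

    `enable secret` / `username ... secret` lines hold a one-way hash (type 5, or type 8/9
    on newer IOS) and cannot be reversed this way, which is why the slides recommend them."""
    found = []
    for line in config_text.splitlines():
        m = _PW7.match(line)
        if m:
            found.append((line.strip(), decode_type7(m.group(2))))
    return found


# Constructed running-config fragment, as `show running-config` prints it after
# `service password-encryption`. The secret hash is a placeholder, not a real value.
SAMPLE_CONFIG = f"""\
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password 7 060506324F41
username admin privilege 15 password 7 {encode_type7("cisco123", 2)}
line vty 0 4
 password 7 {encode_type7("Telnet!2006", 11)}
 login
"""

if __name__ == "__main__":
    for line, clear in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line!r:60} -> {clear!r}")
```

The practical consequences: treat a configuration backup, a TFTP directory or a ticket with a pasted `show run` as if it contained the passwords in clear text, and use `secret` forms (enable secret, username ... secret) wherever IOS offers them.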


Securing Administrative Access

As your network grows, consoling in to every router isn't an option and you'll need remote access. If implemented incorrectly, remote access could allow an attacker to take control of your network. First, secure your vty and aux lines. Next, configure the router to accept only SSH, which encrypts the whole management session; Telnet sends usernames, passwords and every command in clear text.


Configuring Secure Administrative Access


If you will not be using the auxiliary port for a modem connection, then shut it off by using the following:


Configuring Secure Administrative Access

It is preferable to use Secure Shell (SSH) over Telnet because SSH encrypts the session, whereas Telnet is clear text. To configure SSH on the vty lines, use the following commands:

- transport input none (the slide uses the no transport input form) turns off all types of connection to the vty lines
- transport input ssh then permits only SSH for vty connections, so Telnet attempts are refused
- The exec-timeout 3 command causes an idle vty session to be dropped after 3 minutes of inactivity


Configuring SSH Security

- We name the host, then define the domain name: the RSA key pair is labelled with hostname.domain-name, and SSH cannot be enabled without it
- We generate the asymmetric RSA key pair (crypto key generate rsa) used to authenticate the router and set up the session keys, and are asked what key size we want. The 2006 course recommends 1,024 bits; current practice is 2,048 bits or more, and SSH version 2 should be enforced with ip ssh version 2
- We next define a local user, then configure SSH on the vty lines (login local, transport input ssh)
- Finally, the SSH negotiation time-out in seconds and the number of login attempts are configured (ip ssh time-out, ip ssh authentication-retries)

Using SSH
To establish an SSH connection, use an SSH client like PuTTY or Tera Term. Choose the SSH option; the router listens on TCP port 22. On the first connection the client shows the router's host key fingerprint; verify it out of band before accepting it, otherwise a man-in-the-middle could present its own key and the encryption would protect nothing.


Disable Unnecessary Services

There are some services that should be turned off on your router. Turning off unnecessary services is known as hardening the router; it reduces your attack surface.
- Small services (echo, discard, chargen): use the no service tcp-small-servers and no service udp-small-servers commands
  - echo (port 7) simply returns whatever it receives; it is unrelated to ICMP ping, which keeps working after it is disabled
  - discard (port 9) is a debugging tool that silently drops what it receives
  - chargen (port 19) stands for character generator and is also a testing tool; echo and chargen are classic targets for reflection and traffic-loop attacks
- BOOTP: use the no ip bootp server command
- Finger: use the no service finger command. Finger (port 79) reports who is logged in to the router, information that is useful to an attacker
- HTTP: use the no ip http server command (and no ip http secure-server if HTTPS management is not used either)
- SNMP: use the no snmp-server command, which removes the SNMP configuration entirely. If SNMP is needed for monitoring, use SNMPv3 with authentication rather than v1/v2c community strings
- CDP: use no cdp run globally, or no cdp enable on interfaces facing untrusted networks; CDP advertises the platform, IOS version and addresses to whoever is listening
- DNS: use the no ip domain-lookup command. This stops the router performing name lookups (and mistyped commands being sent off to a DNS server); it does not disable a DNS server, since the router is not one
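Since the password, line, SSH and service settings above are all just lines in the running configuration, the checklist can be turned into an audit script. The one below is an added example, not from the Cisco course: it parses a configuration text into global lines and `line`/`interface` blocks and reports what is missing or must go, and it is run over two constructed configurations, a weak one and one hardened as the slides recommend (the hashes in it are placeholders). It uses the global `no cdp run` rather than the per-interface `no cdp enable`, and adds `ip ssh version 2`, which is not on the slides. One caveat: `show running-config` omits settings that are at their default, so compare against `show running-config all` or verify on the device before treating an absent line as a defect.

```python
"""Audit an IOS configuration text for the hardening items on these slides.

Added example, not from the Cisco slides. Both sample configs are constructed
and their secret hashes are placeholders.
"""
import re

# `no cdp run` disables CDP globally; the slides' `no cdp enable` is the per-interface form.
REQUIRED_GLOBAL = [
    "service password-encryption", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip bootp server", "no service finger",
    "no ip http server", "no cdp run", "ip ssh version 2",
]
FORBIDDEN_GLOBAL = [
    re.compile(r"^enable password "),        # clear text or type 7; use `enable secret`
    re.compile(r"^snmp-server community "),  # SNMPv1/v2c community string
]
REQUIRED_VTY = [  # (label, pattern); `transport input ssh` must be exact, no telnet alongside
    ("transport input ssh", re.compile(r"^transport input ssh$")),
    ("login local", re.compile(r"^login local$")),
    ("exec-timeout", re.compile(r"^exec-timeout \d+")),
]
REQUIRED_AUX = ["no exec", "transport input none"]


def split_blocks(text):
    """Return (global_lines, {block header: [child lines]}).

    IOS indents the children of a `line ...` / `interface ...` block by one space."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):   # `!` separates sections
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current, line = None, raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            blocks[current] = []
        else:
            global_lines.append(line)
    return global_lines, blocks


def audit_config(text):
    """Return a list of finding strings; an empty list means every check passed."""
    global_lines, blocks = split_blocks(text)
    findings = [f"missing global: {w}" for w in REQUIRED_GLOBAL if w not in global_lines]
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("missing global: enable secret")
    findings += [f"remove: {l}" for l in global_lines if any(p.match(l) for p in FORBIDDEN_GLOBAL)]
    for header, children in blocks.items():
        if header.startswith("line vty"):
            for label, pattern in REQUIRED_VTY:
                if not any(pattern.match(c) for c in children):
                    findings.append(f"{header}: missing {label}")
        elif header.startswith("line aux"):
            findings += [f"{header}: missing {w}" for w in REQUIRED_AUX if w not in children]
    if not any(h.startswith("line aux") for h in blocks):
        findings.append("line aux 0: not configured (expected no exec / transport input none)")
    return findings


# Constructed "before": clear-text enable password, Telnet allowed, services left on.
WEAK_CONFIG = """\
enable password cisco
service tcp-small-servers
ip http server
snmp-server community public RO
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed "after", applying the slides' recommendations. Hashes are placeholders.
HARDENED_CONFIG = """\
ip domain-name example.net
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
username admin privilege 15 secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
no cdp run
ip ssh version 2
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 3 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

The `transport input ssh` check is deliberately an exact match: `transport input telnet ssh` still accepts Telnet, which is the mistake this audit exists to catch.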

Cisco AutoSecure

The auto secure command can be used to automatically disable non-essential system processes and services and apply a baseline of hardening settings. There are two modes, interactive and non-interactive; interactive mode (shown in the slide) prompts for each decision and lets you review what the command is about to change, which is preferable on a router that is already in production.


Questions!!!
- When setting encryption for use with SSH, what key size does Cisco recommend?
- What is the port number for SSH?
- What command is used to disable DNS lookups?
- What command will automatically disable non-essential system processes and services?


Securing Routing Protocols: RIPv2

The steps to secure RIPv2 updates are as follows:
- Step 1. Prevent RIP routing update propagation: force all interfaces into passive mode (passive-interface default) and then re-enable only those that need to exchange updates
- Step 2. Create a key chain and define the keys
- Step 3. Prevent unauthorized reception of RIP updates: enable MD5 authentication on the interfaces. A router then discards updates that are not signed with the shared key, so an attacker cannot inject or alter routes. It does not stop anyone from intercepting and reading the updates, since they are authenticated, not encrypted


Securing Routing Protocols: EIGRP and OSPF

To secure routers running EIGRP or OSPF, configure MD5 authentication in the same way: a key chain (EIGRP) or a message-digest key on the interface (OSPF) shared by the neighbouring routers. As with RIPv2, this authenticates the updates but does not encrypt them. Newer IOS releases also support SHA-based HMAC authentication through key chains, which should be preferred over MD5 where available.
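The same property holds for all three protocols on these two slides, so one model serves both: a keyed digest lets a neighbour reject forged, altered or replayed updates, while a sniffer still reads every route. The script below is an added example, not from the Cisco course, and a simplified model rather than the exact RFC 2082 or OSPF wire format: the digest is MD5 over the update followed by the key padded to 16 bytes, with a key ID and a sequence number carried in clear, and the key chain and routes are constructed for the demo.

```python
"""Model of keyed-MD5 authentication for routing updates (RIPv2, EIGRP, OSPF).

Added example, not from the Cisco slides; a simplified model, not the exact
RFC 2082 / OSPF packet layout. The key chain and routes are constructed.
"""
import hashlib
import hmac

# Constructed key chain shared by the legitimate routers; key IDs let keys roll over.
KEY_CHAIN = {1: b"R1-R2-shared-key"}

ROUTES = [("10.1.0.0/16", "192.0.2.2", 1), ("10.2.0.0/16", "192.0.2.2", 2)]


def serialize(key_id, seq, routes):
    """Clear-text body of the update; the key itself is never sent."""
    lines = [f"keyid={key_id} seq={seq}"] + [f"{p} via {nh} metric {m}" for p, nh, m in routes]
    return "\n".join(lines).encode()


def digest(body, key):
    """Keyed MD5: MD5(body || key padded with zeros to 16 bytes)."""
    return hashlib.md5(body + key.ljust(16, b"\0")).digest()


def sign_update(routes, key_id, seq, key_chain=KEY_CHAIN):
    """Build an update as the sending router would: routes in clear, digest appended."""
    body = serialize(key_id, seq, routes)
    return {"key_id": key_id, "seq": seq, "routes": list(routes),
            "digest": digest(body, key_chain[key_id])}


def verify_update(update, last_seq, key_chain=KEY_CHAIN):
    """Return (accepted, reason). Replay is caught by the sequence number, forgery by the digest."""
    key = key_chain.get(update["key_id"])
    if key is None:
        return False, "unknown key id"
    if update["seq"] <= last_seq:
        return False, "replayed or stale sequence number"
    expected = digest(serialize(update["key_id"], update["seq"], update["routes"]), key)
    if not hmac.compare_digest(expected, update["digest"]):
        return False, "bad digest"
    return True, "ok"


def sniff(update):
    """What an eavesdropper sees: every route, in clear text. Authentication is not encryption."""
    return list(update["routes"])


if __name__ == "__main__":
    genuine = sign_update(ROUTES, key_id=1, seq=10)
    print("genuine:", verify_update(genuine, last_seq=9))
    # Attacker without the key tries to inject a default route toward their own host.
    forged = sign_update([("0.0.0.0/0", "203.0.113.66", 1)], 1, 11, key_chain={1: b"guess"})
    print("forged:", verify_update(forged, last_seq=10))
    # Attacker replays the genuine update later.
    print("replayed:", verify_update(genuine, last_seq=10))
    # Attacker alters a metric in transit.
    tampered = dict(genuine, routes=[("10.1.0.0/16", "192.0.2.2", 15)] + ROUTES[1:])
    print("tampered:", verify_update(tampered, last_seq=9))
    print("sniffer sees:", sniff(genuine))
```

Two things carry over to the real protocols: the sequence number is what stops an attacker from replaying an old, validly signed update (which is why RFC 2082 and OSPF include one), and nothing here hides the routes, so anyone who must not learn the topology has to be kept off the segment, not just denied the key.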


Cisco Security Device Manager (SDM)

A GUI-based tool that lets you easily configure not only security but also most other features of Cisco routers and switches. (SDM has since been superseded by Cisco Configuration Professional.)


Configure Cisco SDM

To configure Cisco SDM on a router already in use, without disrupting network traffic, follow these steps:
- Step 1. Access the router's CLI using the console connection (or SSH; Telnet would send the credentials in clear text)
- Step 2. Enable the HTTP and HTTPS servers on the router (HTTPS only, if possible, so the SDM login is encrypted)
- Step 3. Create a user account defined with privilege level 15 (enable privileges)
- Step 4. Configure SSH and Telnet for local login and privilege level 15


How to Use Cisco SDM

SDM is stored in flash memory or on a PC. Use HTTPS and put the IP address of the router in the browser, then enter a username and password (the privilege 15 account created earlier).


How to Use Cisco SDM

- The Menu Bar is standard
- The Tool Bar gives access to the SDM wizards
- Router Information shows available memory and IOS information


Lock Down a Router Using SDM


The one-step lockdown wizard is accessed from the Configure GUI interface by clicking the Security Audit task


Questions!!!
- What is the privilege level required in order to use SDM?
- How do you access the control page in order to use SDM?
- What two locations can SDM be run from?


Maintaining Cisco IOS Images

Periodically you will need to update your routers in order to secure them. Newly released versions are not always stable, so it is common to wait for a release to mature before deploying it, but a release that fixes a vulnerability exposed on your network should be applied promptly (or the affected feature disabled until it can be). Updates are free fixes to an IOS release; upgrades replace the IOS with a new version and are not free.


Cisco IOS File Systems

The show file systems command identifies which file systems are available on a router. It also shows how much free space each has, which matters when planning updates and upgrades.


Flash Memory
Using the dir command we see the contents of flash memory

Of interest is line 11 which provides the name of the current IOS


Cisco IOS File Naming Conventions


NVRAM
Next, we view NVRAM by changing to that file system with the cd nvram: command. The pwd command shows which directory we are working in, and dir shows the contents of NVRAM, where the startup configuration is stored.


Managing Cisco IOS Images


TFTP Managed Cisco IOS Devices


Backing Up a Software Image


Upgrading a Software Image


Questions!!!
- What are the two most important pieces of information we get out of using the dir command for flash memory?
- What are two important conditions a Cisco administrator should verify before attempting to upgrade an IOS image from a TFTP server, and what commands are used?


Recovering IOS Software Images

If the IOS image is deleted or becomes corrupt, it must be replaced for the router to function. When no bootable image is found, the router drops to the rommon> prompt by default.


Using Xmodem to Recover

From ROMmon, tftpdnld is the quick way to recover: it downloads the image from a TFTP server over the router's first Ethernet interface. Xmodem is the other option; it transfers the image over the console cable and is very slow in comparison, but it needs no network connectivity at all.


Password Recovery


Questions!!!
- How do we access the router for password recovery (through what port)?
- What do we change in order to recover a password? From what to what?
