Académique Documents
Professionnel Documents
Culture Documents
1
Lesson Planning
2
Major Concepts
Describe the principles of secure network design.
Describe the Cisco Self Defending Network.
Describe the role of operations security in a network.
Describe the various techniques and tools to use for network security
testing.
Describe the principles of business continuity planning and disaster
recovery.
Describe the SDLC and how to use it to design a Secure Network
Life Cycle management process.
Describe the functions, goals, role, and structure of a comprehensive
security policy.
3
Contents
4
9.1 Principles of Secure Network
Design
5
Principles of Secure Network Design
6
Ensuring a Network is Secure
7
Developing Security Policies
8
Risk Management Guidelines
9
Threat Identification and Risk Analysis
Bank Scenario
Risk Analysis
Quantitative Analysis
Annualized Rate of Occurrence
10
Threat Identification – Bank Scenario
Identified Threats
11
Risk Analysis
12
Quantitative Risk Analysis
13
Annualized Rate of Occurrence
Annualized Rate of Occurrence (ARO) - estimated
frequency that a threat is expected to occur.
Single Loss Expectancy (SLE)
Annualized Loss Expectancy (ALE) - expected financial
loss that an individual threat will cause an organization.
15
Ways to Handle Risk
16
Risk Management Scenario
17
Risk Management Scenario
18
Risk Avoidance Scenario
19
9.2 Cisco Self-Defending Network
20
Cisco Self-Defending Network
21
Introduction to Cisco Self-Defending
Network
22
Least Privilege Concept
Web Server
Deny
All
Internet Inside
24
Cisco Self-Defending Network Defined
Efficient security
management, control, and Operational Control
response and Policy Management
Advanced technologies
and security services that:
Mitigate the effects of Threat Control and Secure
outbreaks Containment Communications
Protect critical assets
Ensure privacy
25
Collaborative Systems Enabling
Unparalleled Security
26
Cisco Threat Control Solutions
Threat control for endpoints: This element defends against threats most
commonly introduced by Internet use, such as viruses, spyware, and other
malicious content.
Threat control for infrastructure: This element safeguards the server
and application infrastructure against attacks and intrusions. It also
defends against internal and external attempts to penetrate or attack
servers and information resources through application and operating
system vulnerabilities.
Threat control for e-mail: This element protects business productivity,
resource availability, and confidential information by stopping e-mail
initiated threats.
27
Secure Communications
28
Operational Control and
Policy Management
29
Cisco Solutions for a CSDN
30
Cisco Security Manager
31
Cisco Security MARS
32
Cisco Integrated Security Portfolio
33
Secure Network Platform
Security Services Integrated into the Network
Advanced Technologies and Services
Automated Threat Virtualized Behavioral-Based
Integrate Response Security Services Protection
Advanced
Endpoint Posture Dynamic DDoS Endpoint and Application-
Services Control Mitigation Layer Inspection
Integrate AdvancedSecurity
Security Point IPsec
Services Where and SSL
Needed
IPS
Products VPN
Firewall Access Control Network Antivirus
Integrated Collaborative Adaptive
34
Core Topology
MARS
ACS
VPN
Remote Worker
Intern Firewall
et
VPN
IPS
WAN
Iron Port
VPN CSA
Remote Branch
LAN
Web Email
Server Server DNS
35
9.3 Operations Security
36
Operations Security
Introduction
Principles
37
Overview
38
Core Principles
Separation of duties:
two-man control and dual
operator
Rotation of duties
Trusted recovery:
failure preparation and system
recovery
Change and configuration
controls
39
Separation of Duties
40
Rotation of Duties
Technical support
Week 1
Week 2
Data Center Support
Week 3
Data Entry
41
Trusted Recovery
Practices:
A junior staff member is responsible for loading
blank media.
Backup software uses an account that is
unknown to individuals to bypass file security.
A different staff member removes the backup
media and securely stores it on site while being
assisted by another member of the staff.
A separate copy of the backup is stored off site Backup 3 Backup 2
and is handled by a third staff member who is
accompanied by another staff member.
Backup 1
42
Configuration Change Control
43
9.4 Network Security Testing
44
Network Security Testing
Introduction
Network Security Testing Tools
45
Introduction to Network Security
Testing
Objectives
Assessing the Operational Status
Using Testing Results
46
Objectives of Security Testing and
Evaluation
Objectives of ST&E:
Uncover design, implementation,
and operational flaws that
could lead to the violation of the
security policy.
47
Assessing the Operational Status
Network scanning
Vulnerability scanning
Password cracking
Log review
Integrity checkers
Virus detection
War dialing
War driving (802.11 or wireless LAN testing)
Penetration testing
48
Using Testing Results
49
Network Security Testing Tools
50
Security Testing Tools
51
Nmap
Basic functionality
Classic TCP and UDP port
scanning
Classic TCP and UDP port
sweeping
Stealth TCP and UDP port
scans and sweeps
Remote operating system
identification, known as OS
fingerprinting.
52
SuperScan
53
9.5 Business Continuity Planning
and Disaster Recovery
54
Business Continuity Planning and
Disaster Recovery
Continuity Planning
Objectives
Disaster Recovery
55
The Objectives
56
Disaster Recovery
57
Disruptions
58
Backups
Redundancy
Replacement components
owned by the organization or a
server provider
Service level agreement (SLA)
Redundant facility
Hot Site
Warm Site
Cold Site
59
9.6 System Development Life Cycle
60
System Development Life Cycle (SDLC)
Initiation
Acquisition and development
Implementation
Operations and maintenance
Disposition
61
Initiation
Initiation
62
Acquisition and Development
63
Implementation
Operations and
Maintenance Implementation
64
Operations and Maintenance
Initiation
Configuration management and control: ensures that there is
adequate consideration of the potential security impacts due to specific
changes to an information system or its surrounding environment.
Continuous monitoring: ensures that controls continue
Disposition to be
Acquisition and
effective in their application through periodic testing and evaluation.
Development
Operations and
Maintenance Implementation
65
Disposition
Initiation
66
9.7 Developing a Comprehensive
Security Policy
67
Developing a Comprehensive
Security Policy
68
Security Policy Overview
69
Determining an Organization’s Assets
70
Security Policy Benefits
Demonstrates an organization’s
commitment to security.
Sets the rules for expected
behavior.
Ensures consistency in system
operations, software and
hardware acquisition and use, and
maintenance.
Defines the legal consequences of
violations.
Gives security staff the backing of
management.
71
Audience
72
Structure of a Security Policy
Hierarchy of Policies
Governing Policy
Technical Policies
End User Policy
73
Hierarchy of Policies
Governing Policy
Technical End-User
Policies Policies
74
Governing Policy
Important components:
A statement of the issue that the
policy addresses.
How the policy applies in the
environment.
The roles and responsibilities of
those affected by the policy.
The actions, activities, and
processes that are allowed and
those that are not.
The consequences of
noncompliance.
75
Technical Policies
General policies
E-mail policies
Remote -access policies
Telephony policy
Application policies
Network policies
Wireless communication policy
76
End User Policy
77
Standards, Guidelines and Procedures
Overview
Standards Documents
Guideline Documents
Procedure Documents
78
Overview
79
Standards Documents
81
Procedure Documents
82
Roles and Responsibilities
Management Responsibilities
Executive Titles
83
Management Responsibilities
84
Executive Titles
85
Security Awareness Training
86
Security Awareness Program
87
Awareness
88
Training and Education
From: IT department
To: all Employees
Subject: Course Offerings
We are currently offering several training opportunities. Please see
the list below and contact your manager if interested.
89
Success
90
Laws and Ethics
91
Laws and Ethics
Types of Laws
Criminal
Civil
Administrative
Ethics
Computer Ethics Institute
Internet Activities Board (IAB)
Generally Accepted System Security Principles (GASSP)
International Information Systems Security Certification Consortium,
Inc (ISC)2 Code of Ethics
92
The ISC2 Code of Ethics
93
Response to Security Breach
94
Motive, Opportunity, and Means
95
Procedures
96
97