Enterprise Network Security


Enterprise Network Security Accessing the WAN – Chapter 4

Objectives
- Describe the general methods used to mitigate security threats to enterprise networks
- Configure basic router security
- Explain how to disable unused Cisco router network services and interfaces
- Explain how to use Cisco SDM
- Manage Cisco IOS devices

Security Threats
White hat - An individual who looks for vulnerabilities in systems or networks and then reports them to the owners so that they can be fixed. White hats are ethically opposed to the abuse of computer systems: a white hat focuses on securing IT systems, whereas a black hat (the opposite) wants to break into them.
Hacker - A general term that has historically described a computer programming expert. More recently it is often used negatively to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.

Security Threats Continued Black hat - Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat. Cracker - A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent. Phreaker - An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.

Security Threats Continued
Spammer - An individual who sends large quantities of unsolicited e-mail messages. Spammers often use malware to take control of home computers (a botnet) and use them to send out their bulk messages.
Phisher - Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.

Describe the General Methods used to Mitigate Security Threats to Enterprise Networks: Explain how sophisticated attack tools and open networks have created an increased need for network security and dynamic security policies (Graphics 4.1.1.2 and 4.1.1.4)

Security Policy
RFC 2196 states that a "security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published a security standard, ISO/IEC 27002 (formerly ISO/IEC 17799), that refers specifically to information technology and outlines a code of practice for information security management.

ISO/IEC 27002 - 12 Sections
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Compliance

Security Policy Function
- Protects people and information
- Sets the rules for expected behavior by users, system administrators, management, and security personnel
- Authorizes security personnel to monitor, probe, and investigate
- Defines and authorizes the consequences of violations

Physical Security Threats

Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Describe the most common security threats and how they impact enterprises Graphic 4.1.2.3

Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Describe the most common types of network attacks and how they impact enterprises Graphic 4.1.3.1

Reconnaissance
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack. It is similar to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors, or open windows. Common techniques:
- Internet information queries (whois, DNS lookups)
- Ping sweeps
- Port scans
- Packet sniffers

System Access System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password. Entering or accessing systems usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.

Denial of Service
Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny service to the intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable; they can also be as simple as deleting or corrupting information. In most cases, performing the attack involves no more than running an existing tool or script, and the attacker needs no account on the target. For these reasons, DoS attacks are the most feared.

Denial of Service

TCP SYN Flood Attack
A flood of TCP SYN segments is sent, usually with forged (spoofed) source addresses. The server treats each one as a connection request: it allocates an entry in its table of half-open (embryonic) connections, replies with a SYN-ACK, and waits for the final ACK of the three-way handshake. Because the source address was forged, that ACK never arrives, and each entry is held until the server's SYN-ACK retransmissions time out. Once the half-open connection table (the listen backlog) is full, the server drops new SYNs, so legitimate clients cannot connect until the flood stops and the stale entries expire. The attack costs the sender almost nothing, because it never has to complete a handshake or keep any state of its own.
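The course does not show a router-side countermeasure for this. The following is an added example (not slide content) of Cisco IOS TCP Intercept, which makes the router answer SYNs on the server's behalf and only opens a connection to the real server once the client's ACK has arrived, so spoofed SYNs never occupy a half-open slot on the server. The server subnet 192.0.2.0/24, the ACL number and the thresholds are assumptions chosen for illustration.

```cisco
! Added example, not from the course. Protect the servers in 192.0.2.0/24
! (placeholder subnet) from SYN floods with TCP Intercept.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
!
! Intercept (rather than merely watch) the SYNs matched by ACL 120
ip tcp intercept list 120
ip tcp intercept mode intercept
! When the half-open count crosses the high watermark, drop the oldest
! embryonic connections first until the count falls below the low watermark
ip tcp intercept drop-mode oldest
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
! Same idea for the rate of new half-open connections per minute
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
```

show tcp intercept statistics and show tcp intercept connections show the current half-open counts and whether aggressive mode has engaged. TCP Intercept moves the state from the server to the router rather than removing it, so the watermarks should be set from observed normal traffic, and the feature only protects hosts behind the router, not the router's own services.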

Worms, Viruses and Trojan Horses Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services. Common names for this type of software are worms, viruses, and Trojan horses.

Describe the General Methods used to Mitigate Security Threats to Enterprise Networks: Describe the common mitigation techniques that enterprises use to protect themselves against threats (Graphics 4.1.4.1 & 4.1.4.2): personal firewall, antivirus, OS patches.

Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Explain the concept of the Network Security Wheel Graphic 4.1.5.1

The Security Wheel - a continuous process:
- Develop a security policy
- Secure the network
- Monitor security
- Test
- Improve

The Role of Routers in Network Security Advertise networks and filter who can use them. Provide access to network segments and subnetworks.

Routers are Targets - Router Security
- Physical security
- Regular router IOS upgrades
- Router configuration and IOS backups
- Port security
- Disable unused services

Configure Basic Router Security Graphic 4.2.2.1

Encrypt Passwords
service password-encryption obscures the passwords that would otherwise appear in cleartext in the configuration (line, username and enable passwords). It applies the type 7 encoding, which is trivially reversible, so it only protects against someone reading the configuration over your shoulder.

Passwords
Always use the enable secret command rather than enable password. enable secret stores a salted hash (type 5 MD5 on older IOS, type 8 or 9 on current releases) that cannot be recovered from the configuration; an enable password, even with service password-encryption, can be decoded in seconds. The same applies to username ... secret versus username ... password.

Minimum Length
security passwords min-length <length> rejects new passwords shorter than the given length. It is not retroactive: passwords already configured are unaffected until they are changed.

Securing Remote Access
Administrative access over the network should be limited to SSH, restricted to known management addresses, and protected by login throttling and idle timeouts.

Preventing Logins on Unused Lines
Lines that are not used for administration, typically aux 0, should be configured with no exec and transport input none so that nothing can log in through them.

Control Incoming VTY Access
An access-class applied inbound on the VTY lines restricts which source addresses may even reach the login prompt.
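The slides above list the controls but not the commands. Here is an added configuration (not from the course) that applies all of them to one router; the passwords, the management subnet 10.1.100.0/24 and the ACL number are placeholders, the IOS commands themselves are standard.

```cisco
! Added example, not the course's own configuration. Passwords, subnet and
! ACL number are placeholders.
!
! Privileged-EXEC password as a salted hash, never "enable password"
enable secret Str0ng-Enable-Pw!
! Reject short passwords at configuration time (new passwords only)
security passwords min-length 10
! Type 7 obfuscation of any remaining line/username passwords in show run.
! Reversible in seconds, so a shoulder-surfing defence, not a substitute for "secret".
service password-encryption
! Local administrator with a hashed secret
username admin privilege 15 secret Str0ng-Admin-Pw!
! Lock out logins for 120 s after 3 failed attempts within 60 s
login block-for 120 attempts 3 within 60
!
! Console: require the local user database and drop idle sessions after 5 minutes
line console 0
 login local
 exec-timeout 5 0
! Unused AUX port: no EXEC, no inbound transport, shortest possible timeout
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
!
! Only the management subnet may open a VTY session, and only over SSH
access-list 10 permit 10.1.100.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
```

show running-config | include secret|password then shows the enable secret as a hash and the remaining passwords as type 7 strings, and show login reports the block-for state. A VTY connection from outside 10.1.100.0/24 is refused before any login prompt and, because of the log keyword, generates a syslog message. transport input ssh only admits sessions once SSH itself (domain name, RSA key, ip ssh version 2) is configured; until then the VTY lines accept nothing, which is the safe failure mode.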

Remote Access with SSH
SSH provides an encrypted and authenticated channel for remote administration and uses TCP port 22. Telnet (TCP port 23) sends credentials and the whole session in cleartext, so it should be removed from the VTY lines once SSH works.

SSH Configurations
Step 1: configure the router hostname
Step 2: set the domain name (the RSA key is named hostname.domain-name)
Step 3: generate the asymmetric (RSA) key pair
Step 4: configure local authentication and restrict the VTY transport to SSH
Step 5: configure SSH timeouts and retries
Step 6: use SSH

Sample SSH Configuration
The course slide configured ip ssh version 1 and a type 0 (cleartext) user password, and omitted the hostname and key-generation steps that the previous slide lists. The version below keeps the slide's names and values but corrects those points:

```cisco
! Steps 1-3: the RSA key is named after hostname.domain-name, so both must exist first
hostname r1
ip domain-name cisco.com
crypto key generate rsa modulus 2048
! Step 4: local user with a hashed secret (the slide used "password 0", i.e. cleartext)
username student secret cisco
!
! Step 5: SSH version 2 only; SSHv1 has known protocol weaknesses
ip ssh version 2
ip ssh time-out 15
ip ssh authentication-retries 2
!
line vty 0 5
 login local
 transport input ssh
```

Verifying SSH

```cisco
r1#show ip ssh
SSH Enabled - version 1
Authentication timeout: 120 secs; Authentication retries: 3
```

The slide's output shows SSHv1 and the IOS defaults (120-second timeout, 3 retries) rather than the values from the sample configuration, so it was captured before that configuration was applied. After applying it, the first line should read "SSH Enabled - version 2.0" (a value of 1.99 means the router still accepts both protocol versions) and the timeout and retry values should match what was configured. More SSH information is in the Network Security course.

Show crypto key
show crypto key mypubkey rsa lists the RSA key pairs on the router with the key name (hostname.domain-name), the key size and the public key. If no key is listed, SSH cannot start. crypto key zeroize rsa deletes the key pair, which disables SSH until a new one is generated.

Logging Router Activity Logs allow you to verify that a router is working properly or to determine whether the router has been compromised. In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network. Configuring logging (syslog) on the router should be done carefully. Send the router logs to a designated log host. The log host should be connected to a trusted or protected network or an isolated and dedicated router interface. Harden the log host by removing all unnecessary services and accounts.
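An added configuration (not from the course) that implements the slide's advice: timestamps synchronised to NTP, a local buffer, and trap-level logging to a dedicated syslog host, plus logging of configuration changes and login outcomes. The NTP server, the log host and the Loopback0 source address are placeholders.

```cisco
! Added example, not from the course. 10.1.100.10, 10.1.100.20 and
! Loopback0 are placeholders.
!
! Accurate timestamps: logs are only useful for forensics if clocks agree
ntp server 10.1.100.10
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
! Keep a local buffer for when the log host is unreachable
logging buffered 32768 informational
! Send informational (6) and above to the log host from a stable source address
logging host 10.1.100.20
logging trap informational
logging source-interface Loopback0
! Do not flood the console (and do not hide events on a console nobody watches)
no logging console
! Record every configuration change, with passwords masked
archive
 log config
  logging enable
  notify syslog
  hidekeys
! Record failed and successful logins
login on-failure log
login on-success log
```

show logging confirms the host, trap level and buffer contents. Sending from a loopback keeps the source address stable when a physical interface goes down, which matters for log hosts that filter by sender; hidekeys keeps passwords typed at the CLI out of the change log. Level informational is a reasonable default; debugging (7) forwards debug output to the log host and can overwhelm both it and the router.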

Explain How to Disable Unused Cisco Router Network Services and Interfaces Describe the router services and interfaces that are vulnerable to network attack Graphic 4.3.1.1

Disable Unused Services

Explain How to Disable Unused Cisco Router Network Services and Interfaces Explain the vulnerabilities posed by commonly configured management services Graphic 4.3.1.3 Covered in CCNP Course
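The slides do not list the commands. The following added configuration (not from the course; interface names are placeholders) removes the global and per-interface services most often left enabled on a default IOS router, with the reason next to each.

```cisco
! Added example, not from the course. Interface names are placeholders.
!
! Global services that an enterprise router almost never needs
no service tcp-small-servers      ! echo, chargen, discard, daytime
no service udp-small-servers
no service finger                 ! lists logged-in users to anyone
no ip finger
no ip identd
no ip bootp server                ! router acting as a BOOTP server
no service pad                    ! X.25 PAD
no service config                 ! do not fetch configuration from the network at boot
no ip source-route                ! drop source-routed packets
no ip http server                 ! web management; re-enable secure-server only if SDM is used
no ip http secure-server
no cdp run                        ! CDP leaks platform, IOS version and addressing
no snmp-server                    ! unless SNMP is actually monitored
!
! Unused interfaces: shut down and document
interface FastEthernet0/1
 description UNUSED - shut down
 shutdown
!
! Per-interface services on the interfaces that stay up
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip directed-broadcast         ! smurf amplification
 no ip mask-reply
```

Verify with show running-config and, on releases that support it, show control-plane host open-ports, which lists the TCP and UDP ports the router itself is listening on. Two of these need a conscious decision: no cdp run breaks Cisco IP phone auto-configuration and CDP-based discovery tools, and no ip unreachables suppresses the ICMP "fragmentation needed" messages that path MTU discovery depends on, so apply it only where that is acceptable. Disabling ip http secure-server also disables SDM access, covered later in this chapter.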

Securing Routing Protocols
Falsified routing information may be used to cause systems to misinform (lie to) each other, cause a DoS, or cause traffic to follow a path it would not normally follow. The consequences of falsifying routing information are as follows:
1. Redirect traffic to create routing loops, as shown in the figure
2. Redirect traffic so it can be monitored on an insecure link
3. Redirect traffic to discard it

Routing Protocol Authentication
Neighbouring routers share a key, and every routing update carries a keyed digest (MD5 in classic IOS; HMAC-SHA on newer releases). A router discards updates whose digest does not verify, so an attacker without the key cannot inject or alter routes, although the updates themselves are still sent in the clear. Keys should be managed with key chains so that they can be rotated without a neighbour outage.

Routing Updates Authentication

Verify RIP

OSPF Authentication

EIGRP Authentication
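The RIP, OSPF and EIGRP authentication slides are blank in this transcript. The following added configuration (not from the course) enables MD5 authentication for all three on one router; the key chain name, key string, process and AS numbers and interface names are placeholders, and each neighbour must be configured with the same key ID and key string.

```cisco
! Added example, not from the course. Key string, process/AS numbers and
! interface names are placeholders; neighbours need the same key ID and string.
!
! One key chain shared by RIP and EIGRP
key chain ROUTING_KEYS
 key 1
  key-string Rt-Auth-K3y!
!
! RIP version 2 with MD5 authentication on the interface facing the neighbour
router rip
 version 2
 no auto-summary
 network 10.0.0.0
interface Serial0/0/0
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING_KEYS
!
! OSPF: the key lives on the interface; the area is told to require digests
router ospf 1
 area 0 authentication message-digest
interface Serial0/0/1
 ip ospf message-digest-key 1 md5 Rt-Auth-K3y!
!
! EIGRP AS 100 reusing the key chain
router eigrp 100
 network 10.0.0.0
interface Serial0/1/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING_KEYS
```

Verify RIP with show ip protocols, which lists the authentication mode per interface, and debug ip rip, which reports received updates that fail authentication; show ip ospf interface Serial0/0/1 shows "Message digest authentication enabled" and the youngest key ID; show ip eigrp neighbors should list the peer once both sides are configured. The OSPF key is per interface, so anyone on that segment who learns it can still inject routes; to rotate it, add the new message-digest-key before removing the old one, and OSPF sends with both until the old key is gone. Newer IOS releases support HMAC-SHA key chains for OSPF and EIGRP, which should be preferred to MD5 where available.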

Auto Secure
Cisco AutoSecure uses a single command to disable non-essential system processes and services, closing off the attack surface they expose, and to apply a baseline of security settings. You run it in privileged EXEC mode with the auto secure command in one of two modes:
- Interactive mode (the default) prompts you with options to enable and disable services and other security features.
- Non-interactive mode, selected with the no-interact option, applies the recommended Cisco default settings without asking.
Review the resulting configuration (show auto secure config) before saving it: AutoSecure disables services such as CDP that other equipment may depend on, and non-interactive mode makes every such choice for you.

Securing the Router with AutoSecure

Security Device Manager (SDM) The Cisco Router and Security Device Manager (SDM) is an easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers. The SDM files can be installed on the router, a PC, or on both. An advantage of installing SDM on the PC is that it saves router memory, and allows you to use SDM to manage other routers on the network. If Cisco SDM is pre-installed on the router, Cisco recommends using Cisco SDM to perform the initial configuration.

SDM Features

Configuring a Router to Support SDM
Privilege level 15 = enable privileges. SDM logs in with a user at privilege level 15, that is, full privileged EXEC access, so that user's credentials deserve the same protection as the enable secret.
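The course shows the prerequisites as a graphic; here they are as an added configuration (not the course's own), with the user name, password and management subnet 10.1.100.0/24 as placeholders.

```cisco
! Added example, not from the course. User, password and subnet are placeholders.
!
! SDM talks to the router over HTTPS; leave plain HTTP disabled
ip http secure-server
no ip http server
! Authenticate web sessions against the local user database
ip http authentication local
! Only the management subnet may reach the web interface at all
access-list 10 permit 10.1.100.0 0.0.0.255
ip http access-class 10
! SDM needs a level-15 (enable-equivalent) user ...
username sdmadmin privilege 15 secret Str0ng-SDM-Pw!
! ... and VTY lines that land directly in privileged EXEC, over SSH only
line vty 0 4
 privilege level 15
 login local
 transport input ssh
```

SDM then connects as sdmadmin to https://<router-address>; the same prerequisites apply to Cisco Configuration Professional, which replaced SDM. ip http access-class matters because the HTTPS server is otherwise reachable from every interface, and if the router was hardened with no ip http secure-server earlier, that service has to be re-enabled for SDM to work.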

Explain How to Use Cisco SDM Provide an overview of Cisco SDM Graphics 4.4.1.1 & 4.4.1.2

Explain How to Use Cisco SDM Explain the steps to configure a router to use Cisco SDM Graphic 4.4.2.1

Explain How to Use Cisco SDM Explain the steps you follow to start SDM Graphic 4.4.3.1

Explain How to Use Cisco SDM: Describe the Cisco SDM Interface (Graphic 4.4.4.1)

Explain How to Use Cisco SDM Describe the commonly used Cisco SDM wizards Graphic 4.4.5.1

Explain How to Use Cisco SDM Explain how to use Cisco SDM for locking down your router Graphic 4.4.6.1

SDM - End of Life
Cisco announced the end of life for SDM. SDM has been replaced by Cisco Configuration Professional (CCP); the latest release is 2.5, available for download from Cisco.com.

Manage Cisco IOS Devices Graphic 4.5.2.1 Not on Packet Tracer

Flash
Flash is the non-volatile file system that holds the IOS image (and optionally other files); show flash: lists its contents and the free space.

NVRAM (Not on Packet Tracer)
NVRAM holds the startup configuration that the router loads at boot; show startup-config displays it.

Managing Configuration Files Graphic 4.5.2.3

Cisco File Naming Convention
An IOS image name such as c1841-advipservicesk9-mz.124-15.T1.bin (illustrative name) encodes the platform (c1841), the feature set (advipservicesk9, where k9 denotes strong cryptography), where the image runs and how it is packed (m = runs from RAM, z = zip-compressed), and the release (12.4(15)T1), with .bin as the file type.

TFTP Servers

Manage Cisco IOS Devices Explain how to back up and upgrade Cisco IOS software images using a network server Graphics 4.5.4.1 & 4.5.4.2

Upgrading the IOS - Step 1

Upgrading the IOS - Step 2

Upgrading the IOS - Step 3

Restoring IOS Images Graphic 4.5.5.1 & 4.5.5.2

Connect to TFTP Server

Prepare the Router
Make sure you have the correct file name (show version reports the image the router booted from).

Download the file You can also copy the file from a “healthy” router
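The three upgrade steps and the restore procedure above are shown in the course as graphics. The following added session (not course content) walks through a backup, an upgrade with hash verification, a fallback boot order, and the ROMMON recovery path; the TFTP server 10.1.100.30 and the image file names are placeholders (take the real names from show flash: and the Cisco download page, which also publishes the MD5 hash to compare against).

```cisco
! Added example, not from the course. 10.1.100.30 and the image names are placeholders.
!
! 1. Confirm the running image, free flash space and reachability of the TFTP server
R1# show version | include image
R1# show flash:
R1# ping 10.1.100.30
!
! 2. Back up the current image and configuration before touching anything
R1# copy flash:c1841-advipservicesk9-mz.124-15.T1.bin tftp://10.1.100.30/c1841-advipservicesk9-mz.124-15.T1.bin
R1# copy running-config tftp://10.1.100.30/R1-confg
!
! 3. Download the new image and compare its MD5 with the value published by Cisco
R1# copy tftp://10.1.100.30/c1841-advipservicesk9-mz.124-24.T.bin flash:
R1# verify /md5 flash:c1841-advipservicesk9-mz.124-24.T.bin
!
! 4. Boot the new image first, keep the old one as fallback, save and reload
R1# configure terminal
R1(config)# boot system flash:c1841-advipservicesk9-mz.124-24.T.bin
R1(config)# boot system flash:c1841-advipservicesk9-mz.124-15.T1.bin
R1(config)# end
R1# copy running-config startup-config
R1# reload
!
! 5. Recovery when no bootable image is left: from ROMMON, pull the image over TFTP
!    (variables are case sensitive; the server must be reachable from the first FastEthernet port)
rommon 1 > IP_ADDRESS=10.1.1.1
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=10.1.1.254
rommon 4 > TFTP_SERVER=10.1.100.30
rommon 5 > TFTP_FILE=c1841-advipservicesk9-mz.124-24.T.bin
rommon 6 > tftpdnld
```

Two cautions: boot system entries are only honoured when the configuration register is 0x2102 (boot field 2), so check show version before the reload; and tftpdnld on the 1800 series warns that existing flash contents will be erased before it writes the new image, so keep the configuration backup off the box as well.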

Manage Cisco IOS Devices Compare the use of the show and debug commands when troubleshooting Cisco router configurations Graphic 4.5.6.1

Troubleshooting Commands Show commands Debug commands

Debug Command Considerations
- The debug commands may generate a large amount of data that is of little use for a specific problem.
- Normally, knowledge of the protocol or protocols being debugged is required to interpret the output properly.
- Output formats vary with each protocol: some commands generate a single line of output per packet, others multiple lines; some generate large amounts of output, others only occasional output; some produce lines of text, others information in field format.
- Plan its use carefully: debug is CPU intensive, and on a busy router it can starve the control plane.
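An added example (not from the course) of the discipline the slide calls for: check CPU load first, keep the output off the console and timestamped, and narrow packet-level debugging with an ACL rather than debugging everything. Addresses and the ACL number are placeholders.

```cisco
! Added example, not from the course. Hosts and ACL number are placeholders.
!
! Know the baseline before adding load
R1# show processes cpu sorted | exclude 0.00
!
! Timestamp debug lines so they can be correlated with syslog, and keep them
! in the buffer instead of the console
R1# configure terminal
R1(config)# service timestamps debug datetime msec
R1(config)# logging buffered 32768 debugging
R1(config)# no logging console
!
! Narrow packet debugging to one conversation with an ACL
R1(config)# access-list 150 permit ip host 10.1.1.10 host 10.2.2.20
R1(config)# end
R1# debug ip packet 150
!
! See what is running, stop everything, then read the captured output
R1# show debugging
R1# undebug all
R1# show logging
```

debug ip packet only reports process-switched packets, so on a router with CEF or fast switching it shows little of the transit traffic; disabling ip route-cache to see more is itself a denial-of-service risk on a production router and should be avoided. From a VTY session, terminal monitor is needed to see debug output live; with logging console disabled the output still goes to the buffer, where show logging retrieves it. undebug all is the first command to type if the router starts to become unresponsive.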

Commands Related to Debug

Router Password Recovery Graphic 4.5.7.2

Configuration Register
The configuration register is similar to the BIOS settings on a PC, which control the boot process; among other things, the BIOS tells the PC which hard disk to boot from. In a router, the configuration register is a 16-bit value, shown as four hexadecimal digits, that tells the router what to do when powered on: the low four bits (the boot field) select whether to boot into ROMMON, from the first image in flash, or according to the boot system commands in the configuration, and bit 6 (0x0040) tells the router to ignore the startup configuration in NVRAM. The normal value is 0x2102; 0x2142 is the same value with bit 6 set, which is what password recovery relies on. Configuration registers have many uses, and password recovery is probably the most common.

Router Password Recovery Procedure (section 4.5.7)

Show version

```cisco
If you require further assistance please contact us by sending email to export@cisco.com.

Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
```

The last line is the value to check before a reload and after password recovery.
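The procedure itself is left to section 4.5.7 and a graphic. The following is an added walkthrough (not the course's own text) starting from the 1841 above; the new enable secret is a placeholder, and the exact break sequence depends on the terminal program.

```cisco
! Added example, not from the course. The new secret is a placeholder.
!
! 1. Console in, power-cycle the router and send a BREAK during the first
!    60 seconds of boot to reach ROMMON; set bit 6 so NVRAM is ignored, and reset
rommon 1 > confreg 0x2142
rommon 2 > reset
!
! 2. The router boots with a blank configuration (answer "no" to the initial
!    configuration dialog). Load the saved configuration into memory without
!    touching the copy in NVRAM.
Router> enable
Router# copy startup-config running-config
!
! 3. Replace the forgotten secret, bring up the interfaces the blank
!    configuration shut down, restore the normal register and save
R1# configure terminal
R1(config)# enable secret New-Str0ng-Pw!
R1(config)# interface FastEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
R1# show version | include register
```

Two things commonly go wrong. Every interface comes up administratively down, because the blank configuration shut them all before copy startup-config running-config ran, so each needs no shutdown before the configuration is saved. And if the router was configured with no service password-recovery, the break sequence only offers to reset the router to factory defaults, so recovery costs the configuration; that setting is a deliberate trade of recoverability for protection against physical access and should be documented. Anyone with console access and a minute at the power switch can do the above, which is why physical security heads the router security list earlier in this chapter.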

Summary
Security threats to an enterprise network include:
- Unstructured threats
- Structured threats
- External threats
- Internal threats
Methods to lessen security threats consist of:
- Device hardening
- Use of antivirus software
- Firewalls
- Downloading security updates
(Graphic 4.7.1.1)

Summary
Basic router security involves the following:
- Physical security
- Updating and backing up the IOS
- Backing up configuration files
- Password configuration
- Logging router activity
- Disabling unused router interfaces and services to minimize their exploitation by intruders
Cisco SDM: a web-based management tool for configuring security measures on Cisco routers

Summary
Cisco IOS Integrated File System (IFS): allows the creation, navigation and manipulation of directories on a Cisco device