Point Protection. Check List: AAA to the Network Devices; Controlling Packets Destined to the Network Devices; Config Audits.

Presentation transcript:

Point Protection

Check List
- AAA to the Network Devices
- Controlling Packets Destined to the Network Devices
- Config Audits

Risk Assessment. Diagram: NOC, ISP backbone, remote staff and office staff all reach the network devices; the threats to that path are Penetration, Interception and DOS, with AAA as the control point.

Lock Down the VTY and Console Ports. Threat: Penetration. Controls: AAA on the VTY and console ports, receive ACLs (rACLs) and a VTY ACL.

Encrypt the Traffic from Staff to Device. Threat: Interception. Control: SSH from staff to device.

Staff AAA to Get into the Device. Threat: Penetration. Control: AAA on the device.

Radius is not an SP AAA Option! Threat: Interception. SSH from staff to device encrypts the whole session, password included, inside a TCP connection. RADIUS, by contrast, runs over UDP and only obfuscates the User-Password attribute (an MD5 keystream derived from the shared secret and the request authenticator, RFC 2865 section 5.2); the username, every other authorization attribute and the accounting records cross the network in cleartext, and anyone who learns the shared secret can recover the password from a capture. Why make a big deal about SSH to the router and then put the network at risk by choosing RADIUS as the AAA transport? TACACS+ runs over TCP and encrypts the entire packet body.
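To make the point concrete, here is an added example (not code from the original slides or from any RADIUS implementation) that builds a minimal RADIUS Access-Request with the RFC 2865 section 5.2 User-Password hiding, parses it the way a passive sniffer would, and then recovers the password with the shared secret. The shared secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample values for the demonstration; not from any real deployment.
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"noc-engineer"
PASSWORD = b"correct horse battery"

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types, RFC 2865


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse: whoever holds the shared secret and the (cleartext) Request
    Authenticator recovers the password. The keystream chains on ciphertext blocks."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, authenticator, secret, username, password,
                         nas_ip=b"\x0a\x00\x00\x01"):
    """Minimal Access-Request: 20-byte header followed by type/length/value attributes."""
    attrs = b""
    for attr_type, value in ((USER_NAME, username),
                             (USER_PASSWORD, radius_hide_password(password, secret, authenticator)),
                             (NAS_IP_ADDRESS, nas_ip)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes):
    """What a passive observer sees with no secret at all: the authenticator and
    every attribute. Only User-Password is obfuscated; everything else is cleartext."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return authenticator, attrs


def demo():
    """Sniff a constructed Access-Request: the username is readable straight off the
    wire, and the password falls out as soon as the shared secret is known."""
    authenticator = os.urandom(16)
    packet = build_access_request(7, authenticator, SHARED_SECRET, USERNAME, PASSWORD)
    seen_authenticator, attrs = parse_attributes(packet)
    return attrs[USER_NAME], radius_reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, seen_authenticator)
```

Note that `parse_attributes` needs nothing but the packet bytes to read the username and NAS address; the only thing standing between a capture and the password is the shared secret, which is static and reused for every session.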

One Time Password – Checking the ID. Threat: Penetration. Control: one-time passwords (token card, soft token, S/Key). How do you ensure that it is the engineer who is authenticated rather than a compromised workstation? With OTP a captured or keylogged password is worthless after its single use.

DOSing the AAA Infrastructure. Threat: DOS against the AAA servers, and DOS against the AAA ports on the devices (diagram: NOC, ISP backbone, remote and office staff, AAA with OTP).

Use a Firewall to Isolate the AAA Servers. Threat: DOS against the AAA servers and the AAA ports. Stateful inspection is another reason to select TCP-based AAA over UDP: the firewall can track the TACACS+ connection and drop anything that is not part of one. A NOC firewall plus a separate AAA firewall protects the AAA servers from internal as well as external threats.

Distribute AAA Servers and Config Backup. Diagram: AAA/OTP nodes placed at Peer A, Peer B, IXP-W, IXP-E, Upstream A, Upstream B, the POP and the NOC, alongside a sink hole network, so that no single site failure or DOS takes down authentication or the config backups.

TACACS+ URLs
- TACACS+ Open Source: ftp://ftp-eng.cisco.com/pub/tacacs/ (includes the IETF draft, source and specs)
- Extended TACACS++ server –
- TACACS+ mods –

The Old World: Router Perspective. Policy enforced at process level (VTY ACL, kernel ACL, SNMP ACL, etc.); some early features such as ingress ACLs used when possible. Diagram: untrusted telnet, SNMP, attacks and junk all reach the router CPU before any policy is applied.

The New World: Router Perspective. Central policy enforcement prior to process level; granular protection schemes; hardware implementations on high-end platforms. Reference: Protecting The Router Control Plane, draft-ietf-opsec-protect-control-plane-04 (since published as RFC 6192). Diagram: untrusted telnet, SNMP, attacks and junk hit a protection layer in front of the router CPU.
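The first two checklist items (AAA to the devices, and controlling packets destined to the devices) can be audited mechanically against a saved configuration. The following is an added example, not code from the original slides or from any vendor tool: a small IOS-style config parser plus an audit that flags missing `aaa new-model`, RADIUS instead of TACACS+, non-SSH VTY transports, missing VTY ACLs and exec timeouts, and the absence of both a CoPP service-policy and a receive ACL. Both configurations are constructed for the demonstration; the check strings assume IOS syntax.

```python
# Constructed IOS-style configurations (not taken from any real device).
WEAK_CONFIG = """\
hostname edge-router-1
!
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 key radiuskey
!
line con 0
 login authentication default
line vty 0 4
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
hostname edge-router-1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs server noc-tacacs
 address ipv4 10.0.0.6
 key tacacskey
ip ssh version 2
!
ip access-list standard NOC-MGMT
 permit 192.0.2.0 0.0.0.255
 deny any log
!
class-map match-all COPP-MGMT
 match access-group name NOC-MGMT
policy-map COPP
 class COPP-MGMT
  police 512000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class NOC-MGMT in
 exec-timeout 5 0
 transport input ssh
!
end
"""


def parse_sections(config_text):
    """Split an IOS-style config into (top-level line, [indented child lines]) pairs."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    top = [header for header, _ in sections]
    findings = []

    # Checklist item 1: AAA on the device, over TACACS+ (TCP, encrypted body) not RADIUS.
    if "aaa new-model" not in top:
        findings.append("AAA not enabled (aaa new-model)")
    if not any(h.startswith(("tacacs-server host", "tacacs server")) for h in top):
        findings.append("no TACACS+ server configured")
    if any(h.startswith(("radius-server host", "radius server")) for h in top):
        findings.append("RADIUS server configured: AAA crosses the network as cleartext UDP")
    for h in top:
        if h.startswith("aaa authentication login") and "group radius" in h:
            findings.append("login method list uses RADIUS: " + h)

    # Checklist item 1 continued: encrypted management access and locked-down lines.
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 not enforced (ip ssh version 2)")
    for header, body in sections:
        if header.startswith("line vty"):
            if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
                findings.append(header + ": no VTY ACL (access-class <acl> in)")
            transports = [b for b in body if b.startswith("transport input")]
            if not transports or transports[-1] != "transport input ssh":
                findings.append(header + ": transport input is not SSH-only")
        if header.startswith(("line vty", "line con")):
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(header + ": no exec-timeout")

    # Checklist item 2: packets destined to the device are policed before the CPU.
    copp = any(header == "control-plane" and any(b.startswith("service-policy input") for b in body)
               for header, body in sections)
    racl = any(h.startswith("ip receive access-list") for h in top)
    if not (copp or racl):
        findings.append("no control-plane protection (no CoPP service-policy and no receive ACL)")
    return findings
```

Run `audit(WEAK_CONFIG)` and every item on the checklist that the weak box misses comes back as a finding; `audit(HARDENED_CONFIG)` returns an empty list. The parser deliberately treats any indented line as belonging to the nearest top-level line, which is enough for the line, control-plane and policy-map stanzas the audit looks at.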

Watch the Config! There have been many times where the only way you know someone has violated the router is that a config has changed. Of course, that only works if you are monitoring your configs.

Config Monitoring. RANCID – Really Awesome New Cisco confIg Differ (but it works with lots of routers; it is used a lot with Juniper routers). RANCID monitors a device's configuration (software and hardware) using CVS. It logs into each of the devices in the device table file, runs various show commands, processes the output, and e-mails any differences from the previous collection to staff.
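What the "differ" step looks like in practice, as an added example (not RANCID's own code and not from the original slides): two constructed snapshots of one router are normalized by dropping lines that change on every collection, then compared with a unified diff. The volatile-line list and the snapshots are assumptions made for the demonstration; `REDACTED` stands in for a password hash, and the new `svc` account plus the loosened VTY line are the constructed "someone touched the router" signal.

```python
import difflib
import re

# Lines that change on every collection without an operator touching the box;
# a RANCID-style collector filters such lines before diffing (illustrative list).
VOLATILE = (
    re.compile(r"^ntp clock-period "),
    re.compile(r"^! (Last configuration change|No configuration change|NVRAM config last updated)"),
)

# Constructed snapshots of one device taken on two successive collections.
PREVIOUS = """\
! Last configuration change at 10:01:02 UTC Mon Jan 1 2024 by noc
hostname edge-router-1
ntp clock-period 17180012
username noc privilege 15 secret REDACTED
line vty 0 4
 access-class NOC-MGMT in
 transport input ssh
end
"""

CURRENT = """\
! Last configuration change at 03:17:45 UTC Tue Jan 2 2024 by noc
hostname edge-router-1
ntp clock-period 17180019
username noc privilege 15 secret REDACTED
username svc privilege 15 secret REDACTED
line vty 0 4
 transport input telnet ssh
end
"""


def normalize(config_text):
    """Drop volatile lines so that only operator-visible changes survive into the diff."""
    return [line.rstrip() for line in config_text.splitlines()
            if not any(p.match(line) for p in VOLATILE)]


def config_diff(previous, current, device="router"):
    """Unified diff of two normalized snapshots, as it would be mailed to staff."""
    return list(difflib.unified_diff(normalize(previous), normalize(current),
                                     fromfile=device + " (previous)",
                                     tofile=device + " (current)", lineterm=""))


def changed_lines(diff):
    """Only the content lines that were added or removed; file headers and hunk markers skipped."""
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def demo():
    """The four lines that warrant a look: a new privilege-15 user, the VTY ACL gone,
    and telnet re-enabled on the VTYs. The clock-period and timestamp churn is filtered."""
    return changed_lines(config_diff(PREVIOUS, CURRENT, "edge-router-1"))
```

The value of the filter is in what it removes: without it every collection would produce a diff, and the real change (a new account and a VTY line that now accepts telnet with no ACL) would be buried in noise that staff learn to ignore.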