CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 14 Network Security.

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Guide to Network Defense and Countermeasures Second Edition
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
SCSC 455 Computer Security Virtual Private Network (VPN)
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Guide to Network Defense and Countermeasures Second Edition
Virtual Private Networks and IPSec
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CCNA 5.0 Planning Guide Chapter 7: Securing Site-to-Site Connectivity
Chapter 20: Network Security Business Data Communications, 4e.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Remote Networking Architectures
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Securing Site-to-Site Connectivity Connecting Networks.
Understanding VPN Concepts Virtual Private Network (VPN) enables computers to –Communicate securely over insecure channels –Exchange private encrypted.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1/28/2010 Network Plus Security Review Identify and Describe Security Risks People –Phishing –Passwords Transmissions –Man in middle –Packet sniffing.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.
Secure Socket Layer (SSL)
Chapter 13 – Network Security
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 Chapter 8 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 Chapter 8 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.
Virtual Private Network (VPN) Topics Discussion What is a VPN? What is a VPN?  Types of VPN  Why we use VPN?  Disadvantage of VPN  Types of.
Guide to Firewalls and VPNs, 3 rd Edition Chapter Ten Setting Up A Virtual Private Network.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Generic Routing Encapsulation GRE  GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
Virtual Private Network Chapter 4. Lecturer : Trần Thị Ngọc Hoa2 Objectives  VPN Overview  Tunneling Protocol  Deployment models  Lab Demo.
Guide to Network Defense and Countermeasures Third Edition
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
VIRTUAL PRIVATE NETWORKS Lab#9. 2 Virtual Private Networks (VPNs)  Institutions often want private networks for security.  Costly! Separate routers,
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Remote Authentication Dial-In User Service (RADIUS)
Virtual Private Networks and IPSec
CompTIA Security+ Study Guide (SY0-401)
Working at a Small-to-Medium Business or ISP – Chapter 8
CompTIA Security+ Study Guide (SY0-401)
CCNA Guide to Cisco Networking Fundamentals Fourth Edition
Introduction to Network Security
Virtual Private Networks (VPN)
Presentation transcript:

CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 14 Network Security

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition2 Objectives Distinguish between the different types of network security threats Explain how to mitigate network security threats Implement SSH on Cisco routers and switches Configure VPNs with the Cisco Security Device Manager

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition3 General Network Security Security policy –An organization’s set of rules regarding how to handle and protect sensitive data A security policy should include: –Physical security –Acceptable use of applications –Safeguarding data –Remote access to the network –Data center –Wireless security

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition4 General Network Security (continued) An effective security policy implements multiple layers of security A security policy should have three goals: –To prevent the hacker from getting access to critical data –To slow down the hacker enough to be caught –To frustrate the hacker enough to cause him or her to quit the hacking attempt When designing a security policy, take care to specify exactly what you are trying to protect

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition5 Protecting the Hardware The first level of security in any network is physical security Critical nodes of an organization should be separated from the general workforce The nodes should be kept in a central location where only a select group of people are allowed If office space is limited and nodes must be located near employees –The servers should at least be stored in a locked cabinet

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition6 Protecting the Hardware (continued)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition7 Protecting Software The primary threats against software are malware and hackers Malware –Refers to malicious programs that have many different capabilities Hackers are usually driven by greed, ego, and/or vengeance –They look to make personal gains through system vulnerabilities

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition8 Malware Prevention The most important elements of a prevention plan –Installing and maintaining virus prevention software, –Conducting virus awareness training for network users Types of malware –Virus –Worm –Macro Virus –Polymorphic Virus –Stealth Virus

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition9 Malware Prevention (continued) Types of malware (continued) –Boot-Sector Virus –Trojan or Trojan Horse –Logic Bomb Virus prevention software –Available for installation on entire networks –Usually includes a version that will run on clients as well as servers –Must be updated regularly to ensure your network is protected against all the latest malware threats

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition10 Malware Prevention (continued) User training –Users must be trained to update their antivirus software daily or, at a bare minimum, weekly –Users also must learn how viruses are transmitted between computers –Teach users to scan removable devices with the virus scanning software before using them

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition11 Firewalls Firewall –The primary method of keeping hackers out of a network –Normally placed between a private LAN and the public Internet, where they act like gatekeepers –Can be a hardware device or it can be software –Types: personal and enterprise All data packets entering or exiting the network have to pass through an enterprise-level firewall –Firewall filters (or analyzes) packets

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition12 Firewalls (continued) Four firewall topologies –Packet-filtering router –Single-homed bastion –Dual-homed bastion –Demilitarized zone (DMZ)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition13

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition14

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition15

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition16

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition17 Firewalls (continued) Intrusion Detection Systems (IDS) –A security device that can detect a hacker’s attempts to gain access to the network –Can also detect virus outbreaks, worms, and distributed denial of service (DDoS) attacks Intrusion Prevention Systems (IPS) –Like an IDS, except that it is placed in line so all packets coming in or going out of the network pass through it –This allows an IPS to drop packets based on rules defined by the network administrator

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition18 Permissions, Encryption, and Authentication Permission –An official approval that allows a user to access a specific network resource Encryption –Often consists of using security algorithms to scramble and descramble data –Types of algorithms Symmetric key Asymmetric key

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition19 Permissions, Encryption, and Authentication (continued)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition20 Permissions, Encryption, and Authentication (continued)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition21 Permissions, Encryption, and Authentication (continued) Secure Sockets Layer –A means of encrypting a session between two hosts through the use of digital certificates, which are based on asymmetric key encryption Authentication –The process by which users verify to a server that they are who they say they are –There are several types of authentication Password authentication protocol (PAP) Challenge handshake authentication protocol (CHAP)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition22 Permissions, Encryption, and Authentication (continued) Additional authentication services supported by Cisco: –Remote Authentication Dial-in User Service (RADIUS) –Terminal Access Controller Access Control System Plus (TACACS+) These two common security protocols are based on the Authentication, Authorization, and Accounting (AAA) model

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition23 Mitigating Security Threats The three basic strategies for mitigating security threats are: –Using the SSH protocol to connect to your routers and switches rather than telnet –Turning off unnecessary services –Keeping up-to-date on security patches (software releases) with a patch management initiative

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition24 Secure Shell (SSH) Connections Secure Shell (SSH) protocol –Sends all data encrypted The two version of SSH are SSH Version 1 and SSH Version 2 –SSH Version 2 is the recommended version Some SSH commands are mandatory and others are optional You must also generate an RSA key pair (asymmetric key encryption) –Which enables SSH

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition25 Secure Shell (SSH) Connections (continued) The preferred method is to implement SSH on all VTY lines –Which ensures that all remote IP sessions to the router will be protected in the SSH tunnel The command sequence for enabling SSH is: Router(config)#hostname SshRouter SshRouter(config)#ip domain-name sshtest.com SshRouter(config)#crypto key generate rsa The name of the keys will be: SshRouter.sshtest.com

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition26 Disabling Unnecessary Services You should disable the services unless your organization uses them Methods –Go through the CLI and enter a series of commands for each service –Use the Security Audit Wizard in the Cisco Security Device Manager (SDM) The following services are unnecessary on most networks: –Finger Service –PAD Service

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition27 Disabling Unnecessary Services (continued) The following services are unnecessary on most networks: (continued) –TCP Small Servers Service –UDP Small Servers Service –IP Bootp Server Service –Cisco Discovery Protocol (CDP) –IP Source Route –Maintenance Operations Protocol (MOP) –Directed Broadcast

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition28 Disabling Unnecessary Services (continued) The following services are unnecessary on most networks: (continued) –ICMP Redirects –Proxy ARP –IDENT –IPv6

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition29 Patch Management Your organization’s patch management program should account for all software in the organization –Including commercial applications as well as applications developed in-house A patch management program should take into account the major software vendor’s patch release schedules –As well as your organization’s business goals and needs Not all patches released by vendors are flawless

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition30 Virtual Private Networks (VPNs) –A popular technology for creating a connection between an external computer and a corporate site over the Internet To establish a VPN connection, you need VPN- capable components Client-to-site VPN (also known as remote user VPN) –A VPN that allows designated users to have access to the corporate network from remote locations

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition31 Virtual Private Networks (VPNs)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition32 Virtual Private Networks (VPNs) Site-to-site VPN –A VPN that allows multiple corporate sites to be connected over low-cost Internet connections You can choose from several tunneling protocols to create secure, end-to-end tunnels –Point-to-Point Tunneling Protocol (PPTP) –Layer 2 Tunneling Protocol (L2TP) –Generic Routing Encapsulation (GRE)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition33 Virtual Private Networks (VPNs)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition34 IPSec –A suite of protocols, accepted as an industry standard, which provides secure data transmission over layer 3 of the OSI model –An IP standard and will only encrypt IP-based data IPSec supports two modes of operation: transport mode and tunnel mode

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition35 IPSec (continued) Transport mode –Primarily geared toward encrypting data that is being sent host-to-host –Only encrypts and decrypts the individual data packets Which results in quite a bit of overhead on the processor Tunnel mode –Encrypts all data in the tunnel and is the mode supported by Cisco components

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition36 IPSec Protocols Two IPSec protocols have been developed to provide packet-level security They include the following characteristics: –Authentication Header (AH) –Encapsulating Security Payload (ESP)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition37 IPSec Authentication Algorithms Authentication algorithms use one of two Hashed Message Authentication Codes (HMAC) –MD5 (message-digest algorithm 5) –SHA-1 (secure hash algorithm) An HMAC is a secret key authentication algorithm that ensures data integrity and originality –Based on the distribution of the secret key Cryptographic software keys are exchanged between hosts using an HMAC

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition38 IPSec Encryption Algorithms For encryption, the two most popular algorithms on IPSec networks are 3DES (tripleDES) and AES –These protocols are used solely with the IPSec ESP protocol Remember, AH does not support encryption

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition39 IPSec Key Management You need to pay attention to how keys are handed from node to node during IPSec authentication Two options are available –Deliver the secret keys to all parties involved via e- mail or on disk –Utilize a key management protocol Key management is defined by the Internet Security Association and Key Management Protocol (ISAKMP) –Governed by RFC 2407 and 2408

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition40 IPSec Transform Sets A transform set –A configuration value (or simply stated, a command) that allows you to establish an IPSEC VPN on a Cisco firewall You can create a transform set through the CLI or you can simply use the SDM GUI When creating an IPSec VPN you must specify a protocol, the algorithm, and the method of key management

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition41 Creating VPNs with the Security Device Manager (SDM) Cisco supports VPNs with several different devices VPNs can be created on firewalls, routers, computers –And even on a device specifically made for VPNs, called a VPN concentrator The following example focuses on using the Cisco Security Device Manager (SDM) Web utility to create a VPN on a Cisco router

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition42

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition43

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition44

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition45

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition46

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition47

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition48

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition49

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition50

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition51 Cisco Security Audit Wizard You can use the Cisco SDM to conduct security audits The SDM’s Security Audit Wizard –Can be used to verify your router’s configuration And determine what security settings have and have not been configured –Will also make recommendations as to which settings should be enabled –Provides an easy to use GUI that allows you to make those changes

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition52

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition53

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition54

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition55

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition56

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition57

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition58 Cisco Security Audit Wizard (continued)

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition59 Summary Protecting the physical equipment where sensitive data resides is as important as protecting the data itself When securing an organization’s network, you must be sure to protect it against external threats as well as internal threats User training is a key element to protecting the network and the data within it Using an SSH connection to a router is a much more secure method of connecting to a router than clear text telnet

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition60 Summary (continued) Disabling unnecessary services increases a router’s security IPSec is an industry-standard suite of protocols and algorithms that allow for secure encrypted VPN tunnels Cisco’s SDM is a multifunction Web utility that allows you to create VPNs and complete a security audit

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.