Presentation is loading. Please wait.

Presentation is loading. Please wait.

111 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco SAFE A Security Blueprint for Enterprise Networks Özay UYANIK.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "111 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco SAFE A Security Blueprint for Enterprise Networks Özay UYANIK."— Presentation transcript:

1

2 111 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco SAFE A Security Blueprint for Enterprise Networks Özay UYANIK Cisco Systems TURKEY

3 222 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. The Internet is Changing… Everything Vote Bank Medicate Travel Purchase

4 333 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Expanded Access Heightened Security Risks Internet Access Access Corporate Intranet InternetPresence Internet Business Value The Security Dilemma Customer Care E-Learning Supply Chain Management E-Commerce Workforce Optimization Explosion in E-Business!!

5 444 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Threats Driving Security Awareness Internet Information Theft Virus Attacks Worm Blaster Strikes Worldwide —— CNN Data Interception Unprotected Assets AOL Boosts Email Security After Attack — C/NET Denial of Service Unauthorized Entry Several Web Sites Attacked Following Assault on Yahoo! —— New York Times

6 555 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Critical e-Business Solutions Customer Care E-Learning Supply Chain Management E-Commerce Workforce Optimization Internet An Intelligent and Secure Network Infrastructure is Required for E-Business!!

7 666 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Are You Secure? External Exploitation 75% vulnerable; 95+% vulnerable externally with secondary exploitation Internet 100% vulnerable InternalExploitation Dial In Exploitation 65+% vulnerable

8 777 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. 100% Security “ ” The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it…. Gene Spafford—Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University

9 888 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco Cisco SAFE Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet Economy

10 999 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Key Components of a SAFE Module Security Management Identity Perimeter Security Monitoring Secure Connectivity

11 10 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Security Is… Security Office Traditional Locks Guard Security Camera Card Key Intrusion Detection IDS Manager Security Manager Firewall Authentication Server

12 11 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. ISP Edge SAFE Enterprise Network Design Guide Enterprise Edge Enterprise Campus WAN Module Frame / ATM Module Corporate Internet VPN&Remote Access PSTN Module ISP A Module E-Commerce Module ISP B Module Cisco SAFE Architecture Goal: Security Resilience Performance Scalability QoS Awareness Cisco SAFE Architecture Goal: Security Resilience Performance Scalability QoS Awareness Distribution Core Management Server User Access Distribution

13 12 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Enterprise SAFE Network ISP Edge Enterprise Edge Enterprise Campus User Access Server Management Core Distribution VPN&Remote Access PSTN Module E-Commerce Module ISP Module SAFE Axioms Routers are targets Switches are targets Hosts are targets Networks are targets Applications are targets Secure management & reporting are required Distribution

14 13 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Routers are Targets Potentially a hacker’s best friend Protection should include: - constraining telnet access - SNMP read-only -administrative access with TACACS+ -NTP authentication - turning off unneeded services - logging unauthorized access attempts - authentication of routing update

15 14 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Switches are Targets Protection needs are similar to routers VLANs are an added vulnerability: - remove user ports from auto-trunking - use non-user VLANs for trunk ports - set unused ports to a non-routed VLAN -do not depend on VLAN separation -Private VLANs

16 15 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Promiscuous Port Community ‘A’ Community ‘B’ Isolated Ports Primary VLAN Community VLAN Community VLAN Isolated VLAN Only One Subnet! x x x x x x x x ARP Spoof Mitigation: Private VLANs PVLANs Isolate traffic in specific communities to create distinct “networks” within a normal VLAN Note: Most inter-host communication is disabled with PVLANs turned on http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519

17 16 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Networks are Targets DDoS (ICMP Flood, TCP SYN Flood, UDP Floods) attacks cannot be stopped by the victim network alone RFC1918 addresses or local addresses should originate locally IP address spoofing can mitigated by filtering non-registered addresses

18 17 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. RFC 2267 Filtering interface Serial n ip access-group 101 in ! access-list 101 permit 142.142.0.0 0.0.255.255 any access-list 101 deny ip any any ISP Network Customer Network: 142.142.0.0/16 Ingress to Internet Ingress packets must be from customer addresses interface Serial n ip access-group 120 in ip access-group 130 out ! access-list 120 deny ip 142.142.0.0 0.0.255.255 any access-list 120 permit ip any any ! access-list 130 permit 142.142.0.0 0.0.255.255 any access-list 130 deny ip any any Egress from Internet Egress packets cannot be from and to customer Ensure ingress packets are valid

19 18 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. RFC 1918 Filtering interface Serial n ip access-group 101 in ! access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 permit ip any any ISP Network Customer Network Ingress to Internet

20 19 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Hosts are Targets High Visibility makes them easy target Ensure that various host components are compatible and at the latest version - hardware platform/devices - operating system and updates - standard applications and patches - shareware scripts

21 20 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Applications are Targets Complexity of applications makes them open to human error vulnerabilities Host and Network based IDS focus on recognizing attack signatures and taking action: - shunning/blocking - alarm/warning - simply logging

22 21 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Secure Management and Reporting Logging levels NTP Out-of-Band management Ipsec, ssh or ssl SNMP Change Management

23 22 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco SAFE Enterprise Network Design Modules Enterprise Campus Enterprise EdgeSP Edge Building Distribution Building Distribution Management Server Core Edge Distribution Edge Distribution E-Commerce Corporate Internet Corporate Internet VPN and Remote Access WAN ISP B ISP A PSTN Frame/ ATM Frame/ ATM

24 23 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Campus Network Section - Management Module - Building Access and Distribution - Core and Server Modules - Edge Distribution Module

25 24 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Management Module Out of Band Management - separate physical networks - separate address space (192.168.25x.xxx) - use IPSec if physical separation is not possible Firewall between management subnet and managed-device subnet

26 25 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Management Module - cont’d Isolate managed ports to minimize impact of compromised device NIDS and HIDS on the management subnet One-time Passwords for authentication of administrators SNMP read-only snmp-server community Txo~QbW3XM RO 98 access-list 98 permit host 192.168.253.51

27 26 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Hosts IDS for Local Attack Attack Mitigation Roles for Management Module Two-Factor Authentication Two-Factor Authentication AAA Services Read-Only SNMP SSH Where Possible Config and Content Management SSH Where Possible Config and Content Management OTP Server Access Control Server Network Monitoring IDS Director Syslog 1 Syslog 2 System Admin X6 Term Server (IOS) eIOS-91 eIOS-21 X6 Switch Out-of-Band Network Management OOB Config Management OOB Config Management To All Device Console Ports Encrypted In-Band Network Management Network Log Data Comprehensive Layer 4-7 Analysis Comprehensive Layer 4-7 Analysis Stateful Packet Filtering IPSec Termination for Management Stateful Packet Filtering IPSec Termination for Management Private VLANs

28 27 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Campus Network Section - Management Module - Building Access and Distribution - Core and Server Modules - Edge Distribution Module

29 28 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Enterprise Campus Detail OTP Server OTP Server Access Control Server Access Control Server Network Monitoring Network Monitoring IDS Director IDS Director Syslog 1 Syslog 2 System Admin System Admin Management Module Management Module Building Module (Users) Building Distribution Module Building Distribution Module Core Module Core Module Corporate Server Corporate Server Module Server Module To eCommerce Module To Corporate Internet Module To VPN/ Remote Access Module To WAN Module Cisco Call Manager Cisco Call Manager Edge Distribution Module Edge Distribution Module Term Server (IOS) Term Server (IOS) Internal Email Internal Email Dept. Server Dept. Server

30 29 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Attack Mitigation Roles for Building and Distribution Modules To Core Module Inter Subnet Filtering RFC2827 Filtering Inter Subnet Filtering RFC2827 Filtering Host Virus Scanning VLANs

31 30 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Campus Network Section - Management Module - Building Access and Distribution - Core and Server Modules - Edge Distribution Module

32 31 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Internal Email Dept. Server Call Manager Attack Mitigation Roles for Core and Server Modules To Edge Distribution Module To Building Distribution Module Host IDS for Local Attack NIDS for Server Attacks Private VLANs for Server Connections RFC2827 Filtering NIDS for Server Attacks Private VLANs for Server Connections RFC2827 Filtering

33 32 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Campus Network Section - Management Module - Building Access and Distribution - Core and Server Modules - Edge Distribution Module

34 33 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Attack Mitigation Roles for Edge Distribution Module To eCommerce Module To Corporate Internet Module To VPN/Remote Access Module To WAN Module To Core Module Layer 3 Access Control RFC2827 Filtering Layer 3 Access Control RFC2827 Filtering

35 34 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Edge Network Section - Corporate Internet Module - Remote Access and VPN Module - WAN Module - E-Commerce Module - ISP Filtering

36 35 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Enterprise Edge - Detail eCommerce Module eCommerce Module Corporate Internet Module Corporate Internet Module ISP A Module ISP A Module ISP A ISP B To Edge Distribution Module To Edge Distribution Module ISP B Module ISP B Module To VPN/ Remote Access Module

37 36 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Broad Layer 4-7 Analysis Attack Mitigation Roles for Corporate Internet Module To Edge Distribution To VPN/Remote Access Focused Layer 4-7 Analysis Focused Layer 4-7 Analysis Host IDS Local Attack Mitigation Host IDS Local Attack Mitigation SMTP Content Inspection SMTP Content Inspection Spoof Mitigation Basic Filtering Spoof Mitigation Basic Filtering Spoof Mitigation (D)DoS Rate-Limiting Spoof Mitigation (D)DoS Rate-Limiting Inspect Outbound Traffic For Unauthorized URLs Inspect Outbound Traffic For Unauthorized URLs Stateful Packet Filtering Basic Layer 7 Filtering Host DoS Mitigation Stateful Packet Filtering Basic Layer 7 Filtering Host DoS Mitigation Focused Layer 4-7 Analysis Focused Layer 4-7 Analysis ISP A

38 37 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Edge Network Section - Corporate Internet Module - Remote Access and VPN Module - WAN Module - E-Commerce Module - ISP Filtering

39 38 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. VPN/Remote Access - Detail VPN/Remote Access - Detail Detail To Edge Distribution Module To Edge Distribution Module To Corporate Internet Module VPN/Remote Access Module VPN/Remote Access Module WAN Module PSTN Module PSTN Module Frame/ATM Module Frame/ATM Module PSTN FR/ATM

40 39 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Attack Mitigation Roles for Remote Access VPN Module PSTN Authenticate Remote Site Terminate IPSec To Edge Distribution Module Focused Layer 4-7 Analysis Allow only IPSec Traffic To Internet Via the Corporate Internet Module Broad Layer 4-7 Analysis Stateful Packet Filtering Basic Layer 7 Filtering Authenticate Users Terminate IPSec Authenticate Users Terminate Analog Dial

41 40 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Edge Network Section - Corporate Internet Module - Remote Access and VPN Module - WAN Module - E-Commerce Module - ISP Filtering

42 41 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Enterprise Edge - Detail To Edge Distribution Module To Edge Distribution Module To Corporate Internet Module VPN/Remote Access Module VPN/Remote Access Module WAN Module PSTN Module PSTN Module Frame/ATM Module Frame/ATM Module PSTN FR/ATM

43 42 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Classic WAN Module: Detail and Attack Mitigation Classic WAN not often addressed in security context. Man-in-the-middle attacks can be mitigated by several IOS features: - Layer 3 access-control - IPSec encryption (optional) FR/ATM To Edge Distribution Module eIOS-61 eIOS-62 Layer 3 Access Control

44 43 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Edge Network Section - Corporate Internet Module - Remote Access and VPN Module - WAN Module - E-Commerce Module - ISP Filtering

45 44 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Enterprise Edge - Detail eCommerce Module eCommerce Module Corporate Internet Module Corporate Internet Module ISP A Module ISP A Module ISP A ISP B To Edge Distribution Module To Edge Distribution Module ISP B Module ISP B Module To VPN/ Remote Access Module

46 45 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. E-Commerce Traffic Flow Edge Distribution Module E-Commerce Module ISP Module L1-3 DB L4 L5-7 Apps Incoming Requests Web Apps

47 46 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Attack Mitigation Roles for E-Commerce Module Stateful Packet Filtering Basic 7 Layer Filtering Host DoS Mitigation To Edge Distribution Focused Layer 4-7 Analysis Stateful Packet Filtering Basic Layer 7 Filtering Broad Layer 4-7 Analysis Wire Speed Access Control Broad Layer 4-7 Analysis Wire Speed Access Control Spoof Mitigation (D)DoS Rate Limiting Layer 4 Filtering Focused Layer 4-7 Analysis Host IDS for Local Attack Mitigation

48 47 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Edge Network Section - Corporate Internet Module - Remote Access and VPN Module - WAN Module - E-Commerce Module - ISP Filtering

49 48 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Service Provider Filtering Best in e-commerce environments DDoS mitigation Bandwidth optimization RFC 1918,2827 Attacker Public Services Internal Services Internal Users Customer DDoS Agentok Ports: 80 443 x Source: DDoS Agent Destination: Public Services Port: UDP Flood Source: Attacker Destination: Public Services Port: 23(Telnet) x

50 49 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. CAR Rate Limiting Limit outbound ping to 8 Kbps Limit inbound TCP SYN packets to 256 Kbps interface xy rate-limit output access-group 102 8000 8000 8000 conform-action transmit exceed-action drop ! access-list 102 permit icmp any any echo access-list 102 permit icmp any any echo-reply interface xy rate-limit input access-group 103 256000 8000 8000 conform-action transmit exceed-action drop ! access-list 103 deny tcp any host 142.142.42.1 established access-list 103 permit tcp any host 142.142.42.1

51 50 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco SAFE Ecosystem: Security & VPN Associates Identity Application Security Security Management & Monitoring Secure Connectivity Perimeter Security Cisco.com/go/securityassociate

52 51 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. For more information... Cisco.com/go/security Cisco.com/go/SAFE Cisco.com/go/SAFE Policy

Download ppt "111 vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved. Cisco SAFE A Security Blueprint for Enterprise Networks Özay UYANIK."

Similar presentations

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...

1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...
Network Security Network Attacks and Mitigation 張晃崚 CCIE #13673, CCSI #31340 區域銷售事業處 副處長 麟瑞科技.

Network Security Network Attacks and Mitigation 張晃崚 CCIE #13673, CCSI #31340 區域銷售事業處 副處長 麟瑞科技.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
16254_08_2002 © 2002, Cisco Systems, Inc. All rights reserved. Cisco’s Security Vision Mario Mazzola Chief Development Officer August 29, 2002.

16254_08_2002 © 2002, Cisco Systems, Inc. All rights reserved. Cisco’s Security Vision Mario Mazzola Chief Development Officer August 29, 2002.
Cisco IOS Firewall ( CBAC-Context Based Access Control)

Cisco IOS Firewall ( CBAC-Context Based Access Control)
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy.

KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy.
2 3856_10_2001_c1_X © 2001, Cisco Systems, Inc. All rights reserved. Security Technologies.

2 3856_10_2001_c1_X © 2001, Cisco Systems, Inc. All rights reserved. Security Technologies.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.

Similar presentations

Ads by Google