Cisco SAFE: A Security Blueprint for Enterprise Networks
Özay UYANIK, Cisco Systems TURKEY
vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved.

The Internet is Changing… Everything
Vote, bank, medicate, travel, purchase.

The Security Dilemma
(chart: as Internet business value grows from Internet presence to Internet access to access to the corporate intranet, expanded access brings heightened security risks)
Explosion in E-Business: customer care, e-learning, supply chain management, e-commerce, workforce optimization.

Threats Driving Security Awareness
- Information theft
- Virus attacks
- Data interception
- Unprotected assets
- Denial of service
- Unauthorized entry
Headlines: "Worm Blaster Strikes Worldwide" (CNN); "AOL Boosts Email Security After Attack" (C/NET); "Several Web Sites Attacked Following Assault on Yahoo!" (New York Times).

Critical e-Business Solutions
(diagram: customer care, e-learning, supply chain management, e-commerce and workforce optimization connected through the Internet)
An intelligent and secure network infrastructure is required for e-business!

Are You Secure?
- External exploitation: 75% vulnerable; 95+% vulnerable externally with secondary exploitation
- Internal exploitation: 100% vulnerable
- Dial-in exploitation: 65+% vulnerable

100% Security
“The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it….”
Gene Spafford, Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University

Cisco SAFE
Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet Economy.

Key Components of a SAFE Module
- Security Management
- Identity
- Perimeter Security
- Monitoring
- Secure Connectivity

Security Is…
(diagram pairing traditional physical security with its network counterparts)
- Traditional: security office, locks, guard, security camera, card key
- Network: security manager, firewall, intrusion detection (IDS manager), authentication server

SAFE Enterprise Network Design Guide
(diagram of the SAFE architecture: ISP Edge with ISP A and ISP B modules; Enterprise Edge with E-Commerce, Corporate Internet, VPN & Remote Access, PSTN, WAN and Frame/ATM modules; Enterprise Campus with Distribution, Core, Management, Server and User Access)
Cisco SAFE architecture goals: security, resilience, performance, scalability, QoS awareness.

Enterprise SAFE Network
(diagram: ISP Edge; Enterprise Edge with E-Commerce, ISP, VPN & Remote Access and PSTN modules; Enterprise Campus with User Access, Server, Management, Core and Distribution)
SAFE Axioms:
- Routers are targets
- Switches are targets
- Hosts are targets
- Networks are targets
- Applications are targets
- Secure management & reporting are required

Routers are Targets
Potentially a hacker’s best friend. Protection should include:
- constraining telnet access
- SNMP read-only
- administrative access with TACACS+
- NTP authentication
- turning off unneeded services
- logging unauthorized access attempts
- authentication of routing updates

Switches are Targets
Protection needs are similar to routers. VLANs are an added vulnerability:
- remove user ports from auto-trunking
- use non-user VLANs for trunk ports
- set unused ports to a non-routed VLAN
- do not depend on VLAN separation
- Private VLANs

ARP Spoof Mitigation: Private VLANs
(diagram: one primary VLAN on a single subnet containing a promiscuous port, community VLANs ‘A’ and ‘B’, and an isolated VLAN of isolated ports; crosses mark the blocked port-to-port paths. Only one subnet!)
PVLANs isolate traffic in specific communities to create distinct “networks” within a normal VLAN.
Note: Most inter-host communication is disabled with PVLANs turned on.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519

Networks are Targets
- DDoS attacks (ICMP flood, TCP SYN flood, UDP floods) cannot be stopped by the victim network alone
- RFC 1918 addresses or local addresses should originate locally
- IP address spoofing can be mitigated by filtering non-registered addresses

RFC 2267 Filtering
Customer network: 142.142.0.0/16. Ingress to Internet (ISP network side): ingress packets must be from customer addresses.

interface Serial n
 ip access-group 101 in
!
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any

Egress from Internet: egress packets cannot be both from and to the customer; ensure ingress packets are valid.

interface Serial n
 ip access-group 120 in
 ip access-group 130 out
!
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
!
access-list 130 permit ip 142.142.0.0 0.0.255.255 any
access-list 130 deny ip any any

RFC 1918 Filtering
Ingress to Internet (ISP network, customer network): packets sourced from private address space are dropped.

interface Serial n
 ip access-group 101 in
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
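To check what the RFC 2267 and RFC 1918 access-lists above actually admit and drop, here is an added example in Python, not code from the presentation or from Cisco: a small evaluator for the numbered extended access-list syntax used on the slides (wildcard masks, any, host, first match wins, implicit deny at the end), run over the slides' own access-lists with constructed packets. Hosts outside the customer network are taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges. It goes slightly beyond the slides by also accepting the host keyword and arbitrary wildcard masks.

```python
"""Evaluator for the numbered extended access-lists on the RFC 2267/2827 and
RFC 1918 filtering slides. Added example; not Cisco code. Hosts outside the
customer network are constructed from documentation address ranges."""
import ipaddress

# Access-lists as written on the slides (the "ip" protocol keyword is accepted
# but optional, because the slide text omits it on some lines).
ISP_INGRESS = """
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""
CUSTOMER_EDGE = """
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
access-list 130 permit ip 142.142.0.0 0.0.255.255 any
access-list 130 deny ip any any
"""
RFC1918_FILTER = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') and
    return ((address, wildcard) as ints, remaining tokens)."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wildcard), tokens[2:]


def _matches(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (ALL_ONES ^ wildcard) == 0


def parse_acls(text):
    """Return {acl_id: [(action, src_spec, dst_spec), ...]} in slide order."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        acl_id, action, rest = parts[1], parts[2], parts[3:]
        if rest[0] == "ip":
            rest = rest[1:]
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        acls.setdefault(acl_id, []).append((action, src, dst))
    return acls


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; IOS appends an implicit deny to every ACL."""
    for action, src, dst in acl:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"


def filtering_verdicts():
    """Run the slides' access-lists over constructed packets."""
    isp = parse_acls(ISP_INGRESS)["101"]
    edge = parse_acls(CUSTOMER_EDGE)
    priv = parse_acls(RFC1918_FILTER)["101"]
    internet_host = "198.51.100.7"  # constructed Internet-side host
    return {
        # ISP side, inbound from the customer: only 142.142.0.0/16 sources pass
        "isp_in_customer_src": evaluate(isp, "142.142.10.5", internet_host),
        "isp_in_spoofed_src": evaluate(isp, "203.0.113.9", internet_host),
        # Customer edge, inbound from the Internet: our own prefix as a source is a spoof
        "edge_in_customer_src": evaluate(edge["120"], "142.142.1.1", "142.142.42.1"),
        "edge_in_internet_src": evaluate(edge["120"], internet_host, "142.142.42.1"),
        # Customer edge, outbound: only our own prefix may leave
        "edge_out_customer_src": evaluate(edge["130"], "142.142.1.1", internet_host),
        "edge_out_private_src": evaluate(edge["130"], "10.0.0.5", internet_host),
        # RFC 1918 sources dropped; 172.32.0.0 is just outside 172.16.0.0/12
        "rfc1918_10": evaluate(priv, "10.1.2.3", internet_host),
        "rfc1918_172_20": evaluate(priv, "172.20.1.1", internet_host),
        "rfc1918_172_32": evaluate(priv, "172.32.1.1", internet_host),
        "rfc1918_192_168": evaluate(priv, "192.168.1.1", internet_host),
        "rfc1918_public": evaluate(priv, "203.0.113.9", internet_host),
    }


if __name__ == "__main__":
    for name, verdict in filtering_verdicts().items():
        print(f"{name:24s} {verdict}")
```

The 172.32.1.1 case is the one worth watching: the wildcard 0.15.255.255 covers exactly 172.16.0.0 through 172.31.255.255, so 172.32.x.x falls through to the final permit, which is the intended RFC 1918 boundary.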

Hosts are Targets
High visibility makes them an easy target. Ensure that the various host components are compatible and at the latest version:
- hardware platform/devices
- operating system and updates
- standard applications and patches
- shareware scripts

Applications are Targets
The complexity of applications makes them open to human-error vulnerabilities. Host- and network-based IDS focus on recognizing attack signatures and taking action:
- shunning/blocking
- alarm/warning
- simply logging

Secure Management and Reporting
- Logging levels
- NTP
- Out-of-band management
- IPsec, SSH or SSL
- SNMP
- Change management

Cisco SAFE Enterprise Network Design Modules
(diagram: Enterprise Campus with Building, Building Distribution, Management, Server, Core and Edge Distribution modules; Enterprise Edge with E-Commerce, Corporate Internet, VPN and Remote Access, and WAN modules; SP Edge with ISP A, ISP B, PSTN and Frame/ATM)

Campus Network Section
- Management Module
- Building Access and Distribution
- Core and Server Modules
- Edge Distribution Module

Management Module
Out-of-band management:
- separate physical networks
- separate address space (192.168.25x.xxx)
- use IPSec if physical separation is not possible
Firewall between the management subnet and the managed-device subnet.

Management Module - cont’d
- Isolate managed ports to minimize the impact of a compromised device
- NIDS and HIDS on the management subnet
- One-time passwords for authentication of administrators
- SNMP read-only:

snmp-server community Txo~QbW3XM RO 98
access-list 98 permit host 192.168.253.51
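The checklist from the "Routers are Targets" slide and the read-only SNMP community above can be checked mechanically against a saved configuration. The following Python script is an added example, not Cisco's code or any shipped tool: it parses a Cisco IOS-style configuration and reports which of the seven checklist items are not met. Both sample configurations are constructed (the community string and the 192.168.253.51 management host come from the slides; the other management addresses and key values are placeholders), and the command spellings it looks for (access-class on the vty lines, snmp-server community ... RO, aaa new-model with tacacs-server, ntp authenticate/trusted-key, the small-servers/http/finger service lines, a logging host, OSPF message-digest keys or key chains) are assumptions about how each item shows up in a running configuration.

```python
"""Audit a Cisco IOS-style configuration against the SAFE 'Routers are
Targets' checklist. Added example, not Cisco's code; the sample configurations
are constructed and the command spellings searched for are assumptions."""
import re

# Explicit lines that turn on services the deck says to leave off (assumed
# command set; only lines that are actually present are detected).
UNNEEDED_SERVICES = {
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip http server",
    "ip finger",
}

# Assumed markers of authenticated routing updates (OSPF MD5, key chains,
# BGP neighbor passwords), searched in both top-level and indented lines.
ROUTING_AUTH_PATTERNS = (r"message-digest", r"^key chain ", r"^neighbor \S+ password ")

# Constructed sample: a router missing every item on the checklist.
WEAK_CONFIG = """
hostname edge-weak
service tcp-small-servers
ip http server
snmp-server community public RW
line vty 0 4
 password PLACEHOLDER
 login
"""

# Constructed sample: the same router after the checklist is applied.
HARDENED_CONFIG = """
hostname edge-hardened
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.168.253.54
ntp authenticate
ntp trusted-key 1
ntp authentication-key 1 md5 PLACEHOLDER-NTP-KEY
logging 192.168.253.56
snmp-server community Txo~QbW3XM RO 98
access-list 98 permit host 192.168.253.51
access-list 10 permit host 192.168.253.51
access-list 10 deny any log
interface Serial0
 ip ospf message-digest-key 1 md5 PLACEHOLDER-OSPF-KEY
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_blocks(config):
    """Split a config into (top_level_line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ios_config(config):
    """Map each checklist item to True (met) or False (not met)."""
    blocks = parse_blocks(config)
    top = [t for t, _ in blocks]
    every = top + [s for _, subs in blocks for s in subs]

    def acl_lines(acl_id):
        return [ln for ln in top if ln.startswith(f"access-list {acl_id} ")]

    # 1. Telnet/vty access constrained by an access-class naming an existing ACL
    vty_subs = [s for t, subs in blocks if t.startswith("line vty") for s in subs]
    vty_acl = next((m.group(1) for s in vty_subs
                    if (m := re.match(r"access-class (\S+) in$", s))), None)
    vty_ok = vty_acl is not None and bool(acl_lines(vty_acl))

    # 2. Every SNMP community read-only and bound to an ACL (vacuously met
    #    when SNMP is not configured at all)
    communities = [ln for ln in top if ln.startswith("snmp-server community ")]
    snmp_ok = all(
        (m := re.match(r"snmp-server community \S+ RO (\S+)$", ln)) is not None
        and bool(acl_lines(m.group(1)))
        for ln in communities)

    # 3. Administrative access through TACACS+ under AAA
    tacacs_ok = ("aaa new-model" in top
                 and any(ln.startswith("tacacs-server host ") for ln in top)
                 and any(re.match(r"aaa authentication login .*tacacs\+", ln) for ln in top))

    # 4. NTP authentication enabled with at least one trusted key
    ntp_ok = "ntp authenticate" in top and any(ln.startswith("ntp trusted-key ") for ln in top)

    # 5. No unneeded service explicitly enabled
    services_ok = UNNEEDED_SERVICES.isdisjoint(top)

    # 6. Unauthorized access attempts logged: a syslog host plus a logged
    #    deny entry on the vty access-class ACL
    syslog_ok = any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+$", ln) for ln in top)
    logged_deny = vty_acl is not None and any(
        re.match(r"access-list \S+ deny .*\blog$", ln) for ln in acl_lines(vty_acl))
    logging_ok = syslog_ok and logged_deny

    # 7. Routing updates authenticated
    routing_ok = any(re.search(p, ln) for p in ROUTING_AUTH_PATTERNS for ln in every)

    return {
        "vty_access_constrained": vty_ok,
        "snmp_read_only_with_acl": snmp_ok,
        "tacacs_admin_access": tacacs_ok,
        "ntp_authentication": ntp_ok,
        "unneeded_services_off": services_ok,
        "unauthorized_access_logged": logging_ok,
        "routing_updates_authenticated": routing_ok,
    }


def failed_checks(config):
    """Names of checklist items the configuration does not meet, sorted."""
    return sorted(name for name, ok in audit_ios_config(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "fails:", failed_checks(cfg) or "none")
```

The check for unneeded services only catches lines that explicitly enable a service; a service that is on by default and simply absent from the configuration is not flagged, which is the usual blind spot of config-only audits and a reason to pair them with a port scan from the management subnet.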

Attack Mitigation Roles for Management Module
(diagram of the management module: OTP server, access control server, network monitoring, IDS director, syslog 1 and syslog 2, system admin, a terminal server (IOS) cabled to all device console ports, a switch labelled X6 and devices labelled eIOS-91 and eIOS-21; out-of-band network management with OOB config management, encrypted in-band network management, and network log data flowing in)
Roles shown:
- Hosts: IDS for local attack
- Two-factor authentication
- AAA services
- Read-only SNMP
- SSH where possible
- Config and content management
- Comprehensive Layer 4-7 analysis
- Stateful packet filtering
- IPSec termination for management
- Private VLANs

Enterprise Campus Detail
(diagram of the campus: Management Module with OTP server, access control server, network monitoring, IDS director, syslog 1 and 2, system admin and terminal server (IOS); Building Module (users); Building Distribution Module; Core Module; Server Module with corporate server, Cisco Call Manager, internal email and dept. server; Edge Distribution Module with links to the eCommerce, Corporate Internet, VPN/Remote Access and WAN modules)

Attack Mitigation Roles for Building and Distribution Modules
(diagram: building access and distribution layers connecting to the Core Module)
- Inter-subnet filtering
- RFC 2827 filtering
- Host virus scanning
- VLANs

Attack Mitigation Roles for Core and Server Modules
(diagram: core and server modules between the Edge Distribution Module and the Building Distribution Module, with internal email, dept. server and Call Manager hosts)
- Host IDS for local attack
- NIDS for server attacks
- Private VLANs for server connections
- RFC 2827 filtering

Attack Mitigation Roles for Edge Distribution Module
(diagram: edge distribution between the Core Module and the eCommerce, Corporate Internet, VPN/Remote Access and WAN modules)
- Layer 3 access control
- RFC 2827 filtering

Edge Network Section
- Corporate Internet Module
- Remote Access and VPN Module
- WAN Module
- E-Commerce Module
- ISP Filtering

Enterprise Edge - Detail
(diagram: eCommerce Module and Corporate Internet Module, each connected to the Edge Distribution Module and reached through the ISP A and ISP B modules; link to the VPN/Remote Access Module)

Attack Mitigation Roles for Corporate Internet Module
(diagram: path from ISP A through the module to the Edge Distribution and VPN/Remote Access modules)
- Spoof mitigation, (D)DoS rate-limiting
- Spoof mitigation, basic filtering
- Stateful packet filtering, basic Layer 7 filtering, host DoS mitigation
- Broad Layer 4-7 analysis
- Focused Layer 4-7 analysis
- Host IDS local attack mitigation
- SMTP content inspection
- Inspect outbound traffic for unauthorized URLs

VPN/Remote Access - Detail
(diagram: VPN/Remote Access Module, WAN Module, PSTN Module and Frame/ATM Module, with links to the Edge Distribution Module and the Corporate Internet Module; PSTN and FR/ATM on the provider side)

Attack Mitigation Roles for Remote Access VPN Module
(diagram: PSTN and IPSec entry points, link to the Edge Distribution Module, and path to the Internet via the Corporate Internet Module)
- Authenticate users, terminate analog dial
- Authenticate remote site, terminate IPSec
- Authenticate users, terminate IPSec
- Allow only IPSec traffic
- Focused Layer 4-7 analysis
- Broad Layer 4-7 analysis
- Stateful packet filtering, basic Layer 7 filtering

Classic WAN Module: Detail and Attack Mitigation
(diagram: FR/ATM cloud, routers labelled eIOS-61 and eIOS-62 applying Layer 3 access control, link to the Edge Distribution Module)
The classic WAN is not often addressed in a security context. Man-in-the-middle attacks can be mitigated by several IOS features:
- Layer 3 access control
- IPSec encryption (optional)

E-Commerce Traffic Flow
(diagram: incoming requests arrive through the ISP Module, pass the E-Commerce Module's web, application and database tiers, with filtering stages labelled L1-3, L4 and L5-7, and reach the Edge Distribution Module)

Attack Mitigation Roles for E-Commerce Module
(diagram: ISP-facing edge through to the Edge Distribution Module)
- Spoof mitigation, (D)DoS rate limiting, Layer 4 filtering
- Broad Layer 4-7 analysis
- Wire-speed access control
- Stateful packet filtering, basic Layer 7 filtering, host DoS mitigation
- Focused Layer 4-7 analysis
- Host IDS for local attack mitigation

Service Provider Filtering
- Best in e-commerce environments
- DDoS mitigation
- Bandwidth optimization
- RFC 1918, 2827
(diagram: an attacker and a DDoS agent on the Internet; the customer with public services, internal services and internal users. Traffic to public services on ports 80 and 443 is allowed; a UDP flood from the DDoS agent to public services is blocked; Telnet (port 23) from the attacker to public services is blocked)

CAR Rate Limiting
Limit outbound ping to 8 Kbps:

interface xy
 rate-limit output access-group 102 8000 8000 8000 conform-action transmit exceed-action drop
!
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

Limit inbound TCP SYN packets to 256 Kbps:

interface xy
 rate-limit input access-group 103 256000 8000 8000 conform-action transmit exceed-action drop
!
access-list 103 deny tcp any host 142.142.42.1 established
access-list 103 permit tcp any host 142.142.42.1
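To see how the two rate-limit statements above behave under a flood, here is an added example in Python, not part of the presentation or of IOS: a token-bucket model of CAR with burst-max equal to burst-normal (as on the slide, so no extended burst), exact arithmetic via fractions, and the rule that a packet the rate-limit's access-list denies (the established entry of access-list 103) is not matched by the limiter and is forwarded unrestricted rather than dropped. The traffic mixes are constructed, and the bucket is an approximation of CAR, not its exact implementation.

```python
"""Token-bucket model of the two CAR rate-limit statements on the slide.
Added example; not Cisco code. Rates are in bits/s and bursts in bytes,
as in the rate-limit command; time is kept exact with fractions."""
from fractions import Fraction


class CarBucket:
    """CAR with burst-max == burst-normal: a plain token bucket whose depth is
    the normal burst and whose refill rate is the committed rate."""

    def __init__(self, bps, burst_normal):
        self.rate = Fraction(bps, 8)        # bytes per second
        self.capacity = burst_normal        # bucket depth in bytes
        self.tokens = Fraction(burst_normal)
        self.last = Fraction(0)

    def offer(self, t, size):
        """Refill for the elapsed time, then transmit if the packet fits."""
        t = Fraction(t)
        self.tokens = min(Fraction(self.capacity), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"
        return "drop"


def apply_rate_limit(bps, burst_normal, packets):
    """packets: iterable of (time_seconds, size_bytes, matched_by_acl), in time
    order. A packet the access-list denies (matched_by_acl False) is outside
    the rate-limit statement and passes as 'unmatched'."""
    bucket = CarBucket(bps, burst_normal)
    counts = {"transmit": 0, "drop": 0, "unmatched": 0}
    for t, size, matched in packets:
        verdict = bucket.offer(t, size) if matched else "unmatched"
        counts[verdict] += 1
    return counts


def ping_flood_verdicts():
    """Constructed: 1000 ICMP echo packets of 100 bytes in one second, all
    matched by access-list 102, against the 8 kbps / 8000-byte limit."""
    packets = [(Fraction(i, 1000), 100, True) for i in range(1000)]
    return apply_rate_limit(8000, 8000, packets)


def syn_flood_verdicts():
    """Constructed: 1000 60-byte SYNs in 0.1 s (matched by access-list 103)
    interleaved with 200 1000-byte established-session packets, which the
    'deny ... established' entry keeps out of the 256 kbps limiter."""
    packets = [(Fraction(i, 10000), 60, True) for i in range(1000)]
    packets += [(Fraction(j, 2000), 1000, False) for j in range(200)]
    packets.sort(key=lambda p: p[0])
    return apply_rate_limit(256000, 8000, packets)


if __name__ == "__main__":
    print("ping flood:", ping_flood_verdicts())
    print("SYN flood: ", syn_flood_verdicts())
```

With the ping limit, the 8000-byte bucket absorbs the first 80 packets and afterwards only one 100-byte echo per 100 ms fits the 1000 byte/s refill, so 89 of 1000 get through. With the SYN limit the established-session packets never touch the bucket, which is the point of the deny entry: the limiter throttles connection attempts, not the traffic of sessions already open.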

Cisco SAFE Ecosystem: Security & VPN Associates
- Identity
- Application Security
- Security Management & Monitoring
- Secure Connectivity
- Perimeter Security
Cisco.com/go/securityassociate

For more information...
Cisco.com/go/security
Cisco.com/go/SAFE
Policy