Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Published byAmbrose Collins Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device."— Presentation transcript:

1 Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device itself –Routers –Firewalls –Switches –Authentication servers –wireless access points –…

2 Network Security2 Steps to secure a router: 1.Backup of configuration files and the router software 2.Controlling access to the router (tty, vty ports) 3.Securing access to the router (via SSH) 4.Password management 5.Logging events on the router 6.Disabling unnecessary services 7.Using loopback interfaces 8.Controlling SNMP as a management protocol 9.Controlling HTTP as a management protocol 10.Using CEF as a switching mechanism 11.Setting up the scheduler from a security perspective 12.Using the Network Time Protocol (NTP) 13.Login banners 14.Capturing core dumps 15.Using service nagle to improve Telnet access during high CPU events

3 Network Security3 2. Controlling access to the router A tty port is physically connected to a terminal or workstation for local administrative access to the router. An aux ports, similar to a tty port, is connected to a modem for remote out-of-band administrative access to the router. A vty (virtual tty) port is used to allow remote in- band connection sessions, via telnet, ssh, or rlogin.

4 Network Security4 Vulnerabilities of tty or aux ports A tty or aux port may suffer reverse telnet attack, where the terminal server connected to the tty port or the modem connected to the aux port of the router is used by the attacker (as a remote client) to access the router. Check out this link to see an illustration of using ‘reverse telnet’ to remotely access a router. (diagrams below)this link

5 Network Security5 Normal telnet

6 Network Security6 Reverse Telnet

7 Network Security7 Vulnerabilities of tty or aux ports Solution? –Disable the console port Line con0 transport input none –Allow only SSH access to a router’s console port (a feature added to IOS v12.2 or higher) Line con0 login authentication default rotary 1 transport input ssh ip ssh port 2001 rotary 1 Requirement: The router must be set up as a SSH server.

8 Network Security8 Controlling vty access 1.Restricted access: Only allow the protocols that will be used by the network admin Since Cisco IOS v11.1, the default is none. Example: To allow only telnet and ssh connections line vty 0 4 transport input telnet ssh 2.Only addresses in the ‘access list’ are allowed to connect: access-class, access-list (See example 3-6) 3.Short timeouts: The default timeout value is 10 minutes. To set it to 5 min. 30 sec. line vty 0 4 exec-timeout 5 30 4.Authentication for vty access: either local or RADIUS authentication (preferred).

9 Network Security9 3. Securing access to the router using encryption IPsec VPN client (preferred; more details in Ch 13) –Two cases: A.The VPN client access a back-end LAN (the destination) by building a tunnel between itself and a router (the IPsec gateway), behind which the LAN is located. B.The VPN client is used to remotely administer the router, which is both the gateway and the destination. SSH: Only SSH v1 is supported by Cisco IOS Example 3-11

10 Network Security10 4. Password Management Passwords stored on the router should be properly encrypted. The default password-encryption is either type 0 (clear text passwords) or type 7 (weak encryption). Use the enable secret command to activate MD5 when encrypting passwords. Example 3-12

11 Network Security11 Password Management Passwords stored on the router should be properly encrypted. The default password-encryption is either type 0 (clear text passwords) or type 7 (weak encryption). Use the enable secret command to activate MD5 when encrypting passwords. Example 3-12

12 Network Security12 5. Logging events Advantages: Allows auditing and tracking  forensics (in case of an attack)  performance tuning (maintenance) required: good time stamping  using NTP Example: 3-13

13 Network Security13 6. Disable unnecessary services If a service is not being actively used on a device, it should be disabled. Otherwise it may be used as a back door for the attacker to gain access to the device. Sample services to be disabled: Table 3-1 TCP small servers, UDP small servers, Finger server, …

14 Network Security14 7. Using loopback interfaces Advantages: Enable a block of IP addresses to be assigned to be used by loopback. –All routers can be forced to use these loopback IP addresses as source addresses when accessing the servers. –The servers can then also be locked down to allow access only from this block of IP addresses. Accesses from addresses outside this block are denied. Example 3-14

15 Network Security15 8. Controlling SNMP (as a management protocol) SNMP can be used in read-only and ‘read and write’ modes Unless necessary, use read-only mode on routers. The ‘read and write’ mode allows the admin to modify the router’s configurations via SNMP. Access into the network via SNMP should be blocked at the network’s boundary.

16 Network Security16 8. Controlling SNMP (as a management protocol) Security of SNMP: –v1 and v2 use ‘community strings’ as the only authentication mechanism. (Not secure) –v3 is more secure by providing MD5 or SHA for authentication, and DES for encryption. SNMP v3: threats vs protections (p.65)

17 Network Security17 9. Controlling HTTP (as a management protocol) Unless necessary, HTTP access to the router should be disabled. Admin access to the router via HTTP should be secured, by activating authentication. Example: 3-19

18 Network Security18 10. Using CEF as a switching mechanism Cisco Express Forwarding Routers using the traditional switching mechanisms need to update routing caches when packets destined for new addresses arrive. SYN floods and DDoS attacks use a large number of random or pseudo-random IP addresses as ultimate targets. CEF replaces the normal routing cache with a data structure that mirrors the entire routing tables. It does away with the need to update the cache each time a new IP address needs to be routed to.

19 Network Security19 11. Using the scheduler scheduler allocate scheduler interval To prevent the router from becoming too busy responding to the interrupts on its interfaces due to the large number of packets arriving  large-scale network attack, esp. a DDoS attack Example 3-21

20 Network Security20 12. Using NTP Network Time Protocol Critical for services requiring good time stamping: logging, AAA, Kerberos, … Challenge: authentication between devices exchanging NTP information

21 Network Security21 13. Login banners Sequence: –Login banner –login session –MOTD banner –EXEC banner (or incoming banner) Example: 3-25

22 Network Security22 14. Capturing core dumps In the event of system crash, the core dump may provide useful info for tracking the attack(s). Example: 3-26

23 Network Security23 15. Service nagle Nagle is an algorithm that can be enabled as a service on a Cisco router, to allow the router to pace the TCP connection for Telnet in a way that reduces the burden on the CPU and generally improves the performance of the Telnet session. –service nagle (Example 3-27)

24 Network Security24 Security of other devices Firewalls, switches, … Similar procedure –Check the default settings –‘Harden’ the device before placing it into use in the production network.

Download ppt "Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device."

Similar presentations

Configuring a Router Harold Hernandez, MS, CCNI. 3.1 Configuring a Router Name a router Set passwords Examine show commands Configure a serial interface.

Configuring a Router Harold Hernandez, MS, CCNI. 3.1 Configuring a Router Name a router Set passwords Examine show commands Configure a serial interface.
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing And Switching 2.0.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing And Switching 2.0.
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
CCNA2-1 Chapter 1 Introduction to Routing and Packet Forwarding CLI Configuration and Addressing.

CCNA2-1 Chapter 1 Introduction to Routing and Packet Forwarding CLI Configuration and Addressing.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Introduction to Switched Networks Routing and Switching.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Configuring a Network Operating System Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: Configuring a Network Operating System Introduction to Networks.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Device Security A device is a node helping to form the topology of the network. A compromised device may be used by the attacker as a jumping board. A.

Device Security A device is a node helping to form the topology of the network. A compromised device may be used by the attacker as a jumping board. A.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Exterior Gateway Protocol Border Gateway Protocol (BGP) Interior Gateway Protocol Routing Information Protocol (RIP) Enhanced Interior Gateway Protocol.

Exterior Gateway Protocol Border Gateway Protocol (BGP) Interior Gateway Protocol Routing Information Protocol (RIP) Enhanced Interior Gateway Protocol.

Similar presentations

Ads by Google