
1 Chapter 10 Security

2 A typical secured network

3 Recognizing Security Threats
1- Application-layer attacks. Ex: http://www.companyname.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\ (a directory-traversal request against IIS: %5c is the URL encoding of a backslash, so the path climbs out of the /scripts/ directory and asks the web server to run cmd.exe /c dir c:\)
2- Autorooters
3- Backdoors
4- Denial of service (DoS) and distributed denial of service (DDoS) attacks: TCP SYN flood (the handshake is SYN, SYN-ACK, ACK; the attacker sends many SYNs and never completes it, leaving half-open connections), Ping of death, Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K), Stacheldraht
5- IP spoofing
6- Man-in-the-middle attacks (using a sniffer)
7- Network reconnaissance (port scans, DNS queries, and ping sweeps)
8- Packet sniffers
9- Password attacks (IP spoofing, packet sniffing, and Trojan horses)
10- Brute force attacks
11- Port redirection attacks
12- Trojan horse attacks and viruses
13- Trust exploitation attacks

4 Mitigating Security Threats
1- Cisco's IOS Firewall
Stateful IOS Firewall inspection engine using Context-Based Access Control (CBAC)
Intrusion detection
Firewall voice traversal
ICMP inspection
Authentication proxy (RADIUS or TACACS+)
Router(config)#enable use-tacacs
Router(config)#tacacs-server ?
  host     Specify a TACACS server
  key      Set TACACS+ encryption key
  timeout  Time to wait for a TACACS server to reply
Router(config)#enable last-resort
(enable last-resort sets the fallback used when no TACACS server answers; choose the password form so that an unreachable server does not silently grant enable access.)
Destination URL policy management
Per-user firewalls
Cisco IOS router and firewall provisioning
Denial of service (DoS) detection and prevention
Dynamic port mapping
Java applet blocking
2- Basic and Advanced Traffic Filtering
Policy-based, multi-interface support
Network Address Translation (NAT)
Time-based access lists
Peer router authentication (RIPv2, EIGRP, or OSPF)

5 Access Lists
1- Standard access lists
2- Extended access lists
3- Advanced access lists
a- Inbound access lists
b- Outbound access lists
Uses of Access lists
Traffic filtration
Telnet (VTY) filtration
General Tips (applied inbound on the Internet-facing interface to stop spoofed packets)
Deny any packets whose source address belongs to your internal networks.
Deny any local host addresses (127.0.0.0/8).
Deny any reserved private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Deny any addresses in the IP multicast address range (224.0.0.0/4).
Every access list ends with an implicit deny, so a list made only of deny statements blocks everything; finish it with the permits you actually need.
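
The four tips above, written out as one inbound anti-spoofing list on the outside interface. This is an added example, not a slide from the presentation; the inside network 203.0.113.0/24, the web server 203.0.113.10 and the interface Serial0/0 are assumed.

```cisco
! Added example: anti-spoofing filter for an Internet-facing interface.
! Assumed: inside network 203.0.113.0/24 sits behind Serial0/0.
ip access-list extended ANTISPOOF-IN
 remark Packets arriving from the Internet must not claim our own addresses
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Loopback, RFC 1918 and multicast sources are never valid on the outside
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 remark Return traffic for sessions opened from inside (ACK or RST set)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark The one service published to the Internet
 permit tcp any host 203.0.113.10 eq www
 remark Everything else is dropped by the implicit deny
!
interface Serial0/0
 ip access-group ANTISPOOF-IN in
```

The wildcard masks are the inverse of the prefix masks: 0.15.255.255 for the /12 and 15.255.255.255 for the /4. The deny lines carry log so that show ip access-lists shows hit counters and spoofed packets appear in the log; check the counters after applying the list to confirm legitimate traffic is matching the permit lines and not the implicit deny.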

6 Standard Access Lists
Router(config)#access-list NO. Action Source
A standard list matches on the source address only, so it is placed as close to the destination as possible.
Router(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Router(config-if)#ip access-group 10 out (or in)

7 Wildcard Masking
A 0 bit in the wildcard must match, a 1 bit is ignored (the inverse of a subnet mask):
Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255      (matches 172.16.10.0 through 172.16.10.255)
Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255     (matches 172.16.0.0 through 172.16.255.255)
Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255      (matches 172.16.16.0 through 172.16.19.255, a block of four /24s)
As written ACL 10 contains only deny lines, so with the implicit deny it would block all traffic; a permit must follow.
Controlling VTY (Telnet) Access
Router(config)#access-list 50 permit 172.16.10.3
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in
Only 172.16.10.3 can open a Telnet or SSH session to the router; every other source hits the implicit deny. Applying the list with access-class on the lines is simpler and safer than trying to filter the router's own management traffic with ip access-group on every interface.

8 Extended Access Lists
Router(config)#access-list NO. Action Protocol Source Destination Condition Port no.
Ex:
Router(config)#access-list 110 permit tcp any host 172.16.30.2 eq 80
Router(config)#access-list 110 deny tcp any host 172.16.30.2 gt 1023
Router(config)#int s0
Router(config-if)#ip access-group 110 out
Entries are checked top to bottom and the first match wins; anything that matches no line is dropped by the implicit deny. This list therefore lets only HTTP to 172.16.30.2 leave s0 and nothing else, and the explicit deny of ports above 1023 is redundant with the implicit deny.
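
The same intent as ACL 110 above (web only to 172.16.30.2) but with the implicit deny made explicit and all other traffic through s0 left alone. This is an added example, not from the slide; the interface and addresses are the slide's own.

```cisco
! Added example: restrict 172.16.30.2 to HTTP without cutting off everything else.
! Order matters: the permit for port 80 must come before the deny for the host.
access-list 110 remark Web only to 172.16.30.2, all other traffic unrestricted
access-list 110 permit tcp any host 172.16.30.2 eq www
! deny ip (not just tcp gt 1023) so UDP, ICMP and low TCP ports to the server are blocked too
access-list 110 deny   ip  any host 172.16.30.2 log
! explicit final permit: without it the implicit deny drops every other packet leaving s0
access-list 110 permit ip  any any
!
interface Serial0
 ip access-group 110 out
```

Because numbered lists cannot be edited in place, adding the final permit to the slide's existing ACL 110 means removing the list with no access-list 110 and re-entering it in the right order; a named extended list (next slide) lets you insert lines instead.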

9 Access Lists Example

10 Advanced Access Lists
1- Named ACLs
2- Switch Port ACLs
3- Time based ACLs
1- Named ACLs
Router(config)#ip access-list ?
  extended  Extended Access List
  logging   Control access list logging
  standard  Standard Access List
Router(config)#ip access-list standard BlockSales
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
The list does nothing until it is applied to an interface with ip access-group (or to the VTY lines with access-class), as on the earlier slides.

11 2- Switch Port ACLs
Conditions
1- Inbound only.
2- Named only.
Switch(config)#mac access-list extended Name_of_list
Switch(config-ext-macl)#Action Source Destination
Ex:
Switch(config)#mac access-list extended Block_MAC_Sales
Switch(config-ext-macl)#deny any host 000d.29bd.4b85
Switch(config-ext-macl)#permit any any
Switch(config-ext-macl)#int f0/6
Switch(config-if)#mac access-group Block_MAC_Sales in
Filtering on a MAC address is a weak control: the source MAC is set by the sending host and is trivially changed, so use it for housekeeping rather than as a security boundary.

12 3- Time-Based ACLs
Router(config)#time-range no-http
Router(config-time-range)#periodic we?
  Wednesday  weekdays  weekend
Router(config-time-range)#periodic weekend ?
  hh:mm  Starting time
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#time-range tcp-yes
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#ip access-list extended Time
Router(config-ext-nacl)#deny tcp any any eq www time-range no-http
Router(config-ext-nacl)#permit tcp any any time-range tcp-yes
Router(config-ext-nacl)#interface f0/0
Router(config-if)#ip access-group Time in
An entry whose time range is not active is skipped. With both ranges set to weekend 06:00 to 12:00, this list blocks HTTP and permits other TCP during that window; outside it every packet arriving on f0/0, including non-TCP traffic, falls through to the implicit deny. Time ranges are evaluated against the router clock, so set the clock or configure NTP before relying on them.
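
A time-based list in the form it is usually wanted: deny web browsing from the LAN during office hours and leave everything else untouched at all times. This is an added example rather than the slide's configuration; FastEthernet0/0 facing the LAN and the NTP server 192.0.2.1 are assumed.

```cisco
! Added example: no HTTP/HTTPS from the LAN during office hours, all else permitted.
! Assumed: FastEthernet0/0 faces the LAN, 192.0.2.1 is a reachable NTP server.
!
! The time range is compared against the router clock, so keep it synchronised.
ntp server 192.0.2.1
!
time-range OFFICE-HOURS
 periodic weekdays 08:00 to 17:00
!
ip access-list extended NO-WEB-AT-WORK
 remark Entries with an inactive time range are skipped, so outside office
 remark hours these two lines do nothing and the final permit applies
 deny   tcp any any eq www time-range OFFICE-HOURS
 deny   tcp any any eq 443 time-range OFFICE-HOURS
 remark Explicit final permit: without it the implicit deny would drop
 remark all non-web traffic around the clock
 permit ip  any any
!
interface FastEthernet0/0
 ip access-group NO-WEB-AT-WORK in
```

The difference from the slide's Time list is the unconditional permit ip any any at the end: the slide's list has no entry that is active outside the weekend window, so it silently blocks all inbound traffic on f0/0 the rest of the week.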

13 Remarking Access Lists
Router#config t
Router(config)#access-list 110 remark Permit Bob from Sales Only To Finance
Router(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
Router(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255

14 Using SSH instead of Telnet
1- Enable the HTTP/HTTPS server
Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#ip http authentication local
(The HTTPS server is enabled here because turning it on generates the RSA key pair that SSH also needs. ip http server is plain HTTP and sends credentials in the clear, so leave it off unless the web interface is actually required; 1024 bits is the minimum key size, not a recommended one.)
2- Create a user account using privilege level 15 (the highest level)
Router(config)#username cisco privilege ?
  <0-15>  User privilege level
Router(config)#username cisco privilege 15 password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
Router(config)#username cisco privilege 15 password 0 cisco
A type 7 password is only obfuscated and is trivially reversed; store the account with username ... secret, which keeps a one-way hash, and choose a real password rather than cisco.

15 3- Configure the console, SSH, and Telnet lines to use local login authentication with privilege level 15 access
Router(config)#line console 0
Router(config-line)#login local
Router(config-line)#exit
Router(config)#line vty 0 ?
  <1-1180>  Last Line number
Router(config)#line vty 0 1180
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet
Router(config-line)#transport input telnet ssh
Router(config-line)#^Z
Router#clock set 00:00:00 21 mar 2009
Each transport input command replaces the previous one, so the lines end up accepting both Telnet and SSH; to really replace Telnet the last command must allow ssh only. privilege level 15 on the line drops every authenticated user straight into privileged mode regardless of the level set on their username, so it is safer to leave it off and rely on the username's privilege. The clock is set so that the certificate generated by the HTTPS server carries a valid date.
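
The SSH setup above with the weak points removed: keys generated directly, a hashed credential, SSH-only transport and an access-class on the lines. This is an added example and not the presentation's configuration; the hostname R1, domain example.net, management subnet 172.16.10.0/24, the username and the passphrase are all assumed.

```cisco
! Added example: SSH-only management access. Hostname, domain, subnet,
! username and passphrase are assumed values.
hostname R1
ip domain-name example.net
! The RSA key is labelled hostname.domain, so both must be set first.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 'secret' stores a one-way hash; 'password 7' is reversible obfuscation.
username admin privilege 15 secret S0me-Str0ng-Passphrase
service password-encryption
!
! Only the management subnet may reach the VTY lines at all.
access-list 50 remark Management stations
access-list 50 permit 172.16.10.0 0.0.0.255
!
line console 0
 login local
 exec-timeout 10 0
!
! Apply to every VTY line the platform has (line vty 0 ? shows the last number);
! an unguarded spare line is an open door. No 'privilege level 15' here:
! the user's own privilege applies after login.
line vty 0 4
 access-class 50 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! The web server was only a shortcut for key generation; disable it if unused.
no ip http server
no ip http secure-server
```

Verify with show ip ssh (version and key present) and show line vty 0 4 after an SSH login; a Telnet attempt from the management subnet should now be refused by the line itself, and any connection from outside 172.16.10.0/24 is dropped by access-class before authentication is attempted.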

16 Viewing Access Lists
Router#show access-list
Router#show access-list 110
Router#show ip access-list
Router#show ip interface
Router#show running-config
Switch#show mac access-group
show access-list displays each entry with its match counter, which is the quickest way to see whether traffic is hitting the line you expect; show ip interface shows which list is applied to each interface and in which direction.
