
Implementing Secure Converged Wide Area Networks (ISCW)



  1. Implementing Secure Converged Wide Area Networks (ISCW) Module 5 – ‘Cisco Device Hardening’

  2. IDS = Intrusion Detection System; IPS = Intrusion Protection System; HIPS = Host Intrusion Protection System

  3. The new, updated version is called RFC 3704 filtering
     • Encryption
     • Access control configuration

  4. Worm Attack, Mitigation and Response
     The anatomy of a worm attack has three parts:
     • The enabling vulnerability: a worm installs itself on a vulnerable system
     • Propagation mechanism: after gaining access to devices, a worm replicates and selects new targets
     • Payload: once the worm infects the device, the attacker has access to the host, often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.

  5. Worm Attack Mitigation
     Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.
     Recommended steps for worm attack mitigation:
     • Containment: contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.
     • Inoculation: start patching all systems and, if possible, scanning for vulnerable systems.
     • Quarantine: track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
     • Treatment: clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

  6. SNMPv3 is encrypted and secure.

  7. Disabling Unused Cisco Router Network Services and Interfaces

  8. Unnecessary Services and Interfaces

  9. Commonly Configured Management Services

  10. Path Integrity Mechanisms

  11. Probe and Scan Features

  12. Terminal Access Security

  13. ARP Service

  14. AutoSecure Functions
     AutoSecure can selectively lock down:
     • Management plane services and functions: Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner. Also provides password security and SSH access.
     • Forwarding plane services and functions: CEF, traffic filtering with ACLs
     • Firewall services and functions: Cisco IOS Firewall inspection for common protocols
     • Login functions: password security
     • NTP protocol
     • SSH access
     • TCP Intercept services
     Syntax:
     Router# auto secure ?
       forwarding   Secure Forwarding Plane
       management   Secure Management Plane
       no-interact  Non-Interactive session of AutoSecure
       <cr>

  15. SSH Configuration
     Router(config)# ip domain-name [domain name]
     Router(config)# crypto key generate rsa ?
       general-keys  Generate a general purpose RSA key pair for signing and encryption
       usage-keys    Generate separate RSA key pairs for signing and encryption
       <cr>
     Router(config)# crypto key generate rsa general-keys modulus [modulus = key size in bits (360-2048)]
     Keys larger than 512 bits are recommended; 1024 bits is normally used.

  16. AutoSecure Failure Rollback Feature
     If AutoSecure fails to complete its operation, the running configuration may be corrupt.
     In Cisco IOS Release 12.3(8)T and later releases:
     • A pre-AutoSecure configuration snapshot is stored in flash under the filename pre_autosec.cfg
     • Rollback reverts the router to its pre-AutoSecure configuration
     • Command: configure replace flash:pre_autosec.cfg
     If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.

  17. Locking Down Routers with Cisco SDM
     • SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI
     • SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software
     • SDM contains a Security Audit wizard that performs a comprehensive router security audit
     • SDM uses security configurations recommended by the Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings
     • The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies
     • SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature

  18. Securing Cisco Router Administrative Access

  19. Setting a Login Failure Blocking Period
     router(config)# login block-for seconds attempts tries within seconds
     • Blocks access for a quiet period after a configurable number of failed login attempts within a specified period
     • Must be entered before any other login command
     • Mitigates DoS and break-in attacks
     Perth(config)#login block-for 100 attempts 2 within 100

  20. Excluding Addresses from Login Blocking
     router(config)# login quiet-mode access-class {acl-name | acl-number}
     • Specifies an ACL that is applied to the router when it switches to the quiet mode
     • If not configured, all login requests will be denied during the quiet mode
     • Excludes IP addresses from failure counting for the login block-for command
     Perth(config)#login quiet-mode access-class myacl

  21. Setting a Login Delay
     router(config)# login delay seconds
     • Configures a delay between successive login attempts
     • Helps mitigate dictionary attacks
     • If not set, a default delay of one second is enforced after the login block-for command is configured
     Perth(config)#login delay 30
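The three login-hardening commands on slides 19 to 21 interact (failure window, quiet period, ACL exemption, inter-attempt delay). The following model is an added example written for this page, not Cisco's implementation; it simplifies the IOS behaviour so the interaction can be traced against a constructed attempt sequence.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class LoginGuard:
    """Model of 'login block-for', 'login quiet-mode access-class' and 'login delay'
    (a simplification written for this example, not Cisco's implementation)."""
    block_for: int                     # seconds of quiet mode once the threshold is hit
    attempts: int                      # failures that trigger quiet mode
    within: int                        # window (seconds) in which failures are counted
    delay: int = 1                     # IOS enforces a 1 s default once block-for is set
    quiet_acl: list = field(default_factory=list)   # networks exempt from quiet mode
    failures: list = field(default_factory=list)    # timestamps of counted failures
    quiet_until: float = 0.0
    last_attempt: float = float("-inf")

    def exempt(self, src):
        """True if src matches the quiet-mode ACL (still permitted during quiet mode)."""
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(n) for n in self.quiet_acl)

    def attempt(self, t, src, ok):
        """Outcome of a login attempt at time t: allow, fail, delay or quiet."""
        if t < self.quiet_until and not self.exempt(src):
            return "quiet"                               # blocked for the quiet period
        if t - self.last_attempt < self.delay:
            return "delay"                               # too soon after the last attempt
        self.last_attempt = t
        if ok:
            return "allow"
        if not self.exempt(src):                         # ACL hosts are not counted
            self.failures = [f for f in self.failures if t - f < self.within] + [t]
            if len(self.failures) >= self.attempts:
                self.quiet_until, self.failures = t + self.block_for, []
        return "fail"

def scenario():
    """Constructed sequence: password guessing from 203.0.113.5 while an
    administrator in the exempt 10.0.0.0/8 network logs in. Uses Perth's values."""
    g = LoginGuard(block_for=100, attempts=2, within=100, delay=30, quiet_acl=["10.0.0.0/8"])
    return [g.attempt(0, "203.0.113.5", False),    # first counted failure
            g.attempt(10, "203.0.113.5", False),   # inside the 30 s login delay
            g.attempt(30, "203.0.113.5", False),   # second failure -> quiet mode until t=130
            g.attempt(60, "203.0.113.5", True),    # correct password, still blocked
            g.attempt(60, "10.1.1.1", True),       # exempt via quiet-mode access-class
            g.attempt(131, "203.0.113.5", True)]   # quiet period over
```

Without the quiet-mode ACL the administrator's attempt at t=60 would also return "quiet", which is the lock-out risk slide 20 warns about.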

  22. Configuring Role-Based CLI

  23. Role-Based CLI Overview
     • Root view is the highest administrative view
     • Creating and modifying a view or ‘superview’ is possible only from root view
     • The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews
     • CLI views require AAA new-model: this is necessary even with local view authentication
     • View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"
     • A maximum of 15 CLI views can exist in addition to the root view

  24. Getting Started with Role-Based CLI
     router# enable [privilege-level] [view [view-name]]
     • Enter a privilege level or a CLI view.
     • Use the enable command with the view parameter to enter the root view.
     • Root view requires privilege Level 15 authentication.
     • aaa new-model must be enabled.
     Perth(config)#aaa new-model
     Perth(config)#exit
     Perth#enable view
     Password:
     Perth#
     %PARSER-6-VIEW_SWITCH: successfully set to view 'root'

  25. Configuring CLI Views
     router(config)# parser view view-name
     • Creates a view and enters view configuration mode
     router(config-view)# password 5 encrypted-password
     router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
     • Sets a password to protect access to the view
     • Adds commands or interfaces to a view
     Perth(config)#parser view monitor_view
     Perth(config-view)#password 5 hErMeNe%GiLdE!
     Perth(config-view)#commands exec include show version

  26. Mitigating Threats and Attacks with Access Lists

  27. Configuring SNMP

  28. SNMPv1 and SNMPv2 Architecture SNMP asks agents embedded in network devices for information or tells the agents to do something.

  29. Community Strings
     In effect, having read-write access is equivalent to having the enable password!
     • SNMP agents accept commands and requests only from SNMP systems that use the correct community string.
     • By default, most SNMP systems use a community string of “public”.
     • If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB.
     • Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created!

  30. SNMPv3 Features and Benefits
     It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2.
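The AutoSecure management-plane list (slide 14), the SDM Security Audit (slide 17) and the community-string warnings (slides 29 and 30) all amount to checks over a running-config. Below is an added example of such an audit, written for this page and not Cisco's SDM or AutoSecure code; the sample config is constructed, and the script assumes the relevant lines appear explicitly (it does not infer IOS defaults that are hidden from show running-config).

```python
import re

# Constructed sample running-config, not from the presentation: a mix of
# hardened and unhardened settings so the audit has findings to report.
SAMPLE_CONFIG = """\
service tcp-small-servers
aaa new-model
login block-for 100 attempts 2 within 100
no cdp run
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
snmp-server community public RO
snmp-server community s3cr3t RW
end
"""

# Explicit lines expected in the config (IOS hides defaults, so they are not inferred).
REQUIRED_GLOBAL = ["no ip source-route", "no cdp run", "service password-encryption",
                   "aaa new-model", "login block-for"]
# Services AutoSecure turns off; any of these lines present is a finding.
FORBIDDEN_GLOBAL = ["service tcp-small-servers", "service udp-small-servers",
                    "service finger", "ip http server", "ip bootp server"]
REQUIRED_PER_INTERFACE = ["no ip redirects", "no ip proxy-arp"]

def audit(config):
    """Return findings (strings) for an IOS-style running-config text."""
    lines = config.splitlines()
    findings = [f"missing global: {r}" for r in REQUIRED_GLOBAL
                if not any(l.startswith(r) for l in lines)]
    findings += [f"insecure service enabled: {b}" for b in FORBIDDEN_GLOBAL if b in lines]
    iface, per_iface = None, {}          # interface stanza -> set of indented commands
    for l in lines:
        if l.startswith("interface "):
            iface = l.split(" ", 1)[1]
            per_iface[iface] = set()
        elif l.startswith(" ") and iface:
            per_iface[iface].add(l.strip())
        else:
            iface = None                 # stanza ends at the next unindented line
    for name, cmds in per_iface.items():
        findings += [f"{name}: missing {r}" for r in REQUIRED_PER_INTERFACE if r not in cmds]
    # SNMPv1/v2c community strings: well-known names and RW access are the slide's warnings.
    for m in filter(None, (re.match(r"snmp-server community (\S+)(?: (RO|RW))?", l) for l in lines)):
        name, mode = m.group(1), m.group(2) or "RO"
        if name.lower() in ("public", "private"):
            findings.append(f"well-known SNMP community '{name}' ({mode})")
        if mode == "RW":
            findings.append(f"RW community '{name}' is equivalent to the enable password")
    return findings
```

Running audit(SAMPLE_CONFIG) reports six findings, including the enabled TCP small servers, the missing no ip proxy-arp on FastEthernet0/0, and both community strings.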

  31. Configuring NTP on Cisco Routers

  32. NTP-Authentication

  33. NTP-Server

  34. NTP-Associations

  35. Configuring AAA on Cisco Routers

  36. The Three Components of AAA
     • Authentication: provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption
     • Authorisation: provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
     • Accounting: provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes

  37. AAA Protocols: RADIUS and TACACS+

  38. AAA-Server Configuration

  39. AAA-Authentication Configurations CLI

  40. AAA-Authorization Configuration

  41. AAA-Authorization Configuration

  42. AAA-Accounting Configuration

  43. AAA-Accounting Configuration
