Internet Security ‘Internet and Intranet - meeting future business needs’

Presentation Transcript


Cisco Systems Confidential



Before we Begin......

  • Attendees agree that this information will be circulated on a very strict need-to-know basis, as it is sensitive and can cause security problems.

  • While the information in this document is not confidential, there is information that could be harmful if given to the wrong individuals.

  • The only way to understand security problems is to know what they are. This means that they may also be exploited by those who are untrustworthy.


New Network Threats

Headlines: “Netcom Credit Card Information Stolen”; “CIA Web Site Hacked”


Need for More Security

… and the “Net” Has Changed!

Original ARPAnet vs. Today’s Internet, and the implications:

  • Original ARPAnet (1983): 200 core nodes; linear growth. Today’s Internet: 11.6 million core nodes; exponential growth. Implication: shortage of unique IP network numbers imminent (CIDR, NAT, DHCP for client only, IPv6).

  • Original ARPAnet: large time-sharing nodes, mostly educational. Today’s Internet: large and distributed ISP-connected organizations.

  • Original ARPAnet: “difficult” security, underlying technology known to few. Today’s Internet: numerous untrusted private-sector hosts; hackers abound. Implication: firewalls, encryption.


Internetwork

(Diagram: the Internet connecting Small Business, Consumers, Professional Office and Enterprise networks)



Putting Things in Perspective

  • 75% of computer attacks are never detected.

  • Only 15% of all computer crimes are instigated by outsiders.

  • 80% - 85% are launched by insiders - people you thought you could trust.


Where’s the Threat? Corporate Space

(Diagram: a corporate network with Internet and terminal-server connections; 80% of the threat is attributed to employees inside, 20% to the outside)


Where’s the Threat? ISP Space

(Diagram: an ISP network serving a corporate network, with Internet and terminal-server connections; 80% of the threat is attributed to the ISP’s own customers, 20% to the outside)


Security Services

Have You Experienced Computer or Network Security Breaches in the Last Year?

  • No: 52%

  • Yes: 48%

Source: Computer Security Institute and FBI Computer Crime Division, Fortune 500 Survey, 1995


What are the Threats?

  • “Trusted” Users: remember, 80-85% of all break-ins are caused by people who are insiders.

  • Amateurs: cyberpunks, hackers, vandals, crackers, jerks, etc.

  • Professionals: a no-win situation.



What are the Threats?

“Trusted” Users

  • 80% - 90% of all break-ins are caused by people who work for the organizations they broke into!

  • Many are caught accidentally

  • Many are amateurs and are caught because they are careless

  • Most are quietly removed

  • Very few are reprimanded



What are the Threats?

“Trusted” Users

  • Extremely few are prosecuted by the legal system

    • Never at a financial institution

    • Never at a site where there is possible harm to life or where there is a tie-in to public view

    • In some places there is little understanding of how to handle the legal problem

    • Most companies do not want publicity



What are the Threats?

“Trusted” Users

  • Most break-ins are one of the following:

    • Greed-oriented

    • Revenge-oriented

    • Malicious

    • Information acquisition

    • Accidental initially, but then seen as an opportunity by the user of the system



What are the Threats?

Amateurs

  • Amateurs usually leave a trail that is not too difficult to pick up

  • Amateurs will eventually screw up

  • Amateurs do not know when to quit

  • Amateurs, with careful monitoring, may be found quickly

  • Most Internet Cyberpunks are Amateurs



What are the Threats?

Professionals

  • Professionals are rarely detected

  • Professionals are difficult to find

  • Professionals will usually originate from a break-in elsewhere

  • Professionals leave no traceback

  • Professionals know when it is time to leave

  • Professionals will take what they want, no matter what is done to safeguard information



What are the Threats?

Bottom Line.......

  • If someone wants the information bad enough, and he/she knows what they are doing, they will not be stopped and you may consider the information to be “history.”


IT Issues

(Chart of business value/importance over time: Internet traffic, load/traffic and connectivity rise steeply toward today, while IT spending grows at less than 10%)

  • Enterprise information becoming more valuable/vulnerable


The Security Dilemma

  • Security is complicated to implement

  • Security cannot be implemented uniformly

  • Internet connection is a security risk

More than 200 Fortune 1000 companies were asked if they had detected attempts from outsiders to gain computer access in the past 12 months:

  • Yes: 58%

  • No: 12%

  • Don’t know: 30%

If “yes”, how many successful accesses were detected?

  • 1-10: 42%

  • 11-20: 25%

  • 21-30: 16%

  • 31-40: 10%

  • 41-50: 5%

  • 50+: 2%

Source: Warroom Research


Solutions: Before you Begin.......

  • On-Site Security Policy

  • Host Security (UNIX/VMS)

  • Workstation Security (X, MS, Mac, OS/2)

  • Network Security

  • Password Policies

  • Application Security

  • Tools to Track Attacks

  • Ability to lock ‘em up (every security policy needs a hammer)


Creating Cisco Solutions

(Diagram of Cisco product lines and the solutions built on them)

  • Internet BU products: firewalls, translation gateways, traffic directors, client software, server software

  • Workgroup products, core products, access products and InterWorks products, with integration into Cisco IOS™ software

  • End-to-end security solutions; end-to-end multimedia solutions

  • Internet/intranet connectivity and security for Novell and DEC customers

  • Scalable “plug-and-play” TCP/IP environments

  • Scalability for global and enterprise WWW applications


Security Is a System

Physical Security Example: “What Are You Trying to Protect?”

(Diagram of a car’s layered protection: perimeter detector (door entry), sound detector (glass entry), motion detector (wheels/entry), lock nuts (wheels), engine kill (theft), locator/detector (theft))



Technical Requirements

  • Authentication

    • Who it is

  • Authorization

    • What is permitted

  • Accounting

    • What was done

  • Data integrity

    • Data is unaltered

  • Confidentiality

    • No unauthorized review

  • Assurance

    • Everything operates as specified


Cisco Security Today

(Diagram of security features across the Dial, Firewall and Network Infrastructure areas: TACACS+/RADIUS, logging, NAT, PAP/CHAP, token card support, GRE tunnels, route filtering, CiscoSecure™, privilege levels, access control lists, certificate authority, Lock-and-Key, Kerberos, cut-through proxy, encryption, L2F)


Solutions: Before you Begin.......

Security is an ATTITUDE!


Security Objective: Balance

(Diagram of a balance: Security (authentication, authorization, accounting, assurance, confidentiality, data integrity) weighed against Access (connectivity, performance, transparency))

Every Customer’s Needs will Be Different!


Host Security

If a host is not secure, then neither is the network

(Diagram of host services that expose it: file sharing, anonymous FTP, guest login, mail)


Network Security Options

(Diagram of the option areas: user authentication, secure routing, address translation, multiprotocol tunnels, access control, enterprise gateways, event logging, legacy integration, encryption)

  • No Internet connection

  • Packet filtering with Access Control List (ACL)

  • Firewalls

  • Privacy with encryption


Definition of a Firewall

Firewalls are perimeter security solutions, deployed between a trusted and an untrusted network, often a corporate LAN and an Internet connection.


Firewall Architecture

Cisco IOS 11.2:

  1. Access lists

  2. Packet filtering

  3. Network Address Translation

  4. Encryption

(Diagram: the Internet connects through a Cisco IOS firewall performing packet filtering to the public WWW, public FTP and DNS/mail servers)


Firewall Architecture

  • Cisco PIX Firewall: dedicated

(Diagram: the Internet connects through a dedicated Cisco PIX Firewall to the public WWW, public FTP and DNS/mail servers)


Demilitarized Zone (DMZ)

(Diagram: the public WWW, public FTP and DNS/mail servers placed in a DMZ between the Internet and the internal network)


Proxy Servers

(Diagram: a proxy server between the internal network and the Internet carrying outbound-only connections, with the public WWW, public FTP and DNS/mail servers alongside)


Firewall with Address Translation

  • Cisco PIX Firewall: dedicated

  • Cisco IOS 11.2: NAT in software

(Diagram: private IPs 10.0.0.0 inside are translated, by a PIX Firewall or a CiscoSecure access router, to registered IPs 192.128.234.0 toward the Internet; public WWW, public FTP and DNS/mail servers sit on the registered side)


Encryption

(Diagram: “YOUR Text” leaves one site, crosses the Internet as cipher text “2$3B9F37” and arrives as “YOUR Text” at the other; public WWW, public FTP and DNS/mail servers alongside)


Scaling Internet Firewalls

By link speed:

  • Fractional E1/T1: small office; all in one; costs less

  • = E1/T1: gateway router and firewall; encryption performance

  • > DS3/45 Mbps: gateway router and firewalls; scalable encryption performance



Dial Security

  • Centralized security with TACACS+ / RADIUS

  • Lock and Key


Centralized Security

(Diagram: a dial client authenticates through the access server to a CiscoSecure TACACS+ or RADIUS server, which provides authentication, authorization and accounting)


Lock and Key

  • Enables dynamic Access Control Lists

  • Single user on a LAN

  • Per-user authorization and authentication

(Diagram: an authorized user is admitted through the router after CiscoSecure authentication; a non-authorized user is blocked from the Internet path)


Virtual Private Dial Networks

  • Encrypted access

  • Multiprotocol — IP, IPX, SNA, AppleTalk

(Diagram: remote dial users reach the corporate network across the Internet, authenticated by a CiscoSecure TACACS+ server)



Virtual Private Networks

  • IOS

  • PIX


Virtual Private Networks

  • Replace private WAN with public network access

  • Intracompany traffic is private and authenticated

  • Internet access is transparent

(Diagram: a corporate LAN and two remote offices connected over the public network)


Encryption Alternatives

(Diagram of where encryption can sit: application-layer encryption at the application layers (5–7); network-layer encryption at the transport/network layers (3–4); link-layer encryption at the link/physical layers (1–2), applied on each link)



Application Encryption

  • Encrypts traffic to/from interoperable applications

  • Specific to application, but network independent

  • Application dependent

    • All users must have interoperable applications

  • Examples: S/MIME, PEM, Oracle Securenet, Lotus cc:Mail and Notes.


Network Encryption

(Diagram: traffic from host A to the HR server is encrypted; all other traffic, such as to the e-mail server and hosts B and D, is clear)

  • Encrypts traffic between specific networks, subnets, or address/port pairs

  • Specific to protocol, but media/interface independent

  • Does not need to be supported by intermediate network devices

  • Independent of intermediate topology

  • Example: Cisco IOS and PIX



Link Encryption

  • Encrypts all traffic on a link, including network-layer headers

  • Specific to media/interface type, but protocol independent

  • Topology dependent

    • Traffic is encrypted/decrypted on a link-by-link basis

    • All alternative paths must be encrypted/decrypted


Cisco IOS Encryption Services

  • Policy by network, subnet, or address/port pairs (ACL)

  • DSS for device authentication; Diffie-Hellman for session key management

  • DES for bulk encryption

    • DES 40 bit—generally exportable

    • DES 56 bit—restricted

  • Hardware assist—VIP2 service adapter

(Diagram: traffic from A to C and D is clear, traffic from B to C and D is encrypted; A and B share a private WAN with the e-mail server and the HR/financial server, while C and D are reached over the public Internet)


Cisco IOS Encryption Options

  • Cisco IOS software on 100X, 25xx, 4xxx, 7xxx series routers

  • On Cisco RSP 7000 and 7500 series, encryption services are performed

    • Centrally on the master RSP and/or

    • Distributed on the VIP2-40

  • Encryption service adapter for Versatile Interface Processors (VIP)

    • Provides higher-performance encryption for local interfaces

    • Tamper-proof

(Diagram of a Cisco 7000/7500 chassis: master and slave Route Switch Processors alongside Versatile Interface Processors, each VIP carrying a port adapter and an encryption service adapter)


PIX Private Link

High-Performance Hardware Encrypted Virtual Private Networks!

PIX Private Link frame:

    MAC | IP | UDP | IP | Data | CRC

  • Outer MAC, IP and UDP headers: the encapsulation header

  • Inner IP header and data: the encrypted information

(Diagram: networks A and B, and networks C and D, are each joined by a pair of PIX/Private Link units across the public Internet; an IP packet enters one PIX and leaves the other as the same IP packet)



PIX Private Link Benefits

  • Secures data communication between sites

  • Reduces high monthly cost of dedicated leased lines

  • Complete privacy

  • Easy installation—two commands, no maintenance

  • Compliant with IETF IPsec: supports AH (RFC 1826) and ESP (RFC 1827)

  • Adds value to your Internet connection

  • Augments and backs up existing leased lines


Private Link

(Diagram: PIX A, at 171.69.236.2 on the corporate DMZ, links across the Internet to PIX B at 171.68.10.4, which fronts the satellite division’s private network 10.0.0.0. Behind PIX A the intranet holds Engineering 172.17.0.0, Marketing 172.18.0.0 and Executive 172.19.0.0, with TACACS+ and RADIUS servers, an SMTP gateway and a UNIX DB gateway)


Tricks to Secure Your Router



Protecting Your Router

  • Terminal Access Security

  • Transaction and Accounting Records

  • Network Management Security

  • Traffic Filters

  • Routing Protocol Security

  • Securing Router Services


The Router’s Role in a Network

(Diagram: routers sit between the Internet, the TCP/IP host systems and the IPX segment of DOS, Windows and Mac workstations)


Terminal Access Security


Console Access

  • Change your passwords; do not use the default.

  • Make sure the privilege (enable) password is different from the access (login) password.

  • Use mixed-character passwords; this adds difficulty to crack attempts.

  • Configure session time-outs.

  • Use the password encryption feature to encrypt the passwords in configuration images and files.

  • Use enable secret rather than enable password; it stores the password with the stronger one-way hash.


Telnet Access

  • Configure ALL the VTY ports!

  • Create an access list for the VTY ports; it limits the range of IP addresses that can Telnet into the router.

  • Limit or block TCP port 57 (open Telnet with no password write over).

  • Do not use commands like ip alias on the Cisco unless you really need to.

  • Block connections to echo and discard with no service tcp-small-servers.


Telnet Access

Enter configuration commands, one per line. End with CNTL/Z.

    serial2-3(config)# access-list 101 deny tcp any any eq 57
    serial2-3(config)# access-list 101 permit tcp 165.21.0.0 0.0.255.255 any
    serial2-3(config)# line vty 0 5
    serial2-3(config-line)# access-class 101 in

    Extended IP access list 101
        deny tcp any any eq 57
        permit tcp 165.21.0.0 0.0.255.255 any

The permit entry uses the wildcard mask 0.0.255.255 so that it matches the whole 165.21.0.0 network: in an IOS wildcard, bits set to 1 are ignored, the inverse of a subnet mask.



Multiple Privilege Levels

  • Division of responsibilities

    • Help desk and network manager

    • Security and network operations

  • Provides internal controls

  • Users can only see configuration settings they have access to



Configuring Multiple Privilege Levels

  • Set the privilege level for a command

  • Change the default privilege level for lines

  • Display current privilege levels

  • Log in to a privilege level



Multiple Privilege Example

  • Configuration

    • enable password level 15 pswd15

    • privilege exec level 15 configure

    • enable password level 10 pswd10

    • privilege exec level 10 show running-config

  • Login/Logout

    • enable <level>

    • disable <level>



What Is AAA?

  • Authentication

    • Something you are

      • Unique, can’t be left at home: retina, prints, DNA

    • Something you have

      • Hardware assist: DES card

    • Something you know

      • Cheap low overhead solution: fixed passwords

  • Authorization

    • What you’re allowed to do: connections, services, commands

  • Accounting

    • What you did, and when

  • It’s also an architectural framework:

    • Protocol-independent formats

    • Easy to support multiple protocols

    • Consistent configuration interface

    • Good scalability for large ISPs with volatile databases and lots of accounting data


TACACS+

(Diagram: a user at a virtual terminal tells Router A, the TACACS+ client, “I would like to log into Router A; my name is JSmith; my password is *****”; Router A asks the TACACS+ server “Is JSmith with password ***** an authorized user?”)


Token Card

(Diagram: the user reads a token code, “3 1 7 8 4 5 4”, from a token card and sends username/password + token to a Cisco 500-CS; the security server, from one of Cisco’s security server partners, checks it and access is permitted)


Transaction and Accounting Records


Transaction Records

  • Q: How do you tell when someone is cracking into your router, hub, or switch?

  • Consider some form of audit trail:

    • Use the UNIX logging features (if it has any), with cron scripts to alert you when there are potential problems.

    • SNMP traps and alarms.

    • Implement TACACS+, RADIUS, Kerberos, or third-party solutions like Security Dynamics SmartCard.


Transaction Records

  • UNIX logging (router configuration):

    logging buffered 16384
    logging trap debugging
    logging 169.222.32.1

(Diagram: logging flow from the router to a UNIX workstation with logging configured)


Network Management Security



SNMP

  • #1 Source of Intelligence on a victim's network!

  • Do you know when someone is running an SNMP discovery tool on your network?

  • Do you block SNMP on your firewall?



SNMP

  • Change your community strings! Do not leave the defaults on!

  • Use different community strings for the RO and RW communities.

  • Do NOT use RW community unless you are desperate!

  • Use mixed characters in the community strings. Yes, even SNMP community strings can be cracked!



SNMP

  • Use an access list on SNMP. Limit who can make SNMP queries. If someone needs special access (e.g. for monitoring an Internet link), then create a special community string and access list.

  • Explicitly point SNMP traffic back to the authorized workstation


SNMP

Example configuration: a read-only community restricted by access list 1 to the management station, with traps sent back to that station.

    snmp-server community apricot RO 1
    snmp-server trap-authentication
    snmp-server enable traps config
    snmp-server enable traps envmon
    snmp-server enable traps bgp
    snmp-server host 169.223.2.2 apricot
    access-list 1 permit 169.223.2.2
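An added Python example (not from the deck) of the cron-style log alerting the Transaction Records slide asks for, and an answer to the SNMP slide's question about spotting a discovery tool: it scans constructed syslog lines shaped like IOS messages forwarded to a UNIX logging host for SNMP authentication-failure bursts, configuration changes and denies logged by the anti-spoofing access list. The log lines, host name and thresholds are constructed assumptions.

```python
"""Cron-style alerting over router syslog, as the Transaction Records slide suggests ("cron
scripts to alert you when there are potential problems") and as an answer to the SNMP slide's
question "Do you know when someone is running an SNMP discovery tool on your network?".
Added example, not from the deck. The log lines are constructed; they imitate the shape of
IOS messages forwarded to a UNIX syslog host (daemon timestamp and host name in front, then
the router's sequence number) but were not captured from a real device."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
                     r"%(?P<msg>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$")
SNMP_SRC_RE = re.compile(r"from host (\d+\.\d+\.\d+\.\d+)")
ACL_DENY_RE = re.compile(r"list (\S+) denied \S+ (\d+\.\d+\.\d+\.\d+)")

SAMPLE_LOG = """\
Mar 3 10:01:02 gw1 12: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar 3 10:01:03 gw1 13: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar 3 10:01:03 gw1 14: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar 3 10:01:04 gw1 15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar 3 10:01:05 gw1 16: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar 3 10:02:10 gw1 17: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 169.223.2.2
Mar 3 10:05:00 gw1 18: %SYS-5-CONFIG_I: Configured from console by vty0 (169.223.2.2)
Mar 3 10:07:31 gw1 19: %SEC-6-IPACCESSLOGP: list 101 denied tcp 131.108.5.5(1234) -> 131.108.1.1(23), 1 packet
Mar 3 10:07:32 gw1 20: %SEC-6-IPACCESSLOGP: list 101 denied tcp 131.108.5.5(1235) -> 131.108.1.1(23), 1 packet
"""


def parse_line(line: str, year: int = 1996):
    """Return (timestamp, host, message id, text), or None for lines that are not IOS messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"], m["text"]


def has_burst(times, threshold: int, window: timedelta) -> bool:
    """True if `threshold` or more events fall inside some sliding window of length `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def analyze(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Three checks a periodic cron job would run over the logging host's file: SNMP
    authentication-failure bursts per source (community guessing or a discovery tool walking
    the network), configuration changes (who reconfigured the router), and denies logged by
    the anti-spoofing access list (where the spoofed packets arrived from)."""
    snmp_fail_times = defaultdict(list)
    config_changes = []
    acl_denies = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _host, msg, text = rec
        if msg == "SNMP-3-AUTHFAIL":
            src = SNMP_SRC_RE.search(text)
            if src:
                snmp_fail_times[src.group(1)].append(ts)
        elif msg == "SYS-5-CONFIG_I":
            config_changes.append(text)
        elif msg.startswith("SEC-6-IPACCESSLOG"):
            d = ACL_DENY_RE.search(text)
            if d:
                acl_denies[(d.group(1), d.group(2))] += 1
    snmp_bursts = {src: len(ts) for src, ts in snmp_fail_times.items()
                   if has_burst(ts, threshold, window)}
    return {"snmp_bursts": snmp_bursts, "config_changes": config_changes,
            "acl_denies": dict(acl_denies)}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The single failure from the management station 169.223.2.2 stays below the burst threshold, while five failures in three seconds from 198.92.93.3 are flagged.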


Traffic Filters


IP Access List

  • <1-99> IP standard access list

  • <100-199> IP extended access list

  • <200-299> Protocol type-code access list

  • <700-799> 48-bit MAC address access list

  • <1100-1199> Extended 48-bit MAC address access list



Extended Access Lists

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

Example:

access-list 101 permit icmp any any log



Spoofing

  • Access list protections are based on matching the source.

  • Protect your router with something like the following:

    access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255

    access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255

    access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

  • Turn off IP source routing (no ip source-route)


Spoofing

(Diagram: a host on the Internet announces to the central site “Hello, I’m Branch Office X! Here is my routing-update!”, impersonating a legitimate branch office)


Spoofing

(Diagram: ISP A owns 198.92.93.0/24 and filters any inbound packets carrying a source in that range, since a packet arriving from ISP B with source 198.92.93.3 must be spoofed)



Denial of Service Attacks

  • TCP SYN attack: A sender using a series of random source IP addresses starts connections that cannot be completed, causing the connection queues to fill up, thereby denying service to legitimate TCP users.

  • UDP diagnostic port attack: A sender using a series of random IP source addresses calls for UDP diagnostic services on the router, causing all CPU resources to be consumed servicing the bogus requests.


Denial of Service Attacks: TCP SYN

(Diagram: an attacker in ISP A’s 10.0.0.0/8 floods a target in ISP B’s 9.0.0.0/8 with TCP SYNs whose source addresses, 192.168.0.4, 15.0.0.13, 172.16.0.2 and so on, are spoofed; the target’s SYN/ACKs go to hosts that never asked, so the half-open connections are never completed)


Denial of Service Attacks: TCP SYN

  • Ingress Filtering: apply an outbound filter on ISP A’s edge toward the Internet

    access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255

  Filter any address that does not contain 10.0.0.0/8 as a source; the list’s implicit deny drops everything else.

(Diagram: with the filter in place, the attacker in ISP A’s 10.0.0.0/8 can no longer reach the target in ISP B’s 9.0.0.0/8 with spoofed sources)
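To make the two filters on this page concrete, here is an added Python model (not from the deck or from Cisco) of IOS wildcard-mask matching and first-match access-list evaluation with the implicit deny, run over the anti-spoofing list from the Spoofing slide and the ingress filter above. The sample source addresses are constructed, and the default destinations and the inside-network reading of 131.108.0.0 are assumptions.

```python
"""IOS-style access-list evaluation for the anti-spoofing list on the Spoofing slide and the
ingress filter on the TCP SYN slide. Added example, not Cisco code: it models only the
`access-list <n> {permit|deny} ip <src> <src-wildcard> <dst> <dst-wildcard>` form the deck
uses, with IOS wildcard semantics and the implicit deny at the end of every list."""
import ipaddress
from dataclasses import dataclass


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly
    (the inverse of a subnet mask: 0.0.255.255 is a /16, 255.255.255.255 is 'any')."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_acl(lines):
    """Parse `access-list N permit|deny ip S SW D DW` lines into {list_number: [Ace, ...]}."""
    acls = {}
    for line in lines:
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[2] not in ("permit", "deny") or p[3] != "ip":
            raise ValueError(f"unsupported access-list line: {line!r}")
        acls.setdefault(int(p[1]), []).append(Ace(p[2], p[4], p[5], p[6], p[7]))
    return acls


def evaluate(aces, src: str, dst: str) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# The anti-spoofing list from the Spoofing slide, applied inbound on the Internet interface of a
# router whose inside network is assumed here to be 131.108.0.0/16: a packet arriving from
# outside that claims an inside or loopback source cannot be genuine.
ANTI_SPOOF = parse_acl([
    "access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
])[101]

# The ingress filter from the TCP SYN slide, applied outbound on ISP A's Internet link: only
# its own 10.0.0.0/8 may appear as a source, so a SYN flood with random spoofed sources is
# dropped at the attacker's own edge before it reaches the target.
INGRESS = parse_acl([
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255",
])[101]


def inbound_decision(src: str, dst: str = "131.108.1.1") -> str:
    """Decision of the anti-spoofing list for a packet arriving from the Internet."""
    return evaluate(ANTI_SPOOF, src, dst)


def outbound_decision(src: str, dst: str = "9.0.0.1") -> str:
    """Decision of ISP A's ingress filter for a packet leaving toward ISP B's 9.0.0.0/8."""
    return evaluate(INGRESS, src, dst)


if __name__ == "__main__":
    # Constructed sample packets; the spoofed sources are the ones drawn on the SYN slide.
    for s in ("131.108.5.5", "127.0.0.1", "198.92.93.3"):
        print(f"anti-spoof, inbound from {s:>12}: {inbound_decision(s)}")
    for s in ("10.4.4.4", "192.168.0.4", "15.0.0.13", "172.16.0.2"):
        print(f"ingress filter, outbound from {s:>12}: {outbound_decision(s)}")
```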


Denial of Service Attacks: UDP diag

  • Turn off small services

    • no service udp-small-servers

    • no service tcp-small-servers

(Diagram: an attacker in ISP A’s 10.0.0.0/8 floods the target router in ISP B’s 9.0.0.0/8 with echo, chargen and discard requests)



Solution: TCP Intercept

  • Tracks, intercepts and validates TCP connection requests

  • Two modes: Intercept and monitor


TCP Intercept—Intercept Mode

  1. Answers the client’s connection request (request intercepted)

  2. Establishes the genuine connection to the server (connection established)

  3. Merges the two connections between client and server (connection transferred)



TCP Intercept—Monitor Mode

  • Passively monitor connection requests

  • Terminates connection attempts that exceed a configurable time limit


TCP Intercept Aggressive Behavior

  • Begins when the high threshold is exceeded, ends when the count drops below the low threshold

  • New connection drops old partial connection

  • Retransmission timeout cut in half

  • Watch timeout cut in half



TCP Intercept Considerations

  • TCP negotiated options not supported

  • Available in release 11.2(4)F Enterprise and Service Provider

  • Connection is fast switched except on the RP/SP/SSP based C7000 which supports process switching only



TCP Intercept Configuration Tasks

  • Enable

    • ip tcp intercept list <extended ACL>

  • Set mode

    • ip tcp intercept mode {intercept | watch}

  • Set drop mode

    • ip tcp intercept drop-mode {oldest | random}



TCP Intercept Configuration

  • Change timers

    • ip tcp intercept watch-timeout <seconds>

    • ip tcp intercept finrst-timeout <seconds>

    • ip tcp intercept connection-timeout <seconds>

  • Change aggressive thresholds

    • ip tcp intercept max-incomplete low <number>

    • ip tcp intercept max-incomplete high <number>

    • ip tcp intercept one-minute low <number>

    • ip tcp intercept one-minute high <number>
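As an added illustration (not Cisco code), the following Python simulation applies the aggressive-mode rules and timers from the TCP Intercept slides to a constructed SYN flood. The small threshold values, the flow keys and the extra spoofed addresses are assumptions chosen to make the mode change visible.

```python
"""TCP Intercept aggressive mode as described on the TCP Intercept slides, modelled in Python.
Added example, not Cisco code: a table of half-open connections with the page's rules
(aggressive mode begins above `max-incomplete high` and ends below `max-incomplete low`; a new
connection then drops an old partial one per `drop-mode`; the watch timeout is halved).
Segments are abstracted to flow keys; a real router works on TCP packets."""
import random
from collections import OrderedDict


class TcpIntercept:
    def __init__(self, max_incomplete_low=900, max_incomplete_high=1100,
                 watch_timeout=30.0, drop_mode="oldest", seed=0):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop-mode must be 'oldest' or 'random'")
        self.low, self.high = max_incomplete_low, max_incomplete_high
        self.watch_timeout, self.drop_mode = watch_timeout, drop_mode
        self.aggressive = False
        self.half_open = OrderedDict()  # flow -> time its SYN arrived; keeps arrival order
        self.dropped = []               # flows discarded by eviction or timeout
        self._rng = random.Random(seed)

    def current_watch_timeout(self) -> float:
        """Aggressive mode cuts the watch (and retransmission) timeout in half."""
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def _update_mode(self) -> None:
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
        elif self.aggressive and n < self.low:
            self.aggressive = False

    def syn(self, flow, now: float) -> None:
        """A client SYN: the router answers it itself and records the half-open connection.
        In aggressive mode every new connection first evicts an old partial one."""
        if self.aggressive and self.half_open:
            victim = (next(iter(self.half_open)) if self.drop_mode == "oldest"
                      else self._rng.choice(list(self.half_open)))
            del self.half_open[victim]
            self.dropped.append(victim)
        self.half_open[flow] = now
        self._update_mode()

    def handshake_completed(self, flow) -> bool:
        """Client's final ACK arrived: the router opens the genuine connection to the server
        and merges the two. Returns False for a flow it never intercepted."""
        known = self.half_open.pop(flow, None) is not None
        self._update_mode()
        return known

    def expire(self, now: float) -> int:
        """Drop half-open entries older than the current watch timeout; returns how many."""
        limit = self.current_watch_timeout()
        stale = [f for f, t in self.half_open.items() if now - t > limit]
        for f in stale:
            del self.half_open[f]
            self.dropped.append(f)
        self._update_mode()
        return len(stale)


def flood_scenario(low=3, high=5, watch_timeout=30.0) -> dict:
    """Constructed flood: six SYNs a second apart from spoofed sources (the three drawn on the
    TCP SYN slide plus three documentation addresses), then one legitimate client that
    completes its handshake. The tiny thresholds are assumptions to keep the run readable."""
    ti = TcpIntercept(low, high, watch_timeout)
    spoofed = ["192.168.0.4", "15.0.0.13", "172.16.0.2", "203.0.113.9", "198.51.100.7", "192.0.2.5"]
    for t, src in enumerate(spoofed):            # t = 0..5 -> six half-open connections
        ti.syn((src, 1024 + t), float(t))
    aggressive_after_flood = ti.aggressive       # 6 > high (5): aggressive mode begins
    ti.syn(("198.92.93.3", 40000), 6.0)          # legitimate client; the oldest entry is evicted
    first_evicted = ti.dropped[0]
    completed = ti.handshake_completed(("198.92.93.3", 40000))
    timeout_in_aggressive = ti.current_watch_timeout()
    expired = ti.expire(now=20.0)                # halved timeout: entries older than 15 s go
    return {"aggressive_after_flood": aggressive_after_flood, "first_evicted": first_evicted,
            "legit_completed": completed, "watch_timeout_in_aggressive": timeout_in_aggressive,
            "expired_at_20s": expired, "remaining": len(ti.half_open),
            "aggressive_at_end": ti.aggressive}


if __name__ == "__main__":
    for k, v in flood_scenario().items():
        print(f"{k:>28}: {v}")
```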


Routing Protocol Security



Routing Protocols

  • Routing protocols can be attacked:

    • Denial of Service

    • Smoke Screens

    • False information

    • Reroute packets

May be accidental or intentional



Solution: Route Authentication

  • Authenticates routing update packets

  • Shared key included in routing updates

    • Plain text—protects against accidental problems only

    • Message Digest 5 (MD5)—protects against accidental and intentional problems



Route Authentication Protocol

  • Routing update includes key and key number

  • Receiving router verifies received key against local copy

  • If the keys match, the update is accepted; otherwise it is rejected



Route Authentication Details

  • Multiple keys supported

    • Key lifetimes based on time of day

    • Only first valid key sent with each packet

  • Supported in: BGP, IS-IS, OSPF, RIPv2, and EIGRP (11.2(4)F)

  • Syntax differs depending on routing protocol
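Added example, not the deck's or Cisco's code: a Python model of the route authentication described on the three slides above, with a key chain whose lifetimes depend on the time of day, showing why a plain-text key only guards against accidents while an MD5 digest also catches intentional changes. The packet layout, key chain and routes are constructed assumptions, not a real RIPv2 or OSPF wire format.

```python
"""Route authentication as the Route Authentication slides describe it: a shared key carried
with every routing update, either in plain text or as an MD5 digest, chosen from a key chain
with time-of-day lifetimes. Added example, not Cisco's implementation: the packet layout
(2-byte body length, 1-byte key number, body, trailer) is a simplification in the spirit of
RIPv2/OSPF MD5 authentication, and the key chain and routes are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    valid_from: int  # seconds since midnight
    valid_to: int


def first_valid_key(chain, now: int) -> Key:
    """Only the first valid key is sent with each packet."""
    for k in chain:
        if k.valid_from <= now < k.valid_to:
            return k
    raise LookupError("no key in the chain is valid now")


def encode_update(routes) -> bytes:
    """Serialize (prefix, prefix_len, metric) entries; a constructed body, not a real RIP/OSPF one."""
    body = b""
    for prefix, plen, metric in sorted(routes):
        body += bytes(int(o) for o in prefix.split(".")) + struct.pack("!BI", plen, metric)
    return body


def _trailer(body: bytes, key: Key, mode: str) -> bytes:
    if mode == "plaintext":
        return key.secret                   # anyone on the path can read and reuse it
    if mode == "md5":
        return hashlib.md5(body + bytes([key.key_id]) + key.secret).digest()
    raise ValueError(mode)


def sign(body: bytes, key: Key, mode: str) -> bytes:
    """Sender: update body followed by the key number and the authentication trailer."""
    return struct.pack("!HB", len(body), key.key_id) + body + _trailer(body, key, mode)


def verify(packet: bytes, chain, now: int, mode: str) -> bool:
    """Receiver: look the key up by number, check its lifetime, recompute the trailer and
    compare it with the received one. The update is accepted only on a match."""
    blen, key_id = struct.unpack("!HB", packet[:3])
    body, trailer = packet[3:3 + blen], packet[3 + blen:]
    key = next((k for k in chain if k.key_id == key_id), None)
    if key is None or not (key.valid_from <= now < key.valid_to):
        return False
    return hmac.compare_digest(trailer, _trailer(body, key, mode))


def demo(now: int = 10 * 3600) -> dict:
    """Genuine, tampered and stale-key updates under both modes, evaluated at 10:00."""
    chain = [Key(1, b"night-shift-key", 0, 9 * 3600), Key(2, b"day-shift-key", 9 * 3600, 24 * 3600)]
    body = encode_update([("172.17.0.0", 16, 3), ("172.18.0.0", 16, 3)])
    results = {}
    for mode in ("plaintext", "md5"):
        genuine = sign(body, first_valid_key(chain, now), mode)
        tampered = bytearray(genuine)
        tampered[8:12] = struct.pack("!I", 0)     # on-path change: metric of 172.17.0.0/16 -> 0
        stale = sign(body, chain[0], mode)        # key 1 expired at 09:00
        results[mode] = {
            "genuine": verify(genuine, chain, now, mode),
            "tampered": verify(bytes(tampered), chain, now, mode),
            "expired_key": verify(stale, chain, now, mode),
        }
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(f"{mode:>9}: {r}")
```

With the plain-text key the tampered update still verifies, because the trailer only proves that whoever sent it knew the key, not that the body is unchanged; the MD5 digest binds the body to the key.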


Routing Protocols

  • OSPF Area Authentication

    • Two Types

      • Simple Password

      • Message Digest (MD5)

Simple password:

    ip ospf authentication-key <key>                (under the specific interface)
    area <area-id> authentication                   (under "router ospf <process-id>")

Message digest:

    ip ospf message-digest-key <key-id> md5 <key>   (under the interface)
    area <area-id> authentication message-digest    (under "router ospf <process-id>")


Securing Router Services



WWW Server

  • Yes, IOS now includes a WWW server!

  • Makes configurations easier, but opens new security holes (default - turned off).

  • Apply an access list restricting which addresses are allowed to access port 80.

  • Similar to console & TTY access.


Other Areas to Consider

  • Turn off unneeded services:

    • no ip proxy-arp (per interface)

    • no ip directed-broadcast (per interface)

    • no service finger



Protecting the Config Files

  • Router configs are usually stored some place safe. But are they really safe?

  • Protect and limit access to TFTP and MOP servers containing router configs.



Summary

  • Security is not just about protecting your UNIX workstations.

  • Your network devices are just as vulnerable.

  • Be smart, protect them.

  • Routers are the side door into any network.





Where to get more information?

http://www.cisco.com/



  • Security URLs:

    • Computer Emergency Response Team (CERT)

      • http://www.cert.org

    • SATAN (Security Administrator Tool for Analyzing Networks)

      • http://recycle.cebaf.gov/~doolitt/satan/

    • Phrack Magazine

      • http://freeside.com/phrack.html

