1 / 19

Network Security Principles & Practices

Network Security Principles & Practices. By Saadat Malik Cisco Press 2003. – Chapter 3 – Device Security. A device is a node helping to form the topology of the network. A compromised device may be used by the attacker as a jumping board. A DoS attack may be launched against a device.

locascio
Download Presentation

Network Security Principles & Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security Principles & Practices By Saadat Malik Cisco Press 2003

  2. – Chapter 3 – Device Security • A device is a node helping to form the topology of the network. • A compromised device may be used by the attacker as a jumping board. • A DoS attack may be launched against a device. Network Security

  3. Two aspects of device security • Physical security • Placing the device in a secure location • Logical security • Securing the device against nonphysical attacks Network Security

  4. Physical security Considerations: • Using redundant devices? • Network topology (serialized, star, fully meshed?) • Where to place the network devices? • Media security (wire tapping, physical eavesdropping) • Adequate/uninterrupted power supply • disasters Network Security

  5. Device Redundancy • A backup device (router, switch, gateway, …) is configured to take over the functionality of a failed active device. • Means of achieving redundancy: • Use routing to enable redundancy • Use a redundancy protocol • Hot Standby Router Protocol (HSRP) • Virtual Router Redundancy Protocol (VRRP) • Failover protocols Network Security

  6. Cisco Command Reference • Cisco IOS Commands Master List, Release 12.2 http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122mindx/l22index.htm • Network Access Security Commands http://www.cisco.com/en/US/products/sw/iosswrel/ps1824/products_command_reference_chapter09186a0080087141.html • Configuration Guide for the Cisco Secure PIX Firewall Version 6.0: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/index.htm • PIX Command Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid0 Note: A PDF file may be downloaded from the above sites. • Cisco Command Summary: http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php • Other useful sites: • http://www.elings.com/ Windows Administration Support Portal • http://www.freebraindumps.com/CCIE/ • http://www.groupstudy.com/ Network Security

  7. EIGRP (used in Example 3-1) • IGRP: Cisco’s Interior Gateway Routing Protocol • EIGRP: Enhanced IGRP • A router running EIGRP stores all its neighbors' routing tables so that it can quickly adapt to alternate routes. • If no appropriate route exists, EIGRP queries its neighbors to discover an alternate route. • These queries propagate until an alternate route is found. • To enable EIGRP on the router you simply need to enable eigrp and define a network number. This is done as follows: Router# conf t Router(config)# router eigrp 1 Router(config-router)# network 172.16.0.0 • http://networking.ringofsaturn.com/Cisco/eigrp.php Network Security

  8. Routing-enabled Redundancy • To set up routing in such a way that the routing protocols converge to one set of routes under normal conditions, and a different set of routes when some of the devices fail. • (floating) static routes with varying weights: example 3-1 • Dynamic routing protocols: e.g., Routing Information Protocol (RIP) http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rip.htm Network Security

  9. Dynamic routing using RIP • Alternative paths are used when the normal path fails. • Fig. 3-3 Network Security

  10. Host Standby Routing Protocol proprietary (Cisco) A host uses a IP address as its default gateway. A virtual router is set up for that IP: a pair of IP and MAC addresses The addresses are ‘taken’ by a set of routers configured with HSRP One of the routers is designated as the active router. When the active router fails, one of the standby routers takes ownership of the IP and the MAC addresses. HSRP Network Security

  11. HSRP • HSRP group (aka. standby group) • election protocol • Packet format of HSRP messages: Fig. 3-4 • Messages: hello, coup hello, resign • How HSRP provides redundancy? • Fig. 3-5 (next slide) • A virtual IP is shared between router A and B, so when B becomes the active router, no change of default gateway IP is needed in the end hosts. Network Security

  12. Example HSRP ImplementationFig. 3-5 Network Security

  13. HSRP • Drawback: not very secure • The authentication field contains a password that is transmitted as clear text. • c.f., VRRP provides better security. Network Security

  14. VRRP • Virtual Router Redundancy Protocol • RFC 2338, RFC 3768 (4/04): ftp://ftp.rfc-editor.org/in-notes/rfc3768.txt • Non-proprietary (unlike HSRP) • an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN (the master router) • The election process provides dynamic fail over in the forwarding responsibility should the Master become unavailable. • allows any of the virtual router IP addresses on the LAN to be used as the default first hop router by end-hosts. Network Security

  15. VRRP • When is the master router considered down? • The master router periodically sends out an advertisement message that contains an advertisement interval. • Each backup router uses a timer to decide when the master router is down. • The election process: • When a backup router detects that the master router is down, it sends an advertisement message with its own priority value in it. • The backup router with the highest priority value becomes the new master router. Network Security

  16. VRRP • Question: How if an attacker injects a fake VRRP advertisement message (possibly with very high priority value) into the network? Would it then be elected to be the new master router? • The answer: VRRP security features • Three authentication methods • No authentication • Simple clear-text passwords • Strong authentication (using IP authentication with MD5 HMAC) Q: What’s the Implication? Shared key • A mechanism that protects against VRRP packets being injected from a remote network • sets TTL = 255 Network Security

  17. VRRP • RFC2338 (4/1998), obsoleted by RFC3768 (R. Hinden, Ed; April 2004) ftp://ftp.rfc-editor.org/in-notes/rfc3768.txt Network Security

  18. Failover Protocol • Cisco PIX firewall • The functionality of a failed firewall is taken over by a standby firewall. • See chapter 8 for details Network Security

  19. Security of major devices • Next: • Router security • Firewall security Network Security

More Related