
Enterprise Network Security

Enterprise Network Security. Accessing the WAN – Chapter 4. Objectives. Describe the general methods used to mitigate security threats to Enterprise networks Configure Basic Router Security Explain how to disable unused Cisco router network services and interfaces





Presentation Transcript


  1. Enterprise Network Security Accessing the WAN– Chapter 4

  2. Objectives
     • Describe the general methods used to mitigate security threats to Enterprise networks
     • Configure Basic Router Security
     • Explain how to disable unused Cisco router network services and interfaces
     • Explain how to use Cisco SDM
     • Manage Cisco IOS devices

  3. Why is network security important?
     • We want to live securely
     • We want our data to be secured
     • We want our communication to be secured

  4. Describe the General Methods used to Mitigate Security Threats to Enterprise Networks • Explain how sophisticated attack tools and open networks have created an increased need for network security and dynamic security policies

  5. Security policy
     • Risk assessment
     • Security policy
     • Organization of information security
     • Asset management
     • Human resources security
     • Physical and environmental security
     • Communications and operations management

  6. Security levels NO ! NO !

  7. Number of Attacks

  8. Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Social engineering?

  9. Access Attacks

  10. Denial of Service attacks

  11. Describe the General Methods used to Mitigate Security Threats to Enterprise Networks • Describe the common mitigation techniques that enterprises use to protect themselves against threats

  12. Security equipment

  13. Describe the General Methods used to Mitigate Security Threats to Enterprise Networks • Explain the concept of the Network Security Wheel

  14. Configure Basic Router Security • Explain why the security of routers and their configuration settings is vital to network operation

  15. Configure Basic Router Security
     • Describe the basic security measures needed to secure Cisco routers
       Router(config)# ip access-list standard SSH-access
       Router(config-std-nacl)# permit host 147.232.22.1
       Router(config-std-nacl)# deny any
       Router(config)# line vty 0 4
       Router(config-line)# access-class SSH-access in

  16. SSH configuration

  17. Explain How to Disable Unused Cisco Router Network Services and Interfaces • Explain how to secure a router with the command-line interface (CLI) auto secure command
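As an added example (not part of the slide deck), a small Python audit that reads a saved running-config and checks the measures these slides call for: an enable secret, no unused services such as the HTTP server, unused interfaces shut down, and vty lines limited to SSH behind an inbound access-class. The sample config and all of its values are constructed for the example.

```python
# Constructed sample running-config (not from the slides): the vty block follows
# the deck's ACL pattern, while FastEthernet0/1 is left enabled but unused.
SAMPLE_CONFIG = """\
enable secret 5 $1$placeholder$hash
ip http server
!
interface FastEthernet0/0
 ip address 192.168.101.1 255.255.255.0
!
interface FastEthernet0/1
!
line vty 0 4
 access-class SSH-access in
 transport input ssh
"""

def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and IOS section separators
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return findings against the deck's basic router-hardening checklist."""
    blocks = parse_blocks(config)
    tops = {header for header, _ in blocks}
    findings = []
    if not any(h.startswith("enable secret") for h in tops):
        findings.append("no enable secret configured")
    if "service password-encryption" not in tops:
        findings.append("service password-encryption missing")
    if "ip http server" in tops:
        findings.append("ip http server enabled (unused service)")
    for header, children in blocks:
        if header.startswith("interface "):
            # An interface with no address and no shutdown is unused but still up
            addressed = any(c.startswith(("ip address", "ipv6 address")) for c in children)
            if not addressed and "shutdown" not in children:
                findings.append(f"{header[10:]} has no address and is not shut down")
        elif header.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{header}: transport input not limited to ssh")
            if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
                findings.append(f"{header}: no inbound access-class")
    return findings
```

Run it against `show running-config` output saved to a file; every finding maps to one of the basic measures listed in the summary slides.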

  18. Explain How to Use Cisco SDM • Provide an overview of Cisco SDM

  19. Manage Cisco IOS Devices • Describe the file systems used by a Cisco router

  20. Manage Cisco IOS Devices • Describe how to backup and upgrade a Cisco IOS image

  21. Manage Cisco IOS Devices • Explain how to back up and upgrade Cisco IOS software images using a network server

  22. Manage Cisco IOS Devices • Explain how to recover a Cisco IOS software image

  23. Manage Cisco IOS Devices
     • Explain how to recover the enable password and the enable secret passwords
       • Ctrl+Break
       • Rommon 1> confreg 0x2142
       • Rommon 2> reset
       • Would you like to enter initial router configuration [Yes/no]
       • Router(config)# config-register 0x2102

  24. Summary
     • Security Threats to an Enterprise network include:
       • Unstructured threats
       • Structured threats
       • External threats
       • Internal threats
     • Methods to lessen security threats consist of:
       • Device hardening
       • Use of antivirus software
       • Firewalls
       • Download security updates

  25. Summary
     • Basic router security involves the following:
       • Physical security
       • Update and backup IOS
       • Backup configuration files
       • Password configuration
       • Logging router activity
       • Disable unused router interfaces & services to minimize their exploitation by intruders
     • Cisco SDM
       • A web-based management tool for configuring security measures on Cisco routers

  26. Summary
     • Cisco IOS Integrated File System (IFS)
       • Allows for the creation, navigation & manipulation of directories on a Cisco device

  27. Practise LAB DHCP, NAT Accessing the WAN– Chapter 4

  28. Practise LAB

  29. Tasks
     • Basic configuration (example)
       R-1(config)# interface FastEthernet 0/1
       R-1(config-if)# ip address dhcp
       R-1(config-if)# no shutdown
       R-1(config)# interface FastEthernet 0/0
       R-1(config-if)# no shutdown
       R-1(config)# interface FastEthernet 0/0.101
       R-1(config-subif)# encapsulation dot1q 101
       R-1(config-subif)# ip address 192.168.101.1 255.255.255.0
       R-1(config)# interface FastEthernet 0/0.200
       R-1(config-subif)# encapsulation dot1q 200
       R-1(config-subif)# ip address 10.10.10.1 255.255.255.0

  30. Tasks
     • DHCP and DHCP relay
       R-1(config)# ip dhcp pool VLAN101
       R-1(config-dhcp)# network 192.168.101.0 /24
       R-1(config-dhcp)# default-router 192.168.101.1
       R-1(config-dhcp)# dns-server 147.232.22.1
       R-1(config)# ip dhcp pool VLAN102
       R-1(config-dhcp)# network 192.168.102.0 /24
       R-1(config-dhcp)# default-router 192.168.102.1
       R-1(config-dhcp)# dns-server 147.232.22.1
       R-1(config)# ip dhcp pool VLAN103
       R-1(config-dhcp)# network 192.168.103.0 /24
       R-1(config-dhcp)# default-router 192.168.103.1
       R-1(config-dhcp)# dns-server 147.232.22.1

  31. Practise LAB

  32. Tasks
     • DHCP and DHCP relay
       R-2(config)# interface FastEthernet 0/0.102
       R-2(config-subif)# encapsulation dot1q 102
       R-2(config-subif)# ip address 192.168.102.1 255.255.255.0
       R-2(config-subif)# ip helper-address 192.168.1.2
       R-2(config-subif)# ip nat inside
       R-2(config)# router ospf 1
       R-2(config-router)# network 192.168.1.0 0.0.0.3 area 0
       R-2(config-router)# network 192.168.102.0 0.0.0.3 area 0
       R-1(config)# router ospf 1
       R-1(config-router)# default-information originate
       R-1(config-router)# network 192.168.1.0 0.0.0.3 area 0
       R-1(config-router)# network 192.168.2.0 0.0.0.3 area 0
       R-1(config-router)# network 192.168.101.0 0.0.0.255 area 0

  33. Practise LAB HostC and Host H

  34. Tasks
     • Dynamic NAT and Static NAT
       R-1(config)# ip route 10.10.12.0 255.255.255.0 192.168.1.2
       R-1(config)# ip route 10.10.13.0 255.255.255.0 192.168.2.2
       R-2(config)# ip access-list standard SNAT
       R-2(config-std-nacl)# permit 10.10.10.0 0.0.0.255
       R-2(config)# ip nat pool POOL_IP 10.10.12.2 10.10.12.255 netmask 255.255.255.0
       R-2(config)# ip nat inside source list SNAT pool POOL_IP
       R-2(config)# ip nat inside source static 10.10.10.100 10.10.12.1
       R-2(config)# interface FastEthernet0/0.200
       R-2(config-subif)# ip nat inside
       R-2(config)# interface Serial 0/0
       R-2(config-if)# ip nat outside

  35. Practise LAB PAT(overloading)

  36. Tasks
     • Port Address Translation (overloading)
       R-1(config)# interface FastEthernet 0/0.101
       R-1(config-subif)# ip nat inside
       R-1(config)# interface FastEthernet 0/0.200
       R-1(config-subif)# ip nat inside
       R-1(config)# interface Serial 0/0
       R-1(config-if)# ip nat inside
       R-1(config)# interface Serial 0/1
       R-1(config-if)# ip nat inside
       R-1(config)# interface FastEthernet 0/1
       R-1(config-if)# ip nat outside

  37. Tasks
     • Port Address Translation (overloading)
       R-1(config)# ip access-list standard natko
       R-1(config-std-nacl)# permit 192.168.101.0 0.0.0.255
       R-1(config-std-nacl)# permit 192.168.102.0 0.0.0.255
       R-1(config-std-nacl)# permit 192.168.103.0 0.0.0.255
       R-1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
       R-1(config-std-nacl)# permit 10.10.12.0 0.0.0.255
       R-1(config-std-nacl)# permit 10.10.13.0 0.0.0.255
       R-1(config)# ip nat inside source list natko interface FastEthernet 0/1 overload

  38. Practise LAB IPv6

  39. Tasks
     • IPv6 addressing
       R-1(config)# ipv6 unicast-routing
       R-1(config)# interface FastEthernet 0/0.333
       R-1(config-subif)# encapsulation dot1q 333
       R-1(config-subif)# ipv6 address 2001:ac1::1/64
       R-1(config)# interface Serial 0/0
       R-1(config-if)# ip address 192.168.1.1 255.255.255.252
       R-1(config-if)# ipv6 address 3ffe:12::1/64

  40. Tasks
     • IPv6 routing
       R-1(config)# ipv6 router rip ROUTING
       R-1(config)# interface FastEthernet 0/0.333
       R-1(config-subif)# encapsulation dot1q 333
       R-1(config-subif)# ipv6 address 2001:ac1::1/64
       R-1(config-subif)# ipv6 rip ROUTING enable
       R-1(config)# interface Serial 0/0
       R-1(config-if)# ip address 192.168.1.1 255.255.255.252
       R-1(config-if)# ipv6 address 3ffe:12::1/64
       R-1(config-if)# ipv6 rip ROUTING enable
