Network Security - PowerPoint PPT Presentation



Network Security. Ryan Greer CCNP, CCDP, MCSE Pat Bittner Keller Schroeder & Associates, Inc. Evansville, Indiana. Evaluating Network Security Threats. Module 1. Primary Reasons for Security Issues. Technology Weakness Configuration Weakness Policy Weakness. Technology Weaknesses.

    Presentation Transcript
    1. Network Security Ryan Greer CCNP, CCDP, MCSE Pat Bittner Keller Schroeder & Associates, Inc. Evansville, Indiana

    2. Evaluating Network Security Threats Module 1

    3. Primary Reasons for Security Issues • Technology Weakness • Configuration Weakness • Policy Weakness

    4. Technology Weaknesses • TCP/IP • Operating System • Network Equipment Weaknesses

    5. Configuration Weakness • Insecure default settings • Misconfigured network equipment • Insecure user accounts • System accounts with easy-to-guess passwords • Misconfigured Internet services • Java & JavaScript

    6. Policy Weakness • Lack of security policy • Internal Politics (political battles, turf wars) • Lack of business continuity (high turnover) • Poorly enforced • Inadequate monitoring • Lack of awareness of being attacked • Installations that do not follow policy • Security incident and DRP not in place

    7. Types of Threats • Internal Threats • External Threats

    8. Internal Threats • Current employees with less-than-honorable intentions • Current employees pursuing unintentional activities • Employees who mismanage the environment • Use insecure passwords • Misconfigure equipment out of ignorance

    9. External Threats • Thrill Seekers • Competitors • Enemies • Thieves • Spies • Hostile ex-employees • Others • Intrusion for sport • Intrusion to learn

    10. Security Threat Types • Reconnaissance • Unauthorized Access • Denial of Service • Data Manipulation

    11. Reconnaissance • Target Discovery • Eavesdropping • Information Theft

    12. Unauthorized Access • Gaining Initial Access • Password-Based Attacks • Gaining Trusted or Privileged Access • Misuse of Systems after gaining access • Counteracting Remote-Access Attacks

    13. Denial of Service • Resource Overload • Out-of-Band Data DoS Attacks • Others • Counteracting

    14. Data Manipulation • IP Spoofing • Session Replay and Hijacking • Rerouting

    15. Securing the Network Infrastructure Module 2

    16. Securing Physical Devices • Establish Configuration and Control Policy • Properly lock, power, wire and cool equipment • Control direct access to all network equipment • Secure access to network links • Plan for Disaster Recovery

    17. Securing Administrative Interface • Setting Console Access • Using Password Encryption • Fine-Tuning Line Parameters • Setting Multiple Privileged Levels • Setting Device Banner Messages • Controlling Telnet Access • Controlling SNMP Access

    18. Setting Console Passwords • Tips • Immediately configure • Make privileged and user passwords different • Use mixed characters • Do not write down

    19. Setting Console Access
        User Mode Passwords
          router(config)#line console 0
          router(config-line)#login
          router(config-line)#password ruHamlet
        User Access Verification
          Password: ruHamlet
          router>

    20. Setting Console Passwords
        Privileged Mode Passwords
          router(config)#enable secret 2br!2b@?
          router> enable
          Password: 2br!2b@?
          router#

    21. Using Password Encryption
        Using Service Password Encryption
          router(config)#service password-encryption
        Resulting configuration
          line con 0
           password 7 094F471A1A0A
          line vty 0 4
           password 7 05080F1C2243

    22. Fine-Tuning Line Parameters
        Unattended Timeout
          router(config)#line console 0
          router(config-line)#exec-timeout 2 30

    23. Setting Multiple Privilege Levels

    24. Setting Multiple Privilege Levels
        Setting Privilege Levels for Commands
          router(config)#privilege exec level 2 show startup-config
          router(config)#privilege exec level 2 debug ip rip
          router(config)#privilege exec level 2 ping
          router(config)#enable secret level 2 2kdo40d
        Logging into Privilege Level
          router> enable 2

    25. Setting Device Banner Messages • Banner Messages • Do not use “Welcome” • Banner command
          router(config)#banner exec $ Session activated. Enter commands at the prompt $

    26. Controlling Telnet Access • Considerations • telnet ports called virtual terminal (vty) ports • Enable password must be configured to enable via Telnet • Should restrict telnet access by using ACL • Configure all vty ports (as many as 15) • Limit, block, disable aux ports with “no exec”

    27. Telnet Examples
        VTY Configuration
          router(config)#line vty 0 4
          router(config-line)#login
          router(config-line)#password shakespeare
        Restricting Access
          router(config)#access-list 21 permit 10.1.1.4
          router(config)#line vty 0 4
          router(config-line)#access-class 21 in

    28. Controlling SNMP Access • SNMP Overview • Configuring SNMP Agent • Controlling SNMP access with community strings • Configuring Traps and Informs

    29. SNMP System • Components • Managed device (router or switch) • SNMP agents and MIBs running on managed device • SNMP management application (CiscoWorks 2000)

    30. SNMP Agent Functions • MIB variable access • MIB variable setting • SNMP trap • SNMP community strings

    31. Controlling SNMP Access with Community Strings
        Nonprivileged SNMP Access
          router(config)#snmp-server community secure ro
        Privileged SNMP Access
          router(config)#snmp-server community semisecure rw
        Access List SNMP Access
          router(config)#access-list 1 permit 10.1.1.4
          router(config)#access-list 1 permit 10.1.1.5
          router(config)#snmp-server community semisecure rw 1

    32. SNMP Traps and Informs
        Trap
          router(config)#snmp-server host 10.1.1.4 trap
        Inform
          router(config)#snmp-server host 10.1.1.4 inform

    33. Controlling router-router Communications • Routing Protocol Authentication • Secure router Configuration Files • Controlling Traffic Using Filters

    34. Routing Protocol Authentication • Plaintext • Neighbors must share authentication key • Key sent in plaintext • Message Digest Algorithm 5 (MD5) • Hash of key • Key not actually sent over wire • Prevents eavesdropping

    35. Securing Configuration Files • TFTP • Not secure protocol, no password required • Anyone with access to TFTP server can modify the configuration file • TFTP server can be detected with port scans • Recommendations • Manually enable/disable TFTP software when needed

    36. Controlling Traffic Using Filters • Access Lists • Filtering Routing Updates • Incoming Network Filters

    37. Access List Tips • Use ACLs to control whether traffic is forwarded or blocked at the router interface • ACLs do not authenticate individual users but filter based on information in the packets

    38. Filtering Networks in Routing Updates • Helps secure networks • Increases security • Increases stability • Configuration
          router(config)#access-list 45 deny 10.1.2.0 0.0.0.255
          router(config)#access-list 45 permit any
          router(config)#router eigrp 200
          router(config-router)#distribute-list 45 out serial0

    39. Suppressing Updates from Being Processed
        Suppress Updates from Being Processed
          router(config)#access-list 46 permit 10.2.0.0 0.0.255.255
          router(config)#router eigrp 200
          router(config-router)#distribute-list 46 in serial0
        Suppress Updates through Interface
          router(config)#router eigrp 200
          router(config-router)#passive-interface ethernet0

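    40. Incoming Network Filters
        Deny Spoofed Packets from Internal Network
          router(config)#access-list 102 deny ip 10.1.2.0 0.0.0.255 any log
          ! without an explicit permit, the implicit deny drops all other inbound traffic
          router(config)#access-list 102 permit ip any any
          router(config)#interface serial0
          router(config-if)#ip access-group 102 in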
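How a router evaluates an inbound filter such as ACL 102: the first matching entry wins, and a packet that matches no entry hits the implicit deny, so a list holding only the anti-spoofing deny drops everything. The following is an added example, not part of the original presentation: a small evaluator for `ip` entries with wildcard masks. The test addresses are constructed and the function names are this example's own.

```python
import ipaddress

# The anti-spoofing entry from slide 40, alone and followed by a permit.
DENY_ONLY = "access-list 102 deny ip 10.1.2.0 0.0.0.255 any log"
WITH_PERMIT = DENY_ONLY + "\naccess-list 102 permit ip any any"

def _match(addr, spec):
    """spec is 'any' or (base, wildcard); wildcard bits set to 1 are ignored."""
    if spec == "any":
        return True
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action = tok[2]
        rest = [t for t in tok[4:] if t != "log"]
        specs = []
        while rest:
            if rest[0] == "any":
                specs.append("any")
                rest = rest[1:]
            else:                          # address followed by wildcard mask
                specs.append((rest[0], rest[1]))
                rest = rest[2:]
        rules.append((action, specs[0], specs[1]))
    return rules

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, src_spec, dst_spec in rules:
        if _match(src, src_spec) and _match(dst, dst_spec):
            return action
    return "implicit deny"
```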

    41. Cisco AAA Security Technology Module 3

    42. AAA Security Architecture • Authentication • Requires users to prove that they really are who they say they are • Authorization • Decide which resources the user is allowed to access and which operations the user is allowed to perform • Accounting • Records what the user actually did, what was accessed, and how long it was accessed • Counteracts repudiation

    43. Authentication Methods • Username and Password Authentication • S/Key Authentication • Token Cards and Servers • PAP and CHAP Authentication

    44. Usernames and Passwords • No username/password • Username/password – static • Username/password – aging • S/Key one-time passwords • One-time passwords • Token cards/soft tokens

    45. PAP & CHAP Authentication • Important component of dialup access • Authentication accomplished by PAP or CHAP • PPP – standard encapsulation protocol for transport of different L3 protocols across serial or point-to-point links (PSTN,ISDN)

    46. PAP Authentication over PPP • Two-way handshake only after initial PPP link establishment • Client sends username and password • NAS accepts or rejects • Not a strong authentication method • Username and password sent in cleartext • No protection against playback or repeated trial-and-error attacks

    47. PAP Authentication over PPP

    48. CHAP Authentication over PPP • Stronger than PAP • Password never crosses network • 3-way handshake • NAS sends challenge message to client • Client replies with one-way hash value • NAS processes hash and compares it to the NAS’s own calculation

    49. CHAP Cont’d • Protection against playback • Constantly changing string prevents eavesdropping and replaying • Problem – not supported in NT (NT uses MS-CHAP)

    50. CHAP Authentication over PPP