
Network Security




  1. Network Security: Password Control and Device Access

  2. Outline • Network Gatekeepers • Identifying network threats and countermeasures • Using secure router, firewall, and switch configurations

  3. Network Gatekeepers (slide figure: Filtering, Port Blocking, IDS) • The network is the entry point to the application and controls access to the various servers in the enterprise environment • The basic components of a network, which act as the front-line gatekeepers, are the: • Router: the router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as certain ICMP types • Firewall • Switch, including private VLANs • IDS: Intrusion Detection System

  4. Router Considerations • Patches and updates: stay current with both security advisories and service patches • Disable unused interfaces • Apply strong password policies • Use static routing where practical: an attacker might try to change routes to cause denial of service or to forward requests to a rogue server. Where dynamic routing is required, authenticate routing-protocol updates instead of accepting them from any neighbor • Audit Web-facing administration interfaces

  5. Threats and Countermeasures • An attacker looks for poorly configured network devices to exploit. The following are high-level network threats: • Information gathering • Sniffing • Spoofing • Session hijacking • Denial of service

  6. Information Gathering • Information gathering can reveal detailed information about network topology, system configuration, and network devices. Attacks: • Using tracert (Windows) or traceroute (Unix) to detect network topology • Using Telnet to connect to open ports for banner grabbing • Using port scans to detect open ports • Using broadcast requests to enumerate hosts on a subnet

  7. Blocking Traceroute • The traceroute command is used to discover the route that packets actually take when travelling to their destination:
    Router1#traceroute 34.0.0.4
      1 12.0.0.2 4 msec 4 msec 4 msec
      2 23.0.0.3 20 msec 16 msec 16 msec
      3 34.0.0.4 16 msec * 16 msec
  • Which protocol is used by traceroute? • http://en.wikipedia.org/wiki/Traceroute

  8. Protocols used by Traceroute • Windows tracert sends ICMP echo requests; Unix traceroute sends UDP probes to destination ports 33434 and up by default. Both rely on the ICMP time-exceeded message that each router on the path returns when the probe's TTL expires, so blocking either the probes or the replies breaks the mapping. • To block inbound traceroute you need to: • Block incoming ICMP echo requests (ICMP type 8). This also prevents ping attacks, which can crash some systems. Apply this filter inbound on the outside interface:
    access-list 101 deny icmp any any echo-request
  • Block outgoing ICMP echo replies (ICMP type 0) to anyone, especially in response to malicious programs that use ICMP echo replies. Apply this filter outbound:
    access-list 101 deny icmp any any echo-reply
  • Block outgoing ICMP time-exceeded (ICMP type 11). This prevents outsiders from mapping your network. Apply this filter outbound:
    access-list 101 deny icmp any any time-exceeded
  • Block UDP probes to high destination ports on the inbound filter (ports 33434 to 33534 cover the default Unix traceroute range), or block all UDP except that which you absolutely need. • Caveat: every IOS access list ends with an implicit deny of everything, so a list that contains only deny entries blocks all traffic on the interface it is applied to; finish it with the permit entries you actually need (at minimum permit ip any any). Since the inbound and outbound entries differ, use two separate lists rather than one list applied in both directions. http://www.sans.org/reading_room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list_231

  9. Countermeasures - Information gathering • Block Telnet (how?) • Password control on Telnet (the password "cisco" is a slide placeholder; use a strong, unique one, or better, login local with a username ... secret entry):
    Router(config)# line vty 0 4
    Router(config-line)# password cisco
    Router(config-line)# login
  • By default, console, auxiliary, and Telnet (VTY) sessions time out after 10 minutes of idling. Change the timeout to 5 minutes for Telnet sessions (note that exec-timeout 0 0 disables the timeout altogether):
    Router(config-line)# exec-timeout 5 0
  • Service banners: the login banner should not contain any specific information about the router name, model, software, or ownership:
    Router(config)# banner motd & Any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties &

  10. Block Telnet Access • Telnet sends user information across the network in clear text • Limit remote access using Telnet to known management hosts. In the slide's diagram the perimeter router accepts VTY connections only from 172.16.3.10 and 172.16.3.11:
    Router(config)# access-list 1 permit 172.16.3.10
    Router(config)# access-list 1 permit 172.16.3.11
    Router(config)# line vty 0 4
    Router(config-line)# access-class 1 in

  11. HTTP ACCESS • By default, the HTTP server function on the router is disabled. To configure HTTP access, use the following steps: • Step 1. Enable the HTTP server (required). Note that ip http server is cleartext HTTP; for encrypted management enable ip http secure-server (HTTPS) instead.
    Router(config)# ip http server
  • Step 2. Define an authentication method (highly recommended).
    Router(config)# ip http authentication {aaa | enable | local}
  • Step 3. Restrict access through HTTP (highly recommended). This command enables you to restrict, based on the source IP address of the client, which devices are allowed HTTP or HTTPS access to the router.
    Router(config)# ip http access-class standard_ACL_#
  • Step 4. Change the HTTP port number (optional).
    Router(config)# ip http port port_#
  • Step 5. Restrict the number of HTTP connections (recommended).
    Router(config)# ip http max-connections max_connections

  12. HTTP Access - Example
    Router(config)# access-list 1 permit 172.16.3.10
    Router(config)# access-list 1 permit 172.16.3.11
    Router(config)# username richard privilege 15 secret bigXdogYlover
    Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER
    Router(config)# ip http server
    Router(config)# ip http authentication local
    Router(config)# ip http access-class 1
  • The secret keyword stores the password as a hash rather than reversibly. Because this example enables plain ip http server, the credentials still cross the network in the clear at login time; use ip http secure-server for management over HTTPS.

  13. Sniffing • Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. Vulnerabilities: • Weak physical security • Lack of encryption when sending sensitive data • Router countermeasure: allow only SSH on the VTY lines. SSH requires a hostname, a domain name (ip domain-name) and an RSA key pair (crypto key generate rsa) to be configured first.
    Router(config)# line vty 0 4
    Router(config-line)# transport input ssh
    Router(config-line)# transport output ssh
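The remote-access settings on slides 9 to 13 can be checked mechanically. The Python script below is an added example, not part of the original presentation: it parses a running-config excerpt (constructed here, not taken from a real device) and flags the weaknesses the slides warn about: Telnet still accepted on the VTY lines, VTY lines without an access-class, idle timeouts above 5 minutes or disabled with exec-timeout 0 0, usernames stored with password instead of secret, banners that name the device or vendor, and ip http server enabled without ip http secure-server. The severity labels and the 5-minute threshold are assumptions, not IOS behaviour.

```python
"""Audit an IOS running-config excerpt for the remote-access weaknesses on the slides.
Added example; the configuration text is constructed for the demonstration."""
import re

# Constructed sample: a 'show running-config' excerpt with several weak settings.
SAMPLE_CONFIG = """\
hostname Router1
banner motd &Router1 Cisco 2811 - authorized use only&
username natalie privilege 15 password BIGxDOGyLOVER
username richard privilege 15 secret bigXdogYlover
ip http server
line con 0
 exec-timeout 10 0
 login
line vty 0 4
 password cisco
 exec-timeout 0 0
 login
 transport input telnet ssh
"""

def parse_config(config):
    """Split the config into global commands and a dict of 'line ...' blocks.
    Only 'line' blocks are tracked; sub-commands of other blocks fall through."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks

def idle_seconds(cmds):
    """Effective idle timeout of a line. IOS defaults to 10 minutes when unset;
    'exec-timeout 0 0' disables the timeout entirely (returned as None)."""
    secs = 600
    for c in cmds:
        m = re.match(r"exec-timeout (\d+) (\d+)$", c)
        if m:
            secs = int(m.group(1)) * 60 + int(m.group(2))
    return None if secs == 0 else secs

def audit(config, max_idle_minutes=5):
    """Return a list of (severity, finding) tuples, highest severity first."""
    findings = []
    global_cmds, blocks = parse_config(config)
    if "ip http server" in global_cmds and "ip http secure-server" not in global_cmds:
        findings.append(("HIGH", "ip http server without ip http secure-server: cleartext HTTP management"))
    for cmd in global_cmds:
        m = re.match(r"username (\S+) .*\bpassword\b", cmd)
        if m:
            findings.append(("HIGH", f"username {m.group(1)}: 'password' is reversible, use 'secret'"))
        m = re.match(r"banner motd (\S)(.*)\1$", cmd)   # group 1 is the delimiter character
        if m and re.search(r"cisco|router\w*|\b\d{3,4}\b", m.group(2), re.I):
            findings.append(("LOW", "banner motd discloses device name, vendor or model"))
    for name, cmds in blocks.items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(("HIGH", f"{name}: no 'login', sessions on this line are not authenticated"))
        if name.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
                findings.append(("HIGH", f"{name}: Telnet accepted; set 'transport input ssh'"))
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(("MEDIUM", f"{name}: no access-class limiting management sources"))
        secs = idle_seconds(cmds)
        if secs is None:
            findings.append(("HIGH", f"{name}: exec-timeout 0 0 disables the idle timeout"))
        elif secs > max_idle_minutes * 60:
            findings.append(("MEDIUM", f"{name}: idle timeout {secs // 60} min exceeds {max_idle_minutes} min"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"{sev:6} {msg}")
```

Running it against the sample reports the Telnet transport, the disabled VTY timeout, the reversible password for natalie (richard's secret entry is not flagged), the cleartext HTTP server, the missing access-class, the 10-minute console timeout and the chatty banner. Replacing transport input telnet ssh with transport input ssh and exec-timeout 0 0 with exec-timeout 5 0 clears the VTY findings.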

  14. Countermeasures Some of the countermeasures: • Strong physical security that prevents rogue devices from being placed on the network • Encrypted credentials and application traffic over the network

  15. Spoofing - from outside • Spoofing is a means to hide one's true identity on the network. • Most, but not all, of the spoofing attacks that take place start with someone on the outside of your network spoofing their IP address to make it look like they are part of the inside of your network. • Deny traffic with a source IP address inside the RFC 1918 blocks, the loopback and unspecified ranges, or the multicast range that is coming into your network on the outside interface (serial 0/0 in the slide's diagram):
    Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
    Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
    Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
    Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log (multicast range, 224.0.0.0/4)
    Router(config)# interface serial 0/0
    Router(config-if)# ip access-group 100 in
  • Caveat: if your inside network uses public addresses, add a deny entry for that prefix as well, since that is the range an outsider would spoof. And because the list ends with an implicit deny, it must be completed with the permit entries for the inbound traffic you want (at minimum permit ip any any) before it is applied, or all inbound traffic stops.

  16. Spoofing - from inside • We also want to prevent our inside people from spoofing a different IP address. The only range allowed to transmit is the internal network, in this case 192.168.1.0/24 behind interface Fa0/1:
    Router(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
    Router(config)# access-list 105 deny ip any any log
    Router(config)# interface fa0/1
    Router(config-if)# ip access-group 105 in
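As an added example that is not part of the original slides, the Python below re-implements how IOS evaluates an extended access list (wildcard masks, first match wins, implicit deny at the end) and runs the anti-spoofing lists from slides 15 and 16, plus the traceroute filters from slide 8, against constructed packets. The three ACL texts and the packets are constructed for the demonstration; the RFC 5737 documentation addresses 198.51.100.7 and 203.0.113.5 stand in for an outside host and an inside server. It does not emulate a router; it only shows which entry each packet would hit and why a list with no permit entry blocks everything.

```python
"""Evaluate Cisco-style extended access lists against constructed packets.
Added example; the ACLs and packets below are constructed, not from a real device."""
import ipaddress
import re

ICMP_TYPES = {"echo-request": 8, "echo-reply": 0, "time-exceeded": 11}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one extended access-list entry; returns None for blank/non-ACE lines.
    Supports the qualifiers used on the slides: an ICMP type name, and
    eq/gt/range on the destination port for TCP and UDP."""
    m = re.match(r"access-list \d+ (permit|deny) (ip|icmp|udp|tcp) (.+?)(?: log)?$", line.strip())
    if not m:
        return None
    action, proto, rest = m.groups()
    src, tokens = _parse_addr(rest.split())
    dst, tokens = _parse_addr(tokens)
    qual = None                      # (packet field, low, high) inclusive range
    if proto == "icmp" and tokens:
        qual = ("icmp_type", ICMP_TYPES[tokens[0]], ICMP_TYPES[tokens[0]])
    elif tokens and tokens[0] == "range":
        qual = ("dport", int(tokens[1]), int(tokens[2]))
    elif tokens and tokens[0] == "eq":
        qual = ("dport", int(tokens[1]), int(tokens[1]))
    elif tokens and tokens[0] == "gt":
        qual = ("dport", int(tokens[1]) + 1, 65535)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["qual"] is None:
        return True
    field, lo, hi = ace["qual"]
    return lo <= pkt.get(field, -1) <= hi

def evaluate(acl_text, pkt):
    """First matching entry wins; with no match the list's implicit deny applies."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace and ace_matches(ace, pkt):
            return ace["action"], line.strip()
    return "deny", "implicit deny"

# ACL 100: inbound on the outside interface. The slides' spoof denies, the inbound
# traceroute probes (ICMP echo-request, UDP probe ports), and the explicit permit
# the slides omit; without it the implicit deny drops all inbound traffic.
ACL_100_IN = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny icmp any any echo-request
access-list 100 deny udp any any range 33434 33534
access-list 100 permit ip any any
"""
# ACL 101: outbound on the outside interface, so replies that reveal the path
# (time-exceeded) or host liveness (echo-reply) never leave the network.
ACL_101_OUT = """
access-list 101 deny icmp any any time-exceeded
access-list 101 deny icmp any any echo-reply
access-list 101 permit ip any any
"""
# ACL 105: inbound on the inside interface; only 192.168.1.0/24 may source traffic.
ACL_105_IN = """
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip any any log
"""

# Constructed packets; RFC 5737 addresses stand in for an outside host and an inside server.
OUTSIDE, INSIDE_SERVER = "198.51.100.7", "203.0.113.5"
PACKETS = {
    "spoofed_rfc1918_from_outside": (ACL_100_IN, {"proto": "tcp", "src": "172.20.4.9", "dst": INSIDE_SERVER, "dport": 22}),
    "legit_inbound_https":          (ACL_100_IN, {"proto": "tcp", "src": OUTSIDE, "dst": INSIDE_SERVER, "dport": 443}),
    "windows_tracert_probe":        (ACL_100_IN, {"proto": "icmp", "src": OUTSIDE, "dst": INSIDE_SERVER, "icmp_type": 8}),
    "unix_traceroute_probe":        (ACL_100_IN, {"proto": "udp", "src": OUTSIDE, "dst": INSIDE_SERVER, "dport": 33437}),
    "router_time_exceeded_reply":   (ACL_101_OUT, {"proto": "icmp", "src": INSIDE_SERVER, "dst": OUTSIDE, "icmp_type": 11}),
    "legit_outbound_dns":           (ACL_101_OUT, {"proto": "udp", "src": "192.168.1.20", "dst": OUTSIDE, "dport": 53}),
    "inside_host_spoofing":         (ACL_105_IN, {"proto": "tcp", "src": "10.9.9.9", "dst": OUTSIDE, "dport": 80}),
    "inside_host_legit":            (ACL_105_IN, {"proto": "tcp", "src": "192.168.1.20", "dst": OUTSIDE, "dport": 80}),
}

def run_all():
    """Map each constructed packet name to (action, matching entry)."""
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in PACKETS.items()}

if __name__ == "__main__":
    for name, (action, why) in run_all().items():
        print(f"{name:30} {action:6} <- {why}")
```

Deleting the final permit ip any any from ACL 100 and re-running the legitimate HTTPS packet returns ("deny", "implicit deny"), which is the failure mode the slides' deny-only lists would produce on a live interface.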

  17. Denial of Service • Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources. • Vulnerabilities • Weak router and switch configuration • Unencrypted communication

  18. Considerations - Secure switching • Install the latest patches and updates • Virtual Local Area Networks (VLANs): VLANs separate network segments and allow access control lists to be applied based on security rules • Insecure defaults: change all factory default passwords to prevent network enumeration or total control of the switch • Services: make sure all unused services are disabled
