405_clonvick_rev4.ppt
Speaker notes
  • You are the Captain. You want to chart a course and sail there.
  • Just like on the ship, you must have: written rules, training, delegation of authority, and periodic review of the rules.
  • Physical protection; dictionary attacks; the “replace the router” attack.
  • An excerpt from RFC 1413 (St. Johns, Identification Protocol, February 1993), section 6, Security Considerations:

    The information returned by this protocol is at most as trustworthy as the host providing it OR the organization operating the host. For example, a PC in an open lab has few if any controls on it to prevent a user from having this protocol return any identifier the user wants. Likewise, if the host has been compromised the information returned may be completely erroneous and misleading.

    The Identification Protocol is not intended as an authorization or access control protocol. At best, it provides some additional auditing information with respect to TCP connections. At worst, it can provide misleading, incorrect, or maliciously incorrect information.

    The use of the information returned by this protocol for other than auditing is strongly discouraged. Specifically, using Identification Protocol information to make access control decisions - either as the primary method (i.e., no other checks) or as an adjunct to other methods may result in a weakening of normal host security.

    An Identification server may reveal information about users, entities, objects or processes which might normally be considered private. An Identification server provides service which is a rough analog of the CallerID services provided by some phone companies and many of the same privacy considerations and arguments that apply to the CallerID service apply to Identification. If you wouldn't run a "finger" server due to privacy considerations you may not want to run this protocol.
  • Your Security Policies must be aligned with the overall objectives of your business.
  • Use a switch in the DMZ; consider secure distribution of web content; no trust between DMZ resources.
  • Administrative access to the servers and routers/switches; audit from servers and routers/switches (syslog); CRM authentication, client to server.

    2. Designing Secure Enterprise Network (C 405, NW’98)
    3. Infrastructure Security
    4. The Security Wheel
       1 Corporate Security Policy; 2 Secure; 3 Monitor; 4 Audit/Test; 5 Manage & Improve
    5. Procedures and Operations (Lesson 1)
       • Rules
       • Periodic Review
       • Delegation of Authority
       • Training
    6. Goals of the Session
       • Define what to protect: anything that could cause problems if it were to stop or malfunction
       • Decide how to protect it: good enough vs. absolute protection
       • Think about the cost of protection vs. the cost of loss or corruption
    7. Agenda
       • I. Introduction
       • II. Router/Switch Self-Protection
       • III. Resource Protection
       • IV. Perimeter Protection
       • V. Sustaining Network Security
       • VI. Security Sustainment Validation
       • VII. Conclusions
    8. II. Router/Switch Self-Protection
       • Threats
       • Avoidance Measures
    9. Intruder Attack Points
       • The administrative interfaces
         • Console
         • Telnet
         • SNMP
       • Overload the data interface
       • Overload the processor
    10. The Administrative Interface
       • Password Protection
       • Password Encryption
       (Figure: the Router> prompt)
    11. Banners
       • Select an appropriate login banner that tells who is allowed into the system
       (Figure: a login prompt reading “Welcome. Password:”)
    12. Native Passwords
         line console 0
          login
          password one4all
          exec-timeout 1 30
       Logging in:
         User Access Verification
         Password: <one4all>
         router>
       The native passwords can be viewed by anyone logging in with the enable password.
    13. Service Password-Encryption (7)
       • Will encrypt all passwords on the Cisco IOS with Cisco-defined encryption type “7”
       • Use “enable password 7 <password>” for cut/paste operations
       • Cisco proprietary encryption method
    14. Service Password-Encryption
       Before:
         hostname Router
         !
         enable password one4all
         !
       After:
         service password-encryption
         !
         hostname Router
         !
         enable password 7 15181E00F
    15. Enable Secret (5)
       • Uses MD5 to produce a one-way hash
       • Cannot be decrypted
       • Use “enable secret 5 <password>” to cut/paste another “enable secret” password
    16. Enable Secret 5
         !
         hostname Router
         !
         enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

         hostname Router
         !
         enable password 1forAll
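A small configuration audit that checks for the conditions slides 12 to 16 describe (cleartext passwords, reversible type 7 output, no “enable secret”). This is an added example, not code from the original presentation; the sample configuration is constructed from the slides’ snippets.

```python
"""Audit a Cisco IOS configuration for weak password storage.

Added example, not part of the original slides: it flags the conditions
slides 12 to 16 describe (cleartext passwords, reversible type 7 output
of 'service password-encryption', and a missing 'enable secret').
"""
import re

# Constructed sample configuration, echoing the slides' snippets.
SAMPLE_CONFIG = """\
hostname Router
!
enable password 7 15181E00F
!
username john password 7 030E4E050D5C
username bill password 0 1forAll
!
line console 0
 login
 password one4all
 exec-timeout 1 30
line vty 0 4
 login
 password 7 0430F1E060A51
"""

SECRET_RE = re.compile(r"^\s*enable\s+secret\s+(?:(\d+)\s+)?\S+\s*$")
USERNAME_RE = re.compile(r"^\s*username\s+\S+\s+password\s+(?:(\d+)\s+)?\S+\s*$")
PASSWORD_RE = re.compile(r"^\s*(?:enable\s+)?password\s+(?:(\d+)\s+)?\S+\s*$")


def classify(enc_type):
    """Map the optional IOS password-type field to how the value is stored."""
    if enc_type in (None, "0"):
        return "cleartext"
    if enc_type == "7":
        return "type7"   # 'service password-encryption': reversible obfuscation
    if enc_type == "5":
        return "md5"     # 'enable secret': one-way hash
    return "unknown"


def audit_config(text):
    """Return (line_number, severity, message) findings; line 0 is config-wide."""
    findings = []
    has_enable_secret = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.match(line):
            has_enable_secret = True
            continue
        m = USERNAME_RE.match(line) or PASSWORD_RE.match(line)
        if not m:
            continue
        kind = classify(m.group(1))
        if kind == "cleartext":
            findings.append((lineno, "HIGH", "password stored in cleartext; "
                             "enable 'service password-encryption' at minimum"))
        elif kind == "type7":
            findings.append((lineno, "MEDIUM", "type 7 is reversible; anyone who "
                             "can read the configuration can recover this password"))
    if not has_enable_secret:
        findings.append((0, "HIGH", "no 'enable secret' configured; use the MD5 "
                         "(type 5) secret rather than 'enable password'"))
    return findings


if __name__ == "__main__":
    for lineno, severity, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno:>2} {severity:6} {msg}")
```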
    17. Pass word of Caution
       • Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router
    18. Use Good Passwords
       • Do not use passwords that can be easily guessed
       (Cartoon caption: “hmm…, how about ‘Pancho’?”)
    19. Authentication Mechanisms
       • Local Password
       • Kerberos
       • TACACS+
       • RADIUS
       • One-time Passwords
    20. Cisco IOS TACACS+ Authentication
         version 11.2
         !
         service password-encryption
         !
         hostname Router
         !
         aaa new-model
         aaa authentication login ruth tacacs+ enable
         aaa authentication login sarah tacacs+ local
         enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
         !
         username john password 7 030E4E050D5C
         username bill password 7 0430F1E060A51
         !
       • “service password-encryption” encrypts passwords with encryption (7)
       • “aaa authentication login ruth …” defines list “ruth” to use TACACS+, then the enable password
       • “aaa authentication login sarah …” defines list “sarah” to use TACACS+, then the local user and password
       • “enable secret” overrides the (7) encryption
       • The “username” lines define local users
    21. Cisco IOS TACACS+ Authentication (continued)
         tacacs-server host 10.1.1.2
         tacacs-server key <key>
         !
         line con 0
          login authentication ruth
         line aux 0
          login authentication ruth
         line vty 0 4
          login authentication sarah
          length 29
          width 92
         !
         end
       • “tacacs-server host” defines the IP address of the TACACS+ server
       • “tacacs-server key” defines the “encryption” key for communicating with the TACACS+ server
       • The console and aux lines use the authentication mechanisms listed in “ruth”: TACACS+, then the enable password
       • The vty lines use the authentication mechanisms listed in “sarah”: TACACS+, then a local user/password
    22. PIX TACACS+ Authentication
         PIX Version 4.2(2)
         enable password BjeuCKspwqCc94Ss encrypted
         password nU3DFZzS7jF1jYc5 encrypted
         tacacs-server host 10.1.1.2 <key>
         aaa authentication telnet outbound 0 0 0 0 tacacs+
         aaa authentication ftp outbound 0 0 0 0 tacacs+
         aaa authentication http outbound 0 0 0 0 tacacs+
         no snmp-server location
         no snmp-server contact
         snmp-server community notpublic
         no snmp-server enable traps
         telnet 10.1.1.2 255.255.255.255
         ...
         Cryptochecksum:a21af67f58849f078a515b177df4228
         : end
         [OK]
       • “enable password … encrypted” is the enable password
       • “password … encrypted” is the Telnet password
       • “tacacs-server host 10.1.1.2 <key>” defines the IP address of the TACACS+ server and the key
       • The “aaa authentication” lines define the services that require authentication
       • “telnet 10.1.1.2 255.255.255.255” defines the device that can Telnet into the PIX
    23. Encrypted Telnet Sessions
       • Kerberos v5
       • Strong Authentication within the session
       • Relies heavily upon DNS and NTP
    24. One-Time Passwords
       • May be used with TACACS+ or RADIUS
       • The same “password” will never be reused by an authorized administrator
       • Key Cards: CryptoCard token server included with CiscoSecure
       • Support for Security Dynamics and Secure Computing token servers in Cisco Secure
    25. Restrict Telnet Access
         access-list 12 permit 172.17.55.0 0.0.0.255
         line vty 0 4
          access-class 12 in
    26. SNMP Access Control
       RO: Read Only; RW: Read + Write
         access-list 13 permit 192.85.55.12
         access-list 13 permit 192.85.55.19
         snmp-server community notpublic RO 13
    27. Switch Access Security
         Console> set ip permit 172.100.101.102
         Console> set ip permit 172.160.161.0 255.255.192.0
         Console> set ip permit enable
         Console> show ip permit
         IP permit list feature enabled.

         Permit List       Mask
         ----------------  ---------------
         172.100.101.102
         172.160.161.0     255.255.192.0

         Denied IP Address  Last Accessed Time  Type
         -----------------  ------------------  ------
         172.100.101.104    01/20/97,07:45:20   SNMP
         172.187.206.222    01/21/97,14:23:05   Telnet
         Console>
    28. SNMP
       • Version one sends cleartext community strings and has no policy reference
       • Version two addresses some of the known security weaknesses of SNMP version one
       • Version three is being worked on
    29. Identification Protocol
       • The Identification Protocol (Auth) can be enabled for sessions to the router
       Exchange shown in the figure, in order:
         Telnet (D=23, S=4909)
         Auth: who’s using (D=23, S=4909)?
         Auth: (D=23, S=4909) is Chris
         Telnet (D=23, S=4909) proceed
       RFC 1413, Identification Protocol: “The information returned by this protocol is at most as trustworthy as the host providing it...”
    30. Resource Deprivation Attacks
         version 11.2
         !
         no service udp-small-servers
         no service tcp-small-servers
         !
       • Echo (7)
       • Discard (9)
       • Daytime (13)
       • Chargen (19)
       These are disabled by default in IOS 11.3.
    31. Resource Deprivation Attacks
       • Finger (tcp/79)
         version 11.2
         !
         no service finger
         no service udp-small-servers
         no service tcp-small-servers
         !
    32. ARP Control
         !
         arp 172.1.1.99 00e0.a08c.70c2 arpa
         !
         interface ethernet 0/0
          ip address 172.1.1.100 255.255.0.0
         !
       (Figure: on Ethernet 0/0, 172.1.1.99 at 00e0.a08c.70c2 and a second host claiming 172.1.1.99 at 00e0.a013.0070)
    33. Switch Port Security
         Console> set port security 3/1 enable 01-02-03-04-05-06
         Console> set port security 3/2 enable
         Console>
         Console> show port 3
         Port  Status   Vlan  Level   Duplex  Speed  Type
         ----  -------  ----  ------  ------  -----  ------------
         3/1   connect  1     normal  half    10     10 BASE-T
         3/2   connect  1     normal  half    10     10 BASE-T

         Port  Security  Secure-Src-Addr    Last-Src-Addr      Shutdown
         ----  --------  -----------------  -----------------  --------
         3/1   enabled   01-02-03-04-05-06  01-02-03-04-05-06  No
         3/2   enabled   05-06-07-08-09-10  10-11-12-13-14-15  Yes
         Console>
    34. Administrator Authorization Levels
       • Sixteen administrative levels that can be used to delegate authority
       • Cisco IOS commands can be associated with a level
         Router# show priv
         Current privilege level is 15
         Router# disable
         Router>enable 9
         Password:
         Router# show priv
         Current privilege level is 9
         Router#
       Configuration:
         privilege exec level 9 show
         enable secret level 9 <AllinOne>
         enable secret 5 <OneinAll>
    35. Audit Trail — Cisco IOS Syslog
         unix% tail cisco.log
         Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
         unix% date
         Tue Feb 17 21:49:53 CST 1998
         unix%

         Router>sho clock
         *11:53:44.764 CST Tue Mar 2 1993
         Router>

         version 11.2
         service timestamps log datetime localtime show-timezone
         !
         logging 10.1.1.2
    36. Audit Trail — PIX Syslog
         unix% tail pix.log
         Feb 20 07:46:25 [10.1.1.1.2.2] Begin configuration: reading from terminal
         Feb 20 07:46:29 [10.1.1.1.2.2] 111005 End configuration: OK
         Feb 20 07:46:32 [10.1.1.1.2.2] 111001 Begin configuration: writing to memory
         Feb 20 07:46:32 [10.1.1.1.2.2] 111004 End configuration: OK
         unix%

         PIX Version 4.2(2)
         …
         names
         logging console informational
         logging monitor informational
         logging buffered informational
         logging trap informational
         logging facility 20
         logging host inside 10.1.1.2
    37. Use a tool to analyze your logs and generate reports
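One such tool, as an added example (not part of the original presentation): it parses the IOS and PIX syslog line shapes shown on slides 35 and 36, lists configuration changes with who made them and from where, and flags devices whose own timestamp carries the IOS “*” marker, which means the router clock is not authoritative, as in the 1993 clock on slide 35. The sample log is constructed from the slides’ excerpts.

```python
"""Pull configuration-change events out of IOS and PIX syslog lines.

Added example, not part of the original presentation; the parsing covers
just the two line shapes shown on slides 35 and 36."""
import re

# Constructed from the slides' excerpts.
SAMPLE_LOG = """\
Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
Feb 20 07:46:25 [10.1.1.1.2.2] Begin configuration: reading from terminal
Feb 20 07:46:29 [10.1.1.1.2.2] 111005 End configuration: OK
Feb 20 07:46:32 [10.1.1.1.2.2] 111001 Begin configuration: writing to memory
Feb 20 07:46:32 [10.1.1.1.2.2] 111004 End configuration: OK
"""

# Syslog-host timestamp, bracketed sender (IP then extra dotted fields), body.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\[((?:\d+\.){3}\d+)[^\]]*\]\s+(.*)$")
# IOS body: sequence, optional '*' (clock not authoritative), device time, mnemonic, text.
IOS_RE = re.compile(r"^(\d+):\s+(\*?)([A-Z][a-z]{2}\s+\d+\s+[\d:]+\s+\S+):\s+%(\S+?):\s+(.*)$")
CONFIG_BY_RE = re.compile(r"Configured from (\S+) by (\S+)(?: \(([\d.]+)\))?")
PIX_CONFIG_RE = re.compile(r"^(?:(\d{6})\s+)?(Begin|End) configuration:\s*(.*)$")


def parse_line(line):
    """Return a dict describing one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host_time, device, body = m.groups()
    ev = {"host_time": host_time, "device": device, "clock_unsynced": False}
    ios = IOS_RE.match(body)
    if ios:
        ev["clock_unsynced"] = ios.group(2) == "*"
        ev["mnemonic"], ev["text"] = ios.group(4), ios.group(5)
        return ev
    pix = PIX_CONFIG_RE.match(body)
    if pix:
        ev["mnemonic"] = "PIX-CONFIG-" + pix.group(2).upper()
        ev["text"] = pix.group(3)
        return ev
    ev["mnemonic"], ev["text"] = "UNPARSED", body
    return ev


def config_changes(text):
    """Return (device, source, host_time) for each configuration change seen."""
    changes = []
    for ev in map(parse_line, text.splitlines()):
        if ev is None:
            continue
        if ev["mnemonic"] == "SYS-5-CONFIG_I":
            by = CONFIG_BY_RE.search(ev["text"])
            source = by.group(2) if by else "?"
            if by and by.group(3):
                source += f" ({by.group(3)})"      # remote address of the vty session
            changes.append((ev["device"], source, ev["host_time"]))
        elif ev["mnemonic"] == "PIX-CONFIG-BEGIN":
            changes.append((ev["device"], ev["text"], ev["host_time"]))
    return changes


def unsynced_devices(text):
    """Devices whose own timestamp is marked '*': their clock is not authoritative."""
    return sorted({ev["device"] for ev in map(parse_line, text.splitlines())
                   if ev and ev["clock_unsynced"]})
```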
    38. III. Resource Protection
       • Individual Resources
       • Threats
       • Avoidance measures
    39. Spoofing
         interface Serial 1
          ip address 172.26.139.2 255.255.255.252
          ip access-group 111 in
          no ip directed-broadcast
         !
         interface ethernet 0/0
          ip address 10.1.1.100 255.255.0.0
          no ip directed-broadcast
         !
         access-list 111 deny ip 127.0.0.0 0.255.255.255 any
         access-list 111 deny ip 10.1.0.0 0.0.255.255 any
         access-list 111 permit ip any any
       (Figure: a packet IP (D=10.1.1.2 S=10.1.1.1) arriving on Serial 1 from the 172.16.42.84 side, addressed to the inside host 10.1.1.2)
    40. ICMP Filtering
       Summary of Message Types (RFC 792: Internet Control Message Protocol; ICMP codes are not shown):
         0   Echo Reply
         3   Destination Unreachable
         4   Source Quench
         5   Redirect
         8   Echo
         11  Time Exceeded
         12  Parameter Problem
         13  Timestamp
         14  Timestamp Reply
         15  Information Request
         16  Information Reply
       • no ip redirects (IOS will not send or accept)
       • no ip unreachables (IOS will not send)
       • Extended access list: access-list 101 permit icmp any any <type> <code>
    41. Source Routing (RFC 791: Internet Protocol)
         interface Serial 1
          ip address 172.16.139.2 255.255.255.252
          ip access-group 111 in
         !
         no ip source-route
         !
         access-list 111 permit ip 10.16.0.0 0.0.255.255 any
       (Figure: the private network 10.16.0.0 behind Serial 1; an outside host announces “I’m 10.16.99.99, and here’s the route back to me”)
    42. Example Scenario
       Protect the email server? (Figure: SMTP Host)
    43. Cisco IOS with an Access List
         interface ethernet 0/0
          ip address 172.16.1.100 255.255.0.0
         !
         interface ethernet 0/1
          ip address 172.17.1.100 255.255.0.0
          ip access-group 111 in
          no ip unreachables
          no ip redirects
         !
         access-list 111 permit tcp any host 172.16.1.1 eq smtp
         access-list 111 permit tcp any host 172.16.1.1 established
         access-list 111 permit icmp any host 172.16.1.1
       (Figure: e0/0 and e0/1; the SMTP host 172.16.1.1 sits on the e0/0 side)
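To see how the anti-spoofing list on slide 39 and the SMTP list on slide 43 decide each packet, here is an evaluator for the extended access-list subset those slides use (ip/tcp/icmp, any, host, address plus wildcard mask, “eq smtp”, “established”, and the implicit deny at the end). It is an added example, not Cisco’s implementation; the “established” test (ACK or RST set) and the sample packets are modeled here, not taken from the slides.

```python
"""Evaluate packets against Cisco-style extended access lists.

Added example, not part of the original presentation: models only the
ACL syntax slides 39 and 43 use, with first match wins and implicit deny."""
import ipaddress

PORT_NAMES = {"smtp": 25}

# Constructed from the slides: slide 39 (anti-spoofing) and slide 43 (SMTP host).
ANTI_SPOOF_ACL = """\
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""
SMTP_ACL = """\
access-list 111 permit tcp any host 172.16.1.1 eq smtp
access-list 111 permit tcp any host 172.16.1.1 established
access-list 111 permit icmp any host 172.16.1.1
"""


def parse_match(tokens):
    """Consume one address spec from tokens; return (network, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acl(text):
    """Return rules as (action, proto, src, dst, dport, established)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = parse_match(rest), parse_match(rest)
        dport, established = None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                name = rest.pop(0)
                dport = PORT_NAMES.get(name) or int(name)
            elif tok == "established":
                established = True
        rules.append((action, proto, src, dst, dport, established))
    return rules


def addr_matches(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must match."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(rules, proto, src, dst, dport=None, flags=()):
    """Return 'permit' or 'deny' for one packet; first matching rule wins."""
    for action, rproto, rsrc, rdst, rport, est in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (addr_matches(src, rsrc) and addr_matches(dst, rdst)):
            continue
        if rport is not None and dport != rport:
            continue
        if est and not ({"ACK", "RST"} & set(flags)):
            continue      # 'established' needs ACK or RST set
        return action
    return "deny"         # implicit deny at the end of every access list
```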
    44. Cisco PIX
         PIX Version 4.2(2)
         nameif ethernet0 outside security0
         nameif ethernet1 inside security100
         hostname mypix
         ...
         fixup protocol smtp 25
         ...
         interface ethernet0 auto
         interface ethernet1 auto
         ip address inside 10.1.1.101 255.255.0.0
         ip address outside 172.17.1.100 255.255.0.0
         static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0
         conduit permit tcp host 171.68.41.7 eq smtp any
       (Figure: Inside and Outside interfaces of the PIX)
    45. Cisco IOS Firewall Feature Set
         logging 172.16.27.131
         ip inspect audit-trail
         ip inspect dns-timeout 10
         ip inspect tcp idle-time 60
         ip inspect name myfw smtp timeout 3600
         ip inspect name myfw tcp timeout 3600
         !
         interface Ethernet 0
          ip address 172.16.1.100 255.255.0.0
          ip inspect myfw in
         !
         interface Serial 0
          ip address 172.19.139.1 255.255.255.248
          ip access-group 111 in
          ip inspect myfw in
         !
         access-list 111 permit tcp any host 172.16.1.1 eq smtp
         !
       Add anti-spoofing here as well.
       (Figure: e0 and s0)
    46. Intranet Protection Costs
       • Versus:
         • Loss
         • Corruption
         • Ease of Use
    47. IV. Perimeter Protection
    48. Firewall Protection
       • Use access control lists on the screening router to control traffic
       • Isolate each server from traffic with a switch
       (Figure: the Internet, a screening router, and a Demilitarized Zone (DMZ) holding DNS, WWW and Mail servers)
    49. Syn Attack
       (Figure: a stream of TCP syn packets aimed at 172.18.1.2 from a range of sources:)
         TCP syn (D=172.18.1.2 S=1.1.1.1)
         TCP syn (D=172.18.1.2 S=1.1.1.2)
         TCP syn (D=172.18.1.2 S=1.1.1.3)
         TCP syn (D=172.18.1.2 S=1.1.1.4)
         TCP syn (D=172.18.1.2 S=1.1.1.5)
         TCP syn (D=172.18.1.2 S=2.1.1.1)
         TCP syn (D=172.18.1.2 S=2.1.1.2)
    50. Cisco IOS Syn Attack Defense
       • How many session requests in the last one minute?
       • How many incomplete sessions are there?
       (Figure: the three-way handshake, TCP syn / TCP syn/ack / TCP ack, on each side of the router)
         !
         ip tcp intercept list <access-list-number>
         !
    51. Cisco IOS Syn Attack Defense
       • How many session requests in the last one minute?
       • How many incomplete sessions are there?
       • How long do I wait for the final ack?
       (Figure: TCP syn / TCP syn/ack / TCP ack)
         ip tcp intercept list <access-list-number>
         ip tcp intercept mode watch
    52. PIX — Syn Attack Defense
         PIX Version 4.2(2)
         static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0 [max_conns [em_limit]]
         conduit permit tcp host 171.68.41.7 eq smtp any
       • max_conns: the maximum number of TCP connections allowed
       • em_limit: the embryonic connection limit
       (Figure: Inside and Outside interfaces of the PIX)
    53. Cisco IOS Firewall Feature Set Syn Attack Defense
       • How many session requests in the last one minute?
       • How many incomplete sessions are there?
       • How long do I wait for the final ack?
       (Figure: TCP syn / TCP syn/ack / TCP ack)
         ip inspect tcp synwait-time [seconds]
         ip inspect tcp finwait-time [seconds]
         ip inspect tcp idle-time [seconds]
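The three questions slides 50 to 53 keep asking (requests in the last minute, incomplete sessions, how long to wait for the final ack) map onto a small monitor of embryonic connections. This is an added example, not the presentation’s own code and not the actual algorithm of TCP Intercept, the PIX em_limit or CBAC: it replays the slide 49 syn stream through a per-server limit and a synwait timeout so the accounting can be inspected. The em_limit, synwait and client addresses are constructed values.

```python
"""Embryonic (half-open) TCP session accounting with a limit and a timeout.

Added example, not part of the original presentation: a simplified
monitor answering the slides' questions, not the vendor implementation."""
from collections import deque


class HalfOpenMonitor:
    def __init__(self, em_limit, synwait, window=60):
        self.em_limit = em_limit     # max incomplete sessions per server
        self.synwait = synwait       # seconds to wait for the final ack
        self.window = window         # seconds for the request-rate count
        self.embryonic = {}          # (src, sport, dst, dport) -> syn time
        self.requests = deque()      # (time, dst) of recent syns
        self.dropped = 0

    def _expire(self, now):
        # A syn whose handshake never completed is forgotten after synwait.
        for key, t in list(self.embryonic.items()):
            if now - t > self.synwait:
                del self.embryonic[key]
        while self.requests and now - self.requests[0][0] > self.window:
            self.requests.popleft()

    def incomplete_for(self, dst):
        return sum(1 for key in self.embryonic if key[2] == dst)

    def requests_for(self, dst):
        return sum(1 for _, d in self.requests if d == dst)

    def syn(self, now, src, sport, dst, dport):
        """Return 'accept' or 'drop' for a new connection request."""
        self._expire(now)
        self.requests.append((now, dst))
        if self.incomplete_for(dst) >= self.em_limit:
            self.dropped += 1
            return "drop"
        self.embryonic[(src, sport, dst, dport)] = now
        return "accept"

    def ack(self, now, src, sport, dst, dport):
        """Final ack of the handshake: the session is no longer embryonic."""
        self._expire(now)
        return self.embryonic.pop((src, sport, dst, dport), None) is not None


# Constructed replay of slide 49: syns that never complete the handshake.
FLOOD = [("1.1.1.1", 1025), ("1.1.1.2", 1025), ("1.1.1.3", 1025),
         ("1.1.1.4", 1025), ("1.1.1.5", 1025), ("2.1.1.1", 1025),
         ("2.1.1.2", 1025)]


def replay_flood(em_limit=5, synwait=30):
    """Return (accepted, dropped, later client verdict, incomplete at the end)."""
    mon = HalfOpenMonitor(em_limit, synwait)
    results = [mon.syn(t, src, sport, "172.18.1.2", 25)
               for t, (src, sport) in enumerate(FLOOD)]
    # A legitimate client (constructed address) arrives after the flood
    # entries have timed out and completes its handshake.
    later = len(FLOOD) + synwait + 1
    verdict = mon.syn(later, "172.16.42.84", 4909, "172.18.1.2", 25)
    mon.ack(later + 1, "172.16.42.84", 4909, "172.18.1.2", 25)
    return (results.count("accept"), results.count("drop"),
            verdict, mon.incomplete_for("172.18.1.2"))
```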
    54. Extranet Options
       (Figure: an enterprise campus backbone reaching partners over private links, a VAN, the Internet and Virtual Private Networking; an EDI Translator, a Purchasing System and a Gateway are shown)
    55. Electronic Commerce
       (Figure: a Gateway Router and Firewall between the Internet and the Intranet; a Web Server and Secure Commerce Servers in the Demilitarized Zone (DMZ); Enterprise Servers in the Intranet)
    56. VPN Security Requirements
       • Encryption for authentication, confidentiality and integrity
       or
       • Physical line separation via private lines or frame relay
    57. Virtual Private Dial Network
       • Layer 2 Forwarding
       • Layer 2 Tunnel Protocol
       (Figure: tunnels across the Internet)
    58. VPDN Entrance to the Enterprise
       (Figure: Internet, Screening Router, Firewall, Demilitarized Zone (DMZ), Home Gateway, Intranet)
    59. Dial Access Protection
       • Where to place the NAS?
       (Figure: a Screening Router with DNS, WWW and Mail servers)
    60. V. Sustaining Network Security
       • 24 by 7
    61. Dynamic Routing Protocols
       Path Redundancy to Route Around Failures
    62. Keyed Hashing for Authentication and Integrity
       • Secret key and message are hashed together
       • Recomputation of digest verifies that the message originated with the peer and that the message was not altered in transit
       (Figure: “Secret Key” and Message go into the Hash Function, which produces the Signature, e.g. 983lna9458hk7436gq)
    63. Route Update Authentication and Integrity
       (Figure: the sender assembles the packet with the key, IP HDR | Key | Route Update Data, runs it through the Hash Function, and sends IP HDR | Signature | Route Update Data to the wire; the receiver reassembles the packet with the key and recomputes the Signature)
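The scheme of slides 62 and 63 carried through in code, as an added example (not from the presentation, and not the exact RIP-2 or OSPF MD5 packet layout): the shared key is appended to the route update before hashing, only the digest travels, and the receiver recomputes it with its own copy of the key. The key, the route entries and the 6-byte entry encoding are constructed for the example.

```python
"""Keyed-hash authentication of a routing update (slides 62 and 63).

Added example, not part of the original presentation: signature =
MD5(data || key) as the slides sketch, not a real routing protocol's
packet format. MD5 is what the 1998 material uses; a modern deployment
would use an HMAC over SHA-256 in the same position."""
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-shared-secret"   # constructed; configured per peer

# Constructed route update: (network, prefix_len, metric) entries.
ROUTES = [("10.1.0.0", 16, 1), ("10.2.0.0", 16, 3)]


def encode_routes(routes):
    """Serialize route entries into the on-the-wire 'Route Update Data'."""
    data = b""
    for net, plen, metric in routes:
        octets = bytes(int(o) for o in net.split("."))
        data += octets + struct.pack("!BB", plen, metric)
    return data


def sign(data, key):
    """Hash key and message together; the key itself never goes on the wire."""
    return hashlib.md5(data + key).digest()


def build_update(routes, key):
    """What goes to the wire: the data followed by its 16-byte signature."""
    data = encode_routes(routes)
    return data + sign(data, key)


def verify_update(packet, key):
    """Recompute the digest with the local key; return the routes or None."""
    if len(packet) < 16 or (len(packet) - 16) % 6:
        return None
    data, signature = packet[:-16], packet[-16:]
    if not hmac.compare_digest(sign(data, key), signature):
        return None          # altered in transit, or not from our peer
    routes = []
    for i in range(0, len(data), 6):
        net = ".".join(str(b) for b in data[i:i + 4])
        plen, metric = struct.unpack("!BB", data[i + 4:i + 6])
        routes.append((net, plen, metric))
    return routes


def altered_in_transit(packet):
    """Constructed failure case: one metric byte changed after signing."""
    body = bytearray(packet)
    body[5] = 15             # first route's metric, 1 -> 15
    return bytes(body)
```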
    64. Route Filtering
         Router# sho ip proto
         Routing Protocol is "rip"
           Sending updates every 30 seconds, next due in 12 seconds
           Invalid after 180 seconds, hold down 180, flushed after 240
           Outgoing update filter list for all interfaces is not set
           Incoming update filter list for all interfaces is 1
           Redistributing: rip

         router rip
          network 10.0.0.0
          distribute-list 1 in
         !
         access-list 1 deny 0.0.0.0
         access-list 1 permit 10.0.0.0 0.255.255.255
    65. Secure Vital Services
       • Network Time Protocol Sources
       • Domain Name Servers
       • Certificate Authority
    66. Multi-Level Security - TCSEC, ITSEC and CC
       • Not really needed in Enterprise Networks
       • Difficult to implement (unless you’re the military)
    67. Session Protection through Encryption
       (Figure: Application layer, application to application; Network layer, end to end, end to intermediate, intermediate to intermediate; Link layer, link by link)
    68. Session Protection through Network Layer Encryption
       (Figure: cleartext is encrypted with DES under a shared secret key, crosses the Internet as ciphertext, and is decrypted with DES under the same shared secret key back to cleartext)
       IPSec: the IETF working group defining IP Security
    69. NetRanger
       • Sensors watch for attacks or problems
       • NetRanger stops active attacks
       (Figure: a NetRanger Director with several Sensors)
    70. NetSonar Vulnerability Scanning
       • Network mapping
         • Identify live hosts
         • Identify services on hosts
       • Vulnerability scanning
         • Analyze discovery data for potential vulnerabilities
         • Confirm vulnerabilities on targeted hosts
       (Figure: several targets)
    71. VI. Security Sustainment Validation
       • What steps can you take to make sure that your network will continue to be secure?
    72. Modeling Tools
       • NetSys Modeling can verify the access controls in your network
    73. Validating Your Policy through Network Management Systems
       • What to monitor?
       • What to measure?
       (Figure: Access, Workgroup and Core layers, with IBM Management)
       Track and report trends that show how you are achieving your security goals.
    74. VII. Conclusions
       For the want of a nail, the shoe was lost.
       For the want of a shoe, the horse was lost.
       For the want of a horse, the rider was lost.
       For the want of a rider, the battle was lost.
       For the want of a battle, the Kingdom was lost.
       And all for the want of a horse shoe nail.
