Network Security


  • There is no such thing as perfect security. As soon as a method is devised, some smart punk will figure out how to break it; 56-bit DES keys have since been recovered by brute force. In general, what we don't want is to scare people. Instead, we want to teach people how to close and lock the doors to their networks while understanding that if someone REALLY wants in, they will probably find a way. Most security breaches are still accomplished by "social engineering", where a person posing as your help desk convinces someone to give them their password. The Cisco security initiative helps you build a reasonable security policy today and lets you evolve it into a more comprehensive solution as integration products are delivered.
  • The reason the security problem is a difficult one is that most networks (especially the Internet and IP) were designed when the need for security did not exist for the types of information being sent across them. Bank applications have always used separate networks and separate protocols. With the growth of the Internet, most companies want to merge these two networks. This requires a new security model for the Internet and for the networks that connect to it. This brief history slide explains the origin of the Internet and the Internet protocol: the Internet was designed for global reach, inexpensive scalability and local administration, not for security. Now we have new uses for an established infrastructure (mobility, telecommuting, EDI, commerce), so we must impose a security model on top of the current infrastructure.
  • Several Cisco IOS security services that protect data resources benefit from the performance and granularity of NetFlow switching: extensive access control lists can be operated with minimal performance impact, and access control can be applied with additional granularity, down to specific applications. Dynamic address assignment, and the increasing need to authenticate users rather than simple network addresses, led Cisco to develop the mechanism termed "Lock and Key". With Lock and Key, the interface access list contains a dynamic entry that is inactive until a user authenticates. The user opens a Telnet session to the router; the router verifies the credentials (locally or through a TACACS+/RADIUS security server, which can also hold the user's access permissions) and then installs a temporary per-host access-list entry, derived from the dynamic template, that governs that user's connectivity. The entry is removed when the user's traffic has been idle for a configured period or when its absolute timeout expires, which protects against later unauthorized use of the same address.
  • Today, analysts estimate that overall IT budgets are growing by at most 10% per annum, yet the load on computing and network infrastructures is growing much more rapidly, particularly because of Internet and intranet applications; Internet traffic is the fastest-growing traffic type in most enterprises. Gains in price/performance do not sufficiently offset the gap between spending growth and requirements growth, so most IT environments are focusing on centralization, simplification and standardization. And as traffic and load, and therefore the fundamental business value of the IT infrastructure, increase, the business becomes increasingly vulnerable to breaches in security.
  • The dilemma facing the enterprise is that IT security is required to reduce business vulnerability, yet it is complicated to implement and cannot be implemented uniformly or scalably in terms of effort, time or cost. This dilemma is compounded by the added vulnerability of the Internet connection, which is now a uniform requirement but potentially gives every malicious hacker, bored college student and competitor an entree to the business infrastructure. The statistics show that most enterprises are subject to attempted break-ins, many of which go undetected and many of which succeed. Many enterprises simply don't know it is happening.
  • Cisco has a great deal of security technology. This slide groups it into the three main areas in which security features are needed, with details organized by Cisco IOS, server or PIX feature:
      Cisco IOS: perimeter security (ACLs), data encryption, Kerberos, route authentication, GRE, Lock and Key, Kerberized Telnet, TACACS+/RADIUS, L2F
      PIX: IPsec
      Servers: VeriSign CA (UNIX), DNS/DHCP server (UNIX), CiscoSecure (TACACS+/RADIUS/MS login on NT), DNS/DHCP server
  • Host security exposures. PCs: do you allow your PC to be logged onto the network automatically? Installation: software that must be installed as "root" can leave your network open. Mail: without ACLs, may be able… Guest login: many hosts have special administrative accounts enabled by default (e.g., VMS). Anonymous FTP.
  • Layered security Policy/requirements
  • Firewalls include: packet control, access control lists (ACLs), resource protection, violation reporting and violation accounting. Goals and the methods that meet them:
      Goal: application-by-application transit permissions. Method: packet filtering
      Goal: network hiding / illegal-address support. Method: network translation, circuit-level gateway, application proxies
      Goal: host and application shielding. Method: circuit-level gateway, application proxies
      Goal: local session termination. Method: circuit-level gateway, application proxies
      Goal: per-user authentication. Method: RADIUS, TACACS+, simple passwords, one-time passwords, challenge/response
      Goal: per-application authorization. Method: circuit-level gateway, application proxies
      Goal: destination restrictions on FTP, WWW. Method: packet filtering
      Goal: content restriction on WWW (schools, some companies). Method: SurfWatch or CyberNOT support
      Goal: simple, intuitive configuration and management. Method: good GUI management tool
      Goal: single-box Internet access solution. Method: IP routing, DNS, SMTP relay, NNTP relay, NTP
    Internet service providers, looking to sell security as a value-add to their connectivity customers, have additional requirements:
      Goal: address portability. Method: DHCP for network blocks plus address translation
      Goal: secure remote administration. Method: SNMPv2, Kerberos, other
      Goal: secure remote monitoring. Method: SNMPv2, proprietary
  • DMZ: demarcation ("demilitarized") zone. Typically one LAN; the location of the world-visible hosts, for example the top-level DNS server, the main mail server, the public FTP server(s) and the public WWW server(s). The internal network is "protected" by route filtering, Network Address Translation (NAT) and packet filtering.
  • Network services (Telnet, FTP, HTTP (WWW), etc.) are naturally one-step connections. Assume only outbound connections are allowed. Option 1: users go through two steps. Option 2: deploy application proxy servers. Option 3: deploy one-way firewalling. Building blocks: route filtering; access control lists and logging; Network Address Translation; payload encryption. Futures (1Q97): SOCKS 5, IETF encryption, reflexive access control lists, management/monitoring.
  • Proxy servers are application-relay programs: they look like the server to the real client and like the client to the real server. They are application-specific (Telnet, FTP, HTTP (WWW), X, Gopher, Archie). Advantages: application-specific security, for example username control or URL control. Limitations: tailoring for each application, custom client software, costly deployment.
  • A stateful firewall. The initial installation is already pre-secured. It understands multiple protocols, including FTP, and opens dynamic access-list entries based on the specific application protocol, which eliminates the need for a proxy server and lets clients connect directly to the Internet without resorting to passive FTP. "Stateful" security means the PIX maintains state information per connection: TCP source and destination addresses, TCP sequence numbers and TCP port numbers. Three important benefits: 1. High performance: the PIX hashes these parameters and uses the resulting value to check traffic in and out, so it does not need to inspect the entire data stream. It supports over 16,000 simultaneous TCP connections and runs from flash memory with no hard disk, giving dramatically better performance. 2. Easy configuration: only five commands are needed, no day-to-day management is required, and it is highly reliable. 3. Very cost effective, especially compared with the hardware requirements of proxy servers. The PIX also has an encryption option, the PIX Private Link card, for encrypted tunnels between protected LANs.
  • Encryption turns cleartext into ciphertext, with the encryption key as a parameter to the algorithm; decryption restores cleartext from ciphertext, with the decryption key as a parameter to the algorithm. Challenges: keys must be changed frequently to limit exposure to analysis and to limit risk, and shared keys must be generated and distributed securely. Multiple techniques achieve this: public key encryption (public/private keys), digital signatures, certificates and a certifying authority (CA). Cisco IOS encryption services: policy by network, subnet, or address/port pairs (ACL); DSS for device authentication; Diffie-Hellman for session key management; DES for bulk encryption (40-bit DES is generally exportable, 56-bit DES is restricted); hardware assist via the VIP2 service adapter; implementation of the new IETF draft standard ISAKMP/Oakley; full IPsec compliance; host-based interoperability; other protocols (IPX, AppleTalk); compression.
  • As connections to the Internet grow in size, the performance requirements of the firewall grow with them. For small sites a combined router/firewall should have ample performance. As the connection size grows, the firewall will need to be a stand-alone device to handle all the packet-by-packet analysis. As connections become very large (DS3), DMZs will need a stackable solution so that encryption, compression and packet-by-packet analysis can be load-balanced across many firewalls.
  • RADIUS or TACACS for centralized security. TACACS is an industry-standard protocol specification, RFC 1492, that forwards username and password information to a centralized server. The centralized server can be either a TACACS database or a database such as the UNIX password file with TACACS protocol support. XTACACS defines the extensions Cisco added to the TACACS protocol to support new and advanced features. XTACACS supports: multiple TACACS servers; syslog (sends accounting information to a UNIX host); connect (the user is authenticated into the access server "shell" and can then Telnet or initiate SLIP, PPP or ARA). XTACACS is multiprotocol and can authorize connections with SLIP, ENABLE, PPP, ARA, EXEC and Telnet. TACACS+ was first introduced by Cisco in Cisco IOS 10.3 in the first half of 1995. It was a total rewrite of the XTACACS protocol; in fact TACACS+ and XTACACS are not compatible. Cisco evaluated RADIUS as an alternative but decided that RADIUS would not meet customers' needs, and as a result TACACS+ was developed.
  • Individuals behind LAN to dial
  • Layer 2 Forwarding (L2F): the look and feel of a dial-up workgroup LAN from anywhere on the Internet. Multiprotocol (IP, IPX, SNA, AppleTalk): the tunnel carries any protocol. The client's address is assigned from "home"; the tunnel is dynamic; the user name/password check and the LCP negotiation take place at "home".
  • Encryption can be performed at the application layer by specific applications on client workstations and serving hosts. This has the advantage of operating on a complete end-to-end basis, but not all applications support encryption, and it is usually subject to being invoked by individual users, so it is not reliable from a network administrator's perspective. Encryption can also be performed at the network layer by general networking devices for specific protocols. This has the advantage of operating transparently across subnet boundaries and of being reliably enforceable from a network administrator's perspective. Finally, encryption can be performed at the link layer by specific encryption devices for a given media or interface type. This has the advantage of being protocol independent, but it has to be performed on a link-by-link basis. To understand the implications of these characterizations, let's take a closer look.
  • By contrast, network encryption encrypts traffic on a flow-by-flow basis between specific source/destination user-application pairs or subnets. Network encryption encrypts only payload information, leaving network-layer headers in the clear. This makes it transparent to intermediary network-layer devices. Because it operates at the network layer, network encryption is protocol specific but media and interface independent. This also makes it topology independent.
  • Link encryption encrypts all traffic on a given link, including network-layer headers and protocol type information. This enables it to be protocol independent, but it must be media/interface specific in order to accommodate link-layer variations. This also means that each link over which the traffic to be encrypted may pass needs to be independently encrypted and decrypted. This is particularly required if the traffic is to pass through intermediary network-layer devices, because link layer encryption makes network layer headers unintelligible. So the utility of link-layer encryption is extremely dependent on network topology.
  • One of the most significant new Cisco IOS services to utilize NetFlow switching is network encryption. Network encryption allows encryption to be applied on a flow-by-flow basis, i.e. per source and destination user and application, or between subnets on a per-application basis. By partnering with Cylink, which has been at the forefront of encryption development, Cisco is able to provide a network encryption service that includes sophisticated mechanisms for device authentication and certification. Cisco's network encryption service uses the scalable Diffie-Hellman public key exchange method and the Data Encryption Standard (DES) algorithm for encryption. Two DES versions are supported: one using a shorter (40-bit) key, which is free from import/export restrictions, and one using the full 56-bit key, which is subject to significant restrictions. In addition to network encryption performed within Cisco IOS software, Cisco also provides a hardware encryption port adapter for environments requiring very high levels of encryption performance. To understand the benefits this capability provides, we will take a closer look at encryption alternatives.
  • Cisco network encryption can be performed on multiple Cisco routers, ranging from 2500 series access routers to 7500 core routers, all beginning with the next major release, 11.2. On Cisco 7500 systems, Cisco IOS software network encryption can operate not only on the central RSP but also on a distributed basis on multiple Versatile Interface Processors (VIPs). In addition, VIPs can be equipped with an Encryption Port Adapter, providing increased performance for encryption-intensive applications.
  • PIX Private Link is a $2,995 option for the efficient encryption of all packets sent from hosts on one protected LAN to hosts on another likewise equipped LAN. Private Link builds a secure “tunnel” for point-to-point communications, rendering messages between corporate offices or cooperating corporations immune to Internet “wiretaps.” 56-bit DES encryption is employed; US government restrictions may require a smaller keysize for PIX systems slated for foreign export. Aside: In the current implementation, up to 64 PIXs may join in such a private virtual network. But this software-imposed limit could and will be changed per market demand. PIX Private Link sets a new standard for affordability in the increasingly popular world of VPN.
  • Sample configuration for restricting and logging Telnet access to the router, shown as "write terminal" output:

      <router>#wr t
      ! --- snippet from Cisco config ---
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      !
      hostname router
      !
      clock timezone CST -6
      clock summer-time CDST recurring
      !
      username <username> access-class 123 password <password>
      !
      logging buffered
      logging trap debugging
      logging <ip or name of your syslog facility>
      !
      ! Only the named management host may open Telnet (TCP 23) to the router;
      ! every other attempt is denied and logged. An extended list needs a
      ! protocol keyword, so the catch-all is "deny ip any any log".
      access-list 123 permit tcp host <ip address> any eq 23 log
      access-list 123 deny ip any any log
      !
      snmp-server trap-authentication
      snmp-server host <ip or name of snmp receiver> <community name> tty snmp
      !
      line vty 0 4
       access-class 123 in
      !
      ! end of config sample

    Sample log produced by this configuration (a denied Telnet attempt, a permitted one, and the configuration change made over that session):

      Mar 24 13:15:05.602 CST: %SEC-6-IPACCESSLOGP: list 123 denied tcp <ip address>(16898) -> <ip address>(23), 1 packet
      Mar 24 13:00:36.470 CST: %SEC-6-IPACCESSLOGP: list 123 permitted tcp <ip address>(2528) -> <ip address>(23), 1 packet
      Mar 24 13:00:56.746 CST: %SYS-5-CONFIG_I: Configured from console by test1 on vty0 (<ip address>)
  • The Terminal Access Controller Access Control System (TACACS) provides an additional level of support for authenticating users who request telecommuting access to the internetwork or administrative access to a Cisco system. TACACS relies on two elements: a TACACS agent operating in the system being accessed, and a trusted, independent server that verifies the credentials of the requesting user. Cisco provides support for both. Support for the server is provided through the Security Manager component of CiscoWorks, and support for the agent is provided by the Cisco IOS software. The Cisco IOS software support for TACACS includes: login authentication by user identifier and password; login attempt limitations; extended support for system accounting and logging.
  • Cisco offers an additional access security mechanism based on the concept of a token card. A token card, the size of a credit card, incorporates a dynamically changing password. In order for a remote user to access a telecommuting server or the management capabilities of a Cisco internetworking device, the user must use both a regular password and the dynamic password from the token card. Before the user is allowed to proceed, the user must be authenticated by a security server.
  • OSPF area authentication, simple password example (the password travels in cleartext in every OSPF packet, so it only stops accidental or unsophisticated neighbours):

      interface Ethernet0
       ip address <address> <mask>
       ip ospf authentication-key mypassword
      router ospf 10
       network <address> <wildcard> area 0
       area 0 authentication

    OSPF area authentication, message digest (MD5) example (the key itself is never sent; key ID 10 and the key must match on every router in the area):

      interface Ethernet0
       ip address <address> <mask>
       ip ospf message-digest-key 10 md5 mypassword
      router ospf 10
       network <address> <wildcard> area 0
       area 0 authentication message-digest
  • Other URLs: The Underground - Ohio State's list of Usenet FAQs on security

    1. Internet Security: "Internet and Intranet - meeting future business needs" (34 Cisco Systems Confidential 0036_08F7_c2)
    2. Before We Begin...
      • Attendees agree that this information will be circulated on a very strict need-to-know basis, as it is sensitive and can cause security problems.
      • While the information in this document is not confidential, some of it could be harmful if given to the wrong individuals.
      • The only way to understand security problems is to know what they are. This means that they may also be exploited by those who are untrustworthy.
    3. New Network Threats: CIA web site hacked; Netcom credit card information stolen
    4. Need for More Security... and the "Net" Has Changed!
      Original ARPAnet: 1983, 200 core nodes, linear growth. Today's Internet: 11.6 million core nodes, exponential growth. Implication: shortage of unique IP network numbers imminent (CIDR, NAT, DHCP for clients only, IPv6).
      Original ARPAnet: large time-sharing nodes, mostly educational. Today's Internet: large and distributed ISP-connected organizations. Implication: "difficult" security.
      Original ARPAnet: underlying technology known to few. Today's Internet: numerous untrusted private-sector hosts; hackers abound. Implication: firewalls, encryption.
    5. Internetwork Consumers (diagram): enterprise, small business, professional office, Internet
    6. Putting Things in Perspective
      • 75% of computer attacks are never detected.
      • Only 15% of all computer crimes are instigated by outsiders.
      • 80%-85% are launched by insiders, people you thought you could trust.
    7. Where's the Threat? Corporate space (diagram): Internet 20%; employees, via the internal LAN and terminal server, 80%
    8. Where's the Threat? ISP space (diagram): Internet 20%; customers on the corporate network, via the terminal server, 80%
    9. Security Services. Source: Computer Security Institute and FBI Computer Crime Division, Fortune 500 survey, 1995. "Have you experienced computer or network security breaches in the last year?" Yes 48%, No 52%
    10. What Are the Threats?
      • "Trusted" users
        - Remember: 80-85% of all break-ins are caused by insiders.
      • Amateurs
        - Cyberpunks, hackers, vandals, crackers, jerks, etc.
      • Professionals
        - No-win situation
    11. What Are the Threats?
      • "Trusted" users
        - 80%-90% of all break-ins are caused by people who work for the organizations they broke into!
        - Many are caught accidentally
        - Many are amateurs and are caught because they are careless
        - Most are quietly removed
        - Very few are reprimanded
    12. What Are the Threats?
      • "Trusted" users
        - Extremely few are prosecuted by the legal system
          - Never at a financial institution
          - Never at a site where there is possible harm to life or a tie-in to public view
          - In some places there is little understanding of how to handle the legal problem
          - Most companies do not want publicity
    13. What Are the Threats?
      • "Trusted" users
        - Most break-ins are either greed-oriented, revenge-oriented, malicious, aimed at information acquisition, or accidental initially but then an opportunity for the user of the system
    14. What Are the Threats?
      • Amateurs
        - Amateurs usually leave a trail that is not too difficult to pick up
        - Amateurs will eventually screw up
        - Amateurs do not know when to quit
        - Amateurs, with careful monitoring, may be found quickly
        - Most Internet cyberpunks are amateurs
    15. What Are the Threats?
      • Professionals
        - Professionals are rarely detected
        - Professionals are difficult to find
        - Professionals will usually originate from a break-in elsewhere
        - Professionals leave no traceback
        - Professionals know when it is time to leave
        - Professionals will take what they want, no matter what is done to safeguard information
    16. What Are the Threats?
      • Bottom line: if someone wants the information badly enough, and knows what they are doing, they will not be stopped, and you may consider the information to be "history".
    17. IT Issues
      • Enterprise information becoming more valuable/vulnerable
      (chart over time: load/traffic, connectivity, Internet traffic and business value/importance all rising steeply while IT spending grows <10%)
    18. The Security Dilemma
      • Security is complicated to implement
      • Security cannot be implemented uniformly
      • Internet connection is a security risk
      More than 200 Fortune 1000 companies were asked whether they had detected attempts from outsiders to gain computer access in the past 12 months: Yes 58%, No 12%, Don't know 30%. Of those answering yes, how many successful accesses were detected? 1-10: 42%; 11-20: 25%; 21-30: 16%; 31-40: 10%; 41-50: 5%; 50+: 2%. Source: WarRoom Research
    19. Solutions: Before You Begin...
      • On-site security policy
      • Host security (UNIX/VMS)
      • Workstation security (X, MS, Mac, OS/2)
      • Network security
      • Password policies
      • Application security
      • Tools to track attacks
      • Ability to lock 'em up (every security policy needs a hammer)
    20. Creating Cisco Solutions: integration with Cisco IOS software across core, access, InterWorks, workgroup and Internet BU products (firewalls, translation gateways, traffic directors, client software, server software); end-to-end security solutions; scalability for global and enterprise WWW applications; Internet/intranet connectivity and security for Novell and DEC customers; end-to-end multimedia solutions; scalable "plug-and-play" TCP/IP environments
    21. Security Is a System. Physical security example, "What are you trying to protect?" (a car): motion detector (wheels/entry), perimeter detector (door entry), lock nuts (wheels), sound detector (glass entry), engine kill (theft), locator/detector (theft)
    22. Technical Requirements
      • Authentication: who it is
      • Authorization: what is permitted
      • Accounting: what was done
      • Data integrity: data is unaltered
      • Confidentiality: no unauthorized review
      • Assurance: everything operates as specified
    23. Cisco Security Today, in three areas (dial, firewall, network infrastructure): PAP/CHAP, TACACS+/RADIUS, Kerberos, L2F, Lock-and-Key, access control lists, token card support, logging, route filtering, NAT, GRE tunnels, CiscoSecure, encryption, privilege levels, certificate authority, cut-through proxy
    24. Solutions: Before You Begin... Security is an ATTITUDE!
    25. Security Objective: Balance. Access (connectivity, performance, transparency) against security (authentication, authorization, accounting, assurance, confidentiality, data integrity). Every customer's needs will be different!
    26. Host Security
      • If a host is not secure, then neither is the network
      (exposures: file sharing, anonymous FTP, guest login, mail)
    27. Network Security Options
      • No Internet connection
      • Packet filtering with access control lists (ACLs)
      • Firewalls
      • Privacy with encryption
      (building blocks: encryption, address translation, user authentication, secure routing, access control, legacy integration, event logging, multiprotocol tunnels, enterprise gateways)
    28. Definition of a Firewall: firewalls are perimeter security solutions, deployed between a trusted and an untrusted network, often a corporate LAN and an Internet connection
    29. Firewall Architecture: Cisco IOS 11.2 firewall, packet filtering in the router
      1. Access lists
      2. Packet filtering
      3. Network Address Translation
      4. Encryption
      (diagram: Internet, Cisco IOS firewall, public WWW, public FTP, DNS and mail servers)
    30. Firewall Architecture: Cisco PIX Firewall, dedicated (diagram: Internet, PIX, public WWW, public FTP, DNS and mail servers)
    31. Demilitarized Zone (DMZ) (diagram: Internet, firewall, DMZ LAN with public WWW, public FTP, DNS and mail servers, protected internal network)
    32. Proxy Servers (diagram: proxy server between the internal network and the Internet; connections are outbound only in both directions of the relay)
    33. Firewall with Address Translation
      • Cisco PIX Firewall: dedicated
      • Cisco IOS 11.2: NAT in software
      (diagram: private IPs inside, registered IPs outside; CiscoSecure server; access router or PIX performing the translation)
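    The screening-router design on the DMZ, proxy and address-translation slides, as an added worked example: a Cisco IOS access-list and NAT configuration that is not part of the original deck. It assumes three interfaces (Serial0 to the ISP, Ethernet0 for the DMZ, Ethernet1 for the protected network), the documentation blocks 203.0.113.0/30 and 198.51.100.0/24 standing in for registered addresses, 10.1.0.0/16 as the private internal range, and the DMZ host addresses and the internal mail host 10.1.0.25 as assumptions. It uses only the pre-stateful "established" keyword, the tool available in IOS 11.2, and the note afterwards spells out what that does not protect against.

```cisco
! Added example (not from the original deck): screening router with a DMZ and
! NAT, using Cisco IOS 11.2-era features only. Addresses are assumptions:
!   203.0.113.0/30   serial link to the ISP (router .1, ISP .2)
!   198.51.100.0/24  registered addresses for the DMZ LAN
!   10.1.0.0/16      protected internal network (RFC 1918 space, translated)
!
interface Serial0
 description Outside: link to ISP
 ip address 203.0.113.1 255.255.255.252
 ip access-group 110 in
 ip nat outside
 no ip directed-broadcast
!
interface Ethernet0
 description DMZ: world-visible hosts with registered addresses
 ip address 198.51.100.1 255.255.255.0
 ip access-group 120 in
 no ip directed-broadcast
 no ip proxy-arp
!
interface Ethernet1
 description Inside: protected network
 ip address 10.1.0.1 255.255.0.0
 ip access-group 130 in
 ip nat inside
 no ip directed-broadcast
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Inside hosts share the serial interface address when talking to the Internet.
! Traffic between inside and DMZ crosses no "nat outside" interface, so it is
! not translated and the DMZ sees real 10.1.x.x addresses.
access-list 10 permit 10.1.0.0 0.0.255.255
ip nat inside source list 10 interface Serial0 overload
!
! List 110: what the Internet may send us.
! 1. Anti-spoofing: packets arriving from outside may not claim our own
!    addresses or loopback space.
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 198.51.100.0 0.0.0.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
! 2. Only the published services on the DMZ hosts (mail relay .10, DNS .11,
!    WWW .12, FTP .13). The udp "eq domain" source entry admits replies to the
!    DNS server's own recursive queries.
access-list 110 permit tcp any host 198.51.100.10 eq smtp
access-list 110 permit udp any host 198.51.100.11 eq domain
access-list 110 permit tcp any host 198.51.100.11 eq domain
access-list 110 permit udp any eq domain host 198.51.100.11
access-list 110 permit tcp any host 198.51.100.12 eq www
access-list 110 permit tcp any host 198.51.100.13 eq ftp
! 3. Return traffic for TCP connections opened from the DMZ or from the
!    (translated) inside. "established" only tests the ACK/RST bits; it is a
!    heuristic, not connection tracking.
access-list 110 permit tcp any 198.51.100.0 0.0.0.255 established
access-list 110 permit tcp any host 203.0.113.1 established
! 4. The ICMP needed for diagnostics and path MTU discovery, nothing more.
access-list 110 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
access-list 110 permit icmp any host 203.0.113.1 echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny   ip any any log
!
! List 120: what the DMZ may send us. A compromised DMZ host must not be able
! to open connections into the inside; only replies to inside clients and the
! mail relay's delivery to the internal mail host (10.1.0.25) are let through.
access-list 120 permit tcp 198.51.100.0 0.0.0.255 10.1.0.0 0.0.255.255 established
access-list 120 permit udp host 198.51.100.11 eq domain 10.1.0.0 0.0.255.255
access-list 120 permit tcp host 198.51.100.10 host 10.1.0.25 eq smtp
access-list 120 deny   ip 198.51.100.0 0.0.0.255 10.1.0.0 0.0.255.255 log
access-list 120 permit ip 198.51.100.0 0.0.0.255 any
access-list 120 deny   ip any any log
!
! List 130: inside hosts may go anywhere, but only with their own addresses.
access-list 130 permit ip 10.1.0.0 0.0.255.255 any
access-list 130 deny   ip any any log
```

    Three consequences of this design worth checking against your own requirements. The "established" entries accept any segment with ACK or RST set, so a crafted packet can still reach an arbitrary TCP port on a DMZ host; the hosts themselves must be hardened, which is the point of the host-security slide. Inside users must run FTP in passive mode, because an active-mode data connection arrives from the Internet and is dropped by list 110 (the PIX notes above cite removing this restriction as one advantage of a stateful firewall). Inside clients should resolve names through the DMZ DNS server, since UDP replies to translated inside hosts are not permitted by list 110, and the log entries produced by the "deny ... log" lines are the first thing to review when something does not work.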
    34. Encryption (diagram: cleartext "YOUR Text" leaves as ciphertext "2$3B9F37", crosses the Internet, and is restored to "YOUR Text" at the far end)
    35. Scaling Internet Firewalls, by link speed
      • Fractional E1/T1, small office: all in one (gateway router and firewall in one box), costs less
      • E1/T1: gateway router and firewall; firewall encryption performance becomes the constraint
      • > DS3 / 45 Mbps: gateway router and multiple firewalls; scalable encryption performance
    36. Dial Security
      • Centralized security with TACACS+ / RADIUS
      • Lock and Key
    37. Centralized Security (diagram): the dial client is authenticated by the access server against CiscoSecure (TACACS+) or a RADIUS server, which provides authentication, authorization and accounting
    38. Lock and Key
      • Enables dynamic access control lists
      • Single user on a LAN
      • Per-user authorization and authentication
      (diagram: the authorized user passes through to the Internet, the non-authorized user is blocked; CiscoSecure verifies the credentials)
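    Lock and Key as described in the speaker notes and on this slide, as an added example that is not from the original deck: the Cisco IOS configuration that creates the dynamic access list and installs a per-host entry once a Telnet login to the router has been authenticated. The addresses, the list name "dialusers", the TACACS+ server and the management host are assumptions.

```cisco
! Added example (not from the original deck): Lock and Key on a Cisco IOS router.
! Addresses, the list name "dialusers", the TACACS+ server (10.1.0.20) and the
! management host (10.1.0.99) are assumptions.
!
! 1. The dynamic entry is a template. It matches nothing until a user has
!    authenticated; then the router inserts a temporary entry for that user's
!    host in its place. "timeout 120" is the absolute lifetime (minutes) of
!    every entry created from it.
access-list 101 dynamic dialusers timeout 120 permit ip any 10.1.0.0 0.0.255.255
!
! 2. Static entries: before authenticating, a user may reach only the router's
!    Telnet port. Everything else from the untrusted side is dropped and logged.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
access-list 101 deny   ip any any log
!
interface Serial0
 description Untrusted side (dial-in segment or Internet)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
!
! 3. Authenticate the Telnet login against TACACS+, with a local fallback user
!    so the router stays manageable if the server is unreachable.
aaa new-model
aaa authentication login lockkey tacacs+ local
tacacs-server host 10.1.0.20
tacacs-server key <shared-secret>
username rescue password <fallback-password>
!
! 4. On a successful login the vty runs access-enable and closes the session.
!    "host" puts the user's source address into the new entry, so the hole is
!    opened for that one host only; "timeout 5" is the idle timeout (minutes).
line vty 0 3
 login authentication lockkey
 autocommand access-enable host timeout 5
!
! 5. Keep the last vty for administration. "rotary 1" makes it reachable on
!    TCP port 3001, and the access-class limits it to the management host, so
!    administrators are not thrown out by the autocommand on the other lines.
access-list 5 permit host 10.1.0.99
line vty 4
 login authentication lockkey
 rotary 1
 access-class 5 in
!
! Operations:
!   show access-lists 101      temporary entries appear under the template
!   clear access-template 101 dialusers <source> <destination>
!                              revoke an entry by hand before it times out
```

    The user's session ends as soon as access-enable runs; the entry it created is visible with "show access-lists 101" and disappears after five idle minutes or two hours, whichever comes first. Because the entry is keyed on the source address the router sees, users behind an address-translating device all share one hole, which is the main caveat when Lock and Key is used across the Internet rather than on a dial-in segment. The dynamic template should be as narrow as the slide's "single user on a LAN" case allows; "permit ip any any" would turn each authenticated login into full transit.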
    39. 39. Virtual Private Dial Networks <ul><li>Encrypted access </li></ul><ul><li>Multiprotocol — IP, IPX, SNA, AppleTalk </li></ul>Internet CiscoSecure TACACS+ Server
    40. 40. Virtual Private Networks <ul><li>IOS </li></ul><ul><li>PIX </li></ul>
41. Virtual Private Networks
- Replace private WAN with public network access
- Intracompany traffic is private and authenticated
- Internet access is transparent
[Diagram: remote offices connected to the corporate LAN across a public network]

42. Encryption Alternatives
[Diagram: Application-Layer Encryption at the application layers (5-7); Network-Layer Encryption at the transport/network layers (3-4); Link-Layer Encryption at the link/physical layers (1-2)]

43. Application Encryption
- Encrypts traffic to/from interoperable applications
- Specific to application, but network independent
- Application dependent
  - All users must have interoperable applications
- Examples: S/MIME, PEM, Oracle Securenet, Lotus cc:Mail and Notes

44. Network Encryption
- Encrypts traffic between specific networks, subnets, or address/port pairs
- Specific to protocol, but media/interface independent
- Does not need to be supported by intermediate network devices
- Independent of intermediate topology
- Examples: Cisco IOS and PIX
[Diagram: hosts A, B and D, an HR server and an e-mail server; traffic from A to the HR server is encrypted, all other traffic is clear]

45. Link Encryption
- Encrypts all traffic on a link, including network-layer headers
- Specific to media/interface type, but protocol independent
- Topology dependent
  - Traffic is encrypted/decrypted on a link-by-link basis
  - All alternative paths must be encrypted/decrypted

46. Cisco IOS Encryption Services
- Policy by network, subnet, or address/port pairs (ACL)
- DSS for device authentication
- Diffie-Hellman for session key management
- DES for bulk encryption
  - DES 40 bit—generally exportable
  - DES 56 bit—restricted
- Hardware assist—VIP2 service adapter
[Diagram: hosts A and B, an HR/financial server and an e-mail server (C, D) behind a router with links to the public Internet and a private WAN; traffic from A to C and D is clear, traffic from B to C and D is encrypted]

47. Cisco IOS Encryption Options
- Cisco IOS software on 100x, 25xx, 4xxx, 7xxx series routers
- On Cisco RSP 7000 and 7500 series, encryption services are performed
  - Centrally on the master RSP and/or
  - Distributed on the VIP2-40
- Encryption service adapter for Versatile Interface Processors (VIP)
  - Provides higher-performance encryption for local interfaces
  - Tamper-proof
[Diagram: Cisco 7000/7500 chassis with master and slave Route Switch Processors, Versatile Interface Processors, port adapters and the Encryption Service Adapter]

48. PIX Private Link
High-performance hardware-encrypted virtual private networks!
[Diagram: frame encapsulation: MAC header, IP header, UDP header, PIX Private Link header, encrypted IP data, CRC; PIX/Private Link units connect networks A, B, C and D across the public Internet]
Cisco Systems Confidential 0482_12F7_c1

49. PIX Private Link Benefits
- Secures data communication between sites
- Reduces the high monthly cost of dedicated leased lines
- Complete privacy
- Easy installation—two commands, no maintenance
- Compliant with IETF IPsec—supports AH (RFC 1826) and ESP (RFC 1827)
- Adds value to your Internet connection
- Augments and backs up existing leased lines

50. Private Link
[Diagram: private network (satellite division) with TACACS+ server, RADIUS server, SMTP gateway, UNIX DB gateway, engineering, marketing and executive segments, a DMZ, PIX A and PIX B, Internet and intranet]
51. Tricks to Secure Your Router

52. Protecting Your Router
- Terminal Access Security
- Transaction and Accounting Records
- Network Management Security
- Traffic Filters
- Routing Protocol Security
- Securing Router Services

53. The Router's Role in a Network
[Diagram: host systems (TCP/IP, IPX) and DOS, Windows and Mac workstations connected through routers to the Internet over TCP/IP]

54. Terminal Access Security

55. Console Access
- Change your passwords; do not use the default.
- Make sure the privilege password is different from the access password.
- Use mixed-character passwords; this adds difficulty to crack attempts.
- Configure session time-outs.
- Use the password encryption features to encrypt the passwords in the configuration images and files.
- Use enable secret, which stores the password with the strongest available encryption.

56. Telnet Access
- Configures ALL the VTY ports!
- Create an access list for the ports; this limits the range of IP addresses you can Telnet into the router from.
- Limit or block port 57 (open Telnet with no password write-over).
- Do not use commands like ip alias on the Cisco unless you really need to.
- Block connections to echo and discard via no service tcp-small-servers.

57. Telnet Access
    Enter configuration commands, one per line. End with CNTL/Z.
    serial2-3(config)# access-list 101 deny tcp any any eq 57
    serial2-3(config)# access-list 101 permit tcp any any
    serial2-3(config)# line vty 0 5
    serial2-3(config-line)# access-class 101 in
    Extended IP access list 101
        deny tcp any any eq 57
        permit tcp any any

58. Multiple Privilege Levels
- Division of responsibilities
  - Help desk and network manager
  - Security and network operations
- Provides internal controls
- Users can only see the configuration settings they have access to

59. Configuring Multiple Privilege Levels
- Set the privilege level for a command
- Change the default privilege level for lines
- Display current privilege levels
- Log in to a privilege level

60. Multiple Privilege Example
- Configuration
    enable password level 15 pswd15
    privilege exec level 15 configure
    enable password level 10 pswd10
    privilege exec level 10 show running-config
- Login/Logout
    enable <level>
    disable <level>

61. What Is AAA?
- Authentication
  - Something you are
    - Unique, can't be left at home: retina, prints, DNA
  - Something you have
    - Hardware assist: DES card
  - Something you know
    - Cheap, low-overhead solution: fixed passwords
- Authorization
  - What you're allowed to do: connections, services, commands
- Accounting
  - What you did, and when
- It's also an architectural framework:
  - Protocol-independent formats
  - Easy to support multiple protocols
  - Consistent configuration interface
  - Good scalability for large ISPs with volatile databases, lots of accounting data

62. TACACS+
[Diagram: a virtual terminal user tells Router A "I would like to log into Router A; my name is JSmith; my password is *****"; Router A, as TACACS+ client, asks the server "Is JSmith with password ***** an authorized user?"]

63. Token Card
[Diagram: a user sends username/password plus the token code through a Cisco 500-CS to the security server; the server answers "access permitted"]
64. Transaction and Accounting Records

65. Transaction Records
- Q: How do you tell when someone is cracking into your router, hub, or switch?
- Consider some form of audit trail:
  - Use the UNIX logging features (if it has any), with cron scripts to alert you when there are potential problems.
  - SNMP traps and alarms.
  - Implement TACACS+, RADIUS, Kerberos, or third-party solutions like the Security Dynamics SmartCard.

66. Transaction Records
- UNIX logging
    logging buffered 16384
    logging trap debugging
    logging
[Diagram: logging flow from the router to a UNIX workstation with logging configured]

67. Network Management Security

68. SNMP
- #1 source of intelligence on a victim's network!
- Do you know when someone is running an SNMP discovery tool on your network?
- Do you block SNMP on your firewall?

69. SNMP
- Change your community strings! Do not leave the defaults on!
- Use different community strings for the RO and RW communities.
- Do NOT use an RW community unless you are desperate!
- Use mixed characters in the community strings. Yes, even SNMP community strings can be cracked!

70. SNMP
- Use an access list on SNMP. Limit who can make SNMP queries. If someone needs special access (e.g., for monitoring an Internet link), then create a special community string and access list.
- Explicitly point SNMP traffic back to the authorized workstation.

71. SNMP
    snmp-server community apricot RO 1
    snmp-server trap-authentication
    snmp-server enable traps config
    snmp-server enable traps envmon
    snmp-server enable traps bgp
    snmp-server host apricot
    access-list 1 permit
72. Traffic Filters

73. IP Access List
- <1-99> IP standard access list
- <100-199> IP extended access list
- <200-299> Protocol type-code access list
- <700-799> 48-bit MAC address access list
- <1100-1199> Extended 48-bit MAC address access list

74. Extended Access Lists
- access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]
  - Example:
    access-list 101 permit icmp any any log

75. Spoofing
- Access list protections are based on matching the source.
- Protect your router with something like the following:
    access-list 101 deny ip
    access-list 101 deny ip
    access-list 101 permit ip
- Turn off ip source-routing

76. Spoofing
[Diagram: a host on the Internet announces to the central site "Hello, I'm Branch Office X! Here is my routing update!" while the real branch office A sits elsewhere]

77. Spoofing
[Diagram: ISP A and ISP B; a source network with a filter on any inbound packets (addresses not captured)]

78. Denial of Service Attacks
- TCP SYN attack: A sender using a series of random source IP addresses starts connections that cannot be completed, causing the connection queues to fill up, thereby denying service to legitimate TCP users.
- UDP diagnostic port attack: A sender using a series of random IP source addresses calls for UDP diagnostic services on the router, causing all CPU resources to be consumed servicing the bogus requests.

79. Denial of Service Attacks: TCP SYN
[Diagram: an attacker behind ISP A sends TCP SYNs across the Internet to a target behind ISP B; the target's SYN/ACK replies go unanswered]

80. Denial of Service Attacks: TCP SYN
- Ingress filtering
  - Apply an outbound filter:
    access-list 101 permit ip
[Diagram: filter any packet that does not contain the ISP's own address block as a source (prefix not captured); attacker, ISP A, Internet, ISP B, target]
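Added example, not code from the slides: a small Python evaluator for the extended access-list syntax on slide 74, applied to a constructed anti-spoofing ingress filter of the kind slides 75 and 80 describe. The prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation addresses chosen here, not values from the slides.

```python
"""Evaluate Cisco-style extended access lists: first match wins, implicit deny."""
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0

def _take_addr(tokens):
    # consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_entry(line):
    """Parse 'access-list N {deny|permit} proto src src-wc dst dst-wc [eq port] [log]'."""
    tok = line.split()
    number, action, proto = tok[1], tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    port, log = None, False
    while rest:                      # optional trailing keywords
        if rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
        elif rest[0] == "log":
            log, rest = True, rest[1:]
        else:
            raise ValueError("unsupported keyword: " + rest[0])
    return {"acl": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "log": log}

def evaluate(entries, packet):
    """Return (action, matching entry); IOS appends an implicit 'deny' to every list."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if e["port"] is not None and e["port"] != packet.get("dport"):
            continue
        if wildcard_match(packet["src"], *e["src"]) and wildcard_match(packet["dst"], *e["dst"]):
            return e["action"], e
    return "deny", None

# Constructed ingress filter for the Internet-facing interface of a site that owns
# 192.0.2.0/24: a packet arriving from outside with an inside source is spoofed.
INGRESS_ACL = [parse_entry(line) for line in (
    "access-list 101 deny ip 192.0.2.0 0.0.0.255 any log",
    "access-list 101 permit ip any 192.0.2.0 0.0.0.255",
)]
```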
81. Denial of Service Attacks: UDP diag
- Turn off small services
    no service udp-small-servers
    no service tcp-small-servers
[Diagram: the attacker floods the router with echo, chargen, and discard requests; attacker, ISP A, Internet, ISP B, target]

82. Solution: TCP Intercept
- Tracks, intercepts and validates TCP connection requests
- Two modes: intercept and monitor (watch)

83. TCP Intercept—Intercept Mode
1. Answers connection requests
2. Establishes a genuine connection
3. Merges the connection between client and server
[Diagram: request intercepted, connection established, connection transferred]

84. TCP Intercept—Monitor Mode
- Passively monitors connection requests
- Terminates connection attempts that exceed a configurable time limit

85. TCP Intercept Aggressive Behavior
- Begins when the high threshold is exceeded, ends when the count drops below the low threshold
- Each new connection drops an old partial connection
- Retransmission timeout cut in half
- Watch timeout cut in half

86. TCP Intercept Considerations
- TCP negotiated options not supported
- Available in release 11.2(4)F Enterprise and Service Provider
- Connections are fast switched, except on the RP/SP/SSP-based C7000, which supports process switching only

87. TCP Intercept Configuration Tasks
- Enable
    ip tcp intercept list <extended ACL>
- Set mode
    ip tcp intercept mode {intercept | watch}
- Set drop mode
    ip tcp intercept drop-mode {oldest | random}

88. TCP Intercept Configuration
- Change timers
    ip tcp intercept watch-timeout <seconds>
    ip tcp intercept finrst-timeout <seconds>
    ip tcp intercept connection-timeout <seconds>
- Change aggressive thresholds
    ip tcp intercept max-incomplete low <number>
    ip tcp intercept max-incomplete high <number>
    ip tcp intercept one-minute low <number>
    ip tcp intercept one-minute high <number>
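Added example, not Cisco's code: a Python model of the bookkeeping behind slides 85 to 88, with the max-incomplete high/low thresholds, drop-mode oldest/random, and the halved watch timeout in aggressive mode. The one-minute rate thresholds and the actual RST and handshake packets are not modelled, and the defaults 1100/900 and 30 s are this model's assumptions.

```python
"""Model of TCP Intercept's half-open connection table and aggressive mode.
Only the max-incomplete count thresholds are modelled, not the one-minute rates."""
import random
from collections import OrderedDict

class TcpIntercept:
    def __init__(self, high=1100, low=900, watch_timeout=30, drop_mode="oldest"):
        self.high, self.low = high, low          # ip tcp intercept max-incomplete high/low
        self.base_watch_timeout = watch_timeout  # ip tcp intercept watch-timeout
        self.drop_mode = drop_mode               # ip tcp intercept drop-mode {oldest | random}
        self.aggressive = False
        self.half_open = OrderedDict()           # (src, sport) -> deadline, oldest first
        self.dropped = []

    @property
    def watch_timeout(self):
        # aggressive mode halves the watch (and retransmission) timeouts
        return self.base_watch_timeout / 2 if self.aggressive else self.base_watch_timeout

    def _update_mode(self):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True       # entered when the high threshold is exceeded
        elif self.aggressive and n < self.low:
            self.aggressive = False      # left when the count drops below the low threshold

    def syn(self, src, sport, now):
        """A new connection request reaches the router."""
        if self.aggressive and self.half_open:
            # aggressive mode: each new request drops one existing partial connection
            keys = list(self.half_open)
            victim = keys[0] if self.drop_mode == "oldest" else random.choice(keys)
            del self.half_open[victim]
            self.dropped.append(victim)
        self.half_open[(src, sport)] = now + self.watch_timeout
        self._update_mode()

    def established(self, src, sport):
        """Handshake completed (or the connection was merged): no longer half-open."""
        self.half_open.pop((src, sport), None)
        self._update_mode()

    def tick(self, now):
        """Expire partial connections whose watch timeout has passed; return them."""
        expired = [k for k, deadline in self.half_open.items() if deadline <= now]
        for k in expired:
            del self.half_open[k]
            self.dropped.append(k)
        self._update_mode()
        return expired
```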
89. Routing Protocol Security

90. Routing Protocols
- Routing protocols can be attacked
  - Denial of service
  - Smoke screens
  - False information
  - Rerouted packets
- May be accidental or intentional

91. Solution: Route Authentication
- Authenticates routing update packets
- Shared key included in routing updates
  - Plain text—protects against accidental problems only
  - Message Digest 5 (MD5)—protects against accidental and intentional problems

92. Route Authentication Protocol
- Routing update includes key and key number
- Receiving router verifies the received key against its local copy
- If the keys match the update is accepted; otherwise it is rejected

93. Route Authentication Details
- Multiple keys supported
  - Key lifetimes based on time of day
  - Only the first valid key is sent with each packet
- Supported in: BGP, IS-IS, OSPF, RIPv2, and EIGRP (11.2(4)F)
- Syntax differs depending on the routing protocol

94. Routing Protocols
- OSPF area authentication
  - Two types
    - Simple password
    - Message digest (MD5)
    ip ospf authentication-key key (under the specific interface)
    area area-id authentication (under "router ospf <process-id>")
    ip ospf message-digest-key keyid md5 key (under the interface)
    area area-id authentication message-digest (under "router ospf <process-id>")
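Added example, not from the slides: a simplified Python model of the key-chain scheme in slides 91 to 93 (key ids, lifetimes, only the first valid key sent, an MD5 digest instead of a plain-text key). It is not the OSPF or RIPv2 wire format; the digest layout and the sequence-number replay check are the model's own assumptions.

```python
"""Simplified model of routing-update authentication with a key chain. Not the
OSPF or RIPv2 wire format; it shows key ids, lifetimes and the keyed-MD5 check."""
import hashlib
import hmac

class KeyChain:
    """Keys with lifetimes, as configured under 'key chain' on IOS (constructed model)."""
    def __init__(self):
        self.keys = {}                       # key_id -> (secret, valid_from, valid_until)

    def add(self, key_id, secret, valid_from, valid_until):
        self.keys[key_id] = (secret, valid_from, valid_until)

    def send_key(self, now):
        # "only first valid key sent with each packet": lowest id valid right now
        for key_id in sorted(self.keys):
            secret, start, end = self.keys[key_id]
            if start <= now < end:
                return key_id, secret
        raise LookupError("no key valid at time %r" % now)

    def lookup(self, key_id, now):
        # the receiver only accepts a key id whose lifetime covers the current time
        secret, start, end = self.keys.get(key_id, (None, 0, 0))
        return secret if secret is not None and start <= now < end else None

def keyed_digest(update, key_id, seq, secret):
    # MD5 over the update, key id, sequence number and the shared secret;
    # the secret itself never goes on the wire (unlike plain-text authentication)
    data = update + bytes([key_id]) + seq.to_bytes(4, "big") + secret.encode()
    return hashlib.md5(data).digest()

def sign_update(update, chain, seq, now):
    key_id, secret = chain.send_key(now)
    return {"update": update, "key_id": key_id, "seq": seq,
            "digest": keyed_digest(update, key_id, seq, secret)}

class Receiver:
    def __init__(self, chain):
        self.chain, self.last_seq = chain, -1

    def accept(self, msg, now):
        """True if the update carries a valid, fresh digest under a currently valid key."""
        secret = self.chain.lookup(msg["key_id"], now)
        if secret is None:
            return False                     # unknown or expired key id
        if msg["seq"] <= self.last_seq:
            return False                     # replayed or out-of-order update
        expected = keyed_digest(msg["update"], msg["key_id"], msg["seq"], secret)
        if not hmac.compare_digest(expected, msg["digest"]):
            return False                     # tampered update or wrong key
        self.last_seq = msg["seq"]
        return True
```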
95. Securing Router Services

96. WWW Server
- Yes, IOS now includes a WWW server!
- Makes configuration easier, but opens new security holes (default: turned off).
- Put an access list on which addresses are allowed to access port 80.
- Similar to console and TTY access.

97. Other Areas to Consider

98. Other Areas to Consider
- Turn off
    no ip proxy-arp
    no ip directed-broadcast
    no service finger
99. Protecting the Config Files
- Router configs are usually stored some place safe. But are they really safe?
- Protect and limit access to TFTP and MOP servers containing router configs.

100. Summary
- Security is not just about protecting your UNIX workstations.
- Your network devices are just as vulnerable.
- Be smart, protect them.
- Routers are the side door into any network.

101. Cisco Security Today
[Diagram: Cisco security features across dial, network infrastructure and firewall: PAP/CHAP, TACACS+/RADIUS, Kerberos, L2F, Lock-and-Key, access control lists, token card support, logging, route filtering, NAT, GRE tunnels, CiscoSecure, encryption, privilege levels, certificate authority, cut-through proxy]

102. Where to get more information?

103. Where to get more information?
- Security URLs:
  - Computer Emergency Response Team (CERT)
  - SATAN (Security Administrator Tool for Analyzing Networks)
  - Phrack Magazine