Cisco Ios Suneet

Cisco IOS presentation related to its hardening features...

  • The management plane is the plane that receives and sends the traffic used to access, configure and manage a device, as well as to monitor its operation and the network on which it is deployed. The management plane is made up of protocols that support the operational needs of the network. It includes interactive access to network devices using Secure Shell (SSH) or Telnet, and statistics collection using SNMP.
  • Control plane functions consist of protocols and processes.
  • Cisco Ios Suneet

    1. CISCO IOS HARDENING
       Presented by: Shweta Mehta, Suneet Malik
    2. Introduction
         • Cisco IOS Software
             - Internetwork Operating System
             - Used on Cisco routers and switches
             - Package integrated with multitasking OS
             - Characteristics: CLI (Command Line Interface)
         • Hardening
             - Process of securing a system by reducing vulnerabilities
    3. Three Planes of a Network
         • Management Plane
         • Control Plane
         • Data Plane
         • Each plane provides different functionality
    4. MANAGEMENT PLANE
    5. Management Plane Fortification
         • Implement general management plane hardening.
         • Use strong passwords and secure them strongly.
         • Use the login password retry lockout feature.
         • Monitor the memory and CPU load of network devices.
         • Disable unneeded services.
    6. Contd..
         • Secure interactive management sessions.
             - Limit which IP addresses may establish management sessions to the network devices.
                 - Access classes
                 - Management Plane Protection
                 - Control plane policing
             - Use warning banners for malicious users.
             - Use secure protocols.
    7. Contd..
         • Limit access to the network with infrastructure access control lists (iACLs).
             - Permit connections that are required for routing protocols and network management.
             - Explicitly deny all other IP traffic to any network device.
             - Permit all transit traffic that crosses the network and is not destined for infrastructure devices.
    8. Contd..
         • permit tcp host 192.168.1.2 host 192.168.1.1 eq 179
         • permit tcp host 192.168.1.2 eq 179 host 192.168.1.1
         • permit tcp host 192.168.1.3 any eq 22
         • deny ip any 192.168.1.0 0.255.255.255
         • Use authentication, authorization and accounting (AAA).
         • Fortify SNMP.
         • Utilize logging best practices.
         • Utilize configuration management features of Cisco IOS Software.
    9. NEXT STEP ????
       CONTROL PLANE
    10. CONTROL PLANE
    11. Control Plane Fortification
         • Implement general control plane hardening.
             - Disable ICMP redirect processing.
             - Disable ICMP unreachable generation.
             - Disable proxy ARP.
             - If you use NTP, explicitly configure a trusted time source and use proper authentication.
         • Limit CPU impact of control plane traffic.
             - Implement iACLs.
             - Implement receive ACLs (rACLs).
             - Use CoPP.
    12. Contd..
         • Secure BGP
             - Implement TTL-based security protection: the Generalized TTL-based Security Mechanism (GTSM), also known as the BGP TTL Security Hack (BTSH).
             - Implement BGP peer authentication with Message Digest 5 (MD5).
         • Configure a maximum number of BGP prefixes that can be stored by a router in memory.
         • Filter BGP prefixes with BGP autonomous system (AS) path access lists and prefix lists.
    13. Contd..
         • Secure IGPs
             - Use routing protocol authentication with MD5, the passive interface command and route filtering.
             - Configure routing protocols to limit resource consumption.
         • Secure First Hop Redundancy Protocols (FHRPs)
             - Gateway Load Balancing Protocol
             - Hot Standby Router Protocol (HSRP)
             - Virtual Router Redundancy Protocol
    14. NEXT STEP ????
        DATA PLANE
    15. DATA PLANE
    16. Data Plane Fortification
         • Implement general data plane hardening.
         • Use the IP options selective drop feature.
         • Disable IP source routing.
         • Disable ICMP redirects.
         • Disable or limit IP directed broadcast.
    17. Contd..
         • Implement anti-spoofing protections to prevent the many attacks that rely on source address spoofing.
         • Unicast Reverse Path Forwarding (uRPF).
         • IP Source Guard.
         • Dynamic ARP Inspection (DAI).
         • Port security.
         • Access control lists.
    18. Contd..
         • Prevent spoofed addresses from entering the network.
         • Prevent the origination of packets containing spoofed source addresses.
         • Filter transit traffic, specifically ICMP packets, IP fragments and packets containing IP options, with transit ACLs (tACLs).
    19. Contd..
         • Filter packets containing IP options where they are not needed.
         • Minimize CPU-intensive features such as ACL logging and IP fragmentation.
         • Limit the generation of ICMP unreachable and time exceeded messages.
    20. Contd..
         • Identify and trace attacks
         • Cisco IOS NetFlow.
         • Classification ACLs.
         • Use VLAN maps and port ACLs.
         • Use private VLANs.
    21. NEXT STEP ????
        QUERIES!!!
    22. THANK YOU…
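
An added example (not from the slides): a small first-match evaluator for the four iACL entries listed in the management plane slides, run against constructed packets to check what each entry actually covers. The closing `permit ip any any` entry and the reading of the infrastructure block as 192.168.1.0/24 are assumptions made here.

```python
import ipaddress

# Slide entries as written; the closing transit permit is added here.
SLIDE_IACL = """\
permit tcp host 192.168.1.2 host 192.168.1.1 eq 179
permit tcp host 192.168.1.2 eq 179 host 192.168.1.1
permit tcp host 192.168.1.3 any eq 22
deny ip any 192.168.1.0 0.255.255.255
permit ip any any
"""
# Assumption: the infrastructure block is 192.168.1.0/24 (wildcard 0.0.0.255).
ASSUMED_IACL = SLIDE_IACL.replace("0.255.255.255", "0.0.0.255")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _port(tok):
    if tok[:1] != ["eq"]:  # optional 'eq PORT'; None means any port
        return None
    del tok[0]
    return int(tok.pop(0))

def _hit(addr, spec):
    base, wild = spec
    return (_ip(addr) | wild) == (base | wild)  # wildcard 1-bits are ignored

def evaluate(acl_text, proto, src, sport, dst, dport):
    """First matching entry wins; an ACL ends in an implicit deny."""
    for line in acl_text.strip().splitlines():
        tok = line.split()
        action, rproto = tok.pop(0), tok.pop(0)
        rsrc, rsport = _addr(tok), _port(tok)
        rdst, rdport = _addr(tok), _port(tok)
        if (rproto in ("ip", proto) and _hit(src, rsrc) and _hit(dst, rdst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action, line
    return "deny", "(implicit deny)"

def compare(*packet):
    """Verdicts for one packet: (slide's mask, assumed /24 mask)."""
    return evaluate(SLIDE_IACL, *packet)[0], evaluate(ASSUMED_IACL, *packet)[0]
```

For a constructed transit packet, `compare("tcp", "203.0.113.9", 40000, "192.10.20.30", 443)` returns `("deny", "permit")`: with the wildcard `0.255.255.255` the deny entry covers every 192.x.x.x destination, not only 192.168.1.0/24.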
