The basics of IT security: CIA (Confidentiality, Integrity, Availability)
•
Confidentiality.
•
Measures that prevent disclosure of information or data to unauthorized individuals or systems.
•
Integrity.
•
Protecting the data from unauthorized alteration or revision.
•
Often checked with a hash; note that a plain hash only catches accidental corruption, because an attacker who can alter the data can also recompute the hash. Against deliberate modification the hash itself must be protected, by a keyed hash (HMAC) or a digital signature.
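The caveat above in working form, as an added example that is not part of these notes: a plain SHA-256 digest can be recomputed by whoever changes the data, while an HMAC cannot be forged without the key. The message, the key, and the attacker's guessed key are constructed values.

```python
import hashlib
import hmac

# Added example (not from the notes): plain hash versus keyed hash for integrity.


def plain_digest(data):
    """Unkeyed SHA-256: anyone, including an attacker, can compute this."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(data, key):
    """HMAC-SHA256: only holders of the key can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data, tag, key=None):
    """Constant-time check; key=None is the 'just a hash' scheme from the notes."""
    expected = plain_digest(data) if key is None else keyed_digest(data, key)
    return hmac.compare_digest(expected, tag)


def tamper_demo():
    """Constructed sender, attacker and receiver; returns what each scheme accepts."""
    key = b"constructed-integrity-key"              # shared by sender and receiver only
    original = b"transfer 100 to account 1234"
    plain_tag = plain_digest(original)              # what the notes call 'a hash'
    keyed_tag = keyed_digest(original, key)
    # The attacker rewrites the message and recomputes whatever tag it can.
    tampered = b"transfer 900 to account 6666"
    forged_plain_tag = plain_digest(tampered)       # trivial: no secret involved
    forged_keyed_tag = keyed_digest(tampered, b"guess")  # wrong key, so wrong tag
    return {
        # A hash does detect the change, but only if the attacker cannot replace the tag.
        "hash_detects_bitflip": not verify(tampered, plain_tag),
        "hash_accepts_forgery": verify(tampered, forged_plain_tag),
        "hmac_rejects_forgery": not verify(tampered, forged_keyed_tag, key),
        "hmac_accepts_genuine": verify(original, keyed_tag, key),
    }
```

The only difference between the two schemes is the key: if the attacker can rewrite both the data and its tag, an unkeyed hash offers no integrity at all.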
•
Availability.
•
Making systems and data ready for use when legitimate users need them at any time.
•
Supported by network hardening, redundancy, and backup systems; no mechanism guarantees it.
•
Attacks against availability all fall into the “denial of service” realm.
•
Asset.
•
It is anything that is valuable to an organization.
•
Vulnerability.
•
An exploitable weakness in a system or its design.
•
Threat.
•
Any potential danger to an asset.
•
Countermeasure.
•
A safeguard that mitigates a risk by reducing the vulnerability, the likelihood of the threat, or the impact.
•
Risk.
•
The potential for unauthorized access to, compromise, destruction, or damage to an asset.
•
Classifying Assets.
•
One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in
a given class.
•
Classifying Vulnerabilities.
•
Policy flaws
•
Design errors
CCNA Sec 01
•
Protocol weaknesses
•
Misconfiguration
•
Software vulnerabilities
•
Human factors
•
Malicious software
•
Hardware vulnerabilities
•
Physical access to network resources
•
Classifying Countermeasures.
•
Administrative controls.
•
Consist of written policies, procedures, guidelines, and standards.
•
Physical controls.
•
Are exactly what they sound like, physical security for the network servers, equipment, and infrastructure.
•
Logical controls (technical controls).
•
Logical controls include passwords, firewalls, IPS, access lists, VPN tunnels, ……...
•
Potential Attackers.
•
Terrorists
•
Criminals
•
Government agencies
•
Nation states
•
Hackers
•
Disgruntled employees
•
Competitors
•
Attack Methods.
•
Reconnaissance.
•
This is the discovery process used to find information about the network.
•
Social engineering.
•
Exploits what is very likely the weakest link in a secure system (data, applications, devices, networks): the user.
•
Could be done through e-mail or misdirection of web pages, which results in the user clicking something that
leads to the attacker gaining information.
•
Phishing.
•
Presents a link that looks like a valid trusted resource to a user.
•
Pharming.
•
Redirects a user who requests a valid URL to a malicious site (typically by poisoning DNS or the local hosts file) that is made to look like the legitimate one.
•
Privilege escalation.
•
The process of taking some level of access and achieving an even greater level of access.
•
Backdoor.
•
An application installed on a compromised system to give the attacker later access that bypasses normal authentication.
•
Code execution.
•
Once attackers can run code of their choice on a device, they can take a range of actions, from reading data to installing backdoors and attacking further systems from it.
•
Man-in-the-Middle Attacks.
•
Results when attackers place themselves in line between two devices that are communicating.
•
DAI (Dynamic ARP Inspection) on the switch mitigates the common LAN variant, ARP spoofing; it does not address MITM at other layers, so authenticated end-to-end encryption (VPN tunnels, TLS) remains the general defense.
•
Additional Attack Methods.
•
Covert channel.
•
Uses programs or communications in unintended ways.
•
For ex. If web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic.
•
Another example is a backdoor that collects keystrokes from the workstation and exfiltrates them inside ICMP or HTTP packets, which are usually allowed out.
•
Trust exploitation.
•
Ex. an attacker who gains access to a DMZ host can use that host, which the inside network trusts, to launch attacks from there into the inside network.
•
Brute-force (password-guessing) attacks.
•
Performed when an attacker’s system attempts thousands of possible passwords looking for the right match.
•
Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time.
•
DoS (Denial of Service).
•
An attack launched from a single device with the intent of making a system or service unavailable to legitimate users (for example by exhausting bandwidth, connections, or CPU).
•
DDoS (Distributed Denial-of-Service).
•
The same kind of attack launched from many devices at once, typically a botnet.
•
Botnet.
•
A collection of infected computers that are ready to take instructions from the attacker.
•
RDoS (Reflected DDoS).
•
The attacker sends requests whose source address is spoofed to be the victim's.
•
The responses are then “reflected” from the unknowing intermediary to the victim; when the responses are much larger than the requests (DNS and NTP are common reflectors), the attack is amplified as well.
•
Guidelines for Secure Network Architecture.
•
Rule of least privilege.
•
Grant only the minimum access required to the needed network resources, and nothing more.
•
Defense in depth.
•
Security should be implemented at nearly every point in the network, so that no single control is relied on.
•
Ex. filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches
your servers, and using host-based security precautions at the servers, as well.
•
Separation of duties.
•
No single person should control a critical process from end to end; for example, whoever requests a change should not also approve and implement it. Rotating individuals through different roles periodically complements this and helps verify that vulnerabilities are being addressed, because a person moving into a new role must review the policies in place.
•
Auditing.
•
Accounting and keeping records about what is occurring on the network.
•
Common forms of social engineering.
•
Phishing.
•
Elicits sensitive information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution.
•
The e-mail message may ask the user to reply with the sensitive data, or to access a website to update
information such as a bank account number.
•
Malvertising.
•
This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being
inadvertently redirected to sites hosting malware.
•
Phone scams.
•
An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of
the organization and then using that information to start building a database to leverage for a future attack.
•
Defenses Against Social Engineering.
•
Password management.
•
Rules for the number and type of characters each password must include and how often it must be changed; current guidance (NIST SP 800-63B) favors length and screening against known-breached passwords over forced periodic rotation.
•
Two-factor authentication.
•
Use two-factor authentication rather than fixed passwords.
•
Antivirus/antiphishing defenses.
•
Document handling and destruction.
•
Sensitive documents and media must be securely disposed of and not simply thrown out with the regular
office trash.
•
Physical security.
•
Malware Identification Tools.
•
Packet captures.
•
Snort IDS
•
An open source IDS/IPS created by Martin Roesch, the founder of Sourcefire (now part of Cisco).
•
NetFlow
•
IPS events
•
Advanced Malware Protection (AMP).
•
Available on Cisco FirePOWER network security appliances (and as AMP for Endpoints on hosts).
•
Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent
advanced malware threats.
•
NGIPS (Next-Generation Intrusion Prevention System).
•
The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high
inspection throughput rates.
•
Implementing AAA in Cisco IOS
Administrative access methods.
•
Password only.
•
Local database.
•
AAA Local Authentication (self-contained AAA).
•
AAA Server-based.
•
AAA provides:
•
Authentication.
•
Who is permitted to access a network.
•
Authorization.
•
What they can do while they are there.
•
Accounting.
•
Records in detail what they did.
•
Methods of implementing AAA services.
•
Local AAA Authentication.
•
Uses a local database stored in the router for authentication.
•
Server-Based AAA Authentication.
•
Uses an external database server that leverages RADIUS or TACACS+ protocols.
-
Preferred in large environments.
•
Server-Based Authentication
•
The user establishes a connection with the router.
•
The router prompts the user for a username and password.
•
The router passes the username and password to the Cisco Secure ACS.
•
The ACS authenticates and authorizes the user based on its database.
•
ACS (Access Control Server).
•
Can create a central user and administrative access DB that all network devices can access.
•
Can work with many external databases, such as Active Directory.
•
Supports both TACACS+ and RADIUS protocols.
•
Both protocols can be used to communicate between AAA client (Router) and AAA servers (ACS).
•
Provides user and device group profiles.
•
Restrictions to network access based on a specific time.
•
Can be software installed on Windows Server or a physical appliance purchased from Cisco.
•
RADIUS (Remote Authentication Dial-In User Service).
•
Open standard, RFCs 2865, 2866, 2867, and 2868.
•
Combines authentication & authorization, but separates accounting.
•
Supports detailed accounting required for billing users, so preferred by ISPs.
•
Hides only the password: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the request authenticator.
•
The user name and every other attribute travel in cleartext, so RADIUS should be confined to a trusted management path or carried inside IPsec or TLS (RadSec).
•
Uses UDP port 1812 for authentication and authorization (older implementations used 1645).
•
Uses UDP port 1813 for accounting (older implementations used 1646).
•
Supports remote-access technologies, 802.1X, and SIP.
•
TACACS+ (Terminal Access Controller Access-Control System Plus).
•
Developed by Cisco and long treated as proprietary; the protocol is now documented in RFC 8907.
•
Separates authentication and authorization.
•
Accounting is less detailed than RADIUS accounting.
•
Obfuscates the entire packet body (user name, password, commands), not only the password; the 12-byte header stays in cleartext. The mechanism is an MD5-based keystream, which RFC 8907 describes as obfuscation rather than encryption, so TACACS+ should likewise stay on a trusted path.
•
Utilizes TCP port 49.
•
Multiprotocol support, such as IP and AppleTalk.
•
Incompatible with any previous version of TACACS.
•
AAA clients must run Cisco IOS Release 11.2 or later.
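To make the RADIUS and TACACS+ points above concrete (password-only hiding versus whole-body obfuscation, both MD5-based), here is an added example written for these notes, not code from Cisco or from either RFC. It builds one RADIUS Access-Request and one TACACS+ authentication START packet and reports what a sniffer on the path can read. The shared secret, request authenticator, session ID, user name, and password are constructed test values, and the TACACS+ START body is the simplified PAP form with empty port and remote-address fields.

```python
import hashlib
import struct

# Added example for these notes (not Cisco or RFC reference code): how RADIUS and
# TACACS+ protect credentials on the wire. All secrets, IDs and names are constructed.


def _xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

# --- RADIUS, RFC 2865 section 5.2: only the User-Password attribute is hidden ---

def radius_hide_password(password, secret, authenticator):
    """b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1, then
    b(n) = MD5(secret + c(n-1)), c(n) = p(n) XOR b(n); password NUL-padded to 16*k."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk
    return hidden

def radius_reveal_password(hidden, secret, authenticator):
    """Server-side inverse; the scheme is symmetric and needs only the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        clear += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return clear.rstrip(b"\x00")

def radius_access_request(identifier, username, password, secret, authenticator):
    """Access-Request: Code=1, Identifier, Length, 16-octet Authenticator, then
    User-Name (type 1, cleartext) and User-Password (type 2, hidden) attributes."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

# --- TACACS+, RFC 8907 section 4.5: the whole body is XORed with an MD5 keystream ---

TAC_PLUS_VERSION = 0xC0          # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1);
    the digests are concatenated and truncated to the body length."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_wrap(session_id, seq_no, body, key):
    """12-octet header (cleartext) followed by the obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + _xor(body, pad)

def tacacs_unwrap(packet, key):
    """Return (header dict, body). The header is readable without the key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length))
    return header, body

def wire_exposure(username=b"admin", password=b"S3cr3t-P@ss", secret=b"constructed-shared-key"):
    """What a passive sniffer sees in each protocol (constructed values, not a capture)."""
    # A real client picks a random Request Authenticator; fixed here for reproducibility.
    authenticator = hashlib.md5(b"constructed-request-authenticator").digest()
    radius_pkt = radius_access_request(7, username, password, secret, authenticator)
    # Simplified TACACS+ authentication START for PAP: action=LOGIN(1), priv_lvl=1,
    # authen_type=PAP(2), service=LOGIN(1), user_len, port_len=0, rem_addr_len=0, data_len.
    start = struct.pack("!8B", 1, 1, 2, 1, len(username), 0, 0, len(password)) + username + password
    session_id = 0x1A2B3C4D
    tacacs_pkt = tacacs_wrap(session_id, 1, start, secret)
    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tacacs_pkt,
        "tacacs_password_visible": password in tacacs_pkt,
        "tacacs_session_id_visible": struct.pack("!I", session_id) in tacacs_pkt[:12],
    }
```

Both schemes are keystreams derived from MD5 of a shared secret, so neither is modern encryption; the practical difference is scope (one attribute versus the whole body), and both rely on the shared secret never being weak or reused. The wrong-key case in tacacs_unwrap simply yields garbage, which is how a key mismatch between router and ACS shows up in practice.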
•
ISE (Identity Services Engine).
•
An identity and access control policy platform.
•
Can validate that a computer meets the requirements of a company’s policy related to virus definition files,
service pack levels, and so on before allowing the device on the network.
•
Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent
replacement for ACS.
•
ACS was used mainly for AAA and ISE for posture and policy-compliance checking of hosts; ACS has since reached end-of-life, and ISE (2.0 and later, which added TACACS+ device administration) now covers both roles.
•
Login method types:
•
Enable.
•
Uses the enable password for authentication.
•
Line.
•
Uses the line password for authentication.
•
Local.
•
Uses the local username database for authentication.
•
Local-case.
•
Uses case-sensitive local username authentication.
•
Group radius.
•
Uses the list of all RADIUS servers for authentication.
•
Group tacacs+.
•
Uses the list of all TACACS+ servers for authentication.
•
Group group-name.
•
Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius
or aaa group server tacacs+ command.
•
None.
•
Performs no authentication at all: every login is accepted. It exists only as a last-resort fallback (so that an administrator is not locked out when every AAA server is unreachable); on vty lines it means anyone who can wait for, or cause, a server outage logs in without credentials, so prefer local as the final method.
•
AAA lists.
•
When AAA is enabled, the default list is automatically applied to every interface and line that has no named list assigned.
•
If no default login list is configured and no named list is applied, only the local user database is checked, so create a local privilege-15 user before entering aaa new-model or you can lock yourself out of the vty lines.
•
Authorization.
•
What a user can and cannot do on the network after that user is authenticated.
•
Usually implemented with an AAA server; the local database can also be used for exec authorization.
•
When a user has been authenticated, a session is established with the AAA server.
•
The router requests authorization for the requested service from the AAA server.
•
The AAA server returns a PASS/FAIL for authorization.
•
TACACS+ establishes a new TCP session for every authorization request.
•
When AAA authorization is not enabled, every authenticated user simply gets the privilege level of their account or line, with no per-command checks.
•
To enable AAA.
•
R(config)# aaa new-model
•
To Configure Authentication to Use the AAA Server.
•
R(config)# aaa authentication login {default | list-name} method1 [method2 method3 method4]   (up to four methods)
•
R(config)# aaa authentication login default group radius group tacacs+ local …..
•
R(config)# aaa authentication enable list-name|default group tacacs+ enable
•
Methods are tried in order; the next one is consulted only when the current method returns an error (for example the server is unreachable). A rejection of the credentials is final and the remaining methods are skipped; if every method errors, the login is denied.
•
To specify the number of unsuccessful login attempts (then the user will be locked out).
•
R(config)# aaa local authentication attempts max-fail n
•
The lockout applies to local authentication and does not apply to privilege-15 users (so an administrator cannot be locked out); a locked account stays locked until an administrator clears it.
•
To display a list of all locked-out users.
•
R# show aaa local user lockout
•
To unlock a specific user or to unlock all locked users.
•
R# clear aaa local user lockout all | username name
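The fall-through rule, the danger of a none fallback, and the local lockout and clear behaviour described above, modelled in an added example. This is a simulation written for these notes, not IOS code: the user accounts, passwords, and the reachable or unreachable server are constructed; the rules that local returns an error for an unknown user and a failure for a wrong password, and that privilege-15 users are exempt from lockout, follow IOS behaviour.

```python
# Added example (not Cisco IOS code): a model of how IOS walks an AAA login method
# list, why 'none' as a fallback is dangerous, and how the local lockout behaves.

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class LocalDatabase:
    """Stand-in for the router's 'username NAME privilege N secret PW' entries plus
    'aaa local authentication attempts max-fail N'. All accounts here are constructed."""

    def __init__(self, users, max_fail=None):
        self.users = dict(users)      # name -> (password, privilege)
        self.max_fail = max_fail      # None: lockout not configured
        self.failures = {}
        self.locked = set()

    def method(self, username, password):
        """The 'local' method. IOS returns ERROR (fall through to the next method)
        for a user that is not in the local database and FAIL for a wrong password."""
        if username not in self.users:
            return ERROR
        if username in self.locked:
            return FAIL
        secret, privilege = self.users[username]
        if password == secret:          # plain comparison: this is a model, not a verifier
            self.failures.pop(username, None)
            return PASS
        # Privilege-15 users are exempt so that an administrator cannot be locked out.
        if self.max_fail is not None and privilege != 15:
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= self.max_fail:
                self.locked.add(username)
        return FAIL

    def clear_lockout(self, username=None):
        """'clear aaa local user lockout {all | username NAME}'."""
        targets = list(self.locked) if username is None else [username]
        for name in targets:
            self.locked.discard(name)
            self.failures.pop(name, None)


def none_method(username, password):
    """The 'none' method: no authentication at all."""
    return PASS


def server_group(server_up, valid_users):
    """Builds a 'group tacacs+' / 'group radius' method. An unreachable server returns
    ERROR; a reachable one answers PASS or FAIL from its own (constructed) user store."""
    def method(username, password):
        if not server_up:
            return ERROR
        return PASS if valid_users.get(username) == password else FAIL
    return method


def authenticate(method_list, username, password):
    """Walk the list like IOS: ERROR means 'try the next method'; the first PASS or
    FAIL is final. If every method errors, access is denied."""
    for method in method_list:
        result = method(username, password)
        if result != ERROR:
            return result
    return FAIL


def scenarios():
    """Constructed scenarios contrasting the two fallbacks and the lockout."""
    local = LocalDatabase({"admin": ("Adm1n-P@ss", 15), "ops": ("0ps-P@ss", 1)}, max_fail=3)
    tacacs_users = {"ops": "0ps-P@ss"}
    down = server_group(False, tacacs_users)
    up = server_group(True, tacacs_users)
    results = {}
    # aaa authentication login default group tacacs+ none   (server unreachable)
    results["none_fallback_attacker"] = authenticate([down, none_method], "mallory", "anything")
    # aaa authentication login default group tacacs+ local  (server unreachable)
    results["local_fallback_attacker"] = authenticate([down, local.method], "mallory", "anything")
    results["local_fallback_admin"] = authenticate([down, local.method], "admin", "Adm1n-P@ss")
    # Server reachable and rejecting: FAIL is final, the local database is never consulted.
    consulted = []
    def counted_local(username, password):
        consulted.append(username)
        return local.method(username, password)
    results["server_reject_is_final"] = authenticate([up, counted_local], "ops", "wrong")
    results["local_consulted_after_reject"] = bool(consulted)
    # Three bad local attempts lock 'ops' until cleared; 'admin' (privilege 15) never locks.
    for _ in range(3):
        authenticate([local.method], "ops", "wrong")
        authenticate([local.method], "admin", "wrong")
    results["ops_locked"] = authenticate([local.method], "ops", "0ps-P@ss")
    results["admin_not_locked"] = authenticate([local.method], "admin", "Adm1n-P@ss")
    local.clear_lockout("ops")
    results["ops_after_clear"] = authenticate([local.method], "ops", "0ps-P@ss")
    return results
```

The first two scenarios are the whole argument for local over none as the last method: with the server down, none admits an unknown user with any password, while local admits only accounts that exist on the router.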
•
To display the attributes that are collected for a AAA session.
•
R# show aaa user all | unique-id
•
To show the unique ID of a session.
•
R# show aaa sessions
•
For vty lines.
•
R(config)# line vty 0 4
•
R(config-line)# login authentication name|default
•
R(config-line)# authorization exec name|default
•
To debug aaa authentication.
•
R# debug aaa authentication|authorization
•
Look specifically for GETUSER and GETPASS status messages.
•
To configure AAA with CCP.
•
CCP, Configure, Router, AAA,…...
•
To create a local user account.
•
CCP > Router > Router Access > User Accounts/View > Add
•
To configure the AAA client (router) with the TACACS+ server.
•
R(config)# tacacs-server host ip key the-key
•
That is the legacy form; current IOS releases use a named server block instead (tacacs server NAME, then address ipv4 ip and key the-key under it), referenced from aaa group server tacacs+.
•
To configure the AAA client (router) with the RADIUS server.
•
R(config)# radius-server host ip key the-key
•
Legacy form likewise; the named-block equivalent is radius server NAME with address ipv4 ip auth-port 1812 acct-port 1813 and key the-key under it.
•
AAA Authorization (Router)
•
To take the privilege level to give the user from the local user database.
•
R(config)# aaa authorization exec default local
•
To take the privilege level to give the user from the TACACS+ server.
•
R(config)# aaa authorization exec default group tacacs+
•
To apply AAA authorization to the console line as well (by default the console is exempt from authorization).
•
R(config)# aaa authorization console
•
To let exec authorization succeed for any user who has already authenticated, without consulting a server (the privilege level still comes from the user account or line, not from this command).
•
R(config)# aaa authorization exec default if-authenticated
•
To have commands entered in configuration mode and its submodes authorized too (on by default once command authorization is configured; the no form disables it).
•
R(config)# aaa authorization config-commands
•
To authorize commands at privilege level x (1-15); if-authenticated at the end lets the command through when the server cannot be reached.
•
R(config)# aaa authorization commands x default group tacacs+ if-authenticated
•
R(config)# no aaa authorization config-commands
•
AAA debugging
•
To debug aaa.
•
R# debug aaa authentication
•
To debug RADIUS or TACACS+.
•
R# debug radius
•
R# debug tacacs events
•
AAA Accounting
•
Each session established through the ACS can be fully accounted for and stored on the server.
•
To configure AAA accounting.
•
R(config)# aaa accounting exec default|list-name start-stop|stop-only method1 method2 ...
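Putting the whole procedure together: below is an added example (not from these notes or from Cisco) that embeds two constructed IOS AAA configurations built from the commands on this page, one weak and one hardened, and audits them for the pitfalls the notes describe. Hostnames, addresses, user names, and keys are invented, and the checks are deliberately narrow rather than a full hardening review.

```python
import re

# Added example (not part of the notes): audit an IOS AAA configuration for the
# pitfalls described on this page. Both configs below are constructed.

WEAK_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default enable
tacacs-server host 10.0.0.5 key cisco123
line vty 0 4
 login authentication default
"""

HARDENED_CONFIG = """\
hostname R1
aaa new-model
aaa local authentication attempts max-fail 5
username admin privilege 15 secret Adm1n-P@ss
tacacs server ACS1
 address ipv4 10.0.0.5
 key 0 sh4red-s3cr3t
aaa group server tacacs+ ADMIN-TAC
 server name ACS1
aaa authentication login default group ADMIN-TAC local
aaa authentication enable default group ADMIN-TAC enable
aaa authorization console
aaa authorization exec default group ADMIN-TAC local
aaa authorization commands 15 default group ADMIN-TAC local
aaa accounting exec default start-stop group ADMIN-TAC
aaa accounting commands 15 default start-stop group ADMIN-TAC
line con 0
 login authentication default
 authorization exec default
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
"""


def audit_aaa(config):
    """Return (severity, message) findings for an IOS running-config text."""
    lines = [ln.strip() for ln in config.splitlines()]

    def has(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    findings = []
    if not has(r"aaa new-model$"):
        findings.append(("high", "aaa new-model missing: no AAA method lists are in effect"))
        return findings

    for ln in lines:
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", ln)
        if not m:
            continue
        kind, name, methods = m.groups()
        words = methods.split()
        if "none" in words:
            findings.append(("high", f"{kind} list '{name}' contains 'none': anyone is admitted "
                                     "once the methods before it error (e.g. every server unreachable)"))
        if kind == "login" and set(words) <= {"enable", "line"}:
            findings.append(("medium", f"login list '{name}' relies only on a shared "
                                       f"{'/'.join(words)} password: no per-user accountability"))

    if not has(r"aaa authentication login default "):
        findings.append(("info", "no default login list: lines without a named list check only the local user database"))
    if has(r"(tacacs|radius)-server host "):
        findings.append(("medium", "legacy 'tacacs-server host'/'radius-server host' syntax: "
                                   "migrate to 'tacacs server NAME' / 'radius server NAME' blocks"))
    if not has(r"aaa local authentication attempts max-fail "):
        findings.append(("medium", "no local lockout: 'aaa local authentication attempts max-fail' is "
                                   "not set, so brute-force against local accounts is unlimited"))
    if not has(r"aaa authorization console$"):
        findings.append(("low", "console line is exempt from AAA authorization ('aaa authorization console' not set)"))
    if not has(r"aaa accounting "):
        findings.append(("medium", "no accounting configured: nothing records who logged in or what commands ran"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_aaa(cfg) or "no findings")
```

Feed it the text of show running-config from a real router to get the same findings; the hardened configuration also shows the order that avoids a self-lockout (local privilege-15 user and server definitions first, method lists after).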
•
ACS server configurations.
•
Network device groups.
•
Groups of network devices, normally based on routers or switches with similar functions/devices managed by
the same administrators.
•
Network devices (ACS clients/routers/switches).
•
The individual network devices that go into the device groups.
•
Identity groups (user/admin groups).
•
Groups of administrators, normally based on users who will need similar rights and access to specific groups
of network devices.
•
User accounts.
•
Individual administrator/user accounts that are placed in identity groups.
•
Authorization profiles.
•
These profiles control what rights are permitted.
•
The profile is associated with a network device group and a user/administrator identity group.
•
To manage ACS server.
•
https://ip
•
Default username and password: acsadmin pass: default
•
For trial license.
•
https://www.cisco.com/go/license (Get Other Licenses > Demo and..., search for Access Control).
•
To create a device group.
•
ACS > Network Resources > Network Device Groups > Device Type > Create
•
To add a device to the group.
•
Network Resources > Network Devices and AAA Clients > Create
•
Click the Select button to the right of the device type and select the device group
•
Select tacacs+ and type the password
•
In the ip address select range and type the range (ex. 10.0.0.100-200) , Add V
•
To create a user group.
•
Users and Identity Stores > Identity Groups > Create
•
To create individual user.
•
Users and Identity Stores > Internal Identity Stores > Users and click > Create
•
To create a shell profile.
•
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
•
Common Tasks tab, Default Privilege: Static, then type a privilege level.
•
To configure authorization policies (To assign permisions to identity group to access device group).
•
Access Policies > Access Services > Default Device Admin > Authorization > Create
•
Then select a shell profile or create one (a shell profile has a name and defines a privilege level).
•
Verifying and Troubleshooting Router-to-ACS Server Interactions.
•
Ping the ACS server from the router, then test the AAA exchange end to end:
•
R# test aaa group tacacs+ username password legacy
•
Using debug Commands to Verify Functionality
•
To look at the reports on the ACS server.
•
Monitoring & Reports > Reports > Catalog > AAA Protocol
•
Bring Your Own Device (BYOD)
•
Allowing users to bring their own network-connected devices while maintaining an appropriate security posture.
•
The organization’s security policy must be leveraged to govern the level of access for BYOD devices.
•
BYOD Solution Components.
•
BYOD devices.
•
The corporate-owned and personally owned endpoints that require access to the corporate network regardless
of their physical location.
•
Wireless access points (AP).
•
Provide wireless network connectivity to the corporate network for both local & BYOD devices.
•
Wireless LAN (WLAN) controllers.
•
Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution.
•
Used to implement and enforce the security requirements for the BYOD solution.
•
Works with the ISE to enforce both authentication and authorization policies on each BYOD endpoint.
•
Identity Services Engine (ISE).
•
The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies
put forth by the organization.
•
Cisco AnyConnect Secure Mobility Client.
•
Provides connectivity for end users who need access to the corporate network.
•
Inside users authenticate with 802.1X for secure access to the corporate network.
•
Outside users use the AnyConnect client for secure VPN connectivity, including posture checking.
•
Integrated Services Routers (ISR).
•
Will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and
Internet access for home office environments.
•
Can provide VPN connectivity for mobile devices that are part of the BYOD solution.
•
Adaptive Security Appliance (ASA).
•
Provides all the standard security functions for the BYOD solution at the Internet edge.
•
Can provide IPS and VPN for end devices.
•
Cloud Web Security (CWS).
•
Provides enhanced security for all the BYOD solution endpoints while they access Internet.
•
RSA SecurID.
•
The RSA SecurID server provides one-time password (OTP) generation and logging for users that access
network devices and other applications which require OTP authentication.
•
Active Directory.
•
Restricts access to those users with valid authentication credentials.
•
Certificate authority.
•
The CA server ensures that only devices with corporate certificates can access the corporate network.
•
Mobile Device Management (MDM).
•
Deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.
•
Specific functions provided by MDM include:
•
Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached).
-
Enforcement of strong passwords for all BYOD devices.
-
Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting
to use these compromised devices on the corporate network.
-
Enforcement of data encryption requirements based on an organization’s security policies.
-
Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.
-
MDM Deployment Options.
•
On-Premise MDM Deployment.
•
MDM application software is installed and maintained on servers within the corporate data center.
•
Consists of the following topology and network components:
•
Data center.
•
The data center consists of the servers and ISE to enforce posture assessment and access control.
•
Internet edge.
•
Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital
certificates, applications, data, and configuration settings for all the BYOD devices.
•
Services.
•
Contains the WLC for all APs to which corporate users connect, as well as any other network-based services the corporate environment requires.
•
Core.
•
Serves as the main distribution and routing point for all network traffic traversing the corporate network
environment.
•
Campus building.
•
A distribution switch provides the main ingress/egress point for all network traffic entering and exiting from
the campus environment.
•
Cloud-Based MDM Deployment.
•
MDM application software is hosted, managed and maintained by a service provider who is solely responsible for the BYOD solution.
•
Consists of the following topology and network components:
•
Data Center.
•
The data center consists of the servers and ISE to enforce posture assessment and access control.
•
Internet edge.
•
Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital
certificates, applications, data, and configuration settings for all the BYOD devices.
•
WAN.
•
Provides MPLS VPN connectivity for the branch office back to corporate network.
•
Internet access for the branch office.
•
Access to the cloud-based MDM functionality.
•
The cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and
configuration settings for all of the BYOD devices.
•
WAN edge.
•
Serve as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office
environment.
•
Services.
•
Contains the WLC for all APs to which corporate users connect, as well as any other network-based services the corporate environment requires.
•
Core.
•
Serves as the main distribution and routing point for all network traffic traversing the corporate network environment.
•
Branch office.
•
All users requiring network connectivity within the branch office do so through either hardwired connections
to the access switches or via WLAN access to the corporate APs.
•
•
CCNA Sec Page 11

Ccna sec 01

  • 1.
    The basics ofIT security: CIA (Confidentiality, Integrity, Availability) • Confidentiality. • Measures that prevent disclosure of information or data to unauthorized individuals or systems. • Integrity. • Protecting the data from unauthorized alteration or revision. • Often ensured through the use of a hash. • Availability. • Making systems and data ready for use when legitimate users need them at any time. • Guaranteed by network hardening mechanisms and backup systems. • Attacks against availability all fall into the “denial of service” realm. • Asset. • It is anything that is valuable to an organization. • Vulnerability. • An exploitable weakness in a system or its design. • Threat. • Any potential danger to an asset. • Countermeasure. • A safeguard that somehow mitigates a potential risk. • Risk. • The potential for unauthorized access to, compromise, destruction, or damage to an asset. • Classifying Assets. • One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class. • Classifying Vulnerabilities. • Policy flaws • Design errors • CCNA Sec 01 CCNA Sec Page 1
  • 2.
    Design errors • Protocol weaknesses • Misconfiguration • Softwarevulnerabilities • Human factors • Malicious software • Hardware vulnerabilities • Physical access to network resources • Classifying Countermeasures. • Administrative controls. • Consist of written policies, procedures, guidelines, and standards. • Physical controls. • Are exactly what they sound like, physical security for the network servers, equipment, and infrastructure. • Logical controls (technical controls). • Logical controls include passwords, firewalls, IPS, access lists, VPN tunnels, ……... • Potential Attackers. • Terrorists • Criminals • Government agencies • Nation states • Hackers • Disgruntled employees • Competitors • Attack Methods. • Reconnaissance. • This is the discovery process used to find information about the network. • Social engineering. • Leverages our weakest (very likely) vulnerability in a secure system (data, applications, devices, networks): the user. • Could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information. • Phishing. • Presents a link that looks like a valid trusted resource to a user. • Pharming. • Used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. • Privilege escalation. • The process of taking some level of access and achieving an even greater level of access. • Backdoor. • Application can be installed to allow access. • Code execution. • When attackers can gain access to a device, they might be able to take several actions. • Man-in-the-Middle Attacks. • Results when attackers place themselves in line between two devices that are communicating. • To mitigate this risk, you could use techniques such as DAI (Dynamic ARP Inspection). • Additional Attack Methods. • Covert channel. • Uses programs or communications in unintended ways. • For ex. 
If web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to- • CCNA Sec Page 2
  • 3.
    For ex. Ifweb traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to- peer traffic inside of HTTP traffic. • Also a backdoor application collecting keystroke information from the workstation and then sending it out as ICMP or http packet. • Trust exploitation. • Ex. an attacker could leverage his gaining access to a DMZ host, and using that location to launch his attacks • from there to the inside network. Brute-force (password-guessing) attacks. • Performed when an attacker’s system attempts thousands of possible passwords looking for the right match. • Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time. • DoS (Denial of Service). • An attack is launched from a single device with the intent to cause damage to an asset • DDoS (Distributed Denial-of-Service). • An attack is launched from multiple devices as from botnet network. • Botnet. • A collection of infected computers that are ready to take instructions from the attacker. • RDoS (Reflected DDoS). • When the source of the initial (query) packets is actually spoofed by the attacker. • The response packets are then “reflected” back from the unknowing participant to the victim of the attack. • Guidelines for Secure Network Architecture. • Rule of least privilege. • Minimal access should only provided to the required network resources. • Defense in depth. • You should have security implemented on an early every point of your network. • Ex. filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers, as well. • Separation of duties. • Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place. • Auditing. 
• Accounting and keeping records about what is occurring on the network. • Common forms of social engineering. • Phishing. • Elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. • The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number. • Malvertising. • This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware. • Phone scams. • An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack. • Defenses Against Social Engineering. • Password management. • The number and type of characters that each password must include, how often a password must be changed. • Two-factor authentication. • Use two-factor authentication rather than fixed passwords. • Antivirus/antiphishing defenses. • CCNA Sec Page 3
  • 4.
    Antivirus/antiphishing defenses. • Document handlingand destruction. • Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash. • Physical security. • Malware Identification Tools. • Packet captures. • Snort IDS • An open source IDS/IPS developed by the founder of Sourcefire. - NetFlow • IPS events • Advanced Malware Protection (AMP). • Designed for Cisco FirePOWER network security appliances. • Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats. • NGIPS (Next-Generation Intrusion Prevention System). • The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high inspection throughput rates. • Implementing AAA in Cisco IOS Administrative access methods. • Password only. • Local database. • AAA Local Authentication (self-contained AAA). • AAA Server-based. • AAA provides: • Authentication. • Who is permitted to access a network. • Authorization. • What they can do while they are there. • Accounting. • Records in details what they did. • Methods of implementing AAA services. • Local AAA Authentication. • Uses a local database stored in the router for authentication. - Server-Based AAA Authentication. • Uses an external database server that leverages RADIUS or TACACS+ protocols. - Preferred in large environment. - Server-Based Authentication • The user establishes a connection with the router. • The router prompts the user for a username and password. • The router passes the username and password to the Cisco Secure ACS. • The ACS authenticates and authorizes the user based on its database. • ACS (Access Control Server). • Can create a central user and administrative access DB that all network devices can access. • Can work with many external databases, such as Active Directory. • Supports both TACACS+ and RADIUS protocols. 
• Both protocols can be used to communicate between AAA client (Router) and AAA servers (ACS). • Provides user and device group profiles. • CCNA Sec Page 4
  • 5.
    • Restrictions to networkaccess based on a specific time. • Can be software installed on windows server or a physical appliance can be purchased from Cisco. • RADIUS (Remote Authentication Dial-In User Service). • Open standard, RFCs 2865, 2866, 2867, and 2868. • Combines authentication & authorization, but separates accounting. • Supports detailed accounting required for billing users, so preferred by ISPs. • Encrypts only the password. • Does not encrypt user name, or any other data in the message. • Used UDP port 1645 & now 1812 for authentication & authorization. • Used UDP port 1646 & now 1813 for accounting. • Supports remote-access technologies, 802.1X, and SIP. • • TACACS+ (Terminal Access Control Access Control Server). • Cisco proprietary. • Separates authentication and authorization. • Provides limited detailed accounting. • Encrypts all packet not only the password. • Utilizes TCP port 49. • Multiprotocol support, such as IP and AppleTalk. • Incompatible with any previous version of TACACS. • • AAA clients must run Cisco IOS Release 11.2 or later. • ISE (Identity Services Engine). • An identity and access control policy platform. • Can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels, and so on before allowing the device on the network. • Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent replacement for ACS. • ACS should be used mainly for AAA, and ISE for the posturing & policy compliance checking for hosts. • Login method types: • CCNA Sec Page 5
• Login method types:
• Enable.
• Uses the enable password for authentication.
• Line.
• Uses the line password for authentication.
• Local.
• Uses the local username database for authentication.
• Local-case.
• Uses case-sensitive local username authentication.
• Group radius.
• Uses the list of all RADIUS servers for authentication.
• Group tacacs+.
• Uses the list of all TACACS+ servers for authentication.
• Group group-name.
• Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command.
• None.
• Ensures that the authentication succeeds even if all other methods return an error.
• AAA lists.
• When AAA is enabled, the default list is automatically applied to all interfaces and lines, but with no methods defined unless a predefined list is assigned.
• If the default method list is not set and there is no other list, only the local user database is checked.
• Authorization.
• What a user can and cannot do on the network after that user is authenticated.
• Implemented using a AAA server-based solution.
• When a user has been authenticated, a session is established with the AAA server.
• The router requests authorization for the requested service from the AAA server.
• The AAA server returns a PASS/FAIL for authorization.
• TACACS+ establishes a new TCP session for every authorization request.
• When AAA authorization is not enabled, all users are allowed full access.
• To enable AAA.
• R(config)# aaa new-model
• To configure authentication to use the AAA server.
• R(config)# aaa authentication login {list-name | default} method1 [method2 ...] (maximum 4 methods)
• R(config)# aaa authentication login default group radius group tacacs+ local …
• R(config)# aaa authentication enable {list-name | default} group tacacs+ enable
• Methods are used in order; if one gives no response (an error), the next is used.
• To specify the number of unsuccessful login attempts after which the user is locked out.
• R(config)# aaa local authentication attempts max-fail n
• The account (other than privilege-15 accounts) stays locked until it is cleared by an administrator.
• To display a list of all locked-out users.
• R# show aaa local user lockout
• To unlock a specific user or all locked users.
• R# clear aaa local user lockout {all | username name}
• To display the attributes collected for a AAA session.
• R# show aaa user {all | unique-id}
• To show the unique ID of a session.
• R# show aaa sessions
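The method-list semantics described above (methods tried in order, fall-through only on an error, "none" as an unconditional last resort, local lockout after max-fail attempts with privilege-15 accounts exempt) are easy to misread, and the difference between a server that answers FAIL and a server that does not answer at all decides who gets in. The Python model below is an added example written for these notes, not Cisco IOS code: server groups are reduced to a reachable flag, and as a modelling assumption an unknown local user is treated as FAIL. Names and passwords are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Result codes as the notes describe IOS method-list behaviour:
#   PASS  -> authenticated, stop.
#   FAIL  -> rejected, stop; the next method is not consulted.
#   ERROR -> the method could not answer (server unreachable); try the next one.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class LocalDatabase:
    """Model of the router's local username database plus
    'aaa local authentication attempts max-fail n'.
    Assumption of this model: an unknown user is treated as FAIL."""
    passwords: Dict[str, str]
    privilege: Dict[str, int]
    max_fail: int = 0                                   # 0 = lockout not configured
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def authenticate(self, user: str, password: str) -> str:
        if user in self.locked:
            return FAIL
        if self.passwords.get(user) == password:
            self.failures[user] = 0
            return PASS
        self.failures[user] = self.failures.get(user, 0) + 1
        # privilege-15 accounts are never locked out, as the notes state
        if self.max_fail and self.privilege.get(user, 1) < 15 and self.failures[user] >= self.max_fail:
            self.locked.add(user)
        return FAIL

    def show_lockout(self) -> List[str]:                # 'show aaa local user lockout'
        return sorted(self.locked)

    def clear_lockout(self, user: str = "all") -> None: # 'clear aaa local user lockout ...'
        targets = list(self.locked) if user == "all" else [user]
        for u in targets:
            self.locked.discard(u)
            self.failures[u] = 0


@dataclass
class ServerGroup:
    """Model of 'group tacacs+' / 'group radius'; an unreachable group returns ERROR."""
    passwords: Dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR
        return PASS if self.passwords.get(user) == password else FAIL


class NoneMethod:
    """The 'none' method: succeeds unconditionally."""

    def authenticate(self, user: str, password: str) -> str:
        return PASS


def run_method_list(methods, user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate an 'aaa authentication login' list: stop on PASS or FAIL,
    fall through on ERROR. If every method errors, the login is denied
    (reported here as ERROR). Returns (outcome, per-method trace)."""
    trace = []
    for name, method in methods:
        result = method.authenticate(user, password)
        trace.append((name, result))
        if result != ERROR:
            return result, trace
    return ERROR, trace


if __name__ == "__main__":
    tacacs = ServerGroup({"alice": "Tac-pw"}, reachable=False)
    local = LocalDatabase({"bob": "Loc-pw", "admin": "Adm-pw"}, {"bob": 1, "admin": 15}, max_fail=3)
    print(run_method_list([("group tacacs+", tacacs), ("local", local)], "bob", "Loc-pw"))
    print(run_method_list([("group tacacs+", tacacs), ("none", NoneMethod())], "anyone", "anything"))
```

The second call in the usage block is the case to remember: with the server unreachable, a list ending in "none" admits any username with any password, which is the behaviour the notes describe for that method and why it belongs only on a console fallback list, if anywhere.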
• For vty lines.
• R(config)# line vty 0 4
• R(config-line)# login authentication {name | default}
• R(config-line)# authorization exec {name | default}
• To debug AAA authentication or authorization.
• R# debug aaa {authentication | authorization}
• Look specifically for GETUSER and GETPASS status messages.
• To configure AAA with CCP.
• CCP > Configure > Router > AAA > …
• To create a local user account.
• CCP > Router > Router Access > User Accounts/View > Add
• To configure the AAA client (router) with the TACACS+ server.
• R(config)# tacacs-server host ip key the-key
• To configure the AAA client (router) with the RADIUS server.
• R(config)# radius-server host ip key the-key
• AAA Authorization (Router).
• To get the privilege level that should be given to the user from the local user database.
• R(config)# aaa authorization exec default local
• To get the privilege level that should be given to the user from the TACACS+ server.
• R(config)# aaa authorization exec default group tacacs+
• To enable command authorization on the console.
• R(config)# aaa authorization console
• To assign level 15 automatically to any user who has just authenticated.
• R(config)# aaa authorization exec default if-authenticated
• To authorize each command entered in config mode and its submodes.
• R(config)# aaa authorization config-commands
• To authorize the commands of level x (1-15) users.
• R(config)# aaa authorization commands x default group tacacs+ if-authenticated
• R(config)# no aaa authorization config-commands
• AAA debugging.
• To debug AAA.
• R# debug aaa authentication
• To debug RADIUS or TACACS+.
• R# debug {radius | tacacs} events
• AAA Accounting.
• Each session established through the ACS can be fully accounted for and stored on the server.
• To configure AAA accounting.
• R(config)# aaa accounting exec {default | list-name} {start-stop | stop-only} method1 [method2 ...]
• ACS server configurations.
• Network device groups.
• Groups of network devices, normally based on routers or switches with similar functions, or devices managed by the same administrators.
• Network devices (ACS clients/routers/switches).
• The individual network devices that go into the device groups.
• Identity groups (user/admin groups).
• Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.
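Taken together, the router commands in this section describe what a reviewer looks for in a running configuration: AAA enabled, login lists that do not fall back to "none" or to a single shared password, a lockout threshold, accounting, and a key on every server definition. The Python audit below is an added example, not code from these notes or from Cisco; it applies those checks to two constructed running-config excerpts (a weak one and a hardened one). The hostname, addresses and the placeholder key are invented.

```python
import re
from typing import List

# Constructed sample configs (not from the notes). The key is a placeholder.
WEAK_CONFIG = """\
hostname R1
!
aaa new-model
aaa authentication login default group tacacs+ local none
aaa authentication login CONSOLE line
aaa authentication enable default enable
tacacs-server host 10.0.0.5
!
line vty 0 4
 login authentication default
"""

HARDENED_CONFIG = """\
hostname R1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa local authentication attempts max-fail 5
tacacs-server host 10.0.0.5 key EXAMPLE-SHARED-SECRET
!
line vty 0 4
 login authentication default
 authorization exec default
"""


def audit_aaa_config(config: str) -> List[str]:
    """Return a list of findings for the AAA-related lines of an IOS config."""
    findings: List[str] = []
    lines = [line.strip() for line in config.splitlines()]

    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA is not enabled, only line/enable passwords apply")
        return findings  # the remaining checks assume the AAA command model

    # 'aaa authentication login <list> <method...>' -> {list: [methods]}
    login_lists = {}
    for line in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    if not login_lists:
        findings.append("no 'aaa authentication login' list: only the local database is checked, confirm this is intended")
    for name, methods in login_lists.items():
        if "none" in methods:
            findings.append(f"login list '{name}' includes 'none': login succeeds when every earlier method errors")
        if methods in (["line"], ["enable"]):
            findings.append(f"login list '{name}' uses only the shared {methods[0]} password: no per-user accountability")

    if not any(line.startswith("aaa local authentication attempts max-fail") for line in lines):
        findings.append("no 'aaa local authentication attempts max-fail': local accounts never lock out")
    if not any(line.startswith("aaa accounting") for line in lines):
        findings.append("no 'aaa accounting': sessions and commands are not recorded")

    # every TACACS+/RADIUS server definition needs a shared key
    for line in lines:
        m = re.match(r"(tacacs|radius)-server host (\S+)(.*)$", line)
        if m and "key" not in m.group(3).split():
            findings.append(f"{m.group(1)} server {m.group(2)} has no key: the router cannot authenticate the server exchange")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_aaa_config(cfg) or ["no findings"])
```

The script reads a saved copy of the configuration, so it runs offline and can be pointed at a whole archive of device backups; it is a static check and says nothing about whether the configured servers are actually reachable, which is what the test aaa and debug commands in the notes are for.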
• User accounts.
• Individual administrator/user accounts that are placed in identity groups.
• Authorization profiles.
• These profiles control what rights are permitted.
• The profile is associated with a network device group and a user/administrator identity group.
• To manage the ACS server.
• https://ip
• Default username: acsadmin, password: default
• For a trial license: https://www.cisco.com/go/license (log in, search for access control; demo and other licenses are available there).
• To create a device group.
• ACS > Network Resources > Network Device Groups > Device Type > Create
• To add a device to the group.
• Network Resources > Network Devices and AAA Clients > Create
• Click the Select button to the right of the device type and select the device group.
• Select TACACS+ and type the shared secret.
• In the IP address field select Range and type the range (e.g. 10.0.0.100-200), then click Add.
• To create a user group.
• Users and Identity Stores > Identity Groups > Create
• To create an individual user.
• Users and Identity Stores > Internal Identity Stores > Users > Create
• To create a shell profile.
• Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
• On the Common Tasks tab set Default Privilege to Static and type a privilege level.
• To configure authorization policies (to assign permissions to an identity group for access to a device group).
• Access Policies > Access Services > Default Device Admin > Authorization > Create
• Then select a shell profile or create one (a shell profile has a name and defines a privilege level).
• Verifying and Troubleshooting Router-to-ACS Server Interactions.
• Ping the ACS server from the router.
• R# test aaa group tacacs+ username password legacy
• Using debug commands to verify functionality.
• To look at the reports on the ACS server.
• Monitoring & Reports > Reports > Catalog > AAA Protocol
• Bring Your Own Device (BYOD).
• Allowing users to bring their own network-connected devices while also maintaining an appropriate security posture.
• The organization’s security policy must be leveraged to govern the level of access for BYOD devices.
• BYOD Solution Components.
• BYOD devices.
• The corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location.
• Wireless access points (AP).
• Provide wireless network connectivity to the corporate network for both local & BYOD devices.
• Wireless LAN (WLAN) controllers.
• Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution.
• Used to implement and enforce the security requirements for the BYOD solution.
• Work with the ISE to enforce both authentication and authorization policies on each BYOD endpoint.
• Identity Services Engine (ISE).
• The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies put forth by the organization.
• Cisco AnyConnect Secure Mobility Client.
• Provides connectivity for end users who need access to the corporate network.
• Inside network users leverage 802.1X for secure access to the corporate network.
• Outside users use the AnyConnect client for secure VPN connectivity, including posture checking.
• Integrated Services Routers (ISR).
• Used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments.
• Can provide VPN connectivity for mobile devices that are part of the BYOD solution.
• Adaptive Security Appliance (ASA).
• Provides all the standard security functions for the BYOD solution at the Internet edge.
• Can provide IPS and VPN for end devices.
• Cloud Web Security (CWS).
• Provides enhanced security for all the BYOD solution endpoints while they access the Internet.
• RSA SecurID.
• The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication.
• Active Directory.
• Restricts access to those users with valid authentication credentials.
• Certificate authority.
• The CA server ensures that only devices with corporate certificates can access the corporate network.
• Mobile Device Management (MDM).
• Deploys, manages, and monitors the mobile devices that make up the Cisco BYOD solution.
• Specific functions provided by MDM include:
• Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached).
• Enforcement of strong passwords for all BYOD devices.
• Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting to use these compromised devices on the corporate network.
• Enforcement of data encryption requirements based on an organization’s security policies.
• Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.
• MDM Deployment Options.
• On-Premise MDM Deployment.
• MDM application software is installed and maintained on servers within the corporate data center.
• Consists of the following topology and network components:
• Data center.
• The data center consists of the servers and ISE to enforce posture assessment and access control.
• Internet edge.
• Includes an ASA firewall, WLC and the MDM, which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices.
• Services.
• Contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate.
• Core.
• Serves as the main distribution and routing point for all network traffic traversing the corporate network environment.
• Campus building.
• A distribution switch provides the main ingress/egress point for all network traffic entering and exiting the campus environment.
• Cloud-Based MDM Deployment.
• MDM application software is hosted, managed and maintained by a service provider who is solely responsible for the BYOD solution.
• Consists of the following topology and network components:
• Data center.
• The data center consists of the servers and ISE to enforce posture assessment and access control.
• Internet edge.
• Includes an ASA firewall, WLC and the MDM, which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices.
• WAN.
• Provides MPLS VPN connectivity for the branch office back to the corporate network.
• Internet access for the branch office.
• Access to the cloud-based MDM functionality.
• The cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all of the BYOD devices.
• WAN edge.
• Serves as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office environment.
• Services.
• Contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate.
• Core.
• Serves as the main distribution and routing point for all network traffic traversing the corporate network environment.
• Branch office.
• All users requiring network connectivity within the branch office do so through either hardwired connections to the access switches or via WLAN access to the corporate APs.