The document discusses the basics of IT security including the CIA triad of confidentiality, integrity and availability. It also covers common security concepts such as assets, vulnerabilities, threats, countermeasures and risks. Additionally, it summarizes authentication, authorization and accounting (AAA) protocols, common attacks and how to implement secure network architecture.
CCNA Sec 01
The basics of IT security: CIA (Confidentiality, Integrity, Availability)
• Confidentiality. Measures that prevent disclosure of information or data to unauthorized individuals or systems.
• Integrity. Protecting the data from unauthorized alteration or revision. Often ensured through the use of a hash.
• Availability. Making systems and data ready for use when legitimate users need them at any time. Guaranteed by network hardening mechanisms and backup systems. Attacks against availability all fall into the “denial of service” realm.
• Asset. Anything that is valuable to an organization.
• Vulnerability. An exploitable weakness in a system or its design.
• Threat. Any potential danger to an asset.
• Countermeasure. A safeguard that somehow mitigates a potential risk.
• Risk. The potential for unauthorized access to, compromise of, destruction of, or damage to an asset.
• Classifying Assets. One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class.
• Classifying Vulnerabilities.
  - Policy flaws
  - Design errors
CCNA Sec Page 1
  - Protocol weaknesses
  - Misconfiguration
  - Software vulnerabilities
  - Human factors
  - Malicious software
  - Hardware vulnerabilities
  - Physical access to network resources
• Classifying Countermeasures.
  - Administrative controls. Consist of written policies, procedures, guidelines, and standards.
  - Physical controls. Exactly what they sound like: physical security for the network servers, equipment, and infrastructure.
  - Logical controls (technical controls). Include passwords, firewalls, IPS, access lists, VPN tunnels, and so on.
• Potential Attackers.
  - Terrorists
  - Criminals
  - Government agencies
  - Nation states
  - Hackers
  - Disgruntled employees
  - Competitors
• Attack Methods.
  - Reconnaissance. The discovery process used to find information about the network.
  - Social engineering. Leverages what is very likely the weakest vulnerability in a secure system (data, applications, devices, networks): the user. Could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information.
  - Phishing. Presents a link that looks like a valid trusted resource to a user.
  - Pharming. Used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user.
  - Privilege escalation. The process of taking some level of access and achieving an even greater level of access.
  - Backdoor. An application can be installed to allow access.
  - Code execution. When attackers can gain access to a device, they might be able to take several actions.
  - Man-in-the-Middle attacks. Result when attackers place themselves in line between two devices that are communicating. To mitigate this risk, you could use techniques such as DAI (Dynamic ARP Inspection).
• Additional Attack Methods.
  - Covert channel. Uses programs or communications in unintended ways. For example, if web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic.
  - Also, a backdoor application collecting keystroke information from the workstation and then sending it out as ICMP or HTTP packets.
  - Trust exploitation. Ex.: an attacker could leverage his gaining access to a DMZ host and use that location to launch his attacks from there to the inside network.
  - Brute-force (password-guessing) attacks. Performed when an attacker’s system attempts thousands of possible passwords looking for the right match. Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time.
  - DoS (Denial of Service). An attack launched from a single device with the intent to cause damage to an asset.
  - DDoS (Distributed Denial of Service). An attack launched from multiple devices, such as from a botnet.
  - Botnet. A collection of infected computers that are ready to take instructions from the attacker.
  - RDoS (Reflected DDoS). When the source of the initial (query) packets is actually spoofed by the attacker. The response packets are then “reflected” back from the unknowing participant to the victim of the attack.
• Guidelines for Secure Network Architecture.
  - Rule of least privilege. Only the minimal access to the required network resources should be provided.
  - Defense in depth. You should have security implemented at nearly every point of your network. Ex.: filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers as well.
  - Separation of duties. Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place.
  - Auditing. Accounting and keeping records about what is occurring on the network.
• Common forms of social engineering.
  - Phishing. Elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.
  - Malvertising. The act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.
  - Phone scams. An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack.
• Defenses Against Social Engineering.
  - Password management. The number and type of characters that each password must include, and how often a password must be changed.
  - Two-factor authentication. Use two-factor authentication rather than fixed passwords.
  - Antivirus/antiphishing defenses.
  - Document handling and destruction. Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
  - Physical security.
• Malware Identification Tools.
  - Packet captures.
  - Snort IDS. An open source IDS/IPS developed by the founder of Sourcefire.
  - NetFlow.
  - IPS events.
  - Advanced Malware Protection (AMP). Designed for Cisco FirePOWER network security appliances. Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.
  - NGIPS (Next-Generation Intrusion Prevention System). The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high inspection throughput rates.
Implementing AAA in Cisco IOS
• Administrative access methods.
  - Password only.
  - Local database.
  - AAA local authentication (self-contained AAA).
  - AAA server-based.
• AAA provides:
  - Authentication. Who is permitted to access a network.
  - Authorization. What they can do while they are there.
  - Accounting. Records in detail what they did.
• Methods of implementing AAA services.
  - Local AAA authentication. Uses a local database stored in the router for authentication.
  - Server-based AAA authentication. Uses an external database server that leverages the RADIUS or TACACS+ protocols. Preferred in large environments.
• Server-Based Authentication.
  - The user establishes a connection with the router.
  - The router prompts the user for a username and password.
  - The router passes the username and password to the Cisco Secure ACS.
  - The ACS authenticates and authorizes the user based on its database.
• ACS (Access Control Server).
  - Can create a central user and administrative access DB that all network devices can access.
  - Can work with many external databases, such as Active Directory.
  - Supports both TACACS+ and RADIUS protocols. Both protocols can be used to communicate between the AAA client (router) and AAA servers (ACS).
  - Provides user and device group profiles.
  - Restrictions to network access based on a specific time.
  - Can be software installed on a Windows server, or a physical appliance can be purchased from Cisco.
• RADIUS (Remote Authentication Dial-In User Service).
  - Open standard: RFCs 2865, 2866, 2867, and 2868.
  - Combines authentication and authorization, but separates accounting.
  - Supports the detailed accounting required for billing users, so it is preferred by ISPs.
  - Encrypts only the password. Does not encrypt the user name or any other data in the message.
  - Used UDP port 1645, now 1812, for authentication and authorization.
  - Used UDP port 1646, now 1813, for accounting.
  - Supports remote-access technologies, 802.1X, and SIP.
• TACACS+ (Terminal Access Control Access Control Server).
  - Cisco proprietary.
  - Separates authentication and authorization.
  - Provides limited detailed accounting.
  - Encrypts all packets, not only the password.
  - Utilizes TCP port 49.
  - Multiprotocol support, such as IP and AppleTalk.
  - Incompatible with any previous version of TACACS.
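As an added example (not from the notes or from any Cisco code), the following Python models the contrast the two lists above draw: RADIUS hides only the User-Password attribute (RFC 2865), leaving the user name and the rest of the packet readable on the wire, while TACACS+ obfuscates the whole packet body (RFC 8907). The shared secret, user name, NAS address, session id and authenticator bytes are constructed values.

```python
"""Added example, not from the CCNA notes or any Cisco product: a minimal model of how
RADIUS and TACACS+ each hide credentials on the wire. It makes concrete the contrast in
the notes that RADIUS obscures only the User-Password attribute while TACACS+ obfuscates
the whole packet body. Secrets, names, addresses and authenticator bytes are constructed."""
import hashlib
import struct

# RADIUS Access-Request code and attribute types from RFC 2865; UDP port as in the notes.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
RADIUS_AUTH_PORT = 1812


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then
    XOR each 16-octet chunk with MD5(secret + previous chunk), seeded with the 16-octet
    Request Authenticator. This is the only attribute RADIUS protects this way."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: rebuild the keystream from the shared secret and the received chunks,
    XOR it back out and strip the NUL padding."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(clear).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: 1-octet type, 1-octet length (counting these 2 header octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, authenticator, username, password, nas_ip):
    """Encode an Access-Request as the AAA client (the router) sends it. A real client
    draws the Request Authenticator from a strong random source; it is a parameter here
    so the example is reproducible."""
    attrs = (_attribute(USER_NAME, username)
             + _attribute(USER_PASSWORD, radius_hide_password(secret, authenticator, password))
             + _attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet: bytes):
    """Decode header and attributes. Anyone on the path can do this without the secret,
    which is why User-Name and NAS-IP-Address are readable in a capture."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def tacacs_plus_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 section 4.5: XOR the TACACS+ body with a pseudo-pad of chained
    MD5(session_id || key || version || seq_no || previous_hash) blocks. Every field of
    the body is covered, not just the password; the operation is its own inverse."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(secret: bytes, username: bytes, password: bytes) -> dict:
    """Carry the same credentials in a RADIUS Access-Request and in a TACACS+ body and
    report which plaintext fields are still visible in the bytes on the wire."""
    authenticator = bytes(range(16))                 # constructed; real clients use random bytes
    radius_pkt = build_access_request(secret, 7, authenticator, username, password, "10.0.0.1")
    tacacs_body = b"\x01\x00\x01\x01" + username + b"tty0" + password   # constructed START-like body
    tacacs_pkt = tacacs_plus_obfuscate(secret, 0x1234ABCD, 0xC0, 1, tacacs_body)
    return {
        "radius_username_visible": username in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": username in tacacs_pkt,
        "tacacs_password_visible": password in tacacs_pkt,
    }
```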
• AAA clients must run Cisco IOS Release 11.2 or later.
• ISE (Identity Services Engine).
  - An identity and access control policy platform.
  - Can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels, and so on before allowing the device on the network.
  - Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent replacement for ACS.
  - ACS should be used mainly for AAA, and ISE for the posturing and policy compliance checking for hosts.
• Login method types:
  - Enable. Uses the enable password for authentication.
  - Line. Uses the line password for authentication.
  - Local. Uses the local username database for authentication.
  - Local-case. Uses case-sensitive local username authentication.
  - Group radius. Uses the list of all RADIUS servers for authentication.
  - Group tacacs+. Uses the list of all TACACS+ servers for authentication.
  - Group group-name. Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command.
  - None. Ensures that the authentication succeeds even if all methods return an error.
• AAA lists.
  - When AAA is enabled, the default list is automatically applied to all interfaces and lines, but with no methods defined unless a predefined list is assigned.
  - If the default method list is not set and there is no other list, only the local user database is checked.
• Authorization.
  - What a user can and cannot do on the network after that user is authenticated.
  - Implemented using a AAA server-based solution.
  - When a user has been authenticated, a session is established with the AAA server.
  - The router requests authorization for the requested service from the AAA server.
  - The AAA server returns a PASS/FAIL for authorization.
  - TACACS+ establishes a new TCP session for every authorization request.
  - When AAA authorization is not enabled, all users are allowed full access.
• To enable AAA.
  R(config)# aaa new-model
• To configure authentication to use the AAA server.
  R(config)# aaa authentication login list-name|default method method method [maximum 4 methods]
  R(config)# aaa authentication login default group radius group tacacs+ local …..
  R(config)# aaa authentication enable list-name|default group tacacs+ enable
  - Methods are used in order; if there is no response from one, the next is used.
• To specify the number of unsuccessful login attempts after which the user will be locked out.
  R(config)# aaa local authentication attempts max-fail n
  - The account (non priv 15) will stay locked until it is cleared by an administrator.
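The method-list order and the lockout behaviour described above, modelled in Python as an added example (not from the notes or from Cisco IOS itself): a method that gives no response returns ERROR and the list moves on, a method that rejects the password returns FAIL and the login stops, and the local database counts failures toward the configured max-fail, exempting privilege-15 accounts. Server groups, user records and passwords are constructed stubs.

```python
"""Added example, not from the CCNA notes: a small model of how a Cisco IOS login method
list such as "aaa authentication login default group radius group tacacs+ local" is
walked, and of the lockout configured with "aaa local authentication attempts max-fail n".
Server groups and user records are constructed stubs; the FAIL-versus-ERROR distinction
is the one the notes describe (no response moves to the next method, a rejected
password does not)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Result(Enum):
    PASS = "PASS"    # method authenticated the user
    FAIL = "FAIL"    # method answered and rejected the credentials: stop here
    ERROR = "ERROR"  # method gave no response: fall through to the next method


Method = Callable[[str, str], Result]


@dataclass
class AAAServerGroup:
    """Stand-in for 'group radius' / 'group tacacs+': unreachable servers yield ERROR."""
    name: str
    users: Dict[str, str]
    reachable: bool = True

    def __call__(self, username: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(username) == password else Result.FAIL


@dataclass
class LocalDatabase:
    """Stand-in for the 'local' method. users maps name -> (password, privilege level)."""
    users: Dict[str, Tuple[str, int]]
    max_fail: Optional[int] = None      # None models the max-fail command not being configured
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def __call__(self, username: str, password: str) -> Result:
        if username in self.locked:
            return Result.FAIL
        stored = self.users.get(username)
        if stored is not None and stored[0] == password:
            self.failures.pop(username, None)
            return Result.PASS
        # Count the failure; privilege-15 accounts are exempt from lockout, as the notes say.
        if stored is not None and stored[1] != 15 and self.max_fail is not None:
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= self.max_fail:
                self.locked.add(username)
        return Result.FAIL

    def show_lockout(self) -> List[str]:
        """Like 'show aaa local user lockout'."""
        return sorted(self.locked)

    def clear_lockout(self, username: Optional[str] = None) -> None:
        """Like 'clear aaa local user lockout all | username name'."""
        targets = [username] if username else list(self.locked)
        for name in targets:
            self.locked.discard(name)
            self.failures.pop(name, None)


def none_method(username: str, password: str) -> Result:
    """The 'none' method: always succeeds, so it only makes sense as the last fallback."""
    return Result.PASS


def login(method_list: List[Tuple[str, Method]], username: str, password: str) -> Tuple[Result, str]:
    """Walk the method list in order and return the verdict plus the method that gave it.
    If every method returned ERROR and no 'none' closes the list, the login is denied."""
    for name, method in method_list:
        result = method(username, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, "no-method-answered"
```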
• To display a list of all locked-out users.
  R# show aaa local user lockout
• To unlock a specific user or all locked users.
  R# clear aaa local user lockout all | username name
• To display the attributes that are collected for a AAA session.
  R# show aaa user all | unique-id
• To show the unique ID of a session.
  R# show aaa sessions
• For vty lines.
  R(config)# line vty 0 4
  R(config-line)# login authentication name|default
  R(config-line)# authorization exec name|default
• To debug AAA authentication or authorization.
  R# debug aaa authentication|authorization
  - Look specifically for GETUSER and GETPASS status messages.
• To configure AAA with CCP.
  CCP > Configure > Router > AAA > …
• To create a local user account.
  CCP > Router > Router Access > User Accounts/View > Add
• To configure the AAA client (router) with the TACACS+ server.
  R(config)# tacacs-server host ip key the-key
• To configure the AAA client (router) with the RADIUS server.
  R(config)# radius-server host ip key the-key
AAA Authorization (Router)
• To get the privilege level that should be given to the user from the local user database.
  R(config)# aaa authorization exec default local
• To get the privilege level that should be given to the user from the TACACS+ server.
  R(config)# aaa authorization exec default group tacacs+
• To enable command authorization on the console.
  R(config)# aaa authorization console
• To assign level 15 automatically to any user who has just authenticated.
  R(config)# aaa authorization exec default if-authenticated
• To authorize each command you enter in config mode and its submodes.
  R(config)# aaa authorization config-commands
• To authorize level x (1-15) users.
  R(config)# aaa authorization commands x default group tacacs+ if-authenticated
  R(config)# no aaa authorization config-commands
AAA debugging
• To debug AAA.
  R# debug aaa authentication
• To debug RADIUS or TACACS+.
  R# debug radius|tacacs events
AAA Accounting
• Each session established through the ACS can be fully accounted for and stored on the server.
• To configure AAA accounting.
  R(config)# aaa accounting exec default|list-name start-stop|stop-only method1 method2 ...
• ACS server configuration.
  - Network device groups. Groups of network devices, normally based on routers or switches with similar functions/devices managed by the same administrators.
  - Network devices (ACS clients/routers/switches). The individual network devices that go into the device groups.
  - Identity groups (user/admin groups). Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.
•
User accounts.
•
Individual administrator/user accounts that are placed in identity groups.
•
Authorization profiles.
•
These profiles control what rights are permitted.
•
The profile is associated with a network device group and a user/administrator identity group.
•
To manage ACS server.
•
https://ip
•
Default username and password: acsadmin pass: default
•
For trial license.
•
https://www.cisco.com/go/license
username: adelmohammad , pass: P@ssw0rd
get other licenses , demo and..., search for access control ,
To create a device group.
•
ACS > Network Resources > Network Device Groups > Device Type > Create
•
To add a device to the group.
•
Network Resources > Network Devices and AAA Clients > Create
•
Click the Select button to the right of the device type and select the device group
•
Select tacacs+ and type the password
•
In the ip address select range and type the range (ex. 10.0.0.100-200) , Add V
•
To create a user group.
•
Users and Identity Stores > Identity Groups > Create
•
To create individual user.
•
Users and Identity Stores > Internal Identity Stores > Users and click > Create
•
To create a shell profile.
•
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
•
On the Common Tasks tab, set Default Privilege to Static and type a privilege level.
•
To configure authorization policies (to assign permissions to an identity group for access to a device group).
•
Access Policies > Access Services > Default Device Admin > Authorization > Create
•
Then select a shell profile or create one (a shell profile has a name and defines a privilege level).
•
Verifying and Troubleshooting Router-to-ACS Server Interactions.
•
Ping the ACS server from the router, then test a login against the TACACS+ server group (the username and password must exist on ACS):
•
R# test aaa group tacacs+ username password legacy
•
Using debug Commands to Verify Functionality
•
To look at the reports on the ACS server.
•
Monitoring & Reports > Reports > Catalog > AAA Protocol
•
Bring Your Own Device (BYOD)
Allowing users to bring their own network-connected devices while also maintaining an appropriate security posture.
•
The organization's security policy must be leveraged to govern the level of access for BYOD devices.
•
BYOD Solution Components.
•
BYOD devices.
•
The corporate-owned and personally owned endpoints that require access to the corporate network regardless
of their physical location.
•
Wireless access points (AP).
•
Provide wireless network connectivity to the corporate network for both local & BYOD devices.
•
Wireless LAN (WLAN) controllers.
•
Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution.
•
Used to implement and enforce the security requirements for the BYOD solution.
•
Works with the ISE to enforce both authentication and authorization policies on each BYOD endpoint.
•
Identity Services Engine (ISE).
•
The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies
put forth by the organization.
•
Cisco AnyConnect Secure Mobility Client.
•
Provides connectivity for end users who need access to the corporate network.
•
Inside network users leverage 802.1X for secure access to the corporate network.
•
Outside users use the AnyConnect client for secure VPN connectivity, including posture checking.
•
Integrated Services Routers (ISR).
•
Will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and
Internet access for home office environments.
•
Can provide VPN connectivity for mobile devices that are part of the BYOD solution.
•
Adaptive Security Appliance (ASA).
•
Provides all the standard security functions for the BYOD solution at the Internet edge.
•
Can provide IPS and VPN for end devices.
•
Cloud Web Security (CWS).
•
Provides enhanced security for all the BYOD solution endpoints while they access Internet.
•
RSA SecurID.
•
The RSA SecurID server provides one-time password (OTP) generation and logging for users that access
network devices and other applications which require OTP authentication.
•
•
Active Directory.
•
Restricts access to those users with valid authentication credentials.
•
Certificate authority.
•
The CA server ensures that only devices with corporate certificates can access the corporate network.
•
Mobile Device Management (MDM).
•
Deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.
•
Specific functions provided by MDM include:
•
Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached).
-
Enforcement of strong passwords for all BYOD devices.
-
Detection of attempts to “jailbreak” or “root” BYOD devices, specifically smartphones, and then attempting
to use these compromised devices on the corporate network.
-
Enforcement of data encryption requirements based on an organization’s security policies.
-
Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed.
-
MDM Deployment Options.
•
On-Premise MDM Deployment.
•
MDM application software is installed and maintained on servers within the corporate data center.
•
Consists of the following topology and network components:
•
Data center.
•
The data center consists of the servers and ISE to enforce posture assessment and access control.
•
Internet edge.
•
Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital
certificates, applications, data, and configuration settings for all the BYOD devices.
•
Services.
•
Contains the WLC for all APs to which the corporate users connect, as well as any other network-based
services required for the corporate environment.
•
Core.
•
Serves as the main distribution and routing point for all network traffic traversing the corporate network
environment.
•
Campus building.
•
A distribution switch provides the main ingress/egress point for all network traffic entering and exiting from
the campus environment.
•
Cloud-Based MDM Deployment.
•
MDM application software is hosted, managed and maintained by a service provider who is solely
responsible for the BYOD solution.
•
Consists of the following topology and network components:
•
Data Center.
•
The data center consists of the servers and ISE to enforce posture assessment and access control.
•
Internet edge.
•
Includes an ASA firewall, WLC and the MDM which provides all the policies and profiles, digital
certificates, applications, data, and configuration settings for all the BYOD devices.
•
WAN.
•
Provides MPLS VPN connectivity for the branch office back to corporate network.
•
Internet access for the branch office.
•
Access to the cloud-based MDM functionality.
•
The cloud-based MDM provides all the policies and profiles, digital certificates, applications, data, and
configuration settings for all of the BYOD devices.
•
WAN edge.
•
Serve as the ingress/egress point for the MPLS WAN traffic entering from and exiting to the branch office
environment.
•
Services.
•
Contains the WLC for all APs to which the corporate users connect, as well as any other network-based
services required for the corporate environment.
•
Core.
•
Serves as the main distribution and routing point for all network traffic traversing the corporate network
environment.
•
Branch office.
•
All users requiring network connectivity within the branch office do so through either hardwired connections
to the access switches or via WLAN access to the corporate APs.
•