No Slide Title
Download
Report
Transcript No Slide Title
Chap 4 – Network Security
Learning Objectives
•
•
•
Describe the general methods used to mitigate security
threats to Enterprise networks
Configure Basic Router Security
Explain how to disable unused Cisco router network
services and interfaces
•
Explain how to use Cisco SDM
•
Manage Cisco IOS devices
1
Chapter 4
Network Security Threats
•
•
•
•
•
•
•
White hat - A white hat generally focuses on securing IT systems, whereas a black hat (the
opposite) would like to break into them.
Hacker - A general term that has historically been used to describe a computer programming
expert.
Black hat - Another term for individuals who use their knowledge of computer systems to
break into systems or networks that they are not authorized to use, usually for personal or
financial gain.
Cracker - Someone who tries to gain unauthorized access to network resources with malicious
intent.
Phreaker - Someone who manipulates the phone network to cause it to perform a function that
is not allowed.
Spammer - An individual who sends large quantities of unsolicited e-mail messages. Spammers
often use viruses to take control of home computers and use them to send out their bulk
messages.
Phisher - Uses e-mail or other means to trick others into providing sensitive information, such
as credit card numbers or passwords.
2
Chapter 4
Network Attack Goals
The attacker's goal is to compromise a network target or an application running within a
network. Many attackers use this seven-step process to gain information and state an
attack:
•
•
•
•
•
•
•
Step 1. Perform footprint analysis (reconnaissance).
Step 2. Enumerate information. An attacker can expand on the footprint by monitoring
network traffic with a packet sniffer such as Wireshark.
Step 3. Manipulate users to gain access. Sometimes employees choose passwords that
are easily crackable.
Step 4. Escalate privileges. After attackers gain basic access, they use their skills to
increase their network privileges.
Step 5. Gather additional passwords and secrets.
Step 6. Install backdoors. Backdoors provide the attacker with a way to enter the
system without being detected.
Step 7. Leverage the compromised system. After a system is compromised, an attacker
uses it to stage attacks on other hosts in the network.
3
Chapter 4
Open vs Closed Networks
Open – permit everything that is not
explicitly denied:
•Easy to configure and administer
•Easy for end users to access network
resources
•Security costs: least expensive
Restrictive – combination of specific
permissions and specific restrictions:
•More difficult to configure and
administer
•More difficult for end users to access
resources
•Security cost: more expensive
4
•Closed – deny everything not explicitly
permitted:
•Most difficult to configure and
administer
•Most difficult for end users to access
resources
•Security cost: most expensive
Chapter 4
Security Policy
A security policy meets these goals:
1.
2.
1.
Informs users, staff, and managers of their obligatory
requirements for protecting technology and
information assets.
Specifies the mechanisms through which these
requirements can be met.
Provides a baseline from which to acquire, configure,
and audit computer systems and networks for
compliance with the policy.
5
Chapter 4
Common Security Threats
There are three primary vulnerabilities or
weaknesses:
1.
2.
3.
Technological weaknesses
Configuration weaknesses
Security policy weaknesses
6
Chapter 4
Technology Weaknesses
7
Chapter 4
Configuration Weaknesses
8
Chapter 4
Policy Weaknesses
9
Chapter 4
Physical Threats
1.
Hardware threats-Physical damage to servers, routers,
2.
Environmental threats-Temperature extremes (too hot
3.
Electrical threats-Voltage spikes, insufficient supply
4.
switches, cabling plant, and workstations.
or too cold) or humidity extremes (too wet or too dry).
voltage (brownouts), unconditioned power (noise), and
total power loss.
Maintenance threats-Poor handling of key electrical
components (electrostatic discharge), lack of critical
spare parts, poor cabling, and poor labeling.
10
Chapter 4
Threats to Networks
11
Chapter 4
Social Engineering
•The easiest hack involves no computer skill at all. If an intruder can
trick a member of an organisation into giving over valuable information,
such as the location of files or passwords, the process of hacking is
made much easier.
12
Chapter 4
Reconnaissance Attacks
•
Internet information queries – such as nslookup and whois.
•
Ping sweeps - (ping the publicly available IP addresses to
identify the addresses that are active).
•
•
Port scans - determine which network services or ports are
active on the live IP addresses.
Packet sniffers - Network snooping and packet sniffing are
common terms for eavesdropping. The information gathered
by eavesdropping can be used to pose other attacks to the
network.
13
Chapter 4
Access Attacks
•
•
•
•
Password attacks – often implemented using a packet
sniffer to yield user accounts and passwords that are
transmitted as clear text.
Trust exploitation attack - compromises a trusted host,
using it to stage attacks on other hosts in a network.
Port redirection attack - an exploitation attack that uses
a compromised host to pass traffic through a firewall that
would otherwise be blocked.
Man-in-the-middle (MITM) attack - carried out by
attackers that manage to position themselves between two
legitimate hosts.
14
Chapter 4
Denial of Service Attacks
•
•
•
Ping of death – oversized ping packets could cause
unpatched versions of NT4 to crash.
Teardrop or SYN flood – attacker opens up multiple TCP
sessions, but never completes the 3-way handshake,
causing servers to crash.
Smurf attack – Distributed DOS attack, using
compromised ‘zombie’ hosts to simultaneously ping a
server.
15
Chapter 4
Malicious Code
•
•
•
A worm executes code and installs copies of itself in
the memory of the infected computer, which can, in
turn, infect other hosts.
A virus is malicious software that is attached to
another program for the purpose of executing a
particular unwanted function on a workstation.
A Trojan horse is different from a worm or virus only
in that the entire application was written to look like
something else, when in fact it is an attack tool.
16
Chapter 4
Host & Server Security Measures
•
Default usernames and passwords should be changed immediately.
•
Access to system resources should be restricted to only the
individuals that are authorised to use those resources.
•
Any unnecessary services and applications should be turned off and
uninstalled, when possible.
•
Employ firewalls to prevent access to networks ports.
•
•
Install host antivirus software to protect against known viruses.
Antivirus software can detect most viruses and many Trojan horse
applications, and prevent them from spreading in the network.
The most effective way to mitigate a worm and its variants is to
download security updates from the operating system vendor and
patch all vulnerable systems.
17
Chapter 4
Intrusion Detection & Prevention
Systems
• Intrusion detection systems (IDS) detect attacks against
a network and send logs to a management console.
• Intrusion prevention systems (IPS) prevent attacks
against the network.
18
Chapter 4
Network Security Wheel
•To assist with the compliance of a security policy, the
Security Wheel, a continuous process, has proven to be
an effective approach. The Security Wheel promotes
retesting and reapplying updated security measures on
a continuous basis.
19
Chapter 4
Security Policy
•
A security policy is a set of guidelines established to safeguard the network from
attacks, both from inside and outside a company, and should address the following:.
•
Statement of authority and scope - Defines who in the organization sponsors the
•
Acceptable use policy (AUP) - Defines the acceptable use of equipment and computing
•
Identification and authentication policy - Defines which technologies the company uses
•
Internet access policy - Defines what the company will and will not tolerate with respect
•
Campus access policy - Defines acceptable use of campus technology resources by
•
Remote access policy - Defines how remote users can use the remote access
•
Incident handling procedure - Specifies who will respond to security incidents, and how
they are to be handled.
security policy, who is responsible for implementing it, and what areas are covered by
the policy.
services, and the appropriate employee security measures to protect the organization
corporate resources and proprietary information.
to ensure that only authorised personnel have access to its data.
to the use of its Internet connectivity by employees and guests.
employees and guests.
infrastructure of the company.
20
Chapter 4
Router Security Issues
Because routers provide gateways to other networks, they are obvious
targets, and are subject to a variety of attacks. Here are some
examples of various security problems:
•
•
•
Compromising the access control can expose network configuration
details, thereby facilitating attacks against other network
components.
Compromising the route tables can reduce performance, deny
network communication services, and expose sensitive data.
Mis-configuring a router traffic filter can expose internal network
components to scans and attacks, making it easier for attackers to
avoid detection.
21
Chapter 4
Configure Basic Router
Security
Steps to Safeguard a Router:
1. Manage router security
2. Secure remote administrative access to routers
3. Logging router activity
4. Secure vulnerable router services and interfaces
5. Secure routing protocols
6. Control and filter network traffic
22
Chapter 4
1. Manage Router Security
Good password practices include the following:
•
•
•
•
•
Do not write passwords down and leave them in obvious places such
as your desk or on your monitor.
Avoid dictionary words, names, phone numbers, and dates. Using
dictionary words makes the passwords vulnerable to dictionary
attacks.
Combine letters, numbers, and symbols. Include at least one
lowercase letter, uppercase letter, digit, and special character.
Make passwords lengthy. The best practice is to have a minimum of
eight characters. Enforce the minimum length using Cisco IOS.
Change passwords as often as possible – stated in security policy.
23
Chapter 4
1. Manage Router Security
R1(config)# service password-encryption
R1(config)#no enable password
R1(config)#enable secret Tnotbi666
R1(config)#security passwords min-length 8
•Cisco recommends that Type 5 encryption be used
instead of Type 7 whenever possible. MD5 encryption is a
strong encryption method. It should be used whenever
possible. It is configured by replacing the keyword
password with secret.
24
Chapter 4
2. Secure Remote Access
R1(config)# line aux 0
R1(config-line)#no password
R1(config-line)#login
%login disabled on line 65 until ‘password’ is set
R1(config-line)#exit
•Remote access not only applies to the VTY line of the
router, it also applies to the TTY lines and the auxiliary
(AUX) port. Aux lines provide asynchronous access to a
router using a modem – disable them on all routers.
25
Chapter 4
2. Secure Remote Access
R1(config)# line vty 0 4
R1(config-line)#no transport input
R1(config-line)#transport input telnet ssh
R1(config-line)#exec-timeout 5
R1(config-line)#exit
R1(config)#service tcp-keepalives-in
•By default, all VTY lines are configured to accept any type
of remote connection. VTY lines should be configured to
accept connections only with the protocols actually needed.
This is done with the transport input command.
26
Chapter 4
2. Secure Remote Access
•SSH has replaced Telnet as the best practice for
providing remote router administration with connections
that support strong privacy and session integrity. SSH
uses port TCP 22.
•It provides functionality that is similar to that of an
outbound Telnet connection, except that the connection is
encrypted. With authentication and encryption, SSH
allows for secure communications over an insecure
network.
•Not all Cisco IOS images support SSH. Only
cryptographic images can. Typically, these images have
image IDs of k8 or k9 in their image names.
27
Chapter 4
2. Secure Remote Access
Configure SSH security:
•
•
•
•
•
•
•
•
•
•
R1(config)# ip domain-name cisco.com
R1(config)#crypto key generate rsa
How many bits in the modulus [512]:1024
R1(config)#username student password cisco
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#exit
R1(config)#ip ssh time-out 15
R1(config)#ip ssh authentication-retries 2
28
Chapter 4
3. Logging Router Activity
•
•
•
Logs allow verification that a router is working
properly or to determine whether the router has
been compromised. In some cases, a log can show
what types of probes or attacks are being attempted
against the router or the protected network.
Routers support different levels of logging. The eight
levels range from 0, emergencies indicating that the
system is unstable, to 7 for debugging messages that
include all router information.
Logs can be forwarded to a variety of locations,
including router memory or a dedicated syslog server.
A syslog server provides a better solution because all
network devices can forward their logs to one central
station where an administrator can review them
29
Chapter 4
4. Secure Router Services and
Interfaces.
Cisco routers support a large number of network services
at layers 2, 3, 4, and 7. Some of these services can be
restricted or disabled to improve security without
degrading the operational use of the router:
•Small services such as echo, discard, and chargen - Use the no
service tcp-small-servers or no service udp-small-servers command.
•BOOTP - Use the no ip bootp server command.
•Finger - Use the no service finger command.
•HTTP - Use the no ip http server command.
•SNMP - Use the no snmp-server command.
•CDP - Use the no cdp run command.
•Source routing - Use the no ip source-route command.
•Unused interfaces - Use the shutdown command.
•No SMURF attacks - Use the no ip directed-broadcast
command.
30
Chapter 4
5. Secure Routing Protocols.
Attacker
Computer
‘Tell R1 that
192.168.10.0/32
is reachable via
R3’
R2
R1
Computer
PC1
192.168.10.10 / 24
R1 updates its routing
table, routing packets for
192.168.10.0/24 to R3
R3
to 192.168.10.10/24
Computer
PC3
192.168.30.10 / 24
The best way to protect routing information on the network is to
authenticate routing protocol packets using message digest algorithm 5
(MD5). An algorithm like MD5 allows the routers to compare signatures
that should all be the same.
31
Chapter 4
5. Secure Routing Protocols.
Step 1 - Prevent RIP routing update propagation
Step 2 - Prevent unauthorised reception of RIP updates
Step 3 - Verify the operation of RIP routing using
route.
32
sh ip
Chapter 4
5. Secure Routing Protocols.
EIGRP Authentication
OSPF Authentication
33
Chapter 4
Auto Secure
•Cisco auto secure uses a single command to disable nonessential system processes and services, eliminating
potential security threats.
34
Chapter 4
Security Device Manager (SDM)
•The Cisco Router and Security Device Manager (SDM) is an
easy-to-use, web-based device-management tool designed for
configuring LAN, WAN, and security features on Cisco IOS
software-based routers.
35
Chapter 4
SDM Installation
•Example configuration needed to ensure installation and
running of Cisco SDM on a production router without
disrupting network traffic.
36
Chapter 4
Starting SDM
37
Chapter 4
IOS File System (IFS)
•IFS provides a single naming convention for all router
file locations and common operations.
•File system device prefix:
38
Chapter 4
IOS File System (IFS)
Legacy commands
as used in the
CCNA version-3
curriculum will be
supported for a
number of years.
39
Chapter 4
Managing IOS Images
•The show file systems command which lists all of the available
file systems on a router. Provides information about the
amount of available and free memory, the type of file system
and its permissions.
Permissions include read only (ro), write only (wo), and read
and write (rw).
40
Chapter 4
Managing IOS Images
•The dir command lists the content of the current default
file system, (default is flash) .
•There are several files located in flash, but of specific
interest is the file image name of the current IOS running in
RAM.
41
Chapter 4
Managing IOS Images
•To view the contents of NVRAM, change the current
default file system using the cd nvram: change directory
command. The pwd command displays present working
directory (default). The dir command lists the contents of
NVRAM.
42
Chapter 4
Cisco IOS File Naming
Convention
43
Chapter 4
Managing IOS Images
•Widely distributed routers need a source or backup location for Cisco IOS
software images. Using a network TFTP server allows image and configuration
uploads and downloads over the network. A TFTP server can be another router,
a workstation, or a host system.
•As any network grows, storage of Cisco IOS software images and
configuration files on the central TFTP server enables control of the number
and revision level of Cisco IOS images and configuration files that must be
maintained.
R2
Computer
TFTP Server
192.168.20.254 / 24
44
R1
R3
Chapter 4
Managing IOS Images
Before changing a Cisco IOS image on the router,
ensure the following:
•
•
•
Determine the memory required for the update and,
if necessary, install additional memory.
Set up and test the file transfer capability between
the administrator host and the router.
Schedule the required downtime, normally outside of
business hours, for the router to perform the update.
45
Chapter 4
Managing IOS Images
When ready to do the update, perform the following:
•
Shut down all interfaces on the router not needed to
•
Back up the current operating system and the current
•
Load the update for either the operating system or the
•
Test to confirm that the update works properly. If the
perform the update.
configuration file to a TFTP server.
configuration file.
tests are successful, you can then re-enable the interfaces
you disabled. If the tests are not successful, back out the
update, determine what went wrong, and start again.
46
Chapter 4
Backup IOS to a TFTP Server
R2
Computer
TFTP Server
192.168.20.254 / 24
R1
Administrator
Computer
47
R3
Chapter 4
Upgrade IOS from a TFTP Server
R2
Computer
TFTP Server
192.168.20.254 / 24
R1
Administrator
Computer
48
R3
Chapter 4
Restore IOS from a TFTP Server
1. Enter interface configuration:
2. Download image from TFTP server:
49
Chapter 4
Router modes
•
Cisco access level routers ( 2600 series etc) have three
operating modes:
1. ROMMON
2. ROM
3. USER EXEC
•
On router boot-up the config-register contents
determines which mode the router boots to (rom,
rommon), or whether the boot system sequence, held in
NVRAM, should be followed to attempt to load a valid
IOS image.
50
Chapter 4
config-register
•Config-register contents is a 16 bit binary number
written as 4 hexadecimal digits.
51
Chapter 4
Loading IOS image.
Boot-up
Read config-register
0x2100
0x2101
0x2102
to
Behaviour on bootup depends upon
config-register
settings.
0x210F
ROM
Monitor
Mode
ROMMON
ROM
Mode
ROM
Check NVRAM boot
system sequence, default:Flash
TFTP
ROM
52
Chapter 4
Setting boot system sequence
53
Chapter 4
Password Recovery
•
•
Use the power switch to turn off the router, and then turn the router back on.
Press Break on the terminal keyboard within 60 seconds of power up to put the
router into ROMmon.
rommon 1> 0x2142 (router will bypasses the startup configuration where the
forgotten enable password is stored).
•
rommon 2>reset (reboots router, ignoring the saved configuration).
•
Router> enable
•
Router# copy startup-config running-config (copy NVRAM into memory).
•
•
•
Router#conf t – access the configuration mode to change all passwords as
required.
Router(config)#config-register 0x2102 (router will use startup-config the next
time it boots).
Router#copy running-config startup-config (to commit the changes).
54
Chapter 4
Chap 4 – Network Security
Learning Objectives
•
•
•
Describe the general methods used to mitigate security
threats to Enterprise networks
Configure Basic Router Security
Explain how to disable unused Cisco router network
services and interfaces
•
Explain how to use Cisco SDM
•
Manage Cisco IOS devices
55
Chapter 4
Any
Questions?
56
Chapter 4
Chapter 4.3.2 – OSPF
Authentication
Lab Topology
R2
S0/0/0
10.1.1.0/30
PC1
192.168.10.10/24
S0/0/0
DCE
.1
.2
.1
S0/0/1
DCE
10.2.2.0/30
S0/0/1
.2
Fa0/1
Fa0/1
R1
Computer
192.168.10.1/24
57
PC3
192.168.30.10/24
R3
Computer
192.168.30.1/24
Chapter 4