CNIT 221 Security 1 ver.2
Module 2
City College of San Francisco
Spring 2006
© 2004, 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 2 – Security Planning and Policy
Learning Objectives
–2.1 Discussing Network Security and Cisco
–2.2 Endpoint Protection and Management
–2.3 Network Protection and Management
–2.4 Security Architecture
–2.5 Basic Router Security
Module 2 – Security Planning and Policy
2.1 Discussing Network Security and Cisco
Network Security as a Continuous Process
• Network security is a continuous process built around a security policy.
–Step 1: Secure
–Step 2: Monitor
–Step 3: Test
–Step 4: Improve
(Figure: the security wheel, with Secure, Monitor, Test and Improve cycling around the Security Policy.)
Secure the Network
• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
–Authentication
–Encryption
–Firewalls
–Vulnerability patching
Monitor Security
– Detects violations to the security policy
– Involves system auditing and real-time intrusion detection
– Validates the security implementation in Step 1
Test Security
• Validates effectiveness of the security policy through system auditing and vulnerability scanning
Improve Security
–Use information from the monitor and test phases to make improvements to the security implementation.
–Adjust the security policy as security vulnerabilities and risks are identified.
What Is a Security Policy?
• “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• (RFC 2196, Site Security Handbook)
Why Create a Security Policy?
–To create a baseline of your current security posture
–To set the framework for security implementation
–To define allowed and not allowed behaviors
–To help determine necessary tools and procedures
–To communicate consensus and define roles
–To define how to handle security incidents
Security Policy Elements
(Figure: network design factors on the left, Internet threat vectors on the right, with POLICY between them.)
Network design factors:
–Data Assessment
–Host Addressing
–Application Definition
–Usage Guidelines
–Topology/Trust Model
Internet threat vectors:
–Vulnerabilities
–Denial of Service
–Misuse
–Reconnaissance
• On the left are the network design factors upon which security policy is based
• On the right are the basic Internet threat vectors that security policies are written to mitigate
Module 2 – Security Planning and Policy
2.2 Endpoint Protection and Management
Types of Firewalls
– Server Based: Microsoft ISA, CheckPoint, Zone Alarm
– Appliance: PIX Security Appliance/ASA, Netscreen, SonicWall
– Personal: Norton, McAfee, ZoneAlarms
– Integrated: IOS Firewall, Switch Firewall
Module 2 – Security Planning and Policy
2.3 Network Protection and Management
Sample Firewall Topology
VPN Definition
Remote Access VPNs
Site-to-Site VPNs
Adaptive Security Device Manager (ASDM)
Security Device Manager (SDM)
Module 2 – Security Planning and Policy
2.4 Security Architecture
Secure Connectivity
Cisco Threat Defense System
Identity Based Networking Services (IBNS)
Plan, Design, Implement, Operate, Optimize (PDIOO)
Module 2 – Security Planning and Policy
2.5 Basic Router Security
SSH
(Figure: an SSH client connecting to an SSH server and client over TCP port 22.)
SSH Server Configuration
Router(config)# hostname host-name
Router(config)# ip domain-name domain-name.com
Router(config)# crypto key generate rsa
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Controlling Access
• Console Port
• TTY
• VTY
• A console is a terminal connected to a router console port.
• The terminal can be a dumb terminal or PC with terminal emulation software.
Passwords
• Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:
• Type 7 uses the Cisco-defined encryption algorithm.
• Type 5 uses an MD5 hash, which is much stronger.
• Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands.
• Service password encryption should be used.
• Use good password practices when creating passwords.
• Configure both username and password combinations.
Good Password Practices
• Avoid dictionary words, names, phone numbers, and
dates.
• Include at least one lowercase letter, uppercase letter,
digit, and special character.
• Make all passwords at least eight characters long.
• Avoid more than four digits or same-case letters in a row.
• Change passwords often.
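The five practices on this slide can be turned into a checker that an administrator runs before setting a router password. The script below is an added example written for this page, not code from the course or from Cisco; its word list is a constructed stand-in for a real dictionary and name list, and the run rule is read literally as "five or more digits or same-case letters in a row is a violation".

```python
import re
import string

# Constructed stand-in for a dictionary/name list; a real deployment would
# load a full word list instead (assumption for this example).
COMMON_WORDS = {"password", "cisco", "router", "admin", "boston",
                "secret", "welcome", "patriot"}

# Five or more digits, lowercase letters, or uppercase letters in a row
# breaks the "no more than four ... in a row" rule.
RUN_PATTERN = re.compile(r"[0-9]{5,}|[a-z]{5,}|[A-Z]{5,}")


def check_password(pw: str) -> list:
    """Return the list of slide rules the password violates (empty = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    run = RUN_PATTERN.search(pw)
    if run:
        problems.append("run of more than four digits or same-case letters: "
                        f"'{run.group()}'")
    return problems


if __name__ == "__main__":
    # The passwords used elsewhere in this module, plus one that passes.
    for candidate in ("Curium96", "CantGessMe", "Patriot", "Tr0ub4dor&3"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:12s} -> {'; '.join(verdict)}")
```

Run against the passwords the slides themselves use, the checker rejects all of them: Curium96 has no special character and a five-letter lowercase run, CantGessMe has no digit and no special character, and Patriot is short, single-case, a dictionary word and a six-letter run.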
Initial Configuration Dialog
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no] y
Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: CantGessMe
The enable password is used when you do not specify an enable
secret password, with some older software versions, and some boot
images.
Enter enable password: WontGessMe
The virtual terminal password is used to protect access to the
router over a network interface.
Enter virtual terminal password: CantGessMeVTY
.
.
Configure the Enable Password Using enable secret
router(config)# enable secret password
• Encrypts the password in the router configuration file
• Uses a strong encryption algorithm based on MD5
Boston(config)# enable secret Curium96
Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!
Configure the Console Port User-Level Password
router(config)# line console line-number
• Enters console line configuration mode
router(config-line)# login
• Enables password checking at login
router(config-line)# password password
• Sets the user-level password to password
Boston(config)# line console 0
Boston(config-line)# login
Boston(config-line)# password ConUser1
–Creates the user-level password ConUser1
–The password is unencrypted
Configure a VTY User-Level Password
router(config)# line vty start-line-number end-line-number
• Enters VTY line configuration mode
• Specifies the range of VTY lines to configure
router(config-line)# login
• Enables password checking at login for VTY (Telnet) sessions
router(config-line)# password password
• Sets the user-level password to password
Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY
Configure an Auxiliary User-Level Password
router(config)# line aux line-number
• Enters auxiliary line configuration mode
router(config-line)# login
• Enables password checking at login for Aux connections
router(config-line)# password password
• Sets the user-level password to password
Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux
Encrypting Passwords Using service password-encryption
router(config)# service password-encryption
• Encrypts all passwords in the router configuration file
Boston(config)# service password-encryption
Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A
• Uses a weak encryption algorithm that can be easily cracked
Setting Timeouts for Router Lines
router(config-line)# exec-timeout minutes [seconds]
• Default is 10 minutes
• Terminates an unattended console connection
• Provides an extra safety factor when an administrator walks away from an active console session
Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30
Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30
• Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds
Setting Multiple Privilege Levels
router(config)# privilege mode {level level command | reset command}
• Level 1 is predefined for user-level access privileges
• Levels 2–14 may be customized for user-level privileges
• Level 15 is predefined for enable mode (enable command)
Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot
Login Banner
• Banners should be used on all network devices
• A banner should include
–A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.
–A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.
–A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.
–Specific notices required by specific local laws.
• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.
Configuring Banner Messages
router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
• Specify what is “proper use” of the system
• Specify that the system is being monitored
• Specify that privacy should not be expected when using this system
• Do not use the word “welcome”
• Have legal department review the content of the message
Boston(config)# banner motd #
WARNING: You are connected to $(hostname) on
the Cisco Systems, Incorporated network.
Unauthorized access and use of this network
will be vigorously prosecuted. #
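The recommendations in this section (an enable secret rather than an enable password, service password-encryption and its type 7 caveat, SSH-only VTY access from the SSH Server Configuration slide, exec-timeout on every line, and a banner that avoids the word "welcome") can be checked mechanically against a saved running-config. The script below is an added example written for this page, not code from the course or from Cisco. Both configs inside it are constructed: SAMPLE_CONFIG mixes recommended and discouraged settings, HARDENED_CONFIG applies the slides' advice. It assumes the plain `show running-config` layout with one-space indentation under `line` sections and a single-character banner delimiter such as the `#` the slide uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed for this example; not output from the slides.
SAMPLE_CONFIG = """\
hostname Boston
enable password WontGessMe
banner motd #
Welcome to Boston. Unauthorized access is prohibited. #
line con 0
 password ConUser1
 login
line aux 0
 password 7 7A4F5192306A
 login
 exec-timeout 3 30
line vty 0 4
 password 7 034A18F366A0
 login
 transport input telnet ssh
"""

# Constructed; the same router after applying the module's recommendations.
HARDENED_CONFIG = """\
hostname Boston
ip domain-name domain-name.com
service password-encryption
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
banner login #
WARNING: Authorized use only. Activity is monitored and logged. #
line con 0
 password 7 0956F57A109A
 login
 exec-timeout 3 30
line vty 0 4
 password 7 034A18F366A0
 login
 exec-timeout 3 30
 transport input ssh
"""

# Assumes a one-character delimiter, as with '#' on the slide.
BANNER_RE = re.compile(r"^banner (login|motd|exec)\s+(\S)(.*?)\2", re.M | re.S)
Finding = Tuple[str, str]  # ("FAIL" | "WARN", message)


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'line ...' parent; top-level
    commands are stored under the key ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        sections[""].append(cmd)
        current = cmd if cmd.startswith("line ") else ""
        sections.setdefault(current, [])
    return sections


def audit_config(config: str) -> List[Finding]:
    """Apply the module's router-hardening checks to one running-config."""
    out: List[Finding] = []
    sections = parse_sections(config)
    top = sections[""]
    if not any(c.startswith("enable secret ") for c in top):
        out.append(("FAIL", "no enable secret (type 5) protecting privileged EXEC"))
    if any(c.startswith("enable password ") for c in top):
        out.append(("FAIL", "enable password present: type 0/7, use enable secret"))
    if "service password-encryption" not in top:
        out.append(("FAIL", "service password-encryption off: line passwords in clear text"))
    if not any(c.startswith("ip domain-name ") for c in top):
        out.append(("FAIL", "ip domain-name missing: RSA keys for SSH cannot be generated"))
    banners = BANNER_RE.findall(config)
    if not banners:
        out.append(("FAIL", "no login/motd/exec banner configured"))
    for kind, _delim, text in banners:
        if "welcome" in text.lower():
            out.append(("FAIL", f"banner {kind} contains the word 'welcome'"))
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        for cmd in cmds:
            if cmd.startswith("password 7 "):
                out.append(("WARN", f"{name}: type 7 password, reversible and easily cracked"))
            elif cmd.startswith("password "):
                out.append(("FAIL", f"{name}: clear-text password"))
        if not any(c.startswith("login") for c in cmds):
            out.append(("FAIL", f"{name}: login not enabled, password never checked"))
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout ")]
        if not timeouts:
            out.append(("WARN", f"{name}: exec-timeout not set (default 10 minutes applies)"))
        elif any(t in (["0"], ["0", "0"]) for t in timeouts):
            out.append(("FAIL", f"{name}: exec-timeout 0 disables the idle timeout"))
        if name.startswith("line vty"):
            inputs = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
            if not inputs or any(t != ["ssh"] for t in inputs):
                out.append(("FAIL", f"{name}: transport input not restricted to ssh"))
    return out


def failures(config: str) -> List[str]:
    """Only the FAIL messages, for use as a pass/fail gate."""
    return [msg for sev, msg in audit_config(config) if sev == "FAIL"]
```

Type 7 line passwords are reported as WARN rather than FAIL because the slides recommend service password-encryption even while calling its algorithm weak: it stops shoulder-surfing of the config but is not a substitute for the enable secret, so the hardened config still carries two warnings and zero failures.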