Transcript ppt in chapter 11

Chapter 11
Network Security
powered by DJ
1
Chapter Objectives
At the end of this Chapter you will be able to:
Describe today's increasing network security threats and explain the
need to implement a comprehensive security policy to mitigate the
threats.
Explain general methods to mitigate common security threats to
network devices, hosts, and applications
Describe the functions of common security appliances and
applications
Describe security recommended practices including initial steps to
secure network devices
powered by DJ
2

Perimeter, Firewall, and
Typically, in medium
to large enterprise networks, the various strategies
Internal
Routers
for security are based on a some recipe of internal and perimeter routers
plus firewall devices. Internal routers provide additional security to the
network by screening traffic to various parts of the protected corporate
network, and they do this using access lists. You can see where each of
these types of devices are found in Figure below.
powered by DJ
3
powered by DJ
A Typical Secured Network
4
Recognizing Security Threats
let’s examine some common attack profiles:

Application-layer attacks
These attacks commonly zero in on well-known holes in the software
that’s typically found running on servers. Favorite targets include FTP,
send mail, and HTTP. Because the permissions level granted to these
accounts is most often “privileged,” bad guys simply access and exploit
the machine that’s running one of these applications.

Trojan horse attacks and viruses
powered by DJ
5

Backdoors
These are simply paths leading into a computer or network. Through
simple invasions, or via more elaborate “Trojan horse” code, bad guys can
use their implanted inroads into a specific host or even a network
whenever they want to—until you detect and stop them.

IP spoofing

Packet sniffers

Password attacks

Brute force attack

Port redirection attacks
 Denial of service (DoS) attack
powered by DJ
6
Mitigating Security Threats
What solution should we use to mitigate security threats?
Something
from Juniper, McAfee, or some other firewall product? NO, we
probably
useruns
something
fromofCisco.
Cisco
IOS should
software
on upwards
80 percent of the Internet
backbone routers out there; it’s probably the most critical part of
network infrastructure. So let’s just keep it real and use the Cisco
.
IOS’s software-based security, known as the Cisco IOS Firewall
feature set, for our end-to-end Internet, intranet, and remoteaccess
network security solutions. It’s a good idea to go with this because
Cisco ACLs really are quite efficient tools for mitigating many of
the
most common threats around.
powered by DJ
7
Cisco’s IOS Firewall

Authentication proxy
A feature that makes users authenticate any time they want to access the
network’s resources through HTTP, HTTPS, FTP, and Telnet. It keeps
personal network access profiles for users and automatically gets them for
you from a RADIUS and applies them as well.

Destination URL policy management
A buffet of features that’s commonly referred to as URL Filtering.

Per-user firewalls
These are basically personalized, user-specific, downloadable firewalls
obtained through service providers. You can also get personalized ACLs and
other settings via AAA server profile storage.
powered by DJ
8

Cisco IOS router and firewall provisioning
Allows for no-touch router provisioning, version updates, and security
policies.

Denial of service (DoS) detection and prevention
A feature that checks packet headers and drops any packets it finds
suspicious.

Dynamic port mapping
A sort of adapter that permits applications supported by firewalls on
nonstandard ports.

Java applet blocking
Protects you from any strange, unrecognized Java applets.
powered by DJ
9

Basic and Advanced Traffic Filtering
You can use standard, extended, even dynamic ACLs like Lock-and-Key
traffic filtering with Cisco’s IOS Firewall. And you get to apply access
controls to any network segment you want. Plus, you can specify the exact
kind of traffic you want to allow to pass through any segment.

Policy-based, multi-interface support
Allows you to control user access by IP address and interface depending on
your security policy.
powered by DJ
10

Network Address Translation (NAT)
Conceals the internal network from the outside, increasing security.

Time-based access lists
Determine security policies based upon the exact time of day and the
particular day of the week.

Peer router authentication
Guarantees that routers are getting dependable routing information from
actual, trusted sources. (For this to work, you need a routing protocol that
supports authentication, like RIPv2, EIGRP, or OSPF.)
powered by DJ
11
THANK YOU
powered by DJ
12