Drivers for network security:
- Internet connectivity is 24/7 and worldwide
- Increase in cyber crime
- Impact on business and individuals
- Legislation and liabilities
- Proliferation of threats
- Sophistication of threats
Confidentiality
Prevent the disclosure of sensitive information to unauthorized people, resources, and processes.
Integrity
The protection of system information or processes from intentional or accidental modification.
Availability
The assurance that systems and data are accessible by authorized users when needed.
Risk Management
The process of assessing and quantifying risk and establishing an acceptable level of risk for the organization. Risk can be mitigated, but cannot be eliminated.
Types of Attacks
Structured attack
Comes from hackers who are highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
Unstructured attack
Consists mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are executed only with the intent of testing and challenging a hacker's skills can still do serious damage to a company.
External attacks
Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network, mainly from the Internet or dial-up access servers.
Internal attacks
More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks are often traced to disgruntled employees.
Physical Security
- Place the router in a secured, locked room
- Install an uninterruptible power supply
Router Hardening
- Use the latest stable IOS version that meets network requirements
- Keep a copy of the OS image and configuration file as a backup
- Secure administrative control
- Disable unused ports and interfaces
- Disable unnecessary services
Remote Access
(Figure: R1 and R2 behind a firewall; an administration host and a logging host sit on a separate management LAN.)
Local access requires a direct connection to a console port using a computer running terminal emulation software.
Remote access uses Telnet, SSH, HTTP, or SNMP connections to the router from a computer, ideally from an administration host on a dedicated management LAN. Telnet, HTTP, and SNMPv1/v2c carry credentials in cleartext, so prefer SSH, HTTPS, and SNMPv3 and restrict which source addresses may reach the management interfaces.
The enable secret command restricts access to privileged EXEC mode. To require a login password for dial-up modem connections on the auxiliary port:
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login
The value cisco is only an example. Line passwords are stored in cleartext (or reversibly encoded with service password-encryption), so use a strong, unique password or, better, local usernames with login local.
By default:
- User EXEC mode is privilege level 1
- Privileged EXEC mode is privilege level 15
Sixteen privilege levels (0 to 15) are available. Privilege levels allow infrastructure access to be granted in steps, for example:
- A USER account with normal, level 1 access
- A SUPPORT account with level 1 access plus the ping command
- A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command
- An ADMIN account which has all of the regular privileged EXEC commands
CLI Commands
router(config)# secure boot-image
Enables IOS image resilience: the running image is secured so that it cannot be erased or overwritten from the CLI.
router(config)# secure boot-config
Takes a snapshot of the router running configuration and securely archives it in persistent storage.
Privilege Levels
R1> enable 5
Password: <abc5>
R1# show privilege
Current privilege level is 5
R1# reload
Translating "reload"
% Unknown command or computer name, or unable to find computer address
R1#
The enable level command switches from level 1 to level 5, and show privilege displays the current privilege level. Because reload is a level 15 command, it is not recognized at level 5; IOS falls back to treating the word as a host name to resolve, hence the "Translating" message.
Authentication
Password-Only Method
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords
- Uses a login and password combination on access lines
- Easiest to implement, but the most insecure method
- Vulnerable to brute-force attacks
- Provides no accountability: everyone shares the same password
Local Database Method
User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
- Creates an individual user account and password on each device
- Provides accountability
- User accounts must be configured locally on each device
- Provides no fallback authentication method
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local
On the vty lines, pair login local with transport input ssh so that the credentials do not cross the network in cleartext, and consider login block-for to slow down brute-force attempts.
The AAA analogy for accounting: what did you spend it on?
Self-Contained AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.
Used for small networks; stores usernames and passwords locally on the Cisco router.
Server-Based AAA
Server options: Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, Cisco Secure ACS Express.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
AAA Authorization
Typically implemented using an AAA server-based solution Uses a set of attributes that describes user access to the network
1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
Implemented using an AAA server-based solution Keeps a detailed log of what an authenticated user does on a device
1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process.
To authenticate administrator access (character mode access):
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration
Sample Configuration
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
The local-case keyword makes usernames case-sensitive. In the default list, the enable method is tried only if the local method cannot respond (for example, no usernames are defined), not when a user simply fails authentication; this protects against locking yourself out of the console. The vty lines use the TELNET-LOGIN list, which has no fallback.
RADIUS
- The router (the NAS) sends an Access-Request to the AAA server and receives an Access-Accept or Access-Reject
- Works in both local and roaming situations
- Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting (1812 and 1813 are the IANA-assigned ports; 1645 and 1646 are the legacy values)
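The exchange behind those port numbers, as an added example that is not part of the original page or any Cisco product: it builds an Access-Request the way RFC 2865 specifies, including the User-Password hiding based on MD5 and the shared secret, lets a minimal "server" recover the password and answer, and has the NAS verify the Response Authenticator before trusting the Access-Accept. The shared secret, username, password and NAS address are constructed values.

```python
"""RADIUS Access-Request / Access-Accept on the wire (RFC 2865), built and verified with
the standard library only.  Added example for this page, not Cisco or ACS code.  It shows
what the UDP/1812 datagram carries and why the shared secret is the only thing protecting
the User-Password attribute.  Secret, username, password and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _password_stream(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator.  Same loop both ways."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]   # chain on the *ciphertext* block
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_stream(padded, secret, req_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _password_stream(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes, req_auth: bytes = None) -> bytes:
    if req_auth is None:
        req_auth = os.urandom(16)       # must be unpredictable and unique per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(ATTR_NAS_IP, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse(packet: bytes):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse(request)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS must check before acting on an Access-Accept: same identifier, and a
    Response Authenticator that only a holder of the shared secret could have produced."""
    _, ident, resp_auth, _ = parse(response)
    _, req_ident, req_auth, _ = parse(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)

def server_authenticate(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Minimal AAA server: recover the password with the shared secret, check it, answer."""
    code, _, req_auth, attrs = parse(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    accepted = user_db.get(attrs[ATTR_USER_NAME]) == password
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, request, secret)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(1, b"ADMIN", b"Str0ng5rPa55w0rd", secret, bytes([10, 1, 1, 1]))
    resp = server_authenticate(req, secret, {b"ADMIN": b"Str0ng5rPa55w0rd"})
    print("Access-Accept" if parse(resp)[0] == ACCESS_ACCEPT else "Access-Reject",
          "authentic:", response_is_authentic(resp, req, secret))
```

Two things the code makes visible: the password is only XOR-masked with an MD5 stream derived from the shared secret, so anyone who captures the datagram and knows (or guesses) the secret reads it back, and a weak secret is an offline dictionary attack away from every password that crossed the link; and an Access-Request carries no authenticator of its own, so a NAS must at least validate the Response Authenticator as above. In practice, use long random secrets per NAS and carry RADIUS inside IPsec or RadSec (RADIUS over TLS) rather than bare UDP.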
Numbered IP ACLs
In a standard numbered ACL statement, the first value specifies the ACL number and the second value specifies whether to permit or deny traffic from the configured source IP address. Extended numbered ACLs start with the same two values and then add the protocol, source, destination, and optional port qualifiers.
Named IP ACLs
Both standard and extended ACLs can be given names instead of numbers. Extended named ACL example:
Router(config)# ip access-list extended vachon1
Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1
Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80
Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25
Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 established
Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established
Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
Router(config)# interface ethernet 1
Router(config-if)# ip access-group vachon1 in
Router(config-if)# exit
Entries are evaluated top-down and the first match wins. The closing deny ip any any duplicates the implicit deny, which lets denied packets be counted and logged. An inbound ACL is checked as packets arrive on the interface; an outbound ACL is checked before they leave it.
Viewing Commands
R1# show running-config
<output omitted>
!
hostname R1
<output omitted>
enable secret 5 $1$MJD8$.1LWYcJ6iUi133Yg7vGHG/
<output omitted>
crypto pki trustpoint TP-self-signed-1789018390
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1789018390
 revocation-check none
 rsakeypair TP-self-signed-1789018390
!
crypto pki certificate chain TP-self-signed-1789018390
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  <output omitted>
  1BF29620 A084B701 5B92483D D934BE31 ECB7AB56 8FFDEA93 E2061F33 8356
  quit
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group Outbound in
<output omitted>
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 128000
!
<output omitted>
no ip http server
ip http secure-server
!
ip access-list standard Outbound
 remark SDM_ACL Category=1
 permit 192.168.1.3
!
access-list 100 remark SDM_ACL Category=16
access-list 100 deny tcp any host 192.168.1.3 eq telnet log
access-list 100 permit ip any any
!
<output omitted>
The enable secret 5 entry is an MD5-based (type 5) hash; IOS releases that support type 8 (PBKDF2) or type 9 (scrypt) secrets should use those instead, and the running configuration should be treated as sensitive wherever it is stored or shared.
Types of ACLs
- Standard IP ACLs
- Extended IP ACLs
- Extended IP ACLs using TCP established
- Reflexive IP ACLs
- Dynamic ACLs
- Time-Based ACLs
Time-Based ACLs: Example Configuration
(Figure: the Perimeter router connects the 200.1.1.0/24 network to the Internet; a user complains "I can't surf the web at 10:00 A.M. because of the time-based ACL!")
Perimeter(config)# time-range employee-time
Perimeter(config-time)# periodic weekdays 12:00 to 13:00
Perimeter(config-time)# periodic weekdays 17:00 to 19:00
Perimeter(config-time)# exit
Perimeter(config)# access-list 100 permit tcp any host 200.1.1.11 eq 25
Perimeter(config)# access-list 100 permit tcp any eq 25 host 200.1.1.11 established
Perimeter(config)# access-list 100 permit udp any host 200.1.1.12 eq 53
Perimeter(config)# access-list 100 permit udp any eq 53 host 200.1.1.12
Perimeter(config)# access-list 100 permit tcp any 200.1.1.0 0.0.0.255 established time-range employee-time
Perimeter(config)# access-list 100 deny ip any any
Perimeter(config)# interface ethernet 1
Perimeter(config-if)# ip access-group 100 in
Perimeter(config-if)# exit
Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 eq 25 any
Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 any eq 25
Perimeter(config)# access-list 101 permit udp host 200.1.1.12 eq 53 any
Perimeter(config)# access-list 101 permit udp host 200.1.1.12 any eq 53
Perimeter(config)# access-list 101 permit tcp 200.1.1.0 0.0.0.255 any time-range employee-time
Perimeter(config)# access-list 101 deny ip any any
Perimeter(config)# interface ethernet 1
Perimeter(config-if)# ip access-group 101 out
The mail server (200.1.1.11) and DNS server (200.1.1.12) are reachable at all times. Employee TCP sessions from 200.1.1.0/24, and the returning established traffic, are permitted only during the employee-time windows (weekday lunch hour and early evening), which is why web browsing fails at 10:00 A.M.
Further extended ACL examples: permitting DNS, SMTP, and FTP to the server 192.168.20.2, and permitting host 200.5.5.5 to reach 10.0.1.1 for Telnet, SSH (port 22), syslog, and SNMP traps.
R1(config)# access-list 122 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 122 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 122 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap
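How IOS actually evaluates the ACLs above, as an added example written for this page (not Cisco code): it models wildcard-mask matching, top-down first-match evaluation with the implicit deny, port names such as smtp and domain, and the established keyword, then runs the vachon1 ACL from the named-ACL section over constructed packets. The ACE grammar it parses is the subset used on this page (no time-range or log keywords); the test addresses are constructed.

```python
"""Model of Cisco IOS extended-ACL evaluation: top-down, first match wins, implicit deny
at the end.  Added example for this page; the ACE grammar covers the subset used here
(permit|deny PROTO SRC [eq PORT] DST [eq PORT] [established]).  Sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names IOS accepts in place of numbers (the ones used on this page).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80,
              "snmptrap": 162, "syslog": 514}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care' (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # 'established' matches TCP segments with ACK or RST set

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]       # (base address, wildcard mask)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    established: bool
    text: str

def _addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' qualifier starting at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    t = line.split()
    action, proto, i = t[0], t[1], 2
    src, i = _addr(t, i)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(action, proto, src, sport, dst, dport, "established" in t[i:], line)

def ace_matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if not (wildcard_match(p.src, *ace.src) and wildcard_match(p.dst, *ace.dst)):
        return False
    if ace.sport is not None and p.sport != ace.sport:
        return False
    if ace.dport is not None and p.dport != ace.dport:
        return False
    # 'established' is stateless: it only inspects TCP flags and tracks no sessions.
    if ace.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True

def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, str]:
    """Walk the ACL top-down; the first matching ACE decides.  No match => implicit deny."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"

# The vachon1 ACL from this page, applied inbound on the Internet-facing interface.
VACHON1 = [parse_ace(l) for l in [
    "deny ip any 200.1.2.10 0.0.0.1",
    "permit tcp any host 200.1.1.11 eq 80",
    "permit tcp any host 200.1.1.10 eq 25",
    "permit tcp any eq 25 host 200.1.1.10 established",
    "permit tcp any 200.1.2.0 0.0.0.255 established",
    "permit udp any eq 53 200.1.2.0 0.0.0.255",
    "deny ip any any",
]]

if __name__ == "__main__":
    # Constructed traffic from an Internet host toward the protected networks.
    for pkt in (Packet("tcp", "198.51.100.7", "200.1.1.11", 40000, 80),
                Packet("tcp", "198.51.100.7", "200.1.2.5", 40000, 80),
                Packet("tcp", "198.51.100.7", "200.1.2.5", 40000, 80, ack_or_rst=True),
                Packet("tcp", "198.51.100.7", "200.1.2.11", 40000, 80, ack_or_rst=True)):
        print(pkt.dst, "ack" if pkt.ack_or_rst else "syn", "->", evaluate(VACHON1, pkt))
```

The third and fourth packets show the two caveats a practitioner should keep in mind: established only looks at the ACK/RST bits, so a crafted segment with ACK set passes the 200.1.2.0/24 line even though no session exists (a reflexive ACL or a stateful firewall fixes this), and ordering matters, because the same segment addressed to 200.1.2.11 is stopped by the first deny before the permit is ever reached.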
Benefits of Firewalls
- Prevent exposing sensitive hosts and applications to untrusted users
- Prevent the exploitation of protocol flaws by sanitizing the protocol flow
- Prevent malicious data from being sent to servers and clients
- Properly configured firewalls make security policy enforcement simple, scalable, and robust
- A firewall reduces the complexity of security management by concentrating most of the network access control at a few points in the network
Types of Firewalls
- Packet filtering firewall
- Stateful firewall
- Cisco Systems firewall solutions
Stateful Firewall
(Figure: a client at 10.1.1.1 opens a connection to 200.3.3.3 on destination port 80; the firewall records the session in its state table and permits only the matching return traffic.)
Design Example
(Figure: R2 is a Cisco router with IOS Firewall facing the Internet; R1 and R3 connect to switches S1 to S3 and the internal hosts; PC A hosts the RADIUS/TACACS+ server.)
Common Designs
- LAN-to-Internet
- Public servers
- Redundant firewalls
- Complex firewall
IDS (Promiscuous Mode)
1. An attack is launched on a network that has a sensor deployed in promiscuous (IDS) mode, so copies of all packets are sent to the IDS sensor for analysis. The target machine still experiences the malicious attack.
2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic.
3. The IDS can also send an alarm to a management console for logging and other management purposes.
IPS (Inline Mode)
1. An attack is launched on a network that has a sensor deployed in IPS (inline) mode.
2. The IPS sensor analyzes the packets as they enter the IPS sensor interface.
3. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
4. The IPS sensor can also send an alarm to a management console for logging and other management purposes. Traffic in violation of policy is dropped by the sensor (the bit bucket in the figure) and never reaches the target.
IDS and IPS compared
Both technologies are deployed using sensors, both use signatures to detect patterns of misuse in network traffic, and both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
IDS (promiscuous mode) advantages:
- No network impact if there is a sensor failure
- No network impact if there is sensor overload
IDS disadvantages:
- Correct tuning required for response actions
- Must have a well-thought-out security policy
- More vulnerable to network evasion techniques, since the sensor only sees a copy of the traffic and cannot stop the triggering packet
Network-Based Implementation
(Figure: IPS sensors deployed inline at the Internet perimeter alongside the firewall and VPN gateway; remote workers and the remote branch connect over VPN; the web, email, and DNS servers and the internal hosts sit behind the sensors, with Cisco Security Agent (CSA) on selected hosts, an IronPort appliance for mail, and MARS and ACS for monitoring and AAA.)
Host-Based Implementation
(Figure: the same topology with a Cisco Security Agent installed on every server and host, including the web, email, and DNS servers, so protection is enforced on each endpoint rather than only at the perimeter.)
Threat Protection
Based on three elements:
- Cisco Network Admission Control (NAC)
- Endpoint protection
- Network infection containment
(Figure, indirect attack: "I have gained access to this system, which is trusted by the other system, allowing me to access it.")
CSA Architecture
(Figure: servers protected by Cisco Security Agent report events to the Management Center for Cisco Security Agent, backed by an internal or external database; the administration workstation connects to the management center over SSL to review alerts and define the security policy that is pushed to the agents.)
CSA Overview
(Figure: an application's requests pass through the agent's network interceptor and configuration interceptor, each of which either allows or blocks the request.)
Layer 2 Security
(Figure: the perimeter with firewall, VPN, IPS, and IronPort appliances between the Internet and the internal hosts and the web, email, and DNS servers; MARS and ACS on the management side.)
(Figure, MAC address table: the switch says "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly." An attacker is attached to the same switch.)
STP Manipulation
Spanning Tree Protocol operates by electing a root bridge and building a tree topology around it. STP manipulation changes the topology of the network: the attacking host announces itself with a superior bridge priority so that it appears to be the root bridge, and traffic is redirected through it.
Storm Attacks
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
VLAN Attacks
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning trunking on
Double-Tagging Attack
(Figure: an attacker on the native VLAN sends a doubly tagged 802.1Q frame across the trunk to a server on VLAN 20.)
1. The attacker sends a frame carrying two 802.1Q tags: an outer tag for the native VLAN of the trunk and an inner tag for the target VLAN 20.
2. The first switch strips the outer (native VLAN) tag and forwards the frame over the 802.1Q trunk with the VLAN 20 tag still in place.
3. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the attacker's access port is in the same VLAN as the native VLAN of the trunk.
Port Security
(Figure: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; frames from Attacker 1 and Attacker 2 with any other source address are rejected.)
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
CLI Commands
Switch(config-if)# switchport mode access
Sets the interface to access mode; port security cannot be enabled on a port that negotiates trunking.
Switch(config-if)# switchport port-security
Enables port security on the interface.
Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional).
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
---------------------------------------------------------------------------
Fa0/12       2              0            0                  Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface fa0/12
Port Security              :
Port status                :
Violation mode             :
Maximum MAC Addresses      :
Total MAC Addresses        :
Configured MAC Addresses   :
Aging time                 :
Aging type                 :
SecureStatic address aging :
Security Violation Count   :
Mitigating VLAN Hopping
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking only where it is needed.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Configuring RSPAN
1. Configure the RSPAN VLAN (it must exist on every switch in the path, here 2960-1 and 2960-2):
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
Using VLANs for Voice
(Figure: an IP phone at 10.1.110.3 on voice VLAN 110 and a desktop PC at 171.1.1.1 on data VLAN 10 share an 802.1Q trunk on port 5/1.)
- Creates a separate broadcast domain for voice traffic
- Helps protect against eavesdropping and tampering by separating voice from data traffic (separation, not encryption)
- Renders packet-sniffing tools on the data VLAN less effective
- Makes it easier to implement VACLs that are specific to voice traffic
Cryptographic Systems
Authentication
An ATM Personal Identification Number (PIN) is required for authentication. The PIN is a shared secret between a bank account holder and the financial institution.
History
- Scytale (700 BC)
- Vigenère table
Cryptanalysis Methods
- Brute-force attack
- Known-ciphertext (ciphertext-only) attack
Brute-Force Attack
With a brute-force attack, the attacker has some portion of ciphertext and attempts to decrypt it with every possible key until recognizable plaintext appears. The work doubles with each additional key bit, which is why key length, not secrecy of the algorithm, carries the security.
Hashes: The Basics
- Hashes are used for integrity assurance.
- Hashes are based on one-way functions.
- The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.
MD5
- One-way function: easy to compute the hash, infeasible to compute the data given a hash
- Complex sequence of simple binary operations (XORs, rotations, etc.) which finally produces a 128-bit hash
SHA
- SHA is similar in design to the MD4 and MD5 family of hash functions
- Takes an input message of no more than 2^64 bits
- Produces a 160-bit message digest
- The algorithm is slightly slower than MD5
- SHA-1 is a revision that corrected an unpublished flaw in the original SHA
- SHA-224, SHA-256, SHA-384, and SHA-512 are newer and more secure versions of SHA and are collectively known as SHA-2
Practical collisions have since been demonstrated for both MD5 and SHA-1, so neither should be used where collision resistance matters (certificates, code signing); use SHA-2 or SHA-3.
HMAC Example
(Figure: the sender runs the data "Pay to Terry Smith One Hundred and xx/100 $100.00 Dollars" and a secret key through the HMAC function to obtain 4ehIDx67NMop9 and sends both; the receiver recomputes the HMAC over the received data with the same secret key and compares it with the received value.)
If the generated HMAC matches the sent HMAC, then integrity and authenticity have been verified. If they don't match, discard the message.
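The check in the figure, as an added example written for this page (not code from the original): it shows why the receiver must use a keyed HMAC rather than a bare hash, and why the comparison must be constant-time. The payment message and the key are constructed values; the attacker in the scenario can alter the message and recompute any unkeyed digest but does not hold the key.

```python
"""Why an HMAC, not a bare hash, proves both integrity and origin.  Added example for this
page; the payment message and shared key are constructed.  An attacker who alters the
message can recompute a plain digest, but cannot recompute an HMAC without the shared key."""
import hashlib
import hmac

# Constructed message and shared secret (the 'Secret Key' box in the figure above).
MESSAGE = b"Pay to Terry Smith One Hundred and xx/100 $100.00 Dollars"
KEY = b"constructed-shared-secret-key"

def plain_digest(data: bytes) -> bytes:
    """Unkeyed hash: anyone, including the attacker, can compute it."""
    return hashlib.sha256(data).digest()

def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the message; requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time; a plain == leaks timing information."""
    return hmac.compare_digest(make_tag(key, data), tag)

def tamper(message: bytes) -> bytes:
    """A man in the middle rewrites the amount."""
    return (message.replace(b"One Hundred", b"One Th0usand")
                   .replace(b"$100.00", b"$1000.00"))

def receiver_accepts_with_plain_hash(message: bytes) -> bool:
    """Sender sends (message, sha256(message)).  The attacker replaces both with a forged
    message and its freshly computed digest; the receiver's check still passes."""
    forged = tamper(message)
    received_msg, received_digest = forged, plain_digest(forged)
    return plain_digest(received_msg) == received_digest

def receiver_accepts_with_hmac(message: bytes, key: bytes) -> bool:
    """Sender sends (message, HMAC(key, message)).  The attacker can only forward the
    original tag alongside the forged message; verification fails."""
    original_tag = make_tag(key, message)
    forged = tamper(message)
    return verify_tag(key, forged, original_tag)

if __name__ == "__main__":
    print("plain hash accepts tampered message:", receiver_accepts_with_plain_hash(MESSAGE))
    print("HMAC accepts tampered message:      ", receiver_accepts_with_hmac(MESSAGE, KEY))
```

The same construction is what IPsec and other protocols on this page use for per-packet integrity; the keyed part is what turns "the data was not corrupted" into "the data came from someone holding the key".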
Symmetric Encryption
(Figure: sender and receiver hold the same pre-shared key; $1000 encrypts to $!@#IQ and decrypts back to $1000.)
- Best known as shared-secret key algorithms
- The usual key length is 80 to 256 bits
- A sender and receiver must share a secret key
- Faster processing because they use simple mathematical operations
- Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish. Of these, only AES is still recommended: DES and RC4 are broken, and the 64-bit-block ciphers (3DES, IDEA, RC2, Blowfish) are deprecated.
Asymmetric Encryption
(Figure: two separate keys, an encryption key and a decryption key, which are not shared; $1000 encrypts to %3f7&4 and decrypts back to $1000.)
- Also known as public key algorithms
- The usual key length is 512 to 4096 bits
- A sender and receiver do not share a secret key
- Relatively slow because they are based on difficult computational problems
- Examples include RSA, ElGamal, elliptic curves, and DH
(Figure: a block cipher processes plaintext in 64-bit blocks, producing a 64-bit block of encrypted text for each input block.)
Public key encryption:
- Computer A uses Computer B's public key to encrypt a message using an agreed-upon algorithm
- Computer B uses its private key to decrypt and reveal the message
What is a VPN?
(Figure: a business partner with a Cisco router and a mobile worker with a Cisco VPN Client reach the corporate network across the Internet, through the firewall and VPN gateway.)
Virtual: information within a private network is transported over a public network.
Private: the traffic is encrypted to keep the data confidential.
Layer 3 VPN
(Figure: IPsec tunnels across the Internet between VPN gateways.)
Remote-Access VPNs
(Figure: a mobile worker with a Cisco VPN Client connects over the Internet to the corporate VPN gateway behind the firewall.)
Site-to-Site VPNs
(Figure: VPN gateways at the corporate site and the remote sites build IPsec tunnels over the WAN and Internet.)
IPsec Clients
- A wireless client loaded on a PDA (Certicom PDA IPsec VPN Client)
- Software loaded on a PC, for example a small office connecting over the Internet
IPsec Topology
(Figure: at the main site an IPsec perimeter router, a legacy Cisco PIX Firewall, an ASA at the POP, and a legacy VPN concentrator terminate tunnels from a business partner with a Cisco router and from corporate users.)
IPsec
IPsec is a framework of open standards which is algorithm-independent. It provides data confidentiality, data integrity, and origin authentication.
IKE Pre-Shared Key Authentication
At the local device, the pre-shared authentication key and the identity information (including device-specific Diffie-Hellman information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated. The authentication process continues in the opposite direction: the remote device combines its identity information with the pre-shared authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
(Figure: an IKE SA is established between the peers first; the IPsec SAs that protect the data are negotiated under its protection.)
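The hash_I / hash_R exchange above, carried out over a real Diffie-Hellman agreement, as an added example written for this page: each peer derives the shared DH secret and then proves knowledge of the pre-shared key with a keyed hash over its identity and both public values, which the other side recomputes and compares. This is not Cisco code and not the exact ISAKMP formula (IKEv1 first derives SKEYID and also hashes the SA payload and cookies); it keeps the shape of the text. It also illustrates the asymmetric-key point from the earlier section, since the private exponent never leaves the device. Peer identities and PSKs are constructed. The modulus is the 1024-bit MODP group 2 of RFC 2409 (IOS "group 2"), which is too small for new deployments; use group 14 (2048-bit) or an elliptic-curve group in production.

```python
"""Diffie-Hellman key agreement followed by pre-shared-key mutual authentication, in the
shape this page describes for IKE.  Added example for this page; not Cisco code and not
the exact ISAKMP formula.  Identities and PSKs are constructed.  Modulus: RFC 2409 group 2
(1024-bit MODP), shown because it matches the course era; too weak for new deployments."""
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PUB_LEN = 128   # bytes in a 1024-bit value

class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity, self.psk = identity, psk
        self.x = secrets.randbelow(P - 3) + 2        # private exponent: never leaves the device
        self.public = pow(G, self.x, P)              # g^x mod p: sent in the clear
        self.shared = None

    def derive(self, peer_public: int) -> None:
        """Accept the peer's public value and compute the shared secret g^(xy) mod p."""
        if not 1 < peer_public < P - 1:              # 0, 1 and p-1 force a trivial secret
            raise ValueError("invalid Diffie-Hellman public value")
        self.shared = pow(peer_public, self.x, P)

    def _auth_hash(self, identity: bytes, own_pub: int, peer_pub: int) -> bytes:
        """Keyed hash over identity, both public values and the DH secret.  Only a holder
        of the PSK who also completed this DH exchange can produce it."""
        msg = (identity + own_pub.to_bytes(PUB_LEN, "big") + peer_pub.to_bytes(PUB_LEN, "big")
               + self.shared.to_bytes(PUB_LEN, "big"))
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def prove(self, peer_public: int) -> bytes:
        """hash_I (or hash_R): what this device sends to authenticate itself."""
        return self._auth_hash(self.identity, self.public, peer_public)

    def verify(self, peer_identity: bytes, peer_public: int, received: bytes) -> bool:
        """Independently recreate the peer's hash and compare in constant time."""
        expected = self._auth_hash(peer_identity, peer_public, self.public)
        return hmac.compare_digest(expected, received)

def run_exchange(psk_local: bytes, psk_remote: bytes):
    """Full exchange between a local and a remote peer.  Returns
    (same shared secret?, remote authenticated local?, local authenticated remote?)."""
    local = Peer(b"r1.example.net", psk_local)
    remote = Peer(b"r2.example.net", psk_remote)
    local.derive(remote.public)                      # public values cross the network
    remote.derive(local.public)
    hash_i = local.prove(remote.public)              # local -> remote
    hash_r = remote.prove(local.public)              # remote -> local
    return (local.shared == remote.shared,
            remote.verify(local.identity, local.public, hash_i),
            local.verify(remote.identity, remote.public, hash_r))

if __name__ == "__main__":
    print("matching PSKs  :", run_exchange(b"constructed-psk", b"constructed-psk"))
    print("mismatched PSKs:", run_exchange(b"constructed-psk", b"wrong-psk"))
```

With mismatched PSKs the two sides still derive the same DH secret, which is exactly the point of the authentication step: Diffie-Hellman alone agrees a key with whoever is on the other end, and only the PSK-keyed hash binds that key to a known peer identity. The public-value check in derive rejects the degenerate values an attacker could inject to force a predictable secret.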
Nmap
Basic functionality:
- Classic TCP and UDP port scanning
- Classic TCP and UDP port sweeping
- Stealth TCP and UDP port scans and sweeps
- Remote operating system identification, known as OS fingerprinting
Disaster Recovery
The process of regaining access to the data, hardware, and software necessary to resume critical business operations after a disaster. The plan should also cover coping with the unexpected or sudden loss of key personnel.
Security Policy Implementation
A written security policy:
- Demonstrates an organization's commitment to security
- Sets the rules for expected behavior
- Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
- Defines the legal consequences of violations
- Gives security staff the backing of management