
1|Page

INDEX

1. Modern Network Security Threats (page 2)
2. Securing Network Devices (page 10)
3. Authentication, Authorization and Accounting (page 22)
4. Firewalls (page 30)
5. Cryptographic Systems (page 35)
6. Implementing Virtual Private Networks (page 48)

Create PDF files without this message by purchasing novaPDF printer (http://www.novapdf.com)

2|Page

Chapter One: Modern Network Security Threats

Major Concepts
- Rationale for network security
- Data confidentiality, integrity, availability
- Risks, threats, vulnerabilities and countermeasures
- Methodology of a structured attack
- Security model (McCumber cube)
- Security policies, standards and guidelines
- Selecting and implementing countermeasures
- Network security design

What is Network Security?

According to the National Security Telecommunications and Information Systems Security Committee (NSTISSC), network security is the protection of information and systems and hardware that use, store, and transmit that information. Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources. Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations.

The need for network security and its growth are driven by many factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation and liabilities
5. Proliferation of threats
6. Sophistication of threats
7. Business impact: decrease in productivity

3|Page

8. Loss of sales revenue
9. Release of unauthorized sensitive data
10. Theft of trade secrets or formulas
11. Compromise of reputation and trust
12. Loss of communications
13. Threat to environmental and safety systems
14. Loss of time

Goals of an Information Security Program
- Confidentiality: Prevent the disclosure of sensitive information to unauthorized people, resources, and processes
- Integrity: The protection of system information or processes from intentional or accidental modification
- Availability: The assurance that systems and data are accessible by authorized users when needed

Information Security Model

Risk Management
The process of assessing and quantifying risk and establishing an acceptable level of risk for the organization

4|Page

Risk can be mitigated, but cannot be eliminated.

Risk Analysis
- Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization
- Each vulnerability can be ranked by the scale
- Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability

Categories of assets
- Information Assets (people, hardware, software, systems)
- Supporting Assets (facilities, utilities, services)
- Critical Assets (can be either of those listed above)

Attributes of the assets need to be compiled. Determine each item's relative value:
- How much revenue/profit does it generate?
- What is the cost to replace it?
- How difficult would it be to replace?
- How quickly can it be replaced?

Threats
- A potential danger to information or a system
- An example: the ability to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network
- There may be weaknesses that greatly increase the likelihood of a threat manifesting
- Threats may include equipment failure, structured attacks, natural disasters, physical attacks, theft, viruses and many other potential events causing danger or damage
- Examples: impersonation, eavesdropping, denial-of-service, packet replay, man-in-the-middle, packet modification

Vulnerabilities
A network vulnerability is a weakness in a system, technology, product or policy

5|Page

- In today's environment, several organizations track, organize and test these vulnerabilities
- The US government has a contract with an organization to track and publish network vulnerabilities
- Each vulnerability is given an ID and can be reviewed by network security professionals over the Internet
- The Common Vulnerabilities and Exposures (CVE) list also publishes ways to prevent the vulnerability from being attacked
- It is very important that network security specialists comprehend the importance of vulnerability appraisal
- A vulnerability appraisal is a snapshot of the current security of the organization as it now stands: what current security weaknesses may expose the assets to these threats?
- Vulnerability scanners are tools available as free Internet downloads and as commercial products. These tools compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity

Countermeasures
Put into place to mitigate the potential risk

Types of Attacks

Structured attack
Come from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.

Unstructured attack
Consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker's skills can still do serious damage to a company.

External attacks
Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network, mainly from the Internet or dialup access servers.

6|Page

Internal attacks
More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks often are traced to disgruntled employees.

Passive Attack
- Listen to system passwords
- Release of message content
- Traffic analysis
- Data capturing

Active Attack
- Attempt to log into someone else's account
- Wire taps
- Denial of services
- Masquerading
- Message modifications

Stages of an Attack
Today's attackers have an abundance of targets. In fact their greatest challenge is to select the most vulnerable victims. This has resulted in very well-planned and structured attacks. These attacks have common logistical and strategic stages. These stages include:
- Reconnaissance
- Scanning (addresses, ports, vulnerabilities)
- Gaining access
- Maintaining access
- Covering tracks

Countermeasures
- DMZ/NAT
- IDS/IPS
- Content Filtering/NAC
- Firewalls/proxy services
- Authentication/Authorization/Accounting
- Self-defending networks
- Policies, procedures, standards, guidelines
- Training and awareness

What Is a Security Policy?
A document that states how an organization plans to protect its tangible and intangible information assets

7|Page

- Management instructions indicating a course of action, a guiding principle, or appropriate procedure
- High-level statements that provide guidance to workers who must make present and future decisions
- Generalized requirements that must be written down and communicated to others

Example policy statements:
- All users must have a unique user ID and password that conforms to the company password standard
- Users must not share their password with anyone regardless of title or position
- Passwords must not be stored in written or any readable form
- If a compromise is suspected, it must be reported to the help desk and a new password must be requested

Examples from Salary.com:

Network Security Administrator
Troubleshoots network access problems and implements network security policies and procedures. Ensures network security access and protects against unauthorized access, modification, or destruction. Requires a bachelor's degree with at least 5 years of experience in the field. Familiar with a variety of the field's concepts, practices, and procedures. Relies on extensive experience and judgment to plan and accomplish goals. Performs a variety of tasks. May lead and direct the work of others. A wide degree of creativity and latitude is expected.

Risk Analyst
Performs risk analysis studies in order to maintain maximum protection of an organization's assets. Investigates any incidents that may result in asset loss and compiles findings in reports for further review. Requires a bachelor's degree and 0-2 years of experience in the field or in a related area. Has knowledge of commonly-used concepts, practices, and procedures within a particular field. Relies on instructions and pre-established guidelines to perform the functions of the job. Works under immediate supervision. Primary job functions do not typically require exercising independent judgment.

Chief Information Security Officer
Responsible for determining enterprise information security standards. Develops and implements information security standards and procedures. Ensures that all information

8|Page

systems are functional and secure. Requires a bachelor's degree with at least 12 years of experience in the field. Familiar with a variety of the field's concepts, practices, and procedures. Relies on extensive experience and judgment to plan and accomplish goals. Performs a variety of tasks. Leads and directs the work of others. A wide degree of creativity and latitude is expected. Typically reports to top management.

Network Perimeter/Firewall Specialist
This position requires experience and skills working with perimeter protection devices and network firewalls. The candidate must have experience with PIX Firewalls and MPLS Network experience. Cisco Switch and Router experience is a plus. Experience with Network Transformation and Server Re-IP projects is a definite plus. Other Firewall experience is a definite plus.

Ethical Hacker/Penetration Tester
Responsible for testing and improving network and information system security systems. This is a very sensitive hands-on front line position. This person will be working in a team environment. This individual will be performing mostly network and web application ethical hacking assessments on multi-protocol enterprise network and application systems. Duties may include: requirements analysis and design, scoping of testing activity, vulnerability assessment, assessing tools/script testing, troubleshooting and physical security audits, logical security audits, logical protocol and traffic audits.

Security Response IDS/IPS Engineer
Provides support for the Intrusion Detection/Prevention Service, Host Log Monitoring Service, and Wireless IPS Service associated with Managed Security Services. Must have a well-rounded security background and is responsible for performing extensive troubleshooting of customer issues via Customer Support escalations from the Security Operations Center (SOC) Analysts. This individual performs both infrastructure engineering and customer focused projects to resolve all incidents in a timely manner. These needs may involve performing device upgrades, investigating and responding to advanced security threats, and making changes to the security policy of a customer's device.

9|Page

Chapter 2: Securing Network Devices

What is the edge router?
- The last router between the internal network and an untrusted network such as the Internet
- Functions as the first and last line of defense
- Implements security actions based on the organization's security policies

How can the edge router be secured?
- Use various perimeter router implementations
- Consider physical security, operating system security, and router hardening
- Secure administrative access
- Local versus remote router access

Single Router Approach

A single router connects the internal LAN to the Internet. All security policies are configured on this device.

Defense-in-depth Approach

Passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.

DMZ Approach

The DMZ is set up between two routers. Most traffic filtering is left to the firewall.

Physical Security
- Place router in a secured, locked room
- Install an uninterruptible power supply

Operating System Security
- Use the latest stable version that meets network requirements
- Keep a copy of the O/S and configuration file as a backup

Router Hardening
- Secure administrative control

10|Page

- Disable unused ports and interfaces
- Disable unnecessary services

Banners are disabled by default and must be explicitly enabled. There are four valid tokens for use within the message section of the banner command:
- $(hostname): Displays the hostname for the router
- $(domain): Displays the domain name for the router
- $(line): Displays the vty or tty (asynchronous) line number
- $(line-desc): Displays the description that is attached to the line

Configuring Router SSH Commands
Connecting to Router
Using SDM to configure the SSH Daemon

Complete the following prior to configuring routers for the SSH protocol:
1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH.
2. Ensure that each of the target routers has a unique hostname.
3. Ensure that each of the target routers is using the correct domain name of the network.
4. Ensure that the target routers are configured for local authentication, or for authentication, authorization, and accounting (AAA) services for username or password authentication, or both. This is mandatory for a router-to-router SSH connection.

Privilege levels
By default:
1. User EXEC mode (privilege level 1)
2. Privileged EXEC mode (privilege level 15)
3. Sixteen privilege levels available

11|Page

Methods of providing privileged-level infrastructure access:
1. Privilege Levels
2. Role-Based CLI Access

privilege mode {level level command | reset command}

Parameter   Description
mode        Specifies the configuration mode. Use the privilege ? command to see a complete list of router configuration modes available
level       (Optional) Enables setting a privilege level with a specified command
level       (Optional) The privilege level associated with a command (specify up to 16 privilege levels, using numbers 0 to 15)
reset       (Optional) Resets the privilege level of a command
command     (Optional) The command whose privilege level is set or reset

Privilege Level Limitations
- There is no access control to specific interfaces, ports, logical interfaces, and slots on a router
- Commands available at lower privilege levels are always executable at higher levels
- Commands specifically set on a higher privilege level are not available for lower-privileged users
- Assigning a command with multiple keywords to a specific privilege level also assigns any commands associated with the first keywords to the same privilege level

Role-Based CLI
- Controls which commands are available to specific roles
- Different views of router configurations are created for different users, providing:

12|Page

- Security: Defines the set of CLI commands that is accessible by a particular user by controlling user access to configure specific ports, logical interfaces, and slots on a router
- Availability: Prevents unintentional execution of CLI commands by unauthorized personnel
- Operational Efficiency: Users only see the CLI commands applicable to the ports and CLI to which they have access

Role-Based Views

Root View
To configure any view for the system, the administrator must be in the root view. Root view has all of the access privileges of a user who has level 15 privileges.

CLI View
A specific set of commands can be bundled into a CLI view. Each view must be assigned all commands associated with that view and there is no

13|Page

inheritance of commands from other views. Additionally, commands may be reused within several views.

Superview
Allows a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.

Restoring Primary Bootset
To restore a primary bootset from a secure archive:
1. Reload the router using the reload command.
2. From ROMMON mode, enter the dir command to list the contents of the device that contains the secure bootset file. The device name can be found in the output of the show secure bootset command.
3. Boot up the router using the secure bootset image using the boot command with the filename found in step 2. Once the compromised router boots, proceed to privileged EXEC mode and restore the configuration.
4. Enter global configuration mode using conf t. Restore the secure configuration to the supplied filename using the secure boot-config restore filename command.

Password Recovery Procedures
1. Connect to the console port.
2. Use the show version command to view and record the configuration register.
3. Use the power switch to turn off the router, and then turn the router back on.
4. Press Break on the terminal keyboard within 60 seconds of power up to put the router into ROMmon.
5. At the rommon 1> prompt, type confreg 0x2142.
6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
8. Type enable at the Router> prompt.
9. Type copy startup-config running-config to copy the NVRAM into memory.

14|Page

10. Type show running-config.
11. Enter global configuration and type the enable secret command to change the enable secret password.
12. Issue the no shutdown command on every interface to be used. Once enabled, issue a show ip interface brief command. Every interface to be used should display up up.
13. Type config-register configuration_register_setting. The configuration_register_setting is either the value recorded in Step 2 or 0x2102.
14. Save configuration changes using the copy running-config startup-config command.

Implementing Secure Management

Configuration Change Management
- Know the state of critical network devices
- Know when the last modifications occurred
- Ensure the right people have access when new management methodologies are adopted
- Know how to handle tools and devices no longer used
- Automated logging and reporting of information from identified devices to management hosts
- Available applications and protocols like SNMP

Secure Management and Reporting
When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
- Out-of-band (OOB): Information flows on a dedicated management network on which no production traffic resides.
- In-band: Information flows across an enterprise production network, the Internet, or both using regular data channels.

- OOB management is appropriate for large enterprise networks
- In-band management is recommended in smaller networks, providing a more cost-effective security deployment

15|Page

- Be aware of the security vulnerabilities of using remote management tools with in-band management

Using Syslog
Topics: Implementing Router Logging; Syslog; Configuring System Logging; Enabling Syslog using SDM/CCP

Implementing Router Logging
Configure the router to send log messages to:
- Console: Console logging is used when modifying or testing the router while it is connected to the console. Messages sent to the console are not stored by the router and, therefore, are not very valuable as security events.
- Terminal lines: Configure enabled EXEC sessions to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
- Buffered logging: Store log messages in router memory. Log messages are stored for a time, but events are cleared whenever the router is rebooted.
- SNMP traps: Certain thresholds can be preconfigured. Events can be processed by the router and forwarded as SNMP traps to an external SNMP server. Requires the configuration and maintenance of an SNMP system.

16|Page

- Syslog: Configure routers to forward log messages to an external syslog service. This service can reside on any number of servers, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance.

Syslog servers: Known as log hosts, these systems accept and process log messages from syslog clients.
Syslog clients: Routers or other types of equipment that generate and forward log messages to syslog servers.

Monitor Logging Remotely
Logs can easily be viewed through the SDM, or, for easier use, through a syslog viewer on any remote system. There are numerous free remote syslog viewers; Kiwi is relatively basic and free. Configure the router/switch/etc. to send logs to the IP address of the PC that has Kiwi installed. Kiwi automatically listens for syslog messages and displays them.

SNMP

- Developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances on an IP network
- All versions are Application Layer protocols that facilitate the exchange of management information between network devices
- Part of the TCP/IP protocol suite
- Enables network administrators to manage network performance, find and solve network problems, and plan for network growth
- Three separate versions of SNMP

Security Levels
- noAuth: Authenticates a packet by a string match of the username or community string

17|Page

- auth: Authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with Message Digest 5 (MD5) method or the Secure Hash Algorithm (SHA) method.
- priv: Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms.

Using NTP
- Clocks on hosts and network devices must be maintained and synchronized to ensure that log messages are synchronized with one another
- The date and time settings of the router can be set using one of two methods: manually edit the date and time, or configure Network Time Protocol

Timekeeping
- Pulling the clock time from the Internet means that unsecured packets are allowed through the firewall
- Many NTP servers on the Internet do not require any authentication of peers
- Devices are given the IP address of NTP masters. In an NTP-configured network, one or more routers are designated as the master clock keeper (known as an NTP Master) using the ntp master global configuration command. NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the server, use the ntp server ntp-server-address command. In a LAN environment, NTP can be configured to use IP broadcast messages instead, by using the ntp broadcast client command.

Features/Functions
There are two security mechanisms available:
- An ACL-based restriction scheme
- An encrypted authentication mechanism such as offered by NTP version 3 or higher

18|Page

Implement NTP version 3 or higher. Use the following commands on both the NTP Master and the NTP client:

ntp authenticate
ntp authentication-key key-number md5 value
ntp trusted-key key-number
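As an added example (not from the notes and not Cisco's code), the following Python models what those three commands set up: the NTPv3 scheme appends key-id || MD5(key || 48-byte header) to each packet, `ntp authenticate` makes the client reject packets without a valid MAC, and `ntp trusted-key` restricts which key ids are accepted. The key table, the trusted-key set and the packet contents are constructed for the example; note that the NTPv3 digest is a keyed MD5 prefix construction, not an HMAC.

```python
"""NTP version 3 packet authentication, as configured by ntp authenticate,
ntp authentication-key and ntp trusted-key.

Added example for these notes; not Cisco's code. NTPv3 authentication is a
keyed MD5 digest rather than an HMAC: MAC = key_id || MD5(key || header).
The key table, trusted-key set and packet fields below are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                                  # 32-bit key id + 128-bit MD5 digest
LI_VN_MODE_V3_SERVER = (0 << 6) | (3 << 3) | 4    # LI=0, version 3, mode 4 (server)

# ntp authentication-key 1 md5 <value>  /  ntp authentication-key 2 md5 <value>
KEYS = {1: b"example-key-one", 2: b"example-key-two"}
# ntp trusted-key 1   (key 2 is configured but deliberately not trusted)
TRUSTED = {1}


def build_header(stratum=2, xmt_timestamp=0x0123456789ABCDEF):
    """Construct a 48-byte NTPv3 server header (field values chosen for the example)."""
    return (struct.pack("!BBbb", LI_VN_MODE_V3_SERVER, stratum, 6, -20)
            + struct.pack("!II", 0, 0)            # root delay, root dispersion
            + b"GPS\x00"                          # reference id
            + struct.pack("!QQQQ", 0, 0, 0, xmt_timestamp))


def authenticate(header, key_id, keys=KEYS):
    """Server side: append key id and MD5(key || header) to the packet."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys=KEYS, trusted=TRUSTED):
    """Client side with ntp authenticate on. Returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC present"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed MAC"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False, f"key id {key_id} not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    header = build_header()
    good = authenticate(header, 1)
    return {
        "signed with trusted key": verify(good),
        "unauthenticated packet": verify(header),
        "signed with untrusted key": verify(authenticate(header, 2)),
        # stratum changed from 2 to 1 while keeping the original digest
        "tampered header": verify(bytes([good[0], 1]) + good[2:]),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:28s} -> {'accept' if accepted else 'reject'} ({reason})")
```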

To ensure a device is secure:
- Disable unnecessary services and interfaces
- Disable and restrict commonly configured management services, such as SNMP
- Disable probes and scans, such as ICMP
- Ensure terminal access security
- Disable gratuitous and proxy Address Resolution Protocol (ARP)
- Disable IP-directed broadcast

Security Audit Wizard
Compares router configuration against recommended settings:
- Shut down unneeded servers
- Disable unneeded services
- Apply the firewall to the outside interfaces
- Disable or harden SNMP
- Shut down unused interfaces
- Check password strength
- Enforce the use of ACLs

Cisco AutoSecure
- Initiated from the CLI and executes a script. The AutoSecure feature first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router.
- Can lock down the management plane functions and the forwarding plane services and functions of a router
- Used to provide a baseline security policy on a new router
- Command to enable the Cisco AutoSecure feature setup:

19|Page

auto secure [no-interact]

In interactive mode, the router prompts with options to enable and disable services and other security features. This is the default mode but can also be configured using the auto secure full command.

Cisco One-step Lockdown
Tests router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems found.

Cisco AutoSecure also:
- Disables NTP
- Configures AAA
- Sets SPD values
- Enables TCP intercepts
- Configures anti-spoofing ACLs on outside-facing interfaces

20|Page

Chapter Three: Authentication, Authorization and Accounting

Authentication

Password-Only
- Uses a login and password combination on access lines
- Easiest to implement, but most unsecure method
- Vulnerable to brute-force attacks
- Provides no accountability

Local Database
- Creates individual user account/password on each device
- Provides accountability
- User accounts must be configured locally on each device
- Provides no fallback authentication method

To increase the security of passwords, use additional configuration parameters:
- Minimum password lengths should be enforced
- Unattended connections should be disabled
- All passwords in the configuration file should be encr ypted

login block-for Command
All login enhancement features are disabled by default. The login block-for command enables configuration of the login enhancement features. The login block-for feature monitors login device activity and operates in two modes:
- Normal-Mode (Watch-Mode): The router keeps count of the number of failed login attempts within an identified amount of time.
- Quiet-Mode (Quiet Period): If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied.

To generate log messages for successful/failed logins:
login on-failure log
login on-success log

To generate a message when failure rate is exceeded:

21|Page

security authentication failure rate threshold-rate log

To verify that the login block-for command is configured and which mode the router is currently in:
show login

To display more information regarding the failed attempts:
show login failures
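As an added example (not from the notes) that ties the syslog section to login block-for: a log-host script that parses the %SEC_LOGIN messages produced by the login on-failure log and login on-success log commands and applies the same attempts-within-seconds threshold the router applies in watch mode, so the syslog server can alert on the same burst the router would answer with a quiet period. The sample lines and the receiver's line layout are constructed.

```python
"""Detecting login-failure bursts in router syslog on the log host.

Added example for these notes, not code from the original. It does on the
syslog server what the router's login block-for watch mode does locally:
count LOGIN_FAILED events per source in a sliding window and, once the
threshold is reached, raise one alert carrying the quiet period the router
itself would enter. The sample lines are constructed; their layout follows
the %SEC_LOGIN messages produced by login on-failure log / login on-success log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The receiver is assumed to have stripped the syslog PRI and its own timestamp,
# leaving "<router>: <IOS message>". The trailing "at ..." clock is the router's.
LOGIN_RE = re.compile(
    r"^(?P<host>\S+): %SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>LOGIN_FAILED|LOGIN_SUCCESS): "
    r"Login \w+ \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]*)\])? "
    r"at (?P<ts>\d\d:\d\d:\d\d UTC \w{3} \w{3} \d{1,2} \d{4})$"
)

SAMPLE_LINES = [  # constructed for this example
    "R1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] "
    "[localport: 22] [Reason: Login Authentication Failed] at 10:00:05 UTC Mon Mar 04 2024",
    "R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] "
    "[localport: 22] [Reason: Login Authentication Failed] at 10:00:20 UTC Mon Mar 04 2024",
    "R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] "
    "[localport: 22] [Reason: Login Authentication Failed] at 10:00:41 UTC Mon Mar 04 2024",
    "R1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] "
    "[localport: 22] at 10:02:00 UTC Mon Mar 04 2024",
    "R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] "
    "[localport: 22] [Reason: Login Authentication Failed] at 10:05:00 UTC Mon Mar 04 2024",
    "R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] "
    "[localport: 22] [Reason: Login Authentication Failed] at 10:15:00 UTC Mon Mar 04 2024",
]


def parse_login_event(line):
    """Return the fields of a %SEC_LOGIN line as a dict, or None for other messages."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S UTC %a %b %d %Y")
    return rec


def detect_bursts(lines, attempts=3, within=60, block_for=120):
    """Sliding-window count of failed logins per source address.

    Mirrors "login block-for <block_for> attempts <attempts> within <within>":
    when a source reaches `attempts` failures inside `within` seconds, one alert
    is emitted with the time at which the router's quiet period would end, and
    that source's window is cleared so the next alert needs a fresh burst.
    """
    recent = defaultdict(deque)          # source -> timestamps of failures in window
    alerts = []
    for line in lines:
        rec = parse_login_event(line)
        if rec is None or rec["mnemonic"] != "LOGIN_FAILED":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > within:
            q.popleft()
        if len(q) >= attempts:
            alerts.append({"src": rec["src"], "failures": len(q),
                           "quiet_until": rec["ts"] + timedelta(seconds=block_for)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LINES):
        print(f"{a['src']}: {a['failures']} failed logins, quiet until {a['quiet_until']:%H:%M:%S}")
```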

Access Methods

Character Mode
A user sends a request to establish an EXEC mode process with the router for administrative purposes

Packet Mode
A user sends a request to establish a connection through the router with a device on the network

Self-Contained AAA Authentication
- Used for small networks
- Stores usernames and passwords locally in the Cisco router

Server-Based AAA Authentication
- Uses an external database server
  - Cisco Secure Access Control Server (ACS) for Windows Server
  - Cisco Secure ACS Solution Engine
  - Cisco Secure ACS Express
- More appropriate if there are multiple routers

AAA Authorization
- Typically implemented using an AAA server-based solution
- Uses a set of attributes that describes user access to the network

AAA Accounting
- Implemented using an AAA server-based solution

22|Page

- Keeps a detailed log of what an authenticated user does on a device

Local AAA Authentication Commands
To authenticate administrator access (character mode access):
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration

aaa authentication enable
Enables AAA for EXEC mode access

aaa authentication ppp
Enables AAA for PPP network access

TACACS+ versus RADIUS

Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+

Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard

Transport Protocol
  TACACS+: TCP
  RADIUS: UDP

CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client

Protocol Support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI

23|Page

Confidentiality
  TACACS+: Entire packet encrypted
  RADIUS: Password encrypted

Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis

Accounting
  TACACS+: Limited
  RADIUS: Extensive
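The "Password encrypted" entry for RADIUS is the RFC 2865 User-Password hiding, shown here as an added example (not from the notes or any RADIUS implementation): only that one attribute is obfuscated, with MD5 over the shared secret and the Request Authenticator, while everything else in the Access-Request, the User-Name included, travels in the clear. The shared secret, authenticator and credentials are constructed.

```python
"""How RADIUS hides only the User-Password attribute (RFC 2865 section 5.2),
the "Password encrypted" row above, versus TACACS+ encrypting the whole body.

Added example for these notes, not code from any RADIUS implementation.
The shared secret, Request Authenticator and user data are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_{i-1}),
    with c_0 the 16-byte Request Authenticator sent in the clear in the header."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed on the received ciphertext blocks.
    Trailing padding nulls are stripped, so a password ending in a null byte
    cannot round-trip (a limitation of the RFC scheme itself)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, authenticator):
    """Minimal Access-Request: 20-byte header plus User-Name and User-Password TLVs."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)          # client-chosen Request Authenticator
    pkt = build_access_request(7, b"alice", b"correct horse battery staple", secret, authenticator)
    print("User-Name visible in the clear:", b"alice" in pkt)
    print("password visible in the clear:", b"correct horse" in pkt)
```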

Cisco Secure ACS Benefits
- Extends access security by combining authentication, user access, and administrator access with policy control
- Allows greater flexibility and mobility, increased security, and user-productivity gains
- Enforces a uniform security policy for all users
- Reduces the administrative and management efforts

Advanced Features
- Automatic service monitoring
- Database synchronization and importing of tools for large-scale deployments
- Lightweight Directory Access Protocol (LDAP) user authentication support
- User and administrative access reporting
- Restrictions to network access based on criteria
- User and device group profiles

24|Page

Chapter Four: Implementing Firewall Technologies

Major Concepts
- Implement ACLs
- Describe the purpose and operation of firewall technologies
- Implement CBAC
- Zone-based Policy Firewall using SDM and CLI

Standard Numbered IP ACLs
- The first value specifies the ACL number
- The second value specifies whether to permit or deny the configured source IP address traffic
- The third value is the source IP address that must be matched
- The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range
- All ACLs assume an implicit deny statement at the end of the ACL
- At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface

Extended Numbered IP ACLs
- The first value specifies the ACL number
- The second value specifies whether to permit or deny accordingly
- The third value indicates protocol type
- The source IP address and wildcard mask determine where traffic originates
- The destination IP address and wildcard mask are used to indicate the final destination of the network traffic

ACL Configuration Guidelines
- ACLs are created globally and then applied to interfaces
- ACLs filter traffic going through the router, or traffic to and from the router, depending on how it is applied
- Only one ACL per interface, per protocol, per direction
- Standard or extended indicates the information that is used to filter packets
- ACLs are processed top-down. The most specific statements must go at the top of the list
- All ACLs have an implicit deny all statement at the end, therefore every list must have at least one permit statement to allow any traffic to pass
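To make the statement syntax and the top-down, implicit-deny processing concrete, here is an added Python evaluator (not Cisco code and not part of these notes) that parses IOS-style numbered ACL statements and runs constructed sample packets through them. The ACL number, addresses and packets are constructed examples; the wildcard-mask matching, first-match rule and trailing implicit deny follow the rules listed above. The sample extended ACL starts with an inbound anti-spoofing entry, one of the ACL uses listed later in this chapter, placed above the general permits as the placement guideline requires.

```python
"""Evaluator for IOS-style numbered ACLs (added example, not Cisco code).

Implements the rules from the notes: wildcard-mask matching, first match wins
(top-down), and an implicit 'deny' after the last statement.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any", "host A", or "A WILDCARD"
    dst: str = "any"
    dport: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _ip(addr) == _ip(parts[1])
    base, wild = _ip(parts[0]), _ip(parts[1])
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address specification from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) >= 2 and tokens[1][0].isdigit():
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    return f"host {tokens[0]}", tokens[1:]    # no mask given: implicit 0.0.0.0


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny ...' statements, keeping their order."""
    aces: List[Ace] = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                             # comments / unrelated config lines
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:                    # standard ACL: source address only
            src, _ = _take_addr(rest)
            aces.append(Ace(action, "ip", src))
        else:                                    # extended ACL: proto, source, destination, port
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# Constructed sample: inbound ACL on the outside interface. The first line is an
# anti-spoofing entry (packets carrying the inside range as source must not arrive
# from outside) and has to sit above the more general permit lines to take effect.
SAMPLE_ACL = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 permit tcp any host 192.168.1.10 eq 80",
    "access-list 101 permit icmp any any",
]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for p in (Packet("203.0.113.5", "192.168.1.10", "tcp", 80),
              Packet("192.168.1.7", "192.168.1.10", "tcp", 80),   # spoofed inside source
              Packet("203.0.113.5", "192.168.1.10", "tcp", 22)):  # no permit: implicit deny
        print(p, "->", evaluate(acl, p))
```

Swap the order of the first two statements and the spoofed packet is permitted, which is the placement point made above: the specific deny has to come before the broader permit.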

ACL Placement
- Standard ACLs should be placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. If placed too close to the source, it can deny all traffic, including valid traffic.
- Extended ACLs should be placed on routers as close as possible to the source that is being filtered. If placed too far from the source being filtered, there is inefficient use of network resources.

Types of ACLs
- Standard IP ACLs
- Extended IP ACLs
- Extended IP ACLs using TCP established
- Reflexive IP ACLs
- Dynamic ACLs
- Time-Based ACLs
- Context-based Access Control (CBAC) ACLs

The established keyword:
- Forces a check by the routers to see if the ACK, FIN, PSH, RST, SYN or URG TCP control flags are set. If the flag is set, the TCP traffic is allowed in.
- Does not implement a stateful firewall on a router
- Hackers can take advantage of the open hole
- Option does not apply to UDP or ICMP traffic

Reflexive ACLs
- Provide a truer form of session filtering
- Much harder to spoof
- Allow an administrator to perform actual session filtering for any type of IP traffic
- Work by using temporary access control entries (ACEs)
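The difference between the established keyword and a reflexive ACL is easiest to see side by side. The Python below is an added illustration (not Cisco code, not from these notes): the stateless check looks only at flag bits (IOS documents the established match as ACK or RST set), while the reflexive filter keeps temporary entries for sessions that inside hosts opened and permits only the mirrored return flow. Addresses, ports and flag sets are constructed, and the session-close handling is simplified to the FIN/RST removal.

```python
"""Stateless 'established' check next to a reflexive, session-tracking filter.
Added example, not Cisco code; addresses, ports and flags are constructed."""
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Set[str] = field(default_factory=set)   # subset of SYN, ACK, FIN, RST, PSH, URG


def established_allows(seg: TcpSegment) -> bool:
    """What 'established' does: inspect flag bits only. IOS documents the match as
    'ACK or RST set'. There is no session table, so a segment with ACK set passes
    even when no inside host ever opened the connection (the 'open hole' above)."""
    return bool(seg.flags & {"ACK", "RST"})


Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class ReflexiveFilter:
    """Reflexive ACL behaviour: an outbound session creates a temporary ACE that
    permits only the exact mirrored flow; the ACE goes away when the session ends
    (simplified here to: removed on FIN or RST)."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.temp_aces: Set[Flow] = set()

    def outbound(self, seg: TcpSegment) -> bool:
        if not seg.src.startswith(self.inside_prefix):
            return False
        self.temp_aces.add((seg.dst, seg.dport, seg.src, seg.sport))  # mirrored entry
        return True

    def inbound_allows(self, seg: TcpSegment) -> bool:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key not in self.temp_aces:
            return False                  # unsolicited, whatever the flags say
        if seg.flags & {"FIN", "RST"}:
            self.temp_aces.discard(key)   # session closing: drop the temporary ACE
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (reply_via_established, reply_via_reflexive,
                unsolicited_via_established, unsolicited_via_reflexive)."""
    fw = ReflexiveFilter("10.0.0.")
    fw.outbound(TcpSegment("10.0.0.5", 40000, "203.0.113.20", 443, {"SYN"}))
    reply = TcpSegment("203.0.113.20", 443, "10.0.0.5", 40000, {"SYN", "ACK"})
    unsolicited = TcpSegment("198.51.100.9", 1234, "10.0.0.5", 22, {"ACK"})
    return (established_allows(reply), fw.inbound_allows(reply),
            established_allows(unsolicited), fw.inbound_allows(unsolicited))


if __name__ == "__main__":
    print(demo())   # the legitimate reply passes both; only the reflexive filter stops the unsolicited segment
```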

Dynamic ACL Overview
- Available for IP traffic only
- Dependent on Telnet connectivity, authentication, and extended ACLs
- Security benefits include:
  - Use of a challenge mechanism to authenticate users
  - Simplified management in large internetworks
  - Reduction of the amount of router processing that is required for ACLs
  - Reduction of the opportunity for network break-ins by network hackers
  - Creation of dynamic user access through a firewall without compromising other configured security restrictions

ACLs can be used to:
- Mitigate IP address spoofing (inbound/outbound)
- Mitigate Denial of service (DoS) TCP synchronize (SYN) attacks (blocking external attacks)
- Mitigate DoS TCP SYN attacks (using TCP intercept)
- Mitigate DoS smurf attacks
- Filter Internet Control Message Protocol (ICMP) messages (inbound)
- Filter ICMP messages (outbound)
- Filter traceroute


Chapter 4: Firewalls

A firewall is a system that enforces an access control policy between networks.

Common properties of firewalls:
- The firewall is resistant to attacks
- The firewall is the only transit point between networks
- The firewall enforces the access control policy

Benefits of Firewalls
- Prevents exposing sensitive hosts and applications to untrusted users
- Prevents the exploitation of protocol flaws by sanitizing the protocol flow
- Firewalls prevent malicious data from being sent to servers and clients.
- Properly configured firewalls make security policy enforcement simple, scalable, and robust.
- A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network.

Types of Filtering Firewalls
- Packet-filtering firewall: typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information)
- Stateful firewall: keeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state
- Application gateway firewall (proxy firewall): filters information at Layers 3, 4, 5, and 7. Firewall control and filtering done in software.
- Address-translation firewall: expands the number of IP addresses available and hides network addressing design.
- Host-based (server and personal) firewall: a PC or server with firewall software running on it.
- Transparent firewall: filters IP traffic between a pair of bridged interfaces.
- Hybrid firewalls: some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

Packet-Filtering Firewall Advantages
- Are based on simple permit or deny rule set
- Have a low impact on network performance
- Are easy to implement
- Are supported by most routers
- Afford an initial degree of security at a low network layer
- Perform 90% of what higher-end firewalls do, at a much lower cost

Packet-Filtering Firewall Disadvantages
- Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.
- Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally.
- Complex ACLs are difficult to implement and maintain correctly.
- Packet filters cannot dynamically filter certain services.
- Packet filters are stateless.

Stateful Firewalls Advantages/Disadvantages

Advantages
- Often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
- Strengthens packet filtering by providing more stringent control over security than packet filtering
- Improves performance over packet filters or proxy servers.
- Defends against spoofing and DoS attacks
- Allows for more log information than a packet filtering firewall

Disadvantages
- Cannot prevent application layer attacks because it does not examine the actual contents of the HTTP connection
- Not all protocols are stateful, such as UDP and ICMP
- Some applications open multiple connections requiring a whole new range of ports opened to allow this second connection
- Stateful firewalls do not support user authentication

Cisco Systems Firewall Solutions

IOS Firewall
- Zone-based policy framework for intuitive management
- Instant messenger and peer-to-peer application filtering
- VoIP protocol firewalling
- Virtual routing and forwarding (VRF) firewalling
- Wireless integration
- Stateful failover
- Local URL whitelist and blacklist support
- Application inspection for web and e-mail traffic

PIX 500 Series

ASA 5500 Series

Design with DMZ

Firewall Best Practices
- Position firewalls at security boundaries.
- Firewalls are the primary security device. It is unwise to rely exclusively on a firewall for security.
- Deny all traffic by default. Permit only services that are needed.
- Ensure that physical access to the firewall is controlled.
- Regularly monitor firewall logs.
- Practice change management for firewall configuration changes.
- Remember that firewalls primarily protect from technical attacks originating from the outside.

Introduction to CBAC
- Filters TCP and UDP packets based on application layer protocol session information
- Provides stateful application layer filtering
- Provides four main functions:
  - Traffic Filtering
  - Traffic Inspection
  - Intrusion Detection
  - Generation of Audits and Alerts

CBAC Capabilities
- Monitors TCP Connection Setup
- Examines TCP Sequence Numbers
- Inspects DNS Queries and Replies
- Inspects Common ICMP Message Types
- Supports Applications with Multiple Channels, such as FTP and Multimedia
- Inspects Embedded Addresses
- Inspects Application Layer Information


Chapter 5: Cryptographic Systems

Secure Communications
- Traffic between sites must be secure
- Measures must be taken to ensure it cannot be altered, forged, or deciphered if intercepted

Authentication An ATM Personal Information Number (PIN) is required for authentication. The PIN is a shared secret between a bank account holder and the financial institution.

Integrity: An unbroken wax seal on an envelope ensures integrity. The unique unbroken seal ensures no one has read the contents.

Confidentiality Julius Caesar would send encrypted messages to his generals in the battlefield. Even if intercepted, his enemies usually could not read, let alone decipher, the messages.

Cryptographic Hashes, Protocols, and Algorithm Examples


Hashing Basics
- Hashes are used for integrity assurance.
- Hashes are based on one-way functions.
- The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.

MD5
- MD5 is a ubiquitous hashing algorithm
- Hashing properties: one-way function (easy to compute the hash and infeasible to compute the data given a hash)
- Complex sequence of simple binary operations (XORs, rotations, etc.) which finally produces a 128-bit hash.

SHA
- SHA is similar in design to the MD4 and MD5 family of hash functions
- Takes an input message of no more than 2^64 bits
- Produces a 160-bit message digest
- The algorithm is slightly slower than MD5.
- SHA-1 is a revision that corrected an unpublished flaw in the original SHA.
- SHA-224, SHA-256, SHA-384, and SHA-512 are newer and more secure versions of SHA and are collectively known as SHA-2.

Features of HMAC
- Uses an additional secret key as input to the hash function
- The secret key is known to the sender and receiver
- Adds authentication to integrity assurance
- Defeats man-in-the-middle attacks
- Based on existing hash functions, such as MD5 and SHA-1.

Using Hashing
- Routers use hashing with secret keys
- IPsec gateways and clients use hashing algorithms
- Software images downloaded from the website have checksums
- Sessions can be encrypted
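The hashing and HMAC points above (fixed-length digests, integrity alone versus integrity plus authentication, why a keyed hash defeats an in-path modifier) can be checked with the standard library. The Python below is an added example, not code from these notes; the message, the shared key and the altered message are constructed. It shows that a plain digest can simply be recomputed by whoever changes the message, while an HMAC cannot be recomputed without the key.

```python
"""Hash vs. HMAC: integrity alone vs. integrity plus origin authentication.
Added example; the message, key and in-path edit are constructed."""
import hashlib
import hmac
from typing import Tuple


def digest(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length fingerprint of arbitrary input (md5: 128 bits, sha1: 160, sha256: 256)."""
    return hashlib.new(algo, data).hexdigest()


def hmac_tag(key: bytes, data: bytes, algo: str = "sha256") -> str:
    """Keyed digest: same hash function, plus a secret only the endpoints hold."""
    return hmac.new(key, data, algo).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(hmac_tag(key, data), tag)


def mitm_demo() -> Tuple[bool, bool]:
    """A party in the middle alters the message and recomputes whatever check it can.
    Returns (plain_hash_check_passes, hmac_check_passes) as seen by the receiver."""
    key = b"shared-secret-known-only-to-endpoints"   # constructed
    original = b"transfer 100 to account 1234"       # constructed
    sent_hash, sent_tag = digest(original), hmac_tag(key, original)
    # The modifier rewrites the message. It can recompute the hash; it cannot
    # recompute the HMAC, so it can only forward the old tag.
    altered = b"transfer 100 to account 9999"
    forwarded_hash, forwarded_tag = digest(altered), sent_tag
    plain_ok = digest(altered) == forwarded_hash      # receiver recomputes: matches
    hmac_ok = verify_hmac(key, altered, forwarded_tag)  # receiver recomputes with key: fails
    return plain_ok, hmac_ok


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest(b"The quick brown fox", algo))
    print("plain hash passes, HMAC passes:", mitm_demo())
```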

Key Management


Keyspace
- For each bit added to the DES key, the attacker would require twice the amount of time to search the keyspace.
- Longer keys are more secure but are also more resource intensive and can affect throughput

Types of Keys
- Calculations are based on the fact that computing power will continue to grow at its present rate and the ability to perform brute-force attacks will grow at the same rate.
- Note the comparatively short symmetric key lengths illustrating that symmetric algorithms are the strongest type of algorithm.


Confidentiality and the OSI Model
- For Data Link Layer confidentiality, use proprietary link-encrypting devices
- For Network Layer confidentiality, use secure Network Layer protocols such as the IPsec protocol suite
- For Session Layer confidentiality, use protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
- For Application Layer confidentiality, use secure e-mail, secure database sessions (Oracle SQL*net), and secure messaging (Lotus Notes sessions)

Symmetric Encryption
- Best known as shared-secret key algorithms
- The usual key length is 80 - 256 bits
- A sender and receiver must share a secret key
- Faster processing because they use simple mathematical operations.

- Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish

Symmetric Encryption Algorithms

Algorithm: DES
Key length (in bits): 56
Description: Designed at IBM during the 1970s and was the NIST standard until 1997. Although considered outdated, DES remains widely in use. Designed to be implemented only in hardware, and is therefore extremely slow in software.

Algorithm: 3DES
Key length (in bits): 112 and 168
Description: Based on using DES three times which means that the input data is encrypted three times and therefore considered much stronger than DES. However, it is rather slow compared to some new block ciphers such as AES.

Algorithm: AES
Key length (in bits): 128, 192, and 256
Description: Fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

Algorithm: Software Encryption Algorithm (SEAL)
Key length (in bits): 160
Description: SEAL is an alternative algorithm to DES, 3DES, and AES. It uses a 160-bit encryption key and has a lower impact to the CPU when compared to other software-based algorithms.

Algorithm: The RC series
Key length (in bits): RC2 (40 and 64), RC4 (1 to 256), RC5 (0 to 2040), RC6 (128, 192, and 256)
Description: A set of symmetric-key encryption algorithms invented by Ron Rivest. RC1 was never published and RC3 was broken before ever being used. RC4 is the world's most widely used stream cipher. RC6, a 128-bit block cipher based heavily on RC5, was an AES finalist developed in 1997.

Asymmetric Encryption
- Also known as public key algorithms
- The usual key length is 512 - 4096 bits
- A sender and receiver do not share a secret key
- Relatively slow because they are based on difficult computational algorithms
- Examples include RSA, ElGamal, elliptic curves, and DH.

                                                                DES                    3DES   AES
The algorithm is trusted by the cryptographic community         Been replaced by 3DES  Yes    Verdict is still out
The algorithm adequately protects against brute-force attacks   No                     Yes    Yes

Considerations
- Change keys frequently to help prevent brute-force attacks.
- Use a secure channel to communicate the DES key from the sender to the receiver.
- Consider using DES in CBC mode. With CBC, the encryption of each 64-bit block depends on previous blocks.
- Test a key to see if it is a weak key before using it.
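The CBC and weak-key considerations above can be demonstrated without a DES implementation (the Python standard library has none). The block below is an added example, not code from these notes: it chains 64-bit blocks exactly as CBC does, C_i = E_k(P_i XOR C_{i-1}), but the block cipher E_k is a stand-in constructed for illustration (a 16-round Feistel network with an HMAC-SHA256 round function), not DES. The weak-key check uses the four DES weak keys listed in the DES standard, for which encryption and decryption coincide.

```python
"""CBC chaining and the DES weak-key check (added example).
The block cipher here is a stand-in: a 16-round Feistel network on 64-bit
blocks with an HMAC-SHA256 round function, constructed for illustration.
It is not DES; the CBC logic around it is the real thing."""
import hashlib
import hmac

BLOCK = 8   # 64-bit blocks, as in DES

# The four DES weak keys (with parity bits): encryption == decryption for these.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}


def is_des_weak_key(key: bytes) -> bool:
    """Reject a key before use if it is one of the known weak keys."""
    return key in DES_WEAK_KEYS


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed, round-dependent, 32-bit output (stand-in, not DES's)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _f(key, r, right))
    return right + left


def block_decrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    right, left = block[:4], block[4:]
    for r in reversed(range(rounds)):
        right, left = left, _xor(right, _f(key, r, left))
    return left + right


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """No chaining: equal plaintext blocks produce equal ciphertext blocks."""
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV: each block depends on all earlier ones."""
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks (pad first)")
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_i = D_k(C_i) XOR C_{i-1}."""
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


if __name__ == "__main__":
    key = b"\x13\x34\x57\x79\x9b\xbc\xdf\xf1"       # constructed 64-bit key, not weak
    pt = b"SAMEDATA" * 3                           # three identical blocks
    print("ECB repeats:", ecb_encrypt(key, pt).hex())
    print("CBC differs:", cbc_encrypt(key, bytes(8), pt).hex())
```

The ECB output makes the point behind the CBC recommendation: three identical plaintext blocks encrypt to three identical ciphertext blocks, while under CBC the second and third blocks differ because each one also depends on the previous ciphertext block.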

Advantages of AES
- The key is much stronger due to the key length
- AES runs faster than 3DES on comparable hardware
- AES is more efficient than DES and 3DES on comparable hardware

Rivest Codes Scorecard

Description          RC2           RC4            RC5                             RC6
Timeline             1987          1987           1994                            1998
Type of Algorithm    Block cipher  Stream cipher  Block cipher                    Block cipher
Key size (in bits)   40 and 64     1 - 256        0 to 2040 bits (128 suggested)  128, 192, or 256

Using Diffie-Hellman

Description                                                           Diffie-Hellman Algorithm
Timeline                                                              1976
Type of Algorithm                                                     Asymmetric
Key size (in bits)                                                    512, 1024, 2048
Speed                                                                 Slow
Time to crack (assuming a computer could try 2^55 keys per second)    Unknown but considered very safe
Resource Consumption                                                  Medium

Asymmetric Key Characteristics
- Key length ranges from 512 - 4096 bits
- Key lengths greater than or equal to 1024 bits can be trusted
- Key lengths that are shorter than 1024 bits are considered unreliable for most algorithms

Asymmetric Key Algorithms

Algorithm: DH
Key length (in bits): 512, 1024, 2048
Description: Invented in 1976 by Whitfield Diffie and Martin Hellman. Two parties agree on a key that they can use to encrypt messages. The assumption is that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.

Algorithm: Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA)
Key length (in bits): 512 - 1024
Description: Created by NIST and specifies DSA as the algorithm for digital signatures. A public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar with RSA, but is slower for verification.

Algorithm: RSA encryption algorithms
Key length (in bits): 512 to 2048
Description: Developed by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT in 1977. Based on the current difficulty of factoring very large numbers. Suitable for signing as well as encryption. Widely used in electronic commerce protocols.

Algorithm: ElGamal
Key length (in bits): 512 - 1024
Description: Based on the Diffie-Hellman key agreement. Described by Taher Elgamal in 1984 and is used in GNU Privacy Guard software, PGP, and other cryptosystems. The encrypted message becomes about twice the size of the original message and for this reason it is only used for small messages such as secret keys.

Algorithm: Elliptical curve techniques
Key length (in bits): 160
Description: Invented by Neil Koblitz in 1987 and by Victor Miller in 1986. Can be used to adapt many cryptographic algorithms. Keys can be much smaller.
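The Diffie-Hellman description above (easy to raise a number to a power, hard to recover the power from the result) is short enough to run end to end. The Python below is an added example, not code from these notes: both parties pick a private exponent, publish g^x mod p, and arrive at the same shared value, which is then hashed into a symmetric key of the kind the symmetric-algorithm table calls for. The modulus 2^127 - 1 (a Mersenne prime) is a constructed toy group chosen to keep the numbers readable; it is not one of the standardized 768/1024/1536-bit MODP groups (DH groups 1, 2 and 5) that IKE uses, and the range check on the peer's public value is the usual defensive measure against the trivial values 0, 1 and p-1.

```python
"""Diffie-Hellman key agreement (added example, not code from these notes).
The modulus is the Mersenne prime 2**127 - 1: a constructed toy group, not a
standardized IKE DH group. The mechanics are identical for the real groups."""
import hashlib
import secrets
from typing import Tuple

P = (1 << 127) - 1   # constructed toy modulus (prime)
G = 5                # constructed generator


def keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Private exponent a and public value A = g^a mod p. Computing A is cheap;
    recovering a from A (discrete logarithm) is the hard problem the scheme rests on."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p-2
    return priv, pow(g, priv, p)


def shared_secret(priv: int, peer_pub: int, p: int = P) -> int:
    """Both sides compute (g^b)^a = (g^a)^b = g^(ab) mod p.
    Reject 0, 1 and p-1: those force the result into a trivial subgroup."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def derive_key(secret: int, length: int = 16) -> bytes:
    """Turn the agreed number into a symmetric key of the wanted length."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:length]


def exchange(p: int = P, g: int = G) -> Tuple[bytes, bytes]:
    """Run both sides; only pub_a and pub_b would cross the wire."""
    a, pub_a = keypair(p, g)
    b, pub_b = keypair(p, g)
    key_a = derive_key(shared_secret(a, pub_b, p))
    key_b = derive_key(shared_secret(b, pub_a, p))
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = exchange()
    print("A's key:", ka.hex())
    print("B's key:", kb.hex(), "(equal:", ka == kb, ")")
```

With the textbook-sized parameters p = 23, g = 5, a = 6, b = 15 the same functions give public values 8 and 19 and the shared value 2, which is convenient for checking the arithmetic by hand.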

Security Services: Digital Signatures
- Authenticates a source, proving a certain party has seen, and has signed, the data in question
- Signing party cannot repudiate that it signed the data
- Guarantees that the data has not changed from the time it was signed
- The signature is authentic and not forgeable: The signature is proof that the signer, and no one else, signed the document.
- The signature is not reusable: The signature is a part of the document and cannot be moved to a different document.
- The signature is unalterable: After a document is signed, it cannot be altered.
- The signature cannot be repudiated: For legal purposes, the signature and the document are considered to be physical things. The signer cannot claim later that they did not sign it.

Code Signing with Digital Signatures The publisher of the software attaches a digital signature to the executable, signed with the signature key of the publisher. The user of the software needs to obtain the public key of the publisher or the CA certificate of the publisher if PKI is used.

Public Key Infrastructure
- PKI: A service framework (hardware, software, people, policies and procedures) needed to support large-scale public key-based technologies.
- Certificate: A document, which binds together the name of the entity and its public key and has been signed by the CA
- Certificate authority (CA): The trusted third party that signs the public keys of entities in a PKI-based system

Usage Keys
- When an encryption certificate is used much more frequently than a signing certificate, the public and private key pair is more exposed due to its frequent usage. In this case, it might be a good idea to shorten the lifetime of the key pair and change it more often, while having a separate signing private and public key pair with a longer lifetime.
- When different levels of encryption and digital signing are required because of legal, export, or performance issues, usage keys allow an administrator to assign different key lengths to the two pairs.


- When key recovery is desired, such as when a copy of a user's private key is kept in a central repository for various backup reasons, usage keys allow the user to back up only the private key of the encrypting pair. The signing private key remains with the user, enabling true nonrepudiation.
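The three passages above (digital signature properties, code signing, and the PKI definitions of certificate and CA) fit in one worked example. The Python below is an added illustration, not code from these notes and not a real PKI: it uses toy RSA with fixed small primes so the arithmetic stays visible, signs a SHA-256 digest of the data, wraps a publisher's public key in a minimal certificate signed by a CA, and then checks a signed executable the way the code-signing paragraph describes (trust the CA, verify the publisher's certificate, verify the executable). Real keys use 1024 to 4096-bit moduli and PKCS #1 padding, neither of which appears here; the primes, names and executable bytes are constructed.

```python
"""Digital signatures, code signing and a minimal certificate chain (added example).
Toy RSA with fixed small primes; no padding, toy modulus sizes. Not a real PKI."""
import hashlib
import json
from typing import Dict, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def make_key(p: int, q: int, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(data: bytes, n: int) -> int:
    # Hash first, then sign the hash (reduced into the toy-sized modulus).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivKey, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub: PubKey, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def issue_cert(ca_priv: PrivKey, subject: str, subject_pub: PubKey) -> Dict:
    """Certificate: binds a name to a public key, signed by the CA."""
    tbs = json.dumps({"subject": subject, "n": subject_pub[0], "e": subject_pub[1]},
                     sort_keys=True).encode()
    return {"tbs": tbs, "sig": sign(ca_priv, tbs)}


def cert_pubkey(cert: Dict) -> PubKey:
    body = json.loads(cert["tbs"])
    return body["n"], body["e"]


def verify_signed_code(ca_pub: PubKey, cert: Dict, executable: bytes, sig: int) -> bool:
    """Code-signing check: trusted CA -> publisher's certificate -> executable signature."""
    if not verify(ca_pub, cert["tbs"], cert["sig"]):
        return False                                 # certificate not issued by a trusted CA
    return verify(cert_pubkey(cert), executable, sig)


# Constructed keys from small known primes (toy sizes).
CA_PUB, CA_PRIV = make_key(1000000007, 998244353)
PUBLISHER_PUB, PUBLISHER_PRIV = make_key(2147483647, 1000000009)
ROGUE_CA_PUB, ROGUE_CA_PRIV = make_key(1000000007, 2147483647)   # a CA nobody trusts


if __name__ == "__main__":
    exe = b"constructed executable bytes v1.0"
    cert = issue_cert(CA_PRIV, "Example Publisher", PUBLISHER_PUB)
    sig = sign(PUBLISHER_PRIV, exe)
    print("genuine:", verify_signed_code(CA_PUB, cert, exe, sig))
    print("altered:", verify_signed_code(CA_PUB, cert, exe + b"\x90", sig))
```

The negative cases map onto the signature properties listed above: changing one byte of the executable breaks verification (unalterable), the signature over one program does not verify over another (not reusable), and a certificate issued by a CA that is not in the verifier's trust store is rejected even though the publisher's key inside it is the right one.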

RSA PKCS Standards
- PKCS #1: RSA Cryptography Standard
- PKCS #3: DH Key Agreement Standard
- PKCS #5: Password-Based Cryptography Standard
- PKCS #6: Extended-Certificate Syntax Standard
- PKCS #7: Cryptographic Message Syntax Standard
- PKCS #8: Private-Key Information Syntax Standard
- PKCS #10: Certification Request Syntax Standard
- PKCS #12: Personal Information Exchange Syntax Standard
- PKCS #13: Elliptic Curve Cryptography Standard
- PKCS #15: Cryptographic Token Information Format Standard

Public Key Technology
- A PKI communication protocol used for VPN PKI enrollment
- Uses the PKCS #7 and PKCS #10 standards

Single-Root PKI Topology
- Certificates issued by one CA
- Centralized trust decisions
- Single point of failure

PKI Authentication Characteristics
- To authenticate each other, users have to obtain the certificate of the CA and their own certificate. These steps require the out-of-band verification of the processes.


- Public-key systems use asymmetric keys where one is public and the other one is private.
- Key management is simplified because two users can freely exchange the certificates. The validity of the received certificates is verified using the public key of the CA, which the users have in their possession.
- Because of the strength of the algorithms, administrators can set a very long lifetime for the certificates.


Chapter 7: Implementing Virtual Private Networks

What is a VPN?

- Virtual: Information within a private network is transported over a public network.
- Private: The traffic is encrypted to keep the data confidential.

Layer 3 VPN
- Generic routing encapsulation (GRE)
- Multiprotocol Label Switching (MPLS)
- IPSec


Types of VPN Networks

Site-to-Site VPN

Remote-Access VPNs


VPN Client Software
- In a remote-access VPN, each host typically has Cisco VPN Client software

Cisco IOS SSL VPN
- Provides remote-access connectivity from any Internet-enabled host
- Uses a web browser and SSL encryption
- Delivers two modes of access: Clientless, Thin client

Product Choice
Products: Cisco VPN-Enabled Router, Cisco PIX 500 Series Security Appliances, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco VPN 3000 Series Concentrators, Home Routers
Remote-Access VPN: Sec<br>ondary role, Secondary role, Primary role
Site-to-Site VPN: Primary role, Primary role, Secondary role
Primary role, Primary role, Secondary role

GRE VPN Overview

Encapsulation
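What "encapsulation" means for a GRE tunnel is a fixed byte layout: an outer IPv4 header carrying protocol number 47, a four-byte GRE header (RFC 2784 with no optional fields: C bit clear, version 0, Protocol Type 0x0800 for IPv4), and then the original packet unchanged. The Python below is an added example, not Cisco code and not from these notes; it builds and unpacks that layout with struct, verifies the outer header checksum on the way back, and uses constructed addresses. Note that GRE only tunnels; it does not encrypt, so the "private" part of the VPN definition above still has to come from IPsec.

```python
"""GRE encapsulation and decapsulation in pure Python (added example, not Cisco code).
Outer IPv4 header (protocol 47) + 4-byte GRE header (RFC 2784, no optional fields)
+ the original IP packet. GRE tunnels but does not encrypt. Addresses are constructed."""
import ipaddress
import struct

GRE_PROTO = 47            # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an encapsulated IPv4 packet


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; verifying a header yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Tunnel endpoint addresses go in the outer header; the inner packet rides as payload."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C=0 (no checksum), version 0, protocol type
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer and GRE headers at the far tunnel endpoint, return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x7:                                # low 3 bits: GRE version, must be 0
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported encapsulated protocol")
    gre_len = 4 + (4 if flags & 0x8000 else 0)     # Checksum + Reserved1 follow when C is set
    return packet[ihl + gre_len:]


if __name__ == "__main__":
    # Constructed inner packet: IPv4 header (protocol 1 = ICMP) plus 8 payload bytes.
    inner = ipv4_header("192.168.1.5", "192.168.2.7", 1, 8) + b"\x08\x00" + bytes(6)
    tunneled = gre_encapsulate("203.0.113.1", "198.51.100.1", inner)
    print(len(inner), "inner bytes ->", len(tunneled), "bytes on the wire")
    print("round trip ok:", gre_decapsulate(tunneled) == inner)
```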


IPSec Topology
- Works at the network layer, protecting and authenticating IP packets.
- It is a framework of open standards which is algorithm-independent.
- It provides data confidentiality, data integrity, and origin authentication.

IPSec Framework

Pre-shared Key (PSK)
1. At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I.
2. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
3. The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R.
4. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
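The two-direction PSK exchange described above, as an added Python model (not Cisco's IKE implementation and not code from these notes). hash_I and hash_R are modelled as an HMAC over the peer's identity information keyed with the PSK, which is one reasonable reading of "sent through a hash algorithm"; the challenge nonce each side supplies is an addition not mentioned in the notes, included so that a captured hash cannot simply be replayed. Peer names and the PSK are constructed.

```python
"""Pre-shared-key peer authentication in both directions (added example).
hash_I / hash_R are modelled as HMAC(PSK, identity || nonce); the nonce is an
addition for replay resistance. Not Cisco's IKE code; names and keys constructed."""
import hashlib
import hmac
import secrets
from typing import Tuple


def auth_hash(psk: bytes, identity: bytes, nonce: bytes) -> bytes:
    """Only a holder of the PSK can produce this value for a given identity and nonce."""
    return hmac.new(psk, identity + nonce, hashlib.sha256).digest()


class Peer:
    def __init__(self, identity: str, psk: bytes):
        self.identity = identity.encode()
        self.psk = psk

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def prove(self, nonce: bytes) -> bytes:
        """Form hash_I (or hash_R) from our own identity information and the PSK."""
        return auth_hash(self.psk, self.identity, nonce)

    def verify(self, peer_identity: bytes, nonce: bytes, received: bytes) -> bool:
        """Independently recreate the hash with our copy of the PSK and compare."""
        expected = auth_hash(self.psk, peer_identity, nonce)
        return hmac.compare_digest(expected, received)


def mutual_auth(local: Peer, remote: Peer) -> Tuple[bool, bool]:
    """Returns (local_authenticated_by_remote, remote_authenticated_by_local)."""
    # Direction 1: remote challenges, local answers with hash_I (identity sent alongside)
    n_r = remote.challenge()
    hash_i = local.prove(n_r)
    local_ok = remote.verify(local.identity, n_r, hash_i)
    # Direction 2: local challenges, remote answers with hash_R
    n_l = local.challenge()
    hash_r = remote.prove(n_l)
    remote_ok = local.verify(remote.identity, n_l, hash_r)
    return local_ok, remote_ok


if __name__ == "__main__":
    psk = b"constructed-pre-shared-key"
    print("matching PSK:", mutual_auth(Peer("hq-router", psk), Peer("branch-router", psk)))
    print("mismatched PSK:", mutual_auth(Peer("hq-router", psk), Peer("branch-router", b"wrong")))
```

A mismatched key fails in both directions, and because the nonce changes per run, a hash_I captured from one exchange does not verify in the next one.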


RSA Signatures
1. At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I.
2. hash_I is encrypted using the local device's private encryption key creating a digital signature.
3. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate.
4. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
5. Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated.
6. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.

IPSec Framework Protocols
- Authentication Header
- Encapsulating Security Payload

IKE Phases


IPSec VPN Negotiation

ISAKMP Parameters

Parameter       Keyword     Accepted Values                     Default Value          Description
encryption      des         56-bit Data Encryption Standard     des                    Message encryption algorithm
                3des        Triple DES
                aes         128-bit AES
                aes 192     192-bit AES
                aes 256     256-bit AES
hash            sha         SHA-1 (HMAC variant)                sha                    Message integrity (Hash) algorithm
                md5         MD5 (HMAC variant)
authentication  pre-share   preshared keys                      rsa-sig                Peer authentication method
                rsa-encr    RSA encrypted nonces
                rsa-sig     RSA signatures
group           1           768-bit Diffie-Hellman (DH)         1                      Key exchange parameters (DH group identifier)
                2           1024-bit DH
                5           1536-bit DH
lifetime        seconds     Can specify any number of seconds   86,400 sec (one day)   ISAKMP-established SA lifetime

Telecommuting
- Flexibility in working location and working hours
- Employers save on real-estate, utility and other overhead costs
- Succeeds if program is voluntary, subject to management discretion, and operationally feasible

Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention

Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter related stress

Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations

Comparison of SSL and IPsec

                  SSL                                              IPsec
Applications      Web-enabled applications, file sharing, e-mail   All IP-based applications
Encryption        Moderate: key lengths from 40 bits to 128 bits   Stronger: key lengths from 56 bits to 256 bits
Authentication    Moderate: one-way or two-way authentication      Strong: two-way authentication using shared secrets or digital certificates
Ease of Use       Very high                                        Can be challenging to nontechnical users
Overall Security  Moderate                                         Strong
Types of Access   Any device can connect                           Only specific devices with specific configurations can connect

Cisco Easy VPN
- Negotiates tunnel parameters
- Establishes tunnels according to set parameters
- Automatically creates a NAT / PAT and associated ACLs
- Authenticates users by usernames, group names, and passwords
- Manages security keys for encryption and decryption
- Authenticates, encrypts, and decrypts data through the tunnel
