Cisco Network Security – IPSec VPN & FW, IPS:
Implementing Secure Converged Wide Area Networks (ISCW) & CCNA Security
Outline
- Network Threats
- IPSec VPN
  - VPN Overview
  - IPsec Overview
  - ESP and AH
  - Internet Key Exchange
  - Message Authentication and Integrity Check
  - Symmetric vs. Asymmetric Encryption Algorithms
  - PKI Environment
  - Summary
- Firewall
- IPS (Intrusion Prevention System)
Network Threats
Threat Capabilities—More Dangerous and Easier to Use
(Figure: network threats, showing a compromised host)
Four Classes of Network Attacks
- Reconnaissance attacks
- Access attacks
- Denial of service attacks
- Worms, viruses, and Trojan horses
Reconnaissance Attacks (resource survey / scouting)
- Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.
Packet Sniffers
(Figure: packet sniffer between Host A and Host B across Router A and Router B)
Packet Sniffer Mitigation
(Figure: the same Host A / Host B topology across Router A and Router B with mitigation applied)
IP Spoofing
- IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
- Two general techniques are used during IP spoofing:
  - A hacker uses an IP address that is within the range of trusted IP addresses.
  - A hacker uses an authorized external IP address that is trusted.
- Uses for IP spoofing include the following:
  - IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
  - A hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.
IP Spoofing Mitigation
- The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
  - Access control—The most common method for preventing IP spoofing is to properly configure access control.
  - RFC 2827 filtering—You can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range.
  - Additional authentication that does not use IP-based authentication—Examples of this include the following:
    - Cryptographic (recommended)
    - Strong, two-factor, one-time passwords
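As an added example (not from the slides), the RFC 2827 rule above as a small Python filter model; it also applies the mirror-image inbound check that access control would enforce, dropping an outside packet that claims one of our own addresses. The organisation prefix 203.0.113.0/24 and the sample packets are constructed.

```python
"""Added example: RFC 2827 egress filtering plus the matching ingress check.
Assumes a constructed organisation prefix and constructed sample traffic."""
import ipaddress
from typing import Iterable

# Constructed: the address block this organisation owns.
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_internal(src: str, prefixes: Iterable[ipaddress.IPv4Network] = ORG_PREFIXES) -> bool:
    """True when the source address lies inside one of our own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def rfc2827_decision(direction: str, src: str) -> str:
    """Decide permit/deny for a packet at the border router.

    direction: "outbound" (leaving our network) or "inbound" (arriving
    from the Internet).  Outbound packets must carry one of our own
    source addresses (RFC 2827 egress filtering, so our network cannot be
    used to spoof other networks); inbound packets claiming an internal
    source are the 'address within the trusted range' case and are
    dropped (ingress filtering done with access control).
    """
    internal = is_internal(src)
    if direction == "outbound":
        return "permit" if internal else "deny"
    if direction == "inbound":
        return "deny" if internal else "permit"
    raise ValueError(f"unknown direction {direction!r}")


def filter_log(lines: Iterable[str]) -> list:
    """Apply the filter to constructed 'direction src dst' log lines and
    return (direction, src, decision) per line."""
    out = []
    for line in lines:
        direction, src, _dst = line.split()
        out.append((direction, src, rfc2827_decision(direction, src)))
    return out


# Constructed sample traffic as seen at the border router.
SAMPLE = [
    "outbound 203.0.113.25 198.51.100.7",   # legitimate outbound
    "outbound 198.51.100.99 198.51.100.7",  # spoofed source leaving us
    "inbound 198.51.100.7 203.0.113.25",    # legitimate inbound
    "inbound 203.0.113.9 203.0.113.25",     # outsider claiming our address
]

if __name__ == "__main__":
    for direction, src, verdict in filter_log(SAMPLE):
        print(f"{direction:8} {src:16} {verdict}")
```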
DoS Attacks
DDoS Attack Example
Password Attacks
Password Attack Example
Man-in-the-Middle Attacks
(Figure: Host A and Host B exchanging data in clear text across Router A and Router B)
- A man-in-the-middle attack requires that the hacker have access to network packets that come across a network.
- A man-in-the-middle attack is implemented using the following:
  - Network packet sniffers
  - Routing and transport protocols
- Possible man-in-the-middle attack uses include the following:
  - Theft of information
  - Hijacking of an ongoing session
  - Traffic analysis
  - DoS
  - Corruption of transmitted data
  - Introduction of new information into network sessions
Man-in-the-Middle Mitigation
(Figure: IPSec tunnel between Host A and Host B; a man-in-the-middle attack can only see cipher text)
Application Layer Attacks
Trust Exploitation
(Figure: hacker exploiting a trust relationship; User = psmith; Pat Smithson)
Port Redirection
Unauthorized Access
Virus and Trojan Horses
- A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.
Sophistication of Threats
Network Security “Threat”
- A potential danger to information or a system
- An example: the ability to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network
- There may be weaknesses that greatly increase the likelihood of a threat manifesting
- Threats may include equipment failure, structured attacks, natural disasters, physical attacks, theft, viruses and many other potential events causing danger or damage

- Impersonation
- Eavesdropping
- Denial-of-service
- Packet replay
- Man-in-the-middle
- Packet modification
Types of Attacks
Structured attack
Come from hackers who are more highly motivated and technically
competent. These people know system vulnerabilities and can
understand and develop exploit code and scripts. They understand,
develop, and use sophisticated hacking techniques to penetrate
unsuspecting businesses. These groups are often involved with the
major fraud and theft cases reported to law enforcement agencies.
Unstructured attack
Consists of mostly inexperienced individuals using easily available
hacking tools such as shell scripts and password crackers. Even
unstructured threats that are only executed with the intent of testing
and challenging a hacker’s skills can still do serious damage to a
company.
Types of Attacks
External attacks
Initiated by individuals or groups working outside of a company. They
do not have authorized access to the computer systems or network.
They gather information in order to work their way into a network
mainly from the Internet or dialup access servers.
Internal attacks
More common and dangerous. Internal attacks are initiated by
someone who has authorized access to the network. According to the
FBI, internal access and misuse account for 60 to 80 percent of
reported incidents. These attacks often are traced to disgruntled
employees.
Types of Attacks
- Passive Attack
  - Listen to system passwords
  - Release of message content
  - Traffic analysis
  - Data capturing
- Active Attack
  - Attempt to log into someone else’s account
  - Wire taps
  - Denial of services
  - Masquerading
  - Message modifications

- ARP Attack
- Brute Force Attack
- Worms
- Flooding
- Sniffers
- Spoofing
- Redirected Attacks
- Tunneling Attack
- Covert Channels
Denial-of-Service Facts
Denial-of-Service Example
Types of Denial-of-Service Attacks
DoS - SYN Flood Attack
- When connection sessions are initiated between a client and server in a network, a very small space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up a session.
- The session-establishing packets include a SYN field that identifies the sequence order.
- To cause this kind of attack, an attacker can send many packets, usually from a spoofed address, thus ensuring that no response is sent.
DoS - Smurf Attack
DoS - Email Attacks
DoS - Viruses/Worms
Packet Sniffing Attacks
Social Engineering Attacks
- Hacker-speak for tricking a person into revealing some confidential information
- Social Engineering is defined as an attack based on deceiving users or administrators at the target site
- Done to gain illicit access to systems or useful information
- The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.
VPN Overview
(Figures: VPN overview)
VPN usage scenarios
VPN Overview
- There are many different approaches to securing your network.
- Application layer scenario
  - Almost any web banking scenario.
  - Access your web banking from any PC in the world.
  - Creates an SSL connection between two applications and transports the data.
  - As long as web browser and web server have the same standard implementation of SSL.
  - Disadvantage: Software based encryption which adds processing time and additional CPU cycles.
- Another solution: Data Link Layer encryption
  - Solves the problems of using CPU cycles on the PC.
  - Does not allow you to scale to an ISP-sized environment very easily.
  - Everything from Layer 2 through Layer 7 is encrypted including the network address.
  - Makes it impossible to route the packet until the information is decrypted.
  - Can’t use if crossing any type of public WAN.
- Another solution: Encryption at network and transport layers.
  - Examples: CET (Cisco Encryption Technology) and IPSec
  - Disadvantage of CET: proprietary (only Cisco equipment)
  - Three necessary components to a good VPN and part of IPSec:
    1. Authentication
    2. Data Integrity
    3. Payload encryption
Encryption Algorithms
(Figures: symmetrical and asymmetrical encryption algorithms)
Hashing
Diffie-Hellman algorithm
(Figure: Diffie-Hellman exchange of the public values YA and YB)
IPsec Overview
What Is IPsec?
Is an IETF standard that employs cryptographic mechanisms on the network layer:
- Authentication of every IP packet
- Verification of data integrity for each packet
- Confidentiality of packet payload
Consists of open standards for securing private communications
Scales from small to very large networks
Is available in Cisco IOS software version 11.3(T) and later
Is included in PIX Firewall version 5.0 and later
IPSec Overview
AH – Authentication Header
- AH provides:
  - data integrity
  - authentication
- Does not provide encryption
- Uses a keyed one-way hash function (an HMAC) to guarantee data integrity and origin of the packet.
- Entire IP packet put through the one-way hash.
- Includes the IP header, which could lead to problems.
- TTL must be “zeroized” to give a “standard header”.
- Produces a new AH header for the packet to be transmitted.
- AH may be applied alone or in combination with the IP ESP.
ESP – Encapsulating Security Protocol
IPsec Protocols
IPsec Headers
Peer Authentication
ESP and AH
IPsec protocols: ESP or AH
- ESP uses IP protocol number 50
- AH uses IP protocol number 51
IPsec modes: tunnel or transport mode
- Tunnel mode creates a new IP header
- Transport mode authenticates the whole packet
ESP and AH Header
ESP Protocol
Tunnel Mode versus Transport Mode
(Figure: AH and ESP headers in transport mode; authenticated header and data, everything is authenticated)
- Transport mode
  - Current IP header has been used in the hashing algorithm and therefore cannot be changed from sender to receiver.
  - If the packet goes through any device that performs NAT/PAT, then a portion of the IP header is changed and you will never get the same hash output, because of different inputs at the sender and receiver ends.
  - Therefore, the packet will never be validated at the receiving end.
Transport Mode
(Figure: AH and ESP headers in transport mode; everything is authenticated)
- Transport mode
  - Should only be used if:
    - You have control of the network from end to end
    - Guarantee no IP packet manipulation will take place.
Tunnel Mode
(Figure: new IP header, AH header, ESP header and the original packet in tunnel mode; everything is authenticated)
- Tunnel mode
  - A new IP header is used from gateway device to gateway device, and the original packet is tunneled inside.
  - Once the receiving end receives the packet:
    - Removes the new IP header
    - Decrypts original header
    - A new tunnel header can be added, which can get manipulated (NAT) throughout the network without affecting the tunneled protocol.
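The NAT failure described in the transport-mode and tunnel-mode slides above, as an added Python model that is not from the slides: an integrity check whose input is the IP header with TTL and checksum zeroized, run once over the routed header (transport mode) and once over an inner packet wrapped in an outer header the hash does not cover (tunnel mode). Key, addresses and payload are constructed, and no real AH/ESP header layout is modelled; note that AH in tunnel mode does cover the new outer header, so the tunnel case here behaves like ESP tunnel mode, which is the combination that actually survives NAT.

```python
"""Added example: why a header-covering integrity check fails through NAT
in transport mode but not in tunnel mode.  Constructed key and addresses."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed; a real key comes from IKE


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int = 64
    checksum: int = 0


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def standard_header(h: IPv4Header) -> bytes:
    """The 'standard header' that is hashed: mutable fields (TTL, header
    checksum) zeroized, immutable fields (addresses) exactly as sent."""
    return struct.pack("!BH", 0, 0) + ip_to_bytes(h.src) + ip_to_bytes(h.dst)


def icv(h: IPv4Header, payload: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA1 over standard header + payload."""
    return hmac.new(KEY, standard_header(h) + payload, hashlib.sha1).digest()


def verify(h: IPv4Header, payload: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(icv(h, payload), expected)


def router_hop(h: IPv4Header) -> IPv4Header:
    """Ordinary forwarding changes only the mutable fields."""
    return replace(h, ttl=h.ttl - 1, checksum=(h.checksum + 1) & 0xFFFF)


def nat_hop(h: IPv4Header, public_src: str) -> IPv4Header:
    """A NAT/PAT device additionally rewrites the source address."""
    return replace(router_hop(h), src=public_src)


def transport_mode(through_nat: bool) -> bool:
    """Transport mode: the hash covers the very header the network routes,
    so a NAT rewrite changes the receiver's hash input."""
    hdr = IPv4Header("10.1.1.1", "203.0.113.5")
    data = b"constructed payload"
    tag = icv(hdr, data)
    arrived = nat_hop(hdr, "198.51.100.1") if through_nat else router_hop(hdr)
    return verify(arrived, data, tag)


def tunnel_mode(through_nat: bool) -> tuple:
    """Tunnel mode: the gateway hashes the original (inner) packet and wraps
    it in a new outer header; NAT rewrites only the outer header.  Returns
    (outer source as seen by the receiver, inner packet verified?)."""
    inner = IPv4Header("10.1.1.1", "10.2.2.2")
    data = b"constructed payload"
    tag = icv(inner, data)
    outer = IPv4Header("192.0.2.1", "203.0.113.5")
    outer = nat_hop(outer, "198.51.100.1") if through_nat else router_hop(outer)
    # Receiving gateway strips the outer header and verifies the inner packet.
    return outer.src, verify(inner, data, tag)


if __name__ == "__main__":
    print("transport, no NAT :", transport_mode(False))  # True
    print("transport, via NAT:", transport_mode(True))   # False
    print("tunnel, via NAT   :", tunnel_mode(True))      # ('198.51.100.1', True)
```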
Tunnel Mode versus Transport Mode
SA - Security Associations
Internet Key Exchange
IKE Phases
Phase 1:
- Authenticate the peers
- Negotiate a bidirectional SA
- Main mode or aggressive mode
Phase 1.5:
- Xauth
- Mode config
Phase 2:
- IPsec SAs/SPIs
- Quick mode
IKE Modes
IKE – Internet Key Exchange
- Phase One
  - Used to negotiate policy sets
  - Authenticate peers
  - Create a secure channel between peers
  - Main mode: three different and distinct exchanges take place to add to the security of the tunnel.
  - Aggressive mode: Everything is sent in a single exchange.

Standard policy set:
Parameter              | Strong                 | Stronger
Encryption algorithm   | DES                    | 3DES
Hash algorithm         | MD5                    | SHA-1
Authentication method  | Preshared              | RSA signatures
Key exchange           | Diffie-Hellman group 1 | Diffie-Hellman group 2
IKE SA lifetime        | 86,400 seconds         | Less than 86,400 secs.

- Phase Two
  - Used to:
    - Negotiate the IPSec security parameters
    - Establish SAs
    - Optionally perform Diffie-Hellman key exchanges
  - Has one mode, quick mode, which happens after Phase One.
Preparing for IKE and IPSec
IPSec policy example
- The figure shows a summary of IPSec encryption policy details that will be configured in examples in this module.
- Details about IPSec transforms are covered in a later section in this module.
- The example policy specifies that TCP traffic between the hosts should be encrypted by IPSec using DES.
Message Authentication and Integrity Check
Commonly Used Hash Functions
Symmetric vs. Asymmetric Encryption Algorithms
Symmetric vs. Asymmetric Encryption Algorithms
Symmetric algorithm:
- Secret key cryptography
- Encryption and decryption use the same key
- Typically used to encrypt the content of a message
- Examples: DES, 3DES, AES
Asymmetric algorithm:
- Public key cryptography
- Encryption and decryption use different keys
- Typically used in digital certification and key management
- Example: RSA

Comparable key sizes (security level in symmetric-key bits | RSA key size in bits):
80  | 1,024 → 1,369
112 | 2,048
128 | 3,072
192 | 7,680
256 | 15,360
Security Level of Cryptographic Algorithms
Symmetric Encryption: 3DES
Asymmetric Encryption: RSA
Diffie-Hellman Key Exchange (Cont.)
PKI Environment
Certificate Authority
- The trust basis of a PKI system
- Verifies user identity, issues certificates by binding the identity of a user to a public key with a digital certificate
- Revokes certificates and publishes the Certificate Revocation List (CRL)
- In-house implementation or outsourcing
X.509 v3 Certificate
PKI Credentials
Five Steps of IPsec
Step 2: IKE Phase 1
Diffie-Hellman Key Exchange
Step 3: IKE Phase 2
Security Associations
SA database:
- Destination IP address
- SPI
- Protocol (ESP or AH)
Security policy database:
- Encryption algorithm
- Authentication algorithm
- Mode
- Key lifetime
- SA Lifetime
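The SA database lookup above as an added example (not from the slides): a toy SAD keyed by (destination IP, SPI, protocol), and a parser that reads those three values from a constructed IPv4 packet carrying ESP (protocol 50) or AH (protocol 51). SAD entries, addresses and SPIs are constructed; a packet with no matching SA is dropped (None).

```python
"""Added example: inbound SA selection from a constructed Security
Association Database using the ESP/AH protocol numbers."""
import struct
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers from the ESP and AH slide


@dataclass(frozen=True)
class SecurityAssociation:
    encryption: str        # parameters from the security policy database
    authentication: str
    mode: str              # "tunnel" or "transport"
    lifetime_seconds: int


# Constructed SAD: (destination IP, SPI, protocol) -> SA parameters.
SAD = {
    ("203.0.113.5", 0x1000ABCD, ESP): SecurityAssociation("3DES", "HMAC-SHA-1", "tunnel", 3600),
    ("203.0.113.5", 0x2000ABCD, AH): SecurityAssociation("none", "HMAC-MD5", "transport", 3600),
}


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_packet(src: str, dst: str, proto: int, spi: int) -> bytes:
    """Minimal 20-byte IPv4 header followed by the start of the IPsec header.
    ESP begins with the SPI; AH begins with next-header, payload length and
    a reserved field, with the SPI at offset 4."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    if proto == ESP:
        return ip + struct.pack("!II", spi, 1)              # SPI, sequence number
    if proto == AH:
        return ip + struct.pack("!BBHII", 4, 4, 0, spi, 1)  # next hdr, len, rsvd, SPI, seq
    raise ValueError("not an IPsec protocol")


def lookup_sa(packet: bytes):
    """Return the SA for an inbound packet, or None (drop) if none matches.
    The three lookup keys come straight from the wire: destination address
    and protocol from the IP header, SPI from the ESP/AH header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    if proto == ESP:
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
    elif proto == AH:
        spi = struct.unpack("!I", packet[ihl + 4:ihl + 8])[0]
    else:
        return None  # not IPsec traffic at all
    return SAD.get((dst, spi, proto))


if __name__ == "__main__":
    pkt = build_packet("198.51.100.1", "203.0.113.5", ESP, 0x1000ABCD)
    print(lookup_sa(pkt))  # SecurityAssociation(encryption='3DES', ..., mode='tunnel', ...)
```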
Step 4: IPsec Session
Module 4. Implementing Firewall Technologies
- @ cisco flash v1.0 -
Dongseo University, HoonJae Lee
Firewalls
Benefits of Firewalls
- Prevents exposing sensitive hosts and applications to untrusted users
- Prevent the exploitation of protocol flaws by sanitizing the protocol flow
- A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network.
- Firewalls prevent malicious data from being sent to servers and clients.
- Properly configured firewalls make security policy enforcement simple, scalable, and robust.
Types of Filtering Firewalls
Packet-Filtering Firewall Advantages
Packet-Filtering Firewall Disadvantages
Stateful Firewall
(Figure: stateful firewall between 10.1.1.1 and 200.3.3.3)
Stateful Firewalls Advantages/Disadvantages
- Often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
Design with DMZ
(Figure: zone policies: Private-DMZ Policy, DMZ-Private Policy, Public-DMZ Policy, Private-Public Policy)
- Endpoint security: Provides identity and device security policy compliance
- Perimeter security: Secures boundaries between zones
(Figure labels: Network, Core)
Firewall Best Practices Design Example
(Figure labels: Internet; R2; Cisco Router with IOS Firewall (R1, R3); Serial0/0/0, Serial0/0/1; F0/0, F0/1, F0/5, F0/6, F0/18; S1, S3; PC A; PC C (RADIUS/TACACS+))
Introduction to CBAC
CBAC Capabilities
CBAC Overview
Step-by-Step
(Figure labels: Fa0/0, S0/0/0)
CBAC TCP Handling
CBAC Example
Configuration of CBAC
Four Steps to Configure
- Step 1: Pick an Interface
- Step 2: Configure IP ACLs at the Interface
- Step 3: Define Inspection Rules
- Step 4: Apply an Inspection Rule to an Interface
Module 5. Implementing Intrusion Prevention
- @ cisco flash v1.0 -
(Figure labels: Management Console, Target)
Intrusion Prevention Systems (IPSs)
1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode).
2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
3. The IPS sensor can also send an alarm to a management console for logging and other management purposes.
4. Traffic in violation of policy can be dropped by an IPS sensor.
(Figure labels: Sensor, Bit Bucket, Target, Management Console)
Common characteristics of IDS and IPS
Comparing IDS and IPS Solutions
Promiscuous Mode
- Advantages: No impact on network
- Disadvantages: Response action cannot stop trigger packets
Inline Mode (IPS)
- Advantages: Stops trigger packets
- Disadvantages: Sensor issues might affect network traffic; Sensor overloading impacts the network
Network-Based Implementation
(Figure labels: CSA, MARS, VPN, Remote Worker, Firewall, IPS, Web Server, Email Server, DNS)
Host-Based Implementation
(Figure labels: CSA agents, MARS, VPN, IPS, IronPort, Remote Branch, Web Server, Email Server, DNS)
Cisco Security Agent
(Figure labels: Corporate Network, Application Server, Agent, Firewall, Untrusted Network; video)
Host-Based Solutions
Advantages and Disadvantages of HIPS
Advantages:
- The success or failure of an attack can be readily determined.
- HIPS does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks.
- HIPS has access to the traffic in unencrypted form.
Disadvantages:
- HIPS does not provide a complete network picture.
- HIPS has a requirement to support multiple operating systems.
Network-Based Solutions
(Figure labels: Corporate Network, Sensor, Firewall, Router, Untrusted Network, Management Server, Web Server, DNS Server)
- Integrates IPS into the Cisco 1841 (IPS AIM only), 2800 and 3800 ISR routers
- IPS AIM occupies an internal AIM slot on the router and has its own CPU and DRAM
- Monitors up to 45 Mb/s of traffic
- Provides full-featured intrusion protection
- Is able to monitor traffic from all router interfaces
- Can inspect GRE and IPsec traffic that has been decrypted at the router
- Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network
- Runs the same software image as Cisco IPS Sensor Appliances
Cisco IPS Solutions
ASA AIP-SSM
- High-performance module designed to provide additional security services to the Cisco ASA 5500 Series Adaptive Security Appliance
- Diskless design for improved reliability
- External 10/100/1000 Ethernet interface for management and software downloads
- Intrusion prevention capability
- Runs the same software image as the Cisco IPS Sensor appliances
Cisco Catalyst 6500 Series IDSM-2
IPS Sensors
- Factors that impact IPS sensor selection and deployment:
  - Amount of network traffic
  - Network topology
  - Security budget
  - Available security staff
- Size of implementation
  - Small (branch offices)
  - Large
  - Enterprise
Comparing HIPS and Network IPS
HIPS
- Advantages:
  - Is host-specific
  - Protects host after decryption
  - Provides application-level encryption protection
- Disadvantages:
  - Operating system dependent
  - Lower level network events not seen
  - Host is visible to attackers
Network IPS
- Advantages:
  - Is cost-effective
  - Not visible on the network
  - Operating system independent
  - Lower level network events seen
- Disadvantages:
  - Cannot examine encrypted traffic
  - Does not know whether an attack was successful
Signature Characteristics
Signature Types
- Atomic
  - Simplest form
  - Consists of a single packet, activity, or event
  - Does not require intrusion system to maintain state information
  - Easy to identify
- Composite
  - Also called a stateful signature
  - Identifies a sequence of operations distributed across multiple hosts
  - Signature must maintain a state known as the event horizon
Signature File
Signature Micro-Engines
Atomic (ATOMIC.IP family):
- ATOMIC.ICMP: Provides simple Internet Control Message Protocol (ICMP) alarms based on the following parameters: type, code, sequence, and ID
- ATOMIC.IPOPTIONS: Provides simple alarms based on the decoding of Layer 3 options
- ATOMIC.UDP: Provides simple User Datagram Protocol (UDP) packet alarms based on the following parameters: port, direction, and data length
Service:
- SERVICE.HTTP: Provides HTTP protocol decode-based string engine that includes anti-evasive URL de-obfuscation
- SERVICE.FTP: Provides FTP service special decode alarms
String – Use expression-based patterns to detect intrusions:
- STRING.TCP: Offers TCP regular expression-based pattern inspection engine services
- STRING.UDP: Offers UDP regular expression-based pattern inspection engine services
- STRING.ICMP: Provides ICMP regular expression-based pattern inspection engine services
Multi-String – Supports flexible pattern matching:
- MULTI-STRING: Supports flexible pattern matching and supports Trend Labs signatures
Signature Triggers
Pattern-based Detection
- Advantages: Easy configuration; Fewer false positives; Good signature design
- Disadvantages: No detection of unknown signatures; Initially a lot of false positives; Signatures must be created, updated, and tuned
Pattern-based detection by signature type:
- Atomic signature: No state required to examine pattern to determine if signature action should be applied. Example: Detecting an Address Resolution Protocol (ARP) request that has a source Ethernet address of FF:FF:FF:FF:FF:FF
- Stateful signature: Must maintain state or examine multiple items to determine if signature action should be applied. Example: Searching for the string "confidential" across multiple packets in a TCP session
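The two pattern-based trigger examples from the table above, as an added toy detector in Python that is not from the slides: the ARP check needs no state, while the "confidential" search keeps the last few bytes of each TCP session (its event horizon) so that a string split across two packets is still matched, which a per-packet search misses. All packets are constructed.

```python
"""Added example: an atomic ARP signature and a stateful string signature
run over constructed traffic."""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
NEEDLE = b"confidential"


@dataclass
class Packet:
    kind: str             # "arp" or "tcp"
    eth_src: str
    session: tuple = ()   # (src_ip, src_port, dst_ip, dst_port) for tcp
    payload: bytes = b""
    arp_op: int = 0       # 1 = ARP request


def atomic_arp_signature(pkt: Packet) -> bool:
    """Atomic trigger: the verdict depends on this one packet only."""
    return pkt.kind == "arp" and pkt.arp_op == 1 and pkt.eth_src.lower() == BROADCAST


class StatefulStringSignature:
    """Stateful trigger: keeps the last len(needle)-1 bytes of every TCP
    session (the event horizon) so a string split across packets is seen."""

    def __init__(self, needle: bytes = NEEDLE):
        self.needle = needle
        self.horizon = len(needle) - 1
        self.tail = defaultdict(bytes)      # session -> retained bytes

    def feed(self, pkt: Packet) -> bool:
        if pkt.kind != "tcp":
            return False
        data = self.tail[pkt.session] + pkt.payload
        self.tail[pkt.session] = data[-self.horizon:]
        return self.needle in data


def stateless_string_search(packets: list) -> list:
    """What a per-packet search of the same traffic would report."""
    return [i for i, p in enumerate(packets) if p.kind == "tcp" and NEEDLE in p.payload]


def run(packets: list) -> list:
    """Return alarm labels in order, one per triggering packet."""
    stateful = StatefulStringSignature()
    alarms = []
    for i, pkt in enumerate(packets):
        if atomic_arp_signature(pkt):
            alarms.append(f"{i}:arp-broadcast-source")
        if stateful.feed(pkt):
            alarms.append(f"{i}:confidential-in-tcp-session")
    return alarms


# Constructed traffic: a spoofed ARP request, one session whose string is
# split over two packets with another session's packet in between, and a
# second, benign ARP request.
S1 = ("10.1.1.5", 40000, "10.1.1.9", 80)
S2 = ("10.1.1.6", 40001, "10.1.1.9", 80)
SAMPLE = [
    Packet("arp", "FF:FF:FF:FF:FF:FF", arp_op=1),
    Packet("tcp", "00:11:22:33:44:55", S1, b"GET /report?tag=confi"),
    Packet("tcp", "00:11:22:33:44:55", S2, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "00:11:22:33:44:55", S1, b"dential HTTP/1.0\r\n"),
    Packet("arp", "00:11:22:33:44:55", arp_op=1),
]

if __name__ == "__main__":
    print(run(SAMPLE))                      # ['0:arp-broadcast-source', '3:confidential-in-tcp-session']
    print(stateless_string_search(SAMPLE))  # []
```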
Anomaly-based Detection
Anomaly-based detection by signature type:
- Atomic signature: No state required to identify activity that deviates from normal profile. Example: Detecting traffic that is going to a destination port that is not in the normal profile
- Stateful signature: State required to identify activity that deviates from normal profile. Example: Verifying protocol compliance for HTTP traffic
Policy-based Detection
Honey Pot-based Detection