Professional Documents
Culture Documents
www.cisco.com
Agenda
www.cisco.com
11-2
Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
Even small company sites are cracked
CSE: Networking FundamentalsSecurity
www.cisco.com
11-3
Why Security?
Three primary reasons
Policy vulnerabilities Configuration vulnerabilities Technology vulnerabilities
www.cisco.com
11-4
Security Threats
telnet company.org username: dan password:
Im Bob. Send Me All Corporate Correspondence with Cisco.
m-y-p-a-s-s-w-o-r-d
d-a-n
Bob
Loss of Privacy
Impersonation
Deposit $1000 Deposit $ 100
CPU
Customer
Bank
Denial of Service
CSE: Networking FundamentalsSecurity
Loss of Integrity
www.cisco.com
1999, Cisco Systems, Inc. 11-5
Security
Authentication
Authorization Accounting Assurance
Policy Management
www.cisco.com
11-6
www.cisco.com
11-7
Security Technology
CSE-SecurityBasics
www.cisco.com
3-8
Elements of Security
Identity
Accurately identify users
Determine what users are allowed to do
Integrity
Ensure network availability Provide perimeter security Ensure privacy
Active audit
Recognize network weak spots
Detect and react to intruders
Policy
www.cisco.com
11-9
Security Technology
Identity
CSE-SecurityBasics
www.cisco.com
3-10
Identity
Uniquely and accurately identify users, applications, services, and resources Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
CSE: Networking FundamentalsSecurity
www.cisco.com
11-11
Username/Password
ID/Password ID/Password ID/Password AAA Server PPP PAP Dial-In User
Public Network
Password Network Access Server
Campus
User dials in with password to NAS NAS sends ID/password to AAA server AAA server authenticates user ID/password and tells NAS to accept (or reject) NAS accepts (or rejects) call
CSE: Networking FundamentalsSecurity
www.cisco.com
11-12
www.cisco.com
11-13
One-Time Password
Token card Soft token S-Key Public Network
Dial-In User Token or S-Key Server AAA Server Campus
ID/One-Time Password ID/One-Time Password ID/One-Time Password
One-Time Password
Single-use password is generated by token card or in software Synchronized central server authenticates user
CSE: Networking FundamentalsSecurity
www.cisco.com
11-14
12 3 45 6 78 9 0
Authorization
Configures integrity What are you permitted to do?
Accounting
Assists with audit What did you do?
CSE: Networking FundamentalsSecurity
www.cisco.com
11-15
AAA Services
Network Access Server
Public Network Dial-In User Internet Internet User AAA Server
TACACS+ RADIUS
ID/User Profile ID/User Profile ID/User Profile
Campus
Centralized security database High availability Same policy across many access points Per-user access control Single network login Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
www.cisco.com
1999, Cisco Systems, Inc. 11-16
RADIUS
Re mote Acce ss U se r
Acce ss S e rve r
RAD IU S S e rve r
RADIUS is an industry standardRFC 2138, RFC 2139 Cisco has full IETF RFC implementation Cisco has implemented many nonstandard vendor proprietary attributes Cisco hardware will work well with non-Cisco RADIUS AAA servers Cisco is committed to providing the best RADIUS solution
CSE: Networking FundamentalsSecurity
www.cisco.com
11-17
TACACS+ Authentication
Local or centralized Cisco continues to expand TACACS+ and add features in Cisco IOS 11.3 Cisco customers benefit from additional functionality with CiscoSecure server of both TACACS+ and RADIUS Cisco enterprise customers continue to ask for TACACS+ features
Username/Password Additional Information TACACS Database
TACACS
www.cisco.com
11-18
Lock-and-Key Security
Authorized User
Internet
Dynamically assigns access control lists on a per-user basis Allows a remote host to access a local host via the Internet Allows local hosts to access a host on a remote network
CSE: Networking FundamentalsSecurity
www.cisco.com
11-19
ISDN Station A
www.cisco.com
11-20
Kerberos Server
Kerberized Router
Mail Server
Authenticates users and the network services they use Uses tickets or credentials issued by a trusted Kerberos server
Limited life span; can be used in place of standard user/password mechanism
CSE: Networking FundamentalsSecurity
www.cisco.com
11-21
By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them
DES
www.cisco.com
11-22
Digital Signatures
Bobs Document Bobs Document
Hash
Bobs Public Key
Digital Signature
Message Hash
www.cisco.com
11-23
Certificate Authority
BANK
?
CA
Internet
CA
Certificate Authority (CA) verifies identity CA signs digital certificate containing devices public key Certificate equivalent to an ID card Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
CSE: Networking FundamentalsSecurity
www.cisco.com
11-24
Internet
10.0.0.1
Provides dynamic or static translation of private addresses to registered IP addresses Eliminates readdressing overheadLarge admin. cost benefit Conserves addressesHosts can share a single registered IP address for all external communications via port-level multiplexing Permits use of a single IP address range in multiple intranets Hides internal addresses Augmented by EasyIP DHCP host function
CSE: Networking FundamentalsSecurity
www.cisco.com
11-25
Security Technology
Integrity
CSE-SecurityBasics
www.cisco.com
3-26
IntegrityNetwork Availability
www.cisco.com
11-27
TCP Intercept
Request Intercepted Connection Established
Connection Transferred
Protects networks against denial of service attacks TCP SYN flooding can overwhelm server and cause it to deny service, exhaust memory, or waste processor cycles TCP Intercept protects network by intercepting TCP connection requests and replying on behalf of the destination Can be configured to passively monitor TCP connection requests and respond if connection fails to be established in a configurable interval
CSE: Networking FundamentalsSecurity
www.cisco.com
11-28
Route Authentication
Home Gateway
Internet
Trusted Source
Enables routers to identify one another and verify each others legitimacy before accepting route updates Ensures that routers receive legitimate update information from a trusted source
CSE: Networking FundamentalsSecurity
www.cisco.com
11-29
IntegrityPerimeter Security
www.cisco.com
11-30
Access Lists
Standard
Filter source address only Permit/deny entire protocol suite
Extended
Filter source, destination addresses Inbound or outbound Port number Permit/deny specific protocols Reflexive Time-based
CSE: Networking FundamentalsSecurity
www.cisco.com
11-31
Ability to stop or reroute traffic based on packet characteristics Access control on incoming or outgoing interfaces Works together with NetFlow to provide high-speed enforcement on network access points Violation logging provides useful information to network managers
CSE: Networking FundamentalsSecurity
www.cisco.com
11-32
Importance of Firewalls
Permit secure access to resources Protect networks from:
Unauthorized intrusion from both external and internal sources Denial of service (DOS) attacks
CSE: Networking FundamentalsSecurity
www.cisco.com
11-33
What Is a Firewall?
All traffic from inside to outside and vice versa must pass through the firewall Only authorized traffic, as defined by the local security policy, is allowed in or out The firewall itself is immune to penetration
CSE: Networking FundamentalsSecurity
www.cisco.com
11-34
Packet-Filtering Routers
Users
Users
zip
E-mail Server
100
Micro Webserver
Web Server
Public Access
www.cisco.com
11-35
Proxy Service
Provides user-level security Most effective when used with packet filtering
Internet/ Intranet
Proxy Server
Internal Network
CSE: Networking FundamentalsSecurity
www.cisco.com
11-36
Stateful Sessions
Firewall Mail WWW Server Server
Internet
www.cisco.com
11-37
Performance Requirements
Company Network
.5 5 1 10 20
Meg
Per/Sec
40
Internet
Video Audio Private link Web commerce
www.cisco.com
11-38
IntegrityPrivacy
www.cisco.com
11-39
Encryption
Decryption
Cipher Text
CSE: Networking FundamentalsSecurity
www.cisco.com
11-40
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy Data protected with network encryption, digital certification, and device authentication
Implemented transparently in network infrastructure Includes routers, firewalls, PCs, and servers Scales from small to very large networks
CSE: Networking FundamentalsSecurity
www.cisco.com
11-41
IPSec Everywhere!
Router to Firewall
Router to Router
PC to Firewall
PC to Router PC to Server
CSE: Networking FundamentalsSecurity
www.cisco.com
11-42
www.cisco.com
11-43
Router A
Router B
IKE
Router A
IKE Tunnel
IKE
Router B
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
www.cisco.com
1999, Cisco Systems, Inc. 11-44
www.cisco.com
11-45
Internet enables multiple computers to work simultaneously Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
CSE: Networking FundamentalsSecurity
www.cisco.com
11-46
Security Technology
Active Audit
CSE-SecurityBasics
www.cisco.com
3-47
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems
CSE: Networking FundamentalsSecurity
www.cisco.com
11-48
www.cisco.com
11-49
www.cisco.com
11-50
www.cisco.com
11-51
Ping of Death
Context: (Header)
Port Sweep SYN Attack TCP Hijacking Telnet Attacks Character Mode Attacks
Composite Multiple Packets
1999, Cisco Systems, Inc. 11-52
Land Attack
Content: (Data)
MS IE Attack
DNS Attacks
Atomic Single Packet
www.cisco.com
Active Audit
Actively audit and verify policy Detect intrusion and anomalies Report
UNIVERSAL PASSPORT
Kdkfldkaloee kjfkjajjakjkjkjkajkjfiejijgkd kdjfkdkdkdkddfkdjfkdjkdkd kfjdkkdjkfd kfjdkfjdkjkdjkdjkaj kjfdkjfkdjkfjkjajjajdjfla kjdfkjeiieie fkeieooei
************************ USA
Kjkjkjdgdk kjdkjfdkI kdfjkdj IkejkejKkdkd fdKKjkdjd KjkdjfkdKjkd Kjdkfjkdj Kjdk
************************
UNIVERSAL PASSPORT
www.cisco.com
11-53
Summary
Security is a mission-critical business requirement for all networks Security requires a global, corporate-wide policy Security requires a multilayered implementation
www.cisco.com
11-54
Presentation_ID
www.cisco.com
55