11 Security Basics

Module 11: Security Basics
www.cisco.com
1999, Cisco Systems, Inc.
Agenda
Why Security? Security Technology

Identity Integrity Active Audit
CSE: Networking FundamentalsSecurity
www.cisco.com
11-2
All Networks Need Security

No matter the company size, security is important
Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
Even small company sites are cracked
www.cisco.com
11-3
Why Security?
Three primary reasons
Policy vulnerabilities Configuration vulnerabilities Technology vulnerabilities
And People Eager to Take Advantage of the Vulnerabilities
www.cisco.com
11-4
Security Threats
telnet company.org username: dan password:
Im Bob. Send Me All Corporate Correspondence with Cisco.
m-y-p-a-s-s-w-o-r-d
d-a-n
Bob
Loss of Privacy
Impersonation
Deposit $1000 Deposit $ 100
CPU
Customer
Bank
Denial of Service
Loss of Integrity
www.cisco.com
1999, Cisco Systems, Inc. 11-5
Security Objective: Balance Business Needs with Risks

Access
Connectivity Performance Ease of Use Manageability Availability
Security
Authentication
Authorization Accounting Assurance
Policy Management
Confidentiality Data Integrity
www.cisco.com
11-6
Network Security Components: Physical Security Analogy

Doors, locks, & guards Keys & badges Surveillance cameras & motion sensors Firewalls & access controls Authentication Intrusion detection system
Complementary mechanisms that together provide in-depth defense

www.cisco.com
11-7
Security Technology
CSE-SecurityBasics
www.cisco.com
3-8
Elements of Security
Identity
Accurately identify users
Determine what users are allowed to do
Integrity
Ensure network availability Provide perimeter security Ensure privacy
Active audit
Recognize network weak spots
Detect and react to intruders
Policy
www.cisco.com
11-9
Security Technology
Identity
CSE-SecurityBasics
www.cisco.com
3-10
Identity
Uniquely and accurately identify users, applications, services, and resources Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
www.cisco.com
11-11
Username/Password
ID/Password ID/Password ID/Password AAA Server PPP PAP Dial-In User
Public Network
Password Network Access Server
Campus
User dials in with password to NAS NAS sends ID/password to AAA server AAA server authenticates user ID/password and tells NAS to accept (or reject) NAS accepts (or rejects) call
www.cisco.com
11-12
PAP and CHAP Authentication

Network Access Server PPP PAP or CHAP Public Network
Password Authentication Protocol (PAP)

Authenticates caller only Passes password in clear text
Challenge Handshake Authentication Protocol (CHAP)

Authenticates both sides Password is encrypted
www.cisco.com
11-13
One-Time Password
Token card Soft token S-Key Public Network
Dial-In User Token or S-Key Server AAA Server Campus
ID/One-Time Password ID/One-Time Password ID/One-Time Password
One-Time Password
Network Access Server
Additional level of security, guards against password guessing and cracking

Prevents spoofing, replay attacks
Single-use password is generated by token card or in software Synchronized central server authenticates user
www.cisco.com
11-14
Authentication, Authorization, and Accounting (AAA)

Tool for enforcing security policy Authentication
Verifies identity Who are you?
123 456 789 0
12 3 45 6 78 9 0
Authorization
Configures integrity What are you permitted to do?
Accounting
Assists with audit What did you do?
www.cisco.com
11-15
AAA Services
Network Access Server
Public Network Dial-In User Internet Internet User AAA Server
TACACS+ RADIUS
ID/User Profile ID/User Profile ID/User Profile
Intercept Connection s Gateway Router Firewall
Campus
Centralized security database High availability Same policy across many access points Per-user access control Single network login Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
www.cisco.com
RADIUS
Re mote Acce ss U se r
Acce ss S e rve r
RAD IU S S e rve r
RADIUS is an industry standardRFC 2138, RFC 2139 Cisco has full IETF RFC implementation Cisco has implemented many nonstandard vendor proprietary attributes Cisco hardware will work well with non-Cisco RADIUS AAA servers Cisco is committed to providing the best RADIUS solution
www.cisco.com
11-17
TACACS+ Authentication
Local or centralized Cisco continues to expand TACACS+ and add features in Cisco IOS 11.3 Cisco customers benefit from additional functionality with CiscoSecure server of both TACACS+ and RADIUS Cisco enterprise customers continue to ask for TACACS+ features
Username/Password Additional Information TACACS Database
TACACS
www.cisco.com
11-18
Lock-and-Key Security
Authorized User
Internet
Corporate Site Non-Authorized User
Dynamically assigns access control lists on a per-user basis Allows a remote host to access a local host via the Internet Allows local hosts to access a host on a remote network
www.cisco.com
11-19
Calling Line Identification

Compare with Known Numbers Call Setup Message with Local ISDN Numbers
1234
Accept Call
Station ISDN Number A 1234
ISDN Station A
PPP CHAP Authentication (Optional)
www.cisco.com
11-20
User Authentication with Kerberos

Remote User (Kerberos Principal) Encrypted Service Credential ?
Kerberos Server
Kerberos Credential (Ticket)
Kerberized Router
Mail Server
Authenticates users and the network services they use Uses tickets or credentials issued by a trusted Kerberos server
Limited life span; can be used in place of standard user/password mechanism
www.cisco.com
11-21
How Public Key Works

Public Key
WAN Private Key Private Key Public Key
By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them
DES
www.cisco.com
11-22
Digital Signatures
Bobs Document Bobs Document
Bobs Private Key Hash
Hash
Bobs Public Key
Same? Encrypt Message Hash Decrypt
Digital Signature
Message Hash
If verification is successful, document has not been altered

www.cisco.com
11-23
Certificate Authority
BANK
?
CA
Internet
CA
Certificate Authority (CA) verifies identity CA signs digital certificate containing devices public key Certificate equivalent to an ID card Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
www.cisco.com
11-24
Network Address Translation

SA 10.0.0.1 SA 171.69.58.8
Internet
Inside Local IP Address 10.0.0.1 10.0.0.2
Inside Global IP Address 171.69.58.80 171.69.58.81
10.0.0.1
Provides dynamic or static translation of private addresses to registered IP addresses Eliminates readdressing overheadLarge admin. cost benefit Conserves addressesHosts can share a single registered IP address for all external communications via port-level multiplexing Permits use of a single IP address range in multiple intranets Hides internal addresses Augmented by EasyIP DHCP host function
www.cisco.com
11-25
Security Technology
Integrity
CSE-SecurityBasics
www.cisco.com
3-26
IntegrityNetwork Availability
Ensure the network infrastructure remains available

TCP Intercept, route authentication
www.cisco.com
11-27
TCP Intercept
Request Intercepted Connection Established
Connection Transferred
Protects networks against denial of service attacks TCP SYN flooding can overwhelm server and cause it to deny service, exhaust memory, or waste processor cycles TCP Intercept protects network by intercepting TCP connection requests and replying on behalf of the destination Can be configured to passively monitor TCP connection requests and respond if connection fails to be established in a configurable interval
www.cisco.com
11-28
Route Authentication
Home Gateway
Internet
Trusted Source
Enables routers to identify one another and verify each others legitimacy before accepting route updates Ensures that routers receive legitimate update information from a trusted source
www.cisco.com
11-29
IntegrityPerimeter Security
Control access to critical network applications, data, and services

Access control lists, firewall technologies, content filtering, CBAC, authentication
www.cisco.com
11-30
Access Lists
Standard
Filter source address only Permit/deny entire protocol suite
Extended
Filter source, destination addresses Inbound or outbound Port number Permit/deny specific protocols Reflexive Time-based
www.cisco.com
11-31
Policy Enforcement Using Access Control Lists

Home Gateway
Internet
Inbound Telnet Stopped Here
Ability to stop or reroute traffic based on packet characteristics Access control on incoming or outgoing interfaces Works together with NetFlow to provide high-speed enforcement on network access points Violation logging provides useful information to network managers
www.cisco.com
11-32
Importance of Firewalls
Permit secure access to resources Protect networks from:
Unauthorized intrusion from both external and internal sources Denial of service (DOS) attacks
www.cisco.com
11-33
What Is a Firewall?
All traffic from inside to outside and vice versa must pass through the firewall Only authorized traffic, as defined by the local security policy, is allowed in or out The firewall itself is immune to penetration
www.cisco.com
11-34
Packet-Filtering Routers
Users
Protected Network Router with ACLs
Users
ISP and Internet

Micro W ebserver
zip
E-mail Server
100
Micro Webserver
Web Server
Public Access
www.cisco.com
11-35
Proxy Service
Provides user-level security Most effective when used with packet filtering
Internet/ Intranet
Proxy Server
Internal Network
www.cisco.com
11-36
Stateful Sessions
Firewall Mail WWW Server Server
Highest performance security Maintains complete session state Connection oriented

Tracks complete connection Establishment and termination
Internet
Strong audit capability Easy to add new applications

www.cisco.com
11-37
Performance Requirements
Company Network
.5 5 1 10 20
Meg
Per/Sec
40
Internet
Video Audio Private link Web commerce
www.cisco.com
11-38
IntegrityPrivacy
Provide authenticated private communication on demand

VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
www.cisco.com
11-39
Encryption and Decryption

Clear Text Clear Text
Encryption
Decryption
Cipher Text
www.cisco.com
11-40
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy Data protected with network encryption, digital certification, and device authentication
Implemented transparently in network infrastructure Includes routers, firewalls, PCs, and servers Scales from small to very large networks
www.cisco.com
11-41
IPSec Everywhere!
Router to Firewall
Router to Router
PC to Firewall
PC to Router PC to Server
www.cisco.com
11-42
IKEInternet Key Exchange

Automatically negotiates policy to protect communication Authenticated Diffie-Hellman key exchange Negotiates (possibly multiple) security associations for IPSec
3DES, MD5, and RSA Signatures, OR IDEA, SHA, and DSS Signatures, OR Blowfish, SHA, and RSA Encryption
IDEA, SHA, and DSS Signatures
IKE Policy Tunnel

www.cisco.com
11-43
How IPSec Uses IKE

1. Outbound packet from Alice to BobNo IPSec security association yet
4. Packet is sent from Alice to Bob protected by IPSec SA
Router A
Router B
IKE
Router A
IKE Tunnel
IKE
Router B
2. Router As IKE begins negotiation with router Bs IKE

3. Negotiation complete; router A and router B now have complete IPSec SAs in place
www.cisco.com
EncryptionDES and 3DES

Widely adopted standard Encrypts plain text, which becomes cyphertext DES performs 16 rounds Triple DES (3DES)
The 56-bit DES algorithm runs three times 112-bit triple DES includes two keys 168-bit triple DES includes three keys
Accomplished on a VPN client, server, router, or firewall

www.cisco.com
11-45
Breaking DES Keys

Exhaustive search is the only way to break DES keys (so far) Would take hundreds of years on fastest general purpose computers (56-bit DES)
Specialized computer would cost $1,000,000 but could crack keys in 35 minutes (Source: M.J. Wiener)
Internet enables multiple computers to work simultaneously Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
www.cisco.com
11-46
Security Technology
Active Audit
CSE-SecurityBasics
www.cisco.com
3-47
Why Active Audit?

The hacker might be an employee or trusted partner
Up to 80% of security breaches come from the inside (Source: FBI)
Your defense might be ineffective

One out of every three intrusions occur where a firewall is in place (Source: Computer Security Institute)
Your employees might make mistakes

Misconfigured firewalls, servers, etc.
Your network will grow and change

Each change introduces new security risks
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems
www.cisco.com
11-48
Why Active Audit?

Network security requires a layered defense
Point security PLUS active systems to measure vulnerabilities and monitor for misuse Network perimeter and the intranet
Security is an ongoing, operational process

Must be constantly measured, monitored, and improved
www.cisco.com
11-49
Active AuditNetwork Vulnerability Assessment

Assess and report on the security status of network components
Scanning (active, passive), vulnerability database
www.cisco.com
11-50
Active AuditIntrusion Detection System

Identify and react to known or suspected network intrusion or anomalies
Passive promiscuous monitoring Database of threats or suspect behavior Communication infrastructure or access control changes
www.cisco.com
11-51
IDS Attack Detection
Ping of Death
Context: (Header)
Port Sweep SYN Attack TCP Hijacking Telnet Attacks Character Mode Attacks
Composite Multiple Packets
Land Attack
Content: (Data)
MS IE Attack
DNS Attacks
Atomic Single Packet
www.cisco.com
Active Audit
Actively audit and verify policy Detect intrusion and anomalies Report
UNIVERSAL PASSPORT
Kdkfldkaloee kjfkjajjakjkjkjkajkjfiejijgkd kdjfkdkdkdkddfkdjfkdjkdkd kfjdkkdjkfd kfjdkfjdkjkdjkdjkaj kjfdkjfkdjkfjkjajjajdjfla kjdfkjeiieie fkeieooei
************************ USA
Kjkjkjdgdk kjdkjfdkI kdfjkdj IkejkejKkdkd fdKKjkdjd KjkdjfkdKjkd Kjdkfjkdj Kjdk
************************
UNIVERSAL PASSPORT
www.cisco.com
11-53
Summary
Security is a mission-critical business requirement for all networks Security requires a global, corporate-wide policy Security requires a multilayered implementation
www.cisco.com
11-54
Presentation_ID
www.cisco.com
55

11 Security Basics

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

11 Security Basics

Uploaded by

Copyright:

Available Formats

Module 11: Security Basics

1999, Cisco Systems, Inc.

Why Security? Security Technology

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

All Networks Need Security

1999, Cisco Systems, Inc.

And People Eager to Take Advantage of the Vulnerabilities

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

Security Objective: Balance Business Needs with Risks

Confidentiality Data Integrity

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

Network Security Components: Physical Security Analogy

Complementary mechanisms that together provide in-depth defense

1999, Cisco Systems, Inc.

1999, Cisco Systems, Inc.

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

1999, Cisco Systems, Inc.

1999, Cisco Systems, Inc.

1999, Cisco Systems, Inc.

PAP and CHAP Authentication

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

1999, Cisco Systems, Inc.

Network Access Server

Additional level of security, guards against password guessing and cracking

1999, Cisco Systems, Inc.

Authentication, Authorization, and Accounting (AAA)

1999, Cisco Systems, Inc.

Intercept Connection s Gateway Router Firewall

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

Corporate Site Non-Authorized User

1999, Cisco Systems, Inc.

Calling Line Identification

Station ISDN Number A 1234

PPP CHAP Authentication (Optional)

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

User Authentication with Kerberos

Kerberos Credential (Ticket)

1999, Cisco Systems, Inc.

How Public Key Works

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.

Bobs Private Key Hash

Same? Encrypt Message Hash Decrypt

If verification is successful, document has not been altered

1999, Cisco Systems, Inc.

1999, Cisco Systems, Inc.

Network Address Translation

Inside Local IP Address 10.0.0.1 10.0.0.2

Inside Global IP Address 171.69.58.80 171.69.58.81

1999, Cisco Systems, Inc.

1999, Cisco Systems, Inc.

Ensure the network infrastructure remains available

CSE: Networking FundamentalsSecurity

1999, Cisco Systems, Inc.