
Module 11 Security Basics

www.cisco.com

1999, Cisco Systems, Inc.

Agenda

Why Security?
Security Technology
  Identity
  Integrity
  Active Audit


Why Security?

Three primary reasons:
Policy vulnerabilities
Configuration vulnerabilities
Technology vulnerabilities

And people eager to take advantage of the vulnerabilities


Security Threats

Figure: four threat categories, each with an example.
Loss of Privacy: an eavesdropper on the path captures a cleartext telnet login to company.org (username: dan, password: m-y-p-a-s-s-w-o-r-d)
Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
Loss of Integrity: a customer's "Deposit $1000" is altered in transit so the bank receives "Deposit $100"
Denial of Service: the target's CPU is tied up so it can no longer serve legitimate users

Security Objective: Balance Business Needs with Risks

Access
Connectivity
Performance
Ease of Use
Manageability
Availability

Security
Authentication
Authorization
Accounting
Assurance
Confidentiality
Data Integrity

Policy Management


Elements of Security

Identity
Accurately identify users
Determine what users are allowed to do

Integrity
Ensure network availability
Provide perimeter security
Ensure privacy

Active audit
Recognize network weak spots
Detect and react to intruders

Policy


Security Technology
Identity


Username/Password

Figure: a dial-in user authenticates over PPP (PAP or CHAP) across the public network to a network access server (NAS); the NAS forwards the ID/password to a TACACS+ or RADIUS AAA server on the campus.

1. User dials in with password to network access server
2. NAS sends ID/password to AAA server
3. AAA server authenticates user ID/password and tells NAS to accept (or reject)
4. NAS accepts (or rejects) call

PAP and CHAP Authentication

Figure: dial-in user to network access server over PPP (PAP or CHAP) across the public network.

Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
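The difference between the two PPP methods, as an added example that is not part of the original slides: PAP puts the password itself on the link, while CHAP (RFC 1994) answers a fresh random challenge with MD5(Identifier || secret || Challenge), so the secret never travels and a captured response is useless against the next challenge. The shared secret, user name and NAS-side class are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example; a real secret is provisioned per user.
SECRET = b"m-y-p-a-s-s-w-o-r-d"

def pap_authenticate_request(username, password):
    """PAP: the peer sends its ID and password in the clear; anyone on the path reads both."""
    return b"PAP " + username + b":" + password

def chap_response(identifier, secret, challenge):
    """CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge); the secret never travels."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """NAS side (constructed): issues a fresh random challenge per attempt, accepts each once."""
    def __init__(self, secret):
        self._secret = secret
        self._identifier = 0
        self._outstanding = None   # (identifier, challenge) awaiting a response

    def challenge(self):
        self._identifier = (self._identifier + 1) % 256
        self._outstanding = (self._identifier, os.urandom(16))
        return self._outstanding

    def verify(self, identifier, response):
        if self._outstanding is None or identifier != self._outstanding[0]:
            return False                      # no open challenge or stale identifier: a replay
        expected = chap_response(identifier, self._secret, self._outstanding[1])
        self._outstanding = None              # a challenge is consumed whether or not it succeeds
        return hmac.compare_digest(response, expected)

def chap_login(authenticator, secret):
    """One CHAP exchange; returns (accepted, bytes an eavesdropper would see on the link)."""
    ident, chal = authenticator.challenge()
    resp = chap_response(ident, secret, chal)
    on_wire = b"CHAP id=%d challenge=%s response=%s" % (
        ident, chal.hex().encode(), resp.hex().encode())
    return authenticator.verify(ident, resp), on_wire
```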


Authentication, Authorization, and Accounting (AAA)

Tool for enforcing security policy

Authentication
Verifies identity: who are you?

Authorization
Configures integrity: what are you permitted to do?

Accounting
Assists with audit: what did you do?

AAA Services

Figure: dial-in users (through a network access server) and Internet users (through a gateway router/firewall that intercepts connections) are checked against a campus AAA server (TACACS+ or RADIUS) holding ID/user profiles.

Centralized security database
High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS

RADIUS

Figure: remote access user to access server (RADIUS client) to RADIUS server.

RADIUS is an industry standard: Remote Authentication Dial-In User Server
The RADIUS server maintains user authentication and network access information
RADIUS clients run on access servers and send authentication requests to the RADIUS server

TACACS+ Authentication

Local or centralized
Cisco continues to expand TACACS+
Username/password and additional information are held in the TACACS database
Cisco customers benefit from additional functionality with the CiscoSecure server, which supports both TACACS/TACACS+ and RADIUS


How Public Key Works

Figure: two devices across a WAN, each holding its own private key and the other's public key.

By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them; that secret key is then used with DES
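The exchange the slide describes, carried through as an added example (not code from the original deck): each device keeps a private key, sends only its public value over the WAN, and both derive the same DES key from the agreed secret. The group parameters, the range check on the peer's public value and the hash-based key derivation are constructed for this example; real IPSec/IKE deployments use a standardised Diffie-Hellman (MODP) group.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed for this example): p = 2^255 - 19, g = 2.
# Real IPSec/IKE deployments use a standardised Diffie-Hellman (MODP) group.
P = (1 << 255) - 19
G = 2

def generate_private_key():
    """Each device picks a random private key that never leaves the device."""
    return secrets.randbelow(P - 3) + 2          # in [2, P-2]

def public_key(private_key):
    """The only value that is sent over the WAN."""
    return pow(G, private_key, P)

def valid_public_key(value):
    """Reject degenerate values (0, 1, p-1) that would force a predictable secret."""
    return 1 < value < P - 1

def shared_secret(my_private_key, their_public_key):
    """Both sides arrive at the same number, g^(ab) mod p, without ever sending it."""
    if not valid_public_key(their_public_key):
        raise ValueError("peer public key out of range")
    return pow(their_public_key, my_private_key, P)

def des_key_from_secret(secret):
    """Derive the 8-byte DES session key by hashing the agreed secret (simple KDF, constructed)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()[:8]

def demo_key_agreement(a_private, b_private):
    """Run the exchange end to end; returns (a_des_key, b_des_key, values_visible_on_the_wan)."""
    a_pub, b_pub = public_key(a_private), public_key(b_private)
    visible_on_wan = (P, G, a_pub, b_pub)        # everything an observer of the WAN sees
    a_key = des_key_from_secret(shared_secret(a_private, b_pub))
    b_key = des_key_from_secret(shared_secret(b_private, a_pub))
    return a_key, b_key, visible_on_wan
```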


Digital Signatures

Figure: signing and verification of Bob's document.

Signing: hash Bob's document, then encrypt the message hash with Bob's private key; the result is the digital signature
Verification: hash the received document, decrypt the signature with Bob's public key, and compare the two hashes: same?
If verification is successful, document has not been altered
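The hash-then-sign flow from the slide, as an added example that is not part of the original deck: the document hash is raised to the private exponent to sign and to the public exponent to verify, and any change to the document makes the comparison fail. The RSA key is a constructed toy (two Mersenne primes, far too small for real use) and the hash is truncated to fit under its modulus.

```python
import hashlib

# Toy RSA key for illustration only (constructed; far too small for real use).
P = (1 << 61) - 1          # Mersenne prime 2^61 - 1
Q = (1 << 89) - 1          # Mersenne prime 2^89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
BOB_PUBLIC = (N, E)        # what the CA certifies and everyone may hold
BOB_PRIVATE = (N, D)       # never leaves Bob's device

def message_hash(document):
    """Hash the document; truncated to 128 bits so it is smaller than the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest()[:16], "big")

def sign(document, private_key):
    """'Encrypt' the message hash with the private key: this is the digital signature."""
    n, d = private_key
    return pow(message_hash(document), d, n)

def verify(document, signature, public_key):
    """'Decrypt' the signature with the public key and compare with a fresh hash: same?"""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == message_hash(document)
```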



Certificate Authority

Figure: a bank and a client on the Internet, each unsure ("?") of the other's identity; a CA vouches for both.

Certificate Authority (CA) verifies identity
CA signs digital certificate containing device's public key
Certificate equivalent to an ID card
Partners include Verisign, Entrust, Netscape, and Baltimore Technologies

Network Address Translation

Figure: a packet with source address (SA) 10.0.0.1 leaves the inside network and reaches the Internet with SA 171.69.58.8

Inside Local IP Address    Inside Global IP Address
10.0.0.1                   171.69.58.80
10.0.0.2                   171.69.58.81

Provides dynamic or static translation of private addresses to registered IP addresses
Eliminates readdressing overhead: large administrative cost benefit
Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
Permits use of a single IP address range in multiple intranets
Hides internal addresses
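The port-level multiplexing bullet worked through as an added example (not code from the original deck): two inside hosts share the slide's registered address 171.69.58.80, replies are mapped back by the translated port, and an unsolicited packet from outside has no table entry and is dropped, which is how NAT hides internal addresses. The translator class and the outside address 198.51.100.10 are constructed for this example; a real NAT also keys entries on the destination and ages them out.

```python
INSIDE_GLOBAL = "171.69.58.80"   # the single registered address shared by all inside hosts

class PortNat:
    """Port-level multiplexing NAT (constructed model): many inside-local hosts, one global address."""
    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.out_table = {}   # (local_ip, local_port) -> global_port
        self.in_table = {}    # global_port -> (local_ip, local_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an inside-to-outside packet; allocate a port on first use."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            gport = self.next_port
            self.next_port += 1
            self.out_table[key] = gport
            self.in_table[gport] = key
        return (self.inside_global, self.out_table[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of an outside-to-inside packet, or None if no inside host opened the flow."""
        if dst_ip != self.inside_global or dst_port not in self.in_table:
            return None   # unsolicited: the internal addresses stay hidden
        local_ip, local_port = self.in_table[dst_port]
        return (src_ip, src_port, local_ip, local_port)
```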

Security Technology
Integrity


Integrity: Network Availability

Ensure the network infrastructure remains available
TCP Intercept
Route authentication


TCP Intercept

Figure: request intercepted; connection established with the client; connection transferred to the server.

Protects networks against denial of service attacks
TCP SYN flooding can overpower a server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
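A simulation of the three steps in the figure, added here as an example and not Cisco's implementation: the intercepting device answers every SYN itself, keeps the half-open state in its own table, and only opens and transfers a connection to the server once the client completes the handshake, so unfinished handshakes never consume server memory and are aged out of the intercept table. The classes, the timeout value and the sample client addresses are constructed for this example.

```python
class Server:
    """The protected host (constructed): it only ever sees fully established connections."""
    def __init__(self):
        self.connections = set()

    def accept(self, client):
        self.connections.add(client)

class TcpIntercept:
    """Simplified model of TCP Intercept in intercept mode (constructed simulation)."""
    def __init__(self, server, timeout=30.0):
        self.server = server
        self.timeout = timeout
        self.half_open = {}      # (client_ip, client_port) -> time the SYN was seen
        self.established = set()

    def on_syn(self, client, now):
        """Step 1, request intercepted: reply SYN-ACK on the server's behalf; the server sees nothing."""
        self.half_open[client] = now
        return "SYN-ACK"

    def on_ack(self, client, now):
        """Steps 2 and 3: the client completed the handshake, so establish and transfer to the server."""
        if client not in self.half_open:
            return "RST"         # ACK without a matching intercepted SYN
        del self.half_open[client]
        self.server.accept(client)
        self.established.add(client)
        return "TRANSFERRED"

    def age_out(self, now):
        """Drop half-open entries whose client never answered; returns how many were removed."""
        expired = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in expired:
            del self.half_open[c]
        return len(expired)
```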

Route Authentication

Figure: a home gateway on the Internet accepts route updates only from a trusted source.

Enables routers to identify one another and verify each other's legitimacy before accepting route updates
Ensures that routers receive legitimate update information from a trusted source

Integrity: Perimeter Security

Integrity also means ensuring the safety of the network devices and the flows of information between them
Control access to critical network applications, data, and services
Access control lists, firewall technologies, content filtering, CBAC, authentication
CBAC = Context-Based Access Control

Access Lists

Standard
Filter source address only
Permit/deny entire protocol suite

Extended
Filter source and destination addresses
Inbound or outbound
Port number
Permit/deny specific protocols
Reflexive
Time-based
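An added example, not code from the original deck, of how the two list types are evaluated: entries are checked in order, the first match decides, and a packet matching nothing hits the implicit deny at the end. Matching uses the wildcard-mask convention (a 1 bit means "don't care"); the standard list looks at the source only, the extended list also checks protocol, destination and port. The two sample lists and the packets are constructed for this example around the slide's 10.0.0.0 and 171.69.58.80 addresses.

```python
import ipaddress

def matches(addr, base, wildcard):
    """Wildcard mask: a 1 bit is 'don't care'. 0.0.0.0 means exact host, 255.255.255.255 means any."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, packet):
    """Return 'permit' or 'deny' for a packet dict; first match wins, implicit deny at the end."""
    for entry in acl:
        # A standard entry has no protocol and covers the whole IP suite.
        if entry.get("proto", "ip") not in ("ip", packet["proto"]):
            continue
        if not matches(packet["src"], *entry["src"]):
            continue
        if "dst" in entry and not matches(packet["dst"], *entry["dst"]):
            continue
        if "dport" in entry and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"]
    return "deny"   # implicit deny: nothing matched

# Standard list (constructed): block one host, permit the rest of its subnet, source only.
STANDARD_ACL = [
    {"action": "deny",   "src": ("10.0.0.2", "0.0.0.0")},
    {"action": "permit", "src": ("10.0.0.0", "0.0.0.255")},
]

# Extended list (constructed): web to one server and ping anywhere; everything else is denied.
EXTENDED_ACL = [
    {"action": "permit", "proto": "tcp",  "src": ("10.0.0.0", "0.0.0.255"),
     "dst": ("171.69.58.80", "0.0.0.0"), "dport": 80},
    {"action": "permit", "proto": "icmp", "src": ("10.0.0.0", "0.0.0.255"),
     "dst": ("0.0.0.0", "255.255.255.255")},
]
```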

What Is a Firewall?

All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out

Proxy Service

Figure: Internet/intranet on one side, the internal network on the other, with the proxy server between them.

To the outside world, it appears as if all sessions terminate at a single host
Proxy servers hide IP addresses, so they are not exposed to the outside world
Certain proxy servers can also examine content, so they can limit what can and cannot be done

Integrity: Privacy

Provide authenticated private communication on demand
VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP

IKE = Internet Key Exchange
DES = Data Encryption Standard
CET = Cisco Encryption Technology
CEP = Certificate Enrollment Protocol

Encryption and Decryption

Figure: clear text goes through encryption to become cipher text; decryption turns the cipher text back into clear text.

What Is IPSec?

Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Data protected with network encryption, digital certification, and device authentication
Implemented transparently in network infrastructure
Includes routers, firewalls, PCs, and servers
Scales from small to very large networks

IPSec Everywhere!

Router to Firewall
Router to Router
PC to Firewall
PC to Router
PC to Server

IKE: Internet Key Exchange

IKE is the mechanism IPSec uses to set up Security Associations (SAs)
IPSec provides the packet-level processing while IKE negotiates security associations
IKE does three things:
Negotiates its own policy
Performs an exchange of key material using authenticated Diffie-Hellman
Negotiates the IPSec SA

Figure: candidate IKE policies offered by one peer are 3DES, MD5, and RSA signatures; OR IDEA, SHA, and DSS signatures; OR Blowfish, SHA, and RSA encryption. The policy the peers agree on (IDEA, SHA, and DSS signatures in the figure) protects the IKE tunnel.

DES = Data Encryption Standard
MD5 = Message Digest algorithm 5
RSA = Rivest-Shamir-Adleman algorithm
IDEA = International Data Encryption Algorithm
SHA = Secure Hash Algorithm
DSS = Digital Signature Standard



How IPSec Uses IKE

Figure: Router A and Router B, each running IKE, with an IKE tunnel between them.

1. Outbound packet from Alice to Bob: no IPSec security association yet
2. Router A's IKE begins negotiation with router B's IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by the IPSec SA

Encryption: DES and 3DES

Data Encryption Standard
Widely adopted standard with IPSec
Encrypts plain text, which becomes ciphertext
DES performs 16 rounds of encryption

Triple DES (3DES)
The 56-bit DES algorithm runs three times

Accomplished on a VPN client, server, router, or firewall



Security Technology
Active Audit


Active Audit: Network Vulnerability Assessment

Assess and report on the security status of network components
Scanning (active, passive), vulnerability database


Active Audit: Intrusion Detection System

Identify and react to known or suspected network intrusion or anomalies
Passive promiscuous monitoring
Database of threats or suspect behavior
Communication infrastructure or access control changes