CNIT 221

Security

Module 2 1 ver.2

City College of San Francisco Spring 2006

1

Network Security 1

Module 2 – Security Planning and Policy

© 2005 Cisco Systems, Inc. All rights reserved.

2

Learning Objectives

–

2.1 Discussing Network Security and Cisco

–

2.2 Endpoint Protection and Management

–

2.3 Network Protection and Management

–

2.4 Security Architecture

–

2.5 Basic Router Security Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

3

Module 2 – Security Planning and Policy

2.1 Discussing Network Security and Cisco

© 2005 Cisco Systems, Inc. All rights reserved.

4

Network Security as a Continuous Process

•

Network security is a continuous process built around a security policy.

–

Step 1: Secure Secure

–

Step 2: Monitor

–

Step 3: Test

–

Step 4: Improve Improve Security Policy Monitor Test Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

5

Secure the Network

•

Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:

–

Authentication

–

Encryption

–

Firewalls

–

Vulnerability patching Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

Secure Improve Security Policy Monitor Test

6

Monitor Security

–

Detects violations to the security policy

–

Involves system auditing and real-time intrusion detection

–

Validates the security implementation in Step 1 Improve Secure Security Policy Test Monitor Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

7

Test Security

•

Validates effectiveness of the security policy through system auditing and vulnerability scanning Improve Secure Security Policy Test Monitor Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

8

Improve Security

–

Use information from the monitor and test phases to make improvements to the security implementation.

–

Adjust the security policy as security vulnerabilities and risks are identified.

Improve Secure Security Policy Test Monitor Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

9

What Is a Security Policy?

•

“A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”

•

(RFC 2196, Site Security Handbook) Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

10

Why Create a Security Policy?

–

To create a baseline of your current security posture

–

To set the framework for security implementation

–

To define allowed and not allowed behaviors

–

To help determine necessary tools and procedures

–

To communicate consensus and define roles

–

To define how to handle security incidents Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

11

Security Policy Elements Data Assessment Vulnerabilities Host Addressing Denial of Service Application Definition POLICY Misuse Usage Guidelines Reconnaissance Topology/Trust Model

•

On the left are the network design factors upon which security policy is based

•

On the right are basic Internet threat vectors toward which

© 2005 Cisco Systems, Inc. All rights reserved.

12

Module 2 – Security Planning and Policy

2.2 Endpoint Protection and Management

© 2005 Cisco Systems, Inc. All rights reserved.

13

Types of Firewalls

– – – –

Server Based Microsoft ISA CheckPoint Zone Alarm Appliance PIX Security Appliance/ASA Netscreen SonicWall Personal Norton McAfee ZoneAlarms Integrated IOS Firewall

© 2005 Cisco Systems, Inc. All rights reserved.

14

Module 2 – Security Planning and Policy

2.3 Network Protection and Management

© 2005 Cisco Systems, Inc. All rights reserved.

15

Sample Firewall Topology Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

16

VPN Definition Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

17

Remote Access VPNs Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

18

Site-to-Site VPNs Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

19

Adaptive Security Device Manager (ASDM) Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

20

Security Device Manager (SDM) Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

21

Module 2 – Security Planning and Policy

2.4 Security Architecture

© 2005 Cisco Systems, Inc. All rights reserved.

22

Secure Connectivity Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

23

Cisco Threat Defense System Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

24

Identity Based Networking Services (IBNS) Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

25

Plan, Design, Implement, Operate, Optimize (PDIOO) Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

26

Module 2 – Security Planning and Policy

2.5 Basic Router Security

© 2005 Cisco Systems, Inc. All rights reserved.

27

SSH TCP Port 22 SSH Client Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

SSH Server and Client

28

SSH Server Configuration Router(config)# hostname host-name Router(config )# ip domain-name domain-name.com Router(config )# crypto key generate rsa Router(config )# line vty 0 4 Router(config-line)# transport input ssh Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

29

Controlling Access

•

Console Port

•

TTY

•

VTY

• •

A console is a terminal connected to a router console port.

The terminal can be a dumb terminal or PC with terminal

© 2005 Cisco Systems, Inc. All rights reserved.

30

• • • • • • •

Passwords Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS: Type 7 uses the Cisco-defined encryption algorithm.

Type 5 uses an MD5 hash, which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands.

Service password encryption should be used.

Use good password practices when creating passwords.

Configure both username and password combinations.

Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

31

Good Password Practices

•

Avoid dictionary words, names, phone numbers, and dates.

•

Include at least one lowercase letter, uppercase letter, digit, and special character.

• •

Make all passwords at least eight characters long. Avoid more than four digits or same-case letters in a row.

•

Change passwords often. Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

32

Initial Configuration Dialog --- System Configuration Dialog -- Would you like to enter the initial configuration dialog? [yes/no] y Configuring global parameters: Enter host name [Router]: Boston The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.

Enter enable secret: CantGessMe The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.

Enter enable password: WontGessMe The virtual terminal password is used to protect access to the router over a network interface.

Enter virtual terminal password: CantGessMeVTY Router(config)# .

© 2005 Cisco Systems, Inc. All rights reserved.

33

Configure the Enable Password Using enable secret router(config)# enable secret password

•

Encrypts the password in the router configuration file

•

Uses a strong encryption algorithm based on MD5 Boston(config)# enable secret Curium96 Boston# show running-config !

hostname Boston !

no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ !

Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

34

Configure the Console Port User-Level Password router(config)# line console line-number

•

Enters console line configuration mode router(config-line )# login

•

Enables password checking at login router(config-line)# Password password

•

Sets the user-level password to password Boston(config)# line console 0 Boston(config-line)# login Boston(config-line)# password ConUser1 Router(config)# Creates the user-level password ConUser1

–

The password is unencrypted

© 2005 Cisco Systems, Inc. All rights reserved.

35

Configure a VTY User-Level Password router(config)# line vty start-line-number end-line-number

•

Enters VTY line configuration mode

•

Specifies the range of VTY lines to configure router(config-line)# login

•

Enables password checking at login for VTY (Telnet) sessions router(config-line)# password password

•

Sets the user-level password to password Boston(config)# line vty 0 4 Boston(config-line)# login Boston(config-line)# password CantGessMeVTY

© 2005 Cisco Systems, Inc. All rights reserved.

36

Configure an Auxiliary User-Level Password router(config)# line aux line-number

•

Enters auxiliary line configuration mode router(config-line)# login

•

Enables password checking at login for Aux connections router(config-line)# password password

•

Sets the user-level password to password Boston(config)# line aux 0 Boston(config-line)# login Boston(config-line)# password NeverGessMeAux

© 2005 Cisco Systems, Inc. All rights reserved.

37

Encrypting Passwords Using

service password-encryption

router(config)# service password-encryption

•

Encrypts all passwords in the router configuration file Boston(config)# service password-encryption Boston# show running-config !

line con 0 password 7 0956F57A109A !

line vty 0 4 password 7 034A18F366A0 !

line aux 0 password 7 7A4F5192306A

•

Uses a weak encryption algorithm that can be easily cracked

© 2005 Cisco Systems, Inc. All rights reserved.

38

Setting Timeouts for Router Lines router(config-line)# exec-timeout minutes [seconds]

• • •

Default is 10 minutes Terminates an unattended console connection Provides an extra safety factor when an administrator walks away from an active console session Boston(config)# line console 0 Boston(config-line)#exec-timeout 3 30 Boston(config)# line aux 0 Boston(config-line)#exec-timeout 3 30 connection after 3 minutes and 30 seconds

© 2005 Cisco Systems, Inc. All rights reserved.

39

Setting Multiple Privilege Levels router(config)# privilege mode {level level command | reset command}

•

Level 1 is predefined for user-level access privileges

• •

Levels 2 –14 may be customized for user-level privileges Level 15 is predefined for enable mode (

enable

command) Boston(config)# privilege exec level 2 ping Boston(config)# enable secret level 2 Patriot Router(config)#

© 2005 Cisco Systems, Inc. All rights reserved.

40

Login Banner

•

Banners should be used on all network devices

•

A banner should include A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use. A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both. A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court. Specific notices required by specific local laws.

•

A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership .

© 2005 Cisco Systems, Inc. All rights reserved.

41

Configuring Banner Messages router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

•

Specify what is “proper use” of the system

• • • •

Specify that the system is being monitored Specify that privacy should not be expected when using this system Do not use the word “welcome” Have legal department review the content of the message Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

© 2005 Cisco Systems, Inc. All rights reserved.

42

Router(config)#

43