CCNA4 - 4


Enterprise Network Security
Accessing the WAN – Chapter 4

Objectives
- Describe the general methods used to mitigate security threats to enterprise networks
- Configure basic router security
- Disable unused Cisco router network services and interfaces
- Cisco Security Device Manager (SDM)
- Manage Cisco IOS devices: IOS files and configurations

Basic Security Lab

Defending Enterprise Networks
- Fifteen years ago, most networks were closed access
- Now, business models require open access
- Public networks have merged with private networks
- Attack methods: more sophisticated tools, less knowledge required to implement
- See term definitions: white hat, black hat, hacker, cracker

Security Policies in the Enterprise
- Determine the level of access: balance between user needs and security needs
- Develop a security policy for an organization
  - Informs users of their responsibilities
  - Mechanisms for securing resources
  - Baseline for verifying computer and network security
- May be defined as an "acceptable use policy"

Common Security Threats
- Vulnerabilities (examples: TCP/IP, operating systems, network equipment)
- Physical threats: hardware, environmental, electrical, maintenance
- Threats to networks: unstructured/structured and external/internal
- Social engineering (examples: phishing, vishing and dumpster diving)

Types of Network Attacks
- Reconnaissance attacks: ping sweeps, port scans, packet sniffers
- Access attacks: password attacks, trust exploitation, port redirection, man-in-the-middle attacks
- Denial of Service (DoS): ping of death, SYN floods, distributed DoS
- Malicious code: viruses, worms, Trojan horse attacks

General Network Protection (Mitigation)
- Host- and server-based security: device hardening, antivirus software, personal firewalls, operating system patches
- Intrusion detection and prevention: host-based IDS
- Security appliances (Cisco): Adaptive Security Appliances, Integrated Services Routers, Network Admission Control

Network Security Wheel
- See Section 4.1.6

Securing Cisco Routers
- Router security issues: routers advertise routes and filter traffic, and they form the borders for networks and subnets
- Routers are targets for various security threats
  - If the border is compromised, other network devices are vulnerable
  - Compromised routing tables affect traffic forwarding
  - Misconfigured filtering can allow malicious hosts to attack the network

Manage Router Security
- Create a strong password
  - Store written passwords securely; avoid dictionary words
  - Include numbers, letters, symbols, case sensitivity and length
  - Have a regular policy for changing passwords
- Use passphrases to create complicated but memorable passwords: "Jack and Jill ran up the hill" becomes JaJrupth

Manage Router Security (2)
- Secure router passwords in IOS
  - Plain text is the default for some passwords: line console or vty password, enable password, and username name password pass
- Types of router password encryption
  - Type 7 – simple encryption: service password-encryption
  - Type 5 – complex encryption, the default for enable secret and username name secret pass
- Use show startup-config to see the type used for each password

Manage Router Security (3)
- Configure a minimum password length: security passwords min-length <0-16>
- Enforced for new passwords only (does not affect existing passwords)

Secure Remote Router Access
- Administrative traffic should be protected
  - Establish a management VLAN that only admins can access
  - Encrypt all traffic to managed devices such as routers/switches
- Telnet = bad: plaintext passwords, unencrypted packets
  - Replace Telnet with Secure Shell (SSH): transport input ssh on the VTY lines
- Protect against unguarded terminals or open sessions: exec-timeout, service tcp-keepalives-in

Configuring SSH for Remote Access
- Create MD5 hash for encrypting SSH traffic
- Enable SSH on VTY lines (with username)

    Router(config)#hostname SSH
    SSH(config)#ip domain-name ssh.com
    SSH(config)#crypto key generate rsa
    The name for the keys will be: SSH.ssh.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
    SSH(config)#username SSH password cisco
    SSH(config)#line vty 0 4
    SSH(config-line)#transport input ssh
    SSH(config-line)#login local

Log Router Activity
- Console prompts or "system logs" can be redirected to an external device
- Captured logs can be used to analyze performance or attacks
- Logs can be forwarded to a server (e.g., Windows 2003 or freeware such as Kiwi Syslog)

Securing Router Network Services
- Router IOS includes default services that may open security vulnerabilities
- In general, disable them with the no form of the command; examples:
  - no ip http server – disables the web server
  - no snmp-server – disables the Simple Network Management Protocol
  - no ip bootp server – disables DHCP services
  - no service tcp-small-servers – various services
  - no service udp-small-servers – various services

Securing Router Network Services (2)
- See section 4.3.1 for many more services

Other Router Service Issues
- CDP* is rarely used in the enterprise
  - no cdp run – disables the service globally
  - no cdp enable – disables CDP on a specific interface
- Unused interfaces: shut down administratively
* Required for some Cisco VoIP phone configurations
* Very useful in the classroom for troubleshooting!
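The hardening points on the preceding slides (secret-type passwords, a minimum password length, SSH-only VTY access with an idle timeout, risky default services disabled, unused interfaces shut down) are all visible in a router's configuration, so they can be checked mechanically before a device goes into service. The script below is an added example written for this transcript; it is not part of the course material or any Cisco tool. It audits a constructed weak configuration next to the hardened version of the same router; the policy threshold MIN_PASSWORD_LENGTH and the hash strings are placeholders chosen for the demo.

```python
"""Audit a Cisco IOS running-config for the hardening points of this
chapter: secret-type passwords, minimum password length, SSH-only VTY
access with an idle timeout, unused interfaces shut down, and risky
default services switched off. Added example, not from the course slides;
both configs are constructed and the hashes are placeholders."""
import re

MIN_PASSWORD_LENGTH = 8  # policy threshold assumed for the demo (IOS accepts 0-16)

# Constructed config showing the weak defaults the chapter warns about.
WEAK_CONFIG = """\
enable password cisco
username admin password 0 letmein
security passwords min-length 6
ip http server
snmp-server community public RO
no ip bootp server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/1
 no ip address
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same router after applying the chapter's recommendations.
HARDENED_CONFIG = """\
service password-encryption
service tcp-keepalives-in
security passwords min-length 10
enable secret 5 <type5-hash-placeholder>
username admin secret 5 <type5-hash-placeholder>
no ip http server
no ip bootp server
no cdp run
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/1
 no ip address
 shutdown
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 login local
"""

# Top-level lines whose presence means a risky feature is enabled.
RISKY_IF_PRESENT = {
    "enable password": "enable password in use; replace with 'enable secret' (type 5)",
    "ip http server": "web server enabled; use 'no ip http server'",
    "snmp-server": "SNMP configured; remove with 'no snmp-server' unless required",
    "service tcp-small-servers": "TCP small servers on; use 'no service tcp-small-servers'",
    "service udp-small-servers": "UDP small servers on; use 'no service udp-small-servers'",
}
# Top-level lines whose absence means a default-on behaviour was never disabled.
REQUIRED = {
    "enable secret": "no 'enable secret' configured",
    "service password-encryption": "line passwords are stored in plain text",
    "service tcp-keepalives-in": "dead/idle sessions are not detected",
    "no ip bootp server": "BOOTP server still enabled",
    "no cdp run": "CDP still enabled globally",
}


def parse_sections(config):
    """Group indented child lines under their top-level command."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = [header for header, _ in sections]
    present = lambda prefix: any(line.startswith(prefix) for line in top)
    findings = [why for prefix, why in RISKY_IF_PRESENT.items() if present(prefix)]
    findings += [why for prefix, why in REQUIRED.items() if not present(prefix)]
    for line in top:  # 'username ... password' stores type 0/7, not a type 5 hash
        if re.match(r"username \S+ password", line):
            findings.append(f"user {line.split()[1]} uses 'password'; use 'username ... secret'")
    min_len = 0  # IOS enforces no minimum unless the command is present
    for line in top:
        m = re.match(r"security passwords min-length (\d+)", line)
        if m:
            min_len = int(m.group(1))
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {min_len} is below policy ({MIN_PASSWORD_LENGTH})")
    for header, body in sections:
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{header}: Telnet accepted; use 'transport input ssh'")
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(f"{header}: no explicit exec-timeout (IOS default is 10 minutes)")
        elif header.startswith("interface"):
            if not any(b.startswith("ip address") for b in body) and "shutdown" not in body:
                findings.append(f"{header}: no address and not shut down; disable unused interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run against the weak configuration the script reports twelve findings, one per slide point it violates; the hardened configuration produces none. Note the asymmetry between the two lists: some features (HTTP, SNMP, the small servers) only appear in the config when enabled, while others (BOOTP, CDP) are on by default and only appear as a no line once someone has turned them off, which is why a check for their absence is needed.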

Automatically Securing Cisco Routers
- The command-line interface auto secure command shuts down services based on the router's role

Securing Routing Protocols
- Compromised routing tables lead to instability
  - Routing loops can be created
  - Packets can be discarded
  - Traffic may be forwarded to a "sniffable" destination
- Routing protocol updates should be authenticated
  - Encryption algorithm (MD5 hash)
  - Shared secret key
  - Encrypted packet
- Most routing protocols support authentication: RIPv2, EIGRP, OSPF, IS-IS, BGP

Securing RIP Version 2
- Use the passive-interface command to limit routing updates (example: FA 0/0 does not connect to another router)
- Authenticate with the key chain command, which specifies the key string shared among the routers
- The actual authentication is enabled at the interface level:
  - ip rip authentication mode md5
  - ip rip authentication key-chain <chain-name>

Securing EIGRP and OSPF
- EIGRP uses similar steps to RIPv2 (different syntax)
- Enable authentication in global configuration
- Enable participation at the interface level
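Authentication for RIPv2, EIGRP and OSPF is easy to leave half-configured: a key chain applied without MD5 mode, a key chain name that was never defined, or an OSPF MD5 key on an interface whose area never had message-digest authentication switched on. The script below is an added example for this transcript, not part of the course material; it reads a constructed configuration and checks each interface that faces a neighbouring router against a policy of which protocols run there, and checks that LAN interfaces are passive in every routing process. The interface policy (NEIGHBOR_IFACES, LAN_IFACES) and the key strings are assumptions for the demo, and the OSPF check accepts message-digest authentication either on the interface or on any area rather than resolving which area the interface belongs to.

```python
"""Verify that routing-protocol authentication (RIPv2, EIGRP, OSPF) is
complete on the interfaces that face other routers, and that LAN
interfaces are passive so updates do not leak onto user segments.
Added example, not from the course slides; the config, the interface
policy and the key strings are constructed placeholders."""
import re

SAMPLE_CONFIG = """\
key chain RIPKEYS
 key 1
  key-string RIP-KEY-PLACEHOLDER
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RIPKEYS
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 ip rip authentication key-chain WANKEYS
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
router rip
 version 2
 passive-interface FastEthernet0/0
router eigrp 100
 passive-interface FastEthernet0/0
router ospf 1
 network 203.0.113.0 0.0.0.3 area 0
 passive-interface FastEthernet0/0
"""

# Policy inputs (assumed for the demo): interfaces that face neighbouring
# routers with the protocols running there, and user-LAN interfaces.
NEIGHBOR_IFACES = {"FastEthernet0/1": {"rip", "eigrp"}, "Serial0/0/0": {"rip", "ospf"}}
LAN_IFACES = {"FastEthernet0/0"}


def blocks(config, kind):
    """Map each top-level '<kind> <name>' line to its indented child lines."""
    pat = re.compile(r"^%s (.+)\n((?: .*\n)*)" % re.escape(kind), re.M)
    return {m.group(1): [ln.strip() for ln in m.group(2).splitlines()]
            for m in pat.finditer(config)}


def chain_usable(name, chains):
    """A key chain only counts if it is defined and carries a key-string."""
    return name in chains and any(ln.startswith("key-string") for ln in chains[name])


def check_rip(iface, body, chains):
    out = []
    if "ip rip authentication mode md5" not in body:
        out.append(f"{iface}: RIP authentication mode is not md5 (key sent in clear text)")
    chain = next((ln.split()[-1] for ln in body
                  if ln.startswith("ip rip authentication key-chain ")), None)
    if chain is None:
        out.append(f"{iface}: no RIP key chain applied")
    elif not chain_usable(chain, chains):
        out.append(f"{iface}: RIP key chain {chain} is undefined or has no key-string")
    return out


def check_eigrp(iface, body, chains):
    out = []
    if not any(re.match(r"ip authentication mode eigrp \d+ md5$", ln) for ln in body):
        out.append(f"{iface}: EIGRP MD5 authentication mode not set")
    used = [ln.split()[-1] for ln in body
            if re.match(r"ip authentication key-chain eigrp \d+ ", ln)]
    if not used:
        out.append(f"{iface}: no EIGRP key chain applied")
    out += [f"{iface}: EIGRP key chain {c} is undefined or has no key-string"
            for c in used if not chain_usable(c, chains)]
    return out


def check_ospf(iface, body, routers):
    out = []
    if not any(re.match(r"ip ospf message-digest-key \d+ md5 ", ln) for ln in body):
        out.append(f"{iface}: no OSPF MD5 key configured")
    # MD5 must be enabled per interface or per area; the interface's area
    # is not resolved here (simplification), so any area statement counts.
    on_iface = "ip ospf authentication message-digest" in body
    on_area = any(re.match(r"area \S+ authentication message-digest", ln)
                  for name, b in routers.items() if name.startswith("ospf") for ln in b)
    if not (on_iface or on_area):
        out.append(f"{iface}: OSPF message-digest authentication not enabled")
    return out


def audit_routing(config, neighbors=NEIGHBOR_IFACES, lans=LAN_IFACES):
    """Return a list of findings; an empty list means the policy is met."""
    ifaces, chains, routers = (blocks(config, k) for k in ("interface", "key chain", "router"))
    checks = {"rip": lambda i, b: check_rip(i, b, chains),
              "eigrp": lambda i, b: check_eigrp(i, b, chains),
              "ospf": lambda i, b: check_ospf(i, b, routers)}
    findings = []
    for iface, protos in neighbors.items():
        for proto in sorted(protos):
            findings += checks[proto](iface, ifaces.get(iface, []))
    for name, body in routers.items():  # every process must keep LAN ports passive
        passive = {ln.split()[-1] for ln in body if ln.startswith("passive-interface")}
        if "default" not in passive:
            findings += [f"{lan}: not passive under router {name}" for lan in sorted(lans - passive)]
    return findings


if __name__ == "__main__":
    for finding in audit_routing(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample, FastEthernet0/1 passes for both RIP and EIGRP, while Serial0/0/0 produces three findings: the RIP key chain is applied without md5 mode, the WANKEYS chain is never defined, and the OSPF MD5 key is present but message-digest authentication was never enabled. Adding the missing mode, key-chain and interface authentication lines to Serial0/0/0 brings the finding count to zero.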

Cisco Security Device Manager (SDM)
- Included on newer Integrated Services Routers (the 1800 and 2800 series, for example)
- Can also be installed on a PC to save space in router flash
- Easy method to configure a new router
- Helps the admin configure more advanced options such as VPNs

Interface for Cisco SDM

SDM Includes Intelligent Wizards

Locking Down a Router with SDM
- SDM includes a Security Audit
- Results can be used for a One-Step Lockdown
- SDM can also reset the router to "factory defaults"

Managing IOS Files in Flash
- Various commands are supported for viewing the file system
  - show flash
  - dir flash: (note: the colon is required for the dir command)
  - cd to change directories
  - pwd to confirm the directory name
- The copy command is used between devices

Identifying IOS Naming Convention
- Upgrading requires knowledge of hardware assets: flash, RAM, platform
- Cisco.com has tools to identify the best fit

Using Trivial FTP to Copy Flash
- A TFTP server is used to back up or restore over the network: copy flash tftp
- Reverse the command to restore the file
- The free SolarWinds TFTP server is used in the classroom
- Note: the tftpdnld command is used to recover from the ROMmon prompt; similar process, but it requires environment variables to be set

Recovering IOS Over Console Cable
- The IOS image can also be restored via Xmodem
- Scenario: no network interfaces are up
- Use Xmodem over the console cable to transfer the image with serial communication: copy xmodem flash
- The baud rate is increased to speed up the copy (i.e., 9600 is too slow for file transfer!)

Password Recovery Process
- Configuration register should be set to what HEX value?

Chapter 4 Labs
- 4.6.1 - Basic Security Configuration
- 4.6.2 - Challenge Security Configuration
- 4.6.3 - Troubleshooting Security Configuration
- Homework: PT Activity 4.3.2 - Configuring OSPF Authentication
