Router Based Network Security

ARVIND KUMAR SHARMA
(CISCO Certified Academy Instructor) CCNA,CCNP,CCNA Security Instructor CISCO Regional Academy Centre for electronic Governance, Jaipur

Modern Network Security Threats

What is Network Security
Network security is the protection of information and systems and hardware that use, store, and transmit that information. National Security Telecommunications and Information Systems Security Committee (NSTISSC) Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.

Rationale for Network Security
Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations. The need for network security and its growth are driven by many factors:
1. 2. 3. 4. 5. 6.

Internet connectivity is 24/7 and is worldwide Increase in cyber crime Impact on business and individuals Legislation & liabilities Proliferation of threats Sophistication of threats

Goals of an Information Security Program

Confidentiality

Prevent the disclosure of sensitive information from unauthorized people, resources, and processes The protection of system information or processes from intentional or accidental modification The assurance that systems and data are accessible by authorized users when needed

Integrity

Availability

Risk Management


Risk Analysis Threats Vulnerabilities

Risk Management

Control physical access

Password protection

Develop a Security Policy

The process of assessing and quantifying risk and establishing an acceptable level of risk for the organization Risk can be mitigated, but cannot be eliminated

Types of Attacks
Structured attack

Come from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
Unstructured attack Consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker’s skills can still do serious damage to a company.

Types of Attacks
External attacks

Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network mainly from the Internet or dialup access servers.
Internal attacks More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks often are traced to disgruntled employees.

Securing Network Devices

Areas of Router Security

Physical Security
 

Place router in a secured, locked room Install an uninterruptible power supply Use the latest stable version that meets network requirements Keep a copy of the O/S and configuration file as a backup Secure administrative control Disable unused ports and interfaces Disable unnecessary services

Operating System Security
 

Router Hardening
  

Local Versus Remote Access
Local Access
R1 LAN 1 Internet Internet LAN 3 Console Port Administrator

Remote Access
LAN 2 R1 Firewall R2

Requires a direct connection to a console port using a computer running terminal emulation software

Management LAN

Administration Host

Logging Host

Uses Telnet, SSH HTTP or SNMP connections to the router from a computer

Access Port Passwords
R1(config)# enable secret cisco

Command to restrict access to privileged EXEC mode Commands to establish a login password for dial-up modem connections
R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# login

Commands to establish a login password on incoming Telnet sessions
R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login R1

R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login

Commands to establish a login password on the console line

Configuring the Router for SSH
1. Configure the IP domain R1# conf t R1(config)# ip domain-name span.com name of the network R1(config)# crypto key generate rsa general-keys modulus 1024 2. Generate one way The name for the keys will be: R1.span.com secret key
% The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be nonexportable...[OK] R1(config)# *Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled 3. Verify or create a local R1(config)# username Bob secret cisco database entry R1(config)# line vty 0 4 R1(config-line)# login local R1(config-line)# transport input ssh 4. Enable VTY inbound R1(config-line)# exit SSH sessions

Configuring for Privilege Levels

By default:

User EXEC mode (privilege level 1) Privileged EXEC mode (privilege level 15)

 

Sixteen privilege levels available Methods of providing privileged level access infrastructure access:
 

Privilege Levels Role-Based CLI Access

Config AAA, Show, Firewall, IDS/IPS, NetFlow

CLI Commands
router(config)# secure boot-image  Enables IOS image resilience router(config)# secure boot-config  Takes a snapshot of the router running configuration and securely archives it in persistent storage

Privilege Levels for Users
R1# conf t R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# username USER privilege 1 secret cisco privilege exec level 5 ping enable secret level 5 cisco5 username SUPPORT privilege 5 secret cisco5 privilege exec level 10 reload enable secret level 10 cisco10 username JR-ADMIN privilege 10 secret cisco10 username ADMIN privilege 15 secret cisco123

  

A USER account with normal, Level 1 access. A SUPPORT account with Level 1 and ping command access. A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command. An ADMIN account which has all of the regular privileged EXEC commands.

Privilege Levels
The enable level command is used to switch R1> enable 5 from Level 1 to Level 5 Password: R1# <abc5> The show privilege command R1# show privilege Current privilege level is 5 The current privilege level R1# R1# reload Translating "reload"
Translating "reload" % Unknown command or computer name, or unable to find computer address R1#

displays

The user cannot us the reload command

Authentication, Authorization, and Accounting

Authentication – Password-Only
Password-Only Method
User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords

Internet

R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login

   

Uses a login and password combination on access lines Easiest to implement, but most unsecure method Vulnerable to brute-force attacks Provides no accountability

Authentication – Local Database

  

Creates individual user account/password on each device Provides accountability User accounts must be configured locally on each device Provides no fallback authentication method
User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid

R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local

Internet

Local Database Method

AAA Access Security
Authorization Authentication
Who are you? which resources the user is allowed to access and which operations the user is allowed to perform?

Accounting
What did you spend it on?

Self-Contained AAA Authentication
Remote Client

1 2

AAA Router

3

Self-Contained AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.

 

Used for small networks Stores usernames and passwords locally in the Cisco router

Server-Based AAA Authentication

Uses an external database server
  

Cisco Secure Access Control Server (ACS) for Windows Server Cisco Secure ACS Solution Engine Cisco Secure ACS Express

More appropriate if there are multiple routers
Remote Client
AAA Router
Cisco Secure ACS Server

1 2

4

3

Server-Based AAA
1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server.

AAA Authorization

Typically implemented using an AAA server-based solution Uses a set of attributes that describes user access to the network

1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization.

AAA Accounting
 

Implemented using an AAA server-based solution Keeps a detailed log of what an authenticated user does on a device

1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process.

Local AAA Authentication Commands
R1# conf t R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# username JR-ADMIN secret Str0ngPa55w0rd username ADMIN secret Str0ng5rPa55w0rd aaa new-model aaa authentication login default local-case aaa local authentication attempts max-fail 10

1.

2. 3. 4.

To authenticate administrator access (character mode access) Add usernames and passwords to the local router database Enable AAA globally Configure AAA parameters on the router Confirm and troubleshoot the AAA configuration

Sample Configuration

R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local-case enable R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN

TACACS+ Authentication Process
Connect Username? JR-ADMIN Username prompt? Use “Username” JR-ADMIN Password prompt? Password? “Str0ngPa55w0rd” Use “Password” “Str0ngPa55w0rd” Accept/Reject

Provides separate AAA services Utilizes TCP port 49

RADIUS Authentication Process
Access-Request Username? JR-ADMIN Password? Str0ngPa55w0rd
(JR_ADMIN, “Str0ngPa55w0rd”)

Access-Accept

 

Works in both local and roaming situations Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting

Implementing Firewall Technologies

Standard Numbered IP ACLs
Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]
 

The first value specifies the ACL number The second value specifies whether to permit or deny the configured source IP address traffic


The third value is the source IP address that must be matched
The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range All ACLs assume an implicit deny statement at the end of the ACL6+ At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface

 

Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]
 

The first value specifies the ACL number The second value specifies whether to permit or deny accordingly


The third value indicates protocol type
The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic

The command to apply the standard or extended numbered ACL:

Router(config-if)# ip access-group number {in | out}

Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]
 

The first value specifies the ACL number The second value specifies whether to permit or deny accordingly


The third value indicates protocol type
The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic

The command to apply the standard or extended numbered ACL:

Router(config-if)# ip access-group number {in | out}

Named IP ACLs
Standard
Router(config)# ip access-list extended vachon1 Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1 Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80 Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25 Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 any established Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255 Router(config-ext-nacl)# deny ip any any Router(config-ext-nacl)# interface ethernet 1 Router(config-if)# ip access-group vachon1 in Router(config-if)# exit

Extended

How ACLs Work

Click to view examples

Inbound ACL

Outbound ACL

Viewing Commands
R1# show running-config <output omitted> ! hostname R1 <output omitted> enable secret 5 $1$MJD8$.1LWYcJ6iUi133Yg7vGHG/ <output omitted> crypto pki trustpoint TP-self-signed1789018390 enrollment selfsigned subject-name cn=IOS-Self-SignedCertificate-1789018390 revocation-check none rsakeypair TP-self-signed-1789018390 ! crypto pki certificate chain TP-selfsigned-1789018390 certificate self-signed 01 3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 <output omitted> 1BF29620 A084B701 5B92483D D934BE31 ECB7AB56 8FFDEA93 E2061F33 8356 quit interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip access-group Outbound in <output omitted> ! interface Serial0/0/0 ip address 10.1.1.1 255.255.255.252 clock rate 128000 ! <output omitted> no ip http server ip http secure-server ! ip access-list standard Outbound remark SDM_ACL Category=1 permit 192.168.1.3 ! access-list 100 remark SDM_ACL Category=16 access-list 100 deny tcp any host 192.168.1.3 eq telnet log access-list 100 permit ip any any ! <output omitted> !

Types of ACLs

Standard IP ACLs


   

Extended IP ACLs
Extended IP ACLs using TCP established Reflexive IP ACLs Dynamic ACLs Time-Based ACLs

Context-based Access Control (CBAC) ACLs

Overview

CLI Commands

Example Configuration
R2 Internet
Serial0/0/1
Perimeter(config)# time-range employee-time Perimeter(config-time)# periodic weekdays 12:00 to 13:00 Perimeter(config-time)# periodic weekdays 17:00 to 19:00 Perimeter(config-time)# exit Perimeter(config)# access-list 100 permit tcp any host 200.1.1.11 eq 25 Perimeter(config)# access-list 100 permit tcp any eq 25 host 200.1.1.11 established Perimeter(config)# access-list 100 permit udp any host 200.1.1.12 eq 53 Perimeter(config)# access-list 100 permit udp any eq 53 host 200.1.1.12 Perimeter(config)# access-list 100 permit tcp any 200.1.1.0 0.0.0.255 established time-range employeetime Perimeter(config)# access-list 100 deny ip any any Perimeter(config)# interface ethernet 1 Perimeter(config-if)# ip access-group 100 in Perimeter(config-if)# exit Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 eq 25 any Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 any eq 25 Perimeter(config)# access-list 101 permit udp host 200.1.1.12 eq 53 any Perimeter(config)# access-list 101 permit udp host 200.1.1.12 any eq 53 Perimeter(config)# access-list 101 permit tcp 200.1.1.0 0.0.0.255 any time-range employee-time Perimeter(config)# access-list 100 deny ip any any Perimeter(config)# interface ethernet 1 Perimeter(config-if)# ip access-group 101 out

Serial 0/0/0

10.1.1.1

R1
192.168.1.0/24

I can’t surf the web at 10:00 A.M. because of the timebased ACL!

Allowing Common Services
Internet

Serial 0/0/0
200.5.5.5/24

F0/1

R1

F0/0

DNS, SMTP, FTP R1 PC A
192.168.20.2/24

R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp
R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list 180 180 180 180 permit permit permit permit tcp tcp udp udp host host host host 200.5.5.5 200.5.5.5 200.5.5.5 200.5.5.5 host host host host 10.0.1.1 10.0.1.1 10.0.1.1 10.0.1.1 eq eq eq eq telnet 22 syslog snmptrap

Benefits of Firewalls

Prevents exposing sensitive hosts and applications to untrusted users Prevent the exploitation of protocol flaws by sanitizing the protocol flow

Firewalls prevent malicious data from being sent to servers and clients. Properly configured firewalls make security policy enforcement simple, scalable, and robust. A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network.

Types of Firewalls


 

Filtering Firewalls Packet Filtering Firewall Stateful Firewall Cisco Systems Firewall Solutions

Stateful Firewall
10.1.1.1 200.3.3.3

source port 1500

destination port 80

Inside ACL (Outgoing Traffic)

Outside ACL (Incoming Traffic)
Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500 permit tcp any host 10.1.1.2 eq 25 permit udp any host 10.1.1.2 eq 53 deny ip any any

permit ip 10.0.0.0 0.0.0.255 any

Design Example
Internet R
2 Cisco Router with IOS Firewall

Cisco Router with IOS Firewall

Serial 0/0/0

Serial0/0/1 F0/ 0 F0/ 0

F0/ 1
F0/ 5
F0/6

R 1

R 3 F0/
1 F0/ 5

S 1

F0/1 F0/1

S 3 S
F0/1 2 8

F0/1 8

PC A (RADIUS/TACAC S+)

PC C

Common Designs
LAN-to-Internet Public Servers

Redundant Firewalls

Complex Firewall

Implementing Intrusion Prevention

Common Intrusions
MARS ACS
VPN

Remote Worker

Zero-day exploit attacking the network
Firewall

VPN

VPN

Remote Branch

Iron Port

CSA LAN

Web Server

Email Server

DNS

Intrusion Detection Systems (IDSs)
1.

2.

3.

An attack is launched on a network that has a sensor deployed in promiscuous IDS mode; therefore copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack. The IDS sensor, matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic. The IDS can also send an alarm to a management console for logging and other management purposes.

Switch

1 2
Sensor

3

Management Console

Target

Intrusion Prevention Systems (IPSs)
1
1.

2.

3.

4.

An attack is launched on a network that has a sensor deployed in IPS mode (inline mode). The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately. The IPS sensor can also send an alarm to a management console for logging and other management purposes. Traffic in violation of policy can be dropped by an IPS sensor.

2
Sensor

4

Bit Bucket

3

Management Console

Target

Common characteristics of IDS and IPS

Both technologies are deployed using sensors. Both technologies use signatures to detect patterns of misuse in network traffic. Both can detect atomic patterns (singlepacket) or composite patterns (multipacket).

Comparing IDS and IPS Solutions
Advantages  No impact on network (latency, jitter) Promiscuous Mode Disadvantages  Response action cannot stop trigger packets

 Correct tuning required for  No network impact if there is a response actions sensor failure  Must have a well thoughtout security policy  No network impact if there is sensor overload  More vulnerable to network evasion techniques

IDS

Network-Based Implentation
CSA
VPN

MARS

Remote Worker
Firewall

VPN IPS

CSA

VPN

Remote Branch

Iron Port

CSA CSA

CSA

Web Server

Email Server

DNS

Host-Based Implementation
CSA

CSA
VPN

MARS Management Center for Cisco Security Agents
Firewall

Remote Worker

VPN IPS

CSA

VPN

Remote Branch

Iron Port
CSA

Agent
CSA

CSA CSA
CSA

CSA

Web Server

Email Server

DNS

Securing the Local Area Network

Securing the LAN
Perimeter
MARS ACS

Firewall

Internet
VPN IPS

Areas of concentration: • Securing endpoints • Securing network infrastructure

Iron Port

Hosts
Web Server Email Server

DNS

LAN

Addressing Endpoint Security
Policy Compliance Infection Containment Secure Host

Threat Protection

Based on three elements: • Cisco Network Admission Control (NAC) • Endpoint protection • Network infection containment

Types of Application Attacks
Direct I have gained direct access to this application’s privileges

I have gained access to this system which is trusted by the other system, allowing me to access it. Indirect

CSA Architecture
Administration Workstation Server Protected by Cisco Security Agent

Alerts

Events

SSL

Security Policy

Management Center for Cisco Security Agent with Internal or External Database

CSA Overview
Application

File System Interceptor

Network Interceptor

Configuration Interceptor

Execution Space Interceptor

Rules Engine State Correlation Engine Rules and Policies

Allowed Request

Blocked Request

Layer 2 Security
Perimeter
MARS ACS

Firewall

Internet
VPN IPS

Iron Port

Hosts
Web Server Email Server

DNS

MAC Address Spoofing Attack
1 Switch Port AABBcc 2 12AbDd The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc

MAC Address: AABBcc

Port 1 Port 2

MAC Address: 12AbDd

MAC Address: AABBcc

Attacker

I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.

STP Manipulation Attack

Root Bridge Priority = 8192 MAC Address= 0000.00C0.1234

F

F F

F

F

B

Spanning tree protocol operates by electing a root bridge STP builds a tree topology STP manipulation changes the topology of a network—the attacking host appears to be the root bridge

LAN Storm Attack
Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast

 Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.  These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

VLAN Attacks

 Segmentation  Flexibility  Security

VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Attacks
802.1Q Trunk VLAN 20 Server VLAN 10

Attacker sees traffic destined for servers

Server

A VLAN hopping attack can be launched in two ways: • Spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode • Introducing a rogue switch and turning trunking on

Double-Tagging VLAN Attack
1
Attacker on VLAN 10, but puts a 20 tag in the packet The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.

2

802.1Q, Frame

20

3

The second switch receives the packet, on the native VLAN

Trunk (Native VLAN = 10)

4
The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.

Note: This attack works only if the trunk has the same native VLAN as the attacker.

Victim (VLAN 20)

Port Security Overview
MAC A

Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C

0/1 0/2 0/3
MAC A MAC F

Attacker 1

Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

Attacker 2

CLI Commands
Switch(config-if)# switchport mode access

• Sets the interface mode as access
Switch(config-if)# switchport port-security

• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value

• Sets the maximum number of secure MAC addresses for the interface (optional)

Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address

• Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky

• Enables sticky learning on the interface (optional)

CLI Commands
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) Fa0/12 2 (Count) 0 (Count) 0 Shutdown :0 ----------------------------------------------------------------------------------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security Port Security : Port status : Violation mode : Maximum MAC Addresses : Total MAC Addresses : Configured MAC Addresses : Aging time : Aging type : SecureStatic address aging : Security Violation Count :

interface f0/12 Enabled Secure-down Shutdown 2 1 0 120 mins Absolute Disabled 0

Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5 Switch(config-if)# storm-control multicast level pps 1k Switch(config-if)# storm-control action shutdown

2k

• Enables storm control
• Specifies the level at which it is enabled • Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Mitigating VLAN Attacks

Trunk (Native VLAN = 10)

1. Disable trunking on all access ports. 2. Disable auto trunking and manually enable trunking

3. Be sure that the native VLAN is used only for trunk lines and no where else

Configuring RSPAN
1. Configure the RPSAN VLAN
2960-1(config)# vlan 100 2960-1(config-vlan)# remote-span 2960-1(config-vlan)# exit

2960-1

2960-2

2. Configure the RSPAN source ports and VLANs
2960-1(config)# monitor session 1 source interface FastEthernet 0/1 2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24 2960-1(config)# interface FastEthernet 0/2 2960-1(config-if)# switchport mode trunk

3. Configure the RSPAN traffic to be forwarded
2960-2(config)# monitor session 2 source remote vlan 100 2960-2(config)# monitor session 2 destination interface FastEthernet 0/3 2960-2(config)# interface FastEthernet 0/2 2960-2(config-if)# switchport mode trunk

Using VLANs
Voice VLAN = 110 Data VLAN = 10

5/1

802.1Q Trunk

IP phone 10.1.110.3

Desktop PC 171.1.1.1

• • • •

Creates a separate broadcast domain for voice traffic Protects against eavesdropping and tampering Renders packet-sniffing tools less effective Makes it easier to implement VACLs that are specific to voice traffic

Cryptographic Systems

Authentication

An ATM Personal Information Number (PIN) is required for authentication. The PIN is a shared secret between a bank account holder and the financial institution.

History
Scytale - (700 BC)

Vigenère table

German Enigma Machine

Jefferson encryption device

Cryptanalysis Methods
Brute Force Attack
Known Ciphertext

Successfully Unencrypted Key found

With a Brute Force attack, the attacker has some portion of ciphertext. The attacker attempts to unencrypt the ciphertext with all possible keys.

The Basics

Hashes are used for integrity assurance. Hashes are based on one-way functions. The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.

Data of Arbitrary Length

Fixed-Length Hash Value

e883aa0b24c09f

MD5

MD5 is a ubiquitous hashing algorithm Hashing properties

One-way function—easy to compute hash and infeasible to compute data given a hash Complex sequence of simple binary operations (XORs, rotations, etc.) which finally produces a 128-bit hash.

MD5

SHA

SHA is similar in design to the MD4 and MD5 family of hash functions
 

Takes an input message of no more than 264 bits Produces a 160-bit message digest

The algorithm is slightly slower than MD5. SHA-1 is a revision that corrected an unpublished flaw in the original SHA. SHA-224, SHA-256, SHA-384, and SHA512 are newer and more secure versions of SHA and are collectively known as SHA-2.

SHA

Example
Data
Pay to Terry Smith One Hundred and xx/100 $100.00 Dollars

Received Data
Secret Key
Pay to Terry Smith One Hundred and xx/100 $100.00 Dollars

Secret Key

HMAC (Authenticated Fingerprint)

4ehIDx67NMop9

HMAC (Authenticated Fingerprint)

4ehIDx67NMop9

Pay to Terry Smith One Hundred and xx/100

$100.00 Dollars

If the generated HMAC matches the sent HMAC, then integrity and authenticity have been verified. If they don’t match, discard the message.

4ehIDx67NMop9

Symmetric Encryption
Key Pre-shared key Key

Encrypt
$1000

$!@#IQ

Decrypt

$1000

    

Best known as shared-secret key algorithms The usual key length is 80 - 256 bits A sender and receiver must share a secret key Faster processing because they use simple mathematical operations. Examples include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish.

Asymmetric Encryption
Encryption Key Two separate keys which are not shared Decryption Key

Encrypt
$1000

%3f7&4

Decrypt

$1000

   

Also known as public key algorithms The usual key length is 512–4096 bits A sender and receiver do not share a secret key Relatively slow because they are based on difficult computational algorithms Examples include RSA, ElGamal, elliptic curves, and DH.

Symmetric Encryption Techniques
blank blank 1100101 01010010110010101 01010010110010101

64 bits

64bits

64bits

Block Cipher – encryption is completed in 64 bit blocks

0101010010101010100001001001001 0101010010101010100001001001001

Stream Cipher – encryption is one bit at a time

Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
Computer A acquires Computer B’s public key
1 Can I get your Public Key please? Here is my Public Key.
Bob’s Public Key

2

Bob’s Public Key

Computer A
Encryption Algorithm

Computer A transmits The encrypted message to Computer B

4
Encrypted Text

Bob’s Private Key

Computer B
Encryption Algorithm

Encrypted Text

3

Computer A uses Computer B’s public key to encrypt a message using an agreed-upon algorithm

Computer B uses its private key to decrypt and reveal the message

Implementing Virtual Private Networks

What is a VPN?
Business Partner with a Cisco Router Mobile Worker with a Cisco VPN Client

CSA

VPN

Internet

SOHO with a Cisco DSL Router
VPN

Firewall

Corporate Network
WAN


VPN

Regional branch with a VPN enabled Cisco ISR router

Virtual: Information within a private network is transported over a public network. Private: The traffic is encrypted to keep the data confidential.

Layer 3 VPN
IPSec

VPN

IPSec
Internet

SOHO with a Cisco DSL Router

 

Generic routing encapsulation (GRE) Multiprotocol Label Switching (MPLS) IPSec

Types of VPN Networks
Business Partner with a Cisco Router

Remote-access VPNs
Mobile Worker with a Cisco VPN Client
CSA

MARS
VPN

SOHO with a Cisco DSL Router

Internet

Firewall

Site-to-Site VPNs

VPN

WAN

IP S

VPN

Iron Port
CSA

CSA CSA

Regional branch with a VPN enabled Cisco ISR router

CSA

CSACSA

Web Email Server Server

DNS

IPSec Clients
A wireless client that is loaded on a pda
Certicom PDA IPsec VPN Client

Router with Firewall and VPN Client

Internet

Small Office

Cisco VPN Software Client

Software loaded on a PC

A network appliance that connects SOHO LANs to the VPN
Cisco AnyConnect VPN Client

Internet

Provides remote users with secure VPN connections

IPSec Topology
Main Site
Business Partner with a Cisco Router IPsec Perimeter Router Legacy Cisco PIX Firewall

Regional Office with a Cisco PIX Firewall

POP ASA

Legacy Concentrator

SOHO with a Cisco SDN/DSL Router

Mobile Worker with a Cisco VPN Client on a Laptop Computer

Corporate

Works at the network layer, protecting and authenticating IP packets.
 

It is a framework of open standards which is algorithm-independent. It provides data confidentiality, data integrity, and origin authentication.

Pre-shared Key (PSK)

•At the local device, the authentication key and the identity information (device-specific Diffie-Hellman information) are sent through a hash algorithm to form hash_I. One-way authentication is DH7 established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated. • The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

IPSec VPN Negotiation
10.0.1.3 R1 R2 10.0.2.3

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session. IKE SA
IKE Phase 1

IKE SA

3. R1 and R2 negotiate an IKE Phase 2 session. IPsec SA
IKE Phase 2

IPsec SA

4. Information is exchanged via IPsec tunnel.
IPsec Tunnel

5. The IPsec tunnel is terminated.

Managing a Secure Network

IPSec VPN Negotiation
10.0.1.3 R1 R2 10.0.2.3

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session. IKE SA
IKE Phase 1

IKE SA

3. R1 and R2 negotiate an IKE Phase 2 session. IPsec SA
IKE Phase 2

IPsec SA

4. Information is exchanged via IPsec tunnel.
IPsec Tunnel

5. The IPsec tunnel is terminated.

Objectives of Security Testing and Evaluation
Objectives of ST&E: Uncover design, implementation, and operational flaws that could lead to the violation of the security policy. Determine the adequacy of security mechanisms, assurances, and device properties to enforce the security policy. Assess the degree of consistency between the system documentation and its implementation.

Nmap
Basic functionality  Classic TCP and UDP port scanning  Classic TCP and UDP port sweeping  Stealth TCP and UDP port scans and sweeps  Remote operating system identification, known as OS fingerprinting.

Disaster Recovery

The process of regaining access to the data, hardware, and software necessary to resume critical business operations after a disaster. Plan for coping with unexpected or sudden loss of key personnel.

Operations and Maintenance
Initiation Configuration management and control: ensures that there is adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. Continuous monitoring: ensures that controls continue to be effective Acquisition and in their Disposition application through periodic testing and evaluation. Development

Operations and Maintenance

Implementation

Security Policy Benefits

Demonstrates an organization’s commitment to security. Sets the rules for expected behavior. Ensures consistency in system operations, software and hardware acquisition and use, and maintenance. Defines the legal consequences of violations. Gives security staff the backing of management.

ARVIND KUMAR SHARMA
(CISCO Certified Academy Instructor) CCNA,CCNP,CCNA Security Instructor CISCO Regional Academy Centre for electronic Governance, Jaipur

Sign up to vote on this title
UsefulNot useful