CNIT 221 Security 1 ver.2 Module 2
City College of San Francisco, Spring 2006
© 2004, 2005 Cisco Systems, Inc. All rights reserved.

Network Security 1
Module 2 – Security Planning and Policy

Learning Objectives
– 2.1 Discussing Network Security and Cisco
– 2.2 Endpoint Protection and Management
– 2.3 Network Protection and Management
– 2.4 Security Architecture
– 2.5 Basic Router Security

2.1 Discussing Network Security and Cisco

Network Security as a Continuous Process
• Network security is a continuous process built around a security policy.
– Step 1: Secure
– Step 2: Monitor
– Step 3: Test
– Step 4: Improve
(Figure: the Security Policy at the center of the Secure, Monitor, Test, Improve cycle.)

Secure the Network
• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
– Authentication
– Encryption
– Firewalls
– Vulnerability patching

Monitor Security
– Detects violations to the security policy
– Involves system auditing and real-time intrusion detection
– Validates the security implementation in Step 1

Test Security
• Validates effectiveness of the security policy through system auditing and vulnerability scanning

Improve Security
– Use information from the monitor and test phases to make improvements to the security implementation.
– Adjust the security policy as security vulnerabilities and risks are identified.

What Is a Security Policy?
• “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” (RFC 2196, Site Security Handbook)

Why Create a Security Policy?
– To create a baseline of your current security posture
– To set the framework for security implementation
– To define allowed and not allowed behaviors
– To help determine necessary tools and procedures
– To communicate consensus and define roles
– To define how to handle security incidents

Security Policy Elements
• On the left are the network design factors upon which security policy is based: Data Assessment, Host Addressing, Application Definition, Usage Guidelines, Topology/Trust Model
• On the right are basic Internet threat vectors toward which security policies are written to mitigate: Vulnerabilities, Denial of Service, Misuse, Reconnaissance

2.2 Endpoint Protection and Management

Types of Firewalls
– Server Based: Microsoft ISA, CheckPoint, Zone Alarm
– Appliance: PIX Security Appliance/ASA, Netscreen, SonicWall
– Personal: Norton, McAfee, ZoneAlarms
– Integrated: IOS Firewall, Switch Firewall

2.3 Network Protection and Management

Sample Firewall Topology (figure only)
VPN Definition (figure only)
Remote Access VPNs (figure only)
Site-to-Site VPNs (figure only)
Adaptive Security Device Manager (ASDM) (figure only)
Security Device Manager (SDM) (figure only)

2.4 Security Architecture

Secure Connectivity (figure only)
Cisco Threat Defense System (figure only)
Identity Based Networking Services (IBNS) (figure only)
Plan, Design, Implement, Operate, Optimize (PDIOO) (figure only)

2.5 Basic Router Security

SSH
• SSH Server and Client, TCP Port 22 (figure: SSH client connecting to SSH server)

SSH Server Configuration
Router(config)# hostname host-name
Router(config)# ip domain-name domain-name.com
Router(config)# crypto key generate rsa
Router(config)# line vty 0 4
Router(config-line)# transport input ssh

Controlling Access
• Console Port
• TTY
• VTY
• A console is a terminal connected to a router console port.
• The terminal can be a dumb terminal or PC with terminal emulation software.

Passwords
• Passwords are the most critical tools in controlling access to a router.
• There are two password protection schemes in Cisco IOS:
– Type 7 uses the Cisco-defined encryption algorithm.
– Type 5 uses an MD5 hash, which is much stronger.
• Cisco recommends that Type 5 encryption be used instead of Type 7 where possible.
• Type 7 encryption is used by the enable password, username, and line password commands.
• Service password encryption should be used.
• Use good password practices when creating passwords.
• Configure both username and password combinations.

Good Password Practices
• Avoid dictionary words, names, phone numbers, and dates.
• Include at least one lowercase letter, uppercase letter, digit, and special character.
• Make all passwords at least eight characters long.
• Avoid more than four digits or same-case letters in a row.
• Change passwords often.

Initial Configuration Dialog
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no] y
Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
Enter enable secret: CantGessMe
The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
Enter enable password: WontGessMe
The virtual terminal password is used to protect access to the router over a network interface.
Enter virtual terminal password: CantGessMeVTY
. .

Configure the Enable Password Using enable secret
router(config)# enable secret password
• Encrypts the password in the router configuration file
• Uses a strong encryption algorithm based on MD5
Boston(config)# enable secret Curium96
Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!

Configure the Console Port User-Level Password
router(config)# line console line-number
• Enters console line configuration mode
router(config-line)# login
• Enables password checking at login
router(config-line)# password password
• Sets the user-level password to password
Boston(config)# line console 0
Boston(config-line)# login
Boston(config-line)# password ConUser1
– Creates the user-level password ConUser1
– The password is unencrypted

Configure a VTY User-Level Password
router(config)# line vty start-line-number end-line-number
• Enters VTY line configuration mode
• Specifies the range of VTY lines to configure
router(config-line)# login
• Enables password checking at login for VTY (Telnet) sessions
router(config-line)# password password
• Sets the user-level password to password
Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY

Configure an Auxiliary User-Level Password
router(config)# line aux line-number
• Enters auxiliary line configuration mode
router(config-line)# login
• Enables password checking at login for Aux connections
router(config-line)# password password
• Sets the user-level password to password
Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux

Encrypting Passwords Using service password-encryption
router(config)# service password-encryption
• Encrypts all passwords in the router configuration file
Boston(config)# service password-encryption
Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A
• Uses a weak encryption algorithm that can be easily cracked

Setting Timeouts for Router Lines
router(config-line)# exec-timeout minutes [seconds]
• Default is 10 minutes
• Terminates an unattended console connection
• Provides an extra safety factor when an administrator walks away from an active console session
Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30
Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30
• Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds

Setting Multiple Privilege Levels
router(config)# privilege mode {level level command | reset command}
• Level 1 is predefined for user-level access privileges
• Levels 2–14 may be customized for user-level privileges
• Level 15 is predefined for enable mode (enable command)
Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot

Login Banner
• Banners should be used on all network devices
• A banner should include:
– A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.
– A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.
– A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.
– Specific notices required by specific local laws.
• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

Configuring Banner Messages
router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
• Specify what is “proper use” of the system
• Specify that the system is being monitored
• Specify that privacy should not be expected when using this system
• Do not use the word “welcome”
• Have legal department review the content of the message
Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #
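The hardening points in the Basic Router Security slides (a Type 5 enable secret, service password-encryption, no Type 7 or plaintext line passwords, SSH-only VTY transport, an exec-timeout on every line, a banner that avoids "welcome") can be checked mechanically against a saved show running-config. The following Python audit is an added example, not course material or Cisco code; the sample config is constructed for the example (it reuses the example hash and Type 7 strings shown on the slides), and the finding names are this example's own.

```python
import re

# Constructed sample "show running-config" excerpt (not from the slides), mixing
# hardened settings with the weak ones the module warns about.
SAMPLE_CONFIG = """\
hostname Boston
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
banner motd # WARNING: Authorized personnel only. Use is monitored. #
line con 0
 password 7 0956F57A109A
line aux 0
 password NeverGessMeAux
 exec-timeout 3 30
line vty 0 4
 password 7 034A18F366A0
 transport input telnet ssh
"""

def audit_ios_config(config):
    # Returns a list of findings, one per deviation from the module's guidance.
    findings = []
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("global: service password-encryption not enabled")
    if not re.search(r"^enable secret 5 ", config, re.M):
        findings.append("global: no Type 5 (MD5) enable secret configured")
    if not re.search(r"^banner (motd|login|exec) ", config, re.M):
        findings.append("global: no banner configured")
    elif re.search(r"^banner .*welcome", config, re.M | re.I):
        findings.append("global: banner contains the word 'welcome'")
    section, sections, has_timeout = None, [], set()
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):            # start of a con/aux/vty block
            section = cmd
            sections.append(section)
        elif section is None:
            continue                            # still in global config
        elif m := re.match(r"password (?:(\d) )?\S+$", cmd):
            if m.group(1) == "7":              # Type 7: reversible encoding
                findings.append(f"{section}: Type 7 password (reversible)")
            elif m.group(1) is None:           # no type digit: stored in clear
                findings.append(f"{section}: plaintext password")
        elif cmd.startswith("exec-timeout "):
            has_timeout.add(section)
        elif cmd.startswith("transport input") and "telnet" in cmd.split():
            findings.append(f"{section}: transport input allows telnet")
    for s in sections:                          # slides: set exec-timeout on every line
        if s not in has_timeout:
            findings.append(f"{s}: no explicit exec-timeout (default 10 minutes)")
    return findings
```

Run it over the output of show running-config saved to a file; every finding maps to one of the commands on the slides above.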