Chapter 11 Network Security
powered by DJ

Chapter Objectives
At the end of this chapter you will be able to:
Describe today's increasing network security threats and explain the need to implement a comprehensive security policy to mitigate them.
Explain general methods to mitigate common security threats to network devices, hosts, and applications.
Describe the functions of common security appliances and applications.
Describe security recommended practices, including the initial steps to secure network devices.

Perimeter, Firewall, and Internal Routers
Typically, in medium to large enterprise networks, the various strategies for security are based on some recipe of internal and perimeter routers plus firewall devices. Internal routers provide additional security to the network by screening traffic to various parts of the protected corporate network, and they do this using access lists. You can see where each of these types of devices is found in the figure below.

A Typical Secured Network (figure)

Recognizing Security Threats
Let's examine some common attack profiles:

Application-layer attacks: These attacks commonly zero in on well-known holes in the software that is typically found running on servers. Favorite targets include FTP, sendmail, and HTTP. Because the accounts these services run under are most often privileged, an attacker who exploits one of them usually ends up with privileged access to the machine running it.

Trojan horse attacks and viruses

Backdoors: These are simply paths leading into a computer or network. Through simple intrusions, or via more elaborate Trojan horse code, attackers can use their implanted inroads into a specific host or even a whole network whenever they want to, until you detect and stop them.
IP spoofing
Packet sniffers
Password attacks
Brute force attacks
Port redirection attacks
Denial of service (DoS) attacks

Mitigating Security Threats
What solution should we use to mitigate security threats? Something from Juniper, McAfee, or some other firewall product? No, we will probably use something from Cisco. Cisco IOS software runs on upwards of 80 percent of the Internet backbone routers out there; it is probably the most critical part of the network infrastructure. So let's keep it real and use Cisco IOS's software-based security, known as the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and remote-access network security solutions. It is a good idea to go with this because Cisco ACLs really are quite efficient tools for mitigating many of the most common threats around.

Cisco's IOS Firewall
Authentication proxy: A feature that makes users authenticate any time they want to access the network's resources through HTTP, HTTPS, FTP, or Telnet. It keeps per-user network access profiles, automatically retrieves them from a RADIUS or TACACS+ server, and applies them.
Destination URL policy management: A buffet of features commonly referred to as URL filtering.
Per-user firewalls: These are basically personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage.
Cisco IOS router and firewall provisioning: Allows for no-touch router provisioning, version updates, and security policies.
Denial of service (DoS) detection and prevention: A feature that checks packet headers and drops any packets it finds suspicious.
Dynamic port mapping: A sort of adapter that permits applications supported by the firewall to run on nonstandard ports.
Java applet blocking: Protects you from any strange, unrecognized Java applets.
Basic and Advanced Traffic Filtering
You can use standard, extended, and even dynamic ACLs such as lock-and-key traffic filtering with Cisco's IOS Firewall, and you can apply access controls to any network segment you want. Plus, you can specify the exact kind of traffic you want to allow to pass through any segment. Remember that every ACL is evaluated top-down, first match wins, and an implicit deny ends the list, so anything you do not explicitly permit is dropped.
Policy-based, multi-interface support: Allows you to control user access by IP address and interface, depending on your security policy.
Network Address Translation (NAT): Conceals the internal addressing scheme from the outside. NAT hides addresses rather than filtering traffic, so it complements ACLs and inspection rather than replacing them.
Time-based access lists: Determine security policies based on the exact time of day and the particular day of the week. These are only as good as the router's clock, so synchronize it with NTP.
Peer router authentication: Guarantees that routers are getting dependable routing information from actual, trusted sources. (For this to work, you need a routing protocol that supports authentication, such as RIPv2, EIGRP, or OSPF.)
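The two-router layout from the "Perimeter, Firewall, and Internal Routers" slide and the filtering features listed above, put into IOS configuration as an added example (this is not the chapter's own material). The internal router screens traffic into a server segment with a named extended ACL; the perimeter router applies a time-based ACL, NAT overload, and OSPF MD5 peer authentication on the link between the two. Every hostname, interface, address and the OSPF key string are hypothetical; 203.0.113.0/24 is the RFC 5737 documentation range.

```cisco
! ===== Internal router: screen traffic into the server segment =========
! Hypothetical addressing: users 10.1.0.0/16 (Gi0/0), servers 10.2.0.0/24
! (Gi0/1), admin workstation 10.1.99.10, link to perimeter 10.255.0.0/30.
hostname INTERNAL-RTR
!
ip access-list extended TO-SERVERS
 remark Web access to the servers from the user LAN only
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 eq 80
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 eq 443
 remark SSH to the servers only from the admin workstation
 permit tcp host 10.1.99.10 10.2.0.0 0.0.0.255 eq 22
 remark Ping for troubleshooting, no other ICMP
 permit icmp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 echo
 remark Make the implicit deny explicit and log hits for review
 deny ip any any log
!
interface GigabitEthernet0/1
 description Server segment
 ip address 10.2.0.1 255.255.255.0
 ip access-group TO-SERVERS out
!
interface GigabitEthernet0/2
 description Link to the perimeter router
 ip address 10.255.0.2 255.255.255.252
 ip ospf message-digest-key 1 md5 Sup3rS3cr3tK3y
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 10.2.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
 area 0 authentication message-digest
!
! ===== Perimeter router: time-based ACL, NAT, peer authentication ======
hostname PERIMETER-RTR
!
! Time-based entries are evaluated against the router clock: sync it first.
ntp server 10.1.99.20
!
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
ip access-list extended INSIDE-TO-INTERNET
 remark Routing traffic from the neighbor must not be filtered out,
 remark or the OSPF adjacency (and all internal routes) disappears
 permit ospf host 10.255.0.2 any
 remark Web browsing from the user LAN only during business hours
 permit tcp 10.1.0.0 0.0.255.255 any eq 80 time-range BUSINESS-HOURS
 permit tcp 10.1.0.0 0.0.255.255 any eq 443 time-range BUSINESS-HOURS
 remark DNS to the ISP resolver is always allowed
 permit udp 10.1.0.0 0.0.255.255 host 203.0.113.53 eq 53
 deny ip any any log
!
! NAT overload (PAT): inside hosts share the outside interface address.
! This hides the 10.0.0.0/8 numbering; the ACL above still does the filtering.
access-list 10 permit 10.0.0.0 0.255.255.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 description Inside (link to the internal router)
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
 ip access-group INSIDE-TO-INTERNET in
 ip ospf message-digest-key 1 md5 Sup3rS3cr3tK3y
!
interface GigabitEthernet0/1
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
router ospf 1
 router-id 10.255.0.1
 network 10.255.0.0 0.0.0.3 area 0
 area 0 authentication message-digest
```

Two checks are worth running after applying this. `show ip ospf neighbor` on either router should list the other in FULL state; if the key ID or key string differs on the two ends, the adjacency never forms and the perimeter router loses every internal route, which is the usual symptom of a peer-authentication typo. `show access-lists` shows per-line hit counts, so you can confirm that the explicit `deny ip any any log` at the end of each list is catching only what you expect. Keep in mind that `log` on a final deny is useful for investigation but makes the router do extra work for every dropped packet, so it is not something to leave on a line that absorbs a flood.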