Enterprise Network Security
Accessing the WAN – Chapter 4
ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 2: Objectives
• Describe the general methods used to mitigate security threats to enterprise networks
• Configure basic router security
• Explain how to disable unused Cisco router network services and interfaces
• Explain how to use Cisco SDM
• Manage Cisco IOS devices

Slide 3: Why is network security important?
• We want to live securely
• We want to have our data secured
• We want to have our communication secured

Slide 4: Describe the General Methods Used to Mitigate Security Threats to Enterprise Networks
Explain how sophisticated attack tools and open networks have created an increased need for network security and dynamic security policies.

Slide 5: Security policy
• Risk assessment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management

Slide 6: Security levels (figure only)

Slide 7: Number of attacks (figure only)

Slide 8: Describe the General Methods Used to Mitigate Security Threats to Enterprise Networks
Social engineering? (figure only)

Slide 9: Access attacks (figure only)

Slide 10: Denial of service attacks (figure only)
Slide 11: Describe the General Methods Used to Mitigate Security Threats to Enterprise Networks
Describe the common mitigation techniques that enterprises use to protect themselves against threats.

Slide 12: Security equipment (figure only)

Slide 13: Describe the General Methods Used to Mitigate Security Threats to Enterprise Networks
Explain the concept of the Network Security Wheel.

Slide 14: Configure Basic Router Security
Explain why the security of routers and their configuration settings is vital to network operation.

Slide 15: Configure Basic Router Security
Describe the basic security measures needed to secure Cisco routers. Example: restrict remote (vty) access to a single management host with a standard ACL applied to the vty lines (the line-mode command is access-class, not ip access-class):

    Router(config)# ip access-list standard SSH-access
    Router(config-std-nacl)# permit host 147.232.22.1
    Router(config-std-nacl)# deny any
    Router(config-std-nacl)# exit
    Router(config)# line vty 0 4
    Router(config-line)# access-class SSH-access in

Note that the ACL only limits which source addresses may open a session; making the vty lines SSH-only additionally requires transport input ssh on the same lines.

Slide 16: SSH configuration (figure only)

Slide 17: Explain How to Disable Unused Cisco Router Network Services and Interfaces
Explain how to secure a router with the command-line interface (CLI) auto secure command.

Slide 18: Explain How to Use Cisco SDM
Provide an overview of Cisco SDM.

Slide 19: Manage Cisco IOS Devices
Describe the file systems used by a Cisco router.

Slide 20: Manage Cisco IOS Devices
Describe how to back up and upgrade a Cisco IOS image.
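The basic router security measures from the slides (an enable secret instead of a reversible enable password, vty lines limited by an access-class and restricted to SSH, unused services such as the HTTP server disabled, unused interfaces shut down, router activity logged) are the kind of thing worth checking automatically across a fleet of saved configurations. The following Python script is an added example, not part of the original slides or of any Cisco tool: it parses a saved IOS configuration into header/child blocks and reports which hardening items are missing. The two sample configurations are constructed for the example (the weak one reuses the SSH-access ACL from slide 15; the enable secret hash and logging host in the hardened one are placeholders).

```python
"""Audit a saved Cisco IOS configuration for the basic hardening items."""
import re


def parse_sections(config_text):
    """Split an IOS config into (header, children) blocks.

    Indented lines belong to the most recent unindented header line;
    blank lines and '!' separator/comment lines are ignored.
    """
    sections = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line, []))
    return sections


def audit_ios_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    headers = [h for h, _ in sections]
    findings = []

    if not any(h.startswith("enable secret") for h in headers):
        findings.append("no 'enable secret' (an enable password is stored reversibly)")
    if "service password-encryption" not in headers:
        findings.append("'service password-encryption' is not enabled")
    if "ip ssh version 2" not in headers:
        findings.append("SSH version 2 is not forced ('ip ssh version 2')")
    if "ip http server" in headers:
        findings.append("HTTP management server is enabled (use 'no ip http server')")
    if not any(re.match(r"logging (host )?\d", h) for h in headers):
        findings.append("no syslog host configured (router activity is not logged)")

    # Every vty line group must be SSH-only and protected by an inbound access-class.
    for header, children in sections:
        if header.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{header}: transport input is not restricted to SSH")
            if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
                findings.append(f"{header}: no inbound access-class limits who may connect")

    # An interface without an address is unused unless it carries subinterfaces
    # (a parent like FastEthernet0/0 legitimately has no address of its own).
    interfaces = {h.split(" ", 1)[1]: c for h, c in sections if h.startswith("interface ")}
    for name, children in interfaces.items():
        has_address = any(c.startswith(("ip address", "ipv6 address")) for c in children)
        has_subif = any(other.startswith(name + ".") for other in interfaces)
        if not has_address and not has_subif and "shutdown" not in children:
            findings.append(f"interface {name}: unused but not shut down")
    return findings


# Constructed sample, not taken from a real device: the "before" configuration.
WEAK_CONFIG = """\
enable password cisco
ip http server
ip access-list standard SSH-access
 permit host 147.232.22.1
 deny any
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
interface FastEthernet0/1
 ip address dhcp
interface Serial0/1
 no ip address
line vty 0 4
 access-class SSH-access in
 transport input telnet ssh
"""

# Constructed hardened version of the same device (hash and syslog host are placeholders).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
ip ssh version 2
no ip http server
logging host 147.232.22.1
ip access-list standard SSH-access
 permit host 147.232.22.1
 deny any
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
interface FastEthernet0/1
 ip address dhcp
interface Serial0/1
 no ip address
 shutdown
line vty 0 4
 access-class SSH-access in
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_ios_config(cfg))} finding(s)")
        for f in audit_ios_config(cfg):
            print("  -", f)
```

Running the script reports seven findings for the weak configuration (including the telnet-capable vty lines and the idle Serial0/1) and none for the hardened one; FastEthernet0/0 is not flagged because its subinterface carries the address.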
Slide 21: Manage Cisco IOS Devices
Explain how to back up and upgrade Cisco IOS software images using a network server.

Slide 22: Manage Cisco IOS Devices
Explain how to recover a Cisco IOS software image.

Slide 23: Manage Cisco IOS Devices
Explain how to recover the enable password and the enable secret passwords:
1) Ctrl+Break
2) Rommon 1> confreg 0x2142
3) Rommon 2> reset
4) Would you like to enter initial router configuration [Yes/no]
5) Router(config)# config-register 0x2102

Slide 24: Summary
Security threats to an enterprise network include:
– Unstructured threats
– Structured threats
– External threats
– Internal threats
Methods to lessen security threats consist of:
– Device hardening
– Use of antivirus software
– Firewalls
– Downloading security updates

Slide 25: Summary
Basic router security involves the following:
– Physical security
– Updating and backing up the IOS
– Backing up configuration files
– Password configuration
– Logging router activity
Disable unused router interfaces and services to minimize their exploitation by intruders.
Cisco SDM
– A web-based management tool for configuring security measures on Cisco routers

Slide 26: Summary
Cisco IOS Integrated File System (IFS)
– Allows for the creation, navigation and manipulation of directories on a Cisco device

Slide 27: Practice lab: DHCP, NAT
Accessing the WAN – Chapter 4

Slide 28: Practice lab (topology figure)
Slide 29: Tasks
• Basic configuration (example)

    R-1(config)# interface FastEthernet 0/1
    R-1(config-if)# ip address dhcp
    R-1(config-if)# no shutdown
    R-1(config)# interface FastEthernet 0/0
    R-1(config-if)# no shutdown
    R-1(config)# interface FastEthernet 0/0.101
    R-1(config-subif)# encapsulation dot1q 101
    R-1(config-subif)# ip address 192.168.101.1 255.255.255.0
    R-1(config)# interface FastEthernet 0/0.200
    R-1(config-subif)# encapsulation dot1q 200
    R-1(config-subif)# ip address 10.10.10.1 255.255.255.0

Slide 30: Tasks
• DHCP and DHCP relay (the pools live on R-1)

    R-1(config)# ip dhcp pool VLAN101
    R-1(dhcp-config)# network 192.168.101.0 /24
    R-1(dhcp-config)# default-router 192.168.101.1
    R-1(dhcp-config)# dns-server 147.232.22.1
    R-1(config)# ip dhcp pool VLAN102
    R-1(dhcp-config)# network 192.168.102.0 /24
    R-1(dhcp-config)# default-router 192.168.102.1
    R-1(dhcp-config)# dns-server 147.232.22.1
    R-1(config)# ip dhcp pool VLAN103
    R-1(dhcp-config)# network 192.168.103.0 /24
    R-1(dhcp-config)# default-router 192.168.103.1
    R-1(dhcp-config)# dns-server 147.232.22.1

Slide 31: Practice lab (topology figure)

Slide 32: Tasks
• DHCP and DHCP relay (R-2 relays VLAN 102 requests to R-1; both routers run OSPF)

    R-2(config)# interface FastEthernet 0/0.102
    R-2(config-subif)# encapsulation dot1q 102
    R-2(config-subif)# ip address 192.168.102.1 255.255.255.0
    ! The helper address must point at the DHCP server, R-1, whose Serial 0/0
    ! is 192.168.1.1 (192.168.1.2 is R-2's own end of that link).
    R-2(config-subif)# ip helper-address 192.168.1.1
    R-2(config-subif)# ip nat inside
    R-2(config)# router ospf 1
    R-2(config-router)# network 192.168.1.0 0.0.0.3 area 0
    R-2(config-router)# network 192.168.102.0 0.0.0.3 area 0
    R-1(config)# router ospf 1
    R-1(config-router)# default-information originate
    R-1(config-router)# network 192.168.1.0 0.0.0.3 area 0
    R-1(config-router)# network 192.168.2.0 0.0.0.3 area 0
    R-1(config-router)# network 192.168.101.0 0.0.0.255 area 0

Note that the wildcard 0.0.0.3 in R-2's second network statement still covers the interface address 192.168.102.1, so OSPF is enabled on the subinterface even though the wildcard does not span the whole /24.
Slide 33: Practice lab: Host C and Host H (topology figure)

Slide 34: Tasks
• Dynamic NAT and static NAT

    R-1(config)# ip route 10.10.12.0 255.255.255.0 192.168.1.2
    R-1(config)# ip route 10.10.13.0 255.255.255.0 192.168.2.2
    R-2(config)# ip access-list standard SNAT
    R-2(config-std-nacl)# permit 10.10.10.0 0.0.0.255
    ! ip nat pool requires a netmask (or prefix-length); the pool ends at .254
    ! because .255 is the subnet broadcast address and .1 is used by the static entry.
    R-2(config)# ip nat pool POOL_IP 10.10.12.2 10.10.12.254 netmask 255.255.255.0
    R-2(config)# ip nat inside source list SNAT pool POOL_IP
    R-2(config)# ip nat inside source static 10.10.10.100 10.10.12.1
    R-2(config)# interface FastEthernet 0/0.200
    R-2(config-subif)# ip nat inside
    R-2(config)# interface Serial 0/0
    R-2(config-if)# ip nat outside

Slide 35: Practice lab: PAT (overloading) (topology figure)

Slide 36: Tasks
• Port Address Translation (overloading): mark the inside and outside interfaces on R-1

    R-1(config)# interface FastEthernet 0/0.101
    R-1(config-subif)# ip nat inside
    R-1(config)# interface FastEthernet 0/0.200
    R-1(config-subif)# ip nat inside
    R-1(config)# interface Serial 0/0
    R-1(config-if)# ip nat inside
    R-1(config)# interface Serial 0/1
    R-1(config-if)# ip nat inside
    R-1(config)# interface FastEthernet 0/1
    R-1(config-if)# ip nat outside

Slide 37: Tasks
• Port Address Translation (overloading): select the inside sources and overload the outside interface address

    R-1(config)# ip access-list standard natko
    R-1(config-std-nacl)# permit 192.168.101.0 0.0.0.255
    R-1(config-std-nacl)# permit 192.168.102.0 0.0.0.255
    R-1(config-std-nacl)# permit 192.168.103.0 0.0.0.255
    R-1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
    R-1(config-std-nacl)# permit 10.10.12.0 0.0.0.255
    R-1(config-std-nacl)# permit 10.10.13.0 0.0.0.255
    R-1(config)# ip nat inside source list natko interface FastEthernet 0/1 overload

Slide 38: Practice lab: IPv6 (topology figure)
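To make the behaviour of the three NAT styles on slides 34 and 37 concrete (a static entry that is translated regardless of the ACL, a dynamic pool that hands one global address to each inside host until it runs out, and PAT that shares one interface address by rewriting source ports), the following Python model is an added example, not part of the slides or of Cisco IOS. Its wildcard matcher is the same test IOS applies for the standard ACLs here and for the OSPF network statements on slide 32, so the last two assertions in the accompanying check also show why network 192.168.102.0 0.0.0.3 still covers 192.168.102.1. Assumptions: the R-2 pool is shortened to two addresses so exhaustion is visible, and because R-1's FastEthernet 0/1 gets its address by DHCP on slide 29, the outside address 203.0.113.10 is a constructed placeholder.

```python
"""Model of the lab's inside-source NAT rules: static + dynamic pool on R-2, PAT overload on R-1."""
import ipaddress


def wildcard_match(ip, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (a | w) == (n | w)


def standard_acl_permits(ip, acl):
    """Standard ACL semantics: first matching entry decides, implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(ip, network, wildcard):
            return action == "permit"
    return False


class InsideSourceNat:
    """Evaluation order mirrors IOS: static entries first, then the ACL-selected dynamic rule."""

    def __init__(self, acl, static=None, pool=None, overload_ip=None):
        self.acl = acl
        self.static = dict(static or {})   # inside local -> inside global
        self.pool = list(pool or [])       # free inside global addresses (dynamic NAT)
        self.overload_ip = overload_ip     # interface address shared by PAT
        self.dynamic = {}                  # inside local -> pool address currently held
        self.table = {}                    # (local ip, local port) -> (global ip, global port)
        self.used_ports = {}               # global ip -> set of ports in use
        self.dropped = 0                   # packets dropped because the pool was empty

    def _alloc_port(self, global_ip, wanted):
        """Keep the original source port when free, otherwise pick the next free one."""
        used = self.used_ports.setdefault(global_ip, set())
        port = wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return port

    def translate(self, src_ip, src_port):
        """Translation applied to an outbound packet: (global ip, global port), or None
        when the packet leaves untranslated (no rule matches) or is dropped (pool empty)."""
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]
        if src_ip in self.static:
            result = (self.static[src_ip], src_port)
        elif not standard_acl_permits(src_ip, self.acl):
            return None
        elif self.overload_ip:
            result = (self.overload_ip, self._alloc_port(self.overload_ip, src_port))
        else:
            if src_ip not in self.dynamic:
                if not self.pool:
                    self.dropped += 1
                    return None
                self.dynamic[src_ip] = self.pool.pop(0)
            result = (self.dynamic[src_ip], src_port)
        self.table[key] = result
        return result


def make_r2(pool_size=2):
    """R-2 from slide 34: ACL SNAT, static 10.10.10.100 -> 10.10.12.1, pool from 10.10.12.2.
    The pool is cut to pool_size addresses (assumption) so that exhaustion shows up."""
    pool = [str(ipaddress.IPv4Address("10.10.12.2") + i) for i in range(pool_size)]
    return InsideSourceNat(acl=[("permit", "10.10.10.0", "0.0.0.255")],
                           static={"10.10.10.100": "10.10.12.1"}, pool=pool)


def make_r1(outside_ip="203.0.113.10"):
    """R-1 from slide 37: ACL natko overloaded on FastEthernet 0/1.
    outside_ip is a constructed placeholder for the DHCP-assigned interface address."""
    nets = ["192.168.101.0", "192.168.102.0", "192.168.103.0",
            "10.10.10.0", "10.10.12.0", "10.10.13.0"]
    return InsideSourceNat(acl=[("permit", n, "0.0.0.255") for n in nets], overload_ip=outside_ip)


if __name__ == "__main__":
    r2, r1 = make_r2(), make_r1()
    for host, port in (("10.10.10.100", 40000), ("10.10.10.5", 1111), ("10.10.10.6", 1111),
                       ("10.10.10.7", 1111), ("192.168.102.7", 1111)):
        print("R-2", host, port, "->", r2.translate(host, port))
    for host, port in (("192.168.101.10", 5000), ("10.10.10.20", 5000), ("172.16.0.1", 5000)):
        print("R-1", host, port, "->", r1.translate(host, port))
```

The model shows the two failure modes a practitioner cares about: on R-2 the third inside host is dropped once the pool is empty (a real pool of 253 addresses only delays this), while on R-1 a second host reusing source port 5000 is silently moved to port 1024, which is why logs from a PAT device must record the translated port, not only the address.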
Slide 39: Tasks
• IPv6 addressing

    R-1(config)# ipv6 unicast-routing
    R-1(config)# interface FastEthernet 0/0.333
    R-1(config-subif)# encapsulation dot1q 333
    R-1(config-subif)# ipv6 address 2001:ac1::1/64
    R-1(config)# interface Serial 0/0
    R-1(config-if)# ip address 192.168.1.1 255.255.255.252
    R-1(config-if)# ipv6 address 3ffe:12::1/64

Slide 40: Tasks
• IPv6 routing (RIPng)

    R-1(config)# ipv6 router rip ROUTING
    R-1(config)# interface FastEthernet 0/0.333
    R-1(config-subif)# encapsulation dot1q 333
    R-1(config-subif)# ipv6 address 2001:ac1::1/64
    R-1(config-subif)# ipv6 rip ROUTING enable
    R-1(config)# interface Serial 0/0
    R-1(config-if)# ip address 192.168.1.1 255.255.255.252
    R-1(config-if)# ipv6 address 3ffe:12::1/64
    R-1(config-if)# ipv6 rip ROUTING enable

Slide 41: End of presentation
Thank you for your attention.
Modern education for the knowledge society. The project is co-financed from EU resources.