Chapter 10 Security. A typical secured network Recognizing Security Threats 1- Application-layer...
Chapter 10 Security
A typical secured network
Recognizing Security Threats
1- Application-layer attacks
Ex: http://www.companyname.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\
2- Autorooters
3- Backdoors
4- Denial of service (DoS) and distributed denial of service (DDoS) attacks
• TCP SYN flood (SYN, SYN-ACK, & ACK)
• Ping of death
• Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
• Stacheldraht
5- IP spoofing
6- Man-in-the-middle attacks (using a sniffer)
7- Network reconnaissance (port scans, DNS queries, and ping sweeps)
8- Packet sniffers
9- Password attacks (IP spoofing, packet sniffing, & Trojan horses)
10- Brute force attack
11- Port redirection attacks
12- Trojan horse attacks and viruses
13- Trust exploitation attacks
Mitigating Security Threats
1- Cisco's IOS Firewall
• Stateful IOS Firewall inspection engine using Context-Based Access Control (CBAC)
• Intrusion detection
• Firewall voice traversal
• ICMP inspection
• Authentication proxy (RADIUS or TACACS+)
Router(config)#enable use-tacacs
Router(config)#tacacs-server ?
  host     Specify a TACACS server
  key      Set TACACS+ encryption key
  timeout  Time to wait for a TACACS server to reply
Router(config)#enable last-resort
• Destination URL policy management
• Per-user firewalls
• Cisco IOS router and firewall provisioning
• Denial of service (DoS) detection and prevention
• Dynamic port mapping
• Java applet blocking
2- Basic and Advanced Traffic Filtering
• Policy-based, multi-interface support
• Network Address Translation (NAT)
• Time-based access lists
• Peer router authentication (RIPv2, EIGRP, or OSPF)
Access Lists
1- Standard access lists
2- Extended access lists
3- Advanced access lists
Applied as:
a- Inbound access lists
b- Outbound access lists
Uses of Access Lists
• Traffic filtering
• Telnet filtering
General Tips
• Deny any addresses from your internal networks.
• Deny any local host addresses (127.0.0.0/8).
• Deny any reserved private addresses.
• Deny any addresses in the IP multicast address range (224.0.0.0/4).
Standard Access Lists
Router(config)#access-list NO. Action Source
Router(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Router(config-if)#ip access-group 10 out (or in)
Wildcard Masking
Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255
Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255
Controlling VTY (Telnet) Access
Router(config)#access-list 50 permit 172.16.10.3
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in
Extended Access Lists
Router(config)#access-list NO. Action Protocol Source Destination Condition Port no.
Ex:
Router(config)#access-list 110 permit tcp any host 172.16.30.2 eq 80
Router(config)#access-list 110 deny tcp any host 172.16.30.2 gt 1023
Router(config)#int s0
Router(config-if)#ip access-group 110 out
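To see how the wildcard masks, the top-down first-match rule and the implicit deny at the end of a list combine, here is an added Python evaluator (not code from the chapter or from Cisco) that reads entries in the slide syntax and decides permit/deny for a packet. It assumes a packet is described only by source, destination, protocol and destination port, and it uses the slides' own entries (ACL 10, ACL 110 and the General Tips) as constructed inputs.

```python
import ipaddress
PORT_NAMES = {"www": 80}   # service name the slides use in a port condition

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means 'don't care', a 0 bit must match exactly
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _parse_addr(tokens):
    # one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def parse_ace(line, extended):
    # parse what the slides type after 'access-list N'
    tokens = line.split()
    ace = {"action": tokens.pop(0)}                        # permit | deny
    if extended:
        ace["proto"] = tokens.pop(0)                       # ip | tcp | udp | icmp
        ace["src"], ace["dst"] = _parse_addr(tokens), _parse_addr(tokens)
        if tokens and tokens[0] in ("eq", "gt", "lt"):     # optional port condition
            op, port = tokens.pop(0), tokens.pop(0)
            ace["port"] = (op, PORT_NAMES.get(port) or int(port))
    else:
        ace["src"] = _parse_addr(tokens)                   # standard list: source only
    return ace

def evaluate(entries, extended, src, dst="0.0.0.0", proto="ip", dport=None):
    # top-down walk: the first matching entry decides, otherwise implicit deny
    for ace in (parse_ace(e, extended) for e in entries):
        if not wildcard_match(src, *ace["src"]):
            continue
        if extended:
            if ace["proto"] not in ("ip", proto) or not wildcard_match(dst, *ace["dst"]):
                continue
            if "port" in ace:
                op, p = ace["port"]
                if dport is None or not {"eq": dport == p, "gt": dport > p, "lt": dport < p}[op]:
                    continue
        return ace["action"]
    return "deny"   # the implicit 'deny any' that ends every Cisco ACL

# Slide entries; 'permit any' is added to ACL 10 here, and ANTI_SPOOF encodes the General Tips
ACL_10 = ["deny 172.16.16.0 0.0.3.255", "permit any"]
ACL_110 = ["permit tcp any host 172.16.30.2 eq 80", "deny tcp any host 172.16.30.2 gt 1023"]
ANTI_SPOOF = ["deny 127.0.0.0 0.255.255.255", "deny 224.0.0.0 15.255.255.255",
              "deny 10.0.0.0 0.255.255.255", "permit any"]
```

Note that for ACL 110 a TCP packet to port 443 is dropped even though no entry names it: it falls through both entries to the implicit deny.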
Access Lists Example
Advanced Access Lists
1- Named ACLs
2- Switch Port ACLs
3- Time-based ACLs
1- Named ACLs
Router(config)#ip access-list ?
  extended  Extended Access List
  logging   Control access list logging
  standard  Standard Access List
Router(config)#ip access-list standard BlockSales
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
2- Switch Port ACLs
Conditions
1- Inbound only.
2- Named only.
Switch(config)#mac access-list extended Name of list
Switch(config-ext-macl)#Action Source Destination
Ex:
Switch(config)#mac access-list extended Block_MAC_Sales
Switch(config-ext-macl)#deny any host 000d.29bd.4b85
Switch(config-ext-macl)#permit any any
Switch(config-ext-macl)#int f0/6
Switch(config-if)#mac access-group Block_MAC_Sales in
3- Time-Based ACLs
Router(config)#time-range no-http
Router(config-time-range)#periodic we?
  Wednesday  weekdays  weekend
Router(config-time-range)#periodic weekend ?
  hh:mm  Starting time
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#time-range tcp-yes
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#ip access-list extended Time
Router(config-ext-nacl)#deny tcp any any eq www time-range no-http
Router(config-ext-nacl)#permit tcp any any time-range tcp-yes
Router(config-ext-nacl)#interface f0/0
Router(config-if)#ip access-group Time in
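The effect of a time-range is easy to misjudge: an entry whose range is inactive is skipped, so outside the window the list above falls through to the implicit deny. This added Python model (not the chapter's or Cisco's code) parses the slides' `periodic` specs and walks the `Time` list; it assumes the end minute is inclusive and that a packet is described by protocol and destination port only, since both entries are `any any`.

```python
from datetime import datetime

DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
DAY_SETS.update({d: {i} for i, d in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])})

def _as_dt(when):
    # accept a datetime or an ISO string such as '2009-03-21T08:30'
    return datetime.fromisoformat(when) if isinstance(when, str) else when

def parse_periodic(spec):
    # 'periodic weekend 06:00 to 12:00' -> (weekday set, start minute, end minute)
    _, days, start, _, end = spec.split()
    to_min = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[3:])
    return DAY_SETS[days.lower()], to_min(start), to_min(end)

def time_range_active(spec, when):
    # active on one of the listed days between start and end (end minute inclusive here)
    when = _as_dt(when)
    days, start, end = parse_periodic(spec)
    return when.weekday() in days and start <= when.hour * 60 + when.minute <= end

# Time ranges and the 'Time' list from the slides; both entries are 'any any'
TIME_RANGES = {"no-http": "periodic weekend 06:00 to 12:00",
               "tcp-yes": "periodic weekend 06:00 to 12:00"}
TIME_ACL = [("deny", "tcp", 80, "no-http"),      # deny tcp any any eq www time-range no-http
            ("permit", "tcp", None, "tcp-yes")]  # permit tcp any any time-range tcp-yes

def evaluate_time_acl(proto, dport, when):
    # an entry whose time-range is inactive is skipped as if it were not there
    for action, p, port, rng in TIME_ACL:
        if not time_range_active(TIME_RANGES[rng], when):
            continue
        if p != proto or (port is not None and port != dport):
            continue
        return action
    return "deny"   # implicit deny: outside the window nothing is permitted at all
```

The slides' `clock set 00:00:00 21 mar 2009` date is a Saturday, so a packet at 08:30 that day lands inside both windows; the same packet on Monday matches nothing.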
Remarking Access Lists
Router#config t
Router(config)#access-list 110 remark Permit Bob from Sales Only To Finance
Router(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
Router(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
Using SSH instead of Telnet
1- Enable the HTTP/HTTPS server
Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#ip http authentication local
2- Create a user account using privilege level 15 (the highest level)
Router(config)#username cisco privilege ?
  <0-15>  User privilege level
Router(config)#username cisco privilege 15 password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
Router(config)#username cisco privilege 15 password 0 cisco
3- Configure the console, SSH, and Telnet lines to use local login authentication with privilege level 15 access
Router(config)#line console 0
Router(config-line)#login local
Router(config-line)#exit
Router(config)#line vty 0 ?
  <1-1180>  Last Line number
  <cr>
Router(config)#line vty 0 1180
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet
Router(config-line)#transport input telnet ssh
Router(config-line)#^Z
Router#clock set 00:00:00 21 mar 2009
Viewing Access Lists
Router#show access-list
Router#show access-list 110
Router#show ip access-list
Router#show ip interface
Router#show running-config
Switch#show mac access-group