Enterprise Network Security
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Enterprise Network Security
Accessing the WAN – Chapter 4
Objectives
• Describe the general methods used to mitigate security threats to Enterprise networks
• Configure basic router security
• Explain how to disable unused Cisco router network services and interfaces
• Explain how to use Cisco SDM
• Manage Cisco IOS devices
Why is network security important?
• We want to live securely
• We want our data to be secured
• We want our communication to be secured
Describe the General Methods used to Mitigate Security Threats to Enterprise Networks
• Explain how sophisticated attack tools and open networks have created an increased need for network security and dynamic security policies
Security policy
• Risk assessment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
Security levels
Number of Attacks
Describe the General Methods used to Mitigate Security Threats to Enterprise Networks
Social engineering?
Access Attacks
Denial of Service attacks
Describe the General Methods used to Mitigate Security Threats to Enterprise Networks
• Describe the common mitigation techniques that enterprises use to protect themselves against threats
Security equipment
Describe the General Methods used to Mitigate Security Threats to Enterprise Networks
• Explain the concept of the Network Security Wheel
Configure Basic Router Security
• Explain why the security of routers and their configuration settings is vital to network operation
Configure Basic Router Security
• Describe the basic security measures needed to secure Cisco routers

Restrict management access to the vty lines to a single trusted host with a standard ACL applied with access-class (the access-class keyword is entered directly under the line, without an ip prefix). Note that access-class only limits the source address; which protocols the lines accept is still decided by transport input.

Router(config)# ip access-list standard SSH-access
Router(config-std-nacl)# permit host 147.232.22.1
Router(config-std-nacl)# deny any
Router(config)# line vty 0 4
Router(config-line)# access-class SSH-access in
SSH configuration
Explain How to Disable Unused Cisco Router Network Services and Interfaces
• Explain how to secure a router with the command-line interface (CLI) auto secure command
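The following script is an added example and is not part of the slides or of Cisco's own tooling. It audits the text of an IOS running-config for the basic measures covered in the last three slides (SSH-only vty lines protected by an access-class, an enable secret instead of an enable password, password encryption, the HTTP server disabled, SSH version 2), which are among the items auto secure configures interactively. Both sample configurations inside it are constructed for the demonstration; the ACL name SSH-access and the host 147.232.22.1 are taken from the slide, and the hostname, domain name, user account and hash values are placeholders.

```python
"""Audit a Cisco IOS running-config for basic hardening items.

Added example, not from the original slides. parse_config() splits an IOS
config into global commands and indented sections; audit() returns a list of
findings (empty when all checks pass). Sample configs are constructed.
"""
import re

# Constructed sample: Telnet still accepted, reversible enable password, no ACL.
WEAK_CONFIG = """\
hostname R-1
enable password cisco123
ip http server
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
"""

# Constructed sample: the same router after basic hardening (hash values are placeholders).
HARDENED_CONFIG = """\
hostname R-1
ip domain-name lab.example
service password-encryption
enable secret 5 $1$abcd$placeholderhash
username admin privilege 15 secret 5 $1$efgh$placeholderhash
no ip http server
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
ip access-list standard SSH-access
 permit host 147.232.22.1
 deny   any
line vty 0 4
 access-class SSH-access in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_config(text):
    """Return (global_lines, {section_header: [indented lines]}) for an IOS config."""
    global_lines, sections = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # indented: belongs to the last global command
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections


def audit(text):
    """Return human-readable findings for the hardening items; [] means all checks passed."""
    global_lines, sections = parse_config(text)
    findings = []

    def has_global(pattern):
        return any(re.match(pattern, line) for line in global_lines)

    if not has_global(r"enable secret "):
        findings.append("no 'enable secret' configured")
    if has_global(r"enable password "):
        findings.append("'enable password' present: reversible or cleartext privileged password")
    if not has_global(r"service password-encryption$"):
        findings.append("'service password-encryption' not set: line passwords stored in cleartext")
    if has_global(r"ip http server$"):
        findings.append("HTTP management server enabled ('ip http server')")
    if not has_global(r"ip ssh version 2$"):
        findings.append("SSH version 2 not enforced ('ip ssh version 2')")

    for name, lines in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = [l for l in lines if l.startswith("transport input")]
        if not transport or any("telnet" in t or t.endswith("all") for t in transport):
            findings.append(f"{name}: Telnet accepted (need 'transport input ssh')")
        if not any(l.startswith("access-class ") for l in lines):
            findings.append(f"{name}: no 'access-class' ACL restricting management sources")
        if not any(l.startswith("exec-timeout") for l in lines):
            findings.append(f"{name}: no 'exec-timeout' (idle sessions never expire)")
        if "login local" not in lines and not any(l.startswith("login authentication") for l in lines):
            findings.append(f"{name}: line password login instead of per-user accounts ('login local')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against the output of show running-config saved to a file; every finding names the IOS command that closes the gap. The check is deliberately text-based, so it works on archived configs without device access.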
Explain How to Use Cisco SDM
Provide an overview of Cisco SDM
Manage Cisco IOS Devices
Describe the file systems used by a Cisco router
Manage Cisco IOS Devices
Describe how to back up and upgrade a Cisco IOS image
Manage Cisco IOS Devices
Explain how to back up and upgrade Cisco IOS software images using a network server
Manage Cisco IOS Devices
Explain how to recover a Cisco IOS software image
Manage Cisco IOS Devices
Explain how to recover the enable password and the enable secret passwords
1) Power-cycle the router and send the break sequence (Ctrl+Break) during boot to enter ROMMON
2) rommon 1> confreg 0x2142 (sets bit 6, so the startup configuration in NVRAM is ignored on the next boot)
3) rommon 2> reset
4) Would you like to enter the initial configuration dialog? [yes/no]: no
5) Router# copy startup-config running-config, then set a new enable secret in configuration mode (the saved configuration is otherwise lost)
6) Router(config)# config-register 0x2102
7) Router# copy running-config startup-config
Anyone with console access can perform this procedure, which is why physical security of the router is listed among the basic measures.
Summary
Security threats to an Enterprise network include:
–Unstructured threats
–Structured threats
–External threats
–Internal threats
Methods to lessen security threats consist of:
–Device hardening
–Use of antivirus software
–Firewalls
–Download security updates
Summary
Basic router security involves the following:
–Physical security
–Update and backup IOS
–Backup configuration files
–Password configuration
–Logging router activity
Disable unused router interfaces & services to minimize their exploitation by intruders
Cisco SDM
–A web-based management tool for configuring security measures on Cisco routers
Summary
Cisco IOS Integrated File System (IFS)
–Allows for the creation, navigation and manipulation of directories on a Cisco device
Practise LAB: DHCP, NAT
Accessing the WAN – Chapter 4
Practise LAB
Tasks
• Basic configuration (example)
R-1(config)# interface FastEthernet 0/1
R-1(config-if)# ip address dhcp
R-1(config-if)# no shutdown

R-1(config)# interface FastEthernet 0/0
R-1(config-if)# no shutdown

R-1(config)# interface FastEthernet 0/0.101
R-1(config-subif)# encapsulation dot1q 101
R-1(config-subif)# ip address 192.168.101.1 255.255.255.0

R-1(config)# interface FastEthernet 0/0.200
R-1(config-subif)# encapsulation dot1q 200
R-1(config-subif)# ip address 10.10.10.1 255.255.255.0
Tasks
• DHCP and DHCP relay
R-1(config)# ip dhcp pool VLAN101
R-1(dhcp-config)# network 192.168.101.0 /24
R-1(dhcp-config)# default-router 192.168.101.1
R-1(dhcp-config)# dns-server 147.232.22.1

R-1(config)# ip dhcp pool VLAN102
R-1(dhcp-config)# network 192.168.102.0 /24
R-1(dhcp-config)# default-router 192.168.102.1
R-1(dhcp-config)# dns-server 147.232.22.1

R-1(config)# ip dhcp pool VLAN103
R-1(dhcp-config)# network 192.168.103.0 /24
R-1(dhcp-config)# default-router 192.168.103.1
R-1(dhcp-config)# dns-server 147.232.22.1
Practise LAB
Tasks
• DHCP and DHCP relay
The helper address is the DHCP server, R-1, reached at its Serial 0/0 address 192.168.1.1 (192.168.1.2 is R-2 itself). VLAN102 is a /24, so its OSPF network statement needs the 0.0.0.255 wildcard.

R-2(config)# interface FastEthernet 0/0.102
R-2(config-subif)# encapsulation dot1q 102
R-2(config-subif)# ip address 192.168.102.1 255.255.255.0
R-2(config-subif)# ip helper-address 192.168.1.1
R-2(config-subif)# ip nat inside

R-2(config)# router ospf 1
R-2(config-router)# network 192.168.1.0 0.0.0.3 area 0
R-2(config-router)# network 192.168.102.0 0.0.0.255 area 0

R-1(config)# router ospf 1
R-1(config-router)# default-information originate
R-1(config-router)# network 192.168.1.0 0.0.0.3 area 0
R-1(config-router)# network 192.168.2.0 0.0.0.3 area 0
R-1(config-router)# network 192.168.101.0 0.0.0.255 area 0
Practise LAB: Host C and Host H
Tasks
• Dynamic NAT and Static NAT
R-1(config)# ip route 10.10.12.0 255.255.255.0 192.168.1.2
R-1(config)# ip route 10.10.13.0 255.255.255.0 192.168.2.2

R-2(config)# ip access-list standard SNAT
R-2(config-std-nacl)# permit 10.10.10.0 0.0.0.255

The pool stops at .254 (.255 is the subnet broadcast address) and the netmask keyword is required:

R-2(config)# ip nat pool POOL_IP 10.10.12.2 10.10.12.254 netmask 255.255.255.0
R-2(config)# ip nat inside source list SNAT pool POOL_IP
R-2(config)# ip nat inside source static 10.10.10.100 10.10.12.1

R-2(config)# interface FastEthernet 0/0.200
R-2(config-subif)# ip nat inside

R-2(config)# interface Serial 0/0
R-2(config-if)# ip nat outside
Practise LAB: PAT (overloading)
Tasks
• Port Address Translation (overloading)
R-1(config)# interface FastEthernet 0/0.101
R-1(config-subif)# ip nat inside

R-1(config)# interface FastEthernet 0/0.200
R-1(config-subif)# ip nat inside

R-1(config)# interface Serial 0/0
R-1(config-if)# ip nat inside

R-1(config)# interface Serial 0/1
R-1(config-if)# ip nat inside

R-1(config)# interface FastEthernet 0/1
R-1(config-if)# ip nat outside
Tasks
• Port Address Translation (overloading)
R-1(config)# ip access-list standard natko
R-1(config-std-nacl)# permit 192.168.101.0 0.0.0.255
R-1(config-std-nacl)# permit 192.168.102.0 0.0.0.255
R-1(config-std-nacl)# permit 192.168.103.0 0.0.0.255
R-1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
R-1(config-std-nacl)# permit 10.10.12.0 0.0.0.255
R-1(config-std-nacl)# permit 10.10.13.0 0.0.0.255

R-1(config)# ip nat inside source list natko interface FastEthernet 0/1 overload
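To make the difference between the static, dynamic-pool and overload translations of the two NAT tasks above concrete, here is an added Python model of what the ip nat inside source commands do to outbound packets. It is not code from the slides or from Cisco: the packets are constructed, 203.0.113.10 is an assumed address for R-1's FastEthernet 0/1 (which the lab obtains via DHCP), and the port-collision handling (keep the original source port when free, otherwise hand out the next unused one) approximates IOS rather than reproducing it.

```python
"""Model of 'ip nat inside source' translations from the lab: static map, dynamic
pool and PAT (overload). Added example, not from the slides; inputs are constructed."""
import ipaddress
from dataclasses import dataclass, replace


def acl_match(entries, addr):
    """Standard ACL lookup over (action, network, wildcard) entries: first match wins,
    bits set in the wildcard are 'don't care', implicit deny at the end."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wild in entries:
        n = int(ipaddress.IPv4Address(net))
        w = int(ipaddress.IPv4Address(wild))
        if (a | w) == (n | w):
            return action == "permit"
    return False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class InsideSourceNat:
    """Translations applied to packets entering an 'ip nat inside' interface."""

    def __init__(self, acl, static=None, pool=None, overload_addr=None):
        self.acl = acl
        self.static = dict(static or {})      # inside local -> inside global (static)
        self.pool = list(pool or [])          # free dynamic-pool addresses
        self.overload_addr = overload_addr    # interface address used for PAT
        self.dynamic = {}                     # inside local -> pool address in use
        self.pat = {}                         # (proto, inside local, port) -> global port
        self.next_port = 1024                 # first port handed out on a collision

    def translate(self, pkt):
        """Packet as it leaves the 'ip nat outside' interface, or None if dropped."""
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        if not acl_match(self.acl, pkt.src):
            return pkt                        # not matched by the list: forwarded untranslated
        if self.overload_addr is None:        # dynamic NAT: one pool address per host
            if pkt.src not in self.dynamic:
                if not self.pool:
                    return None               # pool exhausted: packet is dropped
                self.dynamic[pkt.src] = self.pool.pop(0)
            return replace(pkt, src=self.dynamic[pkt.src])
        key = (pkt.proto, pkt.src, pkt.sport)  # PAT: many hosts share one address
        if key not in self.pat:
            in_use = {p for (proto, _, _), p in self.pat.items() if proto == pkt.proto}
            port = pkt.sport
            if port in in_use:                # another inside host already owns that port
                while self.next_port in in_use:
                    self.next_port += 1
                port, self.next_port = self.next_port, self.next_port + 1
            self.pat[key] = port
        return replace(pkt, src=self.overload_addr, sport=self.pat[key])


# R-2 from the 'Dynamic NAT and Static NAT' task (pool 10.10.12.2 to .254).
r2 = InsideSourceNat(acl=[("permit", "10.10.10.0", "0.0.0.255")],
                     static={"10.10.10.100": "10.10.12.1"},
                     pool=[f"10.10.12.{i}" for i in range(2, 255)])

# R-1 from the PAT task; the outside address is an assumption (lab gets it via DHCP).
R1_OUTSIDE = "203.0.113.10"
r1 = InsideSourceNat(acl=[("permit", n, "0.0.0.255") for n in
                          ("192.168.101.0", "192.168.102.0", "192.168.103.0",
                           "10.10.10.0", "10.10.12.0", "10.10.13.0")],
                     overload_addr=R1_OUTSIDE)


def demo():
    """Push constructed packets through both routers; returns the results by scenario."""
    out = {}
    out["static"] = r2.translate(Packet("tcp", "10.10.10.100", 40000, "198.51.100.1", 80))
    out["dyn1"] = r2.translate(Packet("tcp", "10.10.10.5", 40001, "198.51.100.1", 80))
    out["dyn1_again"] = r2.translate(Packet("udp", "10.10.10.5", 53000, "198.51.100.1", 53))
    out["dyn2"] = r2.translate(Packet("tcp", "10.10.10.6", 40002, "198.51.100.1", 80))
    out["no_acl"] = r2.translate(Packet("tcp", "192.168.102.10", 40003, "198.51.100.1", 80))
    out["pat_a"] = r1.translate(Packet("tcp", "192.168.101.10", 5000, "198.51.100.1", 443))
    out["pat_b"] = r1.translate(Packet("tcp", "192.168.103.20", 5000, "198.51.100.1", 443))
    out["pat_a_again"] = r1.translate(Packet("tcp", "192.168.101.10", 5000, "198.51.100.2", 443))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt.src}:{pkt.sport}" if pkt else f"{name:12} dropped")
```

The no_acl case is the one to notice: a host on VLAN102 behind R-2 is not in the SNAT list, so its packets leave R-2 with their private source address intact. Whether that is intended depends on the lab topology, and it is the kind of gap show ip nat translations will not reveal because no translation is ever created.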
Practise LAB: IPv6
Tasks
• IPv6 addressing
R-1(config)# ipv6 unicast-routing

R-1(config)# interface FastEthernet 0/0.333
R-1(config-subif)# encapsulation dot1q 333
R-1(config-subif)# ipv6 address 2001:ac1::1/64

R-1(config)# interface Serial 0/0
R-1(config-if)# ip address 192.168.1.1 255.255.255.252
R-1(config-if)# ipv6 address 3ffe:12::1/64
Tasks
• IPv6 routing
R-1(config)# interface FastEthernet 0/0.333
R-1(config-subif)# encapsulation dot1q 333
R-1(config-subif)# ipv6 address 2001:ac1::1/64
R-1(config-subif)# ipv6 rip ROUTING enable

R-1(config)# interface Serial 0/0
R-1(config-if)# ip address 192.168.1.1 255.255.255.252
R-1(config-if)# ipv6 address 3ffe:12::1/64
R-1(config-if)# ipv6 rip ROUTING enable

R-1(config)# ipv6 router rip ROUTING