Enterprise Network Security

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicITE I Chapter 6 1

Enterprise Network Security

Accessing the WAN – Chapter 4

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicITE 1 Chapter 6 2

Objectives Describe the general methods used to mitigate

security threats to Enterprise networks

Configure Basic Router Security

Explain how to disable unused Cisco router network services and interfaces

Explain how to use Cisco SDM

Manage Cisco IOS devices


Why is network security important

•We want to live secure•We want to have our data secured•We want to have our communication secured


Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Explain how sophisticated attack tools and open

networks have created an increased need for network security and dynamic security policies


Security policy

• Risk assessment • Security policy • Organization of information security • Asset management • Human resources security • Physical and environmental security • Communications and operations management


Security levels

NO ! NO !


Number of Attacks


Describe the General Methods used to Mitigate Security Threats to Enterprise Networks

Social engineering?


Access Attacks


Denial of Service attacks


Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Describe the common mitigation techniques that

enterprises use to protect themselves against threats


Security equipment


Describe the General Methods used to Mitigate Security Threats to Enterprise Networks Explain the concept of the Network Security Wheel


Configure Basic Router Security Explain why the security of routers and their

configuration settings is vital to network operation


Configure Basic Router Security Describe the basic security measures needed to secure

Cisco routers

Router(config)# ip access-list standard SSH-accessRouter(config-std-nacl)# permit host 147.232.22.1Router(config-std-nacl)# deny any

Router(config)# line vty 0 4Router(config-line)# ip access-class SSH-access in


SSH configuration


Explain How to Disable Unused Cisco Router Network Services and Interfaces Explain how to secure a router with the command-line

interface (CLI) auto secure command


Explain How to Use Cisco SDM

Provide an overview of Cisco SDM


Manage Cisco IOS Devices

Describe the file systems used by a Cisco router



Describe how to backup and upgrade a Cisco IOS image



Explain how to back up and upgrade Cisco IOS software images using a network server



Explain how to recover a Cisco IOS software image



Explain how to recover the enable password and the enable secret passwords

1) Ctrl+Break

2) Rommon 1> confreg 0x2142

3) Rommon 2> reset

4) Would you like to enter initial router configuration [Yes/no]

5) Router(config)# config-register 0x2102


Summary Security Threats to an Enterprise network include:

–Unstructured threats

–Structured threats

–External threats

–Internal threats

Methods to lessen security threats consist of:–Device hardening

–Use of antivirus software

–Firewalls

–Download security updates


Summary

Basic router security involves the following:–Physical security

–Update and backup IOS

–Backup configuration files

–Password configuration

–Logging router activity

Disable unused router interfaces & services to minimize their exploitation by intruders

Cisco SDM–A web based management tool for configuring security measures on Cisco routers


Summary

Cisco IOS Integrated File System (IFS)–Allows for the creation, navigation & manipulation of directories on a cisco device

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicITE I Chapter 6 28

Practise LABDHCP, NAT

Accessing the WAN – Chapter 4


Practise LAB


Tasks

• Basic configuration (example)

R-1(config)# interface FastEthernet 0/1R-1(config-if)# ip address dhcpR-1(config-if)# no shutdown

R-1(config)# interface FastEthernet 0/0R-1(config-if)# no shutdown

R-1(config)# interface FastEthernet 0/0.101R-1(config-subif)# encapsulation dot1q 101R-1(config-subif)# ip address 192.168.101.1 255.255.255.0

R-1(config)# interface FastEthernet 0/0.200R-1(config-subif)# encapsulation dot1q 200R-1(config-subif)# ip address 10.10.10.1 255.255.255.0


Tasks

• DHCP and DHCP relay

R-1(config)# ip dhcp pool VLAN101R-1(config-dhcp)# network 192.168.101.0 /24R-1(config-dhcp)# default-router 192.168.101.1R-1(config-dhcp)# dns-server 147.232.22.1




Practise LAB


Tasks

• DHCP and DHCP relay

R-2(config)# interface FastEthernet 0/0.102R-2(config-subif)# encapsulation 102R-2(config-subif)# ip address 192.168.102.1 255.255.255.0R-2(config-subif)# ip helper-address 192.168.1.2R-2(config-subif)# ip nat inside

R-2(config)# router ospf 1R-2(config-router)# network 192.168.1.0 0.0.0.3 area 0R-2(config-router)# network 192.168.102.0 0.0.0.3 area 0

R-1(config)# router ospf 1R-1(config-router)# default-information originateR-1(config-router)# network 192.168.1.0 0.0.0.3 area 0R-1(config-router)# network 192.168.2.0 0.0.0.3 area 0R-1(config-router)# network 192.168.101.0 0.0.0.255 area 0


Practise LABHostC and Host H


Tasks

• Dynamic NAT and Static NAT

R-1(config)# ip route 10.10.12.0 255.255.255.0 192.168.1.2R-1(config)# ip route 10.10.13.0 255.255.255.0 192.168.2.2

R-2(config)# ip access-list standard SNATR-2(config-std-nacl)# permit 10.10.10.0 0.0.0.255

R-2(config)# ip nat pool POOL_IP 10.10.12.2 10.10.12.255R-2(config)# ip nat inside source list SNAT pool POOL_IPR-2(config)# ip nat inside source static 10.10.10.100 10.10.12.1

R-2(config)# interface FastEthernet0/0.200R-2(config-subif)# ip nat inside

R-2(config)# interface Serial 0/0R-2(config-subif)# ip nat outside


Practise LABPAT(overloading)


Tasks

• Port Address Translation (overloading)

R-1(config)# interface FastEthernet 0/0.101R-1(config-subif)# ip nat inside

R-1(config)# interface FastEthernet 0/0.200R-1(config-subif)# ip nat inside

R-1(config)# interface Serial 0/0R-1(config-if)# ip nat inside

R-1(config)# interface Serial 0/1R-1(config-if)# ip nat inside

R-1(config)# interface FastEthernet 0/1R-1(config-if)# ip nat outside


Tasks

• Port Address Translation (overloading)

R-1(config)# ip access-list-standard natkoR-1(config-std-nacl)# permit 192.168.101.0 0.0.0.255R-1(config-std-nacl)# permit 192.168.102.0 0.0.0.255R-1(config-std-nacl)# permit 192.168.103.0 0.0.0.255R-1(config-std-nacl)# permit 10.10.10.0 0.0.0.255R-1(config-std-nacl)# permit 10.10.12.0 0.0.0.255R-1(config-std-nacl)# permit 10.10.13.0 0.0.0.255

R-1(config)# ip nat inside source list natko interface FastEthernet 0/1 overload


Practise LABIPv6


Tasks

• IPv6 addressing

R-1(config)# ipv6 unicast-routing

R-1(config)# interface FastEthernet 0/0.333R-1(config-subif)# encapsulation dot1q 333R-1(config-subif)# ipv6 address 2001:ac1::1/64

R-1(config)# interface Serial 0/0R-1(config-if)# ip address 192.168.1.1 255.255.255.252R-1(config-if)# ipv6 address 3ffe:12::1/64


Tasks

• IPv6 routing

R-1(config)# interface FastEthernet 0/0.333R-1(config-subif)# encapsulation dot1q 333R-1(config-subif)# ipv6 address 2001:ac1::1/64R-1(config-if)# ipv6 rip ROUTING enable

R-1(config)# interface Serial 0/0R-1(config-if)# ip address 192.168.1.1 255.255.255.252R-1(config-if)# ipv6 address 3ffe:12::1/64R-1(config-if)# ipv6 rip ROUTING enable

R-1(config)# ipv6 router rip ROUTING

Enterprise Network Security

Documents

Transcript of Enterprise Network Security