Module 07 Security Basics LATI

Transcript of Module 07 Security Basics LATI (47 slides)

  • 8/8/2019 Module 07 Security Basics LATI

    Slide 1: Module 07: Security Basics

    www.cisco.com  Universidad Autónoma de Yucatán

  • Slide 2: Agenda

    11-2 Henry M. Ventura Sabido www.cisco.com

    Why Security?
    Security Technology
    Identity
    Integrity
    Active Audit

  • Slide 3: All Networks Need Security

    No matter the company size, security is important
    The Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
    Even small company sites are cracked

  • Slide 4: Why Security?

    Three primary reasons:
    Policy vulnerabilities
    Configuration vulnerabilities
    Technology vulnerabilities
    And people eager to take advantage of the vulnerabilities

  • Slide 5: Security Threats

    Loss of Privacy: a telnet login to company.org (username: dan, password: ...) crosses the network in clear text and is read off the wire as d-a-n, m-y-p-a-s-s-w-o-r-d
    Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
    Denial of Service (figure: CPU)
    Loss of Integrity: the customer's "Deposit $1000" reaches the bank as "Deposit $100"

  • Slide 6: Security Objective: Balance Business Needs with Risks

    Access Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity
    Policy Management
    Business needs: Connectivity, Performance, Ease of Use, Manageability, Availability

  • Slide 7: Network Security Components: Physical Security Analogy

    Doors, locks, and guards -> Firewalls and access controls
    Keys and badges -> Authentication
    Surveillance cameras and motion sensors -> Intrusion detection system
    Complementary mechanisms that together provide in-depth defense

  • Slide 8: Security Technology

    www.cisco.com  Universidad Autónoma de Yucatán
    3-8 CSE-SecurityBasics 1999, Cisco Systems, Inc. www.cisco.com


  • Slide 10: Identity

    Uniquely and accurately identify users, applications, services, and resources
    Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation

  • Slide 11: Username/Password

    Figure: Dial-in user -> Public network -> Network Access Server -> Campus (PPP); AAA server on the campus; ID/password flows from the user to the NAS and on to the AAA server

    User dials in with password to NAS
    NAS sends ID/password to AAA server
    AAA server authenticates user ID/password and tells NAS to accept (or reject)
    NAS accepts (or rejects) call

  • Slide 12: PAP and CHAP Authentication

    Figure: Dial-in user -> Public network -> Network Access Server; PPP with PAP or CHAP

    Password Authentication Protocol (PAP): authenticates caller only; passes password in clear text
    Challenge Handshake Authentication Protocol (CHAP): authenticates both sides; password is encrypted
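The CHAP exchange of slide 12, written out as an added Python example (it is not part of the slide deck). It follows the RFC 1994 response computation, MD5 over identifier, shared secret and challenge, and puts a PAP request beside it for contrast. The secret value, the identifier values and the function names are constructed for this block. It makes concrete what the slide compresses into "password is encrypted": the secret never crosses the link, only a digest bound to a fresh challenge does, so a response captured from one login is useless against the next one.

```python
import hashlib
import hmac
import os

# Constructed shared secret: configured on both the dial-in peer and the NAS/AAA
# server out of band. CHAP never transmits it.
SHARED_SECRET = b"correct horse battery staple"


def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request as it crosses the link: the password is sent as typed."""
    return username.encode() + b"\x00" + password.encode()


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh random challenge for every authentication attempt."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994): MD5 over Identifier || secret || Challenge.

    Only this 16-byte digest goes on the wire; the secret stays on the peer.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected digest from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(identifier: int, peer_secret: bytes, authenticator_secret: bytes) -> dict:
    """One complete Challenge -> Response -> Success/Failure round trip.

    Returns what an eavesdropper on the link would see plus the outcome.
    """
    challenge = chap_challenge()                                  # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # peer -> authenticator
    accepted = chap_verify(identifier, authenticator_secret, challenge, response)
    return {"challenge": challenge, "response": response, "accepted": accepted}


def captured_response_replays(secret: bytes) -> bool:
    """Does a Response captured from one exchange authenticate in a later one?

    The authenticator issues a new challenge each time, so it must not.
    """
    first = chap_exchange(1, secret, secret)
    new_challenge = chap_challenge()
    return chap_verify(2, secret, new_challenge, first["response"])


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("dan", "mypassword"))
    ok = chap_exchange(1, SHARED_SECRET, SHARED_SECRET)
    print("CHAP on the wire:", ok["challenge"].hex(), ok["response"].hex(),
          "accepted:", ok["accepted"])
    print("captured response replays:", captured_response_replays(SHARED_SECRET))
```

The slide's "authenticates both sides" is the same exchange run in the other direction as well: each peer challenges the other. MD5 is what CHAP specifies, and `hmac.compare_digest` is used for the comparison so that a wrong response is rejected in constant time.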

  • Slide 13: One-Time Password

    Figure: Dial-in user with a token card or soft token -> Public network -> Network Access Server -> Campus; token or S/Key server and AAA server on the campus; ID/one-time password flows from the user to the NAS and on to the server

    Additional level of security, guards against password guessing and cracking
    Prevents spoofing, replay attacks
    Single-use password is generated by token card or in software
    Synchronized central server authenticates user
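The single-use, replay-resistant property slide 13 describes can be shown with a Lamport/S/Key-style hash chain. This is an added example, not the deck's code: SHA-256 stands in for S/Key's MD4/MD5 folding, and `SEED`, `CHAIN_LENGTH`, `TokenCard` and `OtpServer` are names constructed here. The server is enrolled with only the end of the chain, so it can check a password without being able to produce the next one, and each accepted value replaces the stored reference, which is why a replayed value fails.

```python
import hashlib
import hmac

# Constructed values: in a real deployment the seed is held by the user's token card
# or software client, and the server is initialised with the chain's final value only.
SEED = b"constructed-seed-value"
CHAIN_LENGTH = 5


def _h(value: bytes) -> bytes:
    """One step of the chain (S/Key proper uses folded MD4/MD5; SHA-256 is used here)."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """h^n(seed): the seed hashed n times."""
    value = seed
    for _ in range(n):
        value = _h(value)
    return value


class TokenCard:
    """Client side: yields h^(n-1)(seed), h^(n-2)(seed), ..., h^0(seed) = seed, in that order."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.remaining = n

    def next_password(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted; re-enrol with a new seed")
        self.remaining -= 1
        return hash_chain(self.seed, self.remaining)


class OtpServer:
    """Server side: stores only the last accepted value, never the seed."""

    def __init__(self, final_value: bytes, n: int):
        self.last = final_value  # h^n(seed), handed over at enrolment
        self.count = n

    @classmethod
    def enrol(cls, seed: bytes, n: int) -> "OtpServer":
        # Enrolment computes h^n(seed) once; the seed itself is not retained.
        return cls(hash_chain(seed, n), n)

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate only if hashing it once yields the stored reference."""
        if self.count == 0:
            return False
        if not hmac.compare_digest(_h(candidate), self.last):
            return False
        self.last = candidate  # the accepted password becomes the new reference...
        self.count -= 1        # ...so the same value can never be accepted again
        return True


def demo() -> dict:
    """First login, replay of the same password, next login, and a random guess."""
    card = TokenCard(SEED, CHAIN_LENGTH)
    server = OtpServer.enrol(SEED, CHAIN_LENGTH)
    p1 = card.next_password()
    first_login = server.verify(p1)
    replay = server.verify(p1)
    second_login = server.verify(card.next_password())
    guess = server.verify(b"\x00" * 32)
    return {"first_login": first_login, "replay": replay,
            "second_login": second_login, "guess": guess}
```

This is the sequence-based variant; a time-synchronized token card (the slide's "synchronized central server") derives the value from a clock instead of a counter, but the server applies the same rule: each value is accepted at most once.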

  • Slide 14: Authentication, Authorization, and Accounting (AAA)

    Tool for enforcing security policy
    Authentication: verifies identity. Who are you?
    Authorization: configures integrity. What are you permitted to do?
    Accounting: assists with audit. What did you do?

  • Slide 15: RADIUS

    Figure: Remote access user -> Access server -> RADIUS server

    RADIUS is an industry standard: RFC 2138, RFC 2139
    Cisco has full IETF RFC implementation
    Cisco has implemented many nonstandard vendor-proprietary attributes
    Cisco hardware will work well with non-Cisco RADIUS AAA servers
    Cisco is committed to providing the best RADIUS solution

  • Slide 16: TACACS+ Authentication

    Figure: TACACS database holding username/password and additional information; local or centralized

    Cisco customers benefit from additional functionality with the CiscoSecure server for both TACACS+ and RADIUS
    Cisco enterprise customers continue to ask for TACACS+ features

  • Slide 17: Lock-and-Key Security

    Dynamically assigns access control lists on a per-user basis
    Allows a remote host to access a local host via the Internet
    Allows local hosts to access a host on a remote network
    Figure: an authorized user and a non-authorized user reaching the corporate site over the Internet

  • Slide 18: Digital Signatures

    Signing: Bob's document -> hash -> message hash -> encrypt with Bob's private key -> digital signature
    Verifying: Bob's document -> hash -> message hash; digital signature -> decrypt with Bob's public key -> message hash; same?
    If verification is successful, document has not been altered

  • Slide 19: Certificate Authority

    Certificate Authority (CA) verifies identity
    CA signs digital certificate containing the device's public key
    Certificate equivalent to an ID card
    Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
    Figure: CAs and a bank reached over the Internet

  • Slide 20: Network Address Translation

    Provides dynamic or static translation of private addresses to registered IP addresses
    Eliminates readdressing overhead: large admin. cost benefit
    Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
    Permits use of a single IP address range in multiple intranets
    Hides internal addresses
    Augmented by EasyIP DHCP host function

    Figure: host 10.0.0.1 sends a packet with SA 10.0.0.1; after translation it leaves for the Internet with SA 171.69.58.8

    Inside Local IP Address | Inside Global IP Address
    10.0.0.1                | 171.69.58.80
    10.0.0.2                | 171.69.58.81
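Slide 20's "port-level multiplexing" as an added Python simulation; it is neither the deck's nor Cisco's code. It uses the slide's inside-local hosts 10.0.0.1 and 10.0.0.2 and inside-global address 171.69.58.80, but unlike the slide's one-to-one table it puts both hosts behind that single address, which is the sharing the slide's text describes. The external addresses 192.0.2.10 and 198.51.100.7, the port numbers and the `PatRouter` class are constructed. It also shows the mechanism behind "hides internal addresses": a packet arriving from outside with no translation entry has nowhere to go and is dropped.

```python
import dataclasses
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Port-level multiplexing: many inside-local hosts share one inside-global address."""

    def __init__(self, inside_global_ip: str, first_port: int = 1024):
        self.inside_global_ip = inside_global_ip
        self._next_port = itertools.count(first_port)
        self._out = {}  # (inside local ip, local port) -> inside global port
        self._in = {}   # inside global port -> (inside local ip, local port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the shared address and a unique port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:           # first packet of a flow creates the entry
            gport = next(self._next_port)
            self._out[key] = gport
            self._in[gport] = key
        return dataclasses.replace(pkt, src_ip=self.inside_global_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: map the destination port back; drop anything without an entry."""
        if pkt.dst_ip != self.inside_global_ip:
            return None
        entry = self._in.get(pkt.dst_port)
        if entry is None:                  # unsolicited: no inside host is reachable
            return None
        local_ip, local_port = entry
        return dataclasses.replace(pkt, dst_ip=local_ip, dst_port=local_port)

    def translation_table(self):
        """Rows of (inside local, inside global), like the slide's table but with ports."""
        return [(f"{ip}:{port}", f"{self.inside_global_ip}:{gport}")
                for (ip, port), gport in self._out.items()]


def demo():
    """Two inside hosts reach the same web server; only one reply path exists per flow."""
    router = PatRouter("171.69.58.80")          # inside global address from the slide
    web = ("192.0.2.10", 80)                    # constructed external server
    a_out = router.outbound(Packet("10.0.0.1", 40000, *web))
    b_out = router.outbound(Packet("10.0.0.2", 40000, *web))  # same local port, still distinct
    reply_to_b = router.inbound(Packet(web[0], web[1], "171.69.58.80", b_out.src_port))
    unsolicited = router.inbound(Packet("198.51.100.7", 5555, "171.69.58.80", 2000))
    return a_out, b_out, reply_to_b, unsolicited


if __name__ == "__main__":
    for row in demo():
        print(row)
```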

  • Slide 21: Security Technology: Integrity

  • Slide 22: Integrity: Network Availability

    Ensure the network infrastructure remains available
    TCP Intercept, route authentication

  • Slide 23: Integrity: Perimeter Security

    Control access to critical network applications, data, and services
    Access control lists, firewall technologies, content filtering, CBAC, authentication

  • Slide 24: Importance of Firewalls

    Permit secure access to resources
    Protect networks from: unauthorized intrusion from both external and internal sources; denial of service (DoS) attacks

  • Slide 25: What Is a Firewall?

    All traffic from inside to outside and vice versa must pass through the firewall
    Only authorized traffic, as defined by the local security policy, is allowed in or out
    The firewall itself is immune to penetration

  • Slide 26: Packet-Filtering Routers

    Figure: a router with filters separates the ISP and Internet (public access) from the protected network; users, an e-mail server, a micro web server, and a web server sit behind it


  • Slide 28: Performance Requirements

    Figure: company network connected to the Internet; bandwidth scale of .5, 1, 5, 10, 20, and 40 Meg per sec against the applications video, audio, private link, and web commerce

  • Slide 29: Integrity: Privacy

    Provide authenticated private communication on demand
    VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP

  • Slide 30: Encryption and Decryption

    Figure: clear text "Bob Is a Fink" -> encryption -> cipher text (8vyaleh31& d ktu.dtrw8 743 $Fie*nP093h, marked "?") -> decryption -> clear text "Bob Is a Fink"

  • Slide 31: What Are VPNs?

    Figure: VPN across a service provider shared network (Internet, IP, FR, ATM)

    Virtual Private Networks (VPNs) extend the classic WAN
    VPNs leverage the classic WAN infrastructure, including Cisco's family of VPN-enabled routers and policy management tools
    VPNs provide connectivity on a shared infrastructure with the same policies and performance as a private network with lower total cost of ownership

  • Slide 32: Virtual Private Networks

    Extends private network through public Internet
    Lower cost than private WAN
    Relies on tunneling and encryption
    Figure: Hong Kong and Paris connected across the Internet; the private, encrypted IP packet is carried inside a public IP header

  • Slide 33: Why Build a VPN?

    Company information secured
    Lower costs: connectivity costs, capital costs, management and support costs
    Wider connectivity options
    Speed of deployment

  • Slide 34: Who Buys VPNs?

    Organizations wishing to:
    Implement more cost-effective WAN solutions
    Connect multiple remote sites
    Deploy intranets
    Connect to suppliers, business partners, and customers
    Get back to their core business, and leave the WAN to the experts
    Lower operational and capital equipment costs

    Businesses with:
    Multiple branch office locations
    Telecommuters
    Remote workers
    Contractors and consultants

  • Slide 35: Networked Applications

    Traditional applications: e-mail, database, file transfer
    New applications: videoconferencing, distance learning, advanced publishing, voice

  • Slide 36: Example of a VPN

    Private networking service over a public network infrastructure
    Figure: Munich main office, New York office, Milan office, and Paris office connected over the Internet; a mobile worker dials to Munich over the Internet

  • Slide 37: What Is IPSec?

    Network-layer encryption and authentication
    Open standards for ensuring secure private communications over any IP network, including the Internet
    Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
    Data protected with network encryption, digital certification, and device authentication
    Implemented transparently in network infrastructure: includes routers, firewalls, PCs, and servers
    Scales from small to very large networks

  • Slide 38: IPSec Everywhere!

    Router to router
    Router to firewall
    PC to router
    PC to server
    PC to firewall


  • Slide 40: How IPSec Uses IKE

    Figure: Alice behind router A, Bob behind router B, IKE tunnel between router A and router B

    1. Outbound packet from Alice to Bob; no IPSec security association yet
    2. Router A's IKE begins negotiation with router B's IKE
    3. Negotiation complete; router A and router B now have complete IPSec SAs in place
    4. Packet is sent from Alice to Bob protected by IPSec SA

  • Slide 41: Security Technology: Active Audit

  • Slide 42: Why Active Audit?

    The hacker might be an employee or trusted partner: up to 80% of security breaches come from the inside (Source: FBI)
    Your defense might be ineffective: one out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
    Your employees might make mistakes: misconfigured firewalls, servers, etc.
    Your network will grow and change: each change introduces new security risks
    Firewalls, authorization, and encryption do not provide VISIBILITY into these problems

  • Slide 43: Why Active Audit?

    Network security requires a layered defense: point security PLUS active systems to measure vulnerabilities and monitor for misuse
    Network perimeter and the intranet
    Security is an ongoing, operational process: must be constantly measured, monitored, and improved

  • Slide 44: Active Audit: Network Vulnerability Assessment

    Assess and report on the security status of network components
    Scanning (active, passive), vulnerability database

  • Slide 45: Active Audit: Intrusion Detection System

    Identify and react to known or suspected network intrusion or anomalies
    Passive promiscuous monitoring
    Database of threats or suspect behavior
    Communication infrastructure or access control changes

  • Slide 46: Active Audit

    Actively audit and verify policy
    Detect intrusion and anomalies
    Report
    Figure: a "Universal Passport" (USA) document illustrating the audit report

  • Slide 47: Summary

    Security is a mission-critical business requirement for all networks
    Security requires a global, corporate-wide policy
    Security requires a multilayered implementation