Módulo 07 Security Basics LATI
-
8/8/2019 Módulo 07 Security Basics LATI
www.cisco.com Universidad Autónoma de Yucatán
Module 07: Security Basics
-
11-2 Henry M. Ventura Sabido www.cisco.com
Agenda
Why Security?
Security Technology
Identity
Integrity
Active Audit
-
All Networks Need Security
No matter the company size, security is important
Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
Even small company sites are cracked
-
Why Security?
Three primary reasons:
Policy vulnerabilities
Configuration vulnerabilities
Technology vulnerabilities
And people eager to take advantage of the vulnerabilities
-
Security Threats
(figure with four panels)
Loss of Integrity: the customer sends "Deposit $1000" to the bank, the bank receives "Deposit $100"
Loss of Privacy: a telnet session to company.org (username: dan, password: ...) is captured on the wire, letters "d-a-n" and "m-y-p-a-s-s-w-o-r-d" read off one by one
Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
Denial of Service: the victim's CPU is tied up
-
Security Objective: Balance Business Needs with Risks
Access Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity, Policy Management
Business Needs: Connectivity, Performance, Ease of Use, Manageability, Availability
-
Network Security Components: Physical Security Analogy
Doors, locks, and guards: Firewalls and access controls
Keys and badges: Authentication
Surveillance cameras and motion sensors: Intrusion detection system
Complementary mechanisms that together provide in-depth defense
-
Security Technology
3-8 CSE-SecurityBasics 1999, Cisco Systems, Inc. www.cisco.com
-
Identity
Uniquely and accurately identify users, applications, services, and resources
Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
-
(figure: dial-in user connects over PPP through the public network to a network access server, which consults the campus AAA server; username/password travels from user to NAS, ID/password from NAS to AAA server)
User dials in with password to NAS
NAS sends ID/password to AAA server
AAA server authenticates user ID/password and tells NAS to accept (or reject)
NAS accepts (or rejects) call
-
PAP and CHAP Authentication
(figure: PPP link running PAP or CHAP between the public network and the network access server)
Password Authentication Protocol (PAP)
Authenticates caller only
Passes password in clear text
Challenge Handshake Authentication Protocol (CHAP)
Authenticates both sides
Password is encrypted
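The two exchanges above side by side, as an added example that is not part of the original slides. PAP ships the password itself in the Authenticate-Request; CHAP, as specified in RFC 1994, never sends the password: the NAS sends a random challenge and the peer answers with MD5(identifier || secret || challenge), which is what the slide's "password is encrypted" bullet amounts to in practice. The usernames, secret and user database are constructed values; the transcript check shows which protocol exposes the secret to anyone watching the link, and the replay check shows why a fresh challenge per login matters.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed values for this example: the credential shared by the dial-in
# peer and the network access server (NAS), and the NAS user database.
USERNAME = "dan"
SHARED_SECRET = b"example-chap-secret"
NAS_USER_DB = {USERNAME: SHARED_SECRET}


def pap_exchange(username: str, password: bytes) -> Tuple[bool, List[bytes]]:
    """PAP: the peer sends username and password in an Authenticate-Request and
    the NAS compares them. The transcript is every byte that crossed the link."""
    wire = [username.encode() + b":" + password]          # clear-text request
    accepted = hmac.compare_digest(NAS_USER_DB.get(username, b""), password)
    return accepted, wire


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value as defined in RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(username: str, peer_secret: bytes, identifier: Optional[int] = None,
                  challenge: Optional[bytes] = None) -> Tuple[bool, List[bytes], Tuple[int, bytes]]:
    """CHAP three-way handshake. Returns (accepted, wire transcript, (identifier, challenge))."""
    identifier = os.urandom(1)[0] if identifier is None else identifier
    challenge = os.urandom(16) if challenge is None else challenge
    wire = [bytes([identifier]) + challenge]               # Challenge: NAS -> peer
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(bytes([identifier]) + response + username.encode())   # Response: peer -> NAS
    expected = chap_response(identifier, NAS_USER_DB.get(username, b""), challenge)
    accepted = hmac.compare_digest(expected, response)    # NAS recomputes and compares
    wire.append(b"Success" if accepted else b"Failure")   # Success/Failure: NAS -> peer
    return accepted, wire, (identifier, challenge)


def secret_on_wire(transcript: List[bytes], secret: bytes) -> bool:
    """True if the raw secret appears in any frame of the transcript."""
    return any(secret in frame for frame in transcript)


def replay_rejected(username: str, peer_secret: bytes) -> bool:
    """A response captured from one exchange does not satisfy a fresh challenge,
    because the NAS picks a new random challenge value every time."""
    _, wire, (identifier, _) = chap_exchange(username, peer_secret)
    captured_response = wire[1][1:17]
    fresh_challenge = os.urandom(16)
    expected = chap_response(identifier, NAS_USER_DB[username], fresh_challenge)
    return not hmac.compare_digest(expected, captured_response)


if __name__ == "__main__":
    ok, wire = pap_exchange(USERNAME, SHARED_SECRET)
    print("PAP accepted:", ok, "secret visible on wire:", secret_on_wire(wire, SHARED_SECRET))
    ok, wire, _ = chap_exchange(USERNAME, SHARED_SECRET)
    print("CHAP accepted:", ok, "secret visible on wire:", secret_on_wire(wire, SHARED_SECRET))
```

CHAP still requires the NAS to hold the secret in a recoverable form, which is why the AAA server behind it needs the same protection as a password database; the slide's "authenticates both sides" refers to running the same exchange in the opposite direction as well.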
-
One-Time Password
(figure: dial-in user with a token card or soft token connects through the public network to a network access server; the campus AAA server and a token or S/Key server verify the ID/one-time password)
Additional level of security, guards against password guessing and cracking
Prevents spoofing, replay attacks
Single-use password is generated by token card or in software
Synchronized central server authenticates user
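An added example, not from the original slides, of the S/Key style of one-time password named in the figure: the token holds a seed, the server holds only h^n(seed), and each login presents the next value down the hash chain. The server accepts a value only if hashing it once gives the value it stored last, then stores the new value, so a captured password is worthless a moment later. The hash function, seed, user name and chain length are constructed for this example (SHA-256 instead of the 64-bit MD4/MD5 values of the original S/Key).

```python
import hashlib
import hmac
from typing import Dict, Tuple


def h(value: bytes) -> bytes:
    """One-way function of the chain. SHA-256 here; S/Key used MD4/MD5 folded to 64 bits."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """h applied n times: h^n(seed)."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


def client_otp(seed: bytes, sequence: int) -> bytes:
    """What the token card or soft token computes for a given sequence number."""
    return hash_chain(seed, sequence)


class OtpServer:
    """Central server. Per user it stores only the last accepted value and its
    sequence number; the seed never leaves the token."""

    def __init__(self) -> None:
        self.state: Dict[str, Tuple[int, bytes]] = {}

    def enroll(self, user: str, seed: bytes, n: int) -> None:
        # Initialised once with h^n(seed); the seed itself is not stored.
        self.state[user] = (n, hash_chain(seed, n))

    def next_sequence(self, user: str) -> int:
        """Sequence number the client must use for its next login."""
        return self.state[user][0] - 1

    def verify(self, user: str, otp: bytes) -> bool:
        if user not in self.state:
            return False
        count, last_accepted = self.state[user]
        if count <= 0:
            return False                      # chain exhausted: re-enrol with a new seed
        if not hmac.compare_digest(h(otp), last_accepted):
            return False                      # wrong value, or a replay of the previous one
        self.state[user] = (count - 1, otp)   # advance: this value is now the reference
        return True


if __name__ == "__main__":
    server = OtpServer()
    seed = b"constructed-token-seed"          # lives only on the token
    server.enroll("dan", seed, 100)
    otp = client_otp(seed, server.next_sequence("dan"))
    print("first login:", server.verify("dan", otp))
    print("replayed:   ", server.verify("dan", otp))
```

Because the server walks the chain downward, the values it stores cannot be turned into future passwords by anyone who reads its database; the weak point is the enrolment, where the seed and n must reach the token out of band.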
-
Authentication, Authorization, and Accounting (AAA)
(figure: token card displays)
Tool for enforcing security policy
Authentication: verifies identity. Who are you?
Authorization: configures integrity. What are you permitted to do?
Accounting: assists with audit. What did you do?
-
RADIUS
(figure: remote access user, access server, RADIUS server)
RADIUS is an industry standard: RFC 2138, RFC 2139
Cisco has full IETF RFC implementation
Cisco has implemented many nonstandard vendor-proprietary attributes
Cisco hardware will work well with non-Cisco RADIUS AAA servers
Cisco is committed to providing the best RADIUS solution
-
TACACS+ Authentication
(figure: TACACS database holding username/password and additional information)
Local or centralized
Cisco customers benefit from additional functionality with CiscoSecure server of both TACACS+ and RADIUS
Cisco enterprise customers continue to ask for TACACS+ features
-
Lock-and-Key Security
Dynamically assigns access control lists on a per-user basis
Allows a remote host to access a local host via the Internet
Allows local hosts to access a host on a remote network
(figure: an authorized user and a non-authorized user reaching the corporate site across the Internet)
-
Digital Signatures
Signing: Bob's document is hashed to a message hash; the hash is encrypted with Bob's private key to form the digital signature; message and signature are sent together
Verifying: the received message is hashed again; the digital signature is decrypted with Bob's public key; the two message hashes are compared. Same?
If verification is successful, document has not been altered
-
Certificate Authority
Certificate Authority (CA) verifies identity
CA signs digital certificate containing device's public key
Certificate equivalent to an ID card
Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
(figure: a client asks "?" about a bank across the Internet; CAs on both sides vouch for the identities)
-
Network Address Translation
Provides dynamic or static translation of private addresses to registered IP addresses
Eliminates readdressing overhead: large admin. cost benefit
Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
Permits use of a single IP address range in multiple intranets
Hides internal addresses
Augmented by EasyIP DHCP host function
(figure: host 10.0.0.1 sends a packet with SA 10.0.0.1; after translation it leaves for the Internet with SA 171.69.58.8)
Translation table:
Inside Local IP Address | Inside Global IP Address
10.0.0.1 | 171.69.58.80
10.0.0.2 | 171.69.58.81
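A small translator, added here and not part of the slides, that implements both forms the slide names: static one-to-one translation for the table's two hosts, and port-level multiplexing (overloading) of every other inside host onto one registered address. The overload address 171.69.58.82 and the outside host 198.51.100.7 are constructed for the example. The inbound path shows the "hides internal addresses" property in action: a packet arriving for a global address and port with no translation state has nowhere to go and is dropped.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Static NAT for listed hosts, port-level multiplexing for the rest."""

    def __init__(self, static: Dict[str, str], overload_ip: str, first_port: int = 1024) -> None:
        self.static = dict(static)                         # inside local -> inside global
        self.static_rev = {g: l for l, g in static.items()}
        self.overload_ip = overload_ip                     # single registered address shared by all others
        self.ports = count(first_port)                     # next free global port
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (local ip, port) -> (global ip, port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (global ip, port) -> (local ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the inside network."""
        key = (pkt.src_ip, pkt.src_port)
        if pkt.src_ip in self.static:
            mapped = (self.static[pkt.src_ip], pkt.src_port)   # static: address changes, port kept
        elif key in self.dynamic:
            mapped = self.dynamic[key]                         # existing flow
        else:
            mapped = (self.overload_ip, next(self.ports))      # new flow: allocate a port
            self.dynamic[key] = mapped
        self.reverse[mapped] = key
        return replace(pkt, src_ip=mapped[0], src_port=mapped[1])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the Internet,
        or return None (drop) when no translation exists for it."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self.reverse:
            local = self.reverse[key]
        elif pkt.dst_ip in self.static_rev:
            local = (self.static_rev[pkt.dst_ip], pkt.dst_port)
        else:
            return None
        return replace(pkt, dst_ip=local[0], dst_port=local[1])


if __name__ == "__main__":
    nat = Nat({"10.0.0.1": "171.69.58.80", "10.0.0.2": "171.69.58.81"}, "171.69.58.82")
    print(nat.outbound(Packet("10.0.0.1", 4000, "198.51.100.7", 80)))
    print(nat.outbound(Packet("10.0.0.5", 5000, "198.51.100.7", 80)))
    print(nat.outbound(Packet("10.0.0.6", 5000, "198.51.100.7", 80)))
    print(nat.inbound(Packet("198.51.100.7", 80, "171.69.58.82", 9999)))
```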
-
Security Technology
Integrity
-
Integrity: Network Availability
Ensure the network infrastructure remains available
TCP Intercept, route authentication
-
Integrity: Perimeter Security
Control access to critical network applications, data, and services
Access control lists, firewall technologies, content filtering, CBAC, authentication
-
Importance of Firewalls
Permit secure access to resources
Protect networks from:
Unauthorized intrusion from both external and internal sources
Denial of service (DoS) attacks
-
What Is a Firewall?
All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration
-
Packet-Filtering Routers
(figure: a router with filters sits between the ISP and Internet and the protected network of users and an e-mail server; a micro webserver and a web server are placed for public access)
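An added example, not from the slides, of the filtering a packet-filtering router applies to the topology in the figure: an ordered access list evaluated first match wins, with the implicit deny that closes every such list. The policy is constructed for the example (protected network 192.0.2.0/24, web server 192.0.2.10, mail server 192.0.2.25, outside host 203.0.113.5, all from the RFC 5737 documentation ranges) and encodes the two properties from the previous slide: only policy-authorized traffic passes, and everything else is dropped. The first rule rejects packets that arrive from the Internet claiming an inside source address, and the "established" rule admits TCP replies to connections the inside opened.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK bit set: segment belongs to an existing connection


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                       # CIDR or single address
    dst: str
    dport: Optional[int] = None    # None: any destination port
    established: bool = False      # only TCP segments with ACK set (reply traffic)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed policy for traffic arriving from the Internet side of the router.
PROTECTED = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10"
MAIL_SERVER = "192.0.2.25"
ANY = "0.0.0.0/0"
INBOUND_ACL = [
    Rule("deny", "ip", PROTECTED, ANY),                 # anti-spoofing: inside addresses never arrive from outside
    Rule("permit", "tcp", ANY, WEB_SERVER, 80),         # public web access
    Rule("permit", "tcp", ANY, MAIL_SERVER, 25),        # inbound mail
    Rule("permit", "tcp", ANY, PROTECTED, established=True),  # replies to inside-initiated TCP
    Rule("deny", "ip", ANY, ANY),                       # explicit deny; in practice logged
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", WEB_SERVER, 80),
        Packet("tcp", "203.0.113.5", WEB_SERVER, 23),
        Packet("tcp", "203.0.113.5", "192.0.2.77", 4321, ack=True),
        Packet("tcp", "203.0.113.5", "192.0.2.77", 22),
        Packet("tcp", "192.0.2.5", WEB_SERVER, 80),
    ]
    for pkt in samples:
        print(evaluate(INBOUND_ACL, pkt), pkt)
```

The "established" rule is the classic weakness of a pure packet filter: it trusts a header bit rather than connection state, which is what the stateful inspection named on the Perimeter Security slide (CBAC) replaces it with.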
-
Performance Requirements
(figure: company network connected to the Internet; bandwidth scale in megabits per second with ticks at .5, 1, 5, 10, 20 and 40, and the application classes video, audio, private link and web commerce placed along it)
-
Integrity: Privacy
Provide authenticated private communication on demand
VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
-
Encryption and Decryption
(figure: clear text "Bob Is a Fink" passes through encryption to the cipher text "8vyaleh31&d ktu.dtrw8743 $Fie*nP093h", which an onlooker cannot read ("?"), and back through decryption to the clear text "Bob Is a Fink")
-
What Are VPNs?
(figure: a VPN across a service provider shared network: Internet, IP, FR, ATM)
Virtual Private Networks (VPNs) extend the classic WAN
VPNs leverage the classic WAN infrastructure, including Cisco's family of VPN-enabled routers and policy management tools
VPNs provide connectivity on a shared infrastructure with the same policies and performance as a private network with lower total cost of ownership
-
Virtual Private Networks
Extends private network through public Internet
Lower cost than private WAN
Relies on tunneling and encryption
(figure: Hong Kong and Paris sites joined across the Internet; the private, encrypted IP packet travels inside a public IP header)
-
Why Build a VPN?
Company information secured
Lower costs: connectivity costs, capital costs, management and support costs
Wider connectivity options
Speed of deployment
-
Who Buys VPNs?
Organizations wishing to:
Implement more cost-effective WAN solutions
Connect multiple remote sites
Deploy intranets
Connect to suppliers, business partners, and customers
Get back to their core business, and leave the WAN to the experts
Lower operational and capital equipment costs
Businesses with:
Multiple branch office locations
Telecommuters
Remote workers
Contractors and consultants
-
Networked Applications
Traditional applications: e-mail, database, file transfer
New applications: videoconferencing, distance learning, advanced publishing, voice
-
Example of a VPN
Private networking service over a public network infrastructure
(figure: the Munich main office is connected over the Internet to the New York, Milan and Paris offices; a mobile worker dials to Munich over the Internet)
-
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Implemented transparently in network infrastructure
Includes routers, firewalls, PCs, and servers
Scales from small to very large networks
-
IPSec Everywhere!
Router to Router
Router to Firewall
PC to Router
PC to Server
PC to Firewall
-
How IPSec Uses IKE
(figure: Alice behind Router A, Bob behind Router B, an IKE tunnel between the two routers)
1. Outbound packet from Alice to Bob; no IPSec security association yet
2. Router A's IKE begins negotiation with router B's IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by IPSec SA
-
Security Technology
Active Audit
-
Why Active Audit?
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems:
The hacker might be an employee or trusted partner
Up to 80% of security breaches come from the inside (Source: FBI)
Your defense might be ineffective
One out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
Your employees might make mistakes
Misconfigured firewalls, servers, etc.
Your network will grow and change
Each change introduces new security risks
-
Why Active Audit?
Network security requires a layered defense
Point security PLUS active systems to measure vulnerabilities and monitor for misuse
Network perimeter and the intranet
Security is an ongoing, operational process
Must be constantly measured, monitored, and improved
-
Active Audit: Network Vulnerability Assessment
Assess and report on the security status of network components
Scanning (active, passive), vulnerability database
-
Active Audit: Intrusion Detection System
Identify and react to known or suspected network intrusion or anomalies
Passive promiscuous monitoring
Database of threats or suspect behavior
Communication infrastructure or access control changes
-
Active Audit
Actively audit and verify policy
Detect intrusion and anomalies
Report
(figure: a "Universal Passport" issued by the USA, with placeholder text standing in for the holder's details)
-
Summary
Security is a mission-critical business requirement for all networks
Security requires a global, corporate-wide policy
Security requires a multilayered implementation