eSiksha
 Login    Password        Sign Up   Forgot Password
Monday, November 04, 2024


    

Site Search

 

Cisco
 Home
 BSCNR  
 BCRAN 
 CCNA 2.0 
 CCNA Wan-
 Switching
 CCNA 
 CCNP 2.0-
 Multilayer -
 Switched Network 
 CCNP 2.0- 
 Internetworking- 
 Troubleshooting 
 CCNP Network-
 Security 
 Design Associate 
 Internetwork-
 Expert 
 Netwrok WAN-
 switching BSSC
 Internetwork-
 Design 3.0
 Pix Firewall 
 

 

 COMPUTERS

 Home 
 MCSE Cert.
 MCSD Cert. 
 Overview 
 The Work 
 Areas of Work 
 Eligibility 
 Career Prospects 
 Remuneration 

 

T
R
A
C
K
S		  MBA
 Engineering
 Medical
 Humanities
 Sciences
 Computers
 Govt. Exams
 Commerce
 School/+2

Cisco CCNP Managing Cisco Network Security

 

Establishing A Network Security Policy

Evaluating Network Security Threats

A security threat can be as simple as snooping your network’s normal operation or as complex as taking control of your entire network. It is important then to be familiar with the three basic categories of network security threats.

 

Basic Categories of Security Threats

  • Unauthorized Access - Unauthorized access is when an unauthorized individual gains access to the network or any network resource with the possibility of taking that resource or tampering with it

  • Impersonation – Impersonation is the process of identifying yourself as a different individual by using the same credentials as that particular individual uses. There are several ways that this is done. One of the more common ways is by eavesdropping on your network and gaining access to usernames and password when these are exchanged via unsecured means. Sniffer programs, as they are commonly referred as, are small software packages that enable someone to snoop into current network conversations and extract users’ credentials.

  • Denial of Service – Denial of Service is an attack on your network by a malicious individual in order to interfere in your networks normal operation. This is a common type of attack that has gained notoriety due to the growth of the Internet.


Motivations of Network Security Threats

It is important to understand the different motivations that some individuals may have in posing a security threat to your network. It is a common perception that network security attacks are perpetrated from your external network, which is the Internet. Therefore, the firewall is an important piece in protecting your network against these said attacks. Here are some of the more basic motivations in launching an attack on your network.

  • Greed – The intruder’s purpose is to take control or possession of any network resource such as corporate data so that he/she may sell it for money.

  • Notoriety – The intruder attempts to break in to networks that are said to be secure proving his skill to gain respect from his peers.

  • Revenge – The intruder has been fired or laid off and is looking for some type of reprisal. The most common occurrence of this is the damaging of important corporate data.


 Outlining A Network Security Policy

  • Define physical security-Defining physical security controls pertain to the physical infrastructure that your network is built on. This can be the various physical components that comprise your network such as servers, routers, switches and cabling. Ensuring the security of these components should be the foundation of your network security policy. Imagine having the strictest password policy but having your wiring closet open to anyone in the vicinity.

  • Define logical security controls – Logical security controls provide boundaries within your network segments. This process is done when traffic is filtered from one segment of your network to the next. The two main logical boundaries used are:

    1. Subnet Boundaries

    2. VLAN Boundaries

  • Ensure data and system integrity – Data that passes to and from your network needs to be identified as valid traffic. Valid traffic can further be described as expected network traffic that is supported traffic, unspoofed traffic and traffic in which the data has not been altered. This is the main reason why firewalls are implemented. A firewall ensures your data’s validity and integrity ingressing and egressing your network.

  • Ensure data confidentiality – Data confidentiality pertains to encryption. The key in this process is deciding which data is to be encrypted and which is not be encrypted. This should be carefully evaluated so that key data that pose as the greatest risk if compromised is encrypted.

  • Develop policies and procedures for the staff that is responsible for the network – Specific guidelines should be in place for the staff that is responsible for the maintenance of the network infrastructure. This should ensure that these policies are balanced between securing your network and allowing the staff to carry out their responsibilities in an efficient manner. These policies may include the following:

    1. Backups – One of the most important tasks in network management is being able to back up the data that is stored in that network. Polices and procedures should be in place to provide the staff, that is responsible for the backups, the steps in securing those backups.

    2. Equipment Certification – Network equipment that is introduced into the network should adhere to specific security requirements.

    3. Audit Trails – Keeping a log of what goes on in your network greatly enhances your ability to determine if there is any suspicious activity going on in your network environment.

  • Develop appropriate security awareness training – Training should be provided to all staff in order for them to be informed of the various security measures that your network employs. It is very important that the staff is made aware of the many problems that may arise due to security related issues.


Securing The Dialup Connection

Dialup connections to your corporate network are usually comprised of several dial in infrastructures. These could be direct dial in connections from mobile users and telecommuters. There is also the virtual dial in process of remote branches via the Internet through a corporate Virtual Private Network (VPN). Therefore, it is recommended that you secure these dial in access points with a firewall device that implements some kind of intrusion detection and auditing function. Regardless of how dial in access is provided to the corporate network, the main security concerns lie in the following areas:

  • Identifying the caller

  • Identifying the location of the caller

  • Identifying the destination of the caller

  • Logging of accessed applications and data

  • Logging of the duration of the connection

  • Guaranteeing authenticated communication

  • Guaranteeing private communication

 

Configuring the Network Access Server for AAA Security

Access control is the process of controlling who is allowed access to the network and what services they are allowed to use. Authentication, Authorization and Accounting (AAA) network security services provide the principal structure though which you set up access control on your router or network server. AAA offers the following benefits:

  • Increased flexibility

  • Scalability

  • Standard authentication methods, such as RADIUS, TACACS+ and Kerberos

  • Multiple backup systems

AAA is designed to enable you to configure the type of authentication and authorization you would use on a per line (per user) or per service basis. You define the type of authentication and authorization you want by creating method lists, then apply those method lists to specific services or interfaces. Method lists are lists defining the authentication methods to be used, in order, to authenticate a dial in user. These lists enable you to assign one or more security protocols to be used for authentication, thus creating a backup system for authentication to be used in case the initial method fails. AAA is comprised of three independent security functions.

Authentication  

Authentication is the process of identifying users, including their login and password dialog scripts, challenge and response, messaging support and encryption.

Authorization  

Authorization provides the process of determining what a remote user is authorized to access in the network such as network resources or services. AAA authorization works by putting together a set of attributes that identify what a user is authorized to perform. These attributes are compared the information contained in a database for a given user. The result is returned to AAA to determine the user’s actual capabilities and restrictions. This database can be local on the access server or remotely on a TACACS+ or RADIUS server.

Accounting  

Accounting is the process of tracking the different types of services that remotely connected users are accessing. Activities are logged to either a RADIUS or TACACS security server in the form of accounting records. This data can then be analyzed for client billing, auditing or network management.

 

Overview of Basic AAA Configuration Process

  • Enable AAA by issuing this command in global mode

aaa new-model

  • If you are using separate security servers, configure security control parameters, such as RADIUS, TACACS+ or Kerberos

  • Define the method lists for authentication by issuing this command

aaa authentication

For example, if you would like to specify RADIUS as the default method for logging in, the command would be:

aaa authentication login default radius

To log in using the local username database on the router, the command would be:

aaa authentication login default local

To log in using PPP and specify the local username database, the command would be:

aaa authentication ppp default local

This example would allow authentication to succeed even if the TACACS+ server returns an error.

aaa authentication ppp default tacacs+ none

  • Apply the method list to a particular interface

This example applies the method list to interface serial 0

interface serial 0

ppp authentication chap pap default

  • Configure authorization using this command

aaa authorization

This example allows authorization on the network via TACACS+

aaa authorization network tacacs+

This example specifies TACACS+ as the method for user authorization when trying to establish a reverse telnet session

aaa authorization reverse-access tacacs+

  • Configure accounting using this command

aaa accounting

In the following example, RADIUS-style accounting is used to track all usages of EXEC commands and network services, such as PPP, SLIP and ARAP

aaa accounting exe start-stop radius

aaa accounting network start-stop radius

Securing The Internet Connection

The most common solution to securing your Internet connection is setting up a firewall. A firewall is a network device that is placed between your trusted network and untrusted networks, the most common in which, is the Internet. It is also possible to setup a firewall within the boundaries of your internal network so as to prevent unauthorized access to certain areas of your network that are highly sensitive such as payroll files or engineering data. Today, there are three classifications of firewalls

  • Packet Filtering – This type of firewall depend exclusively on UDP, ICMP, TCP and IP headers of individual packets to deny or permit traffic. The packet filter examines the combination of inbound or outbound traffic direction, IP source and destination address and TCP or UDP source and destination port numbers.

  • Circuit filtering – This type of firewall controls access via observing state information and recreating the flow of data that the traffic is associated with.

  • Application gateway – This type of firewall processes messages that are specific to a particular IP application. This type of firewall is probably the most secure, however, it is also the most resource intensive type to deploy.

 

Cisco IOS Firewall

The Cisco IOS firewall feature set is a security-specific option for the Cisco IOS software. It enhances the built-in security capabilities in the Cisco IOS and adds the full functionality of a firewall. The Cisco IOS firewall feature set is comprised of several different feature modules. The three basic feature sets we cover are:

  • Context-Based Access Control – This feature module provides the functionality of an advanced traffic filter and is an essential part of your IOS firewall. CBAC provides these functions for your firewall

    1. Traffic Filtering – Filters TCP and UDP packets based on information that is obtained through the application-layer protocol session. The firewall can inspect traffic originating from either side of the firewall and can then determine which traffic is allowed access into or out of the network.

    2. Alert and Audit Trails – CBAC produces real time alerts and audit logs based on events that are observed by the firewall. This enhanced log keeps tracks of all network transactions, such as source and destination hosts, ports used and total number of bytes transferred.

    3. Traffic Inspection – Inspection of inbound and outbound traffic produces state information. This state information allows the firewall to create temporary openings to allow return traffic for the permissible session.

  • Intrusion Detection System – This feature set is designed for mid-range and high-end router platforms with firewall support. It is best suited for any router deployed around your network perimeter, more commonly, on your Internet connections. This feature set provides identification of the most common attacks by identifying the signature in the pattern of attacks that are launched against your network. When the intrusion detection system identifies a pattern of attack that matches against a signature on the systems database, it responds before network security can be compromised and the event is then logged. These responses are to be configured by the administrator and can be one of the following:

    1. Send an alarm – this can be sent to either a syslog or a centralized management system such as NetRanger

    2. Drop the packet

    3. Reset the TCP Connection

  • IOS Firewall Authentication Proxy – This feature set allows network administrators to apply specific security policies based on user. In earlier versions, security policies were generally applied across multiple users. This feature can only be active when there is traffic from the authenticated user.

 

Configuring the PIX Firewall

PIX Firewall Basics

The PIX firewall is a complete hardware and software security solution. The PIX IOS runs on proprietary PIX hardware. In most respects, the basic concept behind the PIX firewall is to allow everything from the internal network to go outbound and only allow the return connections from the outside interface to the inside interface. The handling of connections from an inside interface to an outside interface is different from connections that are from the outside interface to the inside interface. Here are the basic steps in configuring a PIX firewall

  • The first step in configuring a PIX firewall is naming the different interfaces. On new installations, the PIX firewall provides default names for each interface. To view these default interface names, use the show nameif command. However, it would be ideal to rename these interfaces according to your network conventions or specifications. The command to name the interface is nameif. The syntax of this command is as follows:

nameif hardware_Id Interface Security_level

Hardware_id – this is the hardware name for the network interface card you are naming. Examples of this would be Ethernet0 (if you are using Ethernet interfaces)

Interface – this would be where you would name that interface if you want to use a different name other than the default one. Examples of this would be dmz or perimeter. You can specify up to 48 characters for this field, however, if you use a long name, you would need to reenter that name every time.

Security_level – You can choose any security level value between 1 and 99 for any perimeter interface so long as it is not the same as the inside or outside interface. If this is an initial PIX configuration, the default security level starts at security10 for the first perimeter interface.

An example of the nameif command is:

nameif ethernet0 inside 10

  • The second step in configuring a PIX firewall is assigning IP addresses to each interface on your PIX firewall. If you have any unused interface on your PIX firewall, the PIX assigned IP address for that interface is 127.0.0.1 and the subnet mask of 255.255.255.255. This does not allow any traffic to pass through this interface. The format for this ip address command is as follows:

ip address inside ip_address network_mask

ip address outside ip_address network_mask

ip_address – IP address you specify for that interface. This IP address must be unique.

network_mask – The network mask of the IP address assigned. If you are using a subnet mask, use it in this field.

An example of the ip address command is:

ip address inside 10.10.10.1 255.255.255.0

  • The next step is configuring the interfaces that are on your PIX firewall. The command that is used is interface. The format for this command is as follows:

interfaceHardware_id Hardware_speed (Shutdown)

Hardware_id - You can use either ethernetn for Ethernet interfaces or token for token ring depending on how it was specified in the nameif command.

Hardware_speed – If the interface used is Token Ring, use either 4Mbps or 16Mbps depending on the speed of the Token Ring card. If the interface is Ethernet, depending on the network interface card used in the PIX firewall, you can use auto (sets Ethernet speed automatically), 10baset (10 Mbps half duplex), 10full (10 Mbps full duplex), 100basetx (100 Mbps half duplex), 100full (100 Mbps full duplex) and aui (10 Mbps half duplex on a aui cable interface).

Shutdown – This is used to disable the use of this interface. If this is an initial configuration, the shutdown option is on by default. To enable an interface, you would need to enter the command without the shutdown option.

An example of the interface command is

interface ethernet0 auto

Configuring Access Through the PIX Firewall

Now that we have configured the different components of the PIX firewall, we need to allow users to connect through the PIX firewall. As we have identified each interface with a security level, we need to define the guidelines allowing connections coming from a higher security level interface to a lower security level interface and vice versa. The commands that are used to allow this are nat and global.

  • To allow inside users to connect to any lower security level interface, use the nat (inside) 1 0 0 command. The “1” after the interface (inside) is the NAT ID. Instead of using 0 0, to allow all hosts to start a connection, you can specify a host or a network address and mask. For example, to allow only the 10.10.10.5 host to start a connection, you can specify this command:

nat (inside) 1 10.10.10.5 255.255.255.255

  • Adding a global command for each lower security level interface allows users to have access to, for example, the outside interface or the dmz interface. The global command then creates a pool of addresses that translated connections can pass through. Remember to have enough global addresses to accommodate the number of users that are accessing the lower security level interface. An example of this is:

global (dmz1) 1 10.10.10.20-10.10.10.50 netmask 255.255.255.0

  • The next step is to set up a default route that points to the outside router. You can use the show route command to view the command that you just issued. If there is an existing route already configured, use the no route to remove it. For example, if the outside router’s address is 64.18.5.10, you would issue this command:

route outside 0 0 64.18.5.10 1

This command defines that the default router is on the outside interface. The default route is defined as the 0 0 right before the ip address. This is translated as 0.0.0.0 netmask 0.0.0.0. The 1 at the end of the command states that this is the next hop router.

  • The next step is to permit ping access. This allows you to test that the host is reachable through the PIX firewall. The process starts by creating an access-list that permits pings through the firewall. Here is an example:

access-list ping_in permit icmp any any

access-list ping_out permit icmp any any

  • After creating the access-lists, you would need to apply it to the specific interface. In this example, we are applying the access-list ping_in towards the inside interface of the PIX firewall.

access-group ping_in interface inside

  • The final steps are to save the configuration by issuing the write memory command, checking the configuration by using the write terminal command and finally testing the network connectivity. Pinging the different interfaces of the firewall and getting a response would be a good start in verifying network connectivity. Here are some of the commands you would use to check the configuration of the PIX firewall:

show ip address – to verify the ip address of each interface

show nat – to verify network address translation

show route – to verify the default route

show global – to show the range of global addresses

If you happen to need a host from the outside interface to gain access to a host in the inside interface, the conduit command is used. An example of this is when you want anyone from the outside interface to access your web server in the dmz. The resulting command would be:

static (dmz, outside) 64.18.1.50 10.10.10.50 netmask 255.255.255.255

conduit permit tcp host 64.18.1.50 ew www any

The first line defines that from the dmz, host 10.10.10.50 is mapped access through the outside interface of 64.18.1.50. The second line then defines that any user from the outside can access 64.18.1.50 via port 80.

 

Configuring Advanced Features

  • Failover – Failover allows you to add a secondary PIX firewall unit that takes over when the primary unit fails. These units are connected by special RS-232 serial cables that transmit special “hello” failover messages to each other every 15 secs. When a failure of the primary unit is detected, the secondary unit assumes the IP address and the MAC address of the failed unit. The secondary unit then acquires the configuration of the primary unit and is now able to function as the firewall. To enable failover between two PIX firewall units, they would need to be configured exactly the same. When a failover cable is connected between the two units, you need to explicitly enable failover by issuing the failover command. In addition, if any configuration change is made on the primary unit, you need to issue the command write standby in order for the changes to be replicated to the standby unit.

  • PPTP Virtual Private Network – In version 5.1, Microsoft’s PPTP is supported. PPTP (Point to point tunneling protocol) is a layer 2 tunneling protocol that allows a remote client to establish secure communication through a public IP network such as the internet. The vpdn command enable the PPTP feature for inbound connections between the PIX firewall and a windows client. An example of the use of this command is as follows:

vpdn enable outside

  • ActiveX Blocking – Active X controls are components that are inserted in a web page or application that can contain several different forms that can gather or display information. This can create many potential security problems as these can be invoked to attack network services or take over a workstation. The PIX firewall Active X feature blocks these controls from the web page itself.

  • SNMP – The PIX firewall can be configured to send SNMP traps to a SNMP sever so that it can be monitored remotely. The command to enable this advanced feature is snmp-server hosts.

  • Websense URL Filtering – If you use a websense server, the PIX firewall can be configured to allow it to do URL filtering. The command issued on the PIX firewall to point itself to a websense server is as follows:

url- server (inside) host 10.10.10.1 timoeout 15

  • FTP and URL Logging – The PIX firewall can log ftp commands and WWW URL’s to a syslog server. Issuing the command show fixup ensures that the ftp and http protocol commands are present in the configuration.

Encryption Technology

Basic Cryptography

Cryptography is defined as the science of reading or writing coded messages. It is the foundation of the mechanics of enabling authentication, integrity and confidentiality. The process of cryptography is known as encryption. An encrypted message is a message that has undergone a mathematical process or algorithmic process in order for it to be converted to cipher text. When the intended recipient gets the cipher text, he then proceeds to decrypt the message by applying the same algorithmic process on it as the sender. This allows him to be able to get back the decrypted message. There are three types of cryptographic functions that enable authentication, integrity and confidentiality:

  • Symmetric encryption – This type of encryption is often known as secret key encryption. This is where a common key and the same algorithmic process is used to encrypt and decrypt a message.

  • Asymmetric encryption – This type of encryption is often known as public key encryption. Public key encryption uses two different but related keys in order to do the algorithmic process on the message. When a message is encrypted, both a public key and a private key is needed. For example, Joe would like to send Mary an encrypted message. First, he encrypts the message using both his public and private key. He then sends Mary both the encrypted message and his public key. Mary then uses Joe’s public key to decrypt the message.

  • Hash functions – A hash function takes a message and then outputs it to a certain code. The code has to meet specific properties to be effective. These properties are consistency, randomness, uniqueness and it must be one way. One-way hashes verify the integrity of a message by making sure that the message has not been tampered with in transit.

 

Overview of IKE & IPSEC

  • IPSEC –IPSEC stands for IP Security. IPSEC is a framework of open standards for guaranteeing secure private communications over the Internet. IPSEC uses encryption technology to offer data integrity, confidentiality and authenticity between participating peers in a private network. Cisco provides full Encapsulating Security Payload (ESP) and Authentication Header (AH) support. IPSEC provides IP network layer encryption and authentication thus providing an end-to-end security solution in your network architecture. This encryption method allows encrypted packets to look the same as regular packets; these packets are routed normally through any IP network, such as the Internet. This is done without any changes to the transitional networking devices. The only devices that are aware of such an encryption are the end points of the communication. IPSEC employs several different technologies to provide a complete system of confidentiality, integrity and authenticity. These technologies are

    1. Diffie-Hellman key exchange – This is used for obtaining key material between peers on a public network.

    2. Public key cryptography – This is used for signing the Diffie-Hellman exchanges. This guarantees the identities of the two parties.

    3. Bulk key encryption – This is for encrypting the data.

    4. Keyed Hash Algorithms – This, combined with traditional hash algorithms, provides packet authentication.

    5. Digital Certificates – Items signed by a certificate authority to act as digital identification cards.

  • IKE – IKE stands for Internet Key Exchange. IKE was formerly known as the Internet Security Association Key Management Protocol or ISAKMP. IKE offers security association management. IKE authenticates each peer in an IPSEC communication, negotiates security policy and handles the exchange of session keys. IKE is a key management protocol standard that is used in conjunction with IPSEC. IPSEC can be configured without IKE; however, IKE enhances the IPSEC with its additional features. IKE automatically negotiates IPSEC security associations and enables IPSEC secure communications without manual configuration. IKE provides these benefits

    1. Eliminates the need to manually configure the different security parameters of IPSEC in the crypto maps at both peers.

    2. Allows you to configure a lifetime for the IPSEC security association

    3. Allows encryptions keys to change during IPSEC sessions

    4. Allows IPSEC to offer anti-replay services

    5. Permits Certificate Authority support for manageable and scalable IPSEC implementation

    6. Allows dynamic authentication of peers

 

Configuring IPSEC with IKE

  • Enable the debug crypto ipsec command to obtain important IPSEC-related messages that only display when this command is entered.

  • Create an access-list to define the traffic to protect:

access-list 102 permit ip 10.10.0.0 255.255.0.0 64.18.1.1 255.255.255.0

  • Configure a transform set that specifies how the traffic will be protected. For example:

crypto ipsec transform-set testset1 esp-des esp-sha-hmac

crypto ipsec transform-set testset2 ah-sha-hmac esp-3des esp-sha-hmac

  • Create a crypto map entry in the IPSEC ISAKMP mode:

crypto map testmap1 10 ipsec-isakmp

  • Assign an access-list to a crypto map entry. For example:

crypto map testmap1 10 match address 102

  • Define the peer to which the IPSEC protected traffic can be forwarded to:

crypto map testmap1 10 set peer 209.223.140.2

  • Specify which transform sets are allowed for this crypto map entry. For example:

crypto map testmap1 10 set transform-set testset1 testset2

 

Configuring IKE

  • The first step is to enable the debug crypto isakmp command to capture important IKE-related messages that only display when this command is enabled.

  • Enable IKE on the interface on which the IPSEC traffic will be evaluated. For example:

isakmp enable outside

  • Define the policy to create. The priority number that is assigned by you identifies each policy. For example:

isakmp policy 21

  • Specify the encryption algorithm. For example:

isakmp policy 21 encryption des

  • Specify the hash algorithm. For example:

isakmp policy 21 hash md5

  • Specify the authentication method. For example:

isakmp policy 21 authentication rsa-sig

  • Specify the Diffie-Hellman group identifier. For example:

isakmp policy 21 group 2

  • Specify the security association’s lifetime. For example:

Isakmp policy 21 lifetime 4000


 
Home | Abroad | Academics | Advice | Alumni Associations | Career Watch | Competitive Exams | Career Counseling | Distance Education | Forms | Organisations | Relax Zone | MBA | Engineering | Medical | Humanities | Sciences | Computers ICSE/ISC/CBSE | Scholarship | Loans
 
 Contact Us | Feedback | Advertise | Disclaimer | Privacy Policy
 
©2000-2001 All rights reserved "DD Web Vision Private Limited"

Site developed by