A syslog client is a host that generates log messages and forwards them to a syslog server

Syslog is the standard for logging system events. As shown in the figure, syslog implementations contain two types of systems:
- Syslog servers: These systems are also known as log hosts. They accept and process log messages from syslog clients.
- Syslog clients: Syslog clients are routers or other types of Cisco equipment that generate and forward log messages to syslog servers.
Note: Performing forensics on router logs can become very difficult if your router clocks are not running the...

AAA Example Authentication via PPP Link

- Clear text, repeated password
- Subject to eavesdropping and replay attacks
Challenge Handshake Authentication Protocol
- Secret password, per remote user
- Challenge sent on link (random number)
- Challenge can be repeated periodically to prevent session hijacking
- CHAP response is Message Digest 5 hash of (challenge + secret) that provides authentication
- Robust against sniffing and replay attacks
MS-CHAP version 1 (supported in Cisco IOS Release 11.3 and later) and version 1 or version 2...

Adaptive Threat Defense

ATD is the ultimate goal of the Cisco Self-Defending Network. This topic describes the components of the ATD phase of the Cisco Self-Defending Network strategy.
Figure (ATD Products, Services, and Architecture Example): Access Control, Packet Inspection; Firewall Services; Application Intelligence, Content Identity, Virtualization, QoS Inspection, Virus Mitigation Segmentation, Traffic Visibility; IPS and Antivirus Services; Network Intelligence; Application Inspection, Use Enforcement, Web Control; Application...

Adds commands or interfaces to a view

Router(config-view)# commands exec include show version

Next, you must assign the commands allowed to the selected view. The syntax for the commands command is as follows:

commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

- commands: Adds commands or interfaces to a view
- parser-mode: The mode in which the specified command exists
- include: Adds a command or an interface to the view and allows the same command or interface to be added to an additional view
- include-exclusive: Adds a command or an interface to...

Admission Control

One of the most high-profile Cisco Self-Defending Network initiatives to date is the Cisco NAC program. NAC allows customers to determine what level of network access to grant to an endpoint based on the security posture of the user, which is based on the security state of the operating system and associated applications. In addition to controlling access, NAC gives IT administrators a way to automatically quarantine and remediate noncompliant endpoints. Making sure that endpoints are in...

Adversaries Hacker Motivations and Classes of Attack

To defend against attacks on information and information systems, organizations must define the threat in these three terms:
- Adversaries: Potential adversaries might include nation states, terrorists, criminals, hackers, and corporate competitors.
- Motivations: Motivations may include intelligence gathering, theft of intellectual property, DoS, embarrassment of the company or clients, or pride in exploiting a notable target.
- Classes of attack: Classes of attack may include passive monitoring of...

AIM-VPN HPII-PLUS

The Cisco integrated services router series provides built-in VPN encryption acceleration for IPsec Data Encryption Standard (DES), Triple-Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) 128-, 192-, and 256-bit key sizes. In addition, you can use an AIM for VPN encryption. There are three types of these modules:
- AIM-VPN BPII-PLUS: Basic performance AIM
- AIM-VPN EPII-PLUS: Enhanced performance AIM
- AIM-VPN HPII-PLUS: High performance AIM
These modules increase the router...

Application Layer Attacks and Mitigation

This topic describes the mitigation of application layer attacks. Application layer attacks have these characteristics:
- Exploit well-known weaknesses, such as those in protocols, that are intrinsic
- Often use ports that are allowed through a firewall, for example, TCP
- Can never be completely eliminated
There are several methods of executing an application layer attack: Exploiting well-known weaknesses One of the most...

Application Security and AntiX Defense

Over the past several years, a number of new application layer network products have emerged to help address new classes of threats that were not adequately addressed by classic firewall and NIDS products, including viruses and worms, e-mail based spam and phishing, spyware, web services abuse, IP telephony abuse, and unauthorized peer-to-peer activity. Cisco has developed the next generation of packet- and content-inspection security services to deal with these types of threats and misuse....

As a step in a larger attack

The prime goal of an IP spoofing attack is to establish a connection that allows the attacker to gain root access to the host and to create a backdoor entry path into the target system. IP spoofing is a technique used to gain unauthorized access to computers whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. The attacker learns the IP address of a trusted host and modifies the packet headers so that it appears that the...

Authenticating Remote Access

This topic describes the methods of authentication used to provide remote access to a LAN.
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.
If you have one or two NASs or routers providing access to your network for a limited number of users, you may store username...

Authenticating Router Access

It is important that you secure the interfaces of all your routers, particularly your network access servers and perimeter routers connecting to the Internet. You must configure the router to secure administrative access and remote LAN network access using aaa commands. The router access modes, port types, and AAA command elements are compared in the Router Access table. Securing Cisco Network Devices (SND) v2.0 Here are the general steps required to configure a Cisco router for local...

Authentication Methods

This topic describes the various authentication methods in use in terms of the degree of security that they provide and their ease of use. The most common method of user authentication is the use of usernames and passwords. These methods range from weak to strong in authentication security. Simple authentication methods use a database of usernames and passwords, while methods that are more complex use one-time passwords (OTPs). Consider each of the methods listed in the figure from the bottom...

Better than the type 7 encryption found in the service password-encryption command

Boston(config)# username rtradmin secret 0 Curium2006
Boston(config)# username rtradmin secret 5 1 feb0 a104Qd9UZ. Ak00KTggPD0

Cisco routers can maintain a list of usernames and passwords for performing local login authentication. Starting with Cisco IOS Release 12.0(18)S, system administrators can choose to use an MD5 hashing mechanism to encrypt a user password. MD5 hashing of passwords is a much better encryption scheme than the standard type 7 encryption found in the service...

Change passwords often

When creating passwords for Cisco routers, always keep these rules in mind:
- It is best to have a minimum of 10 characters for a password.
- Passwords may include the following: a mix of uppercase and lowercase characters
- Passwords should not use dictionary words.
- Password-leading spaces are ignored, but all spaces after the first character are not ignored.
- You should decide when and how often the passwords will be changed.
You may want to add your own rules to this list to make your passwords even...

Overview

The open nature of the Internet makes it increasingly important for growing businesses to pay attention to the security of their networks. As companies move more of their business functions to the public network, they need to take precautions to ensure that the data is not compromised or that the data does not end up in front of the wrong people. Unauthorized network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company...

Cisco IOS Security Features

This topic describes how to secure the network perimeter with Cisco IOS software security features. Cisco IOS software-based devices incorporate various security services to create an integrated and scalable network. The Cisco IOS Firewall is a security-specific option for Cisco IOS software. The Cisco IOS Firewall provides integrated network security with robust stateful firewall functionality and intrusion prevention for network perimeters. It adds greater depth and flexibility to existing...

Cisco SDM Overview

Cisco SDM is a web-based device management tool for Cisco IOS software-based routers. Cisco SDM offers these benefits:
- Knowledge base of Cisco TAC-approved Cisco IOS configurations
- Integrated services management
Cisco SDM is an intuitive, web-based device manager for easy and reliable deployment and management of services on Cisco IOS routers. Cisco SDM offers users these benefits: Smart wizards in Cisco SDM have built-in intelligence about Cisco Technical Assistance Center (TAC)-recommended...

Cisco SDM Wizards in Configuration Mode

Carry out these tasks with smart wizards in configuration mode:
- Configure the LAN interfaces and serial interfaces with Interfaces and Connections wizards
- Configure basic or advanced firewalls with the Firewall and ACL wizards
- Configure a secure site-to-site VPN, Cisco Easy VPN Server, Cisco Easy VPN Remote, and DMVPN with VPN wizards
- Perform a router security audit and lock down any insecure features it finds with Security Audit wizards
- Configure both basic and advanced NAT with NAT wizards....

Cisco Secure ACS is an AAA system with these features

- Key component used with firewalls, dial-up access servers, and routers
- Implemented at network access points to authenticate remote or dial-in users
- Implemented at WAN extranet connections to audit activities and control authentication and authorization for business partner connections
You can leverage the Cisco Secure ACS framework to control administrator access and configuration for all network devices in your network that are enabled by RADIUS and TACACS+. Here are some of the advanced...

Closed Networks

Attacks from inside the network remain a threat. The easiest way to protect a network from an outside attack is to close it off completely from the outside world. A closed network provides connectivity only to trusted, known parties and sites; a closed network does not allow a connection to public networks. Because there is no outside connectivity, networks designed in this way can be considered safe from outside attacks. However, internal threats still exist. The CSI in San Francisco,...

Common Threats to Physical Installations

There are four classes of insecure installations or physical access threats:
- Hardware threats: The threat of physical damage to the router or switch hardware
- Environmental threats: Threats such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats: Threats such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss...
- Maintenance threats

Components of Network Security Design

This topic describes the factors that you need to consider when designing a network security system. Business goals and risk analysis drive the need for network security. Regardless of the security implications, business needs must come first. If your business cannot function because of security concerns, you have a problem. The security system design must accommodate the goals of the business, not hinder them. Risk analysis includes these two key elements: What does the cost-benefit analysis of...

Configuring AAA with Cisco SDM

AAA can also be configured and edited using Cisco SDM. After the aaa new-model command has been configured on the router using the CLI, choose Additional Tasks > AAA. The figure shows the AAA Authentication Login configuration screen. It shows the two login authentication method lists configured on the router. One is the default method list, and the other is the sdm_vpn_xauth_ml_1 method list. Both method lists use the local database to perform login authentication. This screen can be used to...

Configuring an SSH Server for Secure Management and Reporting

This topic describes the steps used to configure an SSH server for secure management and reporting. Whenever possible, you should use SSH instead of Telnet to manage your Cisco routers. SSH version 1 (SSHv1) is supported in Cisco IOS Release 12.1(1)T and later, while SSH version 2 (SSHv2) is supported in Cisco IOS Release 12.3(4)T and later. Cisco routers configured for SSH act as SSH servers. You must provide an SSH client, such as PuTTY, OpenSSH, or Tera Term, for the administrator...

Control access to console ports

Maintenance-related threats compose a broad category of threats that include many items. Follow the general rules listed here to prevent these types of threats:
- Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.
- Use cable runs, raceways, or both, to traverse rack-to-ceiling or rack-to-rack connections.
- Always follow electrostatic discharge procedures when replacing or working with internal router...

Converging Dynamics

New laws require organizations to better protect the privacy of sensitive and personal information. A growing level of terrorist and criminal activity is being directed at communications networks and computer systems. Cyber attacks and hacking are much easier now than in the past for a larger number of perpetrators. Converging dynamics have raised the risks for organizations that are required to protect the privacy of client information or that have a high political or brand profile. There are...

Course Flow

- Module 1: Introduction to Network Security Policies
- Module 2: Securing the Perimeter
- Module 3: Securing LAN and WLAN Devices
- Module 4: Cisco IOS Firewall Configuration (Cont.)
- Module 5: Securing Networks with Cisco IOS IPS
- Module 6: Building IPsec VPNs (Cont.)
The schedule reflects the recommended structure for this course. This structure allows enough time for the instructor to present the course information and for you to work through the lab activities. The exact timing of the subject materials...

Course Goal

The goal of the SND course is for learners to be able to perform basic tasks to secure network devices at Layers 2 and 3 using both the CLI and web-based GUIs. Devices include Cisco integrated services routers and Cisco Catalyst switches. Upon completing this course, you will be able to meet these objectives:
- Develop a comprehensive network security policy to counter threats against information security
- Configure routers on the network perimeter with Cisco IOS software security features...

Creates a new view

The key commands that are specific to configuring views for role-based CLI are shown in this and the next figure. When a system is in root view, it has all of the access privileges as a user who has level 15 privileges. If the administrator wishes to configure any view to the system, the system must be in root view. The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. This...

DoS Attacks

DoS and DDoS attacks have these characteristics:
- They are not generally targeted to gain access.
- They aim at making a service unavailable.
- They require very little effort to execute.
- They are difficult to eliminate.
The left side of the figure shows a typical DoS attack architecture....

DoS Example

Issues commands to handlers that control agents in a mass attack.
2. The cracker installs software to scan, compromise, and infect agents with zombies.
3. Agents are loaded with remote control attack software.
This figure shows the process of a DDoS attack. In the figure, the hacker uses a terminal to scan for systems to hack. After the hacker accesses...

Defense-in-Depth Strategy

Figure: An Integrated Set of Measures and Actions (Availability, Integrity, Authentication, Confidentiality, and Nonrepudiation)

Information assurance ensures that information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. In addition to incorporating protection mechanisms, organizations need to expect attacks and must include attack detection tools and procedures that...

Defense-in-Depth Strategy Focus Areas

- Defend the network and infrastructure
- Defend the perimeter
- Defend the computing environment
- Provide support
Securing information and systems against all threats requires multiple, overlapping protection approaches that address the people, technology, and operational aspects of information technology. With multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach does not leave the system unprotected. The defense-in-depth strategy...

Develop a written security policy for the company

Defending your network against attack requires constant vigilance and education. These 10 practices represent the best insurance for your network:
- Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
- Shut down unnecessary services and ports.
- Use strong passwords and change them often.
- Control physical access to systems.
- Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A...

Developing a Security Policy Using the PDIOO Model

Developing a security policy is a major undertaking, and you should approach it in the same way as you would any major project. This topic describes the process of developing a security policy within a typical corporate environment.
Figure: Assess the Effectiveness of the Security Policy
There are many references describing the way to build an effective security policy. A good approach is to use the planning, designing, implementing, operating, and...

Developing a Security Policy Implement Phase

This topic describes the activities included in the implement phase of a security policy life cycle.
- Enforce, implement, and account for exceptions. (The policy must last a long time and be understood.)
- Use the chain of command to disseminate any new or changed policies
- Use e-mail and a security awareness program
- Design training to be relevant to the work responsibilities of every person using the system
- Audit internally to ensure enforceability
The...

Developing a Security Policy Operate Phase

This topic describes the activities included in the operate phase of the security policy life cycle.
- Security operations and administration: Includes day-to-day operations, responses to changes, and responses to attack
- Scheduled activity to evaluate effectiveness using
- Ongoing activity focusing on the security system and its users
- Established procedures and follow-up
During the operate phase, the system performs its work. However, during this stage,...

Developing a Security Policy Optimize Phase

This topic describes the activities included in the optimize phase of the security policy life cycle. Organizations deal with changes in features and services, new threats and vulnerabilities, increasing need for interconnections, new user groups, and upgrades to software, hardware, and services. You should analyze changes from a security standpoint and use the PDIOO process. You should complete the necessary analysis and modify as necessary. You...

Developing a Security Policy Plan Phase

This topic describes the activities included in the plan phase of a security policy life cycle.
Figure: Information security team; Technical staffs
The goal of the plan phase is to assemble a team and assign tasks. An appropriate and effective security policy needs the acceptance and support of all employees in the organization. At the top, corporate management must give full support to the policy process or the policy will have little chance of being effective. Companies should follow a formal policy...

Device

SNMPv1 and SNMPv2 use a community string to access router SNMP agents. SNMP community strings act like passwords. An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine. If the manager sends one of the correct read-only community strings, it can get information but not set information in an agent. If the manager uses one of the correct read-write community strings, it can get or set information in the agent. In effect, having set...

Disable and restrict commonly configured management services

- Simple Network Management Protocol (SNMP): This service is enabled by default. The SNMP service allows the router to respond to remote SNMP queries and configuration requests. If required, restrict which SNMP systems have access to the router SNMP agent and use SNMP version 3 (SNMPv3) whenever possible, because this version offers secure communication not available in earlier versions of SNMP. Disable this service when it is not required.
- HTTP or HTTP Secure (HTTPS) configuration and monitoring...

Disable gratuitous and proxy Address Resolution Protocol (ARP)

- Gratuitous ARP: This service is enabled by default. Gratuitous ARP is the main mechanism used in ARP poisoning attacks. You should disable gratuitous ARPs on each router interface unless this service is needed.
- Proxy ARP: This service is enabled by default. This feature configures the router to act as a proxy for Layer 2 address resolution. This service should be disabled unless the router is being used as a LAN bridge.
Disable IP-directed broadcast: This service is enabled in Cisco IOS software...

Disable probes and scans

- Finger service: This service is enabled by default. The finger protocol (port 79) allows users throughout the network to obtain a list of the users currently using a particular device. The information displayed includes the processes running on the system, the line number, connection name, idle time, and terminal location. This information is provided through the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks. Disable this...

Disable unnecessary services and interfaces

- Router interfaces: You should limit unauthorized access to the router and the network by disabling unused open router interfaces.
- Bootstrap Protocol (BOOTP) server: This service is enabled by default. This service allows a router to act as a BOOTP server for other routers. This service is rarely required and should be disabled.
- Cisco Discovery Protocol (CDP): This service is enabled by default. CDP is used primarily to obtain protocol addresses of neighboring Cisco devices and to discover the...

Dispose

Network security is a process based on security policy. The life cycle of network security:
- Plan: The network designers identify network requirements in this phase. The plan includes analyzing the places where the network will be installed and identifying the people and processes that need network services.
- Design: In this phase, the network designers accomplish the bulk of the logical and physical design according to the requirements gathered during the plan phase.
- Implement: After management...

Each of these commands has its own syntax and options methods

The figure contains a complete listing of aaa authentication commands for Cisco IOS Release 12.2 and later. The AAA Authentication Commands table describes each of these commands. To enable an AAA authentication method for AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication. This command creates a...

Enable AAA Globally Using the aaa new-model Command

Router(config)# aaa new-model
(Establishes AAA section in configuration file)
Router(config)# username Joe106 password lMugOJava
Router(config)# aaa authentication login default local
(Helps prevent administrative access lockout while configuring AAA)

The first step in configuring an NAS or router to use the AAA process is to enable AAA using the aaa new-model command. If an administrative Telnet or console session is lost while enabling AAA on a Cisco router and no local AAA user authentication...

Enables password checking at login for auxiliary line connections

Boston(config-line)# password NeverGessMeAux
Boston(config-line)# login

By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dial-up modem connection. Unlike console and vty passwords, the auxiliary password is not configured during the initial configuration dialog and should be configured, as shown in the figure, using the password command in auxiliary line...

Enables password checking at login for vty Telnet sessions

Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password

Cisco routers support multiple Telnet sessions (up to five simultaneous sessions by default, and more can be added), each serviced by a logical vty line. By default, Cisco routers do not have any line-level passwords configured for these vty lines. If you enable password checking, you must also configure a vty password before attempting to access the router using Telnet. If you fail to configure a vty password...

Enables secure calls from Cisco IP phones to Cisco Call Manager

The High Density Voice Network Module (NM-HDV) contains five 72-pin single inline memory module (SIMM) sockets or banks for packet PVDMs numbered 0 through 4. Each socket can be filled with a single 72-pin PVDM. The PVDMs must be installed starting from slot 0. Note: PVDM and PVDM2 modules are not interchangeable. Use PVDM modules with the NM-HDV network module only, and use PVDM2 modules with the NM-HDV2 network module only. The PVDM2 modules are used with onboard voice interface cards on the...

Encrypting Passwords Using the service password-encryption Command

Encrypts all clear text passwords in the router configuration file:
Boston(config)# service password-encryption

Just like console and vty passwords, auxiliary passwords are not encrypted in the router configuration. This is why it is important to use the service password-encryption command. With the exception of the enable secret password, all Cisco router passwords are, by default,...

Endpoint Protection

One of the realities of viruses and worms is that, along with endpoint infection, they frequently create network congestion as a byproduct of rapid propagation. In effect, CSA becomes a first order dampener to the virus and worm propagation effect. A second and equally compelling reason for deploying CSA is that it establishes a presence on endpoints that can be used to establish a feedback loop between the endpoint and the network resulting in a network that rapidly adapts to emerging threats.

Ensure path integrity

- Internet Control Message Protocol (ICMP) redirects: This service is enabled by default. ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same interface on which it was received. This information can be used by attackers to redirect packets to an untrusted device. This service should be disabled when not required.
- IP source routing: This service is...

Ensure terminal access security

- IP identification service: This service is enabled by default. The identification protocol (specified in RFC 1413, Identification Protocol) reports the identity of a TCP connection initiator to the receiving host. This data can be used by an attacker to gather information about your network, and this service should be explicitly disabled.
- TCP keepalives: This service is disabled by default. TCP keepalives help clean up TCP connections where a remote host has rebooted or otherwise stopped...

Faaa authorization

In global configuration mode, this command enables the authentication
_ 2. In global configuration mode, this command enables AAA authentication to determine if a user can access the privileged command level.
_ 3. This command forces the router to override every other authentication method previously configured for the router lines.
_ 4. In global configuration mode, this command specifies one or more AAA authentication methods for use on serial interfaces.
_ 5. In global configuration...

Generation of system logging messages for login detection

The Cisco IOS Login Enhancements feature allows users to better secure their Cisco IOS devices when creating a virtual connection, such as Telnet, SSH, or HTTP. Thus, users can help slow down dictionary attacks and help protect their router from a possible denial of service (DoS) attack. To better configure security when opening a virtual login connection, these requirements have been added to the login process:
- Delays between successive login attempts
- Login shutdown if DoS attacks are suspected...

Hardware Threat Mitigation

- Plan physical security to limit damage to the equipment
- Lock up equipment and prevent unauthorized access from the doors, ceiling, raised floor, windows, ducts, or vents
- Monitor and control closet entry with electronic logs
Figure: Secure Internet Access; Computer Room
Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements: The room must be locked with only authorized personnel allowed access. The room...

Hashes the password in the router configuration file; uses a strong hashing algorithm based on MD5

Boston(config)# enable secret Curium2006
enable secret 5 1 ptCj vRErS tehv53JjaqFMzBT

If you did not use the initial configuration dialog to configure your enable secret password, you must use the enable secret command in global configuration mode as shown in the figure. The enable secret command uses a one-way encryption hash based on MD5 (designated by the number 5 in the sample configuration) and is considered irreversible by most cryptographers. However, even this type of encryption is still...

How can you track changes when attacks or network failures occur

Configuring logging for your Cisco routers is a straightforward operation when your network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can prove to be a challenging proposition and can raise the questions listed in the figure. Securing administrative access and device configurations is also a straightforward operation for smaller Cisco router networks. However, managing administrative access and device configurations for many more...

Identify vulnerabilities on the network

As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services needing attention. IP addressing and port or banner data from both TCP and UDP ports are examined to gather information. In an illegitimate situation, a port scan can be a series of messages sent by someone attempting to break into a computer to learn which computer network services (each service is associated with a well-known port number) the computer...

If the host cannot be seen by the hacker the hacker may launch a Trojan application such as W32QAZ to determine the

The first step is to review all the information on the host that the hacker has collected, for example, files containing usernames and passwords and registry keys containing application or user passwords. (Any available documentation, including e-mails and other documents, may also be of assistance.) If this step does not succeed, the hacker may launch a Trojan horse attack. This type of attack usually means copying malicious code to the user system and giving it the same name as a frequently...

Implement integrated security into the network infrastructure

- Review network staging, implementation, ...
When your security solution design is complete, you must define the implementation and deployment activities. During the implement phase, the team uses sound security design principles and assistance provided during the plan and design phases to strengthen their ability to meet aggressive deployment schedules and to help minimize costly disruptions to the existing network infrastructure. Network security...

Improve Security

This step involves taking these actions:
- Use information from the monitor and test phases to make improvements to the security implementation
- Adjust the security policy as security vulnerabilities and risks are identified
As described in the figure, monitoring and testing of network security may identify aspects of the network that can be improved.
2006 Cisco Systems, Inc. Introduction to Network Security Policies 1-27

In-band management guidelines

- Apply only to devices needing to be managed or monitored
- Decide whether the management channel needs to be open at all times
- Keep clocks on hosts and network devices synchronized
- Record changes and archive configurations
The figure outlines guidelines for OOB and in-band management of the architecture. As a general rule, OOB management is appropriate for large enterprise networks. In smaller networks, in-band management is recommended as a means of achieving a more cost-effective...

Infection Containment

Strong network admission policies do not eliminate the need to continue monitoring devices once they enter a network. Determined attackers can evade just about any admission check, and the network cannot always rely on, or trust, an infected element to turn itself in. Compliant devices also can become infected through a variety of vectors once they are members of a network (for example, a Universal Serial Bus (USB) key with infected content). To further help protect the network, the Cisco...

Information Assurance Typical Network Architecture

This figure shows a conceptual diagram of a network for a branch location within a large enterprise. The network topology aligns with the Availability and Protection of Information Triangle. Information at the bottom is available to the public and corresponds to the base of the Availability and Protection of Information Triangle. There is a demilitarized zone (DMZ) that acts as the single point of entry into the site and defends the network perimeter and external connections. The network...

Installation Risk Assessment

(Figure: Generally High Risk (Mission Critical))
Before discussing how to secure Cisco network installations, it is important to make the distinction between low-risk and high-risk devices.
Low-risk devices: These devices are typically low-end small office/home office (SOHO) devices. Examples of SOHO devices include the Cisco 800 Series Routers, CiscoPro CPA 900 Series Routers, Cisco 1700 Series Modular Access Routers, Cisco 1800 Series Integrated Services...

Introducing the Cisco Integrated Services Router Family

This topic describes the security features of the Cisco Integrated Services Router Family.
(Figure: Integrated Services Router Product Portfolio, spanning Small Office/Home Office, Small branch, Branch, SMB or Enterprise Branch, and Large Headquarters and beyond)
The Cisco 850 Series Access Routers support broadband cable and Asymmetric Digital Subscriber Line (ADSL) over analog telephone lines. Designed for very small offices, the routers provide secure WAN connectivity with optional...

Keeping up to date with the latest antivirus software and application versions

Viruses and Trojan horse attacks can be contained through the effective use of antivirus software at the user level and potentially at the network level. Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. As hackers release new viruses or Trojan horse applications, enterprises need to keep up to date with the latest antivirus software and application versions and patches. Keeping up to date with the latest developments...

Launching Cisco SDM

SDM will be launched from the PC using the If you installed Cisco SDM on an administrator PC, go to the Microsoft Windows program menu (choose Start > Programs (All Programs) > Cisco Systems > Cisco SDM). Then provide the IP address of the LAN interface on the router as configured previously with the Cisco SDM Express Wizard in the Cisco SDM Launcher window. If Cisco SDM is on the router flash memory, open a web browser and enter the new IP address of the LAN interface there. Follow the...

Launching Cisco SDM Express

- For a new router, in a web browser go to
- For existing routers go to https://<router IP address>
The first time that you access the router by web browser, you will get the Cisco SDM Express wizard. On a new router, you can access Cisco SDM Express from your PC web browser by going to IP address http://10.10.10.1. The factory default router configuration file that comes with Cisco SDM configures the router Ethernet IP address to 10.10.10.1. If the proper files are loaded on the router flash...

Layered Defense

- Link layer and network layer encryption and traffic flow security
- Authenticated access controls, audit
- Technical surveillance countermeasures
- Trusted software development and distribution
A comprehensive corporate security policy provides in-depth defense. The figure shows the components of a layered defense strategy.

Locking Down a Router with Cisco AutoSecure

Cisco AutoSecure will modify the configuration of your device. Cisco AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks.
Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1
Enter the interface name that is facing internet: FastEthernet0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service...

Logging

The logging host is a dedicated computer whose only job is to store logs. Connect the logging host to a separate, protected network or a dedicated router interface. Administrators can use logs to verify that a router is working properly or to determine whether the router has been compromised. In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network. Configuring logging (syslog) on the router should be done carefully. Send the...

Management Protocol Best Practices

- Configure SNMP with only read-only community strings
- Set up access control on the device that you wish to manage
- Encrypt syslog traffic within an IPsec tunnel
- Set up access control on the firewall
- Encrypt TFTP traffic within an IPsec tunnel
- Implement your own master clock
- Use ACLs that specify which network devices are allowed to synchronize with other network devices
Here are three recommendations for the correct use of SNMP tools: Configure SNMP with only read-only community...

Management Protocols and Vulnerabilities

The protocols used to manage your network can be a source of vulnerability. This topic describes vulnerabilities in configuration management protocols and recommendations for mitigating these vulnerabilities. If the managed device does not support any of the recommended protocols, such as SSH and SSL, Telnet (not recommended) may have to be used. When the inventors of the Internet developed Telnet, security was not an issue. Modern network administrators should recognize that a Telnet session...

Managing Change

In response to various events, such as user complaints, availability of new features and services, or the discovery of new threats and vulnerabilities, IT system managers and users modify the system and incorporate new features, new procedures, and software updates. The environment also changes. Networking and interconnections increase. Administrators add new users and user groups including internal users, partners, acquisitions, and others. New threats may emerge. Software, hardware, and...

MBSA

You can use a number of the tools and techniques to find vulnerabilities in your network. You will use some of these tools in the lab exercise for this lesson. Once you identify the vulnerabilities, you can consider and implement mitigation steps as appropriate.
GNU Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol.
BluesPortScan: BluesPortScan scans 300 ports per second on a Microsoft Windows NT or Microsoft Windows...

Microsoft Windows dialup networking connection Username and Password fields

An example of dial-up authentication using username and password authentication is shown in the figure. On the client end, a Microsoft Windows dial-up networking connection prompts users for their username and password. This information is sent for authentication over communication lines using TCP/IP and PPP to a remote NAS or a security server. As a matter of policy, do not allow users to check the Save Password check box. Another OTP...

Mitigating Worm Attacks

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. There are four recommended steps for worm attack mitigation:
- Containment: Contain the spread of the worm inside your network and within your network. Compartmentalize uninfected parts of your network.
- Inoculation: Start patching all systems and,...

Module Self Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.
Q1) Considering how routers function, describe the security concerns that arise for unsecured routers. (Source: Applying a Security Policy for Cisco Routers)
Q2) Which command is used to enter privileged or privileged EXEC mode? (Source: Securing Administrative Access to Cisco Routers)
Q3) List the passwords that are, by default, shown as clear text...

Module Summary

This topic summarizes the key points that were discussed in this module. Applying an effective security policy is the most important step that an organization can take to protect itself. The security policy drives all activities undertaken to secure network resources to implement a defense-in-depth strategy. There are many ways to attack networks, and many techniques for reducing vulnerabilities and determining and mitigating common network attacks. Knowing the methodologies used by hackers helps...

Navigating the Cisco SDM Interface

The home page, shown in the figure, appears each time you successfully log in to Cisco SDM. Navigating the Cisco SDM user interface on the home page is done through the toolbar. Two of the modes on the toolbar, Configure mode and Monitor mode, are also used to navigate the interface. To select a mode, click the corresponding button in the toolbar. For each mode, a task panel is available showing the wizard options available for that mode.

Navigating the Cisco SDM Interface Cont

From the task panel that appears, launch wizards. Configure mode provides wizards for the novice. More experienced users are able to perform tasks in any order and outside of the wizards. Monitor mode is where the user can view the current status of the router. The Refresh button is used to resynchronize the router running configuration with Cisco SDM, because Cisco SDM does not synchronize with the router configuration automatically. The Save button is...

NTP: Many NTP servers on the Internet do not require any authentication of peers

Use Simple Network Management Protocol (SNMP) to remotely retrieve information from a network device (commonly referred to as read-only access) or to configure parameters on the device (commonly referred to as read-write access). SNMP uses passwords (called community strings) within each message as a very simple form of security. Unfortunately, most implementations of SNMP on networking devices today send the community string in clear text along with the message. Just like Telnet, anyone with a...


List the three steps in network design development. (Source: Designing a Secure Network Life-Cycle Model)
Q40) Define each of these terms in the context of security policies. (Source: Developing a Comprehensive Security Policy)
Q41) Give three reasons for having a security policy. (Source: Developing a Comprehensive Security Policy)
Q42) List three of the components of a comprehensive security policy. (Source: Developing a Comprehensive Security Policy)...

Objectives

Upon completing this lesson, you will be able to explain how to meet the security needs of a typical enterprise with a comprehensive security policy. This ability includes being able to meet these objectives:
- Explain the goals of a security policy
- Describe the essential functions of a security policy
- Describe the components of a comprehensive security policy
- Describe the process of developing a security policy within a typical corporate environment
- Describe the activities included in the plan...

Packet sniffers

Password attacks are implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account, password, or both. These repeated attempts are the brute-force attacks discussed earlier. To execute a brute-force attack, an attacker can use a program that runs across the network and attempts...

Password Attack Example

L0phtCrack can take the hashes of passwords and generate clear text passwords from them. Passwords are computed using two methods Just as with packet sniffer and IP spoofing attacks, a brute-force password attack can provide access to accounts that attackers then use to modify critical network files and services. For example, an attacker compromises your network integrity by modifying your network routing tables. This trick reroutes all network packets to the attacker before transmitting them...

Perform remote alarming and monitoring

Electrical supply problems can be limited by adhering to these guidelines:
- Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
- Install backup generator systems for mission-critical supplies.
- Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer suggested preventive maintenance schedule.
- Install redundant power supplies on critical devices.
- Monitor and alarm power-related parameters at the power...

Policy Management

To ensure that your policies do not become obsolete, you should implement a regular review process. The review process should include some form of update mechanism to translate any changes in the organizational operating environment into your security policy as quickly as possible. You must identify and charter a specific department or group, such as the data security department, with the custodianship of the security policy. This organization should also be responsible for conducting a regular...

Port redirectors can help bypass port filters, routers, and firewalls and may even be encrypted over a Secure Sockets

Back doors provide hackers with a way into the system if they are detected trying to enter through the front door, or if they want to enter the system without being detected. The most common backdoor point is a listening port that provides remote access to the system for users (hackers) who do not have, or do not want to use, access or administrative privileges. Firewalls or router filtering may prevent the hacker from later accessing these ports. However, common router filtering may not block...

Programs and utilities

Uwhois: The http://www.uwhois.com web interface performs whois lookups, forward and reverse DNS searches, and traceroutes.
Nmap: Network Mapper (Nmap) is a free open source utility for network exploration or security auditing. Nmap rapidly scans large networks and single hosts. Go to http://www.insecure.org/nmap/.
Foundstone ScanLine: Foundstone ScanLine is a Microsoft Windows NT-based port scanner.
Keep all sensitive data off...

Reconnaissance Attacks

Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications. Reconnaissance attacks include these attacks Internet information queries Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance is also known as information gathering, and in most cases, precedes an actual access or denial of service (DoS) attack. First, the malicious intruder typically...

Recovery and reconstitution

- Respond quickly to intrusions.
- Restore critical services.
This figure lists some of the operational focus areas associated with the defense-in-depth operational element. The operational element focuses on all of the activities required to sustain the organization security posture on a daily basis. The operational element performs these functions:
- Maintaining a visible and up-to-date system security policy
- Certifying and accrediting changes to the information technology baseline....


Remote environmental alarming recording and monitoring

Take these actions to limit environmental damage to Cisco network devices:
- Supply the room with dependable temperature and humidity control systems. Always verify the recommended environmental parameters of the Cisco network equipment with the supplied product documentation.
- Remove any sources of electrostatic and magnetic interference in the room.
- If possible, remotely monitor and alarm the environmental parameters of the room.

RFC 3704 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the

The first recommendation is to use IPsec, SSH, or SSL to encrypt management traffic to protect sensitive information such as the device configuration, passwords, and other sensitive data. Regardless of whether you use SSH, SSL, or Telnet for remote access to the managed device, you should also configure ACLs to allow only management servers to connect to the device. Deny and log all attempts from other IP addresses. Implement RFC 3704 filtering at the ingress router to reduce the chance...

Run setup.exe

Note: Cisco SDM is factory installed in some router models.
Cisco SDM is a web-based tool that is supported on Microsoft Windows-based PC platforms. You should refer to the Cisco Router and Security Device Manager Quick Start Guide for details on the operating systems and web browsers that are supported by Cisco SDM. Cisco SDM is factory installed in some router models. If it is not installed on your router, it will either be available on a CD-ROM that is included with new routers or it can be...