Introduction to Network Security
© 2003, Cisco Systems, Inc. All rights reserved.
SEC-10008020_05_2003_c2
Agenda
• Security Year in Review: Slammer, et al.
• Security Policy: Setting a Good Foundation
• Extended Perimeter Security: Define the Perimeter, Firewalls, ACLs
• Identity Services: Passwords, Tokens, PKI, Biometrics
• Secure Connectivity: Work Happens Everywhere, Virtual Private Networks
• Intrusion Protection: Network, Host
• Security Management: Wrapping It All Together
Security Year in Review
• Are incidents decreasing?
• SQL slammer
• Other security headlines
Are Incidents Decreasing?
Source: FBI 2002 Report on Computer Crime
Compare This to the Cost of Implementing a Comprehensive Security Solution!
Type of Crime                        2001       2002
Theft of Proprietary Information     $151.2     $170.8
Financial Fraud                      $92.9      $115.7
Insider Net Abuse                    $45.3      $49.9
Sabotage                             $5.2       $15.1
Unauthorized Access by Insiders      $6.1       $4.5
Laptop Theft                         $8.8       $11.7
Denial of Service                    $4.3       $18.4
System Penetration by Outsiders      $19.0      $13.0
Total                                $378M      $456M
(losses in millions of US dollars)
Number of Incidents Always on the Rise
[Chart: CERT, Number of Incidents Reported (*), 1988–2002, y-axis 0–90,000 incidents] http://www.cert.org/stats/cert_stats.html#incidents
(*) An incident may involve one site or hundreds (or even thousands) of sites; also, some incidents may involve ongoing activity for long periods of time
Two of the Most Serious Intruder Activities Reported to the CERT/CC in 2002
• Exploitation of vulnerabilities in Microsoft SQL Server
Intruders compromised systems through the automated exploitation of null or weak default SA passwords in Microsoft SQL Server and Microsoft Data Engine; the CERT/CC published advice on protecting systems that run Microsoft SQL Server in CA-2002-04 (February 25, 2002)
In July 2002, intruders continued to compromise systems and obtain sensitive information by exploiting several serious vulnerabilities in Microsoft SQL Server; the CERT/CC published additional advice in CA-2002-22 (July 29, 2002)
• Apache/mod_ssl Worm
Intruders used a piece of self-propagating malicious code (referred to here as Apache/mod_ssl) to exploit a vulnerability in OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol
The CERT/CC initially published CA-2002-23 (July 30, 2002), describing four vulnerabilities in OpenSSL that could be used to create denial of service; when these and other vulnerabilities finally manifested themselves in the form of the Apache/mod_ssl Worm, the CERT/CC published advice in CA-2002-27 (September 14, 2002)
The SQL Slammer Worm: What Happened?
• Released at 5:30 GMT, January 25, 2003
• Saturation point reached within 2 hours of start of infection
• 250,000–300,000 hosts infected
• Internet connectivity affected worldwide
The SQL Slammer Worm: 30 Minutes after “Release”
• Infections doubled every 8.5 seconds
• Spread 100x faster than Code Red
• At peak, scanned 55 million hosts per second
Network Effects of the SQL Slammer Worm
• Several service providers noted significant bandwidth consumption at peering points
• Average packet loss at the height of infections was 20%
• South Korea lost almost all Internet service for a period of time
• Financial ATMs were affected
• SQL Slammer overwhelmed some airline ticketing systems
Security Policy
• Setting a good foundation
• What is a security policy?
• Why create a security policy?
• What should it contain?
Start with a Security Policy
• Security policy defines and sets a good foundation by:
Definition: define the data and assets to be covered by the security policy
Identity: how do you identify the hosts and applications affected by this policy?
Trust: under what conditions is communication allowed between networked hosts?
Enforceability: how will the policy's implementation be verified?
Risk Assessment: what is the impact of a policy violation? How are violations detected?
Incident Response: what actions are required upon a violation of a security policy?
What Is a Security Policy?
“A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
RFC 2196, Site Security Handbook
Why Create a Security Policy?
• To create a baseline of your current security posture
• To set the framework for security implementation
• To define allowed and not allowed behaviors
• To help determine necessary tools and procedures
• To communicate consensus and define roles
• To define how to handle security incidents
What Should the Security Policy Contain?
• Statement of authority and scope
• Acceptable use policy
• Identification and authentication policy
• Internet use policy
• Campus access policy
• Remote access policy
• Incident handling procedure
Security Policy Elements
• On the left are the network design factors on which security policy is based
• On the right are the basic Internet threat vectors that security policies are written to mitigate
[Diagram: POLICY in the center]
Network design factors (left): Topology/Trust Model; Usage Guidelines; Application Definition; Host Addressing; Data Assessment
Threat vectors (right): Vulnerabilities; Denial of Service; Reconnaissance; Misuse
Enforcement
• Secure
Identity and authentication
Filtering and stateful inspection
Encryption and VPNs
• Monitor
Intrusion detection and response
Content-based detection and response
Employee monitoring
• Audit
Security posture assessment
Vulnerability scanning
Patch verification/application auditing
• Manage
Secure device management
Event/data analysis and reporting
Network security intelligence
[Diagram: the Security Wheel, with Secure, Monitor, Audit and Manage arranged in a cycle around Policy]
Risk Assessment
• Some elements of network security are absolute, others must be weighed relative to the potential risk
When you connect to the Internet, the Internet connects back to you
• Sound operational procedures and management are easier to implement than technical solutions
You can’t secure a bad idea
• The cost of secure solutions must be factored into the overall Return on Investment (ROI)
Security must be included in planning and design
Effective security requires managerial commitment
What Is Trust?
• Trust is the inherent ability for hosts to communicate within a network design
• Trust and risk are opposites; security is based on enforcing and limiting trust
• Within subnets, trust is based on Layer 2 forwarding mechanisms
• Between subnets, trust is based on Layer 3+ mechanisms
Incident Response
• Attacks are intentional; there are no accidental or stray IP packets
• Four levels of incident response:
Network misuse
Reconnaissance
Attack
Compromise
• Without incident response plans, only passive defenses have value
Extended Perimeter Security
• Can you define the perimeter?
Dissimilar policy boundaries
• Access control
• Firewalls—first line of defense
Can You Define the Perimeter?
[Diagram: an enterprise network with no single perimeter. Campus LAN, Campus/WAN Backbone, Mainframe, Multiservice WAN (Sonet, IP, ATM, Frame Relay), ISDN, PSTN, Multi-Gigabit Ethernet, IP Telephony, Video Conferencing, Storage, Content Networking, Security/VPN, Enterprise Mobility, Mobile Users, Telecommuters, Suppliers, International Sales Offices]
Filtering Network Traffic
• Examining the flow of data across a network
• Types of flows:
Packets
Connections
State
Access Control Lists (ACLs)
• Simple ACLs look at information in IP packet headers
• Many filters are based on the packet's source and destination IP address
• Extended ACLs look further into the packet, at the TCP or UDP port number in use for the TCP/IP connection between hosts
[Diagram: the 20-byte IP packet header, bits 0–31, highlighting the Source IP Address and Destination IP Address fields]
The Evolution of ACLs…
• Dynamic ACLs
Lock-and-key filtering (Dynamic ACLs) allows an authenticated user to pass traffic that would normally be blocked at the router
• Reflexive ACLs
Creates a temporary ACL entry that allows specified IP packets to be filtered based on TCP or UDP session information; the entry “expires” shortly after the session ends (no sequence #)
Firewalls
• Four types of firewalls
Proxies (application-layer firewalls)
Stateful
Hybrid
Personal
• Implementation methods
Software
Appliance
Proxy Firewalls
• Proxy firewalls permit no traffic to pass directly between networks
• Provide “intermediary” style connections between the client on one network and the server on the other
• Also provide significant logging and auditing capabilities
• For HTTP (application-specific) proxies, all web browsers must be configured to point at the proxy server
• Example: Microsoft ISA Server
Stateful Firewalls
• Access Control Lists plus…
• Maintaining state
Stateful firewalls inspect and maintain a record (a state table) of the state of each connection that passes through the firewall
To adequately maintain the state of a connection the firewall needs to inspect every packet
But short cuts can be made once a packet is identified as being part of an established connection
Different vendors record slightly different information about the state of a connection
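The following is an added example, not code from the Cisco deck, that models the simple ACL, extended ACL, reflexive ACL and stateful-inspection behaviour described on the ACL, Evolution of ACLs and Stateful Firewalls slides above; addresses, ports and the 30-second idle timeout are assumed sample values.

```python
"""Added example, not from the Cisco deck: a small model of the filtering ideas
on the ACL, reflexive ACL and stateful firewall slides.  A Rule with only
src/dst is a simple ACL entry; one with proto/dport is an extended ACL entry;
the state table gives the reflexive/stateful behaviour: a permitted session
creates a temporary entry that lets the reply through and expires after an
idle timeout.  Addresses, ports and timeouts are constructed sample values."""
import ipaddress
from typing import Optional


class Packet:
    def __init__(self, src, dst, proto, sport, dport):
        self.src, self.dst, self.proto = src, dst, proto
        self.sport, self.dport = sport, dport

    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):          # the 5-tuple the reply packet will carry
        return (self.dst, self.src, self.proto, self.dport, self.sport)


class Rule:
    def __init__(self, action, src="0.0.0.0/0", dst="0.0.0.0/0",
                 proto: Optional[str] = None, dport: Optional[int] = None):
        self.action = action                      # "permit" or "deny"
        self.src = ipaddress.ip_network(src)      # simple-ACL fields
        self.dst = ipaddress.ip_network(dst)
        self.proto, self.dport = proto, dport     # extended-ACL fields (None = any)

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFilter:
    """ACL rules plus a state table of permitted sessions.  Packets belonging to
    an established session are accepted from the table without re-evaluating
    the ACL (the 'short cut' the slide mentions); everything else goes through
    the rules top-down with an implicit deny at the end."""

    def __init__(self, rules, idle_timeout=30.0):
        self.rules = list(rules)
        self.idle_timeout = idle_timeout
        self.state = {}                 # 5-tuple of the initiating packet -> last seen

    def _expire(self, now):
        for k in [k for k, t in self.state.items() if now - t > self.idle_timeout]:
            del self.state[k]           # temporary entry "expires" after the session

    def filter(self, p: Packet, now: float) -> str:
        self._expire(now)
        for k in (p.key(), p.reverse_key()):
            if k in self.state:
                self.state[k] = now     # refresh the idle timer
                return "permit (established)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "permit":
                    self.state[p.key()] = now   # reflexive entry for the reply
                return rule.action
        return "deny"                   # implicit deny


def demo(t0=1000.0):
    """Return the verdicts for a constructed packet sequence."""
    rules = [
        # extended ACL entries: inside hosts may open HTTP and DNS outbound
        Rule("permit", src="10.0.0.0/24", proto="tcp", dport=80),
        Rule("permit", src="10.0.0.0/24", proto="udp", dport=53),
    ]
    fw = StatefulFilter(rules, idle_timeout=30.0)
    request = Packet("10.0.0.5", "198.51.100.10", "tcp", 40001, 80)
    reply = Packet("198.51.100.10", "10.0.0.5", "tcp", 80, 40001)
    # same server, but a port pair no inside host asked for: no matching state
    unsolicited = Packet("198.51.100.10", "10.0.0.5", "tcp", 80, 40002)
    telnet_out = Packet("10.0.0.5", "198.51.100.10", "tcp", 40003, 23)
    return [
        fw.filter(request, t0),          # permit: rule matched, state created
        fw.filter(reply, t0 + 1),        # permit (established): from the table
        fw.filter(unsolicited, t0 + 1),  # deny: no state, no permitting rule
        fw.filter(telnet_out, t0 + 2),   # deny: port 23 is not in the extended ACL
        fw.filter(reply, t0 + 100),      # deny: entry expired after 30 s idle
    ]
```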
Hybrid Firewalls
• Hybrid firewalls combine features of other firewall approaches such as…
Access Control Lists
Application specific proxies
State tables
• Plus features of other devices…
Web (HTTP) cache
Specialized servers SSH, SOCKS, NTP
May include VPN, IDS
Personal Firewalls
• Personal firewalls
Protecting remote users/home users
Watching inbound/outbound traffic
Creating basic rules
• Example—ZoneAlarm
Identity Services
• User identity
• Passwords
• Tokens
• PKI
• Biometrics
User Identity
• Mechanisms for proving who you are
Both people and devices can be authenticated
• Three authentication attributes:
Something you know
Something you have
Something you are
• Common approaches to Identity:
Passwords
Tokens
Certificates
Validating Identity
• Identity within the network is based overwhelmingly on IP Layer 3 and 4 information carried within the IP packets themselves
Application-level user authentication exists, but is most commonly applied on endpoints
• Therefore, identity validation is often based on two mechanisms:
Rule matching
Matching existing session state
• Address and/or session spoofing is a major identity concern
Passwords
• Correlates an authorized user with network resources
[Screenshot: PIX Firewall login dialog, “Username and Password Required”, “Enter username for CCO at www.com”, with sample user name student and password 123@456]
Passwords
• Passwords have long been, and will continue to be a problem
• People will do what is easiest
• Create and enforce good password procedures
Non-dictionary passwords
Changed often (90–120 days)
• Passwords are like underwear—they should be changed often and neither hung from your monitor nor hidden under your keyboard
Tokens
• Strong (2-factor) Authentication based on “something you know” and “something you have”
[Diagram: the user enters user name jdoe and one-time passcode 234836 in the PIX Firewall login dialog (“Username and Password Required”, “Enter username for server at www.com”); the PIX Firewall checks the credentials with the Ace Server, and access is granted or denied]
Public Key Infrastructure (PKI)
• Relies on a two-key system
J Doe signs a document with his private key
Person who receives that document uses JDoe’s public key to verify authenticity and decrypt
[Diagram: jdoe tells the Certificate Authority (us.org) “I am jdoe!” and receives a certificate “This Is jdoe”, signed by us.org; the recipient across the Internet uses the certificate to authenticate and decrypt]
Biometrics
• Authentication based on physiological or behavioral characteristics
Features can be based on: face, fingerprint, eye, hand geometry, handwriting, voice
• Becoming more accepted and widely used
Already used in government, military, retail, law enforcement, health and social services, etc.
Secure Connectivity
• Work happens everywhere!
• Virtual Private Networks
Work Happens Everywhere: Increasing Need for Transparent Corporate Connectivity
• On the road (hotels, airports, convention centers)
280 million business trips a year
Productivity decline away from office >60–65%
• At home (teleworking)
137 million telecommuters by 2003
40% of U.S. telecommuters from large or mid-size firms
• At work (branch offices, business partners)
E-business requires agile networks
Branch offices should go where the talent is
Source: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners Instat 5/01); At Work (Wharton Center for Applied Research)
What Are VPNs?
• A network built on a less expensive shared infrastructure with the same policies and performance as a private network
[Diagram: a Virtual Private Network connecting Central/HQ, Regional Sites, Branches, SoHo, Telecommuters, Mobile Users, Partners and Customers]
Secure Connectivity
• Defines “peers”
Two devices in a network that need to connect
Tunnel makes peers seem virtually next to each other
Ignores network complexity in between
• Technologies
PPTP—Point-to-Point Tunneling Protocol
L2TP—Layer 2 Tunneling Protocol
IPSec
Secure shell
SSL
Encryption
• Symmetric Cryptography
Uses a shared secret key to encrypt and decrypt transmitted data
Data flow is bidirectional
• Provides data confidentiality only
Does not provide data integrity or non-repudiation
• Examples: DES, 3DES, AES
Symmetric Cryptography
Figure: cleartext is encrypted (locked) and decrypted (unlocked) with one secret key shared by both sides, giving data confidentiality.
Encryption
• Asymmetric cryptography
Also known as Public Key Cryptography
Utilizes two keys: private and public keys
The two keys are mathematically related but have different values
• Computationally intensive
• Provides data confidentiality
Can provide for data integrity as well as non-repudiation
• Examples: RSA signatures
Asymmetric Cryptography
Figure: cleartext is encrypted (locked) with the public key and decrypted (unlocked) with the matching private key.
Digital Signatures
Figure: the message goes through a one-way hash function (MD5, SHA1) to produce the hash of the message (shown as 0FB6CD3451DA); the hash is encrypted with the sender's private key, and the digital signature is the encrypted hash.
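The signature flow in the figure, as an added example that is not from the deck: textbook RSA on known Mersenne primes with SHA-1 as the one-way hash, verifying with the sender's public key. The key pairs, the message and the names Alice and Bob are constructed.

```python
"""Digital signature as the slide describes it: hash the message, encrypt the
hash with the sender's private key, verify with the sender's public key.

Added example, not from the Cisco deck. Textbook RSA with known Mersenne
primes so the numbers are reproducible; a real deployment uses 2048-bit keys
and a padding scheme (PKCS#1), and MD5/SHA1, the functions the slide names,
are no longer considered collision-resistant. Needs Python 3.8+ for
pow(e, -1, phi).
"""
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). p and q must be primes with gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Known primes 2^89-1, 2^107-1, 2^61-1 and 2^127-1 (Mersenne primes). Each modulus
# is about 190 bits, larger than a 160-bit SHA-1 digest, which textbook RSA needs.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair((1 << 89) - 1, (1 << 107) - 1)
BOB_PUBLIC, BOB_PRIVATE = make_keypair((1 << 61) - 1, (1 << 127) - 1)


def hash_message(message: bytes) -> int:
    """One-way hash of the message (SHA1 here), as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """The signature is the hash 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(hash_message(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Undo the private-key operation with the public key and compare hashes."""
    n, e = public_key
    return pow(signature, e, n) == hash_message(message)


if __name__ == "__main__":
    msg = b"Pay Bob 100 USD"
    sig = sign(ALICE_PRIVATE, msg)
    print(verify(ALICE_PUBLIC, msg, sig))                          # True: intact, from Alice
    print(verify(ALICE_PUBLIC, b"Pay Bob 900 USD", sig))          # False: message altered
    print(verify(ALICE_PUBLIC, msg, sign(BOB_PRIVATE, msg)))       # False: not Alice's key
```

Only Alice's private key produces a signature that Alice's public key accepts, which is what gives the non-repudiation the previous slide lists.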
Security Association
• A Security Association (SA) is an agreement between two peers on a common security policy, including:
If and how data will be encrypted
How entities will authenticate
Shared session keys
How long the association will last (lifetime)
• Types of security associations
Uni-directional (IPSec SAs)
Bi-directional (IKE SAs)
IKE SA—Main Mode
IPSec SAs—Quick Mode
Figure: SAs negotiated between two peers.
What Is IPSec?
• IPSec: An IETF standard* framework for the establishment and management of data privacy between network entities
IPSec is an evolving standard
*RFC 2401–2412
Figure: packet layouts. An IP data packet is IP | TCP | Data. With Authentication Header (AH) it becomes IP | AH | TCP | Data, and the whole packet is authenticated. With Encapsulating Security Payload (ESP) it becomes IP | ESP Header | TCP | Data | ESP Trailer | ESP Auth; TCP, Data and the ESP Trailer are encrypted, and everything from the ESP Header through the ESP Trailer is authenticated.
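The ESP layout above, as an added example that is not from the deck: a constructed ESP packet is built and parsed field by field, and the sequence number in the ESP Header is run through the anti-replay window a receiver keeps per SA. The payload is left unencrypted and the ESP Auth field is a placeholder so the structure stays visible.

```python
"""The ESP packet layout from the slide (ESP Header | payload | ESP Trailer |
ESP Auth) and the receiver's anti-replay check on the sequence number that
the ESP Header carries.

Added example, not from the Cisco deck. The packet bytes are constructed;
the payload is left unencrypted so the layout stays visible, and the ESP Auth
value (ICV) is a constructed placeholder rather than a real HMAC. Field sizes
follow RFC 2406 (SPI 4 bytes, sequence number 4 bytes, trailer = padding,
pad length 1 byte, next header 1 byte); the window follows RFC 2401 App. C.
"""
import struct

ICV_LEN = 12   # HMAC-MD5-96 / HMAC-SHA-1-96 truncated ICV length
TCP = 6        # next-header value for the TCP segment the slide shows inside ESP


def build_esp(spi: int, seq: int, payload: bytes, next_header: int = TCP,
              block: int = 4, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """Constructed ESP packet: header, payload, padding to a block boundary,
    pad length, next header, then the ESP Auth field."""
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))   # RFC 2406 default padding 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer + icv


def parse_esp(packet: bytes, icv_len: int = ICV_LEN) -> dict:
    """Split a packet back into the fields the slide labels."""
    spi, seq = struct.unpack("!II", packet[:8])         # ESP Header: authenticated, not encrypted
    body, icv = packet[8:-icv_len], packet[-icv_len:]    # encrypted part, then ESP Auth
    pad_len, next_header = body[-2], body[-1]            # ESP Trailer
    payload = body[:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "payload": payload, "pad_len": pad_len,
            "next_header": next_header, "icv": icv}


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (default 64 wide)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """True if `seq` is fresh and now recorded; False for replays or too-old packets."""
        if seq == 0:                             # 0 is never sent; the first packet is 1
            return False
        if seq > self.top:                       # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # fell off the left edge of the window
            return False
        if self.bitmap & (1 << offset):          # already accepted once: a replay
            return False
        self.bitmap |= 1 << offset
        return True


def receive(packet: bytes, window: ReplayWindow):
    """Receiver side: parse, then drop replays. A real implementation verifies the
    ICV before updating the window so a forged sequence number cannot poison it."""
    esp = parse_esp(packet)
    return esp if window.check_and_update(esp["seq"]) else None
```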
Key Management
• IKE = Internet Key Exchange protocols
• Public key cryptosystems enable secure exchange of private crypto keys across open networks
• Re-keying at appropriate intervals
An IPSec VPN Is…
• IPSec provides the framework that lets you negotiate exactly which options to use
IPSec provides flexibility to address different networking requirements
• A VPN which uses IPSec to ensure data authenticity and confidentiality
AH provides authenticity
ESP provides authenticity and confidentiality
• The IPSec framework is open and can accommodate new encryption and authentication techniques
Intrusion Protection
• Monitoring the network and hosts
• Network scanning
• Packet sniffing
• Intrusion detection primer
Monitoring
Figure: traffic-monitoring analogy, asking where a car came from and where a van is going.
Network Scanning
• “Active” tool
Identifies devices on the network
Useful in network auditing
• “Fingerprinting”
How a scanner figures out what OS and version is installed
• Examples: Nmap, Nessus
Packet Sniffing
• Diagnostic tools
Used to capture packets
Used to examine packet data (filters)
Can reconstruct sessions and streams
• Sniffers can be “promiscuous”
Passive, listening
• Examples: Sniffer, Ethereal
Intrusion Detection
• Create a system of distributed “promiscuous” Sniffer-like devices
Watching activity on a network and specific hosts
• Different approaches
Protocol anomaly/signature detection
Host-based/network-based
• Different IDS technologies can be combined to create a better solution
Terminology
• False positives: System mistakenly reports certain benign activity as malicious
• False negatives: System does not detect and report actual malicious activity
Intrusion Detection Approaches
Misuse/Signature vs. Anomaly Detection
Network vs. Host-Based
Anomaly vs. Signature Detection
• Anomaly detection: Define normal, authorized activity, and consider everything else to be potentially malicious
• Misuse/signature detection: Explicitly define what activity should be considered malicious
Most commercial IDS products are signature-based
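The two approaches side by side, as an added example that is not from the deck: a signature detector and an anomaly detector run over constructed connection records with known ground truth, and each is scored with the false-positive and false-negative terms from the Terminology slide. Addresses, rules and thresholds are constructed.

```python
"""Signature (misuse) detection vs. anomaly detection, scored with the deck's
terms: false positives (benign flagged) and false negatives (malicious missed).

Added example, not from the Cisco deck. All connection records, the baseline
period and the ground-truth labels are constructed; the two signatures are
illustrative policy rules (clear-text telnet, which the deck says to replace
with SSH, and one source touching many destination ports).
"""
from collections import defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    src: str
    dst: str
    dport: int
    malicious: bool   # ground truth, known only when scoring the detector


# Constructed traffic from a baseline period: this is what "normal" looks like.
BASELINE = [
    Conn("10.0.0.5", "10.0.1.10", 80, False),
    Conn("10.0.0.6", "10.0.1.10", 80, False),
    Conn("10.0.0.5", "10.0.1.20", 25, False),
    Conn("10.0.0.7", "10.0.1.30", 23, False),    # an old switch still managed by telnet
]

# Constructed traffic to be judged, with labels for scoring.
OBSERVED = [
    Conn("10.0.0.5", "10.0.1.10", 80, False),    # routine web
    Conn("10.0.0.7", "10.0.1.30", 23, False),    # routine, policy-violating telnet
    Conn("10.0.0.9", "10.0.1.40", 443, False),   # new server, benign but never seen
    Conn("192.0.2.44", "10.0.1.10", 21, True),   # one outside host sweeping ports
    Conn("192.0.2.44", "10.0.1.10", 22, True),
    Conn("192.0.2.44", "10.0.1.10", 23, True),
    Conn("192.0.2.44", "10.0.1.10", 25, True),
    Conn("192.0.2.44", "10.0.1.10", 80, True),
    Conn("10.0.0.6", "10.0.1.20", 25, True),     # misuse of an otherwise normal path
]

PROBE_PORTS = 4   # distinct destination ports from one source before we call it a probe


def signature_detect(conns):
    """Misuse detection: flag only what an explicit rule defines as malicious."""
    ports_by_src = defaultdict(set)
    for c in conns:
        ports_by_src[c.src].add(c.dport)
    flagged = set()
    for i, c in enumerate(conns):
        if c.dport == 23:                               # rule 1: clear-text telnet
            flagged.add(i)
        if len(ports_by_src[c.src]) >= PROBE_PORTS:     # rule 2: port probe
            flagged.add(i)
    return flagged


def anomaly_detect(baseline, conns):
    """Anomaly detection: define normal (dst, port) pairs, suspect everything else."""
    normal = {(c.dst, c.dport) for c in baseline}
    return {i for i, c in enumerate(conns) if (c.dst, c.dport) not in normal}


def score(conns, flagged):
    """Apply the deck's definitions to a detector's output."""
    tp = sum(1 for i, c in enumerate(conns) if i in flagged and c.malicious)
    fp = sum(1 for i, c in enumerate(conns) if i in flagged and not c.malicious)
    fn = sum(1 for i, c in enumerate(conns) if i not in flagged and c.malicious)
    return {"true_positives": tp, "false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    print("signature:", score(OBSERVED, signature_detect(OBSERVED)))
    print("anomaly:  ", score(OBSERVED, anomaly_detect(BASELINE, OBSERVED)))
```

Each approach misses what the other catches: the signatures miss the misuse of a normal path, while the anomaly detector misses the probe's hits on ports already in the baseline and flags the new benign server, which is why the deck says the technologies are best combined.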
Host vs. Network-Based
• Host-based “agent” software monitors activity on the computer on which it is installed
Cisco HIDS (Okena)—System activity
TripWire—File system activity
• Network-based appliance collects and analyzes activity on a connected network
• Integrated IDS
Network-based IDS functionality as deployed in routers, firewalls, and other network devices
Some General Pros and Cons
Host-Based
Pros:
• Can verify success or failure of attack
• Generally not impacted by bandwidth or encryption
• Understands host context and may be able to stop attack
Cons:
• Impacts host resources
• Operating system dependent
• Scalability—requires one agent per host
Network-Based
Pros:
• Protects all hosts on monitored network
• No host impact
• Can detect network probes and denial of service attacks
Cons:
• Switched environments pose challenges
• Monitoring multi-gig is currently challenging
• Generally can’t proactively stop attacks
Should View as Complementary!
Network IDS Sensor
Figure: monitoring the network. The sensor captures data from the monitored segment through a passive interface that has no IP address, and reports over a separate network link, which does have an IP address, to the management console.
Host IDS Sensor
Passive Agent (OS Sensor), fed by Syslog
• Syslog monitoring
• Detection
• Wider platform support
Active Agent (Server Sensor)
• Attack interception
• Prevention
• Focused protection
Typical IDS Architecture
• Management console: real-time event display, event database, sensor configuration
• Sensor: packet signature analysis, generate alarms, response/countermeasures
• Host-based: generate alarms, response/countermeasures
Figure: an IDS sensor on the production network segment and a host-based IDS, both communicating with the management console (component communications).
Too Many Choices?
• Generally, most efficient approach is to implement network-based IDS first
Easier to scale and provides broad coverage
Less organizational coordination required
No host/network impact
• May want to start with host-based IDS if you only need to monitor a couple of servers
• Vast majority of commercial IDS is signature-based
• Keep in mind that IDS is not the “security panacea”
Security Management
• Wrapping it all together
• Security management
Scalable and manageable
• Syslog and log analysis
Wrapping It All Together
• In the previous sections we discussed:
Security policy
Perimeter security and filtering
Identity services
Virtual Private Networks
Intrusion detection and prevention systems
• No one system can defend your networks and hosts
With all this technology, how do we survive?
Integrated Network Security
Figure: security functions (VPN, firewall, intrusion protection, identity services, network services) delivered with end-to-end coverage (network and end point security), flexible deployment (security appliances, switch modules, router modules, security software), and security management (device manageability, embedded management tools, security policy, monitoring and analysis, distributed investigation, network and service management): seamless collaboration of security and networking services.
Security Management
• How to manage the network securely
• In-band versus out-of-band management
In-band management—management information travels the same network path as the data
Out-of-band management—a second path exists to manage devices; does not necessarily depend on the LAN/WAN
• If you must use in-band, be sure to use
Encryption
SSH instead of telnet
• Making sure that policies are in place and that they are working
Syslog
• A protocol that supports the transport of event notification messages
Originally developed as part of BSD Unix
• Syslog is supported on most internetworking devices
• BSD Syslog—IETF RFC 3164
The RFC documents BSD Syslog observed behavior
• Work continues on reliable and authenticated Syslog
http://www.employees.org/~lonvick/index.shtml
Log Analysis
• Log analysis is the process of examining Syslog and other log data
Building a baseline of what should be considered normal behavior
This is “post event” analysis because it is not happening in real-time
• Log analysis is looking for
Signs of trouble
Evidence that can be used to prosecute
• If you log it, read and use it!
• Resources
http://www.counterpane.com/log-analysis.html
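Syslog parsing and a first log-analysis pass over it, as an added example that is not from the deck: it decodes RFC 3164 PRI values into facility and severity, then scans a constructed sample (opening with the RFC's own example message) for the signs of trouble the slide mentions. The triage rules and the IOS-style ACL line are constructed.

```python
"""Parse BSD Syslog (RFC 3164) messages and run a first "post event" analysis
pass over them: decode PRI into facility and severity, then look for the
signs of trouble the deck lists.

Added example, not from the Cisco deck. The first log line is the example
message from RFC 3164 itself; the rest are constructed, including the
IOS-style ACL message. The triage rules are illustrative.
"""
import re
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2"] + \
             ["local%d" % i for i in range(8)]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT  (RFC 3164 section 4.1, PRI = facility*8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./%-]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<content>.*)$"
)

# Constructed sample, with the RFC 3164 example message first.
LOGS = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<34>Oct 11 22:14:19 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<38>Oct 11 22:15:02 mymachine sshd[812]: Accepted publickey for ops from 10.0.0.5 port 51422 ssh2",
    "<190>Oct 11 22:16:40 edge-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(3344) -> 10.0.1.10(23), 1 packet",
    "<0>Oct 11 22:17:01 mymachine kernel: panic: out of memory",
    "this line is not syslog at all",
]


def parse_syslog(line: str):
    """Return the message fields, or None if the line is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # facility 23 * 8 + severity 7 is the largest legal PRI
        return None
    fields = m.groupdict()
    fields["facility"] = FACILITIES[pri // 8]
    fields["severity_num"] = pri % 8
    fields["severity"] = SEVERITIES[pri % 8]
    return fields


def signs_of_trouble(lines):
    """Post-event pass: anything at err or worse, auth failures, ACL denies.
    Returns the findings as (host, reason) pairs plus the count of unparsable lines."""
    findings, unparsed = [], 0
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            unparsed += 1               # unparsable lines deserve a look too
            continue
        if msg["severity_num"] <= SEVERITIES.index("err"):
            findings.append((msg["host"], "severity " + msg["severity"]))
        if msg["facility"] in ("auth", "authpriv") and "failed" in msg["content"]:
            findings.append((msg["host"], "auth failure"))
        if "denied" in msg["content"]:
            findings.append((msg["host"], "acl deny"))
    return findings, unparsed


def failed_auth_by_host(lines) -> Counter:
    """Baseline material: how many authentication failures each host reports."""
    return Counter(host for host, reason in signs_of_trouble(lines)[0]
                   if reason == "auth failure")
```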
Security = Tools Implementing Policy
• Now more than ever
Identity tools
Filtering tools
Connectivity tools
Monitoring tools
Management tools
The Threat Forecast
• New vulnerabilities and exploits are uncovered every day
Subscribe to bugtraq to watch the fun!
• Crystal ball
Attacks will continue
Greater complexity
Still see unpatched vulnerabilities taken advantage of
Conclusions
• Things sound dire!!!
• The sky really is not falling!!!
• Take care of those security issues that you have control over
• Security is a process, not a box!
Security Resources at Cisco
• Cisco Connection Online—
http://www.cisco.com/go/security
• Cisco Product Specific Incident Response Team (PSIRT)—
http://www.cisco.com/go/psirt
Security Resources on the Internet
• Cisco Connection Online—http://www.cisco.com
• SecurityFocus.com—http://www.securityfocus.com
• SANS—http://www.sans.org
• CERT—http://www.cert.org
• CIAC—http://www.ciac.org/ciac
• CVE—http://cve.mitre.org
• Computer Security Institute—http://www.gocsi.com
• Center for Internet Security—http://www.cisecurity.org
Thank You
Questions
Recommended Reading
Designing Network Security, Second Ed., ISBN: 1587051176, available in Oct 2003
Designing Network Security, ISBN: 1578700434
Managing Cisco Network Security, ISBN: 1578701031
Recommended Reading
Network Security Principles and Practices, ISBN: 1587050250
Cisco Secure Internet Security Solutions, ISBN: 1587050161
Cisco Secure Intrusion Detection System, ISBN: 158705034X
Recommended Reading
CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, ISBN: 1587200678
CCSP Cisco Secure VPN Exam Certification Guide, ISBN: 1587200708