© 2006 Cisco Systems, Inc. All rights reserved. SND v2.02-1
Securing the Perimeter: Applying a Security Policy for Cisco Routers

Transcript:


Outline
– Overview
– Role of Routers in Networks
– Router Security Principles
– How Routers Enforce a Perimeter Security Policy
– Local and Remote Administrative Access
– Maintaining the Most Recent Versions of Cisco IOS Software
– Logging
– Conceptual Basis for a Router Security Policy
– Creating a Security Policy for a Router
– Applying Cisco IOS Security Features
– Summary

Role of Routers in Networks
Figure: a simple network with two routers (Router 1 and Router 2) connecting LANs over a WAN link; a file server sits on one LAN and a user host on another.

Threats to and Attacks on Routers
Examples of threats to routers:
– Unauthorized access
– Session hijacking
– Rerouting
– Masquerading
– DoS
– Eavesdropping
– Information theft
Examples of attack techniques:
– Password guessing
– Routing protocol attacks
– SNMP attacks
– IP fragmentation attacks for DoS
– Ping of death attacks
– DDoS attacks
– Session replay attacks

Router Security Principles
There are three principles of router security:
– Physical security
– Operating system and router configuration security
– Router hardening

How Routers Enforce Perimeter Security Policy
Routers are used to secure the perimeter of networks. Three typical methods are as follows:
– In scenario 1, the router protects the LAN.
– In scenario 2, the router provides defense in depth by screening traffic before a firewall.
– In scenario 3, the zone between R1 and R2 is called a DMZ. Servers that must be accessible from the Internet can be put here.
Figure: Scenario 1: LAN – Router 1 (R1) – Internet. Scenario 2: LAN – Firewall – R1 – Internet. Scenario 3: LAN – R2/FW – DMZ – R1 – Internet.

Filtering Packets with a Router
Most routers can filter on one or more of the following:
– Source IP address
– Source port
– Destination IP address
– Destination port
– Protocol type
Some routers can even filter on any bit or any pattern of bits in the IP header. Typically, routers are not able to filter on the content of services such as the FTP file name.

Local and Remote Administrative Access
If remote administrative access is required, use a dedicated management network or encrypt all management traffic.
Figure: Local access: administrator at the console port of R1. Remote access: administration host and logging host on a management LAN behind R2/FW, reached through R1 from the Internet.

Maintaining Most Recent Versions of Cisco IOS Software
Before updating Cisco IOS software on routers, complete these tasks:
– Install additional memory if necessary
– Test the file transfer capability between the administrator host and the router
– Schedule the required downtime for the update
To update Cisco IOS software on routers, complete these tasks:
– Shut down or disconnect the interfaces on the router
– Back up the current Cisco IOS image and configuration files
– Load the Cisco IOS software or configuration updates
– Test the updates

Logging
The logging host is a dedicated computer whose only job is to store logs. Connect the logging host to a separate, protected network or a dedicated router interface.
Figure: administration host and logging host on a management LAN behind R2/FW, separated from the user LAN and reached through R1 from the Internet.

Conceptual Basis for a Router Security Policy
Types of access related to router security layers are as follows:
– Physical integrity: physical access, electrical access
– Core static configuration: administrative access, software updates
– Dynamic configuration: routing protocols, management protocols
– Network traffic: access to networks that the router serves
Figure: Router security layers, from outermost to innermost: Network Traffic Through the Router; Dynamic Configuration and Router Status; Core Static Configuration; Physical Integrity.
Source: National Security Agency, December 2005, Router Security Configuration Guide

Creating a Security Policy for a Router
Here are some objectives for a security policy:
– Specify security objectives, not particular commands or mechanisms
– Specify policy for all the zones: physical, static configuration, dynamic configuration, traffic flow
– Deny services and protocols that are not explicitly permitted
– Update the security policy regularly
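The filtering fields listed under Filtering Packets with a Router and the deny-what-is-not-permitted objective above come together in a router access list. The following is an added illustration written for this page, not Cisco IOS code: a stateless five-tuple filter with first-match semantics and an implicit final deny, applied to the scenario-3 DMZ topology. All addresses, rules and packets are constructed.

```python
# Added example (not Cisco's code): a stateless five-tuple filter in the style
# of a router ACL, with first-match semantics and the implicit final deny the
# policy calls for. Addresses and rules are constructed for the DMZ scenario.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
INTERNAL_LAN = ip_network("10.10.0.0/16")    # protected LAN behind R2 (constructed)
WEB_SERVER = ip_network("203.0.113.10/32")   # Internet-reachable DMZ host (constructed)

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[str]           # "tcp", "udp", "icmp", or None for any protocol
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[Tuple[int, int]] = None   # inclusive destination-port range

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Compare the packet against every field the rule constrains."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dports is not None and not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; traffic no rule permits is denied."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"   # implicit deny at the end of the list

# Inbound policy on R1's Internet-facing interface (constructed): drop packets
# claiming an internal source, then admit only web traffic to the DMZ host.
R1_INBOUND = [
    Rule("deny", None, INTERNAL_LAN, ANY),
    Rule("permit", "tcp", ANY, WEB_SERVER, (443, 443)),
    Rule("permit", "tcp", ANY, WEB_SERVER, (80, 80)),
]
```

Note that SSH to the DMZ host, UDP to port 443, and any packet aimed directly at the internal LAN all fall through to the implicit deny, which is the policy's default-deny objective in action.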

Applying Cisco IOS Security Features
– Secure access to the router itself
– Secure router network services
– Control and filter network traffic
– Configure routing protocol security
– Manage router security
– Configure network access control for routers

Summary
– General threats to routers include unauthorized access, session hijacking, rerouting, masquerading, DoS, eavesdropping, and information theft.
– Router security depends on physical security, operating system security, and configuration hardening.
– Routers enforce perimeter security for a network by prohibiting specific traffic and by directing traffic to firewalls.
– Remote administrative access should be limited to a dedicated management LAN.
– Update the router operating system to take advantage of new security features and technologies.
– Logs help the administrator to verify activity and identify potential threats to network security.
– Security policies should be developed based on four layers: physical security, static configuration, dynamic configuration, and traffic flow.
– A security policy should keep objectives at a high level, specify policy for each of the four zones, and specify that any services and protocols that are not explicitly permitted must be denied.
– Implementing a security policy on Cisco routers includes physical security, shutting down unnecessary network services, filtering network traffic, securing routing protocols, auditing router configurations, and configuring network access control.
