Network Security Knowledge is Everything! Network Operations



Similar documents
8 steps to protect your Cisco router

Security Audit CHAPTER21. Perform Security Audit

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

One-Step Lockdown with Cisco SDM

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Internet Infrastructure Security Technology Details. Merike Kaeo

Lab Configuring Syslog and NTP (Instructor Version)

How To Secure Network Threads, Network Security, And The Universal Security Model

Hardening Network Devices. PacNOG15 Network Security Workshop

- Basic Router Security -

Center for Internet Security Gold Standard Benchmark for Cisco IOS

Configuring the MNLB Forwarding Agent

Cisco IOS Switch Security Configuration Guide

Configuring the Cisco Secure PIX Firewall with a Single Intern

Enabling Management Protocols: NTP, SNMP, and Syslog

System Components PBX Model. Configuration Tasks

Lab Configure Syslog on AP

APNIC Members Training Course Security workshop. 2-4 July, Port Vila Vanuatu. In conjunction with PACNOG 4

Troubleshooting the Firewall Services Module

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls

ICND IOS CLI Study Guide (CCENT)

LAN-Cell to Cisco Tunneling

Brest. Backup : copy flash:ppe_brest1 running-config

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Troubleshooting the Firewall Services Module

Simple MPLS network topology for Dynamips/Olive

Objectives Understand Cisco IOS system architecture components. Work with the Cisco IOS Command Line Interface (CLI) and common commands.

CCNA Security. Chapter Two Securing Network Devices Cisco Learning Institute.

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Virtual Fragmentation Reassembly

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

Configuring a Cisco 2509-RJ Terminal Router

Introduction to Cisco router configuration

Configuring System Message Logging

ACL Compliance Director FAQ

Planning Maintenance for Complex Networks

Chapter 1: Planning Maintenance for Complex Networks. TSHOOT v6 Chapter , Cisco Systems, Inc. All rights reserved.

CISCO IOS NETWORK SECURITY (IINS)

Cisco ASA Configuration Guidance

Firewall Stateful Inspection of ICMP

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

Skills Assessment Student Training Exam

ICND1 Lab Guide Interconnecting Cisco Networking Devices Part 1 Version 2.0. Labs powered by

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Monitoring the Firewall Services Module

Skills Assessment Student Training (Answer Key)

LAB II: Securing The Data Path and Routing Infrastructure

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Cisco Troubleshooting High CPU Utilization on Cisco Route

Cisco 2621 Gateway-PBX Interoperability: Lucent/Avaya Definity G3si V7 PBX with Cisco CallManager Using T1 PRI NI-2 for an H.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Chapter 1 Introduction to Network Maintenance Objectives

Configurazione Rete VoIP

Deploying ACLs to Manage Network Security

Cisco Security Information Event Management Deployment Guide

Lab Configure Basic AP Security through IOS CLI

Things I can do to protect my network from getting Hacked!!!!!! Jazib Frahim, Technical Leader

Leased Line PPP Connections Between IOS and HP Routers

Security Toolsets for ISP Defense

Cisco IOS Firewall. Executive Summary

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CS3695/M6-109 Lab 8-NPS02 VOIP Sniffing Ver. 8 Rev. 0

IINS Implementing Cisco Network Security 3.0 (IINS)

Juniper Networks WX Series Large. Integration on Cisco

Lab Load Balancing Across Multiple Paths Instructor Version 2500

Configurazione Rete VoIP

Network Defense Specialist. Course Title: Network Defense Specialist: Securing and Troubleshooting Network Operating Systems

7750 SR OS System Management Guide

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Implementing Cisco IOS Network Security

Router Security Audit Logs

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Enabling Remote Access to the ACE

VPN Lesson 2: VPN Implementation. Summary

Report of Independent Auditors

Switch Configuration Required to Support Cisco ISE Functions

Configuring DNS on Cisco Routers

CTS2134 Introduction to Networking. Module Network Security

Management, Logging and Troubleshooting

Security and Access Control Lists (ACLs)

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Configuring Modem Transport Support for VoIP

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Securing Cisco Network Devices (SND)

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Firewall Authentication Proxy for FTP and Telnet Sessions

Remote Access VPN Business Scenarios

Cisco Routers and Switches

System Components PBX Model. Configuration Tasks

Angelos Stavrou. OF COURSE there is no Magic so lets see show things work in practice...

Transcription:

Network Security Knowledge is Everything Network Operations Warrick Mitchell - Network Engineer warrick.mitchell@aarnet.edu.au Agenda What is Network Security General Configuration Security Logging and Auditing Tools to help This talk is focused on securing your Cisco network infrastructure, if you would like to talk about securing content services (email, web servers etc ) or Junipers please come and see me afterwards. 2 1

What is network security? 3 What is network security? Firstly lets talk about what devices/software are commonly mentioned when discussing network security: 4 1. Firewalls (Deep packet inspection) 2. Intrusion Detection Systems (IDS) 3. Intrusion Prevention Systems (IPS) 4. Event correlation 5. Routers, Switches 6. Virus Scanners 7. Network scanning tools 2

What is network security? So as you have just seen, there is not one device/appliance/tool that provides network security. Cisco Press has many books which state that they believe Network Security is a system and that the system is: A collection of network-connected devices, technologies and best practises that work in complementary ways to provide security to information assets. Network Security Architectures 5 What is network security? To know your Enemy, you must become your Enemy Sun Tzu, The Art of War 6 3

What is network security? Why? 7 What is network security? Take advantage of the enemy's unpreparedness; travel by unexpected routes and strike him where he has taken no precautions. Sun Tzu, The Art of War 8 4

9 Do you know what s out on your network? Have you recently scanned your IPv4 infrastructure to see if anything new has been added? (IPv4) With IPv6 scanning your network becomes next to impossible. Have you got tools that utilise other methods to detect if a IPv6 device exists? Do you check if your servers/routers/switches/firewalls/ids/ips etc comply with your expected base configuration? 10 5

Things you really want to make sure you have used and are working: NTP (this is key for identifying when attacks happened across multiple devices) Sequence Numbers in your log files: service sequence-number timestamps debug uptime service sequence-number timestamps log datetime msec 11 service password-encryption This make sure all passwords are encrypted in the config. Use enable secret rather than enable password as you can decrypt the enable password but not the enable secret hash. And obviously you need a local username: username <username> secret <password> 12 DO NOT USE enable password or username <user> password <passwd> 6

Do you have a line aux 0 in your config? If so have you disabled it unless you really need it? line aux 0 exec-timeout 0 1 login local no exec transport input none 13 Do you have a line vty 0 4 or line vty 0 15 in your config? Is it secured? i.e SSH only, do you have IPv4 and IPv6 access? 14 line vty 0 15 access-class VTY-IPv4-INCOMING in exec-timeout 0 0 password 7 050303032D435F1C1C16031C0E18567A7A75 ipv6 access-class VTY-IPv6-INCOMING in transport input ssh 7

ip access-list extended VTY-IPv4-INCOMING permit ip X.X.X.X 0.0.0.255 any deny ip any any ipv6 access-list VTY-IPv6-INCOMING permit ipv6 XXXX:XXXX:XXXX::/64 any 15 Services or Features you should be questioning: Finger, HTTP/S Server, BootP Server, PAD [X.25], IP Source routing, proxy-arp, ip directed broadcast, ip unreachable, ip redirects, MOP [Decnet], NTP, SNMP, DNS, CDP Do you need to really run any of those? 16 8

Do you have passwords on your IGP sessions? (OSPF/OSPF3/RIP/ISIS/EIGRP) Are you leaking your IGP on interfaces to external parties? (Read about OSPF vulnerabilities here: http://tools.ietf.org/html/draft-ietf-rpsec-ospf-vuln-01 ) Do you have password on your exterior routing protocols? 17 Do you have SNMP enabled, if so do you have it secured to a select group of hosts via an ACL? snmp-server community <community name> RO <acl number> snmp-server trap link ietf snmp-server trap-source <Interface> snmp-server server packetsize 9000 snmp-server location <Where in the world is Waldo> snmp-server contact <An email address for Waldo> 18 9

What logging options have you got enabled? logging buffered 65536 logging console informational logging history informational logging trap debugging logging source-interface <interface> logging <host> 19 Do you perform CoPP (Control Plane Policing) on your switches and routers? http://www.cisco.com/web/about/security/intelligence/coppwp_gs.h tml http://www.cisco.com/en/us/docs/switches/lan/catalyst6500/ios/12 com/en/us/docs/switches/lan/catalyst6500/ios/12.2sx/configuration/guide/copp.html 20 10

Finally a useful feature: archive log config logging enable logging size 10 path ftp://ftp/$h/$h-$t write-memory 21 Logging and Auditing 22 11

Logging Logging can be an invaluable resource for knowing what s been happening on your network. It can also be an overload of information 23 For those who use Splunk I use the following search each morning to see what s been happening: source= tcp:9998 rex "(?<messagetype>%\s+)" stats count by messagetype Note *This is a Cisco search*. 24 12

For those who use Splunk 25 Tools to help? 26 13

Tools/Assistance MRTG/Cacti: 27 Tools/Assistance Netflow: 28 14

Tools/Assistance NSA provide an extremely valuable document on how to best secure your Cisco equipment: http://www.nsa.gov/ia/guidance/security_configuration_guides/cisc o_router_guides.shtml Cisco: http://www.cisco.com/en/us/tech/tk648/tk361/technologies_tech_ note09186a0080120f48.shtml 29 Juniper: http://www.juniper.net/techpubs/software/junos/junos74/swconfig7 4-system-basics/html/software-overview22.html Tools/Assistance Defence Signals Directorate have published The DSD Information Security Manual: http://www.dsd.gov.au/infosec/ism/index.htm Cymru provide a Junos Template: http://www.cymru.com/gillsr/documents/junos-template.pdf Cymru provide a Cisco template: http://www.cymru.com/documents/secure-ios-template.html 30 15

Tools/Assistance Rancid: RANCID-CONTENT-TYPE: cisco Chassis type: 877W-M - a 877W-M router CPU: MPC8272 Memory: main 236544K/25600K Memory: nvram 128K Processor ID: XXXXXXXXX Image: Software: C870-ADVIPSERVICESK9-M, 12.4(24)T4, RELEASE SOFTWARE (fc2) Image: Compiled: Fri 03-Sep-10 17:16 by prod_rel_team Image: flash:c870-advipservicesk9-mz.124-24.t4.bin ROM Bootstrap: Version 12.3(8r)YI4, RELEASE SOFTWARE Flash: 53248K bytes of processor board System flash (Intel Strataflash) Flash: Directory of flash:/ Flash: 2 -rwx 21890692 Jul 1 2011 01:06:14 +08:00 c870-advipservicesk9-mz.124-24.t4.bin Flash: 3 -rwx 26444544 Jun 30 2011 17:18:03 +08:00 c870-advipservicesk9-mz.151-4.m.bin Flash: 52383744 bytes total (4040704 bytes free) 31 Tools/Assistance Rancid has some useful tools available and you can easily write your own to identify what ACL s etc are no longer in use in your router configs. http://ftp.isc.org/isc/toolmakers/filter_audit-1.01.tar.gz http://www.isc.org/community/toolmakers 32 16

Questions? 33 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information