Things I can do to protect my network from getting Hacked!!!!!! Jazib Frahim, Technical Leader




Cisco Support Community Expert Series Webcast. Today's featured expert is Cisco Technical Leader Jazib Frahim, CCIE in Routing and Switching and in Security. Ask him questions now about how to protect your network. 2011 Cisco and/or its affiliates. All rights reserved.

Thank You for Joining Us Today. Today's presentation will include audience polling questions. We encourage you to participate!

If you would like a copy of the presentation slides, click the PDF link in the chat box on the right or go to https://supportforums.cisco.com/community/netpro/security/others or https://supportforums.cisco.com/docs/docs-18401

Polling Question 1: What is your primary role/function in the company that you work for?
a) Network/Security engineer
b) Systems Administrator
c) Network/IT Manager
d) IT Executive
e) Other

Submit Your Questions Now. Use the Q&A panel to submit your questions. Experts will start responding to those.


Agenda
- Case Study 1: Incident in the VPN network
- Case Study 2: Incident in the branch network
- Case Study 3: Incident in the Internet edge
- Recommendations
- Questions and Answers

Case Study 1 Incident in the VPN network

[Diagram: telecommuters, road warriors, Partner 1 and Partner 2 connect over the Internet to an ASA VPN cluster in front of the New York corporate network.]

Unauthorized access via clientless SSL VPN occurred several times over a period of about 3-4 weeks.

The attacker exploited the authentication bypass vulnerability described in CVE-2010-0568. The Cisco ASA had not been patched for this vulnerability. The attacker was able to compromise other internal systems and stole several documents and other information.

In a monthly VPN activity report they noticed that a user called CatchMeIfYouCan had logged in several times over a period of 3-4 weeks. The username did not conform to the Active Directory naming standard. After further investigation, they found that VPN authentication was being bypassed on the ASA cluster as a result of CVE-2010-0568.

Remediation in the VPN network (ASA VPN cluster in front of the New York corporate network, serving the road warriors):
- Only allowed VPN traffic to the ASAs
- External user authentication (AD/NTLM authentication)
- Idle and session timeouts
- Leveraged DAP (Dynamic Access Policies)
- Disabled split-tunneling
- VPN traffic inspected by IPS

Polling Question 2: Where do you typically hear about security breaches/compromises in enterprises?
a) Online
b) Print media
c) Television
d) Social circles
e) Other


Case Study 2 Incident in the Branch Network

[Diagram: Branch Network 1 and Branch Network 2 connect to the Corporate Network over a Private WAN.]

A retail store in Mobile, Alabama was, apparently, not physically secured.
- Hackers plugged in and hid a wireless router on the network
- They controlled the router over an encrypted wireless connection
- They sniffed traffic to extract user credentials with escalated privileges
- Finally, they transferred sensitive data outside of the network

Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality: all victims had used their cards in the company's stores.

Remediation in the branch network (branch networks connected to the corporate network over the private WAN):
- AAA in all networking devices
- Secure protocols such as SSH
- Redundancy (logical and physical)
- NetFlow and event monitoring
- Routing protocol security
- WAN edge acting as firewall and IPS
- Control Plane Policing (CoPP)
- QoS for traffic prioritization
- GETVPN to encrypt all WAN traffic

Case Study 3 Incident in the Internet Edge

Disgruntled employee (network administrator):
- Created backdoor accounts on the AAA servers
- A month after being fired, logged in to the network and erased the configurations of several Internet edge networking devices (including firewalls and routers)
- Erased the backup configurations from a management server using such an account

[Diagram: SP edge with ISP A and ISP B, outside router, firewall, DMZ (DNS/FTP/NTP, Email/WWW, security appliances), corporate network, and a backup-configs server.]
- The ex-employee was able to SSH to the outside router and use it as a stepping stone to connect to the firewall.
- After he connected to the firewall, he modified the rules to be able to further SSH into several networking devices.
- He erased their configurations.
- He erased the backup configurations on a server he had previously configured in the network.
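An account audit of the kind that would have caught the backdoor accounts in this case study, as an added example that is not part of the webcast: it reconciles an AAA server's account export against the HR roster and flags accounts with no owner, accounts whose owner has been terminated, and accounts created by someone in the weeks before their own termination. The account list, the roster, the approved service-account list and the 30-day look-back are constructed assumptions for the example.

```python
from datetime import date

# Constructed data: what a TACACS+/RADIUS account export and an HR roster
# might look like. Not taken from the incident.
AAA_ACCOUNTS = [
    {"user": "jdoe",    "created": date(2009, 3, 2),  "created_by": "jdoe"},
    {"user": "asmith",  "created": date(2010, 1, 5),  "created_by": "jdoe"},
    {"user": "svc-bkp", "created": date(2010, 5, 20), "created_by": "jdoe"},
    {"user": "netops2", "created": date(2010, 6, 1),  "created_by": "jdoe"},
    {"user": "bjones",  "created": date(2010, 6, 3),  "created_by": "asmith"},
]

# user -> (employment status, termination date or None)
HR_ROSTER = {
    "jdoe":   ("terminated", date(2010, 6, 4)),
    "asmith": ("active", None),
    "bjones": ("active", None),
}

# Service accounts that are allowed to exist without an HR owner. Any other
# account with no roster entry is treated as unknown.
APPROVED_SERVICE_ACCOUNTS = {"svc-bkp"}


def audit_aaa_accounts(accounts, roster, approved_services, today, lookback_days=30):
    """Return a list of (user, reason) findings; empty means nothing to review."""
    findings = []
    for acct in accounts:
        u = acct["user"]
        status, term = roster.get(u, (None, None))
        if status is None and u not in approved_services:
            findings.append((u, "no matching person or approved service account"))
        elif status == "terminated" and term <= today:
            findings.append((u, f"owner terminated on {term}, account still present"))

        # Accounts created shortly before the creator's own termination are a
        # classic backdoor pattern: review everything that person created.
        creator_status, creator_term = roster.get(acct["created_by"], (None, None))
        if creator_status == "terminated" and creator_term is not None:
            gap = (creator_term - acct["created"]).days
            if 0 <= gap <= lookback_days:
                findings.append(
                    (u, f"created by {acct['created_by']} {gap} days before their termination")
                )
    return findings


if __name__ == "__main__":
    for user, reason in audit_aaa_accounts(
        AAA_ACCOUNTS, HR_ROSTER, APPROVED_SERVICE_ACCOUNTS, date(2010, 7, 10)
    ):
        print(f"{user}: {reason}")
```

The audit is only as good as the creator attribution in the AAA server's accounting records, which is why "AAA in all networking devices" and a change-control process that ties every new account to a ticket appear in the recommendations. The termination step itself should also trigger an immediate disable of the departing administrator's accounts and a review of everything they created, rather than waiting for the next scheduled audit.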

Everyone experienced the effects. Everyone called!!

Remediation in the Internet edge (SP edge with ISP A and ISP B, DMZ with DNS/FTP/NTP, Email/WWW and security appliances, corporate network):
- AAA in all networking devices
- Secure protocols such as SSH
- Redundancy in all areas
- NetFlow
- uRPF/anti-spoofing
- Firewalls
- Intrusion Prevention Systems (IPS)
- Control Plane Policing (CoPP)
- Port security

Recommendations

Key points to consider about security

100% secure network: You can never get a 100% secure network. No product of any size, vendor or type can provide 100% security at a given time. You cannot rely on products and technologies for full security. You need to keep improving the security posture of the network infrastructure to meet the challenges of evolving threats.

Security baseline: You must create a baseline for the activities occurring in your network infrastructure to provide answers to hard questions such as: Are we more secure today than we were before? Have we improved from last year? Are we secure enough?

Patch Management: Proactive Security

Workflow: vulnerability announced by vendor -> identify affected devices -> identify workarounds -> patch/fix is obtained -> patch/fix is tested -> patch is implemented.
- Awareness: You need to keep up with vulnerability announcements from vendors at all times.
- Identification/Correlation: Identify vulnerable devices. Identify potential workarounds and network mitigations.
- Fix tested and implemented: Test and certify the image/software, then implement.
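The "identify affected devices" step in working code, as an added example (not Cisco's tooling and not part of the webcast): given an inventory of platform/version strings and an advisory-style table of the first fixed release per train, it parses versions such as 8.2(2.1) into comparable tuples and lists the devices that need a patch or a workaround. INVENTORY and FIRST_FIXED are constructed; the fixed versions are hypothetical placeholders and are not the fixed releases for CVE-2010-0568 or any other advisory.

```python
import re

# Constructed inventory for the example (hostnames, products and versions
# are invented).
INVENTORY = [
    {"host": "asa-vpn1", "product": "ASA", "version": "8.2(1)"},
    {"host": "asa-vpn2", "product": "ASA", "version": "8.2(2.2)"},
    {"host": "asa-dmz",  "product": "ASA", "version": "8.0(4)"},
    {"host": "asa-lab",  "product": "ASA", "version": "8.3(1)"},
    {"host": "rtr-edge", "product": "IOS", "version": "15.0(1)M"},
]

# First fixed release per affected train, in the style of a vendor advisory's
# "first fixed" table. HYPOTHETICAL values for illustration only; they are not
# the fixed releases for any real CVE. Copy the real table from the advisory.
FIRST_FIXED = {
    "ASA": {"8.0": "8.0(5.3)", "8.1": "8.1(2.40)", "8.2": "8.2(2.2)"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_version(v):
    """Turn '8.2(2.1)' into (8, 2, 2, 1) so tuples compare numerically.
    A missing interim number counts as 0, so 8.2(2) < 8.2(2.1)."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def train(v):
    """The release train, e.g. '8.2' for '8.2(2.1)'."""
    major, minor, _, _ = parse_version(v)
    return f"{major}.{minor}"


def affected_devices(inventory, first_fixed):
    """Return (host, running version, first fixed version) for each device
    running an affected train at a release below the first fixed one.
    Trains absent from the table are assumed unaffected; confirm that
    assumption against the advisory text, which may say otherwise."""
    hits = []
    for dev in inventory:
        fixed_by_train = first_fixed.get(dev["product"])
        if not fixed_by_train:
            continue  # product not covered by this advisory
        fixed = fixed_by_train.get(train(dev["version"]))
        if fixed is None:
            continue  # train not listed
        if parse_version(dev["version"]) < parse_version(fixed):
            hits.append((dev["host"], dev["version"], fixed))
    return hits


if __name__ == "__main__":
    for host, running, fixed in affected_devices(INVENTORY, FIRST_FIXED):
        print(f"{host}: running {running}, first fixed {fixed}")
```

The inventory is the hard part in practice: the script can only match devices it knows about, so the VPN cluster in case study 1 stays unpatched if it is missing from the inventory. Feed it from an authoritative source (management platform export, NetFlow/discovery data) rather than from a hand-maintained spreadsheet.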

Incident Management: Reactive Security

Timeline: T_o, then T_e, then T_i, then T_c.
- T_o = time when an event occurs on the network
- T_e = time when the event is detected on the network
- T_i = time when the event is classified as an incident
- T_c = time when the incident is contained on the network

Intervals to measure:
- T_event = T_e - T_o (time to detect)
- T_incident = T_i - T_e (time to classify)
- T_containment = T_c - T_i (time to contain)

Questions to ask about your own network:

AAA Management
- Network device authentication?
- Network user authentication?

Restricted Access
- Guest access with network restrictions?
- Shutting down unused ports?
- Traffic filtering from branch to corporate network?

Physical Security
- Unlocked/unrestricted wiring closets?
- Monitoring via cameras?

Questions raised by case study 3:

AAA Management
- Process around user accounts
- No audits of AAA accounts?
- Change control correlation and enforcement?

Outside Router
- Why listen to SSH there?
- No VTY access control?

Firewalls
- Why SSH from the outside router?
- Change control correlation and enforcement?
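A check for the "Why listen to SSH there? No VTY access control?" questions, as an added example rather than anything from the webcast: it parses IOS-style running configurations and reports management-plane gaps (no AAA, SSHv2 not enforced, vty lines without an inbound access-class, transport inputs other than SSH, no exec-timeout). WEAK_CONFIG and HARDENED_CONFIG are constructed fragments, not the configurations of the devices in the case study, and the check list is a subset of what a full baseline would cover.

```python
# Constructed IOS-style configuration fragments for the example. The weak
# one is roughly what an outside router reachable over telnet/SSH from
# anywhere looks like; the hardened one is the corrected management plane.
WEAK_CONFIG = """\
hostname outside-rtr
!
username admin privilege 15 secret 5 <hash>
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname outside-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
ip ssh version 2
!
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input ssh
!
"""


def parse_sections(config):
    """Split a config into (header, [child lines]) pairs. Indented lines
    belong to the preceding unindented header; comments ('!') are dropped."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_management_plane(config):
    """Return a list of finding strings; an empty list means all checks passed."""
    sections = parse_sections(config)
    top = {header for header, _ in sections}
    findings = []
    if "aaa new-model" not in top:
        findings.append("AAA not enabled (no 'aaa new-model'); logins rely on local accounts only")
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 not enforced")
    vty_blocks = [(h, kids) for h, kids in sections if h.startswith("line vty")]
    if not vty_blocks:
        findings.append("no vty lines configured")
    for header, kids in vty_blocks:
        # Without an inbound access-class the vty answers to any source that
        # can reach the device, including the Internet on an outside router.
        if not any(k.startswith("access-class ") and k.endswith(" in") for k in kids):
            findings.append(f"{header}: no inbound access-class, management is reachable from any source")
        transports = [k for k in kids if k.startswith("transport input")]
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(k.startswith("exec-timeout") for k in kids):
            findings.append(f"{header}: no exec-timeout, idle sessions never close")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_plane(cfg) or ["ok"])
```

The access-class answers "why listen to SSH there?": the outside router still needs SSH for the operations team, but only from the management subnet, and never as a pivot from the Internet. Run the audit against nightly config backups so that a rule change like the one the ex-employee made shows up as a diff the next morning.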

Useful References
- Cisco's Security Center: http://www.cisco.com/security
- BugTraq: http://www.securityfocus.com/archive/1
- Emerging Threats (open source): http://www.emergingthreats.net
- Malware Collect (mwcollect): http://code.mwcollect.org
- SANS Internet Storm Center: http://isc.sans.org
- Team Cymru: http://www.team-cymru.org
- Cisco Advanced Services offers a Security Architectural Assessment service: http://www.cisco.com/en/us/services/ps2961/ps2952/cisco_saa_ds.pdf

Polling Question 3: Have you created a baseline for the operational and technical activities that occur in your network?
a) Yes, we already have a good baseline
b) Yes, we are in the process of creating a baseline
c) No, but we are thinking about it
d) No, and we are not thinking about it


Q&A

We Appreciate Your Feedback! The first 5 listeners who fill out the Evaluation Survey will receive a free $20 USD gift certificate. To complete the evaluation, please click on the link provided in the chat.

If you have additional questions, you can ask them to the Expert. He will be answering from day X to day Y: https://supportforums.cisco.com/community/netpro/ask-theexpert You can watch the video or read the Q&A 5 business days after the event at https://supportforums.cisco.com/community/netpro/ask-theexpert/webcasts

Upcoming webcast in Polish. Topic: Security Architecture for Corporate Networks. Tuesday, September 27th, at 10:00 a.m. Warsaw (UTC +2), 9:00 a.m. London (UTC +1), 4:00 a.m. New York (UTC -4). Join Security CCIE and CISSP-ISSAP expert Gaweł Mikołajczyk, Technical Leader at Cisco in Europe. He will talk about Cisco security architecture for corporate networks. During this interactive session you will be able to ask all your questions related to this topic. Register for this live webcast at http://bitly.com/polish-webcast-registration

Cisco Support Community:
- https://supportforms.cisco.com
- http://www.facebook.com/ciscosupportcommunity
- http://twitter.com/#!/cisco_support
- http://www.youtube.com/user/ciscosupportchannel
- http://itunes.apple.com/us/app/cisco-technicalsupport/id398104252?mt=8
- http://www.linkedin.com/groups/csc-cisco-support-Community-3210019

If you speak Polish, Japanese, or Spanish, we invite you to ask your questions and collaborate in your language.
- Spanish: https://supportforums.cisco.com/community/spanish
- Polish: https://supportforums.cisco.com/community/etc/netpro-polska
- Japanese: https://supportforums.cisco.com/community/csc-japan
We're also running a pilot for Russian and Portuguese. You can register at the following links:
- Russian: https://www.ciscofeedback.vovici.com/se.ashx?s=6a5348a712220e19
- Portuguese: https://www.ciscofeedback.vovici.com/se.ashx?s=6a5348a77ee5c0b7

Thank You for Your Time. Please take a moment to complete the evaluation.