Training Course on Network Administration 03-07, March 2014 National Centre for Physics 1
Network Security and Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Crafting a Secure Network 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3
Network Security Network security is an integral part of computer networking Imporant on any size network. 4
Network Security Network security is an integral part of computer networking Imporant on any size network. 5
External Threats The most common external threats to networks include: Viruses, worms, and Trojan horses - malicious software and arbitrary code running on a user device Spyware and adware - software installed on a user device that secretly collects information about the user Zero-day attacks, also called zero-hour attacks - an attack that occurs on the first day that a vulnerability becomes known Hacker attacks - an attack by a knowledgeable person to user devices or network resources Denial of service attacks - attacks designed to slow or crash applications and processes on a network device Data interception and theft - an attack to capture private information from an organization s network Identity theft - an attack to steal the login credentials of a user in order to access private data. 6
Internal Threats The most common data breaches happen because of internal users of the network. Due to: lost or stolen devices accidental misuse by employees malicious employees With the evolving BYOD strategies, corporate data is much more vulnerable. Therefore, when developing a security policy, it is important to address both external and internal security threats.. 7
Security Solutions Network security components for a home or small office network should include: Antivirus and antispyware - to protect user devices from malicious software Firewall filtering - to block unauthorized access to the network. In addition to the above, larger networks and corporate networks often have other security requirements: Dedicated firewall systems - to provide more advanced firewall capability that can filter large amounts of traffic with more granularity Access control lists (ACL) - to further filter access and traffic forwarding Intrusion prevention systems (IPS) - to identify fast-spreading threats, such as zero-day or zero-hour attacks Virtual private networks (VPN) - to provide secure access to remote workers. Policies, procedures, standards guidelines 8
Security through Network Design Subnetting IP addresses are actually two addresses: one part is a network address and one part is a host address Subnetting or subnet addressing Splits a large block of IP addresses into smaller groups 9
Image from Cisco CCNA Class 1 10
Subnetting at CCSF Whole College: 147.144.0.0 /16 147.144.0.1 through 147.144.255.254 Eng Dept: 147.144.51.0 /24 147.144.51.1 through 147.144.51.254 CNIT Dept: 147.144.20.0 /24 147.144.20.1 through 147.144.20.254 Image from Cisco CCNA class 1, modified 11
Advantages of Subnetting 12
Subnets Improve Security Each subnet can be isolated from the rest of the network Traffic between subnets can be monitored and restricted at the routers Subnets also allow network administrators to hide the internal network layout Outsiders only see your public servers, not your private subnets 13
Virtual Local Area Network (VLAN) VLANs segment a network with switches, not routers A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches Can reduce network traffic and provide a degree of security similar to subnetting: VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN 14
VLAN Security VLAN communication can take place in two ways All devices are connected to the same switch Traffic is handled by the switch itself Devices are connected to different switches A special tagging protocol must be used, such as the IEEE 802.1Q-2005 A VLAN is heavily dependent upon the switch for correctly directing packets Attackers could take control of the switch itself, if it has a default or weak password Specially crafted traffic can also "hop" from one VLAN to another 15
Demilitarized Zone (DMZ) A separate network that sits outside the secure network perimeter Outside users can access the DMZ but cannot enter the secure network 16
DMZ with Firewall 17
Network Address Translation (NAT) Hides the IP addresses of network devices from attackers Private addresses IP addresses not assigned to any specific user or organization Function as regular IP addresses on an internal network Non-routable addresses--traffic addressed to private addresses is discarded by Internet routers 18
Network Address Translation (NAT) NAT removes the private IP address from the sender s packet And replaces it with an alias IP address When a packet is returned to NAT, the process is reversed An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender 19
Introducing NAT and PAT 20
NAT Example Inside local address The IP address assigned to a host on the inside network. This address is likely to be an RFC 1918 private address. Inside global address A legitimate (Internet routable or public) IP address assigned the service provider that represents one or more inside local IP addresses to the outside world. Outside local address The IP address of an outside host as it is known to the hosts on the inside network. 21
NAT Example 1 DA 128.23.2.2 1 2 DA SA 10.0.0.3 IP Header... 128.23.2.2 Data 2 SA 179.9.8.80... Data IP Header The translation from Private source IP address to Public source IP address. 22
NAT Example 1 2 Inside local address The IP address assigned to a host on the inside network. Inside global address A legitimate (Internet routable or public) IP address assigned the service provider. Outside global address The IP address assigned to a host on the outside network. The owner of the host assigns this address. 23
NAT Example 4 3 DA SA 10.0.0.3 128.23.2.2 4 IP Header DA... Data 179.9.8.80 3 SA 128.23.2.2... Data IP Header Translation back, from Public destination IP address to Private destination IP address. 24
NAT Example NAT allows you to have more than your allocated number of IP addresses by using RFC 1918 address space with smaller mask. However, because you have to use your Public IP addresses for the Internet, NAT still limits the number of hosts you can have access the Internet at any one time (depending upon the number of hosts in your public network mask.) 25
PAT Port Address Translation PAT (Port Address Translation) allows you to use a single Public IP address and assign it up to 65,536 inside hosts (4,000 is more realistic). PAT modifies the TCP/UDP source port to track inside Host addresses. Tracks and translates SA, DA and SP (which uniquely identifies each connection) for each stream of traffic. 26
PAT Example NAT/PAT table maintains translation of: DA, SA, SP DA 128.23.2.2 1 DA 128.23.2.2 SA 10.0.0.3 IP Header SA 10.0.0.2 IP Header DP 80 SP 1331 DA Data TCP/UDP Header DP 80 1555 TCP/UDP Header 128.23.2.2 179.9.8.80 2 SP DA Data SA IP Header SA 128.23.2.2 179.9.8.80 IP Header DP 80 SP 3333 Data TCP/UDP Header DP 80 SP 2222 Data TCP/UDP Header 27
PAT Example NAT/PAT table maintains translation of: SA (DA), DA (SA), DP (SP) DA 10.0.0.3 4 SA 128.23.2.2 IP Header DA SA 10.0.0.2 128.23.2.2 IP Header DP SP 1331 80 DA Data TCP/UDP Header DP 1555 80 TCP/UDP Header 179.9.8.80 128.23.2.2 3 SP DA Data SA 179.9.8.80 IP Header SA 128.23.2.2 IP Header DP 3333 SP 80 Data TCP/UDP Header DP 2222 SP 80 Data TCP/UDP Header 28
PAT Port Address Translation With PAT a multiple private IP addresses can be translated by a single public address (many-to-one translation). This solves the limitation of NAT which is one-to-one translation. 29
PAT Port Address Translation DA 128.23.2.2 1 DA 128.23.2.2 SA 10.0.0.3 IP Header SA 10.0.0.2 IP Header DP 80 SP 1331 DA Data TCP/UDP Header DP 80 1555 TCP/UDP Header 128.23.2.2 179.9.8.80 2 SP DA Data SA IP Header SA 128.23.2.2 179.9.8.80 IP Header DP 80 SP 3333 Data TCP/UDP Header DP 80 SP 2222 Data TCP/UDP Header 30
Configuring Static NAT 31
Configuring Dynamic NAT The network address space you have received from ARIN or your ISP is 179.9.8.0/24. In ISP s routing table: 179.9.8.0/24 via 192.168.1.1 ISP Translate to these outside addresses Start here 0.0.255.255 Source IP address must match here 32
192.168.1.1 is the address your ISP has assigned you. Instead of a host, you put a router there, running PAT so you can have multiple hosts share that same 192.168.1.1 address. Configure PAT Overload 10.1.0.0 In this example a single Public IP addresses is used, using PAT, source ports, to differentiate between connection streams. 33
Configure PAT Overload This is a different example, using the IP address of the outside interface instead specifying an IP address 34
NAT/PAT Clear Commands 35
Verifying NAT/PAT 36
Troubleshooting NAT/PAT 37
Issues with NAT/PAT NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings. 38
NAT with PAT Web browser: Email: 192.168.1.101 Port 1100 192.168.1.101 Port 1102 Web browser: 192.168.1.103 Port 1100 147.144.1.1 192.168.1. 1 192.168.1.51 192.168.1.103 192.168.1.102 192.168.1.101 Address Translation 192.168.1.101 Port 1100 -> 147.144.1.1 Port 2100 192.168.1.101 Port 1102 -> 147.144.1.1 Port 2101 192.168.1.103 Port 1100 -> 147.144.1.1 Port 2102 39
Network Access Control (NAC) Examines a computer before it is allowed to connect to the network Each computer must meet security policy first, such as Windows patches up to date Antivirus software Antispyware software Etc. Any device that does not meet the policy is only allowed to connect to a quarantine network where the security deficiencies are corrected 40
41
Firewall Typically used to filter packets Sometimes called a packet filter Designed to prevent malicious packets from entering the network A firewall can be software-based or hardware-based Hardware firewalls usually are located outside the network security perimeter As the first line of defense 42
Firewall (continued) 43
Firewall (continued) The basis of a firewall is a rule base Establishes what action the firewall should take when it receives a packet (allow, block, and prompt) Stateless packet filtering Looks at the incoming packet and permits or denies it based strictly on the rule base Stateful packet filtering Keeps a record of the state of a connection between an internal computer and an external server Then makes decisions based on the connection as well as the rule base 44
Stateless Firewall Rules 45
Stateful Firewall Rules State = Established Note error in textbook in left column, 3rd row 46
Inbound and Outbound Traffic Filtering Most personal software firewalls today also filter outbound traffic as well as inbound traffic Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading But it annoys them with these alerts 47
Proxy Server I want to see yahoo.com I will get yahoo.com and save a copy Internet Here is my copy of yahoo.com 48
Proxy Server Clients never directly connect to the Internet This saves bandwidth, because one copy of a popular Web page can be used many times Allows a company to block forbidden Web sites It also prevents many attacks the same way NAT does Reverse proxy Does not serve clients but instead routes incoming requests to the correct server 49
Reverse Proxy Connect to Web server 1 50
Network Intrusion Detection Systems (NIDS) Network intrusion detection system (NIDS) Watches for attempts to penetrate a network NIDS work on the principle of comparing new behavior against normal or acceptable behavior A NIDS looks for suspicious patterns Passive intrusion detection just logs the traffic and sends alerts 51
Host Intrusion Prevention Systems (HIPS) Installed on each system that needs to be protected Rely on agents installed directly on the system being protected Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks 52
Host Intrusion Prevention Systems (HIPS) Most HIPS monitor the following desktop functions: System calls File system access System Registry settings Host input/output HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls HIPS provide an additional level of security that is proactive instead of reactive 53
Network Intrusion Prevention Systems (NIPS) Work to protect the entire network and all devices that are connected to it By monitoring network traffic NIPS can immediately react to block a malicious attack NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events Can drop malicious traffic based on their configuration or security policy 54
Protocol Analyzers Three ways for detecting a potential intrusion Detecting statistical anomalies (unusual traffic) Examine network traffic and look for well-known patterns of attack Use protocol analyzer technology Protocol analyzers Can fully decode application-layer network protocols Parts of the protocol can be analyzed for any suspicious behavior Such as an overly long User-Agent field in an HTTP GET request 55
Internet Content Filters Internet content filters Monitor Internet traffic and block access to preselected Web sites and files A requested Web page is only displayed if it complies with the specified filters Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords 56
Internet Content Filters (continued) 57
Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 58
SNMP is an application layer protocol that provides a message format for communication between what are termed managers and agents Components include SNMP manager SNMP agent Management Information Base 59
Get Set Trap - unreliable Trap (SNMPv3 uses ACK) - reliable 60
61
62
63
The Management Information Base (MIB) MIB defines each variable as an object ID (OID) Organizes the into a hierarchy of OIDs, usually MIB for any device includes some branches of shown as a tree the tree with variables common to many networking devices and branches with variables specific to that device. Networking equipment vendors like Cisco can define their own private branches of the tree 64
MIB tree 65
Obtaining MIB value with snmpget -v2c The version on SNMP in use -c community The SNMP password, called a community string 10.250.250.14 The IP address of the monitored device 1.3.6.1.4.1.9.2.1.58.0 The numeric object identifier (OID) of the MIB variable 66
There are two types of community strings in SNMP Version 2c: Read-only (RO): Provides access to the MIB variables, but does not allow these variables to changed, only read. Because security is so weak in Version 2c, many organizations only use SNMP in this read-only mode. Read-write (RW): Provides read and write access to all objects in the MIB. 67
R1(config)# ip access-list standard ACL_PROTECTSNMP R1(config-std-nacl)# permit host 10.10.10.101 R1(config-std-nacl)# exit R1(config)# snmp-server community V011eyB@11!!! RO ACL_PROTECTSNMP R1(config)# snmp-server location Tampa R1(config)# snmp-server contact Anthony Sequeira R1(config)# end R1# 68
R2(config)# ip access-list standard ACL_PROTECTSNMP R2(config-std-nacl)# permit host 10.20.20.201 R2(config-std-nacl)# exit R2(config)# snmp-server community T3nn1sB@ll RW ACL_PROTECTSNMP R2(config)# snmp-server location New York R2(config)# snmp-server contact John Sequeira R2(config)# end R2# 69
Message integrity: This helps ensure that a packet has not been tampered with in transit Authentication: This helps ensure that the packet came from a known and trusted source Encryption: This helps to ensure that information cannot be read if the data is captured in transit 70
71
Syslog permits various Cisco devices (and some other non-cisco devices) to send their system messages across the network to syslog servers There are many different Syslog server software packages for Windows and UNIX 72
The logging buffer (RAM inside the router or switch) The console line The terminal lines A syslog server 73
74
A timestamp: *Dec 18 17:10:15.079 The facility on the router that generated the message: %LINEPROTO The severity level: 5 A mnemonic for the message: UPDOWN The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down 75
76
77
Verifying R1(config)#logging 192.168.1.101 By default, Cisco routers and switches send log messages for all severity levels to the console. On some IOS versions, the device also buffers those log messages by default R1(config)# logging console R1(config)# logging buffered R1# show logging 78
Thank you! 79