CCNA Security Notes - WordPress


Cisco CCNA Security Notes (640-553)

Contents

Contents ........................................................ 1
Introduction ..................................................... 3
  Cisco Security Management Tools ................................ 4
  Control of Data ................................................ 4
  Security Policy ................................................ 5
  Risk ........................................................... 6
  System Development Life Cycle (SDLC) ........................... 6
Understanding the Risks .......................................... 7
  Layer 2 risks .................................................. 8
  Layer 3 risks .................................................. 9
  Upper Layer risks ............................................. 11
  Physical ...................................................... 12
Configuring Devices ............................................. 13
  Basic device Configuration .................................... 13
  AAA ........................................................... 15
  User Privileges ............................................... 17
  Logon Security ................................................ 18
  AutoSecure and One Step Lock Down ............................. 19
  Logging ....................................................... 21
  NTP ........................................................... 22
Layer 2 security ................................................ 23
  Port Security ................................................. 23
  802.1x Port Security / Network Admission Control (NAC) ........ 24
  Storm Control ................................................. 24
  SPAN ports (Switched Port Analyzer) ........................... 25
  Securing VLANs ................................................ 25
  Securing IP at Layer 2 ........................................ 27
  Useful Commands ............................................... 28
  Best Practices ................................................ 28
IOS Firewall .................................................... 29
  Firewall Introduction ......................................... 29
  Static Packet Filtering ....................................... 29
  CBAC/Classic Firewall ......................................... 32
  Zone based Firewall (ZFW) ..................................... 32
IPS ............................................................. 35
  IPS Introduction .............................................. 35
  Configuring IPS on a Cisco Router using SDM ................... 37
  Logging & Monitoring .......................................... 38
  Notes ......................................................... 40
VPN / Cryptography .............................................. 41
  Hashing & Digital signatures .................................. 41
  Symmetric Encryption .......................................... 42
  Asymmetric Encryption ......................................... 43
  Choosing an encryption method ................................. 44
  Key Management ................................................ 44
  PKI ........................................................... 45
  IPSec ......................................................... 46
  Configuring Site to Site VPNs ................................. 48
Endpoint Security ............................................... 51
  Endpoint Security Introduction ................................ 51
  Cisco NAC ..................................................... 52
  Cisco Security Agent (CSA) .................................... 53
  IronPort ...................................................... 53
SAN and Voice Security .......................................... 54
  SAN Security .................................................. 54
  Voice Security ................................................ 55
  Notes ......................................................... 56

M Morgan 2010  Page 1 of 56

Introduction

IEEE Standards

IEEE No                Use
802.1d                 STP (Spanning Tree Protocol)
802.1q                 VLAN trunking
802.1w                 RSTP (Rapid Spanning Tree Protocol)
802.1x                 Port based Network Access Control
Ethernet II (DIX 2.0)  Ethernet (with Frame Type field)
802.3                  Ethernet (with Length field)
802.3u                 100Base-T
802.3z                 1000Base-X (Fibre)
802.3ab                1000Base-T (Ethernet)
802.5                  Token Ring
802.11a                5 GHz
802.11b                2.4 GHz (1-6-11 clean channels)
802.11g                2.4 GHz (1-6-11 clean channels)
802.11i                WPA2

Well Known Ports

Protocol        Port           Transport
FTP             20, 21         TCP
SSH             22             TCP
Telnet          23             TCP
SMTP            25             TCP
TACACS+         49             TCP
DNS             53             TCP, UDP
DHCP / BOOTP    67             UDP
TFTP            69             UDP
POP3            110            TCP
NNTP (News)     119            TCP
NTP             123            UDP
SNMP            161, 162       UDP
RADIUS          1645 / 1812    UDP

NIPS – Network IPS
HIPS – Host based IPS

Hardening a system – Remove known system vulnerabilities by upgrading, patching and disabling unneeded applications and services.

Bastion Host – A host which is placed in an exposed position, such as a PC running a firewall. It is therefore expected to be hardened.

Blended Threat – An attacker uses multiple means of propagation, such as viruses with worm like capabilities.

Rainbow Tables – A precomputed table of plain text strings and their corresponding (MD5 / SHA) hashes. This allows an attacker to quickly find a plaintext which generates the required hash, even though that plaintext may well differ from the original hashed text.

Password salting – A random value (the salt) is combined with the password before hashing and is stored alongside the hash. Because of the avalanche effect, a change of even one bit in the hashed input produces a completely different hash, so the same password hashes differently for every user and a precomputed rainbow table no longer matches the stored hashes.

IP Directed broadcast – An IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

Anti-X – Anti Virus, Anti Spam etc.

Cisco Security Management Tools

Security Device Manager (SDM) – A Java/web based tool to configure and manage standalone routers.

Cisco Security Monitoring, Analysis and Response System (MARS) – Appliance based reporting and logging solution that correlates network events from all devices to identify threats. It is able to notify and reconfigure networks to reduce the impact of the threat. The risk of false positives is reduced because MARS correlates data from multiple sources.

Cisco IDS Event Viewer (IEV) – Java based, no cost solution for viewing and managing up to five IPS/IDS sensors. IEV supports SDEE communication with the sensor. IEV is currently being replaced with the Cisco IPS Express Manager (IME).

Cisco Security Manager (CSM) – A powerful GUI management platform to manage a Cisco based network containing up to thousands of devices.
CSM is capable of managing many Cisco devices (ASA, HIPS, VPN etc).

Control of Data

Typical data classifications include military – Unclassified, Sensitive But Unclassified (SBU), Confidential, Secret & Top Secret.
US Government data classification levels – Confidential, Secret & Top Secret.

Roles in data storage / use –
• Owner – Ultimately responsible for the data; selects custodians, decides the classification and reviews the data.
• Custodian – Day to day responsibility for the data, such as backups, reviews of security settings etc.
• User – No responsibility for the classification of the data, but is responsible for the correct use of the data according to operational procedures.

Security Controls –
• Administrative – Controls policies and procedures, including security awareness training, security policies and standards, change controls, audits etc.
• Technical – Controls the electronics, hardware, software etc. Includes IPS, VPN, firewalls, OTP systems, authentication servers etc.
• Physical – Intruder detection, security guards, locks, UPS, fire control systems etc.
Each control can be broken down into three sections: Preventative, Deterrent and Detective.

Response to Security Breaches

To prosecute an attacker the following things must be established:
• Motive – Compile a list of individuals with motive to perform the attack.
• Opportunity – Did the individuals have the opportunity to perform the attack?
• Means – Did the suspected attackers have the technical know-how and tools to perform the attack?

Goals for security –
• Confidentiality – Ensure the data is kept confidential. An example attack is a reconnaissance attack: the attacker wants to gather confidential information, such as data or access passwords, without being noticed. Encryption is a useful method to ensure confidentiality.
• Availability – An example attack is a DoS attack.
• Data integrity – Ensure the data is not changed during a transfer and that the data origin is authentic (an example attack is a man in the middle attack).

Aims – Creation of a dynamic (monitor, revise & adapt to the latest risks) security policy.

Cisco's Defence in Depth – Implement multi layer network defences: ASA/firewalls, NIPS, HIPS (Cisco Security Agent), Out of Band management.

Cisco Self-Defending Network – A suite of security solutions to identify threats, prevent threats and adapt to emerging threats. It consists of two key components, Cisco Security Manager and MARS (Monitoring, Analysis and Response System), to monitor and control network security.
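As an added example, not part of the original notes, the following Python shows concretely what the Rainbow Tables and Password salting glossary entries above describe: two users with the same unsalted password get the same MD5 digest, a precomputed digest-to-plaintext table recovers both with a single lookup, a one character change flips roughly half of the digest bits (the avalanche effect), and a random per-user salt makes the stored digests differ so that no precomputed table matches them while legitimate verification still works. The wordlist, user names and passwords are constructed for the demonstration; the function names are the example's own.

```python
"""Added example (not from the CCNA notes): precomputed hash lookup vs salting.
The wordlist, users and passwords below are constructed for the demonstration."""
import hashlib
import hmac
import os

# Constructed attacker wordlist, standing in for the plaintexts a rainbow
# table covers. A real table stores hash chains; a dict has the same effect.
WORDLIST = ["password", "letmein", "cisco123", "Summer2010", "qwerty"]


def build_lookup_table(words, algo="md5"):
    """Precompute digest -> plaintext for every word (simplified rainbow table)."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def hash_unsalted(password, algo="md5"):
    """The weak scheme: the digest depends on the password alone."""
    return hashlib.new(algo, password.encode()).hexdigest()


def hash_salted(password, salt=None, algo="sha256"):
    """Hash salt || password with a random 16-byte salt; return (salt_hex, digest).
    The salt is stored beside the digest so it can be reused at verification."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.new(algo, salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password, salt_hex, stored_digest, algo="sha256"):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, bytes.fromhex(salt_hex), algo)
    return hmac.compare_digest(digest, stored_digest)


def crack_with_table(stored_digests, table):
    """Return {user: plaintext} for every stored digest found in the table."""
    return {user: table[d] for user, d in stored_digests.items() if d in table}


def differing_bits(hex_a, hex_b):
    """Hamming distance between two hex digests (illustrates the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # Unsalted: alice and bob share a password, so they share a digest, and
    # the precomputed table recovers both with one dictionary lookup each.
    unsalted = {"alice": hash_unsalted("cisco123"), "bob": hash_unsalted("cisco123")}
    print("unsalted cracked:", crack_with_table(unsalted, table))

    # Avalanche: one character changed flips about half of the 128 MD5 bits.
    print("bits differing cisco123/cisco124:",
          differing_bits(hash_unsalted("cisco123"), hash_unsalted("cisco124")))

    # Salted: same password, different salts, different digests; nothing in
    # the precomputed table matches, yet the real user still verifies.
    salt_a, dig_a = hash_salted("cisco123")
    salt_b, dig_b = hash_salted("cisco123")
    print("salted digests equal:", dig_a == dig_b)
    print("salted cracked:", crack_with_table({"alice": dig_a, "bob": dig_b}, table))
    print("alice verifies:", verify_salted("cisco123", salt_a, dig_a))
```

A salt only removes the precomputation advantage; it does nothing to slow an attacker who brute forces each salted hash individually. Production password storage therefore combines a salt with a deliberately slow, memory hard function such as bcrypt, scrypt or PBKDF2 rather than a single SHA-256 as used here for illustration.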
