Introduction to Network Security
Cisco Systems

SEC-1000 8020_05_2003_c2
© 2003, Cisco Systems, Inc. All rights reserved.

Agenda

- Security Year in Review: Slammer, et al.
- Security Policy: Setting a Good Foundation
- Extended Perimeter Security: Define the Perimeter, Firewalls, ACLs
- Identity Services: Passwords, Tokens, PKI, Biometrics
- Secure Connectivity: Work Happens Everywhere, Virtual Private Networks
- Intrusion Protection: Network, Host
- Security Management: Wrapping It All Together


Security Year in Review

- Are incidents decreasing?
- SQL Slammer
- Other security headlines

Are Incidents Decreasing?

Reported losses by type of crime (US$ millions):

Type of Crime                        2001      2002
Theft of Proprietary Information   $151.2    $170.8
Financial Fraud                     $92.9    $115.7
Insider Net Abuse                   $45.3     $49.9
Sabotage                             $5.2     $15.1
Unauthorized Access by Insiders      $6.1      $4.5
Laptop Theft                         $8.8     $11.7
Denial of Service                    $4.3     $18.4
System Penetration by Outsiders     $19.0     $13.0
Total                               $378M     $456M

Compare this to the cost of implementing a comprehensive security solution!

Source: FBI 2002 Report on Computer Crime

Number of Incidents: Always on the Rise

Figure: CERT Number of Incidents Reported (*), per year, from http://www.cert.org/stats/cert_stats.html#incidents

(*) An incident may involve one site or hundreds (or even thousands) of sites; also, some incidents may involve ongoing activity for long periods of time.

Two of the Most Significant Vulnerabilities Reported to the CERT/CC in 2002

Multiple vulnerabilities in BIND
On November 14, 2002, the CERT/CC published CA-2002-31, describing multiple vulnerabilities in BIND, the popular domain name server and client library software package from the Internet Software Consortium (ISC); some of these vulnerabilities may allow a remote intruder to execute arbitrary code with the privileges of the user running named (typically root).

Multiple vulnerabilities in SNMP
In February, the CERT/CC began receiving reports of vulnerabilities in multiple vendors' implementations of SNMP, the Simple Network Management Protocol; the CERT/CC documented these vulnerabilities in CA-2002-03, which highlighted related vulnerability notes, fixes, and affected vendors.

The SQL Slammer Worm: What Happened?

- Released at 5:30 GMT, January 25, 2003
- Saturation point reached within 2 hours of the start of infection
- 250,000 to 300,000 hosts infected
- Internet connectivity affected worldwide

The SQL Slammer Worm: 30 Minutes after Release

- Infections doubled every 8.5 seconds
- Spread 100x faster than Code Red
- At peak, scanned 55 million hosts per second

Network Effects of the SQL Slammer Worm

- Several service providers noted significant bandwidth consumption at peering points
- Average packet loss at the height of infections was 20%
- South Korea lost almost all Internet service for a period of time
- Financial ATMs were affected
- SQL Slammer overwhelmed some airline ticketing systems

Other Security Headlines

Gates: Security is top priority (1/2002)
Microsoft Chairman Bill Gates sends an e-mail to company employees outlining a shift from focusing on features to spotlighting security and privacy; critics say it's about time.

Lots of pomp, no circumstance (3/2002)
More than a month after a major Microsoft security push, observers are still waiting for real evidence that the company's priorities have changed.

Network Vulnerabilities

Figure: four attacks on traffic between Alice and Bob:
- Loss of privacy: a password ("m-y-p-a-s-s-w-o-r-d d-a-n") is read off the wire
- Data theft: the corporate business plan ("Expand into Mallet's core area") is captured in transit
- Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
- Loss of integrity: a customer's "Deposit $1000" instruction reaches the bank as "Deposit $100"

Network Security: Data Security Assurance

Confidentiality
- Benefit: ensures data privacy
- Shuns: sniffing, replay

Integrity
- Benefit: ensures data is unaltered during transit
- Shuns: alteration, replay

Authentication
- Benefit: ensures identity of originator or recipient of data
- Shuns: impersonation, replay

Business Security Objectives: Balance Business Needs with Security Risks

Access: Connectivity, Performance, Ease of Use, Manageability, Availability

Security: Authentication, Authorization, Accounting, Assurance, Policy Management, Confidentiality, Data Integrity


Security Policy: Setting a Good Foundation

- What is a security policy?
- Why create a security policy?
- What should it contain?

Start with a Security Policy

A security policy defines and sets a good foundation by addressing:

- Definition: define the data and assets to be covered by the security policy
- Identity: how do you identify the hosts and applications affected by this policy?
- Trust: under what conditions is communication allowed between networked hosts?
- Enforceability: how will the policy's implementation be verified?
- Risk Assessment: what is the impact of a policy violation? How are violations detected?
- Incident Response: what actions are required upon a violation of the security policy?

What Is a Security Policy?

"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." (RFC 2196, Site Security Handbook)

Why Create a Security Policy?

- To create a baseline of your current security posture
- To set the framework for security implementation
- To define allowed and not allowed behaviors
- To help determine necessary tools and procedures
- To communicate consensus and define roles
- To define how to handle security incidents

What Should the Security Policy Contain?

- Statement of authority and scope
- Acceptable use policy
- Identification and authentication policy
- Internet use policy
- Campus access policy
- Remote access policy
- Incident handling procedure

Security Policy Elements

Figure: network design factors (left) and Internet threat vectors (right), with POLICY in the center.

On the left are the network design factors upon which security policy is based:
- Data Assessment
- Host Addressing
- Application Definition
- Usage Guidelines
- Topology/Trust Model

On the right are the basic Internet threat vectors that security policies are written to mitigate:
- Vulnerabilities
- Denial of Service
- Misuse
- Reconnaissance

Enforcement: The Security Wheel

Figure: Policy at the hub of a continuous cycle of Secure, Monitor, Audit and Manage.

Secure
- Identity and authentication
- Filtering and stateful inspection
- Encryption and VPNs

Monitor
- Intrusion detection and response
- Content-based detection and response
- Employee monitoring

Audit
- Security posture assessment
- Vulnerability scanning
- Patch verification/application auditing

Manage
- Secure device management
- Event/data analysis and reporting
- Network security intelligence

Risk Assessment

- Some elements of network security are absolute; others must be weighed relative to the potential risk
- When you connect to the Internet, the Internet connects back to you
- Sound operational procedures and management are easier to implement than technical solutions
- You can't secure a bad idea
- The cost of secure solutions must be factored into the overall Return on Investment (ROI)
- Security must be included in planning and design
- Effective security requires managerial commitment

What Is Trust?

- Trust is the inherent ability for hosts to communicate within a network design
- Trust and risk are opposites; security is based on enforcing and limiting trust
- Within subnets, trust is based on Layer 2 forwarding mechanisms
- Between subnets, trust is based on Layer 3+ mechanisms

Incident Response

- Attacks are intentional; there are no accidental or stray IP packets
- Four levels of incidents:
  - Network misuse
  - Reconnaissance
  - Attack
  - Compromise
- Without incident response plans, only passive defenses have value


Extended Perimeter Security

- Can you define the perimeter?
- Dissimilar policy boundaries
- Access control
- Firewalls: the first line of defense

Can You Define the Perimeter?

Figure: an enterprise network and the many boundaries it now spans: campus LAN, campus/WAN backbone (multi-gigabit Ethernet), mainframe, storage, multiservice WAN (SONET, IP, ATM, Frame Relay), IP telephony, video conferencing (ISDN, PSTN), content networking, security/VPN, mobility, international sales offices, suppliers, telecommuters and mobile users.

Filtering Network Traffic

Examining the flow of data across a network. Types of flows:
- Packets
- Connections
- State

Access Control Lists (ACLs)

Figure: the 20-byte IP packet header (bits 0 to 31 per row), with the Source IP Address and Destination IP Address fields highlighted.

- Simple ACLs look at information in IP packet headers
- Many filters are based on the packet's source and destination IP address
- Extended ACLs look further into the packet, at the TCP or UDP port number in use for the TCP/IP connection between hosts

The Evolution of ACLs

Dynamic ACLs
Lock-and-key filtering (dynamic ACLs) allows an authenticated user to pass traffic that would normally be blocked at the router.

Reflexive ACLs
Creates a temporary ACL that allows specified IP packets to be filtered based on TCP or UDP session information; the ACL expires shortly after the session ends (no sequence numbers are tracked).

Firewalls

Four types of firewalls:
- Proxies (application-layer firewalls)
- Stateful
- Hybrid
- Personal

Implementation methods:
- Software
- Appliance

Proxy Firewalls

- Proxy firewalls permit no traffic to pass directly between networks
- Provide intermediary-style connections between the client on one network and the server on the other
- Also provide significant logging and auditing capabilities
- For HTTP (application-specific) proxies, all web browsers must be configured to point at the proxy server
- Example: Microsoft ISA Server

Stateful Firewalls

Access Control Lists plus maintaining state:
- Stateful firewalls inspect and maintain a record (a state table) of the state of each connection that passes through the firewall
- To adequately maintain the state of a connection, the firewall needs to inspect every packet
- But shortcuts can be made once a packet is identified as being part of an established connection
- Different vendors record slightly different information about the state of a connection
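An added example (not from the Cisco deck) of the rule-plus-state decision described on the ACL, reflexive ACL and stateful firewall slides, written in Python: packets belonging to an established session are permitted from the state table, everything else walks the ACL, and the reflexive entry created by a permitted packet expires after an idle timeout. All addresses, ports, rules and the 30-second timeout are constructed values.

```python
"""Toy stateful packet filter: an ACL plus a state table (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]     # src, dst, sport, dport, proto


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str        # "tcp" or "udp"
    direction: str    # "out" (inside to outside) or "in" (outside to inside)


@dataclass(frozen=True)
class Rule:
    """One extended-ACL entry: direction, protocol, destination port, action."""
    direction: str
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None matches any destination port
    action: str               # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class StatefulFilter:
    """Every packet is inspected, but a hit in the state table short-cuts the
    rule walk; a permitted packet leaves a reflexive entry so the reply in the
    other direction passes, and idle entries expire like a reflexive ACL."""

    def __init__(self, rules: List[Rule], idle_timeout: float):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.state: Dict[FiveTuple, float] = {}   # 5-tuple -> last time a packet was seen

    @staticmethod
    def _key(pkt: Packet) -> FiveTuple:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse_key(pkt: Packet) -> FiveTuple:
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)

    def _expire(self, now: float) -> None:
        for key in [k for k, seen in self.state.items() if now - seen > self.idle_timeout]:
            del self.state[key]

    def process(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        # 1. Established session (either direction)? Permit from state and refresh it.
        for key in (self._key(pkt), self._reverse_key(pkt)):
            if key in self.state:
                self.state[key] = now
                return "permit (state)"
        # 2. Otherwise walk the ACL top-down: first match wins, implicit deny at the end.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.state[self._key(pkt)] = now   # reflexive entry for the return traffic
                    return "permit (rule)"
                return "deny (rule)"
        return "deny (implicit)"


def demo() -> List[str]:
    """An inside client browsing an outside web server through the filter (constructed addresses)."""
    fw = StatefulFilter(
        rules=[Rule("out", "tcp", 80, "permit"),    # inside hosts may browse the web
               Rule("in", "tcp", 25, "permit"),     # outside may reach the mail relay
               Rule("in", "any", None, "deny")],    # any other inbound traffic is denied
        idle_timeout=30.0,
    )
    client_syn = Packet("10.0.0.5", "203.0.113.10", 40000, 80, "tcp", "out")
    server_reply = Packet("203.0.113.10", "10.0.0.5", 80, 40000, "tcp", "in")
    unsolicited = Packet("203.0.113.10", "10.0.0.5", 80, 40001, "tcp", "in")
    return [
        fw.process(client_syn, now=0.0),      # permit (rule): creates the state entry
        fw.process(server_reply, now=1.0),    # permit (state): reverse 5-tuple is in the table
        fw.process(unsolicited, now=1.0),     # deny (rule): no state, inbound ACL denies it
        fw.process(server_reply, now=60.0),   # deny (rule): the entry expired after 30 s idle
    ]


if __name__ == "__main__":
    print(demo())
```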

Hybrid Firewalls

Hybrid firewalls combine features of other firewall approaches, such as:
- Access Control Lists
- Application-specific proxies
- State tables

Plus features of other devices:
- Web (HTTP) cache
- Specialized servers: SSH, SOCKS, NTP
- May include VPN, IDS

Personal Firewalls

- Protecting remote users/home users
- Watching inbound/outbound traffic
- Creating basic rules
- Example: ZoneAlarm


Identity Services

- User identity
- Passwords
- Tokens
- PKI
- Biometrics

User Identity

Mechanisms for proving who you are; both people and devices can be authenticated.

Three authentication attributes:
- Something you know
- Something you have
- Something you are

Common approaches to identity:
- Passwords
- Tokens
- Certificates

Validating Identity

- Identity within the network is based overwhelmingly on IP Layer 3 and 4 information carried within the IP packets themselves
- Application-level user authentication exists, but is most commonly applied on endpoints
- Therefore, identity validation is often based on two mechanisms: rule matching, and matching existing session state
- Address and/or session spoofing is a major identity concern

Passwords

Correlates an authorized user with network resources.

Figure: a PIX Firewall login dialog ("Username and Password Required: Enter username for CCO at www.com") with User Name "student" and Password "123@456", and OK/Cancel buttons.

Passwords

- Passwords have long been, and will continue to be, a problem
- People will do what is easiest
- Create and enforce good password procedures:
  - Non-dictionary passwords
  - Changed often (90 to 120 days)
- Passwords are like underwear: they should be changed often, and neither hung from your monitor nor hidden under your keyboard

Tokens

Strong (2-factor) authentication based on something you know and something you have.

Figure: the PIX Firewall login dialog ("Username and Password Required: Enter username for server at www.com"), where user "jdoe" enters the token code 234836 as the password; the PIX checks it against an ACE Server, which answers that access is granted or denied.

Public Key Infrastructure (PKI)

- Relies on a two-key system
- J Doe signs a document with his private key
- The person who receives that document uses J Doe's public key to verify authenticity and decrypt

Figure: jdoe presents a certificate signed by the Certificate Authority us.org ("I am jdoe!"); the recipient authenticates and decrypts ("This is jdoe, signed by us.org"), with certificates distributed over the Internet.

Biometrics

- Authentication based on physiological or behavioral characteristics
- Features can be based on:
  - Face
  - Fingerprint
  - Eye
  - Handwriting
  - Voice
- Becoming more accepted and widely used; already used in government, military, retail, law enforcement, health and social services, etc.


Secure Connectivity

- Work happens everywhere!
- Virtual Private Networks

Work Happens Everywhere: Increasing Need for Transparent Corporate Connectivity

On the road (hotels, airports, convention centers)
- 280 million business trips a year
- Productivity decline away from the office: more than 60 to 65%

At home (teleworking)
- 137 million telecommuters by 2003
- 40% of U.S. telecommuters are from large or mid-size firms

At work (branch offices, business partners)
- E-business requires agile networks
- Branch offices should go where the talent is

Source: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners In-Stat 5/01); At Work (Wharton Center for Applied Research)

What Are VPNs?

A network built on a less expensive shared infrastructure with the same policies and performance as a private network.

Figure: a Virtual Private Network connecting Central/HQ with regional sites, branches, SoHo, telecommuters, mobile users, partners and customers.

Secure Connectivity

Defines peers:
- Two devices in a network that need to connect
- A tunnel makes the peers seem virtually next to each other, ignoring the network complexity in between

Technologies:
- PPTP: Point-to-Point Tunneling Protocol
- L2TP: Layer 2 Tunneling Protocol
- IPSec
- Secure Shell
- SSL

What Is IPSec?

Internet Protocol Security: a set of security protocols and algorithms used to secure IP data at the network layer. IPSec provides data confidentiality (encryption), integrity (hash), and authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks.

Encryption Layers

- Application layers (5-7): application-layer encryption (SSL, PGP, S-HTTP)
- Transport/network layers (3-4): network-layer encryption (IPSec, CET)
- Link/physical layers (1-2): link-layer encryption (KG, KIV)

IPSec Protocols

Encryption (data privacy):
- DES: Data Encryption Standard
- 3DES: Triple Data Encryption Standard

Integrity/authentication (data exchange verification):
- IKE: Internet Key Exchange
- RSA / DSS: Rivest, Shamir, Adleman / Digital Signature Standard
- X.509v3 digital certificates
- MD5 / SHA: Message Digest 5 / Secure Hash Algorithm

Transport format:
- AH / ESP: Authentication Header / Encapsulating Security Payload

Modes:
- Tunnel / Transport: network to network / host to host

What Is Encryption?

Encryption: to convert messages to something incomprehensible by means of a key, so that they can be reconverted only by an authorized recipient holding the matching key.

Cipher: a system in which units of plain text are arbitrarily transposed or substituted according to a predetermined key.

Source: Encarta World English Dictionary, The American Heritage Dictionary

What Is a Key?

Key: an initial, primary value input to a computational algorithm, producing a theoretically unique result exclusive to the input value.

Figure: a key and encrypted input fed into the algorithm; the correct key yields the decrypted ("opened") result, an incorrect key leaves it encrypted ("locked").

One-Time Key

One-time key: a unique key is used once, and only once, per encryption operation. For every encryption operation a new, unrelated key is generated, used, then discarded.

Figure: a first encrypt operation with one key, then a second encrypt operation with a new key.

Symmetrical Keys

Symmetrical key: the same key is used for initiating the encryption process and initiating the decryption process.

Figure: encryption with key (A) locks; decryption with the same key (A) unlocks.

Asymmetrical Keys

Asymmetrical key: a different key is used for initiating the encryption process and initiating the decryption process.

Figure: encryption with key (A) locks; decryption with key (B) unlocks.

Soft Key

Soft key: a numerical value that acts as the algorithmic input to initiate the encryption or decryption process.

Figure: a 1024-bit RSA key shown as a block of hexadecimal digits.

Encryption Process

Encryption process: inputting a key into an algorithm that acts upon a message to produce encrypted output.

Figure: key (numerical) + message (converted to numerical), fed through a toy encryption algorithm (1. multiply key and message; 2. then add 400; 3. then divide by 2) = encrypted output.

Pre-Shared Key (PSK)

Symmetric encryption: both parties exchange encrypted messages using the same, shared key for both encryption and decryption.

Figure: Alice and Bob each hold the shared key; either side encrypts a message with it, sends the encrypted message across the Internet, and the other side decrypts it with the same key.

Public Key Infrastructure (PKI)

Asymmetric encryption: a distributed public key is used to encrypt messages that can only be decrypted with a private key held by the publisher of the public key.

Figure: Bob encrypts a message with Alice's public key and sends it across the Internet; Alice decrypts it with her private key. In the other direction, Alice encrypts with Bob's public key and Bob decrypts with his private key.

Modern Digital Encryption: DES

Figure: the DES data path (message text) and key schedule (encryption key).

Message text:
1. Plain text (64-bit data block)
2. Initial permutation (IP): split the data block into two 32-bit blocks, left and right
3. Data blocks expanded to 48-bit blocks

Rounds:
1. Data and key combined 16 times
2. Data compressed to 32-bit blocks
3. Final permutation (FP): join the data blocks into one 64-bit block, the cipher text

Encryption key:
1. 64-bit key reduced to a 56-bit key (every 8th bit ignored)
2. 56-bit key transformed with a shift permutation
3. 48 bits selected from the 56-bit key, giving the 48-bit round key

Digital Encryption Algorithms

DES/3DES (Triple DES): the IPSec standard encryption algorithm

Others: Lucifer, Madryga, FEAL, REDOC, LOKI, Khufu/Khafre, RC2, RC5, IDEA, MMB, CA-1.1, SkipJack, GOST, CAST, Blowfish, SAFER, 3-Way, CRAB, RSA

What Is DES/3DES?

Data Encryption Standard: DES is a published, U.S. Government approved encryption algorithm.

DES
- DES is a single algorithm instance
- DES uses a 56-bit key to encrypt 64-bit datagrams

3DES
- 3DES is the DES algorithm performed three times sequentially
- Two-key 3DES encrypts 1-2-1, resulting in a 112-bit key strength
- Three-key 3DES encrypts 1-2-3, resulting in a 168-bit key strength

DES/3DES Vulnerability

Brute-force attack:
- A single Pentium III class workstation can break a DES key in less than 10 hours
- A million Pentium III class workstations can break a (3-key) 3DES key in 10,000,000,000,000 years

3DES is subject to cryptanalytic attacks by insertion of a known payload.

AES: The New Encryption Standard

Advanced Encryption Standard: AES is the new U.S. Government approved encryption algorithm.

AES
- AES is based on the Rijndael algorithm
- AES is a single algorithm instance using the Square cipher
- AES uses a 128, 192, or 256 bit key to encrypt 128, 192, or 256 bit datagrams, independently
- AES operates efficiently in hardware and software

Hashing and Digital Signatures

Hash/Signature Protection

Figure: the impersonation ("I'm Bob. Send me all corporate correspondence with Cisco.") and loss-of-integrity (a customer's "Deposit $1000" to the bank altered to "Deposit $100") attacks from the Network Vulnerabilities slide.

Hashes and signatures guarantee the identity of peers and message integrity during transport over untrusted or public networks.

What Is a Hash?

Hash: a one-way mathematical summary of a message such that the hash value cannot be (easily) reconstituted back into the original message, even with knowledge of the hash algorithm.

Figure: a clear-text message goes into the hash function; hash text comes out.

Hashing Process

Figure: hashing compared to juicing an apple. A copy of the original message goes through a toy hash algorithm (1. divide by 2.84; 2. then multiply by 9; 3. then square) to produce the hash output, just as an apple is sliced, diced and mashed into apple juice.

Hash Verification

Figure: the sender computes the hash of the message and sends the message with the hash appended; the receiver isolates the appended hash, computes the hash over its copy of the message and compares the two. If the hashes are equal, the message is unaltered; if the hashes are unequal, the message has been altered.

Hashing Algorithms

- MD5 (Message Digest 5): older but most widely supported hash algorithm
- SHA (Secure Hash Algorithm): newer and more secure hash than MD5
- HMAC (Hash-based Message Authentication Code): further hash security through inclusion of a key with the message in the hash process (similar to a MAC)
- HMAC-MD5 and HMAC-SHA are used by IPSec to strengthen hash integrity
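An added example, not part of the deck, that contrasts the appended-hash check of the Hash Verification slide with a keyed HMAC of the kind IPSec uses: an unkeyed hash can be recomputed by whoever rewrites the message, a keyed one cannot. The message, the shared key and the altered amount are constructed, and MD5 and SHA-256 stand in for the MD5/SHA pair on the slide.

```python
"""Appended plain hash vs keyed HMAC on a message in transit (constructed example)."""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"   # in IPSec this comes from the security association


def append_hash(message: bytes) -> bytes:
    """Sender side of the Hash Verification slide: message || MD5(message)."""
    return message + hashlib.md5(message).digest()


def verify_hash(blob: bytes) -> bool:
    """Receiver side: isolate the appended hash, recompute over the copy, compare."""
    message, appended = blob[:-16], blob[-16:]
    return hmac.compare_digest(hashlib.md5(message).digest(), appended)


def append_hmac(message: bytes, key: bytes) -> bytes:
    """HMAC: the key takes part in the hash, so only a key holder can produce the tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(blob: bytes, key: bytes) -> bool:
    message, appended = blob[:-32], blob[-32:]
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), appended)


def alter_in_transit(blob: bytes, digest_len: int, old: bytes, new: bytes) -> bytes:
    """Model of the loss-of-integrity slide: a party on the path rewrites the message
    and re-appends the best value it can compute without the key, a plain hash."""
    message = blob[:-digest_len].replace(old, new)
    unkeyed = hashlib.md5 if digest_len == 16 else hashlib.sha256
    return message + unkeyed(message).digest()


def demo() -> dict:
    order = b"Deposit $1000 to account 42"          # constructed message
    plain, keyed = append_hash(order), append_hmac(order, SHARED_KEY)
    return {
        # An unkeyed hash detects accidental corruption only: the check still passes
        # after the amount and the hash have both been rewritten.
        "plain_ok": verify_hash(plain),
        "plain_after_alteration": verify_hash(alter_in_transit(plain, 16, b"$1000", b"$100")),
        # With the key in the hash process the same rewrite is caught, and so is a wrong key.
        "hmac_ok": verify_hmac(keyed, SHARED_KEY),
        "hmac_after_alteration": verify_hmac(alter_in_transit(keyed, 32, b"$1000", b"$100"), SHARED_KEY),
        "hmac_wrong_key": verify_hmac(keyed, b"some-other-key"),
    }
```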

Digital Signature Generation

Figure: a copy of the message goes through the hash function (hash algorithm: MD5, SHA) to produce the hash output; the hash is then encrypted with the signer's private key, giving the private-key-encrypted hash, which is the signature.

- The signature guarantees the authenticity of the hash
- The signature uses asymmetric keys: the private key encrypts the hash and the public key decrypts the hash (the opposite of message encryption)
- Only the holder of the private key could have encrypted the hash, which can be verified through successful decryption with the public key

Digital Signature Verification

Figure: the message arrives with the encrypted hash appended; the receiver decrypts the appended hash with the signer's public key, computes the hash over its copy of the message and compares the two. If the hashes are equal, the message is unaltered; if the hashes are unequal, the message has been altered.

Signature Algorithms

RSA (Rivest, Shamir, Adleman):
- Most popular and widely implemented signature algorithm
- Can be used for both signatures and message encryption
- Typically slower than DES for message encryption

DSA (Digital Signature Algorithm):
- Proposed by NIST (National Institute of Standards and Technology) as the FIPS (Federal Information Processing Standard) Digital Signature Standard (DSS)
- Slower signature verification than RSA, and a 512 or 1024 bit key size
- Plagued by patent infringement issues (the Schnorr patent expires in 2008)

What Is a Digital Certificate?

Digital certificate: a digital document that authenticates the identity of a subject (i.e. an individual user or an organization) and provides their public encryption key.

Standard certificate information:
- Name
- Public key
- Digital signature
- Certificate issuing authority

X.509v3 Digital Certificate

Fields of a sample certificate, with the meaning of each:

- Version: V3 (certificate version)
- Serial Number: 5B74 F440 66CC 70CD B972 4C5B 7E20 68D1 (certificate ID)
- Signature Algorithm: md5RSA (encryption algorithm)
- Issuer (Certificate Authority):
  CN = VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
  OU = www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98
  OU = VeriSign Trust Network
  O = VeriSign, Inc.
- Valid From: Thursday, June 22, 2000 8:00:00 PM (certificate lifetime)
- Valid To: Saturday, June 23, 2001 7:59:59 PM
- Subject (certificate user ID, the Digital ID):
  E = jmccloud@cisco.com
  CN = Joshua McCloud
  OU = Digital ID Class 1 - Microsoft Full Service
  OU = Persona Not Validated
  OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
  OU = VeriSign Trust Network
  O = VeriSign, Inc.
- Public Key: 3481 8B02 9181 01AC AF8B (RSA 1024-bit public key, shown truncated)
- Thumbprint: 7A52 28D0 1A0C FFD6 859A (digital signature, shown truncated)

Certificate Infrastructure Entities

- Certificate: digital identity document with the document hash encrypted by the CA
- Certificate Authority (CA): trusted third party responsible for authorizing certificates; the CA encrypts the certificate with the CA private key
- Hierarchical Authority: trusted party delegated authority for authorizing certificates
- Web of Trust: individual party that authorizes certificates based on mutual trust
- Certificate Revocation List (CRL): list of explicitly revoked certificates
- Certificate Authority Workstation (CAW): special system dedicated to authorizing certificates

Certificate Enrollment
1. Candidate registers identity with the CA and submits the public key of a key pair the candidate generated (the private key never leaves the candidate)
2. CA verifies the identity, then generates and signs the certificate with the CA private key
3. CA e-mails the candidate a URL to pick up the certificate
4. Candidate downloads the certificate and the CA public key (the CA certificate)
Diagram: identity registration flows from the candidate across the Internet to the CA, which stores the result in its certificate/CRL database; certificate distribution flows back to the candidate.
Step 4 is the weak point: the CA public key is what every later validation rests on, so it must be obtained over a trusted channel or its fingerprint checked out of band. Anyone who can substitute their own CA key at this step can mint certificates the candidate will accept.

Common CA Certificate Validation

Diagram: Alice and Bob exchange certificates across the Internet; the CA's certificate/CRL database is reachable over LDAP; both hold the CA public key.

Bob and Alice possess a copy of the CA's public key
1. Bob and Alice verify each other's certificate signature with the CA public key
2. Bob and Alice check whether each other's certificate is listed in the CRL, fetched from the CA's certificate/CRL database (over LDAP in the diagram)
Two checks the slide leaves implicit but every validator performs: the certificate must be inside its validity period, and the subject named in it must be the peer you meant to talk to. The CRL must itself be checked the same way as a certificate (CA signature present and valid, not past its next-update time); otherwise an attacker who can serve a stale or forged CRL can hide a revocation.
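The validation procedure above, worked through in code. This is an added example, not Cisco's code: it implements the three checks a relying party performs (CA signature, validity period, CRL lookup) and also verifies the CRL's own signature and freshness. The RSA signing is a textbook toy over two known Mersenne primes with no padding, an assumption made only so the block runs on the standard library; the certificate fields, serials, dates and the CRL contents are constructed sample data.

```python
"""Certificate validation as the slide describes it, plus the checks it leaves out.

Added example, not Cisco's code. Signatures are textbook RSA over two known
Mersenne primes with no padding, just to keep the block self-contained; a real
validator uses a library (e.g. 'cryptography') with X.509 DER and padded signatures."""
import hashlib
import json

# Toy CA key pair. ASSUMPTION: these sizes are far too small for real use;
# 2^89-1 and 2^107-1 are chosen only because they are known primes.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
CA_PUBLIC_KEY = (_N, _E)      # the copy Bob and Alice each hold
_CA_PRIVATE_KEY = _D          # lives only on the CA workstation


def _digest(tbs):
    """Hash of the to-be-signed fields, canonicalised so signer and verifier hash the
    same bytes; truncated to 160 bits so the integer is below the toy modulus."""
    data = json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def ca_sign(tbs):
    """CA side: attach a signature over the hash of the fields (used for certificates
    and for the CRL alike, since both are CA-signed documents)."""
    return {"tbs": tbs, "signature": pow(_digest(tbs), _CA_PRIVATE_KEY, _N)}


def signature_ok(signed, ca_public_key=CA_PUBLIC_KEY):
    """Relying-party side: recover the signed hash with the CA public key and compare."""
    n, e = ca_public_key
    return pow(signed["signature"], e, n) == _digest(signed["tbs"])


def validate_certificate(cert, crl, now, ca_public_key=CA_PUBLIC_KEY):
    """Return (ok, reason). Order matters: nothing inside an unverified certificate
    (its serial, its dates) may be trusted before the CA signature checks out.
    Dates are ISO-8601 strings, which compare correctly as strings."""
    if not signature_ok(cert, ca_public_key):
        return False, "certificate signature does not verify"
    tbs = cert["tbs"]
    if not (tbs["not_before"] <= now <= tbs["not_after"]):
        return False, "certificate outside its validity period"
    # The CRL is itself a CA-signed document with a freshness window; an unsigned
    # or stale CRL would let an attacker hide a revocation.
    if not signature_ok(crl, ca_public_key):
        return False, "CRL signature does not verify"
    if not (crl["tbs"]["this_update"] <= now <= crl["tbs"]["next_update"]):
        return False, "CRL is stale or not yet valid"
    if tbs["serial"] in crl["tbs"]["revoked"]:
        return False, "certificate revoked"
    return True, "ok"


# Constructed sample data (serials, names and the CRL are made up; the one-year
# lifetime mirrors the certificate on the slide).
ALICE_CERT = ca_sign({"serial": "5B74F440", "subject": "CN=Alice, O=Example",
                      "public_key": "alice-public-key-bytes",
                      "not_before": "2000-06-22", "not_after": "2001-06-23"})
BOB_CERT = ca_sign({"serial": "7E2068D1", "subject": "CN=Bob, O=Example",
                    "public_key": "bob-public-key-bytes",
                    "not_before": "2000-06-22", "not_after": "2001-06-23"})
CRL = ca_sign({"revoked": ["7E2068D1"],              # Bob reported his laptop stolen
               "this_update": "2000-09-01", "next_update": "2000-10-01"})

if __name__ == "__main__":
    print(validate_certificate(ALICE_CERT, CRL, "2000-09-15"))   # (True, 'ok')
    print(validate_certificate(BOB_CERT, CRL, "2000-09-15"))     # revoked
    forged = {"tbs": dict(ALICE_CERT["tbs"], subject="CN=Mallory"),
              "signature": ALICE_CERT["signature"]}
    print(validate_certificate(forged, CRL, "2000-09-15"))       # signature fails
```

The check order is the point: a tampered subject field fails at the signature step before the validator ever looks at the serial, and a tampered CRL fails before its (now empty) revocation list is consulted.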

Key Management Issues

Multiple Keys:
User may have a signature key, an encryption key, and application keys, each with its own certificate and lifecycle
Password Loss:
User may forget the password (passphrase) protecting one or more keys
Key Loss:
User may lose one or more keys through equipment loss (e.g., a laptop)
Key Compromise:
User key may be stolen; the certificate must be revoked and the CRL republished promptly
User Departure:
User may leave the company, requiring the key to be revoked
Lock-Out:
Data encrypted with a lost key may be irretrievable; the usual answer is escrow or backup of encryption keys (never of signature keys, whose value depends on being held by one party only)


IPSec Operational Modes

Authentication Header (AH):
Guarantees integrity and authenticity with a keyed hash (the ICV) carried in an AH header inserted after the IP header; the hash also covers the non-mutable fields of the IP header itself. Does NOT employ encryption
Encapsulating Security Payload (ESP):
Guarantees integrity, authenticity, and privacy by encrypting the IP packet payload and appending a trailer and a keyed-hash authentication field (the authentication is formally optional; never deploy ESP without it)
Transport Mode:
IP packet format employing AH, ESP or ESP/AH for protection of the payload only; the original IP header stays in the clear. Provides peer-to-peer (host-to-host) protection
Tunnel Mode:
IP packet format employing AH, ESP or ESP/AH for protection of the entire original IP packet (including its IP header), which is encapsulated behind a new outer IP header. Provides network-to-network (gateway-to-gateway) and remote-access protection

Authentication Header (AH)

AH authenticates IP packets or payloads using HMAC-SHA-1 or HMAC-MD5 (truncated to a 96-bit ICV)
AH expands the original IP packet by 24 bytes with a 96-bit ICV, which can push it past the path MTU and force fragmentation
Before: IP HDR | DATA
After:  IP HDR | AH HDR | DATA
IP protocol number = 51
Because the ICV covers the source and destination addresses, a NAT that rewrites either address breaks AH; this, more than anything else, is why ESP displaced AH in practice.
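What the AH ICV covers, and why that matters for NAT, as an added example (not Cisco's code). The block builds a minimal IPv4 packet, inserts an AH header and computes the HMAC-SHA1-96 ICV over the IP header with its mutable fields zeroed, the AH header with a zeroed ICV, and the payload, as RFC 2402 specifies. The key and addresses are constructed for the demo; the IPv4 header checksum is left at zero because it is a mutable field and plays no part in the ICV.

```python
"""Authentication Header coverage, as an added example (not Cisco's code).

Builds a minimal IPv4 packet, inserts an AH header (protocol 51) and computes
the HMAC-SHA1-96 ICV the way RFC 2402 describes: over the IP header with its
mutable fields zeroed, the AH header with a zeroed ICV field, and the payload.
It then shows why AH survives a router hop (TTL changes) but not a NAT (address changes)."""
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51
ICV_LEN = 12                     # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_HDR_LEN = 12 + ICV_LEN        # next hdr, payload len, reserved, SPI, seq + ICV = 24 bytes
KEY = b"constructed-demo-key"    # ASSUMPTION: shared SA key, made up for the demo


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (fixed identification, no options, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _authenticated_bytes(ip_hdr, ah_hdr_no_icv, payload):
    """What the ICV covers: the IP header with mutable fields (TOS, flags/fragment
    offset, TTL, checksum) zeroed, then AH with its ICV zeroed, then the payload."""
    ver_ihl, tos, tlen, ident, flags, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr)
    immutable = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)
    return immutable + ah_hdr_no_icv + bytes(ICV_LEN) + payload


def _icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(src, dst, inner_proto, payload, spi=0x1000, seq=1):
    """Transport-mode AH: IP HDR | AH HDR | DATA. The AH 'Payload Len' field is the
    AH length in 32-bit words minus 2, i.e. (24 / 4) - 2 = 4 for a 96-bit ICV."""
    total_len = 20 + AH_HDR_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, total_len)
    ah_no_icv = struct.pack("!BBHII", inner_proto, AH_HDR_LEN // 4 - 2, 0, spi, seq)
    icv = _icv(_authenticated_bytes(ip_hdr, ah_no_icv, payload))
    return ip_hdr + ah_no_icv + icv + payload


def ah_verify(packet):
    """Receiver side: recompute the ICV over the received packet and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = _icv(_authenticated_bytes(ip_hdr, ah_no_icv, payload))
    return hmac.compare_digest(expected, icv)


def router_hop(packet):
    """A router decrements TTL: a mutable field, so the ICV still verifies."""
    ttl = packet[8] - 1
    return packet[:8] + bytes([ttl]) + packet[9:]


def nat_rewrite_source(packet, new_src):
    """A NAT rewrites the source address: an immutable field, so the ICV breaks."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


if __name__ == "__main__":
    pkt = ah_protect("10.0.0.5", "192.0.2.10", 17, b"constructed UDP payload")
    print("original verifies:", ah_verify(pkt))                              # True
    print("after router hop:", ah_verify(router_hop(pkt)))                   # True
    print("after NAT:", ah_verify(nat_rewrite_source(pkt, "203.0.113.7")))   # False
```

Run it and the three results tell the whole AH story: the receiver accepts the packet after an ordinary router has touched it, rejects it after a NAT has, and rejects it if a single payload byte changes.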


Encapsulating Security Payload (ESP)

ESP encrypts the IP packet payload; in 2003 the choices were DES or 3DES. Single DES (56-bit key) is no longer acceptable and 3DES is slow; AES is the standard choice today
ESP Auth field serves the same purpose as the AH Authentication Data field, but it covers only the ESP header, the encrypted payload and the trailer, not the outer IP header
Before: IP HDR | DATA
After:  IP HDR | ESP HDR | Encrypted DATA | TRL | Auth
IP protocol number = 50
The trailer (TRL) holds padding, a pad-length byte and the next-header byte that says what protocol the decrypted payload is; all three are encrypted along with the data.
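The ESP layout above, built and parsed in code, as an added example (not Cisco's code). It shows the padding rule, which bytes the ICV covers, how the same encapsulation yields transport mode (payload inside) or tunnel mode (whole original packet inside, next header 4), and that a NAT rewriting the outer header does not break ESP. The cipher is an assumption: a stand-in keystream derived from HMAC-SHA256 in counter mode, used only so the block runs on the standard library; real ESP uses a block cipher (3DES in this deck's era, AES today). Keys, SPIs and addresses are constructed.

```python
"""ESP framing in transport and tunnel mode, as an added example (not Cisco's code).

Shows the RFC 2406 layout SPI | sequence | IV | encrypted(payload | padding |
pad length | next header) | ICV, the padding rule, which bytes the ICV covers, and
that the outer IP header is outside the ICV, which is why ESP (unlike AH) survives
a NAT. ASSUMPTION: the cipher is a stand-in keystream derived from HMAC-SHA256 in
counter mode so the block runs on the standard library alone."""
import hashlib
import hmac
import os
import socket
import struct

ESP_PROTOCOL = 50
PROTO_IPIP = 4          # next header when the payload is a whole IPv4 packet (tunnel mode)
PROTO_UDP = 17
ICV_LEN = 12            # HMAC-SHA1-96
BLOCK = 8               # ASSUMPTION: 8-byte block and IV, as with 3DES-CBC
ENC_KEY = b"constructed-esp-encryption-key"        # constructed SA keys
AUTH_KEY = b"constructed-esp-authentication-key"


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _keystream_xor(iv, data):
    """Stand-in cipher: XOR with HMAC-SHA256(key, iv || counter) blocks; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(ENC_KEY, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_encapsulate(inner, next_header, spi, seq, outer_src, outer_dst):
    """IP HDR | ESP HDR | encrypted(inner | pad | pad len | next hdr) | ICV.
    Transport mode: inner is the transport payload and the outer addresses are the
    original hosts. Tunnel mode: inner is the whole original IP packet, next_header
    is 4 (IP-in-IP) and the outer addresses are the two gateways."""
    pad_len = (-(len(inner) + 2)) % BLOCK          # bring inner + pad + 2 to a block multiple
    padding = bytes(range(1, pad_len + 1))         # RFC 2406 default padding: 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, next_header])
    iv = os.urandom(BLOCK)
    esp = struct.pack("!II", spi, seq) + iv + _keystream_xor(iv, plaintext)
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha1).digest()[:ICV_LEN]   # covers SPI .. next header only
    return ipv4_header(outer_src, outer_dst, ESP_PROTOCOL, 20 + len(esp) + ICV_LEN) + esp + icv


def esp_decapsulate(packet):
    """Return (next_header, inner). The ICV is checked before anything is decrypted,
    so a forged packet never reaches the cipher or the padding check."""
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(AUTH_KEY, esp, hashlib.sha1).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV mismatch")
    iv, ciphertext = esp[8:8 + BLOCK], esp[8 + BLOCK:]
    plaintext = _keystream_xor(iv, ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def nat_rewrite_source(packet, new_src):
    """What a NAT does to the outer header; ESP's ICV does not cover it."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def demo():
    """Build one transport-mode and one tunnel-mode packet from the same UDP segment."""
    udp = b"constructed UDP segment"
    transport = esp_encapsulate(udp, PROTO_UDP, 0x2000, 1, "10.0.0.5", "192.0.2.10")
    original = ipv4_header("10.0.0.5", "192.0.2.10", PROTO_UDP, 20 + len(udp)) + udp
    tunnel = esp_encapsulate(original, PROTO_IPIP, 0x3000, 1, "198.51.100.1", "203.0.113.1")
    return transport, tunnel, original


if __name__ == "__main__":
    transport, tunnel, original = demo()
    print(esp_decapsulate(transport))                                                # (17, b'constructed UDP segment')
    print(esp_decapsulate(tunnel)[1] == original)                                    # True
    print(esp_decapsulate(nat_rewrite_source(tunnel, "192.0.2.99"))[1] == original)  # True
```

Note the verify-then-decrypt order in esp_decapsulate: checking the ICV first means padding and next-header bytes are only ever interpreted on packets that came from the holder of the authentication key, which closes off the padding-oracle class of attacks that decrypt-then-verify designs have suffered.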


ESP Transport Mode

Confidentiality with data encryption
IP HDR | ESP HDR | Encrypted DATA | TRL | Auth
The IPsec tunnel (security association) runs end to end between the two hosts across the Internet; the original IP header travels in the clear, so addresses and the protocol number (50) are visible to observers.

ESP Tunnel Mode

Confidentiality with IP header and data encryption
New IP HDR | ESP HDR | [Original IP HDR | Data] (encrypted) | TRL | Auth
The IPsec tunnel runs between the two security gateways across the Internet; the entire original IP packet, header included, is encrypted, so internal addresses are hidden and an observer sees only gateway-to-gateway traffic.

IPSec Framework
IPsec is an IETF umbrella of standards (the RFC 2401 family at the time of this deck, revised in 2005 as RFC 4301 and its companions)
IPsec provides data integrity, confidentiality and authentication
IPsec data confidentiality employed DES and 3DES encryption in this generation of products; AES is the current standard
IPsec data integrity employs HMAC-MD5 and HMAC-SHA-1 hashes (HMAC-SHA-2 today)
IPsec peer authentication, negotiated by IKE, employs pre-shared keys or digital certificates with RSA or DSS signatures
IPsec operates in tunnel or transport mode using AH, ESP or AH/ESP


Intrusion Protection

Monitoring the network and hosts
Network scanning
Packet sniffing
Intrusion detection primer


Monitoring

Slide: two photographs, captioned "Where is this van going?" and "Where did this car come from?" Monitoring answers the same two questions for traffic on the network.

Network Scanning
Active tool: sends probes and reads the responses
Identifies devices on the network, the ports they listen on and the services behind them
Useful in network auditing (find what is exposed before an attacker does)

Fingerprinting
How a scanner figures out what OS and version is installed: from TCP/IP stack quirks in the responses and from service banners

Examples: Nmap, Nessus
Scanning is noisy and is itself an intrusion-detection event; scan only what you are authorised to scan


Packet Sniffing
Diagnostic tools
Used to capture packets
Used to examine packet data (filters)
Can reconstruct sessions and streams (and, on unencrypted protocols such as telnet, the passwords in them)

Sniffers can be promiscuous (capture every frame on the segment, not just those addressed to the host)
Passive, listening: a sniffer sends nothing and is hard to detect from the wire

Examples: Sniffer, Ethereal (renamed Wireshark in 2006)


Intrusion Detection

Create a system of distributed promiscuous Sniffer-like devices watching activity on a network and on specific hosts

Different approaches
Protocol anomaly/signature detection
Host-based/network-based

Different IDS technologies can be combined to create a better solution


Intrusion Detection Approaches

Misuse/Signature vs.
Anomaly Detection
Network vs. Host-Based


Anomaly vs. Signature Detection

Anomaly detection: Define normal, authorized activity, and consider everything else to be potentially malicious
Misuse/signature detection: Explicitly define what activity should be considered malicious
Most commercial IDS products are signature-based
The trade-off: signatures are precise about what they catch but blind to attacks nobody has written a signature for and to evasion (fragmentation, alternate encodings); anomaly detection can catch novel attacks but needs a clean baseline, raises alerts on legitimate change, and says nothing about what the anomaly is.
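The two approaches run side by side over the same traffic, as an added example (not Cisco's or any product's code). The records are constructed flow summaries. The two signatures approximate published descriptions of attacks from this deck's era (an encoded directory-traversal request for cmd.exe against IIS, and a Slammer-sized UDP/1434 datagram starting with the 0x04 request byte); the anomaly detector is a baseline of (server, protocol, port) triples seen during training plus a per-source distinct-target threshold. The point is what each one misses: the signature engine ignores the port scan and the new server, the anomaly engine ignores the traversal because it is aimed at a known service, and it flags a perfectly legitimate new HTTPS server.

```python
"""Signature vs anomaly detection over the same traffic, as an added example
(not Cisco's code). Records are constructed flow summaries."""
import re
from collections import defaultdict

# ---- signature (misuse) detection: explicitly describe what is bad ----------
SIGNATURES = [
    ("IIS traversal / cmd.exe",
     lambda r: r["proto"] == "tcp" and r["dport"] == 80
     and re.search(rb"(\.\./|%2e%2e|%255c).*cmd\.exe", r["payload"], re.I) is not None),
    ("Slammer-like SSRP datagram",
     lambda r: r["proto"] == "udp" and r["dport"] == 1434
     and len(r["payload"]) == 376 and r["payload"][:1] == b"\x04"),
]


def signature_alerts(records):
    """(record index, signature name) for every record a signature matches."""
    return [(i, name) for i, r in enumerate(records) for name, match in SIGNATURES if match(r)]


# ---- anomaly detection: describe what is normal, alert on the rest ----------
class AnomalyDetector:
    def __init__(self, scan_threshold=10):
        self.known_services = set()        # (dst, proto, dport) seen during training
        self.scan_threshold = scan_threshold

    def train(self, records):
        """Baseline from traffic believed clean; anything learned here is 'normal'."""
        for r in records:
            self.known_services.add((r["dst"], r["proto"], r["dport"]))

    def detect(self, records):
        alerts = []
        targets_per_src = defaultdict(set)
        for i, r in enumerate(records):
            if (r["dst"], r["proto"], r["dport"]) not in self.known_services:
                alerts.append((i, "unknown service %s/%s/%d" % (r["dst"], r["proto"], r["dport"])))
            targets_per_src[r["src"]].add((r["dst"], r["dport"]))
        for src, targets in targets_per_src.items():
            if len(targets) >= self.scan_threshold:
                alerts.append((None, "port scan from %s (%d targets)" % (src, len(targets))))
        return alerts


def _rec(src, dst, proto, dport, payload=b""):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "payload": payload}


# Constructed traffic. TRAINING stands in for a quiet period; LIVE is the day under review.
TRAINING = [_rec("10.0.0.%d" % i, "192.0.2.10", "tcp", 80, b"GET / HTTP/1.0") for i in range(1, 6)] + [
    _rec("10.0.0.1", "192.0.2.53", "udp", 53),
    _rec("10.0.0.2", "192.0.2.25", "tcp", 25),
]
LIVE = [
    _rec("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0"),
    _rec("198.51.100.9", "192.0.2.10", "tcp", 80,
         b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    _rec("198.51.100.9", "192.0.2.30", "udp", 1434, b"\x04" + b"\x01" * 375),
    _rec("10.0.0.7", "192.0.2.40", "tcp", 443, b"\x16\x03\x01"),     # new, legitimate HTTPS server
] + [_rec("198.51.100.9", "192.0.2.10", "tcp", p) for p in range(21, 33)]   # 12-port scan


def run(training=TRAINING, live=LIVE):
    """Return (signature alerts, anomaly alerts) for the live records."""
    detector = AnomalyDetector()
    detector.train(training)
    return signature_alerts(live), detector.detect(live)


if __name__ == "__main__":
    sig, anom = run()
    print("signature:", sig)
    print("anomaly:", anom)
```

Combining the two, as the deck suggests, is not redundancy: each one's alerts land exactly in the other's blind spot.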


Host vs. Network-Based

Host-based agent software monitors activity on the computer on which it is installed
Cisco HIDS (Okena): system activity (system calls, process behaviour)
Tripwire: file system activity (file hashes compared with a stored baseline)

Network-based appliance collects and analyzes activity on a connected network
Integrated IDS
Network-based IDS functionality as deployed in routers, firewalls, and other network devices


Network IDS Sensor

Diagram: the sensor has two interfaces. One carries the network link to the management console and has an IP address. The other is a passive monitoring interface with no IP address; it only captures data from the monitored network (from a switch SPAN port or a tap) and is unreachable from it, so the sensor cannot be attacked through the interface it watches. Data flow on the monitored network and data capture by the sensor are separate paths.


Host IDS Sensor

Passive agent (OS sensor): syslog monitoring; detection; wider platform support
Active agent (server sensor): attack interception; prevention; focused protection (the agent sits in the path of system calls or requests and can block them, which is why it is platform-specific)


Typical IDS Architecture

Management console: real-time event display; event database; sensor configuration
IDS sensor (on the production network segment): packet signature analysis; generate alarms; response/countermeasures
Host-based IDS: generate alarms; response/countermeasures
Component communications link the console to every sensor; this management traffic should be encrypted and, where possible, kept off the monitored network.

Too Many Choices?

Generally, the most efficient approach is to implement network-based IDS first
Easier to scale and provides broad coverage
Less organizational coordination required (no agent to install on servers owned by other teams)
No impact on the monitored hosts or on the traffic, since the sensor is passive

You may want to start with host-based IDS if you only need to monitor a couple of servers, or if the traffic to them is encrypted and a network sensor cannot see inside it
Keep in mind that IDS is not the security panacea: it reports, and someone has to read and act on the reports



Security Management

Wrapping it all together
Security management: scalable and manageable
Syslog and log analysis


Wrapping It All Together

In the previous sections we discussed:
Security policy
Perimeter security and filtering
Identity services
Virtual Private Networks
Intrusion detection and prevention systems

No one system can defend your networks and hosts
With all this technology, how do we survive?


Integrated Network Security

Diagram, read top to bottom:
Security Management: device manageability, embedded management tools, security policy, monitoring and analysis, network and service management; analysis and distributed investigation give end-to-end coverage
Network and End Point Security, with flexible deployment across security appliances, switch modules, router modules and security software
Security Functions: VPN, firewall, intrusion protection, identity services, network services
Ca

ption: seamless collaboration of security and networking services

Security Management

How to manage the network securely

In-band versus out-of-band management
In-band management: management information travels the same network path as the data, so it is exposed to whatever the data path is exposed to, and congestion or an attack on the data path also cuts off management
Out-of-band management: a second path exists to manage devices (a dedicated management network, console servers, serial lines) and does not necessarily depend on the LAN/WAN

If you must use in-band, be sure to use
Encryption
SSH instead of telnet (and SNMPv3 instead of SNMPv1/v2c community strings, HTTPS instead of HTTP)
Access lists that restrict management connections to the management hosts

Making sure that policies are in place and that they are working: check the device configurations against the policy, not just the policy document
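Checking that the management-plane policy is actually in place, as an added example (not Cisco's code or any Cisco tool). It audits the text of an IOS-style running configuration for the points just listed: SSH rather than telnet on the vty lines, an access-class limiting where management sessions may come from, SNMPv3 rather than community strings, a remote syslog collector, and password encryption. Both configurations are constructed for the demo, and the command syntax is assumed to be standard IOS; other platforms phrase these differently, so treat the checks as a template.

```python
"""Audit an IOS-style configuration for the management-plane rules on the slide.
Added example, not Cisco's code; the configurations below are constructed."""
import re

BAD_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
logging buffered 16384
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

GOOD_CONFIG = """\
hostname edge-rtr-1
service password-encryption
ip ssh version 2
!
snmp-server group NMS v3 priv
snmp-server user nms-poller NMS v3 auth sha ConstructedAuthPass priv aes 128 ConstructedPrivPass
logging host 10.0.0.5
!
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
"""


def _sections(config):
    """Split the config into (header line, [indented sub-commands]) pairs. IOS indents
    the commands that belong to a 'line', 'interface', etc. block by one space."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_management_plane(config):
    """Return a list of findings; an empty list means the config meets the policy."""
    findings = []
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("SSH version 2 not enabled (ip ssh version 2)")
    if re.search(r"^snmp-server community ", config, re.M):
        findings.append("SNMPv1/v2c community string configured; use snmp-server group/user v3")
    if not re.search(r"^logging (host )?\d+\.\d+\.\d+\.\d+", config, re.M):
        findings.append("no remote syslog collector (logging host <ip>)")
    if not re.search(r"^service password-encryption\s*$", config, re.M):
        findings.append("service password-encryption missing (passwords stored in clear)")
    for header, body in _sections(config):
        if not header.startswith("line vty"):
            continue
        transport = [l for l in body if l.startswith("transport input")]
        # No 'transport input' means the platform default, which may include telnet.
        if (not transport or any(re.search(r"\b(telnet|all)\b", l) for l in transport)
                or not any("ssh" in l for l in transport)):
            findings.append("%s: transport input must be 'ssh' only (found %s)"
                            % (header, transport or "default"))
        if not any(l.startswith("access-class") for l in body):
            findings.append("%s: no access-class restricting management sources" % header)
    return findings


if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, audit_management_plane(cfg) or "compliant")
```

Run this from a job that pulls configurations on a schedule and the "policy in place and working" question gets answered every day instead of once at deployment. One caveat the finding text hints at: service password-encryption only obscures passwords with the reversible type 7 scheme, so it stops shoulder-surfing, not an attacker who obtains the configuration file.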


Syslog

A protocol that supports the transport of event notification messages
Originally developed as part of BSD Unix

Syslog is supported on most internetworking devices
BSD Syslog: IETF RFC 3164
The RFC documents observed BSD Syslog behaviour; it is informational, not a standard, which is why implementations differ in details such as timestamp and tag formats

Work continues on reliable and authenticated Syslog (RFC 3195 covers reliable delivery; the later RFC 5424/5425 work defines a new message format and TLS transport)
http://www.employees.org/~lonvick/index.shtml
Classic syslog is UDP port 514, unacknowledged and unauthenticated: messages can be lost silently and anyone on the network can inject messages with a forged hostname, so ship logs off the device promptly and treat the sender field with care


Log Analysis

Log analysis is the process of examining Syslog and other log data
Building a baseline of what should be considered normal behavior
This is post-event analysis because it is not happening in real time

Log analysis is looking for
Signs of trouble
Evidence that can be used to prosecute (which means preserving the original logs unaltered, with their timestamps, and keeping clocks synchronised across devices so events can be correlated)

If you log it, read and use it!

Resources
http://www.counterpane.com/log-analysis.html
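Syslog parsing and a small post-event analysis in one piece, as an added example (not Cisco's code) serving both the Syslog and the Log Analysis slides. It decodes the RFC 3164 PRI field into facility and severity (facility times eight plus severity), splits the header into timestamp, host and tag, keeps malformed lines rather than dropping them (the RFC requires a receiver to accept anything), and then compares per-host authentication-failure counts against a baseline built from a known-quiet day. All log lines are constructed except the su example, which is the one RFC 3164 itself uses.

```python
"""RFC 3164 syslog parsing plus a small post-event analysis, as an added example
(not Cisco's code). Sample log lines are constructed."""
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, "Mmm dd hh:mm:ss", hostname, TAG[pid]: message. No year, no time zone.
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                   r"([^:\[ ]+)(?:\[(\d+)\])?:\s?(.*)$")


def parse_syslog(line):
    """Decode one BSD syslog line. Malformed lines are returned, flagged, not dropped."""
    m = _LINE.match(line)
    if not m or int(m.group(1)) > 191:              # 191 = local7 (23) * 8 + debug (7)
        return {"raw": line, "malformed": True}
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "msg": m.group(6),
            "malformed": False}


AUTH_FAILURE = re.compile(r"failed|authentication failure|invalid user", re.I)


def failures_per_host(lines):
    """Count authentication failures per reporting host (post-event, over a whole batch)."""
    counts = Counter()
    for rec in map(parse_syslog, lines):
        if (not rec["malformed"] and rec["facility"] in ("auth", "authpriv")
                and AUTH_FAILURE.search(rec["msg"])):
            counts[rec["host"]] += 1
    return counts


def flag_hosts(baseline_counts, today_counts, factor=3, minimum=5):
    """Hosts whose failure count is above an absolute floor AND several times the
    baseline. The floor stops a host that went from 0 to 1 being 'infinitely' abnormal."""
    return sorted(host for host, n in today_counts.items()
                  if n >= minimum and n >= factor * max(baseline_counts.get(host, 0), 1))


# Constructed sample logs: a quiet day and the day under review.
BASELINE_DAY = [
    "<38>Oct 10 09:00:01 mymachine sshd[1201]: Accepted password for alice from 10.0.0.7 port 4022 ssh2",
    "<34>Oct 10 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<78>Oct 10 23:00:01 mymachine CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)",
]
TODAY = ["<86>Oct 11 03:1%d:%02d mymachine sshd[13%02d]: Failed password for invalid user admin "
         "from 198.51.100.9 port %d ssh2" % (i, i * 7, i, 4400 + i) for i in range(8)] + [
    "<86>Oct 11 08:12:44 otherhost sshd[901]: Failed password for bob from 10.0.0.8 port 5120 ssh2",
    "<78>Oct 11 09:00:01 mymachine CRON[1500]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    print(parse_syslog("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"))
    baseline, today = failures_per_host(BASELINE_DAY), failures_per_host(TODAY)
    print(dict(baseline), dict(today), flag_hosts(baseline, today))
```

Two things this exposes that a grep does not. The RFC 3164 timestamp carries neither year nor time zone, so correlating across devices needs synchronised clocks and a receiver that stamps arrival time; and the hostname is whatever the sender put in the datagram, so a baseline keyed on it is only as trustworthy as the path the logs travelled.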


Security = Tools Implementing Policy

Now more than ever


Identity tools
Filtering tools
Connectivity tools
Monitoring tools
Management tools


The Threat Forecast

New vulnerabilities and exploits are uncovered every day
Subscribe to bugtraq to watch the fun!

Crystal ball
Attacks will continue
Greater complexity
Still see unpatched vulnerabilities taken advantage of (Slammer exploited a hole for which the patch had been available for six months)


Conclusions

Things sound dire!!!
The sky really is not falling!!!
Take care of those security issues that you have control over
Security is a process, not a box!


Security Resources at Cisco

Cisco Connection Online
http://www.cisco.com/go/security

Cisco Product Security Incident Response Team (PSIRT)
http://www.cisco.com/go/psirt


Security Resources on the Internet

Cisco Connection Online: http://www.cisco.com
SecurityFocus.com: http://www.securityfocus.com
SANS: http://www.sans.org
CERT: http://www.cert.org
CIAC: http://www.ciac.org/ciac
CVE: http://cve.mitre.org
Computer Security Institute: http://www.gocsi.com
Center for Internet Security: http://www.cisecurity.org


Thank You


Questions
