Network Security
Cisco Systems
SEC-1000
8020_05_2003_c2
Agenda
Security Policy
Setting a Good Foundation
Identity Services
Passwords, Tokens, PKI, Biometrics
Secure Connectivity
Work Happens Everywhere, Virtual Private Networks
Intrusion Protection
Network, Host
Security Management
Wrapping it All Together
[Chart: dollar losses by category, 2001 vs. 2002, in millions of dollars. Categories labelled: Financial Fraud, Sabotage, Laptop Theft, Denial of Service; totals shown as $378M and $456M.]
Number of Incidents: Always on the Rise
CERT: Number of Incidents Reported (*)
http://www.cert.org/stats/cert_stats.html#incidents
(*) An incident may involve one site or hundreds (or even thousands) of sites; also, some incidents may involve ongoing activity for long periods of time.
Network Vulnerabilities
[Diagram, four panels:
Loss of Privacy: a password ("m-y-p-a-s-s-w-o-r-d") sent between Bob and Alice is read off the wire.
Data Theft: the Corporate Business Plan ("Expand into Mallets core area") is read in transit.
Impersonation: an attacker tells Alice "I'm Bob. Send me all corporate correspondence with Cisco."
Loss of Integrity: a Customer's "Deposit $1000" instruction to the Bank is altered in transit to "Deposit $100".]
Network Security
Confidentiality
  Benefit: Ensures data privacy
  Shuns: Sniffing, Replay
Integrity
  Shuns: Alteration, Replay
Authentication
  Shuns: Impersonation, Replay
[Diagram: balancing Security against Connectivity; items shown: Authentication, Performance, Authorization, Ease of Use, Accounting, Manageability, Assurance, Availability, Policy Management, Confidentiality, Data Integrity]
Security Policy
Security Wheel
[Diagram: Policy at the hub (Misuse, Usage Guidelines, Reconnaissance, Topology/Trust Model), with Enforcement around it in four stages:
Secure: Identity and authentication; Filtering and stateful inspection; Encryption and VPNs
Monitor
Audit: Security posture assessment; Vulnerability scanning; Patch verification/application auditing
Manage: Secure device management; Event/data analysis and reporting; Network security intelligence]
Risk Assessment
The cost of secure solutions must be factored into the overall Return on Investment (ROI)
Security must be included in planning and design
Effective security requires managerial commitment
What Is Trust?
Trust is the inherent ability for hosts to communicate within a network design
Trust and risk are opposites; security is based on enforcing and limiting trust
Within subnets, trust is based on Layer 2 forwarding mechanisms
Between subnets, trust is based on Layer 3+ mechanisms
Incident Response
Access Control
Firewalls: first line of defense
[Diagram: enterprise network overview. Campus LAN and Multi-Gigabit Ethernet Campus/WAN Backbone; Multiservice WAN (SONET, IP, ATM, Frame Relay); IP Telephony; Security/VPN; Mainframe; Storage; Content Networking; Video Conferencing over ISDN/PSTN; connections to Suppliers, International Sales Offices, Telecommuters and Mobile Users.]
IP Packet Header
[Diagram: 20-byte IP packet header, bits 0-31, showing the Source IP Address and Destination IP Address fields]
Many filters are based on the packet's Source and Destination IP address
Extended ACLs look further into the packet, or at the TCP or UDP port number in use for the TCP/IP connection between hosts
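As an added example (not from the original slides), the following Python reads the source and destination addresses and the TCP/UDP ports from a raw IPv4 packet and evaluates them against a small extended ACL; the rules, addresses and the packet builder are constructed for illustration:

```python
import ipaddress
import struct

def build_packet(src, dst, proto, sport, dport):
    """Constructed test packet: 20-byte IPv4 header plus the first 8 bytes of a TCP/UDP header."""
    ver_ihl = (4 << 4) | 5                       # IPv4, IHL = 5 words = 20 bytes
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HHI", sport, dport, 0)

def parse_headers(pkt):
    """Pull the fields a standard ACL (addresses) and an extended ACL (protocol, ports)
    look at. Ports are None when the protocol is not TCP (6) or UDP (17)."""
    ihl = (pkt[0] & 0x0F) * 4                    # header length in bytes, normally 20
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return str(src), str(dst), proto, sport, dport

# Hypothetical extended ACL, evaluated top-down, first match wins:
# (action, protocol, source network, destination network, destination port); None = any.
ACL = [
    ("permit", 6, "0.0.0.0/0", "10.1.1.10/32", 80),   # anyone to the web server
    ("permit", 6, "10.1.0.0/16", "0.0.0.0/0", None),  # inside hosts out, any TCP port
    ("deny", None, "0.0.0.0/0", "0.0.0.0/0", None),   # explicit catch-all deny
]

def evaluate(pkt, acl=ACL):
    """Return the action of the first ACL rule the packet matches ("deny" if none)."""
    src, dst, proto, _sport, dport = parse_headers(pkt)
    for action, r_proto, r_src, r_dst, r_dport in acl:
        if r_proto is not None and r_proto != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action
    return "deny"
```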
Reflexive ACLs
Creates a temporary ACL that allows specified IP packets to be filtered based on TCP or UDP session information; the ACL expires shortly after the session ends (no sequence #)
Firewalls
Four types of firewalls
  Proxies (application-layer firewalls)
  Stateful
  Hybrid
  Personal
Implementation methods
  Software
  Appliance
Proxy Firewalls
Stateful Firewalls
Access Control Lists plus maintaining state
Stateful firewalls inspect and maintain a record (a state table) of the state of each connection that passes through the firewall
To adequately maintain the state of a connection the firewall needs to inspect every packet
But short cuts can be made once a packet is identified as being part of an established connection
Different vendors record slightly different information about the state of a connection
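An added illustration (not Cisco's code) of the reflexive ACL and state-table behaviour described above: outbound sessions from the inside create temporary entries, return traffic is permitted only if it matches one, and entries are removed on close or after an idle timeout. The inside prefix, the timeout and the packet dictionaries are assumptions:

```python
import time

INSIDE_PREFIX = "10.1."   # constructed: hosts in 10.1.0.0/16 are "inside"
IDLE_TIMEOUT = 300        # seconds; an idle entry expires like a reflexive ACL

class StatefulFilter:
    """Toy state table: an outbound TCP/UDP packet from inside creates a session
    entry; inbound packets are permitted only when they match the reverse of an
    existing entry. Entries go away on RST, after both sides send FIN, or when idle."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.table = {}   # (src, sport, dst, dport, proto) -> {"seen": t, "fins": n}

    def _expire(self):
        cutoff = self.clock() - IDLE_TIMEOUT
        for key in [k for k, st in self.table.items() if st["seen"] < cutoff]:
            del self.table[key]

    def _update(self, key, flags):
        st = self.table[key]
        st["seen"] = self.clock()
        if "FIN" in flags:
            st["fins"] += 1
        if "RST" in flags or st["fins"] >= 2:
            del self.table[key]            # session closed: temporary entry removed

    def check(self, pkt):
        """pkt: dict with src, sport, dst, dport, proto and an optional set of TCP flags."""
        self._expire()
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        flags = pkt.get("flags", set())
        if pkt["src"].startswith(INSIDE_PREFIX):
            # Outbound: permitted, and the first packet creates the state entry
            self.table.setdefault(key, {"seen": self.clock(), "fins": 0})
            self._update(key, flags)
            return "permit"
        if reverse in self.table:           # return traffic for a known session
            self._update(reverse, flags)
            return "permit"
        return "deny"                       # unsolicited inbound packet
```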
Hybrid Firewalls
Hybrid firewalls combine features of other firewall approaches such as
  Access Control Lists
  Application-specific proxies
  State tables
Personal Firewalls
Personal firewalls
  Protecting remote users/home users
  Watching inbound/outbound traffic
  Creating basic rules
  Example: ZoneAlarm
Identity Services
User identity
Passwords
Tokens
PKI
Biometrics
User Identity
Validating Identity
Passwords
Correlates an authorized user with network resources
[Screenshot: PIX "Username and Password Required" dialog with user "student" and password "123@456", OK/Cancel buttons]
Passwords
Passwords have long been, and will continue to be, a problem
People will do what is easiest
Create and enforce good password procedures
  Non-dictionary passwords
  Changed often (90-120 days)
Tokens
Strong (2-factor) Authentication based on something you know and something you have
[Diagram: PIX Firewall "Username and Password Required" dialog for user "jdoe" with token code 234836, checked against an Ace Server; access is granted or denied]
Certificates
[Diagram: jdoe presents "I am jdoe!" with a certificate signed by us.org; the relying party authenticates and decrypts it over the Internet and concludes "This is jdoe, signed by us.org"; the Certificate Authority issued the certificate]
Biometrics
Secure Connectivity
At home (teleworking)
137 million telecommuters by 2003
40% of U.S. telecommuters from large or mid-size firms
Source: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners Instat 5/01); At Work (Wharton Center for Applied Research)
[Diagram: a Virtual Private Network connecting Central/HQ with Partners and Customers]
Secure Connectivity
Defines peers: two devices in a network that need to connect
Tunnel makes peers seem virtually next to each other; ignores network complexity in between
Technologies
  PPTP: Point-to-Point Tunneling Protocol
  L2TP: Layer 2 Tunneling Protocol
  IPSec
  Secure shell
  SSL
What is IPSec?
Internet Protocol Security: a set of security protocols and algorithms used to secure IP data at the network layer
IPSec provides data confidentiality (encryption), integrity (hash) and authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks
Encryption Layers
Application Layers (5-7): Application-layer encryption (SSL, PGP, S-HTTP)
Transport/Network Layers (3-4)
Link/Physical Layers (1-2)
IPSec Protocols
Encryption (Data Privacy): DES, 3DES
Integrity/Authentication: MD5 / SHA; RSA / DSS; X.509v3 Digital Certificates; IKE
AH / ESP: Authentication Header / Encapsulating Security Payload
Modes: Tunnel / Transport (Network to Network / Host to Host)
What is Encryption?
What is a KEY?
Key: An initial, primary value input to a computational algorithm, producing a theoretically unique result exclusive to the input value.
[Diagram: with the correct KEY the encrypted algorithm is opened (decrypted); with an incorrect KEY it stays locked (encrypted)]
One-Time Key
One-Time Key: A unique key is used once, and only once, per encryption operation. For every encryption operation a new, unrelated key is generated, used, then discarded.
[Diagram: the first operation encrypts with one KEY; the second operation encrypts with a new KEY]
Symmetrical Keys
Symmetrical Key: The same key is used for initiating the encryption process and initiating the decryption process.
[Diagram: Encryption with KEY (A) locks; Decryption with KEY (A) unlocks]
Asymmetrical Keys
Asymmetrical Key: A different key is used for initiating the encryption process and initiating the decryption process.
[Diagram: Encryption with KEY (A) locks; Decryption with KEY (B) unlocks]
Soft Key
Soft Key: A numerical value that acts as the algorithmic input to initiate the encryption or decryption process.
Encryption Process
Encryption Process: Inputting a key into an algorithm that acts upon a message to produce encrypted output.
[Diagram: Key (numerical) + Message (converted to numerical) -> Encryption Algorithm = Encrypted Output]
Shared Key
[Diagram: Alice encrypts the message with the shared Key, the encrypted message crosses the Internet, and Bob decrypts it with the same Key; the return direction works the same way]
[Diagram: public/private key exchange between Alice and Bob across the Internet; each message is encrypted with one key of a PUB/PRI pair and decrypted with the other]
Encryption Key
[Diagram: the DES key schedule and data path]
Key:
  1. 64 bit Key reduced to 56 bit key (every 8th bit ignored)
  2. 56 bit key transformed with shift permutation
  3. Data Blocks expanded to 48 bit blocks, combined with the 48 bit key
Data:
  1. IP: Initial Permutation (split Data Block into two 32 bit blocks, Left and Right)
  2. Cipher rounds on the Left and Right halves with the Key
  3. FP: Final Permutation (join Data Block into one 64 bit block) -> Cipher
2003, Cisco Systems, Inc. All rights reserved.
[Diagram: the IPSec Standard Encryption Algorithm highlighted among other encryption algorithms: Lucifer, CA-1.1, Madryga, FEAL, REDOC, LOKI, Khufu/Khafre, RC5, MMB, Blowfish, RSA, RC2, SkipJack, GOST, CAST, SAFER, 3-Way, CRAB]
What is DES/3DES?
DES
3DES
3DES is the DES algorithm performed three times sequentially
Two-key 3DES encrypts 1-2-1, resulting in a 112 bit key strength
Three-key 3DES encrypts 1-2-3, resulting in a 168 bit key strength
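An added example (not from the slides) of the two key facts above: DES ignores every 8th key bit, so 64-bit keys that differ only in those bits are the same 56-bit key, and a 3DES bundle only reaches the quoted 112 or 168 bits when its component keys are actually distinct. The function names are hypothetical:

```python
def effective_des_key(key: bytes) -> int:
    """Drop the 8th bit of every byte of a 64-bit DES key (the parity bit DES ignores)
    and return the 56-bit value that actually drives the key schedule."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)   # keep the high 7 bits of each byte
    return value

def set_odd_parity(key: bytes) -> bytes:
    """Rewrite each ignored 8th bit so every byte has odd parity (the DES convention)."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)

def tdes_keying_option(bundle: bytes):
    """Classify a 3DES (EDE) key bundle by the key strength the slide quotes:
    16 bytes = two-key (K1-K2-K1, 112 bits), 24 bytes = three-key (K1-K2-K3, 168 bits).
    Bundles whose effective keys coincide degrade and are reported as such."""
    if len(bundle) == 16:
        k1, k2 = bundle[:8], bundle[8:]
        k3 = k1
    elif len(bundle) == 24:
        k1, k2, k3 = bundle[:8], bundle[8:16], bundle[16:]
    else:
        raise ValueError("3DES bundle must be 16 or 24 bytes")
    e1, e2, e3 = (effective_des_key(k) for k in (k1, k2, k3))
    if e1 == e2 or e2 == e3:
        # E(K1) D(K1) E(K3) = E(K3): the middle step cancels a neighbour
        return ("degenerate: equivalent to single DES", 56)
    if e1 == e3:
        return ("two-key 3DES", 112)
    return ("three-key 3DES", 168)
```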
DES/3DES Vulnerability
Brute-Force Attack:
A single Pentium III class workstation can break a DES key in less than 10 hours
A million Pentium III class workstations can break a (3-key) 3DES key in 10,000,000,000,000 years
3DES is subject to cryptanalytic attacks by insertion of a known payload.
AES
AES is based on the Rijndael algorithm
AES is a single algorithm instance using the Square cipher
AES uses a 128, 192, or 256 bit key to encrypt 128, 192, or 256 bit datagrams, independently
AES operates efficiently in hardware and software
Hashing and Digital Signatures
Hash/Signature Protection
[Diagram: the Impersonation and Loss of Integrity scenarios from the Network Vulnerabilities slide (the "I'm Bob. Send me all corporate correspondence with Cisco." message to Alice, and the Customer's "Deposit $1000" altered to "Deposit $100" before it reaches the Bank)]
What is a Hash?
Hash: A one-way mathematical summary of a message such that the hash value cannot be (easily) reconstituted back into the original message even with knowledge of the hash algorithm.
[Diagram: Message (Clear Text) -> Hash Function -> Hash (Hash Text)]
Hashing Process
[Diagram: an apple (the Original Message) is copied, and the Message Copy is put through the Hash Algorithm (1. Divide by 2.84; 2. Then multiply by 9; 3. Then square) to produce apple juice (the Hash Output)]
Hash Verification
[Diagram: the sender hashes a copy of the message with the Hash Function and sends the Message with Hash Appended; the receiver isolates the appended hash, computes the hash over the received message, and compares the two]
If hashes are equal, message is unaltered
If hashes are unequal, message is altered
Hashing Algorithms
MD5 (Message Digest V5): Older but most widely supported hash algorithm
SHA (Secure Hash Algorithm): Newer and more secure hash than MD5
HMAC (Hash-based Message Authentication Code): Further hash security through inclusion of a key with the message in the hash process (similar to a MAC)
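To show the difference between the appended plain hash of the Hash Verification slide and the keyed HMAC, here is an added Python example (not part of the original deck) using SHA-256; the message, the shared key and the in-transit alteration (the deck's "Deposit $1000" to "Deposit $100") are constructed:

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes appended to every message

def append_hash(message: bytes) -> bytes:
    """Sender side of the Hash Verification slide: an unkeyed hash appended to the message."""
    return message + hashlib.sha256(message).digest()

def verify_appended_hash(blob: bytes):
    """Receiver side: isolate the trailing hash, recompute over the message, compare."""
    message, received = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    computed = hashlib.sha256(message).digest()
    return hmac.compare_digest(computed, received), message

def append_hmac(message: bytes, key: bytes) -> bytes:
    """Same framing, but the hash is keyed (HMAC-SHA256): it cannot be recomputed
    without the key the two parties share."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def verify_hmac(blob: bytes, key: bytes):
    message, received = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    computed = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(computed, received), message

def alter_in_transit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Model the Loss of Integrity scenario (Deposit $1000 changed to Deposit $100) by a
    party who holds no key: edit the text and re-append a freshly computed plain hash."""
    message = blob[:-DIGEST_LEN].replace(old, new)
    return append_hash(message)

# Constructed sample values (not from the deck)
SHARED_KEY = b"key-shared-by-customer-and-bank"
ORDER = b"Deposit $1000"
```

With the plain hash the altered order verifies as "unaltered" because the hash was simply recomputed; with the HMAC the same alteration fails verification.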
[Diagram: creating a digital signature. A Copy of the Message goes through the Hash Function (Hash Algorithm: MD5, SHA); the Hash Output is encrypted with the sender's Private Key, producing the Encrypted Hash]
[Diagram: verifying a digital signature. The Message with Encrypted Hash Appended arrives; the receiver decrypts the hash and, separately, computes the hash of the received message copy; the two HASH values are compared]
Signature Algorithms
RSA (Rivest, Shamir, Adleman):
Digital ID
Certificate Version: V3
Serial Number: Certificate ID
Signature Algorithm: md5RSA (Encryption Algorithm)
Issuer: Certificate Authority
Valid From / Valid To: Certificate Lifetime
Subject (Certificate User ID):
  E = jmccloud@cisco.com
  CN = Joshua McCloud
  OU = Digital ID Class 1 - Microsoft Full Service
  OU = Persona Not Validated
  OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
Public Key
Thumbprint
Certificate Enrollment
1. Candidate Registers Identity with CA
2. CA Generates and Signs Certificate with CA Private Key
3. CA E-mails Candidate URL to Pick Up Certificate
4. Candidate Downloads Certificate and CA Public Key
[Diagram: Identity Registration from the Candidate over the Internet to the CA and its Certificate/CRL Database; Certificate Distribution back to the Candidate]
[Diagram: Alice and Bob exchange Alice's Certificate and Bob's Certificate over the Internet; each holds the CA Public Key. 1. Verify Bob's Certificate with CA Public Key. The CA maintains the Certificate/CRL Database]
[Diagram: AH, transport mode. IP HDR | AH HDR | DATA; the DATA is authenticated, not encrypted. Protocol Type = 51]
[Diagram: ESP, transport mode. IP HDR | ESP HDR | Encrypted DATA | TRL | Auth. Protocol Type = 50]
[Diagram: IPSec Tunnel across the Internet carrying IP HDR | ESP HDR | Encrypted DATA | TRL | Auth]
[Diagram: ESP, tunnel mode. The original packet is encapsulated whole: ESP HDR | Original IP HDR | Data | TRL | Auth, behind a new outer IP header, through the IPSec Tunnel across the Internet]
IPSec Framework
IPSec is an IETF umbrella protocol encompassing multiple standards
IPSec provides data integrity, confidentiality and authentication
IPSec data confidentiality employs DES and 3DES encryption
IPSec data integrity employs HMAC-MD5 and HMAC-SHA hash
IPSec data authentication employs pre-shared keys or digital certificates using RSA or DSS
IPSec operates in tunnel or transport mode using AH, ESP or AH/ESP
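An added example (not Cisco's code) that identifies AH (protocol 51) and ESP (protocol 50) after an IPv4 header, reads the SPI and sequence number, and applies the sliding-window anti-replay check an IPSec receiver uses against the replay attack the deck lists under "Shuns"; the packet builder and the sample packets are constructed:

```python
import struct

ESP, AH = 50, 51   # IP protocol numbers from the ESP and AH slides

def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Constructed helper: minimal 20-byte IPv4 header (addresses zeroed) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(4), bytes(4)) + payload

def parse_ipsec(pkt: bytes) -> dict:
    """Classify the packet as AH or ESP and read the fields a filter can still see.
    ESP hides the next header and payload; AH leaves them readable but authenticated."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"protocol": "ESP", "spi": spi, "seq": seq}
    if proto == AH:
        next_hdr, payload_len, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (payload_len + 2) * 4        # payload_len is in 32-bit words, minus 2
        return {"protocol": "AH", "spi": spi, "seq": seq,
                "next_header": next_hdr, "icv": body[12:ah_len]}
    return {"protocol": "other", "ip_protocol": proto}

class AntiReplay:
    """Sliding-window replay check kept per SA: each sequence number is accepted once,
    and anything older than the window is dropped."""

    def __init__(self, window: int = 64):
        self.window, self.top, self.bitmap = window, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                          # sequence numbers start at 1
            return False
        if seq > self.top:                    # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.bitmap &= (1 << self.window) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window or self.bitmap & (1 << diff):
            return False                      # too old, or already seen: a replay
        self.bitmap |= 1 << diff
        return True

# Constructed samples: AH with a 12-byte ICV (payload_len 4) and next header TCP (6); ESP.
SAMPLE_AH = ipv4_packet(AH, struct.pack("!BBHII", 6, 4, 0, 0x1001, 7) + b"\xaa" * 12 + b"tcp")
SAMPLE_ESP = ipv4_packet(ESP, struct.pack("!II", 0x2002, 1) + bytes(16))
```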
Intrusion Protection
Monitoring
[Cartoon: two vehicles captioned "Where is this van going?" and "Where did this car come from?"]
Network Scanning
Active tool
Identifies devices on the network
Useful in network auditing
Fingerprinting: how a scanner figures out what OS and version is installed
Packet Sniffing
Diagnostic tools
Used to capture packets
Used to examine packet data (filters)
Can reconstruct sessions and streams
Intrusion Detection
Different approaches
  Protocol anomaly/signature detection
  Host-based/network-based
Misuse/Signature vs. Anomaly Detection
Network vs. Host-Based
[Diagram: host agent types, Passive Agent (OS Sensor) and Active Agent (Server Sensor), fed by Syslog; capabilities shown: Syslog monitoring, Attack interception, Detection, Prevention, Focused protection]
IDS Component Communications
Management console: Real-time event display; Event database; Sensor configuration
Sensor: Packet signature analysis; Generate alarms; Response/countermeasures
[Diagram: Host-Based IDS components communicating with the management console; the IDS Sensor on the Production Network Segment generates alarms and responds with countermeasures]
Security Management
Security Management
[Diagram: Seamless Collaboration of Security and Networking Services. Security Functions (VPN, Firewall, Intrusion Protection, Identity Svcs) and Network Services delivered through Security Appliances, Switch Modules, Router Modules and Security Software; Management: Analysis, Distributed Investigation, End-to-End Coverage, Flexible Deployment]
Security Management
Making sure that policies are in place and that they are working
Syslog
Log Analysis
Crystal Ball
Attacks will continue
Greater complexity
Still see unpatched vulnerabilities taken advantage of
Conclusions
Thank You
Questions