CCNA Sec 01

The basics of IT security: CIA (Confidentiality, Integrity, Availability)
• Confidentiality
  - Measures that prevent disclosure of information or data to unauthorized individuals or systems
• Integrity
  - Protecting the data from unauthorized alteration or revision
  - Often verified through the use of a hash (a plain hash only detects accidental change; against an attacker who can also replace the hash, a keyed hash such as HMAC or a digital signature is needed)
• Availability
  - Making systems and data ready for use whenever legitimate users need them
  - Supported by network hardening mechanisms and backup systems
  - Attacks against availability all fall into the "denial of service" realm
• Asset
  - Anything that is valuable to an organization
• Vulnerability
  - An exploitable weakness in a system or its design
• Threat
  - Any potential danger to an asset
• Countermeasure
  - A safeguard that mitigates a potential risk
• Risk
  - The potential for unauthorized access to, compromise, destruction, or damage to an asset

Classifying Assets
• One reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class

Classifying Vulnerabilities
• Policy flaws
• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources

Classifying Countermeasures
• Administrative controls
  - Written policies, procedures, guidelines, and standards
• Physical controls
  - Exactly what they sound like: physical security for the network servers, equipment, and infrastructure
• Logical controls (technical controls)
  - Passwords, firewalls, IPS, access lists, VPN tunnels, and so on

Potential Attackers
• Terrorists
• Criminals
• Government agencies
• Nation states
• Hackers
• Disgruntled employees
• Competitors
Attack Methods
• Reconnaissance
  - The discovery process used to find information about the network
• Social engineering
  - Leverages the (very likely) weakest vulnerability in a secure system (data, applications, devices, networks): the user
  - Can be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information
• Phishing
  - Presents a link that looks like a valid, trusted resource to a user
• Pharming
  - Redirects a customer's URL from a valid resource to a malicious one (typically by poisoning DNS or the local hosts file) that can be made to appear as the valid site to the user
• Privilege escalation
  - The process of taking some level of access and achieving an even greater level of access
• Backdoor
  - An application installed to give the attacker access again later, bypassing normal authentication
• Code execution
  - Once attackers can run their own code on a device, they might be able to take several further actions (install a backdoor, pivot to other systems, exfiltrate data)
• Man-in-the-Middle attacks
  - Result when attackers place themselves in line between two devices that are communicating
  - On a LAN this is commonly done by ARP spoofing; to mitigate that risk, you could use techniques such as DAI (Dynamic ARP Inspection)
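As an added worked example (not part of the original notes) of the DAI mitigation just mentioned, here is a Catalyst switch configuration that enables DHCP snooping and Dynamic ARP Inspection for one user VLAN. The VLAN number, interface names, the 10.0.10.0/24 addressing and the static host's MAC address are assumptions chosen for the illustration.

```cisco
! Added example (not from the original notes): DHCP snooping + Dynamic ARP Inspection
! on a Catalyst access switch. Assumptions: user VLAN 10 on 10.0.10.0/24, Gi0/1 is the
! uplink toward the DHCP server and distribution layer, Gi0/2-24 are host ports.
!
! DAI checks every ARP packet on untrusted ports against the DHCP snooping binding
! table (IP, MAC, VLAN, port), so snooping must be enabled on the same VLAN first.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Hosts with static addresses never obtain a binding and would have their ARP dropped.
! Whitelist their IP/MAC pairs in an ARP ACL (assumed printer address and MAC).
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
!
! Turn DAI on for the VLAN and attach the ACL. Without the "static" keyword, packets
! not matched by the ACL still fall through to the DHCP snooping binding check.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Extra sanity checks: sender/target MACs inside the ARP body must match the Ethernet
! header, and IPs must not be 0.0.0.0, 255.255.255.255 or multicast. These catch
! spoofed replies that a binding check alone would not.
ip arp inspection validate src-mac dst-mac ip
!
! Trust only the uplink: its ARP and DHCP traffic is not inspected, because the
! upstream switch is expected to run DAI/snooping itself. Never trust a host port.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports stay untrusted (the default). Rate-limit ARP so a host flooding gratuitous
! replies is err-disabled instead of exhausting the switch CPU, and let the port
! recover automatically after the default 300 s.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
errdisable recovery cause arp-inspection
!
! Verification:
! show ip arp inspection vlan 10            -> Enabled, validation flags, ACL attached
! show ip arp inspection statistics vlan 10 -> Forwarded / Dropped / DHCP Drops / ACL Drops
! show ip dhcp snooping binding             -> the table inspection is checked against
! show ip arp inspection interfaces         -> trust state and rate limit per port
```

The design point is the trust boundary: only ports that lead to another inspecting switch or to the DHCP server are trusted, every host-facing port is inspected, and any host that cannot be learned from DHCP is listed explicitly rather than by trusting its port.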
Additional Attack Methods
• Covert channel
  - Uses programs or communications in unintended ways
  - For example, if web traffic is allowed but peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside HTTP traffic
  - Another example is a backdoor application collecting keystroke information from the workstation and then sending it out inside ICMP or HTTP packets
• Trust exploitation
  - For example, an attacker could leverage access gained to a DMZ host and use that location to launch attacks from there into the inside network
• Brute-force (password-guessing) attacks
  - Performed when an attacker's system attempts thousands of possible passwords looking for the right match
  - Mitigated by limiting how many unsuccessful authentication attempts can occur within a specified time
• DoS (Denial of Service)
  - An attack launched from a single device with the intent to make an asset unavailable or to damage it
• DDoS (Distributed Denial of Service)
  - An attack launched from multiple devices, such as a botnet
• Botnet
  - A collection of infected computers that are ready to take instructions from the attacker
• RDoS (Reflected DDoS)
  - The attacker spoofs the source address of the initial (query) packets so that it is the victim's address
  - The response packets are then "reflected" back from the unknowing participant to the victim of the attack
Guidelines for Secure Network Architecture
• Rule of least privilege
  - Only the minimal access required should be provided to network resources
• Defense in depth
  - You should have security implemented at nearly every point of your network
  - For example: filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers as well
• Separation of duties
  - No single individual should hold all the rights needed to carry out a sensitive task end to end
  - Rotating individuals into different roles periodically also assists in verifying that vulnerabilities are being addressed, because a person who moves into a new role is required to review the policies in place
• Auditing
  - Accounting and keeping records about what is occurring on the network
Common forms of social engineering
• Phishing
  - Elicits sensitive information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution
  - The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number
• Malvertising
  - The act of incorporating malicious ads on trusted websites, which results in users' browsers being inadvertently redirected to sites hosting malware
• Phone scams
  - An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack

Defenses Against Social Engineering
• Password management
  - The number and type of characters that each password must include, and how often a password must be changed
• Two-factor authentication
  - Use two-factor authentication rather than fixed passwords
• Antivirus/antiphishing defenses
• Document handling and destruction
  - Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash
• Physical security
Malware Identification Tools
• Packet captures
• Snort IDS
  - An open source IDS/IPS developed by the founder of Sourcefire
• NetFlow
• IPS events
• Advanced Malware Protection (AMP)
  - Designed for Cisco FirePOWER network security appliances
  - Provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats
• NGIPS (Next-Generation Intrusion Prevention System)
  - The Cisco FirePOWER NGIPS solution provides multiple layers of advanced threat protection at high inspection throughput rates
Implementing AAA in Cisco IOS
Administrative access methods
• Password only
• Local database
• AAA local authentication (self-contained AAA)
• AAA server-based

AAA provides:
• Authentication
  - Who is permitted to access a network
• Authorization
  - What they can do while they are there
• Accounting
  - Records in detail what they did

Methods of implementing AAA services
• Local AAA authentication
  - Uses a local database stored in the router for authentication
• Server-based AAA authentication
  - Uses an external database server that leverages the RADIUS or TACACS+ protocols
  - Preferred in large environments
• Server-based authentication flow
  - The user establishes a connection with the router
  - The router prompts the user for a username and password
  - The router passes the username and password to the Cisco Secure ACS
  - The ACS authenticates and authorizes the user based on its database

ACS (Access Control Server)
• Can create a central user and administrative access DB that all network devices can access
• Can work with many external databases, such as Active Directory
• Supports both TACACS+ and RADIUS protocols
  - Both protocols can be used to communicate between the AAA client (router) and the AAA server (ACS)
• Provides user and device group profiles
• Restrictions to network access based on a specific time
• Can be software installed on a Windows server, or a physical appliance purchased from Cisco
RADIUS (Remote Authentication Dial-In User Service)
• Open standard: RFCs 2865, 2866, 2867, and 2868
• Combines authentication and authorization in one exchange, but separates accounting
• Supports the detailed accounting required for billing users, so it is preferred by ISPs
• Obfuscates only the password: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator
• Does not protect the username or any other data in the message, which travel in cleartext
• Used UDP port 1645 (legacy), now 1812, for authentication and authorization
• Used UDP port 1646 (legacy), now 1813, for accounting
• Supports remote-access technologies, 802.1X, and SIP

TACACS+ (Terminal Access Controller Access-Control System Plus)
• Cisco proprietary (later documented as RFC 8907)
• Separates authentication and authorization
• Provides less detailed accounting than RADIUS (not suited to billing)
• Obfuscates the entire packet body, not only the password (an MD5 keystream keyed with the shared secret); only the 12-byte header, including the session ID and sequence number, is sent in cleartext
• Uses TCP port 49
• Multiprotocol support, such as IP and AppleTalk
• Incompatible with any previous version of TACACS
• AAA clients must run Cisco IOS Release 11.2 or later
ISE (Identity Services Engine)
• An identity and access control policy platform
• Can validate that a computer meets the requirements of a company's policy related to virus definition files, service pack levels, and so on before allowing the device on the network
• Leverages many AAA-like (authentication, authorization, and accounting) features, but is not a 100 percent replacement for ACS
• ACS should be used mainly for AAA, and ISE for posturing and policy compliance checking for hosts
Login method types
• Enable
  - Uses the enable password for authentication
• Line
  - Uses the line password for authentication
• Local
  - Uses the local username database for authentication
• Local-case
  - Uses case-sensitive local username authentication
• Group radius
  - Uses the list of all RADIUS servers for authentication
• Group tacacs+
  - Uses the list of all TACACS+ servers for authentication
• Group group-name
  - Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command
• None
  - Ensures that authentication succeeds even if all preceding methods return an error (in effect, no authentication; use only as a last-resort fallback, never alone on a remote line)

AAA lists
• When AAA is enabled, the default method list is automatically applied to all interfaces and lines, except those that have a named method list explicitly assigned
• If the default method list is not configured and no named list is applied, only the local user database is checked (so define a local username before enabling aaa new-model on a remote session, or you can lock yourself out)
Authorization
• What a user can and cannot do on the network after that user is authenticated
• Typically implemented using a AAA server-based solution
• When a user has been authenticated, a session is established with the AAA server
• The router requests authorization for the requested service from the AAA server
• The AAA server returns a PASS/FAIL for the authorization
• TACACS+ establishes a new TCP session for every authorization request
• When AAA authorization is not enabled, all users are allowed full access
• To enable AAA
  - R(config)# aaa new-model
• To configure authentication to use the AAA server
  - R(config)# aaa authentication login default group radius group tacacs+ local …
  - Methods are tried in order; the next method is used only if the current one returns an error (for example, no response from the server), not if it rejects the credentials
• To specify the number of unsuccessful login attempts before the user is locked out
  - The account (non-privilege-15) stays locked until it is cleared by an administrator
• To display a list of all locked-out users
  - R# show aaa local user lockout
• To unlock a specific user or to unlock all locked users
• To display the attributes that are collected for a AAA session
• To show the unique ID of a session
  - R# show aaa sessions
• For vty lines
  - R(config)# line vty 0 4
• To debug AAA authentication
  - R# debug aaa authentication|authorization
  - Look specifically for GETUSER and GETPASS status messages
• To configure AAA with CCP
  - CCP > Configure > Router > AAA > …
• To create a local user account
  - CCP > Router > Router Access > User Accounts/View > Add
• To configure the AAA client (router) with the TACACS+ server
• To configure the AAA client (router) with the RADIUS server

AAA Authorization (Router)
• To get the privilege level that should be given to the user from the local user database
  - R(config)# aaa authorization exec default local
• To get the privilege level that should be given to the user from the TACACS+ server
  - R(config)# aaa authorization exec default group tacacs+
• To apply AAA authorization to the console line as well (it is disabled on the console by default)
  - R(config)# aaa authorization console
• To allow EXEC access to any user who has already authenticated, without asking a server (this does not change the user's privilege level)
  - R(config)# aaa authorization exec default if-authenticated
• To authorize each command entered in global configuration mode and its submodes
  - R(config)# aaa authorization config-commands
• To authorize the commands of level x (1-15) users
• To turn configuration-command authorization off again
  - R(config)# no aaa authorization config-commands

AAA debugging
• To debug AAA
  - R# debug aaa authentication
• To debug RADIUS or TACACS+
  - R# debug radius|tacacs events

AAA Accounting
• Each session established through the ACS can be fully accounted for and stored on the server
• To configure AAA accounting
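The following is an added worked example, not configuration from the original notes, that ties the scattered AAA commands above (method lists, login method types, authorization, accounting) together with the brute-force lockout from the attack-methods section into one working router configuration. The server addresses 10.0.0.10 and 10.0.0.11, the shared keys, the group and list names and the usernames are all assumed for the illustration.

```cisco
! Added example (not from the original notes): complete AAA for device administration
! on an IOS router. Assumed: TACACS+ server 10.0.0.10, RADIUS server 10.0.0.11; keys,
! group/list names and usernames are illustrative; SSH is already configured.
!
! 1. Local accounts FIRST. Once aaa new-model is on, the default login list falls back to
!    the local database; a router with no username configured locks you out of the vty.
!    (Privilege-15 local users are exempt from the max-fail lockout configured below.)
enable secret Str0ngEnableSecret!
username admin privilege 15 secret Str0ngLocalPassw0rd!
username helpdesk privilege 1 secret An0therStr0ngOne!
!
aaa new-model
!
! 2. Servers and named groups (these are what the "group group-name" method refers to).
tacacs server ACS-TACACS
 address ipv4 10.0.0.10
 key TacacsSharedKey!
radius server ACS-RADIUS
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key RadiusSharedKey!
aaa group server tacacs+ ADMIN-TACACS
 server name ACS-TACACS
aaa group server radius ADMIN-RADIUS
 server name ACS-RADIUS
!
! 3. Authentication. Methods run in order; the next one is consulted only when the current
!    one returns ERROR (server unreachable), never on REJECT, so "local" is a fallback for
!    an outage, not a second chance for a guessed password.
aaa authentication login default group ADMIN-TACACS group ADMIN-RADIUS local
aaa authentication login CONSOLE local
aaa authentication enable default group ADMIN-TACACS enable
!
! 4. Authorization. EXEC privilege level and per-command checks come from TACACS+;
!    config-commands extends command authorization into configuration mode and its
!    submodes. if-authenticated keeps an already-authenticated admin working if the
!    server dies, instead of rejecting every command.
aaa authorization console
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 1 default group ADMIN-TACACS if-authenticated
aaa authorization commands 15 default group ADMIN-TACACS if-authenticated
aaa authorization config-commands
!
! 5. Accounting: start/stop records for each EXEC session and each level-15 command.
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! 6. Brute-force controls. max-fail locks a local (non-priv-15) account after 5 failures
!    until an administrator clears it; login block-for puts the router in quiet mode for
!    120 s after 3 failures within 60 s, which also slows guessing against server-side
!    accounts. Pair it with "login quiet-mode access-class" to exempt the management subnet.
aaa local authentication attempts max-fail 5
login block-for 120 attempts 3 within 60
!
! 7. Apply the lists. The default list is applied to every line automatically; the console
!    gets the local-only list so that a dead TACACS+ server cannot lock out physical access.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification and recovery:
! show aaa local user lockout                     -> local users locked by max-fail
! clear aaa local user lockout username helpdesk  -> unlock one user
! clear aaa local user lockout all                -> unlock all
! show aaa sessions / show aaa user all           -> session IDs and collected attributes
! debug aaa authentication                        -> watch for GETUSER / GETPASS, then PASS or FAIL
! debug tacacs events                             -> server reachability and per-request timing
```

Two choices here are deliberate: the console keeps a local-only list so that a TACACS+ outage cannot lock administrators out of the device, and command authorization falls back to if-authenticated rather than local, because a rejected command during a server outage is a far more common operational failure than an attacker who has already passed authentication.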
ACS server configurations
• Network device groups
  - Groups of network devices, normally based on routers or switches with similar functions, or devices managed by the same administrators
• Network devices (ACS clients: routers/switches)
  - The individual network devices that go into the device groups
• Identity groups (user/admin groups)
  - Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices
• User accounts
  - Individual administrator/user accounts that are placed in identity groups
• Authorization profiles
  - These profiles control what rights are permitted
  - The profile is associated with a network device group and a user/administrator identity group

To manage the ACS server
• https://ip
• Default username: acsadmin, default password: default (change it immediately)

For a trial license
• https://www.cisco.com/go/license
• Get Other Licenses > Demo and Evaluation, then search for Access Control

To create a device group
• ACS > Network Resources > Network Device Groups > Device Type > Create
To add a device to the group
• Network Resources > Network Devices and AAA Clients > Create
• Click the Select button to the right of Device Type and select the device group
• Select TACACS+ and type the shared secret (it must match the key configured on the router)
• Under IP Address, select Range and type the range (e.g. 10.0.0.100-200), then click Add
To create a user group
• Users and Identity Stores > Identity Groups > Create
To create an individual user
• Users and Identity Stores > Internal Identity Stores > Users > Create
To create a shell profile
• Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Create
• On the Common Tasks tab, set Default Privilege to Static and type a privilege level
To configure authorization policies (to assign permissions to an identity group for access to a device group)
• Access Policies > Access Services > Default Device Admin > Authorization > Create
• Then select a shell profile or create one (a shell profile has a name and defines a privilege level)

Verifying and Troubleshooting Router-to-ACS Server Interactions
• Ping the ACS server from the router
• Use debug commands to verify functionality
• To look at the reports on the ACS server
  - Monitoring & Reports > Reports > Catalog > AAA Protocol
Bring Your Own Device (BYOD)
• Allowing users to bring their own network-connected devices while also maintaining an appropriate security posture
• The organization's security policy must be leveraged to govern the level of access for BYOD devices

BYOD Solution Components
• BYOD devices
  - The corporate-owned and personally owned endpoints that require access to the corporate network regardless of their physical location
• Wireless access points (AP)
  - Provide wireless network connectivity to the corporate network for both local and BYOD devices
• Wireless LAN (WLAN) controllers
  - Serve as a centralized point for the configuration, management, and monitoring of the Cisco WLAN solution
  - Used to implement and enforce the security requirements for the BYOD solution
  - Work with the ISE to enforce both authentication and authorization policies on each BYOD endpoint
• Identity Services Engine (ISE)
  - The cornerstone of the AAA requirements for endpoint access, which are governed by the security policies put forth by the organization
• Cisco AnyConnect Secure Mobility Client
  - Provides connectivity for end users who need access to the corporate network
  - Inside users leverage 802.1X to get secure access to the corporate network
  - Outside users use the AnyConnect client for secure VPN connectivity, including posture checking
• Integrated Services Routers (ISR)
  - Used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments
  - Can provide VPN connectivity for mobile devices that are part of the BYOD solution
• Adaptive Security Appliance (ASA)
  - Provides all the standard security functions for the BYOD solution at the Internet edge
  - Can provide IPS and VPN for end devices
• Cloud Web Security (CWS)
  - Provides enhanced security for all the BYOD solution endpoints while they access the Internet
• RSA SecurID
  - The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication
• Active Directory
  - Restricts access to those users with valid authentication credentials
• Certificate authority
  - The CA server ensures that only devices with corporate certificates can access the corporate network
• Mobile Device Management (MDM)
  - Deploys, manages, and monitors the mobile devices that make up the Cisco BYOD solution
  - Specific functions provided by MDM include:
    - Enforcement of a PIN lock (locking a device after a set threshold of failed login attempts has been reached)
    - Enforcement of strong passwords for all BYOD devices
    - Detection of attempts to "jailbreak" or "root" BYOD devices, specifically smartphones, and of subsequent attempts to use these compromised devices on the corporate network
    - Enforcement of data encryption requirements based on an organization's security policies
    - Ability to remotely wipe a stolen or lost BYOD device so that all data is completely removed

MDM Deployment Options
• On-premise MDM deployment
  - MDM application software is installed and maintained on servers within the corporate data center
  - Consists of the following topology and network components:
    - Data center: the servers and ISE to enforce posture assessment and access control
    - Internet edge: includes an ASA firewall, WLC, and the MDM, which provides all the policies and profiles, digital certificates, applications, data, and configuration settings for all the BYOD devices
    - Services: contains the WLC for all APs to which the corporate users connect; however, any other network-based services required for the corporate
    - Core: serves as the main distribution and routing point for all network traffic traversing the corporate network environment
    - Campus building: a distribution switch provides the main ingress/egress point for all network traffic entering and exiting the campus environment
• Cloud-based MDM deployment
  - MDM application software is hosted, managed, and maintained by a service provider who is solely