
Network Security Chapter 11 powered by DJ 1

Upload: malcolm-casey

Post on 20-Jan-2016



Page 1: Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement

Network Security

Chapter 11

powered by DJ 1


Chapter Objectives

At the end of this chapter you will be able to:

Describe today's increasing network security threats and explain the need to implement a comprehensive security policy to mitigate the threats.

Explain general methods to mitigate common security threats to network devices, hosts, and applications.

Describe the functions of common security appliances and applications.

Describe security recommended practices, including initial steps to secure network devices.


Perimeter, Firewall, and Internal Routers

Typically, in medium to large enterprise networks, the various strategies for security are based on some recipe of internal and perimeter routers plus firewall devices. Internal routers provide additional security to the network by screening traffic to various parts of the protected corporate network, and they do this using access lists. You can see where each of these types of devices is found in the figure below.


Figure: A Typical Secured Network


Recognizing Security Threats

Let's examine some common attack profiles:

Application-layer attacks

These attacks commonly zero in on well-known holes in the software that's typically found running on servers. Favorite targets include FTP, sendmail, and HTTP. Because the permission level granted to these accounts is most often "privileged," bad guys simply access and exploit the machine that's running one of these applications.

Trojan horse attacks and viruses


Backdoors

These are simply paths leading into a computer or network. Through simple invasions, or via more elaborate “Trojan horse” code, bad guys can use their implanted inroads into a specific host or even a network whenever they want to—until you detect and stop them.

IP spoofing

Packet sniffers

Password attacks

Brute force attack

Port redirection attacks

Denial of service (DoS) attack


Mitigating Security Threats

What solution should we use to mitigate security threats? Something from Juniper, McAfee, or some other firewall product? NO, we probably should use something from Cisco.

Cisco IOS software runs on upwards of 80 percent of the Internet backbone routers out there; it's probably the most critical part of network infrastructure. So let's just keep it real and use Cisco IOS's software-based security, known as the Cisco IOS Firewall feature set, for our end-to-end Internet, intranet, and remote-access network security solutions. It's a good idea to go with this because Cisco ACLs really are quite efficient tools for mitigating many of the most common threats around.


Cisco’s IOS Firewall

Authentication proxy

A feature that makes users authenticate any time they want to access the network's resources through HTTP, HTTPS, FTP, and Telnet. It keeps personal network access profiles for users, automatically retrieves them for you from a RADIUS server, and applies them as well.

Destination URL policy management

A buffet of features that’s commonly referred to as URL Filtering.

Per-user firewalls

These are basically personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage.


Cisco IOS router and firewall provisioning

Allows for no-touch router provisioning, version updates, and security policies.

Denial of service (DoS) detection and prevention

A feature that checks packet headers and drops any packets it finds suspicious.

Dynamic port mapping

A sort of adapter that permits applications supported by the firewall to run on nonstandard ports.

Java applet blocking

Protects you from any strange, unrecognized Java applets.


Basic and Advanced Traffic Filtering

You can use standard, extended, even dynamic ACLs like Lock-and-Key traffic filtering with Cisco’s IOS Firewall. And you get to apply access controls to any network segment you want. Plus, you can specify the exact kind of traffic you want to allow to pass through any segment.

Policy-based, multi-interface support

Allows you to control user access by IP address and interface depending on your security policy.


Network Address Translation (NAT)

Conceals the internal network from the outside, increasing security.

Time-based access lists

Determine security policies based upon the exact time of day and the particular day of the week.
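The slides describe access lists in three places: internal routers screening traffic with access lists, the standard/extended ACL filtering of the IOS Firewall, and time-based access lists. The following is an added example, not code from the slides or from Cisco: a small Python evaluator for a constructed ACL written in a subset of Cisco extended-ACL syntax. It shows the three rules a practitioner has to keep in mind when reading or writing ACLs: entries are tried top-down and the first match wins, a wildcard mask bit of 1 means "don't care", and anything that matches nothing falls to the implicit deny at the end. An entry with an inactive time-range is skipped rather than matched. The ACL, the packets and the WORKHOURS time-range table are all constructed for the example.

```python
"""Simulated Cisco-style ACL evaluation (added example, not from the slides)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Constructed sample ACL in a subset of Cisco extended-ACL syntax.
# The host-specific deny is placed first on purpose: if it came after the
# permit lines, those lines would match first and shadow it.
ACL_TEXT = """
deny   ip  host 10.1.1.66 any
permit tcp 10.1.0.0 0.0.255.255 host 10.9.0.5 eq 443
permit tcp 10.1.0.0 0.0.255.255 host 10.9.0.10 eq 22 time-range WORKHOURS
permit udp any 10.9.0.0 0.0.0.255 eq 53
"""

# Constructed time-range table: name -> (weekdays with Monday=0, start hour, end hour)
TIME_RANGES = {"WORKHOURS": ({0, 1, 2, 3, 4}, 8, 18)}

# Constructed timestamps used by the demonstration: a Wednesday and a Saturday.
WEDNESDAY_10 = datetime(2024, 1, 10, 10, 0)
SATURDAY_10 = datetime(2024, 1, 13, 10, 0)


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    seq: int                     # IOS-style sequence number (10, 20, ...)
    action: str
    proto: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]
    time_range: Optional[str]


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wild, i + 2


def parse_acl(text):
    """Parse ACL lines into Entry objects, numbering them 10, 20, 30, ..."""
    entries = []
    for n, line in enumerate(l for l in text.splitlines() if l.strip()):
        t = line.split()
        action, proto = t[0], t[1]
        src, src_wild, i = _parse_addr(t, 2)
        dst, dst_wild, i = _parse_addr(t, i)
        dport, time_range = None, None
        while i < len(t):
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "time-range":
                time_range, i = t[i + 1], i + 2
            else:
                raise ValueError(f"unsupported keyword {t[i]!r}")
        entries.append(Entry((n + 1) * 10, action, proto, src, src_wild,
                             dst, dst_wild, dport, time_range))
    return entries


def _addr_match(addr, base, wild):
    """Wildcard bit 1 = don't care; bit 0 = must match the base address."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def _time_active(name, now):
    days, start, end = TIME_RANGES[name]
    return now.weekday() in days and start <= now.hour < end


def evaluate(entries, pkt, now) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(s, e.src, e.src_wild) and _addr_match(d, e.dst, e.dst_wild)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.time_range and not _time_active(e.time_range, now):
            continue            # inactive time-range: entry is skipped, not matched
        return e.action, e.seq
    return "deny", None         # implicit "deny ip any any"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for pkt, now in [(Packet("tcp", "10.1.1.66", "10.9.0.5", 443), WEDNESDAY_10),
                     (Packet("tcp", "10.1.5.7", "10.9.0.10", 22), WEDNESDAY_10),
                     (Packet("tcp", "10.1.5.7", "10.9.0.10", 22), SATURDAY_10)]:
        print(pkt, "->", evaluate(ACL, pkt, now))
```

The SSH entry illustrates the time-based behaviour from the slide: the same packet is permitted on a Wednesday morning and falls to the implicit deny on a Saturday, because the time-range makes the entry invisible rather than turning it into a deny. Standard ACLs are the degenerate case of this evaluator with only a source address to match.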

Peer router authentication

Guarantees that routers are getting dependable routing information from actual, trusted sources. (For this to work, you need a routing protocol that supports authentication, like RIPv2, EIGRP, or OSPF.)
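Peer router authentication works by giving neighbouring routers a shared key and having each router attach a keyed digest of every routing update; a receiver recomputes the digest and discards updates whose digest does not verify. The following added example (not code from the slides, and not the wire format of RIPv2, EIGRP or OSPF, which use their own MD5/SHA keyed-hash layouts) shows that principle with Python's standard hmac module. The key chain, the advertised prefixes and the tampered messages are constructed for the example.

```python
"""Keyed-digest authentication of routing updates (added example, not from the slides)."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key chain: key id -> shared secret configured on both peers.
KEY_CHAIN: Dict[int, bytes] = {1: b"constructed-shared-secret"}


def sign_update(routes: List[str], key_id: int, key_chain=KEY_CHAIN) -> dict:
    """Build an update carrying the key id, the advertised routes and an HMAC over them."""
    body = json.dumps({"routes": sorted(routes)}, sort_keys=True).encode()
    digest = hmac.new(key_chain[key_id], body, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "body": body.decode(), "digest": digest}


def verify_update(msg: dict, key_chain=KEY_CHAIN) -> Tuple[bool, str]:
    """Recompute the digest with the local key for msg['key_id'] and compare in constant time."""
    key = key_chain.get(msg.get("key_id"))
    if key is None:
        return False, "unknown key id"
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["digest"]):
        return False, "bad digest"
    return True, "ok"


def accept_routes(msg: dict, key_chain=KEY_CHAIN) -> List[str]:
    """Routes a receiving router would install: all of them if the update verifies, none otherwise."""
    ok, _reason = verify_update(msg, key_chain)
    return json.loads(msg["body"])["routes"] if ok else []


# Constructed messages: one genuine update and three that should be rejected.
GENUINE = sign_update(["10.9.0.0/24", "10.1.0.0/16"], 1)
TAMPERED = dict(GENUINE, body=GENUINE["body"].replace("10.9.0.0/24", "0.0.0.0/0"))
WRONG_KEY_ID = dict(GENUINE, key_id=7)
FORGED = sign_update(["0.0.0.0/0"], 1, key_chain={1: b"attacker-guess"})

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("tampered", TAMPERED),
                      ("wrong key id", WRONG_KEY_ID), ("forged", FORGED)]:
        print(f"{name:12s} {verify_update(msg)} -> installs {accept_routes(msg)}")
```

A peer that changes a prefix in transit, reuses a key id the receiver does not have, or computes the digest with a guessed secret is rejected before any route is installed; only a neighbour holding the configured secret can produce an update the router treats as dependable.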


THANK YOU
