© 1999, Cisco Systems, Inc. www.cisco.com
Module 11: Security Basics
CSE: Networking Fundamentals—Security
Agenda
• Why Security?
• Security Technology
– Identity
– Integrity
– Active Audit
All Networks Need Security
• No matter the company size, security is important
• Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
• Even small company sites are cracked
Why Security?
• Three primary reasons
– Policy vulnerabilities
– Configuration vulnerabilities
– Technology vulnerabilities
And People Eager to Take Advantage of the Vulnerabilities
Security Threats
• Loss of Integrity: a customer’s “Deposit $1000” reaches the bank as “Deposit $100”
• Denial of Service
• Loss of Privacy: a telnet login to company.org (username dan) is read off the wire, exposing the password character by character
• Impersonation: “I’m Bob. Send me all corporate correspondence with Cisco.”
Security Objective: Balance Business Needs with Risks
• Access Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity
• Balanced, through Policy Management, against: Connectivity, Performance, Ease of Use, Manageability, Availability
Network Security Components: Physical Security Analogy
• Doors, locks, & guards: firewalls & access controls
• Keys & badges: authentication
• Surveillance cameras & motion sensors: intrusion detection system
• Complementary mechanisms that together provide in-depth defense
Security Technology
Elements of Security
Policy
• Identity
– Accurately identify users
– Determine what users are allowed to do
• Integrity
– Ensure network availability
– Provide perimeter security
– Ensure privacy
• Active audit
– Recognize network weak spots
– Detect and react to intruders
Security Technology: Identity
Identity
• Uniquely and accurately identify users, applications, services, and resources
– Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
Username/Password
(Figure: dial-in user, public network, Network Access Server, campus AAA server; PPP/PAP carries the password to the NAS, which forwards the ID/password to the AAA server)
• User dials in with password to NAS
• NAS sends ID/password to AAA server
• AAA server authenticates user ID/password and tells NAS to accept (or reject)
• NAS accepts (or rejects) call
PAP and CHAP Authentication
(Figure: dial-in user and Network Access Server across the public network, PPP with PAP or CHAP)
• Password Authentication Protocol (PAP)
– Authenticates caller only
– Passes password in clear text
• Challenge Handshake Authentication Protocol (CHAP)
– Authenticates both sides
– Password is encrypted
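The difference between the two protocols, as an added example that is not part of the original deck or Cisco code: CHAP per RFC 1994 with the MD5 algorithm, with a constructed shared secret and constructed challenge values.

```python
import hashlib
import hmac

# Added example (not Cisco code): CHAP as specified in RFC 1994 with the MD5
# algorithm. The shared secret lives on both the NAS and the peer and never
# crosses the link; what the slide calls the "encrypted" password is in fact
# an MD5 digest of Identifier || secret || Challenge.
SHARED_SECRET = b"constructed-shared-secret"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: the Response value is MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def nas_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def on_the_wire_pap(password: bytes) -> bytes:
    """PAP, for contrast: the Authenticate-Request carries the password itself."""
    return password

def on_the_wire_chap(identifier: int, secret: bytes, challenge: bytes) -> tuple:
    """CHAP: an observer sees only the challenge and the digest, never the secret."""
    return challenge, chap_response(identifier, secret, challenge)

def replay_is_rejected(secret: bytes) -> bool:
    """A digest captured for one challenge fails against the next, fresh challenge."""
    first = bytes.fromhex("0f1e2d3c4b5a6978")    # constructed challenges
    second = bytes.fromhex("8796a5b4c3d2e1f0")
    captured = chap_response(7, secret, first)
    return nas_verify(7, secret, first, captured) and not nas_verify(7, secret, second, captured)

def mutual_chap(secret: bytes, c_from_nas: bytes, c_from_peer: bytes) -> bool:
    """'Authenticates both sides': each end challenges the other with the same scheme."""
    peer_ok = nas_verify(1, secret, c_from_nas, chap_response(1, secret, c_from_nas))
    nas_ok = nas_verify(2, secret, c_from_peer, chap_response(2, secret, c_from_peer))
    return peer_ok and nas_ok
```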
One-Time Password
(Figure: dial-in user, public network, Network Access Server, campus AAA server and token or S/Key server; the user submits an ID/one-time password produced by a token card, soft token, or S/Key)
• Additional level of security, guards against password guessing and cracking
– Prevents spoofing, replay attacks
• Single-use password is generated by token card or in software
• Synchronized central server authenticates user
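How a single-use password defeats the replay shown on the Loss of Privacy slide, as an added example that is not from the original deck or Cisco code: an S/Key-style hash chain, with SHA-256 standing in for S/Key’s folded MD4/MD5 and a constructed secret and seed.

```python
import hashlib
import hmac

# Added example (not Cisco code): an S/Key-style one-time password chain.
# S/Key folds MD4/MD5 output to 64 bits; SHA-256 is used here as a simplification.
def otp_hash(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()

def otp_chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """H^n(seed || secret): the n-th one-time password in the chain."""
    value = seed + secret
    for _ in range(n):
        value = otp_hash(value)
    return value

class OtpServer:
    """Stores only the last accepted value H^n, never the user's secret."""
    def __init__(self, secret: bytes, seed: bytes, n: int):
        self.seed, self.count = seed, n
        self.last = otp_chain(secret, seed, n)   # H^n, computed once at enrollment

    def challenge(self) -> tuple:
        # Ask for H^(count-1); only the holder of the secret can derive it.
        return self.count - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.count <= 1:
            return False                         # chain exhausted; re-enroll
        if hmac.compare_digest(otp_hash(otp), self.last):
            self.last, self.count = otp, self.count - 1   # step down the chain
            return True
        return False

class OtpClient:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, n: int, seed: bytes) -> bytes:
        return otp_chain(self.secret, seed, n)

def login_twice_and_replay(secret: bytes = b"constructed-secret", n: int = 5) -> tuple:
    """Two fresh logins succeed; replaying the first captured OTP does not."""
    server, client = OtpServer(secret, b"seed01", n), OtpClient(secret)
    first = client.respond(*server.challenge())
    ok1 = server.verify(first)
    replay = server.verify(first)               # the value a sniffer would have captured
    ok2 = server.verify(client.respond(*server.challenge()))
    return ok1, replay, ok2
```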
Authentication, Authorization, and Accounting (AAA)
• Tool for enforcing security policy
– Authentication: verifies identity—Who are you?
– Authorization: configures integrity—What are you permitted to do?
– Accounting: assists with audit—What did you do?
AAA Services
• Centralized security database
• High availability
• Same policy across many access points
• Per-user access control
• Single network login
• Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
(Figure: a dial-in user and an Internet user reach the campus through a Network Access Server and a gateway router/firewall; both intercept connections and query the AAA server over TACACS+ or RADIUS for the ID/user profile)
RADIUS
• RADIUS is an industry standard—RFC 2138, RFC 2139
• Cisco has full IETF RFC implementation
• Cisco has implemented many nonstandard vendor proprietary attributes
• Cisco hardware will work well with non-Cisco RADIUS AAA servers
• Cisco is committed to providing the best RADIUS solution
TACACS+ Authentication
• Local or centralized
• Cisco continues to expand TACACS+ and add features in Cisco IOS™ 11.3
• Cisco customers gain additional functionality from CiscoSecure server support for both TACACS+ and RADIUS
• Cisco enterprise customers continue to ask for TACACS+ features
(Figure: TACACS database holding username/password and additional information)
Lock-and-Key Security
• Dynamically assigns access control lists on a per-user basis
• Allows a remote host to access a local host via the Internet
• Allows local hosts to access a host on a remote network
(Figure: an authorized user is admitted to the corporate site across the Internet; a non-authorized user is blocked)
Calling Line Identification
(Figure: Station A, ISDN number 1234, sends a call setup message carrying its local ISDN number; the receiving router compares the number with known numbers, accepts the call, and optionally runs PPP CHAP authentication)
User Authentication with Kerberos
• Authenticates users and the network services they use
• Uses “tickets” or “credentials” issued by a trusted Kerberos server
– Limited life span; can be used in place of standard “user/password” mechanism
(Figure: a remote user (Kerberos principal) obtains a Kerberos credential (ticket) from the Kerberos server and presents an encrypted service credential to the Kerberized router to reach the mail server)
How Public Key Works
(Figure: two devices across a WAN, each holding a public key and a private key, agree on a shared secret key for DES)
• By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them
Digital Signatures
(Figure: Bob hashes his document to a message hash and encrypts the hash with Bob’s private key to produce the digital signature; the recipient decrypts the signature with Bob’s public key, hashes the received document, and checks whether the two hashes are the same)
• If verification is successful, document has not been altered
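The hash-sign-verify flow from the figure, as an added example that is not part of the original deck or Cisco code: a toy RSA key built from two Mersenne primes (constructed for illustration, with no padding scheme) and a constructed document, including the tampered copy from the Security Threats slide.

```python
import hashlib

# Added example (not Cisco code) of the hash-sign-verify flow on the slide.
# Toy RSA key from two Mersenne primes, constructed for illustration only; a real
# deployment uses a 2048-bit key and a padding scheme (PKCS#1 v1.5 or PSS).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                                 # Bob's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # Bob's private exponent

def message_hash(document: bytes) -> int:
    """Hash the document and reduce the digest into the modulus (toy encoding)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes, private_d: int = D) -> int:
    """Bob: hash the document, then 'encrypt' the hash with his private key."""
    return pow(message_hash(document), private_d, N)

def verify(document: bytes, signature: int, public_e: int = E) -> bool:
    """Recipient: 'decrypt' the signature with Bob's public key, rehash, compare."""
    return pow(signature, public_e, N) == message_hash(document)

DOCUMENT = b"Deposit $1000 to account 4711"    # constructed sample document
TAMPERED = b"Deposit $100 to account 4711"     # the integrity-loss case from the threats slide
```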
Certificate Authority
• Certificate Authority (CA) verifies identity
• CA signs digital certificate containing device’s public key
• Certificate equivalent to an ID card
• Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
(Figure: a CA vouches over the Internet for the identity of a bank to a client asking who it is dealing with)
Network Address Translation
• Provides dynamic or static translation of private addresses to registered IP addresses
• Eliminates readdressing overhead—large administrative cost benefit
• Conserves addresses—hosts can share a single registered IP address for all external communications via port-level multiplexing
• Permits use of a single IP address range in multiple intranets
• Hides internal addresses
• Augmented by EasyIP DHCP host function
(Figure: a packet with source address 10.0.0.1 leaves toward the Internet with its source address rewritten to the inside global address from the table)
Inside Local IP Address / Inside Global IP Address
10.0.0.1 / 171.69.58.80
10.0.0.2 / 171.69.58.81
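The two translation kinds on this slide, as an added example that is not part of the original deck or Cisco code: a minimal NAT table with the static entries from the table above plus port-level multiplexing onto 171.69.58.82, a constructed pool address.

```python
# Added example (not Cisco code): a minimal NAT table with the two translation
# kinds on the slide, static (one-to-one) and overload (port-level multiplexing).
# 171.69.58.82 is a constructed pool address; the .80/.81 entries follow the table above.
class Nat:
    def __init__(self, pool_ip: str, static: dict, first_port: int = 1024):
        self.pool_ip = pool_ip
        self.static = dict(static)               # inside local -> inside global
        self.reverse_static = {g: l for l, g in static.items()}
        self.next_port = first_port
        self.out = {}                            # (local ip, port) -> (global ip, port)
        self.back = {}                           # (global ip, port) -> (local ip, port)

    def outbound(self, src_ip: str, src_port: int) -> tuple:
        """Rewrite the source of a packet leaving toward the Internet."""
        key = (src_ip, src_port)
        if key not in self.out:
            if src_ip in self.static:
                mapped = (self.static[src_ip], src_port)      # static: port preserved
            else:
                mapped = (self.pool_ip, self.next_port)       # overload: share one address
                self.next_port += 1
            self.out[key] = mapped
            self.back[mapped] = key
        return self.out[key]

    def inbound(self, dst_ip: str, dst_port: int):
        """Rewrite the destination of a packet arriving from the Internet."""
        if (dst_ip, dst_port) in self.back:
            return self.back[(dst_ip, dst_port)]             # reply to an existing session
        if dst_ip in self.reverse_static:
            return (self.reverse_static[dst_ip], dst_port)   # static host reachable from outside
        return None                                          # no mapping: internal hosts stay hidden

def build_nat() -> Nat:
    """The slide's table plus one overload address for every other inside host."""
    return Nat("171.69.58.82", {"10.0.0.1": "171.69.58.80", "10.0.0.2": "171.69.58.81"})
```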
Security Technology: Integrity
Integrity—Network Availability
• Ensure the network infrastructure remains available
– TCP Intercept, route authentication
TCP Intercept
(Figure: the connection request is intercepted by the router, the connection is established with the client, then transferred to the server)
• Protects networks against denial of service attacks
• TCP SYN flooding can overwhelm server and cause it to deny service, exhaust memory, or waste processor cycles
• TCP Intercept protects network by intercepting TCP connection requests and replying on behalf of the destination
• Can be configured to passively monitor TCP connection requests and respond if connection fails to be established in a configurable interval
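The passive monitoring behaviour of the last bullet, as an added example that is not part of the original deck or Cisco code: a simulation of the half-open table a watching router keeps, run over a constructed trace in which one client completes its handshake and three SYNs never do.

```python
# Added example (not Cisco code): a simulation of TCP Intercept's passive watch
# behaviour described above. The router notes each SYN, clears the entry when the
# handshake completes, and resets connections still half-open after the interval
# (30 seconds assumed here). The trace below is constructed.
class TcpInterceptWatch:
    def __init__(self, watch_timeout: float = 30.0):
        self.watch_timeout = watch_timeout
        self.half_open = {}       # flow -> time the SYN was seen
        self.resets = []          # flows the router reset on the server's behalf

    def on_syn(self, flow: tuple, now: float) -> None:
        self.half_open[flow] = now

    def on_established(self, flow: tuple) -> None:
        """Final ACK seen: the server's state is legitimate; stop watching."""
        self.half_open.pop(flow, None)

    def tick(self, now: float) -> list:
        """Expire flows that stayed half-open longer than the watch timeout."""
        expired = [f for f, t in self.half_open.items() if now - t > self.watch_timeout]
        for f in expired:
            del self.half_open[f]
            self.resets.append(f)   # a RST to the server frees the half-open slot
        return expired

def run_watch(events: list, watch_timeout: float = 30.0) -> TcpInterceptWatch:
    """events: (time, 'syn'|'ack'|'tick', flow) with flow = (src, sport, dst, dport)."""
    watcher = TcpInterceptWatch(watch_timeout)
    for t, kind, flow in events:
        if kind == "syn":
            watcher.on_syn(flow, t)
        elif kind == "ack":
            watcher.on_established(flow)
        else:
            watcher.tick(t)
    return watcher

SERVER = ("171.69.58.80", 80)
GOOD = ("192.0.2.10", 40001) + SERVER
TRACE = [                              # constructed: one real client, three SYNs never completed
    (0.0, "syn", GOOD),
    (0.2, "ack", GOOD),
    (1.0, "syn", ("198.51.100.1", 1111) + SERVER),
    (1.0, "syn", ("198.51.100.2", 1112) + SERVER),
    (1.0, "syn", ("198.51.100.3", 1113) + SERVER),
    (15.0, "tick", None),
    (32.0, "tick", None),
]
```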
Route Authentication
(Figure: a home gateway facing the Internet accepts route updates only from a trusted source)
• Enables routers to identify one another and verify each other’s legitimacy before accepting route updates
• Ensures that routers receive legitimate update information from a “trusted” source
Integrity—Perimeter Security
• Control access to critical network applications, data, and services
– Access control lists, firewall technologies, content filtering, CBAC, authentication
Access Lists
• Standard
– Filter source address only
– Permit/deny entire protocol suite
• Extended
– Filter source, destination addresses
– Inbound or outbound
– Port number
– Permit/deny specific protocols
– Reflexive
– Time-based
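Standard versus extended filtering, as an added example that is not part of the original deck or Cisco code: a matcher for the IOS access-list syntax, with wildcard-mask semantics and the implicit deny, run over a constructed list that stops inbound Telnet to the web server from the Policy Enforcement slide.

```python
import ipaddress

# Added example (not Cisco code): a matcher for the IOS access-list syntax used by the
# Access Lists and Policy Enforcement slides. Numbers 1-99 are standard (source only),
# 100-199 extended (protocol, source, destination, optional 'eq port'). In a Cisco
# wildcard mask a 0 bit must match and a 1 bit is don't-care; every list ends in an
# implicit deny. The sample list below is constructed.
def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr(tokens: list, i: int) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _matches(spec: tuple, addr: int) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return base & care == addr & care

def parse_acl(lines: list) -> list:
    entries = []
    for line in lines:
        t = line.split()
        number, action = int(t[1]), t[2]
        if number <= 99:                                  # standard
            src, _ = _addr(t, 3)
            entries.append((action, "ip", src, (0, 0xFFFFFFFF), None))
        else:                                             # extended
            proto = t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries: list, proto: str, src: str, dst: str, dport=None) -> str:
    """First matching entry wins; fall through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, p, sspec, dspec, port in entries:
        if p != "ip" and p != proto:
            continue
        if not (_matches(sspec, s) and _matches(dspec, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

INBOUND_101 = parse_acl([
    "access-list 101 deny tcp any host 171.69.58.80 eq 23",      # inbound Telnet stopped here
    "access-list 101 permit tcp any host 171.69.58.80 eq 80",    # web server stays reachable
    "access-list 101 permit ip 10.0.0.0 0.0.0.255 any",
])
```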
Policy Enforcement Using Access Control Lists
(Figure: a home gateway facing the Internet; inbound Telnet is stopped at the gateway)
• Ability to stop or reroute traffic based on packet characteristics
• Access control on incoming or outgoing interfaces
• Works together with NetFlow to provide high-speed enforcement on network access points
• Violation logging provides useful information to network managers
Importance of Firewalls
• Permit secure access to resources
• Protect networks from:
– Unauthorized intrusion from both external and internal sources
– Denial of service (DoS) attacks
What Is a Firewall?
• All traffic from inside to outside and vice versa must pass through the firewall
• Only authorized traffic, as defined by the local security policy, is allowed in or out
• The firewall itself is immune to penetration
Packet-Filtering Routers
(Figure: a router with ACLs separates the ISP and Internet from the protected network of users; the public-access servers, an e-mail server, a web server, and micro web servers, are reachable from outside)
Proxy Service
(Figure: a proxy server between the internal network and the Internet/intranet)
• Provides user-level security
• Most effective when used with packet filtering
Stateful Sessions
(Figure: a firewall between the Internet and the mail and WWW servers)
• Highest performance security
• Maintains complete session state
• Connection oriented
– Tracks complete connection
– Establishment and termination
• Strong audit capability
• Easy to add new applications
Performance Requirements
(Figure: a company network linked to the Internet, with a bandwidth scale of .5, 1, 5, 10, 20, and 40 Meg per second)
• Video
• Audio
• Private link
• Web commerce
Integrity—Privacy
• Provide authenticated private communication on demand
– VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
Encryption and Decryption
(Figure: the clear text “Bob Is a Fink” is encrypted to cipher text such as 8vyaleh31&d ktu.dtrw8743 $Fie*nP093h and decrypted back to the clear text “Bob Is a Fink”)
What Is IPSec?
• Network-layer encryption and authentication
– Open standards for ensuring secure private communications over any IP network, including the Internet
– Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
– Data protected with network encryption, digital certification, and device authentication
• Implemented transparently in network infrastructure
• Includes routers, firewalls, PCs, and servers
• Scales from small to very large networks
IPSec Everywhere!
• Router to Router
• Router to Firewall
• PC to Router
• PC to Server
• PC to Firewall
IKE—Internet Key Exchange
• Automatically negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates (possibly multiple) security associations for IPSec
(Figure: each side offers its policies, 3DES, MD5, and RSA signatures, or IDEA, SHA, and DSS signatures, or Blowfish, SHA, and RSA encryption, and the IKE policy tunnel settles on the one both share, IDEA, SHA, and DSS signatures)
How IPSec Uses IKE
(Figure: Router A and Router B each run IKE; the IKE tunnel between them carries the negotiation)
1. Outbound packet from Alice to Bob—No IPSec security association yet
2. Router A’s IKE begins negotiation with router B’s IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by IPSec SA
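The authenticated Diffie-Hellman exchange behind step 2, which also illustrates the How Public Key Works slide, as an added example that is not part of the original deck or Cisco code: the group parameters, pre-shared key and HMAC-based proof are constructed simplifications, not IKE’s actual message formats.

```python
import hashlib
import hmac
import secrets

# Added example (not Cisco code) serving both the How Public Key Works slide and the
# IKE slides: an authenticated Diffie-Hellman exchange. Each router publishes g^x mod p,
# proves it with an HMAC under a pre-shared key (IKE also allows RSA signatures), and
# both derive the same secret key without it ever crossing the WAN. The group below is
# a toy, constructed for illustration; IKE uses the MODP groups of RFC 2409.
P = 2**127 - 1
G = 3
PSK = b"constructed-preshared-key"

def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def auth_tag(pub: int, nonce: bytes, psk: bytes) -> bytes:
    """Bind our public value and nonce to the pre-shared key (simplified IKE authentication)."""
    return hmac.new(psk, pub.to_bytes(16, "big") + nonce, hashlib.sha256).digest()

def derive_key(my_priv: int, peer_pub: int, peer_nonce: bytes, peer_tag: bytes, psk: bytes):
    """Reject an unauthenticated peer (man-in-the-middle defence); else derive the shared key."""
    if not hmac.compare_digest(auth_tag(peer_pub, peer_nonce, psk), peer_tag):
        return None
    shared = pow(peer_pub, my_priv, P)                  # (g^y)^x == (g^x)^y mod p
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def ike_exchange(psk_a: bytes, psk_b: bytes) -> tuple:
    """Router A and Router B run the exchange; returns the key each side derived."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    n_a, n_b = secrets.token_bytes(16), secrets.token_bytes(16)
    tag_a, tag_b = auth_tag(a_pub, n_a, psk_a), auth_tag(b_pub, n_b, psk_b)
    key_a = derive_key(a_priv, b_pub, n_b, tag_b, psk_a)   # A checks B's proof
    key_b = derive_key(b_priv, a_pub, n_a, tag_a, psk_b)   # B checks A's proof
    return key_a, key_b
```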
Encryption—DES and 3DES
• Widely adopted standard
• Encrypts plain text, which becomes ciphertext
• DES performs 16 rounds
• Triple DES (3DES)
– The 56-bit DES algorithm runs three times
– 112-bit triple DES includes two keys
– 168-bit triple DES includes three keys
• Accomplished on a VPN client, server, router, or firewall
Breaking DES Keys
• Exhaustive search is the only way to break DES keys (so far)
• Would take hundreds of years on fastest general purpose computers (56-bit DES)
– Specialized computer would cost $1,000,000 but could crack keys in 35 minutes (Source: M.J. Wiener)
• Internet enables multiple computers to work simultaneously
• Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
Security Technology: Active Audit
Why Active Audit?
• The hacker might be an employee or “trusted” partner
– Up to 80% of security breaches come from the inside (Source: FBI)
• Your defense might be ineffective
– One out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
• Your employees might make mistakes
– Misconfigured firewalls, servers, etc.
• Your network will grow and change
– Each change introduces new security risks
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems
Why Active Audit?
• Network security requires a layered defense
– Point security PLUS active systems to measure vulnerabilities and monitor for misuse
– Network perimeter and the intranet
• Security is an ongoing, operational process
– Must be constantly measured, monitored, and improved
Active Audit—Network Vulnerability Assessment
• Assess and report on the security status of network components
– Scanning (active, passive), vulnerability database
Active Audit—Intrusion Detection System
• Identify and react to known or suspected network intrusion or anomalies
– Passive promiscuous monitoring
– Database of threats or suspect behavior
– Communication infrastructure or access control changes
IDS Attack Detection
• Detection is organized by what is inspected, context (header) or content (data), and by scope, “atomic” (single packet) or “composite” (multiple packets)
• Examples: Ping of Death, Land Attack, Port Sweep, SYN Attack, TCP Hijacking, MS IE Attack, DNS Attacks, Telnet Attacks, Character Mode Attacks
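One atomic and one composite context signature from the matrix, as an added example that is not part of the original deck or Cisco code: a Land check on single packets and a port-sweep counter across packets, run over a constructed trace; the threshold and window are assumptions.

```python
from collections import defaultdict

# Added example (not Cisco code): two signatures from the slide's matrix, run over a
# constructed packet trace. Land attack is "atomic" context: one packet whose source
# equals its destination. Port sweep is "composite" context: many distinct destination
# ports from one source within a window. Records are (time, src, sport, dst, dport).
def is_land(pkt: tuple) -> bool:
    _, src, sport, dst, dport = pkt
    return src == dst and sport == dport

def port_sweeps(packets: list, threshold: int = 10, window: float = 5.0) -> dict:
    """Return {source: distinct-port count} for sources touching >= threshold ports in window."""
    seen = defaultdict(list)                          # src -> [(time, dport)]
    hits = {}
    for t, src, _, _, dport in sorted(packets):
        seen[src].append((t, dport))
        recent = {p for (ts, p) in seen[src] if t - ts <= window}
        if len(recent) >= threshold:
            hits[src] = max(hits.get(src, 0), len(recent))
    return hits

def analyse(packets: list) -> dict:
    """Run both signatures; a real sensor would also raise an alert per hit."""
    return {
        "land": [p for p in packets if is_land(p)],
        "sweeps": port_sweeps(packets),
    }

TRACE = (
    [(0.0, "171.69.58.80", 139, "171.69.58.80", 139)]                 # Land: src == dst, same port
    + [(1.0 + 0.1 * i, "198.51.100.9", 40000 + i, "171.69.58.80", 20 + i) for i in range(12)]
    + [(2.0, "192.0.2.10", 40001, "171.69.58.80", 80), (2.5, "192.0.2.10", 40002, "171.69.58.80", 443)]
)
```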
Active Audit
• Actively audit and verify policy
• Detect intrusion and anomalies
• Report
(Figure: a “Universal Passport” graphic)
Summary
• Security is a mission-critical business requirement for all networks
• Security requires a global, corporate-wide policy
• Security requires a multilayered implementation