Muhammad Ahad, profile picture
Uploaded byMuhammad Ahad
PPT, PDF888 views

Chapter08

The document outlines a 12-step program for developing network security strategies. It discusses identifying network assets and security risks, analyzing security requirements and tradeoffs, developing a security plan and policy, implementing technical security strategies, and maintaining security. It also covers securing different parts of the network like internet connections, servers, remote access, services, and wireless networks using mechanisms like firewalls, authentication, encryption, and wireless security protocols.

Embed presentation

Downloaded 86 times
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer
Network Security Design The 12 Step Program 1. Identify network assets 2. Analyze security risks 3. Analyze security requirements and tradeoffs 4. Develop a security plan 5. Define a security policy 6. Develop procedures for applying security policies
The 12 Step Program (continued) 7. Develop a technical implementation strategy 8. Achieve buy-in from users, managers, and technical staff 9. Train users, managers, and technical staff 10. Implement the technical strategy and security procedures 11. Test the security and update it if any problems are found 12. Maintain security
Network Assets • Hardware • Software • Applications • Data • Intellectual property • Trade secrets • Company’s reputation
Security Risks • Hacked network devices – Data can be intercepted, analyzed, altered, or deleted – User passwords can be compromised – Device configurations can be changed • Reconnaissance attacks • Denial-of-service attacks
Security Tradeoffs • Tradeoffs must be made between security goals and other goals: – Affordability – Usability – Performance – Availability – Manageability
A Security Plan • High-level document that proposes what an organization is going to do to meet security requirements • Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
A Security Policy • Per RFC 2196, “The Site Security Handbook,” a security policy is a – “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” • The policy should address – Access, accountability, authentication, privacy, and computer technology purchasing guidelines
Security Mechanisms • Physical security • Authentication • Authorization • Accounting (Auditing) • Data encryption • Packet filters • Firewalls • Intrusion Detection Systems (IDS) • Intrusion Prevention Systems (IPS)
Encryption for Confidentiality and Integrity Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality Figure 8-2. Public/Private Key System for Sending a Digital Signature
Modularizing Security Design • Security defense in depth – Network security should be multilayered with many different techniques used to protect the network • Belt-and-suspenders approach – Don’t get caught with your pants down
Modularizing Security Design • Secure all components of a modular design: – Internet connections – Public servers and e-commerce servers – Remote access networks and VPNs – Network services and network management – Server farms – User services – Wireless networks
Cisco SAFE • Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.
Securing Internet Connections • Physical security • Firewalls and packet filters • Audit logs, authentication, authorization • Well-defined exit and entry points • Routing protocols that support authentication
Securing Public Servers • Place servers in a DMZ that is protected via firewalls • Run a firewall on the server itself • Enable DoS protection – Limit the number of connections per timeframe • Use reliable operating systems with the latest security patches • Maintain modularity – Front-end Web server doesn’t also run other services
Security Topologies Enterprise Network DMZ Web, File, DNS, Mail Servers Internet
Security Topologies Internet Enterprise Network DMZ Web, File, DNS, Mail Servers Firewall
Securing Remote-Access and Virtual Private Networks • Physical security • Firewalls • Authentication, authorization, and auditing • Encryption • One-time passwords • Security protocols – CHAP – RADIUS – IPSec
Securing Network Services • Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions • Require login IDs and passwords for accessing devices – Require extra authorization for risky configuration commands • Use SSH rather than Telnet • Change the welcome banner to be less welcoming
Securing Server Farms • Deploy network and host IDSs to monitor server subnets and individual servers • Configure filters that limit connectivity from the server in case the server is compromised • Fix known security bugs in server operating systems • Require authentication and authorization for server access and management • Limit root password to a few people • Avoid guest accounts
Securing User Services • Specify which applications are allowed to run on networked PCs in the security policy • Require personal firewalls and antivirus software on networked PCs – Implement written procedures that specify how the software is installed and kept current • Encourage users to log out when leaving their desks • Consider using 802.1X port-based security on switches
Securing Wireless Networks • Place wireless LANs (WLANs) in their own subnet or VLAN – Simplifies addressing and makes it easier to configure packet filters • Require all wireless (and wired) laptops to run personal firewall and antivirus software • Disable beacons that broadcast the SSID, and require MAC address authentication – Except in cases where the WLAN is used by visitors
WLAN Security Options • Wired Equivalent Privacy (WEP) • IEEE 802.11i • Wi-Fi Protected Access (WPA) • IEEE 802.1X Extensible Authentication Protocol (EAP) – Lightweight EAP or LEAP (Cisco) – Protected EAP (PEAP) • Virtual Private Networks (VPNs) • Any other acronyms we can think of? :-)
Wired Equivalent Privacy (WEP) • Defined by IEEE 802.11 • Users must possess the appropriate WEP key that is also configured on the access point – 64 or 128-bit key (or passphrase) • WEP encrypts the data using the RC4 stream cipher method • Infamous for being crackable
WEP Alternatives • Vendor enhancements to WEP • Temporal Key Integrity Protocol (TKIP) – Every frame has a new and unique WEP key • Advanced Encryption Standard (AES) • IEEE 802.11i • Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
Extensible Authentication Protocol (EAP) • With 802.1X and EAP, devices take on one of three roles: – The supplicant resides on the wireless LAN client – The authenticator resides on the access point – An authentication server resides on a RADIUS server
EAP (Continued) • An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password • The credentials are passed by the authenticator to the server and a session key is developed • Periodically the client must reauthenticate to maintain network connectivity • Reauthentication generates a new, dynamic WEP key
Cisco’s Lightweight EAP (LEAP) • Standard EAP plus mutual authentication – The user and the access point must authenticate • Used on Cisco and other vendors’ products
Other EAPs • EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft – Requires certificates for clients and servers. • Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security – Uses a certificate for the client to authenticate the RADIUS server – The server uses a username and password to authenticate the client • EAP-MD5 has no key management features or dynamic key generation – Uses challenge text like basic WEP authentication – Authentication is handled by RADIUS server
VPN Software on Wireless Clients • Safest way to do wireless networking for corporations • Wireless client requires VPN software • Connects to VPN concentrator at HQ • Creates a tunnel for sending all traffic • VPN security provides: – User authentication – Strong encryption of data – Data integrity
Summary • Use a top-down approach – Chapter 2 talks about identifying assets and risks and developing security requirements – Chapter 5 talks about logical design for security (secure topologies) – Chapter 8 talks about the security plan, policy, and procedures – Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design
Review Questions • How does a security plan differ from a security policy? • Why is it important to achieve buy-in from users, managers, and technical staff for the security policy? • What are some methods for keeping hackers from viewing and changing router and switch configuration information? • How can a network manager secure a wireless network?

More Related Content

PPT
Chapter02
byMuhammad Ahad
 
PPT
Chapter07
byMuhammad Ahad
 
PPT
Chapter14
byMuhammad Ahad
 
PPT
Chapter01
byMuhammad Ahad
 
PPT
Chapter05
byMuhammad Ahad
 
PPT
Chapter06
byMuhammad Ahad
 
PPT
Chapter12
byMuhammad Ahad
 
PPT
Chapter03
byMuhammad Ahad
 
Chapter02
byMuhammad Ahad
 
Chapter07
byMuhammad Ahad
 
Chapter14
byMuhammad Ahad
 
Chapter01
byMuhammad Ahad
 
Chapter05
byMuhammad Ahad
 
Chapter06
byMuhammad Ahad
 
Chapter12
byMuhammad Ahad
 
Chapter03
byMuhammad Ahad
 

What's hot

PPTX
CCNA v6.0 ITN - Chapter 01
byIrsandi Hasan
 
PPT
Chapter09
byMuhammad Ahad
 
PPT
Chapter03
bySomrak Rungwanlapa
 
PPT
Chapter11
byMuhammad Ahad
 
PPT
Chapter13
byMuhammad Ahad
 
PPTX
Network design
byAmir Jafari
 
PPTX
Networking infrastructure
byKerry Cole
 
PPTX
Virtual Private Network
byHASHIR RAZA
 
PPTX
Routing protocols
bySourabh Goyal
 
PPTX
Networking devices
byfrestoadi
 
PPTX
6 understanding DHCP
byHameda Hurmat
 
PPTX
Cisco Networking (Routing and Switching)
byAlan Mark
 
PPTX
Ipv6
bysatish 486
 
PPTX
Network design
bycsk selva
 
PPTX
Mikrotik Tutorial
byMd Sohrab Hossain Sourav
 
PDF
200 301-ccna
byJasser Kouki
 
PDF
Cisco Router Basic Configuration
byProf. Erwin Globio
 
PPT
TCP/ IP
byHarshit Srivastava
 
PPTX
IP Address
bybaabtra.com - No. 1 supplier of quality freshers
 
PDF
Introduction to Web Services
byThanachart Numnonda
 
CCNA v6.0 ITN - Chapter 01
byIrsandi Hasan
 
Chapter09
byMuhammad Ahad
 
Chapter03
bySomrak Rungwanlapa
 
Chapter11
byMuhammad Ahad
 
Chapter13
byMuhammad Ahad
 
Network design
byAmir Jafari
 
Networking infrastructure
byKerry Cole
 
Virtual Private Network
byHASHIR RAZA
 
Routing protocols
bySourabh Goyal
 
Networking devices
byfrestoadi
 
6 understanding DHCP
byHameda Hurmat
 
Cisco Networking (Routing and Switching)
byAlan Mark
 
Ipv6
bysatish 486
 
Network design
bycsk selva
 
Mikrotik Tutorial
byMd Sohrab Hossain Sourav
 
200 301-ccna
byJasser Kouki
 
Cisco Router Basic Configuration
byProf. Erwin Globio
 
TCP/ IP
byHarshit Srivastava
 
IP Address
bybaabtra.com - No. 1 supplier of quality freshers
 
Introduction to Web Services
byThanachart Numnonda
 

Viewers also liked

PPT
Network Security
byphanleson
 
PDF
Zh solaris-11-whatsnew-201111-1388248
bywayne huang
 
PDF
Exeter Presentation March 2017 for Website
byExeter Resource Corporation
 
PDF
AC1
byAgathaChristie04
 
PDF
PROFILE
byDerijck Nugroho
 
PDF
12-sti2011-changing_climate-environmental_migrants
byLauren Vander Pluym
 
PPT
Presentación jornada 3-9 1
byMario Quiroga
 
PPTX
Trabajo del blog
byTeresita Carranza Perez
 
PDF
Remote Desktop Services Component Architecture
byPaulo Freitas
 
PDF
Presentation network design and security for your v mware view deployment w...
bysolarisyourep
 
PPTX
RAE, cambios 2010
byGabriela Rosas I.
 
PPT
Dmz
bytoby jesse
 
PPT
Remote Desktop Services and Virtual Desktop infrastructure in Windows Server ...
byctc TrainCanada
 
PDF
Microsoft Remote Desktop Services
byRonnie Isherwood
 
PDF
Lesson - 02 Network Design and Management
byAngel G Diaz
 
Network Security
byphanleson
 
Zh solaris-11-whatsnew-201111-1388248
bywayne huang
 
Exeter Presentation March 2017 for Website
byExeter Resource Corporation
 
AC1
byAgathaChristie04
 
PROFILE
byDerijck Nugroho
 
12-sti2011-changing_climate-environmental_migrants
byLauren Vander Pluym
 
Presentación jornada 3-9 1
byMario Quiroga
 
Trabajo del blog
byTeresita Carranza Perez
 
Remote Desktop Services Component Architecture
byPaulo Freitas
 
Presentation network design and security for your v mware view deployment w...
bysolarisyourep
 
RAE, cambios 2010
byGabriela Rosas I.
 
Dmz
bytoby jesse
 
Remote Desktop Services and Virtual Desktop infrastructure in Windows Server ...
byctc TrainCanada
 
Microsoft Remote Desktop Services
byRonnie Isherwood
 
Lesson - 02 Network Design and Management
byAngel G Diaz
 

Similar to Chapter08

PPT
Material best practices in network security using ethical hacking
byDesmond Devendran
 
PPTX
Investigation, Design and Implementation of a Secure
byFiras Alsayied
 
PPTX
PACE-IT, Security+1.5: Wireless Security Considerations
byPace IT at Edmonds Community College
 
PPTX
501 ch 4 securing your network
bygocybersec
 
PDF
INE-Security+-Domain-4-Security-Operations-I-Course-File.pdf
byahmedhossami778
 
PDF
SMB Network Security Checklist
byMobeen Khan
 
PPT
Wireless Device and Network level security
byChetan Kumar S
 
PPTX
Ccna v5-S1-Chapter 11
byHamza Malik
 
PDF
IT infrastructure security 101
byApril Mardock CISSP
 
PDF
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
byJiunn-Jer Sun
 
PDF
What is (not) Network Security
byJohn ILIADIS
 
PPTX
20141208_ITN_instructorPPT_Chapter11_final.pptx
bywsbkomputer
 
PDF
Attacking and Securing WPA Enterprise Networks
byNortheast Ohio Information Security Forum
 
PPTX
IS- Lecture 8 (Network Security Fundamentals).pptx
byabdulbaseerk135
 
PPTX
Wireless Security
byUniversità Degli Studi Di Salerno
 
PDF
Wireless Security Architecture Designing and Maintaining Secure Wireless for ...
byortiqbrowny82
 
PPTX
CCNA RS_NB - Chapter 11
byIrsandi Hasan
 
PDF
Introduction to Cyber security module - III
byTAMBEMAHENDRA1
 
PDF
Analysis of network_security_threats_and_vulnerabilities_by_development__impl...
byTương Hoàng
 
PDF
CCNAv5 - S1: Chapter11 It's A Network
byVuz Dở Hơi
 
Material best practices in network security using ethical hacking
byDesmond Devendran
 
Investigation, Design and Implementation of a Secure
byFiras Alsayied
 
PACE-IT, Security+1.5: Wireless Security Considerations
byPace IT at Edmonds Community College
 
501 ch 4 securing your network
bygocybersec
 
INE-Security+-Domain-4-Security-Operations-I-Course-File.pdf
byahmedhossami778
 
SMB Network Security Checklist
byMobeen Khan
 
Wireless Device and Network level security
byChetan Kumar S
 
Ccna v5-S1-Chapter 11
byHamza Malik
 
IT infrastructure security 101
byApril Mardock CISSP
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
byJiunn-Jer Sun
 
What is (not) Network Security
byJohn ILIADIS
 
20141208_ITN_instructorPPT_Chapter11_final.pptx
bywsbkomputer
 
Attacking and Securing WPA Enterprise Networks
byNortheast Ohio Information Security Forum
 
IS- Lecture 8 (Network Security Fundamentals).pptx
byabdulbaseerk135
 
Wireless Security
byUniversità Degli Studi Di Salerno
 
Wireless Security Architecture Designing and Maintaining Secure Wireless for ...
byortiqbrowny82
 
CCNA RS_NB - Chapter 11
byIrsandi Hasan
 
Introduction to Cyber security module - III
byTAMBEMAHENDRA1
 
Analysis of network_security_threats_and_vulnerabilities_by_development__impl...
byTương Hoàng
 
CCNAv5 - S1: Chapter11 It's A Network
byVuz Dở Hơi
 

More from Muhammad Ahad

PPTX
11. operating-systems-part-2
byMuhammad Ahad
 
PPTX
11. operating-systems-part-1
byMuhammad Ahad
 
PPTX
10. compute-part-2
byMuhammad Ahad
 
PPTX
10. compute-part-1
byMuhammad Ahad
 
PPTX
09. storage-part-1
byMuhammad Ahad
 
PPTX
08. networking-part-2
byMuhammad Ahad
 
PPTX
08. networking
byMuhammad Ahad
 
PPTX
07. datacenters
byMuhammad Ahad
 
PPTX
06. security concept
byMuhammad Ahad
 
PPTX
05. performance-concepts-26-slides
byMuhammad Ahad
 
PPTX
05. performance-concepts
byMuhammad Ahad
 
PPTX
04. availability-concepts
byMuhammad Ahad
 
PPTX
03. non-functional-attributes-introduction-4-slides
byMuhammad Ahad
 
PPTX
01. 03.-introduction-to-infrastructure
byMuhammad Ahad
 
PPTX
01. 02. introduction (13 slides)
byMuhammad Ahad
 
PPT
Chapter10
byMuhammad Ahad
 
PPTX
Chapter04
byMuhammad Ahad
 
PPT
Artificial Intelligence
byMuhammad Ahad
 
PPT
Artificial Intelligence
byMuhammad Ahad
 
11. operating-systems-part-2
byMuhammad Ahad
 
11. operating-systems-part-1
byMuhammad Ahad
 
10. compute-part-2
byMuhammad Ahad
 
10. compute-part-1
byMuhammad Ahad
 
09. storage-part-1
byMuhammad Ahad
 
08. networking-part-2
byMuhammad Ahad
 
08. networking
byMuhammad Ahad
 
07. datacenters
byMuhammad Ahad
 
06. security concept
byMuhammad Ahad
 
05. performance-concepts-26-slides
byMuhammad Ahad
 
05. performance-concepts
byMuhammad Ahad
 
04. availability-concepts
byMuhammad Ahad
 
03. non-functional-attributes-introduction-4-slides
byMuhammad Ahad
 
01. 03.-introduction-to-infrastructure
byMuhammad Ahad
 
01. 02. introduction (13 slides)
byMuhammad Ahad
 
Chapter10
byMuhammad Ahad
 
Chapter04
byMuhammad Ahad
 
Artificial Intelligence
byMuhammad Ahad
 
Artificial Intelligence
byMuhammad Ahad
 

Recently uploaded

PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
December Patch Tuesday
byIvanti
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
In this document
Powered by AI

Introduction to developing network security strategies via a 12-step program covering risk analysis and policy establishment.

Identification of network assets including hardware, software, applications, and data critical for security.

Overview of security risks such as hacking, reconnaissance attacks, and denial-of-service threats affecting devices.

Discussion of tradeoffs in security goals versus affordability, usability, performance, availability, and manageability.

The importance of a high-level security plan outlining required resources and implementation strategies.

Definition and components of a security policy that governs access and behavior concerning technology assets.

Different security mechanisms including physical security, authentication, firewalls, and intrusion detection systems.

Importance of encryption technologies like public/private key systems for ensuring data confidentiality.

Approaches to modularize security for comprehensive protection, including securing all network components.

Introduction to the Cisco SAFE Security Reference Model for addressing security in modular networks.

Strategies for securing internet connections using physical security measures, firewalls, and auditing.

Best practices for securing public servers including place in DMZ and employing effective firewall strategies.

Visual representation of security topologies with emphasis on DMZ and firewall placements within a network.

Security measures for remote access and VPN technologies, focusing on encryption and authentication protocols.

Recommendations for hardening network devices, enforcing access rules, and employing secure communication methods.

Security measures for server farms, including monitoring, restricting access, and patching known vulnerabilities.

Implementation of security policies for user services, including application control and antivirus measures.

Guidelines for securing wireless networks through subnet placement, personal firewalls, and MAC address authentication.

Overview of wireless encryption standards and authentication protocols essential for secure wireless communication.

Detailed explanation of WEP encryption, its configuration, and known vulnerabilities.

Discussion of alternatives to WEP, such as TKIP and WPA, for enhancing wireless security.

Introduction to EAP roles in wireless networks, including supplicant, authenticator, and RADIUS server.

Detailed workflow for the EAP authentication process, including user credential handling and key generation.

Description of LEAP, its mutual authentication feature, and its application in Cisco products.

Comparison of different EAP variants including EAP-TLS and PEAP, highlighting their distinct authentication methods.

Recommendation for using VPN software on wireless clients to ensure secure data transmission in corporate environments.

Summary of the top-down approach for network security design, focusing on key chapters covering assets and mechanisms.

Questions to review the material, emphasizing the differences between a security plan and policy and importance of user buy-in.

Chapter08

  • 1.
    Top-Down Network Design ChapterEight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer
  • 2.
    Network Security Design The12 Step Program 1. Identify network assets 2. Analyze security risks 3. Analyze security requirements and tradeoffs 4. Develop a security plan 5. Define a security policy 6. Develop procedures for applying security policies
  • 3.
    The 12 StepProgram (continued) 7. Develop a technical implementation strategy 8. Achieve buy-in from users, managers, and technical staff 9. Train users, managers, and technical staff 10. Implement the technical strategy and security procedures 11. Test the security and update it if any problems are found 12. Maintain security
  • 4.
    Network Assets • Hardware •Software • Applications • Data • Intellectual property • Trade secrets • Company’s reputation
  • 5.
    Security Risks • Hackednetwork devices – Data can be intercepted, analyzed, altered, or deleted – User passwords can be compromised – Device configurations can be changed • Reconnaissance attacks • Denial-of-service attacks
  • 6.
    Security Tradeoffs • Tradeoffsmust be made between security goals and other goals: – Affordability – Usability – Performance – Availability – Manageability
  • 7.
    A Security Plan •High-level document that proposes what an organization is going to do to meet security requirements • Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
  • 8.
    A Security Policy •Per RFC 2196, “The Site Security Handbook,” a security policy is a – “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” • The policy should address – Access, accountability, authentication, privacy, and computer technology purchasing guidelines
  • 9.
    Security Mechanisms • Physicalsecurity • Authentication • Authorization • Accounting (Auditing) • Data encryption • Packet filters • Firewalls • Intrusion Detection Systems (IDS) • Intrusion Prevention Systems (IPS)
  • 10.
    Encryption for Confidentiality andIntegrity Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality Figure 8-2. Public/Private Key System for Sending a Digital Signature
  • 11.
    Modularizing Security Design •Security defense in depth – Network security should be multilayered with many different techniques used to protect the network • Belt-and-suspenders approach – Don’t get caught with your pants down
  • 12.
    Modularizing Security Design •Secure all components of a modular design: – Internet connections – Public servers and e-commerce servers – Remote access networks and VPNs – Network services and network management – Server farms – User services – Wireless networks
  • 13.
    Cisco SAFE • CiscoSAFE Security Reference Model addresses security in every module of a modular network architecture.
  • 14.
    Securing Internet Connections •Physical security • Firewalls and packet filters • Audit logs, authentication, authorization • Well-defined exit and entry points • Routing protocols that support authentication
  • 15.
    Securing Public Servers •Place servers in a DMZ that is protected via firewalls • Run a firewall on the server itself • Enable DoS protection – Limit the number of connections per timeframe • Use reliable operating systems with the latest security patches • Maintain modularity – Front-end Web server doesn’t also run other services
  • 16.
  • 17.
  • 18.
    Securing Remote-Access and VirtualPrivate Networks • Physical security • Firewalls • Authentication, authorization, and auditing • Encryption • One-time passwords • Security protocols – CHAP – RADIUS – IPSec
  • 19.
    Securing Network Services •Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions • Require login IDs and passwords for accessing devices – Require extra authorization for risky configuration commands • Use SSH rather than Telnet • Change the welcome banner to be less welcoming
  • 20.
    Securing Server Farms •Deploy network and host IDSs to monitor server subnets and individual servers • Configure filters that limit connectivity from the server in case the server is compromised • Fix known security bugs in server operating systems • Require authentication and authorization for server access and management • Limit root password to a few people • Avoid guest accounts
  • 21.
    Securing User Services •Specify which applications are allowed to run on networked PCs in the security policy • Require personal firewalls and antivirus software on networked PCs – Implement written procedures that specify how the software is installed and kept current • Encourage users to log out when leaving their desks • Consider using 802.1X port-based security on switches
  • 22.
    Securing Wireless Networks •Place wireless LANs (WLANs) in their own subnet or VLAN – Simplifies addressing and makes it easier to configure packet filters • Require all wireless (and wired) laptops to run personal firewall and antivirus software • Disable beacons that broadcast the SSID, and require MAC address authentication – Except in cases where the WLAN is used by visitors
  • 23.
    WLAN Security Options •Wired Equivalent Privacy (WEP) • IEEE 802.11i • Wi-Fi Protected Access (WPA) • IEEE 802.1X Extensible Authentication Protocol (EAP) – Lightweight EAP or LEAP (Cisco) – Protected EAP (PEAP) • Virtual Private Networks (VPNs) • Any other acronyms we can think of? :-)
  • 24.
    Wired Equivalent Privacy(WEP) • Defined by IEEE 802.11 • Users must possess the appropriate WEP key that is also configured on the access point – 64 or 128-bit key (or passphrase) • WEP encrypts the data using the RC4 stream cipher method • Infamous for being crackable
  • 25.
    WEP Alternatives • Vendorenhancements to WEP • Temporal Key Integrity Protocol (TKIP) – Every frame has a new and unique WEP key • Advanced Encryption Standard (AES) • IEEE 802.11i • Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
  • 26.
    Extensible Authentication Protocol (EAP) •With 802.1X and EAP, devices take on one of three roles: – The supplicant resides on the wireless LAN client – The authenticator resides on the access point – An authentication server resides on a RADIUS server
  • 27.
    EAP (Continued) • AnEAP supplicant on the client obtains credentials from the user, which could be a user ID and password • The credentials are passed by the authenticator to the server and a session key is developed • Periodically the client must reauthenticate to maintain network connectivity • Reauthentication generates a new, dynamic WEP key
  • 28.
    Cisco’s Lightweight EAP (LEAP) •Standard EAP plus mutual authentication – The user and the access point must authenticate • Used on Cisco and other vendors’ products
  • 29.
    Other EAPs • EAP-TransportLayer Security (EAP-TLS) was developed by Microsoft – Requires certificates for clients and servers. • Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security – Uses a certificate for the client to authenticate the RADIUS server – The server uses a username and password to authenticate the client • EAP-MD5 has no key management features or dynamic key generation – Uses challenge text like basic WEP authentication – Authentication is handled by RADIUS server
  • 30.
    VPN Software onWireless Clients • Safest way to do wireless networking for corporations • Wireless client requires VPN software • Connects to VPN concentrator at HQ • Creates a tunnel for sending all traffic • VPN security provides: – User authentication – Strong encryption of data – Data integrity
  • 31.
    Summary • Use atop-down approach – Chapter 2 talks about identifying assets and risks and developing security requirements – Chapter 5 talks about logical design for security (secure topologies) – Chapter 8 talks about the security plan, policy, and procedures – Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design
  • 32.
    Review Questions • Howdoes a security plan differ from a security policy? • Why is it important to achieve buy-in from users, managers, and technical staff for the security policy? • What are some methods for keeping hackers from viewing and changing router and switch configuration information? • How can a network manager secure a wireless network?

Editor's Notes

  • #3 The first three steps were covered more in Chapter 2. Chapter 8 picks up that discussion and focuses on selecting the right security mechanisms for the different components of a modular network design.
  • #4 Maintain security by scheduling periodic independent audits, reading audit logs, responding to incidents, reading current literature and agency alerts, installing patches and security fixes, continuing to test and train, and updating the security plan and policy.
  • #7 An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.
  • #11 This page was added on 9/01/10 to address the fact that early printings of the book had the wrong graphic for Figure 8-2.
  • #16 Security experts recommend that FTP services not run on the same server as Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage a company’s Web pages, thus damaging the company’s image and possibly compromising Web-based electronic-commerce and other applications. In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end Web server that users see.