Presentation Transcript
LAN Security: Prof. Charles
Topics Covered: LAN Guidelines
Controlling End User Access
Policy-Based Network Management
Segmenting LAN Traffic
Honey-pot Systems
Static IP Addresses vs. DHCP
Conclusion
LAN Guidelines: Many of the issues are the same as in Operating Systems Security
Password Guidelines
Controlling End User Access:
Passwords
When users can access resources
Group association
File access
Resource limitations
Controlling End User Access: Concurrent Logins
Consider restricting concurrent logins for end users
May also be considered for system administrators
Saves network resources
Memory, licenses, hard drive & CPU
Security
Unauthorized use of an account
(hacker or co-worker)
Forgetting to log out
Automatic logout & screen lock on inactivity
Controlling End User Access: Available Disk Space
Limit the disk space available to end users
Unlimited disk space:
Purchase of additional disk drives
Uneven usage of end user disk space
Information system crashing due to overuse
Policy
Clean up disk space (sys admin, end user or program)
Operational Cost
Time, personnel & equipment
Controlling End User Access: Restrictions
To specific workstations
Restricted area
Confidential information & sensitive transactions
To specific Servers
Restricted to system administrator only
Computer Center/Room
Time/Day
During business hours
Most OSs/information systems have this capability
Access to Directories and Trustee Rights: Least Privilege
A user, resource or process has no more privileges than necessary to fulfill its functions
Users should only be given access rights to directories they need to function
Access should be removed when a user is transferred, finishes a temporary assignment, or leaves the company
Trustee rights should be audited
Controlling End User Access: File Attributes
File access should be granted on need:
Read, Write, Delete & Execute
Confidential, Sensitive, Classified, FOUO
Operating System Executables
Strictly enforced to guard against root-kits/Trojans
Tripwire, Hash Functions
Other Privileges: Network commands & executables should be restricted to system admins
Consider changing the default Administrator account
Do not allow remote network access to admin accounts
Remove Inactive Accounts: Review network accounts (Policy)
Remove accounts that are not required
Guest, group, anonymous FTP, etc.
Lock/delete inactive accounts
Hackers like inactive accounts
No one calls the help desk about password issues on them
Single Sign-On: Users often need to access many systems during the day to complete their tasks
Multiple usernames and passwords
Users forget them
Users write them down
This creates vulnerabilities
SSO Systems
Kerberos
Users authenticate once; access to all resources is then controlled by the Kerberos server using tickets and tokens
Single Sign-On: SSO Systems
PKI
User uses digital certificates for authentication and network access
Other approaches
Meta-directories
LDAP – Lightweight Directory Access Protocol
Used to synchronize passwords and user attributes
Distributed Computing Environments (DCE)
Similar to Kerberos, works well in multi-vendor environments
Policy-Based Network Management: Policy-Based Network Management is the process of bringing together the properties of various network resources under central administrative control
Ideal for organizations with medium to large networks
Implemented in Windows 2000 with its Active Directory Services (ADS).
Policy-Based Network Management: Goals:
Simplify network management process
Ensure security & integrity through centralized management of the distributed network resources
Availability of network resources
Priority traffic handling (QoS)
Ensure critical information does not contend with FTP and Internet traffic.
Segmenting LAN Traffic: Ethernet is the most commonly used LAN protocol.
Any device on a network segment can monitor communications between any other devices on the same segment.
Should segment for security and performance
Security
Eavesdropping -> Sniffers
Performance
Hubs, collisions -> switches
Honey-pot Systems: Deception systems are components put in place to entice and deceive unauthorized users while or after they have gained access to an information system.
Honey-pot systems are decoy or lure systems
Create deception of available services, ports and protocols
Honey-pot Systems: Honey-pots are usually deployed with IDS
Two deployment approaches
Minefield
Grouped with other information systems
DMZ
Separate network away from production information systems
The Law
Enticement vs. Entrapment
Honey-pot Systems: Honey-pots are usually deployed with IDS
Honey-pot products
CyberCop
Simulates an entire network from one workstation
Deception ToolKit
Dr. Fred Cohen – www.all.net
Deception application
Recourse Technologies
ManTrap
ManHunt
HoneyNet Project
Default systems
Honey-pot Systems: HoneyNet Project
The Honeynet Project is a non-profit research group of thirty security professionals dedicated to information security.
Goal: to learn the tools, tactics, and motives of the blackhat community and share these lessons learned. It is hoped that our research will benefit both its members and the security community.
Honey-pot Systems: HoneyNet Project
It is our hope and intent to support the security community in the three following ways.
Raise awareness. To raise awareness of the threats and vulnerabilities that exist in the Internet today. We raise awareness by demonstrating real systems that were compromised in the wild by the blackhat community. Many people believe it can't happen to them. We hope to change their mind.
Teach and inform. For those in the community who are already aware and concerned, we hope to give you the information to better secure and defend your resources. Historically, intelligence about attackers has been limited to the tools they use. The Project intends on providing additional information, such as their motives in attacking, how they communicate, when they attack systems and their actions after compromising a system.
Research. To provide the technology and methods of information gathering. Organizations, such as universities, may be interested in developing their own ability to research threats or adversaries.
Honey-pot Systems: HoneyNet Project Information
http://project.honeynet.org/
Lance Spitzner
Know your enemy
Static IP Addresses vs. DHCP: DHCP
Enables an automated assignment of IP addresses
Static IP addresses
Each system is individually configured with an IP address
Static IP Addresses vs. DHCP: DHCP
Workstations (DHCP clients) dynamically obtain an IP address from a server (DHCP server).
When logging on
Obtain a new IP after a period of time
Static IP Address
Administrators assign the address to a workstation
Permanent
Static IP Addresses vs. DHCP: DHCP Advantages
Simple configurations
Efficient assignment of IP addresses
Ease of administration
DHCP Disadvantages
Temporary IP Assignments
Hard to ID suspicious systems
Unauthorized access
Hot ports for connectivity
Static IP Addresses vs. DHCP: Static IP Addressing Advantages
Location and identity
Static IP addressing Disadvantages
Administratively intensive
New PC rollouts
New organization/Mergers
The End: Questions
Routers & SNMP: Prof. Charles
Topics Covered: Router Issues
Risks
Cisco IOS
Cisco Secure Integrated Software (SIS)
Simple Network Management Protocol (SNMP)
Router Issues: Routers are a critical element of the Internet and corporate networks.
Routers are network devices
Connect two or more networks
Operate at layer 3 of the OSI model
Control the flow of data packets
Determine the best path
Separate LAN segments
First Line of Defense
ACLs packet filtering
VPNs
Router Issues: Routers serve 3 primary purposes:
Route network traffic
Static routes and routing tables
Segment Frames for intra-LAN/WAN Communications
Ethernet to Token Ring/ Ethernet to Frame Relay
Ability to deny and permit traffic
ACLs
Protocols, ports and IPs
Risks: Routers are subject to the same risks as computers
They have an OS
Configuration Weakness (passwords, telnet)
Technology weakness (Bugs, DoS)
Policy weakness (not monitored)
Incorrectly configured/compromised router
Can bring down a whole site
Cisco IOS: Started at Stanford Univ. in ’84
80 to 90 percent of market for routers, switches and hubs.
Majority of products on the Internet and in corporations
IOS (Internetwork Operating System)
Runs on all Cisco routers and other Cisco devices
Cisco IOS: Examples of how Cisco IOS is similar to a server OS for security
Banner or MOTD
Multiple password levels and encrypted passwords
Default settings do not encrypt them
Show startup or show running commands
Configuration details (IP, SNMP & routing info)
TFTP
Way to administer Cisco router
Information on an unsecured server can cause problems
IPs, passwords, etc.
Modifications
TFTP does not require authentication
Cisco IOS: CDP (Cisco Discovery Protocol)
Gathers information about other routers on the network
Platform and protocols
Hackers can use it to further a compromise
Configuration weakness - Enabled by default, should be disabled on most routers, unless needed.
Cisco Secure Integrated Software (SIS): Optional software by Cisco
Formerly called Cisco IOS firewall feature set
Must be purchased, does not come with standard IOS package
Secure network perimeter
Provides secure connections over the Internet
Can provide
Firewall
Stateful inspection & application-based filtering
IDS
Signature-based
VPN
IPSEC & L2TP
Comes with client software
Simple Network Management Protocol (SNMP): Developed to allow remote monitoring and management of devices and information systems.
Can obtain Statistics
Example page 195, figure 10.3
HP OpenView & Cisco REM
SNMP is not secure
Cleartext information
Eavesdropping threat
Simple Network Management Protocol (SNMP): SNMP & MRTG
MRTG – Multi Router Traffic Grapher
Developed by Tobias Oetiker and Dave Rand
Using Perl & C
Obtained at www.mrtg.org
Communicates via SNMP
To review traffic load
Generates web pages and GIFs for visual representation
SNMP provides device management through agents
Any SNMP managed device must have an SNMP agent
Simple Network Management Protocol (SNMP): SNMP Problems
Weak and insecure authentication
Community strings are passed in cleartext
Password equivalent
Request and response functions use community strings
Many tools to aid hackers
SNMP Sniff
An SNMP packet sniffer for SNMPv1 & SNMPv2
Hackers can
Modify and delete router configurations
Change routing tables
Crash the network
Open for all access
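To make the cleartext problem concrete, here is an added decoder (not from the slides) that reads the version, community string and PDU type straight out of an SNMPv1 datagram without any key or secret; the sample packet is constructed, and the list of default community strings is an assumption.

```python
"""Decode an SNMPv1/v2c header to show the community string travels in cleartext.
Added example, not from the slides; SAMPLE_GETREQUEST below is constructed."""
from dataclasses import dataclass

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c"}            # community-based versions
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}          # assumed vendor defaults
# Constructed SNMPv1 GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0), community "public".
SAMPLE_GETREQUEST = bytes.fromhex(
    "30 26"                                # SEQUENCE, 38 bytes follow
    "02 01 00"                             # INTEGER version = 0 (SNMPv1)
    "04 06 70 75 62 6c 69 63"              # OCTET STRING community = "public"
    "a0 19"                                # GetRequest PDU, 25 bytes follow
    "02 01 01 02 01 00 02 01 00"           # request-id, error-status, error-index
    "30 0e 30 0c"                          # varbind list holding one varbind
    "06 08 2b 06 01 02 01 01 05 00 05 00"  # OID sysName.0, NULL value
)


def read_tlv(buf: bytes, pos: int):
    """Parse one BER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpHeader:
    version: str
    community: str
    pdu: str
    default_community: bool


def parse_snmp_header(datagram: bytes) -> SnmpHeader:
    """Return version, community and PDU type of a community-based SNMP message."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if version not in VERSION_NAMES:       # SNMPv3 uses a different header layout
        raise ValueError(f"version {version} is not community-based SNMP")
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    name = community.decode("ascii", errors="replace")  # readable: nothing is encrypted
    return SnmpHeader(VERSION_NAMES[version], name,
                      PDU_NAMES.get(pdu_tag, hex(pdu_tag)), name in DEFAULT_COMMUNITIES)
```

Anyone who can capture the datagram (the sniffers the slide mentions) recovers the same fields, which is why a community string is password-equivalent.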
Simple Network Management Protocol (SNMP): SNMP Countermeasures
Use ACLs to limit exposure
Never use default community strings
Tools to detect SNMP Sniffers
SNMPSweep
Ex. p. 198, figure 10.4
Simple Network Management Protocol (SNMP): SNMPv2 & SNMPv3
When SNMPv1 was designed
Security not an issue
Security not my problem
Became popular for hackers
SNMPv2
Offers a little more security, but didn’t catch on
SNMPv3
Will offer greater and better security
Simple Network Management Protocol (SNMP): SNMP Hints
Limit access to SNMP devices to read-only functionality
Prevents unauthorized users from gaining control and causing great damage
Send trap information to a syslog server and review it as part of your policy
Reporting of events
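As an added example (not from the slides), the checks from the Cisco IOS and SNMP slides expressed as an audit over a `show running-config` dump: reversible enable password, CDP left on, default or read-write communities without an ACL, and telnet on the vty lines. Both configurations are constructed, and the `snmp-server community` syntax handled is a simplified form of the real command.

```python
"""Audit a Cisco IOS 'show running-config' dump for weaknesses the slides list.
Added example, not from the slides; both configs below are constructed."""
import re
WEAK_CONFIG = """\
enable password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER-HASH
no cdp run
access-list 10 permit 192.0.2.10
snmp-server community N0c-r34d-0nly RO 10
line vty 0 4
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Simplified form of: snmp-server community <string> [view <name>] [RO|RW] [acl]
SNMP_COMMUNITY = re.compile(
    r"snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)


def audit_ios_config(config: str) -> list[str]:
    """Return one finding per weakness; an empty list means every check passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    # 'enable password' is cleartext or reversible (type 7); 'enable secret' is hashed.
    if any(ln.startswith("enable password") for ln in lines) and \
            not any(ln.startswith("enable secret") for ln in lines):
        findings.append("enable password without enable secret: recoverable from config")
    if "no cdp run" not in lines:           # CDP is on by default unless disabled
        findings.append("CDP enabled")
    for ln in lines:
        if m := SNMP_COMMUNITY.match(ln):
            community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{community}'")
            if mode == "RW":                # slides: limit SNMP to read-only
                findings.append(f"SNMP community '{community}' is read-write")
            if acl is None:                 # slides: use ACLs to limit exposure
                findings.append(f"SNMP community '{community}' has no access-list")
    # Telnet sends the vty login in cleartext; only ssh should be accepted.
    if any(re.match(r"\s+transport input\b.*\btelnet\b", ln) for ln in lines):
        findings.append("vty lines accept telnet")
    return findings
```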