Network Security
Principles & Practices
By Saadat Malik
Cisco Press
2003
Network Security 2
Chapter 3 – Device Security
• A device is a node helping to form the topology of the network.
• A compromised device may be used by the attacker as a jumping board.
• A DoS attack may be launched against a device.
Two aspects of device security
• Physical security
  – Placing the device in a secure location
• Logical security
  – Securing the device against nonphysical attacks
Physical security
Considerations:
• Using redundant devices?
• Network topology (serialized, star, fully meshed?)
• Where to place the network devices?
• Media security (wire tapping, physical eavesdropping)
• Adequate/uninterrupted power supply
• Disasters
Device Redundancy
• A backup device (router, switch, gateway, …) is configured to take over the functionality of a failed active device.
• Means of achieving redundancy:
  A. Use routing to enable redundancy
  B. Use a redundancy protocol
    – Hot Standby Router Protocol (HSRP)
    – Virtual Router Redundancy Protocol (VRRP)
    – Failover protocols
Cisco Command Reference
• Cisco IOS Commands Master List, Release 12.2
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122mindx/l22index.htm
• Network Access Security Commands
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1824/products_command_reference_chapter09186a0080087141.html
• Configuration Guide for the Cisco Secure PIX Firewall Version 6.0:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/index.htm
• PIX Command Reference:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid0
Note: A PDF file may be downloaded from the above sites.
• Cisco Command Summary:
  http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php
• Other useful sites:
  – http://www.elings.com/ (Windows Administration Support Portal)
  – http://www.freebraindumps.com/CCIE/
  – http://www.groupstudy.com/
EIGRP (used in Example 3-1)
• IGRP: Cisco’s Interior Gateway Routing Protocol
• EIGRP: Enhanced IGRP
  – A router running EIGRP stores all its neighbors' routing tables so that it can quickly adapt to alternate routes.
  – If no appropriate route exists, EIGRP queries its neighbors to discover an alternate route.
  – These queries propagate until an alternate route is found.
• To enable EIGRP on the router you simply need to enable eigrp and define a network number. This is done as follows:
  Router# conf t
  Router(config)# router eigrp 1
  Router(config-router)# network 172.16.0.0
• http://networking.ringofsaturn.com/Cisco/eigrp.php
Routing-enabled Redundancy
• To set up routing in such a way that the routing protocols converge to one set of routes under normal conditions, and a different set of routes when some of the devices fail.
  1. (Floating) static routes with varying weights: Example 3-1
  2. Dynamic routing protocols: e.g., Routing Information Protocol (RIP)
     http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/rip.htm
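The following Python model is an added illustration of item 1, not the book's Example 3-1 (whose topology and addresses are not reproduced here). The "weights" of the slide are administrative distances: the primary static route carries the IOS default of 1, the floating backup a larger value, and the table keeps only the best candidate whose next hop is currently reachable. The addresses are constructed from the documentation ranges, and "next hop reachable" is an assumed simplification of the IOS rule that a static route is installed only while its outgoing interface is up.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the book. Addresses are constructed (documentation
# ranges 192.0.2.0/24 and 198.51.100.0/24); "next hop reachable" stands in for
# the IOS check that a static route's interface is up / next hop is resolvable.


@dataclass(frozen=True)
class StaticRoute:
    prefix: str      # destination, e.g. "0.0.0.0/0"
    next_hop: str    # next-hop address
    distance: int    # administrative distance; lower wins (IOS default for static: 1)


def install_routes(candidates, reachable_next_hops):
    """Build the routing table: for each prefix keep the lowest-distance candidate
    whose next hop is reachable. A floating static route (higher distance) is
    installed only once every better candidate for that prefix has gone away."""
    table = {}
    for route in candidates:
        if route.next_hop not in reachable_next_hops:
            continue                       # path is down: candidate stays out of the table
        current = table.get(route.prefix)
        if current is None or route.distance < current.distance:
            table[route.prefix] = route
    return table


def lookup(table, destination):
    """Longest-prefix match over the installed routes; None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best_net, best_route = None, None
    for prefix, route in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


# Constructed candidates: a primary default route, a floating backup for the
# same prefix, and an internal prefix that is only reachable via the primary.
CANDIDATES = [
    StaticRoute("0.0.0.0/0", "192.0.2.1", 1),          # primary default, normal distance
    StaticRoute("0.0.0.0/0", "198.51.100.1", 200),     # floating backup default
    StaticRoute("10.0.0.0/8", "192.0.2.1", 1),         # internal prefix via the primary
]


def next_hop_for(destination, primary_up):
    """Next hop that carries traffic to `destination` for the given primary-link state."""
    reachable = {"198.51.100.1"} | ({"192.0.2.1"} if primary_up else set())
    route = lookup(install_routes(CANDIDATES, reachable), destination)
    return route.next_hop if route else None


if __name__ == "__main__":
    print("primary up   :", next_hop_for("203.0.113.7", primary_up=True))
    print("primary down :", next_hop_for("203.0.113.7", primary_up=False))
    print("10/8, down   :", next_hop_for("10.1.2.3", primary_up=False))
```

With the primary up, both the default and the 10/8 traffic leave via 192.0.2.1 and the distance-200 route is never installed; when the primary fails, the 10/8 route disappears with it and all traffic falls through to the floating default via 198.51.100.1. That is the "different set of routes when some of the devices fail" the slide describes, achieved without any dynamic protocol.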
Dynamic routing using RIP
• Alternative paths are used when the normal path fails.
• Fig. 3-3
HSRP
• Hot Standby Router Protocol
• Proprietary (Cisco)
• A host uses an IP address as its default gateway.
• A virtual router is set up for that IP:
  – a pair of IP and MAC addresses
• The addresses are ‘taken’ by a set of routers configured with HSRP.
• One of the routers is designated as the active router.
• When the active router fails, one of the standby routers takes ownership of the IP and the MAC addresses.
HSRP
• HSRP group (aka. standby group)
• Election protocol
• Packet format of HSRP messages: Fig. 3-4
• Messages: hello, coup hello, resign
• How does HSRP provide redundancy? Fig. 3-5 (next slide)
  A virtual IP is shared between routers A and B, so when B becomes the active router, no change of default gateway IP is needed in the end hosts.
Example HSRP Implementation
Fig. 3-5
HSRP
• Drawback: not very secure. The authentication field contains a password that is transmitted as clear text.
• c.f., VRRP provides better security.
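To make the drawback concrete, here is an added Python decoder for the HSRP version 1 message (field layout per RFC 2281: 20 bytes, UDP port 1985, multicast 224.0.0.2), written from a monitoring point of view; it is my example, not code from the book or from Cisco. It shows that the authentication field is a zero-padded 8-byte plain string, so a monitoring sensor on the segment can report which groups still run the RFC 2281 default string "cisco". The sample hello message is constructed, not captured.

```python
import socket
import struct

# Added example, not the book's code. Layout follows RFC 2281 (HSRP v1).
# SAMPLE_HELLO below is constructed for illustration, not a real capture.

HSRP_FORMAT = "!BBBBBBBB8s4s"             # version, opcode, state, hellotime, holdtime,
HSRP_LEN = struct.calcsize(HSRP_FORMAT)   # priority, group, reserved, auth data, virtual IP
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = "cisco"                    # RFC 2281 default authentication string


def parse_hsrp(payload: bytes) -> dict:
    """Decode one HSRP v1 message; raises ValueError on anything malformed."""
    if len(payload) < HSRP_LEN:
        raise ValueError("HSRP message truncated (%d of %d bytes)" % (len(payload), HSRP_LEN))
    (version, opcode, state, hellotime, holdtime, priority,
     group, _reserved, auth, vip) = struct.unpack(HSRP_FORMAT, payload[:HSRP_LEN])
    if version != 0:
        raise ValueError("only HSRP version 1 (version field 0) is handled")
    if opcode not in OPCODES:
        raise ValueError("unknown opcode %d" % opcode)
    return {
        "opcode": OPCODES[opcode],
        "state": STATES.get(state, "unknown(%d)" % state),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        # The authentication field is an 8-byte, zero-padded plain string:
        # whoever can read the frame can read the password.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": socket.inet_ntoa(vip),
    }


def audit_hsrp(payload: bytes) -> list:
    """Findings a passive monitor would raise for one observed HSRP message."""
    msg = parse_hsrp(payload)
    findings = []
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("group %d uses the default authentication string" % msg["group"])
    elif msg["auth"] == "":
        findings.append("group %d sends an empty authentication string" % msg["group"])
    findings.append("group %d authentication is clear text; it proves nothing to a "
                    "receiver on the same segment" % msg["group"])
    return findings


# Constructed sample: version 1, hello, state active, hellotime 3 s,
# holdtime 10 s, priority 100, group 1, auth "cisco", virtual IP 192.0.2.1.
SAMPLE_HELLO = (b"\x00\x00\x10\x03\x0a\x64\x01\x00"
                + b"cisco\x00\x00\x00"
                + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_hsrp(SAMPLE_HELLO))
    for finding in audit_hsrp(SAMPLE_HELLO):
        print("finding:", finding)
```

The audit deliberately reports the clear-text field even when the string is not the default: the mitigation for this slide's drawback is not a stronger password but a protocol whose authentication is keyed (the VRRP MD5 option on the following slides) or, on switched networks, filtering who may send to the HSRP group at all.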
VRRP
• Virtual Router Redundancy Protocol
• RFC 2338, RFC 3768 (4/04): ftp://ftp.rfc-editor.org/in-notes/rfc3768.txt
• Non-proprietary (unlike HSRP)
• An election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN (the master router)
• The election process provides dynamic failover in the forwarding responsibility should the master become unavailable.
• Allows any of the virtual router IP addresses on the LAN to be used as the default first-hop router by end hosts.
VRRP
• When is the master router considered down?
  – The master router periodically sends out an advertisement message that contains an advertisement interval.
  – Each backup router uses a timer to decide when the master router is down.
• The election process:
  – When a backup router detects that the master router is down, it sends an advertisement message with its own priority value in it.
  – The backup router with the highest priority value becomes the new master router.
VRRP
• Question: What if an attacker injects a fake VRRP advertisement message (possibly with a very high priority value) into the network? Would it then be elected to be the new master router?
• The answer: VRRP security features
  – Three authentication methods
    1. No authentication
    2. Simple clear-text passwords
    3. Strong authentication (using IP authentication with MD5 HMAC). Q: What’s the implication? Shared key
  – A mechanism that protects against VRRP packets being injected from a remote network
    • sets TTL = 255
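The following Python is an added worked example covering both the previous slide (master-down timer and priority election) and this one (the receiver-side TTL check); it is my code, not the book's or any vendor's. The message layout and receive rules follow RFC 2338/3768 (VRRP version 2): the sender always transmits with TTL 255, so any advertisement that has been forwarded by a router arrives with a smaller TTL and is discarded before it can influence the election. The two advertisements and all addresses are constructed, with valid checksums so the parser accepts them.

```python
import ipaddress
import struct

# Added example, not from the book or any VRRP implementation. Layout and
# receive rules follow RFC 2338 / RFC 3768 (VRRP v2); samples are constructed.

VRRP_HDR = "!BBBBBBH"     # ver|type, VRID, priority, count, auth type, adver int, checksum
HDR_LEN = 8
AUTH_LEN = 8              # RFC 2338 authentication data; RFC 3768 keeps the bytes, ignores them
AUTH_TYPES = {0: "none", 1: "simple text password", 2: "IP authentication header"}
ADVERTISEMENT = 1


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum; 0 when run over a message that includes its own
    correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_advertisement(payload: bytes) -> dict:
    if len(payload) < HDR_LEN:
        raise ValueError("VRRP message truncated")
    vt, vrid, priority, count, auth_type, adver_int, _csum = struct.unpack(VRRP_HDR, payload[:HDR_LEN])
    length = HDR_LEN + 4 * count + AUTH_LEN
    if len(payload) < length:
        raise ValueError("VRRP message shorter than its address count implies")
    if inet_checksum(payload[:length]) != 0:
        raise ValueError("bad VRRP checksum")
    addrs = [str(ipaddress.IPv4Address(payload[HDR_LEN + 4 * i:HDR_LEN + 4 * i + 4]))
             for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": priority,
            "auth_type": AUTH_TYPES.get(auth_type, "unknown"), "adver_int": adver_int,
            "addresses": addrs, "auth_data": payload[HDR_LEN + 4 * count:length]}


def accept_advertisement(ip_ttl: int, payload: bytes, local_vrid: int, local_adver_int: int):
    """RFC 3768 section 7.1 receive checks. Returns (message, None) when the
    advertisement may drive the state machine, otherwise (None, reason)."""
    if ip_ttl != 255:
        return None, "TTL %d != 255: the packet crossed a router, so it did not originate on this LAN" % ip_ttl
    try:
        adv = parse_advertisement(payload)
    except ValueError as exc:
        return None, str(exc)
    if adv["version"] != 2:
        return None, "unsupported VRRP version %d" % adv["version"]
    if adv["type"] != ADVERTISEMENT:
        return None, "not an advertisement"
    if adv["vrid"] != local_vrid:
        return None, "VRID %d is not configured on this router" % adv["vrid"]
    if adv["adver_int"] != local_adver_int:
        return None, "advertisement interval mismatch"
    return adv, None


def skew_time(priority: int) -> float:
    return (256 - priority) / 256


def master_down_interval(priority: int, adver_int: int) -> float:
    """How long a backup waits without advertisements before taking over;
    the higher its priority, the sooner its timer fires."""
    return 3 * adver_int + skew_time(priority)


def backup_timer_on_advertisement(local_priority: int, local_preempt: bool, adv: dict):
    """RFC 3768 section 6.4.2: what a backup does with an accepted advertisement.
    Returns the new Master_Down timer value, or None when the advertisement is
    ignored (the backup takes over once its own timer expires)."""
    if adv["priority"] == 0:                       # master is shutting down
        return skew_time(local_priority)
    if not local_preempt or adv["priority"] >= local_priority:
        return master_down_interval(local_priority, adv["adver_int"])
    return None


def elect_master(backups):
    """backups: list of (primary IP, priority). The one whose timer expires first
    wins: highest priority, ties broken by the higher primary IP address."""
    return max(backups, key=lambda b: (b[1], int(ipaddress.IPv4Address(b[0]))))


# Constructed advertisements (checksums valid): VRID 1, virtual address
# 192.0.2.254, auth type none, interval 1 s, priority 100 and 255 respectively.
ADV_PRIO_100 = bytes.fromhex("210164010001b7fdc00002fe") + b"\x00" * 8
ADV_PRIO_255 = bytes.fromhex("2101ff0100011cfdc00002fe") + b"\x00" * 8
```

Run `accept_advertisement(64, ADV_PRIO_255, 1, 1)` and the priority-255 message is discarded for its TTL alone, which is the whole of the slide's last bullet: the check answers the remote-injection question but says nothing about a sender that is already on the LAN, whose packets arrive with TTL 255 and pass. That is the gap the authentication methods (and the shared key they imply) are meant to cover; note that RFC 3768 later removed the RFC 2338 authentication types, so on current implementations the answer on-link is link-layer access control rather than a VRRP password.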
VRRP
• RFC 2338 (4/1998), obsoleted by RFC 3768 (R. Hinden, Ed.; April 2004)
  ftp://ftp.rfc-editor.org/in-notes/rfc3768.txt
Failover Protocol
• Cisco PIX firewall
• The functionality of a failed firewall is taken over by a standby firewall.
• See Chapter 8 for details
Security of major devices
• Next:
  – Router security
  – Firewall security