• Aucun résultat trouvé

Implementing Secure Converged Implementing Secure Converged Wide Area Networks (ISCW)Wide Area Networks (ISCW)Network Security Strategies& Cisco Device Hardening

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Implementing Secure Converged Implementing Secure Converged Wide Area Networks (ISCW)Wide Area Networks (ISCW)Network Security Strategies& Cisco Device Hardening"

Copied!
8
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

http://www.INE.com

Implementing Secure Converged Implementing Secure Converged

Wide Area Networks (ISCW) Wide Area Networks (ISCW)

Network Security Strategies

& Cisco Device Hardening

Attack Mitigation Overview Attack Mitigation Overview

• Layer 2 attack review

– VLAN hopping – CAM attacks – DHCP starvation – Rogue DHCP – ARP poisoning – IP/MAC spoofing

• What about layer 3 and above?

(2)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

Reconnaissance Attacks Reconnaissance Attacks

• Used to map the network and discover resources

– What are the routers, links, routing tables, hosts, etc.

• Common methods

– Packet capture (sniffers) – Ping sweeps

– Port scans – DNS queries

Control Plane Attacks Control Plane Attacks

• Disrupt the routing & management protocols of the network

• Common methods

– Prefix injection/withdrawal – BGP reset

– Telnet passwords

– SNMP community strings – NTP spoofing

(3)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

• Used to gain unauthorized access to resources

• Common methods

– Brute force password attacks – Redirection

– Layer 3 Man-in-the-Middle (MiM)

DoS/DDoS

DoS/DDoS Attacks Attacks

• Used to overwhelm links and servers to the point they are unusable

• Common methods

– IP spoofing – Smurf – Fraggle

– TCP SYN flooding

(4)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

Application Attacks Application Attacks

• Targeted at software vulnerabilities

• Common methods

– Buffer overflows – Worms

– Viruses – Trojans – etc.

Reconnaissance Mitigation Reconnaissance Mitigation

• How are they mapping the network in the first place?

– ICMP

• Echo-reply

• Unreachable

• Mask reply

• Redirect

– Proxy ARP – CDP

• How to mitigate?

– Disable unneeded services

(5)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

• Why is the control vulnerable?

– No routing authentication – Promiscuous routing neighbors – Clear text telnet & SNMP passwords – No NTP authentication

• How to mitigate

– Routing authentication – Unicast updates – SSH

– SNMPv3

– NTP authentication

Access Attack Mitigation Access Attack Mitigation

• Why is access vulnerable?

– Lenient password retry policy

– Clear text strings in protocol payloads – Hosts vulnerable to redirection

• How to mitigate?

– AAA & lockouts – SSL/IPsec – HIPS

(6)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

DoS/DDoS

DoS/DDoS Attack Mitigation Attack Mitigation

• Why are we vulnerable?

– TCP stack connection limits – Flood attack amplification

– Input packets not RPF checked

• How to mitigate

– Half-open session monitoring – Disable directed broadcasts – RFC 3704 / BOGON / URPF

Application Attacks Application Attacks

• Why are we vulnerable?

– Patch application not enforced – Virus scan updates not enforced

• How to mitigate?

– NAC

(7)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

• Manually via CLI

• Auto-secure

• SDM audit & lockdown

Securing the Control Plane Examples Securing the Control Plane Examples

• Passwords, privileges, & AAA

• Role based CLI

• Disabling Telnet

• Enabling SSH

• Disabling SMNP v1/v2

• NTP authentication

• Logging sequence numbers

• Banners

(8)

Copyright

Copyright ©© 2009 Internetwork Expert, Inc 2009 Internetwork Expert, Inc www.INE.com

www.INE.com

DoS Mitigation Examples DoS Mitigation Examples

• URPF

• BOGON filtering

• TCP Intercept / CBAC

• Disabling directed broadcasts

Q&A

Q&A

Références

Télécharger maintenant ( PDF - 8 Page - 80.51 KB )

Documents relatifs

P-Store : genuine partial replication in wide area networks

P-Store is a partial database replication protocol for wide area networks that allows transactions to optim- istically execute at multiple sites and certifies transac- tions in

Cisco Secure Virtual Private Networks

This topic explains how to cable the Cisco VPN 3000 Series Concentrator and establish a management session between a PC and the Concentrator. All rights reserved. A power cable

A seismic and pressure transducer system for monitoring velocities and impact pressures of snow avalanches

This is borne out when the pressure traces for cells A and C are examined (Figures 3 and 4). Seismic record from geophone 2... Pressure record from cell A. Pressure record from cell

Optimal atomic broadcast and multicast algorithms for wide area networks

We establish the inherent cost of the genuine atomic multicast problem for messages that are multicast to multiple groups and we show that quiescence has a cost, i.e., in runs where

Diario de la conflictividad en Honduras : 2009 - 2015 : del golpe de Estado a las marchas de las antorchas

Al mismo tiempo, el Poder Ejecutivo apura esfuerzos para finalizar el llama- do Plan de Desarrollo al año 2030, un documento técnico elaborado por los expertos, nacionales

Dynamic bandwidth allocation for all-optical wide-area networks

Figure 2 represents a traditional network interconnecting the same 100 edge nodes using 10 electronic transit routers to concentrate traffic onto high capacity point-to-point

MAC-Network Cross-Layer Energy Optimization model for Wireless Body Area Networks

Indeed, EAWD model considered the topology constraints by minimizing the number of relay nodes, in order to reduce the total energy consumption, as well as the total

Spectral Properties of a New Generation of Multiplication Operators

In this paper, we etablish some spectral properties for a general class of multiplication type-operators containing n involutions on the Hilbert space L 2 ( X, µ).. We construct