Security Basics
• Why Security?
• Security Technology
– Identity
– Integrity
– Active Audit
[Figure: a user (Bob) typing a password at a CPU; a customer connecting to a bank]
Access          Security
--------------  -----------------
Connectivity    Authentication
Performance     Authorization
Ease of Use     Accounting
Manageability   Assurance
                Policy Management
Availability    Confidentiality
                Data Integrity
• Identity
– Accurately identify users
– Determine what users are allowed to do
• Integrity
– Ensure network availability
– Provide perimeter security
– Ensure privacy
• Active audit
– Recognize network weak spots
– Detect and react to intruders
[Figure: a policy/AAA server controlling PPP dial-in access from the public network to the campus network]
– Authentication
  • Verifies identity—Who are you?
– Authorization
  • Configures integrity—What are you permitted to do?
– Accounting
  • Assists with audit—What did you do?
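The three AAA questions above map onto three server-side decisions. The following is an added example, not code from the slides or from any Cisco product: a small in-memory AAA server (constructed) that answers "who are you?" with a salted password hash compared in constant time, "what are you permitted to do?" with a deny-by-default role table, and "what did you do?" with an accounting record for every decision, granted or denied. The iteration count, role names and actions are illustrative assumptions.

```python
"""AAA decision flow: authenticate (who are you?), authorize (what may you do?),
account (what did you do?). Added example; not Cisco AAA/RADIUS code."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor, tune for your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the server stores only (salt, digest), never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AAAServer:
    """In-memory stand-in for the policy/AAA server in the slide (constructed, not a real product)."""

    def __init__(self):
        self._users = {}  # username -> (salt, digest, role)
        # role -> permitted actions; anything not listed is denied (least privilege)
        self._roles = {
            "helpdesk": {"read_tickets"},
            "netadmin": {"read_tickets", "configure_router"},
        }
        self.accounting_log = []  # one record per decision, granted or denied

    def add_user(self, username, password, role):
        if role not in self._roles:
            raise ValueError(f"unknown role: {role}")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def authenticate(self, username, password):
        """Authentication: verify identity. Constant-time compare; unknown users still
        pay the hashing cost so response time does not reveal whether the account exists."""
        record = self._users.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)  # dummy work, result discarded
            ok = False
        else:
            salt, stored, _role = record
            _salt, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(stored, candidate)
        self._account(username, "authenticate", ok)
        return ok

    def authorize(self, username, action):
        """Authorization: deny by default; permit only what the user's role grants."""
        record = self._users.get(username)
        allowed = record is not None and action in self._roles[record[2]]
        self._account(username, action, allowed)
        return allowed

    def _account(self, username, action, granted):
        """Accounting: append an audit record for every decision."""
        self.accounting_log.append(
            {"time": time.time(), "user": username, "action": action, "granted": granted}
        )


if __name__ == "__main__":
    server = AAAServer()
    server.add_user("bob", "correct-horse-battery-staple", "helpdesk")
    print(server.authenticate("bob", "correct-horse-battery-staple"))  # True
    print(server.authenticate("bob", "guess"))                         # False
    print(server.authorize("bob", "read_tickets"))                     # True
    print(server.authorize("bob", "configure_router"))                 # False
    for record in server.accounting_log:
        print(record)
```

Note that denied decisions are logged as well as granted ones; the accounting trail is what the "active audit" function later in these slides consumes, and a trail that only records successes cannot show an intruder probing for access.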
Henry M. Ventura Sabido www.cisco.com 11-14
RADIUS
[Figure: a remote access user connects to an access server, which consults a RADIUS server at the corporate site across the Internet; a non-authorized user is refused]
[Figure: digital signature. Sender: Message -> Hash -> encrypt with Bob's private key -> Digital Signature. Receiver: decrypt the Digital Signature with Bob's public key -> Hash; recompute the Hash of the received Message; Same?]
• If verification is successful, document has not been altered
Certificate Authority
[Figure: a client checks a bank's certificate with a certificate authority (CA) across the Internet]
[Figure: network address translation; a packet with source address (SA) 10.0.0.1 on the inside leaves toward the Internet with SA 171.69.58.8]
Inside Local IP Address   Inside Global IP Address
10.0.0.1                  171.69.58.80
10.0.0.2                  171.69.58.81
Integrity
• Control access to critical network applications, data, and services
  – Access control lists, firewall technologies, content filtering, CBAC, authentication
• Permit secure access to resources
• Protect networks from:
  – Unauthorized intrusion from both external and internal sources
  – Denial of service (DoS) attacks
[Figure: users and the protected internal network sit behind a router with filters; an e-mail server, a public web server and a micro web server are reachable from the Internet/intranet]
• Provides user-level security
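The "router with filters" in the figure is a packet filter driven by an access control list. The following added example (not from the slides or from any router's software) implements the two properties that matter when reading or writing such a list: rules are evaluated in order and the first match wins, and a packet matching nothing is dropped by the implicit deny at the end. The rule syntax is a constructed simplification of router ACL lines, and the addresses are taken from the documentation ranges; 10.0.0.0/8 stands in for the protected internal network.

```python
"""Stateless packet filter: ordered rules, first match wins, implicit deny at the end.
Added example; the rule syntax is a constructed simplification of router ACL lines."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port


def _network(token):
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' (constructed syntax)."""
    parts = line.split()
    if len(parts) not in (4, 6) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    dport = None
    if len(parts) == 6:
        if parts[4] != "eq":
            raise ValueError(f"malformed rule: {line!r}")
        dport = int(parts[5])
    return Rule(parts[0], parts[1], _network(parts[2]), _network(parts[3]), dport)


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt):
    """Return (action, index of the matching rule); index None means the implicit deny fired."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Inbound filter on the Internet-facing interface (constructed). The anti-spoofing
# deny comes first: a packet arriving from outside must never carry an inside source.
ACL = [parse_rule(line) for line in (
    "deny ip 10.0.0.0/8 any",
    "permit tcp any 203.0.113.10/32 eq 80",     # public web server
    "permit tcp any 203.0.113.10/32 eq 443",
    "permit tcp any 203.0.113.20/32 eq 25",     # e-mail server
    "permit udp any 203.0.113.30/32 eq 53",     # public DNS
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "203.0.113.10", 80),
                Packet("tcp", "198.51.100.7", "203.0.113.10", 22),
                Packet("tcp", "10.1.2.3", "203.0.113.10", 80),
                Packet("tcp", "198.51.100.9", "10.0.0.5", 445)):
        print(pkt, "->", evaluate(ACL, pkt))
```

Because matching stops at the first hit, moving the anti-spoofing deny to the end of the list silently disables it for any port the permit rules cover; reviewing an ACL means reading it top to bottom with that in mind, and the `index` returned by `evaluate` is the line a log entry should cite so that an auditor can tell which rule admitted or dropped a packet.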
Performance Requirements
[Figure: company network connected to the Internet; bandwidth scale marked 1, 5, 10, 20 and 40 at .5 Meg per second]
• Video
• Audio
• Private link
• Web commerce
• Provide authenticated private communication on demand
  – VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
[Figure: encryption in Paris and decryption in Hong Kong across the Internet; the IP packet (private, encrypted) travels as cipher text behind a public IP header]
• Company information secured
• Lower costs
  – Connectivity costs
  – Capital costs
  – Management and support costs
• Wider connectivity options
• Speed of deployment
• Traditional applications
  – E-mail
  – Database
  – File transfer
• New applications
  – Videoconferencing
  – Distance learning
  – Advanced publishing
  – Voice
[Figure: a mobile worker dials to Munich over the Internet; tunnel endpoint combinations shown: Router to Firewall, Router to Router, PC to Firewall, PC to Router, PC to Server, Router A to Router B]
Active Audit
[Figure: a USA passport whose text is unreadable, illustrating verification]
• Verify policy
• Detect intrusion
• Report
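"Detect intrusion" and "report" in practice means running detection logic over the accounting and authentication records the network produces. The following is an added example, not code from the slides: a sliding-window detector that reads constructed authentication log lines (the format is invented for the demonstration), raises one alert when a single source address reaches a failure threshold inside the window, and a second, higher-priority alert when a source with recent failures then logs in successfully, since that is the pattern of a guessed password rather than a forgotten one. Threshold and window are assumptions to be tuned per environment.

```python
"""Brute-force detection over authentication log lines (added example).
Log format and all sample lines are constructed for this demonstration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>accepted|failed) password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log: one source cycles through accounts and finally gets in,
# a second source fails twice far apart, a legitimate user logs in normally.
SAMPLE_LOG = [
    "2024-03-11T10:00:01 ras1 auth: failed password for admin from 198.51.100.7",
    "2024-03-11T10:00:09 ras1 auth: failed password for admin from 198.51.100.7",
    "2024-03-11T10:00:15 ras1 auth: accepted password for alice from 10.1.4.20",
    "2024-03-11T10:00:20 ras1 auth: failed password for root from 198.51.100.7",
    "2024-03-11T10:00:31 ras1 auth: failed password for bob from 198.51.100.7",
    "2024-03-11T10:00:40 ras1 auth: failed password for carol from 203.0.113.5",
    "2024-03-11T10:00:44 ras1 auth: failed password for bob from 198.51.100.7",
    "2024-03-11T10:00:52 ras1 auth: failed password for bob from 198.51.100.7",
    "2024-03-11T10:01:03 ras1 auth: accepted password for bob from 198.51.100.7",
    "2024-03-11T10:05:00 ras1 auth: failed password for carol from 203.0.113.5",
    "this line is not an auth record",
]


def parse_line(line):
    """Return the event fields as a dict, or None for lines that are not auth records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window count of failures per source address. Alerts raised:
    - ("bruteforce", src, ts) once, when a source reaches `threshold` failures within `window`
    - ("success_after_failures", src, ts) when a source with recent failures then succeeds
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unrelated or malformed line; a real pipeline would count these too
        window_q = recent_failures[event["src"]]
        while window_q and event["ts"] - window_q[0] > window:
            window_q.popleft()  # expire failures older than the window
        if event["result"] == "failed":
            window_q.append(event["ts"])
            if len(window_q) == threshold:  # fire once, not on every further failure
                alerts.append(("bruteforce", event["src"], event["ts"].isoformat()))
        elif window_q:
            alerts.append(("success_after_failures", event["src"], event["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The detector keys on the source address rather than the account name because the sample attacker spreads attempts over several usernames; a per-account lockout would not trip on one failure per account, which is why counting by source (and, in a fuller system, by both) is the more robust report.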
• Security is a mission-critical business requirement for all networks
• Security requires a global, corporate-wide policy
• Security requires a multilayered implementation