
Module 07:

Security Basics

Universidad Autónoma de Yucatán


www.cisco.com
Agenda

• Why Security?
• Security Technology
– Identity
– Integrity
– Active Audit

Henry M. Ventura Sabido www.cisco.com 11-2


All Networks Need Security

• No matter the company size, security is important
• The Internet connection is to business in the late 1990s what the telephone was to business in the late 1940s
• Even small company sites get cracked


Why Security?

• Three primary reasons
– Policy vulnerabilities
– Configuration vulnerabilities
– Technology vulnerabilities
• And people eager to take advantage of the vulnerabilities


Security Threats

(Figure: four threat scenarios)
• Loss of privacy: a sniffed telnet session to company.org reveals "username: dan, password: m-y-p-a-s-s-w-o-r-d"
• Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
• Denial of service: the target's CPU is overloaded
• Loss of integrity: the customer's "Deposit $1000" reaches the bank as "Deposit $100"
Security Objective: Balance Business Needs with Risks

Access: connectivity, performance, ease of use, manageability, availability
Security: authentication, authorization, accounting, assurance, policy management, confidentiality, data integrity


Network Security Components: Physical Security Analogy

Physical security                          Network security
Doors, locks, and guards                   Firewalls and access controls
Keys and badges                            Authentication
Surveillance cameras and motion sensors    Intrusion detection system

• Complementary mechanisms that together provide defense in depth


Security Technology

Universidad Autónoma de Yucatán


CSE-Security—Basics www.cisco.com © 1999, Cisco Systems, Inc. 3-8
Elements of Security

• Identity
– Accurately identify users
– Determine what users are allowed to do
• Integrity
– Ensure network availability
– Provide perimeter security
– Ensure privacy
• Active audit
– Recognize network weak spots
– Detect and react to intruders
(Figure: policy underlies all three elements)


Identity

• Uniquely and accurately identify users, applications, services, and resources
– Username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation


Username/Password

(Figure: a dial-in user connects over PPP through the public network to a Network Access Server (NAS); the NAS forwards the ID/password to the AAA server on the campus network)

• User dials in with password to the NAS
• NAS sends ID/password to the AAA server
• AAA server authenticates the user ID/password and tells the NAS to accept (or reject)
• NAS accepts (or rejects) the call
PAP and CHAP Authentication

(Figure: a Network Access Server authenticating a PPP caller over the public network with PAP or CHAP)

• Password Authentication Protocol (PAP)
– Authenticates the caller only
– Passes the password in clear text; anyone who can see the link learns it
• Challenge Handshake Authentication Protocol (CHAP)
– Can authenticate both sides (each peer may challenge the other)
– The password is never sent: the caller returns a hash of a random challenge combined with the shared secret, so a captured response is useless against a fresh challenge
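The difference between the two protocols, as an added example that is not part of the original slides or of any Cisco code: a PAP Authenticate-Request carries the password itself, while CHAP (RFC 1994, MD5 variant) returns MD5(Identifier || Secret || Challenge) and the authenticator accepts each challenge once. The credentials, the simplified PAP frame layout and the in-memory authenticator are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample credentials for this example.  The CHAP secret lives on
# both ends of the link and is never put on the wire.
USERNAME = "dan"
PASSWORD = "mypassword"
CHAP_SECRET = b"mypassword"


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP (RFC 1334): the Authenticate-Request carries the password itself."""
    user = username.encode()
    pw = password.encode()
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


def sniff_pap_password(frame: bytes) -> str:
    """What an eavesdropper on the link recovers from a PAP Authenticate-Request."""
    ulen = frame[0]
    plen = frame[1 + ulen]
    return frame[2 + ulen:2 + ulen + plen].decode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """NAS side: issues a fresh random challenge per attempt and checks the response."""

    def __init__(self, secret: bytes):
        self._secret = secret          # CHAP needs the secret in cleartext on the NAS/AAA server
        self._identifier = 0
        self._outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self):
        self._identifier = (self._identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)   # a challenge is good for one response
        if chal is None:
            return False
        expected = chap_response(identifier, self._secret, chal)
        return secrets.compare_digest(expected, response)


def demo_pap_sniff() -> str:
    """PAP: the captured frame gives the attacker the password outright."""
    captured = pap_authenticate_request(USERNAME, PASSWORD)
    return sniff_pap_password(captured)


def demo_chap_replay():
    """CHAP: a captured response is worthless against the next challenge."""
    nas = ChapAuthenticator(CHAP_SECRET)
    ident, chal = nas.challenge()
    captured = chap_response(ident, CHAP_SECRET, chal)   # legitimate caller's response, sniffed
    first_ok = nas.verify(ident, captured)

    ident2, _chal2 = nas.challenge()                     # attacker dials in later
    replay_ok = nas.verify(ident2, captured)             # replays the sniffed response
    return first_ok, replay_ok


if __name__ == "__main__":
    print("PAP password seen on the wire:", demo_pap_sniff())
    print("CHAP first response accepted, replay accepted:", demo_chap_replay())
```

Two caveats a practitioner should keep in mind: the MD5 construction is what the RFC specifies, and the authenticator must hold the secret in recoverable form (it cannot store a salted one-way hash the way a login database does); and a captured challenge/response pair still allows an offline dictionary attack on a weak secret, which is why CHAP raises the bar against replay but does not replace strong secrets.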
One-Time Password

(Figure: a dial-in user sends an ID and one-time password over PPP to the Network Access Server; the NAS checks it against an AAA server or a token/S/Key server on the campus network)

• Token card
• Soft token
• S/Key server
• Additional level of security, guards against password guessing and cracking
– A captured one-time password cannot be replayed, since each value is accepted only once
• Single-use password is generated by a token card or in software
• A synchronized central server authenticates the user
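How the S/Key family of one-time passwords achieves "accepted only once", as an added example that is not part of the original slides: the token computes hash^n(seed || passphrase), the server stores only the last accepted value and checks that one more hash of the submitted value reproduces it. The passphrase, seed and chain length are constructed, and SHA-256 stands in for the 64-bit MD4/MD5 folding that RFC 2289 actually specifies.

```python
import hashlib
import secrets


def otp_hash(value: bytes) -> bytes:
    """One step of the hash chain.  RFC 2289 folds MD4/MD5 output to 64 bits;
    this example keeps the full SHA-256 digest (a simplification, not the RFC encoding)."""
    return hashlib.sha256(value).digest()


def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """hash^n(seed || passphrase): password number n of the sequence."""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = otp_hash(value)
    return value


class SKeyServer:
    """Stores only the last accepted value and its sequence number, never the passphrase."""

    def __init__(self, seed: str, n: int, last_accepted: bytes):
        self.seed = seed
        self.n = n
        self.last_accepted = last_accepted

    def challenge(self):
        """Tell the user which password in the sequence to produce next."""
        return self.n - 1, self.seed

    def login(self, otp: bytes) -> bool:
        if self.n <= 1:
            return False                   # chain exhausted; re-initialise with a new seed
        # The submitted value must be the pre-image of the stored one.
        if secrets.compare_digest(otp_hash(otp), self.last_accepted):
            self.n -= 1
            self.last_accepted = otp       # advance: the same value can never be accepted again
            return True
        return False


class SKeyToken:
    """Token card or soft token: knows the passphrase, computes hash^seq on request."""

    def __init__(self, passphrase: str):
        self._passphrase = passphrase

    def respond(self, seq: int, seed: str) -> bytes:
        return chain_value(self._passphrase, seed, seq)


def enrol(passphrase: str, seed: str, n: int = 100) -> SKeyServer:
    """Initialisation: compute hash^n once and hand the server the top of the chain."""
    return SKeyServer(seed, n, chain_value(passphrase, seed, n))


def demo():
    server = enrol("correct horse battery staple", "ua01234", n=100)   # constructed sample
    token = SKeyToken("correct horse battery staple")

    seq, seed = server.challenge()            # server asks for password 99
    otp = token.respond(seq, seed)
    first_ok = server.login(otp)              # hash(otp) == stored hash^100

    replay_ok = server.login(otp)             # eavesdropper replays the captured value

    seq2, seed2 = server.challenge()          # now 98
    second_ok = server.login(token.respond(seq2, seed2))

    # The eavesdropper holds otp = hash^99 but needs hash^98; that is a pre-image.
    forged_ok = server.login(otp_hash(otp))   # hashing forward gives hash^100, not hash^98
    return first_ok, replay_ok, second_ok, forged_ok


if __name__ == "__main__":
    print("first, replay, second, forged:", demo())
```

The server never needs the passphrase, so a compromised server database yields nothing reusable; the chain must be re-seeded before it runs out, and an attacker who can intercept and block a login (rather than merely observe it) can use the captured value once, which is the limit of what this scheme protects against.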
Authentication, Authorization, and Accounting (AAA)

(Figure: token keypad)

• Tool for enforcing security policy
– Authentication
• Verifies identity: Who are you?
– Authorization
• Configures integrity: What are you permitted to do?
– Accounting
• Assists with audit: What did you do?
RADIUS

(Figure: Remote Access User → Access Server → RADIUS Server)

• RADIUS is an industry standard: RFC 2138 (authentication) and RFC 2139 (accounting), since superseded by RFC 2865 and RFC 2866
• Cisco has a full IETF RFC implementation
• Cisco has implemented many nonstandard vendor-proprietary attributes
• Cisco hardware works with non-Cisco RADIUS AAA servers
• Cisco is committed to providing the best RADIUS solution
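What actually crosses the wire between the access server and the RADIUS server, as an added example that is not part of the original slides or of any Cisco or RADIUS-server code: an Access-Request with the User-Password hidden under the shared secret (RFC 2865 §5.2), the server's decision, and the Response Authenticator that lets the NAS reject replies from anyone who does not hold the secret. The shared secret, user database, NAS address and fixed Request Authenticator are constructed for the example.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types (RFC 2865 §5)
HEADER = struct.Struct("!BBH")                         # Code, Identifier, Length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: c(i) = p(i) XOR MD5(secret || c(i-1)), with c(0) = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server undoes the hiding; only someone holding the shared secret can."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier, secret, username, password, nas_ip, request_auth=None):
    """What the NAS sends.  request_auth may be fixed for reproducible tests; normally random."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, users) -> bytes:
    """RADIUS server: unhide the password, decide, and sign the reply."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length > len(packet) or length < 20:
        raise ValueError("not a valid Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = HEADER.pack(code, identifier, 20)             # no reply attributes in this example
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    response_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + response_auth


def client_check_response(response, request_auth, secret):
    """NAS side: only accept a reply whose authenticator proves knowledge of the secret."""
    code, identifier, length = HEADER.unpack(response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not secrets.compare_digest(expected, response[4:20]):
        return None                                        # forged or wrong-secret reply: ignore
    return code


def demo():
    secret = b"sharedsecret"                               # constructed NAS/server shared secret
    users = {b"dan": b"mypassword"}                        # constructed user database
    req_auth = bytes(range(16))                            # fixed here so the run is reproducible
    req = build_access_request(7, secret, b"dan", b"mypassword", "171.69.58.1", req_auth)
    good = client_check_response(server_handle(req, secret, users), req_auth, secret)

    bad_req = build_access_request(8, secret, b"dan", b"guess", "171.69.58.1", req_auth)
    rejected = client_check_response(server_handle(bad_req, secret, users), req_auth, secret)

    # A rogue server that does not know the secret cannot produce a valid reply.
    forged = client_check_response(server_handle(req, b"wrong", users), req_auth, secret)
    return good, rejected, forged


if __name__ == "__main__":
    print("accept code, reject code, forged reply:", demo())
```

The hiding is an MD5 keystream keyed by the shared secret, not encryption in the modern sense: whoever captures an Access-Request can test candidate secrets offline, and a predictable Request Authenticator would let them recover passwords directly. Strong secrets, a good random source on the NAS and keeping RADIUS traffic off untrusted networks are the practical consequences.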
TACACS+ Authentication

(Figure: Username/Password and Additional Information checked against the TACACS database)

• Local or centralized
• Cisco customers benefit from additional functionality with the CiscoSecure server, which supports both TACACS+ and RADIUS
• Cisco enterprise customers continue to ask for TACACS+ features


Lock-and-Key Security

(Figure: an authorized user reaches the corporate site across the Internet; a non-authorized user is blocked)

• Dynamically assigns access control lists on a per-user basis
• Allows a remote host to access a local host via the Internet
• Allows local hosts to access a host on a remote network


Digital Signatures

(Figure: signing and verification flow)
• Signing: hash Bob's document to a message hash, then encrypt the hash with Bob's private key; the result is the digital signature sent along with the document
• Verification: hash the received document, decrypt the signature with Bob's public key, and compare the two hashes ("Same?")
• If verification is successful, the document has not been altered and was signed with Bob's private key
Certificate Authority

(Figure: a bank and a client each hold a certificate issued by a CA; the CA vouches for identity across the Internet)

• Certificate Authority (CA) verifies identity
• CA signs a digital certificate containing the device's public key
• A certificate is the equivalent of an ID card
• Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
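The two preceding slides (signature flow and CA) carried through in code, as an added example that is not part of the original slides or of any real PKI library: Bob hashes and signs a document, the CA signs Bob's public key into a certificate, and the relying party trusts only the CA key, checking the certificate before the document signature. The RSA here is textbook (no padding, 512-bit keys) with a Miller-Rabin keygen written for the example, so it demonstrates the hash-sign-verify flow but is not a secure signature scheme; identities, document and certificate encoding are constructed.

```python
import hashlib
import json
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Returns (private, public) as (d, n) and (e, n).  Toy size; real keys are 2048+ bits."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (pow(e, -1, phi), p * q), (e, p * q)


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    """Hash the document, then 'encrypt' the hash with the private key (textbook RSA, no padding)."""
    d, n = private
    return pow(digest(data), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Hash the received document, 'decrypt' the signature with the public key, compare."""
    e, n = public
    return pow(signature, e, n) == digest(data)


def encode_certificate_body(subject: str, public) -> bytes:
    e, n = public
    return json.dumps({"subject": subject, "e": e, "n": n}, sort_keys=True).encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA signs (subject, public key): the 'ID card' of the slide."""
    body = encode_certificate_body(subject, subject_public)
    return {"subject": subject, "public": subject_public, "ca_signature": sign(ca_private, body)}


def verify_signed_document(ca_public, cert: dict, expected_subject: str, doc: bytes, sig: int) -> bool:
    """Relying party: trust the CA's key only; everything else is checked."""
    if cert["subject"] != expected_subject:
        return False
    body = encode_certificate_body(cert["subject"], cert["public"])
    if not verify(ca_public, body, cert["ca_signature"]):
        return False                      # key not vouched for by the CA
    return verify(cert["public"], doc, sig)


def demo():
    ca_private, ca_public = rsa_keygen()
    bob_private, bob_public = rsa_keygen()
    bob_cert = issue_certificate(ca_private, "bob@company.org", bob_public)   # constructed identity

    document = b"Deposit $1000 to account 4711"
    signature = sign(bob_private, document)
    genuine = verify_signed_document(ca_public, bob_cert, "bob@company.org", document, signature)
    altered = verify_signed_document(ca_public, bob_cert, "bob@company.org",
                                     b"Deposit $100 to account 4711", signature)

    # Mallory makes her own key and a certificate claiming to be Bob, but the CA never signed it.
    mal_private, mal_public = rsa_keygen()
    fake_cert = issue_certificate(mal_private, "bob@company.org", mal_public)   # self-signed
    forged = verify_signed_document(ca_public, fake_cert, "bob@company.org", document,
                                    sign(mal_private, document))
    return genuine, altered, forged


if __name__ == "__main__":
    print("genuine, altered, forged-certificate:", demo())
```

The order of checks is the point: the relying party holds exactly one trusted key (the CA's) and refuses a signature whose key it cannot trace back to it, which is what turns "Bob's public key" into "a key the CA vouches is Bob's". A production implementation would use a padded scheme such as RSA-PSS or an Ed25519 signature, X.509 encoding, and certificate validity periods and revocation, none of which the slide covers.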
Network Address Translation

(Figure: a packet with source address 10.0.0.1 leaves the inside network and reaches the Internet with source address 171.69.58.80)

Inside Local IP Address   Inside Global IP Address
10.0.0.1                  171.69.58.80
10.0.0.2                  171.69.58.81

• Provides dynamic or static translation of private addresses to registered (public) IP addresses
• Eliminates readdressing overhead, a large administrative cost benefit
• Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
• Permits use of a single IP address range in multiple intranets
• Hides internal addresses (a side effect, not an access control: what is allowed in or out is still decided by the filters and the firewall)
• Augmented by the EasyIP DHCP host function
Security Technology

Integrity

Universidad Autónoma de Yucatán


Integrity—Network Availability

• Ensure the network infrastructure remains available
– TCP Intercept, route authentication


Integrity—Perimeter Security

• Control access to critical network applications, data, and services
– Access control lists, firewall technologies, content filtering, CBAC, authentication


Importance of Firewalls

• Permit secure access to resources
• Protect networks from:
– Unauthorized intrusion from both external and internal sources
– Denial of service (DoS) attacks


What Is a Firewall?

• All traffic from inside to outside and vice versa must pass through the firewall
• Only authorized traffic, as defined by the local security policy, is allowed in or out
• The firewall itself must be immune to penetration; a firewall that can be compromised enforces nothing


Packet-Filtering Routers

(Figure: a router with filters sits between the ISP/Internet and the protected network; internal users, the e-mail server and the public Web server are reached through it)
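A packet-filtering router's access list as code, as an added example that is not part of the original slides or of Cisco IOS: an extended-ACL-style rule list applied inbound on the ISP-facing interface, evaluated top down with first match and an implicit deny, with the IOS-style `established` keyword (match only when ACK or RST is set). It goes a step beyond the slide by showing the stateless filter's known blind spot, which is the reason stateful inspection such as CBAC exists. The public range is the one used on the NAT slide; the server addresses, rules and test packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    """One line of an extended access list, evaluated top down; first match wins."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None
    established: bool = False  # IOS 'established': match only if ACK or RST is set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt: Packet):
    """Returns (action, index of the matching rule), or ('deny', None) for the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Inbound filter on the ISP-facing interface (constructed for this example).
INBOUND_ACL = [
    Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),                  # anti-spoofing: RFC 1918 source
    Rule("deny", "ip", "171.69.58.0/24", "0.0.0.0/0"),              # our own range never arrives from outside
    Rule("permit", "tcp", "0.0.0.0/0", "171.69.58.80/32", dport=80),    # public Web server
    Rule("permit", "tcp", "0.0.0.0/0", "171.69.58.25/32", dport=25),    # e-mail server
    Rule("permit", "tcp", "0.0.0.0/0", "171.69.58.0/24", established=True),  # replies to inside-initiated sessions
    # implicit: deny ip any any
]


def demo():
    web = Packet("tcp", "203.0.113.9", "171.69.58.80", 40000, 80, frozenset({"SYN"}))
    telnet = Packet("tcp", "203.0.113.9", "171.69.58.90", 40001, 23, frozenset({"SYN"}))
    spoofed = Packet("tcp", "10.1.2.3", "171.69.58.90", 40002, 23, frozenset({"SYN"}))
    # Stateless weakness: an attacker sets ACK on a packet that belongs to no session,
    # and the 'established' rule lets it through to any inside host and port.
    ack_probe = Packet("tcp", "203.0.113.9", "171.69.58.90", 80, 23, frozenset({"ACK"}))
    return {
        "web_syn": evaluate(INBOUND_ACL, web),
        "telnet_syn": evaluate(INBOUND_ACL, telnet),
        "spoofed_src": evaluate(INBOUND_ACL, spoofed),
        "ack_probe": evaluate(INBOUND_ACL, ack_probe),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The `ack_probe` verdict is the lesson: a router that judges each packet on its own cannot tell a reply from a forged ACK, so it either blocks legitimate return traffic or admits packets that belong to no connection. Stateful inspection keeps a table of sessions the inside opened and admits only their replies.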


Proxy Service

(Figure: a proxy server between the internal network and the Internet/intranet)

• Provides user-level security
• Most effective when used with packet filtering
Performance Requirements

(Figure: the company network's Internet link, with a throughput scale running from 0.5 up to 40 Meg per second)

• Video
• Audio
• Private link
• Web commerce


Integrity—Privacy

• Provide authenticated private communication on demand
– VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP


Encryption and Decryption

(Figure: the clear text "Bob is a Fink" becomes unreadable cipher text under encryption and is recovered as "Bob is a Fink" by decryption)


What Are VPNs?

(Figure: a VPN running over a service provider's shared network: Internet, IP, Frame Relay, ATM)

• Virtual Private Networks (VPNs) extend the classic WAN
• VPNs leverage the classic WAN infrastructure, including Cisco's family of VPN-enabled routers and policy management tools
• VPNs provide connectivity on a shared infrastructure with the same policies and "performance" as a private network, with lower total cost of ownership


Virtual Private Networks

(Figure: a private, encrypted IP packet carried inside a public IP header across the Internet between Paris and Hong Kong)

• Extends the private network through the public Internet
• Lower cost than a private WAN
• Relies on tunneling and encryption
Why Build a VPN?

• Company information secured
• Lower costs
– Connectivity costs
– Capital costs
– Management and support costs
• Wider connectivity options
• Speed of deployment


Who Buys VPNs?

• Organizations wishing to:
– Implement more cost-effective WAN solutions
– Connect multiple remote sites
– Deploy intranets
– Connect to suppliers, business partners, and customers
– Get back to their core business, and leave the WAN to the experts
– Lower operational and capital equipment costs
• Businesses with:
– Multiple branch office locations
– Telecommuters
– Remote workers
– Contractors and consultants
Networked Applications

• Traditional applications
– E-mail
– Database
– File transfer
• New applications
– Videoconferencing
– Distance learning
– Advanced publishing
– Voice



Example of a VPN

• Private networking service over a public network infrastructure

(Figure: Munich main office, Paris, New York, and Milan offices joined over the Internet; a mobile worker dials in to Munich over the Internet)
What Is IPSec?

• Network-layer encryption and authentication
– Open standards for ensuring secure private communications over any IP network, including the Internet
– Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
– Data protected with network encryption, digital certification, and device authentication
• Implemented transparently in the network infrastructure
• Includes routers, firewalls, PCs, and servers
• Scales from small to very large networks
IPSec Everywhere!

Router to Firewall

Router to Router

PC to Firewall

PC to Router

PC to Server



IKE—Internet Key Exchange

• Automatically negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates (possibly multiple) security associations for IPSec

(Figure: IKE policy negotiation across the tunnel. One peer offers three alternatives, "3DES, MD5, and RSA signatures" OR "IDEA, SHA, and DSS signatures" OR "Blowfish, SHA, and RSA encryption"; the other peer offers "IDEA, SHA, and DSS signatures"; the policy both share, IDEA, SHA, and DSS signatures, is selected for the IKE tunnel)


How IPSec Uses IKE

(Figure: Alice behind Router A, Bob behind Router B, IKE tunnel between the two routers)

1. Outbound packet from Alice to Bob; no IPSec security association exists yet
2. Router A's IKE begins negotiation with Router B's IKE
3. Negotiation complete; Router A and Router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob, protected by the IPSec SA
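The "authenticated Diffie-Hellman" of the IKE slides, as an added example that is not part of the original slides or of any IKE implementation: two router peers exchange cookies, nonces and g^x values over Oakley group 2 (the 1024-bit MODP prime of RFC 2409 §6.2), derive SKEYID from a pre-shared key, and each proves knowledge of it with a HASH_I/HASH_R that binds the Diffie-Hellman values it believes were exchanged (RFC 2409 §5.4). A mismatched pre-shared key and an active attacker who swaps in his own g^x are both rejected. The message flow is collapsed into one function, HMAC-SHA256 stands in for IKEv1's HMAC-MD5/SHA-1 PRF, and the identities, proposal string and pre-shared key are constructed.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 §6.2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 uses HMAC with the negotiated hash (MD5 or SHA-1); SHA-256 here is a simplification.
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(x: int) -> bytes:
    return x.to_bytes(128, "big")


class IkePeer:
    """One end of a main-mode exchange authenticated with a pre-shared key (RFC 2409 §5.4)."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk, self.identity = psk, identity
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self._x = secrets.randbelow(P - 2) + 1
        self.gx = pow(G, self._x, P)

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        return prf(self.psk, ni + nr)

    def shared_secret(self, peer_gx: int) -> bytes:
        if not 1 < peer_gx < P - 1:
            raise ValueError("invalid public value")
        return to_bytes(pow(peer_gx, self._x, P))

    def session_keys(self, skeyid, peer_gx, cky_i, cky_r):
        gxy = self.shared_secret(peer_gx)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid_a, skeyid_e


def auth_hash(skeyid, own_gx, peer_gx, own_cky, peer_cky, sa, identity):
    """HASH_I / HASH_R: binds the DH values, cookies, proposal and identity to the PSK."""
    return prf(skeyid, to_bytes(own_gx) + to_bytes(peer_gx) + own_cky + peer_cky + sa + identity)


def main_mode(initiator: IkePeer, responder: IkePeer, sa_proposal: bytes, mitm: bool = False):
    """Runs the exchange; with mitm=True an active attacker swaps in his own DH values."""
    gx_i_seen, gx_r_seen = initiator.gx, responder.gx
    if mitm:
        m = secrets.randbelow(P - 2) + 1
        gx_i_seen = gx_r_seen = pow(G, m, P)      # what each side receives instead of the other's g^x

    cky_i, cky_r = initiator.cookie, responder.cookie
    ni, nr = initiator.nonce, responder.nonce

    # Messages 5/6: each side proves knowledge of the PSK over what it believes was exchanged.
    skeyid_i = initiator.skeyid(ni, nr)
    hash_i = auth_hash(skeyid_i, initiator.gx, gx_r_seen, cky_i, cky_r, sa_proposal, initiator.identity)
    skeyid_r = responder.skeyid(ni, nr)
    expected_i = auth_hash(skeyid_r, gx_i_seen, responder.gx, cky_i, cky_r, sa_proposal, initiator.identity)
    if not hmac.compare_digest(hash_i, expected_i):
        return {"authenticated": False, "keys_match": False}

    hash_r = auth_hash(skeyid_r, responder.gx, gx_i_seen, cky_r, cky_i, sa_proposal, responder.identity)
    expected_r = auth_hash(skeyid_i, gx_r_seen, initiator.gx, cky_r, cky_i, sa_proposal, responder.identity)
    if not hmac.compare_digest(hash_r, expected_r):
        return {"authenticated": False, "keys_match": False}

    keys_i = initiator.session_keys(skeyid_i, gx_r_seen, cky_i, cky_r)
    keys_r = responder.session_keys(skeyid_r, gx_i_seen, cky_i, cky_r)
    return {"authenticated": True, "keys_match": keys_i == keys_r}


def demo():
    sa = b"IDEA/SHA/pre-shared-key"                       # the proposal both sides accepted (constructed)
    psk = b"campus-psk"                                   # constructed shared secret
    honest = main_mode(IkePeer(psk, b"routerA"), IkePeer(psk, b"routerB"), sa)
    wrong_psk = main_mode(IkePeer(psk, b"routerA"), IkePeer(b"other", b"routerB"), sa)
    intercepted = main_mode(IkePeer(psk, b"routerA"), IkePeer(psk, b"routerB"), sa, mitm=True)
    return honest, wrong_psk, intercepted


if __name__ == "__main__":
    print("honest, wrong PSK, man-in-the-middle:", demo())
```

Unauthenticated Diffie-Hellman alone would let the attacker in the `mitm` case hold a separate key with each router; what stops him is that HASH_I covers the g^x values each side actually saw and is keyed by a secret he does not have. The same structure carries over to certificate-based IKE, where the hash is signed instead of keyed by a PSK.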
Security Technology

Active Audit

Universidad Autónoma de Yucatán


Why Active Audit?

• The hacker might be an employee or "trusted" partner
– Up to 80% of security breaches come from the inside (Source: FBI)
• Your defense might be ineffective
– One out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
• Your employees might make mistakes
– Misconfigured firewalls, servers, etc.
• Your network will grow and change
– Each change introduces new security risks

Firewalls, authorization, and encryption do not provide VISIBILITY into these problems


Why Active Audit?

• Network security requires a layered defense
– Point security PLUS active systems to measure vulnerabilities and monitor for misuse
– Network perimeter and the intranet
• Security is an ongoing, operational process
– Must be constantly measured, monitored, and improved


Active Audit—Network Vulnerability Assessment

• Assess and report on the security status of network components
– Scanning (active, passive), vulnerability database


Active Audit—Intrusion Detection System

• Identify and react to known or suspected network intrusion or anomalies
– Passive promiscuous monitoring
– Database of threats or suspect behavior
– Communication infrastructure or access control changes
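The two detection styles named on the slide, a database of known threats and recognition of suspect behavior, run over sample traffic, as an added example that is not part of the original slides or of any IDS product: a signature list matched per record, and a sliding-window anomaly check that flags a source hitting many distinct ports in a short time. The connection records, their key=value format, the signature entries and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of connection records as a sensor in promiscuous mode might log them.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z src=203.0.113.5 dst=171.69.58.80 proto=tcp dport=80 flags=S
2024-03-01T10:00:01Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=21 flags=S
2024-03-01T10:00:02Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=22 flags=S
2024-03-01T10:00:03Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=23 flags=S
2024-03-01T10:00:04Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=25 flags=S
2024-03-01T10:00:05Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=53 flags=S
2024-03-01T10:00:06Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=79 flags=S
2024-03-01T10:00:07Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=110 flags=S
2024-03-01T10:00:08Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=111 flags=S
2024-03-01T10:00:09Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=139 flags=S
2024-03-01T10:00:10Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=143 flags=S
2024-03-01T10:00:11Z src=198.51.100.7 dst=171.69.58.90 proto=tcp dport=443 flags=S
2024-03-01T10:00:30Z src=203.0.113.5 dst=171.69.58.80 proto=tcp dport=80 flags=S
2024-03-01T10:01:00Z src=192.0.2.44 dst=171.69.58.90 proto=udp dport=31337
2024-03-01T10:02:00Z src=203.0.113.5 dst=171.69.58.25 proto=tcp dport=25 flags=S
"""

# Signature database: known-bad traffic patterns (a 1990s classic: Back Orifice on udp/31337).
SIGNATURES = [
    {"name": "Back Orifice probe", "proto": "udp", "dport": 31337},
    {"name": "rlogin/rsh from outside", "proto": "tcp", "dport": 513},
]

SCAN_PORTS = 10                        # distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)    # ... within this window counts as a port scan


def parse_line(line: str) -> dict:
    ts, *kv = line.split()
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in kv:
        k, v = item.split("=", 1)
        rec[k] = int(v) if k == "dport" else v
    return rec


def detect(lines):
    """Runs signature matching and a sliding-window port-scan anomaly check over the records."""
    alerts = []
    recent = defaultdict(deque)       # src -> deque of (time, dport) within SCAN_WINDOW
    reported = set()                  # sources already flagged as scanners
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for sig in SIGNATURES:
            if rec.get("proto") == sig["proto"] and rec.get("dport") == sig["dport"]:
                alerts.append(("signature", sig["name"], rec["src"], rec["dst"]))
        window = recent[rec["src"]]
        window.append((rec["time"], rec["dport"]))
        while window and rec["time"] - window[0][0] > SCAN_WINDOW:
            window.popleft()          # drop records that have aged out of the window
        if rec["src"] not in reported and len({p for _, p in window}) >= SCAN_PORTS:
            reported.add(rec["src"])
            alerts.append(("anomaly", "port scan", rec["src"], rec["dst"]))
    return alerts


def demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The signature path finds only what is already in the database; the anomaly path finds the scan with no prior knowledge of the tool, at the cost of a threshold that must be tuned per network (a monitoring host that legitimately polls many ports would trip it). Real sensors add reassembly and protocol decoding, since an attacker who spreads the scan over hours or fragments the probe defeats a check this simple.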
Active Audit

(Figure: a passport being checked)

• Actively audit and verify policy
• Detect intrusion and anomalies
• Report


Summary

• Security is a mission-critical
business requirement for all
networks
• Security requires a global,
corporate-wide policy
• Security requires a
multilayered implementation

