discovery smb isp chapter8
8/3/2019 Discovery SMB ISP Chapter8
2007 Cisco Systems, Inc. All rights reserved. Cisco
-
ISP Responsibility
Working at a Small-to-Medium Business or ISP Chapter 8
-
Objectives
Describe ISP security policies and procedures.
Describe the tools used in implementing security at the ISP.
Describe the monitoring and managing of the ISP.
Describe the responsibilities of the ISP with regard to maintenance and recovery.
-
ISP Security Considerations
Any active Internet connection can make a computer a target for malicious activity.
Problems that cause large-scale failures in ISP networks often originate from the ISP customer locations.
ISPs play a big role in helping to protect the home and business users that use their services.
An important part of the job of an on-site support technician in an ISP is to implement security best practices on client computers. This includes:
Helping clients to create secure passwords
Securing applications
Removing unnecessary applications and services that can cause vulnerabilities
Configuring firewalls
Performing security scans
-
ISP Security Considerations
ISPs have measures in place to protect the information of their customers from malicious attack.
Common security practices on the ISP side include:
Encrypting data stored on servers
Using permissions to secure access to files and folders
Implementing user accounts
Assigning levels of access based on the user account or group membership
-
ISP Security Considerations
Three steps used to reduce network vulnerability (AAA):
1. Authentication requires users to prove their identity using a username and password.
2. Authorization gives users rights to access specific resources and perform specific tasks.
3. Accounting tracks which applications are used and the length of time that they are used.
ISPs use the RADIUS or TACACS protocols for AAA. RADIUS is a client/server protocol that centralizes the profile information of users in a central database on a RADIUS server.
-
ISP Security Considerations
ISPs must also be concerned with securing data that is transmitted to and from their servers.
By default, data sent over the network is unsecured and transmitted in clear text.
Unauthorized individuals can intercept unsecured data as it is being transmitted.
Encryption: the process of encrypting all transmitted data between the client and the server.
Many of the protocols used to transmit data offer a secure version that uses digital encryption.
As a best practice, use the secure version of a protocol whenever confidential data is being exchanged.
When surfing the Internet and viewing publicly accessible websites, securing the transmitted data is not necessary (it adds computational overhead and slows response time).
-
ISP Security Considerations
Some network protocols offer secured versions for applications:
Web servers: use HTTP by default (not secured). Using HTTPS, which uses the Secure Sockets Layer (SSL) protocol, enables the exchange of data to be performed securely.
Email servers: use several different protocols (SMTP, POP3, and IMAP4). The username and password can be captured. POP3 can be secured by using SSL; SMTP and IMAP4 can use either SSL or Transport Layer Security (TLS) as a security protocol.
Telnet servers: Telnet sends authentication information and any commands a user types across the network in clear text. The Secure Shell (SSH) protocol may be used to authenticate and work with the router or switch securely.
FTP servers: unsecured by default, but they can use SSH.
IP Security (IPsec): a Network Layer security protocol that can be used to secure any Application Layer protocol used for communication.
-
Security Tools
Even with AAA and encryption, there are many different types of attacks that an ISP must protect against.
Denial-of-service (DoS): when a server or service is attacked to prevent legitimate access to that service. E.g. ping flood, bandwidth consumption attacks.
Distributed denial-of-service (DDoS): when multiple computers are used to attack a specific target.
Distributed reflected denial-of-service (DRDoS): when an attacker sends a spoofed request to many computer systems on the Internet, with the source address modified to be a target system. When the computer systems respond to the request, all the responses are directed at the target computer system. Because the attack is reflected, it is very difficult to determine the originator of the attack.
-
Security Tools
Port filtering and access control lists (ACLs) can be used by ISPs to control traffic to servers and networking equipment. They help protect against DoS and DDoS attacks.
Port filtering controls the flow of traffic based on a specific TCP or UDP port.
Many server operating systems have options to restrict access using port filtering.
Access Control Lists (ACLs): define traffic that is permitted or denied through the network based on source and destination IP addresses.
ACLs can also permit or deny traffic based on the source and destination ports of the protocol.
ACLs only prevent access to a network; they do not protect the network from all types of malicious attacks.
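The permit/deny behaviour described on this slide, as an added Python example that is neither Cisco IOS nor the course's own code: rules are tested in order, a rule matches on protocol, source and destination address (CIDR) and source and destination port, the first match decides, and an implicit deny applies when nothing matches. The ACL, the server address 203.0.113.10 and the sample packets are constructed from documentation address ranges.

```python
# Added example (not Cisco IOS and not the course's own code): a first-match
# ACL evaluator with the permit/deny semantics the slide describes.  Rules match
# on protocol, source/destination address (CIDR) and source/destination port;
# when no rule matches, the implicit deny at the end applies.  All addresses
# and rules are constructed from documentation ranges (RFC 5737).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # CIDR; "0.0.0.0/0" means any source
    dst: str
    dport: Optional[int] = None   # None means any destination port
    sport: Optional[int] = None   # None means any source port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Test rules in order; the first match decides.  Returns the action and
    the index of the matching rule, or ("deny", None) for the implicit deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed ACL protecting a DMZ web/mail server at 203.0.113.10.
DMZ_ACL = [
    Rule("deny", "ip", "198.51.100.0/24", "0.0.0.0/0"),                    # blocked source range
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=443),      # HTTPS from anywhere
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=25),       # SMTP from anywhere
    Rule("permit", "udp", "203.0.113.0/24", "203.0.113.10/32", dport=53),  # DNS from the DMZ only
    # implicit deny follows
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.7", "203.0.113.10", 51000, 443),    # customer browsing over HTTPS
    Packet("tcp", "192.0.2.7", "203.0.113.10", 51001, 23),     # Telnet attempt to the server
    Packet("tcp", "198.51.100.5", "203.0.113.10", 4000, 443),  # HTTPS from the blocked range
    Packet("icmp", "192.0.2.9", "203.0.113.10"),               # ping
]


def decisions(acl: List[Rule], packets: List[Packet]) -> List[str]:
    """Action taken for each packet, in order."""
    return [evaluate(acl, pkt)[0] for pkt in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, index = evaluate(DMZ_ACL, pkt)
        where = f"rule {index}" if index is not None else "implicit deny"
        print(f"{pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {action} ({where})")
```

Note how the first sample packet is permitted on the strength of its addresses and port alone: the evaluator never looks at the payload, which is the slide's point that an ACL restricts access but does not protect against every kind of attack.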
-
Security Tools
A firewall is network hardware or software that defines which traffic can come into and go out of sections of the network and how traffic is handled.
ACLs are one of the tools used by firewalls to control which traffic is passed or blocked.
Different firewalls offer different types of features.
The Cisco IOS Firewall software is embedded in the Cisco IOS software.
-
Within an ISP network or a medium-sized business, firewalls are typically implemented in multiple layers: a border firewall and an internal firewall.
Traffic that comes in from an untrusted network first encounters a packet filter on the border router.
Permitted traffic goes through the border router to an internal firewall, which routes traffic to a demilitarized zone (DMZ).
A DMZ is used to store servers that users from the Internet are allowed to access.
The traffic that is allowed into the internal network is usually traffic that is being sent due to a specific request by an internal device.
Internal firewalls restrict access to areas of the network that need to have additional protection, by separating and protecting business resources on servers from users inside the organization.
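The two-layer design on this slide, as an added toy model in Python (not part of the course and not a real firewall): the border filter admits Internet traffic only to published DMZ services, or into the internal network when it is the reply to a session an inside host opened; the internal firewall lets only a designated subnet reach a protected business server. The zones, the protected server 10.20.0.5, the admin subnet and all sample flows are constructed assumptions.

```python
# Added example, not part of the course: a toy model of the two-layer design
# the slide describes.  The border filter admits Internet traffic only to
# published DMZ services, or into the internal network as the reply to a
# session an inside host opened; the internal firewall lets only a designated
# subnet reach a protected server.  Addresses are constructed (RFC 1918/5737).
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

INSIDE = ip_network("10.0.0.0/8")
DMZ = ip_network("203.0.113.0/24")
PROTECTED_SERVER = ip_address("10.20.0.5")     # hypothetical payroll database
ADMIN_SUBNET = ip_network("10.10.0.0/24")      # only these users may reach it
PROTECTED_PORT = ("tcp", 1433)

# DMZ services that Internet users are allowed to reach (constructed).
PUBLISHED: Dict[str, Set[Tuple[str, int]]] = {
    "203.0.113.10": {("tcp", 443), ("tcp", 25)},
}

Flow = Tuple[str, str, int, str, int]          # proto, src, sport, dst, dport


class LayeredFirewall:
    def __init__(self) -> None:
        self.sessions: Set[Flow] = set()       # sessions opened from inside

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """An inside host opens a session; remember it so that the reply is let in."""
        if ip_address(src) not in INSIDE:
            return "deny"
        self.sessions.add((proto, src, sport, dst, dport))
        return "permit"

    def border_inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Packet arriving from the untrusted network at the border router."""
        if ip_address(dst) in DMZ:
            return "permit" if (proto, dport) in PUBLISHED.get(dst, set()) else "deny"
        if ip_address(dst) in INSIDE:
            # Only the reverse of a session that an internal device requested.
            reply_of = (proto, dst, dport, src, sport)
            return "permit" if reply_of in self.sessions else "deny"
        return "deny"

    def internal(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Internal firewall in front of the protected server; other internal
        traffic is left alone in this toy model."""
        if ip_address(dst) != PROTECTED_SERVER:
            return "permit"
        if ip_address(src) in ADMIN_SUBNET and (proto, dport) == PROTECTED_PORT:
            return "permit"
        return "deny"


def run_scenario() -> Dict[str, str]:
    """Constructed walk-through of the checkpoints, in order."""
    fw = LayeredFirewall()
    r: Dict[str, str] = {}
    r["internet_to_dmz_https"] = fw.border_inbound("tcp", "192.0.2.1", 40001, "203.0.113.10", 443)
    r["internet_to_dmz_ssh"] = fw.border_inbound("tcp", "192.0.2.1", 40002, "203.0.113.10", 22)
    # Unsolicited packet aimed at an inside workstation: nothing requested it.
    r["unsolicited_to_inside"] = fw.border_inbound("tcp", "192.0.2.1", 443, "10.10.0.7", 51515)
    # The workstation opens the session itself; now the reply is accepted.
    r["inside_opens_session"] = fw.outbound("tcp", "10.10.0.7", 51515, "192.0.2.1", 443)
    r["reply_to_inside"] = fw.border_inbound("tcp", "192.0.2.1", 443, "10.10.0.7", 51515)
    # Internal firewall: the admin subnet may reach the protected server, others may not.
    r["admin_to_protected"] = fw.internal("tcp", "10.10.0.7", 52000, "10.20.0.5", 1433)
    r["staff_to_protected"] = fw.internal("tcp", "10.30.0.4", 52001, "10.20.0.5", 1433)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

The same packet to the inside workstation is denied before the workstation opens the session and permitted afterwards; that session table is what turns "traffic sent due to a specific request by an internal device" into a rule a filter can apply.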
-
ISPs also have a responsibility to prevent intrusions into their networks and the networks of customers.
There are two tools often utilized to prevent intrusion:
1. Intrusion Detection System (IDS): a software- or hardware-based solution that passively listens to network traffic. Network traffic does not pass through an IDS device. When the IDS detects malicious traffic, it sends an alert to a preconfigured management station.
2. Intrusion Prevention System (IPS): an active physical device or software feature. Traffic travels in one interface of the IPS and out the other. The IPS examines the actual data packets that are in the network traffic and works in real time to permit or deny packets that want access into the network.
An IDS or IPS may be:
A router configured with the Cisco IOS IPS feature
An appliance (hardware) specifically designed to provide dedicated IDS or IPS services
A network module installed in an adaptive security appliance (ASA), switch, or router
-
IDS solutions are reactive in detecting intrusions. They do not stop the initial traffic from passing through to the destination, but react to the detected activity.
The original malicious traffic has already passed through the network to the intended destination and cannot be blocked. Only subsequent traffic is blocked. In this regard, IDS devices cannot prevent some intrusions from being successful.
IPS solutions are proactive. They block all suspicious activity in real time.
When the IPS detects malicious traffic, it blocks the malicious traffic immediately. The IPS then sends an alert to a management station about the intrusion.
The original and subsequent malicious traffic is blocked as the IPS proactively prevents attacks.
-
Wireless Security
A wireless network can be secured by:
Changing default settings: the default values for the SSID, usernames, and passwords.
Enabling authentication: a process of permitting entry to a network based on a set of credentials. There are three types of authentication methods:
1. Open authentication: most often used on public wireless networks.
2. Pre-shared key (PSK): requires a matching, preconfigured key on both the server and the client.
3. Extensible Authentication Protocol (EAP): provides mutual, or two-way, authentication and user authentication. The access point communicates with a backend authentication server, such as RADIUS, to verify the user.
MAC filtering
Prevents unwanted computers from connecting to a network by
-
Encryption
There are three major encryption types for wireless networks.
Wired Equivalent Privacy (WEP): provides data security by encrypting data that is sent between wireless nodes.
WEP uses a 64, 128, or 256 bit pre-shared hexadecimal key to encrypt the data.
A major weakness of WEP is its use of static encryption keys. The same key is used by every device to encrypt every packet transmitted.
Wi-Fi Protected Access (WPA): a newer wireless encryption protocol that uses an improved encryption algorithm called Temporal Key Integrity Protocol (TKIP).
TKIP generates a unique key for each client and rotates the security keys at a configurable interval.
WPA2 is a new, improved version of WPA.
-
Host Security
New vulnerabilities for servers are discovered every day, so it is critical for an ISP to protect its servers from known and unknown vulnerabilities.
One way they accomplish this is by using host-based firewalls: software that runs directly on a host operating system.
Host-based firewalls typically come with predefined rules that block all incoming network traffic. Exceptions are added to the firewall rule set to permit the correct mixture of inbound and outbound network traffic.
ISPs use host-based firewalls to restrict access to the specific services a server offers, by blocking access to the extraneous (not applicable) ports that are available.
-
ISP servers that utilize host-based firewalls are protected from different types of attacks and vulnerabilities, such as:
Known attacks: host-based firewalls can detect a known attack and block traffic on the port used by the attack.
Exploitable services: protect exploitable services running on servers by preventing access to the ports that the service is using.
Worms and viruses: worms and viruses propagate by exploiting vulnerabilities in services and other weaknesses in operating systems.
Back doors and Trojans: block hackers from remotely gaining access to servers on a network.
Host-based firewalls allow filtering based on a computer address and port, therefore offering additional protection over regular port filtering.
-
In addition to host-based firewalls, anti-X software can be installed as a more comprehensive security measure.
Anti-X software protects computer systems from viruses, worms, spyware, spam, etc.
Not all anti-X software protects against the same threats. The ISP should constantly review which threats the anti-X software actually protects against and make recommendations based on a threat analysis of the company.
Many anti-X software packages allow for remote management. This includes a notification system that can alert the administrator or support technician about an infection via email or pager.
Using anti-X software does not diminish the number of threats to the network but reduces the risk of being infected.
-
Monitoring and Managing the ISP
An ISP and a user usually have a contract known as a service level agreement (SLA).
Typical features of an SLA:
The SLA is an important document that clearly outlines the management, monitoring, and maintenance of a network.
-
Monitoring and Managing the ISP
Monitoring network link performance: the ISP is responsible for monitoring and checking device connectivity.
Monitoring and configuration can be performed either out-of-band with a direct console connection, or in-band using a network connection. In-band management is preferred by ISPs, because conventional in-band tools can provide more management functionality, such as an overall view of the network design.
Traditional in-band management protocols include Telnet, SSH, HTTP, and Simple Network Management Protocol (SNMP).
-
Telnet Virtual Terminal (VTY) session
A connection using Telnet is called a Virtual Terminal (VTY) session or connection. The connecting device runs the Telnet client.
To support Telnet client connections, the connected device, or server, runs a service called a Telnet daemon.
With Telnet, users can perform any authorized function on the server, just as if they were using a command line session on the server itself.
A Telnet session can be initiated using the router CLI with the command: telnet [IP address or domain name of remote host]
A Telnet client can connect to multiple servers simultaneously. A Telnet server can support multiple client connections also.
On a router acting as a server, the show sessions command displays all client connections.
-
Secure Shell (SSH): preferred for security
The Telnet protocol supports user authentication, but it does not support the transport of encrypted data. This means that the data can be intercepted and easily understood, including the username and password used to authenticate to the device.
If security is a concern, the Secure Shell (SSH) protocol offers an alternate and secure method for server access. As a best practice, network professionals should always use SSH in place of Telnet whenever possible.
There are two versions of the SSH server service. Which SSH version is supported depends on the Cisco IOS image loaded on the device.
There are many different SSH client software packages available for PCs. An SSH client must support the SSH version configured on the server.
-
SNMP: network management protocol
Enables administrators to gather data about the network and corresponding devices.
SNMP is made up of four main components:
Management station - Computer with the SNMP management application loaded that is used by the administrator to monitor and configure the network.
Management agent - Software installed on a device managed by SNMP.
Management Information Base (MIB) - Database that a device keeps about itself concerning network performance parameters.
Network management protocol - Communication protocol used between the management station and the management agent.
-
Syslog: client/server protocol, used for forwarding network and security event messages
Storing device logs and reviewing them periodically is an important part of network monitoring.
Log messages normally consist of an ID, the type of message, a time stamp (date, time), which device has sent the message, and the message text. Depending on which network equipment is sending the syslog messages, they can contain more items than those listed.
Syslog is the standard for logging system events.
Like SNMP, syslog is an Application Layer protocol that enables devices to send information to a syslog daemon that is installed and running on a management station.
A syslog system is composed of syslog servers and syslog clients. The servers accept and process log messages from syslog clients.
A syslog client is a monitored device that generates and forwards log messages to syslog servers.
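The message fields listed above (ID, type of message, time stamp, sending device, message text), as an added Python example that is not part of the course: a small parser for syslog lines in the BSD/RFC 3164 style that devices commonly forward to a syslog daemon, followed by the kind of periodic review the slide calls for. The sample log is constructed in the style of Cisco IOS messages; the device names edge-rtr1 and dmz-sw2, the sequence numbers and the addresses are made up.

```python
# Added example, not from the course: a small parser for syslog lines in the
# BSD/RFC 3164 style that network devices commonly forward, followed by the
# periodic review the slide calls for.  The sample lines are constructed in the
# style of Cisco IOS messages; device names and addresses are made up.
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # priority = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "       # time stamp (date, time)
    r"(?P<host>\S+) "                                      # which device sent it
    r"(?:(?P<seq>\d+): )?"                                 # optional IOS sequence number (the ID)
    r"(?P<text>.*)$"                                       # message text
)
# Cisco IOS message text starts with %FACILITY-SEVERITY-MNEMONIC: ... (the type of message)
IOS_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): ?(?P<msg>.*)")


@dataclass
class SyslogMessage:
    severity: int             # 0 emergency .. 7 debug
    facility: int
    timestamp: str
    host: str
    seq: Optional[int]        # message ID if the device numbers its messages
    mnemonic: Optional[str]   # e.g. "LOGIN_FAILED"
    text: str


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Parse one forwarded line; returns None when it does not fit the format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    text = m.group("text")
    ios = IOS_RE.match(text)
    return SyslogMessage(
        severity=pri % 8,
        facility=pri // 8,
        timestamp=m.group("ts"),
        host=m.group("host"),
        seq=int(m.group("seq")) if m.group("seq") else None,
        mnemonic=ios.group("mnem") if ios else None,
        text=text,
    )


def parse_log(raw: str) -> List[SyslogMessage]:
    """Parse every non-empty line; unparseable lines are skipped."""
    msgs = [parse_line(line) for line in raw.splitlines() if line.strip()]
    return [m for m in msgs if m is not None]


def severity_counts(msgs: List[SyslogMessage]) -> Counter:
    return Counter(m.severity for m in msgs)


def failed_logins_by_source(msgs: List[SyslogMessage]) -> Counter:
    """Periodic review: how many failed logins did each source address cause?"""
    src_re = re.compile(r"\[Source: ([\d.]+)\]")
    hits: Counter = Counter()
    for m in msgs:
        if m.mnemonic == "LOGIN_FAILED":
            found = src_re.search(m.text)
            if found:
                hits[found.group(1)] += 1
    return hits


# Constructed sample log (documentation addresses), in Cisco IOS message style.
SAMPLE_LOG = """\
<189>Aug  3 12:34:56 edge-rtr1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<188>Aug  3 12:35:10 edge-rtr1 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed] at 12:35:10 UTC
<188>Aug  3 12:35:12 edge-rtr1 47: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed] at 12:35:12 UTC
<190>Aug  3 12:36:01 edge-rtr1 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.77(4455) -> 203.0.113.10(23), 1 packet
<187>Aug  3 12:40:00 dmz-sw2 913: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
this line is not a syslog message and is skipped
"""

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print("messages:", len(msgs), "by severity:", dict(severity_counts(msgs)))
    print("failed logins by source:", dict(failed_logins_by_source(msgs)))
```

Splitting the priority into facility and severity is what lets the management station sort messages by how serious they are, and keeping the sequence number makes gaps visible when a device's messages go missing on the way to the daemon.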
-
Backup and Disaster Recovery
Backup Media
Regardless of the cause of failure, an ISP that hosts websites or email for customers must protect the web and email content from being lost.
Data backup is essential. The job of an IT professional is to reduce the risks of data loss and provide mechanisms for quick recovery of any data that is lost.
Some of the factors in selecting backup media include:
Amount of data
Cost of media
Performance of media
Reliability of media
Ease of offsite storage
There are many types of backup media available, including tapes, optical discs, hard disks, and solid state devices (like flash disks).
-
After backup media is chosen, a backup method must be selected.
1. Normal or Full Backup: copies all selected files, in their entirety. Each file is then marked as having been backed up.
Only the most recent backup is required to restore files. This speeds up and simplifies the restore process.
However, because all data is backed up, a full backup takes the most amount of time.
2. Differential Backup: copies only the files that have been changed since the last full backup.
With differential backups, a full backup on the first day of the backup cycle is necessary.
Only the files that are created or changed since the time of the last full backup are then saved.
The differential backup process continues until another full backup is run.
-
3. Incremental Backup: whereas a differential backup saves files that were changed since the last full backup, an incremental backup only saves files that were created or changed since the last incremental backup.
This means that if an incremental backup is run every day, the backup media would only contain files created or changed on that day.
Incremental backups are the quickest backup.
However, they take the longest time to restore, because the last normal backup and every incremental backup since the last full backup must be restored.
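The three methods described on the last two slides, as an added Python simulation that is not part of the course: each changed file carries an "archive" mark the way backup software marks files as needing backup; full and incremental backups clear the mark and a differential backup does not, which is what makes a differential contain everything since the last full and an incremental only what changed since the previous incremental. The data set, the three days of edits and the file names are constructed; the final comparison of the restored set with the live files is the trial restore that the maintenance slide asks for.

```python
# Added example, not part of the course: a simulation of full, differential and
# incremental backups using an "archive" mark on each changed file, as backup
# software does.  Full and incremental backups clear the mark, a differential
# backup does not.  Files and daily edits are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Backup:
    kind: str                       # "full", "differential" or "incremental"
    files: Dict[str, str]           # path -> content captured on that run


class FileSystem:
    def __init__(self) -> None:
        self.files: Dict[str, str] = {}
        self.archive: Set[str] = set()   # files changed since last marked as backed up

    def write(self, path: str, content: str) -> None:
        self.files[path] = content
        self.archive.add(path)


def full_backup(fs: FileSystem) -> Backup:
    """Copies every file and marks each one as backed up."""
    fs.archive.clear()
    return Backup("full", dict(fs.files))


def differential_backup(fs: FileSystem) -> Backup:
    """Copies files changed since the last full backup; leaves the marks set."""
    return Backup("differential", {p: fs.files[p] for p in sorted(fs.archive)})


def incremental_backup(fs: FileSystem) -> Backup:
    """Copies files changed since the last full or incremental backup, then clears the marks."""
    copied = {p: fs.files[p] for p in sorted(fs.archive)}
    fs.archive.clear()
    return Backup("incremental", copied)


def restore(chain: List[Backup]) -> Dict[str, str]:
    """Apply the full backup first, then the later backups in order; a later copy
    of a file overrides an earlier one.  Deleted files are not modelled here."""
    if not chain or chain[0].kind != "full":
        raise ValueError("a restore chain must start with a full backup")
    restored: Dict[str, str] = {}
    for backup in chain:
        restored.update(backup.files)
    return restored


# Constructed data set and three days of edits after the initial full backup.
INITIAL = {
    "www/index.html": "<h1>site v1</h1>",
    "mail/inbox.mbox": "mail v1",
    "reports/q1.csv": "q1 v1",
}
DAILY_EDITS = [
    [("reports/q1.csv", "q1 v2")],
    [("mail/inbox.mbox", "mail v2")],
    [("reports/q1.csv", "q1 v3")],
]


def simulate(method: str) -> Dict[str, object]:
    """Run one backup cycle with the given method ("differential" or
    "incremental") and finish with a trial restore."""
    fs = FileSystem()
    for path, content in INITIAL.items():
        fs.write(path, content)
    chain = [full_backup(fs)]
    for edits in DAILY_EDITS:
        for path, content in edits:
            fs.write(path, content)
        chain.append(differential_backup(fs) if method == "differential" else incremental_backup(fs))
    if method == "differential":
        needed = [chain[0], chain[-1]]        # full + most recent differential
    else:
        needed = chain                        # full + every incremental since it
    restored = restore(needed)
    return {
        "files_copied_per_run": [len(b.files) for b in chain],
        "backups_needed_to_restore": len(needed),
        "trial_restore_ok": restored == fs.files,   # the check a trial restore performs
    }


if __name__ == "__main__":
    for method in ("differential", "incremental"):
        print(method, simulate(method))
```

The two result lines show the trade-off the slides describe: the differential copies grow day by day (1, 2, 2 files) but a restore needs only the full backup plus the latest differential, while the incrementals stay at one file each and a restore needs the full backup plus every incremental since it.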
-
Backup systems require regular maintenance to keep them running properly.
There are measures that help to ensure that backups are successful:
Swap media: daily swapping of media to maintain a history of backed up data.
Review backup logs: all backup software produces logs. These logs report on the success of the backup or specify where it failed.
Perform trial restores: even if a backup log shows that the backup was successful, there could be other problems not indicated in the log. Periodically perform a trial restore of data to verify that the backup data is usable and that the restore procedure works.
Perform drive maintenance
-
Cisco IOS Software Backup and Recovery
Use TFTP to protect configurations and Cisco IOS software (backup).
Restore a Cisco IOS image using TFTP in ROMmon mode (recovery).
-
Disaster Recovery Plan
A disaster recovery plan is a comprehensive document that describes how to restore operation quickly and keep a business running during or after a disaster occurs.
The objective of the disaster recovery plan is to ensure that the business can adapt to the physical and social changes that a disaster causes.
A disaster can include anything from natural disasters that affect the network structure to malicious attacks on the network itself.
-
There are several steps to accomplish designing an effective recovery plan:
Vulnerability assessment - Determine how vulnerable the critical business processes and associated applications are to common disasters.
Risk assessment - Analyze the risk of a disaster occurring and the associated effects and costs to the business.
Management awareness - Use the information gathered on vulnerability and risks to get senior management approval on the disaster recovery project.
Planning group - Establish a planning group to manage the development and implementation of the disaster recovery strategy and plan.
Prioritize - Assign a priority for each disaster scenario, such as mission critical, important, or minor, for the business network, applications, and systems.
-
After the services and applications that are most critical to a business are identified, that information should be used to create a disaster recovery plan. There are five major phases to creating and implementing a disaster recovery plan:
Phase 1 - Network Design Recovery Strategy
Analyze the network design. Some aspects of the network design that should be included in the disaster recovery are:
Is the network designed to survive a major disaster? Are there backup connectivity options and is there redundancy in the network design?
Availability of offsite servers that can support applications such as email and database services.
Phase 2 - Inventory and Documentation
Create an inventory of all locations, devices, vendors, used services, and contact names.
Verify cost estimates that are created in the risk assessment step.
-
Phase 3 - Verification
Create a verification process to prove that the disaster recovery strategy works. Practice disaster recovery exercises to ensure that the plan is up to date and workable.
Phase 4 - Approval and Implementation
Obtain senior management approval and develop a budget to implement the disaster recovery plan.
Phase 5 - Review
After the disaster recovery plan has been implemented for a year, review the plan.
-
Summary
ISPs provide desktop security services for customers, such as creating passwords, implementing patches and updates, and assigning permissions.
Many protocols offer secure versions utilizing digital encryption, which should be used when the data being exchanged is confidential.
Port filtering and access lists use TCP and UDP port features to permit or deny traffic.
Firewalls can utilize hardware or software to define what traffic can come into or go out of parts of a network.
ISPs are responsible for providing efficient and effective backup and disaster recovery methods for their customers.