Network Security Fundamentals [Electronic resources] - Text version

Gert De Laet, Gert Schauwers


Case Study: Configuring Secure Remote Access


The remote access case study covers the configuration of the AAA server (CiscoSecure ACS) in a real scenario. The setup and configuration of a corporate router are covered using some screenshots of the AAA server. Figure 11-9 illustrates the network diagram of Company XYZ for this scenario.

Figure 11-9. Company XYZ Top-Level Network Layout


The IT manager has decided to configure all internal network devices with AAA authentication. All internal devices authenticate (via TACACS+) with the ACS located on the management VLAN (10.100.1.0/24). When IT engineers need to log in to any network device (routers, switches, firewalls, or concentrators), they are required to authenticate first with a username/password combination, which is maintained centrally on the AAA server.

Figure 11-10 zooms in on an aspect of Figure 11-9 so that only the relevant devices for this case study are shown. The remote IT engineer must log in to router COMMSROOM1 for some maintenance work. For this case study, it is assumed that a secure VPN has been set up for the IT engineer to connect across the Internet to the corporate network.

Figure 11-10. IT Support Network Layout

Before delving into the specific configurations for this case study, examine the TACACS+ configuration tasks required when enabling TACACS+ on a Cisco IOS router.

TACACS+ Configuration Task List


To configure your router to support TACACS+, you must perform the following tasks:

  • Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use TACACS+.

  • Use the tacacs-server host command to specify the IP address of one or more TACACS+ servers. Use the tacacs-server key command to specify an encryption key that is used to encrypt all exchanges between the NAS and the TACACS+ server. This same key must also be configured on the TACACS+ server.

  • Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication.

  • Use line and interface commands to apply the defined method lists to various interfaces.
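The shared key named in the second task is not fed to a conventional cipher. TACACS+ (as specified in RFC 8907, section 4.5) derives an MD5-based pseudo-random pad from the session id, the key, the version byte and the sequence number, and XORs the packet body with that pad; a mismatched key on either side therefore produces an unreadable body rather than an explicit "wrong key" error. The Python below is an added example, not code from the book or from Cisco. It builds the AUTHEN/START body that the debug output in Example 11-6 corresponds to (port tty66, remote address 160.100.1.1, empty user at START), obfuscates it with the key Cisco from Example 11-5, and shows that only the matching key recovers it. Session id 234160424 and version 192 are taken from Example 11-6; the sequence number, the packet builder and the recover_body helper are assumptions made for the example.

```python
"""TACACS+ body obfuscation with the shared tacacs-server key (RFC 8907, section 4.5).

Added example for this case study; not code from the book or from Cisco.
"""
import hashlib
import struct

# Values taken from Examples 11-5 and 11-6 on this page.
SHARED_KEY = b"Cisco"          # tacacs-server key Cisco
SESSION_ID = 234160424         # id=234160424 in the debug output
VERSION = 192                  # ver=192 (major 0xc, minor 0)
SEQ_NO = 1                     # assumption: the START packet is the first in the session

TAC_PLUS_AUTHEN = 0x01                 # header type for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in the clear (never set it)


def tacacs_pad(session_id, key, version, seq_no, length):
    """MD5 chain seeded with session id, key, version and sequence number.

    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_(n-1))
    The pad is the concatenation, truncated to the body length.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice with the same key restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(port, rem_addr, user=b"", priv_lvl=1):
    """AUTHEN/START body for an ASCII login: action=LOGIN, authen_type=ASCII,
    service=LOGIN, followed by the four length bytes and the variable fields.
    The user field is empty at START, as in the debug output (user='NULL')."""
    action, authen_type, service, data = 0x01, 0x01, 0x01, b""
    return (bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def build_packet(body, session_id=SESSION_ID, key=SHARED_KEY, version=VERSION, seq_no=SEQ_NO):
    """12-byte header (version, type, seq_no, flags, session_id, length) plus obfuscated body."""
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def recover_body(packet, key):
    """Parse the header and deobfuscate the body with the given key (the server side)."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    start = build_authen_start(b"tty66", b"160.100.1.1")
    pkt = build_packet(start)
    print("matching key recovers body:", recover_body(pkt, SHARED_KEY) == start)
    print("wrong key recovers body:   ", recover_body(pkt, b"cisco") == start)
```

Because the pad is only as secret as the shared key, RFC 8907 describes this as obfuscation rather than encryption; that is one argument for keeping the ACS on a dedicated management VLAN, as in this scenario, rather than relying on the key alone to protect the exchange.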


Router COMMSROOM1 Setup and Configuration for This Scenario


After enabling AAA, complete the following tasks:


Step 1. Identify the TACACS+ server host (required).

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

Step 2. Specify a TACACS+ key. The command tacacs-server key key sets the encryption key to match that used on the TACACS+ daemon.


Optional configuration tasks:


Step 3. Configure AAA server groups (optional).

Step 4. Configure AAA server group selection based on DNIS (optional).

Step 5. Specify TACACS+ authentication (required).

Step 6. Specify TACACS+ authorization (optional).

Step 7. Specify TACACS+ accounting (optional).

Example 11-5 displays the configuration of a router COMMSROOM1 with TACACS+ authentication for login services.

Example 11-5. TACACS+ Login Example


COMMSROOM1# show running-config
...
<snip>
...
aaa new-model
aaa authentication login SecFundamentals group tacacs+ local
...
<snip>
...
tacacs-server host 10.100.1.246
tacacs-server key Cisco
...
<snip>
...
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication SecFundamentals

The lines in the preceding sample configuration are defined as follows:

  • The aaa new-model command enables the AAA security services.

  • The aaa authentication command defines a method list, "SecFundamentals," to be used on all vty connections. The keyword group tacacs+ means that authentication is accomplished through TACACS+. If TACACS+ returns an error of some sort during authentication, the keyword local indicates that authentication is attempted using the local database on the NAS.

  • The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.100.1.246. The tacacs-server key command defines the shared encryption key to be "Cisco."

  • The line vty 0 4 command selects the vty lines, and the login authentication command applies the method list SecFundamentals to those lines.
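The four configuration tasks and the definitions just given can be checked mechanically against a running-config before a device is put into service. The Python below is an added example, not code from the book or from Cisco. It parses a config in the style of Example 11-5 (the first sample is built from that example with the IOS indentation of line sub-commands restored; the second is a deliberately broken variant constructed for the example) and reports where the TACACS+ task list is incomplete, where a method list falls through to none, and where the vty lines keep settings that the method list makes redundant or that weaken the login, such as exec-timeout 0 0. The parser only recognises the built-in tacacs+ server group, which is all this scenario uses.

```python
"""Audit a Cisco IOS running-config against the TACACS+ configuration task list.

Added example for this case study; not code from the book or from Cisco.
"""
import re

# Constructed from Example 11-5 (COMMSROOM1), with IOS-style indentation of the
# line sub-commands restored.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login SecFundamentals group tacacs+ local
tacacs-server host 10.100.1.246
tacacs-server key Cisco
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication SecFundamentals
"""

# Constructed broken variant: no shared key, the vty lines are not tied to a
# method list, and the list falls through to "none" if the ACS cannot be reached.
BAD_CONFIG = """\
aaa new-model
aaa authentication login SecFundamentals group tacacs+ none
tacacs-server host 10.100.1.246
line vty 0 4
 exec-timeout 0 0
 password cisco
"""


def parse_ios_config(text):
    """Split a config into top-level commands and the sub-commands of each line section.

    Returns (globals, blocks): globals is the list of top-level commands, blocks maps a
    section header such as 'line vty 0 4' to its indented sub-commands.
    """
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        globals_.append(line)
        current = line if line.startswith("line ") else None
        if current:
            blocks[current] = []
    return globals_, blocks


def audit_tacacs(text):
    """Return a list of findings; an empty list means the config meets the task list."""
    globals_, blocks = parse_ios_config(text)
    findings = []
    if "aaa new-model" not in globals_:
        findings.append("aaa new-model missing: AAA, and so TACACS+, is not enabled")
    if not any(g.startswith("tacacs-server host ") for g in globals_):
        findings.append("no tacacs-server host configured")
    if not any(g.startswith("tacacs-server key ") for g in globals_):
        findings.append("no tacacs-server key: exchanges with the ACS would not be obfuscated")

    # Method lists: aaa authentication login <name|default> <method> [<method> ...]
    lists = {}
    for g in globals_:
        m = re.match(r"aaa authentication login (\S+) (.+)", g)
        if m:
            lists[m.group(1)] = m.group(2).split()
    for name, methods in lists.items():
        if "group tacacs+" not in " ".join(methods):
            findings.append(f"method list {name} does not use group tacacs+")
        if "none" in methods:
            findings.append(f"method list {name} falls back to none (open login if the ACS is unreachable)")
        elif "local" not in methods:
            findings.append(f"method list {name} has no local fallback (lockout if the ACS is unreachable)")

    for header, sub in blocks.items():
        if not header.startswith("line vty"):
            continue
        applied = [s.split()[-1] for s in sub if s.startswith("login authentication ")]
        if not applied and "default" not in lists:
            findings.append(f"{header}: no login authentication and no default method list")
        for name in applied:
            if name not in lists:
                findings.append(f"{header}: login authentication references undefined list {name}")
        if "exec-timeout 0 0" in sub:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if applied and any(s.startswith("password ") for s in sub):
            findings.append(f"{header}: line password is set but unused once a method list is applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("COMMSROOM1", GOOD_CONFIG), ("broken variant", BAD_CONFIG)):
        print(f"{label}:")
        for finding in audit_tacacs(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the COMMSROOM1 config the audit passes the task list itself and reports only the two vty-line issues; the broken variant additionally trips the missing key, the none fallback and the unbound vty lines.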


To keep this setup simple, assume that the AAA server is already installed. Figure 11-11 shows the front page of the ACS when logging in to the server.

Figure 11-11. ACS Home


On the AAA server or ACS, you need to define router COMMSROOM1 as a NAS. Figure 11-12 illustrates the configuration of COMMSROOM1 in the server.

Figure 11-12. ACS NAS Configuration


The NAS IP address is defined as 10.100.1.252, as shown in Figure 11-10, and the AAA client host name is set to COMMSROOM1. TACACS+ is the authentication method configured for the COMMSROOM1 client, as displayed in Figure 11-12.

Once the NAS is defined, the network administrator needs to define the users. Figure 11-13 illustrates the LocalIT user configuration on the ACS.

Figure 11-13. ACS User Configurations


This completes the configuration segment for this scenario. Now the remote engineer can try to log in to the COMMSROOM1 router, and AAA authentication using TACACS+ should occur.

Test and Troubleshoot Configuration for This Scenario


To test and visualize this configuration, debug aaa authentication is enabled on the router. Example 11-6 shows the debug output on COMMSROOM1 after the remote engineer attempts to authenticate.

Example 11-6. TACACS+ Login Example



COMMSROOM1#
5d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
5d21h: AAA/MEMORY: create_user (0x82782F8C) user='NULL' ruser='NULL' ds0=0 port='tty66' rem_addr='160.100.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
5d21h: AAA/AUTHEN/START (234160424): port='tty66' list='SecFundamentals' action=LOGIN service=LOGIN
5d21h: AAA/AUTHEN/START (234160424): found list SecFundamentals
5d21h: AAA/AUTHEN/START (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/START packet ver=192 id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETUSER
5d21h: AAA/AUTHEN (234160424): status = GETUSER
COMMSROOM1#
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='(undef)')
5d21h: AAA/AUTHEN (234160424): status = GETUSER
5d21h: AAA/AUTHEN (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/CONT packet id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETPASS
5d21h: AAA/AUTHEN (234160424): status = GETPASS
COMMSROOM1#
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='localIT')
5d21h: AAA/AUTHEN (234160424): status = GETPASS
5d21h: AAA/AUTHEN (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/CONT packet id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = PASS
5d21h: AAA/AUTHEN (234160424): status = PASS
COMMSROOM1#
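The debug output above is the START/GETUSER/CONT/GETPASS/PASS exchange for one session, and the thing to check when reading it is not only the final PASS but which method produced it: a PASS after Method=LOCAL means the router fell through the SecFundamentals list to its local database, which usually signals an unreachable ACS or a key mismatch rather than a healthy login. The Python below is an added example, not code from the book or from Cisco. It groups debug aaa authentication lines by session id and gives a one-line verdict per session. The first sample is Example 11-6 with its wrapped lines joined; the second session is constructed in the same format (an assumption, not from the page) to show what the failover case looks like to the parser.

```python
"""Summarise 'debug aaa authentication' output per session and flag local fallback.

Added example for this case study; not code from the book or from Cisco.
"""
import re

# Session 234160424: the lines of Example 11-6 on this page (wrapped lines joined).
PAGE_DEBUG = """\
5d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
5d21h: AAA/MEMORY: create_user (0x82782F8C) user='NULL' ruser='NULL' ds0=0 port='tty66' rem_addr='160.100.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
5d21h: AAA/AUTHEN/START (234160424): port='tty66' list='SecFundamentals' action=LOGIN service=LOGIN
5d21h: AAA/AUTHEN/START (234160424): found list SecFundamentals
5d21h: AAA/AUTHEN/START (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/START packet ver=192 id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETUSER
5d21h: AAA/AUTHEN (234160424): status = GETUSER
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='(undef)')
5d21h: AAA/AUTHEN (234160424): status = GETUSER
5d21h: AAA/AUTHEN (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/CONT packet id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETPASS
5d21h: AAA/AUTHEN (234160424): status = GETPASS
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='localIT')
5d21h: AAA/AUTHEN (234160424): status = GETPASS
5d21h: AAA/AUTHEN (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/CONT packet id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = PASS
5d21h: AAA/AUTHEN (234160424): status = PASS
"""

# Constructed session in the same format (assumption, not from the page): the ACS
# returns an error, so the SecFundamentals list falls through to the local database.
CONSTRUCTED_FAILOVER = """\
5d22h: AAA/MEMORY: create_user (0x82783A10) user='NULL' ruser='NULL' ds0=0 port='tty67' rem_addr='160.100.1.7' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
5d22h: AAA/AUTHEN/START (234160425): port='tty67' list='SecFundamentals' action=LOGIN service=LOGIN
5d22h: AAA/AUTHEN/START (234160425): found list SecFundamentals
5d22h: AAA/AUTHEN/START (234160425): Method=tacacs+ (tacacs+)
5d22h: TAC+: send AUTHEN/START packet ver=192 id=234160425
5d22h: AAA/AUTHEN (234160425): status = ERROR
5d22h: AAA/AUTHEN (234160425): Method=LOCAL
5d22h: AAA/AUTHEN (234160425): status = GETUSER
5d22h: AAA/AUTHEN/CONT (234160425): continue_login (user='localIT')
5d22h: AAA/AUTHEN (234160425): status = GETPASS
5d22h: AAA/AUTHEN/CONT (234160425): continue_login (user='localIT')
5d22h: AAA/AUTHEN (234160425): Method=LOCAL
5d22h: AAA/AUTHEN (234160425): status = PASS
"""

SESSION_RE = re.compile(r"AAA/AUTHEN(?:/START|/CONT)? \((\d+)\)")


def _grab(pattern, line):
    """First capture group of pattern in line, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def summarize_aaa_debug(text):
    """Return {session_id: summary} with list, methods tried, user, port, peer and final status."""
    port_addr = {}   # port -> rem_addr, taken from the AAA/MEMORY create_user lines
    sessions = {}
    for line in text.splitlines():
        m = re.search(r"create_user .*port='([^']*)' rem_addr='([^']*)'", line)
        if m:
            port_addr[m.group(1)] = m.group(2)
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue   # TAC+ wire lines and other noise carry no AAA session id
        s = sessions.setdefault(m.group(1), {"list": None, "methods": [], "user": None,
                                             "port": None, "rem_addr": None,
                                             "status": None, "errors": 0})
        port = _grab(r"port='([^']*)'", line)
        if port:
            s["port"], s["rem_addr"] = port, port_addr.get(port)
        found = _grab(r"found list (\S+)", line)
        if found:
            s["list"] = found
        method = _grab(r"Method=(\S+)", line)
        if method and method not in s["methods"]:
            s["methods"].append(method)        # order shows any fall-through
        user = _grab(r"user='([^']*)'", line)
        if user and user not in ("(undef)", "NULL"):
            s["user"] = user
        status = _grab(r"status = (\S+)", line)
        if status:
            s["status"] = status               # last status seen is the outcome
            if status == "ERROR":
                s["errors"] += 1
    return sessions


def assess(s):
    """One-line verdict: outcome, peer, and whether the PASS came from the local fallback."""
    user, peer = s["user"] or "?", s["rem_addr"] or "?"
    via = s["methods"][-1] if s["methods"] else "?"
    if s["status"] != "PASS":
        return f"{user} from {peer}: {s['status']} (last method {via})"
    if via.upper() == "LOCAL" and len(s["methods"]) > 1:
        return (f"{user} from {peer}: PASS via LOCAL fallback after {s['errors']} TACACS+ error(s); "
                "check ACS reachability and the shared key")
    return f"{user} from {peer}: PASS via {via}"


def report(text):
    """Verdict lines for every session in the debug text, in order of appearance."""
    return [f"{sid}: {assess(s)}" for sid, s in summarize_aaa_debug(text).items()]


if __name__ == "__main__":
    for line in report(PAGE_DEBUG + CONSTRUCTED_FAILOVER):
        print(line)
```

On the page's own session the verdict is "localIT from 160.100.1.1: PASS via tacacs+", which matches the Passed Authentications entry on the ACS; the constructed session is reported as a PASS via the LOCAL fallback, which is the case to alert on.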

If authentication does not work, the ACS also keeps log files that help to find out why. Figure 11-14 shows the main Reports and Activity page. Examine the TACACS+ log, as displayed in Figure 11-15.

Figure 11-14. ACS Reports and Activities


Figure 11-15. ACS TACACS+ Log


In the passed authentication file, notice the successful authentication of user "localIT" with IP address 160.100.1.1 for NAS 10.100.1.252.
