Slide 1: 125021335_06_2000_c2 2000, Cisco Systems, Inc.

Slide 2: Deploying Secure Networks
Session 2502

Slide 3: What You Can Expect to Learn
- "Network security is a system"
- Detailed network attack methodology
- Threat mitigation options
- Network security design components
- Specific optimizations to existing infrastructure

Slide 4: Deploying Secure Networks (agenda)
- Security Threat Components
- Security Design: an Example
- Design Under Fire
- Threat Mitigation
- Design Optimizations
- Security Design: a Better Example
- Design Under Fire (2)

Slide 5: Distributed Denial of Service (DDoS)

Slide 6: Smurf Attack
- Attempt to overwhelm WAN link to destination
[Diagram: ICMP REQ D=55 S= ; ICMP REPLY D= S=9, S=8, S=7, S=6, S=5, S=4]

Slide 7: DDoS, How Does It Work?
1. Client System: scan for systems to hack
2. Install software to scan for, compromise and infect agents (Handler Systems)
3. Agents get loaded with remote control attack software (Agent Systems)
4. Client issues commands to handlers, which control agents in a mass attack

Slide 8: Stacheldraht Attack
[Diagram: Client, three Handlers each with Agents (25), Internet, Legitimate Customer (x)]

Slide 9: Stacheldraht Attack (client session)
    * stacheldraht *
    (c) in 1999 by .
    trying to connect.
    connection established.
    enter the passphrase : sicken
    entering interactive session.
    * welcome to stacheldraht *
    type .help if you are lame
    stacheldraht(status: a!1 d!0).micmp

Slide 10: Stacheldraht Transport Details
- Client communication: SRC: Client, DST: Handler, Port: 16660, Data: encrypted via blowfish
- Agent to handler communication: SRC: Agent, DST: Handler, ICMP Type: 0 (Echo Reply), ICMP ID: 666, ICMP Data: skillz; SRC: Handler, DST: Agent, ICMP Type: 0 (Echo Reply), ICMP ID: 667, ICMP Data: ficken
- Agent to handler communication (spoof check): SRC: (not shown), DST: Handler, ICMP Type: 0 (Echo Reply), ICMP ID: 666, ICMP Data: Agent IP; SRC: Handler, DST: Agent, ICMP Type: 0 (Echo Reply), ICMP ID: 1000, ICMP Data: spoofworks

Slide 11: Root Kits

Slide 12: Application Layer Attacks

Slide 13: Port Redirection Attack
[Diagram: Attacker, Compromised Host A, Host B]
- Source: Attacker, Destination: A, Port: 25
- Source: A, Destination: B, Port: 23
- Source: Attacker, Destination: B, Port: 23

Slide 14: Deploying Secure Networks (agenda, as slide 4)

Slide 15: How Is Enterprise Security Deployed Today?
[Diagram: Building Module, Mainframe Module, WAN Module (Core, Distribution, Access), Server Module, Internet Module with Public Services (SMTP, DNS, WWW) and Back-End Database, Internet]

Slide 16: Access Router ACL (no state, inbound s0)
Source | Destination | Protocol | Action
Outside | DMZ | SMTP | Permit
Outside | DMZ | HTTP | Permit
Outside | DMZ | DNS | Permit
Outside | DMZ | SSL | Permit
Outside | Any | Established TCP, UDP replies | Permit
Outside | Any | ICMP Echo/Reply | Permit

Slide 17: Firewall Rules
Source | Destination | Protocol | Action
Internal | Any | Any | Permit
Web Server | Back-End Database | SQL | Permit
Pub. SMTP | Int. SMTP | SMTP | Permit
Any | Any | ICMP Echo-Reply | Permit
DMZ | Internal | SSH | Permit

Slide 18: Design Considerations
- Dual "firewall" configuration
- Inbound traffic limited to relevant services on DMZ
- SSH allowed for encrypted remote administration
- Open internal network
- Full outbound access allowed (no traditional FTP)

Slide 19: Deploying Secure Networks (agenda, as slide 4)

Slide 20: Bring on the Hackers!
- Phase 1: Network recon
- Phase 2: "Own" a system
- Phase 3: Exploit trust
- Phase 4: Get the goods
- Phase 5: "Own" the network
NETWORK COMPROMISE
[Diagram: Building Module, Mainframe Module, WAN Module, Server Module, Internet, public SMTP, DNS and HTTP/SSL servers]

Slide 21: Network Recon
- Ping sweep
- Port scan
- Others: Whois, DNS, web pages
Scorecard: Network Security 0, Hacker 0

Slide 22: "Own" a System
- Vulnerability scan
- CGI-BIN vulnerability
- Start xterm
- Buffer overflow vulnerability
- Get "root"
- Result: ownership of one host
OWNED: HTTP/SSL. Scorecard: Network Security 0, Hacker 1
    bash-2.02$ id
    uid=11117(networkers) gid=1(other)
    bash-2.02$ cat /etc/shadow
    cat: cannot open /etc/shadow
    bash-2.02$ ls -l
    total 48
    -rwxr-xr-x 1 networkers other 24563 Nov 10 13:58 ex_lib
    bash-2.02$ ./ex_lib
    jumping address : efffe7b8
    # id
    uid=11117(networkers) gid=1(other) euid=0(root) egid=3(sys)
    # cat /etc/shadow
    root:07AUBkfmBv7O2:11043:
    toor:r1CjeWYEWNMDk:10955:
    daemon:NP:6445:

Slide 23: Exploit Trust
- More recon: log files, processes, config files, password cracking, sniffing
- Back-end database discovered
OWNED: HTTP/SSL. Scorecard: Network Security 0, Hacker 1

Slide 24: Get the Goods!
- Set up port redirection
- Execute attack
- Root via cracked passwords
Flows: Source: Attacker, Destination: Web Server, Port: 25 (SMTP); Source: Web Server, Destination: Back-End Database, Port: 22 (SSH); Source: Attacker, Destination: Back-End Database, Port: 22 (SSH)
OWNED: HTTP/SSL, Back-End Database. Scorecard: Network Security 0, Hacker 2

Slide 25: "Own" the Network
- Past the firewall
- No more security
- More recon
- Vulnerability exploits
OWNED: HTTP/SSL, Back-End Database. Scorecard: Network Security 0, Hacker 2

Slide 26: "Own" the Network (cont.)
- Past the firewall
- No more security
- More recon
- Vulnerability exploits
- Hacker has a new playground!
Scorecard: Network Security 0, Hacker 752

Slide 27: Crunchy on the Outside, Soft in the Middle

Slide 28: Distributed Denial of Service Attack
- Phase 1: Set up distribution network
- Phase 2: Pick a target and attack
- Now that he has the network, why not have fun?

Slide 29: Set Up a Distribution Net
- Client infects handler
- Handler seeks out and infects agents
[Diagram: Client, Handler, Agents, Internet]

Slide 30: Attack!
- Client coordinates attack
- Victim bandwidth is quickly eliminated
[Diagram: Client, Distribution Network A and Distribution Network B (Handlers, Agents (25)), ISP, Internet, Victim Network]

Slide 31: Attack Review
- Network compromise was completely successful
- Firewall acted as configured
- Vulnerabilities started at the host level via an out-of-date system
- Network DDoS was completely successful
- All available Internet bandwidth was consumed
- Site under attack could have had DoS protection measures on their routers and firewalls and it wouldn't have made a difference

Slide 32: Deploying Secure Networks (agenda, as slide 4)

Slide 33: Threat Mitigation
[Matrix] Threats: Application Layer Attacks, Root Kits, DDoS Source, DDoS Victim, Password Cracking, Port Redirection
Mitigations: Good System Administration, Proper Trust Model, Committed Access Rate, RFC 1918 Filtering, RFC 2827 Filtering, Intrusion Detection

Slide 34: Threat Mitigation (Cont.)
[Matrix] Threats: Application Layer Attacks, Root Kits, DDoS Source, DDoS Victim, Password Cracking, Port Redirection
Mitigations: Private VLANs, Network Audit, Verify Unicast RP Forwarding, SP Filtering, Specific Filtering, VMPS VLANs

Slide 35: Good System Administration
"A new study by Cisco Secure Consulting Services offers some insight into where many common vulnerabilities exist in IT network systems. The study, which analyzed 33 midsize and large customer sites over a period of six months, found vulnerabilities in all the customer sites, but almost all the vulnerabilities could be traced to outdated software or lax system administration maintenance, not to inherent flaws in the systems. While the need for careful system administration and continual system security analysis has been well-understood, Cisco's study indicates that most businesses, especially those that are conducting E-commerce activities over the Internet, aren't being careful enough."
Information Week, February 21, 2000, Issue: 774

Slide 36: Good System Administration
- Basics: mailing lists, patches, logging
- Fundamentals: strong or one-time passwords, encryption, switched infrastructure
- Tips: Firewalls or sysadmins? After you log it, read or analyze it!

Slide 37: Intrusion Detection Systems
- Host and network: both have their place
- False positives
- Placement
- Alarm or enforce?
[Diagram: Attacker, Public Services, Internal Services, Internal Users]

Slide 38: Proper Trust Model
[Diagram: Public Host A, Public Host B, Admin Host C, Database Server Host D; ok, ok, x, x]

Slide 39: Committed Access Rate
- Rate limiting
- Several ways to filter
- "Token bucket" implementation
[Diagram: Traffic Matching Specification -> Traffic Measurement Instrumentation (Tokens, Burst Limit) -> Action Policy (Conforming Traffic, Excess Traffic) -> Next Policy]

Slide 40: CAR Rate Limiting
- Limit outbound ping to 256 Kbps
- Limit inbound TCP SYN packets to 8 Kbps
    interface xy
     rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
    !
    access-list 102 permit icmp any any echo
    access-list 102 permit icmp any any echo-reply

    interface xy
     rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
    !
    access-list 103 deny tcp any host established
    access-list 103 permit tcp any host

Slide 41: RFC 1918 Filtering
[Diagram: ISP Network, Customer Network, Ingress to Internet]
    interface Serial n
     ip access-group 101 in
    !
    access-list 101 deny ip 55 any
    access-list 101 deny ip 55 any
    access-list 101 deny ip 55 any
    access-list 101 permit ip any any

Slide 42: RFC 2827 Filtering
[Diagram: ISP Network, Customer Network :/16, Ingress to Internet]
- Ingress packets must be from customer addresses
    interface Serial n
     ip access-group 101 in
    !
    access-list 101 permit 55 any
    access-list 101 deny ip any any
- Egress from Internet
- Egress packets cannot be from and to customer
- Ensure ingress packets are valid
    interface Serial n
     ip access-group 120 in
     ip access-group 130 out
    !
    access-list 120 deny ip 55 any
    access-list 120 permit ip any any
    !
    access-list 130 permit 55 any
    access-list 130 deny ip any any

Slide 43: Verify Unicast Reverse-Path
- Mitigates source address spoofing by checking that a packet's return path uses the same interface it arrives on
- Best implemented at your ISP
- Requires CEF
- Not appropriate where asymmetric paths exist
    ip cef distributed
    !
    interface Serial n
     ip verify unicast reverse-path

Slide 44: Service Provider Filtering
- Best in e-commerce environments
- DDoS mitigation
- Bandwidth optimization
[Diagram: Attacker, DDoS Agent, Customer with Public Services, Internal Services, Internal Users]
- ok: Ports 80, 443
- x: Source: DDoS Agent, Destination: Public Services, Port: UDP flood
- x: Source: Attacker, Destination: Public Services, Port: 23 (Telnet)

Slide 45: Private VLANs
[Diagram: Primary VLAN with two Promiscuous Ports; Community VLAN A and Community VLAN B; Isolated VLAN with Isolated Ports; x marks blocked paths]
- Only one subnet!

Slide 46: VMPS VLANs
- Associates VLAN assignment with MAC address
- VMPS server simplifies management
- Consider User Registration Tool: VLANs via NT and Novell usernames

Slide 47: Network Audit Fundamentals
- Syslog: least common denominator for most network equipment; nearly all Cisco products support output to a syslog system
- IP accounting: adds additional visibility into ACL violations
- Network vulnerability analysis: allows an external perspective of your network

Slide 48: Optional Network Audit Tools
- Dedicated log analysis tool: allows drill down into multiple systems for manual event correlation
- Homegrown scripts: great for specific logging applications
- Event correlation systems: just beginning to be seen in the market; very promising idea

Slide 49: Specific Filtering
- No outbound for web servers
- Be specific on other access
- Consider the risks of ICMP
- Add IDS if full ICMP is required
[Diagram: Customer with Public Services, Internal Services, Internal Users; ok, ok; x: Source: Public Services, Destination: Internet, Port: Any]

Slide 50: Deploying Secure Networks (agenda, as slide 4)

Slides 51-56: Design Optimizations (one item added per slide over the module diagram: Building Module, Mainframe Module, WAN Module, Server Module, Internet, Back-end Database, HTTP/SSL, SMTP, DNS)
- Public host placement
- Intrusion detection placement
- Catalyst features
- Router filtering/firewalling
- Encryption
- Network audit

Slide 57: Internet Module
Problems:
- Public services are not protected
- Internet links are vulnerable to DDoS attacks
- No effective visibility into host attacks

Slide 58: Firewall the Access Routers
- Pro: No topology impact
- Pro: Session vs. packet tracking
- Pro: Multiple perimeters
- Con: Router performance impact

Slide 59: Add a Third Firewall Interface
- Pro: Third interface increases security
- Pro: Leaves routers routing
- Con: Increased load on firewalls
- Con: Topology impact

Slide 60: Do Both!
- Pro: Maximum security
- Pro: Tiered filtering and audit model
- Con: Performance impact

Slide 61: DDoS Vulnerability
Solution:
- CAR at ISP and local access router
- RFC 1918 and 2827 filtering
- Other optimizations as described earlier
[Diagram: Internet Module with CAR]

Slide 62: Host Security Visibility
Solution:
- Intrusion detection deployment
- Network audit
- Private VLANs
[Diagram: Internet Module with CAR]

Slide 63: Server Module
Problems:
- No security (I think that covers it!)

Slide 64: Server Module
Solutions:
- Segment department-specific servers to department VLANs
- Filter between VLANs based on network number
- Private VLANs for corporate-wide servers
- IDS
- Network audit

Slide 65: Building Module
Problems:
- Disparate points of access
- Hosts are hard to protect and manage

Slide 66: Building Module
Solutions:
- VMPS VLANs
- Private VLANs

Slide 67: Mainframe Module
Problems:
- Mainframe security is often overlooked in security deployments
- No access control

Slide 68: Mainframe Module
Solutions:
- AAA and access control at ingress router
- Consider encryption when existing Layer 7 access is in the clear
- Network audit

Slide 69: WAN Module
Problems:
- Trust issues with Internet connections also exist with traditional "private" WAN links
- Physical issues
- Packets in clear
- Auditing is seldom done

Slide 70: WAN Module
Solutions:
- Network audit
- Encryption (Layer 3 or 7): for security enthusiasts only

Slide 71: Deploying Secure Networks (agenda, as slide 4)

Slide 72: Security Design (a Better Example)
[Diagram: Building Module, Mainframe Module, WAN Module (Core, Distribution, Access), Server Module, Internet Module with CAR, Internet]

Slide 73: Access Router ACL (Stateful, Inbound s0)
Source | Destination | Protocol | Action
Outside | Mail Server | SMTP | Permit
Outside | Web Server | HTTP | Permit
Outside | DNS Server | DNS | Permit
Outside | Web Server | SSL | Permit
[Diagram: Internet Module with CAR]

Slide 74: Access Router ACL (Stateful, Inbound e0)
Source | Destination | Protocol | Action
Internal | Any | Any | Permit
Mail Server | Outside | SMTP | Permit
DNS | Outside | DNS | Permit
[Diagram: Internet Module with CAR]

Slide 75: Firewall Rules
Source | Destination | Protocol | Action
Internal | Any | Any | Permit
Web Server | Back-End Database | SQL | Permit
Pub. SMTP | Int. SMTP and Outside | SMTP | Permit
DNS | Outside | DNS | Permit
Outside | Mail Server | SMTP | Permit
Outside | Web Server | HTTP | Permit
Outside | DNS Server | DNS | Permit
Outside | Web Server | SSL | Permit
[Diagram: Internet Module with CAR]

Slide 76: Deploying Secure Networks (agenda, as slide 4)

Slide 77: Bring on the Hackers (Again)
[Diagram: Building Module, Mainframe Module, WAN Module, Server Module, Internet Module with CAR, Internet]

Slide 78: Network Compromise Attack
- Phase 1: Network recon. Same level of success; IDS alarmed on activity
- Phase 2: "Own" a system. Properly patched system would likely not be vulnerable, but let's assume it is. Xterm would fail, preventing the buffer overflow attack
- Phase 3: Exploit trust. Assuming port redirection was successful (which it was not), no interactive sessions are possible from web server to inside
- Phase 4 and 5: Fail due to no inbound access from server systems
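The transport details on the Stacheldraht slide (echo replies with ICMP ID 666/667/1000 and the payload markers skillz, ficken and spoofworks, plus the spoof check that carries the agent's IP in the data) are enough to write a detector. This is an added example, not Cisco's code or the tool's; all packets and addresses are constructed for the demo.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY = 0
# ICMP ID -> (direction, payload marker), copied from the transport-details slide
CONTROL_IDS = {
    666: ("agent->handler", b"skillz"),
    667: ("handler->agent", b"ficken"),
    1000: ("handler->agent spoof-check answer", b"spoofworks"),
}


def build_echo_reply(ident: int, data: bytes) -> bytes:
    """Constructed ICMP type 0 message for the demo (checksum left at 0)."""
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, 0) + data


def parse_icmp(msg: bytes):
    """Return (type, identifier, data) from a raw ICMP message."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, _code, _csum, ident, _seq = struct.unpack("!BBHHH", msg[:8])
    return typ, ident, msg[8:]


def classify(src: str, msg: bytes):
    """Label one ICMP message, or return None when nothing matches."""
    typ, ident, data = parse_icmp(msg)
    if typ != ICMP_ECHO_REPLY or ident not in CONTROL_IDS:
        return None
    direction, marker = CONTROL_IDS[ident]
    if marker in data.lower():
        return f"stacheldraht {direction} id={ident}"
    if ident == 666:
        # Spoof check: ID 666 whose data is the agent's real address. When the
        # IP source differs, the agent is testing whether spoofed packets get out.
        try:
            claimed = ipaddress.ip_address(data.rstrip(b"\x00").decode("ascii", "replace"))
        except ValueError:
            return None
        spoofed = str(claimed) != src
        return f"stacheldraht spoof probe: agent {claimed}, spoofed src={spoofed}"
    return None


def scan(packets):
    """Apply classify to (src, dst, icmp_bytes) tuples; return the hits."""
    return [(src, dst, hit) for src, dst, msg in packets
            if (hit := classify(src, msg)) is not None]


# Constructed sample: agent 10.1.1.5, handler 192.0.2.10, plus an ordinary ping reply.
SAMPLE = [
    ("10.1.1.5", "192.0.2.10", build_echo_reply(666, b"skillz")),
    ("192.0.2.10", "10.1.1.5", build_echo_reply(667, b"ficken")),
    ("198.51.100.7", "192.0.2.10", build_echo_reply(666, b"10.1.1.5")),
    ("192.0.2.10", "10.1.1.5", build_echo_reply(1000, b"spoofworks")),
    ("192.0.2.1", "10.1.1.5", build_echo_reply(4242, b"ordinary ping data")),
]
```

A real sensor would feed `scan` from a capture; the spoof-probe verdict is the interesting one for the RFC 2827 discussion, since it shows an agent checking whether its upstream lets forged sources out.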
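The Committed Access Rate slides describe CAR as a token bucket with a burst limit and conform/exceed actions, and the CAR Rate Limiting slide gives the 256000 bps / 8000-byte ping limiter and the ACL 103 SYN limiter. The model below is an added example, not Cisco code: it replays a constructed ping flood through the slide's output policy and shows which TCP segments the "deny established / permit tcp" pair hands to the input limiter. Extended burst is not modelled.

```python
from dataclasses import dataclass

TCP_ACK, TCP_RST, TCP_SYN = 0x10, 0x04, 0x02


@dataclass
class Packet:
    t_us: int          # arrival time, microseconds
    size: int          # length in bytes
    proto: str         # "icmp" or "tcp"
    tcp_flags: int = 0


class CarLimiter:
    """One CAR token bucket: rate in bits/s, normal burst in bytes.

    Tokens (bytes) refill at rate/8 per second up to the burst limit. A packet
    that finds enough tokens conforms (conform-action transmit); otherwise it
    exceeds (exceed-action drop).
    """

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps, self.burst = rate_bps, burst_bytes
        self.tokens, self.last_us = burst_bytes, 0   # bucket starts full

    def offer(self, pkt: Packet) -> bool:
        elapsed = pkt.t_us - self.last_us
        self.last_us = pkt.t_us
        # bytes earned since the last packet: bits/s * us / (8 * 1e6), integer math
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps // 8_000_000)
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return True      # conform-action transmit
        return False         # exceed-action drop


def matches_acl_103(pkt: Packet) -> bool:
    """access-list 103: 'deny tcp ... established' then 'permit tcp ...'.
    IOS 'established' matches segments with ACK or RST set, so what falls
    through to the permit line (and into the 8 kbps limiter) is new SYNs."""
    return pkt.proto == "tcp" and not pkt.tcp_flags & (TCP_ACK | TCP_RST)


def ping_flood_outcome(n_packets: int = 1000, interval_us: int = 1000, size: int = 1000):
    """Constructed flood: 1000-byte echo requests every 1 ms (8 Mbps offered)
    into the slide's 256000 bps / 8000-byte output limiter. Returns
    (transmitted, dropped): the 8000-byte burst passes, then about one
    packet per 31 ms, i.e. 32000 bytes/s."""
    car = CarLimiter(256_000, 8_000)
    verdicts = [car.offer(Packet(i * interval_us, size, "icmp")) for i in range(n_packets)]
    return verdicts.count(True), verdicts.count(False)
```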
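The RFC 1918, RFC 2827 and Verify Unicast Reverse-Path slides are three checks on the same ISP-to-customer link: drop private sources entering the Internet, permit only the customer's own prefix outbound and refuse packets claiming a customer source inbound, and require the source to route back out the arriving interface. The code below is an added example, not Cisco's; the customer prefix (the slide's /16 lost its digits, so a documentation /24 stands in), interface names and route table are constructed.

```python
import ipaddress
from typing import Dict, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology: Serial0 faces the customer, Serial1 faces the Internet.
CUSTOMER = ipaddress.ip_network("198.51.100.0/24")
ROUTES: Dict[ipaddress.IPv4Network, str] = {
    CUSTOMER: "Serial0",
    ipaddress.ip_network("0.0.0.0/0"): "Serial1",
}


def fib_interface(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match over ROUTES, standing in for the CEF FIB lookup."""
    hits = [n for n in ROUTES if addr in n]
    return ROUTES[max(hits, key=lambda n: n.prefixlen)] if hits else None


def urpf_ok(src: str, arrived_on: str) -> bool:
    """ip verify unicast reverse-path: the source must route back out the
    interface the packet arrived on (strict; fails on asymmetric paths)."""
    return fib_interface(ipaddress.ip_address(src)) == arrived_on


def to_internet(src: str) -> str:
    """Packet from the customer toward the Internet (ingress to Internet)."""
    a = ipaddress.ip_address(src)
    if any(a in n for n in RFC1918):
        return "deny: RFC 1918 source"          # access-list 101 deny ip <private> any
    if a not in CUSTOMER:
        return "deny: not a customer address"  # RFC 2827: permit <customer> any, deny any any
    return "permit"


def from_internet(src: str) -> str:
    """Packet from the Internet toward the customer (egress from Internet)."""
    a = ipaddress.ip_address(src)
    if a in CUSTOMER:
        return "deny: spoofed customer source"  # access-list 120 deny ip <customer> any
    return "permit"                             # access-list 120 permit ip any any


def check(src: str, arrived_on: str) -> str:
    """Apply the ACL for the arrival side, then uRPF, as an edge router with
    both features configured on the customer link would."""
    verdict = to_internet(src) if arrived_on == "Serial0" else from_internet(src)
    if verdict == "permit" and not urpf_ok(src, arrived_on):
        return "deny: uRPF failed"
    return verdict
```

Note that with only a default route plus the customer prefix, uRPF and the RFC 2827 ACL reject the same packets; uRPF earns its keep when the route table is large and the ACL would have to be maintained by hand.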