
Chapter 2: Creating the Secure Network

Objectives
The CCNA Security topics covered in this chapter include:
Creating a Security Policy
Maintaining Operational Security
Evolution of Threats
The Cisco Self-Defending Network
Systems Development Life Cycle (SDLC)
Initiation
Acquisition and Development
Implementation
Operations and Maintenance
Disposition
Initiation
Security categorization
High security level
Medium
Low
Preliminary risk assessment
High-level overview of a system's security requirements
Acquisition and Development
Risk assessment
Security functional requirement analysis
Security assurance requirements analysis
Cost considerations and reporting
Security planning
Security control development
Developmental security test and evaluation
Implementation
Inspection and acceptance: The installation of a
system and its functional requirements are verified.
System integration: The system is integrated with all
required components at its operational site, and its
operation is verified.
Security certification: The operation of the
previously specified security controls is verified.
Security accreditation: After the operation of
required security controls is verified, a system is given
appropriate administrative privileges to process, store,
and/or transmit specific data.
Operations and Maintenance
Configuration management and control
Continuous monitoring
Disposition
Information preservation
Media sanitation
Hardware and software disposal
Operations Security Overview
Separation of duties
Rotation of duties
Trusted recovery
Configuration and change control
Evaluating Network Security
Scanning a network for active IP addresses and open ports
on those IP addresses
Scanning identified hosts for known vulnerabilities
Using password-cracking utilities
Reviewing system and security logs
Performing virus scans
Performing penetration testing (perhaps by hiring an
outside consultant to see if he or she can compromise
specific systems)
Scanning for wireless SSIDs to identify unsecured wireless
networks
Result of Evaluation
Creating a baseline for the information systems level
of protection
Identifying strategies to counter identified security
weaknesses
Complementing other SDLC phases, such as
performing risk assessments
Conducting a cost/benefit analysis when evaluating
additional security measures
Primary Goals of Business Continuity Planning (BCP)
Moving critical business operations to another facility
while the original facility is under repair
Using alternative forms of internal and external
communication
Phases of Recovery
Emergency response phase
Recovery phase
Return to normal operations phase
Types of Disruptions
Non-disaster
Normal business operations are briefly interrupted.
Disaster
Normal business operations are interrupted for one or
more days. However, not all critical resources at a site are
destroyed.
Catastrophe
All resources at a site are destroyed, and normal
business operations must be moved to an alternative
site.
Type of Backup Sites
Hot Site
Warm Site
Cold Site
Security Policy
A security policy is a continually changing document
that dictates a set of guidelines for network use. These
guidelines complement organizational objectives by
specifying rules for how a network is used.
The main purpose of a security policy is to protect an
organization's assets.
Benefits of Security Policy
Making employees aware of their obligations as far as
security practices
Identifying specific security solutions required to meet
the goals of the security policy
Acting as a baseline for ongoing security monitoring
Acceptable Use Policy (AUP)
Identifies what users of a network are and are not
allowed to do on the network
Security Policy Components
Governing Policy
Technical Policies
End-User Policies
Standards, Guidelines, and Procedures
Governing Policy
Identifying the issue addressed by the policy
Discussing the organization's view of the issue
Examining the relevance of the policy to the work
environment
Explaining how employees are to comply with the
policy
Enumerating appropriate activities, actions, and
processes
Explaining the consequences of noncompliance
Technical Policies
E-mail
Wireless networks
Remote access
End-User Policies
End-user policies address security issues and
procedures relevant to end users.
More-Detailed Documents
Standards
Guidelines
Procedures

Security Policy Responsibilities
Chief Security Officer (CSO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Risk Management
Risk Analysis
Threats
Vulnerabilities
Countermeasures
Risk Management
Control physical access
Password protection
Develop a Security Policy
The process of assessing and quantifying risk and establishing an
acceptable level of risk for the organization
Risk can be mitigated, but cannot be eliminated
Risk Assessment
Risk assessment involves determining the likelihood that
the vulnerability is a risk to the organization
Each vulnerability can be ranked by the scale
Sometimes calculating anticipated losses can be helpful in
determining the impact of a vulnerability
Asset Identification
Categories of assets
Information Assets (people, hardware, software, systems)
Supporting Assets (facilities, utilities, services)
Critical Assets (can be either of those listed above)
Attributes of the assets need to be compiled
Determine each item's relative value
How much revenue/profit does it generate?
What is the cost to replace it?
How difficult would it be to replace?
How quickly can it be replaced?
Risk Management Terms
Vulnerability: a system, network or device weakness
Threat: potential danger posed by a vulnerability
Threat agent: the entity that identifies a
vulnerability and uses it to attack the victim
Risk: likelihood of a threat agent taking advantage of
a vulnerability and the corresponding business impact
Exposure: potential to experience losses from a threat
agent
Countermeasure: put into place to mitigate the
potential risk
Understanding Risk
[Diagram: relationships among Threat Agent, Threat, Vulnerability, Risk, Asset, Exposure and Countermeasure, with arrows labeled: Gives rise to, Exploits, Leads to, Can damage, Causes, Can be safeguarded by, Directly affects]
Quantitative Risk Analysis
Exposure Factor (EF)
% of loss of an asset
Single Loss Expectancy (SLE)
EF x Value of asset in $
Annualized Rate of Occurrence (ARO)
A number representing frequency of occurrence of a threat
Example: 0.0 = Never; 1000 = Occurs very often
Annualized Loss Expectancy (ALE)
Dollar value derived from: SLE x ARO

ALE = AV * EF * ARO
SLE = AV * EF
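The formulas above, applied to a small risk register, as an added example that is not part of the original slides. All dollar figures, EF and ARO values and the patching safeguard are constructed for illustration, and the net-benefit rule (ALE before minus ALE after minus the safeguard's yearly cost) is the usual cost/benefit convention, assumed here rather than stated in the chapter.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per incident (0 to 1)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor  # SLE = AV * EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                      # ALE = SLE * ARO


def rank_by_ale(scenarios):
    """Highest annualized loss first: the order in which to address risks."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def safeguard_net_benefit(before, after, annual_cost):
    """Assumed cost/benefit rule: ALE reduction minus yearly safeguard cost."""
    return before.ale - after.ale - annual_cost


# Constructed sample figures, not from the chapter.
WORM = Scenario("A new worm", 200_000, 0.25, 2)
DEFACEMENT = Scenario("Web site defacement", 40_000, 0.5, 1)
FLOOD = Scenario("Flood in datacenter", 1_000_000, 0.5, 0.125)
SCENARIOS = [DEFACEMENT, FLOOD, WORM]

# Hypothetical safeguard: patching cuts the worm's ARO from 2 to 0.5.
WORM_PATCHED = replace(WORM, aro=0.5)

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:22} SLE=${s.sle:>10,.0f}  ALE=${s.ale:>10,.0f}")
    net = safeguard_net_benefit(WORM, WORM_PATCHED, annual_cost=30_000)
    print(f"Net yearly benefit of patching: ${net:,.0f}")
```

A negative net benefit means the safeguard costs more per year than the loss it prevents, which is the case for accepting or transferring the risk instead.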
Risk Analysis Benefits
It identifies a cost/value ratio for the cost of security
measures versus the anticipated value of the security
measures
It justifies requested capital expenditures for security
solutions
It identifies areas in the network that would benefit
most from a security solution
It provides statistics for future security planning
Qualitative Risk Analysis
A new worm
Web site defacement
Fire protection system
Floods datacenter
Exposure values prioritize the order for addressing risks
Managing Risks
Accept: Acknowledge that the risk exists, but apply no safeguard
Transfer: Shift responsibility for the risk to a third party (ISP, insurance, etc.)
Mitigate: Change the asset's risk exposure (apply safeguard)
Avoid: Eliminate the asset's exposure to risk, or eliminate the asset altogether
Factors Contributing to a Secure Network Design
Business needs
Risk analysis
Security policy
Best practices
Security operations
The Cisco Self-Defending Network
Three core characteristics of the Cisco Self-Defending
Network
Integrated

Collaborative

Adaptive
The Cisco Self-Defending Network
Hierarchy

Secure Network Platform
Secure Communications
Threat Containment
Management of Policy and Operations