Routers, and Firewalls
MIS 450 Auditing and Security Controls
Ted Wallerstedt, Community Faculty
Networking Hardware
Switches: Layer 2 devices for networks within a local network; a switch sends a frame only to the port with the correct destination MAC address.
Network Addresses
MAC address (media access control): assigned to each NIC (network interface card); unique.
IP address (Internet Protocol): static, unique to a computer; now dynamically assigned within a LAN.
Network Models
OSI Model
Firewalls
Protect information in security zones.
Packet filtering: layer 3 routers with a list of IP addresses.
Stateful packet inspection: layers 3 and 4; session states from layers 4 and 5 are protected from other traffic.
Application proxies: layer 7 (proxies hide the source of the communication).
Application-level gateways: layer 7; dynamically refuse or allow access to the application.
1. How
Monitor security mailing lists (seclists.org).
Routinely apply the latest patches.
Strictly follow existing configuration guidelines
(http://www.juniper.net/techpubs/software/junos/junos94/swconfig-routing/bgp-configurationguidelines.html).
Regularly scan for vulnerabilities and run pen tests.
Regularly compare the actual configuration with the guidelines.
Issue regular status reports on network security to upper management.
3. Unnecessary services are disabled
Unnecessary services are susceptible to attack.
Make sure exceptions have a legitimate business need.
Figure 5-3: Cisco device services that should be disabled.
4. Follow good SNMP management practices
Simple Network Management Protocol: gives full administrative access to network devices.
Check if SNMP is supported.
Version 3 authenticates packets and encrypts passwords.
Version 2 uses clear text and is not authenticated.
Follow standard password policies.
Users should be restricted.
5. Procedures for user accounts
Only create accounts when necessary.
Remove or disable obsolete accounts.
Strong login procedures.
Never share accounts.
6. Password controls
Strong, encrypted, change required.
Passwords
Passwords should be unique for privileged modes of operation.
Type 5 encryption: strong, MD5 hash.
Type 7: weak, reversible algorithm.
Any plain text passwords should not be the same as any encrypted passwords.
Don't share passwords across different devices.
Encrypted management protocols: SSH, Kerberized Telnet, IPsec, SNMPv3.
Switches (Layer 2)
Avoid using VLAN 1: Cisco routers by default have all ports assigned to VLAN 1, so intruders can easily get to everything.
Trunk autonegotiation.
Spanning-Tree Protocol attack mitigation is ON.
VLANs
Virtual LANs break up domains and divide the network into multiple security levels.
Disable unused ports and put them in an unused VLAN.
VLAN Trunking Protocol (VTP) distributes config info over trunks; an attacker could change or destroy all VLANs.
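As an added example (not code from the course slides or from Cisco), the following Python script audits a Cisco IOS-style configuration text against the checks in items 3, 4 and 6 and the switch/VLAN points above: unnecessary services, SNMP v1/v2c community strings, Type 0/7 passwords and "enable password" in place of "enable secret", Telnet on the vty lines, ports left in VLAN 1 (including disabled ports not parked in an unused VLAN), trunk autonegotiation, PortFast without BPDU guard, and VTP server mode. The sample configuration is constructed, the list of unneeded services is an assumption (the course's Figure 5-3 is the authoritative list), and the function and check names are the example's own.

```python
"""Audit a Cisco IOS-style config text against the course checklist.
Added example; the sample config is constructed, not from a real device."""
import re

SAMPLE_CONFIG = """\
hostname core-sw1
enable password 7 094F471A1A0A
username admin password 7 0822455D0A16
service finger
ip http server
cdp run
snmp-server community public RO
snmp-server group netops v3 priv
vtp mode server
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode dynamic desirable
interface FastEthernet0/24
 switchport access vlan 999
 shutdown
line vty 0 4
 transport input telnet
"""

# Assumed examples of services rarely needed on a network device; the course's
# Figure 5-3 is the authoritative list and is not reproduced here.
UNNEEDED_SERVICES = {"service finger", "ip finger", "ip http server", "cdp run",
                     "service tcp-small-servers", "service udp-small-servers",
                     "ip bootp server", "ip source-route"}

REMEDIATION = {
    "unnecessary-service": "disable unless a documented business need exists",
    "snmp-v1v2c-community": "remove the community string; use SNMPv3 (auth + priv)",
    "enable-password-not-secret": "use 'enable secret' (Type 5, MD5 hash) instead",
    "weak-user-password-type": "Type 0/7 is plaintext/reversible; use 'username ... secret'",
    "cleartext-management": "allow SSH only: 'transport input ssh'",
    "access-port-on-vlan1": "assign a dedicated VLAN; never leave ports in VLAN 1",
    "shutdown-port-on-vlan1": "park disabled ports in an unused VLAN, not VLAN 1",
    "trunk-autonegotiation": "'switchport mode access' plus 'switchport nonegotiate'",
    "stp-mitigation-off": "enable BPDU guard on PortFast ports",
    "vtp-server-mode": "use transparent/off mode so a trunk cannot rewrite the VLAN database",
}


def parse_config(text):
    """Split config into global commands and indented blocks keyed by their
    header line (e.g. 'interface FastEthernet0/1', 'line vty 0 4')."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        line, current = raw.strip(), None
        if line.startswith(("interface ", "line ")):
            current, blocks[line] = line, []
        else:
            global_lines.append(line)
    return global_lines, blocks


def audit(text):
    """Return a list of (check, detail) tuples for the given config text."""
    glines, blocks = parse_config(text)
    findings = []
    for g in glines:
        m = re.match(r"username (\S+) password (?:(\d) )?\S+$", g)
        if g in UNNEEDED_SERVICES:
            findings.append(("unnecessary-service", g))
        elif g.startswith("snmp-server community "):
            findings.append(("snmp-v1v2c-community", g.split()[2]))
        elif g.startswith("enable password "):
            findings.append(("enable-password-not-secret", "enable password"))
        elif m and (m.group(2) or "0") in ("0", "7"):  # no type digit means Type 0
            findings.append(("weak-user-password-type", m.group(1)))
        elif g == "vtp mode server":
            findings.append(("vtp-server-mode", g))
    bpduguard_default = "spanning-tree portfast bpduguard default" in glines
    for hdr, body in blocks.items():
        if hdr.startswith("line vty"):
            for b in body:
                if b.startswith("transport input") and ("telnet" in b or b.endswith(" all")):
                    findings.append(("cleartext-management", hdr))
            continue
        body_set = set(body)
        vlan = next((b.split()[-1] for b in body if b.startswith("switchport access vlan ")), None)
        in_vlan1 = vlan in (None, "1")  # heuristic: no explicit assignment means VLAN 1
        if "shutdown" in body_set:
            if in_vlan1:
                findings.append(("shutdown-port-on-vlan1", hdr))
        elif "switchport mode access" in body_set and in_vlan1:
            findings.append(("access-port-on-vlan1", hdr))
        if any(b.startswith("switchport mode dynamic") for b in body):
            findings.append(("trunk-autonegotiation", hdr))
        if ("spanning-tree portfast" in body_set and not bpduguard_default
                and "spanning-tree bpduguard enable" not in body_set):
            findings.append(("stp-mitigation-off", hdr))
    return findings


def report(text):
    """One line per finding, with the recommended fix from REMEDIATION."""
    lines = [f"{c}: {d} -> {REMEDIATION[c]}" for c, d in audit(text)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it against a saved "show running-config" to get the findings list; each finding names the check, the offending command or interface, and the remediation, which maps directly onto the "compare actual with guidelines" step in item 1. The VLAN 1 and VTP checks are heuristics on the config text alone; confirm them on the device with the relevant show commands before reporting.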
Firewall controls