Discovery SMB ISP Chapter8

8/3/2019 Discovery SMB ISP Chapter8

2007 Cisco Systems, Inc. All rights reserved.

    ISP Responsibility

    Working at a Small-to-Medium Business or ISP Chapter 8


    Objectives

Describe ISP security policies and procedures.

Describe the tools used in implementing security at the ISP.

Describe the monitoring and managing of the ISP.

Describe the responsibilities of the ISP with regard to maintenance and recovery.


    ISP Security Considerations

Any active Internet connection can make a computer a target for malicious activity.

Problems that cause large-scale failures in ISP networks often originate from the ISP customer locations.

ISPs play a big role in helping to protect the home and business users that use their services.

An important part of the job of an on-site support technician in an ISP is to implement security best practices on client computers, which includes:

Helping clients to create secure passwords

Securing applications

Removing unnecessary applications and services that can cause vulnerabilities

Configuring firewalls

Performing security scans


    ISP Security Considerations

ISPs have measures in place to protect the information of their customers from malicious attack.

Common security practices on the ISP side include:

Encrypting data stored on servers

Using permissions to secure access to files and folders

Implementing user accounts

Assigning levels of access based on the user account or group membership


ISP Security Considerations

Three steps are used to reduce network vulnerability (AAA):

1. Authentication requires users to prove their identity using a username and password.

2. Authorization gives users rights to access specific resources and perform specific tasks.

3. Accounting tracks which applications are used and the length of time that they are used.

ISPs use the RADIUS or TACACS protocols for AAA. RADIUS is a client/server protocol that centralizes the profile information of users in a central database on a RADIUS server.


ISP Security Considerations

ISPs must also be concerned with securing data that is transmitted to and from their servers.

By default, data sent over the network is unsecured and transmitted in clear text.

Unauthorized individuals can intercept unsecured data as it is being transmitted.

Encryption: the process of encrypting all transmitted data between the client and the server.

Many of the protocols used to transmit data offer a secure version that uses digital encryption.

As a best practice, use the secure version of a protocol whenever confidential data is being exchanged.

When surfing the Internet and viewing publicly accessible websites, securing the transmitted data is not necessary (it adds computational overhead and slows response time).


ISP Security Considerations

Some network protocols offer secured versions for applications:

Web servers: use HTTP by default (not secured). Using HTTPS, which uses the Secure Sockets Layer (SSL) protocol, enables the exchange of data to be performed securely.

Email servers: use several different protocols (SMTP, POP3, and IMAP4). The username and password can be captured. POP3 can be secured by using SSL; SMTP and IMAP4 can use either SSL or Transport Layer Security (TLS) as a security protocol.

Telnet servers: Telnet sends authentication information and any commands a user types across the network in clear text. The Secure Shell (SSH) protocol may be used to authenticate and work with the router or switch securely.

FTP servers: unsecured by default, but they can use SSH.

IP Security (IPsec): a Network Layer security protocol that can be used to secure any Application Layer protocol used for communication.


Security Tools

Even with AAA and encryption, there are many different types of attacks that an ISP must protect against:

Denial-of-service (DoS): when a server or service is attacked to prevent legitimate access to that service. Examples: ping flood, bandwidth consumption attacks.

Distributed denial-of-service (DDoS): when multiple computers are used to attack a specific target.

Distributed reflected denial-of-service (DRDoS): when an attacker sends a spoofed request to many computer systems on the Internet, with the source address modified to be a target system. When the computer systems respond to the request, all the responses are directed at the target computer system. Because the attack is reflected, it is very difficult to determine the originator of the attack.


Security Tools

Port filtering and access control lists (ACLs) can be used by ISPs to control traffic to servers and networking equipment. They help protect against DoS and DDoS attacks.

Port filtering controls the flow of traffic based on a specific TCP or UDP port. Many server operating systems have options to restrict access using port filtering.

Access control lists (ACLs) define the traffic that is permitted or denied through the network based on source and destination IP addresses. ACLs can also permit or deny traffic based on the source and destination ports of the protocol.

ACLs only prevent access to a network; they do not protect the network from all types of malicious attacks.


Security Tools

A firewall is network hardware or software that defines which traffic can come into and go out of sections of the network and how that traffic is handled.

ACLs are one of the tools used by firewalls to control which traffic is passed or blocked.

Different firewalls offer different types of features.

The Cisco IOS Firewall software is embedded in the Cisco IOS software.


Within an ISP network or a medium-sized business, firewalls are typically implemented in multiple layers: a border firewall and an internal firewall.

Traffic that comes in from an untrusted network first encounters a packet filter on the border router.

Permitted traffic goes through the border router to an internal firewall, which routes traffic to a demilitarized zone (DMZ).

A DMZ is used to host servers that users from the Internet are allowed to access.

The traffic that is allowed into the internal network is usually traffic that is being sent in response to a specific request by an internal device.

Internal firewalls restrict access to areas of the network that need additional protection, by separating and protecting business resources on servers from users inside the organization.

(Diagram on next slide.)


ISPs also have a responsibility to prevent intrusions into their networks and the networks of customers.

There are two tools often used to prevent intrusion:

1. Intrusion Detection System (IDS): a software- or hardware-based solution that passively listens to network traffic. Network traffic does not pass through an IDS device. When the IDS detects malicious traffic, it sends an alert to a preconfigured management station.

2. Intrusion Prevention System (IPS): an active physical device or software feature. Traffic travels in one interface of the IPS and out the other. The IPS examines the actual data packets in the network traffic and works in real time to permit or deny packets that want access into the network.

An IDS or IPS may be:

A router configured with Cisco IOS IPS

An appliance (hardware) specifically designed to provide dedicated IDS or IPS services

A network module installed in an adaptive security appliance (ASA), switch, or router


IDS solutions are reactive in detecting intrusions. They do not stop the initial traffic from passing through to the destination, but react to the detected activity. The original malicious traffic has already passed through the network to the intended destination and cannot be blocked. Only subsequent traffic is blocked. In this regard, IDS devices cannot prevent some intrusions from being successful.

(Interactive activity: 8.2.3, page 2)

IPS solutions are proactive. They block all suspicious activity in real time. When the IPS detects malicious traffic, it blocks the malicious traffic immediately. The IPS then sends an alert to a management station about the intrusion. The original and subsequent malicious traffic is blocked as the IPS proactively prevents attacks.

(Interactive activity: 8.2.3, page 3)


Wireless Security

A wireless network can be secured by:

Changing default settings: the default values for the SSID, usernames, and passwords.

Enabling authentication: a process of permitting entry to a network based on a set of credentials. There are three types of authentication methods:

1. Open authentication: most often used on public wireless networks.

2. Pre-shared key (PSK): requires a matching, preconfigured key on both the server and the client.

3. Extensible Authentication Protocol (EAP): provides mutual, or two-way, authentication and user authentication. The access point communicates with a backend authentication server, such as RADIUS, to verify the user.

MAC filtering: prevents unwanted computers from connecting to a network by


Encryption

There are three major encryption types for wireless networks:

Wired Equivalent Privacy (WEP): provides data security by encrypting data that is sent between wireless nodes. WEP uses a 64-, 128-, or 256-bit pre-shared hexadecimal key to encrypt the data. A major weakness of WEP is its use of static encryption keys: the same key is used by every device to encrypt every packet transmitted.

Wi-Fi Protected Access (WPA): a newer wireless encryption protocol that uses an improved encryption algorithm called Temporal Key Integrity Protocol (TKIP). TKIP generates a unique key for each client and rotates the security keys at a configurable interval.

WPA2 is a newer, improved version of WPA.


Host Security

New vulnerabilities for servers are discovered every day, so it is critical for an ISP to protect its servers from known and unknown vulnerabilities.

One way ISPs accomplish this is by using host-based firewalls: software that runs directly on a host operating system.

Host-based firewalls typically come with predefined rules that block all incoming network traffic. Exceptions are added to the firewall rule set to permit the correct mixture of inbound and outbound network traffic.

ISPs use host-based firewalls to restrict access to the specific services a server offers, by blocking access to the extraneous (not applicable) ports that are available.


ISP servers that use host-based firewalls are protected from different types of attacks and vulnerabilities, such as:

Known attacks: host-based firewalls can detect a known attack and block traffic on the port used by the attack.

Exploitable services: host-based firewalls protect exploitable services running on servers by preventing access to the ports that the service is using.

Worms and viruses: worms and viruses propagate by exploiting vulnerabilities in services and other weaknesses in operating systems.

Back doors and Trojans: host-based firewalls block hackers from remotely gaining access to servers on a network.

Host-based firewalls allow filtering based on a computer address and port, therefore offering additional protection over regular port filtering.
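Both the ACL slide under Security Tools and the host-based firewall slides above describe the same mechanism: an ordered list of permit/deny rules matched on addresses and ports, with a first-match-wins evaluation and an implicit deny for anything no rule mentions. The following Python model is an added example, not part of the Cisco course material; the server address, management subnet, rules and packets are constructed (documentation address ranges), and the behaviour it shows is the generic one, not any particular firewall product's.

```python
"""Ordered permit/deny evaluation as done by an ACL or a host-based firewall.

Added example (not part of the Cisco course material). The addresses, rules
and packets below are constructed for illustration. First matching rule wins;
a packet that matches no rule is denied, which is the implicit deny at the end
of a Cisco ACL and the "block all incoming traffic" default of a host firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"            # protocol to match, or "any"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dst: str = "0.0.0.0/0"        # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that matched).

    The index is None when no rule matched and the implicit deny applied."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def filter_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Verdict for each packet, in order."""
    return [evaluate(rules, pkt)[0] for pkt in packets]


# Constructed rule set for a public web server (documentation addresses):
# anyone may reach HTTP and HTTPS, only the ISP's management subnet may
# reach SSH, and everything else is left to the implicit deny.
SERVER = "203.0.113.10/32"
MGMT_NET = "192.0.2.0/24"
WEB_SERVER_RULES = [
    Rule("permit", "tcp", dst=SERVER, dport=80),
    Rule("permit", "tcp", dst=SERVER, dport=443),
    Rule("permit", "tcp", src=MGMT_NET, dst=SERVER, dport=22),
    Rule("deny", "tcp", dst=SERVER, dport=22),   # explicit, so SSH attempts get their own counter
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # customer browsing over HTTPS
    Packet("tcp", "192.0.2.15", "203.0.113.10", 22),      # admin SSH from the management subnet
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),    # SSH attempt from the Internet
    Packet("tcp", "198.51.100.7", "203.0.113.10", 3306),  # database port nobody should reach
    Packet("icmp", "198.51.100.7", "203.0.113.10"),       # ping
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, idx = evaluate(WEB_SERVER_RULES, pkt)
        where = "implicit deny" if idx is None else f"rule {idx}"
        print(f"{action:6s} ({where:13s}) {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Two things worth checking on any real rule set show up directly in this model: rule order matters (placing a broad deny first would shadow every permit after it), and the filter only looks at addresses, protocol and port. That is exactly the caveat the slide gives: the ACL keeps unwanted traffic off a port, but it does not inspect what arrives on the ports it permits.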


In addition to host-based firewalls, anti-X software can be installed as a more comprehensive security measure.

Anti-X software protects computer systems from viruses, worms, spyware, spam, and so on.

Not all anti-X software protects against the same threats. The ISP should constantly review which threats the anti-X software actually protects against and make recommendations based on a threat analysis of the company.

Many anti-X software packages allow for remote management. This includes a notification system that can alert the administrator or support technician about an infection via email or pager.

Using anti-X software does not diminish the number of threats to the network, but it reduces the risk of being infected.


Monitoring and Managing the ISP

An ISP and a user usually have a contract known as a service level agreement (SLA).

Typical features of an SLA:

The SLA is an important document that clearly outlines the management, monitoring, and maintenance of a network.


Monitoring and Managing the ISP

Monitoring network link performance: the ISP is responsible for monitoring and checking device connectivity.

Monitoring and configuration can be performed either out-of-band, with a direct console connection, or in-band, using a network connection.

In-band management is preferred by ISPs: conventional in-band tools can provide more management functionality, such as an overall view of the network design.

Traditional in-band management protocols include Telnet, SSH, HTTP, and Simple Network Management Protocol (SNMP).


Telnet Virtual Terminal (VTY) session

A connection using Telnet is called a Virtual Terminal (VTY) session or connection. The connecting device runs the Telnet client.

To support Telnet client connections, the connected device, or server, runs a service called a Telnet daemon.

With Telnet, users can perform any authorized function on the server, just as if they were using a command line session on the server itself.

A Telnet session can be initiated from the router CLI with the command: telnet [IP address or domain name of remote host]

A Telnet client can connect to multiple servers simultaneously. A Telnet server can also support multiple client connections.

On a router acting as a server, the show sessions command displays all client connections.


Secure Shell (SSH): preferred for security

The Telnet protocol supports user authentication, but it does not support the transport of encrypted data. This means that the data can be intercepted and easily understood, including the username and password used to authenticate to the device.

If security is a concern, the Secure Shell (SSH) protocol offers an alternate and secure method for server access. As a best practice, network professionals should always use SSH in place of Telnet whenever possible.

There are two versions of the SSH server service. Which SSH version is supported depends on the Cisco IOS image loaded on the device.

There are many different SSH client software packages available for PCs. An SSH client must support the SSH version configured on the server.


SNMP: network management protocol

SNMP enables administrators to gather data about the network and the corresponding devices.

SNMP is made up of four main components:

Management station: a computer with the SNMP management application loaded that is used by the administrator to monitor and configure the network.

Management agent: software installed on a device managed by SNMP.

Management Information Base (MIB): a database that a device keeps about itself concerning network performance parameters.

Network management protocol: the communication protocol used between the management station and the management agent.


Syslog: client/server protocol used for forwarding network and security event messages

Storing device logs and reviewing them periodically is an important part of network monitoring.

Log messages normally consist of an ID, the type of message, a time stamp (date, time), which device sent the message, and the message text. Depending on which network equipment is sending the syslog messages, they can contain more items than those listed.

Syslog is the standard for logging system events.

Like SNMP, syslog is an Application Layer protocol that enables devices to send information to a syslog daemon that is installed and running on a management station.

A syslog system is composed of syslog servers and syslog clients. The servers accept and process log messages from syslog clients. A syslog client is a monitored device that generates and forwards log messages to syslog servers.
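The slide lists the fields a syslog message carries but does not show what the management station actually has to do with them. The parser below is an added example, not from the Cisco course material: it pulls the ID, message type, time stamp, sending device and text out of constructed sample lines, recovers the facility and severity from the PRI header, and produces the kind of summary a periodic log review needs. The header layout assumed is the classic BSD syslog form (`<PRI>timestamp hostname body`) and the body follows the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC: text` convention; device names, sequence numbers and addresses in the sample are invented.

```python
"""Parse syslog messages as a management station receives them from routers and
switches, extracting the fields the slide lists (ID, message type, time stamp,
sending device, message text), then summarize them for a periodic log review.

Added example, not from the Cisco course material. The log lines are
constructed; the header layout follows the classic BSD syslog format
(<PRI>TIMESTAMP HOSTNAME MESSAGE) and the message body follows the Cisco IOS
%FACILITY-SEVERITY-MNEMONIC: text convention.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# <PRI>Mmm dd hh:mm:ss hostname body
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$"
)
# Optional sequence number, optional device-side time stamp, then the message ID.
BODY = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:\*?[A-Z][a-z]{2} +\d+ [\d:.]+: )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$"
)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def parse_line(line: str) -> Optional[Dict]:
    """Return the parsed fields, or None if the line is not a well-formed message."""
    h = HEADER.match(line.strip())
    if h is None:
        return None
    b = BODY.match(h["body"])
    if b is None:
        return None
    pri = int(h["pri"])
    severity = pri % 8                      # PRI = facility * 8 + severity
    return {
        "device": h["host"],
        "timestamp": h["ts"],
        "seq": int(b["seq"]) if b["seq"] else None,
        "facility": pri // 8,
        "severity": severity,
        "msg_id": f"%{b['fac']}-{b['sev']}-{b['mn']}",
        "text": b["text"],
        # The severity digit in the message ID should agree with the PRI header;
        # a disagreement means something rewrote the message on its way here.
        "sev_consistent": int(b["sev"]) == severity,
    }


def review(log_text: str) -> Dict:
    """Summarize a batch of lines the way a periodic log review would."""
    events: List[Dict] = []
    unparsed: List[str] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            unparsed.append(raw)       # unparseable lines deserve a look themselves
        else:
            events.append(ev)
    return {
        "events": events,
        "unparsed": unparsed,
        "by_severity": dict(Counter(SEVERITY_NAMES[e["severity"]] for e in events)),
        "needs_attention": [e for e in events if e["severity"] <= 3],   # error or worse
        "inconsistent": [e for e in events if not e["sev_consistent"]],
    }


# Constructed sample: two devices sending to the management station. PRI 187 is
# facility local7 (23) with severity 3, 189 is severity 5, 190 is severity 6.
# The third line deliberately carries a PRI that disagrees with its message ID.
SAMPLE_LOG = """\
<187>Aug  3 10:15:02 rtr-edge-1 12: *Aug  3 10:15:01.991: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<189>Aug  3 10:15:30 rtr-edge-1 13: *Aug  3 10:15:29.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.15)
<190>Aug  3 10:16:00 sw-core-2 7: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
this line is not a syslog message at all
<190>Aug  3 10:17:45 rtr-edge-1 14: *Aug  3 10:17:44.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51234) -> 203.0.113.10(22), 1 packet
"""

if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    print("by severity:", summary["by_severity"])
    for e in summary["needs_attention"]:
        print("ATTENTION", e["device"], e["timestamp"], e["msg_id"], e["text"])
    for e in summary["inconsistent"]:
        print("PRI/message severity mismatch:", e["device"], e["msg_id"])
    for raw in summary["unparsed"]:
        print("could not parse:", raw)
```

The review keeps three lists apart on purpose: the entries at error level or worse that a technician should read first, entries whose header and body disagree about severity, and lines that did not parse at all. The last two are easy to drop silently in a quick script, and both are worth a second look on a monitoring station.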


Backup and Disaster Recovery

Backup Media

Regardless of the cause of failure, an ISP that hosts websites or email for customers must protect the web and email content from being lost. Data backup is essential.

The job of an IT professional is to reduce the risks of data loss and provide mechanisms for quick recovery of any data that is lost.

Some of the factors in selecting backup media include:

Amount of data

Cost of media

Performance of media

Reliability of media

Ease of offsite storage

There are many types of backup media available, including tapes, optical discs, hard disks, and solid state devices (like flash disks).


After backup media is chosen, a backup method must be selected.

1. Normal or Full Backup: copies all selected files in their entirety. Each file is then marked as having been backed up. Only the most recent backup is required to restore files, which speeds up and simplifies the restore process. However, because all data is backed up, a full backup takes the most time.

2. Differential Backup: copies only the files that have been changed since the last full backup. With differential backups, a full backup on the first day of the backup cycle is necessary. Only the files that are created or changed since the time of the last full backup are then saved. The differential backup process continues until another full backup is run.


3. Incremental Backup: whereas a differential backup saves files that were changed since the last full backup, an incremental backup only saves files that were created or changed since the last incremental backup. This means that if an incremental backup is run every day, the backup media would only contain files created or changed on that day. Incremental backups are the quickest backup. However, they take the longest time to restore, because the last normal backup and every incremental backup since the last full backup must be restored.
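The three backup methods are easiest to compare by running them over the same week of changes and then restoring from each. The simulation below is an added example, not from the Cisco course material. The file change history and the two schedules are constructed; a file's "version" is simply the day it was last written, so the restore can be checked against what the live server held. It models full backups as marking every file backed up, differential backups as copying everything changed since the last full (leaving the marks alone), and incremental backups as copying everything changed since the previous backup of any kind (clearing the marks), which is the behaviour the slides describe.

```python
"""Full, differential and incremental backups modelled over one backup cycle.

Added example, not from the Cisco course material. The file change history and
schedules are constructed. A file's "version" is the day it was last modified,
so a restore can be checked against what the live server actually held.
"""
from typing import Dict, List, Tuple

Backups = Dict[int, Tuple[str, Dict[str, int]]]   # day -> (kind, {file: version})

# Constructed change history for a small hosting server: day -> files written.
# Day 0 is the first day of the backup cycle.
CHANGES: Dict[int, List[str]] = {
    0: ["web/index.html", "web/about.html", "mail/alice.mbox", "mail/bob.mbox"],
    1: ["mail/alice.mbox"],
    2: ["web/index.html", "mail/bob.mbox"],
    3: [],
    4: ["mail/alice.mbox", "web/contact.html"],
}
DIFFERENTIAL_SCHEDULE = {0: "full", 1: "differential", 2: "differential",
                         3: "differential", 4: "differential"}
INCREMENTAL_SCHEDULE = {0: "full", 1: "incremental", 2: "incremental",
                        3: "incremental", 4: "incremental"}


def simulate(changes: Dict[int, List[str]],
             schedule: Dict[int, str]) -> Tuple[Backups, Dict[str, int]]:
    """Run the schedule over the change history.

    Returns the backup set written each day and the final live file versions.
    full: every file, and all files are marked as backed up.
    differential: files changed since the last full backup (marks left alone).
    incremental: files changed since the last backup of any kind (marks cleared).
    """
    live: Dict[str, int] = {}
    changed_since_full: set = set()
    changed_since_any: set = set()
    backups: Backups = {}
    for day in sorted(changes):
        for path in changes[day]:
            live[path] = day
            changed_since_full.add(path)
            changed_since_any.add(path)
        kind = schedule.get(day)
        if kind is None:
            continue
        if kind == "full":
            chosen = set(live)
            changed_since_full.clear()
            changed_since_any.clear()
        elif kind == "differential":
            chosen = set(changed_since_full)
        elif kind == "incremental":
            chosen = set(changed_since_any)
            changed_since_any.clear()
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        backups[day] = (kind, {path: live[path] for path in chosen})
    return backups, live


def restore_chain(backups: Backups, day: int) -> List[int]:
    """Backup days that must be restored, in order, to rebuild the data as of `day`."""
    days = [d for d in sorted(backups) if d <= day]
    last_full = max(d for d in days if backups[d][0] == "full")
    later = [d for d in days if d > last_full]
    kinds = {backups[d][0] for d in later}
    if len(kinds) > 1:
        raise ValueError("mixing differential and incremental in one cycle is not modelled")
    if kinds == {"differential"}:
        return [last_full, later[-1]]       # the newest differential covers all the rest
    return [last_full] + later              # every incremental since the full is needed


def restore(backups: Backups, day: int) -> Tuple[List[int], Dict[str, int]]:
    """Apply the restore chain oldest to newest; later copies overwrite earlier ones."""
    chain = restore_chain(backups, day)
    state: Dict[str, int] = {}
    for d in chain:
        state.update(backups[d][1])
    return chain, state


if __name__ == "__main__":
    for name, schedule in (("differential", DIFFERENTIAL_SCHEDULE),
                           ("incremental", INCREMENTAL_SCHEDULE)):
        backups, live = simulate(CHANGES, schedule)
        sizes = [len(backups[d][1]) for d in sorted(backups)]
        chain, restored = restore(backups, 4)
        print(f"{name}: files per backup {sizes}, restore chain {chain}, "
              f"matches live data: {restored == live}")
```

Running it shows the trade-off in numbers: the differential sets grow through the week (4, 1, 3, 3, 4 files) but a restore needs only two pieces of media, while the incremental sets stay small (4, 1, 2, 0, 2) and a restore needs the full backup plus every incremental since it. The `restore` function is also the trial restore the maintenance slide asks for: comparing its result with the live data is what proves the chain is complete.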


Backup systems require regular maintenance to keep them running properly. There are measures that help to ensure that backups are successful:

Swap media: daily swapping of media to maintain a history of backed-up data.

Review backup logs: all backup software produces logs. These logs report on the success of the backup or specify where it failed.

Perform trial restores: even if a backup log shows that the backup was successful, there could be other problems not indicated in the log. Periodically perform a trial restore of data to verify that the backup data is usable and that the restore procedure works.

Perform drive maintenance.


Cisco IOS Software Backup and Recovery

Use TFTP to protect configurations and Cisco IOS software (backup).

Restore a Cisco IOS image using TFTP in ROMmon mode (recovery).


Disaster Recovery Plan

A disaster recovery plan is a comprehensive document that describes how to restore operation quickly and keep a business running during or after a disaster occurs.

The objective of the disaster recovery plan is to ensure that the business can adapt to the physical and social changes that a disaster causes.

A disaster can include anything from natural disasters that affect the network structure to malicious attacks on the network itself.


There are several steps in designing an effective recovery plan:

Vulnerability assessment: determine how vulnerable the critical business processes and associated applications are to common disasters.

Risk assessment: analyze the risk of a disaster occurring and the associated effects and costs to the business.

Management awareness: use the information gathered on vulnerability and risks to get senior management approval on the disaster recovery project.

Planning group: establish a planning group to manage the development and implementation of the disaster recovery strategy and plan.

Prioritize: assign a priority for each disaster scenario, such as mission critical, important, or minor, for the business network, applications, and systems.


After the services and applications that are most critical to a business are identified, that information should be used to create a disaster recovery plan. There are five major phases to creating and implementing a disaster recovery plan:

Phase 1 - Network Design Recovery Strategy: analyze the network design. Some aspects of the network design that should be included in the disaster recovery are:

Is the network designed to survive a major disaster? Are there backup connectivity options, and is there redundancy in the network design?

Availability of offsite servers that can support applications such as email and database services.

Phase 2 - Inventory and Documentation: create an inventory of all locations, devices, vendors, used services, and contact names. Verify the cost estimates that were created in the risk assessment step.


Phase 3 - Verification: create a verification process to prove that the disaster recovery strategy works. Practice disaster recovery exercises to ensure that the plan is up to date and workable.

Phase 4 - Approval and Implementation: obtain senior management approval and develop a budget to implement the disaster recovery plan.

Phase 5 - Review: after the disaster recovery plan has been implemented for a year, review the plan.


Summary

ISPs provide desktop security services for customers, such as creating passwords, implementing patches and updates, and assigning permissions.

Many protocols offer secure versions using digital encryption, which should be used when the data being exchanged is confidential.

Port filtering and access lists use TCP and UDP port features to permit or deny traffic.

Firewalls can use hardware or software to define what traffic can come into or go out of parts of a network.

ISPs are responsible for providing efficient and effective backup and disaster recovery methods for their customers.
