2502 1335_06_2022_c2 69 © 2022, Cisco Systems, Inc.

WAN Module: Problems
• Trust issues with Internet connections also exist with traditional "private" WAN links
• Physical issues
• Packets in clear
• Auditing is seldom done

WAN Module: Solutions
• Network audit
• Encryption (Layer 3 or 7)
  For security enthusiasts only…

Deploying Secure Networks (agenda)
• Security Threat Components
• Security Design—an Example
• Design Under Fire
• Threat Mitigation
• Design Optimizations
• Security Design—a Better Example
• Design Under Fire (2)

Security Design (a Better Example)
(diagram: Building Module, Mainframe Module, WAN Module and Server Module, each built from Core, Distribution and Access layers, attached to the Internet Module through an access router running CAR)

Access Router ACL (Stateful Inbound s0)
  Source    Destination   Protocol   Action
  Outside   Mail Server   SMTP       Permit
  Outside   Web Server    HTTP       Permit
  Outside   DNS Server    DNS        Permit
  Outside   Web Server    SSL        Permit
(diagram: Internet Module, CAR)

Access Router ACL (Stateful Inbound e0)
  Source        Destination   Protocol   Action
  Internal      Any           Any        Permit
  Mail Server   Outside       SMTP       Permit
  DNS           Outside       DNS        Permit
(diagram: Internet Module, CAR)

Firewall Rules
  Source        Destination             Protocol   Action
  Internal      Any                     Any        Permit
  Web Server    BackEnd Database        SQL        Permit
  Pub. SMTP     Int. SMTP and Outside   SMTP       Permit
  DNS           Outside                 DNS        Permit
  Outside       Mail Server             SMTP       Permit
  Outside       Web Server              HTTP       Permit
  Outside       DNS Server              DNS        Permit
  Outside       Web Server              SSL        Permit
(diagram: Internet Module, CAR)

Deploying Secure Networks (agenda, repeated; next item: Design Under Fire (2))
• Security Threat Components
• Security Design—an Example
• Design Under Fire
• Threat Mitigation
• Design Optimizations
• Security Design—a Better Example
• Design Under Fire (2)

Bring on the Hackers (Again)
(diagram: the better design, Building, Mainframe, WAN, Server and Internet Modules with CAR at the edge, as the target)

Network Compromise Attack
• Phase 1: Network recon
  Same level of success, but the IDS alarmed on the activity
• Phase 2: "Own" a system
  A properly patched system would likely not be vulnerable, but let's assume it is...
  The xterm would fail, preventing the buffer overflow attack
• Phase 3: Exploit trust
  Assuming port redirection was successful (which it was not), no interactive sessions are possible from the web server to the inside
• Phases 4 and 5: Fail due to no inbound access from the server systems

Crunchy on the Outside… Crunchy in the Middle

Distributed Denial of Service Attack
• Phase 1: Set up a distribution network
  The attack would fail on our network, but the attacker has many networks to choose from
  Assuming the attack worked, CAR, IDS, RFC 2827 filtering and auditing would detect it
• Phase 2: Attack
  CAR stopped the TCP SYN and ICMP DDoS attacks
  UDP flooding was still successful
  Could be fixed with SP filtering or extensive CAR configuration

Lessons Learned
• Network security IS a system
• Network security is only as strong as your weakest link
• Network security is about more than firewalls
• Good system administration is the most important component of network security

Summary
• Security Threat Components
• Security Design—an Example
• Design Under Fire
• Threat Mitigation
• Design Optimizations
• Security Design—a Better Example
• Design Under Fire (2)
• Questions?

Further Reading
• Other Networkers Sessions: 2503, 2504, 2505, 2400, 2401, 2403, 2404 and 2405
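The attack replays above are easier to follow with the three rule tables written down as a filter that can be queried. The block below is an added example and is not code from the Cisco session: it transcribes the s0 ACL, the e0 ACL and the firewall rules as a stateful first-match permit list, adds the RFC 2827 anti-spoofing check, and runs the "Design Under Fire (2)" steps through it (the exploit delivered over permitted HTTP, the xterm the compromised web server tries to push back out, the trust-exploitation attempts toward the inside, and a spoofed DDoS flood). All addresses, the SQL port and the use of tcp/6000 for the xterm are constructed assumptions, not values from the slides.

```python
# Added example (not from the Cisco session): the three rule tables from the
# "Security Design (a Better Example)" slides as a stateful first-match filter,
# plus RFC 2827 anti-spoofing, replayed against the "Design Under Fire (2)" phases.
# All addresses, the SQL port and the X11 (tcp/6000) xterm port are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # constructed: building/internal hosts
DMZ = ip_network("192.0.2.0/24")         # constructed: public server segment
HOSTS = {                                # constructed addresses for the slides' roles
    "Web Server": "192.0.2.10",
    "Mail Server": "192.0.2.20", "Pub. SMTP": "192.0.2.20",
    "DNS Server": "192.0.2.30", "DNS": "192.0.2.30",
    "BackEnd Database": "10.1.1.5",
    "Int. SMTP": "10.1.1.25",
}
SERVICES = {"SMTP": ("tcp", 25), "HTTP": ("tcp", 80), "DNS": ("udp", 53),
            "SSL": ("tcp", 443), "SQL": ("tcp", 1433)}   # SQL port assumed

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 0   # only needed to recognise return traffic

def zone(addr):
    a = ip_address(addr)
    if a in INTERNAL:
        return "Internal"
    if a in DMZ:
        return "DMZ"
    return "Outside"

def endpoint_matches(spec, addr):
    """spec is 'Any', a zone name or a HOSTS role; alternatives joined by ' and '."""
    return any(alt == "Any" or zone(addr) == alt or HOSTS.get(alt) == addr
               for alt in spec.split(" and "))

def service_matches(spec, pkt):
    return spec == "Any" or SERVICES[spec] == (pkt.proto, pkt.dport)

# Rule tables transcribed from the slides as (source, destination, service).
# Every listed rule is a Permit; anything matching no rule is dropped.
ACL_S0 = [("Outside", "Mail Server", "SMTP"), ("Outside", "Web Server", "HTTP"),
          ("Outside", "DNS Server", "DNS"), ("Outside", "Web Server", "SSL")]
ACL_E0 = [("Internal", "Any", "Any"), ("Mail Server", "Outside", "SMTP"),
          ("DNS", "Outside", "DNS")]
FIREWALL = [("Internal", "Any", "Any"), ("Web Server", "BackEnd Database", "SQL"),
            ("Pub. SMTP", "Int. SMTP and Outside", "SMTP"),
            ("DNS", "Outside", "DNS")] + ACL_S0

class StatefulFilter:
    """First-match permit list plus a table of established flows, so replies to a
    permitted session pass without needing a rule of their own."""
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (client, server, proto, server_port)

    def permits(self, pkt):
        if (pkt.dst, pkt.src, pkt.proto, pkt.sport) in self.established:
            return True
        for src, dst, svc in self.rules:
            if (endpoint_matches(src, pkt.src) and endpoint_matches(dst, pkt.dst)
                    and service_matches(svc, pkt)):
                self.established.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
                return True
        return False

def rfc2827_ok(pkt, ingress):
    """RFC 2827 anti-spoofing at the access router: packets arriving from the
    Internet (s0) must not carry one of our source addresses; packets entering
    from the inside (e0) must."""
    ours = any(ip_address(pkt.src) in net for net in (INTERNAL, DMZ))
    return not ours if ingress == "s0" else ours

def replay_attack_phases():
    """Run the 'Design Under Fire (2)' steps through the filters; True = passes."""
    edge_in, edge_out = StatefulFilter(ACL_S0), StatefulFilter(ACL_E0)
    fw = StatefulFilter(FIREWALL)
    attacker, web = "203.0.113.7", HOSTS["Web Server"]       # constructed
    db, inside_host = HOSTS["BackEnd Database"], "10.2.0.9"  # constructed
    return {
        # Phase 2: the public web service itself stays reachable (the exploit path).
        "http_to_web": edge_in.permits(Packet(attacker, web, "tcp", 80)),
        # Phase 2: an xterm pushed back out (X11, tcp/6000) is not "Internal -> Any".
        "xterm_back_out": edge_out.permits(Packet(web, attacker, "tcp", 6000)),
        # Phase 3: from the web server only SQL to the database reaches the inside.
        "web_to_db_sql": fw.permits(Packet(web, db, "tcp", 1433)),
        "web_to_db_telnet": fw.permits(Packet(web, db, "tcp", 23)),
        "web_to_inside_x11": fw.permits(Packet(web, inside_host, "tcp", 6000)),
        # The database's reply to that permitted SQL session is stateful return traffic.
        "db_reply_to_web": fw.permits(Packet(db, web, "tcp", 40000, sport=1433)),
        # DDoS phase 1: spoofed-source floods from a compromised inside host never leave,
        # and packets claiming our addresses never enter.
        "spoofed_egress": rfc2827_ok(Packet("198.51.100.1", attacker, "udp", 53), "e0"),
        "spoofed_ingress": rfc2827_ok(Packet("10.5.5.5", web, "tcp", 80), "s0"),
    }

if __name__ == "__main__":
    for step, passed in replay_attack_phases().items():
        print(f"{step:20s} {'permitted' if passed else 'dropped'}")
```

Running it shows the point the slides make: the only packets that pass are the published services and the single Web Server to BackEnd Database SQL rule, so the "exploit trust" and "inbound from server systems" phases have no path, while the stateful table still lets the database answer the permitted SQL session. Note what the model does not cover: the UDP flood in DDoS phase 2 is a volume problem, not a policy problem, which is why the slides point at CAR or SP filtering rather than at the ACLs.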
• Read "Improving Security on Cisco Routers": good info on tweaking Cisco routers to improve their security
• Read "Essential IOS Features Every ISP Should Consider": discuss this with your ISP, be proactive!
• Read "Increasing Security on IP Networks": oldie but a goodie!

Call to Action
• Examine how these attacks (and variations) would play out in your network environment
• Reevaluate your security posture and your emphasis, or lack thereof, on system administration

Deploying Secure Networks, Session 2502, 1999

Please Complete Your Evaluation Form (Session 2502, 1999)

© 1999, Cisco Systems, Inc.