Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

GAD(config)

advertisement 
Network Security
DMZ (De-Militarized Zone)
Privilege levels in Cisco routers
 Cisco IOS offers 16 privilege levels
◦ User Exec mode: Level 1
◦

◦
Privilege EXEC mode: Level 15
 Levels of access to commands,
called privilege levels can be
configured to protect the system
from unauthorized access to
 Allow access to the specified
command or,
 ‘All’ keyword is used to enable
access to all commands that
start with the specified string
http://www.cisco.com/en/US/docs/ios/
12_2t/12_2t13/feature/guide/ftprienh.
html#wp1027184

◦

Configures the specified privilege level
Router(config) # privilege exec all level 5
show ip
Sets the password for the specified privilege
level.
Router(config)# enable secret password
level 6 0 letmein
 0 indicates an unencrypted password
string follows,
 5 indicates an encrypted password
string follows
Router# show privilege
Current privilege level is 15

Set the configure command to privilege level
14
 Router(config) # privilege exec level 14
configure
 Router(config) # enable secret level 14
SecretPswd14
General Framework
J. Wang. Computer Network Security Theory
and Practice. Springer 2008
What is a DMZ?
 A DMZ is a computer
network that sits between a
trusted internal network,
such as a corporate private
LAN, and an untrusted
external network, such as
the public Internet
 Also known as a
 Data Management Zone or
 Demarcation Zone
 Perimeter Network
Typical components of DMZ network

Web servers that need to be made
available to the general public, such as
company's primary Web presence
advertising its products or services.

Public DNS servers that resolve the names
in your domain for users outside your
organization to the appropriate IP
addresses.

Public FTP servers on which you provide
files to the public
 Downloads of your product manuals or
 Software drivers

Anonymous SMTP relays that forward email from the Internet to internal mail
server(s)

Servers running complex e-commerce
Internet and extranet applications

Proxy Servers
Split Configurations


Mail services can be split between
servers on the DMZ and the
internal network.
 Internal mail server handles email from one computer to
another on the internal network.
 Mail that comes in or is sent to
computers outside the internal
network over the Internet is
handled by an SMTP gateway
located in the DMZ.
For e-commerce systems
 Front-end server, directly
accessible by Internet users is
in the DMZ,
 Back-end servers that store
sensitive information are on the
internal network.
LAN
interface
DMZ
interface
DMZ with two firewalls
 DMZ that uses two firewalls,
called a back to back DMZ.
 Advantage of this configuration
 Fast packet filtering
firewall/router at the front end
(the Internet edge) to increase
performance of your public
servers,
 Slower application layer
filtering (ALF) firewall at the
back end (next to the
corporate LAN) to provide
more protection to the internal
network without negatively
impacting performance for
your public servers
Tri-homed DMZ
 When a single firewall is
used to create a DMZ, it's
called a trihomed DMZ.
 The firewall computer or
appliance has interfaces to
three separate networks:
 The internal interface to
the trusted network (the
internal LAN)
 The external interface to
the untrusted network (the
public Internet)
 The interface to the semitrusted network (the DMZ)
Creating a DMZ Infrastructure
 Two important characteristics of the
DMZ are:
 A different network ID from the
internal network
 A DMZ can use either public or
private IP addresses, depending
on its architecture
 subnet the IP address block
that is assigned by your ISP
 If using private IP addresses
for the DMZ, a Network
Address Translation (NAT)
device will be required
 It is separated from both the Internet
and the internal network by a firewall
Security of DMZ
 The level of security within the DMZ also depends
on the nature of the servers that are placed there.
We can divide DMZs into two security categories:
 DMZs designed for unauthenticated or
anonymous access
 DMZs designed for authenticated access
Host Security on the DMZ
 Be sure to set strong passwords
and use RADIUS or other
certificate based authentication for
accessing the management
console remotely.

username richard privilege 15 secret
bigXdogYlover

Router(config)# username natalie privilege 15
secret BIGxDOGyLOVER

Router(config)# ip http server

Router(config)# ip http authentication local

Set up your VTY access for SSH (optional,
but recommended):
 Router(config)# username name secret
password
 Router(config)# line vty 0 4
 Router(config-line)# transport input ssh
 Router(config-line)# transport output ssh
 Router(config-line) login local
 To allow you to manage the router
through a Web page, it runs an
HTTP server. It is a good security
practice to disable the HTTP
server, as it can serve as a point of
attack.

Different privilege levels to users

Router(config)#privilege exec all level 5
show ip
Specify Traffic exiting corporate
network
 The corporate network zone houses
172.16.2.0/2
4
10.1.1.1/2
4





private servers and internal clients. No
other network should be able to
access it.
Configure an extended access list to
specify which traffic can exit out the
network
GAD(config)#access-list 101 permit ip
10.10.10.0 0.0.0.255 any
GAD(config)#access-list 101 deny ip
any any
GAD(config)#interface fa1
GAD(config-if)#ip access-group 101 in




Can Host A ping the Web Server?
Can Host A ping Host B?
Can Host B ping the Web Server?
Can Host B ping Host A?
Limit Traffic allowed into corporate
network
172.16.2.0/24

Traffic can be allowed into the corporate network must
be limited.

Traffic entering the corporate network will be coming
from either the Internet or the DMZ.

Allow all traffic that originated from the corporate
network can be allowed back into that network. Enter
the following:
10.1.1.1/24


Can Host A ping the Web Server?
Can Host A ping Host B?
Can Host B ping the Web Server?
Can Host B ping Host A

Permit ICMP into the network. This will allow the
internal hosts to receive ICMP messages

GAD(config)#access-list 102 permit icmp any
any echo-reply

GAD(config)#access-list 102 permit icmp any
any unreachable
No other traffic is desired into the corporate network


GAD(config)#access-list 102 permit tcp any any
established
GAD(config)#access-list 102 deny ip any any
Finally, apply the access-list to the corporate network
Fast Ethernet port.

GAD(config)#interface ethernet1

GAD(config-if)#ip access-group 102 out
Protect the DMZ Network

172.16.2.0/24
Configure an extended access list to protect the DMZ network

GAD(config)#access-list 111 permit ip 10.1.1.0
0.0.0.255 any

GAD(config)#access-list 111 deny ip any any

GAD(config)#interface ethernetfa0

GAD(config-if)#ip access-group 111 in

Specify which traffic can enter the DMZ network. Traffic
entering the DMZ network will be coming from either the
Internet or the corporate network requesting World Wide Web
services.

Configure an outbound extended access-list specifying that
World Wide Web requests be allowed into the network.
10.1.1.1/24


What command would be entered to allow


GAD(config)#access-list 112 permit tcp any host
10.1.1.10 eq www
DNS, Email and FTP requests into the DMZ?
For management purposes, it would be useful to let corporate
users ping the Web Server but not for Internet users.

GAD(config)#access-list 112 permit icmp 10.10.10.0
0.0.0.255 host 10.1.1.10

GAD(config)#access-list 112 deny ip any any

GAD(config)#interface fa ethernet 0

GAD(config-if)#ip access-group 112 out
Deter Spoofing

Spoofing - A common method to attempt to forge a
valid internal source IP addresses.

To deter spoofing, it is decided to configure an
access list so that Internet hosts cannot easily
spoof an internal network addresses.

Three common source IP addresses that hackers
attempt to forge are valid internal addresses (e.g.,
10.10.10.0), loopback addresses (i.e.,127.x.x.x),
and multicast addresses (i.e., 224.x.x.x – 239.x.x.x).

GAD(config)#access-list 121 deny ip 10.10.10.0
0.0.0.255 any

GAD(config)#access-list 121 deny ip 127.0.0.0
0.255.255.255 any

GAD(config)#access-list 121 deny ip 224.0.0.0
31.255.255.255 any

GAD(config)#access-list 121 permit ip any any

GAD(config)#interface serial 0

GAD(config-if)#ip access-group 121 in
172.16.2.0/24
10.1.1.1/24
Related documents
Chapter 12
Chapter 12
(c)We Want to Hear from You
(c)We Want to Hear from You
Chapter12 - Cal State L.a.
Chapter12 - Cal State L.a.
True IP for DMZ Host - Static/DHCP IP Address for WAN
True IP for DMZ Host - Static/DHCP IP Address for WAN
SSH beáll
SSH beáll
Packet Tracer Part 2
Packet Tracer Part 2
Continuous Delivery
Continuous Delivery
PSY212 Gummow guided reading questions
PSY212 Gummow guided reading questions
Preview - Reid Writers
Preview - Reid Writers
Errata - Pearsoncmg
Errata - Pearsoncmg
Download
advertisement