Lecture CCNA Security - Chapter 9: Managing a Secure Network
Pages: 82
File type: pdf
Size: 2.64 MB
Document information:
This chapter's objectives include: describe the principles of secure network design, describe threat identification and risk analysis, describe risk management and risk avoidance, describe the Cisco SecureX architecture, describe operations security,...
Content extracted from the document:
Chapter 9 - Managing a Secure Network
CCNA Security

Objectives
• Describe the principles of secure network design.
• Describe threat identification and risk analysis.
• Describe risk management and risk avoidance.
• Describe the Cisco SecureX architecture.
• Describe operations security.
• Describe network security testing tools and techniques.
• Describe business continuity and disaster recovery.
• Describe the system development life cycle concept and its application to a secure network life cycle.
• Describe the purpose and function of a network security policy.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Introduction
• To help simplify network design, it is recommended that all security mechanisms come from a single vendor.
• The Cisco SecureX architecture is a comprehensive, end-to-end solution for network security that includes solutions to secure the network, email, web, access, mobile users and data center resources.

Ensuring a Network is Secure
• Mitigating network attacks requires a comprehensive, end-to-end approach:
  • Secure network devices with AAA, SSH, role-based CLI, syslog, SNMP, and NTP.
  • Secure services using AutoSecure and CCP one-step lockdown.
  • Protect network endpoints (such as workstations and servers) against viruses, Trojan Horses, and worms, with Cisco NAC and Cisco IronPort.
  • Use Cisco IOS Firewall and accompanying ACLs to secure resources internally while protecting those resources from outside attacks.
  • Supplement Cisco IOS Firewall with Cisco IPS technology to evaluate traffic using an attack signature database.
  • Protect the LAN by following Layer 2 and VLAN recommended practices and by using a variety of technologies, including BPDU guard, root guard, PortFast, and SPAN.
Ensuring a Network is Secure
• When developing security policies, several questions must be answered (refer to 9.1.1.1):
  1. Business needs
  2. Threat identification
  3. Risk analysis
  4. Security needs
  5. Industry-recommended practices
  6. Security operations
• Many security assumptions are made when designing and implementing a secure network.
• There are guidelines to help you avoid making wrong assumptions (refer to 9.1.1.2):
  1. Expect that any aspect of a security system might fail.
  2. Identify any elements that fail-open.
  3. Try to identify all attack possibilities.
  4. Evaluate the probability of exploitation.
  5. Assume that people will make mistakes.
  6. Attackers will not use common and well-established techniques to compromise a system.
  7. Check all assumptions with other people.

Threat Identification and Risk Analysis
When identifying threats, it is important to ask two questions:
1. What are the possible vulnerabilities of a system?
2. What are the consequences if system vulnerabilities are exploited?
Threat Identification – Bank Scenario
Refer to 9.1.2.1
Identified threats:
• Insider attack on the system
• Internal system compromise
• Data center destruction
• Stolen customer data
• Phony transactions
• Data input errors

Risk Analysis
Refer to 9.1.2.2
• Evaluate each threat to determine its severity and probability.
• Quantitative Risk Analysis uses a mathematical model.
• Qualitative Risk Analysis uses a scenario-based model.

The first step in developing a risk analysis is to evaluate each threat to determine its severity and probability:
1. Internal system compromise
2. Stolen customer data
3. Phony transactions if external server is breached
4. Phony transactions using a stolen customer PIN or smart card
5. Insider attack on the system
6. Data input errors
7. Data center destruction

Quantitative Risk Analysis
Refer to 9.1.2.3
• Asset Value (AV) is the cost of an individual asset.
• Exposure Factor (EF) is the loss, represented as a percentage, that a realized threat could have on an asset.
• Single Loss Expectancy (SLE) is the result of AV * EF, or the cost of a single instance of a threat.

Annualized Rate of Occurrence
Refer to 9.1.2.4
• Annualized Rate of Occurrence (ARO) - estimated frequency that a threat is expected to occur.
• Single Loss Expectancy (SLE)
• Annualized Loss Expectancy (ALE) - expected financial loss that an individual threat will cause an organization.
ALE = SLE * ARO

Threat Identification and Risk Analysis
Refer to 9.1.2.5

Ways to Handle Risk
Refer to 9.1.3.1
1. Risk management
2. Risk avoidance
...
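The SLE and ALE formulas from the quantitative risk analysis slides, applied to a small risk register and ranked by annual loss; this is an added example, not part of the original lecture. The threat names come from the bank scenario, while every AV, EF and ARO figure, the `Threat` class and `rank_by_ale` are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: cost of the individual asset
    exposure_factor: float  # EF as a fraction of AV (0.6 means 60 %)
    aro: float              # ARO: expected occurrences per year (0.01 = once in 100 years)

    def __post_init__(self):
        # Catches the common slip of entering EF as 60 instead of 0.6.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


def rank_by_ale(threats):
    """Return (threat, share of total ALE) pairs, largest annual loss first."""
    ranked = sorted(threats, key=lambda t: t.ale, reverse=True)
    total = sum(t.ale for t in ranked)
    return [(t, t.ale / total if total else 0.0) for t in ranked]


# Constructed figures for four of the bank-scenario threats (not from the lecture).
BANK_REGISTER = [
    Threat("Data center destruction", 10_000_000, 0.6, 0.01),
    Threat("Insider attack on the system", 4_000_000, 0.1, 0.2),
    Threat("Stolen customer data", 2_000_000, 0.25, 0.5),
    Threat("Data input errors", 1_000_000, 0.00001, 125_000),
]

if __name__ == "__main__":
    for threat, share in rank_by_ale(BANK_REGISTER):
        print(f"{threat.name:30} SLE={threat.sle:>12,.0f} "
              f"ALE={threat.ale:>12,.0f} share={share:6.1%}")
```

With these constructed figures, the frequent but low-impact data input errors carry a larger annual loss than the rare data center destruction, which is why ranking uses ALE and not SLE alone.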