Session
[Chart: CERT/CC incidents reported, 1995 to Q1 2002 (data points shown: 2,412; 26,829; 52,658). Source: http://www.cert.org/stats/]
[Chart: CERT/CC vulnerabilities reported, 1995 to Q1 2002 (data points shown: 171; 1,065; 2,437). Source: http://www.cert.org/stats/]
AAA Any Time Any Where Any How
21 Apache HTTP Java Kazaa Linux Microsoft IIS Morpheous PayPal IP
http://www.cisco.com/warp/public/126/secpol.html
[Figure: IP header layout; bit positions 0, 15, 16, 31; two 32-bit IP address fields; 20]
TCP UDP 3
HTTP www.cisco.com 198.133.219.25 DNS GET /index.html (GET http://www.cisco.com/index.html)
HTTP: ----- Hypertext Transfer Protocol -----
HTTP:
HTTP: Line 1: HTTP/1.0 302 Found
HTTP: Line 2: : Netscape-Enterprise/2.01
HTTP: Line 3: Date: Tue, 08 May 2001 20:52:20 GMT
TCP/IP IP TCP TCP UDP UDP UDP
PIX TCP UDP TCP TCP TCP ACK bit Syslog
Telnet A PIX / A A ID AAA AAA
Cisco PIX LAN/WAN IOS Software / Blade 802.1Q VLAN
SOHO
DMZ DMZ A DMZ SOHO SOHO
DMZ VPN DMZ Out DMZ In DMZ DMZ SOHO
QoS
Dual Design DMZ
Web Layer 7 DoS Cisco IOS SMTP DDoS ISP PIX URL VPN/
VoIP
SMTP
Web
Web
Joel Snyder Oops
arp
Syslog vs
NetSonar NMap Nessus
??? DNS Syslog
20 SANS
Sniffer Sniffer Sniffer
Telnet SSH FTP rlogin RPC NFS Portmapper, lockd NetBIOS X Windows DNS LDAP Web SMTP POP IMAP HTTP SSL TFTP finger NNTP NTP LPD Syslog SNMP BGP SOCKS From http://www.sans.org/top20.htm
SANS SANS SANS/FBI
SANS: Telnet: 23/TCP, SSH: 22/TCP*, FTP: 21/TCP, NetBIOS: 139/TCP, rlogin: 512-514/TCP; NetBIOS MS NT: 135, 137-138/UDP, 139/TCP; W2K: 445 [*] SSH
SANS: RPC NFS Portmap/rpcbind: 111, NFS: 2049, : 4045; X Windows: 6000-6255/TCP* [*] X Windows 6000 X Windows
SANS: DNS: 53/UDP*, DNS Zone Transfers: 53/TCP**, LDAP: 389/TCP and UDP***; **** SMTP: 25/TCP, POP: 109-110/TCP, IMAP: 143/TCP [*] DNS [**] DNS Zone Transfer [***] MS Netmeeting 389 TCP [****] Netmeeting
Web: HTTP: 80/TCP, SSL: 443/TCP, 8080 HTTP HTTP HTTP
SANS 20 TCP/IP: Echo: 7, Systat: 11, QOTD: 17, Time: 37, TFTP: 69/UDP, finger: 79/TCP, LPD/LPR: 515/TCP, Traceroute: 33460/UDP
ICMP Echo Echo Echo type 3, code 4
IP ICMP (source routing) TCP
IP RFC 1597 IP IANA 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255 SOHO http://www.cisco.com/warp/public/701/35.html
ICMP X TrustedNetwork.com MyNetwork.com Attacker.com TrustedNetwork.com MyNetworks.com ICMP Unreachable MyNetworks.Com TrustedNetwork http://rr.sans.org/threats/icmp.php
IP #1 ICMP #2 #3 Telnet rlogin #4
#2 #3 #1 X TrustedNetwork.com MyNetwork.com Attacker.com #4 IP
TCP TrustedNetwork.com MyNetwork.com Attacker.com
3 Syslog (Trap) Syslog (Console) (Monitor) Telnet Syslog PIX IP Syslog UDP 514 PIX Syslog over TCP 514 Syslog
telnet
Syslog 0 1 2 3 4 5 6 7
Syslog / / / IP Tab
05-02-2002 10:27:25 Local4.Warning 192.168.123.1 May 02 2002 06:30:13: %PIX-4-106023: Deny icmp src outside:171.68.88.1 dst inside:171.68.89.147 type 3, code 1 by access-group "outside_access_in"
PIX PIX Syslog Syslog PIX PIX Syslog
Syslog ID IP
%PIX-4-106023: Deny icmp src outside:171.68.88.1 dst inside:171.68.89.147 type 3, code 1 by access-group "outside_access_in"
IP /
Syslog Sunday Monday Tuesday Wednesday Thursday Friday Saturday Syslog
Syslog 101 Syslog Monday 5
Syslog Cisco Avvid Partner Program Site http://www.cisco.com/warp/public/779/largeent/partner/esap/secvpn.html
config term TFTP OS
Cisco VMS 2.1 PIX
MIB MIB SNMP Cisco http://www.cisco.com/public/swcenter/netmgmt/cmtk/mibs.shtml
/
/
IP?
http://www.cisco.com/go/firewall http://www.cisco.com/go/pix http://www.cisco.com/go/vms http://www.cisco.com/go/conten http://www.cisco.com/go/safe
Networkers 2002 SEC-100 SEC-200 1 SEC-201 2 SEC-320
http://www.cisco.com/warp/public/126/secpol.html http://rr.sans.org/policy/sec_policy.php http://wwws.sun.com/software/whitepapers/wpsecurity-devsecpolicy/ http://downloads.securityfocus.com/library/why_security_Policies_Fail.pdf
PIX v6.2 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm IOS v12.2 http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm http://www.cisco.com/univercd/cc/td/doc/product/iaabu/newsecf/index.htm