SlideShare ist ein Scribd-Unternehmen logo

ITSAC 2011 SCAP for Inter-networking Devices

Als PPTX, PDF herunterladen
C
c3i

This document discusses using the Security Content Automation Protocol (SCAP) to evaluate the security configurations of inter-networking devices such as routers and switches. It covers traditional SCAP methods for probing devices and discusses other methods being explored. The presentation examines current and potential future SCAP capabilities for evaluating the security of inter-networking devices on critical infrastructure and enterprise networks.

Technologie
1 von 26
SCAP for Inter-networking devices Luis Nuñez 7th Annual IT Security Automation Conference 2011
SCAP for Inter-networking devices Survey on SCAP for inter-networking devices such as routers and switches. The critical infrastructure and enterprise networks today are built on routers and switches to transport communications to endpoints and beyond. SCAP expansion into discovering and interrogating inter- networking devices fits into this continuous monitoring paradigm. The presentation will cover traditional SCAP methods used to probe devices and will discuss other methods. The presentation will also will explore current and future SCAP capabilities for inter-networking devices. www.apexassurance.com © 2011 Apex Assurance Group
Apex Assurance Group – Product Security Assurance – FIPS-140 – Common Criteria – DoD Information Assurance (IA) – Security Technical Implementation Guide (STIG) – Security Content Automation Protocol (SCAP) www.apexassurance.com © 2011 Apex Assurance Group
SCAP Servers Endpoints Inter-Networking Devices Windows Windows Cisco Linux Linux IOS Juniper JunOS www.apexassurance.com © 2011 Apex Assurance Group
Endpoints www.apexassurance.com © 2011 Apex Assurance Group
The Network Infrastructure www.apexassurance.com © 2011 Apex Assurance Group
Differences: endpoints and Inter-Networking devices  Data flows through and transits Inter-networking devices.  Router/Switch config usually static.  Inter-networking devices – Intermediary/transit devices – The network is the information highway for the endpoints www.apexassurance.com © 2011 Apex Assurance Group
Why SCAP for inter-networking devices  Anyone can write scripts to check the system? – RAT Perl script – TCL  DISA STIG/XCCDF  Leverage existing standards for consistent authoritative results www.apexassurance.com © 2011 Apex Assurance Group
2 SCAP use cases  Configuration Hygiene – Security Best practices (STIG) – Cisco IOS Check-list – Juniper JUNOS Check-list  Vulnerability Check – IOS OVAL content www.apexassurance.com © 2011 Apex Assurance Group
Cisco IOS OVAL content www.apexassurance.com © 2011 Apex Assurance Group
JunOS Network Time Protocol (NTP) hardening  CCE example related to STIG system { CCI/STIG NET0813 ntp { CCEauthentication-key [key-id] type md5 value "[pass-phrase]"; trusted-key [key-id]; /* Allow NTP to sync if server clock is significantly different than local clock CCE */ boot-server 192.0.2.1; /* NTP server to sync to */ CCE server 192.0.2.1; server 192.0.2.2 key [key-id] prefer; } } *Sample from team cymru www.apexassurance.com © 2011 Apex Assurance Group
Cisco IOS Network Time Protocol hardening  CCE example related to STIG CCI/STIG NET0813 !enable NTP authentication CCE ntp authenticate ntp authentication-key [key-id] md5 [hash] CCE ntp trusted-key [key-id] ntp peer [peer_address] key [key-id] CCE ntp server [server_address] key [key-id] *Sample from team cymru www.apexassurance.com © 2011 Apex Assurance Group
Device access methods  SSH  NETCONF  SNMP  RESTful www.apexassurance.com © 2011 Apex Assurance Group
Direct connect Methods SSH connection Config SCAP App NETCONF connection SCAP App Config www.apexassurance.com © 2011 Apex Assurance Group
NETCONF  RFC 6241 Network Configuration Protocol “The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs).” http://tools.ietf.org/html/rfc6241 www.apexassurance.com © 2011 Apex Assurance Group
Leverage existing network management tools  RESTFul HTTP based  JunOS Spaces  SNMP confi g RESTful connection confi g confi g SCAP App www.apexassurance.com © 2011 Apex Assurance Group
 Online and offline OVAL analysis  online direct connection and probe of the device  offline parsing of system config and state information  Leveraging existing network management systems for system information  On box agents – Cisco IOS TLC parser – Cisco Embedded Event Manager (EEM) www.apexassurance.com © 2011 Apex Assurance Group
Challenges  Content contribution  Vendor participation  Network device role – Edge Router/Filter Router/L3/L2/Purpose device (Voice GW)  Virtualization  IOS CPE  OVAL test content for Inter-networking devices www.apexassurance.com © 2011 Apex Assurance Group
Future  EMAP - Events of interests from a network perspective  Trusted Computing Group –Trusted Network Connect and SCAP  TMSAD Trust Model for Security Automation Data – http://csrc.nist.gov/publications/nistir/ir7802/NISTIR-7802.pdf  SCAP for NIAP Common Criteria Protection Profile www.apexassurance.com © 2011 Apex Assurance Group
Luis Nuñez lnunez@apexassurance.com lnunez@c3isecurity.com www.apexassurance.com 20 www.apexassurance.com © 2011 Apex Assurance Group
Cisco IOS Tips  “show running-config” – outputs the current running configuration (in memory)  “show startup-config” – outputs the last saved configuration  “show running-config all” – outputs all configuration include some defaults  “show tech-support” – outputs vital statics  “show version” www.apexassurance.com © 2011 Apex Assurance Group
Cisco IOS show version splinter1#show version Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc. Compiled Thu 28-Oct-10 17:09 by prod_rel_team ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) splinter1 uptime is 12 weeks, 6 days, 3 hours, 13 minutes System returned to ROM by power-on System image file is "flash:c2800nm-adventerprisek9-mz.150-1.M4" Last reload type: Normal Reload Cisco 2851 (revision 53.51) with 509952K/14336K bytes of memory. Processor board ID FTX0925A1BF 2 Gigabit Ethernet interfaces 1 Virtual Private Network (VPN) Module DRAM configuration is 64 bits wide with parity enabled. 239K bytes of non-volatile configuration memory. 62720K bytes of ATA CompactFlash (Read/Write) License Info: License UDI: ------------------------------------------------- Device# PID SN ------------------------------------------------- *0 CISCO2851 FTX0925A1BF Configuration register is 0x2102 www.apexassurance.com © 2011 Apex Assurance Group
Last IOS configuration change Router# show run Building configuration... ! ! Last configuration change at 20:40:41 GMT Nov 2 2011 by lnunez ! Version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname router ! boot-startmarker boot-end-marker ! no aaa new-model www.apexassurance.com © 2011 Apex Assurance Group
Cisco ASA Firewall “fips enable” command Copyright (c) 1996-2005 by Cisco Systems, Inc. Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. Cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 .... Cryptochecksum (unchanged): 6c6d2f77 ef13898e 682c9f94 9c2d5ba9 INFO: FIPS Power-On Self-Test in process. Estimate completion in 90 seconds. ...................................................... INFO: FIPS Power-On Self-Test complete. Type help or '?' for a list of available commands. sw8-5520> www.apexassurance.com © 2011 Apex Assurance Group
Cisco IOS versions (Trains) www.apexassurance.com © 2011 Apex Assurance Group
Juniper JUNOS SCAP  junos-definitions-schema.xsd  junos-system-characteristics-schema.xsd www.apexassurance.com © 2011 Apex Assurance Group

Empfohlen

Развитие решений для коммутации в корпоративных сетях Cisco
Развитие решений для коммутации в корпоративных сетях CiscoРазвитие решений для коммутации в корпоративных сетях Cisco
Развитие решений для коммутации в корпоративных сетях CiscoCisco Russia
 
Presentation cisco data center security deep dive
Presentation cisco data center security deep divePresentation cisco data center security deep dive
Presentation cisco data center security deep divexKinAnx
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3Irsandi Hasan
 
Presentation asa 5585-x next generation multi-service adaptive security app...
Presentation asa 5585-x next generation multi-service adaptive security app...Presentation asa 5585-x next generation multi-service adaptive security app...
Presentation asa 5585-x next generation multi-service adaptive security app...xKinAnx
 
Развитие решений для маршрутизации в корпоративных сетях Cisco
Развитие решений для маршрутизации в корпоративных сетях CiscoРазвитие решений для маршрутизации в корпоративных сетях Cisco
Развитие решений для маршрутизации в корпоративных сетях CiscoCisco Russia
 
Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19Daniel Pastrana
 
Cisco switching technical
Cisco switching technicalCisco switching technical
Cisco switching technicalImranD1
 
Cisco avb switches
Cisco avb switchesCisco avb switches
Cisco avb switchesIT Tech
 

Empfohlen

Развитие решений для коммутации в корпоративных сетях Cisco
Развитие решений для коммутации в корпоративных сетях CiscoРазвитие решений для коммутации в корпоративных сетях Cisco
Развитие решений для коммутации в корпоративных сетях CiscoCisco Russia
 
Presentation cisco data center security deep dive
Presentation cisco data center security deep divePresentation cisco data center security deep dive
Presentation cisco data center security deep divexKinAnx
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3Irsandi Hasan
 
Presentation asa 5585-x next generation multi-service adaptive security app...
Presentation asa 5585-x next generation multi-service adaptive security app...Presentation asa 5585-x next generation multi-service adaptive security app...
Presentation asa 5585-x next generation multi-service adaptive security app...xKinAnx
 
Развитие решений для маршрутизации в корпоративных сетях Cisco
Развитие решений для маршрутизации в корпоративных сетях CiscoРазвитие решений для маршрутизации в корпоративных сетях Cisco
Развитие решений для маршрутизации в корпоративных сетях CiscoCisco Russia
 
Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19Daniel Pastrana
 
Cisco switching technical
Cisco switching technicalCisco switching technical
Cisco switching technicalImranD1
 
Cisco avb switches
Cisco avb switchesCisco avb switches
Cisco avb switchesIT Tech
 
UCS Automation through the use of API's and UCS PowerTool
UCS Automation through the use of API's and UCS PowerToolUCS Automation through the use of API's and UCS PowerTool
UCS Automation through the use of API's and UCS PowerToolCisco Canada
 
AnyConnect Secure Mobility
AnyConnect Secure MobilityAnyConnect Secure Mobility
AnyConnect Secure MobilityCisco Canada
 
What you can do with cisco avb
What you can do with cisco avbWhat you can do with cisco avb
What you can do with cisco avbIT Tech
 
Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 solarisyougood
 
Vpn
VpnVpn
VpnSidhartha Muraleedharan
 
Cisco asa 5500 series adaptive security appliances
Cisco asa 5500 series adaptive security appliancesCisco asa 5500 series adaptive security appliances
Cisco asa 5500 series adaptive security appliancesIT Tech
 
The latest isr 4000 model comparison
The latest isr 4000 model comparisonThe latest isr 4000 model comparison
The latest isr 4000 model comparisonIT Tech
 
Sem cis collab
Sem cis collabSem cis collab
Sem cis collabLino Quivén
 
Cisco one advanced security
Cisco one advanced securityCisco one advanced security
Cisco one advanced securityIT Tech
 
Sba dc netapp_dg (1)
Sba dc netapp_dg (1)Sba dc netapp_dg (1)
Sba dc netapp_dg (1)purushotham m
 
Ccna security
Ccna securityCcna security
Ccna securitydkaya
 
Cisco spa303 administration guide
Cisco spa303 administration guideCisco spa303 administration guide
Cisco spa303 administration guidekaka010
 
AhmetCemilKaratas
AhmetCemilKaratasAhmetCemilKaratas
AhmetCemilKaratasAhmet Cemil Karataş
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
Eyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration GuideEyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration GuideEyeball Networks
 
Presentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringPresentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringxKinAnx
 
Cisco_data_center_solution_for_HondaTH
Cisco_data_center_solution_for_HondaTHCisco_data_center_solution_for_HondaTH
Cisco_data_center_solution_for_HondaTHPredee Kajonpai
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco AP 1200 Series
Cisco AP 1200 SeriesCisco AP 1200 Series
Cisco AP 1200 SeriesHugo Arriagada
 
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...Cisco Russia
 
Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)Siddique Ibrahim
 
Networking devices
Networking devicesNetworking devices
Networking devicesfrestoadi
 

Weitere ähnliche Inhalte

Was ist angesagt?

UCS Automation through the use of API's and UCS PowerTool
UCS Automation through the use of API's and UCS PowerToolUCS Automation through the use of API's and UCS PowerTool
UCS Automation through the use of API's and UCS PowerToolCisco Canada
 
AnyConnect Secure Mobility
AnyConnect Secure MobilityAnyConnect Secure Mobility
AnyConnect Secure MobilityCisco Canada
 
What you can do with cisco avb
What you can do with cisco avbWhat you can do with cisco avb
What you can do with cisco avbIT Tech
 
Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 solarisyougood
 
Cisco asa 5500 series adaptive security appliances
Cisco asa 5500 series adaptive security appliancesCisco asa 5500 series adaptive security appliances
Cisco asa 5500 series adaptive security appliancesIT Tech
 
The latest isr 4000 model comparison
The latest isr 4000 model comparisonThe latest isr 4000 model comparison
The latest isr 4000 model comparisonIT Tech
 
Cisco one advanced security
Cisco one advanced securityCisco one advanced security
Cisco one advanced securityIT Tech
 
Sba dc netapp_dg (1)
Sba dc netapp_dg (1)Sba dc netapp_dg (1)
Sba dc netapp_dg (1)purushotham m
 
Ccna security
Ccna securityCcna security
Ccna securitydkaya
 
Cisco spa303 administration guide
Cisco spa303 administration guideCisco spa303 administration guide
Cisco spa303 administration guidekaka010
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
Eyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration GuideEyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration GuideEyeball Networks
 
Presentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringPresentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringxKinAnx
 
Cisco_data_center_solution_for_HondaTH
Cisco_data_center_solution_for_HondaTHCisco_data_center_solution_for_HondaTH
Cisco_data_center_solution_for_HondaTHPredee Kajonpai
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...Cisco Russia
 

Was ist angesagt? (20)

UCS Automation through the use of API's and UCS PowerTool
UCS Automation through the use of API's and UCS PowerToolUCS Automation through the use of API's and UCS PowerTool
UCS Automation through the use of API's and UCS PowerTool
 
AnyConnect Secure Mobility
AnyConnect Secure MobilityAnyConnect Secure Mobility
AnyConnect Secure Mobility
 
What you can do with cisco avb
What you can do with cisco avbWhat you can do with cisco avb
What you can do with cisco avb
 
Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0 Cisco Prime infrastructure 3.0
Cisco Prime infrastructure 3.0
 
Vpn
VpnVpn
Vpn
 
Cisco asa 5500 series adaptive security appliances
Cisco asa 5500 series adaptive security appliancesCisco asa 5500 series adaptive security appliances
Cisco asa 5500 series adaptive security appliances
 
The latest isr 4000 model comparison
The latest isr 4000 model comparisonThe latest isr 4000 model comparison
The latest isr 4000 model comparison
 
Sem cis collab
Sem cis collabSem cis collab
Sem cis collab
 
Cisco one advanced security
Cisco one advanced securityCisco one advanced security
Cisco one advanced security
 
Sba dc netapp_dg (1)
Sba dc netapp_dg (1)Sba dc netapp_dg (1)
Sba dc netapp_dg (1)
 
Ccna security
Ccna securityCcna security
Ccna security
 
Cisco spa303 administration guide
Cisco spa303 administration guideCisco spa303 administration guide
Cisco spa303 administration guide
 
AhmetCemilKaratas
AhmetCemilKaratasAhmetCemilKaratas
AhmetCemilKaratas
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
Eyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration GuideEyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration Guide
 
Presentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualiseringPresentation cisco plus tech datacenter virtualisering
Presentation cisco plus tech datacenter virtualisering
 
Cisco_data_center_solution_for_HondaTH
Cisco_data_center_solution_for_HondaTHCisco_data_center_solution_for_HondaTH
Cisco_data_center_solution_for_HondaTH
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco AP 1200 Series
Cisco AP 1200 SeriesCisco AP 1200 Series
Cisco AP 1200 Series
 
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
Решения Cisco для Автоматизации Облачных Услуг - Cisco Intelligent Automation...
 

Andere mochten auch

Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)Siddique Ibrahim
 
Networking devices
Networking devicesNetworking devices
Networking devicesfrestoadi
 
Networking devices
Networking devicesNetworking devices
Networking devicesrupinderj
 

Andere mochten auch (6)

Networking devices(siddique)
Networking devices(siddique)Networking devices(siddique)
Networking devices(siddique)
 
Networking devices
Networking devicesNetworking devices
Networking devices
 
Networking devices
Networking devices Networking devices
Networking devices
 
Networking devices
Networking devicesNetworking devices
Networking devices
 
Networking devices
Networking devicesNetworking devices
Networking devices
 
Networking devices
Networking devicesNetworking devices
Networking devices
 

Ähnlich wie ITSAC 2011 SCAP for Inter-networking Devices

SCAP and NETCONF
SCAP and NETCONFSCAP and NETCONF
SCAP and NETCONFc3i
 
SDN in the Enterprise
SDN in the EnterpriseSDN in the Enterprise
SDN in the EnterpriseCisco Canada
 
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...PROIDEA
 
Oval Internetworking Devices
Oval Internetworking DevicesOval Internetworking Devices
Oval Internetworking Devicesc3i
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
Managing an Enterprise WLAN with Cisco Prime NCS & WCS
Managing an Enterprise WLAN with Cisco Prime NCS & WCSManaging an Enterprise WLAN with Cisco Prime NCS & WCS
Managing an Enterprise WLAN with Cisco Prime NCS & WCSCisco Mobility
 
Router Defense - BRUcon 2010
Router Defense - BRUcon 2010Router Defense - BRUcon 2010
Router Defense - BRUcon 2010fropert
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network EvolutionCisco Canada
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web SystemsInnoTech
 
CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1Chaing Ravuth
 
Eng.Abd Elrhman.pdf
Eng.Abd Elrhman.pdfEng.Abd Elrhman.pdf
Eng.Abd Elrhman.pdfINOGHOST
 
M2M関連状況 roll&core WG meeting in IETF86
M2M関連状況 roll&core WG meeting in IETF86M2M関連状況 roll&core WG meeting in IETF86
M2M関連状況 roll&core WG meeting in IETF86Shoichi Sakane
 
Netsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvNetsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvIntel
 
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...NetworkCollaborators
 
Network Function Virtualization (NFV) using IOS-XR
Network Function Virtualization (NFV) using IOS-XRNetwork Function Virtualization (NFV) using IOS-XR
Network Function Virtualization (NFV) using IOS-XRCisco Canada
 
Cisco at v mworld 2015 theater presentation brfarnha
Cisco at v mworld 2015 theater presentation brfarnhaCisco at v mworld 2015 theater presentation brfarnha
Cisco at v mworld 2015 theater presentation brfarnhaldangelo0772
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...Cisco DevNet
 
Presentation cisco nexus enabling the cloud infrastructure
Presentation cisco nexus enabling the cloud infrastructurePresentation cisco nexus enabling the cloud infrastructure
Presentation cisco nexus enabling the cloud infrastructurexKinAnx
 
Nfd18 anuta-networks
Nfd18 anuta-networksNfd18 anuta-networks
Nfd18 anuta-networksKiran Sirupa
 
TechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecTechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecRobb Boyd
 

Ähnlich wie ITSAC 2011 SCAP for Inter-networking Devices (20)

SCAP and NETCONF
SCAP and NETCONFSCAP and NETCONF
SCAP and NETCONF
 
SDN in the Enterprise
SDN in the EnterpriseSDN in the Enterprise
SDN in the Enterprise
 
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
PLNOG 8: Gaweł Mikołajczyk - Securing the Cloud Infrastructure - from Hyperv...
 
Oval Internetworking Devices
Oval Internetworking DevicesOval Internetworking Devices
Oval Internetworking Devices
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
Managing an Enterprise WLAN with Cisco Prime NCS & WCS
Managing an Enterprise WLAN with Cisco Prime NCS & WCSManaging an Enterprise WLAN with Cisco Prime NCS & WCS
Managing an Enterprise WLAN with Cisco Prime NCS & WCS
 
Router Defense - BRUcon 2010
Router Defense - BRUcon 2010Router Defense - BRUcon 2010
Router Defense - BRUcon 2010
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1
 
Eng.Abd Elrhman.pdf
Eng.Abd Elrhman.pdfEng.Abd Elrhman.pdf
Eng.Abd Elrhman.pdf
 
M2M関連状況 roll&core WG meeting in IETF86
M2M関連状況 roll&core WG meeting in IETF86M2M関連状況 roll&core WG meeting in IETF86
M2M関連状況 roll&core WG meeting in IETF86
 
Netsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfvNetsft2017 day in_life_of_nfv
Netsft2017 day in_life_of_nfv
 
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...Cisco Connect 2018 Thailand - Software defined access a transformational appr...
Cisco Connect 2018 Thailand - Software defined access a transformational appr...
 
Network Function Virtualization (NFV) using IOS-XR
Network Function Virtualization (NFV) using IOS-XRNetwork Function Virtualization (NFV) using IOS-XR
Network Function Virtualization (NFV) using IOS-XR
 
Cisco at v mworld 2015 theater presentation brfarnha
Cisco at v mworld 2015 theater presentation brfarnhaCisco at v mworld 2015 theater presentation brfarnha
Cisco at v mworld 2015 theater presentation brfarnha
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
 
Presentation cisco nexus enabling the cloud infrastructure
Presentation cisco nexus enabling the cloud infrastructurePresentation cisco nexus enabling the cloud infrastructure
Presentation cisco nexus enabling the cloud infrastructure
 
Nfd18 anuta-networks
Nfd18 anuta-networksNfd18 anuta-networks
Nfd18 anuta-networks
 
TechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecTechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSec
 

Kürzlich hochgeladen

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

ITSAC 2011 SCAP for Inter-networking Devices

  • 1. SCAP for Inter-networking devices Luis Nuñez 7th Annual IT Security Automation Conference 2011
  • 2. SCAP for Inter-networking devices Survey on SCAP for inter-networking devices such as routers and switches. The critical infrastructure and enterprise networks today are built on routers and switches to transport communications to endpoints and beyond. SCAP expansion into discovering and interrogating inter- networking devices fits into this continuous monitoring paradigm. The presentation will cover traditional SCAP methods used to probe devices and will discuss other methods. The presentation will also will explore current and future SCAP capabilities for inter-networking devices. www.apexassurance.com © 2011 Apex Assurance Group
  • 3. Apex Assurance Group – Product Security Assurance – FIPS-140 – Common Criteria – DoD Information Assurance (IA) – Security Technical Implementation Guide (STIG) – Security Content Automation Protocol (SCAP) www.apexassurance.com © 2011 Apex Assurance Group
  • 4. SCAP Servers Endpoints Inter-Networking Devices Windows Windows Cisco Linux Linux IOS Juniper JunOS www.apexassurance.com © 2011 Apex Assurance Group
  • 5. Endpoints www.apexassurance.com © 2011 Apex Assurance Group
  • 6. The Network Infrastructure www.apexassurance.com © 2011 Apex Assurance Group
  • 7. Differences: endpoints and Inter-Networking devices  Data flows through and transits Inter-networking devices.  Router/Switch config usually static.  Inter-networking devices – Intermediary/transit devices – The network is the information highway for the endpoints www.apexassurance.com © 2011 Apex Assurance Group
  • 8. Why SCAP for inter-networking devices  Anyone can write scripts to check the system? – RAT Perl script – TCL  DISA STIG/XCCDF  Leverage existing standards for consistent authoritative results www.apexassurance.com © 2011 Apex Assurance Group
  • 9. 2 SCAP use cases  Configuration Hygiene – Security Best practices (STIG) – Cisco IOS Check-list – Juniper JUNOS Check-list  Vulnerability Check – IOS OVAL content www.apexassurance.com © 2011 Apex Assurance Group
  • 10. Cisco IOS OVAL content www.apexassurance.com © 2011 Apex Assurance Group
  • 11. JunOS Network Time Protocol (NTP) hardening  CCE example related to STIG system { CCI/STIG NET0813 ntp { CCEauthentication-key [key-id] type md5 value "[pass-phrase]"; trusted-key [key-id]; /* Allow NTP to sync if server clock is significantly different than local clock CCE */ boot-server 192.0.2.1; /* NTP server to sync to */ CCE server 192.0.2.1; server 192.0.2.2 key [key-id] prefer; } } *Sample from team cymru www.apexassurance.com © 2011 Apex Assurance Group
  • 12. Cisco IOS Network Time Protocol hardening  CCE example related to STIG CCI/STIG NET0813 !enable NTP authentication CCE ntp authenticate ntp authentication-key [key-id] md5 [hash] CCE ntp trusted-key [key-id] ntp peer [peer_address] key [key-id] CCE ntp server [server_address] key [key-id] *Sample from team cymru www.apexassurance.com © 2011 Apex Assurance Group
  • 13. Device access methods  SSH  NETCONF  SNMP  RESTful www.apexassurance.com © 2011 Apex Assurance Group
  • 14. Direct connect Methods SSH connection Config SCAP App NETCONF connection SCAP App Config www.apexassurance.com © 2011 Apex Assurance Group
  • 15. NETCONF  RFC 6241 Network Configuration Protocol “The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs).” http://tools.ietf.org/html/rfc6241 www.apexassurance.com © 2011 Apex Assurance Group
  • 16. Leverage existing network management tools  RESTFul HTTP based  JunOS Spaces  SNMP confi g RESTful connection confi g confi g SCAP App www.apexassurance.com © 2011 Apex Assurance Group
  • 17.  Online and offline OVAL analysis  online direct connection and probe of the device  offline parsing of system config and state information  Leveraging existing network management systems for system information  On box agents – Cisco IOS TLC parser – Cisco Embedded Event Manager (EEM) www.apexassurance.com © 2011 Apex Assurance Group
  • 18. Challenges  Content contribution  Vendor participation  Network device role – Edge Router/Filter Router/L3/L2/Purpose device (Voice GW)  Virtualization  IOS CPE  OVAL test content for Inter-networking devices www.apexassurance.com © 2011 Apex Assurance Group
  • 19. Future  EMAP - Events of interests from a network perspective  Trusted Computing Group –Trusted Network Connect and SCAP  TMSAD Trust Model for Security Automation Data – http://csrc.nist.gov/publications/nistir/ir7802/NISTIR-7802.pdf  SCAP for NIAP Common Criteria Protection Profile www.apexassurance.com © 2011 Apex Assurance Group
  • 20. Luis Nuñez lnunez@apexassurance.com lnunez@c3isecurity.com www.apexassurance.com 20 www.apexassurance.com © 2011 Apex Assurance Group
  • 21. Cisco IOS Tips  “show running-config” – outputs the current running configuration (in memory)  “show startup-config” – outputs the last saved configuration  “show running-config all” – outputs all configuration include some defaults  “show tech-support” – outputs vital statics  “show version” www.apexassurance.com © 2011 Apex Assurance Group
  • 22. Cisco IOS show version splinter1#show version Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc. Compiled Thu 28-Oct-10 17:09 by prod_rel_team ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) splinter1 uptime is 12 weeks, 6 days, 3 hours, 13 minutes System returned to ROM by power-on System image file is "flash:c2800nm-adventerprisek9-mz.150-1.M4" Last reload type: Normal Reload Cisco 2851 (revision 53.51) with 509952K/14336K bytes of memory. Processor board ID FTX0925A1BF 2 Gigabit Ethernet interfaces 1 Virtual Private Network (VPN) Module DRAM configuration is 64 bits wide with parity enabled. 239K bytes of non-volatile configuration memory. 62720K bytes of ATA CompactFlash (Read/Write) License Info: License UDI: ------------------------------------------------- Device# PID SN ------------------------------------------------- *0 CISCO2851 FTX0925A1BF Configuration register is 0x2102 www.apexassurance.com © 2011 Apex Assurance Group
  • 23. Last IOS configuration change Router# show run Building configuration... ! ! Last configuration change at 20:40:41 GMT Nov 2 2011 by lnunez ! Version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname router ! boot-startmarker boot-end-marker ! no aaa new-model www.apexassurance.com © 2011 Apex Assurance Group
  • 24. Cisco ASA Firewall “fips enable” command Copyright (c) 1996-2005 by Cisco Systems, Inc. Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. Cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 .... Cryptochecksum (unchanged): 6c6d2f77 ef13898e 682c9f94 9c2d5ba9 INFO: FIPS Power-On Self-Test in process. Estimate completion in 90 seconds. ...................................................... INFO: FIPS Power-On Self-Test complete. Type help or '?' for a list of available commands. sw8-5520> www.apexassurance.com © 2011 Apex Assurance Group
  • 25. Cisco IOS versions (Trains) www.apexassurance.com © 2011 Apex Assurance Group
  • 26. Juniper JUNOS SCAP  junos-definitions-schema.xsd  junos-system-characteristics-schema.xsd www.apexassurance.com © 2011 Apex Assurance Group

Hinweis der Redaktion

  1. Endpoints – Workstations, Laptops, Tablets, Smart Phones and Servers
  2. Sample taken from http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.htmlSecurity Technical Implementation Guide (STIG)Control Correlation Identifier (CCI)
  3. Sample taken from http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
  4. http://tools.ietf.org/html/rfc6241
  5. http://www.juniper.net/us/en/products-services/software/junos-platform/junos-space/