Advanced Security Concepts

A wealth of security concepts has been covered in the previous chapters; now you are ready to look at some of the techniques used to secure the areas of your network that are most exposed to attack, in particular the demilitarized zone (DMZ).

The DMZ is an isolated part of the network that is reachable from hosts outside the network, such as hosts on the Internet, while remaining separated from the internal network.

Figure 6-1 displays a typical network design in which a DMZ is defined with a number of bastion hosts (the first line of defense: exposed hosts that can be sacrificed in the event of a network attack).

Figure 6-1 DMZ Design

In Figure 6-1, the DMZ is separated from the internal network by a firewall. Firewalls are network devices such as the Cisco Private Internet Exchange (PIX) Firewall, discussed later in this chapter. A firewall is designed to protect the internal (or private) part of a network from the public domain. Firewalls can operate at several layers of the OSI model: the network layer (3) and transport layer (4), where they filter on addresses and ports, and the application layer (7), where they understand the protocol being carried. Another popular design option is to place the DMZ on a third interface of the firewall, so that a single firewall protects both the DMZ servers and the internal network and controls the traffic between the two.
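The third-interface design described above, as an added example in PIX Firewall 6.x syntax (the PIX is covered later in this chapter; this configuration is not taken from the chapter or from Cisco documentation). Addresses, interface names and access list names are assumptions, and comment lines begin with a colon as the PIX expects. The security levels do the work: the Internet reaches only the published web service, the inside reaches the DMZ, and a compromised bastion host in the DMZ can open nothing toward the inside.

```cisco
: Added example, PIX Firewall 6.x syntax. Addresses and names are assumptions.
: Three interfaces, three security levels: the DMZ sits between inside and outside.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
:
: Inside hosts reach the Internet through a pool of public addresses, with PAT on
: the outside interface address once the pool is exhausted.
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 192.0.2.100-192.0.2.200 netmask 255.255.255.0
global (outside) 1 interface
:
: Inside addresses are left untranslated toward the DMZ (identity static), so
: inside users reach the bastion hosts by their real DMZ addresses.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
:
: The DMZ web server is published at a fixed public address.
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 0 0
:
: Lower-to-higher security traffic needs an access list: the Internet may reach
: only HTTP on the published web server.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside
:
: Higher-to-lower traffic (dmz -> outside) would pass by default; pin it down so a
: compromised bastion host reaches nothing on the inside and only DNS on the Internet.
access-list dmz_in deny ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list dmz_in permit udp host 172.16.1.10 any eq domain
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The dmz_in access list is the part that makes the third interface worthwhile: without it, the DMZ hosts could initiate any connection toward the Internet, and a bastion host that was taken over would be a convenient launch point.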

The aim of all firewalls is to accomplish the following:

■ Serve as a choke point—All traffic between the inside and the outside of the network must pass through the firewall.

■ Authorize traffic—Permits only authorized traffic.

■ Designed to be immune from penetration—The firewall itself must be hardened against attack, because it is a frequent target of outside hosts.

■ Provide invisibility—Ensures that the private network is invisible to the outside world.

As shown in Figure 6-1, the perimeter router sits between the DMZ and the public domain. Typically, a high-performance router or routers will be located here, performing various duties, including the following:

■ Restrict access to IP hosts and services using access lists.

■ Restrict TCP services.

■ Prevent attacks on firewall systems.

■ Prevent DoS attacks on bastion hosts and the private network.

■ Permit only authorized traffic to the bastion hosts.

■ Log all network events to external or internal systems.

■ Perform address translation (NAT/PAT).

■ Run static or dynamic routing protocols. (PIX Firewall software release 6.3 is no longer limited to static routes and RIP; it supports RIP versions 1 and 2 and OSPF.)

NOTE Proxy servers shield internal devices from outside intruders by replacing the internal hosts' IP addresses with their own IP address, so that only the proxy is visible to the outside. Many router vendors now allow their routers to act as proxy servers. Proxy servers have scalability and speed issues, because every packet must be examined and its IP header rewritten before delivery.

Firewalls and perimeter routers also perform packet filtering. A packet filter inspects every incoming and outgoing packet and matches it against the source IP address, the destination IP address, the protocol type (such as TCP or UDP) and, for TCP and UDP, the source and destination port numbers. Based on configurable rules, the filter decides whether to drop the packet or allow it through the device.

Table 6-1 summarizes the main functions of a perimeter and firewall router.

Table 6-1 Perimeter/Firewall Router Functions

Protection Service
    Method

Sniffer or snooping capabilities
    Control eavesdropping with encryption at the TCP/IP service (application) layer and at the network layer (IPSec).

Control unauthorized access
    Use authentication, authorization, and accounting (AAA) with Cisco Secure ACS. Also use access list filtering and the PIX Firewall.

Control session replay
    Control which TCP/IP sessions are authorized. Block SNMP, IP source routing, and finger services to outside hosts.

Control inbound connections
    Filter packets arriving from the outside world that carry an internal address as their source (anti-spoofing). Filter all private (RFC 1918) addresses.
    Filter BOOTP, Trivial File Transfer Protocol (TFTP), and traceroute traffic.
    Allow connections only for required services.
    Allow inbound TCP packets only for connections established from the inside network.
    Permit inbound traffic to the DMZ only.

Control outbound connections
    Allow only valid internal IP addresses out to the outside world; filter all other (spoofed or illegal) source addresses and unauthorized outbound service requests.

Packet filtering
    Use predefined access lists that control the transmission of packets on any given interface, control the vty lines and access to them, and ensure that routing updates are authenticated.

Cisco IOS routers can filter TCP or UDP protocol types. Example 6-1 displays the variety of TCP services that you can filter on a Cisco IOS router using extended access lists.

Example 6-1 TCP Services Filtered on Cisco IOS Routers

R1(config)#access-list 100 permit tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (used infrequently, 20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

Example 6-2 displays the same help output for an extended access list that filters services carried over UDP.

Example 6-2 UDP Services Filtered on Cisco IOS Routers

R1(config)#access-list 101 permit udp any any eq ?
  <0-65535>    Port number
  biff         Biff (mail notification, comsat, 512)
  bootpc       Bootstrap Protocol (BOOTP) client (68)
  bootps       Bootstrap Protocol (BOOTP) server (67)
  discard      Discard (9)
  dnsix        DNSIX security protocol auditing (195)
  domain       Domain Name Service (DNS, 53)
  echo         Echo (7)
  isakmp       Internet Security Association and Key Management Protocol (500)
  mobile-ip    Mobile IP registration (434)
  nameserver   IEN116 name service (obsolete, 42)
  netbios-dgm  NetBios datagram service (138)
  netbios-ns   NetBios name service (137)
  netbios-ss   NetBios session service (139)
  ntp          Network Time Protocol (123)
  pim-auto-rp  PIM Auto-RP (496)
  rip          Routing Information Protocol (router, in.routed, 520)
  snmp         Simple Network Management Protocol (161)
  snmptrap     SNMP Traps (162)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       System Logger (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  tftp         Trivial File Transfer Protocol (69)
  time         Time (37)
  who          Who service (rwho, 513)
  xdmcp        X Display Manager Control Protocol (177)

Examples 6-1 and 6-2 show that a network administrator has considerable flexibility when designing perimeter security around particular port numbers, as defined in RFC 1700 (the Assigned Numbers RFC, since superseded by the IANA port number registry).
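The controls listed in Table 6-1 and the port keywords from Examples 6-1 and 6-2 come together in the perimeter router's configuration. What follows is an added example written for this page, not taken from the chapter or from Cisco documentation, for the layout of Figure 6-1. It assumes the site's public prefix is 192.0.2.0/24, that the DMZ bastion hosts are 192.0.2.10 (web), 192.0.2.20 (mail) and 192.0.2.30 (DNS), that a syslog server sits at 192.0.2.50 and a management station at 192.0.2.40, that Serial0/0 is the ISP link and Ethernet0/0 faces the DMZ segment, and that the firewall behind the DMZ translates inside 10.1.0.0/16 addresses into the 192.0.2.0/24 prefix. Interface names, addresses, access list names and the RIP key string are all assumptions.

```cisco
! Added example: perimeter router filtering and hardening in Cisco IOS.
! Assumptions: public prefix 192.0.2.0/24; DMZ bastion hosts .10 (web),
! .20 (mail), .30 (DNS); syslog server .50; management station .40;
! Serial0/0 faces the ISP, Ethernet0/0 faces the DMZ segment; the firewall
! behind the DMZ translates inside 10.1.0.0/16 into the 192.0.2.0/24 prefix.
! The RIP key string is a placeholder.
!
! Services that Table 6-1 says to block are disabled on the router itself:
! IP source routing, finger, and the TCP/UDP small servers (echo, chargen,
! discard, daytime).
no ip source-route
no ip finger
no service tcp-small-servers
no service udp-small-servers
!
! Every denied packet is logged to an external syslog host.
logging host 192.0.2.50
logging trap informational
!
! Inbound from the Internet, applied on the ISP-facing interface.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: our own prefix never arrives from the outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark RFC 1918, loopback, multicast and broadcast sources are never valid
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 remark BOOTP, TFTP and UNIX traceroute probes (UDP 33434-33534) stop here
 deny   udp any any eq bootps log
 deny   udp any any eq bootpc log
 deny   udp any any eq tftp log
 deny   udp any any range 33434 33534 log
 remark SNMP and finger are never reachable from the outside
 deny   udp any any eq snmp log
 deny   udp any any eq snmptrap log
 deny   tcp any any eq finger log
 remark Replies to TCP sessions opened from the inside (ACK or RST bit set)
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark UDP has no established flag: DNS answers may return to high ports only
 permit udp any eq domain 192.0.2.0 0.0.0.255 gt 1023
 remark Only the required services, and only to the DMZ bastion hosts
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.20 eq smtp
 permit tcp any host 192.0.2.30 eq domain
 permit udp any host 192.0.2.30 eq domain
 remark ICMP needed for path MTU discovery and for ping/traceroute from inside
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 remark Explicit final deny so that dropped traffic is logged
 deny   ip any any log
!
! Outbound: only addresses we own may leave toward the Internet.
ip access-list extended DMZ-IN
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP (outside); ISP-assigned address omitted
 ip access-group OUTSIDE-IN in
 no ip directed-broadcast
 no ip redirects
!
interface Ethernet0/0
 description DMZ segment, firewall behind it
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-IN in
 no ip directed-broadcast
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
! Routing: static default toward the ISP; RIPv2 toward the firewall is
! MD5-authenticated and never spoken on the ISP link.
ip route 0.0.0.0 0.0.0.0 Serial0/0
key chain RIP-KEYS
 key 1
  key-string RipKey-example-only
router rip
 version 2
 network 192.0.2.0
 passive-interface Serial0/0
!
! Management: vty lines accept SSH only, and only from the management station
! (local user accounts or AAA are assumed to be configured separately).
access-list 10 permit host 192.0.2.40
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
 login local
```

Two points are easy to get wrong. Access lists are evaluated top down, so the anti-spoofing and private-address denies come first and the established line comes before the per-host permits; a permit placed above a deny silently defeats it. The explicit deny ip any any log at the end does the same thing as the implicit deny, but the implicit one never logs, and the logs are what tell you the perimeter is being probed.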

The growth of the Internet and the increased ease of information transfer have also meant a proliferation of network hacking tools; Whisker, Nmap, and strobe are three well-known examples, and a simple Internet search reveals many more. Firewalls are your first line of defense but should not be your last.

Intrusion detection systems (IDSs) are the next level of security now being added to secure IP networks, providing even greater awareness of IP packet flow through a network. IDSs are covered later in this chapter. The next section introduces basic NAT and PAT.
