A

Acceptable-encryption policies, 74
acceptable-use policies, 74
access, controlling, 127
access attacks, 91-92
access control
  Corporate Internet module, 203-204
  medium-sized network design, 242-243
access control lists (ACLs), SNMP, 144
Access Control Server (ACS). See ACS (Access Control Server)
access control servers, Campus modules, 49
access filtering, Layer 3 switches, 278
access switches, campus module, medium-sized network design, 249
access-group command, 226
accountability policies,...

About the Technical Reviewers

Greg Abelar is a seven-year veteran of Cisco Systems, Inc. Greg helped train and assemble the world-class Cisco Technical Assistance Center Security Organization. He is a sought-after speaker on the subject of security architecture. In addition, he founded, project managed, and contributed content to the CCIE Security Written Exam.

Steven Hanna is an education specialist at Cisco Systems, Inc., where he designs and develops training on Cisco network security products. Steven has more than eight...

Access Filtering

Access filtering within the Campus module takes place on the corporate servers and corporate users VLANs and the management VLAN in the configuration example that follows. This filtering is applied to the appropriate VLAN interface by using the ip access-group command.

! Apply RFC 2827 filtering to the corporate servers VLAN
interface Vlan11
 ip access-group 110 in
access-list 110 permit ip corporate-servers-network any
access-list 110 deny ip any any log
! Apply RFC 2827 filtering to the corporate...

Acknowledgments

Ido Dubrawsky:

Paul Grey, for being a wonderful co-author with me on this project. If you hadn't signed on to this, Paul, I certainly wasn't going to do it alone.

Michelle Grandin, acquisitions editor, who must have been biting her nails until the last day hoping I would get all of the chapters done on time. Also, thanks for finding me my co-author. Sorry for the added stress and thanks for sticking with me.

David Phillips, for hiring me at Cisco Systems, Inc., and letting me work with an...

Additional SAFE White Papers

Aside from the main SAFE white papers described previously in this chapter, the Cisco SAFE architecture design group has written additional white papers that cover several topics:

SAFE L2 Application Note: Discusses Layer 2 network attacks, their impact, and how to mitigate them.
SAFE SQL Slammer Worm Attack Mitigation: Covers the recent Microsoft SQL Slammer worm and various methods to mitigate its impact on a network.
SAFE Nimda Attack Mitigation: Covers the Nimda worm of September/October 2001 and...

Alternative Campus Module Designs

If the medium-sized network is small enough, you can eliminate the Layer 2 switches and connect all end-user workstations directly into the core switch. Private VLANs are still implemented to reduce the risk of attacks due to trust exploitation. If desired, you can replace the NIDS appliance with an IDS module in the core switch, which then provides higher traffic throughput into the IDS system. In the small network, the lack of a Layer 3 switch places additional emphasis on host and...

Alternative Implementations

The implementation examples shown so far have been based on the small network design model in which the small network is being used in a standalone or headend configuration. If the small network is considered a branch of a larger network, the implementation of the small network in this design model is slightly different from that previously discussed. These differences are as follows:

Corporate resources are normally centralized at the corporate headquarters; therefore, the use of a local public...

Alternative Medium-Sized Network Corporate Internet Module Designs

The medium-sized network blueprint provides for alternative placements of devices within the designs. For example, in the medium-sized network, you can implement a stateful firewall on the edge router. This has the added benefit of providing greater defense in depth to this module. Also, you can insert another NIDS just outside the firewall. This NIDS provides for important alarm information that normally is not seen because of the firewall. The NIDS device can also provide validation of the...

Answers to Scenario 181

1. Configure the router so that it reports to the syslog server. Syslog reporting is configured as follows:

2. Apply the Cisco IOS Firewall to the inside and outside interfaces using the name 'FIREWALL' and only allow inspection for TCP, UDP, FTP, and SMTP services. Enable the logging of session information. The correct configuration of the Cisco IOS Firewall is as follows:

FW(config)# ip inspect name FIREWALL tcp
FW(config)# ip inspect name FIREWALL udp
FW(config)# ip inspect name FIREWALL ftp
FW(config)#...

Answers to Scenario 182

1. On the public interface of the edge router, allow IPSec traffic from the remote-site peers 10.10.1.1 and 10.10.2.1 (not shown). Also allow remote-access VPN traffic. The edge router's public interface filtering is configured as follows:

edge_rtr(config)# access-list 100 permit udp host 10.10.1.1 host 172.31.254.2 eq isakmp
edge_rtr(config)# access-list 100 permit udp host 10.10.2.1 host 172.31.254.2 eq isakmp
edge_rtr(config)# access-list 100 permit esp host 10.10.1.1 host 172.31.254.2...

Answers to Scenario 183

1. On the core switch, configure the four VLANs that are shown, including their IP addressing. The correct configuration is as follows:

core_sw(config-if)# ip address 10.1.10.1 255.255.255.0
core_sw(config-if)# ip address 10.1.11.1 255.255.255.0
core_sw(config-if)# ip address 10.1.1.1 255.255.255.0
core_sw(config-if)# ip address 10.1.20.1 255.255.255.0

2. Apply RFC 2827 filtering to VLAN10, VLAN11, and VLAN20. The correct configuration is as follows:

core_sw(config)# access-list 110 permit ip 10.1.10.0...

Answers to Scenario 184

1. Sketch out a network design for this company based on the information provided. See Figure 18-5 for a network drawing.

Figure 18-5 Company XYZ Network Topology

NOTE An alternative to the solution shown in Figure 18-5 is to replace the PIX Firewall with a Cisco IOS Firewall router.

2. Company XYZ has 10 salespeople on staff who require network access to company resources from time to time while in the field. How can this be best achieved? Because the PIX...

Answers to Scenario 186

1. With reference to Figure 18-4, where would you deploy a NIDS and HIDS? NIDS sensors are normally deployed on VLAN B and VLAN C of the PIX Firewall. Deploying a NIDS sensor off a SPAN port on the core switch is also common practice.

2. In the edge router (ER), what type of mitigation can you apply to the public interface of the router? What are the commands to implement this action? It is normal practice to provide IP address spoofing mitigation and basic filtering on the public interface of...

Anti-DoS Features

The implementation of TCP intercept on Cisco routers also helps to mitigate DoS attacks, specifically attacks such as TCP SYN floods. Firewalls can also provide some measure of defense against TCP SYN floods by limiting the number of half-open connections permitted per host. TCP intercept works by requiring the router to intercept or catch the incoming TCP SYN requests from a client. The router responds to the SYN request by sending a SYN-ACK packet back and waiting for the client's final TCP...

Antispoof Features

Antispoof features depend on RFC 2827 filtering. In short, although RFC 2827 is written mainly from an ISP perspective, it is equally applicable to networks of any size. RFC 2827 calls for filtering at the edge of the ISP network where customer networks connect. Traffic should be filtered at the edge by restricting outbound traffic to only those prefixes that are assigned to the customer. For example, in Figure 8-2, the ISP has assigned customer A the range 192.168.100.0/24 and customer B the...

Application Hardening

Application hardening involves staying current on patches for all applications and reducing any information the applications may provide through service banners. It is possible to configure sendmail, a popular mail transport agent (MTA), so that it does not announce its version number when another MTA connects to it. Similarly, many Telnet and FTP daemons can be configured not to announce the operating system type or version number when a client connects. Removing banner information from the...

Applications Are Targets

Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor HTTP 404 File Not Found error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that...

Authentication and Authorization for Access to Critical Resources

There are two primary methods of access control: authentication and authorization. Authentication is the process by which a user or a device proves the validity of their identification to an authoritative source. This source can be the login process on a host, the access device of a network, an application such as a database or web server, or one of a wide range of other systems on a network. Authorization is the process by which a user provides the credentials that prove that she has sufficient...

Book Content Updates

Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at http://www.ciscopress.com/1587200899. It's a good idea to check the website a couple of weeks before taking your exam, to review any updated content that may be posted online. We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be...

Branch Versus Headend/Standalone Considerations for Medium-Sized Networks

If an IPSec VPN is used to connect to the corporate headquarters, it is possible to omit the WAN module from the design. If the corporate headquarters provides the services, a VPN concentrator or dial-access router might not be needed for remote-access services. Management servers and hosts are normally located at the corporate headquarters, which means that management traffic must traverse either the private WAN link or the IPSec VPN connection. Management traffic can easily flow across the...

Buffer Overflow

Another type of application layer attack is the buffer overflow, which is made possible by improper bounds checking of input data in a program. By sending properly crafted data to the program, the attacker is able to redirect the program to execute code of the attacker's choice. This typically results in the creation of a shell for the attacker to then gain access to the system. Buffer overflows can also result in a DoS as in the case of many of the BIND exploits and the Solaris snmpXdmid...

Campus Module in Medium-Sized Networks

The Campus module of the medium-sized network design provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 and Layer 3 functionality that is required by the network. The various key devices that make up the Campus module are described in Table 15-6.

Provides authentication services to the network devices
Provides services to internal users, such as e-mail, file, and printing services
Provides Layer 2 connectivity and supports private VLANs...

Campus Module in Small Networks

The Campus module of the small network design, which is shown in Figure 13-4, provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality via a single switch.

Figure 13-4 Small Network Campus Module

Four key devices make up the Campus module, which are highlighted in Table 13-5.

Provides services to internal users such as e-mail, file, and printing services
Provides Layer 2 connectivity and also supports private VLANs
Provides...

CCSP CSI Exam Certification Guide

Published by Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
Library...

Characteristics of a Good Security Policy

There are three primary characteristics of a good security policy:

Most important, the policy must be enforceable and it must apply to everyone.
The policy must be capable of being implemented through system administration procedures and through the publication of acceptable-use guidelines or other appropriate methods.
The policy must clearly define the areas of responsibility and the roles of users, administrators, and management.

Failure to meet these three requirements seriously weakens the...

Cisco AVVID

This section looks at the design concept of the Cisco AVVID. Cisco AVVID is the only enterprise-wide, standards-based network architecture that provides the foundation for today's converged networks. Cisco AVVID provides the roadmap for combining your business and technology strategies into one cohesive model and encompasses the following:

Cisco AVVID provides the baseline infrastructure that enables enterprises to design networks that scale to meet Internet business demands while delivering the...

Cisco IOS Firewall Implementation

The Cisco IOS stateful firewall is implemented as follows:

Step 1 Because the router is configured with a public services segment or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is configured for traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is set up for traffic from the Internet that is destined for the DMZ only. The following commands configure the...

Cisco Network Core Security Products

In the previous chapter, Cisco Perimeter Security Products, you learned about the specific products available from the Cisco Secure security portfolio that are used to secure the perimeter of a network and those products that provide intrusion detection facilities for the network. In this second chapter on the Cisco Secure product portfolio, we look at securing network connectivity, securing identity, security management, and Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

Cisco Perimeter Security Products

The Cisco security strategy is to embed security throughout the network and integrate security services in all its products, making network security a transparent, scalable, and manageable aspect of any business infrastructure. The Cisco Secure product range combines a management framework, hardware devices, identity services, software functionalities, and applications into a single, secure infrastructure. This is the first of two chapters that provide an overview of the Cisco Secure product...

Cisco Secure IDS Sensors

An IDS sensor can exist in one of two forms: a dedicated hardware device or a software agent that resides on a specific host. The hardware version of the sensor is directly connected to a segment of the network that requires monitoring, whereas the software version resides on each specific host that requires monitoring. These two types of IDS sensor give rise to what is commonly called network IDS (NIDS) and host IDS (HIDS), respectively. A NIDS is designed to support multiple hosts and uses...

Cisco Secure Intrusion Detection System

The Cisco Secure IDS is a real-time intrusion detection system that is designed for enterprise and service provider deployments. It monitors all inbound and outbound network activity on selected segments within a network. The system uses a signature database and looks for predetermined patterns of traffic flow that may indicate a network or system attack from someone attempting to break into or compromise a system. Using this information, the system detects, reports, and can terminate...

Cisco Secure PIX Firewall

VPN functionality is provided within the Cisco Secure PIX Firewall product range and uses the industry-standard IPSec protocol suite to enable advanced VPN features. The PIX Firewall's IPSec implementation is based on the same Cisco IOS IPSec found on Cisco routers. It provides high-performance VPN connectivity using 3DES encryption under most normal load conditions. Cisco Secure PIX Firewalls support both site-to-site VPNs between IPSec-compliant devices and client-to-site VPNs that terminate...

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM), formerly Cisco Security Manager, is a centralized, scalable, comprehensive security policy management application for the Cisco Secure security portfolio. CSPM provides the administrator of a network the tools to centrally manage Cisco Secure PIX Firewalls, routers running Cisco IOS Firewall, Cisco IPSec VPN-enabled routers, and Cisco IDS sensors. The CSPM's topology-based GUI allows administrators to visually define high-level security policies for multiple...

Cisco Secure Scanner

The Cisco Secure Scanner is a software application that offers a complete suite of network scanning tools and is designed to run on either the Windows or Solaris operating systems. The product was formerly called Cisco NetSonar. This software suite provides the ability to configure a specific host on the network to become what is referred to as a network scanner. This scanning host is then capable of scanning all or a specific part of the network for known security threats. This makes the...

Cisco VPN 3000 Series Concentrator

The Cisco VPN 3000 Series Concentrator is a range of purpose-built, remote-access VPN devices that provide high performance, high availability, and scalability. The Cisco VPN 3000 Series Concentrator uses the most advanced state-of-the-art encryption and authentication techniques that are currently available within the industry. The Cisco VPN 3000 Series Concentrator includes models that support a range of enterprise customers, from small businesses requiring 100 or fewer concurrent VPN...

Cisco VPN Client

In the Cisco VPN Client option, the design emphasis is on the mobile or home-office worker. In this model, it is assumed that the user has the Cisco VPN Client installed on his PC, and Internet connectivity is provided from either an ISP dial-up connection or via the LAN. The Cisco VPN Client provides the means to establish a secure, encrypted IPSec tunnel from the client's PC to the VPN headend device located at corporate headquarters. Access and authorization to the corporate network is...

Cisco VPN-Enabled Routers

The Cisco IOS Software running in Cisco routers provides feature-rich IPSec VPN services with industry-leading routing and delivers a comprehensive VPN routing solution. The Cisco IOS Software combines IPSec VPN enhancements, such as strong 3DES encryption authentication using either digital certificates or preshared keys, with robust firewall, intrusion detection, and secure administrative capabilities. The actual capability of the router to establish an IPSec VPN connection is determined by...

Classifying Rudimentary Network Attacks

This chapter covers a wide range of attacks, including reconnaissance attacks, unauthorized access, denial of service (DoS) attacks, application layer attacks, and trust exploitation attacks. All of these attacks are designed for one of two purposes: to gain access to a system or network, or to deny access to a system or network to legitimate users. To understand how to defend against these attacks, you first must understand how the attacks work. Therefore, each of these attacks is covered...

Classifying Sophisticated Network Attacks

This chapter continues the analysis of various network attacks introduced in Chapter 6, Classifying Rudimentary Network Attacks. Many of the attacks covered in this chapter typically require that the attacker have software skills that are more advanced than the skills needed to execute the attacks described in Chapter 6. The attacks covered in this chapter include IP spoofing attacks, traffic sniffing, password attacks, man-in-the-middle attacks, port redirection, and virus and Trojan-horse...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference, as follows:

Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets indicate optional elements.
Braces indicate a required choice.
Braces within brackets ([{ }]) indicate a required choice within an optional element.
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not...

Components of SAFE Medium-Sized Network Design

Within the SAFE SMR model, the medium-sized network design consists of three modules. Figure 15-1 shows six modules; however, the Public Switched Telephone Network (PSTN), Internet Service Provider (ISP), and Frame Relay/ATM modules are shown for clarity but are not considered a part of the medium-sized network design model.

Figure 15-1 Medium-Sized Network Model (panel labels: ISP Module, Corporate Internet Module)

As with the small...

Components of SAFE Small Network Design

The following two modules and their associated devices, shown in Figure 13-1, make up the small network design:

NOTE Figure 13-1 also shows an ISP module, for clarity, but it is not considered a part of the small network design model.

The Corporate Internet module provides connectivity to the Internet and terminates any VPN connectivity. Traffic for public services such as mail, web, file transfer, and name lookups is also terminated at the Corporate Internet module. The Campus module...

Configuration Options for Remote User Network Design

Within the SAFE SMR model, the remote-user network design consists of four possible module options. Table 17-2 describes each of the preceding options.

Table 17-2 Remote-User Network Design Options

The remote site is protected by a dedicated firewall, which is IPSec-VPN enabled. WAN connectivity is provided by a broadband access device supplied by an ISP.
The remote site uses a router that has both firewall and IPSec-VPN functionality. The router...

Contents

Foreword xxii
Introduction xxiii
Part I Cisco SAFE Overview 3
SAFE: A Security Blueprint for Enterprise Networks
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks 7
SAFE VPN: IPSec Virtual Private Networks in Depth 9
SAFE: Wireless LAN Security in Depth-Version 2 10
SAFE: IP Telephony Security in Depth 10
Additional SAFE White Papers 11
Looking Toward the Future 11
Chapter 2 SAFE Design Fundamentals 13
Do I Know This Already? Quiz 13
Foundation Topics 17
Security and...

Contents at a Glance

Chapter 2 SAFE Design Fundamentals 13
Chapter 3 SAFE Design Concepts 27
Chapter 4 Understanding SAFE Network Modules 43
Part II Understanding Security Risks and Mitigation Techniques 65
Chapter 5 Defining a Security Policy 67
Chapter 6 Classifying Rudimentary Network Attacks 85
Chapter 7 Classifying Sophisticated Network Attacks 97
Chapter 8 Mitigating Rudimentary Network Attacks 109
Chapter 9 Mitigating Sophisticated Network Attacks 123
Chapter 10 Network Management 135
Part III Cisco Security...

Corporate Internet Module in Medium-Sized Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity as well as traffic from traditional dial-in users. The various key devices that make up the Corporate Internet module are outlined in Table 15-2.

Table 15-2 Corporate Internet Module Devices

Terminates analog...

Corporate Internet Module in Small Networks

The Corporate Internet module provides internal users connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity. Several key devices make up the Corporate Internet module. These devices are described in Table 13-2.

Table 13-2 Corporate Internet Module Devices

Acts as a relay...

Cost-Effective Deployment

While security is an integral component of today's network architecture, it must be deployed and integrated in a cost-effective manner. The high price of equipment and implementation can become an impediment. The blueprint SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks integrates functionality within various network devices, lowering the cost of security deployment. As in any given architecture, choosing whether to use a network device's integrated...

CSI Exam Blueprint

The CSI exam focuses on the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks blueprint (SAFE SMR for short), published in 2001. This blueprint covers designing and securing small and medium-sized networks and providing secure network access to remote users, such as mobile workers and telecommuters. The CSI course provides the knowledge and skills needed to implement and use the principles and axioms presented in the SAFE SMR white paper. The course primarily...

D

Data manipulation attacks, 158 DDoS (distributed denial of service) attacks, 91 mitigating, medium-sized networks, 265 medium-sized network design, 233, 237-238 branches, 251 Campus module, 246-250 Corporate Internet module, considerations, 251 WAN module, 250-251 remote network design, 283, 287-292 configuration, 287-288 design guidelines, 290-292 devices, 288-289 threat mitigation, 288, 290 SAFE blueprints, 17, 31-32 access authorization, 18 architecture, 31 authentication, 18-19 axioms,...

Dedications

I wish to thank my beloved wife, Diana, for putting up with all of the late nights and time lost together working on this project; she is truly an Eishet Chayil to me. I would also like to thank my three wonderful children, Isaac, Hadas, and Rinat, for being as good and as understanding as they are when daddy can't spend as much time as they would like playing with them and being with them. I also wish to thank my parents, Chagai and Nechama Dubrawsky, as well as my sister, Malka, and my brother...

Defining a Security Policy

The first step in implementing security in a networked environment is to determine how that security will be defined and enforced. A security policy provides the overall framework for the network security implementation and provides the rationale and the motive for the guidelines and procedures that will be used. The security policy is the blueprint, or constitution, that describes in broad terms how security will be conducted in the network. Without a security policy, efforts to implement and...

Denial of Service Attacks

DoS attacks are not aimed at gaining access to a network or the information on a network but rather at making a service or a network unavailable to legitimate users. DoS attacks fall into two general categories:

Nondistributed denial of service: These attacks are directed against a specific service such as Telnet, FTP, or some other service.
Distributed denial of service (DDoS): These attacks are directed at a specific host or network with the aim of preventing access to the target by consuming...

Design Alternatives

The Corporate Internet module discussed in the previous section can have a number of alternative designs, which are summarized in the following list and then explored in more detail:

The basic filtering of the edge router can be replaced with the advanced functionality of a Cisco IOS Firewall router.
A NIDS appliance can be placed on the outside of the firewall.
The inside router located between the firewall and the Campus module can be removed.
A form of content inspection can be added, such as...

Design Alternatives for the Corporate Internet Module

Usual deviations from these design guidelines normally include the breaking out of the functional components in the network from a single device to individual, specific devices or an increase in network capacity. When these functions are broken out, the design begins to take on the look of the medium-sized network design, which is discussed in Chapter 16, Implementing Medium-Sized SAFE Networks. Before you decide that you have to adopt the complete design for a medium-sized network, however, it...

Design Considerations

The Cisco Security Products Portfolio offers a wide diversity of products with an equally wide range of features and functionality. Consequently, the network architect gains an unusually high level of flexibility in the products that are available to satisfy any particular security requirements that are needed in a design. Common factors affecting the choice of products in any design are as follows:

Network architects consider these factors when choosing products to meet a specific customer...

Design Guidelines

The Corporate Internet module in the medium-sized network design consists of the following key devices, which have different functional roles within the design:

ISP router: Provides Internet connectivity
Edge router: Provides a demarcation point between the ISP and the network
Firewall: Provides stateful filtering and site-to-site VPN termination
Intrusion detection: Detects attacks from permitted firewall traffic
Remote-access VPN: Provides secure connectivity for remote users
Dial-in access users...

Design Guidelines for the Campus Module

The small network Campus module provides connectivity for the corporate and management servers and also corporate users. Private VLANs can be used within the switch to mitigate trust-exploitation attacks between the devices. For example, corporate users might not require inter-user communications and only need to communicate directly with corporate servers. This functionality can be provided by using private VLANs. Because...

Designing Medium-Sized SAFE Networks

As mentioned in Chapter 13, Designing Small SAFE Networks, the principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks and uses a modular format to combat security threats. This enables the creation of scalable, corporate-wide security solutions. In this second of three chapters covering the...

Designing Remote SAFE Networks

As mentioned in Chapter 13, Designing Small SAFE Networks, and Chapter 15, Designing Medium-Sized SAFE Networks, the principal goal of the Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks. SAFE combats security threats on a modular basis, which enables network architects to create scalable, corporate-wide...

Designing Small SAFE Networks

The principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks. SAFE blueprints combat security threats by using a modular method that allows for the creation of a scalable, corporate-wide security solution. This is the first of three chapters that cover the specific design requirements of the SAFE...

Distributed Denial of Service Attacks

DDoS attacks attempt to inflict damage by flooding the network or the host with useless and undesired traffic. In this type of attack, the attacker gains control of hosts on networks other than the target and installs software on those hosts to control them. Typically, these hosts are considered zombies, slaves, or agents. The hosts that are between the attacker's computer and the agents are known as handlers or masters. The attacker may have developed this additional layer to make it harder to...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 2-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz questions that...


Exam Registration

The CSI exam is a computer-based exam, with multiple-choice, fill-in-the-blank, list-in-order, and simulation-based questions. You can take the exam at any Pearson VUE (http://www.pearsonvue.com) or Prometric (http://www.2test.com) testing center. Your testing center can tell you the exact length of the exam. Be aware that when you register for the exam, you might be told to allow a certain amount of time to take the exam that is longer than the testing time indicated by the testing software when...

Examining SAFE Design Fundamentals

Because an organization's network tends to evolve gradually as the organization's IT requirements increase, many organizations do not have an overall design concept or philosophy in place that guides network growth, the result of which is that networks become less secure and more difficult to manage and troubleshoot as they grow. The SAFE design philosophy is modular, and modularity enhances the flexibility, manageability, and security of a network. This approach has two significant advantages...

Features of This Book

Do I Know This Already Quiz Each chapter begins with a quiz that helps you determine the amount of time you need to spend studying that chapter. The first table in each chapter outlines the major topics discussed and the Do I Know This Already quiz questions that correspond to those topics. After completing the quiz, use this table to help determine which topics of the chapter you need to focus on most. Foundation Topics This is the core section of each chapter that explains the protocols,...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

File Management Protocols Trivial File Transfer Protocol

TFTP is a TCP/IP file transfer protocol and is commonly used by many network devices to transfer configuration or system files across a network. Unlike FTP, TFTP does not have any directory or password capabilities. Data is sent in clear text, which leaves a TFTP transfer susceptible to a packet-sniffing attack; this can lead to sensitive data or configuration information being obtained. TFTP uses UDP port 69 for control and uses the higher UDP ports, greater than 1023, for the data stream...
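The following Python is an added example (not code from the book) that makes the clear-text exposure concrete: it decodes TFTP datagrams as laid out in RFC 1350 (2-byte opcode, then NUL-terminated filename and mode for requests, or block number plus data) and flags requests on UDP port 69 that read or write configuration files. The sample datagrams and the filename hints ("confg", "config", ".cfg") are constructed assumptions; adjust them to your own device naming.

```python
"""Decode TFTP (RFC 1350) datagrams and flag clear-text configuration transfers.

Added example, not code from the book. SAMPLE_DATAGRAMS and CONFIG_HINTS are
constructed assumptions for demonstration.
"""
import struct
from typing import Dict, List, Tuple

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Substrings that commonly appear in router/switch configuration file names
# (assumption; Cisco devices default to '<hostname>-confg').
CONFIG_HINTS = ("confg", "config", ".cfg")


def parse_tftp(payload: bytes) -> Dict:
    """Return a dict describing one TFTP packet; raise ValueError if malformed."""
    if len(payload) < 2:
        raise ValueError("too short for an opcode")
    (opcode,) = struct.unpack("!H", payload[:2])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        # Filename and mode are NUL-terminated strings, sent in the clear.
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:  # filename, mode, and the empty piece after the last NUL
            raise ValueError("truncated request")
        return {"op": kind,
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if kind in ("DATA", "ACK"):
        if len(payload) < 4:
            raise ValueError("truncated %s" % kind)
        (block,) = struct.unpack("!H", payload[2:4])
        pkt = {"op": kind, "block": block}
        if kind == "DATA":
            pkt["data"] = payload[4:]              # file contents, also in the clear
            pkt["last"] = len(pkt["data"]) < 512   # a short block ends the transfer
        return pkt
    if kind == "ERROR":
        if len(payload) < 4:
            raise ValueError("truncated ERROR")
        (code,) = struct.unpack("!H", payload[2:4])
        return {"op": kind, "code": code,
                "message": payload[4:].split(b"\x00")[0].decode("ascii", "replace")}
    raise ValueError("unknown opcode %d" % opcode)


def find_config_transfers(datagrams: List[Tuple[str, str, int, bytes]]) -> List[str]:
    """Scan (src_ip, dst_ip, dst_port, payload) tuples and report configuration
    reads/writes requested on the TFTP control port."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != TFTP_PORT:
            continue  # DATA/ACK blocks flow on ephemeral ports; requests do not
        try:
            pkt = parse_tftp(payload)
        except ValueError:
            continue
        if pkt["op"] in ("RRQ", "WRQ") and any(h in pkt["filename"].lower() for h in CONFIG_HINTS):
            verb = "read" if pkt["op"] == "RRQ" else "write"
            alerts.append(f"{src} -> {dst}: TFTP {verb} of {pkt['filename']!r} ({pkt['mode']})")
    return alerts


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a read request; used here only to construct sample traffic."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample traffic (not a real capture): a management host fetching a
# router's configuration, an image download, a data block, and junk.
SAMPLE_DATAGRAMS = [
    ("10.1.1.50", "10.1.1.1", 69, rrq("router1-confg")),
    ("10.1.1.50", "10.1.1.1", 69, rrq("c2950-i6q4l2-mz.bin")),
    ("10.1.1.1", "10.1.1.50", 60001,
     struct.pack("!HH", 3, 1) + b"hostname router1\nenable password cisco123\n"),
    ("10.1.1.60", "10.1.1.1", 69, b"\x00\x09garbage"),
]

if __name__ == "__main__":
    for alert in find_config_transfers(SAMPLE_DATAGRAMS):
        print(alert)
```

The DATA block in the sample shows why the book recommends keeping TFTP on the management VLAN only: the configuration text, including any password, is readable by anyone who can sniff the segment.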

Firewalls

By definition, a firewall is a system or group of systems designed to prevent unauthorized access to or from a private network. Firewalls are generally implemented as a hardware device, but software versions are also available. The method by which firewalls operate can be based on one of three technologies:

Packet filtering: Limits the information that is permitted into a network based on the destination and source address.

Proxy server: Requests connections between a client on the inside of the...

Foreword

CCSP CSI Exam Certification Guide is a complete study tool for the CCSP CSI exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills to implement appropriate technologies to build secure networks based on the Cisco Systems SAFE Blueprint. This book was developed in cooperation with the Cisco Internet Learning Solutions...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each Foundation Summary section before taking the exam. The heart of SAFE is the inclusion of security throughout the network and within the end systems themselves. To that end, the original SAFE Enterprise document used several...

Foundation Topics

The design philosophy behind the SAFE blueprint was first introduced in Chapter 2, SAFE Design Fundamentals. This chapter builds on the objectives of that design philosophy by combining them with the desired network functionality required for a small network. The small network is like most networks connected to the Internet. Internal users require access to external resources, whereas external users might need access to internal resources. Consequently, this can leave the network open to...

General Implementation Recommendations

In the SAFE small network implementation, we will look at the specific configuration requirements for the following components:

Internet service provider (ISP) router

These three components are the major networked devices that can be used within the small network. Technically, the ISP router is not part of the small network design, but because it plays a major role in the overall design aspects, it is included here for completeness. Also, the functionality of the ISP router can be integrated in...


Host Intrusion Detection System Overview

An in-depth look at the implementation of a HIDS is beyond the scope of this book. Furthermore, the configuration that is required to implement any HIDS depends on the software that is used. Within the medium-sized network design, HIDSs are implemented on all servers, as shown in Figure 16-1. A HIDS is a host-based, real-time, intrusion-prevention and security-enforcement system that is designed to protect system resources and applications. The main installed elements of a HIDS are the...

Hosts Are Targets

Hosts are the most frequently targeted aspects of a network. They represent the most visible target to an attacker and the biggest security problem for an administrator. Attackers see hosts as the most valuable target because of the applications that are run on them, the data that is stored on them, and the fact that they can be used as launch points to other destinations. Because hosts are highly visible and consist of numerous different combinations of hardware platforms, operating systems,...


Identity Management Cisco Secure Access Control Server

As networks and network security have evolved, so too have the methods of controlling access to these networks and their associated resources. Traditionally, a static username and password were considered adequate to secure access to the corporate network. However, with time and the enterprise's need for stronger security, stronger techniques, such as one-time passwords, have been introduced. One of the most significant problems in securing distributed systems is...

IDS Implementation

The implementation of basic Cisco IOS IDS services, with reporting to the syslog server, is achieved on the Cisco IOS Firewall router by following these steps:

Step 1 Define the audit rules. Informational signatures only generate an alarm; attack signatures generate an alarm, drop the packet, and reset the connection:

ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset

Step 2 Apply the IDS rules to each interface that requires monitoring by using the command ip audit IDS in.

IDS Management Console

The IDS management console (MC) is the platform that provides a single GUI management interface for the administrator. All IDS sensors report to this platform, and it is used to configure, log, and display alarms that are generated by the sensors. IDS management consoles are available through the following platforms Cisco Secure Policy Manager (CSPM) Cisco Secure IDS Director (CSID) CiscoWorks VPN Security Management Solution (VMS) You can find more detailed information about the Cisco Secure...

IIS Directory Traversal Vulnerability

One of the most widely known targets of an application layer attack is the Microsoft Internet Information Server (IIS) directory traversal vulnerability, also known as the UNICODE attack. An attacker who exploits this vulnerability is capable of reading directories on the server outside of the web root directory. This allows the attacker to view files that would normally be inaccessible. It also allows the attacker to run certain commands, such as tftp, to further compromise the host. This can all be...
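To make the encoding trick behind this vulnerability concrete, the following Python is an added detection example (not code from the book or from Microsoft). It canonicalizes a request path by percent-decoding it a bounded number of times (so a double-encoded "%255c" becomes "\"), folding the overlong two-byte UTF-8 forms "%c0%af" ("/") and "%c1%9c" ("\") that a strict decoder would reject, normalizing backslashes, and then checking whether the path climbs above the web root. The request lines it scans are constructed samples, and the check is general: it flags any encoded traversal, not only the UNICODE variant.

```python
"""Detect directory-traversal requests hidden behind percent-encoding,
overlong UTF-8 ('%c0%af'), backslashes, or double encoding.

Added example, not code from the book. SAMPLE_REQUESTS are constructed
log lines, not captured traffic.
"""
from typing import List
from urllib.parse import unquote_to_bytes


def _decode_overlong(b: bytes) -> bytes:
    """Map 2-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) back to the
    ASCII byte they encode. Strict decoders reject these; the vulnerable
    IIS decoder accepted them after its path check had already run."""
    out = bytearray()
    i = 0
    while i < len(b):
        c = b[i]
        if c in (0xC0, 0xC1) and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            # C0 AF -> 0x2F '/', C1 9C -> 0x5C '\'
            out.append(((c & 0x1F) << 6) | (b[i + 1] & 0x3F))
            i += 2
        else:
            out.append(c)
            i += 1
    return bytes(out)


def canonical_path(raw_path: str, max_rounds: int = 2) -> str:
    """Percent-decode up to max_rounds times (so '%255c' -> '%5c' -> '\\'),
    fold overlong UTF-8 after each round, then normalise '\\' to '/'."""
    b = raw_path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        nb = _decode_overlong(unquote_to_bytes(b))
        if nb == b:
            break
        b = nb
    return b.decode("latin-1").replace("\\", "/")


def escapes_webroot(raw_path: str) -> bool:
    """True when the canonical path climbs above the web root at any point."""
    path = canonical_path(raw_path).split("?", 1)[0]   # ignore the query string
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_request_lines(lines: List[str]) -> List[str]:
    """Return the request lines ('METHOD target HTTP/x.y') whose target escapes the web root."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and escapes_webroot(parts[1]):
            hits.append(line)
    return hits


# Constructed samples: two encoded traversals, one double-encoded, one
# percent-encoded dot pair, and two benign requests that must not be flagged.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/app/../default.asp HTTP/1.1",
    "GET /images/logo.gif HTTP/1.1",
    "GET /docs/%2e%2e/%2e%2e/boot.ini HTTP/1.0",
]

if __name__ == "__main__":
    for hit in scan_request_lines(SAMPLE_REQUESTS):
        print("traversal:", hit)
```

Two rounds of decoding is a deliberate detection-side choice: it catches double-encoding at the cost of occasionally flagging a legitimate literal "%25" in a path, which is an acceptable trade for an IDS rule but not for a server's own path handling, which should decode exactly once and then validate.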

Implementing Medium-Sized SAFE Networks

In Chapter 15, Designing Medium-Sized SAFE Networks, you looked in detail at the design requirements and guidelines that are recommended to secure the medium-sized network. In this chapter, you use an understanding of those design recommendations to examine the specific configuration requirements to achieve the desired functionality for each component of the medium-sized network. NOTE The configuration that is shown in this chapter highlights only the code that is required to achieve the...

Implementing Small SAFE Networks

In Chapter 13, Designing Small SAFE Networks, you looked in detail at the small network design requirements and guidelines that are recommended to secure a small network. In this chapter, you use those design recommendations as a basis for examining the specific configuration requirements that are necessary to achieve the desired functionality for each component of a small network. NOTE The configuration shown in this chapter highlights only the code that is required to achieve the specific...

In-Band Network Management

The term in-band network management refers to the flow of management traffic that follows the same path as normal network data. In-band managed devices support various methods and protocols that facilitate remote management of the device while using the normal data flow. The section Network Management Protocols, later in the chapter, provides more details on the protocols that provide this functionality. Because management information is flowing over the same path as data traffic, in-band...

Info

Finally, in the SAFE remote-user network blueprint, shown in Figure 1-4, the focus is on the flexibility of the designs. The objectives of SAFE can be met through more than one implementation method.

Figure 1-4 (labels recovered from the figure): Broadband Access Device (Optional); VPN Software Client with Personal Firewall; Home Office; Firewall with VPN; Broadband Access Device (Optional).

Inside Interface Filtering

By using an ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the access-group command. You should consider using the following common ACL definitions.

Allow management access to the public services network devices:

access-list inside_access_in permit tcp host management-host-IP host PS-device-IP eq 22

Allow internal user access to public services such as web and FTP services:

access-list inside_access_in permit tcp...

Internal Threats

Internal threats are typically from disgruntled former or current employees. Internal threats can be structured or unstructured in nature. Structured internal threats represent an extreme danger to enterprise networks because the attacker already has access to the network. The focus of their efforts often is in the elevation of their privilege level from that of a user to an administrator. Although internal threats may seem more ominous than threats from external sources, security measures are...

Internal Traffic Filtering

By using an inbound ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the command ip access-group 120 in. You should consider using the following common access list definitions.

Allow SSH management access to the public services network devices:

access-list 120 permit tcp host management-host-IP host PS-device-IP eq 22

Allow internal user access to the public services, such as web and FTP services:

access-list 120...

Intrusion Detection for Critical Resources and Subnets

Intrusion detection has emerged as one of the critical network technologies that are necessary to properly secure a network. The following are the two general categories of IDSs, which are discussed in the next sections A HIDS is software that is installed and runs on end systems such as servers, desktops, and laptops. The function of a HIDS is to provide a last line of defense if the NIDS misses an attack, which can occur if either the NIDS's signature database is out of date or the attacker...

IP Spoofing

IP spoofing occurs when attackers, whether within a network or outside a network, attempt to gain access to a restricted resource by disguising the IP address of their systems as that of other systems. The system being spoofed by the attacker has access to the restricted resource and the restriction is solely based on the source IP address of the communication. Typically, IP spoofing is carried out by injecting data into a pre-existing communication channel between two systems to gain...

IP Spoofing Attacks

IP spoofing mitigation can be provided at the egress of the ISP router through the use of RFC 1918 and RFC 2827 filtering. The implementation of these filters is described in the sections that follow. RFC 1918 filtering prevents source address spoofing of the private address ranges, as shown in the following sample configuration:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list...

ISP Traffic Filtering

By using an inbound ACL, you can filter traffic that is arriving from the ISP router. This filtering is applied to the public services interface by using the command ip access-group 140 in. You should consider using the following common ACL definitions.

Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.

access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip...
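The RFC 1918 entries in the IP Spoofing Attacks section and in this ISP Traffic Filtering section both rely on IOS wildcard masks, which are inverse masks (a 1 bit means "don't care"), and on first-match evaluation with an implicit deny at the end. The following Python is an added example (not configuration or code from the book) that parses entries of the form "access-list N {permit|deny} ip SRC DST [log]" and evaluates packets against them, so the effect of 0.15.255.255 covering 172.16.0.0 through 172.31.255.255 can be checked directly. The ACL it uses takes the book's three RFC 1918 lines and adds two assumptions: an RFC 2827 entry denying the enterprise's own prefix as a source (198.51.100.0/24, a documentation range standing in for your public block) and a closing permit. Entries with TCP/UDP ports, such as the eq 22 rules in the inside-interface sections, are outside what this small parser handles.

```python
"""Evaluate Cisco IOS extended access-list entries (protocol 'ip' only) with
IOS wildcard-mask and first-match semantics.

Added example, not configuration from the book. ANTI_SPOOF_ACL combines the
book's RFC 1918 lines with an assumed RFC 2827 line (our own prefix taken to
be 198.51.100.0/24) and an assumed final permit.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    src: int
    src_wc: int   # wildcard mask: set bits are ignored when matching
    dst: int
    dst_wc: int
    log: bool


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (addr, wc, next)."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N {permit|deny} ip SRC DST [log]' lines, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # blank lines and anything that is not an ACL entry
        if len(tok) < 6 or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError("unsupported entry: %s" % line)
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, i = _parse_addr(tok, i)
        entries.append(Entry(tok[2], src, src_wc, dst, dst_wc, "log" in tok[i:]))
    return entries


def wildcard_match(addr: int, wildcard: int, value: int) -> bool:
    """IOS semantics: every bit that is 0 in the wildcard must match exactly."""
    return (addr ^ value) & (~wildcard & ALL_ONES) == 0


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number) of the first match, or the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, e in enumerate(entries, start=1):
        if wildcard_match(e.src, e.src_wc, s) and wildcard_match(e.dst, e.dst_wc, d):
            return e.action, n
    return "deny", None


def wildcard_for_prefix(prefixlen: int) -> str:
    """Derive the IOS wildcard for a prefix length: /12 -> 0.15.255.255, /16 -> 0.0.255.255."""
    netmask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return str(ipaddress.IPv4Address(~netmask & ALL_ONES))


ANTI_SPOOF_ACL = """
access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip 192.168.0.0 0.0.255.255 any
access-list 140 deny ip 198.51.100.0 0.0.0.255 any log
access-list 140 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(ANTI_SPOOF_ACL)
    for src in ("10.1.2.3", "172.31.0.1", "172.32.0.1", "198.51.100.7", "203.0.113.9"):
        print(src, "->", evaluate(acl, src, "198.51.100.10"))
```

Note that 172.32.0.1 is permitted while 172.31.0.1 is denied: the /12 wildcard 0.15.255.255 ends the private block at 172.31.255.255, which is the kind of boundary worth testing before an ACL goes on an edge router.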

Key Campus Module Devices

There are significant differences between the Campus module design for the small network and that for the medium-sized network, summarized in Table 4-2. The key devices in the small network Campus module are the Layer 2 switches. In the medium-sized network, there are several key devices, including Layer 2 and Layer 3 switches and an IDS. The functions of these devices along with management hosts are described in the following sections.

Table 4-2 Key Devices in the Campus Module...

Key Devices for Remote User Networks

Each of the options presented in Table 17-2 can use a variety of key devices within each model of the remote-user network design. These devices are described in Table 17-3.

Provides connectivity to the broadband network.
Provides connectivity between local network devices. This can be a standalone device or integrated within the VPN hardware device.
Provides local network protection through stateful filtering of traffic.
Provides secure VPNs via IPSec tunnels between the headend and local site....


Man-in-the-Middle Attacks

Man-in-the-middle attacks cover situations in which the attacker is able to intercept packets that are crossing a network, modify or falsify the information in those packets, and then reinject the modified packets into the network. These attacks can be used to capture sensitive information, hijack ongoing sessions, create DoS occurrences, corrupt transmitted data, or introduce new, typically false, information into network sessions. An example of a man-in-the-middle attack is shown in Figure...

Mitigating Application Layer Attacks

Unfortunately, application layer attacks can never be completely eliminated. New vulnerabilities are being discovered across every platform and operating system. Additionally, as software becomes increasingly complex, the likelihood of a catastrophic vulnerability increases dramatically. Following system administration best common practices (BCPs) for host or server operating systems is the first step toward reducing the risk of an application layer attack. Additionally, the following is recommended: Keep current on...

Mitigating Denial of Service Attacks

Defeating DoS attacks or distributed DoS (DDoS) attacks (described in Chapter 6) begins by identifying the weak points in the network architecture where DoS attacks may have an advantage. Typically, weak points are located at the edge router. If an attacker launches a DDoS attack that is meant to consume the available network bandwidth, stopping the attack at the edge router does little good. Stopping a large DDoS attack requires coordination with the upstream ISP. DoS attack defense involves...

Mitigating IP Spoofing Attacks

Measures for mitigating IP spoofing attacks should be built into the defenses of both the enterprise network and the service provider. Although IP spoofing attacks cannot be completely eliminated, the threat they present can be reduced through access control and RFC 2827 filtering. IP spoofing can function correctly only when devices use an IP address-based trust model for authentication, which permits or denies access to a host based on the IP address of the client. Additional authentication...