About the Technical Reviewers

Greg Abelar is a seven-year veteran of Cisco Systems, Inc. Greg helped train and assemble the world-class Cisco Technical Assistance Center Security Organization. He is a sought-after speaker on the subject of security architecture. In addition, he founded, project managed, and contributed content to the CCIE Security Written Exam. Steven Hanna is an education specialist at Cisco Systems, Inc., where he designs and develops training on Cisco network security products. Steven has more than eight...

Acknowledgments

Ido Dubrawsky:
Paul Grey, for being a wonderful co-author with me on this project. If you hadn't signed on to this, Paul, I certainly wasn't going to do it alone.
Michelle Grandin, acquisitions editor, who must have been biting her nails until the last day hoping I would get all of the chapters done on time. Also, thanks for finding me my co-author. Sorry for the added stress, and thanks for sticking with me.
David Phillips, for hiring me at Cisco Systems, Inc., and letting me work with an...

Alternative Medium-Sized Network Corporate Internet Module Designs

The medium-sized network blueprint provides for alternative placements of devices within the designs. For example, in the medium-sized network, you can implement a stateful firewall on the edge router, which adds another layer of defense in depth to this module. You can also insert another NIDS just outside the firewall. Because the firewall drops much of the hostile traffic before the inside sensor can see it, this outside NIDS provides alarm information that would otherwise be lost. The NIDS device can also provide validation of the...

Answers to Scenario 18-3

1. On the core switch, configure the four VLANs that are shown, including their IP addressing. The correct configuration is as follows:
    core_sw(config-if)# ip address 10.1.10.1 255.255.255.0
    core_sw(config-if)# ip address 10.1.11.1 255.255.255.0
    core_sw(config-if)# ip address 10.1.1.1 255.255.255.0
    core_sw(config-if)# ip address 10.1.20.1 255.255.255.0
2. Apply RFC 2827 filtering to VLAN10, VLAN11, and VLAN20. The correct configuration is as follows:
    core_sw(config)# access-list 110 permit ip 10.1.10.0...

Answers to Scenario 18-4

1. Sketch out a network design for this company based on the information provided. See Figure 18-5 for a network drawing.
Figure 18-5 Company XYZ Network Topology
NOTE An alternative to the solution shown in Figure 18-5 is to replace the PIX Firewall with a Cisco IOS Firewall router.
2. Company XYZ has 10 salespeople on staff who require network access to company resources from time to time while in the field. How can this be best achieved? Because the PIX...

Answers to Scenario 18-6

1. With reference to Figure 18-4, where would you deploy a NIDS and HIDS? NIDS sensors are normally deployed on VLAN B and VLAN C of the PIX Firewall. A NIDS sensor is also commonly deployed off a SPAN port on the core switch.
2. In the edge router (ER), what type of mitigation can you apply to the public interface of the router? What are the commands to implement this action? It is normal practice to provide IP address spoofing mitigation and basic filtering on the public interface of...

Applications Are Targets

Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor HTTP 404 File Not Found error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that...

Authentication and Authorization for Access to Critical Resources

There are two primary elements of access control: authentication and authorization. Authentication is the process by which a user or a device proves the validity of its identity to an authoritative source. This source can be the login process on a host, the access device of a network, an application such as a database or web server, or one of a wide range of other systems on a network. Authorization is the process by which a user provides the credentials that prove that she has sufficient...

Campus Module in Medium-Sized Networks

The Campus module of the medium-sized network design provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 and Layer 3 functionality that is required by the network. The various key devices that make up the Campus module are described in Table 15-6.
Table 15-6 (device functions):
- Provides authentication services to the network devices
- Provides services to internal users, such as e-mail, file, and printing services
- Provides Layer 2 connectivity and supports private VLANs...

Campus Module in Small Networks

The Campus module of the small network design, which is shown in Figure 13-4, provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality via a single switch.
Figure 13-4 Small Network Campus Module
Four key devices make up the Campus module, which are highlighted in Table 13-5.
Table 13-5 (device functions):
- Provides services to internal users such as e-mail, file, and printing services
- Provides Layer 2 connectivity and also supports private VLANs
- Provides...

Characteristics of a Good Security Policy

There are three primary characteristics of a good security policy:
- Most important, the policy must be enforceable, and it must apply to everyone.
- The policy must be capable of being implemented through system administration procedures and through the publication of acceptable-use guidelines or other appropriate methods.
- The policy must clearly define the areas of responsibility and the roles of users, administrators, and management.
Failure to meet these three requirements seriously weakens the...

Cisco IOS Firewall Implementation

The Cisco IOS stateful firewall is implemented as follows:
Step 1 Because the router is configured with a public services segment, or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is applied to traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is applied to traffic from the Internet that is destined for the DMZ only. The following commands configure the...
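To make the two-rule-set arrangement in Step 1 concrete, here is an added example (written for this page; it is neither the book's configuration nor Cisco IOS Firewall code) of a toy stateful firewall in Python. A static policy states which zone pair may open which new connections, and a session table, populated only for the inspected zone pairs named in the text (inside to Internet or DMZ, Internet to DMZ), admits the return traffic. The zone ranges, the permitted services, and the packets are constructed assumptions.

```python
"""Toy stateful (CBAC-style) firewall: static policy for new connections plus a
session table that admits return traffic. Added example, not from the book or
from Cisco IOS. Zone ranges and services below are constructed assumptions."""
import ipaddress

ZONES = {
    "inside": ipaddress.ip_network("10.1.0.0/16"),    # assumed internal range
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # assumed public services segment
}

def zone_of(ip):
    """Map an address to inside, dmz, or outside (anything else is the Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

# What a *new* connection may do, per (from_zone, to_zone). A port of None means any port.
# No (outside, inside) entry: the Internet may never initiate a connection to the inside.
NEW_CONN_POLICY = {
    ("inside", "outside"): {("tcp", None), ("udp", 53)},
    ("inside", "dmz"): {("tcp", None)},
    ("outside", "dmz"): {("tcp", 80), ("tcp", 25)},
}

# The two inspection rule sets from the text: inside -> Internet/DMZ and Internet -> DMZ.
INSPECT = {
    ("inside", "outside"): {"tcp", "udp"},
    ("inside", "dmz"): {"tcp"},
    ("outside", "dmz"): {"tcp"},
}

class StatefulFirewall:
    def __init__(self):
        # Sessions are stored in the initiator's direction: (proto, src, sport, dst, dport).
        self.sessions = set()

    def handle(self, proto, src, sport, dst, dport, syn=False):
        """Decide one packet: 'permit' or 'deny'."""
        # 1. Reply traffic of an inspected session is admitted without consulting the static policy.
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit"
        # 2. Anything else must be a new connection the static policy allows for this zone pair.
        pair = (zone_of(src), zone_of(dst))
        allowed = NEW_CONN_POLICY.get(pair, set())
        if (proto, None) not in allowed and (proto, dport) not in allowed:
            return "deny"
        # 3. A TCP segment without SYN and without a session is not a new connection; drop it.
        if proto == "tcp" and not syn:
            return "deny"
        # 4. Record the session only for zone pairs the matching inspect set tracks.
        if proto in INSPECT.get(pair, set()):
            self.sessions.add((proto, src, sport, dst, dport))
        return "permit"

def run_scenario():
    """Walk a constructed packet sequence through the firewall; returns the decisions."""
    fw = StatefulFirewall()
    packets = [
        ("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, True),    # inside host opens HTTP to Internet
        ("tcp", "203.0.113.10", 80, "10.1.1.5", 40000, False),   # server reply: admitted via session
        ("tcp", "203.0.113.99", 4444, "10.1.1.5", 40001, True),  # Internet -> inside: no policy
        ("tcp", "198.51.100.7", 50000, "192.0.2.10", 80, True),  # Internet -> DMZ web: allowed
        ("tcp", "192.0.2.10", 80, "198.51.100.7", 50000, False), # DMZ web reply: via session
        ("tcp", "198.51.100.7", 50001, "192.0.2.10", 22, True),  # Internet -> DMZ SSH: not in policy
        ("tcp", "203.0.113.10", 80, "10.1.1.5", 40002, False),   # stray ACK with no session
    ]
    return [fw.handle(*p) for p in packets]

if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The session table is what makes the second rule set safe: the Internet can reach only the DMZ ports the static policy lists, while replies to inside-initiated connections are admitted solely because an inspected connection created the entry, not because any inbound rule permits them.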

Cisco Network Core Security Products

In the previous chapter, Cisco Perimeter Security Products, you learned about the specific products available from the Cisco Secure security portfolio that are used to secure the perimeter of a network and those products that provide intrusion detection facilities for the network. In this second chapter on the Cisco Secure product portfolio, we look at securing network connectivity, securing identity, security management, and Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

Cisco Secure IDS Sensors

An IDS sensor can exist in one of two forms: a dedicated hardware device or a software agent that resides on a specific host. The hardware version of the sensor is directly connected to a segment of the network that requires monitoring, whereas the software version resides on each specific host that requires monitoring. These two types of IDS sensor give rise to what is commonly called network IDS (NIDS) and host IDS (HIDS), respectively. A NIDS is designed to support multiple hosts and uses...

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM), formerly Cisco Security Manager, is a centralized, scalable, comprehensive security policy management application for the Cisco Secure security portfolio. CSPM gives the network administrator the tools to centrally manage Cisco Secure PIX Firewalls, routers running Cisco IOS Firewall, Cisco IPSec VPN-enabled routers, and Cisco IDS sensors. CSPM's topology-based GUI allows administrators to visually define high-level security policies for multiple...

Cisco VPN 3000 Series Concentrator

The Cisco VPN 3000 Series Concentrator is a range of purpose-built, remote-access VPN devices that provide high performance, high availability, and scalability. The Cisco VPN 3000 Series Concentrator uses the most advanced state-of-the-art encryption and authentication techniques that are currently available within the industry. The Cisco VPN 3000 Series Concentrator includes models that support a range of enterprise customers, from small businesses requiring 100 or fewer concurrent VPN...

Cisco VPN Client

In the Cisco VPN Client option, the design emphasis is on the mobile or home-office worker. In this model, it is assumed that the user has the Cisco VPN Client installed on his PC, and Internet connectivity is provided from either an ISP dial-up connection or via the LAN. The Cisco VPN Client provides the means to establish a secure, encrypted IPSec tunnel from the client's PC to the VPN headend device located at corporate headquarters. Access and authorization to the corporate network is...

Cisco VPN-Enabled Routers

The Cisco IOS Software running in Cisco routers provides feature-rich IPSec VPN services with industry-leading routing and delivers a comprehensive VPN routing solution. The Cisco IOS Software combines IPSec VPN enhancements, such as 3DES encryption and authentication using either digital certificates or preshared keys, with robust firewall, intrusion detection, and secure administrative capabilities. (3DES was the strong cipher of the day; it has since been deprecated in favor of AES.) The actual capability of the router to establish an IPSec VPN connection is determined by...

Classifying Rudimentary Network Attacks

This chapter covers a wide range of attacks, including reconnaissance attacks, unauthorized access, denial of service (DoS) attacks, application layer attacks, and trust exploitation attacks. All of these attacks are designed for one of two purposes: to gain access to a system or network, or to deny access to a system or network to legitimate users. To understand how to defend against these attacks, you first must understand how the attacks work. Therefore, each of these attacks is covered...

Configuration Options for Remote User Network Design

Within the SAFE SMR model, the remote-user network design consists of four possible module options. Table 17-2 describes each of these options.
Table 17-2 Remote-User Network Design Options
- The remote site is protected by a dedicated firewall, which is IPSec-VPN enabled. WAN connectivity is provided by a broadband access device supplied by an ISP.
- The remote site uses a router that has both firewall and IPSec-VPN functionality. The router...

Contents

Foreword
Introduction
Part I Cisco SAFE Overview
  SAFE: A Security Blueprint for Enterprise Networks
  SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
  SAFE VPN: IPSec Virtual Private Networks in Depth
  SAFE: Wireless LAN Security in Depth-Version 2
  SAFE: IP Telephony Security in Depth
  Additional SAFE White Papers
  Looking Toward the Future
Chapter 2 SAFE Design Fundamentals
  "Do I Know This Already?" Quiz
  Foundation Topics
  Security and...

Corporate Internet Module in Medium-Sized Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity as well as traffic from traditional dial-in users. The various key devices that make up the Corporate Internet module are outlined in Table 15-2.
Table 15-2 Corporate Internet Module Devices
- Terminates analog...

Corporate Internet Module in Small Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity. Several key devices make up the Corporate Internet module. These devices are described in Table 13-2.
Table 13-2 Corporate Internet Module Devices
- Acts as a relay...

CSI Exam Blueprint

The CSI exam focuses on the SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks blueprint (SAFE SMR for short), published in 2001. This blueprint covers designing and securing small and medium-sized networks and providing secure network access to remote users, such as mobile workers and telecommuters. The CSI course provides the knowledge and skills needed to implement and use the principles and axioms presented in the SAFE SMR white paper. The course primarily...

Design Guidelines

The Corporate Internet module in the medium-sized network design consists of the following key devices, which have different functional roles within the design:
- ISP router: Provides Internet connectivity
- Edge router: Provides a demarcation point between the ISP and the network
- Firewall: Provides stateful filtering and site-to-site VPN termination
- Intrusion detection: Detects attacks from permitted firewall traffic
- Remote-access VPN: Provides secure connectivity for remote users
- Dial-in access users...

Designing Medium-Sized SAFE Networks

As mentioned in Chapter 13, Designing Small SAFE Networks, the principal goal of the Cisco SAFE blueprints is to provide interested parties with best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks and uses a modular format to combat security threats. This enables the creation of scalable, corporate-wide security solutions. In this second of three chapters covering the...

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 2-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that...

Foreword

CCSP CSI Exam Certification Guide is a complete study tool for the CCSP CSI exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills to implement appropriate technologies to build secure networks based on the Cisco Systems SAFE Blueprint. This book was developed in cooperation with the Cisco Internet Learning Solutions...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each Foundation Summary section before taking the exam. The heart of SAFE is the inclusion of security throughout the network and within the end systems themselves. To that end, the original SAFE Enterprise document used several...

Identity Management Cisco Secure Access Control Server

As networks and network security have evolved, so too have the methods of controlling access to these networks and their associated resources. Traditionally, a static username and password were considered adequate to secure access to the corporate network. However, as enterprises have come to need stronger security over time, stronger techniques, such as one-time passwords, have been introduced. One of the most significant problems in securing distributed systems is...

IDS Management Console

The IDS management console (MC) is the platform that provides a single GUI management interface for the administrator. All IDS sensors report to this platform, and it is used to configure the sensors and to log and display the alarms they generate. IDS management consoles are available on the following platforms:
- Cisco Secure Policy Manager (CSPM)
- Cisco Secure IDS Director (CSID)
- CiscoWorks VPN/Security Management Solution (VMS)
You can find more detailed information about the Cisco Secure...

Implementing Small SAFE Networks

In Chapter 13, Designing Small SAFE Networks, you looked in detail at the small network design requirements and guidelines that are recommended to secure a small network. In this chapter, you use those design recommendations as a basis for examining the specific configuration requirements that are necessary to achieve the desired functionality for each component of a small network. NOTE The configuration shown in this chapter highlights only the code that is required to achieve the specific...

In-Band Network Management

The term in-band network management refers to the flow of management traffic that follows the same path as normal network data. In-band managed devices support various methods and protocols that facilitate remote management of the device while using the normal data flow. The section Network Management Protocols, later in the chapter, provides more details on the protocols that provide this functionality. Because management information is flowing over the same path as data traffic, in-band...

ISP Traffic Filtering

By using an inbound ACL, you can filter traffic that is arriving from the ISP router. This filtering is applied to the public services interface by using the command ip access-group 140 in. You should consider using the following common ACL definitions.
Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.
    access-list 140 deny ip 10.0.0.0 0.255.255.255 any
    access-list 140 deny ip 172.16.0.0 0.15.255.255 any
    access-list 140 deny ip...
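The RFC 1918 filter above and the RFC 2827 filter in the answer to Scenario 18-3 rely on the same ACL matching rules: a wildcard mask in which 0 bits must match, first match wins, and a packet that matches nothing hits the implicit deny at the end of the list. The following Python evaluator is an added example, not from the book or from IOS; it parses lines in the access-list syntax shown above and runs constructed packets through them. The trailing permit ip any any in ACL 140, the 192.168.0.0 entry, and the VLAN 10 ACL body are assumptions added so the example is complete.

```python
"""Evaluate Cisco IOS extended ACL lines against sample packets. Added example, not
from the book: implements wildcard-mask matching, first-match-wins, and the implicit
deny. The ACL text and packets below are constructed for illustration."""
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "ftp": 21, "domain": 53}

def wildcard_to_network(addr, wildcard):
    """Convert 'A.B.C.D WILDCARD' (Cisco inverted mask) into an ip_network."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):                      # must be a contiguous run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    prefix = 32 - ((w + 1).bit_length() - 1)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def _parse_target(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port]' lines, grouped by ACL number.
    Only a destination port qualifier is supported; '!' starts a comment."""
    acls = {}
    for line in text.strip().splitlines():
        line = line.split("!")[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_target(t, 4)
        dst, i = _parse_target(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(number, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "text": line})
    return acls

def evaluate(rules, packet):
    """Return (action, matched_rule_text). First match wins; no match is the implicit deny."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != packet["proto"]:
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != packet.get("dport"):
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"

# RFC 1918 filtering inbound from the ISP. The 192.168.0.0 line and the final permit are
# assumptions; the book's ACL 140 continues with service-specific entries not shown here.
ISP_INBOUND = """
access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip any any
"""

# RFC 2827 filtering on the VLAN 10 interface (assumed body): only packets sourced from
# that VLAN's own subnet may leave it; any other source address is spoofed.
VLAN10_RFC2827 = """
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
"""

ACLS = parse_acl(ISP_INBOUND + VLAN10_RFC2827)

def check_isp_inbound(src, dst):
    return evaluate(ACLS["140"], {"proto": "ip", "src": src, "dst": dst})[0]

def check_vlan10_egress(src, dst):
    return evaluate(ACLS["110"], {"proto": "ip", "src": src, "dst": dst})[0]

if __name__ == "__main__":
    print(check_isp_inbound("10.9.9.9", "198.51.100.10"))      # deny: private source from the Internet
    print(check_isp_inbound("203.0.113.5", "198.51.100.10"))   # permit
    print(check_vlan10_egress("10.1.10.77", "10.1.20.5"))     # permit: genuine VLAN 10 host
    print(check_vlan10_egress("10.1.11.77", "10.1.20.5"))     # deny: source spoofed from another VLAN
```

The VLAN 10 list has a single permit line; everything else, including a host on VLAN 10 forging a VLAN 11 address, falls through to the implicit deny, which is exactly the RFC 2827 property the scenario asks for.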

Key Campus Module Devices

There are significant differences between the Campus module design for the small network and that for the medium-sized network, as summarized in Table 4-2. The key devices in the small network Campus module are the Layer 2 switches. In the medium-sized network, there are several key devices, including Layer 2 and Layer 3 switches and an IDS. The functions of these devices along with management hosts are described in the following sections.
Table 4-2 Key Devices in the Campus Module...

Key Devices for Remote User Networks

Each of the options presented in Table 17-2 can use a variety of key devices within each model of the remote-user network design. These devices are described in Table 17-3.
Table 17-3 (device functions):
- Provides connectivity to the broadband network.
- Provides connectivity between local network devices. This can be a standalone device or integrated within the VPN hardware device.
- Provides local network protection through stateful filtering of traffic.
- Provides secure VPNs via IPSec tunnels between the headend and local site....

Man-in-the-Middle Attacks

Man-in-the-middle attacks cover situations in which the attacker is able to intercept packets that are crossing a network, modify or falsify the information in those packets, and then reinject the modified packets into the network. These attacks can be used to capture sensitive information, hijack ongoing sessions, create DoS occurrences, corrupt transmitted data, or introduce new, typically false, information into network sessions. An example of a man-in-the-middle attack is shown in Figure...

Mitigating Port Redirection Attacks

Mitigating port redirection requires the use of good trust models. Trust models can be implemented through proper access restrictions between hosts. As long as there is implicit trust between hosts based on IP addresses, the problem of port redirection will not be solved. A HIDS can be used to detect, and possibly prevent, an attacker who is trying to install port redirection software, such as httptunnel or Netcat, for use in a port redirection attack.

Guarding Against Virus and...

Mitigating Rudimentary Network Attacks

Chapters 6 and 7 covered various attacks that may be launched against a network. This chapter covers the mitigation of the attacks described in Chapter 6, Classifying Rudimentary Network Attacks: reconnaissance, unauthorized access, denial of service (DoS), application layer, and trust exploitation attacks. The mitigation techniques discussed in this chapter are based on network security best common practices (BCPs) and on SAFE concepts. Although both this chapter and Chapter 9, Mitigating...

Mitigating Threats in Remote User Networks

Table 17-4 presents the threats that can be anticipated for the remote-user network design model and summarizes the mitigation techniques for each anticipated threat.
Figure 17-1 Remote-User Design Model
Table 17-4 Remote-User Network Threats and Threat Mitigation
- Mitigated by using RFC 1918 and RFC 2827 filtering at the ISP edge and remote-site...

Mitigating Threats in the Campus Module

Within the small network Campus module, each device plays a threat-mitigation role, as shown in Figure 13-5. Table 13-6 lists the expected threats and mitigation actions found within this module.
Figure 13-5 Small Network Campus Module Threat-Mitigation Roles
Table 13-6 Campus Module Threats and Threat Mitigation
- Operating systems, devices, and applications are kept up to date with the latest security fixes and are protected by HIDSs.
- A...

Mitigating Threats in the Corporate Internet Module

The most likely point of attack within the Corporate Internet module is the public services segment, because the publicly addressed servers are positioned there. Table 13-3 shows the anticipated threats and mitigation actions expected on this segment.
Table 13-3 Corporate Internet Module Threats and Threat Mitigation
- Mitigated through HIDSs on the public servers
- Limited through the use of CAR* at the ISP edge and TCP setup...

Exams Required for Certification

Successful completion of a group of exams is required to achieve the CCSP certification. The exams generally match the topics covered in the official Cisco courses. Table I-1 summarizes CCSP exam-to-course mappings. CCSP certifications are valid for three years like the CCNP and the CCDP. Re-certification is required to keep the certification valid for every three-year period after that. Introduction to Cisco Networking Technologies (INTRO) and Interconnecting Cisco Network Devices (ICND)...

Network Intrusion Detection System Overview

An in-depth look at the implementation of a NIDS is beyond the scope of this book. Furthermore, the configuration that is required to implement any NIDS depends on the system to be used. Within the medium-sized network design, NIDS appliances are used on the following segments:
- Inside PIX Firewall segment
Figure 16-1 shows the deployment of these NIDS sensors within the medium-sized network. A NIDS works by using dedicated, hardened devices known as sensors, which analyze all network traffic that is...

How to Use This Book to Pass the Exam

One way to use this book is to read it from cover to cover. Although that may be helpful to many people, it also may not be very time efficient, especially if you already know some of the material covered by this book. One effective method is to take the "Do I Know This Already?" quiz at the beginning of each chapter. You can determine how to proceed with the material in the chapter based on your score on the quiz. If you get a high score, you might simply review the Foundation Summary section of...

Network Posture Visibility

Reducing the visibility of the network posture involves reducing the number of services in the public-facing segment of the network to a minimum. This means that if a web server, an SMTP server, an FTP server, and a DNS server are situated in the DMZ of the Corporate Internet module, the only inbound ports open at the edge router are for web, e-mail, FTP, and DNS to those servers. All other ports are blocked with an access control list (ACL). If other hosts exist in the DMZ but access from the...

Networks Are Targets

Network attacks are the most difficult to defend against because they typically take advantage of an intrinsic property of the network itself. This category of attacks includes Layer 2 attacks, distributed denial of service (DDoS) attacks, and network sniffers. The Layer 2 attacks can be mitigated through the use of the best practices previously listed in the sections Routers Are Targets and Switches Are Targets. The impact of sniffing can be mitigated through the implementation of a switched...

Other Certifications

Cisco has a wide variety of certifications beyond the CCSP. These certifications are outlined in Table I-2. For additional information regarding any Cisco certification, consult the website at Cisco.com and click Learning & Events > Career Certifications and Paths.
Table I-2 Additional Cisco Certifications
- Demonstrates a basic level of knowledge of networking and Cisco device configuration
- Demonstrates a basic level of knowledge in the design and implementation of networks using...

Packet Sniffers

A packet sniffer is a software application that uses a network adapter card in promiscuous mode. In promiscuous mode, the network adapter card is able to receive all packets on the physical network wire and pass those packets up to an application. Packet sniffers are typically used for network troubleshooting and traffic analysis, but they can also be used to capture sensitive information such as usernames and passwords. Telnet, FTP, SNMP, and SMTP all send their traffic between the client and...
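As an added illustration (not from the book), the following Python does what a sniffer does once the adapter hands it frames in promiscuous mode: it decodes the Ethernet, IPv4, and TCP headers by hand and pulls an FTP login out of the cleartext payload. The frames are constructed inside the script rather than captured, using documentation addresses and zeroed checksums.

```python
"""Parse raw Ethernet/IPv4/TCP frames the way a sniffer on a promiscuous interface
would and pull FTP credentials out of the cleartext payload. Added example, not from
the book; the frames are constructed here, not captured, and checksums are left zero."""
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet + IPv4 + TCP frame carrying payload (constructed test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # TCP: ports, seq, ack, data offset of 5 words, PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]

def harvest_ftp_credentials(frames):
    """Pair USER and PASS commands per client/server flow towards port 21.
    Returns a list of (client, server, user, password)."""
    flows = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != 21:
            continue
        line = payload.decode("ascii", "replace").strip()
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            flows.setdefault((src, dst), {})["user"] = arg
        elif cmd.upper() == "PASS":
            flows.setdefault((src, dst), {})["password"] = arg
    return [(c, s, v.get("user"), v.get("password")) for (c, s), v in flows.items()]

# Constructed "capture": an FTP login in the clear plus a TLS record the sniffer cannot read.
CAPTURE = [
    build_frame("10.1.1.20", "192.0.2.21", 51000, 21, b"USER alice\r\n"),
    build_frame("192.0.2.21", "10.1.1.20", 21, 51000, b"331 Password required for alice\r\n"),
    build_frame("10.1.1.20", "192.0.2.21", 51000, 21, b"PASS s3cret!\r\n"),
    build_frame("10.1.1.30", "203.0.113.4", 51001, 443, bytes.fromhex("160301002a0100002603")),
]

if __name__ == "__main__":
    print(harvest_ftp_credentials(CAPTURE))
```

Nothing in the harvester is protocol-specific beyond the two FTP verbs; Telnet, SMTP AUTH, and SNMP community strings fall to the same parsing because the secret is on the wire as bytes. The HTTPS frame is decoded just as easily, but its payload is a TLS record and yields nothing, which is the whole argument for encrypted transports.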

Protecting Against Unauthorized Access

Mitigating unauthorized access is one of the easier mitigation techniques. Because an attacker must be able to access a port to gain unauthorized access to the system, the simple solution is to deny access to that port. For example, for an attacker to gain access to a system, she may need to Telnet to that system. By blocking Telnet access to systems at the router for DMZ systems and the firewall, you can prevent the attacker from reaching the Telnet port on the protected systems. Mitigation of...

Public Services Segment Filtering

By using an ACL, you can filter traffic that is entering from the public services interface. This filtering is applied to the public services interface by using the access-group command. You should consider using the following common ACL definitions.
Allow mail services between the public and internal mail servers:
    access-list ps_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp
Allow echo replies from the internal network:
    access-list ps_access_in permit icmp...

Q&A

As mentioned in the introduction, All About the Cisco Certified Security Professional Certification, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A. For more practice...

Reconnaissance Attacks

Network reconnaissance is the act of gathering information about a network in preparation for a possible attack. This information can be garnered from a wide variety of sources, ranging from what is called uncontrollable information, which is information that the network staff cannot control because it is publicly disseminated, to active probing such as network sweeps and port scans. Some examples of uncontrollable information include the IP address ranges owned by a...
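Network sweeps and port scans leave a recognizable footprint in logged ACL denies. The following detection logic is an added example, not from the book: it parses constructed log lines in the format IOS uses for logged ACL hits (%SEC-6-IPACCESSLOGP) and flags one source touching many ports on one host (a port scan) or one port on many hosts (a sweep). The thresholds, addresses, and log lines are assumptions.

```python
"""Spot network sweeps and port scans in router ACL log lines. Added example, not
from the book. The log lines are constructed in the format IOS uses for logged ACL
entries (%SEC-6-IPACCESSLOGP); addresses are documentation ranges."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_acl_log(lines):
    """Extract the 5-tuple from each matching log line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def detect_recon(events, port_threshold=5, host_threshold=5):
    """A port scan is one source touching many ports on one host; a network sweep is one
    source touching the same port on many hosts. Returns (kind, src, target, count) tuples."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    for e in events:
        ports_per_pair[(e["src"], e["dst"])].add(e["dport"])
        hosts_per_port[(e["src"], e["dport"])].add(e["dst"])
    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("port_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("network_sweep", src, dport, len(hosts)))
    return findings

def _log(src, sport, dst, dport):
    """Construct one ACL log line (assumed IOS syslog format)."""
    return (f"Mar  1 10:00:01 edge-rtr 12: %SEC-6-IPACCESSLOGP: list 140 denied tcp "
            f"{src}({sport}) -> {dst}({dport}), 1 packet")

# Constructed sample: one scanner probing six ports on a DMZ host, one sweeper probing
# port 80 across six hosts, one ordinary client connection, and one unrelated syslog line.
SAMPLE_LOG = (
    [_log("203.0.113.5", 43000 + i, "192.0.2.10", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [_log("198.51.100.9", 51000 + i, f"192.0.2.{i}", 80) for i in range(1, 7)]
    + [_log("203.0.113.77", 60000, "192.0.2.10", 80),
       "Mar  1 10:00:02 edge-rtr 13: %SYS-5-CONFIG_I: Configured from console by vty0"]
)

def findings_for_sample():
    return detect_recon(parse_acl_log(SAMPLE_LOG))

if __name__ == "__main__":
    for finding in findings_for_sample():
        print(finding)
```

Thresholds are the tuning knob: too low and a busy client that legitimately uses several services on one server looks like a scanner, too high and a slow scan spread across a log rotation boundary is missed, which is why the counting is over distinct ports and hosts rather than raw packet counts.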

SAFE Modules Overview

The SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks (SAFE SMR) blueprint was written approximately one year after the successful release of SAFE: A Security Blueprint for Enterprise Networks (SAFE Enterprise). The SAFE SMR blueprint provides best-practice information about designing and securing networks that are of a smaller scale than those described in the original SAFE Enterprise white paper. SAFE SMR uses the same principles as the original SAFE Enterprise...

SAFE VPN: IPSec Virtual Private Networks in Depth

The SAFE VPN: IPSec Virtual Private Networks in Depth white paper discusses in detail the design and security of IPSec VPNs, including specific design considerations and best-practice recommendations for enterprise IPSec VPN deployment. This white paper considers VPN design at various levels, from the remote-user network design all the way up to a distributed large network VPN design. The design objectives used in the SAFE VPN white paper include the following:
- The need for secure connectivity
- Reliability,...

SAFE: Wireless LAN Security in Depth-Version 2

The SAFE: Wireless LAN Security in Depth-Version 2 white paper discusses wireless LAN (WLAN) implementations, with a focus on the overall security of the design. Among the best practices this white paper recommends is to consider network design elements, such as mobility and quality of service (QoS). This white paper describes the following design objectives, listed in order of priority:
- Security and attack mitigation based on policy
- Authentication and authorization of users to wired network...

Scenario 18-4

A small company, Company XYZ, is a supplier of printer consumables through a locally hosted website. It is located in a single premises with two floors. There are about 20 users located on each of these floors. All users require access to the Internet and to local services such as the corporate intranet. Internet connectivity is provided by a local ISP router. Public services consist of domain name, file, e-mail, and web services. Recently, concerns have been raised about the network's lack of...

Security Policy Characteristics, Goals, and Components

A security policy defines the framework that is used to protect the assets that are connected to a network. RFC 2196, Site Security Handbook, defines a security policy as ". . . a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." Without a security policy, the availability of a network can be compromised. By defining the basis on which the information assets and the systems connected to the network are used and...

Security Policy Components

A successful security policy can be subdivided into smaller subpolicies, each of which covers a specific topic related to the overall security of the network. The breadth and scope of each subpolicy can vary according to the needs of administrators and managers. Each subpolicy can be referenced as a standalone document as well as function as part of an overall security policy. Section 2.2 of the Site Security Handbook lists several elements of an overall security policy, including Computer...

Support for Emerging Networked Applications

Technology evolves through the need for newer, better, and faster applications. These applications are more dependent than ever on the network for their proper use and operation. In the past, applications were monolithic in nature and relied on the fact that users accessed the application from within the same system the application was installed on. Today's distributed applications require a secure network to ensure secure communication between the application and the user. SAFE accommodates...

The Need for Network Security

With the recent unparalleled growth of the Internet has come a greater degree of exposure to personal information, government secrets, and confidential data as well as corporate information assets. Network systems are at a greater degree of exposure to attack than ever before. Attackers are posing an increasing threat to the capabilities of businesses to function efficiently and securely. Attackers are no longer only individuals external to the network who are solely interested in gaining...

The Security Wheel

The implementation of a security policy typically involves four steps:

Step 1 Develop the security policy.
Step 2 Implement the security products called for by the security policy.
Step 3 Inspect the policy periodically.
Step 4 Handle incidents as they occur.

This process does not provide for the continual adaptation of the security policy to changes in the network environment. The Security Wheel concept treats network security as a continuous process that is built around the corporate security...

Traffic Rate Limiting

An organization can implement, in cooperation with its ISP, traffic-rate limiting, whereby all nonessential traffic is given only a small fraction of the total bandwidth in the link. Additionally, an organization can implement quality of service (QoS) to identify permitted traffic and ensure that it is handled quickly while other, potentially unauthorized traffic is relegated to slower handling. Utilizing rate limits along with QoS shaping of traffic can greatly help to mitigate the impact of...
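The two-class policy described above (permitted traffic gets most of the link, everything else a small fraction) can be modelled with one token bucket per class. The following is an added example, not code from the book or from Cisco; the link speed, the classification rule (TCP/443 and TCP/25 count as permitted) and the packet sample are constructed for illustration.

```python
"""Added example (not from the book): a two-class token-bucket rate limiter.

Permitted traffic is drained from a large bucket, nonessential traffic from a
small one, so a flood of nonessential packets cannot starve the permitted class.
All numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field

LINK_BPS = 1_000_000  # assumed 1 Mbit/s link


@dataclass
class TokenBucket:
    """Classic token bucket: refill `rate` bytes per second, hold at most `burst`."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst  # start full

    def allow(self, size: int, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def classify(pkt: dict) -> str:
    """Assumed policy: TCP/443 and TCP/25 are permitted business traffic."""
    if pkt["proto"] == "tcp" and pkt["dport"] in (443, 25):
        return "permitted"
    return "nonessential"


def run_policy(packets, permitted_share: float = 0.9) -> dict:
    """Apply the per-class buckets; return forwarded/dropped counts per class."""
    bytes_per_s = LINK_BPS / 8
    permitted_rate = bytes_per_s * permitted_share
    nonessential_rate = bytes_per_s - permitted_rate  # the "small fraction"
    buckets = {
        "permitted": TokenBucket(rate=permitted_rate, burst=permitted_rate),
        "nonessential": TokenBucket(rate=nonessential_rate, burst=nonessential_rate),
    }
    stats = {cls: {"forwarded": 0, "dropped": 0} for cls in buckets}
    for pkt in packets:
        cls = classify(pkt)
        ok = buckets[cls].allow(pkt["size"], pkt["t"])
        stats[cls]["forwarded" if ok else "dropped"] += 1
    return stats


# Constructed sample: 50 HTTPS packets and a 200-packet ICMP burst at t=0,
# then 10 more ICMP packets one second later (shows the bucket refilling).
SAMPLE_PACKETS = (
    [{"t": 0.0, "proto": "tcp", "dport": 443, "size": 1500} for _ in range(50)]
    + [{"t": 0.0, "proto": "icmp", "dport": 0, "size": 1500} for _ in range(200)]
    + [{"t": 1.0, "proto": "icmp", "dport": 0, "size": 1500} for _ in range(10)]
)

if __name__ == "__main__":
    print(run_policy(SAMPLE_PACKETS))
```

With a 10 percent share the nonessential bucket holds 12,500 bytes, so only eight 1500-byte packets of the burst pass before the rest are dropped, while all 50 permitted packets are forwarded; after one second the small bucket has refilled and admits another eight.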

Trust Exploitation Attacks

A trust relationship exists between two systems when each system agrees to accept communication from the other system without explicitly authenticating the connection. Trust is established in a variety of ways. There are Windows trust relationships in which one domain may trust another domain and provide for pass-through authentication. On UNIX systems, there is the r-services trust relationship. The trust involved with r-services differs from Windows trust relationships in that no...

Understanding the Campus Module

The Campus module contains the end-user workstations and the corporate intranet servers and management servers. This module also contains the Layer 2 and Layer 3 devices that provide the underlying network infrastructure. In the medium-sized and small networks covered in the SAFE SMR design, the Campus module is a combination of the various modules that comprise the campus segment in the SAFE Enterprise white paper. This combination is done to reflect the smaller scale of the design in the...

VPN Hardware Client

The VPN hardware client option is also nearly identical to the remote-site firewall option previously discussed, with the exception that the VPN hardware client does not have a resident stateful firewall. Consequently, this option requires the use of a personal firewall on each individual host that is located behind the VPN hardware client. The use of a personal firewall is even more paramount if split tunneling is enabled, because without the use of a personal firewall, the individual hosts...

WAN Module in Medium-Sized Networks

The inclusion of the WAN module in the medium-sized network design is feasible only if there is a requirement to connect to a remote site using a private circuit such as Frame Relay or ATM. The design of a WAN module includes only one device, a Cisco IOS Firewall router, which provides routing, access-control, and QoS mechanisms to remote locations. The WAN module and its associated components are shown in Figure 15-6. Figure 15-6 Medium-Sized Network WAN Module...

Warning and Disclaimer

This book is designed to provide information about the Cisco CSI exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that...

What Is SAFE?

SAFE is a network architecture blueprint developed by engineers at Cisco Systems. SAFE is intended to be a flexible and dynamic blueprint for security and virtual private networks (VPNs) that is based on the Cisco Architecture for Voice, Video, and Integrated Data (AVVID). The intention is to enable businesses to successfully and securely take advantage of available e-business economies and to compete in the emerging Internet economy with assurance. While the SAFE architecture lab was built on...

CiscoWorks VPN Security Management Solution

CiscoWorks VPN Security Management Solution (VMS) is an integrated security management solution that forms an integral part of the SAFE blueprint for network security. VMS enables customers to deploy security infrastructures from small networks to large, complex, and widely distributed environments. VMS's strength is that it combines many administrative tasks that would normally be handled separately through a single integrated interface. This interface combines web-based tools for secure...

Mitigating Reconnaissance Attacks

Reconnaissance attack mitigation centers on protecting the network from scouting forays by attackers. It is not possible to completely protect address range information in ARIN, APNIC, and RIPE or domain name information in a network registrar from being evaluated by an attacker. You must assume that an attacker can ferret out that information with relative ease. With that in mind, you should understand that, realistically, defense begins at the network perimeter, and starting it there involves...

Port Redirection

Port redirection is a specific case of trust exploitation. Essentially, this is a tunneling type of attack. In this case, an attacker uses a compromised host to relay traffic through an open port on a firewall or in a router's ACLs that would normally be denied. This is shown in Figure 7-2. Consider a firewall with three interfaces: internal, external, and a DMZ interface, as shown in Figure 7-1. The hosts on the external interface (those on the Internet) can reach the hosts in...

All About the Cisco Certified Security Professional Certification

The Cisco Certified Security Professional (CCSP) certification is the newest midlevel certification from Cisco Systems. This certification is on a par with CCNP and CCDP. The aim of this certification is to provide professional-level recognition to network engineers in the design and implementation of Cisco secure networks. This certification provides validation of knowledge and skills in key areas of security, including firewalls, intrusion detection, VPNs, identity, and security management....

Design Guidelines for the Corporate Internet Module

The small network model represents a scaled-down security-centric network design with all the security and VPN functionality that is found within a single device. As described earlier and shown in Figure 13-2, two options are available within this design model. The first option uses a Cisco IOS router with firewall and VPN functionality. This option provides the greatest flexibility within the small network design because the router is capable of supporting not only the firewall and VPN...

Key Corporate Internet Module Devices

There are several key devices in the Corporate Internet module that are common between the medium-sized network design and the small network design. The key devices in both the small and medium-sized network designs are summarized in Table 4-3. This table also indicates in which network these devices can be found.

Table 4-3 Key Devices in Corporate Internet Module

DNS Server: Provides authoritative external DNS resolution; relays internal...

CatOS Switches

The generic security configuration used within Cisco CatOS switches is described in the following steps:

Step 1 Shut down all unneeded services by issuing the following commands:

set ip http server disable
set cdp disable

Step 2 Set passwords and access restrictions. Enable AAA. To set passwords, use the following: Set access restrictions with the following commands:

set ip permit enable telnet
set ip permit management-host-address 255.255.255.255 telnet
set tacacs server tacacs-server-address
set...
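A practitioner applying these steps across many switches usually wants a check that a saved configuration actually contains them. The following audit script is an added example, not code from the book or from Cisco: it matches the commands listed in Steps 1 and 2 against a configuration dump and reports which are missing or contradicted. The two sample configurations are constructed, the management-host and TACACS+ addresses in them are placeholders, and treating any telnet permit entry without a 255.255.255.255 host mask as "overly broad" is an assumption of this script (the steps show only the host-mask form).

```python
"""Added example (not from the book): audit a CatOS configuration dump against
the hardening steps above.  Sample configurations are constructed; the
addresses in them are placeholders.
"""
import re

# Commands the steps require: (description, full-line pattern).
REQUIRED = [
    ("HTTP server disabled", r"set ip http server disable"),
    ("CDP disabled", r"set cdp disable"),
    ("IP permit list enabled for telnet", r"set ip permit enable telnet"),
    ("management host permitted for telnet",
     r"set ip permit \d{1,3}(?:\.\d{1,3}){3} 255\.255\.255\.255 telnet"),
    ("TACACS+ server configured", r"set tacacs server \d{1,3}(?:\.\d{1,3}){3}"),
]

# Lines that contradict a required setting.
FORBIDDEN = [
    ("HTTP server enabled", r"set ip http server enable"),
    ("CDP enabled", r"set cdp enable"),
]

# Assumption: a telnet permit entry whose mask is not the host mask is flagged
# as overly broad, since the steps only show the 255.255.255.255 form.
PERMIT_ENTRY = re.compile(r"set ip permit (\S+) (\S+) telnet")


def normalise(config_text: str) -> list:
    """Strip comments and blank lines, collapse whitespace."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            lines.append(" ".join(line.split()))
    return lines


def audit(config_text: str) -> dict:
    """Return missing required commands and contradicting findings."""
    lines = normalise(config_text)
    missing = [desc for desc, pat in REQUIRED
               if not any(re.fullmatch(pat, line) for line in lines)]
    findings = [desc for desc, pat in FORBIDDEN
                if any(re.fullmatch(pat, line) for line in lines)]
    for line in lines:
        m = PERMIT_ENTRY.fullmatch(line)
        if m and m.group(2) != "255.255.255.255":
            findings.append(f"overly broad telnet permit entry: {line}")
    return {"ok": not missing and not findings,
            "missing": missing, "findings": findings}


# Constructed sample: follows the steps (placeholder addresses).
HARDENED_CONFIG = """
set ip http server disable
set cdp disable
set ip permit enable telnet
set ip permit 10.1.1.50 255.255.255.255 telnet   # management host (placeholder)
set tacacs server 10.1.1.60                      # TACACS+ server (placeholder)
"""

# Constructed sample: services left on, permit list not enabled, broad entry.
WEAK_CONFIG = """
set ip http server enable
set cdp enable
set ip permit 10.1.0.0 255.255.0.0 telnet
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg))
```

Run against the weak sample, the audit lists all five required commands as missing and reports the enabled HTTP server, enabled CDP, and the /16 telnet permit entry as findings; the hardened sample passes.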