About the Technical Reviewers

Greg Abelar is a seven-year veteran of Cisco Systems, Inc. Greg helped train and assemble the world-class Cisco Technical Assistance Center Security Organization. He is a sought-after speaker on the subject of security architecture. In addition, he founded, project managed, and contributed content to the CCIE Security Written Exam. Steven Hanna is an education specialist at Cisco Systems, Inc., where he designs and develops training on Cisco network security products. Steven has more than eight...

Alternative Medium Sized Network Corporate Internet Module Designs

The medium-sized network blueprint allows for alternative placements of devices within the design. For example, in the medium-sized network you can implement a stateful firewall on the edge router, which adds another layer of defense in depth to this module. You can also insert a second NIDS just outside the firewall. This sensor sees the attack traffic that the firewall drops, so it reports alarms that the sensor inside the firewall never sees; it also generates far more alarms, so it needs careful tuning to be useful. The NIDS device can also provide validation of the...

Answers to Scenario 183

1. On the core switch, configure the four VLANs that are shown, including their IP addressing. The correct configuration is as follows:

core_sw(config-if)# ip address 10.1.10.1 255.255.255.0
core_sw(config-if)# ip address 10.1.11.1 255.255.255.0
core_sw(config-if)# ip address 10.1.1.1 255.255.255.0
core_sw(config-if)# ip address 10.1.20.1 255.255.255.0

2. Apply RFC 2827 filtering to VLAN10, VLAN11, and VLAN20. The correct configuration is as follows:

core_sw(config)# access-list 110 permit ip 10.1.10.0...

Answers to Scenario 184

1. Sketch out a network design for this company based on the information provided. See Figure 18-5 for a network drawing.

Figure 18-5 Company XYZ Network Topology

NOTE: An alternative to the solution shown in Figure 18-5 is to replace the PIX Firewall with a Cisco IOS Firewall router.

2. Company XYZ has 10 salespeople on staff who require network access to company resources from time to time while in the field. How can this be best achieved? Because the PIX...

Answers to Scenario 186

1. With reference to Figure 18-4, where would you deploy a NIDS and HIDS? NIDS sensors are normally deployed on VLAN B and VLAN C of the PIX Firewall. A NIDS sensor deployed off a SPAN port on the core switch is also common.

2. In the edge router (ER), what type of mitigation can you apply to the public interface of the router? What are the commands to implement this action? It is normal practice to provide IP address spoofing mitigation and basic filtering on the public interface of...

AntiDoS Features

The implementation of TCP intercept on Cisco routers also helps to mitigate DoS attacks, specifically TCP SYN floods. Firewalls can also provide some measure of defense against TCP SYN floods by limiting the number of half-open (embryonic) connections permitted per host. TCP intercept works by having the router intercept the incoming TCP SYN requests from a client. The router responds to the SYN request by sending a SYN-ACK packet back on the server's behalf and waiting for the client's final TCP...
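The following IOS configuration is an added illustration of TCP intercept and is not a listing from the book. The ACL number, the 192.0.2.0/24 server range, the interface, and the threshold values are assumptions chosen for the example; the ip tcp intercept commands themselves are the standard IOS commands.

```cisco
! Added example (not from the book). 192.0.2.0/24 is the assumed range of
! public servers that must be protected from SYN floods.
! Only SYNs whose destination matches this extended ACL are intercepted.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
!
! Intercept mode: the router completes the three-way handshake with the
! client itself and opens the server-side connection only afterwards, so a
! SYN from a spoofed, unreachable source never consumes a server socket.
! (ip tcp intercept mode watch instead lets the SYN through and resets the
! connection on the server if it is not completed within the watch-timeout.)
ip tcp intercept list 120
ip tcp intercept mode intercept
!
! Aggressive-mode thresholds (assumed values). Above either high-water mark
! the router drops one existing half-open connection for every new SYN and
! halves its retransmission timers; below the low-water marks it returns to
! normal operation.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! Which half-open connection to sacrifice in aggressive mode: the oldest
! (default) rather than a random one, so a burst of fresh SYNs does not
! evict a client that is about to finish its handshake.
ip tcp intercept drop-mode oldest
!
! Verification after the fact:
!   show tcp intercept connections
!   show tcp intercept statistics
```

TCP intercept only helps for servers reached through this router, and the half-open table lives in router memory, so the high-water marks must be sized for the router, not for the servers behind it.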

Applications Are Targets

Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor HTTP 404 File Not Found error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that...

Authentication and Authorization for Access to Critical Resources

There are two primary methods of access control: authentication and authorization. Authentication is the process by which a user or a device proves the validity of its identity to an authoritative source. This source can be the login process on a host, the access device of a network, an application such as a database or web server, or one of a wide range of other systems on a network. Authorization is the process by which an authenticated user is granted or denied specific rights, which determines whether she has sufficient...

Campus Module in Medium Sized Networks

The Campus module of the medium-sized network design provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 and Layer 3 functionality that is required by the network. The various key devices that make up the Campus module are described in Table 15-6.

Table 15-6 Campus Module Devices (device functions)
Provides authentication services to the network devices
Provides services to internal users, such as e-mail, file, and printing services
Provides Layer 2 connectivity and supports private VLANs...

Campus Module in Small Networks

The Campus module of the small network design, which is shown in Figure 13-4, provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality via a single switch.

Figure 13-4 Small Network Campus Module

Four key devices make up the Campus module, which are highlighted in Table 13-5.

Table 13-5 Campus Module Devices (device functions)
Provides services to internal users such as e-mail, file, and printing services
Provides Layer 2 connectivity and also supports private VLANs
Provides...

Characteristics of a Good Security Policy

There are three primary characteristics of a good security policy. Most important, the policy must be enforceable, and it must apply to everyone. The policy must be capable of being implemented through system administration procedures and through the publication of acceptable-use guidelines or other appropriate methods. The policy must clearly define the areas of responsibility and the roles of users, administrators, and management. Failure to meet these three requirements seriously weakens the...

Cisco AVVID

This section looks at the design concept of the Cisco AVVID. Cisco AVVID is the only enterprise-wide, standards-based network architecture that provides the foundation for today's converged networks. Cisco AVVID provides the roadmap for combining your business and technology strategies into one cohesive model and encompasses the following:
Cisco AVVID provides the baseline infrastructure that enables enterprises to design networks that scale to meet Internet business demands while delivering the...

Cisco IOS Firewall Implementation

The Cisco IOS stateful firewall is implemented as follows. Step 1: Because the router is configured with a public services segment, or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is configured for traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is for traffic from the Internet that is destined for the DMZ only. The following commands configure the...
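As an added illustration of the two inspection rule sets described above (this is not the book's own listing), the following configuration shows Cisco IOS Firewall (CBAC) inspection on a three-interface edge router. The interface names, addresses, inspection-rule names, and threshold values are assumptions made for the example; the ip inspect and access-list commands are standard IOS syntax.

```cisco
! Added example, not the book's configuration. Assumed layout:
!   FastEthernet0/0 = inside (10.1.1.0/24)
!   FastEthernet0/1 = DMZ / public services (192.0.2.0/24)
!   Serial0/0       = link to the ISP
!
! Rule set 1: sessions opened from the inside toward the Internet or the DMZ.
! CBAC tracks each session and opens a temporary hole in the inbound ACL on
! the ISP interface for the matching return traffic only.
ip inspect name inside_out tcp
ip inspect name inside_out udp
ip inspect name inside_out ftp
ip inspect name inside_out http
!
! Rule set 2: sessions opened from the Internet toward the DMZ servers only.
! Application-aware inspection here also checks that port 25 really carries
! SMTP commands and port 80 HTTP.
ip inspect name outside_dmz tcp
ip inspect name outside_dmz smtp
ip inspect name outside_dmz http
!
! Static inbound ACL on the ISP interface: only the advertised DMZ services
! are reachable; everything else is dropped unless CBAC has opened it as
! return traffic for an inspected session. (Assumed server addresses.)
access-list 140 permit tcp any host 192.0.2.10 eq www
access-list 140 permit tcp any host 192.0.2.20 eq smtp
access-list 140 permit udp any host 192.0.2.30 eq domain
access-list 140 deny ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip inspect inside_out in
!
interface FastEthernet0/1
 description DMZ / public services
 ip address 192.0.2.1 255.255.255.0
!
interface Serial0/0
 description link to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group 140 in
 ip inspect outside_dmz in
!
! CBAC's own half-open (embryonic) session limits, the DoS protection the
! text refers to. Values are assumed; size them for the router, not the servers.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Verification:
!   show ip inspect config
!   show ip inspect sessions
```

Note the ordering on Serial0/0: the inbound ACL is evaluated before inspection, so a packet must first be permitted by ACL 140 (or by a dynamic CBAC entry) before the outside_dmz rule set ever sees it.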

Cisco Network Core Security Products

In the previous chapter, Cisco Perimeter Security Products, you learned about the specific products available from the Cisco Secure security portfolio that are used to secure the perimeter of a network and those products that provide intrusion detection facilities for the network. In this second chapter on the Cisco Secure product portfolio, we look at securing network connectivity, securing identity, security management, and Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

Cisco Secure IDS Sensors

An IDS sensor can exist in one of two forms: a dedicated hardware device, or a software agent that resides on a specific host. The hardware version of the sensor is directly connected to a segment of the network that requires monitoring, whereas the software version resides on each specific host that requires monitoring. These two types of IDS sensor give rise to what is commonly called network IDS (NIDS) and host IDS (HIDS), respectively. A NIDS is designed to support multiple hosts and uses...

Cisco Secure Scanner

The Cisco Secure Scanner is a software application that offers a complete suite of network scanning tools and is designed to run on either the Windows or Solaris operating systems. The product was formerly called Cisco NetSonar. This software suite provides the ability to configure a specific host on the network to become what is referred to as a network scanner. This scanning host is then capable of scanning all or a specific part of the network for known security threats. This makes the...

Cisco VPN 3000 Series Concentrator

The Cisco VPN 3000 Series Concentrator is a range of purpose-built, remote-access VPN devices that provide high performance, high availability, and scalability. The Cisco VPN 3000 Series Concentrator uses the most advanced state-of-the-art encryption and authentication techniques that are currently available within the industry. The Cisco VPN 3000 Series Concentrator includes models that support a range of enterprise customers, from small businesses requiring 100 or fewer concurrent VPN...

Cisco VPN Client

In the Cisco VPN Client option, the design emphasis is on the mobile or home-office worker. In this model, it is assumed that the user has the Cisco VPN Client installed on his PC, and Internet connectivity is provided from either an ISP dial-up connection or via the LAN. The Cisco VPN Client provides the means to establish a secure, encrypted IPSec tunnel from the client's PC to the VPN headend device located at corporate headquarters. Access and authorization to the corporate network is...

Cisco VPNEnabled Routers

The Cisco IOS Software running in Cisco routers provides feature-rich IPSec VPN services with industry-leading routing and delivers a comprehensive VPN routing solution. The Cisco IOS Software combines IPSec VPN enhancements, such as 3DES encryption (considered strong when this was written; current deployments should prefer AES) and authentication using either digital certificates or preshared keys, with robust firewall, intrusion detection, and secure administrative capabilities. The actual capability of the router to establish an IPSec VPN connection is determined by...

Classifying Rudimentary Network Attacks

This chapter covers a wide range of attacks, including reconnaissance attacks, unauthorized access, denial of service (DoS) attacks, application layer attacks, and trust exploitation attacks. All of these attacks are designed for one of two purposes: to gain access to a system or network, or to deny access to a system or network to legitimate users. To understand how to defend against these attacks, you first must understand how the attacks work. Therefore, each of these attacks is covered...

Configuration Options for Remote User Network Design

Within the SAFE SMR model, the remote-user network design consists of four possible module options. Table 17-2 describes each of these options.

Table 17-2 Remote-User Network Design Options
The remote site is protected by a dedicated firewall, which is IPSec-VPN enabled. WAN connectivity is provided by a broadband access device supplied by an ISP.
The remote site uses a router that has both firewall and IPSec-VPN functionality. The router...

Contents

Foreword
Introduction
Part I Cisco SAFE Overview
SAFE: A Security Blueprint for Enterprise Networks
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
SAFE VPN: IPSec Virtual Private Networks in Depth
SAFE: Wireless LAN Security in Depth, Version 2
SAFE: IP Telephony Security in Depth
Additional SAFE White Papers
Looking Toward the Future
Chapter 2 SAFE Design Fundamentals
"Do I Know This Already?" Quiz
Foundation Topics
Security and...

Corporate Internet Module in Medium Sized Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity as well as traffic from traditional dial-in users. The various key devices that make up the Corporate Internet module are outlined in Table 15-2.

Table 15-2 Corporate Internet Module Devices
Terminates analog...

Corporate Internet Module in Small Networks

The Corporate Internet module provides internal users connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity. Several key devices make up the Corporate Internet module. These devices are described in Table 13-2.

Table 13-2 Corporate Internet Module Devices
Acts as a relay...

CSI Exam Blueprint

The CSI exam focuses on the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks blueprint (SAFE SMR for short), published in 2001. This blueprint covers designing and securing small and medium-sized networks and providing secure network access to remote users, such as mobile workers and telecommuters. The CSI course provides the knowledge and skills needed to implement and use the principles and axioms presented in the SAFE SMR white paper. The course primarily...

Design Guidelines

The Corporate Internet module in the medium-sized network design consists of the following key devices, which have different functional roles within the design:
ISP router: Provides Internet connectivity
Edge router: Provides a demarcation point between the ISP and the network
Firewall: Provides stateful filtering and site-to-site VPN termination
Intrusion detection: Detects attacks from permitted firewall traffic
Remote-access VPN: Provides secure connectivity for remote users
Dial-in access users...

Designing Medium Sized SAFE Networks

As mentioned in Chapter 13, Designing Small SAFE Networks, the principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks and uses a modular format to combat security threats. This enables the creation of scalable, corporate-wide security solutions. In this second of three chapters covering the...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 2-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz questions that...

Foreword

CCSP CSI Exam Certification Guide is a complete study tool for the CCSP CSI exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills to implement appropriate technologies to build secure networks based on the Cisco Systems SAFE Blueprint. This book was developed in cooperation with the Cisco Internet Learning Solutions...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each Foundation Summary section before taking the exam. The heart of SAFE is the inclusion of security throughout the network and within the end systems themselves. To that end, the original SAFE Enterprise document used several...

InBand Network Management

The term in-band network management refers to the flow of management traffic that follows the same path as normal network data. In-band managed devices support various methods and protocols that facilitate remote management of the device while using the normal data flow. The section Network Management Protocols, later in the chapter, provides more details on the protocols that provide this functionality. Because management information is flowing over the same path as data traffic, in-band...

ISP Traffic Filtering

By using an inbound ACL, you can filter traffic that is arriving from the ISP router. This filtering is applied inbound on the edge router's public (ISP-facing) interface by using the command ip access-group 140 in. You should consider using the following common ACL definitions.

Apply RFC 1918 filtering. If RFC 1918 addresses are legitimately used on the far side of the link, these rules require modification accordingly.

access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip...

Key Campus Module Devices

There are significant differences between the Campus module design for the small network and that for the medium-sized network, summarized in Table 4-2. The key devices in the small network Campus module are the Layer 2 switches. In the medium-sized network, there are several key devices, including Layer 2 and Layer 3 switches and an IDS. The functions of these devices along with management hosts are described in the following sections.

Table 4-2 Key Devices in the Campus Module...

Key Devices for Remote User Networks

Each of the options presented in Table 17-2 can use a variety of key devices within each model of the remote-user network design. These devices are described in Table 17-3.

Table 17-3 Remote-User Network Devices (device functions)
Provides connectivity to the broadband network.
Provides connectivity between local network devices. This can be a standalone device or integrated within the VPN hardware device.
Provides local network protection through stateful filtering of traffic.
Provides secure VPNs via IPSec tunnels between the headend and local site....

ManInThe Middle Attacks

Man-in-the-middle attacks cover situations in which the attacker is able to intercept packets that are crossing a network, modify or falsify the information in those packets, and then reinject the modified packets into the network. These attacks can be used to capture sensitive information, hijack ongoing sessions, create DoS occurrences, corrupt transmitted data, or introduce new, typically false, information into network sessions. An example of a man-in-the-middle attack is shown in Figure...

Mitigating Port Redirection Attacks

Mitigating port redirection requires the use of good trust models. Trust models can be implemented by proper access restrictions between hosts. As long as there is an implicit trust between hosts that is based on IP addresses, the problem of port redirection will not be solved. A HIDS can be used to detect and possibly prevent an attacker who is trying to install port redirection software, such as HTTPtunnel or NetCat, for use in a port redirection attack.

Guarding Against Virus and...

Mitigating Rudimentary Network Attacks

Chapters 6 and 7 covered various attacks that may be launched against a network. This chapter covers the mitigation of the attacks described in Chapter 6, Classifying Rudimentary Network Attacks reconnaissance, unauthorized access, denial of service (DoS), application layer, and trust exploitation attacks. The mitigation techniques discussed in this chapter are based on network security best common practices (BCPs) and on SAFE concepts. Although both this chapter and Chapter 9, Mitigating...

Mitigating Threats in Remote User Networks

Table 17-4 presents the threats that can be anticipated for the remote-user network design model and summarizes the mitigation techniques for each anticipated threat.

Figure 17-1 Remote-User Design Model

Table 17-4 Remote-User Network Threats and Threat Mitigation
Mitigated by using RFC 1918 and RFC 2827 filtering at the ISP edge and remote-site...

Mitigating Threats in the Campus Module

Within the small network Campus module, each device plays a threat-mitigation role, as shown in Figure 13-5. Table 13-6 lists the expected threats and mitigation actions found within this module.

Figure 13-5 Small Network Campus Module Threat-Mitigation Roles

Table 13-6 Campus Module Threats and Threat Mitigation
Operating systems, devices, and applications are kept up to date with the latest security fixes and are protected by HIDSs. A...

Mitigating Threats in the Corporate Internet Module

The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. Table 13-3 shows the anticipated threats and mitigation actions expected on this segment.

Table 13-3 Corporate Internet Module Threats and Threat Mitigation
Mitigated through HIDSs on the public servers
Limited through the use of CAR* at ISP edge and TCP setup...

N

Network Infrastructure (AVVID), 187
network intrusion detection system (NIDS). See NIDS (network intrusion detection system)
network management, 139
  in-band network management, 139
  out-of-band network management, 139-140
  policies, 73
  protocols, 140-141
    control protocols, 143-144
    file-management protocols, 144
    logging protocols, 143
    monitoring protocols, 143-144
    remote-access protocols, 141-143
    reporting protocols, 143
    time-synchronization protocols, 145
  traffic attacks, mitigating, 140
network...

Exams Required for Certification

Successful completion of a group of exams is required to achieve the CCSP certification. The exams generally match the topics covered in the official Cisco courses. Table I-1 summarizes CCSP exam-to-course mappings. CCSP certifications are valid for three years like the CCNP and the CCDP. Re-certification is required to keep the certification valid for every three-year period after that. Introduction to Cisco Networking Technologies (INTRO) and Interconnecting Cisco Network Devices (ICND)...

Network Intrusion Detection System Overview

An in-depth look at the implementation of a NIDS is beyond the scope of this book. Furthermore, the configuration that is required to implement any NIDS depends on the system to be used. Within the medium-sized network design, NIDS appliances are used within the following:
Inside PIX Firewall segment

Figure 16-1 shows the deployment of these NIDS sensors within the medium-sized network. A NIDS works by using dedicated, hardened devices known as sensors, which analyze all network traffic that is...

How to Use This Book to Pass the Exam

One way to use this book is to read it from cover to cover. Although that may be helpful to many people, it also may not be very time efficient, especially if you already know some of the material covered by this book. One effective method is to take the Do I Know This Already quiz at the beginning of each chapter. You can determine how to proceed with the material in the chapter based on your score on the quiz. If you get a high score, you might simply review the Foundation Summary section of...

Network Posture Visibility

Reducing the visibility of the network posture involves reducing the number of services in the public-facing segment of the network to a minimum. This means that if a web server, an SMTP server, an FTP server, and a DNS server are situated in the DMZ of the Corporate Internet module, the only inbound ports open at the edge router are for web, e-mail, FTP, and DNS to those servers. All other ports are blocked with an access control list (ACL). If other hosts exist in the DMZ but access from the...
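The following configuration is an added example, not a listing from the book, that ties together the three filtering ideas the book presents separately: the RFC 2827 filtering on the core-switch VLANs from the scenario answers, the RFC 1918 filtering of traffic arriving from the ISP, and the service minimization described above. The public block 203.0.113.0/24, the four DMZ server addresses, the interface names, and the ACL numbers are assumptions for the example.

```cisco
! Added example (not the book's own listing). Assumed addressing:
!   203.0.113.0/24   the company's public block (DMZ servers live here)
!   .10 web, .20 SMTP, .30 FTP, .40 DNS
!   10.1.10.0/24, 10.1.11.0/24  campus user VLANs, as in the scenario
!
! ===== Edge router: inbound from the ISP =====
! 1. RFC 1918 and other sources that can never legitimately arrive from
!    the Internet (adjust if RFC 1918 space is used across the WAN link)
access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip 192.168.0.0 0.0.255.255 any
access-list 140 deny ip 127.0.0.0 0.255.255.255 any
access-list 140 deny ip 0.0.0.0 0.255.255.255 any
access-list 140 deny ip 224.0.0.0 15.255.255.255 any
! 2. RFC 2827 in the inbound direction: nothing from outside may claim a
!    source address in our own block. Logged, because it is always an attack.
access-list 140 deny ip 203.0.113.0 0.0.0.255 any log
! 3. Posture visibility: only the advertised services, and only to the host
!    that offers each one. A second host in the DMZ stays invisible.
access-list 140 permit tcp any host 203.0.113.10 eq www
access-list 140 permit tcp any host 203.0.113.20 eq smtp
access-list 140 permit tcp any host 203.0.113.30 eq ftp
access-list 140 permit tcp any host 203.0.113.40 eq domain
access-list 140 permit udp any host 203.0.113.40 eq domain
! 4. Return traffic for sessions opened from inside. The stateful firewall
!    behind this router does the real session tracking; this only lets the
!    packets reach it.
access-list 140 permit tcp any 203.0.113.0 0.0.0.255 established
! 5. ICMP needed for path MTU discovery; everything else is logged and dropped
access-list 140 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
access-list 140 deny ip any any log
!
interface Serial0/0
 description link to ISP router
 ip access-group 140 in
!
! ===== Core switch: RFC 2827 on each user VLAN (scenario answer) =====
! A packet entering the switch from VLAN 10 must carry a VLAN 10 source
! address; anything else is spoofed and is dropped before it leaves the VLAN.
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
access-list 110 deny ip any any log
access-list 111 permit ip 10.1.11.0 0.0.0.255 any
access-list 111 deny ip any any log
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group 110 in
!
interface Vlan11
 ip address 10.1.11.1 255.255.255.0
 ip access-group 111 in
!
! Check the hit counters after a few minutes; the deny lines of 110/111
! should stay at zero on a healthy network:
!   show access-lists 110
```

The "in" direction on an SVI means traffic entering the switch from the hosts on that VLAN, which is why a single permit for the VLAN's own prefix followed by a logged deny is enough to stop spoofed sources at their origin.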

Networks Are Targets

Network attacks are the most difficult to defend against because they typically take advantage of an intrinsic property of the network itself. This category of attacks includes Layer 2 attacks, distributed denial of service (DDoS) attacks, and network sniffers. The Layer 2 attacks can be mitigated through the use of the best practices previously listed in the sections Routers Are Targets and Switches Are Targets. The impact of sniffing can be mitigated through the implementation of a switched...

Other Certifications

Cisco has a wide variety of certifications beyond the CCSP. These certifications are outlined in Table I-2. For additional information regarding any Cisco certification, consult the website at Cisco.com and click on Learning & Events > Career Certifications and Paths.

Table I-2 Additional Cisco Certifications
Demonstrates a basic level of knowledge of networking and Cisco device configuration
Demonstrates a basic level of knowledge in the design and implementation of networks using...

Outof Band Network Management

Out-of-band network management refers to the flow of management traffic that does not follow the same path as normal network data. Normally, a parallel network or communications path is used for management purposes in this case. This path either directly interfaces to a dedicated network port on the device needing to be managed or terminates on a device, such as a terminal server, which then provides direct connection to the networked device's console port. Generally, out-of-band management is...

Protecting Against Unauthorized Access

Mitigating unauthorized access is one of the easier mitigation techniques. Because an attacker must be able to access a port to gain unauthorized access to the system, the simple solution is to deny access to that port. For example, for an attacker to gain access to a system, she may need to Telnet to that system. By blocking Telnet access to systems at the router for DMZ systems and the firewall, you can prevent the attacker from reaching the Telnet port on the protected systems. Mitigation of...

Public Services Segment Filtering

By using an ACL, you can filter traffic that is entering the firewall from the public services interface. This filtering is applied to the public services interface by using the access-group command. You should consider using the following common ACL definitions.

Allow mail services between the public and internal mail servers:
access-list ps_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp

Allow echo replies from the internal network:
access-list ps_access_in permit icmp...

Q&A

As mentioned in the introduction, All About the Cisco Certified Security Professional Certification, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A. For more practice...

Reconnaissance Attacks

Network reconnaissance is the act of gathering information about a network in preparation for a possible attack. This information can be garnered from a wide variety of sources. The sources of information for a reconnaissance attack include what is called uncontrollable information, which is information that the network staff cannot control because it is publicly disseminated, as well as information that an attacker gathers actively through network sweeps and port scans. Some examples of uncontrollable information include the IP address ranges owned by a...

Remote Access Segment Filtering

By using an ACL, you can filter traffic that is entering the firewall from the remote-access interface. This filtering is applied to the remote-access segment (RS) interface by using the access-group command. You should consider using the following common ACL definitions.

Allow traffic from the remote-access segment devices to the management servers for syslog, TACACS+, and TFTP:
access-list remote_access_in permit udp host ra-segment-device-IP host management-server-IP eq syslog
access-list remote_access_in permit host...
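As an added example covering both the public services segment filtering and the remote-access segment filtering above (this is not the book's own listing), the following PIX Firewall configuration completes the two named ACLs and binds them to their interfaces. All host addresses, the interface names dmz and ra, and the 10.1.40.0/24 VPN address pool are assumptions; the syntax is PIX 6.x, in which ACL masks are ordinary subnet masks rather than IOS wildcard masks.

```cisco
! Added example, not the book's configuration (PIX 6.x syntax). Assumed hosts:
!   192.0.2.20  public mail relay on the public services (dmz) interface
!   192.0.2.5   public DNS server on the dmz interface
!   10.1.11.50  internal mail server
!   10.1.20.10  management server (syslog, TACACS+, TFTP, NTP)
!   10.1.30.1   VPN concentrator's private interface on the ra segment
!   10.1.40.0/24 address pool handed to remote-access VPN users
!
! ===== Public services segment: packets entering the PIX from the DMZ =====
! Mail relay may talk SMTP to the internal mail server and to the Internet
access-list ps_access_in permit tcp host 192.0.2.20 host 10.1.11.50 eq smtp
access-list ps_access_in permit tcp host 192.0.2.20 any eq smtp
! Public DNS may resolve against the Internet
access-list ps_access_in permit udp host 192.0.2.5 any eq domain
! Echo replies to pings that the internal network sent to DMZ hosts
access-list ps_access_in permit icmp any 10.1.0.0 255.255.0.0 echo-reply
! Only logging and time, and only to the management server
access-list ps_access_in permit udp 192.0.2.0 255.255.255.0 host 10.1.20.10 eq syslog
access-list ps_access_in permit udp 192.0.2.0 255.255.255.0 host 10.1.20.10 eq ntp
! A compromised DMZ host scanning inward hits this line and nothing else
access-list ps_access_in deny ip any any
access-group ps_access_in in interface dmz
!
! ===== Remote-access segment: packets entering the PIX from the ra interface =====
! Concentrator to management server: syslog (UDP 514), TACACS+ (TCP 49), TFTP (UDP 69)
access-list remote_access_in permit udp host 10.1.30.1 host 10.1.20.10 eq syslog
access-list remote_access_in permit tcp host 10.1.30.1 host 10.1.20.10 eq tacacs
access-list remote_access_in permit udp host 10.1.30.1 host 10.1.20.10 eq tftp
! Decrypted traffic from VPN users, sourced from the pool, to the internal network
access-list remote_access_in permit ip 10.1.40.0 255.255.255.0 10.1.0.0 255.255.0.0
! The concentrator itself gets no other access to the inside
access-list remote_access_in deny ip any any
access-group remote_access_in in interface ra
```

The point of pinning management flows to host pairs rather than to whole segments is that a DMZ server that is taken over cannot then reach the TFTP or syslog service on the management host in ways the ACL did not anticipate; the PIX's implicit deny would drop those packets anyway, but the explicit final deny makes the hit counter from show access-list a useful indicator.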

SAFE Extending the Security Blueprint to Small Midsize and Remote User Networks

The white paper SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks extends the principles discussed in the SAFE Enterprise white paper and sizes them appropriately for smaller networks. These smaller networks include branches of larger enterprise networks as well as standalone and small to medium-sized network deployments. The design also covers the telecommuter and the mobile worker. The SAFE small network blueprint is shown in Figure 1-2. Here the emphasis is...

SAFE Modules Overview

The SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks (SAFE SMR) blueprint was written approximately one year after the successful release of SAFE A Security Blueprint for Enterprise Networks (SAFE Enterprise). The SAFE SMR blueprint provides best practice information about designing and securing networks that are of a smaller scale than that described in the original SAFE Enterprise white paper. SAFE SMR uses the same principles as the original SAFE Enterprise...

Safe Vpn Ipsec Virtual Private Networks in Depth

The SAFE VPN IPSec Virtual Private Networks in Depth white paper discusses in detail the design and security of IPSec VPNs, including specific design considerations and best-practice recommendations for enterprise IPSec VPN deployment. This white paper considers VPN design at various levels, from the remote-user network design all the way up to a distributed large network VPN design. The design objectives used in the SAFE VPN white paper include the following:
The need for secure connectivity
Reliability,...

Security Policy Characteristics Goals and Components

A security policy defines the framework that is used to protect the assets that are connected to a network. RFC 2196, Site Security Handbook, defines a security policy as . . .a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. Without a security policy, the availability of a network can be compromised. By defining the basis with which the information assets and the systems connected to the network are used and...

Security Policy Components

A successful security policy can be subdivided into smaller subpolicies, each of which covers a specific topic related to the overall security of the network. The breadth and scope of each subpolicy can vary according to the needs of administrators and managers. Each subpolicy can be referenced as a standalone document as well as function as part of an overall security policy. Section 2.2 of the Site Security Handbook lists several elements of an overall security policy, including Computer...

Security Policy Goals

Without an overall design, network security can become a hodge-podge of rules and guidelines that can easily contradict each other. Any and all security-related decisions that are made affect the security level of the network as well as its functionality and ease of use. Good decisions regarding security cannot be made without first defining the overall goals and a roadmap to attain those goals. Without this roadmap, using security tools is meaningless, because it is impossible to determine...

Support for Emerging Networked Applications

Technology evolves through the need for newer, better, and faster applications. These applications are more dependent than ever on the network for their proper use and operation. In the past, applications were monolithic in nature and relied on the fact that users accessed the application from within the same system the application was installed on. Today's distributed applications require a secure network to ensure secure communication between the application and the user. SAFE accommodates...

The Need for Network Security

With the recent unparalleled growth of the Internet has come a greater degree of exposure to personal information, government secrets, and confidential data as well as corporate information assets. Network systems are at a greater degree of exposure to attack than ever before. Attackers are posing an increasing threat to the capabilities of businesses to function efficiently and securely. Attackers are no longer only individuals external to the network who are solely interested in gaining...

The Security Wheel

The implementation of a security policy typically involves four steps:
Step 1 Develop the security policy.
Step 2 Implement the security products called for by the security policy.
Step 3 Inspect the policy periodically.
Step 4 Handle incidents as they occur.
This process does not provide for the continual adaptation of the security policy to changes in the network environment. The Security Wheel concept treats network security as a continuous process that is built around the corporate security...

Traffic Rate Limiting

An organization can implement, in cooperation with its ISP, traffic-rate limiting, whereby all nonessential traffic is given only a small fraction of the total bandwidth in the link. Additionally, an organization can implement quality of service (QoS) to identify permitted traffic and ensure that it is handled quickly while other, potentially unauthorized traffic is relegated to slower handling. Utilizing rate limits along with QoS shaping of traffic can greatly help to mitigate the impact of...

Trust Exploitation Attacks

A trust relationship exists between two systems when each system agrees to accept communication from the other system without explicitly authenticating the connection. Trust is established in a variety of ways. There are Windows trust relationships in which one domain may trust another domain and provide for pass-through authentication. On UNIX systems, there is the r-services trust relationship. The trust involved with r-services differs from Windows trust relationships in that no...

Unauthorized Access Attacks

Although the category "unauthorized access" is not limited to specific attacks against networks, it does cover the most common type of attack that is executed today. When users, whether legitimate or not, connect to a service port such as SSH or Telnet, they may be greeted with a message stating "Unauthorized Access Is Prohibited." If attackers continue to attempt to access the system, their actions are unauthorized. These attacks can occur both outside of and within a network. This attack category...

Understanding the Campus Module

The Campus module contains the end-user workstations and the corporate intranet servers and management servers. This module also contains the Layer 2 and Layer 3 devices that provide the underlying network infrastructure. In the medium-sized and small networks covered in the SAFE SMR design, the Campus module is a combination of the various modules that comprise the campus segment in the SAFE Enterprise white paper. This combination is done to reflect the smaller scale of the design in the...

VLAN Segregation

VLAN segregation within the Campus module, as shown in Figure 16-1, uses the following five VLANs. The configuration in Example 16-1 defines the preceding VLANs.
Example 16-1 Defining VLANs
interface Vlan10
 description ** Link to Corporate Internet Module ***
 ip address corporate-internet-VLAN-IP mask
interface Vlan11
 description ** Corporate Servers ***
 ip address corporate-server-VLAN-IP mask
interface Vlan12
 description ** Corporate Users ***
 ip address corporate-user-VLAN-IP mask
interface...

VPN Hardware Client

The VPN hardware client option is also nearly identical to the remote-site firewall option previously discussed, with the exception that the VPN hardware client does not have a resident stateful firewall. Consequently, this option requires the use of a personal firewall on each individual host that is located behind the VPN hardware client. The use of a personal firewall is even more paramount if split tunneling is enabled, because without the use of a personal firewall, the individual hosts...

WAN Module in Medium Sized Networks

The inclusion of the WAN module in the medium-sized network design is feasible only if there is a requirement to connect to a remote site using a private circuit such as Frame Relay or ATM. The design of a WAN module includes only one device, a Cisco IOS Firewall router, which provides routing, access-control, and QoS mechanisms to remote locations. The WAN module and its associated components are shown in Figure 15-6.
Figure 15-6 Medium-Sized Network WAN Module...

Warning and Disclaimer

This book is designed to provide information about the Cisco CSI exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that...

What Is SAFE?

SAFE is a network architecture blueprint developed by engineers at Cisco Systems. SAFE is intended to be a flexible and dynamic blueprint for security and virtual private networks (VPNs) that is based on the Cisco Architecture for Voice, Video, and Integrated Data (AVVID). The intention is to enable businesses to successfully and securely take advantage of available e-business economies and to compete in the emerging Internet economy with assurance. While the SAFE architecture lab was built on...

CiscoWorks VPN Security Management Solution

CiscoWorks VPN Security Management Solution (VMS) is an integrated security management solution that forms an integral part of the SAFE blueprint for network security. VMS enables customers to deploy security infrastructures from small networks to large, complex, and widely distributed environments. VMS's strength is that it combines many administrative tasks that would normally be handled separately through a single integrated interface. This interface combines web-based tools for secure...

Mitigating Reconnaissance Attacks

Reconnaissance attack mitigation centers on protecting the network from scouting forays by attackers. It is not possible to completely protect address range information in ARIN, APNIC, and RIPE or domain name information in a network registrar from being evaluated by an attacker. You must assume that an attacker can ferret out that information with relative ease. With that in mind, you should understand that, realistically, defense begins at the network perimeter, and starting it there involves...

Port Redirection

Port redirection is a specific case of trust exploitation. Essentially, this is a tunneling type of attack. In this case, an attacker uses a compromised host to relay traffic passed through an open port on a firewall or in a router's ACLs that would normally be denied. This is shown in Figure 7-2. Consider a firewall with three interfaces: internal, external, and DMZ, as shown in Figure 7-1. The hosts on the external interface (those that are in the Internet) can reach the hosts in...

All About the Cisco Certified Security Professional Certification

The Cisco Certified Security Professional (CCSP) certification is the newest midlevel certification from Cisco Systems. This certification is on a par with CCNP and CCDP. The aim of this certification is to provide professional-level recognition to network engineers in the design and implementation of Cisco secure networks. This certification provides validation of knowledge and skills in key areas of security, including firewalls, intrusion detection, VPNs, identity, and security management....

Design Guidelines for the Corporate Internet Module

The small network model represents a scaled-down security-centric network design with all the security and VPN functionality that is found within a single device. As described earlier and shown in Figure 13-2, two options are available within this design model. The first option uses a Cisco IOS router with firewall and VPN functionality. This option provides the greatest flexibility within the small network design because the router is capable of supporting not only the firewall and VPN...

Key Corporate Internet Module Devices

There are several key devices in the Corporate Internet module that are common between the medium-sized network design and the small network design. The key devices in both the small and medium-sized network designs are summarized in Table 4-3. This table also indicates in which network these devices can be found.
Table 4-3 Key Devices in Corporate Internet Module
DNS Server: Provides authoritative external DNS resolution; relays internal...

CatOS Switches

The generic security configuration used within Cisco CatOS switches is described in the following steps:
Step 1 Shut down all unneeded services by issuing the following commands:
set ip http server disable
set cdp disable
Step 2 Set passwords and access restrictions. Enable AAA. To set passwords, use the following. Set access restrictions with the following commands:
set ip permit enable telnet
set ip permit management-host-address 255.255.255.255 telnet
set tacacs server tacacs-server-address
set...