A

Acceptable-encryption policies, 74 acceptable-use policies, 74 access, controlling, 127 access attacks, 91-92 access control Corporate Internet module, 203-204 medium-sized network design, 242-243 access control lists (ACLs), SNMP, 144 Access Control Server (ACS). See ACS (Access Control Server) access control servers, Campus modules, 49 access filtering, Layer 3 switches, 278 access switches, campus module, medium-sized network design, 249 access-group command, 226 accountability policies,...

About the Technical Reviewers

Greg Abelar is a seven-year veteran of Cisco Systems, Inc. Greg helped train and assemble the world-class Cisco Technical Assistance Center Security Organization. He is a sought-after speaker on the subject of security architecture. In addition, he founded, project managed, and contributed content to the CCIE Security Written Exam. Steven Hanna is an education specialist at Cisco Systems, Inc., where he designs and develops training on Cisco network security products. Steven has more than eight...

Acknowledgments

Ido Dubrawsky: Paul Grey, for being a wonderful co-author with me on this project. If you hadn't signed on to this, Paul, I certainly wasn't going to do it alone. Michelle Grandin, acquisitions editor, who must have been biting her nails until the last day hoping I would get all of the chapters done on time. Also, thanks for finding me my co-author. Sorry for the added stress, and thanks for sticking with me. David Phillips, for hiring me at Cisco Systems, Inc., and letting me work with an...

Alternative Campus Module Designs

If the medium-sized network is small enough, you can eliminate the Layer 2 switches and connect all end-user workstations directly into the core switch. Private VLANs are still implemented to reduce the risk of attacks due to trust exploitation. If desired, you can replace the NIDS appliance with an IDS module in the core switch, which then provides higher traffic throughput into the IDS system. In the small network, the lack of a Layer 3 switch places additional emphasis on host and...

Alternative Medium Sized Network Corporate Internet Module Designs

The medium-sized network blueprint provides for alternative placements of devices within the designs. For example, in the medium-sized network, you can implement a stateful firewall on the edge router. This has the added benefit of providing greater defense in depth to this module. Also, you can insert another NIDS just outside the firewall. This NIDS provides for important alarm information that normally is not seen because of the firewall. The NIDS device can also provide validation of the...

Answers to Scenario 182

1. On the public interface of the edge router, allow IPSec traffic from the remote-site peers 10.10.1.1 and 10.10.2.1 (not shown). Also allow remote-access VPN traffic. The edge router's public interface filtering is configured as follows:

    edge_rtr(config)# access-list 100 permit udp host 10.10.1.1 host 172.31.254.2 eq isakmp
    edge_rtr(config)# access-list 100 permit udp host 10.10.2.1 host 172.31.254.2 eq isakmp
    edge_rtr(config)# access-list 100 permit esp host 10.10.1.1 host 172.31.254.2...

Answers to Scenario 183

1. On the core switch, configure the four VLANs that are shown, including their IP addressing. The correct configuration is as follows:

    core_sw(config-if)# ip address 10.1.10.1 255.255.255.0
    core_sw(config-if)# ip address 10.1.11.1 255.255.255.0
    core_sw(config-if)# ip address 10.1.1.1 255.255.255.0
    core_sw(config-if)# ip address 10.1.20.1 255.255.255.0

2. Apply RFC 2827 filtering to VLAN10, VLAN11, and VLAN20. The correct configuration is as follows:

    core_sw(config)# access-list 110 permit ip 10.1.10.0...

Answers to Scenario 184

1. Sketch out a network design for this company based on the information provided. See Figure 18-5 for a network drawing. Figure 18-5 Company XYZ Network Topology. NOTE An alternative to the solution shown in Figure 18-5 is to replace the PIX Firewall with a Cisco IOS Firewall router.

2. Company XYZ has 10 salespeople on staff who require network access to company resources from time to time while in the field. How can this be best achieved? Because the PIX...

Answers to Scenario 186

1. With reference to Figure 18-4, where would you deploy a NIDS and HIDS? NIDS sensors are normally deployed on VLAN B and VLAN C of the PIX Firewall. A NIDS sensor deployed off a SPAN port on the core switch is also commonly performed.

2. In the edge router (ER), what type of mitigation can you apply to the public interface of the router? What are the commands to implement this action? It is normal practice to provide IP addressing spoofing mitigation and basic filtering on the public interface of...

Anti-DoS Features

The implementation of TCP intercept on Cisco routers also helps to mitigate DoS attacks, specifically attacks such as TCP SYN floods. Firewalls can also provide some measure of defense against TCP SYN floods by limiting the number of half-open connections permitted per host. TCP intercept works by requiring the router to intercept or catch the incoming TCP SYN requests from a client. The router responds to the SYN request by sending a SYN-ACK packet back and waiting for the client's final TCP...

Applications Are Targets

Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor HTTP 404 File Not Found error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that...

Authentication and Authorization for Access to Critical Resources

There are two primary methods of access control: authentication and authorization. Authentication is the process by which a user or a device proves the validity of its identification to an authoritative source. This source can be the login process on a host, the access device of a network, an application such as a database or web server, or one of a wide range of other systems on a network. Authorization is the process by which a user provides the credentials that prove that she has sufficient...

Book Content Updates

Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at http://www.ciscopress.com/1587200899. It's a good idea to check the website a couple of weeks before taking your exam, to review any updated content that may be posted online. We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be...

C

Design alternatives, 207 design guidelines, 206 medium-sized network design, 246-250 threat mitigation, 205-206 Campus module (SAFE), 47-48 alternative designs, 51 devices, 49-51 configuration, 349-351 CD One (CiscoWorks), 185 CERT (Computer Emergency Response Team), 117 CIA (confidentiality, integrity, and availability), 77 Cisco AVVID. See AVVID Cisco IOS Firewall, 160-161 medium-sized networks, 267-268 Cisco PIX Firewall, 161-162 Cisco SAFE Implementation exam scenarios, 299-300 answers,...

Campus Module in Medium Sized Networks

The Campus module of the medium-sized network design provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 and Layer 3 functionality that is required by the network. The various key devices that make up the Campus module are described in Table 15-6.

- Provides authentication services to the network devices
- Provides services to internal users, such as e-mail, file, and printing services
- Provides Layer 2 connectivity and supports private VLANs...

Campus Module in Small Networks

The Campus module of the small network design, which is shown in Figure 13-4, provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality via a single switch. Figure 13-4 Small Network Campus Module. Four key devices make up the Campus module, which are highlighted in Table 13-5.

- Provides services to internal users such as e-mail, file, and printing services
- Provides Layer 2 connectivity and also supports private VLANs
- Provides...

Characteristics of a Good Security Policy

There are three primary characteristics of a good security policy:

- Most important, the policy must be enforceable and it must apply to everyone.
- The policy must be capable of being implemented through system administration procedures and through the publication of acceptable-use guidelines or other appropriate methods.
- The policy must clearly define the areas of responsibility and the roles of users, administrators, and management.

Failure to meet these three requirements seriously weakens the...

Cisco AVVID

This section looks at the design concept of the Cisco AVVID. Cisco AVVID is the only enterprise-wide, standards-based network architecture that provides the foundation for today's converged networks. Cisco AVVID provides the roadmap for combining your business and technology strategies into one cohesive model and encompasses the following: Cisco AVVID provides the baseline infrastructure that enables enterprises to design networks that scale to meet Internet business demands while delivering the...

Cisco IOS Firewall Implementation

The Cisco IOS stateful firewall is implemented as follows. Step 1 Because the router is configured with a public services segment or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is configured for traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is set up for traffic from the Internet that is destined for the DMZ only. The following commands configure the...

Cisco Network Core Security Products

In the previous chapter, Cisco Perimeter Security Products, you learned about the specific products available from the Cisco Secure security portfolio that are used to secure the perimeter of a network and those products that provide intrusion detection facilities for the network. In this second chapter on the Cisco Secure product portfolio, we look at securing network connectivity, securing identity, security management, and Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

Cisco Secure IDS Sensors

An IDS sensor can exist in one of two forms: a dedicated hardware device, or a software agent that resides on a specific host. The hardware version of the sensor is directly connected to a segment of the network that requires monitoring, whereas the software version resides on each specific host that requires monitoring. These two types of IDS sensor give rise to what is commonly called network IDS (NIDS) and host IDS (HIDS), respectively. A NIDS is designed to support multiple hosts and uses...

Cisco Secure Scanner

The Cisco Secure Scanner is a software application that offers a complete suite of network scanning tools and is designed to run on either the Windows or Solaris operating systems. The product was formerly called Cisco NetSonar. This software suite provides the ability to configure a specific host on the network to become what is referred to as a network scanner. This scanning host is then capable of scanning all or a specific part of the network for known security threats. This makes the...

Cisco VPN 3000 Series Concentrator

The Cisco VPN 3000 Series Concentrator is a range of purpose-built, remote-access VPN devices that provide high performance, high availability, and scalability. The Cisco VPN 3000 Series Concentrator uses the most advanced state-of-the-art encryption and authentication techniques that are currently available within the industry. The Cisco VPN 3000 Series Concentrator includes models that support a range of enterprise customers, from small businesses requiring 100 or fewer concurrent VPN...

Cisco VPN Client

In the Cisco VPN Client option, the design emphasis is on the mobile or home-office worker. In this model, it is assumed that the user has the Cisco VPN Client installed on his PC, and Internet connectivity is provided from either an ISP dial-up connection or via the LAN. The Cisco VPN Client provides the means to establish a secure, encrypted IPSec tunnel from the client's PC to the VPN headend device located at corporate headquarters. Access and authorization to the corporate network is...

Cisco VPN-Enabled Routers

The Cisco IOS Software running in Cisco routers provides feature-rich IPSec VPN services with industry-leading routing and delivers a comprehensive VPN routing solution. The Cisco IOS Software combines IPSec VPN enhancements, such as strong 3DES encryption and authentication using either digital certificates or preshared keys, with robust firewall, intrusion detection, and secure administrative capabilities. The actual capability of the router to establish an IPSec VPN connection is determined by...

Classifying Rudimentary Network Attacks

This chapter covers a wide range of attacks, including reconnaissance attacks, unauthorized access, denial of service (DoS) attacks, application layer attacks, and trust exploitation attacks. All of these attacks are designed for one of two purposes: to gain access to a system or network, or to deny access to a system or network to legitimate users. To understand how to defend against these attacks, you first must understand how the attacks work. Therefore, each of these attacks is covered...

Components of SAFE Medium Sized Network Design

Within the SAFE SMR model, the medium-sized network design consists of three modules. Figure 15-1 shows six modules; however, the Public Switched Telephone Network (PSTN), Internet Service Provider (ISP), and Frame Relay/ATM modules are shown for clarity but are not considered a part of the medium-sized network design model. Figure 15-1 Medium-Sized Network Model (ISP Module, Corporate Internet Module, ...). As with the small...

Components of SAFE Small Network Design

The following two modules and their associated devices, shown in Figure 13-1, make up the small network design. NOTE Figure 13-1 also shows an ISP module, for clarity, but it is not considered a part of the small network design model. The Corporate Internet module provides connectivity to the Internet and terminates any VPN connectivity. Traffic for public services such as mail, web, file transfer, and name lookups is also terminated at the Corporate Internet module. The Campus module...

Configuration Options for Remote User Network Design

Within the SAFE SMR model, the remote-user network design consists of four possible module options. Table 17-2 describes each of these options. Table 17-2 Remote-User Network Design Options:

- The remote site is protected by a dedicated firewall, which is IPSec-VPN enabled. WAN connectivity is provided by a broadband access device supplied by an ISP.
- The remote site uses a router that has both firewall and IPSec-VPN functionality. The router...

Contents

Foreword
Introduction
Part I Cisco SAFE Overview
SAFE: A Security Blueprint for Enterprise Networks
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks
SAFE VPN: IPSec Virtual Private Networks in Depth
SAFE: Wireless LAN Security in Depth-Version 2
SAFE: IP Telephony Security in Depth
Additional SAFE White Papers
Looking Toward the Future
Chapter 2 SAFE Design Fundamentals
Do I Know This Already? Quiz
Foundation Topics
Security and...

Corporate Internet Module in Medium Sized Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity as well as traffic from traditional dial-in users. The various key devices that make up the Corporate Internet module are outlined in Table 15-2. Table 15-2 Corporate Internet Module Devices Terminates analog...

Corporate Internet Module in Small Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity. Several key devices make up the Corporate Internet module. These devices are described in Table 13-2. Table 13-2 Corporate Internet Module Devices: Acts as a relay...

CSI Exam Blueprint

The CSI exam focuses on the SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks blueprint (SAFE SMR for short), published in 2001. This blueprint covers designing and securing small and medium-sized networks and providing secure network access to remote users, such as mobile workers and telecommuters. The CSI course provides the knowledge and skills needed to implement and use the principles and axioms presented in the SAFE SMR white paper. The course primarily...

Design Alternatives

The Campus module discussed in the previous section can have the following alternative designs. If the medium-sized network is small enough, the access or building switches can be removed. The removed Layer 2 functionality is then provided by connecting the devices directly to the core switch. Any private VLAN configuration that is lost with the removal of the access switches is provided instead by the core switch and still mitigates trust-exploitation attacks. The external NIDS appliance can be...

Design Considerations

The Cisco Security Products Portfolio offers a wide diversity of products with an equally wide range of features and functionality. Consequently, the network architect gains an unusually high level of flexibility in the products that are available to satisfy any particular security requirements that are needed in a design. Common factors affecting the choice of products in any design are as follows Network architects consider these factors when choosing products to meet a specific customer...

Design Guidelines

The Corporate Internet module in the medium-sized network design consists of the following key devices, which have different functional roles within the design:

- ISP router: Provides Internet connectivity
- Edge router: Provides a demarcation point between the ISP and the network
- Firewall: Provides stateful filtering and site-to-site VPN termination
- Intrusion detection: Detects attacks from permitted firewall traffic
- Remote-access VPN: Provides secure connectivity for remote users
- Dial-in access users...

Design Guidelines for the Campus Module

The small network Campus module provides connectivity for the corporate and management servers and also corporate users. Private VLANs can be used within the switch to mitigate trust-exploitation attacks between the devices. For example, corporate users might not require inter-user communications and only need to communicate directly with corporate servers. This functionality can be provided by using private VLANs. Because...

Designing Medium Sized SAFE Networks

As mentioned in Chapter 13, Designing Small SAFE Networks, the principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks and uses a modular format to combat security threats. This enables the creation of scalable, corporate-wide security solutions. In this second of three chapters covering the...

Distributed Denial of Service Attacks

DDoS attacks attempt to inflict damage by flooding the network or the host with useless and undesired traffic. In this type of attack, the attacker gains control of hosts on networks other than the target and installs software on those hosts to control them. Typically, these hosts are considered zombies, slaves, or agents. The hosts that are between the attacker's computer and the agents are known as handlers or masters. The attacker may have developed this additional layer to make it harder to...

Do I Know This Already? Quiz

The purpose of the Do I Know This Already? quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 2-1 outlines the major topics discussed in this chapter and the Do I Know This Already? quiz questions that...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Foreword

CCSP CSI Exam Certification Guide is a complete study tool for the CCSP CSI exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills to implement appropriate technologies to build secure networks based on the Cisco Systems SAFE Blueprint. This book was developed in cooperation with the Cisco Internet Learning Solutions...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each Foundation Summary section before taking the exam. The heart of SAFE is the inclusion of security throughout the network and within the end systems themselves. To that end, the original SAFE Enterprise document used several...

General Implementation Recommendations

In the SAFE small network implementation, we will look at the specific configuration requirements for the following components Internet service provider (ISP) router These three components are the major networked devices that can be used within the small network. Technically, the ISP router is not part of the small network design, but because it plays a major role in the overall design aspects, it is included here for completeness. Also, the functionality of the ISP router can be integrated in...

Hosts Are Targets

Hosts are the most frequently targeted aspects of a network. They represent the most visible target to an attacker and the biggest security problem for an administrator. Attackers see hosts as the most valuable target because of the applications that are run on them, the data that is stored on them, and the fact that they can be used as launch points to other destinations. Because hosts are highly visible and consist of numerous different combinations of hardware platforms, operating systems,...

I

Identity management, VPNs, security, 182-183 IDSs (intrusion detection systems), 37-38 design, 249 configuration, PIX Firewall, 227 management console (MC), 165 medium-sized network design, Host Sensor (CiscoWorks), 185 small network services, 221 IIS directory traversal vulnerability, 92 implementation medium-sized networks, 259, 264 devices, 264 edge routers, 266-267 HIDS, 275 ISP routers, 265-266 Layer 3 switches, 277-278 NIDS, 272-275 PIX Firewall, 268-272 VPN 3000 Concentrator, 276 small...

Identity Management Cisco Secure Access Control Server

As networks and network security have evolved, so too have the methods of controlling access to these networks and their associated resources. Traditionally, a static username and password were considered adequate to secure access to the corporate network. However, with time and the enterprise's need for stronger security, stronger techniques, such as one-time passwords, have been introduced. One of the most significant problems in securing distributed systems is...

IDS Implementation

The implementation of basic Cisco IOS IDS services and reporting to the syslog server is achieved in the Cisco IOS Firewall router by following these steps:

    ip audit name IDS info action alarm
    ip audit name IDS attack action alarm drop reset

Step 2 Apply the IDS rules to each interface that requires monitoring by using the command ip audit IDS in.

IIS Directory Traversal Vulnerability

One of the most widely known targets of an application layer attack is the Microsoft Internet Information Server (IIS) directory traversal vulnerability or UNICODE attack. An attacker who exploits this vulnerability is capable of searching the directories on the server outside of the web root directory. This allows them to view files that they would normally not have access to. It also allows the attacker to exploit certain commands, such as tftp, to further exploit the host. This can all be...

In-Band Network Management

The term in-band network management refers to the flow of management traffic that follows the same path as normal network data. In-band managed devices support various methods and protocols that facilitate remote management of the device while using the normal data flow. The section Network Management Protocols, later in the chapter, provides more details on the protocols that provide this functionality. Because management information is flowing over the same path as data traffic, in-band...

Internal Threats

Internal threats are typically from disgruntled former or current employees. Internal threats can be structured or unstructured in nature. Structured internal threats represent an extreme danger to enterprise networks because the attacker already has access to the network. The focus of their efforts often is in the elevation of their privilege level from that of a user to an administrator. Although internal threats may seem more ominous than threats from external sources, security measures are...

Intrusion Detection for Critical Resources and Subnets

Intrusion detection has emerged as one of the critical network technologies that are necessary to properly secure a network. There are two general categories of IDSs, which are discussed in the next sections. A HIDS is software that is installed and runs on end systems such as servers, desktops, and laptops. The function of a HIDS is to provide a last line of defense if the NIDS misses an attack, which can occur if either the NIDS's signature database is out of date or the attacker...

IP Spoofing Attacks

IP spoofing mitigation can be provided at the egress of the ISP router through the use of RFC 1918 and RFC 2827 filtering. The implementation of these filters is described in the sections that follow. RFC 1918 filtering prevents source address spoofing of the private address ranges, as shown in the following sample configuration:

    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list...

ISP Traffic Filtering

By using an inbound ACL, you can filter traffic that is arriving from the ISP router. This filtering is applied to the public services interface by using the command ip access-group 140 in. You should consider using the following common ACL definitions. Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.

    access-list 140 deny ip 10.0.0.0 0.255.255.255 any
    access-list 140 deny ip 172.16.0.0 0.15.255.255 any
    access-list 140 deny ip...

Key Campus Module Devices

There are significant differences between the Campus module design for the small network and that for the medium-sized network, summarized in Table 4-2. The key devices in the small network Campus module are the Layer 2 switches. In the medium-sized network, there are several key devices, including Layer 2 and Layer 3 switches and an IDS. The functions of these devices along with management hosts are described in the following sections. Table 4-2 Key...

Key Devices for Remote User Networks

Each of the options presented in Table 17-2 can use a variety of key devices within each model of the remote-user network design. These devices are described in Table 17-3. Provides connectivity to the broadband network. Provides connectivity between local network devices. This can be a standalone device or integrated within the VPN hardware device. Provides local network protection through stateful filtering of traffic. Provides secure VPNs via IPSec tunnels between the headend and local site....

Man-in-the-Middle Attacks

Man-in-the-middle attacks cover situations in which the attacker is able to intercept packets that are crossing a network, modify or falsify the information in those packets, and then reinject the modified packets into the network. These attacks can be used to capture sensitive information, hijack ongoing sessions, create DoS occurrences, corrupt transmitted data, or introduce new, typically false, information into network sessions. An example of a man-in-the-middle attack is shown in Figure...

Mitigating Man-in-the-Middle Attacks

Man-in-the-middle attacks can be mitigated effectively only through cryptography. If communication is encrypted, the attacker can capture only the cipher text. If, however, the attacker can determine or capture the session key, man-in-the-middle attacks become possible. A man-in-the-middle attack against an encrypted session can succeed only if attackers can insert themselves into the key-exchange process. Before an encrypted session can be set up, both parties must agree on a session key that...

Mitigating Port Redirection Attacks

Mitigating port redirection requires the use of good trust models. Trust models can be implemented by proper access restrictions between hosts. As long as there is an implicit trust between hosts that is based on IP addresses, the problem of port redirection will not be solved. A HIDS can be used to detect and possibly prevent an attacker who is trying to install port redirection software, such as HTTPtunnel or NetCat, for use in a port redirection attack. Guarding Against Virus and...

Mitigating Rudimentary Network Attacks

Chapters 6 and 7 covered various attacks that may be launched against a network. This chapter covers the mitigation of the attacks described in Chapter 6, Classifying Rudimentary Network Attacks: reconnaissance, unauthorized access, denial of service (DoS), application layer, and trust exploitation attacks. The mitigation techniques discussed in this chapter are based on network security best common practices (BCPs) and on SAFE concepts. Although both this chapter and Chapter 9, Mitigating...

Mitigating Threats in Remote User Networks

Table 17-4 presents the threats that can be anticipated for the remote-user network design model and summarizes the mitigation techniques for each anticipated threat. Figure 17-1 Remote-User Design Model. Table 17-4 Remote-User Network Threats and Threat Mitigation: Mitigated by using RFC 1918 and RFC 2827 filtering at the ISP edge and remote-site...

Mitigating Threats in the Campus Module

Within the small network Campus module, each device plays a threat-mitigation role, as shown in Figure 13-5. Table 13-6 lists the expected threats and mitigation actions found within this module.

Figure 13-5 Small Network Campus Module Threat-Mitigation Roles

Table 13-6 Campus Module Threats and Threat Mitigation

Operating systems, devices, and applications are kept up to date with the latest security fixes and are protected by HIDSs. A...

Mitigating Threats in the Corporate Internet Module

The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. Table 13-3 shows the anticipated threats and mitigation actions expected on this segment.

Table 13-3 Corporate Internet Module Threats and Threat Mitigation

Mitigated through HIDSs on the public servers. Limited through the use of CAR* at ISP edge and TCP setup...

Exams Required for Certification

Successful completion of a group of exams is required to achieve the CCSP certification. The exams generally match the topics covered in the official Cisco courses. Table I-1 summarizes CCSP exam-to-course mappings. Like the CCNP and the CCDP, CCSP certifications are valid for three years. Re-certification is required to keep the certification valid for every three-year period after that. Introduction to Cisco Networking Technologies (INTRO) and Interconnecting Cisco Network Devices (ICND)...

Network Intrusion Detection System Overview

An in-depth look at the implementation of a NIDS is beyond the scope of this book. Furthermore, the configuration that is required to implement any NIDS depends on the system to be used. Within the medium-sized network design, NIDS appliances are used within the following segments:

Inside PIX Firewall segment

Figure 16-1 shows the deployment of these NIDS sensors within the medium-sized network. A NIDS works by using dedicated, hardened devices known as sensors, which analyze all network traffic that is...

How to Use This Book to Pass the Exam

One way to use this book is to read it from cover to cover. Although that may be helpful to many people, it also may not be very time efficient, especially if you already know some of the material covered by this book. One effective method is to take the Do I Know This Already quiz at the beginning of each chapter. You can determine how to proceed with the material in the chapter based on your score on the quiz. If you get a high score, you might simply review the Foundation Summary section of...

Network Management Protocols

Network management encompasses several different protocols that provide a wide variety of services that are used to manage a network. These services range from configuration management protocols, to monitoring and logging protocols, to time synchronization protocols. Of primary concern when selecting which protocol type to use to achieve a particular management objective is the level of security that the proposed protocol provides. Inherently, some management protocols are much more secure than...

Network Posture Visibility

Reducing the visibility of the network posture involves reducing the number of services in the public-facing segment of the network to a minimum. This means that if a web server, an SMTP server, an FTP server, and a DNS server are situated in the DMZ of the Corporate Internet module, the only inbound ports open at the edge router are for web, e-mail, FTP, and DNS to those servers. All other ports are blocked with an access control list (ACL). If other hosts exist in the DMZ but access from the...

Networks Are Targets

Network attacks are the most difficult to defend against because they typically take advantage of an intrinsic property of the network itself. This category of attacks includes Layer 2 attacks, distributed denial of service (DDoS) attacks, and network sniffers. The Layer 2 attacks can be mitigated through the use of the best practices previously listed in the sections Routers Are Targets and Switches Are Targets. The impact of sniffing can be mitigated through the implementation of a switched...

Other Certifications

Cisco has a wide variety of certifications beyond the CCSP. These certifications are outlined in Table I-2. For additional information regarding any Cisco certifications, consult the website at Cisco.com and click Learning & Events > Career Certifications and Paths.

Table I-2 Additional Cisco Certifications

Demonstrates a basic level of knowledge of networking and Cisco device configuration. Demonstrates a basic level of knowledge in the design and implementation of networks using...

Protecting Against Unauthorized Access

Mitigating unauthorized access is one of the easier mitigation techniques. Because an attacker must be able to access a port to gain unauthorized access to the system, the simple solution is to deny access to that port. For example, for an attacker to gain access to a system, she may need to Telnet to that system. By blocking Telnet access to systems at the router for DMZ systems and the firewall, you can prevent the attacker from reaching the Telnet port on the protected systems. Mitigation of...

Q&A

As mentioned in the introduction, All About the Cisco Certified Security Professional Certification, you have two choices for review questions. The questions that follow next give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A. For more practice...

Reconnaissance Attacks

Network reconnaissance is the act of gathering information about a network in preparation for a possible attack. This information can be garnered from a wide variety of sources. The sources of information for a reconnaissance attack can include what is called uncontrollable information, which is information that the network staff cannot control because it is publicly disseminated, as well as network sweeps and port scans. Some examples of uncontrollable information include the IP address ranges owned by a...

Remote Access Segment Filtering

By using an ACL, you can filter traffic that is entering from the remote-access interface. This filtering is applied to the RS interface by using the access-group command. You should consider using the following common ACL definitions.

Allow traffic from the remote-access segment devices to the management servers for syslog, TACACS+, and TFTP:

access-list remote_access_in permit host ra-segment-device-IP host management-server-IP eq syslog
access-list remote_access_in permit host...

Routers

The following steps outline the generic process for strengthening security on Cisco routers:

Step 1 Shut down all unneeded servers and services. For small services (for example, Echo, discard, chargen), issue the following commands:

no service tcp-small-servers
no service udp-small-servers

For BOOTP, Finger, HTTP, DNS, Source Routing, and CDP, issue the following commands:

no ip bootp server
no service finger
no ip http server
no ip domain-lookup
no ip source-route
no cdp run

Step 2 Secure...

Routers Are Targets

Three functions of routers are discussed in this section. First, routers are devices that announce network addresses through routing protocols. Second, routers filter network traffic. Third, routers connect one network to another, a function that has made routers an increasingly popular target for intruders. Because they are so often targets, hardening them is critical. Router security postures can be improved by implementing the following best practices:

Lock down Telnet...

SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

The white paper SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks extends the principles discussed in the SAFE Enterprise white paper and sizes them appropriately for smaller networks. These smaller networks include branches of larger enterprise networks as well as standalone and small to medium-sized network deployments. The design also covers the telecommuter and the mobile worker. The SAFE small network blueprint is shown in Figure 1-2. Here the emphasis is...

SAFE IP Telephony Security in Depth

The SAFE IP Telephony Security in Depth white paper covers best-practice information for designing and implementing secure IP telephony networks. Like the other two SAFE in Depth white papers previously discussed, this white paper focuses on one technology and details how to best secure that technology within the overall context of SAFE. Similar to the SAFE Wireless white paper, SAFE IP Telephony Security in Depth covers several deployment models for IP telephony, ranging from a large network...

SAFE Modules Overview

The SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks (SAFE SMR) blueprint was written approximately one year after the successful release of SAFE A Security Blueprint for Enterprise Networks (SAFE Enterprise). The SAFE SMR blueprint provides best practice information about designing and securing networks that are of a smaller scale than that described in the original SAFE Enterprise white paper. SAFE SMR uses the same principles as the original SAFE Enterprise...

SAFE VPN IPSec Virtual Private Networks in Depth

The SAFE VPN IPSec Virtual Private Networks in Depth white paper discusses in detail the design and security of IPSec VPNs, including specific design considerations and best-practice recommendations for enterprise IPSec VPN deployment. This white paper considers VPN design at various levels, from the remote-user network design all the way up to a distributed large network VPN design. The design objectives used in the SAFE VPN white paper include The need for secure connectivity Reliability,...

SAFE Wireless LAN Security in Depth Version 2

The SAFE Wireless LAN Security in Depth Version 2 white paper discusses wireless LAN (WLAN) implementations, with a focus on the overall security of the design. Among the best practices this white paper recommends is to consider network design elements, such as mobility and quality of service (QoS). This white paper describes the following design objectives, listed in order of priority:

Security and attack mitigation based on policy
Authentication and authorization of users to wired network...

Scenario 18-3

This scenario, depicted in Figure 18-3, involves a typical Campus module from the medium-sized network design model.

Figure 18-3 Medium-Sized Network Design with Campus Module

Assume that basic security has already been applied to all the devices and that you are connected to the console port and able to access exec mode. Given this network scenario, perform the following tasks:

1. On the core switch, configure the four VLANs that are...

Scenario 18-4

A small company, Company XYZ, is a supplier of printer consumables through a locally hosted website. It is located in a single premises with two floors. There are about 20 users located on each of these floors. All users require access to the Internet and to local services such as the corporate intranet. Internet connectivity is provided by a local ISP router. Public services consist of domain name, file, e-mail, and web services. Recently, concerns have been raised about the network's lack of...

Secure Connectivity

The Internet has evolved into an inexpensive, efficient form of doing business. The number of businesses that rely on the Internet to communicate with clients has increased and is still growing. The current techniques used for routing IP packets on the Internet, however, leave it vulnerable to security attacks such as spoofing, sniffing, and session hijacking, to name a few. As companies move from expensive, dedicated, secure connections to cost-effective use of the Internet, they require...

Secure Management and Reporting

All management of network devices and end systems is conducted in a secure manner. This requires that network devices ideally be managed through an out-of-band (OOB) network. Ideally this network is where access to the console interface of the network devices is located. An OOB network is completely separate from the network that carries the normal enterprise traffic. If an OOB network cannot be constructed or used for management, then the next best solution is to use encryption to secure...

Security and Attack Mitigation Based on Policy

At the heart of any network security effort is the policy. The network security policy drives the decisions that determine whether an action or an event is considered a threat. A good security policy enables the network administrators or security personnel to deploy security systems and software throughout the infrastructure. This includes providing to the administrative personnel the capacity to deploy intrusion detection systems (IDSs), antivirus software, and other technologies in order to...

Security Policy Characteristics, Goals, and Components

A security policy defines the framework that is used to protect the assets that are connected to a network. RFC 2196, Site Security Handbook, defines a security policy as "...a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." Without a security policy, the availability of a network can be compromised. By defining the basis with which the information assets and the systems connected to the network are used and...

Security Policy Components

A successful security policy can be subdivided into smaller subpolicies, each of which covers a specific topic related to the overall security of the network. The breadth and scope of each subpolicy can vary according to the needs of administrators and managers. Each subpolicy can be referenced as a standalone document as well as function as part of an overall security policy. Section 2.2 of the Site Security Handbook lists several elements of an overall security policy, including Computer...

Security Policy Goals

Without an overall design, network security can become a hodge-podge of rules and guidelines that can easily contradict each other. Any and all security-related decisions that are made affect the security level of the network as well as its functionality and ease of use. Good decisions regarding security cannot be made without first defining the overall goals and a roadmap to attain those goals. Without this roadmap, using security tools is meaningless, because it is impossible to determine...

Selecting the Right Product

The products that are used and the complexity of the design that is implemented to secure any network perimeter will likely differ from one network to another, because each design can be influenced to varying degrees by numerous different factors. Just a few of the factors that can influence a design are:

Regardless of which products are used within a particular perimeter security design, they should always provide the required functionality specified by the customer. Remember that if...

Structured Threats

Structured threats are created by attackers who typically are highly motivated and technically competent. Such attackers may act alone or in small groups to understand, develop, and use sophisticated hacking techniques to bypass all security measures to penetrate unsuspecting enterprises. These groups or individuals may be involved with major fraud and theft cases reported to law enforcement agencies. Occasionally such attackers are hired by organized crime, industry competitors, or...

Support for Emerging Networked Applications

Technology evolves through the need for newer, better, and faster applications. These applications are more dependent than ever on the network for their proper use and operation. In the past, applications were monolithic in nature and relied on the fact that users accessed the application from within the same system the application was installed on. Today's distributed applications require a secure network to ensure secure communication between the application and the user. SAFE accommodates...

The Need for Network Security

With the recent unparalleled growth of the Internet has come a greater degree of exposure to personal information, government secrets, and confidential data as well as corporate information assets. Network systems are at a greater degree of exposure to attack than ever before. Attackers are posing an increasing threat to the capabilities of businesses to function efficiently and securely. Attackers are no longer only individuals external to the network who are solely interested in gaining...

The Security Wheel

The implementation of a security policy typically involves four steps:

Step 1 Develop the security policy.
Step 2 Implement the security products called for by the security policy.
Step 3 Inspect the policy periodically.
Step 4 Handle incidents as they occur.

This process does not provide for the continual adaptation of the security policy to changes in the network environment. The Security Wheel concept treats network security as a continuous process that is built around the corporate security...

Traffic Rate Limiting

An organization can implement, in cooperation with its ISP, traffic-rate limiting, whereby all nonessential traffic is given only a small fraction of the total bandwidth in the link. Additionally, an organization can implement quality of service (QoS) to identify permitted traffic and ensure that it is handled quickly while other, potentially unauthorized traffic is relegated to slower handling. Utilizing rate limits along with QoS shaping of traffic can greatly help to mitigate the impact of...

Trust Exploitation Attacks

A trust relationship exists between two systems when each system agrees to accept communication from the other system without explicitly authenticating the connection. Trust is established in a variety of ways. There are Windows trust relationships in which one domain may trust another domain and provide for pass-through authentication. On UNIX systems, there is the r-services trust relationship. The trust involved with r-services differs from Windows trust relationships in that no...