A

Acceptable-encryption policies, 74 acceptable-use policies, 74 access, controlling, 127 access attacks, 91-92 access control Corporate Internet module, 203-204 medium-sized network design, 242-243 access control lists (ACLs), SNMP, 144 Access Control Server (ACS). See ACS (Access Control Server) access control servers, Campus modules, 49 access filtering, Layer 3 switches, 278 access switches, campus module, medium-sized network design, 249 access-group command, 226 accountability policies,...

About the Technical Reviewers

Greg Abelar is a seven-year veteran of Cisco Systems, Inc. Greg helped train and assemble the world-class Cisco Technical Assistance Center Security Organization. He is a sought-after speaker on the subject of security architecture. In addition, he founded, project managed, and contributed content to the CCIE Security Written Exam. Steven Hanna is an education specialist at Cisco Systems, Inc., where he designs and develops training on Cisco network security products. Steven has more than eight...

Access Filtering

Access filtering within the Campus module takes place on the corporate servers and corporate users VLANs and the management VLAN in the configuration example that follows. This filtering is applied to the appropriate VLAN interface by using the ip access-group command.

! Apply RFC 2827 filtering to the corporate servers VLAN
interface Vlan11
 ip access-group 110 in
access-list 110 permit ip corporate-servers-network any
access-list 110 deny ip any any log
! Apply RFC 2827 filtering to the corporate...

Acknowledgments

Ido Dubrawsky: Paul Grey, for being a wonderful co-author with me on this project. If you hadn't signed on to this, Paul, I certainly wasn't going to do it alone. Michelle Grandin, acquisitions editor, who must have been biting her nails until the last day hoping I would get all of the chapters done on time. Also, thanks for finding me my co-author. Sorry for the added stress and thanks for sticking with me. David Phillips, for hiring me at Cisco Systems, Inc., and letting me work with an...

Alternative Campus Module Designs

If the medium-sized network is small enough, you can eliminate the Layer 2 switches and connect all end-user workstations directly into the core switch. Private VLANs are still implemented to reduce the risk of attacks due to trust exploitation. If desired, you can replace the NIDS appliance with an IDS module in the core switch, which then provides for higher traffic throughput into the IDS system. In the small network, the lack of a Layer 3 switch places additional emphasis on host and...

Alternative Implementations

The implementation examples shown so far have been based on the small network design model in which the small network is being used in a standalone or headend configuration. If the small network is considered a branch of a larger network, the implementation of the small network in this design model is slightly different from that previously discussed. These differences are as follows: Corporate resources are normally centralized at the corporate headquarters; therefore, the use of a local public...

Alternative Medium Sized Network Corporate Internet Module Designs

The medium-sized network blueprint provides for alternative placements of devices within the designs. For example, in the medium-sized network, you can implement a stateful firewall on the edge router. This has the added benefit of providing greater defense in depth to this module. Also, you can insert another NIDS just outside the firewall. This NIDS provides for important alarm information that normally is not seen because of the firewall. The NIDS device can also provide validation of the...

Answers to Scenario 181

1. Configure the router so that it reports to the syslog server. Syslog reporting is configured as follows:

2. Apply the Cisco IOS Firewall to the inside and outside interfaces using the name FIREWALL and only allow inspection for TCP, UDP, FTP, and SMTP services. Enable the logging of session information. The correct configuration of the Cisco IOS Firewall is as follows:

FW(config)# ip inspect name FIREWALL tcp
FW(config)# ip inspect name FIREWALL udp
FW(config)# ip inspect name FIREWALL ftp
FW(config)#...

Answers to Scenario 182

On the public interface of the edge router, allow IPSec traffic from the remote-site peers 10.10.1.1 and 10.10.2.1 (not shown). Also allow remote-access VPN traffic. The edge router's public interface filtering is configured as follows:

edge_rtr(config)# access-list 100 permit udp host 10.10.1.1 host 172.31.254.2 eq isakmp
edge_rtr(config)# access-list 100 permit udp host 10.10.2.1 host 172.31.254.2 eq isakmp
edge_rtr(config)# access-list 100 permit esp host 10.10.1.1 host 172.31.254.2...

Answers to Scenario 183

1. On the core switch, configure the four VLANs that are shown, including their IP addressing. The correct configuration is as follows:

core_sw(config-if)# ip address 10.1.10.1 255.255.255.0
core_sw(config-if)# ip address 10.1.11.1 255.255.255.0
core_sw(config-if)# ip address 10.1.1.1 255.255.255.0
core_sw(config-if)# ip address 10.1.20.1 255.255.255.0

2. Apply RFC 2827 filtering to VLAN10, VLAN11, and VLAN20. The correct configuration is as follows:

core_sw(config)# access-list 110 permit ip 10.1.10.0...

Answers to Scenario 184

1. Sketch out a network design for this company based on the information provided. See Figure 18-5 for a network drawing. Figure 18-5 Company XYZ Network Topology. NOTE: An alternative to the solution shown in Figure 18-5 is to replace the PIX Firewall with a Cisco IOS Firewall router. 2. Company XYZ has 10 salespeople on staff who require network access to company resources from time to time while in the field. How can this best be achieved? Because the PIX...

Answers to Scenario 186

1. With reference to Figure 18-4, where would you deploy a NIDS and HIDS? NIDS sensors are normally deployed on VLAN B and VLAN C of the PIX Firewall. A NIDS sensor deployed off a SPAN port on the core switch is also commonly used. 2. In the edge router (ER), what type of mitigation can you apply to the public interface of the router? What are the commands to implement this action? It is normal practice to provide IP address spoofing mitigation and basic filtering on the public interface of...

AntiDoS Features

The implementation of TCP intercept on Cisco routers also helps to mitigate DoS attacks, specifically attacks such as TCP SYN floods. Firewalls can also provide some measure of defense against TCP SYN floods by limiting the number of half-open connections permitted per host. TCP intercept works by requiring the router to intercept or catch the incoming TCP SYN requests from a client. The router responds to the SYN request by sending a SYN-ACK packet back and waiting for the client's final TCP...

Antispoof Features

Antispoof features depend on RFC 2827 filtering. In short, although RFC 2827 is written mainly from an ISP perspective, it is equally applicable to networks of any size. RFC 2827 calls for filtering at the edge of the ISP network where customer networks connect. Traffic should be filtered at the edge by restricting outbound traffic to only those prefixes that are assigned to the customer. For example, in Figure 8-2, the ISP has assigned customer A the range 192.168.100.0/24 and customer B the...

Applications Are Targets

Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor HTTP 404 File Not Found error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that...

Authentication and Authorization for Access to Critical Resources

There are two primary methods of access control: authentication and authorization. Authentication is the process by which a user or a device proves the validity of their identification to an authoritative source. This source can be the login process on a host, the access device of a network, an application such as a database or web server, or one of a wide range of other systems on a network. Authorization is the process by which a user provides the credentials that prove that she has sufficient...

Book Content Updates

Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at http://www.ciscopress.com/1587200899. It's a good idea to check the website a couple of weeks before taking your exam, to review any updated content that may be posted online. We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be...

C

Design alternatives, 207 design guidelines, 206 medium-sized network design, 246-250 threat mitigation, 205-206 Campus module (SAFE), 47-48 alternative designs, 51 devices, 49-51 configuration, 349-351 CD One (CiscoWorks), 185 CERT (Computer Emergency Response Team), 117 CIA (confidentiality, integrity, and availability), 77 Cisco AVVID. See AVVID Cisco IOS Firewall, 160-161 medium-sized networks, 267-268 Cisco PIX Firewall, 161-162 Cisco SAFE Implementation exam scenarios, 299-300 answers,...

Campus Module in Medium Sized Networks

The Campus module of the medium-sized network design provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 and Layer 3 functionality that is required by the network. The various key devices that make up the campus module are described in Table 15-6. Provides authentication services to the network devices Provides services to internal users, such as e-mail, file, and printing services Provides Layer 2 connectivity and supports private VLANs...

Campus Module in Small Networks

The Campus module of the small network design, which is shown in Figure 13-4, provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality via a single switch. Figure 13-4 Small Network Campus Module Four key devices make up the Campus module, which are highlighted in Table 13-5. Provides services to internal users such as e-mail, file, and printing services Provides Layer 2 connectivity and also supports private VLANs Provides...

CCSP CSI Exam Certification Guide

Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 Library...

Characteristics of a Good Security Policy

There are three primary characteristics of a good security policy. Most important, the policy must be enforceable and it must apply to everyone. The policy must be capable of being implemented through system administration procedures and through the publication of acceptable-use guidelines or other appropriate methods. The policy must clearly define the areas of responsibility and the roles of users, administrators, and management. Failure to meet these three requirements seriously weakens the...

Cisco AVVID

This section looks at the design concept of the Cisco AVVID. Cisco AVVID is the only enterprise-wide, standards-based network architecture that provides the foundation for today's converged networks. Cisco AVVID provides the roadmap for combining your business and technology strategies into one cohesive model and encompasses the following: Cisco AVVID provides the baseline infrastructure that enables enterprises to design networks that scale to meet Internet business demands while delivering the...

Cisco IOS Firewall Implementation

The Cisco IOS stateful firewall is implemented as follows. Step 1: Because the router is configured with a public services segment or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is configured for traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is set up for traffic from the Internet that is destined for the DMZ only. The following commands configure the...

Cisco Network Core Security Products

In the previous chapter, Cisco Perimeter Security Products, you learned about the specific products available from the Cisco Secure security portfolio that are used to secure the perimeter of a network and those products that provide intrusion detection facilities for the network. In this second chapter on the Cisco Secure product portfolio, we look at securing network connectivity, securing identity, security management, and Cisco Architecture for Voice, Video, and Integrated Data (AVVID).

Cisco Secure IDS Sensors

An IDS sensor can exist in one of two forms: a dedicated hardware device, or a software agent that resides on a specific host. The hardware version of the sensor is directly connected to a segment of the network that requires monitoring, whereas the software version resides on each specific host that requires monitoring. These two types of IDS sensor give rise to what is commonly called network IDS (NIDS) and host IDS (HIDS), respectively. A NIDS is designed to support multiple hosts and uses...

Cisco Secure Intrusion Detection System

The Cisco Secure IDS is a real-time intrusion detection system that is designed for enterprise and service provider deployments. It monitors all inbound and outbound network activity on selected segments within a network. The system uses a signature database and looks for predetermined patterns of traffic flow that may indicate a network or system attack from someone attempting to break into or compromise a system. Using this information, the system detects, reports, and can terminate...

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM), formerly Cisco Security Manager, is a centralized, scalable, comprehensive security policy management application for the Cisco Secure security portfolio. CSPM provides the administrator of a network the tools to centrally manage Cisco Secure PIX Firewalls, routers running Cisco IOS Firewall, Cisco IPSec VPN-enabled routers, and Cisco IDS sensors. The CSPM's topology-based GUI allows administrators to visually define high-level security policies for multiple...

Cisco VPN 3000 Series Concentrator

The Cisco VPN 3000 Series Concentrator is a range of purpose-built, remote-access VPN devices that provide high performance, high availability, and scalability. The Cisco VPN 3000 Series Concentrator uses the most advanced state-of-the-art encryption and authentication techniques that are currently available within the industry. The Cisco VPN 3000 Series Concentrator includes models that support a range of enterprise customers, from small businesses requiring 100 or fewer concurrent VPN...

Cisco VPN Client

In the Cisco VPN Client option, the design emphasis is on the mobile or home-office worker. In this model, it is assumed that the user has the Cisco VPN Client installed on his PC, and Internet connectivity is provided from either an ISP dial-up connection or via the LAN. The Cisco VPN Client provides the means to establish a secure, encrypted IPSec tunnel from the client's PC to the VPN headend device located at corporate headquarters. Access and authorization to the corporate network is...

Cisco VPNEnabled Routers

The Cisco IOS Software running in Cisco routers provides feature-rich IPSec VPN services with industry-leading routing and delivers a comprehensive VPN routing solution. The Cisco IOS Software combines IPSec VPN enhancements, such as strong 3DES encryption and authentication using either digital certificates or preshared keys, with robust firewall, intrusion detection, and secure administrative capabilities. The actual capability of the router to establish an IPSec VPN connection is determined by...

Classifying Rudimentary Network Attacks

This chapter covers a wide range of attacks, including reconnaissance attacks, unauthorized access, denial of service (DoS) attacks, application layer attacks, and trust exploitation attacks. All of these attacks are designed for one of two purposes: to gain access to a system or network, or to deny access to a system or network to legitimate users. To understand how to defend against these attacks, you first must understand how the attacks work. Therefore, each of these attacks is covered...

Classifying Sophisticated Network Attacks

This chapter continues the analysis of various network attacks introduced in Chapter 6, Classifying Rudimentary Network Attacks. Many of the attacks covered in this chapter typically require that the attacker have software skills that are more advanced than the skills needed to execute the attacks described in Chapter 6. The attacks covered in this chapter include IP spoofing attacks, traffic sniffing, password attacks, man-in-the-middle attacks, port redirection, and virus and Trojan-horse...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference, as follows: Vertical bars (|) separate alternative, mutually exclusive elements. Square brackets ([ ]) indicate optional elements. Braces ({ }) indicate a required choice. Braces within brackets ([{ }]) indicate a required choice within an optional element. Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not...

Components of SAFE Medium Sized Network Design

Within the SAFE SMR model, the medium-sized network design consists of three modules. Figure 15-1 shows six modules; however, the Public Switched Telephone Network (PSTN), Internet Service Provider (ISP), and Frame Relay/ATM modules are shown for clarity but are not considered a part of the medium-sized network design model. Figure 15-1 Medium-Sized Network Model (ISP Module, Corporate Internet Module). As with the small...

Components of SAFE Small Network Design

The following two modules and their associated devices, shown in Figure 13-1, make up the small network design. NOTE: Figure 13-1 also shows an ISP module, for clarity, but it is not considered a part of the small network design model. The Corporate Internet module provides connectivity to the Internet and terminates any VPN connectivity. Traffic for public services such as mail, web, file transfer, and name lookups is also terminated at the Corporate Internet module. The Campus module...

Configuration Options for Remote User Network Design

Within the SAFE SMR model, the remote-user network design consists of four possible module options. Table 17-2 describes each of these options. Table 17-2 Remote-User Network Design Options: The remote site is protected by a dedicated firewall, which is IPSec-VPN enabled. WAN connectivity is provided by a broadband access device supplied by an ISP. The remote site uses a router that has both firewall and IPSec-VPN functionality. The router...

Contents

Foreword xxii
Introduction xxiii
Part I Cisco SAFE Overview 3
SAFE: A Security Blueprint for Enterprise Networks
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks 7
SAFE VPN: IPSec Virtual Private Networks in Depth 9
SAFE: Wireless LAN Security in Depth-Version 2 10
SAFE: IP Telephony Security in Depth 10
Additional SAFE White Papers 11
Looking Toward the Future 11
Chapter 2 SAFE Design Fundamentals 13
Do I Know This Already? Quiz 13
Foundation Topics 17
Security and...

Corporate Internet Module in Medium Sized Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity as well as traffic from traditional dial-in users. The various key devices that make up the Corporate Internet module are outlined in Table 15-2. Table 15-2 Corporate Internet Module Devices Terminates analog...

Corporate Internet Module in Small Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity. Several key devices make up the Corporate Internet module. These devices are described in Table 13-2. Table 13-2 Corporate Internet Module Devices: Acts as a relay...

CSI Exam Blueprint

The CSI exam focuses on the SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks blueprint (SAFE SMR for short), published in 2001. This blueprint covers designing and securing small and medium-sized networks and providing secure network access to remote users, such as mobile workers and telecommuters. The CSI course provides the knowledge and skills needed to implement and use the principles and axioms presented in the SAFE SMR white paper. The course primarily...

Denial of Service Attacks

DoS attacks are not aimed at gaining access to a network or the information on a network but rather at making a service or a network unavailable to legitimate users. DoS attacks fall into two general categories. Nondistributed denial of service: These attacks are directed against a specific service such as Telnet, FTP, or some other service. Distributed denial of service (DDoS): These attacks are directed at a specific host or network with the aim of preventing access to the target by consuming...

Design Alternatives

The Campus module discussed in the previous section can have the following alternative designs. If the medium-sized network is small enough, the access or building switches can be removed. The removed Layer 2 functionality is then provided by connecting the devices directly to the core switch. Any private VLAN configuration that is lost with the removal of the access switches is offered by the core switch and still mitigates against trust-exploitation attacks. The external NIDS appliance can be...

Design Alternatives for the Corporate Internet Module

Usual deviations from these design guidelines normally include the breaking out of the functional components in the network from a single device to individual, specific devices or an increase in network capacity. When these functions are broken out, the design begins to take on the look of the medium-sized network design, which is discussed in Chapter 16, Implementing Medium-Sized SAFE Networks. Before you decide that you have to adopt the complete design for a medium-sized network, however, it...

Design Guidelines

The Corporate Internet module in the medium-sized network design consists of the following key devices, which have different functional roles within the design:

ISP router: Provides Internet connectivity
Edge router: Provides a demarcation point between the ISP and the network
Firewall: Provides stateful filtering and site-to-site VPN termination
Intrusion detection: Detects attacks from permitted firewall traffic
Remote-access VPN: Provides secure connectivity for remote users
Dial-in access: Users...

Design Guidelines for the Campus Module

The small network Campus module provides connectivity for the corporate and management servers and also corporate users. Private VLANs can be used within the switch to mitigate trust-exploitation attacks between the devices. For example, corporate users might not require inter-user communications and only need to communicate directly with corporate servers. This functionality can be provided by using private VLANs. Because...

Designing Medium Sized SAFE Networks

As mentioned in Chapter 13, Designing Small SAFE Networks, the principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks and uses a modular format to combat security threats. This enables the creation of scalable, corporate-wide security solutions. In this second of three chapters covering the...

Designing Small SAFE Networks

The principal goal of Cisco SAFE blueprints is to provide to interested parties best-practice information on how to design and implement secure networks. SAFE serves as a guide to network architects who are examining the security requirements of their networks. SAFE blueprints combat security threats by using a modular method that allows for the creation of a scalable, corporate-wide security solution. This is the first of three chapters that cover the specific design requirements of the SAFE...

Distributed Denial of Service Attacks

DDoS attacks attempt to inflict damage by flooding the network or the host with useless and undesired traffic. In this type of attack, the attacker gains control of hosts on networks other than the target and installs software on those hosts to control them. Typically, these hosts are considered zombies, slaves, or agents. The hosts that are between the attacker's computer and the agents are known as handlers or masters. The attacker may have developed this additional layer to make it harder to...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 2-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz questions that...

Examining SAFE Design Fundamentals

Because an organization's network tends to evolve gradually as the organization's IT requirements increase, many organizations do not have an overall design concept or philosophy in place that guides network growth, the result of which is that networks become less secure and more difficult to manage and troubleshoot as they grow. The SAFE design philosophy is modular, and modularity enhances the flexibility, manageability, and security of a network. This approach has two significant advantages...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

File Management Protocols Trivial File Transfer Protocol

TFTP is a TCP/IP file transfer protocol and is commonly used by many network devices to transfer configuration or system files across a network. Unlike FTP, TFTP does not have any directory or password capabilities. Data is sent in clear text, which leaves the TFTP transfer susceptible to a packet-sniffing attack; this can lead to sensitive data or configuration information being obtained. TFTP uses UDP port 69 for control and uses the higher UDP ports, greater than 1023, for the data stream...

Foreword

CCSP CSI Exam Certification Guide is a complete study tool for the CCSP CSI exam, enabling you to assess your knowledge, identify areas to concentrate your study, and master key concepts to help you succeed on the exams and in your daily job. The book is filled with features that help you master the skills to implement appropriate technologies to build secure networks based on the Cisco Systems SAFE Blueprint. This book was developed in cooperation with the Cisco Internet Learning Solutions...

Foundation Summary

The Foundation Summary section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should at a minimum know all the details in each Foundation Summary section before taking the exam. The heart of SAFE is the inclusion of security throughout the network and within the end systems themselves. To that end, the original SAFE Enterprise document used several...

General Implementation Recommendations

In the SAFE small network implementation, we will look at the specific configuration requirements for the following components: Internet service provider (ISP) router. These three components are the major networked devices that can be used within the small network. Technically, the ISP router is not part of the small network design, but because it plays a major role in the overall design aspects, it is included here for completeness. Also, the functionality of the ISP router can be integrated in...

Hosts Are Targets

Hosts are the most frequently targeted aspects of a network. They represent the most visible target to an attacker and the biggest security problem for an administrator. Attackers see hosts as the most valuable target because of the applications that are run on them, the data that is stored on them, and the fact that they can be used as launch points to other destinations. Because hosts are highly visible and consist of numerous different combinations of hardware platforms, operating systems,...

I

Identity management, VPNs, security, 182-183 IDSs (intrusion detection systems), 37-38 design, 249 configuration, PIX Firewall, 227 management console (MC), 165 medium-sized network design, Host Sensor (CiscoWorks), 185 small network services, 221 IIS directory traversal vulnerability, 92 implementation medium-sized networks, 259, 264 devices, 264 edge routers, 266-267 HIDS, 275 ISP routers, 265-266 Layer 3 switches, 277-278 NIDS, 272-275 PIX Firewall, 268-272 VPN 3000 Concentrator, 276 small...

Identity Management Cisco Secure Access Control Server

As networks and network security have evolved, so too have the methods of controlling access to these networks and their associated resources. Traditionally, a static username and password were considered adequate to secure access to the corporate network. However, with time and the enterprise's need for stronger security, stronger security techniques, such as one-time passwords, have been introduced. One of the most significant problems in securing distributed systems is...

IDS Implementation

The implementation of basic Cisco IOS IDS services and reporting to the syslog server is achieved in the Cisco IOS Firewall router by following these steps:

ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset

Step 2: Apply the IDS rules to each interface that requires monitoring by using the command ip audit IDS in.

IIS Directory Traversal Vulnerability

One of the most widely known targets of an application layer attack is the Microsoft Internet Information Server (IIS) directory traversal vulnerability or UNICODE attack. An attacker who exploits this vulnerability is capable of searching the directories on the server outside of the web root directory. This allows them to view files that they would normally not have access to. It also allows the attacker to exploit certain commands, such as tftp, to further exploit the host. This can all be...

Implementing Small SAFE Networks

In Chapter 13, "Designing Small SAFE Networks," you looked in detail at the small network design requirements and guidelines that are recommended to secure a small network. In this chapter, you use those design recommendations as a basis for examining the specific configuration requirements that are necessary to achieve the desired functionality for each component of a small network.

NOTE The configuration shown in this chapter highlights only the code that is required to achieve the specific...

In-Band Network Management

The term in-band network management refers to the flow of management traffic that follows the same path as normal network data. In-band managed devices support various methods and protocols that facilitate remote management of the device while using the normal data flow. The section Network Management Protocols, later in the chapter, provides more details on the protocols that provide this functionality. Because management information is flowing over the same path as data traffic, in-band...

Inside Interface Filtering

By using an ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the access-group command. You should consider using the following common ACL definitions.

Allow management access to the public services network devices:
access-list inside_access_in permit tcp host management-host-IP host PS-device-IP eq 22

Allow internal user access to public services such as web and FTP services:
access-list inside_access_in permit tcp...

Internal Threats

Internal threats typically come from disgruntled former or current employees. Internal threats can be structured or unstructured in nature. Structured internal threats represent an extreme danger to enterprise networks because the attacker already has access to the network. Their efforts often focus on elevating their privilege level from that of a user to that of an administrator. Although internal threats may seem more ominous than threats from external sources, security measures are...

Internal Traffic Filtering

By using an inbound ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the command ip access-group 120 in. You should consider using the following common access list definitions.

Allow ssh management access to the public services network devices:
access-list 120 permit tcp host management-host-IP host PS-device-IP eq 22

Allow internal user access to the public services, such as web and FTP services:
access-list 120...

Intrusion Detection for Critical Resources and Subnets

Intrusion detection has emerged as one of the critical network technologies that are necessary to properly secure a network. The following are the two general categories of IDSs, which are discussed in the next sections:

A HIDS is software that is installed and runs on end systems such as servers, desktops, and laptops. The function of a HIDS is to provide a last line of defense if the NIDS misses an attack, which can occur if either the NIDS's signature database is out of date or the attacker...

IP Spoofing Attacks

IP spoofing mitigation can be provided at the egress of the ISP router through the use of RFC 1918 and RFC 2827 filtering. The implementation of these filters is described in the sections that follow. RFC 1918 filtering prevents source address spoofing of the private address ranges, as shown in the following sample configuration:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list...

ISP Traffic Filtering

By using an inbound ACL, you can filter traffic that is arriving from the ISP router. This filtering is applied to the public services interface by using the command ip access-group 140 in. You should consider using the following common ACL definitions.

Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.
access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip...
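The RFC 1918 and RFC 2827 entries quoted in the IP Spoofing Attacks and ISP Traffic Filtering sections are easy to get wrong because Cisco wildcard masks are the inverse of subnet masks and because the first matching entry wins. The following evaluator is an added example, not code from the book or from Cisco: it parses extended ACL lines in the shape shown above (protocol ip, with any, host, or network/wildcard address specs) and evaluates constructed packets against them. The ACL text, the 198.51.100.0/24 block used as the site's own prefix for an RFC 2827 entry, and every packet address are constructed for this example; port qualifiers such as eq 22 are ignored by the parser.

```python
"""Cisco-style extended ACL evaluator for the anti-spoofing lines quoted above.

Added example (not the book's or Cisco's code). Parses lines of the form
  access-list <n> <permit|deny> ip <src-spec> <dst-spec>
where a spec is "any", "host A.B.C.D", or "A.B.C.D <wildcard>", and applies
them first-match-wins with the implicit deny that ends every Cisco ACL.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

OWN_PREFIX = "198.51.100.0 0.0.0.255"  # constructed: the site's own public block

# Constructed ACL mirroring the RFC 1918 entries in the text, plus one RFC 2827
# entry (packets arriving from the ISP must not claim our own prefix as their
# source) and an explicit permit so the implicit deny does not hide results.
SAMPLE_ACL = f"""
access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip 192.168.0.0 0.0.255.255 any
access-list 140 deny ip {OWN_PREFIX} any
access-list 140 permit ip any any
"""


class AclEntry(NamedTuple):
    action: str    # "permit" or "deny"
    proto: str     # only "ip" appears in the quoted lines
    src_net: int
    src_wild: int  # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


ANY = (0, 0xFFFFFFFF)  # "any" is shorthand for 0.0.0.0 255.255.255.255


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec at tokens[i]; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":  # "host A.B.C.D" is the same as "A.B.C.D 0.0.0.0"
        return (_to_int(tokens[i + 1]), 0), i + 2
    return (_to_int(tokens[i]), _to_int(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse ACL lines in order; trailing port qualifiers (eq 22, ...) are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, proto = tokens[2], tokens[3]
        (snet, swild), i = _parse_addr(tokens, 4)
        (dnet, dwild), _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, proto, snet, swild, dnet, dwild))
    return entries


def _matches(addr: int, net: int, wild: int) -> bool:
    """Wildcard comparison: only the bits that are 0 in the mask must agree."""
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (net & care)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for e in acl:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


# Constructed packets as seen inbound on the ISP-facing interface, with the
# result the text leads us to expect for each.
EXPECTED: Dict[Tuple[str, str], str] = {
    ("10.1.2.3", "198.51.100.10"): "deny",        # private source: spoofed
    ("172.31.255.1", "198.51.100.10"): "deny",    # last address inside 172.16/12
    ("172.32.0.1", "198.51.100.10"): "permit",    # one past 172.16/12: public space
    ("192.168.1.1", "198.51.100.10"): "deny",
    ("198.51.100.7", "198.51.100.10"): "deny",    # our own prefix arriving from outside
    ("203.0.113.5", "198.51.100.10"): "permit",   # ordinary Internet source
}


def evaluate_samples() -> Dict[Tuple[str, str], str]:
    """Run every constructed packet through the sample ACL."""
    acl = parse_acl(SAMPLE_ACL)
    return {pkt: evaluate(acl, *pkt) for pkt in EXPECTED}


if __name__ == "__main__":
    for (src, dst), action in evaluate_samples().items():
        print(f"{src:>14} -> {dst:<14} {action}")
```

The 172.31.255.1 / 172.32.0.1 pair is the case worth checking by hand: the 0.15.255.255 wildcard covers exactly 172.16.0.0 through 172.31.255.255, so a mask typed as 0.0.255.255 would leave most of that block unfiltered. Running a production ACL's text through a checker like this before applying it is a cheap way to catch that class of mistake.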

Key Campus Module Devices

There are significant differences between the Campus module design for the small network and that for the medium-sized network, summarized in Table 4-2. The key devices in the small network Campus module are the Layer 2 switches. In the medium-sized network, there are several key devices, including Layer 2 and Layer 3 switches and an IDS. The functions of these devices along with management hosts are described in the following sections.

Table 4-2 Key Devices in the Campus Module ...

Key Devices for Remote User Networks

Each of the options presented in Table 17-2 can use a variety of key devices within each model of the remote-user network design. These devices are described in Table 17-3. Provides connectivity to the broadband network. Provides connectivity between local network devices. This can be a standalone device or integrated within the VPN hardware device. Provides local network protection through stateful filtering of traffic. Provides secure VPNs via IPSec tunnels between the headend and local site....

Man-in-the-Middle Attacks

Man-in-the-middle attacks cover situations in which the attacker is able to intercept packets that are crossing a network, modify or falsify the information in those packets, and then reinject the modified packets into the network. These attacks can be used to capture sensitive information, hijack ongoing sessions, create DoS occurrences, corrupt transmitted data, or introduce new, typically false, information into network sessions. An example of a man-in-the-middle attack is shown in Figure...

Mitigating Denial of Service Attacks

Defeating DoS attacks or distributed DoS (DDoS) attacks (described in Chapter 6) begins by identifying the weak points in the network architecture where DoS attacks may have an advantage. Typically, weak points are located at the edge router. If an attacker launches a DDoS attack that is meant to consume the available network bandwidth, stopping the attack at the edge router does little good. Stopping a large DDoS attack requires coordination with the upstream ISP. DoS attack defense involves...

Mitigating Man-in-the-Middle Attacks

Man-in-the-middle attacks can be mitigated effectively only through cryptography. If communication is encrypted, the attacker can capture only the cipher text. If, however, the attacker can determine or capture the session key, man-in-the-middle attacks become possible. A man-in-the-middle attack against an encrypted session can succeed only if attackers can insert themselves into the key-exchange process. Before an encrypted session can be set up, both parties must agree on a session key that...

Mitigating Port Redirection Attacks

Mitigating port redirection requires the use of good trust models. Trust models can be implemented by proper access restrictions between hosts. As long as there is an implicit trust between hosts that is based on IP addresses, the problem of port redirection will not be solved. A HIDS can be used to detect and possibly prevent an attacker who is trying to install port redirection software, such as HTTPtunnel or NetCat, for use in a port redirection attack.

Guarding Against Virus and...

Mitigating Rudimentary Network Attacks

Chapters 6 and 7 covered various attacks that may be launched against a network. This chapter covers the mitigation of the attacks described in Chapter 6, "Classifying Rudimentary Network Attacks": reconnaissance, unauthorized access, denial of service (DoS), application layer, and trust exploitation attacks. The mitigation techniques discussed in this chapter are based on network security best common practices (BCPs) and on SAFE concepts. Although both this chapter and Chapter 9, Mitigating...

Mitigating Threats in Remote User Networks

Table 17-4 presents the threats that can be anticipated for the remote-user network design model and summarizes the mitigation techniques for each anticipated threat.

Figure 17-1 Remote-User Design Model

Table 17-4 Remote-User Network Threats and Threat Mitigation
Mitigated by using RFC 1918 and RFC 2827 filtering at the ISP edge and remote-site...

Mitigating Threats in the Campus Module

Within the small network Campus module, each device plays a threat-mitigation role, as shown in Figure 13-5. Table 13-6 lists the expected threats and mitigation actions found within this module.

Figure 13-5 Small Network Campus Module Threat-Mitigation Roles

Table 13-6 Campus Module Threats and Threat Mitigation
Operating systems, devices, and applications are kept up to date with the latest security fixes and are protected by HIDSs. A...

Mitigating Threats in the Corporate Internet Module

The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. Table 13-3 shows the anticipated threats and mitigation actions expected on this segment.

Table 13-3 Corporate Internet Module Threats and Threat Mitigation
Mitigated through HIDSs on the public servers Limited through the use of CAR* at ISP edge and TCP setup...

N

Network Infrastructure (AVVID), 187 network intrusion detection system (NIDS). See NIDS (network intrusion detection system) network management, 139 in-band network management, 139 out-of-band network management, 139-140 policies, 73 protocols, 140-141 control protocols, 143-144 file-management protocols, 144 logging protocols, 143 monitoring protocols, 143-144 remote-access protocols, 141-143 reporting protocols, 143 time-synchronization protocols, 145 traffic attacks, mitigating, 140 network...

Exams Required for Certification

Successful completion of a group of exams is required to achieve the CCSP certification. The exams generally match the topics covered in the official Cisco courses. Table I-1 summarizes CCSP exam-to-course mappings. CCSP certifications are valid for three years, like the CCNP and the CCDP. Recertification is required to keep the certification valid for every three-year period after that. Introduction to Cisco Networking Technologies (INTRO) and Interconnecting Cisco Network Devices (ICND)...

Network Intrusion Detection System Overview

An in-depth look at the implementation of a NIDS is beyond the scope of this book. Furthermore, the configuration that is required to implement any NIDS depends on the system to be used. Within the medium-sized network design, NIDS appliances are used within the following:

Inside PIX Firewall segment

Figure 16-1 shows the deployment of these NIDS sensors within the medium-sized network. A NIDS works by using dedicated, hardened devices known as sensors, which analyze all network traffic that is...

How to Use This Book to Pass the Exam

One way to use this book is to read it from cover to cover. Although that may be helpful to many people, it also may not be very time efficient, especially if you already know some of the material covered by this book. One effective method is to take the "Do I Know This Already?" quiz at the beginning of each chapter. You can determine how to proceed with the material in the chapter based on your score on the quiz. If you get a high score, you might simply review the "Foundation Summary" section of...

Network Management

Today's networks can consist of numerous different networked devices, each requiring a varying degree of management. The ability to remotely and securely manage each of these devices is crucial to any network administrator. For this reason, several network management protocols are available that help the network administrator access, monitor, log, report, and transfer information between the management console and the managed device. This management information flows bidirectionally logging and...

Network Management Protocols

Network management encompasses several different protocols that provide a wide variety of services that are used to manage a network. These services range from configuration management protocols, to monitoring and logging protocols, to time synchronization protocols. Of primary concern when selecting which protocol type to use to achieve a particular management objective is the level of security that the proposed protocol provides. Inherently, some management protocols are much more secure than...

Network Posture Visibility

Reducing the visibility of the network posture involves reducing the number of services in the public-facing segment of the network to a minimum. This means that if a web server, an SMTP server, an FTP server, and a DNS server are situated in the DMZ of the Corporate Internet module, the only inbound ports open at the edge router are for web, e-mail, FTP, and DNS to those servers. All other ports are blocked with an access control list (ACL). If other hosts exist in the DMZ but access from the...

Networks Are Targets

Network attacks are the most difficult to defend against because they typically take advantage of an intrinsic property of the network itself. This category of attacks includes Layer 2 attacks, distributed denial of service (DDoS) attacks, and network sniffers. The Layer 2 attacks can be mitigated through the use of the best practices previously listed in the sections "Routers Are Targets" and "Switches Are Targets." The impact of sniffing can be mitigated through the implementation of a switched...

Nondistributed Denial of Service Attacks

DoS attacks against specific services such as web, FTP, or Telnet services are typically accomplished by acquiring and keeping open all available connections to the service. This approach exploits weaknesses in network architecture and network protocols rather than introducing a software bug. Another method commonly used in DoS attacks is an attack that causes the service to terminate, for example, through a buffer overflow against the BIND named process. DoS attacks include such notables as...

Other Certifications

Cisco has a wide variety of certifications beyond the CCSP. These certifications are outlined in Table I-2. For additional information regarding any Cisco certification, consult the website at Cisco.com and click Learning & Events > Career Certifications and Paths.

Table I-2 Additional Cisco Certifications
Demonstrates a basic level of knowledge of networking and Cisco device configuration Demonstrates a basic level of knowledge in the design and implementation of networks using...

Out-of-Band Network Management

Out-of-band network management refers to the flow of management traffic that does not follow the same path as normal network data. Normally, a parallel network or communications path is used for management purposes in this case. This path either directly interfaces to a dedicated network port on the device needing to be managed or terminates on a device, such as a terminal server, which then provides a direct connection to the networked device's console port. Generally, out-of-band management is...

Outside Interface Filtering

By using an ACL, you can filter traffic that is entering from the outside (Internet) interface. This filtering is applied to the outside interface by using the access-group command. You should consider the following common ACL definitions.

Allow access to the services that are available on the public services segment:
access-list outside_access_in permit tcp any host public-NAT-IP eq ftp
access-list outside_access_in permit tcp any host public-NAT-IP eq www
access-list outside_access_in permit...

Password Testing

Password testing involves the periodic attempt by administrators to crack account passwords. This is done by taking the password file and running it through a password-testing program such as LC4 (formerly known as L0phtCrack 4), Crack, or John the Ripper. These programs can apply case changes (change capital letters to lowercase) and add nonalphanumeric characters to a list of known passwords. Although these tools may be seen as falling within the realm of the black hat community, they serve...

Protecting Against Unauthorized Access

Mitigating unauthorized access is one of the easier mitigation techniques. Because an attacker must be able to access a port to gain unauthorized access to the system, the simple solution is to deny access to that port. For example, for an attacker to gain access to a system, she may need to Telnet to that system. By blocking Telnet access to systems at the router for DMZ systems and the firewall, you can prevent the attacker from reaching the Telnet port on the protected systems. Mitigation of...

Public Services Segment Filtering

By using an ACL, you can filter traffic that is entering from the public services interface. This filtering is applied to the public services interface by using the access-group command. You should consider using the following common ACL definitions.

Allow mail services between the public and internal mail servers:
access-list ps_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp

Allow echo replies from the internal network:
access-list ps_access_in permit icmp...

Public Services Traffic Filtering

Using an ACL, traffic that is entering from the DMZ interface can be filtered. This filtering is applied to the DMZ interface by using the access-group command. You should consider the following common ACL definitions.

Allow mail services between the public and internal mail servers:
access-list dmz_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp

Allow echo replies from the internal network:
access-list dmz_access_in permit icmp public-services-network...

Public Traffic Filtering

You can use an inbound ACL to filter traffic that is entering from the public (Internet) interface. This filtering is applied to the public interface by using the command ip access-group 140 in. You should consider the following common ACL definitions.

If required, allow traffic from remote sites:
access-list 140 permit ip remote-site-A-network internal-network
access-list 140 permit ip remote-site-B-network internal-network

Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely,...

Public VLAN Traffic Filtering

By using an inbound ACL, you can filter traffic that is entering from the public VLAN interface. This filtering is applied to the public VLAN interface by using the command ip access-group 120 in. You should consider using the following common ACL definitions.

Allow management access to the edge router:
access-list 120 permit tcp host management-host-NAT-IP host public-VLAN-IP

Allow other public VLAN devices to use the edge router as a time server:
access-list 120 permit udp public-VLAN-network...

Q&A

As mentioned in the introduction, "All About the Cisco Certified Security Professional Certification," you have two choices for review questions. The questions that follow give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A. For more practice...

R

Reconnaissance attacks, 89-90 remote access, medium-sized network design, 244 configuration, 287-288 design guidelines, 290-292 Cisco VPN clients, 292 remote-site firewalls, 290-291 remote-site routers, 291 VPN hardware clients, 291-292 devices, 288-289 threat mitigation, 288, 290 remote-access policies, 74 remote-access protocols, network management protocols, 141-143 remote-access segment filtering, PIX firewall, medium-sized networks, 271 remote-access VPN clients (remote-user networks), 288...

Recommended Training for CCSP

The recommended training path for the CCSP certification is as follows:

Securing Cisco IOS Networks (SECUR): Covers router security, AAA, basic threat mitigation, Cisco IOS Firewall CBAC, authentication proxy, and IDS implementation, as well as configuring IPSec on Cisco IOS routers.

Cisco Secure VPN (CSVPN): Covers VPNs and IPSec technologies, configuring the Cisco VPN 3000 concentrator and the Cisco VPN 3002 hardware client, and configuring the Cisco VPN 3000 concentrator for LAN-to-LAN IPSec...