About the Author

Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader...

About the Technical Reviewers

Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie...

Access Layer

The first recommendation, and one of the most important, is that you enable two VLANs at the access layer: one VLAN for data traffic and another VLAN for voice traffic. The voice VLAN in the Catalyst switches that are running Catalyst Operating System (CatOS) is also known as an Auxiliary VLAN. Figure 9-4 illustrates this recommendation.

Figure 9-4 Access Layer and VLAN Assignment

In Figure 9-4, several IP phones are connected to two Cisco Catalyst 3750 switches. User workstations are then...

Adequate Incident Handling Policies and Procedures

The steps you take when reacting to security incidents depend on the type of threat you are mitigating. For example, if you are mitigating a distributed denial-of-service (DDoS) attack, you will probably not take the same steps as when reacting to a theft of information where the attacker does not make that much noise on the network. However, when reacting to any security incident, time is one of the most critical factors. It is extremely important to have well-defined incident handling...

Anomaly Detection Systems

IDS and IPS provide excellent application layer attack-detection capabilities. However, they do have a weakness: they cannot detect DDoS attacks using valid packets. IDS and IPS devices are optimized for signature-based application layer attack detection. Most of them do not provide day-zero protection.

NOTE: Although some IPS devices do offer anomaly-based capabilities, which are required to detect such attacks, they require extensive manual tuning by experts and do not identify the specific...

Anomaly Detection Within Cisco IPS Devices

When you configure a Cisco IPS device running Versions 6.x and later with anomaly detection services, the IPS device initially goes through a learning process. This is done to configure a set of policy thresholds based on the normal behavior of your network. Three different modes of operation take place when an IPS device is configured with anomaly detection. The initial learning mode is performed over a period of 24 hours, by default. The initial baseline is referred to as the knowledge base...

Anomaly Detection Zones

The Cisco Detector XT and the Cisco Guard XT allow you to configure zones to categorize and define anomaly detection policies for more granularity and customization. The following are examples of zones you can configure within the Cisco traffic anomaly detectors:

- Collections of servers or clients
- Collections of routers or other network access devices
- Network links, subnets, or entire networks
- Single users or whole companies

NOTE: The following site provides step-by-step instructions on how to...

Arbor Peakflow SP and Peakflow X

Arbor Peakflow SP (for service providers) and Peakflow X (for enterprises) are excellent tools that allow you to obtain network visibility. Based on information collected from routers, such as interface statistics and NetFlow, Peakflow SP and Peakflow X can show you details of the traffic traversing your network.

NOTE: For more information about these tools, go to http://www.arbor.net. Arbor has excellent white papers about anomaly detection and combating day-zero threats at

Authentication and Authorization of Wireless Users

The 802.11 standard supports different types of authentication. The two most generic types are open and shared-key authentication. In most wireless networks, a service set ID (SSID) is specified to identify the wireless network. The basic mechanisms of 802.11 augment the identification by using SSIDs with authentication mechanisms that prevent the client from sending data to and receiving data from the access point unless the client has the correct shared key. One of the most basic wireless...

Authentication, Authorization, and Accounting (AAA) and Identity Management

AAA offers different solutions that provide access control to network resources. This section introduces AAA and identity management concepts. Authentication is the process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates. Authentication is widely used in many different applications, from a user attempting to log in to the network, web server, and wireless access point to an administrator logging in to a...

Blocking Instant Messaging

The security administrator is now tasked by his management to come up with a solution to prevent internal users from using Yahoo and MSN instant messaging (IM) programs. The solution is to configure the Cisco ASA to block this traffic and log it. The security administrator completes the following steps to achieve this goal.

Step 1 The first step is to configure an inspect map on the Cisco ASA. To do this, navigate to Configuration > Firewall > Objects > Inspect Maps > Instant Messaging...

Building an Action Plan

After you have collected all necessary information and documented the different lessons learned, you should build a comprehensive action plan to address any deficiencies in processes, policies, or technology. Some underlying causes may remain unknown at the time of the initial post-incident meetings; however, you can capture these causes as open action items to be closed when you have completed your final research. Prioritize the gaps identified to make sure that you address the most critical...

Building Strong Security Policies

What good does a firewall, IPS sensor, encryption device, or your favorite security product and tool do if you do not have guidelines, policies, and best practices on how to effectively configure and use them? Building strong security policies is crucial for any organization. These policies should be strong, yet realistically flexible to accommodate ever-changing requirements. Policies communicate not only a standard but also an agreement on what should be the best practice for a specific...


Case Study of a Small Business

This section uses Company-A as an example. Company-A is a small web development company based in Raleigh, North Carolina. Its office in Raleigh hosts 35 employees. The user population is composed of sales, marketing, finance personnel, and several web developers. Figure 12-1 illustrates the network architecture and topology of the Raleigh office of Company-A. The Raleigh office has a simple network architecture. Client workstations are connected to an access switch and then connected to the...

Cisco Guard Active Verification

The Cisco Guard provides multiple layers of defense to identify and block all types of attacks with extreme accuracy. It has integrated dynamic filtering capabilities and active verification technologies. These capabilities and technologies are implemented through the use of a patented Multiverification Process (MVP) architecture, which can process suspicious flows by applying numerous levels of analysis. The MVP enables malicious packets to be identified and removed, while allowing legitimate...

Cisco IOS Role-Based CLI Access (CLI Views)

You can consider the Cisco IOS router Role-Based CLI Access feature a form of virtualization. This feature, otherwise known as CLI Views, allows you to define a virtual set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS exec and configuration mode commands. A view is a framework of policies that defines which commands are accepted and which configuration information is visible to the user based on his role.

NOTE: The following site...

Cisco NetFlow in the Data Center

Cisco NetFlow provides network traffic visibility that can help in identifying and classifying potential DDoS attempts and other security threats. In addition, it provides valuable information about application usage that can be beneficial for network planning and traffic engineering. You can enable NetFlow in data center infrastructure devices, such as your distribution switches or routers. A new version of NetFlow called Flexible NetFlow is now available on Cisco IOS routers starting with IOS...

Cisco Network Analysis Module (NAM)

The Cisco Network Analysis Module (NAM) is designed to analyze and monitor traffic in the Catalyst 6500 series switches and Cisco 7600 series Internet routers. It uses remote monitoring (RMON), RMON extensions for switched networks (SMON), and SNMP MIBs to obtain information from the device. The NAM can also collect and analyze NetFlow information on remote devices. To use the NAM to collect NetFlow data from a remote device, you must configure the remote device to export NDE packets to UDP...

Cisco Secure Device Manager (SDM)

SDM is an intuitive web-based tool designed for configuring LAN, WAN, and security features on a router. SDM includes a feature called Security Audit that is used to verify your existing router configuration and make sure that it includes the recommended security mechanisms suited for most environments. The SDM Security Audit is based on the Cisco IOS AutoSecure feature.

NOTE: SDM does not support all AutoSecure features. For a complete list of the functions that Security Audit checks for, and...

Cisco Security Agent (CSA)

CSA provides several more robust security features than a traditional antivirus or a personal firewall solution. The rich security features of CSA include:

- Protection against buffer overflow attacks
- Distributed host firewall features
- Malicious mobile code protection
- Operating system integrity assurance
- Extensive audit and logging capabilities
- Protection against file modification or deletion

The CSA solution has two major components:

- Cisco Security Agent Management Center (CSA-MC): The management...

Cisco Security Monitoring, Analysis, and Response System (CS-MARS)

CS-MARS enables you to identify, classify, validate, and mitigate security threats. In the previous sections in this chapter, you learned different mechanisms that give you visibility of the network and its devices, such as NetFlow, SYSLOGs, and SNMP. The analysis and manipulation of the data provided by these features can be a time-consuming process and, in some environments, may even be impossible because of the staff requirements. CS-MARS supports the correlation of events from numerous...

Collected Incident Data

The postmortem is one of the most important parts of incident response and is also the part that is most often omitted. As mentioned in the previous chapter, documenting events that occurred during the previous phases (identification, classification, traceback, and reaction) is important to effectively create a good postmortem following a security incident. The collection of this data is important because it can be used for future improvement in the process, policies, and device configuration....

Common Vulnerability Scoring System

The National Infrastructure Advisory Council (NIAC) commissioned the development of CVSS as a combined effort by many industry leaders, including Cisco. The CVSS standard is now maintained by the Forum for Incident Response and Security Teams (FIRST). For more information about FIRST, go to http://www.first.org. CVSS metrics are divided into three major components. Cisco has an online tool where you can calculate your CVSS score at

Configuration Logger and Configuration Rollback

The Cisco IOS configuration logger logs all changes that are manually entered at the command-line prompt. In addition, it can notify registered clients about any changes to the log.

NOTE: The contents of the configuration log are stored in the run-time memory; the contents of the log are not persisted after reboots. The Configuration Logger Persistency feature allows you to keep the configuration commands entered by users after reloads. You can enable the Configuration Logger Persistency feature...

Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution

This section describes how to configure the wireless LAN controller (WLC), the Cisco Secure Services Client (CSSC), and Cisco Secure Access Control Server (ACS) to perform 802.1x authentication using EAP-FAST. Figure 8-8 illustrates the topology used in this configuration example.

Figure 8-8 Configuring 802.1x with EAP-FAST on the Cisco Unified Wireless Solution

Figure 8-8 shows a workstation with the CSSC connecting to a Cisco wireless access point (with IP address 172.18.85.123) in a lightweight...

Configuring AAA on the Infrastructure Devices

The network administrator configures authentication, authorization, and accounting (AAA) for administrative access to all routers within the network. The network administrator uses command authorization to enforce which commands users can invoke and execute in the routers. Example 12-11 shows an AAA configuration template used for all routers within the organization.

Example 12-11 AAA Configuration on Routers

    aaa authentication login default group tacacs+ local
    tacacs-server host 172.18.85.181...

Configuring Agent Kits

As previously mentioned, CSA-MC comes with preconfigured agent kits that can be used to fulfill initial security needs. However, CSA-MC allows you to create custom agent kits to fit your specific requirements. For example, you can create different agent kits for the various servers within your data center. To create a new agent kit, complete the following steps:

Step 1 Choose Systems > Agent Kits from the CSA-MC console.
Step 2 Click New at the bottom of the page displayed. A dialog box...

Configuring Basic Network Address Translation (NAT)

The router administrator needs to configure basic NAT for internal users to access the Internet. The following steps are completed to enable basic NAT on the Cisco IOS router.

Step 1 Log in to the router using SDM.
Step 2 Navigate to Configure > NAT and click Basic NAT, as illustrated in Figure 12-34.
Step 3 Click the Launch the selected task button to start the NAT Configuration Wizard.
Step 4 The NAT Configuration Wizard welcome screen appears. Click Next.
Step 5 The screen shown in Figure...

Configuring Identity NAT for Inside Users

The inside users must be able to communicate with the DMZ servers. The goal is to configure identity NAT for inside users when communicating with the DMZ servers. Complete the following steps to configure identity NAT for inside users.

Step 1 Navigate to Configuration > Firewall > NAT Rules and click Add, as illustrated in Figure 12-13.

Figure 12-13 Configuring Identity NAT for the Inside Network on the DMZ

Step 2 Under the...

Configuring IDS/IPS Sensors in the WLC

You can configure IDS/IPS using the WLC web management console or through the CLI. This section demonstrates how to use the web management console to add IDS/IPS sensors.

Step 1 Connect the Cisco IPS device to the same switch where the WLC resides.
Step 2 Mirror the WLC ports that carry the wireless client traffic to the Cisco IPS device. You do this because the Cisco IPS device must receive a copy of every packet to be inspected on the wireless network. The Cisco IPS device provides a...

Configuring the CSSC

This section shows how to configure the CSSC to authenticate to the wireless network using EAP-FAST. Complete the following steps to configure the CSSC.

Step 1 Launch the CSSC and click Create Network.
Step 2 The Network Profile screen shown in Figure 8-18 is displayed. Under Network Configuration Summary and Authentication, click Modify.

Figure 8-18 CSSC Network Profile Screen

Step 3 The Network Authentication screen shown in Figure 8-19 is displayed. Turn on authentication by clicking the...

Contents

Foreword
Introduction
Part I Introduction to Network Security Solutions
  Chapter 1 Overview of Network Security Technologies
    Network Address Translation (NAT)
    Stateful Firewalls
    Deep Packet Inspection
    Demilitarized Zones
    Personal Firewalls
    Virtual Private Networks (VPN)
      Technical Overview of IPsec
        Phase 1
        Phase 2
      SSL VPNs
    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
      Pattern Matching
      Protocol Analysis
      Heuristic-Based...

Control Resource Exhaustion

Today, a growing number of DDoS attacks are being designed to specifically target key infrastructure devices. These types of attacks typically try to consume CPU resources, input queues, and memory. Worms and viruses that are generally designed to target end hosts generate large volumes of traffic that quite often exhaust most of the resources available in infrastructure equipment. You can implement several best practices by controlling the utilization of the limited resources in a device...


CPU Protection

Attackers already know that targeting CPUs and network processors can affect more than just one server within an organization. Worms and DDoS attacks can bring network infrastructure devices to their knees, costing thousands of dollars. Attackers typically follow two strategies when targeting a CPU. The first tactic that attackers employ is generating large volumes of traffic to the CPU or network processor, because CPUs always have a finite capacity for processing packets. All processors have a limit...

Creating a Computer Security Incident Response Team (CSIRT)

It is unfortunate when large Fortune 500 companies do not have a Computer Security Incident Response Team (CSIRT). On some occasions, their CSIRT consists of one part-time employee. This is why it is extremely important to have management support when creating CSIRTs. It is difficult and problematic to create a CSIRT without management approval and support. Also, the support needed goes beyond budget and money. It includes executives, managers, and their staffs committing time to participate in...

CSA Architecture

In the CSA solution architecture, a central management center maintains a database of policies and information about the workstations and servers on which the CSA software is installed. Agents register with the Cisco Security Agent Management Center (CSA-MC). Subsequently, the CSA-MC checks its configuration database and deploys a configured policy for that particular system.

NOTE: Starting with CSA Version 5.1, the CSA-MC is a standalone system. Prior to Version 5.1, CSA-MC was part of the...

Data Center Security

Data centers comprise some of the most critical assets within any organization. Typically, applications, databases, and management servers reside in the data center. For this reason, it is extremely important to have the appropriate defense mechanisms in place to protect the data center against security threats. Attacks against data center assets can result in lost business applications and the theft of confidential information. This chapter covers several best practices and recommendations...

Data Center Segmentation and Tiered Access Control

By isolating different types of servers and services, you can use segmentation and tiered access control in your data center to provide a multilayered architecture while adding security. The easiest way to segment your data center is to configure different Layer 2 domains or VLANs. In addition, you can use firewalls for policy enforcement between each segment. By using private VLANs, you can also use segmentation that is local to the VLAN. This helps in preventing a compromised or infected...

Deploying IPsec Remote Access VPN

Company-C deploys a cluster of Cisco ASAs to provide IPsec remote access VPN services. Figure 12-59 illustrates the topology listing the Cisco ASAs and their corresponding IP addresses.

Figure 12-59 Remote Access VPN Cisco ASAs

    First ASA:  Management IP 10.250.30.1, Outside 209.165.202.129, Inside 10.250.10.1
    Second ASA: Management IP 10.250.30.2, Outside 209.165.202.130, Inside 10.250.10.2

The following are the...

Distribution Layer

At the distribution layer, you can apply enforcement mechanisms (such as ACLs) based on your security policies for the IP telephony-enabled network. For example, you can configure Layer 3 ACLs so that they do not allow traffic from the nonvoice VLANs to access the voice gateway and voice applications in the network. Typically, voice application servers (such as Cisco Unified CallManager and Cisco Unity) are protected by firewalls in the distribution layer of the data center. On the other hand,...

Embedded Device Managers

In small environments, you can use embedded device managers to configure and manage network access devices such as routers, switches, firewalls, IPS devices, and others. Numerous Cisco devices come with an embedded device manager. Examples include the following:

- Cisco Adaptive Security Device Manager (ASDM): Manages Cisco PIX and Cisco Adaptive Security Appliance (ASA) security appliances
- Cisco IPS Device Manager (IDM): Manages Cisco IPS sensors, in addition to Advanced Inspection and Prevention...

Figure 1-3 PAT

    Before PAT: Source Address 192.168.1.100, Source Port 1024, Destination Address 209.165.200.230, Destination Port 80
    After PAT:  Source Address 209.165.200.226, Source Port 1234, Destination Address 209.165.200.230, Destination Port 80

Stateful inspection firewalls track every connection passing through their interfaces by examining not only the packet header contents but also the application layer information within the payload. This is done to find out more about the transaction than just the source and destination...


How This Book Is Organized

Part I of this book includes Chapter 1, which covers an introduction to security technologies and products. In Part II, which encompasses Chapters 2 through 7, you will learn the six-step methodology of incident readiness and response. Part III includes Chapters 8 through 11, which cover strategies used to protect wireless networks, IP telephony implementations, data centers, and IPv6 networks. Real-life case studies are covered in Part IV, which contains Chapter 12. The following is a...

Identifying and Classifying Security Threats

Worms and denial of service (DoS) attacks are used maliciously to consume the resources of your hosts and network that would otherwise be used to serve legitimate users. In some cases, misconfigured hosts and servers can send traffic that consumes network resources unnecessarily. Having the necessary tools and mechanisms to identify and classify security threats and anomalies in the network is crucial. This chapter presents several best practices and methodologies you can use to successfully...

Incident Response Collaborative Teams

Several virtual teams and collaborative efforts exist between large corporations and government organizations to exchange incident information and intelligence. The Cisco Critical Infrastructure Assurance Group (CIAG) has formed two groups that provide guidance and exchange ideas and information with many other large organizations. These groups are the Information Sharing and Analysis Centers (ISAC) and the Cisco Incident Response Communication Arena (CIRCA). CIRCA, specifically, exchanges...

Infrastructure Protection Access Control Lists (iACLs)

Using iACLs is a technique that was developed by ISPs; however, it is now a common practice among enterprises and other organizations. Employing iACLs involves the use of ACLs that prevent direct attacks on infrastructure devices. You configure these ACLs to specifically allow only authorized traffic to the infrastructure equipment while still allowing transit traffic. Cisco recommends that you configure iACLs in four different sections or modules:

1. On the Internet edge, deny packets from illegal...

Instrumentation and Management

Instrumentation and management is also an important category within the SAVE framework. You should always implement protocols and mechanisms that achieve the management of every network device. Having good instrumentation and management mechanisms in place not only allows you to provision configurations to your network devices, but it also helps you to maintain control of your environment. Some examples of management and instrumentation tools are as follows:

- Cisco Security Manager (CSM)...

Interactive Access Control

You have already learned that you can access network devices via several interactive methods such as Telnet, rlogin, SSH, local asynchronous connections, and even modem connections for out-of-band access. On Cisco IOS devices, these interactive access methods use two basic types of lines (or sessions). The first type is the standard lines used by console and dialup modem connections. Connections of this first type are known as TTYs. TTY stands for Text Telephone. The Y has a historical value...

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

This section includes an overview of intrusion detection systems (IDS) and intrusion prevention systems (IPS). IDSs are devices that detect (in promiscuous mode) attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information. They also detect distributed denial of service (DDoS) attacks, worms, and virus outbreaks. IPS devices are capable of detecting all these security threats; however, they are also able to drop...

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)

In earlier chapters, you learned the difference between IDS and IPS devices. IDS and IPS appliances and modules are usually placed in the data center distribution layer not only to alert an administrator when a security threat has been detected, but also to take action and protect the data center assets. In small environments, one or more IDS/IPS appliances (such as the Cisco 4200 sensors) can be placed in the data center. The Cisco Catalyst 6500 IDS/IPS module (IDSM) is used in larger...

IP Source Routing

IP source routing enables a device to control the route that the datagram will take toward its destination. This feature is rarely used because it is not practical in environments today. Attackers can take advantage of older IP implementations that do not process source-routed packets properly and may be able to crash machines running these implementations by sending altered packets with source routing options. It is recommended that you disable IP source routing whenever possible with the no...

IPsec and IPv6

IPv6 headers have no security mechanisms themselves, just as in IPv4. Administrators rely on the IPsec protocol suite for security. The same security risks for man-in-the-middle attacks in Internet Key Exchange (IKE) in IPv4 are present in IPv6. Most people recommend using IKE main mode negotiations when the use of preshared keys is required. On the other hand, IKE Version 2 (IKEv2) is expected to address this issue in the future. IKEv2 supports different peer...

IPv6 Security

Internet Protocol Version 6 (IPv6) is often called the next generation protocol and is designed to replace the widely deployed Internet Protocol Version 4 (IPv4). Despite that, IPv6 has only been implemented in a few places, but it is expected to grow over time. For example, Microsoft Windows Vista includes support for IPv6. IPv6 enables easier support and maintenance of service provider networks than previous versions. The large address space improves the usage of online support systems and...

Isolation and Virtualization

The fifth pillar in the SAVE framework addresses network isolation and virtualization. Several isolation and virtualization techniques and tools are available, including the following:

- Cisco IOS Role-Based CLI Access (CLI Views)
- Network device virtualization
- Segmentation with firewalls
- Segmentation with VRF/VRF-Lite

These techniques and tools are illustrated in Figure 7-11.

Figure 7-11 Examples of Isolation and Virtualization Techniques and Tools

Laws and Computer Crimes

In most cases, United States and international laws might affect or impact the incident response process. If you want to prosecute an attacker, you might merely have to contact local authorities. In some cases, however, you will need to contact the Federal Bureau of Investigation or equivalent organizations in other countries, especially when dealing with attacks that involve international boundaries. International and inter-jurisdictional cooperation is difficult. What is illegal in one...

Log Files

After a security incident, you can use log files to obtain clues on what happened. However, logs are useful only if they are actually read. Even in small networks, logs from servers, networking devices, end-host machines, and other systems can be large, and their analysis may be tedious and time consuming. That is why it is important to use event correlation systems and other tools to better analyze and study log entries. You can use robust systems such as CS-MARS or even simple tools and...

Main Mode

In main mode, the IPsec peers complete a six-packet exchange in three round-trips to negotiate the ISAKMP SA, whereas aggressive mode completes the SA negotiation in three packet exchanges. Main mode provides identity protection if preshared keys are used. Aggressive mode only provides identity protection if digital certificates are used.

NOTE: Cisco products that support IPsec typically use main mode for site-to-site tunnels and aggressive mode for remote-access VPN tunnels. This is the default...

NAC Appliance Configuration

It is recommended that you configure the CAS in the Real-IP gateway mode for wireless network deployments. When the CAS is configured in the Real-IP gateway mode, it handles all routing between the unprotected and protected networks. In this example, the untrusted (unprotected) interface resides in the 10.10.10.0/24 subnet, and the trusted (protected) interface resides in the 192.168.40.0/24 subnet. Complete the following steps to configure the NAC Appliance solution to protect the corporate...

NAC Framework

NAC Framework is a Cisco-led industry initiative to provide posture validation using embedded software in Cisco network access devices (NAD) such as routers, switches, VPN concentrators, Cisco ASA, wireless access points, and others. Many vendors are part of the Cisco NAC program. These Cisco partners include antivirus software vendors, remediation and patch management companies, identity software manufacturers, and others. NOTE To obtain the latest list of NAC program vendor partners, go to...

Network Admission Control

In Chapter 1, Overview of Network Security Technologies, you learned the concepts of Network Admission Control (NAC) and the differences between the appliance-based approach and the architecture-based framework solution. The architecture-based framework solution is intended to use a collection of both Cisco networking and security technologies, as well as existing deployments of security and management solutions from other vendors. This section includes several best practices when implementing...

Network Admission Control NAC in Wireless Networks

Network Admission Control (NAC) was initially designed as two separate solutions: the NAC Framework and the NAC Appliance (formerly known as Cisco Clean Access). The most commonly deployed NAC solution for wireless networks is the NAC Appliance. This section covers how to integrate the Cisco NAC Appliance into the Cisco Unified Wireless solution. As mentioned in previous chapters, the NAC Appliance has three major components. In the example illustrated in Figure 8-26, the CAS is configured inline and...

Network Visibility

The first step in the process of preparing your network and staff to successfully identify security threats is achieving complete network visibility. You cannot protect against or mitigate what you cannot see or detect. You can achieve this level of network visibility through existing features on network devices you already have, including devices whose potential you may not even realize. In addition, you should create strategic network diagrams to clearly illustrate your packet flows and where,...

Open Source Monitoring Tools

You can use several open source monitoring tools in conjunction with NetFlow. If your organization is small, or if you do not have the budget for more sophisticated monitoring tools, you can take advantage of any of these freely available open source tools. Table 3-1 includes the most commonly used open source monitoring tools.
Table 3-1 Open Source Monitoring Tools
- My Netflow Reporting System by Dynamic Networks
Most of these tools are designed...

Overview of Cisco Unified Wireless Network Architecture

The Cisco Unified Wireless Architecture is a multiservice solution designed for any type of organization. It can be deployed in your corporate offices, branches, retail stores, hospitals, manufacturing plants, warehouses, educational institutions, financial institutions, government agencies, and any other type of organization that needs wireless connectivity. Industry standards including the IEEE 802.11 and the draft IETF Control and Provisioning of Wireless Access Points (CAPWAP) are...

Overview of Network Security Technologies

Technology can be considered your best friend. Nowadays, you can do almost everything over networked systems or the Internet, from simple tasks, such as booking a flight reservation, to a multibillion dollar wire transfer between two large financial organizations. You cannot take security for granted: an attacker can steal credit card information from your online travel reservation or launch a denial of service (DoS) attack to disrupt a wire transfer. It is extremely important to learn new...

Penetration Testing

Penetration testing is often referred to as ethical hacking. Using this procedure, a trusted third party or a security engineer of an organization attempts to compromise or break into the network and its devices by scanning, simulating live attacks, and exploiting vulnerable machines to measure the overall security posture. Penetration testing techniques are of three common types. In the black-box technique, the tester has no prior knowledge of the network of the organization. Typically, the...

Policy Enforcement

An entire book could be devoted to a discussion of policy enforcement. Also, you must design the enforcement of security policies according to your organization's goals. Therefore, this section cannot fully cover policy enforcement or provide recommendations specific to your own business organization. It can, however, outline some common strategies that you can use when configuring network infrastructure devices to make sure that access to the areas of your network and its devices is granted only...

Postmortem

The CSIRT creates a postmortem including the following information:
- Total amount of labor spent working on the incident
- Elapsed time from the beginning of the incident to its resolution
- Elapsed time for each stage of the incident-handling process
- Time it took the incident response team to respond to the initial report of the incident
- Estimated monetary damage from the incident
The lessons learned section in the postmortem is documented, including all items that will improve the incident response...

Precise Location Tracking

The Cisco Wireless Location Appliance uses RF fingerprinting technology to track mobile devices to within a few meters. This allows you to gain visibility into the location of people and assets. In addition, RF fingerprinting technology enables you to respond to security issues and thereby gain insight into the location and movement of people and assets, as well as locating rogue wireless access points. The Cisco Wireless Location Appliance supports two location tracking options On-demand...

Private VLANs

Private VLANs can be used to achieve Layer 2 isolation of hosts within a VLAN. Some people use private VLANs in their data center to isolate servers in case they are compromised or infected. However, private VLANs do not provide perfect isolation, because they operate only at Layer 2. For example, a host on an isolated port can send a packet whose destination IP address is another isolated host but whose destination MAC address is that of the router (or other Layer 3 device) attached to a promiscuous port; the router simply routes the packet back into the VLAN, and the attacker has hopped from one system to another. The usual countermeasure is an ACL on the Layer 3 device that denies traffic sourced from the private VLAN subnet and destined to that same subnet. This type of attack and others are explained extensively in the whitepaper at

Protecting Cisco Personal Assistant

This section covers the most common best practices to harden the Cisco Personal Assistant. The recommendations to increase the security of the Cisco Personal Assistant server can be summarized into two major areas NOTE The Cisco Personal Assistant operating environment is made up of several third-party products. You should follow the security guidelines documented by each of these third-party product vendors. This chapter covers several general guidelines on securing the Cisco Personal...

Protecting Cisco Unity Express

As mentioned previously in this chapter, Cisco Unity Express is a Linux-based application that runs on Cisco IOS Software routers with either an NM or an AIM. No external interfaces exist on the Cisco Unity Express hardware. In reality, a physical Fast Ethernet interface does exist; however, it is disabled in software. All traffic to the Cisco Unity Express hardware must pass through the router. You can also access Cisco Unity Express via the router command-line interface (CLI) using...

Protecting the IP Telephony Infrastructure

The first step in IP telephony security is to make sure that you apply the best practices learned in previous chapters to protect the infrastructure as a whole. As previously mentioned, all the infrastructure components are networking devices deployed within your organization, such as Figure 9-1 illustrates a common IP telephony deployment in a medium-to-large enterprise. In Figure 9-1, several infrastructure components are depicted within a headquarters main office topology, which demonstrates...

Role-Based Command-Line Interface (CLI) Access in Cisco IOS

Role-based command-line interface (CLI) access is often referred to as CLI views. This is a feature introduced in Cisco IOS Software Release 12.3(7)T. The purpose of this feature is to explicitly control the commands that are accepted and the configuration information that is visible to different groups of users depending on their role. For instance, certain users from your network operations group could have limited access to EXEC and configuration commands and no access to security...

Scheduler Allocate Interval

You can use the scheduler interval command to control the CPU time spent on processes versus interrupts. This is helpful when you are under attack or during a worm outbreak: when the router is handling thousands of packets per second at interrupt level, console or Telnet/SSH access may be so slow that it is almost impossible to do anything. In the following example, process-level tasks will be handled no less frequently than every 500 milliseconds.
myrouter(config)# scheduler interval 500
In newer platforms, the...

Segmentation with VLANs

You can achieve network segmentation and isolation in many ways. The use of VLANs is one of the most commonly used methods because of its simplicity and ease of deployment. Figure 7-13 illustrates how you can isolate and segment different types of devices just by using VLANs.
Figure 7-13 Segmentation Using VLANs (VLANs shown: Web Servers, Database Servers, LDAP Servers, Management)
In Figure 7-13, a set of web, database,...

Segmentation with VRF/VRF-Lite

You can also use Multiprotocol Label Switching (MPLS) VPN routing and forwarding (VRF) or the MPLS VRF-Lite feature on Cisco IOS routers for network segmentation purposes. This concept is illustrated in Figure 7-15.
Figure 7-14 Segmentation Using VLANs and Firewalls for Policy Enforcement
Figure 7-15 Segmentation Using VRF and VRF-Lite
The main challenge of implementing VRFs and VRF-Lite is that most enterprises do not run MPLS within their...

Syslog

System logs, or SYSLOG, provide you with information for monitoring and troubleshooting devices within your infrastructure. In addition, they give you excellent visibility into what is happening within your network. You can enable SYSLOG on network devices such as routers, switches, firewalls, VPN devices, and others. This section covers how to enable SYSLOG on routers, switches, the Cisco ASA, and Cisco PIX security appliances.
Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches
The...
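The Log Files and Syslog sections both come down to the same point: the messages are only useful if something actually reads and correlates them. The following is an added example, not code from the book or from Cisco. It parses the documented Cisco IOS message layout (an optional <PRI> value, an optional sequence number, a timestamp, then %FACILITY-SEVERITY-MNEMONIC: text) and correlates failed logins with ACL denies. The log lines are constructed for the demonstration, not captured from a real device, and the three-failure threshold is an assumption.

```python
"""Parse Cisco IOS syslog messages and correlate them across sources.

Added example for the Log Files and Syslog sections; it is not code from the
book or from Cisco. The message layout (%FACILITY-SEVERITY-MNEMONIC: text,
optionally preceded by a <PRI> value and a sequence number) is the documented
Cisco IOS format. The log lines below are constructed for the demonstration,
not captured from a real device.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a config change, three failed SSH logins from one
# Internet address, one good login, a link flap, and an ACL deny for the same
# Internet address. PRI = facility(local7 = 23) * 8 + severity.
SAMPLE_LOGS = """\
<189>45: *Mar  1 00:10:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.7)
<188>46: *Mar  1 00:10:05.201: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 00:10:05 UTC Mon Mar 1 1993
<188>47: *Mar  1 00:10:06.337: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 00:10:06 UTC Mon Mar 1 1993
<188>48: *Mar  1 00:10:07.412: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 00:10:07 UTC Mon Mar 1 1993
<189>49: *Mar  1 00:10:09.800: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.7] [localport: 22] at 00:10:09 UTC Mon Mar 1 1993
<189>50: *Mar  1 00:11:00.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
<190>51: *Mar  1 00:11:30.500: %SEC-6-IPACCESSLOGP: list INGRESS denied tcp 203.0.113.9(4444) -> 10.1.1.20(23), 1 packet
"""

SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"        # optional RFC 3164 PRI: facility*8 + severity
    r"(?:(?P<seq>\d+): )?"         # optional sequence number (service sequence-numbers)
    r"(?P<ts>.*?): "               # timestamp (service timestamps log datetime msec)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: ([0-9.]+)\]")


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])            # 0 = emergencies ... 7 = debugging
    ev["pri"] = int(ev["pri"]) if ev["pri"] else None
    return ev


def parse_logs(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def count_by_message(events):
    """How often each FACILITY-SEVERITY-MNEMONIC occurs; a quick first read of a log."""
    return Counter(f"{e['facility']}-{e['severity']}-{e['mnemonic']}" for e in events)


def failed_login_sources(events, threshold):
    """Return {source_ip: failures} for sources with at least `threshold` failed logins."""
    counts = Counter()
    for e in events:
        if e["facility"] == "SEC_LOGIN" and e["mnemonic"] == "LOGIN_FAILED":
            m = SOURCE_RE.search(e["text"])
            if m:
                counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def correlate_acl_denies(events, sources):
    """For each suspicious source, collect ACL log entries (IPACCESSLOGP) naming it."""
    hits = defaultdict(list)
    for e in events:
        if e["mnemonic"] == "IPACCESSLOGP":
            for ip in sources:
                if f"{ip}(" in e["text"]:
                    hits[ip].append(e["text"])
    return dict(hits)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(count_by_message(events))
    suspects = failed_login_sources(events, threshold=3)   # threshold is an assumption
    print("brute-force candidates:", suspects)
    print("ACL denies for the same sources:", correlate_acl_denies(events, suspects))
```

The PRI value is what a collector such as CS-MARS or a syslog daemon uses to route messages; the facility/severity/mnemonic triplet inside the message is what makes IOS logs easy to count and filter once parsed, and the correlation step shows why one failed-login line is noise but the same source appearing in both SEC_LOGIN and ACL-deny messages is worth a look.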

T

In Real-IP mode, the CAS acts as a Layer 3 router. In this example, the CAS trusted and untrusted interfaces are in different subnets. The trusted subnet is 10.10.10.0/24, and the untrusted subnet is 192.168.10.0/24. In Real-IP mode, DHCP clients usually point to the CAS to obtain their IP addresses and other DHCP information. It is a best practice to assign each DHCP client an address with a 30-bit (/30) mask, so that every client sits in its own subnet with the CAS as its gateway and cannot reach other clients directly at Layer 2. This enables you to isolate machines that may be infected with a virus and block them from infecting...

Telemetry and Anomaly Detection

Anomaly detection systems passively monitor network traffic, looking for any deviation from normal (baseline) behavior that may indicate a security threat or a misconfiguration. You can use several commercial tools and even open source tools to successfully identify security threats within your network. These tools include the following:
- Cisco Security Monitoring, Analysis and Response System (CS-MARS)
- Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances
- Cisco IPS sensors...
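NetFlow is the telemetry both the Open Source Monitoring Tools section and this section build on, so the following added example (not code from the book, from Cisco, or from any tool in Table 3-1) parses Cisco's published NetFlow v5 export format and then applies the baseline idea described above: a source whose fan-out (distinct destinations per export interval) jumps well above its baseline, or that emits many single-packet SYN-only flows, is flagged. The flows, the baseline, the 3x factor, and the ten-target SYN threshold are all constructed for the demonstration.

```python
"""NetFlow v5 parsing plus a baseline check for anomalous fan-out.

Added example for the Open Source Monitoring Tools and Telemetry and Anomaly
Detection sections; it is not code from the book, from Cisco, or from any of
the tools in Table 3-1. The header and record layout are Cisco's published
NetFlow v5 export format. The flows, the baseline, and the thresholds are
constructed for the demonstration.
"""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
TCP = 6
TCP_SYN = 0x02


def build_v5_datagram(flows, sys_uptime=1000, unix_secs=1_700_000_000, seq=0):
    """Pack (src, dst, sport, dport, proto, tcp_flags, pkts, octets) tuples as a v5 export.

    Only a test-data builder: a real router would export these over UDP."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2,                                  # input/output SNMP ifIndex
                       pkts, octets,
                       sys_uptime - 500, sys_uptime - 400,    # first/last seen (sysuptime ms)
                       sport, dport, 0, flags, proto, 0,      # pad, tcp_flags, prot, tos
                       0, 0, 24, 24, 0)                        # src/dst AS, masks, pad
        for src, dst, sport, dport, proto, flags, pkts, octets in flows)
    return header + body


def parse_v5_datagram(data):
    """Unpack a NetFlow v5 datagram into flow dicts, validating version and length."""
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "in_if": r[3], "out_if": r[4], "pkts": r[5], "octets": r[6],
                      "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return flows


def fan_out(flows):
    """Distinct destination count per source address."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in seen.items()}


def detect_anomalies(flows, baseline, factor=3.0, syn_only_min=10):
    """Flag sources whose fan-out deviates from baseline, or that show SYN-only fan-out.

    baseline maps source -> typical distinct destinations per export interval
    (learned from history in a real deployment; constructed here). Sources
    without a baseline are compared against the median of known sources."""
    known = sorted(baseline.values())
    default = known[len(known) // 2] if known else 1
    alerts = {}
    for src, n in fan_out(flows).items():
        expected = baseline.get(src, default)
        if n > factor * expected:
            alerts[src] = f"fan-out {n} exceeds {factor}x baseline {expected}"
    syn_only = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["tcp_flags"] == TCP_SYN and f["pkts"] == 1:
            syn_only[f["src"]].add(f["dst"])          # one SYN, nothing else: scan-like
    for src, dsts in syn_only.items():
        if len(dsts) >= syn_only_min:
            alerts.setdefault(src, f"{len(dsts)} single-packet SYN-only flows (scan-like)")
    return alerts


# Constructed traffic: a normal workstation and one host sweeping SSH across a /24.
NORMAL = [("10.1.1.7", "10.1.2.10", 51000, 443, TCP, 0x1B, 40, 30000),
          ("10.1.1.7", "10.1.2.11", 51001, 443, TCP, 0x1B, 12, 9000),
          ("10.1.1.7", "10.1.2.25", 51002, 53, 17, 0, 2, 300)]
SCAN = [("203.0.113.9", f"10.1.1.{h}", 40000 + h, 22, TCP, TCP_SYN, 1, 60) for h in range(1, 26)]
BASELINE = {"10.1.1.7": 4, "10.1.1.8": 6}


def demo():
    flows = parse_v5_datagram(build_v5_datagram(NORMAL + SCAN))
    return detect_anomalies(flows, BASELINE)


if __name__ == "__main__":
    for src, why in demo().items():
        print(f"ALERT {src}: {why}")
```

Two design points worth noting: the length check in parse_v5_datagram rejects truncated or padded exports rather than silently reading garbage, and the two rules are deliberately independent, because a slow sweep that stays under the fan-out factor is still caught by the SYN-only rule, while a noisy but legitimate host (a backup server, a DNS resolver) needs a per-source baseline rather than a global threshold to avoid false positives.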

The Importance of Tuning

Chapter 1 showed you the important factors to consider when tuning your IPS/IDS devices. Each IPS/IDS device comes with a preset number of signatures enabled. These signatures are suitable in most cases; however, it is important that you tune your IPS/IDS devices when you first deploy them and then tune them again periodically. Otherwise, you could receive numerous false positive events (false alarms), which could cause you to overlook real security incidents. The initial tuning will probably take more...

Threat Modeling

The primary goal of any threat modeling technique is to provide a formal process for identifying, documenting, and mitigating security threats. This process has a large impact on any organization because it is essentially a methodology for understanding how attacks can take place and how they will affect the network, systems, and users. Organizations have adopted several threat modeling techniques. For example, Microsoft uses the DREAD model. The DREAD acronym defines five key areas In the...

Time-to-Live (TTL) Security Check

TTL Security Check is a security feature implemented in BGP. It helps protect BGP peers from multihop attacks: because a peer is a known number of hops away and sends with a TTL of 255, a packet that arrives with a TTL lower than expected cannot have come from that peer and is dropped before BGP processes it. This feature is based on the Generalized TTL Security Mechanism (GTSM) defined in RFC 3682 (since superseded by RFC 5082) and applies only to external BGP (eBGP). NOTE Several organizations are working to implement this feature for other routing protocols, such as OSPF and EIGRP. You can configure a minimum acceptable TTL value for the packets exchanged between two eBGP peers when you use the TTL Security Check...
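The check itself is small but easy to get backwards, so here it is carried through on real packet bytes as an added example (not Cisco code). For a peer configured with hop count N, the router accepts a BGP packet only if the received IPv4 TTL is at least 255 - N; a spoofed packet from an attacker several hops away arrives with a TTL that has been decremented too many times. The peer table (the equivalent of per-neighbor ttl-security hops values), the addresses, and the packets are constructed; checksums are left at zero because they play no part in the check.

```python
"""TTL Security Check (GTSM) for eBGP packets, as an added example.

Not Cisco code. It implements the check the feature performs on receipt: for a
peer configured with hop count N, a packet is accepted only if its IPv4 TTL is
at least 255 - N, because a GTSM-enabled peer sends with TTL 255 and every
router in the path decrements it. The peer table and packets are constructed.
"""
import socket
import struct

BGP_PORT = 179
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20 bytes, no options

# Constructed equivalent of `neighbor <ip> ttl-security hops <n>` for each eBGP peer.
PEERS = {"192.0.2.2": 1,        # directly connected
         "198.51.100.7": 2}     # one router in between


def build_ipv4_tcp(src, dst, ttl, sport, dport, flags=0x02):
    """Minimal IPv4+TCP header with zero checksums; enough for the TTL and port checks."""
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + TCP_HDR.size, 0, 0, ttl, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return src, dst, ttl, proto and, for TCP, the ports, from raw packet bytes."""
    vihl, _, _, _, _, ttl, proto, _, src, dst = IPV4_HDR.unpack_from(pkt, 0)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    if proto == 6:
        ihl = (vihl & 0x0F) * 4                       # honour IP options if present
        hdr["sport"], hdr["dport"] = struct.unpack_from("!HH", pkt, ihl)
    return hdr


def gtsm_check(pkt, peers=PEERS):
    """Return (accept, reason) for a received packet.

    Only BGP packets from peers with TTL security configured are subject to the
    check; everything else is left to the normal ACLs and BGP neighbor checks."""
    h = parse_ipv4_tcp(pkt)
    if h["proto"] != 6 or BGP_PORT not in (h["sport"], h["dport"]):
        return True, "not BGP: TTL security does not apply"
    hops = peers.get(h["src"])
    if hops is None:
        return True, "no ttl-security configured for this source"
    min_ttl = 255 - hops
    if h["ttl"] < min_ttl:
        return False, f"TTL {h['ttl']} < {min_ttl}: sender is farther than {hops} hop(s) or spoofing"
    return True, f"TTL {h['ttl']} >= {min_ttl}"


if __name__ == "__main__":
    # An attacker five hops away spoofs the directly connected peer: TTL arrives as 250.
    for label, pkt in [("real peer", build_ipv4_tcp("192.0.2.2", "192.0.2.1", 254, 40000, BGP_PORT)),
                       ("spoofed", build_ipv4_tcp("192.0.2.2", "192.0.2.1", 250, 40000, BGP_PORT))]:
        print(label, gtsm_check(pkt))
```

The caveat the model makes visible: the protection depends on the hop count being set to the real distance. Configuring a generous value "to be safe" widens the window an attacker can fall into, and the feature does nothing for a peer that does not itself send with TTL 255, which is why it must be enabled on both sides of the session.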

Unicast Reverse Path Forwarding (Unicast RPF)

Unicast Reverse Path Forwarding (Unicast RPF) is a feature that can replace, or complement, ACL-based RFC 2827 ingress filtering. Unicast RPF is configured and enabled on a per-interface basis. The main purpose of Unicast RPF is to verify that every packet received on an interface has a source address that is reachable via that same interface according to the routing table. The router drops all packets that do not comply. NOTE You must turn on Cisco Express Forwarding (CEF) for Unicast RPF to work, because the check is performed against the CEF forwarding table (FIB). Two Unicast...
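The per-packet decision is easier to reason about against a concrete forwarding table, so the following added example (not Cisco code) models it. Strict mode accepts a packet only if the best route to its source points back out the ingress interface (any of the equal-cost paths counts); loose mode only requires that some non-Null0 route to the source exists, which is what makes it usable on asymmetric Internet edges but also why it does not stop a spoofed internal address arriving from outside. As on Cisco IOS, a source matched only by the default route fails unless allow-default is set. The FIB entries, interface names, and packets are constructed.

```python
"""Unicast RPF strict and loose mode, modelled against a small FIB.

Added example; not Cisco code. It reproduces the decision the router makes
per packet: strict mode needs the best route to the source address to point
back out the ingress interface (any of the equal-cost paths counts), loose
mode needs only that a route exists and is not a Null0 route. Matching only
the default route fails unless allow-default is set, as on Cisco IOS. The FIB
and the packets are constructed.
"""
import ipaddress

# Constructed FIB entries: (prefix, egress interface). Two entries with the same
# prefix are equal-cost paths; "Null0" entries are black holes (bogons / RTBH).
FIB = [
    ("0.0.0.0/0", "Gi0/0"),        # default route toward the Internet
    ("10.1.0.0/16", "Gi0/1"),      # campus
    ("10.1.5.0/24", "Gi0/2"),      # data center, two equal-cost paths
    ("10.1.5.0/24", "Gi0/3"),
    ("10.0.0.0/8", "Null0"),       # everything else in 10/8 is not ours: drop
]


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, {interfaces}) or None."""
    ip = ipaddress.ip_address(addr)
    best, ifaces = None, set()
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best, ifaces = net, {iface}
        elif net.prefixlen == best.prefixlen:
            ifaces.add(iface)                       # equal-cost path
    return (best, ifaces) if best is not None else None


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return (accept, reason) for a packet with source `src` arriving on `ingress`."""
    route = lookup(fib, src)
    if route is None:
        return False, "no route to source"
    net, ifaces = route
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route matches the source (allow-default not set)"
    if ifaces == {"Null0"}:
        return False, f"source matches Null0 route {net}"
    if mode == "strict" and ingress not in ifaces:
        return False, f"best route via {sorted(ifaces)}, packet arrived on {ingress}"
    return True, f"{mode}: {net} via {sorted(ifaces)}"


if __name__ == "__main__":
    cases = [("10.1.5.9", "Gi0/3", "strict"),      # legitimate, second ECMP path
             ("10.1.5.9", "Gi0/0", "strict"),      # internal address from the Internet: spoofed
             ("10.1.5.9", "Gi0/0", "loose"),       # loose mode lets the same packet through
             ("10.9.9.9", "Gi0/0", "loose"),       # Null0 catches the bogon even in loose mode
             ("198.51.100.4", "Gi0/0", "strict")]  # only the default route: needs allow-default
    for src, ingress, mode in cases:
        print(src, ingress, mode, urpf_check(FIB, src, ingress, mode))
```

The third and fourth cases are the practical lesson: loose mode on the Internet-facing interface does not stop someone outside from sourcing packets with your own internal addresses, but combined with Null0 routes for unallocated space it still drops bogons and supports remotely triggered black holing, while strict mode belongs on interfaces with symmetric routing such as access and data center edges.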

Uploading and Configuring IDS/IPS Signatures

Several signatures come with the WLC by default. You can view the standard signatures by navigating to Security > Wireless Protection Policies and then clicking Standard Signatures. This is illustrated in Figure 8-25. You can also upload a signature file from the WLC to customize the signatures. To do this, navigate to Commands > Upload File > Signature File. To download the modified signature file, navigate to Commands > Download File > Signature File. After you download (or push)...

Visualization Techniques

This section includes a few examples of how you can create topology maps and other diagrams to visualize your network resources and apply SAVE. These diagrams give you the basic idea so that you can then customize the diagrams to fit your organizational needs. You can create circular diagrams like the one illustrated in Figure 7-17. Typically, these types of diagrams include resources that surround a critical system or area of the network you want to protect. In Figure 7-17, a cluster of...

Warning and Disclaimer

This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs...

Wireless Intrusion Prevention System Integration

You can integrate Cisco IPS sensors with the Cisco Unified Wireless Solution. This includes the Cisco IPS sensors, the Cisco Adaptive Security Appliance (ASA) Advanced Inspection and Prevention Security Services Module (AIP-SSM), the Catalyst 6500 Intrusion Detection/Prevention Services Module Version 2 (IDSM-2), and the IPS modules for Cisco IOS routers. When you integrate IPS with the Cisco Unified Wireless Solution, the WLC talks to the Cisco IPS sensor via its management port using the...

WLC Configuration

This section includes the steps necessary to configure the WLC for the NAC Appliance solution to work. Complete the following steps to configure the WLC. Step 1 As a best practice, it is recommended that you configure separate VLANs for guest and internal users. To do this, you need to configure two new pseudointerfaces. Log in to the WLC, navigate to Controller > Interfaces, and click New to add a new interface. Enter the name for the new interface and the VLAN you want to assign. This is...

On Wireless Networks

In Chapter 1, Technology Overview, you learned the basics of 802.1X. As a refresher, 802.1X is a standard that defines the encapsulation for transporting the Extensible Authentication Protocol (EAP) over a LAN (EAP over LAN, or EAPOL). NOTE EAP was originally defined in RFC 2284, which has been obsoleted by RFC 3748. The 802.1X standard allows you to enforce access control when wired and wireless devices attempt to access the network. Figure 8-5 illustrates the main components of 802.1X. Figure 8-5...

Configuring the Cisco Secure ACS Server for 802.1X and EAP-FAST

Complete the following steps to configure the Cisco Secure ACS server for 802.1X authentication using the EAP-FAST method. You first add the WLC as an AAA client on the Cisco Secure ACS server. To add the WLC as an AAA client on Cisco Secure ACS, click the Network Configuration button. You can create a network device group to maintain a collection of AAA clients and AAA servers, or you can use the default Not Assigned network device group. In this example, the WLC is added to the Not Assigned...

Traceback in the Enterprise

The ability to track where attacks are coming from and the techniques that are used within an enterprise depend on the type of attack. If the attacks are coming from external sources, such as the Internet, the enterprises often depend on their providers to be able to track down sources of attack. Additionally, the network telemetry techniques and features discussed in Chapter 3, Identifying and Classifying Security Threats, are extremely helpful for tracking where attack traffic is being...

Configuring Active Standby Failover on the Cisco ASA

Maintaining appropriate redundancy mechanisms within infrastructure devices is extremely important for any organization. The Cisco ASA supports active-active and active-standby failover. NOTE When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active takes ownership of the IP addresses and MAC addresses of the failed unit. The unit that is now in standby state takes over the standby IP addresses and MAC addresses....

Cisco ASA Antispoofing Configuration

The Company-A security administrator wants to protect the infrastructure from spoofed sources. The administrator enables Unicast Reverse Path Forwarding (Unicast RPF) to protect against IP spoofing attacks by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. To enable Unicast RPF, navigate to Configuration > Firewall > Advanced > Anti-spoofing. Select the desired interface, and click Enable, as illustrated in...

Protecting Cisco Unified Call Manager

Server and operating system best practices apply when protecting the Cisco Unified CallManager. Just as with any other critical application, you should make major configuration changes within a maintenance window to avoid the disruption of voice services. However, some standard security policies for application servers might not be adequate for IP telephony servers. For example, on e-mail and web servers, you can easily resend an e-mail message or refresh a web page. On the other hand, voice...

Raleigh Office Cisco ASA Configuration

The following sections cover the steps necessary to complete the goals listed earlier. Configuring IP Addressing and Routing This section demonstrates how to configure the interfaces and default gateway on the Cisco ASA using the Adaptive Security Device Manager (ASDM). The following are the configuration steps Step 1 Working with a new Cisco ASA installation, the administrator logs in via the command-line interface (CLI) and sets the management interface IP address (10.10.30.1) and other...

Atlanta Office Cisco IOS Configuration

Company-A opened a small branch office in Atlanta, Georgia. This new office has only 4 salespeople and 12 web developers. The Atlanta office network topology is simple: a Cisco IOS Software router with the IOS Firewall feature set is configured to protect the internal network, as illustrated in Figure 12-20.
Figure 12-20 Atlanta Office Network Topology
The router has only two interfaces enabled. The inside interface resides on the 10.100.10.0/24...