About the Author

Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader...

About the Technical Reviewers

Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie...

Access Control Lists (ACL)

When you react to a DDoS or to a worm outbreak, one of the most important matters is how fast you can quarantine and isolate the problem. Quarantining is the process of identifying all infected machines and blocking them from the network to prevent them from infecting other systems (in case of a worm outbreak). The easiest way to quarantine or block systems is by using router and firewall access control lists (ACL) and VLAN ACLs (or VACL) on Cisco switches. VACLs allow port-level filtering on a...

Access Layer

The first recommendation, and one of the most important, is that you enable two VLANs at the access layer: one VLAN for data traffic and another VLAN for voice traffic. The voice VLAN in the Catalyst switches that are running Catalyst Operating System (CatOS) is also known as an Auxiliary VLAN. Figure 9-4 illustrates this recommendation.

Figure 9-4 Access Layer and VLAN Assignment

In Figure 9-4, several IP phones are connected to two Cisco Catalyst 3750 switches. User workstations are then...

Adequate Incident Handling Policies and Procedures

The steps you take when reacting to security incidents depend on the type of threat you are mitigating. For example, if you are mitigating a distributed denial-of-service (DDoS) attack, you will probably not take the same steps as when reacting to a theft of information where the attacker does not make that much noise on the network. However, when reacting to any security incident, time is one of the most critical factors. It is extremely important to have well-defined incident handling...

Administrative Tasks

You need to recognize the administrative tasks that are involved in maintaining all the NAC policies. Some of the most common administrative tasks include:

- Keeping the operating system (OS) policies up-to-date: Update your NAC policies in ACS every time a new OS critical patch comes out. If you fail to update, the host will be allowed onto the network without having this update installed. This can be an administrative headache. That is why it is important that you have clear procedures and the...

AES 192: 192 bits long
AES 256: 256 bits long

Hashing algorithms include these:

- Secure Hash Algorithm (SHA)
- Message Digest Algorithm 5 (MD5)

The common authentication methods are preshared keys (where the peers agree on a shared secret) and digital certificates with the use of Public Key Infrastructure (PKI).

NOTE: Typically, small and medium-sized organizations use preshared keys as their authentication mechanism. Several large organizations use digital certificates for scalability, for centralized management, and for...

Anomaly Detection Systems

IDS and IPS provide excellent application layer attack-detection capabilities. However, they do have a weakness: they cannot detect DDoS attacks that use valid packets. IDS and IPS devices are optimized for signature-based application layer attack detection. Most of them do not provide day-zero protection.

NOTE: Although some IPS devices do offer anomaly-based capabilities, which are required to detect such attacks, they require extensive manual tuning by experts and do not identify the specific...

Anomaly Detection Within Cisco IPS Devices

When you configure a Cisco IPS device running Version 6.x and later with anomaly detection services, the IPS device initially goes through a learning process. This is done to configure a set of policy thresholds based on the normal behavior of your network. Three different modes of operation take place when an IPS device is configured with anomaly detection:

- The initial learning mode is performed over a period of 24 hours, by default. The initial baseline is referred to as the knowledge base...

Anomaly Detection Zones

The Cisco Detector XT and the Cisco Guard XT allow you to configure zones to categorize and define anomaly detection policies for more granularity and customization. The following are examples of zones you can configure within the Cisco traffic anomaly detectors:

- Collections of servers or clients
- Collections of routers or other network access devices
- Network links, subnets, or entire networks
- Single users or whole companies

NOTE: The following site provides step-by-step instructions on how to...

Anomaly-Based Analysis

A different practice keeps track of network traffic that diverges from normal behavioral patterns. This practice is called anomaly-based analysis. You must define what is considered to be normal behavior. Systems and applications whose behavior can be easily considered normal could be classified as heuristic-based systems. However, sometimes it is challenging to classify a specific behavior as normal or abnormal based on different factors. These factors include negotiated protocols and ports,...

Arbor Peakflow SP and Peakflow X

Arbor Peakflow SP (for service providers) and Peakflow X (for enterprises) are excellent tools that allow you to obtain network visibility. Based on information collected from routers, such as interface statistics and NetFlow, Peakflow SP and Peakflow X can show you details of the traffic traversing throughout your network.

NOTE: For more information about these tools, go to http://www.arbor.net. Arbor has excellent white papers about anomaly detection and combating day-zero threats at

Authentication

Authentication is now available on most routing protocols. You can configure routing devices with a predefined shared secret key that is used to validate each routing update. Most routing protocols support two types of neighbor authentication: plaintext and MD5. With plaintext authentication, a secret key is included inside each routing update message. This does not provide much security because an attacker can easily read keys. MD5 authentication works by processing each routing update with an...

Authentication and Authorization of Wireless Users

The 802.11 standard supports different types of authentication. The two most generic types are open and shared-key authentication. In most wireless networks, a service set ID (SSID) is specified to identify the wireless network. The basic mechanisms of 802.11 augment the identification by using SSIDs with authentication mechanisms that prevent the client from sending data to and receiving data from the access point unless the client has the correct shared key. One of the most basic wireless...

Authentication, Authorization, and Accounting (AAA) and Identity Management

AAA offers different solutions that provide access control to network resources. This section introduces AAA and identity management concepts. Authentication is the process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates. Authentication is widely used in many different applications, from a user attempting to log in to the network, web server, and wireless access point to an administrator logging in to a...

Base Metrics

Seven categories are used to calculate a base score. These categories are the most elementary qualities of a specific vulnerability.

1. Access vector: Measures whether a vulnerability is exploitable locally, remotely, or both.
2. Access complexity: Appraises the complexity and level of effort required to exploit a specific vulnerability.
3. Authentication: Determines whether an attacker must be authenticated to exploit the vulnerability.
4. Confidentiality impact: Gauges the impact on confidentiality...

Blocking Instant Messaging

The security administrator is now tasked by his management to come up with a solution to prevent internal users from using Yahoo and MSN instant messaging (IM) programs. The solution is to configure the Cisco ASA to block this traffic and log it. The security administrator completes the following steps to achieve this goal.

Step 1: The first step is to configure an inspect map on the Cisco ASA. To do this, navigate to Configuration > Firewall > Objects > Inspect Maps > Instant Messaging...

BOOTP Server

The Bootstrap Protocol (BOOTP) allows a system to configure itself at boot time by dynamically obtaining the following information:

- The IP address of the BOOTP server

BOOTP is defined in RFC 951. Cisco IOS routers can act as BOOTP servers. This service is turned on by default and is used by features such as AutoInstall. If not needed, this service should be disabled with the no ip bootp server global configuration command.

Broadcast Amplification or Smurf Attacks

Broadcast amplification attacks are typically referred to as smurf attacks. These are denial of service (DoS) attacks where the attacker sends an echo-request message with a destination address of a subnet broadcast and a spoofed source address using the host IP address of the victim. This causes all the devices on the subnet to respond to the spoofed source IP address and flood the victim with echo-reply messages. RFC 2463 prohibits IP-directed broadcasts within IPv6. In addition, it states...

Building an Action Plan

After you have collected all necessary information and documented the different lessons learned, you should build a comprehensive action plan to address any deficiencies in processes, policies, or technology. Some underlying causes may remain unknown at the time of the initial post-incident meetings; however, you can capture these causes as open action items to be closed when you have completed your final research. Prioritize the gaps identified to make sure that you address the most critical...

Building Strong Security Policies

What good does a firewall, IPS sensor, encryption device, or your favorite security product and tool do if you do not have guidelines, policies, and best practices on how to effectively configure and use them? Building strong security policies is crucial for any organization. These policies should be strong, yet realistically flexible to accommodate ever-changing requirements. Policies communicate not only a standard but also an agreement on what should be the best practice for a specific...


Case Studies

Having Defense-in-Depth mechanisms and tools in place is important to any organization regardless of its size. This chapter includes three different case studies explaining how a small (Company-A), medium (Company-B), and large enterprise (Company-C) apply the best practices learned in all previous chapters. These case studies provide you with an in-depth and objective analysis of security technologies and techniques applied in different environments. The intent is to help you identify and...

Case Study of a Small Business

This section uses Company-A as an example. Company-A is a small web development company based in Raleigh, North Carolina. Its office in Raleigh hosts 35 employees. The user population is composed of sales, marketing, finance personnel, and several web developers. Figure 12-1 illustrates the network architecture and topology of the Raleigh office of Company-A. The Raleigh office has a simple network architecture. Client workstations are connected to an access switch and then connected to the...

Cisco Discovery Protocol (CDP)

CDP is a protocol that allows you to obtain information about other devices within the network. This information can include the platform, model, software version, and IP addresses of network devices adjacent to the Cisco IOS routers.

NOTE: CDP is a Cisco proprietary Layer 2 protocol that is enabled by default.

CDP is a useful tool in the hands of an administrator, but it is a tool to be feared in the hands of an attacker. You can disable CDP globally when the service is not used or per...

Cisco Guard

The Cisco Detector and Cisco Guard provide anomaly detection and attack mitigation features. You can place them in large data centers to divert traffic directed at the target host for analysis and filtering, so that legitimate transactions can still be processed while illegitimate traffic is dropped. On the other hand, in most cases small, medium, and large enterprises place their Cisco Guard at their Internet edge or subscribe to managed services provided by service providers.

NOTE: The managed...

Cisco Guard Active Verification

The Cisco Guard provides multiple layers of defense to identify and block all types of attacks with extreme accuracy. It has integrated dynamic filtering capabilities and active verification technologies. These capabilities and technologies are implemented through the use of a patented Multiverification Process (MVP) architecture, which can process suspicious flows by applying numerous levels of analysis. The MVP enables malicious packets to be identified and removed, while allowing legitimate...

Cisco IOS Role-Based CLI Access (CLI Views)

You can consider the Cisco IOS routers Role-Based CLI Access feature a form of virtualization. This feature, otherwise known as CLI Views, allows you to define a virtual set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS exec and configuration mode commands. A view is a framework of policies that defines which commands are accepted and which configuration information is visible to the user based on his role.

NOTE: The following site...

Cisco NetFlow in the Data Center

Cisco NetFlow provides network traffic visibility that can help in identifying and classifying potential DDoS attempts and other security threats. In addition, it provides valuable information about application usage that can be beneficial for network planning and traffic engineering. You can enable NetFlow in data center infrastructure devices, such as your distribution switches or routers. A new version of NetFlow called Flexible NetFlow is now available on Cisco IOS routers starting with IOS...

Cisco Network Analysis Module (NAM)

The Cisco Network Analysis Module (NAM) is designed to analyze and monitor traffic in the Catalyst 6500 series switches and Cisco 7600 series Internet routers. It uses remote monitoring (RMON), RMON extensions for switched networks (SMON), and SNMP MIBs to obtain information from the device. The NAM can also collect and analyze NetFlow information on remote devices. To use the NAM to collect NetFlow data from a remote device, you must configure the remote device to export NDE packets to UDP...

Cisco Secure Device Manager (SDM)

SDM is an intuitive web-based tool designed for configuring LAN, WAN, and security features on a router. SDM includes a feature called Security Audit that is used to verify your existing router configuration and make sure that it includes the recommended security mechanisms suited for most environments. The SDM Security Audit is based on the Cisco IOS AutoSecure feature.

NOTE: SDM does not support all AutoSecure features. For a complete list of the functions that Security Audit checks for, and...

Cisco Security Agent (CSA)

CSA provides several more robust security features than a traditional antivirus or a personal firewall solution. The rich security features of CSA include:

- Protection against buffer overflow attacks
- Distributed host firewall features
- Malicious mobile code protection
- Operating system integrity assurance
- Extensive audit and logging capabilities
- Protection against file modification or deletion

The CSA solution has two major components:

- Cisco Security Agent Management Center (CSA-MC): The management...

Cisco Security Monitoring, Analysis, and Response System (CS-MARS)

CS-MARS enables you to identify, classify, validate, and mitigate security threats. In the previous sections in this chapter, you learned different mechanisms that give you visibility of the network and its devices, such as NetFlow, SYSLOGs, and SNMP. The analysis and manipulation of the data provided by these features can be a time-consuming process and, in some environments, may even be impossible because of the staff requirements. CS-MARS supports the correlation of events from numerous...

Collected Incident Data

The postmortem is one of the most important parts of incident response and is also the part that is most often omitted. As mentioned in the previous chapter, documenting events that occurred during the previous phases (identification, classification, traceback, and reaction) is important to effectively create a good postmortem following a security incident. The collection of this data is important because it can be used for future improvement in the process, policies, and device configuration....

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italics indicate arguments for which you supply actual values.
- Vertical bars...

Common Vulnerability Scoring System

The National Infrastructure Advisory Council (NIAC) commissioned the development of CVSS as a combined effort by many industry leaders, including Cisco. The CVSS standard is now maintained by the Forum for Incident Response and Security Teams (FIRST). For more information about FIRST, go to http://www.first.org. CVSS metrics are divided into three major components. Cisco has an online tool where you can calculate your CVSS score at

Configuration Logger and Configuration Rollback

The Cisco IOS configuration logger logs all changes that are manually entered at the command-line prompt. In addition, it can notify registered clients about any changes to the log.

NOTE: The contents of the configuration log are stored in run-time memory; the contents of the log are not persisted after reboots.

The Configuration Logger Persistency feature allows you to keep the configuration commands entered by users after reloads. You can enable the Configuration Logger Persistency feature...

Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution

This section describes how to configure the wireless LAN controller (WLC), the Cisco Secure Services Client (CSSC), and Cisco Secure Access Control Server (ACS) to perform 802.1x authentication using EAP-FAST. Figure 8-8 illustrates the topology used in this configuration example.

Figure 8-8 Configuring 802.1x with EAP-FAST on the Cisco Unified Wireless Solution

Figure 8-8 shows a workstation with the CSSC connecting to a Cisco wireless access point (with IP address 172.18.85.123) in a lightweight...

Configuring AAA on the Infrastructure Devices

The network administrator configures authentication, authorization, and accounting (AAA) for administrative access to all routers within the network. The network administrator uses command authorization to enforce which commands users can invoke and execute in the routers. Example 12-11 shows an AAA configuration template used for all routers within the organization.

Example 12-11 AAA Configuration on Routers

    aaa authentication login default group tacacs+ local
    tacacs-server host 172.18.85.181...

Configuring Agent Kits

As previously mentioned, CSA-MC comes with preconfigured agent kits that can be used to fulfill initial security needs. However, CSA-MC allows you to create custom agent kits to fit your specific requirements. For example, you can create different agent kits for the various servers within your data center. To create a new agent kit, complete the following steps:

Step 1: Choose Systems > Agent Kits from the CSA-MC console.

Step 2: Click New at the bottom of the page displayed. A dialog box...

Configuring Authentication Banners

Sometimes people overestimate the benefits of configuring authentication banners. Banners with detailed warnings often make it easier to prosecute attackers who break into your systems. In some cases, you may be forbidden to monitor the activities of unauthorized users unless you have taken steps to notify them of your intent to do so. Typically, authentication banners include the following information:

- A warning that the system you are trying to access should be used only by authorized...

Configuring Basic Network Address Translation (NAT)

The router administrator needs to configure basic NAT for internal users to access the Internet. The following steps are completed to enable basic NAT on the Cisco IOS router.

Step 1: Log in to the router using SDM.

Step 2: Navigate to Configure > NAT and click Basic NAT, as illustrated in Figure 12-34.

Step 3: Click the Launch the selected task button to start the NAT Configuration Wizard.

Step 4: The NAT Configuration Wizard welcome screen appears. Click Next.

Step 5: The screen shown in Figure...

Configuring Identity NAT for Inside Users

The inside users must be able to communicate with the DMZ servers. The goal is to configure identity NAT for inside users when communicating with the DMZ servers. Complete the following steps to configure identity NAT for inside users.

Step 1: Navigate to Configuration > Firewall > NAT Rules and click Add, as illustrated in Figure 12-13.

Figure 12-13 Configuring Identity NAT for the Inside Network on the DMZ

Step 2: Under the...

Configuring IDS/IPS Sensors in the WLC

You can configure IDS/IPS using the WLC web management console or through the CLI. This section demonstrates how to use the web management console to add IDS/IPS sensors.

Step 1: Connect the Cisco IPS device to the same switch where the WLC resides.

Step 2: Mirror the WLC ports that carry the wireless client traffic to the Cisco IPS device. You do this because the Cisco IPS device must receive a copy of every packet to be inspected on the wireless network. The Cisco IPS device provides a...

Configuring Static Routing Peers

Several routing protocols include different mechanisms that dynamically discover routing peers. Unfortunately, the same mechanisms can be easily used to insert bogus routers into the routing infrastructure. You can statically configure a list of trusted neighbors to avoid this problem. However, this technique causes controversy among administrators because, in large organizations, it can mean hundreds of configuration lines. For this reason, many prefer to use authentication mechanisms.

Configuring the CSSC

This section shows how to configure the CSSC to authenticate to the wireless network using EAP-FAST. Complete the following steps to configure the CSSC.

Step 1: Launch the CSSC and click Create Network.

Step 2: The Network Profile screen shown in Figure 8-18 is displayed. Under Network Configuration Summary and Authentication, click Modify.

Figure 8-18 CSSC Network Profile Screen

Step 3: The Network Authentication screen shown in Figure 8-19 is displayed. Turn on authentication by clicking the...

Contents

Foreword
Introduction
Part I  Introduction to Network Security Solutions
Chapter 1  Overview of Network Security Technologies
  Network Address Translation (NAT)
  Stateful Firewalls
  Deep Packet Inspection
  Demilitarized Zones
  Personal Firewalls
  Virtual Private Networks (VPN)
    Technical Overview of IPsec
      Phase 1
      Phase 2
    SSL VPNs
  Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
    Pattern Matching
    Protocol Analysis
    Heuristic-Based...

Contents at a Glance

Part I  Introduction to Network Security Solutions
Chapter 1  Overview of Network Security Technologies
Part II  Security Lifecycle Frameworks and Methodologies
Chapter 3  Identifying and Classifying Security Threats
Chapter 5  Reacting to Security Incidents
Chapter 6  Postmortem and Improvement
Chapter 7  Proactive Security Framework
Part III  Defense-In-Depth Applied
Chapter 8  Wireless Security
Chapter 9  IP Telephony Security
Chapter 10  Data Center Security

Control Resource Exhaustion

Today, a growing number of DDoS attacks are being designed to specifically target key infrastructure devices. These types of attacks typically try to consume CPU resources, input queues, and memory. Worms and viruses that are generally designed to target end hosts generate large volumes of traffic that quite often exhaust most of the resources available in infrastructure equipment. You can implement several best practices by controlling the utilization of the limited resources in a device...

Controlling Access

Next, you need to configure policies on the Cisco ASA to control access and achieve the following goals:

- The web server should be reachable from outside Internet clients over the HTTP and HTTPS protocols only.
- The e-mail server should be able to receive e-mail from external hosts over SMTP only.

Complete the following steps to configure access rules on the Cisco ASA.

Step 1: Navigate to Configuration > Firewall > Access Rules and click Add. In Figure 12-14 the Access Rule configuration is...

Controlling SNMP Access

SNMP is a network management protocol that many organizations use. Administrators use SNMP not only to manage infrastructure devices but also to manage servers and other systems within their organization. SNMP is a powerful tool, because administrators can reach numerous devices within a large network, push and download configurations, and obtain system statistics. SNMP is considered a double-edged sword by many people, because an attacker can do the same thing when SNMP is not secured...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419. For sales outside the United States, please contact International Sales.

Americas Headquarters
Asia Pacific Headquarters
Europe Headquarters...

Correlation

In previous chapters, you learned the different aspects of event correlation. For example, you learned that the more complex the network and devices deployed, the more event messages, alarms, and alerts these devices will generate. In the end, far more data is generated than anyone can easily scan, and it is located in numerous places. In this chapter, you learn the importance of event correlation for maintaining good visibility of what is happening in the network. This chapter also describes...

CPU Protection

Attackers already know that targeting CPUs and network processors can affect more than just one server within an organization. Worms and DDoS attacks can bring network infrastructure devices to their knees, costing thousands of dollars. Attackers typically follow two strategies when targeting a CPU. The first tactic that attackers employ is generating large volumes of traffic to the CPU or network processor, because CPUs always have a finite capacity for processing packets. All processors have a limit...

Creating a Computer Security Incident Response Team (CSIRT)

It is unfortunate when large Fortune 500 companies do not have a Computer Security Incident Response Team (CSIRT). On some occasions, their CSIRT consists of one part-time employee. This is why it is extremely important to have management support when creating CSIRTs. It is difficult and problematic to create a CSIRT without management approval and support. Also, the support needed goes beyond budget and money. It includes executives, managers, and their staffs committing time to participate in...

Creating a New Computer Security Incident Response Team (CSIRT)

Company-C management starts the process to create a Computer Security Incident Response Team (CSIRT). The CSIRT will comprise staff members from different departments within the organization:

- Global information technology (IT)
- Information Security (InfoSec)

TIP: In some large organizations, the CSIRT may be a full-time staff. Deciding whether the staff members should be full-time or not depends on your organizational needs and budget. What is important is to clearly identify who needs to be...

CSA Architecture

In the CSA solution architecture, a central management center maintains a database of policies and information about the workstations and servers on which the CSA software is installed. Agents register with the Cisco Security Agent Management Center (CSA-MC). Subsequently, the CSA-MC checks its configuration database and deploys a configured policy for that particular system.

NOTE: Starting with CSA Version 5.1, the CSA-MC is a standalone system. Prior to Version 5.1, CSA-MC was part of the...

Data Center Infrastructure Protection

The infrastructure protection best practices that you learned in Chapter 2, Preparation Phase, also apply in the data center. For example, you should harden control protocols as a basic security precaution on all applicable devices in the data center. In addition, you should disable unnecessary services on infrastructure components and implement device protection mechanisms, such as infrastructure access control lists (iACLs) and Control Plane Policing (CoPP). These device protection mechanisms...

Data Center Security

Data centers comprise some of the most critical assets within any organization. Typically, applications, databases, and management servers reside in the data center. For this reason, it is extremely important to have the appropriate defense mechanisms in place to protect the data center against security threats. Attacks against data center assets can result in lost business applications and the theft of confidential information. This chapter covers several best practices and recommendations...

Data Center Segmentation and Tiered Access Control

By isolating different types of servers and services, you can use segmentation and tiered access control in your data center to provide a multilayered architecture while adding security. The easiest way to segment your data center is to configure different Layer 2 domains or VLANs. In addition, you can use firewalls for policy enforcement between each segment. By using private VLANs, you can also use segmentation that is local to the VLAN. This helps in preventing a compromised or infected...

Defense-In-Depth Applied

Chapter 9  IP Telephony Security
Chapter 10  Data Center Security

This chapter covers the following topics:

- Overview of Cisco Unified Wireless Network Architecture
- Authentication and Authorization of Wireless Users
- Lightweight Access Point Protocol (LWAPP)
- Wireless Intrusion Prevention System Integration
- Management Frame Protection (MFP)
- Network Admission Control (NAC) in Wireless Networks

Deploying IPsec Remote Access VPN

Company-C deploys a cluster of Cisco ASAs to provide IPsec remote access VPN services. Figure 12-59 illustrates the topology listing the Cisco ASAs and their corresponding IP addresses.

Figure 12-59 Remote Access VPN Cisco ASAs
Management IP 10.250.30.1, Outside 209.165.202.129, Inside 10.250.10.1
Management IP 10.250.30.2, Outside 209.165.202.130, Inside 10.250.10.2

The following are the...

Deploying Network Intrusion Detection and Prevention Systems

You can use network IDS/IPS appliances in small-to-medium organizations or the Cisco IDSM-2 for the Cisco Catalyst 6500 series switches in larger organizations. The implementation of each solution depends on the size of your data center and its requirements. When designing a network IDS/IPS solution for the data center, for both scalability and manageability, you should reduce the amount of traffic that is sent to the sensor. You should also avoid sending duplicate frames to the IDS/IPS sensors...

DHCP Snooping

DHCP snooping is another technology or feature that can be considered part of identity and trust. It is a DHCP security feature that filters DHCP messages by building and maintaining a binding table. This table contains information that corresponds to the local untrusted interfaces of a switch, such as the following:
MAC address of the device connected to the switch
IP address of the device connected to the switch

NOTE The DHCP snooping table does not contain information regarding hosts interconnected with a...

Digital Certificates and PKI

Digital certificates and PKI are also technologies that are used for trust and identity. Digital certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A digital certificate makes it possible to verify a claim that someone has the right to use a given key. This verification helps to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, digital certificates provide a more complete...

Directed Broadcast

Cisco IOS software versions prior to 11.2 have IP Directed Broadcast enabled by default. You are probably not running a version of IOS this old. However, because directed broadcasts have been used for DoS attacks (that is, SMURF), it is always recommended that you keep IP Directed Broadcast disabled. If for some reason the IP Directed Broadcast feature was enabled, you can disable it with the no ip directed-broadcast interface subcommand, as shown in the following example:
myrouter(config)...

Disabling Unnecessary Services on Network Components

Infrastructure devices in some cases come with a list of services turned on by default that are considered appropriate for most network environments. However, it is always a good idea to disable unnecessary services because some services present a vulnerability that could be used maliciously to gain unauthorized access or disrupt service.

NOTE Not all environments have the same requirements but, on many occasions, disabling these unnecessary services not only enhances security but also helps...

Distribution Layer

At the distribution layer, you can apply enforcement mechanisms (such as ACLs) based on your security policies for the IP telephony-enabled network. For example, you can configure Layer 3 ACLs so that they do not allow traffic from the nonvoice VLANs to access the voice gateway and voice applications in the network. Typically, voice application servers (such as Cisco Unified CallManager and Cisco Unity) are protected by firewalls in the distribution layer of the data center. On the other hand,...

Embedded Device Managers

In small environments, you can use embedded device managers to configure and manage network access devices such as routers, switches, firewalls, IPS devices, and others. Numerous Cisco devices come with an embedded device manager. Examples include the following:
Cisco Adaptive Security Device Manager (ASDM): Manages Cisco PIX and Cisco Adaptive Security Appliance (ASA) security appliances
Cisco IPS Device Manager (IDM): Manages Cisco IPS sensors, in addition to Advanced Inspection and Prevention...

Endpoint Security

This section includes several best practices and tips that you can use when implementing techniques and tools to increase the security of your endpoints (workstations, servers, and so on). You need to perform two major tasks when you are preparing your organization to enhance endpoint security. The first is patch management and keeping the endpoint systems (servers and workstations specifically) up-to-date. The second is using security software like the Cisco Security Agent (CSA) on servers and...

End-to-End Network Security: Defense-in-Depth

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing August 2007
Library of Congress Cataloging-in-Publication Data
Santos, Omar. End-to-end...

Environmental Metrics

The environmental metrics are not scored in the Cisco Security Center website; however, you can use them to represent the impact of a vulnerability based on your specific environment. Two metrics are used to calculate this impact:
1 Collateral damage potential: The likelihood for a loss of data, physical equipment, or property damage.
2 Target distribution: The relative size of the systems susceptible to such vulnerability.
  None: When no target systems exist
  Low: Typically when the vulnerability...

Extension Headers in IPv6

In IPv6, IP options are replaced with extension headers. An attacker may use these extension headers to evade your security configuration. All devices running IPv6 must accept packets with a routing header. In some cases, it may be possible for end-host devices to also process routing headers and forward the packet somewhere else. Attackers can take advantage of this and use routing headers to evade the ACLs configured on your routers and firewalls. As a best practice, you should designate...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Figure 1-3 PAT

Before translation: Source Address 192.168.1.100, Destination Address 209.165.200.230, Source Port 1024, Destination Port 80
After translation: Source Address 209.165.200.226, Destination Address 209.165.200.230, Source Port 1234, Destination Port 80

Stateful inspection firewalls track every connection passing through their interfaces by examining not only the packet header contents but also the application layer information within the payload. This is done to find out more about the transaction than just the source and destination...

Filtering Access Control Lists (ACL)

You can configure the filters or ACLs using Layer 3 and Layer 4 information. You can configure an IPv6 ACL in a Cisco IOS router using the ipv6 access-list command. The command uses the permit and deny subcommands with the following options.

ipv6 access-list command and its subcommands:
permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]]...

Finger

The Finger protocol is used to obtain information about users logged into systems within the network. If you are running Cisco IOS Software versions prior to 12.1(5) and 12.1(5)T, Finger is on by default. Attackers can use Finger in reconnaissance attacks. Although it does not reveal much sensitive information by itself, attackers can combine such chunks of information to obtain a better understanding of your environment. Always disable Finger whenever possible. You can do this with the no service finger...

First-Step

STEP 1 First-Step: Benefit from easy-to-grasp explanations. No experience required.
STEP 2 Fundamentals: Understand the purpose, application, and management of technology.
STEP 3 Networking Technology Guides: Gain the knowledge to master the challenge of the network.

The Network Business series helps professionals tackle the business issues surrounding the network. Whether you are a seasoned IT professional or a business manager with minimal technical expertise, this series will help you understand...

Foreword

Defense-in-Depth is a phrase that is often used and equally misunderstood. This book gives an excellent overview of what this really means and, more importantly, how to apply certain principles to develop appropriate risk mitigation strategies. After you have assimilated the content of this book, you will have a solid understanding of several aspects of security. The author begins with an overview of the basics then provides comprehensive methodologies for preparing for and reacting to security...

H

See penetration testing, 46
IPv6, 332
manipulation attacks, IPv6, 333
heuristic-based analysis, 21
High Availability (NAC Appliance), 31
high-level enterprise diagrams, 101, 103
HIPAA (Health Industry Portability and Accountability Act), 156
hop-by-hop tracebacks, 142
  botnets, 145
  BGP routers, 146
  zombies, 145
HSRP (Hot Standby Router Protocol), distribution layer (IP telephony), 273-274
iACL (infrastructure Access Control Lists), infrastructure security policy enforcement, 82
IB...

Header Manipulation and Fragmentation

IPv6 is susceptible to fragmentation and other header manipulation attacks. With these types of attacks, the attacker uses fragmentation to evade network intrusion detection systems (IDS), intrusion prevention systems (IPS), and firewalls. An attacker can also use out-of-order fragments to try to avoid an IDS/IPS device that is deployed to detect attacks based on the enabled signatures on the system. RFC 2460 prohibits fragmentation of IPv6 packets by intermediary network devices. As is the...

Heuristic-Based Analysis

A different approach to network intrusion detection is to perform heuristic-based analysis. Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Its tasks are CPU and resource intensive. This is an important consideration while planning your deployment. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives. For example, a system signature can generate an alarm if a...

How This Book Is Organized

Part I of this book includes Chapter 1, which covers an introduction to security technologies and products. In Part II, which encompasses Chapters 2 through 7, you will learn the six-step methodology of incident readiness and response. Part III includes Chapters 8 through 11, which cover strategies used to protect wireless networks, IP telephony implementations, data centers, and IPv6 networks. Real-life case studies are covered in Part IV, which contains Chapter 12. The following is a...

ICMP Filtering

You may also want to filter unnecessary ICMPv6 messages, just as with ICMPv4. It is recommended that you configure your ICMPv6 filters and policies in a manner that is similar to your ICMPv4 policies, with the following additions:
ICMPv6 Type 2: Packet too big
ICMPv6 Type 4: Parameter problem
ICMPv6 Types 130-132: Multicast listener
ICMPv6 Types 133 and 134: Router solicitation and router advertisement
ICMPv6 Types 135 and 136: Neighbor solicitation and neighbor advertisement

Make sure that, if you need to...

Identifying and Classifying Security Threats

Worms and denial of service (DoS) attacks are used maliciously to consume the resources of your hosts and network that would otherwise be used to serve legitimate users. In some cases, misconfigured hosts and servers can send traffic that consumes network resources unnecessarily. Having the necessary tools and mechanisms to identify and classify security threats and anomalies in the network is crucial. This chapter presents several best practices and methodologies you can use to successfully...

Identifying, Classifying, and Tracking the Security Incident or Attack

One of the members of the CSIRT collects NetFlow data from the data center distribution switch and correlates this data with CS-MARS. He notices that most of the traffic is HTTP (TCP port 80). This traffic is originating from known sources in the sales department (floor) in the New York office and from unknown sources. The CSIRT team works with a network administrator and discovers that the unknown sources are IP addresses belonging to the Atlanta branch office network. However, this process...

Identity Management Concepts

Many identity management solutions and systems automatically manage user access privileges within an organization. Today, enterprises are under great pressure to increase security and meet regulatory and governance requirements, resulting in greater urgency to deploy identity management solutions. Role-based authentication is a key concept of identity management. It helps to answer the critical compliance question of "Who has access to what, when, how, and why?" For example, with role-based...

IDS/IPS

IDSs and IPSs also provide visibility into what is happening on the network. Most of the network IDS and IPS systems rely on signatures for detection and protection. For this reason, it is extremely important to keep signatures up-to-date and to tune the IDS/IPS devices accordingly. Cisco IPS 6.0 now supports anomaly detection capabilities that allow you to detect day-zero vulnerabilities more easily.

NOTE An introduction to network IDS and IPS systems is covered in Chapter 1. Chapter 3 teaches...

Incident Response Collaborative Teams

Several virtual teams and collaborative efforts exist between large corporations and government organizations to exchange incident information and intelligence. The Cisco Critical Infrastructure Assurance Group (CIAG) has formed two groups that provide guidance and exchange ideas and information with many other large organizations. These groups are the Information Sharing and Analysis Centers (ISAC) and the Cisco Incident Response Communication Arena (CIRCA). CIRCA, specifically, exchanges...

Infrastructure Protection

A typical network infrastructure is built with routers, switches, and other equipment that provide indispensable services designed to increase the productivity of your organization. Each day results in new security threats, including DoS attacks and worm and virus outbreaks deliberately created to directly or indirectly disrupt the services that your network infrastructure attempts to provide. That is why it is critical to understand how to protect your organizational infrastructure by using...

Infrastructure Protection Access Control Lists (iACLs)

Using iACLs is a technique that was developed by ISPs; however, it is now a common practice for enterprises and other organizations. Employing iACLs involves the use of ACLs that prevent direct attacks on infrastructure devices. You configure these ACLs to specifically allow only authorized traffic to the infrastructure equipment while still allowing transit traffic. Cisco recommends that you configure iACLs into four different sections or modules:
1 On the Internet edge, deny packets from illegal...

Instrumentation and Management

Instrumentation and management is also an important category within the SAVE framework. You should always implement protocols and mechanisms that achieve the management of every network device. Having good instrumentation and management mechanisms in place not only allows you to provision configurations to your network devices, but it also helps you to maintain control of your environment. Some examples of management and instrumentation tools are as follows: Cisco Security Manager (CSM)...

Interactive Access Control

You have already learned that you can access network devices via several interactive methods such as Telnet, rlogin, SSH, and local asynchronous, even modem connections for out-of-band access. On Cisco IOS devices, these interactive access methods have two basic types of lines (or sessions). The first type is the use of standard lines used by console and dialup modem connections. These connections are known as TTYs. TTY stands for Text Telephone. The Y has a historical value...

Internet Usage Policy

The Internet usage policy allows for reasonable use of the Internet by outlining the permitted and prohibited behaviors and defining violations. This policy should apply to all Internet users who access the Internet through the computing or networking resources. This includes permanent, full-time, and part-time employees; contract workers; temporary agency workers; business partners; and vendors. The Internet users of your organization are expected to be familiar with and to comply with this...

Intrusion Detection and Intrusion Prevention Systems (IDS/IPS)

In Chapter 1, Overview of Network Security Technologies, you learned the basics about IDS and IPS systems. IDSs are devices that, in promiscuous mode, detect malicious activity within the network. IPS devices are capable of detecting all these security threats; however, they are also able to drop noncompliant packets inline. Traditionally, IDS systems have provided excellent application layer attack-detection capabilities; however, they were not able to protect against day-zero attacks using valid...

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

This section includes an overview of intrusion detection systems (IDS) and intrusion prevention systems (IPS). IDSs are devices that detect (in promiscuous mode) attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information. They also detect distributed denial of service (DDoS) attacks, worms, and virus outbreaks. IPS devices are capable of detecting all these security threats; however, they are also able to drop...

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)

In earlier chapters, you learned the difference between IDS and IPS devices. IDS and IPS appliances and modules are usually placed in the data center distribution center not only to alert an administrator when a security threat has been detected, but also to take action and protect the data center assets. In small environments, one or more IDS/IPS appliances (such as the Cisco 4200 sensors) can be placed in the data center. The Cisco Catalyst 6500 IDS/IPS module (IDSM) is used in larger...

IP Source Guard

IP Source Guard is a Layer 2 feature that works in conjunction with DHCP snooping. When IP Source Guard is enabled, all IP traffic on the port is initially blocked, with the exception of DHCP packets that are processed by the DHCP snooping feature (if enabled). After the end host receives a valid IP address from the DHCP server, or when a user configures a static IP source binding, a Port Access Control List (PACL) is applied on the port to restrict the client IP traffic to specific source IP...

IP Source Routing

IP source routing enables a device to control the route that the datagram will take toward its destination. This feature is rarely used because it is not practical in environments today. Attackers can take advantage of older IP implementations that do not process source-routed packets properly and may be able to crash machines running these implementations by sending altered packets with source routing options. It is recommended that you disable IP source routing whenever possible with the no...

IP Telephony Security

Cisco alone has sold more than 4.5 million IP phones and 3 million Cisco Unity unified messaging licenses. The company has more than 20,000 IP Communications customers. IP telephony or Voice over IP (VoIP) deployments are growing dramatically on a daily basis. Consequently, the need to secure IP telephony networks is also growing by the minute. IP telephony security threats generally fall into one of two categories. The first category includes risks that are aimed to hijack listening or...