About the Technical Reviewers

Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie...

Access Layer

The first recommendation, and one of the most important, is that you enable two VLANs at the access layer: one VLAN for data traffic and another VLAN for voice traffic. The voice VLAN in Catalyst switches that are running Catalyst Operating System (CatOS) is also known as an Auxiliary VLAN. Figure 9-4 illustrates this recommendation.

Figure 9-4 Access Layer and VLAN Assignment

In Figure 9-4, several IP phones are connected to two Cisco Catalyst 3750 switches. User workstations are then...

Adequate Incident Handling Policies and Procedures

The steps you take when reacting to security incidents depend on the type of threat you are mitigating. For example, if you are mitigating a distributed denial-of-service (DDoS) attack, you will probably not take the same steps as when reacting to a theft of information where the attacker does not make that much noise on the network. However, when reacting to any security incident, time is one of the most critical factors. It is extremely important to have well-defined incident handling...

Anomaly Detection Systems

IDS and IPS provide excellent application layer attack-detection capabilities. However, they do have a weakness: they cannot detect DDoS attacks that use valid packets. IDS and IPS devices are optimized for signature-based application layer attack detection. Most of them do not provide day-zero protection.

NOTE: Although some IPS devices do offer anomaly-based capabilities, which are required to detect such attacks, they require extensive manual tuning by experts and do not identify the specific...

Anomaly Detection Within Cisco IPS Devices

When you configure a Cisco IPS device running Version 6.x or later with anomaly detection services, the IPS device initially goes through a learning process. This is done to build a set of policy thresholds based on the normal behavior of your network. Three different modes of operation take place when an IPS device is configured with anomaly detection. The initial learning mode runs over a period of 24 hours, by default. The initial baseline is referred to as the knowledge base...

Anomaly Detection Zones

The Cisco Detector XT and the Cisco Guard XT allow you to configure zones to categorize and define anomaly detection policies with more granularity and customization. The following are examples of zones you can configure within the Cisco traffic anomaly detectors: collections of servers or clients; collections of routers or other network access devices; network links, subnets, or entire networks; single users or whole companies.

NOTE: The following site provides step-by-step instructions on how to...

Arbor Peakflow SP and Peakflow X

Arbor Peakflow SP (for service providers) and Peakflow X (for enterprises) are excellent tools that allow you to obtain network visibility. Based on information collected from routers, such as interface statistics and NetFlow, Peakflow SP and Peakflow X can show you details of the traffic traversing your network.

NOTE: For more information about these tools, go to http://www.arbor.net. Arbor has excellent white papers about anomaly detection and combating day-zero threats at

Authentication and Authorization of Wireless Users

The 802.11 standard supports different types of authentication. The two most generic types are open and shared-key authentication. In most wireless networks, a service set ID (SSID) is specified to identify the wireless network. The basic mechanisms of 802.11 augment the identification by using SSIDs with authentication mechanisms that prevent the client from sending data to and receiving data from the access point unless the client has the correct shared key. One of the most basic wireless...

Authentication, Authorization, and Accounting (AAA) and Identity Management

AAA offers different solutions that provide access control to network resources. This section introduces AAA and identity management concepts. Authentication is the process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates. Authentication is widely used in many different applications, from a user attempting to log in to the network, web server, and wireless access point to an administrator logging in to a...

Blocking Instant Messaging

The security administrator is now tasked by his management to come up with a solution to prevent internal users from using Yahoo and MSN instant messaging (IM) programs. The solution is to configure the Cisco ASA to block this traffic and log it. The security administrator completes the following steps to achieve this goal. Step 1 The first step is to configure an inspect map on the Cisco ASA. To do this, navigate to Configuration > Firewall > Objects > Inspect Maps > Instant Messaging...

Building an Action Plan

After you have collected all necessary information and documented the different lessons learned, you should build a comprehensive action plan to address any deficiencies in processes, policies, or technology. Some underlying causes may remain unknown at the time of the initial post-incident meetings; however, you can capture these causes as open action items to be closed when you have completed your final research. Prioritize the gaps identified to make sure that you address the most critical...

Building Strong Security Policies

What good do a firewall, an IPS sensor, an encryption device, and your favorite security product or tool do if you do not have guidelines, policies, and best practices on how to effectively configure and use them? Building strong security policies is crucial for any organization. These policies should be strong, yet realistically flexible to accommodate ever-changing requirements. Policies communicate not only a standard but also an agreement on what should be the best practice for a specific...

Cisco NetFlow in the Data Center

Cisco NetFlow provides network traffic visibility that can help in identifying and classifying potential DDoS attempts and other security threats. In addition, it provides valuable information about application usage that can be beneficial for network planning and traffic engineering. You can enable NetFlow in data center infrastructure devices, such as your distribution switches or routers. A new version of NetFlow called Flexible NetFlow is now available on Cisco IOS routers starting with IOS...
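
The learning-then-detect cycle described under "Anomaly Detection Within Cisco IPS Devices" and the NetFlow visibility described in this section fit together naturally, so the following added example shows both: it builds a knowledge base of per-service flow rates from a baseline period and then flags buckets that exceed the learned threshold or a single source fanning out to many hosts. This is illustration code written for this page, not code from the book or from any Cisco product; the flow record layout, the 60-second bucket, the 3-sigma threshold, the per-key floor, the fan-out limit, and the sample flows are all assumptions.

```python
"""Baseline-then-detect anomaly detection over NetFlow-style records.

Added example, not code from the book or from Cisco. The flow records,
the 60-second bucket, the 3-sigma threshold, the per-key floor and the
fan-out limit are all assumptions made for the illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, int]          # (protocol, destination port)


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


def bucket(flows: Iterable[Flow], interval: int) -> Dict[int, Counter]:
    """Count flows per (proto, dport) in each time bucket of `interval` seconds."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for f in flows:
        buckets[f.ts // interval][(f.proto, f.dport)] += 1
    return buckets


class AnomalyDetector:
    def __init__(self, interval=60, sigma=3.0, floor=10, fanout=50):
        self.interval, self.sigma, self.floor, self.fanout = interval, sigma, floor, fanout
        self.knowledge_base: Dict[Key, float] = {}   # learned flow-rate thresholds

    def learn(self, flows: Iterable[Flow]) -> Dict[Key, float]:
        """Learning mode: derive one threshold per (proto, dport) from the baseline period."""
        buckets = bucket(flows, self.interval)
        periods = sorted(buckets)
        keys = {k for c in buckets.values() for k in c}
        for key in keys:
            series = [buckets[p][key] for p in periods]      # 0 in buckets where the key is absent
            threshold = mean(series) + self.sigma * pstdev(series)
            self.knowledge_base[key] = max(threshold, float(self.floor))
        return self.knowledge_base

    def detect(self, flows: Iterable[Flow]) -> List[tuple]:
        """Detect mode: report buckets above threshold and single sources fanning out."""
        flows = list(flows)
        alerts: List[tuple] = []
        for period, counts in sorted(bucket(flows, self.interval).items()):
            for key, count in counts.items():
                limit = self.knowledge_base.get(key, float(self.floor))   # unseen key: use the floor
                if count > limit:
                    alerts.append(("rate", period, key, count, round(limit, 1)))
        fan: Dict[Tuple[str, str, int], set] = defaultdict(set)
        for f in flows:
            fan[(f.src, f.proto, f.dport)].add(f.dst)
        for (src, proto, dport), dsts in fan.items():
            if len(dsts) >= self.fanout:                 # worm/scanner pattern: one src, many dsts
                alerts.append(("scan", src, (proto, dport), len(dsts)))
        return alerts


# Constructed sample data (not real captures): 24 one-minute buckets of normal traffic ...
def make_baseline() -> List[Flow]:
    flows = []
    for minute in range(24):
        for i in range(10 + minute % 3):            # 10-12 HTTP flows per minute
            flows.append(Flow(minute * 60 + i, f"10.1.1.{i + 1}", "10.2.2.10", "tcp", 80, 20))
        for i in range(2):                           # 2 DNS flows per minute
            flows.append(Flow(minute * 60 + 30 + i, f"10.1.1.{i + 1}", "10.2.2.53", "udp", 53, 2))
    return flows


def make_attack() -> List[Flow]:
    """... then one minute in which 10.1.1.99 probes 60 hosts on tcp/445 amid normal HTTP."""
    t = 24 * 60
    flows = [Flow(t + i, f"10.1.1.{i + 1}", "10.2.2.10", "tcp", 80, 20) for i in range(10)]
    flows += [Flow(t + i, "10.1.1.99", f"10.2.2.{i + 1}", "tcp", 445, 1) for i in range(60)]
    return flows


if __name__ == "__main__":
    det = AnomalyDetector()
    det.learn(make_baseline())
    for alert in det.detect(make_attack()):
        print(alert)
```

The floor matters: a service that was quiet during learning (or never seen at all, like tcp/445 here) would otherwise get a threshold of zero and alert on its first flow, which is the kind of false positive that the tuning discussion elsewhere in the book warns about.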

Cisco Network Analysis Module (NAM)

The Cisco Network Analysis Module (NAM) is designed to analyze and monitor traffic in the Catalyst 6500 series switches and Cisco 7600 series Internet routers. It uses remote monitoring (RMON), RMON extensions for switched networks (SMON), and SNMP MIBs to obtain information from the device. The NAM can also collect and analyze NetFlow information on remote devices. To use the NAM to collect NetFlow data from a remote device, you must configure the remote device to export NDE packets to UDP...

Cisco Security Device Manager (SDM)

SDM is an intuitive web-based tool designed for configuring LAN, WAN, and security features on a router. SDM includes a feature called Security Audit that verifies your existing router configuration and makes sure that it includes the recommended security mechanisms suited for most environments. The SDM Security Audit is based on the Cisco IOS AutoSecure feature.

NOTE: SDM does not support all AutoSecure features. For a complete list of the functions that Security Audit checks for, and...

Cisco Security Agent (CSA)

CSA provides several more robust security features than a traditional antivirus or personal firewall solution. The rich security features of CSA include: protection against buffer overflow attacks; distributed host firewall features; malicious mobile code protection; operating system integrity assurance; extensive audit and logging capabilities; and protection against file modification or deletion. The CSA solution has two major components. Cisco Security Agent Management Center (CSA-MC): The management...

Cisco Security Monitoring, Analysis, and Response System (CS-MARS)

CS-MARS enables you to identify, classify, validate, and mitigate security threats. In the previous sections in this chapter, you learned different mechanisms that give you visibility of the network and its devices, such as NetFlow, SYSLOGs, and SNMP. The analysis and manipulation of the data provided by these features can be a time-consuming process and, in some environments, may even be impossible because of the staff requirements. CS-MARS supports the correlation of events from numerous...

Collected Incident Data

The postmortem is one of the most important parts of incident response and is also the part that is most often omitted. As mentioned in the previous chapter, documenting events that occurred during the previous phases (identification, classification, traceback, and reaction) is important to effectively create a good postmortem following a security incident. The collection of this data is important because it can be used for future improvement in the process, policies, and device configuration....

Configuration Logger and Configuration Rollback

The Cisco IOS configuration logger logs all changes that are manually entered at the command-line prompt. In addition, it can notify registered clients about any changes to the log.

NOTE: The contents of the configuration log are stored in run-time memory; the contents of the log are not persisted across reboots. The Configuration Logger Persistency feature allows you to keep the configuration commands entered by users after reloads. You can enable the Configuration Logger Persistency feature...

Configuring AAA on the Infrastructure Devices

The network administrator configures authentication, authorization, and accounting (AAA) for administrative access to all routers within the network. The network administrator uses command authorization to enforce which commands users can invoke and execute on the routers. Example 12-11 shows an AAA configuration template used for all routers within the organization.

Example 12-11 AAA Configuration on Routers

aaa authentication login default group tacacs+ local
tacacs-server host 172.18.85.181...

Configuring Agent Kits

As previously mentioned, CSA-MC comes with preconfigured agent kits that can be used to fulfill initial security needs. However, CSA-MC allows you to create custom agent kits to fit your specific requirements. For example, you can create different agent kits for the various servers within your data center. To create a new agent kit, complete the following steps: Step 1 Choose Systems > Agent Kits from the CSA-MC console. Step 2 Click New at the bottom of the page displayed. A dialog box...

Configuring Basic Network Address Translation (NAT)

The router administrator needs to configure basic NAT for internal users to access the Internet. The following steps are completed to enable basic NAT on the Cisco IOS router. Step 1 Log in to the router using SDM. Step 2 Navigate to Configure > NAT and click Basic NAT, as illustrated in Figure 12-34. Step 3 Click the Launch the selected task button to start the NAT Configuration Wizard. Step 4 The NAT Configuration Wizard welcome screen appears. Click Next. Step 5 The screen shown in Figure...

Configuring IDS/IPS Sensors in the WLC

You can configure IDS/IPS using the WLC web management console or through the CLI. This section demonstrates how to use the web management console to add IDS/IPS sensors. Step 1 Connect the Cisco IPS device to the same switch where the WLC resides. Step 2 Mirror the WLC ports that carry the wireless client traffic to the Cisco IPS device. You do this because the Cisco IPS device must receive a copy of every packet to be inspected on the wireless network. The Cisco IPS device provides a...

Configuring the CSSC

This section shows how to configure the CSSC to authenticate to the wireless network using EAP-FAST. Complete the following steps to configure the CSSC. Step 1 Launch the CSSC and click Create Network. Step 2 The Network Profile screen shown in Figure 8-18 is displayed. Under Network Configuration Summary and Authentication, click Modify. Figure 8-18 CSSC Network Profile Screen Step 3 The Network Authentication screen shown in Figure 8-19 is displayed. Turn on authentication by clicking the...

Control Resource Exhaustion

Today, a growing number of DDoS attacks are being designed to specifically target key infrastructure devices. These types of attacks typically try to consume CPU resources, input queues, and memory. Worms and viruses that are generally designed to target end hosts generate large volumes of traffic that quite often exhaust most of the resources available in infrastructure equipment. You can implement several best practices by controlling the utilization of the limited resources in a device...

CPU Protection

Attackers already know that targeting CPUs and network processors can affect more than just one server within an organization. Worms and DDoS attacks can bring network infrastructure devices to their knees, costing thousands of dollars. Attackers typically follow two strategies when targeting a CPU. The first tactic is generating large volumes of traffic to the CPU or network processor, because CPUs always have a finite capacity for processing packets. All processors have a limit...
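
The usual defense against the flooding tactic described here and in "Control Resource Exhaustion" is to classify the traffic that is punted to the CPU and rate-limit each class with a token bucket, so that a flood in one class (ICMP from the Internet, say) cannot starve a class the device depends on (BGP from a known peer). The following added example simulates that policing; it is illustration code written for this page, not code from the book or from Cisco IOS, and the traffic classes, the rates and burst sizes, the peer address, and the sample packet mix are assumptions.

```python
"""Token-bucket policing of traffic punted to a router CPU, in the spirit of
control-plane policing. Added example, not code from the book or from Cisco IOS;
the traffic classes, rates, burst sizes and the sample packet mix are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

Packet = Tuple[float, str, str, int]   # (arrival time, proto, src, dport)


@dataclass
class TokenBucket:
    rate: float          # tokens added per second (packets/second allowed on average)
    burst: int           # maximum tokens = maximum back-to-back burst
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


BGP_PEERS = {"209.165.201.1"}   # assumed eBGP peer address


def classify(proto: str, src: str, dport: int) -> str:
    """Map a punted packet to a CoPP-style class. Order matters: critical first."""
    if proto == "tcp" and dport == 179 and src in BGP_PEERS:
        return "critical"       # routing protocol from a known peer
    if proto == "tcp" and dport == 22:
        return "management"
    if proto == "icmp":
        return "monitoring"
    return "default"


class ControlPlanePolicer:
    def __init__(self, policy: Dict[str, Tuple[float, int]]):
        self.buckets = {cls: TokenBucket(rate, burst) for cls, (rate, burst) in policy.items()}

    def process(self, packets: Iterable[Packet]) -> Counter:
        """Return counts of (class, 'pass'|'drop'); each class is policed independently."""
        result: Counter = Counter()
        for now, proto, src, dport in sorted(packets):   # time-ordered
            cls = classify(proto, src, dport)
            verdict = "pass" if self.buckets[cls].allow(now) else "drop"
            result[(cls, verdict)] += 1
        return result


POLICY = {                    # (packets/second, burst): assumed values
    "critical":   (500.0, 50),
    "management": (100.0, 20),
    "monitoring": (100.0, 20),
    "default":    (10.0, 5),
}


def sample_second() -> list:
    """Constructed one-second mix: 10 BGP keepalives, 5 SSH packets and a 5000 pps ICMP flood."""
    pkts = [(i / 10, "tcp", "209.165.201.1", 179) for i in range(10)]
    pkts += [(0.5 + i / 10, "tcp", "10.0.0.5", 22) for i in range(5)]
    pkts += [(i / 5000, "icmp", "192.0.2.66", 0) for i in range(5000)]
    return pkts


def run_sample() -> Counter:
    return ControlPlanePolicer(POLICY).process(sample_second())


if __name__ == "__main__":
    for (cls, verdict), n in sorted(run_sample().items()):
        print(f"{cls:11} {verdict:4} {n}")
```

Because each class has its own bucket, the 5000 packet ICMP flood is cut down to roughly the 100 pps plus burst that the monitoring class allows, while every BGP keepalive from the peer passes. Without the per-class split, a single shared queue would let the flood crowd out the keepalives and drop the BGP session, which is exactly the second-order damage the text describes.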

Creating a Computer Security Incident Response Team (CSIRT)

It is unfortunate when large Fortune 500 companies do not have a Computer Security Incident Response Team (CSIRT). On some occasions, their CSIRT consists of one part-time employee. This is why it is extremely important to have management support when creating CSIRTs. It is difficult and problematic to create a CSIRT without management approval and support. Also, the support needed goes beyond budget and money. It includes executives, managers, and their staffs committing time to participate in...

Data Center Security

Data centers comprise some of the most critical assets within any organization. Typically, applications, databases, and management servers reside in the data center. For this reason, it is extremely important to have the appropriate defense mechanisms in place to protect the data center against security threats. Attacks against data center assets can result in lost business applications and the theft of confidential information. This chapter covers several best practices and recommendations...

Data Center Segmentation and Tiered Access Control

By isolating different types of servers and services, you can use segmentation and tiered access control in your data center to provide a multilayered architecture while adding security. The easiest way to segment your data center is to configure different Layer 2 domains or VLANs. In addition, you can use firewalls for policy enforcement between each segment. By using private VLANs, you can also use segmentation that is local to the VLAN. This helps in preventing a compromised or infected...

Distribution Layer

At the distribution layer, you can apply enforcement mechanisms (such as ACLs) based on your security policies for the IP telephony-enabled network. For example, you can configure Layer 3 ACLs so that they do not allow traffic from the non-voice VLANs to reach the voice gateway and voice applications in the network. Typically, voice application servers (such as Cisco Unified CallManager and Cisco Unity) are protected by firewalls in the distribution layer of the data center. On the other hand,...

Figure 1-3 PAT

Figure 1-3 shows the same connection before and after translation. Inside (before PAT): source address 192.168.1.100, destination address 209.165.200.230, source port 1024, destination port 80. Outside (after PAT): source address 209.165.200.226, destination address 209.165.200.230, source port 1234, destination port 80.

Stateful inspection firewalls track every connection passing through their interfaces by examining not only the packet header contents but also the application layer information within the payload. This is done to find out more about the transaction than just the source and destination...
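
The address and port rewriting shown in Figure 1-3 is easiest to understand as a translation table that the firewall populates on the first outbound packet and consults for every return packet. The following added example models that table using the figure's addresses; it is illustration code written for this page, not code from the book or from any Cisco product, and the allocator that hands out outside port 1234 first, the packet model, and the second inside host are assumptions.

```python
"""Stateful PAT translation table built around the address/port tuples in Figure 1-3.
Added example, not code from the book; the choice of outside port 1234 as the first
allocated port and the packet model are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


InsideKey = Tuple[str, str, int, str, int]       # (proto, src_ip, src_port, dst_ip, dst_port)
OutsideKey = Tuple[str, int, str, int]           # (proto, outside_port, remote_ip, remote_port)


@dataclass
class PatFirewall:
    outside_ip: str                     # single public address shared by all inside hosts
    next_port: int = 1234               # next outside port to hand out (assumed allocator)
    outbound: Dict[InsideKey, int] = field(default_factory=dict)
    inbound: Dict[OutsideKey, Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to outside_ip:port, creating state on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching existing state are translated; others are dropped."""
        if pkt.dst_ip != self.outside_ip:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None            # no state: unsolicited inbound connection attempt
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)

    def close(self, pkt: Packet) -> None:
        """Remove state when a connection ends (inside-side 5-tuple)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.pop(key, None)
        if port is not None:
            self.inbound.pop((pkt.proto, port, pkt.dst_ip, pkt.dst_port), None)


if __name__ == "__main__":
    fw = PatFirewall("209.165.200.226")
    out = fw.translate_outbound(Packet("192.168.1.100", 1024, "209.165.200.230", 80))
    print("outbound after PAT:", out)
    print("reply mapped back:", fw.translate_inbound(Packet("209.165.200.230", 80, "209.165.200.226", 1234)))
    print("unsolicited inbound:", fw.translate_inbound(Packet("209.165.200.230", 80, "209.165.200.226", 5555)))
```

The reverse lookup keys on the remote address and port as well as the outside port, which is what makes the translation stateful: a packet to outside port 1234 from any host other than 209.165.200.230:80 finds no entry and is dropped, even though the port is in use.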

How This Book Is Organized

Part I of this book includes Chapter 1, which covers an introduction to security technologies and products. In Part II, which encompasses Chapters 2 through 7, you will learn the six-step methodology of incident readiness and response. Part III includes Chapters 8 through 11, which cover strategies used to protect wireless networks, IP telephony implementations, data centers, and IPv6 networks. Real-life case studies are covered in Part IV, which contains Chapter 12. The following is a...

Identifying and Classifying Security Threats

Worms and denial of service (DoS) attacks are used maliciously to consume the resources of your hosts and network that would otherwise be used to serve legitimate users. In some cases, misconfigured hosts and servers can send traffic that consumes network resources unnecessarily. Having the necessary tools and mechanisms to identify and classify security threats and anomalies in the network is crucial. This chapter presents several best practices and methodologies you can use to successfully...

Infrastructure Protection Access Control Lists (iACLs)

Using iACLs is a technique that was developed by ISPs; however, it is now common practice in enterprises and other organizations. Employing iACLs involves the use of ACLs that prevent direct attacks on infrastructure devices. You configure these ACLs to specifically allow only authorized traffic to the infrastructure equipment while still allowing transit traffic. Cisco recommends that you configure iACLs in four different sections or modules: 1. On the Internet edge, deny packets from illegal...
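
An iACL is evaluated top to bottom, first match wins, so the order of the four modules is what makes it work: spoofed sources are rejected before anything else is considered, the few external sessions the infrastructure must accept are permitted explicitly, everything else aimed at infrastructure addresses is dropped, and only then is transit traffic allowed through. The following added example evaluates packets against an ACL built in that order. It is illustration code written for this page, not code from the book or from Cisco IOS; the infrastructure block, edge router and eBGP peer addresses (RFC 5737 documentation space) are assumptions, and modules 2 through 4 follow the usual Cisco iACL layout that the truncated paragraph does not show.

```python
"""Ordered iACL evaluator following the four-module layout. Added example, not code from
the book or from Cisco IOS. The address ranges (RFC 5737 documentation space for the
infrastructure block and the eBGP peer) and the permitted peer/port are assumptions, and
modules 2-4 follow the usual Cisco iACL structure that the truncated paragraph does not show."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INFRA = ipaddress.ip_network("209.165.200.224/27")         # assumed infrastructure address block
EDGE_ROUTER = ipaddress.ip_network("209.165.200.225/32")   # assumed edge router address
EBGP_PEER = ipaddress.ip_network("209.165.201.1/32")       # assumed upstream BGP peer

# Source ranges that must never arrive from the Internet: unroutable/private space and our own block.
ILLEGAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")] + [INFRA]


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches everything; else "tcp"/"udp"/"icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None = any port
    module: int = 0                   # which of the four iACL modules the rule belongs to


def build_iacl() -> List[Rule]:
    acl: List[Rule] = []
    for net in ILLEGAL_SOURCES:                                        # module 1: anti-spoofing
        acl.append(Rule("deny", "ip", net, ANY, module=1))
    acl.append(Rule("permit", "tcp", EBGP_PEER, EDGE_ROUTER, 179, module=2))  # module 2: required external sessions
    acl.append(Rule("deny", "ip", ANY, INFRA, module=3))               # module 3: nothing else to infrastructure
    acl.append(Rule("permit", "ip", ANY, ANY, module=4))               # module 4: transit traffic
    return acl


def evaluate(acl: List[Rule], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, int]:
    """First-match evaluation, like an IOS ACL; returns (action, module). Unmatched = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        proto_ok = rule.proto == "ip" or rule.proto == proto
        port_ok = rule.dport is None or rule.dport == dport
        if s in rule.src and d in rule.dst and proto_ok and port_ok:
            return rule.action, rule.module
    return "deny", 0


if __name__ == "__main__":
    acl = build_iacl()
    for args in (("10.1.1.1", "209.165.200.225"),
                 ("209.165.201.1", "209.165.200.225", "tcp", 179),
                 ("198.51.100.7", "209.165.200.225", "tcp", 22),
                 ("198.51.100.7", "209.165.202.130", "tcp", 80)):
        print(args, "->", evaluate(acl, *args))
```

Note that the organization's own infrastructure block is part of module 1: a packet arriving on the Internet edge that claims a source inside 209.165.200.224/27 is spoofed by definition and is dropped before the BGP permit in module 2 can match it.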

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

This section includes an overview of intrusion detection systems (IDS) and intrusion prevention systems (IPS). IDSs are devices that detect (in promiscuous mode) attempts by an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information. They also detect distributed denial of service (DDoS) attacks, worms, and virus outbreaks. IPS devices are capable of detecting all these security threats; however, they are also able to drop...

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)

In earlier chapters, you learned the difference between IDS and IPS devices. IDS and IPS appliances and modules are usually placed in the data center distribution layer, not only to alert an administrator when a security threat has been detected, but also to take action and protect the data center assets. In small environments, one or more IDS/IPS appliances (such as the Cisco 4200 sensors) can be placed in the data center. The Cisco Catalyst 6500 IDS/IPS module (IDSM) is used in larger...

IP Source Routing

IP source routing enables a device to control the route that the datagram will take toward its destination. This feature is rarely used because it is not practical in environments today. Attackers can take advantage of older IP implementations that do not process source-routed packets properly and may be able to crash machines running these implementations by sending altered packets with source routing options. It is recommended that you disable IP source routing whenever possible with the no...
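
Disabling source routing on the router is the right fix, but it is also worth being able to recognize a source-routed packet in a capture: the route travels in an IP header option of type 131 (loose source and record route) or 137 (strict source and record route), so any packet whose header length exceeds 20 bytes deserves a look at its option list. The following added example parses the option field, extracts the hop list, and applies a drop policy equivalent to the command the text recommends, including the malformed-option case that older implementations mishandled. It is illustration code written for this page, not code from the book; the packet builder exists only to construct test input (its checksum is left at zero), and the addresses are documentation ranges.

```python
"""Detecting source-routed IPv4 packets by parsing the header option field.
Added example, not code from the book. The packet builder is a minimal constructor for
test input (header checksum left at zero); real packets are taken from a capture."""
import socket
import struct
from typing import Iterator, List, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89    # loose and strict source route option types (RFC 791)


def ip_options(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, data) for each option in the IPv4 header; raise on malformed headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        otype = opts[i]
        if otype == IPOPT_EOL:
            return
        if otype == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        yield otype, opts[i + 2:i + olen]
        i += olen


def source_route(packet: bytes) -> List[str]:
    """Return the hop list carried by an LSRR/SSRR option, or [] if the packet is not source routed."""
    for otype, data in ip_options(packet):
        if otype in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = data[1:]                               # data[0] is the pointer byte
            return [socket.inet_ntoa(addrs[k:k + 4]) for k in range(0, len(addrs) - len(addrs) % 4, 4)]
    return []


def should_drop(packet: bytes) -> bool:
    """Policy equivalent of 'no ip source-route': drop source-routed or unparsable packets."""
    try:
        return bool(source_route(packet))
    except ValueError:
        return True


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test packets only: pads options to 32 bits, leaves checksum 0."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def lsrr_option(hops: List[str]) -> bytes:
    """LSRR option: type, length (3 + 4n), pointer (4), then the route."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


PLAIN = build_ipv4("192.0.2.10", "198.51.100.20")
ROUTED = build_ipv4("192.0.2.10", "198.51.100.20", lsrr_option(["203.0.113.1", "203.0.113.2"]))
PADDED = build_ipv4("192.0.2.10", "198.51.100.20", bytes([IPOPT_NOP]) + lsrr_option(["203.0.113.1"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED), ("padded", PADDED)):
        print(name, should_drop(pkt), source_route(pkt))
```

Treating an unparsable option list as a drop, rather than letting it through, is the conservative choice: an option whose declared length runs past the header is exactly the kind of altered packet the text says older IP stacks failed on.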

IPsec and IPv6

IPv6 headers have no security mechanisms themselves, just as in IPv4. Administrators rely on the IPsec protocol suite for security. The same security risks for man-in-the-middle attacks in Internet Key Exchange (IKE) in IPv4 are present in IPv6. Most people recommend using IKE main mode negotiations when the use of preshared keys is required. On the other hand, IKE Version 2 (IKEv2) is expected to address this issue in the future. IKEv2 supports different peer...

IPv6 Security

Internet Protocol Version 6 (IPv6) is often called the next generation protocol and is designed to replace the widely deployed Internet Protocol Version 4 (IPv4). So far, IPv6 has been deployed in only a few places, but adoption is expected to grow over time. For example, Microsoft Windows Vista includes support for IPv6. IPv6 enables easier support and maintenance of service provider networks than previous versions. The large address space improves the usage of online support systems and...

Laws and Computer Crimes

In most cases, United States and international laws might affect or impact the incident response process. If you want to prosecute an attacker, you might merely have to contact local authorities. In some cases, however, you will need to contact the Federal Bureau of Investigation or equivalent organizations in other countries, especially when dealing with attacks that involve international boundaries. International and inter-jurisdictional cooperation is difficult. What is illegal in one...

Log Files

After a security incident, you can use log files to obtain clues on what happened. However, logs are useful only if they are actually read. Even in small networks, logs from servers, networking devices, end-host machines, and other systems can be large, and their analysis may be tedious and time consuming. That is why it is important to use event correlation systems and other tools to better analyze and study log entries. You can use robust systems such as CS-MARS or even simple tools and...

Main mode

In main mode, the IPsec peers complete a six-packet exchange (three round-trips) to negotiate the ISAKMP SA, whereas aggressive mode completes the SA negotiation in a three-packet exchange. Main mode provides identity protection, which matters when preshared keys are used: the identity payloads are sent only after the Diffie-Hellman exchange has produced keys to encrypt them. Aggressive mode sends the identities in its first exchange, before any encryption is established, so it does not provide identity protection.

NOTE: Cisco products that support IPsec typically use main mode for site-to-site tunnels and aggressive mode for remote-access VPN tunnels. This is the default...

NAC Appliance Configuration

It is recommended that you configure the CAS in the Real-IP gateway mode for wireless network deployments. When the CAS is configured in the Real-IP gateway mode, it handles all routing between the unprotected and protected networks. In this example, the untrusted (unprotected) interface resides in the 10.10.10.0/24 subnet, and the trusted (protected) interface resides in the 192.168.40.0/24 subnet. Complete the following steps to configure the NAC Appliance solution to protect the corporate...

NAC Framework

NAC Framework is a Cisco-led industry initiative to provide posture validation using embedded software in Cisco network access devices (NAD) such as routers, switches, VPN concentrators, Cisco ASA, wireless access points, and others. Many vendors are part of the Cisco NAC program. These Cisco partners include antivirus software vendors, remediation and patch management companies, identity software manufacturers, and others. NOTE To obtain the latest list of NAC program vendors partners, go to...

Network Admission Control (NAC) in Wireless Networks

Network Admission Control (NAC) was initially designed as two separate solutions: the NAC Framework and NAC Appliance (formerly known as Cisco Clean Access). The most commonly deployed NAC solution for wireless networks is the NAC Appliance. This section covers how to integrate the Cisco NAC Appliance into the Cisco Unified Wireless solution. As mentioned in previous chapters, the NAC Appliance has three major components. In the example illustrated in Figure 8-26, the CAS is configured inline and...

Open Source Monitoring Tools

You can use several open source monitoring tools in conjunction with NetFlow. If your organization is small, or if you do not have the budget for more sophisticated monitoring tools, you can take advantage of any of these open source tools that are freely available. Table 3-1 includes the most commonly used open source monitoring tools.

Table 3-1 Open Source Monitoring Tools (entries include My Netflow Reporting System by Dynamic Networks)

Most of these tools are designed...

Overview of Cisco Unified Wireless Network Architecture

The Cisco Unified Wireless Architecture is a multiservice solution designed for any type of organization. It can be deployed in your corporate offices, branches, retail stores, hospitals, manufacturing plants, warehouses, educational institutions, financial institutions, government agencies, and any other type of organization that needs wireless connectivity. Industry standards including the IEEE 802.11 and the draft IETF Control and Provisioning of Wireless Access Points (CAPWAP) are...

Overview of Network Security Technologies

Technology can be considered your best friend. Nowadays, you can do almost everything over networked systems or the Internet, from simple tasks, such as booking a flight reservation, to a multibillion dollar wire transfer between two large financial organizations. You cannot take security for granted. An attacker can steal credit card information from your online travel reservation or launch a denial of service (DoS) attack to disrupt a wire transfer. It is extremely important to learn new...

Penetration Testing

Penetration testing is often referred to as ethical hacking. Using this procedure, a trusted third party or a security engineer of the organization attempts to compromise or break into the network and its devices by scanning, simulating live attacks, and exploiting vulnerable machines to measure the overall security posture. There are three common types of penetration testing. In the black-box technique, the tester has no prior knowledge of the network of the organization. Typically, the...

Policy Enforcement

An entire book could be devoted to a discussion of policy enforcement. Also, you must design the enforcement of security policies according to your organization goals. Therefore, this section cannot fully cover policy enforcement or provide recommendations specific to your own business organization. It can, however, outline some common strategies that you can use when configuring network infrastructure devices to make sure that access to the areas of your network and its devices is granted only...

Postmortem

The CSIRT creates a postmortem including the following information: total amount of labor spent working on the incident; elapsed time from the beginning of the incident to its resolution; elapsed time for each stage of the incident-handling process; time it took the incident response team to respond to the initial report of the incident; and estimated monetary damage from the incident. The lessons learned section in the postmortem is documented, including all items that will improve the incident response...

Private VLANs

Private VLANs can be used to achieve Layer 2 isolation of hosts within a VLAN. Some people use private VLANs in their data center to isolate servers in case they are compromised or infected. However, private VLANs do not provide perfect isolation. For example, an attacker can use a Layer 3 device attached to a promiscuous port to hop from one isolated system to another, by addressing frames to the Layer 3 device's MAC address while carrying the victim's IP address as the destination; the Layer 3 device then routes the packet back into the private VLAN. This type of attack and others are explained extensively in the whitepaper at

Protecting Cisco Personal Assistant

This section covers the most common best practices to harden the Cisco Personal Assistant. The recommendations to increase the security of the Cisco Personal Assistant server can be summarized into two major areas.

NOTE: The Cisco Personal Assistant operating environment is made up of several third-party products. You should follow the security guidelines documented by each of these third-party product vendors. This chapter covers several general guidelines on securing the Cisco Personal...

Protecting the IP Telephony Infrastructure

The first step in IP telephony security is to make sure that you apply the best practices learned in previous chapters to protect the infrastructure as a whole. As previously mentioned, all the infrastructure components are networking devices deployed within your organization, such as those shown in Figure 9-1. Figure 9-1 illustrates a common IP telephony deployment in a medium-to-large enterprise. In Figure 9-1, several infrastructure components are depicted within a headquarters main office topology, which demonstrates...

Segmentation with VLANs

You can achieve network segmentation and isolation in many ways. The use of VLANs is one of the most commonly used methods because of its simplicity and ease of deployment. Figure 7-13 illustrates how you can isolate and segment different types of devices just by using VLANs.

Figure 7-13 Segmentation Using VLANs (VLANs shown: web servers, database servers, LDAP servers, management)

In Figure 7-13, a set of web, database,...

Segmentation with VRF/VRF-Lite

You can also use Multiprotocol Label Switching (MPLS) VPN routing and forwarding (VRF) or the MPLS VRF-Lite feature on Cisco IOS routers for network segmentation purposes. This concept is illustrated in Figure 7-15.

Figure 7-14 Segmentation Using VLANs and Firewalls for Policy Enforcement

Figure 7-15 Segmentation Using VRF and VRF-Lite

The main challenge of implementing VRFs and VRF-Lite is that most enterprises do not run MPLS within their...

Syslog

System logs (SYSLOG) provide you with information for monitoring and troubleshooting devices within your infrastructure. In addition, they give you excellent visibility into what is happening within your network. You can enable SYSLOG on network devices such as routers, switches, firewalls, VPN devices, and others. This section covers how to enable SYSLOG on routers, switches, the Cisco ASA, and Cisco PIX security appliances.

Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches

The...
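
Once SYSLOG is enabled on routers and switches, the value comes from correlating the messages across devices, which is the point made under "Log Files": a single denied packet or failed login on one device is noise, but the same source address producing ACL denies on two devices and then failed SSH logins on the edge router is a pattern worth an alert. The following added example parses IOS-style messages (the %FACILITY-SEVERITY-MNEMONIC convention) and groups events by source address across devices. It is illustration code written for this page, not code from the book or from CS-MARS; the message formats are approximations of the real ones, the log lines are constructed sample data, not real logs, and the thresholds are assumptions.

```python
"""Parsing Cisco IOS-style syslog messages and correlating them across devices.
Added example, not code from the book or from CS-MARS. The message formats are
approximations of the IOS %FACILITY-SEVERITY-MNEMONIC convention and the log lines
below are constructed sample data, not real logs; thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
ACL_RE = re.compile(r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
                    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
SOURCE_RE = re.compile(r"\[Source: (?P<src>[\d.]+)\]")
HOST_RE = re.compile(r"^(?P<host>\S+)\s")   # leading hostname added by the syslog collector (assumed)


def parse(line: str) -> Optional[dict]:
    m = MSG_RE.search(line)
    if not m:
        return None                       # not an IOS-style message (e.g. a boot banner)
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    h = HOST_RE.match(line)
    rec["host"] = h.group("host") if h else "?"
    return rec


def correlate(lines: Iterable[str], deny_threshold: int = 3, fail_threshold: int = 2) -> dict:
    """Group events by source address across all devices and flag sources that cross thresholds."""
    denies: Counter = Counter()
    login_fail: Counter = Counter()
    targets: Dict[str, set] = defaultdict(set)
    config_changes: List[str] = []
    by_severity: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        by_severity[rec["severity"]] += 1
        if rec["mnemonic"].startswith("IPACCESSLOG"):
            a = ACL_RE.search(rec["text"])
            if a:
                denies[a["src"]] += int(a["count"])
                targets[a["src"]].add(f'{a["dst"]}:{a["dport"]}')
        elif rec["mnemonic"] == "LOGIN_FAILED":
            s = SOURCE_RE.search(rec["text"])
            if s:
                login_fail[s["src"]] += 1
        elif rec["mnemonic"] == "CONFIG_I":
            config_changes.append(f'{rec["host"]}: {rec["text"]}')
    suspicious = {}
    for src in set(denies) | set(login_fail):
        reasons = []
        if denies[src] >= deny_threshold:
            reasons.append(f"{denies[src]} denied packets to {len(targets[src])} targets")
        if login_fail[src] >= fail_threshold:
            reasons.append(f"{login_fail[src]} failed logins")
        if reasons:
            suspicious[src] = reasons
    return {"suspicious": suspicious, "config_changes": config_changes, "by_severity": dict(by_severity)}


# Constructed sample lines from two devices (not real logs).
SAMPLE_LOG = """\
edge-rtr1 *Mar  1 00:12:45.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.50(4444) -> 10.1.1.10(23), 1 packet
edge-rtr1 *Mar  1 00:12:46.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.50(4445) -> 10.1.1.11(23), 2 packets
core-sw1 *Mar  1 00:12:47.410: %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.50(4446) -> 10.1.1.12(22), 1 packet
edge-rtr1 *Mar  1 00:13:02.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed]
edge-rtr1 *Mar  1 00:13:09.800: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed]
core-sw1 *Mar  1 00:14:00.000: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.1.1.77(5353) -> 10.1.1.1(161), 1 packet
edge-rtr1 *Mar  1 00:15:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
edge-rtr1 ROM: System Bootstrap, Version 12.4
"""


def analyze_sample() -> dict:
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_sample(), indent=2))
```

The correlation key is the source address, not the device, which is what lets the three denies spread across edge-rtr1 and core-sw1 add up; the single deny from 10.1.1.77 stays below threshold and is not reported, and configuration changes are listed separately because a change after a burst of failed logins is something an incident handler wants to see regardless of who made it.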

Telemetry and Anomaly Detection

Anomaly detection systems passively monitor network traffic, looking for any deviation from normal or baseline behavior that may indicate a security threat or a misconfiguration. You can use several commercial tools and even open source tools to successfully identify security threats within your network. These tools include the following: Cisco Security Monitoring, Analysis and Response System (CS-MARS); Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances; Cisco IPS sensors...

The Importance of Tuning

Chapter 1 showed you the important factors to consider when tuning your IPS/IDS devices. Each IPS/IDS device comes with a preset number of signatures enabled. These signatures are suitable in most cases; however, it is important that you tune your IPS/IDS devices when you first deploy them and then tune them again periodically. Otherwise, you could receive numerous false positive events (false alarms), which could cause you to overlook real security incidents. The initial tuning will probably take more...

Time-to-Live (TTL) Security Check

TTL Security Check is a security feature implemented in BGP. It helps protect BGP peers from multihop attacks. This feature is based on the Generalized TTL Security Mechanism (GTSM) defined in RFC 3682 and applies only to external BGP (eBGP). NOTE Several organizations are working to implement this feature for other routing protocols, such as OSPF and EIGRP. You can configure a minimum acceptable TTL value for the packets exchanged between two eBGP peers when you use the TTL Security Check...

Warning and Disclaimer

This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs...

Wireless Intrusion Prevention System Integration

You can integrate Cisco IPS sensors with the Cisco Unified Wireless Solution. This includes the Cisco IPS sensors, the Cisco Adaptive Security Appliance (ASA) Advanced Inspection and Prevention Security Services Module (AIP-SSM), the Catalyst 6500 Intrusion Detection/Prevention Services Module Version 2 (IDSM-2), and the IPS modules for Cisco IOS routers. When you integrate IPS with the Cisco Unified Wireless Solution, the WLC talks to the Cisco IPS sensor via its management port using the...

WLC Configuration

This section includes the steps necessary to configure the WLC for the NAC Appliance solution to work. Complete the following steps to configure the WLC. Step 1: As a best practice, it is recommended that you configure separate VLANs for guest and internal users. To do this, you need to configure two new pseudointerfaces. Log in to the WLC, navigate to Controller > Interfaces, and click New to add a new interface. Enter the name for the new interface and the VLAN you want to assign. This is...

On Wireless Networks

In Chapter 1, Technology Overview, you learned the basics of 802.1X. As a refresher, 802.1X is a standard that defines the encapsulation methodologies for the transport of the Extensible Authentication Protocol (EAP). NOTE EAP was originally defined in RFC 2284, which has since been obsoleted by RFC 3748. The 802.1X standard allows you to enforce access control when wired and wireless devices attempt to access the network. Figure 8-5 illustrates the main components of 802.1X. Figure 8-5...

Configuring the Cisco Secure ACS Server for 802.1X and EAP-FAST

Complete the following steps to configure the Cisco Secure ACS server for 802.1X authentication using the EAP-FAST method. You first add the WLC as a AAA client on the Cisco Secure ACS server. To add the WLC as a AAA client on Cisco Secure ACS, click the Network Configuration radio button. You can create a network device group to maintain a collection of AAA clients and AAA servers, or you can use the default Not Assigned network device group. In this example, the WLC is added to the Not Assigned...

Traceback in the Enterprise

The ability to track where attacks are coming from, and the techniques used to do so within an enterprise, depend on the type of attack. If the attacks are coming from external sources, such as the Internet, enterprises often depend on their providers to be able to track down the sources of the attack. Additionally, the network telemetry techniques and features discussed in Chapter 3, Identifying and Classifying Security Threats, are extremely helpful for tracking where attack traffic is being...

Configuring Active/Standby Failover on the Cisco ASA

Maintaining appropriate redundancy mechanisms within infrastructure devices is extremely important for any organization. The Cisco ASA supports active-active and active-standby failover. NOTE When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active takes ownership of the IP addresses and MAC addresses of the failed unit. The unit that is now in standby state takes over the standby IP addresses and MAC addresses....

Cisco ASA Antispoofing Configuration

The Company-A security administrator wants to protect the infrastructure from spoofed sources. The administrator enables Unicast Reverse Path Forwarding (Unicast RPF) to protect against IP spoofing attacks by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. To enable Unicast RPF, navigate to Configuration > Firewall > Advanced > Anti-spoofing. Select the desired interface, and click Enable, as illustrated in...

Protecting Cisco Unified Call Manager

Server and operating system best practices apply when protecting the Cisco Unified CallManager. Just as with any other critical application, you should make major configuration changes within a maintenance window to avoid the disruption of voice services. However, some standard security policies for application servers might not be adequate for IP telephony servers. For example, on e-mail and web servers, you can easily resend an e-mail message or refresh a web page. On the other hand, voice...

Raleigh Office Cisco ASA Configuration

The following sections cover the steps necessary to complete the goals listed earlier. Configuring IP Addressing and Routing: This section demonstrates how to configure the interfaces and default gateway on the Cisco ASA using the Adaptive Security Device Manager (ASDM). The following are the configuration steps. Step 1: Working with a new Cisco ASA installation, the administrator logs in via the command-line interface (CLI) and sets the management interface IP address (10.10.30.1) and other...

NetFlow

Cisco NetFlow was initially introduced as a packet accounting system for network administration and, in some cases, for billing. However, today you can use NetFlow to listen to the network itself, thereby gaining valuable insight into the overall security state of the network. This is why it is classified as a form of telemetry that provides information about traffic passing through or directly to each router or switch. NetFlow is supported in the following Cisco platforms: Cisco 7600/6500...

Segmenting the Data Center with the Cisco FWSM

In this section, you will learn how to take advantage of some of the Cisco FWSM features to segment your data center. It covers the modes of operation of the FWSM, design considerations, and configuration steps. Cisco FWSM Modes of Operation and Design Considerations: You can use the Cisco FWSM not only to segment your data center, but also to enforce policy and to provide additional security benefits such as stateful and deep packet inspection. You can configure the Cisco FWSM in two different...

Identity and Trust

Identity and trust is one of the SAVE pillars. You should consider deploying a complete trust and identity management solution for secure network access and admission at every point in the network. The following are the most common technologies that are part of the identity and trust pillar: Authentication, authorization, and accounting (AAA); Cisco Guard active verification; Digital certificates and PKI; Internet Key Exchange (IKE) protocol; Network Admission Control and 802.1X; Routing protocol...

Virtual Private Networks (VPN)

Organizations of all sizes deploy VPNs to provide data integrity, authentication, and data encryption to assure confidentiality of the packets sent over an unprotected network or the Internet. VPNs are designed to avoid the cost of unnecessary leased lines. Many different protocols are used for VPN implementations, including these: Point-to-Point Tunneling Protocol (PPTP); Layer 2 Forwarding (L2F) Protocol; Layer 2 Tunneling Protocol (L2TP); Generic Routing Encapsulation (GRE) Protocol...

Configuring Load Balancing

The administrator configures load balancing on each security appliance. The following are the steps to configure load balancing for remote access VPN. Step 1: Log in to the Cisco ASA using ASDM. Step 2: On the main menu, choose Wizards. Step 3: Choose the High Availability and Scalability Wizard. Step 4: The High Availability and Scalability Wizard starts. The screen shown in Figure 12-69 is displayed. Click Configure VPN Cluster Load Balancing, as shown in Figure 12-69. Figure 12-69 High...

Configuring the AIP-SSM on the Cisco ASA

Two Cisco ASAs protect the Chicago office internal network. The IP address configuration of both Cisco ASAs is illustrated in Figure 12-51. Figure 12-51 Cisco ASAs at the Chicago Office. The following are the IP addresses of each of the interfaces of the primary Cisco ASA (ASA-1): AIP-SSM management interface, 10.200.30.3. The following are the IP addresses of each of the interfaces of the secondary Cisco ASA (ASA-2): AIP-SSM management interface...

Protecting Cisco Unity

The Cisco Unity solution provides advanced voice mail and messaging features. In this section, you will learn tips for increasing the security of the Cisco Unity solution. Cisco Unity runs over the Microsoft Windows operating system (OS). The first step in protecting the Cisco Unity system is to have a good patch management procedure. Microsoft has different recommendations for installing and securing Windows Server 2003 and Windows 2000 Server systems. For Windows Server 2003, refer to the...

Routing Mechanisms as Security Tools

Many people do not realize that routing is one of the most powerful security tools available. Several routing techniques help identify, classify, and mitigate security threats. Examples include remotely triggered black holes (RTBH) and sinkholes. RTBH is a filtering technique that provides the ability to drop malicious traffic before it penetrates your network. Historically, RTBH has been a tool that many service providers have used to mitigate DDoS attacks. Many other organizations are now...

Sending Selective Traffic to the IDS/IPS Devices

Depending on the size of your data center, you may use one or more IPS/IDS devices. In large data centers, you can use several IDSMs to monitor the activity within your server farms. Figure 10-13 illustrates a data center with three different IDSMs installed on each Cisco Catalyst 6500 along with the Cisco FWSM. Figure 10-13 IDSMs Deployed in the Data Center. In some cases, exposing IPS/IDS sensors to all the traffic that flows within a data center can oversubscribe the IPS/IDS devices. To avoid...

Control Plane Policing (CoPP)

You can configure Quality of Service (QoS) policies to rate limit the traffic sent to the route processor (RP), thereby protecting the control plane from reconnaissance and DDoS attacks. With Modular QoS Command-Line (MQC) policies, you can permit, block, or rate limit traffic to the RP. You can use MQC to sort traffic into separate classes and to apply distinct QoS policies based on different criteria. NOTE CoPP was introduced initially in 12.2(18)S for Cisco 7200, Cisco 7300, and Cisco 7500 series...

Lightweight Access Point Protocol (LWAPP)

In the Cisco Unified Wireless Architecture, a wireless LAN controller (WLC) is used to manage the wireless access point configuration and firmware, creating an LWAPP tunnel. LWAPP provides the control messaging protocol and data encapsulation. In other words, the wireless client data packets are encapsulated between the access point and the WLC. Figure 8-21 illustrates how a WLC controls a wireless access point over an LWAPP tunnel. The following steps are illustrated in Figure 8-21: 1. The...

Protecting the Internet Edge Routers

On the Internet edge routers (R1 and R2), the administrator configures an ACL to deny packets from illegal sources (RFC 1918 and RFC 3330 addresses). In addition, this ACL denies traffic with source addresses belonging to the internal address space of Company-B (that is, 209.165.201.0/24) that is entering from an external source. Example 12-5 shows the ACL configuration. NOTE In addition, the administrator performs a security audit using SDM and makes the necessary changes, as the Company-A...

Resource Thresholding Notification

Always monitor the resource usage of infrastructure devices for unusual sustained high levels of CPU utilization, low free memory, and large volumes of dropped packets. These practices ease the detection and classification of attacks and outbreaks. NOTE Chapter 3, Identifying and Classifying Security Threats, details numerous techniques to successfully identify and classify network attacks and outbreaks. Several Cisco platforms provide automatic notification mechanisms that are generally based...

Cisco IOS AutoSecure

Cisco AutoSecure disables the unnecessary global services previously discussed in this chapter. It also enables certain services that help further secure global services that are often necessary. In addition, Cisco AutoSecure hardens administrative access by enabling appropriate security-related logging features. It is recommended in most environments because it implements a range of best practices that help secure any organization. It also reduces the time required to configure each item by...

Configuring IPsec Remote Access VPN

The administrator completes the following steps to configure IPsec remote access VPN on the Cisco ASAs. Step 1: Log in to the Cisco ASA using ASDM. Step 2: On the main menu, choose Wizards. Step 3: Select the IPsec VPN Wizard. Step 4: The IPsec VPN Wizard starts. Specify the tunnel type as shown in Figure 12-60. Figure 12-60 Configuring the Tunnel Type. Step 5: All remote access VPN clients will be connecting to the outside interface. Choose the outside...

Protecting Cisco Unified Communications Manager Express (CME)

As previously discussed in this chapter, the Cisco Unified CME is an entry-level VoIP solution that runs on Cisco IOS Software routers. It is designed for small businesses and autonomous small enterprise branch offices. CME enables you to provide voice, data, and IP telephony services on a single platform. Because it is an integrated solution within Cisco IOS Software routers, all the best practices of router security that you learned in Chapter 2 apply when securing the Cisco Unified CME...

Protecting Against Eavesdropping Attacks

Eavesdropping attacks are also known as phone tapping attacks. The main goal is for an attacker to listen to, copy, or record a conversation. An example of an eavesdropping attack is an incident reported back in 2006. The phones of about 100 Greek politicians and offices (including the U.S. embassy in Athens and the Greek prime minister) were compromised by malicious code embedded in Vodafone mobile phone software. The attackers tapped into their conference call system. Basically, by using...

Proactive Security Framework

Many network security frameworks are in the marketplace, and most of them have the common goal of providing a methodical and efficient approach to network security. No framework is perfect; you should choose an approach that can help reduce the time, cost, and resources needed to plan and deploy your security strategy. This chapter highlights best practices and benefits of different security frameworks. A framework can help you establish a view of your entire security landscape, identify...

Traceback in the Service Provider Environment

For the implementation of traceback techniques to be successful, they must meet the following requirements: they do not violate current protocol semantics and can be successful without changes in the core routing structure; they are difficult for the attacker to detect and can function in a passive mode, without requiring much intervention; they are useful in asymmetric environments; they work through multiple hops, across jurisdictions; and they allow you to generate a good postmortem after an attack has been mitigated. In some...

Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances

The Cisco traffic anomaly detectors and DDoS mitigation appliances provide a new approach that not only detects increasingly complex and unrepresentative denial of service attacks but also mitigates their effect to ensure business continuity and resource availability. The Cisco DDoS solution has two distinct appliances. Cisco Traffic Anomaly Detector (TAD) XT: This solution is also available in the form of two individual modules for the Catalyst 6500 series switches and the Cisco 7600 Internet...

The Importance of Signature Updates

Traditionally, IPS and IDS systems depend on signatures to operate. Because of this, it is extremely important to tune the IPS/IDS device accordingly and to develop policies and procedures to continuously update the signatures. The Cisco IPS software allows you to automatically download signatures from a management station. Signature updates are posted to Cisco.com almost on a weekly basis. In Chapter 2, you learned about the Cisco Security Center (historically named mySDN or my Self Defending...

SYN Cookies in Firewalls and Load Balancers

A commonly used distributed denial of service (DDoS) attack is known as SYN-flooding. In this type of attack, the attacker sends a series of TCP SYN packets that typically originate from spoofed IP addresses. The constant flood of SYN packets can prevent servers within the data center from handling legitimate connection requests. You can use firewalls and security appliances such as the Cisco ASA and the Cisco PIX enabled with the SYN cookies algorithm to combat SYN flood attacks. In large data...

Configuring Site-to-Site VPN

Users at the office in Atlanta need to securely access resources in the Raleigh office. The security administrator configures a site-to-site IPsec tunnel between the Cisco ASA in Raleigh and the Cisco IOS router in Atlanta. The following are the steps that need to be completed to configure the Cisco IOS router in Atlanta to terminate a site-to-site IPsec tunnel with the Cisco ASA in Raleigh. Step 1: Log in to the router using SDM. Step 2: Navigate to Configure > VPN and choose Site-to-Site VPN,...

Locking Down the Cisco IOS Router

The security administrator at Company-A must configure the router appropriately to increase the security of the Atlanta office network. The administrator uses the Security Device Manager (SDM) to configure the router and perform a security audit. Using SDM, the administrator can configure the router quickly using the best practices recommended in Chapter 2, Preparation Phase. You can complete the following steps to perform a security audit and fix any discrepancies found on the Cisco IOS...

Configuring the WLC

Complete the following steps to configure the WLC to use the Cisco Secure ACS server for authentication. Cisco Secure ACS validates the user credentials using the Windows database. (The Cisco Secure ACS server configuration is covered in the next section.) Step 1: Log in to the WLC as an administrator, click the Security tab, and then click New to add a new RADIUS server, as illustrated in Figure 8-9. You will then see the screen shown in Figure 8-10. Figure 8-9 Adding a RADIUS Server to the WLC...

Linux Forensics Tools

Two of the most commonly used Linux forensics tools are Autopsy and the Sleuth Kit. These programs are intuitive and are a compilation of the following. Despite the fact that Autopsy and the Sleuth Kit run on Linux, they support the NTFS, FAT, Ext2/3, and UFS1/2 file systems. You can download Autopsy and the Sleuth Kit free from http://www.sleuthkit.org. Figure 5-2 is a screen shot of Autopsy. Figure 5-2 Autopsy Linux Forensics Tool. Figure 5-2 shows how you...