Note on Hybrid Device Management

Many devices can be managed by CLI or GUI. The Cisco PIX Firewall, for example, has a CLI and an embedded web server that both can be used to make configuration changes to the device. This can be a great benefit to a SECOPS team possessing varying skill levels and tool preferences. Just make sure that changes can be made by both tools without one taking precedence over the other. Some tools, for example, are database driven. Configuration changes are made to the database and then pushed to the...

Worthwhile DDoS Analogy

Because DDoS attacks continue to attract press attention, it is fairly common for people who work in network security to be asked to explain the attack. I've found that this analogy works best. In fact, if you've ever heard me speak at a conference about DDoS, you've most likely heard this explanation already. Where I grew up in the U.S. Midwest, we had a game we occasionally played when we were 11 or 12 years old called knock and run. I've also heard it referred to as ring and run, ding dong,...

A1

2. When evaluating the SYN flood protections required for a server, when might you use SYN cookies and when might you use TCP Intercept? A2: Because security protections are best employed as close to the host as possible, SYN cookies should be preferred in most situations. Use TCP Intercept for systems that do not support SYN cookies. Although it is true that implementing security controls in a central location (such as a firewall) generally offers greater scalability, in this case the feature...

AAA Server Network Resiliency Considerations

Even if your user count and NAS count don't justify more than one AAA server, you might need more than one for network topology reasons. Consider the topology in Figure 9-4. Here you can see a large central office with a smaller regional office and two satellite sales offices. The central office and the regional office operate dial-up and WLAN services, and the sales offices have local WLAN (using AAA for key distribution as discussed in Chapter 11). As shown, there is only one AAA server loca...

AAA Server Scalability

Each AAA vendor has different guidelines and builds in different capabilities for how many NASs and users can be configured on a single AAA server. Your specific deployment will deviate from those guidelines based on the features you use, your own network topology, and any interfaces with external systems (user repositories). The Cisco AAA offering is called the Cisco Secure Access Control Server (ACS). If this is the AAA vendor you elect to use, the following two documents will be of interest: Guidelines for...

Anomaly-Based NIDS

Table 4-22 shows the summary information for anomaly-based NIDS (table entries: network flooding, TCP SYN flood; virus, worm, Trojan). The entire anomaly-based NIDS market has fallen victim to the marketing campaigns of companies trying to position their products. This has happened so much that the term anomaly is more of a buzzword than something with real teeth. Anomaly-based NIDS refers to a NIDS that learns normal behaviors and then logs exceptions. In the long run, this could apply to any type of attack,...

Appliance-Based Network Services

Just about anything these days can be sold as an appliance. The point, from a marketing perspective, is to promote the fact that the system is easy to use and requires little intervention from the operator. Just like your toaster, you just push down the lever and it works. I like the appliance model but offer one caveat. If your appliance is really just a Linux box in a fancy case, you haven't solved your system management problem; you've just hidden it under the covers. Say, for example, you...

Application Firewalls

Similar to inline IDS, though with a slightly different focus, application firewalls are designed to allow forwarding decisions on the payload of a particular protocol. The most actively developed protocol is HTTP, which currently tunnels almost every kind of application across it in an effort to bypass traditional firewalls. Application firewalls would, in theory, allow permitted web traffic to pass while blocking web-based attacks or other applications tunneling over HTTP (when this is a...

Application Flooding

Table 3-20 shows the summary information for the application flooding attack (table entries: authentication flooding, CPU process abuse; render an application or system useless; IDS, log analysis, and application security). Application flooding refers to the range of attacks designed to consume application or system resources. The most common example of this is spam. Although spam is generally not designed to consume resources, it certainly can have this effect on an individual user's or network's mail system....

Application Manipulation

Application manipulation refers to attacks at the application layer that are designed to exploit a flaw in application design or implementation. The most famous application manipulation attack is a buffer overflow attack. A more recent favorite is a web application attack (for example, cross-site scripting and insecure Common Gateway Interface (CGI) scripts). This section examines these two attacks as representative of all application manipulation attacks and the technologies used to detect and prevent...

Application-Based Extranets

In an application-based extranet, the network infrastructure doesn't take part in the security except as is done in traditional e-commerce environments. Transport can be over the Internet at large or over another IP network. Any security is provided by the application hosts using something like SSH or SSL. In this respect, the design is identical to an e-commerce design. Like e-commerce, it can be insourced or outsourced, hosted locally or at a colocation facility. Depending on the sensitivity...

Applied Knowledge Questions

The following questions are designed to test your knowledge of network security practices, and they sometimes build on knowledge found elsewhere in the book. You might find that each question has more than one possible answer. The answers provided in Appendix B are intended to reinforce concepts that you can apply in your own networking environment. 1. GeeWiz.com just released a patented remote process watchdog tool that allows you to govern the processes running on any server in your network....

ARP Considerations

ARP is designed to map IP addresses to MAC addresses. It was also, like most protocols still used in IP networking today, designed at a time when everyone on a network was supposed to be reasonably trustworthy. As a result, the protocol is designed around efficiently executing its task, with no provisions for dealing with malicious use. At a basic level, the protocol works by broadcasting a packet requesting the MAC address that owns a particular IP address. All devices on a LAN will see the...

ARP Redirection Spoofing

Table 3-21 shows the summary information for the ARP redirection spoofing attacks. Table 3-21. ARP Redirection Spoofing (table entries: direct access (local LAN connectivity); redirect outbound network traffic through the attacker's system instead of the default gateway). This attack is most commonly referred to as ARP spoofing. However, in this chapter, it is referred to also as ARP redirection because, in the context of this taxonomy, its primary function is traffic...

Asymmetric Routing and State Aware Security Technology

As networks increase in size, so do the chances that they have asymmetric traffic somewhere within them. Asymmetric traffic is traffic that uses a different path for its return than the original path of the request. The topology in Figure 6-21 shows a representative network with several places where asymmetric traffic can occur. Traffic between the user PC and either the finance server or the WWW server can flow in an asymmetric manner at several points along the network. Between the PC and the...

Attack Example

There are only two possible attacks against the classified side of the network. First, an attacker could somehow gain access to the telco links between the facilities and attempt to decrypt the traffic. This should be practically impossible, assuming appropriately strong crypto functions are used. This attack certainly falls into the elite attacker category discussed in Chapter 3, Secure Networking Threats. Second, an attacker could compromise the physical security of any of the three...

Attack Mitigation

Stopping this attack isn't too difficult, but it isn't quite as simple as flipping a switch. Many switches offer the ability to do something called port security. Port security works by limiting the number of MAC addresses that can communicate on any given port on a switch. For example, say you are running switched Ethernet to the desktop in your environment. Each host has its own connection on the switch. Here, you might configure port security to allow only one MAC address per port. Just to be...

Avoid Security Through Obscurity

When reviewing publications and commentary about security principles, you frequently encounter the postulate "security through obscurity is not security." Although it is said often, it is frequently misunderstood and is used as an excuse or justification for all sorts of security ills. Let's consider a few scenarios to better understand this axiom. Paper currency is the basis for many of our day-to-day transactions, and counterfeiting is an ongoing concern. Nations could rely on restricting access...

Backscatter DDoS Trace Back

This technique was developed by Chris Morrow and Brian Gemberling at UUNET, and it allows a DDoS attack to be stopped and trace back to occur in approximately 10 minutes. The following site provides more information: http://www.secsup.org/Tracking. At a high level, the mitigation technique works by combining aspects of the sinkhole and black hole routing discussed previously. When a system is under attack, the black hole routing technique allows ISP edge routers to route the traffic to null0. This...

Basic PKI

Table 4-5 shows the summary information for basic PKI. PKI is designed as a mechanism to distribute digital certificates that verify the identity of users. Digital certificates are public keys signed by a certificate authority (CA). Certificate authorities validate that a particular digital certificate belongs to a certain individual or organization. At a high level, all a PKI attempts to accomplish is to validate that when Alice and Bob talk to one another, Alice can verify that she is...

Basic Two-Tier E-Mail Design

As shown in Figure 8-1, the standard design uses an internal mail server and an external mail server. This design is most appropriate for midsize organizations based on the amount of server resources utilized. Smaller organizations can use this as well, or they might elect to host their e-mail service at an Internet service provider (ISP). Figure 8-1. Standard Two-Tier E-Mail Design. As shown in this design, Simple Mail Transfer Protocol (SMTP) servers...

Be Aware of Cable Plant Issues

In today's networks, there are two primary cable types: unshielded twisted pair (UTP) category 5 (or higher) and fiber optic. The risk of an attacker accessing your physical cabling is important to consider because that level of access often can bypass other security controls and provide the attacker with easy access to information (provided encryption is not used). UTP cable is very easy to tap, but it was thought years ago that fiber was immune to cable taps. We now know that this is not the...

Be Aware of Physical PC Security Threats

Oftentimes, inexperienced network designers begin with an unacknowledged assumption that all the sensitive data within an organization is contained on servers. In reality, there is sensitive information about my company sitting on the laptop I am using to write this book, as well as on the servers. Like most employees at my company, server resources are used when necessary, but often interesting Several physical security issues manifest when you operate under the preceding assumption. The first...

Best Deployment Practices

Figure 16-1 shows a typical example of cleartext in-band management. A firewall is shown as optional, though some form of L3 filtering should be required if not implemented at the firewall. The filtering should be configured to allow only designated management traffic into the management network (Syslog, SNMP traps, TFTP, and so on). Likewise, the same restrictions should apply from the management network outbound. Traffic can be restricted to required protocols (Telnet, SNMP, HTTP, and so on)....

Best Deployment Uses

OOB management is best used in high-risk networks where insecure management protocols are essential. Internet edge designs are a good place to consider OOB. Within a campus, OOB can be used, but its costs should be considered in comparison to the risk associated with the internal network. Some organizations save money on OOB networks by using a logical separation as opposed to a physical separation. By using a VLAN dedicated to management, the traffic can be separated back to the management...

Black Hole Filtering

Through the clever propagation of static routes in BGP, it is possible to inject a route into the ISP network, causing any traffic destined for the IP that is under attack to be dropped. Traffic is typically routed to null0 (the bit bucket) because this has less CPU impact than dropping the traffic by an ACL (in addition to being much faster to propagate to all ISP routers). Black hole filtering can also be made available to you as an ISP customer if your ISP allows it; see http://www.secsup.org...

Business Priorities Must Come First

A university I once worked with decided it was time to allow the student body and faculty wireless access to the campus network. The convenience of access, cost reduction in wiring buildings, and potential productivity increase were the overarching business drivers for the decision. At first blush, however, the security department was reluctant to proceed. For years, the university did not require students to have accounts to access the network. Rather, authentication was required only when...

Buy a Faster

Although seemingly straightforward, this option is often ignored by organizations that have become comfortable with a particular offering. With advances in hardware inspection for firewalling and NIDS, boxes are available today that far exceed the performance capabilities of a general-purpose PC and operating system (OS). Load-balancing devices are often expensive, and if you need HA, several devices often must be purchased (particularly for the sandwich deployment option described in the next...

CAR Design Considerations

One of the first tasks in successfully configuring CAR is determining what normal traffic loads are. One of the easiest ways to do this is to start your CAR policy by setting your conform action to transmit and your exceed action to transmit. This command for the previous ICMP example looks like this:

Router(config-if)# rate-limit output access-group 102 100000 8000 8000 conform-action transmit exceed-action transmit

In this way, no traffic is dropped, but the CAR process is still running. You can...

Network Security Axioms

This chapter covers the following topics:

Network Security Is a System
Business Priorities Must Come First
Network Security Promotes Good Network Design
Strive for Operational Simplicity
Good Network Security Is Predictable
Avoid Security Through Obscurity
Confidentiality and Security Are Not the Same

"Appear at points which the enemy must hasten to defend; march swiftly to places where you are not expected."

"The U.S. military must adopt a new capabilities-based approach, one that focuses less on who...

Security Policy and Operations Life Cycle

This chapter covers the following topics:

You Can't Buy Network Security
Security System Development and Operations Overview

"A policy is a temporary creed liable to be changed, but while it holds good it has got to be pursued with apostolic zeal." Mohandas K. Gandhi, letter to the general secretary of the Congress Party, India, March 8, 1922

"You do the policy. I'll do the politics." Dan Quayle, U.S. Vice President (1988-1992), remark to aide, quoted in International Herald Tribune, Paris, January...

Cisco-Specific Protocols

Over the years, Cisco Systems has developed a number of proprietary protocols that have been used to perform different functions on an L2 network. Most of these protocols use an IEEE 802.3 frame format with an 802.2 SNAP encapsulation. Most have a Logical Link Control (LLC) of 0xAAAA03 (indicating SNAP) and the Cisco Organizational Unit Identifier (OUI) 0x00000c. The majority use a multicast destination MAC address to communicate. This is generally a variation on 0100.0ccc.cccc. The SNAP protocol...

Classic Dual Router DMZ

As security started to become a problem on the Internet, savvy network administrators migrated to a dual-router system, as shown in Figure 7-4. This is traditionally referred to as a DMZ. Today, many refer to a third segment on a firewall as a DMZ, but this is not strictly correct because the firewall is still protecting the third segment. The main benefit of this design over a single router is that the public servers are separated from the rest of the internal network. A compromise of a server...

Cleartext In-Band

The most insecure management option available today sadly is the management option used by the majority of organizations. All management takes place in-band, meaning the management traffic travels across the same logical links as the production traffic. This is contrasted with out-of-band (OOB), in which a separate logical, and sometimes physical, network is built exclusively for management traffic. Additionally, this management traffic is cleartext, so not only are passwords sent in the clear...

Compliance Checking

Compliance checking is often the most interesting and the most useful exercise in the security operations life cycle. The primary reason is that compliance checking takes policies, standards, and guidelines and puts them to the test against real exploits in the wild today. Compliance checking is the process of ensuring two things:

Your security system is implementing the requirements of your security policies in an effective way.
Your security policies are adequately addressing the threats that...

Confidentiality and Security Are Not the Same

Confidentiality and security are not the same. Here is a working definition of the two terms: Confidentiality is the protection of information to ensure that it is not disclosed to unauthorized audiences. Security is the protection of systems, resources, and information from unintended and unauthorized access or misuse. The difference is clear: security is a superset of confidentiality because it goes beyond protecting information by also protecting system functions and preventing their...

Content Filtering Summary

Table 4-20 shows the summary scores for the content-filtering options. Table 4-20. Content-Filtering Summary. Because the ratings in this chapter are skewed toward threat prevention, the overall ratings for the content filtering technologies are lower than other sections. E-mail filtering has a clear security benefit, as do portions of web filtering (mobile code). Proxy servers perform more as a user control function than they do in a security role, so the...

Core Distribution Access Edge

Most of the network design seen today follows a model of core, distribution, and access. Figure 12-1 shows a basic model of this design when applied to a campus network. The access layer is where most end hosts connect to the network. Typically, it is the wiring closets in a building or on a floor. The access layer has historically been Layer 2 (L2), meaning no routing occurs on the first device to which a PC connects. Over time, more Layer 3 (L3) and higher decisions can be made at the access...

Cost-Benefit Analysis

The security architect must understand the costs associated with security incidents. Chapter 3, Secure Networking Threats, provides details on many types of security incidents. For the purposes of this chapter, security incidents can be divided into two main categories:

Security compromises: Data is modified or learned by the attacker.
Loss of network availability: One or multiple services that the network provides are rendered unavailable as the result of an attack.

An example of security...

Creative VLAN Hopping Attacks

This section is a catchall for various methods to achieve VLAN hopping when trunking is turned off on the port to which the attacker is connected. As these methods are discovered, they tend to be closed by the vendors affected. One tricky attack will take some time to stop on all devices. You might wish to refer to the previous section on 802.1q if you need more information. The attack works by sending frames with two 802.1q tags instead of one. The attack requires the use of two switches, and...

Current Design

The NGRU network is shown in Figure 17-1. Figure 17-1. NetGamesRUs Current Network Design. The NGRU network is currently a flat internal network with a firewall between the internal network and the Internet. As you can see, all public services are in front of the firewall. This was done because NGRU didn't spend the money on a three-interface firewall when it built out the network originally. All public servers, including the gaming servers, are...

DDoS

Table 3-18 shows the summary information for the DDoS attack (table entries: Tribe Flood Network 2000 (TFN2K), Shaft; ability to infect large numbers of systems to build a zombie network; overwhelm the victim's Internet connection; CAR, specific filtering, ISP options (through prearranged agreements)). As the family of attacks that brought down some prominent Internet company websites in 2000, DDoS attacks have a fair degree of notoriety. Before amplification flood attacks (smurf and DDoS, for example), a network...

Decreased Security Alternative

Although it is tough to make this design more secure, it is easy to make it less secure. If you have to start cutting corners, the following list shows which technologies and devices you can consider eliminating first:

2. NIDS on the public server segment

The resulting design is shown in Figure 13-8. Like the small network design, application controls are not affected and the core network design stays the same, just without as many control points. Any further reductions or integrations will...

Deploy Close to the Systems You Are Trying to Protect

This best practice is fairly easy to implement. If you are really concerned about protecting your finance systems and your human resources (HR) systems, you will have better luck deploying a NIDS sensor in each of these networks than deploying one system at a central location that sees traffic to both. Figure 7-14 shows a simplified example of this. In this example, it is preferable to deploy a NIDS sensor at points A and C rather than a single sensor at point B. Certainly, other factors go...

Deployment Best Practices

Some security purists prefer almost no management functions enabled on devices and certainly not SNMP. Although this eliminates some security issues with the management protocols, more security issues are introduced by the organization's inability to monitor and maintain the network. With that in mind, use SNMP where it adds significant value, giving preference to v3 but using v1 or v2c where no secure alternative exists. The following best practices will improve the security of your SNMP use...

Design Choices

A number of factors drive the design. First, it appears that there isn't a lot of concern with internal security. With only 30 employees in one main location, user education and compliance with policies should be fairly straightforward. This allows the nontechnical compliance checks discussed in Chapter 2, Security Policy and Operations Life Cycle, to mitigate the need for technical controls. For example, deploying a set of controls to mitigate DHCP attacks is overkill for 30 trusted employees....

Design Overview

In this design, a standard PC as defined earlier has an IPsec VPN software client installed along with appropriate keying mechanisms (most likely group preshared with OTP using extended authentication (Xauth)). When the system boots, the crypto connections are initiated to the central site as the user requires. Basic web browsing can, and often does, occur without a VPN connection, making securing the host still very critical. When connected to the VPN, most networks opt to prevent split...

DHCP VACLs

Not all switch deployments are able to take advantage of DHCP snooping. A lower-tech solution to this problem can be partially achieved with DHCP VACLs. The VACL can specify which addresses are able to send DHCP replies. These replies will come from the unicast IP address of the DHCP server offering the lease. By filtering these replies by source address, rogue DHCP servers can be properly filtered. Consider the typical DHCP deployment depicted in Figure 6-9. Here, a local LAN is being served by...

Direct Access

Table 3-6 shows the summary information for the direct access attack (table entries: logging on to a server and stealing the /etc/passwd file; unauthorized access to information assets, steal data). Direct access includes an entire range of attacks in which the attacker attempts to gain direct access to network resources. For example, once an attacker finds a way through a firewall, the attacker uses a direct access attack to log on to the systems formerly protected by that firewall. From there, the attacker can...

Disable Unneeded Services

Turn off Domain Name System (DNS) lookups for the router with the following command. Although not security related, this is the first command to type on a fresh router before doing any other configuration (assuming, of course, you don't need domain resolution for a feature you plan to use). Otherwise, be careful to avoid input errors. Typing the command enadle instead of enable will result in a long timeout while the router tries to find host enadle and communicate with it. Disable small services such as...

Distributed AAA Server Synchronization Considerations

Vendors differ in their approach to AAA server synchronization. Some offer a peer-to-peer system, while others operate a master-slave relationship similar to DNS. In either case, the replication of the data on multiple servers is critical. The three factors that impact this replication are as follows:

Replication frequency requirements: Similar to synchronizing with an external database, a AAA might need to replicate data several times a day or perhaps only once a week.
Database size: If you are...

Distributed WAN Considerations

Your network might include international WAN links. If this is the case, you likely have one or two main connections between, for example, the United States and Europe and several WAN connections within the locations to interconnect sites. Assuming the master AAA server is in the United States, the recommended synchronization method for Europe would be to first synchronize from the United States to a primary location in Europe and then from that European server to all other local servers. This allows for...

Domains of Trust

Within all networks, there are devices with differing levels of value and differing levels of attack susceptibility. This concept is discussed in Chapter 2, Security Policy and Operations Life Cycle. By combining these factors, you can start to define the relative attention needed for a given information asset. In a flat network, as shown in Figure 12-7, the security of these assets is left completely up to the applications. As you can see, there is no segmentation except where necessary (WAN...

Domains of Trust and Network Design

Although it is easy to define domains on paper, in your own network you will find that trade-offs must be made. Your network, and its users, very rarely falls into obvious and nonoverlapping categories. In addition, if your network was designed purely from a security standpoint, it might not function very well in terms of performance, application support, and general usability. As an example, consider an access-control-centric design for a campus network, as shown in Figure 12-9. Figure 12-9....

Domains of Trust Recommendations

When creating domains of trust, you should put resources with similar trust, asset value, and attack profile into similar locations on the network. Attack profile includes not only the likelihood of a system being attacked (as discussed in Chapter 2) but also the likelihood of a system attacking someone else. This outbound attack profile can adjust the trust level you have for a domain. For example, a public web server might have a high asset value, a high chance of successfully being attacked,...

Dsniff

Dsniff is a suite of tools released by Dug Song and available at the following URL: http://monkey.org/~dugsong/dsniff. Each element can be used on its own to perform various attacks. The macof tool can do MAC flooding, arpspoof can do ARP redirection and spoofing, and dsniff (the tool) can act as a selective sniffer and pull out important usernames and passwords. Using these tools together with other tools included in the dsniff suite allows an attacker to perpetrate a full MITM attack. Several...

Dynamic Multipoint VPN

In Cisco IOS Release 12.2(13)T, Cisco introduced a new mechanism to establish GRE + IPsec tunnels that uses a protocol called Nonbroadcast Multiaccess (NBMA) Next Hop Resolution Protocol (NHRP). NHRP is described in RFC 2332 and defines an ARP-like functionality for NBMA networks. NHRP allows systems on an NBMA network to learn the addresses of other systems on that same network. In this case, the NBMA network is a multipoint GRE (mGRE) tunnel. In our previous examples, GRE was configured in a...

E-Commerce

E-commerce design is discussed in the section titled Three-Tier Web Design in Chapter 8. Figures 8-8 and 8-9 show these designs using firewalls to act as choke points. Figure 13-13 shows the same design integrated with all the relevant security technology. Figure 13-13. Three-Tier E-Commerce Design. If your application and database layers don't have a clean way to separate, you can optionally use the two-tier design discussed in Chapter 8. This design...

E-Commerce-Specific Filtering

In most designs, the e-commerce portion of an organization's network uses the same bandwidth as the rest of the network. Users, mail servers, and e-commerce transactions all occur over the same WAN link. This is suboptimal for several reasons:

A successful flood attack against your Internet connection will affect both general Internet and e-commerce traffic.
A spike in internal user Internet usage can affect e-commerce availability. Because internal user traffic is so diverse (lots of...

Everything Is a Target

As a designer of secure networks, one of the first things you must consider is the vast interdependency of today's larger networks. The Internet is the best example, but within each organization there exists a microcosm of the Internet. From an attacker's perspective, these interdependencies allow for the attacker's goals to be met in any number of ways. As an example, assume an attacker wants to bring down your website. The following list outlines the attacker's options: Find an application or...

Everything Is a Weapon

One of the biggest reasons everything is a target is because nearly everything can be used as a weapon, and an attacker is motivated to acquire weapons to wield against future targets. So, nearly every successful attack has not only a direct result for the attacker, but an indirect result in that the attacker gains an additional weapon to use against new targets. For example, if an attacker is able to compromise a Dynamic Host Configuration Protocol (DHCP) server, consider the potential next...

Example 3-2 OS Identification Scan on Default Gateway

[tick:/Users/sconvery] sconvery% nmap -O 10.1.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1601 scanned ports on (10.1.1.1) are: closed
Remote OS guesses: Cisco PIX 515 or 525 running 6.2(1), Stratus VOS Release 14.3.1ae
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

It is interesting to note that Nmap reports all ports closed but was still able to correctly...

Example 3-3 Scan of Debian Linux

[tick:/Users/sconvery] sconvery% nmap -O -I -sT 10.1.1.23
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
(The 1588 ports scanned but not shown below are in state: closed)
Remote operating system guess: Linux 2.1.19 - 2.2.20
Uptime 0.242 days (since Tue Jan 7 14:18:08 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 6...

Expected Threats

Table 3-29 in Chapter 3, Secure Networking Threats, is a summarized list of all the basic threats discussed in that chapter. Each threat was weighted in four subjective categories, ease of use (for the attacker) among them. These categories combined to give an overall score for each attack. Based on the overall scores in that chapter, the top five attacks were as follows. As discussed in Chapter 3, the attack list can be tuned to the particular area of the network you are trying to protect. In...

Expressly Permit Implicitly Deny

This concept has been touched on already, but it bears repeating. When you deploy a firewall, defining the traffic types you must permit is a lot more secure than defining the types you think you must deny. Whenever you build an ACL, try to follow this principle. Permit the traffic types you need for your network to function and then deny everything else. Larger organizations might have difficulty defining what is needed, especially if they have been less concerned about security historically.

Figure 10-21 GRE/IPsec with PMTUD

As you can see in Figure 10-21, IPsec transport mode ESP, for example, adds a maximum of 38 bytes t ESP information. Tunnel mode adds a maximum of 58 bytes because of the new IP header. Both of these numbers assume all the security options enabled for IPsec. Therefore, you can optimize y minimize the number of PMTUD rounds you must go through. Simply start your GRE tunnel with a defai transport mode or 1418 for tunnel mode. This ensures that, by the time the packet is fully encrypted, it...

Figure 10-26 Semitrusted IPsec Topology, Integrated Firewall

[Figure labels: IPsec gateway; stateful firewall; ACL: stop all non-IPsec traffic to gateway.]

Figure 10-24 shows the main difference in the semitrusted topology when compared to trusted traffic i firewall after decryption. This allows you to define the applications that can be run by remote IPsec conr way that you can restrict the access for Internet users into your private network...

Figure 10-30 GRE Hub-and-Spoke Design, No HA

Noteworthy differences in the following configurations as compared to basic IPsec are the addition of a routing protocol and the GRE interfaces. IPsec, in this case, can also run in transport mode instead of tunnel mode to reduce the amount of wasted bytes in the headers. As mentioned earlier, certain hardware acceleration devices for IPsec are optimized for tunnel mode, so check for this on your own gear before making your choice. R40 is acting as the head end. R20 and R10 can no longer...

Figure 10-9 IKE Phases and Modes

IKE Phase 1: establish a secure, authenticated IKE SA. Main mode: 6 messages, identity information protected. Aggressive mode: 3 messages, identity information in the clear, no option for DH group negotiation.
IKE Phase 2: exchange the information necessary to create IPsec SAs. Quick mode: 3 messages; establish IPsec SA parameters (ESP, AH, SHA, MD5), SA lifetime, session keys.

Figure 11-12 SSH/SSL Gateway WLAN Design

Figure 11-13. SSH/SSL Application WLAN Design. Use the design in Figure 11-12 when you must support legacy applications without built-in SSH/SSL sup preferred here, but some small devices offer SSH/SSL but not IPsec. The design in Figure 11-13 should Holes can be put in the ACLs on the router to permit access to any number of application servers. The considerations with this design are similar to those for the IPsec design. Some users might be confu...

Figure 11-14 Direct Internet Access WLAN Design

By implementing an IPsec gateway or other security device to provide access to the corporate network, organization's users and guests to both make use of the same network. The same security considerations design apply, only now there is another route out of the network that requires some basic security. Gen appropriate here. Depending on your policy, you can use a dedicated WLAN Internet firewall, as shown can route the traffic through the main corporate firewall. In either case, be sure to...

Figure 11-2 SSL Offload

SSL offload offers some security benefit by allowing NIDS to receive cleartext copies of traffic after it has been decrypted and before it is sent over the SSL tunnel to the server. A NIDS would otherwise see only ciphertext and thus be unable to see any attacks. Care should be taken to ensure that only the NIDS is able to see the cleartext traffic, possibly by sending cleartext traffic to a dedicated interface containing only the NIDS. Otherwise, a compromise of one of the load-balanced...

Figure 11-6 Stick LB NIDS Design

[Figure labels: 10 Gb/s link at 20% utilization; IDS A, IDS B, IDS C, IDS D.]

It should be rare that you employ such a design, primarily because by deploying your NIDS as close to your critical networks as possible, you can lessen the performance requirements. NIDS in a load-balanced design, as shown in Figure 11-6, has a reduced ability to stop attacks because TCP resets sometimes can't be sent back through the load-balancing device. In addition,...

Figure 11-9 Basic IPsec WLAN Design

There are several considerations with this design: Because IPsec is an L3 mechanism, you need IP connectivity before the IPsec tunnel can be establ DHCP server be reachable by the entire network before IPsec establishment. This DHCP server she HIDS, firewalls (network host), and any other mechanism appropriate because it is directly reacha network. Filtering can be enforced either at the first L3 port, the AP, or both to stop traffic types not needed the VPN. The following ACL configuration...

Figure 12-11 Three Domains of Trust

All three domains must be connected to one another. The data center should reach the Internet by way of the campus LAN. Looking at the trust levels of the domains, you see that the Internet is completely untrusted, the campus LAN is fairly trusted, and the data center is highly trusted. When deciding which choke point technology to use, start by considering this delta and then evaluate the direction of the traffic flows. The campus LAN connection to the Internet requires the most security. The...

Figure 12-13 Security System Rough Draft

During this stage, you should consider likely management and deployment problems and network locations that have the greatest security requirements. Try to be as specific and thorough as you can be because errors made at this stage are much easier to fix than errors made after you've deployed. Rather than being a science project design with no real-world applicability, this rough draft should represent what is reasonable and possible given your current network. This is why the previous three...

Figure 12-3 Global WAN

In this case, the core routers have some redundancy to each other and to their distribution layer peers. Redundancy could be added from the access layer devices to the distribution layer by adding more routers or even multiple access layer routers for device redundancy in each location. From the WAN's perspective, each site is at the access layer. From each site's perspective, which might each have a design similar to Figure 12-1, the WAN is at the access layer. Core, distribution, and access...

Figure 12-4 Collapsed Campus Design

In Figure 12-4, you can see there is still a distinct access layer for user connections and edge connectivity, but in the case of the data center devices, the core switch is acting as an access layer for them as well. This design is very common in midsize networks. In even smaller networks (Figure 12-5), all three layers can be collapsed into a single device (sometimes even an L2 switch rather than an L3). Here, only the edge connectivity is separated as an additional layer.

Figure 13-1 Small Network Edge Design

As you can see, the small network edge compresses the essential network security elements into a single security gateway. Dividing functionality into different devices doesn't make financial sense in a network of this size. As a result, careful attention must be paid to the integrity of the gateway's configuration. Manageable systems are a key element in this design because, with as many functions as you will configure on this one device, mistakes are likely.

Figure 13-5 Decreased Security Small Network Design

In this design, the key to remember is sacrifice at the network first, not the applications. Since the number of hosts is small, hardening these systems should be a top priority. For the absolute bare minimum, deploy the design in Figure 13-5 using only application and OS hardening on the hosts. The lone router should be configured with stateless ACLs defining the traffic needed in each direction. For VPN, you might need to resort to older technologies for site-to-site. GRE tunnels (without...

Figure 15-3 Software-Based Teleworker Security Design

Although I connect to my employer's network using a software VPN client or SSH and I dutifully keep my system up-to-date on fixes, I have a large number of IP-connected devices in my home that I don't particularly trust. For example, I have an MP3 appliance with an Ethernet connection and almost no security. As a result, I use a stateful firewall between me and the Internet to prevent the unwashed masses from seeing anything useful through network scanning and attempting to connect to every...

Figure 15-4 Hardware VPN Device Authentication

[Figure dialogue: 1. I would like to use the VPN. 2. What are your credentials?]

This authentication event generally consists of opening a web page on the gateway and often involves the central site as well to prevent the edge devices from needing to maintain user credential information. The authentication event should be protected by SSL or some other secure mechanism and ideally should use OTP. This authentication provides some assurance that the individual...

Figure 16-3 IPsec Management Tunneling Options

[Figure legend: cleartext management traffic; IPsec management tunnel.]

In option 1, the firewall simply passes IPsec traffic between the management host and the managed device. Option 2 lets the management host remain unaware of IPsec and simply communicate directly with the managed devices; the management firewall handles the encrypt and decrypt functions on behalf of the management network. Not only does option 2 ease...

Figure 16-4 Multisite IPsec-Connected Management Networks

[Figure legend: cleartext management traffic; IPsec management tunnel.]

If you are already using IPsec between sites, you can try to take advantage of those tunnels rather than build a separate set just for management. Often, though, it is easier to terminate the management tunnels on the management firewalls directly and have the traffic encrypted twice as it transits to a remote site. This lets the management traffic not care whether the remote site is reachable by leased line, frame relay, or IPsec VPN. Whether to take...

Figure 16-7 Out-of-Band Management with PVLANs and Firewall

The main benefits of an OOB management design are as follows Production traffic is not impacted by management traffic (and vice versa). An attacker on the production network, or accessing the production network, has no ability to access the management network without first compromising a device that is managed OOB, and even then, the only directly reachable IP on the OOB network is the firewall interface. Because of this lack of attacker access, insecure management protocols can be used on the...

Figure 16-9 Hybrid Management Design

Here you can see some cleartext management from the management network, secure management from the management network and the user network, IPsec-tunneled management through the management firewall, and OOB management for the NIDS appliances. This will work fine; the main consideration is the IP ranges you use. Using a separate IP range allows the production devices to filter any OOB traffic very easily. However, you might need the same server in the management network to do both in-band and OOB...

Figure 3-1 Attack Process

[Figure labels: an Attack that exploits a Vulnerability to achieve an Attack Result to fulfill an Objective. Attack results: unauthorized access, information disclosure, theft of service, denial of service.]

The process starts with an attacker. The fact that any attack is launched against a particular target is assumed and not represented in the diagram. The attack is launched by using a specific vulnerability to bring about a specific attack...

Figure 3-11 Smurf Attack

At the bottom of Figure 3-11 you can see the attacker sending an ICMP echo request packet to the broadcast address of the bounce network. The bounce network is not the actual attack target, though it often experiences an indirect denial of service effect as a result. The ICMP packet has a spoofed source address from a device on the victim network (typically a router interface). The smurf attack is a type of amplification attack because when the single spoofed broadcast ping arrives at the...
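The bounce-site structure described above translates directly into a detection rule for your own network. The following Python is an added example written for this page, not code from the book: it flags ICMP echo requests whose destination is the directed-broadcast address (or the legacy all-zeros form) of one of your subnets, groups them by source address (which, in a smurf attack, is the spoofed address of the real victim), and reports the worst-case amplification of the bounce subnet. The flow records and the 192.0.2.0/24 subnet are constructed sample data.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample flow records, not from the page: (src, dst, proto, icmp_type).
SAMPLE_FLOWS = [
    ("198.51.100.1", "192.0.2.255", "icmp", 8),   # echo request to our directed broadcast
    ("198.51.100.1", "192.0.2.255", "icmp", 8),
    ("198.51.100.1", "192.0.2.0", "icmp", 8),     # legacy all-zeros broadcast, still answered by some old stacks
    ("203.0.113.7", "192.0.2.10", "icmp", 8),     # ordinary ping to one host: benign
    ("198.51.100.1", "192.0.2.255", "udp", None), # UDP to broadcast (fraggle variant): not matched here
]

# Our own address space, i.e. the networks that could be used as a bounce site (constructed).
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]


def broadcast_map(subnets) -> Dict[ipaddress.IPv4Address, ipaddress.IPv4Network]:
    """Map every address that acts as a broadcast for one of our subnets back to that subnet."""
    out = {}
    for net in subnets:
        out[net.broadcast_address] = net
        out[net.network_address] = net
    return out


def detect_smurf(flows, subnets) -> List[Tuple[str, str, int, int]]:
    """Return (victim, bounce_subnet, echo_request_count, max_amplification) per spoofed source.

    The victim is the packet's source address: every host on the bounce subnet sends its
    echo reply there. max_amplification is the number of usable host addresses on the
    bounce subnet, i.e. how many replies a single spoofed request can trigger.
    """
    bcast = broadcast_map(subnets)
    hits: Counter = Counter()
    for src, dst, proto, icmp_type in flows:
        if proto != "icmp" or icmp_type != 8:     # only echo requests are bounced
            continue
        d = ipaddress.ip_address(dst)
        if d in bcast:
            hits[(src, bcast[d])] += 1
    return [(victim, str(net), n, max(net.num_addresses - 2, 0))
            for (victim, net), n in hits.items()]


if __name__ == "__main__":
    for victim, net, n, amp in detect_smurf(SAMPLE_FLOWS, LOCAL_SUBNETS):
        print(f"bounce via {net}: {n} echo requests, victim {victim}, up to {amp} replies each")
```

A hit means your network is being used as a bounce site, not that you are the target. The fix on the bounce network is to stop routers from forwarding directed broadcasts (on Cisco IOS, `no ip directed-broadcast` on each interface, the default since IOS 12.0); the example only detects, it does not configure anything.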

Figure 3-13 Transport Redirection

[Figure labels: original traffic; effective connectivity; source: attacker; destination: port 23.]

In the figure, you can see that the attacker is running the transport redirection attack on a compromised host in the public server network. This host is redirecting queries (with Netcat) so that Telnet queries from the Internet are redirected to SSH queries to the internal network. In this way, the attacker is able to take advantage of an existing rule in the firewall to...

Figure 3-5 Ethereal in Action


Figure 3-6 IP Header

No field is particularly hard to spoof. All the attacker needs is access to the raw packet driver on a system (this typically requires root or administrator access), and then the attacker can send a packet with any IP header. Several applications and libraries exist to aid the attacker, or system administrators interested in creating raw packets to test security. Some of the most popular are Libnet and Hping (http://www.hping.org). The impact section of the preceding IP spoofing table...

Figure 3-7 UDP Header

The UDP header is even simpler than the IP header. It contains the port numbers, length field, and an optional checksum. This is why security folks refer to UDP as being easy to spoof. There is no notion of connection associated with the protocol. Any spoof mitigation or security extensions must be handled by the application layer in the UDP payload. Management applications such as Simple Network Management Protocol (SNMP), Syslog, and Trivial File Transfer Protocol (TFTP) use UDP as their...
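The two header descriptions above (IP and UDP) boil down to a few `struct` calls once you have raw-socket access. The following Python is an added example, not code from the book or from Libnet/Hping: it builds a complete IPv4/UDP packet with an arbitrary source address and computes both checksums, including the UDP pseudo-header, so a receiver treats the packet as well formed. The addresses, the syslog port 514 and the payload are constructed sample values; only the final `send_raw` step needs root (or CAP_NET_RAW), and it is never called here.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented (used by IPv4 and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header. The source is whatever the caller says; nothing here validates it."""
    fields = [0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))   # checksum computed with field zeroed
    return struct.pack(IPV4_FMT, *fields)


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header plus payload. The checksum covers a pseudo-header, so it depends on the spoofed source."""
    length = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_UDP, length)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    ck = inet_checksum(pseudo + segment) or 0xFFFF   # 0 means "no checksum" in UDP, so send 0xFFFF instead
    return struct.pack("!HHHH", sport, dport, length, ck) + payload


def build_spoofed_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = build_udp(src, dst, sport, dport, payload)
    return build_ipv4_header(src, dst, socket.IPPROTO_UDP, len(udp)) + udp


def parse_and_verify(packet: bytes):
    """Do what a receiving stack does: return (src, dst, proto, ip_checksum_ok, udp_checksum_ok)."""
    ip = struct.unpack(IPV4_FMT, packet[:20])
    src, dst = socket.inet_ntoa(ip[8]), socket.inet_ntoa(ip[9])
    ip_ok = inet_checksum(packet[:20]) == 0              # a valid header sums to zero
    udp = packet[20:]
    pseudo = struct.pack("!4s4sBBH", ip[8], ip[9], 0, ip[6], len(udp))
    udp_ok = inet_checksum(pseudo + udp) == 0
    return src, dst, ip[6], ip_ok, udp_ok


def send_raw(packet: bytes, dst: str) -> None:
    """Hand the finished packet to the kernel unchanged. Requires root/CAP_NET_RAW; not invoked here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # we supply the IP header ourselves
    try:
        s.sendto(packet, (dst, 0))
    finally:
        s.close()


if __name__ == "__main__":
    pkt = build_spoofed_udp_packet("192.0.2.10", "198.51.100.5", 40000, 514, b"<13>constructed syslog line")
    print(parse_and_verify(pkt))
```

Nothing in the packet ties the source address to the sending host, which is the point the page makes: a syslog or SNMP trap receiver that trusts the source field alone can be fed forged messages by anyone with raw-socket access on any path. RFC 2827 filtering at the network edge (covered later on this page) and application-layer authentication (SNMPv3, syslog over TLS) are the mitigations; checksums only detect corruption, not forgery.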

Figure 3-9 Poor Attacker Position for TCP Spoofing Attack

In this attack scenario, the adversary attempts to appear like a trusted client by interjecting into the conversation after the true client has authenticated. This sort of attack is very difficult if the attacker is unable to see the packets exchanged between client and server. TCP spoofing becomes much more damaging when launched from a location along the path between the true client and the server. A topology for such an attack is shown in Figure 3-10. Figure 3-10. Ideal Attacker Position for...

Figure 6-13 RFC 2827 Filtering

access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 permit ip any any

interface Serial0
 ip access-group 120 in
 ip access-group 130 out

access-list 120 deny ip 192.0.2.0 0.0.0.255 any
access-list 120 permit ip any any
access-list 130 permit ip 192.0.2.0 0.0.0.255 any
access-list 130 deny ip any any

When implementing RFC 2827 filtering in your own network, it is important to push this filtering as close to...
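Both ACL sets above, and the "expressly permit, implicitly deny" principle from earlier on this page, can be checked offline before they go on a router. The following Python is an added example, not code from the book: a small evaluator for IOS-style numbered ACLs that applies first-match semantics with the implicit deny at the end, then runs the RFC 2827 ingress and egress lists plus an expressly-permit list for a public web server against sample packets. The ACL text, the 192.0.2.0/24 block and the host addresses are constructed; the parser understands only `ip`/`tcp`/`udp`/`icmp`, `any`, `host`, contiguous wildcard masks and `eq` destination ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not from the page). 192.0.2.0/24 is the site's own block.
SAMPLE_CONFIG = """
! ACL 120, inbound from the ISP: drop packets that claim to come from our own block (ingress filtering).
access-list 120 deny ip 192.0.2.0 0.0.0.255 any
access-list 120 permit ip any any
! ACL 130, outbound to the ISP: only our own block may leave (RFC 2827 egress filtering).
access-list 130 permit ip 192.0.2.0 0.0.0.255 any
access-list 130 deny ip any any
! ACL 110: expressly permit what the public web server needs; everything else hits the implicit deny.
access-list 110 permit tcp any host 192.0.2.80 eq 80
access-list 110 permit tcp any host 192.0.2.80 eq 443
"""


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # destination port from "eq N", else None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse an IOS address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard: 0 bits must match, 1 bits are don't-care, i.e. the inverse of a netmask.
    # Passing the inverted mask avoids ipaddress treating "0.0.0.0" as a /0 netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[Rule]]:
    """Group 'access-list N ...' lines by ACL number, preserving order (order is the policy)."""
    acls: Dict[str, List[Rule]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue                                   # comments, blank lines, other commands
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
    return acls


def evaluate(rules: List[Rule], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """First matching rule wins, top to bottom; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def demo() -> Dict[str, str]:
    acls = parse_acls(SAMPLE_CONFIG)
    return {
        "spoofed_inbound":  evaluate(acls["120"], "192.0.2.7", "198.51.100.1"),      # our prefix from outside
        "legit_inbound":    evaluate(acls["120"], "203.0.113.9", "192.0.2.80"),
        "legit_outbound":   evaluate(acls["130"], "192.0.2.80", "203.0.113.9"),
        "spoofed_outbound": evaluate(acls["130"], "10.1.1.1", "203.0.113.9"),        # forged source leaving us
        "https_to_web":     evaluate(acls["110"], "203.0.113.9", "192.0.2.80", "tcp", 443),
        "telnet_to_web":    evaluate(acls["110"], "203.0.113.9", "192.0.2.80", "tcp", 23),  # implicit deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

ACL 110 has no `deny` line at all and still drops Telnet, DNS and everything else aimed at the web server: that is the implicit deny doing the work, and it is why "permit what you need, then stop" is safer than enumerating what to block. The evaluator is deliberately strict about syntax it does not know (`range`, `established`, `log`, non-contiguous wildcards) rather than silently misreading a rule.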

Figure 6-18 RIP v2 MD5 Authentication

[Figure labels: RIPv2 authentication header (length = 24) bytes of data; authentication data (variable length, 16 bytes with keyed MD5).]

The configuration for RIPv2 authentication is as follows:

Specify authentication type:
Router(config-if)# ip rip authentication mode {text | md5}
Identify key chain:
Router(config-if)# ip rip authentication key-chain name-of-chain
Define the key chain:
Router(config)# key chain name-of-chain
Specify key number:
Router(config-keychain)# key number
Specify actual key:
Router(config-keychain-key)# key-string text

Figure 6-22 Asymmetric Traffic with Security Devices

Now asymmetric flows really start to cause problems. Again, consider the PC communicating with server WWW. A perfectly reasonable packet flow might have the outgoing connection flow through S4, S1, FW1, Inet_RTR_1, ISP A, and then to server WWW. Along the way, FW1 learns that the PC is trying to communicate with server WWW, and so it adds an entry in its state table to enable the return traffic to flow when it comes back from server WWW. Unfortunately, the return path for the packet from server...

Figure 6-26 E-Commerce-Specific Filtering

[Figure table:]
Source: Attacker or customer; Destination: Public servers; Port: 80, 443; Action: Permit
Source: Attacker (UDP flood DDoS); Destination: Public servers; Action: Deny

Don't think of this as a service-provider-managed firewall; all you are asking your SP to do is implement a basic ACL outbound on your interface. If your BGP router IP is 96.20.20.2, the SP router IP is 96.20.20.1, and your web SSL server is...

Figure 7-11 DMZ Proxy Design

There are two main considerations with this design. First, the firewall is no longer a single accounting control point for Internet access. Because the firewall sees only SOCKS requests, the accounting data from the SOCKS proxy must be combined with the firewall logs to get a true picture of Internet usage. Second, the SOCKS proxy is open to attack in this design. Extra precautions should be taken to protect the SOCKS proxy. This includes diligent host hardening as described in Chapter 5 and...

Figure 7-12 Prefirewall NIDS

The main reason this is a bad placement choice for most organizations is that you wind up being saturated with alarms that might or might not actually get through the firewall. The main benefit of a NIDS in front of a firewall is that you can see who is knocking at your front door. As anyone who's managed an Internet firewall will tell you, the problem with this approach is that nearly everyone is knocking at your front door. Well-staffed SECOPS teams might like to see this traffic as a way of...

Figure 7-13 Postfirewall NIDS

Here you gain two principal benefits over NIDS in front of the firewall. First, attacks detected by the NIDS have already passed through the firewall, making their potential impact, and consequently the degree to which a SECOPS team will want to be made aware of the attack, greater. Second, in the case of the public services segment, a NIDS deployed here is easier to tune because it is dealing with a limited set of hosts and services.