Note from Cisco Systems on the SAFE Blueprint and Network Security Architectures

As Cisco Systems broadened its security product portfolio and began deepening the security services available on its router and switch platforms, it launched the Cisco SAFE Blueprint effort. The goal was to help network and security architects and implementers by proactively describing security best practices that engineers can apply as they design or augment their networks to address existing and emerging threats. The core of SAFE consists of technical white papers...

Note on Hybrid Device Management

Many devices can be managed by CLI or GUI. The Cisco PIX Firewall, for example, has a CLI and an embedded web server that both can be used to make configuration changes to the device. This can be a great benefit to a SECOPS team possessing varying skill levels and tool preferences. Just make sure that changes can be made by both tools without one taking precedence over the other. Some tools, for example, are database driven. Configuration changes are made to the database and then pushed to the...

Note on Paging

One way to achieve 24*7*365 monitoring is to set up automated management systems that page a SECOPS staff member in the event of a problem. This is a fine middle ground between no monitoring and having a warm body sitting in front of a console 24*7. Adequately tuning this system becomes paramount. Tuning your IDS is very important without automated paging, but it becomes absolutely essential if you might be awakened at 3 A.M. by an IDS alarm. I have some personal experience with this from my...

Worthwhile DDoS Analogy

Because DDoS attacks continue to attract press attention, it is fairly common for people who work in network security to be asked to explain the attack. I've found that this analogy works best. In fact, if you've ever heard me speak at a conference about DDoS, you've most likely heard this explanation already. Where I grew up in the U.S. Midwest, we had a game we occasionally played when we were 11 or 12 years old called knock and run. I've also heard it referred to as ring and run, ding dong,...

A1

2. When evaluating the SYN flood protections required for a server, when might you use SYN cookies and when might you use TCP Intercept?

A2. Because security protections are best employed as close to the host as possible, SYN cookies should be preferred in most situations. Use TCP Intercept for systems that do not support SYN cookies. Although it is true that implementing security controls in a central location (such as a firewall) generally offers greater scalability, in this case the feature...
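
The reason SYN cookies scale without a central device is that the server keeps no state for a half-open connection: everything it needs is encoded in the ISN it sends back. The following Python model (an added example, not from the book or any Cisco implementation) follows the Linux-style construction; the secret, the four-entry MSS table, the 64-second counter and the two-tick validity window are assumptions chosen for the example.

```python
import hashlib
import hmac

# Constructed secret for this example; a real implementation uses random, periodically rotated keys.
SECRET = b"example-syn-cookie-secret"

# Assumptions modeled on the Linux scheme: a 4-entry MSS table whose index rides in the
# cookie's low 24 bits, and a time counter that ticks every 64 seconds.
MSS_TABLE = (536, 1024, 1440, 1460)
COUNTER_PERIOD = 64
MAX_COOKIE_AGE = 2   # ticks; an ACK arriving later than this is rejected
M32 = 0xFFFFFFFF


def _h(saddr, daddr, sport, dport, count):
    """Keyed 32-bit hash over the connection 4-tuple and a counter value."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """ISN for the SYN/ACK. Encodes the counter and MSS index; no queue entry is created."""
    count = (now // COUNTER_PERIOD) & 0xFF
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    low = (_h(saddr, daddr, sport, dport, count) + mss_idx) & 0xFFFFFF
    return (client_isn + _h(saddr, daddr, sport, dport, 0) + (count << 24) + low) & M32


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate a cookie recovered from the final ACK (ack_number - 1). Returns the MSS or None."""
    v = (cookie - client_isn - _h(saddr, daddr, sport, dport, 0)) & M32
    count = v >> 24
    if ((now // COUNTER_PERIOD) - count) & 0xFF >= MAX_COOKIE_AGE:
        return None                       # stale or garbage counter
    mss_idx = (v - _h(saddr, daddr, sport, dport, count)) & 0xFFFFFF
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def handshake(now=1_000_000):
    """Constructed exchange: one real client, a burst of spoofed SYNs, and one forged ACK."""
    srv, cli, client_isn = ("203.0.113.10", 80), ("198.51.100.7", 40000), 0x1234ABCD
    # SYN in: reply with the cookie as our ISN, then forget the connection entirely.
    cookie = make_syn_cookie(cli[0], srv[0], cli[1], srv[1], client_isn, 1460, now)
    # ACK arrives 30 s later carrying ack = cookie + 1 (and seq = client_isn + 1).
    ack_number = (cookie + 1) & M32
    mss = check_syn_cookie(cli[0], srv[0], cli[1], srv[1], client_isn, (ack_number - 1) & M32, now + 30)
    # 5000 spoofed SYNs cost two HMACs each and no memory; a SYN queue would hold 5000 entries.
    spoofed = [make_syn_cookie(f"10.0.{i >> 8}.{i & 255}", srv[0], 1024 + i, 80, i, 1460, now)
               for i in range(5000)]
    # An attacker who never saw the SYN/ACK has to guess the cookie; a wrong guess is rejected.
    forged = check_syn_cookie(cli[0], srv[0], cli[1], srv[1], client_isn, cookie ^ 0x80000000, now)
    return mss, len(spoofed), forged
```

The trade-off the answer alludes to is visible in the code: the server cannot honour TCP options that are not squeezed into the cookie (here only a coarse MSS survives), which is why the host, not a firewall, is the right place to decide whether that loss is acceptable for a given service.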

AAA Server

This server can supply your edge and campus with a centralized identity store for systems that can take advantage of it (WLAN, management, VPN, and so on). (AAA deployments are covered in more detail in Chapter 9.) Any AAA deployment should follow the best practices of any other internal server as previously described. The one key additional security technique configured on the AAA server is as follows: RADIUS/TACACS+. This server provides a central place to store user credentials for use in edge...

AAA Server Network Resiliency Considerations

Even if your user count and NAS count don't justify more than one AAA server, you might need more than one for network topology reasons. Consider the topology in Figure 9-4. Here you can see a large central office with a smaller regional office and two satellite sales offices. The central office and the regional office operate dial-up and WLAN services, and the sales offices have local WLAN (using AAA for key distribution as discussed in Chapter 11). As shown, there is only one AAA server loca...

AAA Server Requirements

Many vendors offer AAA solutions to the market. In addition to all the standard vendor selection criteria you use, the following considerations will help you select the AAA vendor that is right for you: Does the product interface with the systems for which you wish to provide AAA services? Does the product scale to meet the needs of the deployment? Does the product interface with the database containing user credentials (skip if locally configuring)? Does the product interface with your OTP vendor? If...

AAA Server Scalability

Each AAA vendor has different guidelines and builds in different capabilities for how many NASs and users can be configured on a single AAA server. Your specific deployment will deviate from those guidelines based on the features you use, your own network topology, and any interfaces with external systems (user repositories, for example). The Cisco AAA offering is called the Cisco Secure Access Control Server (ACS). If this is the AAA vendor you elected to use, the following two documents will be of interest: Guidelines for...

AAA Server Summary

AAA servers offer a great method of simplifying user and administrator access to network resources. Even with the administrative headaches AAA can have, these headaches usually pale in comparison to not having an AAA deployment at all. Maintaining local user repositories on every network resource is no fun, nor is doing the same for administrative users. When I was doing IT for a company several jobs ago, I deployed the identity infrastructure for the organization. This consisted mainly of an X.500-based...

Access

Figure legend (image not included): Cleartext Management Traffic Flow; Secure Management Tunnel Flow; OOB Management Traffic Flow; Remote Admin VPN Flows.

ACL Options

By default, the last line in an ACL is an implicit deny all. Matches to this implicit entry are not logged, however. If you want to log them, add an explicit entry at the end of the ACL that denies all traffic and logs the violation. It is possible to log permits as well, but this tends just to fill up a syslog server. To drop all traffic and log violations in a standard IP ACL, use the following command: Router(config)# access-list 1 deny any log. For an extended IP ACL, use this command: Router(config)# access-list...
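
To make the difference between the implicit deny and an explicit "deny any log" concrete, here is a small first-match evaluator for standard IP ACL syntax, written in Python as an added example (it is not IOS code and not from the book). The two ACLs, the source addresses and the syslog message text are constructed for the example.

```python
import ipaddress


class StandardAcl:
    """First-match, IOS-style standard ACL with the implicit, unlogged deny at the end."""

    def __init__(self, lines):
        self.entries = [self._parse(line) for line in lines if line.strip()]
        self.syslog = []  # constructed stand-in for the syslog server

    @staticmethod
    def _parse(line):
        # Grammar handled: access-list <n> <permit|deny> <any | host A.B.C.D | A.B.C.D WILDCARD> [log]
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action, rest = tok[2], tok[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest == ["any"]:
            addr, wild = 0, 0xFFFFFFFF
        elif len(rest) == 2 and rest[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        elif len(rest) == 2:
            addr = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1]))  # wildcard mask: 1 bits are "don't care"
        else:
            raise ValueError(f"bad address clause in {line!r}")
        return action, addr, wild, log, line

    def check(self, src_ip):
        """Return (action, logged) for a packet from src_ip, evaluating entries in order."""
        src = int(ipaddress.IPv4Address(src_ip))
        for action, addr, wild, log, line in self.entries:
            care = ~wild & 0xFFFFFFFF
            if (src & care) == (addr & care):
                if log:
                    self.syslog.append(f"list matched {line!r} from {src_ip}")  # constructed message
                return action, log
        return "deny", False  # implicit deny all: the packet is dropped but nothing is logged


# Constructed ACLs: the second adds the explicit logged deny the text recommends.
SILENT_ACL = [
    "access-list 1 permit 10.1.1.0 0.0.0.255",
    "access-list 1 permit host 10.2.2.2",
]
LOGGED_ACL = SILENT_ACL + ["access-list 1 deny any log"]


def compare(src_ip):
    """Evaluate src_ip against both ACLs.
    Returns (silent_result, logged_result, silent_log_count, logged_log_count)."""
    silent, logged = StandardAcl(SILENT_ACL), StandardAcl(LOGGED_ACL)
    return silent.check(src_ip), logged.check(src_ip), len(silent.syslog), len(logged.syslog)
```

A packet from 192.168.9.9 is dropped by both ACLs, but only the second one produces a syslog record of it; that record is what lets an IDS or log-analysis process see the attempt.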

Active Mode

Active mode is the default mode for FTP and the harder of the two modes to pass through a firewall. In this mode, the FTP transfer follows these steps:
1. The client initiates a TCP connection from a random high port to port 21 (FTP command) on the FTP server.
2. When the client is ready to download, it sends the PORT command over this TCP connection, informing the FTP server to which port it should connect on the client machine. This is always a high port above 1023.
3. The server initiates a...

Administrative Networks

The administrative networks follow a design model very similar to the small network campus and edge design in Chapters 13 and 14. A firewall protects the network from the rest of the university network and the Internet at large. Specific access rights are written into the policy to allow the users of these systems to access the applications remotely. Additionally, limited public services can be deployed here using a dedicated interface off of the firewall. This might be most appropriate for the...

Aggressive Mode

Aggressive mode differs from main mode in the number of options available. Certain items such as the Diffie-Hellman (DH) group (more on DH later in this chapter) must be exact matches as opposed to negotiated parameters. In addition, the identity information is sent in the clear. This allows clients in remote user VPNs to use preshared keys with dynamic IP addressing. Authentication options are discussed in the following section. In general, however, you should use main mode whenever possible...

Anomaly Based NIDS

Table 4-22 shows the summary information for anomaly-based NIDS (attacks covered: network flooding, TCP SYN flood, virus/worm/Trojan). The entire anomaly-based NIDS market has fallen victim to the marketing campaigns of companies trying to position their products. This has happened so much that the term anomaly is more of a buzzword than something with real teeth. Anomaly-based NIDS refers to a NIDS that learns normal behaviors and then logs exceptions. In the long run, this could apply to any type of attack,...

Appliance Based Network Services

Just about anything these days can be sold as an appliance. The point, from a marketing perspective, is to promote the fact that the system is easy to use and requires little intervention from the operator. Just like your toaster, you just push down the lever and it works. I like the appliance model but offer one caveat. If your appliance is really just a Linux box in a fancy case, you haven't solved your system management problem; you've just hidden it under the covers. Say, for example, you...

Appliance Based Security Devices

Appliance-based security devices were briefly discussed in Chapter 5, Device Hardening. You might wish to refer to the Appliance-Based Network Services section in that chapter to reread the differences between appliance types. To keep things simple, this section divides appliances into two categories: general-purpose hardware/OS with appliance packaging ... The next two subsections highlight the differences between the two options.

Application Evaluation

This chapter provides security recommendations for several popular applications. The security of dozens of other applications is described in various books and websites. There are, however, thousands of proprietary, limited-use applications throughout networking, such as a one-off inventory management system or an accounting system tuned specifically for a type of industry. These applications do not generally see broad security review. As a network security professional, you might be called on...

Application Firewalls

Similar to inline IDS, though with a slightly different focus, application firewalls are designed to allow forwarding decisions on the payload of a particular protocol. The most actively developed protocol is HTTP, which currently tunnels almost every kind of application across it in an effort to bypass traditional firewalls. Application firewalls would, in theory, allow permitted web traffic to pass while blocking web-based attacks or other applications tunneling over HTTP (when this is a...

Application Flooding

Table 3-20 shows the summary information for the application flooding attack (subtypes: authentication flooding, CPU process abuse; result: render an application or system useless; countermeasures: IDS, log analysis, and application security). Application flooding refers to the range of attacks designed to consume application or system resources. The most common example of this is spam. Although spam is generally not designed to consume resources, it certainly can have this effect on an individual user's or network's mail system....

Application Manipulation

Application manipulation refers to attacks at the application layer that are designed to exploit a flaw in application design or implementation. The most famous application manipulation attack is a buffer overflow attack. A more recent favorite is a web application attack (for example, cross-site scripting and insecure Common Gateway Interface (CGI) scripts). This section examines these two attacks as representative of all application manipulation attacks and the technologies used to detect and prevent...

Application Based Extranets

In an application-based extranet, the network infrastructure doesn't take part in the security except as is done in traditional e-commerce environments. Transport can be over the Internet at large or over another IP network. Any security is provided by the application hosts using something like SSH or SSL. In this respect, the design is identical to an e-commerce design. Like e-commerce, it can be insourced or outsourced, hosted locally or at a collocation facility. Depending on the sensitivity...

Applications

Application security has many of the same security considerations as host security. The most important is keeping your application up-to-date with the latest security fixes. This doesn't always mean buying the latest version of a piece of code. (In fact, sometimes it means sticking with older, stable software.) Just make sure your critical applications are still supported by the developer and that any new security issues that are uncovered will be handled in a timely manner. In addition to...

Applied Knowledge Questions

The following questions are designed to test your knowledge of network security practices, and they sometimes build on knowledge found elsewhere in the book. You might find that each question has more than one possible answer. The answers provided in Appendix B are intended to reinforce concepts that you can apply in your own networking environment. 1 GeeWiz.com just released a patented remote process watchdog tool that allows you to govern the processes running on any server in your network....

ARP Considerations

ARP is designed to map IP addresses to MAC addresses. It was also, like most protocols still used in IP networking today, designed at a time when everyone on a network was supposed to be reasonably trustworthy. As a result, the protocol is designed around efficiently executing its task, with no provisions for dealing with malicious use. At a basic level, the protocol works by broadcasting a packet requesting the MAC address that owns a particular IP address. All devices on a LAN will see the...

ARP Redirection Spoofing

Table 3-21 shows the summary information for the ARP redirection spoofing attack (prerequisite: direct access, that is, local LAN connectivity; result: redirect outbound network traffic through the attacker's system instead of the default gateway). This attack is most commonly referred to as ARP spoofing. However, in this chapter, it is also referred to as ARP redirection because, in the context of this taxonomy, its primary function is traffic...
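
Because ARP carries no authentication, the practical defense on a segment where static entries are impractical is to watch the replies and alarm on the patterns a redirection produces: the gateway's IP suddenly answering from a new MAC, an existing binding flipping, and one MAC claiming several IP addresses (it must claim both the gateway and the victim to sit in the middle). The monitor below is an added Python example, not from the book; the ARP replies, addresses and alert names are constructed.

```python
from collections import defaultdict

# Constructed ARP replies seen on one LAN segment: (seconds, sender_ip, sender_mac, target_ip).
# 10.1.1.1 is the default gateway; aa:bb:cc:dd:ee:ff is the attacker's NIC.
ARP_REPLIES = [
    (0.0, "10.1.1.1", "00:11:22:33:44:01", "10.1.1.20"),
    (1.0, "10.1.1.20", "00:11:22:33:44:20", "10.1.1.1"),
    (2.0, "10.1.1.30", "00:11:22:33:44:30", "10.1.1.1"),
    (5.0, "10.1.1.1", "aa:bb:cc:dd:ee:ff", "10.1.1.20"),   # victim told: the gateway is at the attacker
    (5.1, "10.1.1.20", "aa:bb:cc:dd:ee:ff", "10.1.1.1"),   # gateway told: the victim is at the attacker
    (6.0, "10.1.1.1", "aa:bb:cc:dd:ee:ff", "10.1.1.20"),   # re-poison before the cache entry ages out
]


class ArpWatch:
    """Passive ARP monitor: flags changed IP->MAC bindings, static-binding violations,
    and a single MAC answering for several IP addresses (the man-in-the-middle pattern)."""

    def __init__(self, static_bindings=None):
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.bindings = dict(self.static)          # ip -> mac currently believed
        self.ips_by_mac = defaultdict(set)         # mac -> ips it has claimed
        self.alerts = []

    def observe(self, t, sender_ip, sender_mac, target_ip):
        mac = sender_mac.lower()
        known = self.bindings.get(sender_ip)
        if sender_ip in self.static and mac != self.static[sender_ip]:
            self.alerts.append((t, "STATIC_BINDING_VIOLATION", sender_ip, known, mac))
        elif known is not None and known != mac:
            self.alerts.append((t, "BINDING_CHANGED", sender_ip, known, mac))
            self.bindings[sender_ip] = mac          # follow the flip so a flip back is also reported
        elif known is None:
            self.bindings[sender_ip] = mac
        if sender_ip not in self.ips_by_mac[mac] and self.ips_by_mac[mac]:
            claimed = sorted(self.ips_by_mac[mac] | {sender_ip})
            self.alerts.append((t, "ONE_MAC_MANY_IPS", mac, claimed))
        self.ips_by_mac[mac].add(sender_ip)


def analyze(replies=ARP_REPLIES, gateway=("10.1.1.1", "00:11:22:33:44:01")):
    """Run the monitor over a reply list with the gateway pinned as a static binding."""
    watch = ArpWatch({gateway[0]: gateway[1]})
    for reply in replies:
        watch.observe(*reply)
    return watch.alerts
```

Note that the monitor pins only the gateway; host bindings legitimately change (DHCP, replaced NICs), so a BINDING_CHANGED alert on its own is a lower-confidence signal than the gateway violation or the one-MAC-many-IPs pattern.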

Asymmetric Routing and State Aware Security Technology

As networks increase in size, so do the chances that they have asymmetric traffic somewhere within them. Asymmetric traffic is traffic that uses a different path for its return than the original path of the request. The topology in Figure 6-21 shows a representative network with several places where asymmetric traffic can occur. Traffic between the user PC and either the finance server or the WWW server can flow in an asymmetric manner at several points along the network. Between the PC and the...

Attack Details

Given the previous explanation of how a CAM table works, let's look at how the CAM table design can be abused:
1. An attacker connects to a switch port.
2. The attacker sends a continuous set of frames with random source MAC addresses and random destination MAC addresses. The attacker is really concerned with making sure steps 1 and 2 of the preceding list repeat constantly, each time with a different MAC address.
3. Because CAM tables have limited size, eventually the switch will run out of room and...

Attack Example

Here are some attacks that would be likely against this network and how they might fare DDoS This low-tech attack could certainly cause problems with this network, even with dual Internet connections. NetGamesRUs needs clear policies with its upstream Internet service providers (ISPs) to ensure that any attack is quickly dealt with. The NetFlow data it is analyzing will provide good visibility into these kinds of attacks. Game server attack Any successful attack is going to have to happen over...

Attack Mitigation

Stopping this attack isn't too difficult, but it isn't quite as simple as flipping a switch. Many switches offer the ability to do something called port security. Port security works by limiting the number of MAC addresses that can communicate on any given port on a switch. For example, say you are running switched Ethernet to the desktop in your environment. Each host has its own connection on the switch. Here, you might configure port security to allow only one MAC address per port. Just to be...
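
The two preceding sections (the CAM overflow attack and its mitigation) can be run end to end in a toy switch model. The Python below is an added example, not from the book or any switch vendor: it learns source MACs into a bounded table, floods unknown destinations, and optionally enforces a per-port MAC limit with a "shutdown"-style violation action. Port numbers, the CAM size, the host MACs and the attack volume are constructed for the example.

```python
import random


class Switch:
    """Toy learning switch with a bounded CAM table and optional per-port source-MAC limits."""

    def __init__(self, ports, cam_size, port_security=None):
        self.ports = tuple(ports)
        self.cam_size = cam_size
        self.cam = {}                                    # source MAC -> port it was learned on
        self.max_macs = dict(port_security or {})        # port -> allowed number of source MACs
        self.secure_macs = {p: set() for p in self.max_macs}
        self.err_disabled = set()
        self.egress_frames = {p: 0 for p in self.ports}  # frames sent out of each port

    def receive(self, ingress, src_mac, dst_mac):
        if ingress in self.err_disabled:
            return "dropped"
        if ingress in self.max_macs:
            self.secure_macs[ingress].add(src_mac)
            if len(self.secure_macs[ingress]) > self.max_macs[ingress]:
                self.err_disabled.add(ingress)           # violation mode 'shutdown'
                return "violation"
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = ingress                  # learn; silently fails once the table is full
        out = self.cam.get(dst_mac)
        if out is not None:
            if out != ingress:
                self.egress_frames[out] += 1
            return "unicast"
        for p in self.ports:                             # unknown destination: flood
            if p != ingress and p not in self.err_disabled:
                self.egress_frames[p] += 1
        return "flooded"


def _random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def scenario(port_security=None, attack_frames=5000, seed=7):
    """Attacker on port 3 floods random MACs; then hosts A (port 1) and B (port 2) talk.
    Returns (how A->B was forwarded, frames the attacker's port received,
             whether port 3 was err-disabled, CAM entries in use)."""
    rng = random.Random(seed)
    sw = Switch(ports=(1, 2, 3), cam_size=1000, port_security=port_security)
    host_a, host_b = "00:aa:00:00:00:01", "00:bb:00:00:00:02"
    for _ in range(attack_frames):
        sw.receive(3, _random_mac(rng), _random_mac(rng))
    sw.receive(2, host_b, host_a)           # B sends first; the switch should learn B on port 2
    verdict = sw.receive(1, host_a, host_b)
    return verdict, sw.egress_frames[3], 3 in sw.err_disabled, len(sw.cam)
```

Without port security the attacker fills the table, B cannot be learned, and the A-to-B frame is flooded to the attacker's port; with a one-MAC limit on port 3 the second bogus frame trips the violation, the port is disabled, and the A-to-B frame is switched only to port 2.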

Attack Response Recommendations

The interesting catch-22 with respect to shunning and resets is that both technologies are designed to make the NIDS better able to automatically stop attacks, but both work only when you monitor the system 24*7, which makes the automation mostly useless. The vast majority of current NIDS deployments don't try to stop attacks, and I agree with this approach. When paired with host IDSs, the attack prevention can be done at the host level, where the ability to determine whether an attack is real...

Attack Results

All attacks have specific attack results that can be categorized as one of five types. The result shown in Figure 3-2 was denial of service. Howard mentions four types of results: disclosure of information, corruption of information, denial of service, and theft of service; here, we can add a fifth, increased access. The following definitions of the first four types of attack results come straight out of Howard's work. Although the first four definitions provided are from Howard's paper, the...

Attack Taxonomy

Attack taxonomies are almost always inaccurate in some way. They either create conditions in which attacks exist in more than one category or conditions in which a given attack doesn't have a clear home. Still, they are a necessary exercise for this book. Without a reasonably comprehensive attack taxonomy, security designers have no way of knowing whether their architecture addresses the threats it must. This section covers the main types of attacks against networks and the results they...

Attacker Types

Network attackers have a wide variety of backgrounds, experience levels, and objectives. Any attempt to categorize them can't possibly succeed on all counts. Some categorizations define 26 kinds of attackers, although this does not necessarily help you design your security architecture. To adhere to the persistent theme in this book, the categorization presented here focuses on simplicity and relevance to the network designer. Figure 3-3 shows three types of attackers: script kiddie, cracker, and...

Authentication Methods

Within IKE, there are three main methods of authenticating the remote party. Feel free to read about the third option if you are interested, but the first two make up 99 percent of IPsec deployments. As such, this chapter focuses on them. In addition to these methods, there are two prestandard techniques that aid in remote user VPN authentication, such as Extended Authentication (Xauth). Preshared keys are the simplest form of IPsec peer authentication. In this method, the same key is statically...

Authenticator Configuration Switch

Configuration for the authenticator is a matter of enabling the 802.1x functionality for the desired ports and defining the communications channel to the authentication server. The following configuration shows a Cisco IOS configuration for the Ethernet switch connecting to a RADIUS AAA server as the authentication server. Set RADIUS as the authentication server for dot1x: switch-IOS(config)# aaa authentication dot1x default group radius. Define the RADIUS server parameters (use more than one for critical...

Avoid Security Through Obscurity

When reviewing publications and commentary about security principles, you frequently encounter the postulate security through obscurity is not security. Although it is said often, it is frequently misunderstood and is used as an excuse or justification for all sorts of security ills. Let's consider a few scenarios to better understand this axiom Paper currency is the basis for many of our day-to-day transactions, and counterfeiting is an ongoing concern. Nations could rely on restricting access...

Backscatter DDoS Trace Back

This technique was developed by Chris Morrow and Brian Gemberling at UUNET, and it allows a DDoS attack to be stopped and traced back in approximately 10 minutes. The following site provides more information: http://www.secsup.org/Tracking. At a high level, the mitigation technique works by combining aspects of the sinkhole and black hole routing discussed previously. When a system is under attack, the black hole routing technique allows ISP edge routers to route the traffic to null0. This...

Basic AAA Requirements

The first step in designing your AAA solution is determining which network access servers (NASs) will utilize the service. This should include not only your network infrastructure devices but also applications and network services. Although almost any device that has user authentication can be made to query an AAA system, the following are the most common clients: firewall user authentication, proxy server user authentication, content-filtering user authentication, network operating system (NOS) authentication...

Basic Changes

Because much of the network must stay fairly open, the level of enforcement that the network can provide is limited. The majority of the security concerns falls on the hosts and applications in these designs. The network is not without some impact, though. First, RFC 2827 filtering should be implemented at all L3 edge devices, and bogon filtering should be implemented at the Internet edge (both discussed in Chapter 6). Second, the network devices must be hardened against direct attack using the...

Basic Foundation Identity Concepts

Almost all network-connected applications support some basic form of identity. Most often this takes the form of a username and a password. By proactively checking for bad passwords, educating users about choosing good passwords, and giving preference to applications with some form of secure transport (for example, Secure Shell SSH ), you can achieve reasonable security for most systems. This chapter discusses more advanced identity systems that usually benefit very specific applications or...

Basic IPsec

Figure 10-29 shows the topology for this design. It is a small, three-site, full mesh IPsec network. Each location houses a /16 IP range in the RFC 1918-defined 10.0.0.0/8 network. Traffic from each location's LAN to either of the other two sites' local LAN is encrypted. Figure 10-29. Three-Site, Full Mesh, Basic IPsec Design. All intersite routing is static because GRE tunnels are not used. All IPsec traffic is encrypted and authenticated...

Basic PKI

Table 4-5 shows the summary information for basic PKI. PKI is designed as a mechanism to distribute digital certificates that verify the identity of users. Digital certificates are public keys signed by a certificate authority (CA). Certificate authorities validate that a particular digital certificate belongs to a certain individual or organization. At a high level, all a PKI attempts to accomplish is to validate that when Alice and Bob talk to one another, Alice can verify that she is...

Basic Two Tier EMail Design

As shown in Figure 8-1, the standard design uses an internal mail server and an external mail server. This design is most appropriate for midsize organizations based on the amount of server resources utilized. Smaller organizations can use this as well, or they might elect to host their e-mail service at an Internet service provider (ISP). Figure 8-1. Standard Two-Tier E-Mail Design. As shown in this design, Simple Mail Transfer Protocol (SMTP) servers...

Basic VLAN Hopping Attack

In the basic VLAN hopping attack, the adversary takes advantage of the default configuration on most switches. As we discussed in the preceding section on DTP, most switch ports default to autotrunking. This means that an attacker that can successfully trick a switch into thinking it is another switch with a need to trunk can gain access to all the VLANs allowed on the trunk port. This can be achieved in one of two ways: Spoof the DTP messages from the attacking host to cause the switch to enter...

Bcp

BCP: Best current practice. Generally accepted guidelines for the implementation of a specific feature or function on the network.
BIND: Berkeley Internet Name Domain. The most commonly used Domain Name System (DNS) software.
BPDU: Bridge protocol data unit. A Spanning-Tree Protocol (STP) message unit that describes the attributes of a switch port, such as its Media Access Control (MAC) address, priority, and cost to reach.
CDP: Cisco Discovery Protocol. Media- and protocol-independent device-discovery protocol that...

Be Aware of Cable Plant Issues

In today's networks, there are two primary cable types unshielded twisted pair (UTP) category 5 (or higher) and fiber optic. The risk of an attacker accessing your physical cabling is important to consider because that level of access often can bypass other security controls and provide the attacker with easy access to information (provided encryption is not used). UTP cable is very easy to tap, but it was thought years ago that fiber was immune to cable taps. We now know that this is not the...

Be Aware of Physical PC Security Threats

Oftentimes, inexperienced network designers begin with an unacknowledged assumption that all the sensitive data within an organization is contained on servers. In reality, there is sensitive information about my company sitting on the laptop I am using to write this book, as well as on the servers. Like most employees at my company, server resources are used when necessary, but often interesting ...

Several physical security issues manifest when you operate under the preceding assumption. The first...

Best Deployment Practices

Figure 16-1 shows a typical example of cleartext in-band management. A firewall is shown as optional, though some form of L3 filtering should be required if not implemented at the firewall. The filtering should be configured to allow only designated management traffic into the management network (Syslog, SNMP traps, TFTP, and so on). Likewise, the same restrictions should apply from the management network outbound. Traffic can be restricted to required protocols (Telnet, SNMP, HTTP, and so on)....

Best Deployment Uses

OOB management is best used in high-risk networks where insecure management protocols are essential. Internet edge designs are a good place to consider OOB. Within a campus, OOB can be used, but its costs should be considered in comparison to the risk associated with the internal network. Some organizations save money on OOB networks by using a logical separation as opposed to a physical separation. By using a VLAN dedicated to management, the traffic can be separated back to the management...

Biometrics

Table 4-7 shows the summary information for biometrics. Biometrics incorporates the idea of using something you are as a factor in authentication. It can be combined with something you know or something you have. Biometrics can include voice recognition, fingerprints, facial recognition, and iris scans. In terms of enterprise security, fingerprint recognition systems are the most economical biometric technology. The main benefit of biometrics is that users don't need to remember passwords they...

Black Hole Filtering

Through the clever propagation of static routes in BGP, it is possible to inject a route into the ISP network, causing any traffic destined for the IP that is under attack to be dropped. Traffic is typically routed to null0 (the bit bucket) because this has less CPU impact than dropping the traffic with an ACL (in addition to being much faster to propagate to all ISP routers). Black hole filtering can also be made available to you as an ISP customer if your ISP allows it; see http www.secsup.org...

Block Outbound Public Server Access

This best practice works best in the three-interface firewall design. Many attacks require the victim server to initiate outbound access to the Internet to accomplish any of the following objectives: Allow the attacker to download additional tools ... By using a stateful firewall, it is easy to block this connectivity. Because servers usually respond to requests from users, oftentimes they can be prevented by policy in the firewall from opening new connections. This does not, in most cases, affect...

Branch Versus Head End Design Considerations

If you have two or more locations for your organization, each will have a network edge at the point of connection between them. Often the extent of the security required at remote locations varies with their connectivity choices. The designs presented later in this chapter assume that the location is a head end (also called a central site) with full services required because these are generally more complex designs. The next four sections highlight specific design considerations around branch...

Business Goals

First you must understand the goals of a given organization. If you are designing a secure network for an e-commerce retailer, knowing the company's role and function should put you into a certain frame of mind regarding the systems you will need to employ. For example, a security policy that dictates that, because of their sensitivity, all financial transactions must occur over private networks might be appropriate for a federal bank, but it would spell certain doom for an online retailer....

Business Priorities Must Come First

A university I once worked with decided it was time to allow the student body and faculty wireless access to the campus network. The convenience of access, cost reduction in wiring buildings, and potential productivity increase were the overarching business drivers for the decision. At first blush, however, the security department was reluctant to proceed. For years, the university did not require students to have accounts to access the network. Rather, authentication was required only when...

Buy a Faster

Although seemingly straightforward, this option is often ignored by organizations that have become comfortable with a particular offering. With advances in hardware inspection for firewalling and NIDS, boxes are available today that far exceed the performance capabilities of a general-purpose PC and operating system (OS). Load-balancing devices are often expensive, and if you need HA, several devices often must be purchased (particularly for the sandwich deployment option described in the next...

Campus Security

The following are the security considerations in the campus network: Internal employees are trusted, in addition to being a very small group. Policies were written to encourage strong password selection, antivirus, host patching, and basic hardening, but internal security is left intentionally weak. All devices are stationary, so there is no wireless LAN (WLAN). Physical access to the building is basic lock and key. No inbound access to the campus network should be allowed as a default....

Campus Trust Model

This chapter makes the critical assumption that your campus is semitrusted. This means you assume the individuals that have access to it will generally do the right thing, though an occasional deliberate attack will occur. The majority of threats to the campus are attacks introduced from the edge or introduced inadvertently by a user. For example, if one of your users introduces an insecure wireless LAN access point (WLAN AP), it isn't a deliberate attack. The user is simply trying to get WLAN...

Car

This DDoS mitigation technique is losing favor because more and more attacks fail to be adequately classified by this technology. CAR is a QoS technique that, for the purposes of flooding mitigation, limits traffic matching an extended ACL to a specific rate. For example, you could use CAR to limit the following types of traffic. To understand how CAR works, it is helpful to use a common QoS metaphor. CAR works as a token bucket QoS implementation (see Figure 6-23). Token bucket means traffic...

CAR Design Considerations

One of the first tasks in successfully configuring CAR is determining what normal traffic loads are. One of the easiest ways to do this is to start your CAR policy by setting your conform action to transmit and your exceed action to transmit. This command for the previous ICMP example looks like this: Router(config-if)# rate-limit output access-group 102 100000 8000 8000 conform-action transmit exceed-action transmit. In this way, no traffic is dropped, but the CAR process is still running. You can...
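
The token bucket behind the CAR command in the previous two sections is small enough to model exactly, which is useful for predicting what a given rate and burst will do to a flood before enabling a drop action. The Python below is an added example, not from the book and not IOS code. It models the 100000 bps / 8000-byte burst policy above, first in measurement mode (both actions transmit) and then with the exceed action set to drop, against a constructed 8 Mbps stream of 1000-byte ICMP packets. The model assumes extended burst equals normal burst, as in the command shown; the compounded-debt behaviour IOS applies when the extended burst is larger is not modeled.

```python
class Car:
    """Token bucket modeled on IOS 'rate-limit <bps> <normal-burst> <extended-burst>
    conform-action X exceed-action Y'. Time is in microseconds; the bucket is kept in
    bit-microseconds so refill arithmetic stays exact in integers."""

    ACTIONS = ("transmit", "drop")

    def __init__(self, rate_bps, normal_burst, extended_burst,
                 conform_action="transmit", exceed_action="drop"):
        if extended_burst != normal_burst:
            # Assumption: the compounded-debt algorithm used when extended > normal is not modeled.
            raise NotImplementedError("only extended-burst == normal-burst is modeled")
        if conform_action not in self.ACTIONS or exceed_action not in self.ACTIONS:
            raise ValueError("unknown action")
        self.rate_bps = rate_bps
        self.depth = normal_burst * 8 * 1_000_000      # bucket capacity in bit-microseconds
        self.tokens = self.depth                        # the bucket starts full
        self.last_us = 0
        self.actions = {"conform": conform_action, "exceed": exceed_action}
        self.bytes = {"conform": 0, "exceed": 0, "transmit": 0, "drop": 0}

    def packet(self, t_us, size_bytes):
        """Classify one packet arriving at t_us; returns (classification, action taken)."""
        self.tokens = min(self.depth, self.tokens + (t_us - self.last_us) * self.rate_bps)
        self.last_us = t_us
        cost = size_bytes * 8 * 1_000_000
        if self.tokens >= cost:
            self.tokens -= cost
            cls = "conform"
        else:
            cls = "exceed"                              # no tokens consumed; the bucket keeps refilling
        action = self.actions[cls]
        self.bytes[cls] += size_bytes
        self.bytes[action] += size_bytes
        return cls, action


def icmp_stream(limiter, packets=1000, size=1000, interval_us=1000):
    """Constructed input: 1000-byte ICMP packets every millisecond (8 Mbps) for one second."""
    for i in range(packets):
        limiter.packet(i * interval_us, size)
    return dict(limiter.bytes)


def measure_then_enforce():
    """First pass mirrors 'conform-action transmit exceed-action transmit' (measure only);
    the second pass drops the excess. Returns both byte-count dictionaries."""
    measure = icmp_stream(Car(100000, 8000, 8000, "transmit", "transmit"))
    enforce = icmp_stream(Car(100000, 8000, 8000, "transmit", "drop"))
    return measure, enforce
```

In measurement mode every byte is still transmitted, but the conform/exceed counters already show what the policy would do: the 8000-byte burst admits the first eight packets, after which the 100 kbps refill admits one 1000-byte packet roughly every 80 ms, so about 20 KB of the 1 MB stream conforms. Switching the exceed action to drop turns those counters directly into transmitted and dropped bytes, which is the sanity check to do before enabling the drop in production.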

Caveats

Now that you know what this book is about, I can tell you what it does not include. This book does not cover several important areas of IT security. It is not focused on dissecting attacks and demonstrating the ins and outs of the latest attack tools. It does not focus on each specific feature in security products such as firewalls and antivirus software. It does not describe in detail how to harden popular server operating systems. It is not a configuration guide for Cisco products, even...

CDP

To allow Cisco devices to exchange information about one another's capabilities, Cisco developed the Cisco Discovery Protocol (CDP). CDP uses a destination MAC address of 0100.0ccc.cccc and a SNAP protocol type of 0x2000. By default, most Cisco routers and switches have CDP enabled. CDP information is sent in periodic broadcasts that update each device's local CDP database. Because CDP is an L2-only protocol, it (like any other L2 protocol discussed here) is not propagated by routers. Some of the types of data...

Certificate Authority

In a network of this size, chances are you will need a certificate authority (CA) of some kind to manage the distribution of certificates to devices that need them. Application security and VPN site-to-site devices are the clearest applications. A third-party PKI service could alternatively be used, as discussed in Chapters 4 and 9. Any CA deployment should follow the best practices of any other internal server as previously described. The one additional security technique configured on the CA...

Network Security Axioms

This chapter covers the following topics:

- Network Security Is a System
- Business Priorities Must Come First
- Network Security Promotes Good Network Design
- Strive for Operational Simplicity
- Good Network Security Is Predictable
- Avoid Security Through Obscurity
- Confidentiality and Security Are Not the Same

Appear at points which the enemy must hasten to defend; march swiftly to places where you are not expected.

The U.S. military must adopt a new capabilities-based approach, one that focuses less on who...

IPsec VPN Design Considerations

This chapter covers the following topics:

- IPsec Modes of Operation and Security Options
- Site-to-Site Deployment Examples

Oh, how much is today hidden by science! Oh, how much it is expected to hide!
-- Friedrich Nietzsche, The Genealogy of Morals, 1887

Private information is practically the source of every large modern fortune.

Virtual private networks (VPNs) are a means to establish a private network over any other network. Typically, the other network is deemed insecure, so traffic sent over it...

Supporting Technology Design Considerations

This chapter covers the following topics:

- Content

You know how it always is, every new idea, it takes a generation or two until it becomes obvious that there's no real problem. I cannot define the real problem, but I'm not sure there's no real problem.
-- Richard Feynman, Simulating Physics with Computers, International Journal of Theoretical Physics, 1982

For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.
-- Richard Feynman, report of space...

Designing Your Security System

This chapter covers the following topics:

- Impact of Network Security on the Entire Design
- Ten Steps to Designing Your Security System

The Park (Central Park, New York City) throughout is a single work of art, and as such subject to the primary law of every work of art, namely, that it shall be framed upon a single, noble motive, to which the design of all its parts, in some more or less subtle way, shall be confluent and helpful.
-- Calvert Vaux, report submitted with Greensward Plan, awarded first...

Edge Security Design

This chapter covers the following topics:

- Network Design Considerations
- Small Network Edge Security Design
- Medium Network Edge Security Design
- High-End Resilient Edge Security Design
- Provisions for E-Commerce and Extranet Design

During my service in the United States Congress, I took the initiative in creating the Internet.
-- Former Vice President Al Gore, CNN interview with Wolf Blitzer, 1999

I think it is very fair to say that the Internet would not be where it is in the United States without...

Campus

This chapter covers the following topics:

- Network Design Considerations
- Small Network Campus Security Design
- Medium Network Campus Security Design
- High-End Resilient Campus Security Design

Thrust ivrybody, but cut th' ca-ards.
-- Finley Peter Dunne (Mr. Dooley), Mr. Dooley's Opinions, 1901

Evil will always triumph over good because good is dumb.
-- Mel Brooks, Dark Helmet in Spaceballs, 1987

In Chapter 13, Edge Security Design, you learned about design considerations for edge networks. This included...

Teleworker Security

This chapter covers the following topics:

- Defining the Teleworker Environment
- Network Design Considerations
- Software-Based Teleworker Design
- Hardware-Based Teleworker Design

We find that there are approximately 28 million Americans who are teleworkers that work at home, at a telework center or satellite office, work on the road, or some combination of these.
-- International Telework Association and Council, 2001 Telework America Summary

Work expands so as to fill the time available for its...

Secure Network Management and Network Security Management

This chapter covers the following topics:

- Secure Management Design Options
- Network Security Management Best Practices

Things which you do not hope happen more frequently than things which you do hope.
-- Titus Maccius Plautus, Mostellaria, Act I, Sc. iii, l. 40, 259-184 B.C.

Anyone can hold the helm when the sea is calm.
-- Publilius Syrus, Maxim 358, first century B.C.

In this chapter, you will learn the ins and outs of secure network management and network security management. The first is a way to...

Case Studies

This chapter covers the following topics:

- Black Helicopter Research Limited

Practice is the best of all instructors.
-- Publilius Syrus, Maxim 439, first century B.C.

Knowledge is to be acquired only by a corresponding experience. How can we know what we are told merely? Each man can interpret another's experience only by his own.
-- Henry David Thoreau, A Week on the Concord and Merrimack Rivers, 1849

Conclusions

This chapter covers the following topics:

- Management Problems Will Continue
- Security Will Become Computationally Less Expensive
- Homogeneous and Heterogeneous Networks
- Legislation Should Garner Serious Consideration
- IP Version 6 Changes Things
- Network Security Is a System

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor...

Security Policy and Operations Life Cycle

This chapter covers the following topics:

- You Can't Buy Network Security
- Security System Development and Operations Overview

A policy is a temporary creed liable to be changed, but while it holds good it has got to be pursued with apostolic zeal.
-- Mohandas K. Gandhi, letter to the general secretary of the Congress Party, India, March 8, 1922

You do the policy. I'll do the politics.
-- Dan Quayle, U.S. Vice President (1988-1992), remark to aide, quoted in International Herald Tribune, Paris, January...

Secure Networking

This chapter covers the following topics:

Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success.

That vulnerability is completely theoretical.

As discussed in Chapter 2, Security Policy and Operations Life Cycle, when considering the characteristics of your network security system, you must understand the likely threats your network will encounter. The bulk of the information contained in this chapter...

Network Security

This chapter covers the following topics:

- The Difficulties of Secure Networking
- Emerging Security Technologies

Technology . . . is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.
-- C. P. Snow, New York Times, March 15, 1971

L0pht, making the theoretical practical since 1992.
-- L0pht Heavy Industries

Chapter 3 discussed secure networking threats. This chapter focuses on the broad technologies that can mitigate those threats. The technologies...

Device Hardening

This chapter covers the following topics:

- Components of a Hardening Strategy
- Appliance-Based Network Services

At the stumbling of a horse, the fall of a tile, the slightest pin prick, let us promptly chew on this: Well, what if it were death itself? And thereupon let us stiffen and fortify ourselves.
-- Michel de Montaigne, That to Philosophize Is to Learn to Die, 1580

There is no security for any of us unless there is security for all.
-- Howard Koch, Mission to Moscow, 1943

This chapter defines basic...

General Design

This chapter covers the following topics:

- Layer 2 Security Considerations
- IP Addressing Design Considerations
- Transport Protocol Design Considerations

Many things difficult to design prove easy to performance.
-- Samuel Johnson, Rasselas: The History of Rasselas, Prince of Abissinia, 1759

A good scientist is a person with original ideas. A good engineer is a person who makes a design that works with as few original ideas as possible. There are no prima donnas in engineering.
-- Freeman Dyson, Physicist,...

Network Security Platform Options and Best Deployment Practices

This chapter covers the following topics:

- Network Security Platform Options
- Network Security Device Best Practices

But lo! men have become the tools of their tools.
-- Henry David Thoreau, Economy, Walden, 1854

All of the books in the world contain no more information than is broadcast as video in a single large American city in a single year. Not all bits have equal value.

When preparing to deploy security technology, many decisions must be made. Two of the main ones are deciding which kinds of...

Common Application Design Considerations

This chapter covers the following topics:

I don't want to insist on it, Dave, but I am incapable of making an error.
-- Arthur C. Clarke, 2001: A Space Odyssey, 1968

The Answer to the Great Question . . . Of Life, the Universe and Everything . . . Is . . . Forty-two.
-- Douglas Adams, The Hitch Hiker's Guide to the Galaxy, 1979

Although this book will certainly not go into great detail on application security, in certain cases application security relies on the network for its overall security...

Choke Points

In the previous section, all the L3 interconnections in each design were made by using basic routers. In today's designs, you have L3 switches and firewalls as other potential interconnection points. In addition, technologies such as IPsec, NIDS, and content filtering can help define the boundaries between these domains of trust. The combination of hardware and software that makes up a network transit point between two domains of trust is called a choke point. Deciding which choke point is...

Cisco Specific Protocols

Over the years, Cisco Systems has developed a number of proprietary protocols that have been used to perform different functions on an L2 network. Most of these protocols use an IEEE 802.3 frame format with an 802.2 SNAP encapsulation. Most have a Logical Link Control (LLC) header of 0xAAAA03 (indicating SNAP) and the Cisco Organizational Unit Identifier (OUI) 0x00000c. The majority use a multicast destination MAC address to communicate. This is generally a variation on 0100.0ccc.cccc. The SNAP protocol...

Classic Dual Router DMZ

As security started to become a problem on the Internet, savvy network administrators migrated to a dual-router system, as shown in Figure 7-4. This is traditionally referred to as a DMZ. Today, many refer to a third segment on a firewall as a DMZ, but this is not strictly correct because the firewall is still protecting the third segment. The main benefit of this design over a single router is that the public servers are separated from the rest of the internal network. A compromise of a server...

Classified Areas

The only access point to the classified area of the facility is through zone D. At zone D is a full-time security guard and a number of additional security controls that include the following:

1. All users are required to check all metal objects, pen and paper, cell phones, pagers, and so on in lockers during their time in the classified area.
2. Users then pass through a biometric scan supervised by the security guard.
3. After walking through a metal detector, users then pass through a...

Classified Network

The classified network must be physically secure to prevent any access to the classified network's data. Controls should be put in place to prevent local users from removing data from the systems in any way. This includes removable media, AV recorders, pen and paper, and any form of printer. All data transmitted on the classified network must be cryptographically protected throughout the network. All classified data must be centrally stored and secured in a physically separate area from the...

Cleartext In-Band

The most insecure management option available today sadly is the management option used by the majority of organizations. All management takes place in-band, meaning the management traffic travels across the same logical links as the production traffic. This is contrasted with out-of-band (OOB), in which a separate logical, and sometimes physical, network is built exclusively for management traffic. Additionally, this management traffic is cleartext, so not only are passwords sent in the clear...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italics indicate arguments for which you supply actual values.
- Vertical bars...

Commercial OSs and Security Software

People select commercial software for a few main reasons:

Support. Commercial software (open or closed source) almost always comes with support. When you hit a wall in your troubleshooting, it is nice to know a phone number exists that you can use to get help. Open source can offer support by e-mail, but if your firewall is down at 2:00 a.m., you aren't going to have a lot of luck getting an immediate response.

Comfort. Commercial products often have a level of polish to them. Their management...

Compliance Checking

Compliance checking is often the most interesting and the most useful exercise in the security operations life cycle. The primary reason is that compliance checking takes policies, standards, and guidelines and puts them to the test against real exploits in the wild today. Compliance checking is the process of ensuring two things:

- Your security system is implementing the requirements of your security policies in an effective way.
- Your security policies are adequately addressing the threats that...

Components of a Hardening Strategy

Device hardening is an inexact science. One administrator's locked-down Linux box is another's security nightmare. Device hardening refers to changing the default posture of a system out of the box to make it more secure. This can have many different meanings and includes everything from disabling unneeded services on a UNIX system to shutting off the physical ports you aren't using on an Ethernet switch. Hardening isn't just a one-time event, but something that must be done on a regular basis...

Confidentiality and Security Are Not the Same

Confidentiality and security are not the same. Here is a working definition of the two terms:

- Confidentiality is the protection of information to ensure that it is not disclosed to unauthorized audiences.
- Security is the protection of systems, resources, and information from unintended and unauthorized access or misuse.

The difference is clear: security is a superset of confidentiality because it goes beyond protecting information by also protecting system functions and preventing their...

Configuration Provisioning Tools

To configure the security capabilities of your devices, you need a good tool to minimize the chances of errors and to ensure consistent implementation of security functions across the network. Some of these tools manage the entire configuration on a device; others are focused only on the security-specific portions of it. Some are designed to manage a single device; others are designed to push configuration changes to hundreds of devices. The Cisco ACL Manager, for example, is focused only on...

Cons

The aforementioned flexibility benefit comes with a price. From a management standpoint, you are responsible for managing two systems: the security software and the OS and hardware that it runs on. This has implications not just in the initial staging of the system but also in its ongoing management. Someone managing a firewall running on a Windows system must manage the OS (patches, logs, and so forth) in addition to performing the same tasks for the firewall software. This increases the skill...

Consider Defense in Depth

As discussed in Chapter 1, Network Security Axioms, it is important for your design to have more than one technology, best practice, or other element to mitigate a given threat. These elements should be different in their method of threat mitigation and must stay within the operational management capabilities of your IT staff. There is no sense in having four layers of defense against denial of service (DoS) attacks if your team has trouble maintaining one. The chart in Table 6-1 shows the...

Consider L2 Redundancy as a Workaround

With the careful introduction of L2 redundancy as opposed to L3, technologies such as Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP) can allow traffic to flow through a single location while still providing redundancy. This option works best on high-speed connections where the use of only one path instead of two or more does not affect network performance. The result is that normally asymmetric flows can be made symmetric for short distances in the network, such...

Content Distribution and Routing

Content distribution and routing refers to a broad area of networking concerned with efficient delivery of content to a diverse set of clients. You might have already used such a system when downloading a file or viewing streaming content on the web. Such systems generally work by creating several copies of a given piece of content in different geographic locations. The system determines your location on the network when you make a request and can therefore forward the copy of the content...

Content Filtering Summary

Table 4-20 shows the summary scores for the content-filtering options.

Table 4-20. Content-Filtering Summary

Because the ratings in this chapter are skewed toward threat prevention, the overall ratings for the content filtering technologies are lower than other sections. E-mail filtering has a clear security benefit, as do portions of web filtering (mobile code). Proxy servers perform more as a user control function than they do in a security role, so the...

Control Physical Access to Data Centers

Data-center access can utilize any of the preceding mechanisms in addition to PIN-reader-only access. The important difference with data-center access is that you are often dealing with a smaller set of operators, so issues around key management are somewhat reduced. I once had the pleasure of experiencing a physical security audit by a client who was considering using a facility in one of my previous jobs. Needless to say, it didn't go well. One of the auditors was able to gain access to the...