Note from Cisco Systems on the SAFE Blueprint and Network Security Architectures
As Cisco Systems broadened its security product portfolio and started the process of deepening the security services available on its router and switch platforms, the Cisco SAFE Blueprint effort was launched. The goal was to assist network and security architects and implementers by proactively describing security best practices to assist as engineers work to design or augment their networks to address existing and emerging threats. The core of SAFE consists of technical white papers...
Note on Hybrid Device Management
Many devices can be managed by CLI or GUI. The Cisco PIX Firewall, for example, has a CLI and an embedded web server that both can be used to make configuration changes to the device. This can be a great benefit to a SECOPS team possessing varying skill levels and tool preferences. Just make sure that changes can be made by both tools without one taking precedence over the other. Some tools, for example, are database driven. Configuration changes are made to the database and then pushed to the...
Note on Paging
One way to achieve 24*7*365 monitoring is to set up automated management systems that page a SECOPS staff member in the event of a problem. This is a fine middle ground between no monitoring and having a warm body sitting in front of a console 24*7. Adequately tuning this system becomes paramount. Tuning your IDS is very important without automated paging, but it becomes absolutely essential if you might be awakened at 3 A.M. by an IDS alarm. I have some personal experience with this from my...
Worthwhile DDoS Analogy
Because DDoS attacks continue to attract press attention, it is fairly common for people who work in network security to be asked to explain the attack. I've found that this analogy works best. In fact, if you've ever heard me speak at a conference about DDoS, you've most likely heard this explanation already. Where I grew up in the U.S. Midwest, we had a game we occasionally played when we were 11 or 12 years old called knock and run. I've also heard it referred to as ring and run, ding dong,...
A1
2 When evaluating the SYN flood protections required for a server, when might you use SYN cookies and when might you use TCP Intercept A2 Because security protections are best employed as close to the host as possible, SYN cookies should be preferred in most situations. Use TCP Intercept for systems that do not support SYN cookies. Although it is true that implementing security controls in a central location (such as a firewall) generally offers greater scalability, in this case the feature...
AAA Server Network Resiliency Considerations
Even if your user count and NAS count don't justify more than one AAA server, you might need more th network topology reasons. Consider the topology in Figure 9-4. Here you can see a large central office with a smaller regional office and two satellite sales offices. The < office and the regional office operate dial-up and WLAN services, and the sales offices have local WLAN . (using AAA for key distribution as discussed in Chapter 11). As shown, there is only one AAA server loca...
AAA Server Requirements
Many vendors offer AAA solutions to the market. In addition to all the standard vendor selection criteria use, the following considerations will help you select the AAA vendor that is right for you Does the product interface with the systems for which you wish to provide AAA services Does the product scale to meet the needs of the deployment Does the product interface with the database containing user credentials (skip if locally configuring Does the product interface with your OTP vendor If...
AAA Server Scalability
Each AAA vendor has different guidelines and builds in different capabilities for how many NASs and use configured on a single AAA server. Your specific deployment will deviate from those guidelines based on features you use, your own network topology, and any interfaces with external systems (user repository The Cisco AAA offering is called the Cisco Secure Access Control Server (ACS). If this is the AAA vendor elected to use, the following two documents will be of interest Guidelines for...
AAA Server Summary
AAA servers offer a great method of simplifying user and administrator access to network resources. Ev the administrative headaches AAA can have, these headaches usually pale in comparison to not having deployment at all. Maintaining local user repositories on every network resource is no fun, nor is doing the same for administrative users. When I was doing IT for a company several jobs ago, I deployed the identity infrastructure for the organization. This consisted mainly of an X.500-based...
Anomaly Based NIDS
Table 4-22 shows the summary information for anomaly-based NIDS. Network flooding TCP SYN flood Virus worm Trojan The entire anomaly-based NIDS market has fallen victim to the marketing campaigns of companies trying to position their products. This has happened so much that the term anomaly is more of a buzzword than something with real teeth. Anomaly-based NIDS refers to a NIDS that learns normal behaviors and then logs exceptions. In the long run, this could apply to any type of attack,...
Appliance Based Network Services
Just about anything these days can be sold as an appliance. The point, from a marketing perspective, is to promote the fact that the system is easy to use and requires little intervention from the operator. Just like your toaster, you just push down the lever and it works. I like the appliance model but offer one caveat. If your appliance is really just a Linux box in a fancy case, you haven't solved your system management problem you've just hidden it under the covers. Say, for example, you...
Appliance Based Security Devices
Appliance-based security devices were briefly discussed in Chapter 5, Device Hardening. You might wish to refer to the Appliance-Based Network Services section in that chapter to reread the differences between appliance types. To keep things simple, this section divides appliances into two categories General-purpose hardware OS with appliance packaging The next two subsections highlight the differences between the two options.
Application Evaluation
This chapter provides security recommendations for several popular applications. The security of dozens of other applications is described in various books and websites. There are, however, thousands of proprietary, limited-use applications throughout networking, such as a one-off inventory management system or an accounting system tuned specifically for a type of industry. These applications do not generally see broad security review. As a network security professional, you might be called on...
Application Firewalls
Similar to inline IDS, though with a slightly different focus, application firewalls are designed to allow forwarding decisions on the payload of a particular protocol. The most actively developed protocol is HTTP, which currently tunnels almost every kind of application across it in an effort to bypass traditional firewalls. Application firewalls would, in theory, allow permitted web traffic to pass while blocking web-based attacks or other applications tunneling over HTTP (when this is a...
Application Flooding
Table 3-20 shows the summary information for the application flooding attack. Authentication flooding CPU process abuse Render an application or system useless IDS, log analysis, and application security Application flooding refers to the range of attacks designed to consume application or system resources. The most common example of this is spam. Although spam is generally not designed to consume resources, it certainly can have this effect on an individual user's or network's mail system....
Application Manipulation
Application manipulation refers to attacks at the application layer that are designed to exploit a flaw in application design or implementation. The most famous application manipulation attack is a buffer overflow attack. A more recent favorite is a web application attack (for example, cross-site scripting and insecure Common Gateway Interface CGI ). This section examines these two attacks as representative of all application manipulation attacks and the technologies used to detect and prevent...
Application Based Extranets
In an application-based extranet, the network infrastructure doesn't take part in the security except as is done in traditional e-commerce environments. Transport can be over the Internet at large or over another IP network. Any security is provided by the application hosts using something like SSH or SSL. In this respect, the design is identical to an e-commerce design. Like e-commerce, it can be insourced or outsourced, hosted locally or at a collocation facility. Depending on the sensitivity...
Applied Knowledge Questions
The following questions are designed to test your knowledge of network security practices, and they sometimes build on knowledge found elsewhere in the book. You might find that each question has more than one possible answer. The answers provided in Appendix B are intended to reinforce concepts that you can apply in your own networking environment. 1 GeeWiz.com just released a patented remote process watchdog tool that allows you to govern the processes running on any server in your network....
ARP Considerations
ARP is designed to map IP addresses to MAC addresses. It was also, like most protocols still used in IP networking today, designed at a time when everyone on a network was supposed to be reasonably trustworthy. As a result, the protocol is designed around efficiently executing its task, with no provisions for dealing with malicious use. At a basic level, the protocol works by broadcasting a packet requesting MAC address that owns a particular IP address. All devices on a LAN will see the...
ARP Redirection Spoofing
Table 3-21 shows the summary information for the ARP redirection spoofing attacks. Table 3-21. ARP Redirection Spoofing Table 3-21. ARP Redirection Spoofing Direct access (local LAN connectivity) Redirect outbound network traffic through the attacker's system instead of the default gateway This attack is most commonly referred to as ARP spoofing. However, in this chapter, it is referred to also as ARP redirection because, in the context of this taxonomy, its primary function is traffic...
Asymmetric Routing and State Aware Security Technology
As networks increase in size, so do the chances that they have asymmetric traffic somewhere within them. Asymmetric traffic is traffic that uses a different path for its return than the original path of the request. The topology in Figure 6-21 shows a representative network with several places where asymmetric traffic can occur. Traffic between the user PC and either the finance server or the WWW server can flow in an asymmetric manner at several points along the network. Between the PC and the...
Attack Details
Given the previous explanation of how a CAM table works, let's look at how the CAM table design can be 1. An attacker connects to a switch port. 2. The attacker sends a continuous set of frames with random source MAC addresses and random destination MAC addresses. The attacker is really concerned with making sure steps 1 and 2 of the preceding list repeat constantly, each time with a different MAC address. 3. Because CAM tables have limited size, eventually the switch will run out of room and...
Attack Example
There are only two possible attacks against the classified side of the network. First, an attacker could somehow gain access to the telco links between the facilities and attempt to decrypt the traffic. This should be practically impossible, assuming appropriately strong crypto functions are used. This attack certainly falls into the elite attacker category discussed in Chapter 3, Secure Networking Threats. Second, an attacker could compromise the physical security of any of the three...
Attack Mitigation
Stopping this attack isn't too difficult, but it isn't quite as simple as flipping a switch. Many switches offe the ability to do something called port security. Port security works by limiting the number of MAC addresses that can communicate on any given port on a switch. For example, say you are running switched Ethernet to the desktop in your environment. Each host has its own connection on the switch. Here, you might configure port security to allow only one MAC address per port. Just to be...
Attack Response Recommendations
The interesting catch-22 with respect to shunning and resets is that both technologies are designed to make the NIDS better able to automatically stop attacks, but both work only when you monitor the system 24*7, which makes the automation mostly useless. The vast majority of current NIDS deployments don't try to stop attacks, and I agree with this approach. When paired with host IDSs, the attack prevention can be done at the host level, where the ability to determine whether an attack is real...
Attack Results
All attacks have specific attack results that can be categorized as one of five types. The result shown in Figure 3-2 was denial of service. Howard mentions four types of resultsdisclosure of information, corruption of information, denial of service, theft of serviceand, here, we can add a fifth, increased access. The following definitions of the first four types of attack results come straight out of Howard's work. Although the first four definitions provided are from Howard's paper, the...
Authenticator Configuration Switch
Configuration for the authenticator is a matter of enabling the 802.1x functionality for the desired ports defining the communications channel to the authentication server. The following configuration shows a C configuration for the Ethernet switch connecting to a RADIUS AAA server as the authentication server Set RADIUS as the authentication server for dotlx switch-IOS(config) aaa authentication dotlx default group radius Define the radius server parameters (use more than one for critical...
Avoid Security Through Obscurity
When reviewing publications and commentary about security principles, you frequently encounter the postulate security through obscurity is not security. Although it is said often, it is frequently misunderstood and is used as an excuse or justification for all sorts of security ills. Let's consider a few scenarios to better understand this axiom Paper currency is the basis for many of our day-to-day transactions, and counterfeiting is an ongoing concern. Nations could rely on restricting access...
Backscatter DDoS Trace Back
This technique was developed by Chris Morrow and Brian Gemberling at UUNET, and it allows a DDoS attack to be stopped and trace back to occur in approximately 10 minutes. The following site provides more information http www.secsup.org Tracking . At a high level, the mitigation technique works by combining aspects of the sinkhole and black hole routing discussed previously. When a system is under attack, the black hole routing technique allows IS edge routers to route the traffic to null0. This...
Basic AAA Requirements
The first step in designing your AAA solution is determining which network access servers (NASs) will ut service. This should include not only your network infrastructure devices but also applications and netwc services. Although almost any device that has user authentication can be made to query a AAA system, following are the most common clients Firewall user authentication Proxy server user authentication Content-filtering user authentication Network operating system (NOS) authentication...
Basic Foundation Identity Concepts
Almost all network-connected applications support some basic form of identity. Most often this takes the form of a username and a password. By proactively checking for bad passwords, educating users about choosing good passwords, and giving preference to applications with some form of secure transport (for example, Secure Shell SSH ), you can achieve reasonable security for most systems. This chapter discusses more advanced identity systems that usually benefit very specific applications or...
Basic IPsec
Figure 10-29 shows the topology for this design. It is a small, three-site, full mesh IPsec network. Each location houses a 16 IP range in the RFC 1918defined 10.0.0.0 8 network. Traffic from each location's LAN to either of the other two sites' local LAN is encrypted. Figure 10-29. Three-Site, Full Mesh, Basic IPsec Design Figure 10-29. Three-Site, Full Mesh, Basic IPsec Design All intersite routing is static because GRE tunnels are not used. All IPsec traffic is encrypted and authenticated...
Basic PKI
Table 4-5 shows the summary information for basic PKI. PKI is designed as a mechanism to distribute digital certificates that verify the identity of users. Digital certificates are public keys signed by a certificate authority (CA). Certificate authorities validate that a particular digital certificate belongs to a certain individual or organization. At a high level, all a PKI attempts to accomplish is to validate that when Alice and Bob talk to one another, Alice can verify that she is...
Basic Two Tier EMail Design
As shown in Figure 8-1, the standard design uses an internal mail server and an external mail server. This design is most appropriate for midsize organizations based on the amount of server resources utilized. Smaller organizations can use this as well, or they might elect to host their e-mail service at an Internet service provider (ISP). Figure 8-1. Standard Two-Tier E-Mail Design Figure 8-1. Standard Two-Tier E-Mail Design As shown in this design, Simple Mail Transfer Protocol (SMTP) servers...
Basic VLAN Hopping Attack
In the basic VLAN hopping attack, the adversary takes advantage of the default configuration on most switches. As we discussed in the preceding section on DTP, most switch ports default to autotrunking. T means that an attacker that can successfully trick a switch into thinking it is another switch with a need trunk can gain access to all the VLANs allowed on the trunk port. This can be achieved in one of two wa' Spoof the DTP messages from the attacking host to cause the switch to enter...
Bcp
Generally accepted guidelines for the implementation of a specific feature or function on the network. Berkeley Internet Name Domain. The most commonly used Domain Name System (DNS) software. Bridge protocol data unit. A Spanning-Tree Protocol (STP) message unit that describes the attributes of a switch port, such as its Media Access Control (MAC) address, priority, and cost to reach. Cisco Discovery Protocol. Media- and protocol-independent device-discovery protocol that...
Be Aware of Cable Plant Issues
In today's networks, there are two primary cable types unshielded twisted pair (UTP) category 5 (or higher) and fiber optic. The risk of an attacker accessing your physical cabling is important to consider because that level of access often can bypass other security controls and provide the attacker with easy access to information (provided encryption is not used). UTP cable is very easy to tap, but it was thought years ago that fiber was immune to cable taps. We now know that this is not the...
Be Aware of Physical PC Security Threats
Oftentimes, inexperienced network designers begin with an unacknowledged assumption that all the sensitive data within an organization is contained on servers. In reality, there is sensitive information about my company sitting on the laptop I am using to write this book, as well as on the servers. Like most employees at my company, server resources are used when necessary, but often interesting Several physical security issues manifest when you operate under the preceding assumption The first...
Best Deployment Practices
Figure 16-1 shows a typical example of cleartext in-band management. A firewall is shown as optional, though some form of L3 filtering should be required if not implemented at the firewall. The filtering should be configured to allow only designated management traffic into the management network (Syslog, SNMP traps, TFTP, and so on). Likewise, the same restrictions should apply from the management network outbound. Traffic can be restricted to required protocols (Telnet, SNMP, HTTP, and so on)....
Best Deployment Uses
OOB management is best used in high-risk networks where insecure management protocols are essential. Internet edge designs are a good place to consider OOB. Within a campus, OOB can be used, but its costs should be considered in comparison to the risk associated with the internal network. Some organizations save money on OOB networks by using a logical separation as opposed to a physical separation. By using a VLAN dedicated to management, the traffic can be separated back to the management...
Black Hole Filtering
Through the clever propagation of static routes in BGP, it is possible to inject a route into the ISP network, causing any traffic destined for the IP that is under attack to be dropped. Traffic is typically routed to nullO (the bit bucket) because this has less CPU impact than dropping the traffic by an ACL (in addition to being much faster to propagate to all ISP routers). Black hole filtering can also be made available to you as an ISP customer if your ISP allows it see http www.secsup.org...
Block Outbound Public Server Access
This best practice works best in the three-interface firewall design. Many attacks require the victim server to initiate outbound access to the Internet to accomplish any of the following objectives Allow the attacker to download additional tools By using a stateful firewall, it is easy to block this connectivity. Because servers usually respond to requests from users, oftentimes they can be prevented by policy in the firewall from opening new connections. This does not, in most cases, affect...
Branch Versus Head End Design Considerations
If you have two or more locations for your organization, each will have a network edge at the point of connection between them. Often the extent of the security required at remote locations varies with their connectivity choices. The designs presented later in this chapter assume that the location is a head end (also called a central site) with full services required because these are generally more complex designs. The next four sections highlight specific design considerations around branch...
Business Priorities Must Come First
A university I once worked with decided it was time to allow the student body and faculty wireless access to the campus network. The convenience of access, cost reduction in wiring buildings, and potential productivity increase were the overarching business drivers for the decision. At first blush, however, the security department was reluctant to proceed. For years, the university did not require students to have accounts to access the network. Rather, authentication was required only when...
Buy a Faster
Although seemingly straightforward, this option is often ignored by organizations that have become comfortable with a particular offering. With advances in hardware inspection for firewalling and NIDS, boxes are available today that far exceed the performance capabilities of a general-purpose PC and operating system (OS). Load-balancing devices are often expensive, and if you need HA, several devices often must be purchased (particularly for the sandwich deployment option described in the next...
Campus Trust Model
This chapter makes the critical assumption that your campus is semitrusted. This means you assume the individuals that have access to it will generally do the right thing, though an occasional deliberate attack will occur. The majority of threats to the campus are attacks introduced from the edge or introduced inadvertently by a user. For example, if one of your users introduces an insecure wireless LAN access point (WLAN AP), it isn't a deliberate attack. The user is simply trying to get WLAN...
CAR Design Considerations
One of the first tasks in successfully configuring CAR is determining what normal traffic loads are. One c the easiest ways to do this is to start your CAR policy by setting your conform action to transmit and yo exceed action to transmit. This command for the previous ICMP example looks like this Router(config-if) rate-limit output access-group 102 100000 8000 8000 conform-action transmit exceed-action transmit In this way, no traffic is dropped, but the CAR process is still running. You can...
Network Security Axioms
This chapter covers the following topics Network Security Is a System Business Priorities Must Come First Network Security Promotes Good Network Design Strive for Operational Simplicity Good Network Security Is Predictable Avoid Security Through Obscurity Confidentiality and Security Are Not the Same Appear at points which the enemy must hasten to defend march swiftly to places where you are not expected. The U.S. military must adopt a new capabilities-based approachone that focuses less on who...
Psec VPN Design Considerations
This chapter covers the following topics IPsec Modes of Operation and Security Options Site-to-Site Deployment Examples Oh, how much is today hidden by science Oh, how much it is expected to hide Friedrich Nietzsche, The Genealogy of Morals, 1887 Private information is practically the source of every large modern fortune. Virtual private networks (VPNs) are a means to establish a private network over any other network. Typically, the other network is deemed insecure, so traffic sent over it...
Supporting Technology Design Considerations
This chapter covers the following topics Content You know how it always is, every new idea, it takes a generation or two until it becomes obvious that there's no real problem. I cannot define the real problem, but I'm not sure there's no real problem. Richard Feynman, Simulating Physics with Computers, International Journal of Theoretical Physics, 1982 For a successful technology, reality must take precedence over public relations, for nature cannot be fooled. Richard Feynman, report of space...
Designing Your Security System
This chapter covers the following topics Impact of Network Security on the Entire Design Ten Steps to Designing Your Security System The Park Central Park, New York City throughout is a single work of art, and as such subject to the primary law of every work of art, namely, that it shall be framed upon a single, noble motive, to which the design of all its parts, in some more or less subtle way, shall be confluent and helpful. Calvert Vaux, report submitted with Greensward Plan, awarded first...
Edge Security Design
This chapter covers the following topics Network Design Considerations Small Network Edge Security Design Medium Network Edge Security Design High-End Resilient Edge Security Design Provisions for E-Commerce and Extranet Design During my service in the United States Congress, I took the initiative in creating the Internet. Former Vice President Al Gore, CNN interview with Wolf Blitzer, 1999 I think it is very fair to say that the Internet would not be where it is in the United States without...
Secure Network Management and Network Security Management
This chapter covers the following topics Secure Management Design Options Network Security Management Best Practices Things which you do not hope happen more frequently than things which you do hope. Titus Maccius Plautus, Mostellaria, Act I, Sc. iii, l. 40, 259-184 B.C. Anyone can hold the helm when the sea is calm. Publilius Syrus, Maxim 358, first century B.C. In this chapter, you will learn the ins and outs of secure network management and network security management. The first is a way to...
Security Policy and Operations Life Cycle
This chapter covers the following topics You Can't Buy Network Security Security System Development and Operations Overview A policy is a temporary creed liable to be changed, but while it holds good it has got to be pursued with apostolic zeal. Mohandas K. Gandhi, letter to the general secretary of the Congress Party, India, March 8, 1922 You do the policy. I'll do the politics. Dan Quayle, U.S. Vice President (19881992), remark to aide, quoted in International Herald Tribune, Paris, January...
Network Security Platform Options and Best Deployment Practices
This chapter covers the following topics Network Security Platform Options Network Security Device Best Practices But lo men have become the tools of their tools. Henry David Thoreau, Economy, Walden, 1854 All of the books in the world contain no more information than is broadcast as video in a single large American city in a single year. Not all bits have equal value. When preparing to deploy security technology, many decisions must be made. Two of the main ones are deciding which kinds of...
Common Application Design Considerations
This chapter covers the following topics I don't want to insist on it, Dave, but I am incapable of making an error. Arthur C. Clarke, 2001 A Space Odyssey, 1968 The Answer to the Great Question . . . Of Life, the Universe and Everything . . . Is . . . Forty-two. Douglas Adams, The Hitch Hiker's Guide to the Galaxy, 1979 Although this book will certainly not go into great detail on application security, in certain cases application security relies on the network for its overall security...
Cisco Specific Protocols
Over the years, Cisco Systems has developed a number of proprietary protocols that have been used to perform different functions on an L2 network. Most of these protocols use an IEEE 802.3 frame format with an 802.2 SNAP encapsulation. Most have a Logical Link Control (LLC) of 0xAAAA03 (indicating SNA and the Cisco Organizational Unit Identifier (OUI) 0x00000c. The majority use a multicast destination M address to communicate. This is generally a variation on 0100.0ccc.cccc. The SNAP protocol...
Classic Dual Router DMZ
As security started to become a problem on the Internet, savvy network administrators migrated to a dual-router system, as shown in Figure 7-4. This is traditionally referred to as a DMZ. Today, many refer to a third segment on a firewall as a DMZ, but this is not strictly correct because the firewall is still protecting the third segment. The main benefit of this design over a single router is that the public servers are separated from the rest of the internal network. A compromise of a server...
Classified Network
The classified network has stringent expectations placed on it. To recap, all data must be cryptographically protected on the network, and data must reside in one central location rather than being distributed. Doing this properly in a traditional PC-and-server topology is very problematic based on today's technology. Also, the application requirements of the network are limited, making the flexibility of the PC platform not strictly necessary. As a result, diskless terminals are used with all...
Cleartext InBand
The most insecure management option available today sadly is the management option used by the majority of organizations. All management takes place in-band, meaning the management traffic travels across the same logical links as the production traffic. This is contrasted with out-of-band (OOB), in which a separate logical, and sometimes physical, network is built exclusively for management traffic. Additionally, this management traffic is cleartext, so not only are passwords sent in the clear...
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italics indicate arguments for which you supply actual values. Vertical bars...
Commercial OSs and Security Software
People select commercial software for a few main reasons Support Commercial software (open or closed source) almost always comes with support. When you hit a wall in your troubleshooting, it is nice to know a phone number exists that you can use to get help. Open source can offer support by e-mail, but if your firewall is down at 2 00 a.m., you aren't going to have a lot of luck getting an immediate response. Comfort Commercial products often have a level of polish to them. Their management...
Compliance Checking
Compliance checking is often the most interesting and the most useful exercise in the security operations life cycle. The primary reason is that compliance checking takes policies, standards, and guidelines and puts them to the test against real exploits in the wild today. Compliance checking is the process of ensuring two things Your security system is implementing the requirements of your security policies in an effective way. Your security policies are adequately addressing the threats that...
Components of a Hardening Strategy
Device hardening is an inexact science. One administrator's locked-down Linux box is another's security nightmare. Device hardening refers to changing the default posture of a system out of the box to make it more secure. This can have many different meanings and includes everything from disabling unneeded services on a UNIX system to shutting off the physical ports you aren't using on an Ethernet switch. Hardening isn't just a one-time event, but something that must be done on a regular basis...
Confidentiality and Security Are Not the Same
Confidentiality and security are not the same. Here is a working definition of the two terms Confidentiality is the protection of information to ensure that it is not disclosed to unauthorized audiences. Security is the protection of systems, resources, and information from unintended and unauthorized access or misuse. The difference is clear security is a superset of confidentiality because it goes beyond protecting information by also protecting system functions and preventing their...
Configuration Provisioning Tools
To configure the security capabilities of your devices, you need a good tool to minimize the chances of errors and to ensure consistent implementation of security functions across the network. Some of these tools manage the entire configuration on a device others are focused only on the security-specific portions of it. Some are designed to manage a single device others are designed to push configuration changes to hundreds of devices. The Cisco ACL Manager, for example, is focused only on...
Consider Defensein Depth
As discussed in Chapter 1, Network Security Axioms, it is important for your design to have more than one technology, best practice, or other element to mitigate a given threat. These elements should be different in their method of threat mitigation and must stay within the operational management capabilities of your IT staff. There is no sense in having four layers of defense against denial of service (DoS) attacks if your team has trouble maintaining one. The chart in Table 6-1 shows the...
Consider L2 Redundancy as a Workaround
With the careful introduction of L2 redundancy as opposed to L3, technologies such as Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP) can allow traffic to flow through a single location while still providing redundancy. This option works best on high-speed connections where the use of only one path instead of two or more does not affect network performance. The result is that normally asymmetric flows can be made symmetric for short distances in the network, such...
Content Distribution and Routing
Content distribution and routing refers to a broad area of networking concerned with efficient delivery of content to a diverse set of clients. You might have already used such a system when downloading a file or viewing streaming content on the web. Such systems generally work by creating several copies of a given piece of content in different geographic locations. The system determines your location on the network when you make a request and can therefore forward the copy of the content...
Content Filtering Summary
Table 4-20 shows the summary scores for the content-filtering options. Table 4-20. Content-Filtering Summary Table 4-20. Content-Filtering Summary Because the ratings in this chapter are skewed toward threat prevention, the overall ratings for the content filtering technologies are lower than other sections. E-mail filtering has a clear security benefit, as do portions of web filtering (mobile code). Proxy servers perform more as a user control function than they do in a security role, so the...
Control Physical Access to Data Centers
Data-center access can utilize any of the preceding mechanisms in addition to PIN-reader-only access. The important difference with data-center access is that you are often dealing with a smaller set of operators, so issues around key management are somewhat reduced. I once had the pleasure of experiencing a physical security audit by a client who was considering using a facility in one of my previous jobs. Needless to say, it didn't go well. One of the auditors was able to gain access to the...
Core Distribution Access Edge
Most of the network design seen today follows a model of core, distribution, and access. Figure 12-1 shows a basic model of this design when applied to a campus network. The access layer is where most end hosts connect to the network. Typically, it is the wiring closets in a building or on a floor. The access layer has historically been Layer 2 (L2), meaning no routing occurs on the first device to which a PC connects. Over time, more Layer 3 (L3) and higher decisions can be made at the access...
Cost Benefit Analysis
The security architect must understand the costs associated with security incidents. Chapter 3, Secure Networking Threats, provides details on many types of security incidents. For the purposes of this chapter, security incidents can be divided into two main categories Security compromises Data is modified or learned by the attacker. Loss of network availability One or multiple services that the network provides are rendered unavailable as the result of an attack. An example of security...
Creative VLAN Hopping Attacks
This section is a catchall for various methods to achieve VLAN hopping when trunking is turned off on th port to which the attacker is connected. As these methods are discovered, they tend to be closed by the vendors affected. One tricky attack will take some time to stop on all devices. You might wish to refer t( the previous section on 802.1q if you need more information. The attack works by sending frames with two 802.1q tags instead of one. The attack requires the use of two switches, and...
Credits
Acquisitions Editor Production Manager Development Editor Production Technical Editors John Wait John Kane Brett Bartow Anthony Wolfenden Nannette M. Noble Michelle Grandin Patrick Kanouse Grant Munroe Argosy Publishing Qiang Huang, Jeff Recor, Russell Rice, and Roland Saville Tammi Barnett Louisa Adair Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA 800 553-NETS (6387) Fax 408 526-4100 Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam...
Critical System Compromises
Another common attack will be directed against the public services, administrative systems, or other high-profile systems within the university. Attackers could be motivated by nearly anything, including changing their grades Because these systems are far less numerous than the rest of the network, more time can be spent securing these systems and diligently keeping them up-to-date. The firewall, host security controls, and NIDS (where deployed) augment this increased attention from the IT...
Cryptographic Identity Considerations
The decision to deploy a cryptographic identity mechanism rather than a cleartext mechanism should be based on a number of factors Do you need encryption If the application or device must encrypt data (because you are using an insecure transport or for any other reason), you must use a cryptographic mechanism to exchange identity. Internet Key Exchange (IKE) for Internet Protocol Security (IPsec) is a good example. You don't want to exchange encryption keys for data transmission over a link...
Cryptographically Secure InBand Network Layer
As discussed in the previous section, sometimes it is not possible to encrypt all the types of traffic you might want to use for management. Either a secure option is not available (as in Syslog) or a management tool you need does not yet support the secure alternative (as in SNMP). In these cases, an IPsec tunnel (Chapter 10) can be built between the managed device and the management host or, better yet, between the managed device and the management firewall. Figure 16-3 shows the two options.
Current Design
The NGRU network is shown in Figure 17-1. Figure 17-1. NetGamesRUs Current Network Design Figure 17-1. NetGamesRUs Current Network Design The NRGU network is currently a flat internal network with a firewall between the internal network and the Internet. As you can see, all public services are in front of the firewall. This was done because NGRU didn't spend the money on a three-interface firewall when it built out the network originally. All public servers, including the gaming servers, are...
Data Interception
Because most IPT solutions today do not offer strong encryption, data can be easily read off the wire using one of the many attacks discussed in Chapter 4. The general best practices in Chapter 6, particularly for L2 security, can help to reduce this threat. Because the data can be read off of the wire, it can be reassembled into a human-understandable form. A tool has been released on the Internet as a proof of concept for just such an attack. It is called Voice over Misconfigured Internet...
DoS
Table 3-18 shows the summary information for the DDoS attack. Tribe Flood Network 2000 (TFN2K) Shaft Ability to infect large numbers of systems to build a zombie network Overwhelm the victim's Internet connection CAR, specific filtering, ISP options (through prearranged agreements) As the family of attacks that brought down some prominent Internet company websites in 2000, DDoS attacks have a fair degree of notoriety. Before amplification flood attacks (smurf and DDoS, for example), a network...
DoS Infections Attacks
It is quite common for attackers to target university networks to build DDoS networks. Universities often have high-speed connections to the Internet and very little control over all hosts on the network, making them ideal victims for DDoS infection. This is certainly true for UI. Nothing in the proposed design prevents these infections from occurring for hosts not protected by firewalls. Even hosts behind firewalls are vulnerable if there is an exploit available for the application versions...
Decreased Security Alternative
Although it is tough to make this design more secure, it is easy to make it less secure. If you have to start cutting corners, the following list shows which technologies and devices you can consider eliminating first 2. NIDS on the public server segment The resulting design is shown in Figure 13-8. Like the small network design, application controls are not affected and the core network design stays the same, just without as many control points. Any further reductions or integrations will...
Deploy Close to the Systems You Are Trying to Protect
This best practice is fairly easy to implement. If you are really concerned about protecting your finance systems and your human resources (HR) systems, you will have better luck deploying a NIDS sensor in each of these networks than deploying one system at a central location that sees traffic to both. Figure 7-14 shows a simplified example of this. In this example, it is preferable to deploy a NIDS sensor at points A and C rather than a single sensor at point B. Certainly, other factors go...
Deployment Best Practices
As a general rule, use SSH when possible and Telnet when necessary. SSH offers greater functionality a security. Some low-power devices don't have the capability to run SSH or, if they do, the CPU is unduly impacted. When using Telnet or SSH, it is useful to limit access to the Telnet SSH daemon to the IP addresses that need it. The configuration for doing this is shown in Chapter 5. This should be considerec desirable for SSH but required for Telnet with most security policies. The risks of...
Design Choices
A number of factors drive the design. First, it appears that there isn't a lot of concern with internal security. With only 30 employees in one main location, user education and compliance with policies should be fairly straightforward. This allows the nontechnical compliance checks discussed in Chapter 2, Security Policy and Operations Life Cycle, to mitigate the need for technical controls. For example, deploying a set of controls to mitigate DHCP attacks is overkill for 30 trusted employees....
Design Evaluation
You can now evaluate the success of this design against the edge-focused threat list in Table 13-1. If you recall Chapter 12, Designing Your Security System, this step appears a bit out of order because threat evaluation should also occur during the design of the network, not just after. It is presented in this form to ease understanding of the designs and threats. Table 13-2 shows the top 10 attacks from Table 13-1 and shows the security elements used in this design that mitigate these threats...
Design Overview
From a security flow standpoint, the design is very similar to the medium design. The key difference is a completely separate infrastructure for remote access. Separate remote access firewalls, as described in Chapter 10, allow for focused remote access ACLs and tight enforcement of NIDS violations. Other differences include anomaly-based NIDS on the WAN routers, more than one public server segment (to allow for greater segmentation), and routed connections exiting from all modules. These...
Device to Network
Although there are a number of ways to perform device-to-network authentication, it is most easily done at L3. You have two main options IP addresses With properly deployed RFC 2827 filtering, IP addresses can be a basic method of authentication that grows stronger when combined with an authentication key or other higher-layer authentication. Filtering the access of certain IP ranges to the services your network provides is straightforward and ubiquitous in secure networking. It is successfully...
Device Versus User Identity
Central to any design discussion on identity is an understanding of the differences between device and user identity. Device identity is the identity of a network entity. The Media Access Control (MAC) address on an Ethernet card is a form of device identity, albeit a weak one, for the host in which it is installed. Device identity controls can assert the validity of a given device but generally not the individual who is accessing it. That is left to the realm of user identity. User identity is...
DHCP Considerations
Dynamic Host Configuration Protocol (DHCP) allows hosts to request IP addresses from a central server Additional parameters are usually passed as well, including DNS server IP address and the default gateway. Attackers could continue to request IP addresses from a DHCP server by changing their source MA addresses in much the same way as is done in a CAM table flooding attack. A tool to execute such attack is available here http packetstormsecurity.org DoS DHCP Gobbler.tar.gz. If successful, t...
DHCP Snooping
Some Cisco switches offer the ability to suppress certain types of DHCP information on certain ports. Th primary feature enabling this functionality is DHCP snooping. DHCP snooping works by separating truste from untrusted interfaces on a switch. Trusted interfaces are allowed to respond to DHCP requests untrusted interfaces are not. The switch keeps track of the untrusted port's DHCP bindings and rate limi the DHCP messages to a certain speed. The first task in configuring DHCP snooping is to...
Dhcp Vacls
Not all switch deployments are able to take advantage of DHCP snooping. A lower-tech solution to this problem can be partially achieved with DHCP VACLs. The VACL can specify which addresses are able to send DHCP replies. These replies will come from the unicast IP address of the DHCP server offering the lease. By filtering these replies by source address, rogue DHCP servers can be properly filtered. Conside the typical DHCP deployment depicted in Figure 6-9. Here, a local LAN is being served by...
Differentiated Groups WLAN
In some networks, the WLAN network must serve several different functions. It might provide basic resl applications to one group while providing full access to another. This design is discussed in Chapter 9 an differentiation. WLANs generally have no means of differentiating users. Everyone is on the same flat ne differentiation must occur at the application level, not at the network level. By using IPsec, user differentiation becomes easy because specific IPsec access control policies can be a...
Direct Access
Table 3-6 shows the summary information for the direct access attack. Logging on to a server and stealing the etc passwd file Unauthorized access to information assets steal data Direct access includes an entire range of attacks in which the attacker attempts to gain direct access to network resources. For example, once an attacker finds a way through a firewall, the attacker uses a direct access attack to log on to the systems formerly protected by that firewall. From there, the attacker can...
Disable Unneeded Services
Turn off Domain Name System (DNS) lookups for the router with the following command. Although not security related, this is the first command to type on a fresh router before doing any other configuration (assuming, of course, you don't need domain resolution for a feature you plan to use). Otherwise, be ca avoid input errors. Typing the command enadle instead of enable will result in a long timeout while the tries to find host enadle and communicate with it. Disable small services such as...
Distribute the Security Functions
Instead of redesigning the network, you can instead redistribute the security functions among more devices. In the single-firewall example just discussed, perhaps you can perform basic filtering on your WAN router as discussed in Chapter 6. This should stop a portion of the traffic from even reaching the firewall for inspection. In extreme cases, you can move from stateful firewalls to stateless access control lists (ACLs), many of which can be run at line rate (the full capacity of the link)...
Distributed AAA Server Synchronization Considerations
Vendors differ in their approach to AAA server synchronization. Some offer a peer-to-peer system, while operate a master-slave relationship similar to DNS. In either case, the replication of the data on multiple servers is critical. The three factors that impact this replication are as follows Replication frequency requirements Similar to synchronizing with an external database, a AAA might need to replicate data several times a day or perhaps only once a week. Database size If you are...
Distributed WAN Considerations
Your network might include international WAN links. If this is the case, you likely have one or two main connections between, for example, the United States and Europe and several WAN connections within tl locations to interconnect sites. Assuming the master AAA server is in the United States, the recommend synchronization method for Europe would be to first synchronize from the United States to a primary loc Europe and then from that European server to all other local servers. This allows for...
Domains of Trust
Within all networks, there are devices with differing levels of value and differing levels of attack susceptibility. This concept is discussed in Chapter 2, Security Policy and Operations Life Cycle. By combining these factors, you can start to define the relative attention needed for a given information asset. In a flat network, as shown in Figure 12-7, the security of these assets is left completely up to the applications. As you can see, there is no segmentation except where necessary (WAN...
