Building Cisco IPsec VPNs

Cisco PIX 500 Series Security Appliances: enhance your existing Cisco PIX Security Appliance with the VPN remote-access solution; the security organization owns the VPN solution.
Cisco ASA 5500 Series Adaptive Security Appliances: the security organization owns the VPN solution.

Three product groups support VPN technology and are shown in the left column of the table in the figure. The top row of the matrix shows the two VPN applications. You can select the most appropriate Cisco product for your application...

Introducing IDS and IPS

Distract and confuse attackers. Slow down and avert attacks. Traffic profile must be constant.

Q3) Which responses are the correct Cisco IOS IPS software-based IPS sensor attack responses? (Source: Introducing IDS and IPS)
B) Deny Inline, Deny TCP Promiscuous, Deny UDP Inline
C) Drop, Deny Attacker Inline, Deny Flow Inline

5-86 Securing Cisco Network Devices (SND) v2.0 2006 Cisco Systems, Inc.

Q4) Which attack response creates an ACL that denies all traffic from the IP address source of the attack...

Symmetric vs Asymmetric Encryption Algorithms

This topic explains the difference between symmetric and asymmetric encryption algorithms and how each works. The figure shows the differences between symmetric and asymmetric encryption. In symmetric encryption, the sender and the receiver use the same secret key to encrypt and decrypt the message. The weakness of symmetric encryption is the secret key itself: any user who obtains the secret key can decrypt the messages. In asymmetric encryption, one key is used for encryption and another key is...

ARP Spoofing Maninthe Middle Attacks

Figure: Legitimate ARP reply 10.1.1.1 MAC B.B.B.B; 3. Subsequent gratuitous ARP replies overwrite legitimate replies.

ARP spoofing attacks, or ARP cache poisoning, occur because ARP accepts a gratuitous reply from a host even when no ARP request was sent. After the attack, all traffic from the device under attack flows through the attacker computer and then on to the router, switch, or host. An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the...

VPN Product Placement

Cisco IOS routers: leverage existing infrastructure; broad choice of interfaces; feature-rich Cisco IOS software (routing, QoS, and so on).
Cisco PIX 500 Series Security Appliances: purpose-built application inspection firewall; clear demarcation between security and network operation.
Cisco ASA 5500 Series Security Appliances: all-in-one security appliance; IPsec and SSL VPN capabilities.
Cisco VPN 3000 Series Concentrators: feature-rich remote-access platform; IPsec and SSL VPN capabilities; no individual feature licensing.

This figure shows the product...

Module Summary

IDS technology is passive: it monitors the network for suspicious activity and parses system log files. IPS technology is reactive: it can forward or drop packets based on what it detects. Use the Cisco SDM to configure Cisco IOS IPS on Cisco network routers. Cisco IPS sensor platforms are used together to provide intrusion protection. Cisco IOS IPS is used in combination with the Cisco IDS, Cisco IOS Firewall, VPN, and NAC products. It provides superior threat protection at all...

Editing Firewall Policies and ACLs

Even experienced administrators find configuring firewall policies to be a grueling and tedious task. The key advantage of Cisco SDM is its GUI for setting up firewall policies and associated access control lists (ACLs). You have already learned how to edit firewall policies. This topic explains how to use the ACL editor to customize default ACL settings. The firewall and ACL policy editor is a powerful tool. The Edit Firewall Policy ACL screen gives a high-level view of each policy based on...

Dynamic or Stateful Packet Filtering Firewalls

This topic explains how dynamic or stateful inspection packet filtering provides improved network security and performance. Stateful packet filters, or stateful firewalls, are the most versatile and therefore the most common firewall technologies in use. Stateful filtering provides dynamic packet filtering capabilities to firewalls. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in...

Student Guide

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel 408 526-4000 / 800 553-NETS (6387), Fax 408 526-4100
Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel 31 0 20 357 1000, Fax 31 0 20 357 1100
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel 408 526-7660, Fax 408 527-0883
www.cisco.com, Tel +65 6317 7777, Fax +65 6317 7799
Cisco Systems, Inc. 168...

Normal traffic or a benign action does not cause an alarm

The ability of IDS and IPS sensors to accurately detect an attack or a policy violation and generate an alarm is critical to the functionality of the sensors. Attacks can generate these types of alarms:

False positive: A false positive is an alarm triggered by normal traffic or a benign action. Consider this scenario: a signature exists that generates alarms if the enable password of any network device is entered incorrectly. A network administrator attempts to log in to a Cisco router but enters...

Cisco NIPS Deployment

The figure shows a typical network IPS deployment. The key difference between this Network IPS deployment example and the previous HIPS deployment example is that there are no CSA agents on the various platforms. In this topology, the network IPS sensors are deployed at network entry points that protect critical network segments. The network segments have internal and external corporate resources. The sensors report to a central management and monitoring server located inside the corporate...

Supported Signature Micro Engines

Atomic engines: signatures that examine simple packets, such as ICMP and UDP.
Service engines: signatures that examine the many services that are attacked.
String engines: signatures that use regular expression-based patterns to detect intrusions.
Multi-string engine: supports flexible pattern matching and supports Trend Labs signatures.
Other engine: internal engine to handle miscellaneous signatures.

The Supported Signature Micro-Engines table summarizes the types of signature micro-engines available in Cisco IOS Release 12.3(14)T.

Cisco Works IPS MC

An IPS solution can be configured using the CLI, but configuration is simpler with a GUI-based device manager. The following describes the Cisco device management software available to help you manage an IPS solution:

Cisco Security Monitoring, Analysis, and Response System (MARS): Cisco Security MARS is an appliance-based, all-inclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats. This family of high-performance appliances...

Types of IDS and IPS Sensors

Signature-based: no detection of unknown signatures; initially a lot of false positives; signatures must be created, updated, and tuned.
Anomaly-based: difficult to profile typical activity in large networks; traffic profile must be constant.
Honey pot-based: distract and confuse attackers; slow down and avert attacks; collect information about the attack; honey pot server must not be trusted.

The table in the figure summarizes the advantages and disadvantages of the various types of IDS and IPS sensors available. The list here describes these IDS and...

Use ACLs to disable and limit services ports and protocols

To review, always apply these general rules when deciding how to handle router services, ports, and protocols:

Disable unused services, ports, or protocols: In the case where no one, including the router itself, needs to use an enabled service, port, or protocol, disable that service, port, or protocol.

Limit access to services, ports, or protocols: In the case where a limited number of users or systems require access to an enabled router service, port, or protocol, limit access to that service,...

Performance and Limitations of Platforms

Table columns: Inline (IPS) Ready; Performance (Mbps); Standard Command and Control Interface; Four 10/100/1000BASE-TX (4-FE); Four 10/100/1000BASE-SX (future).

The table in the figure shows the performance and interface limitations of the Cisco 4200 Series IDS and IPS platforms running as an in-line IPS sensor.

Note: The performance numbers for the Cisco platforms listed...

Restrict access to firewalls

Your firewall is an implementation of your policy, not the other way around. Your firewall policy comes first and details what traffic to filter and the nature of network connectivity needed before you start to set up your firewalls. Defending unplanned decisions after you have set up a firewall always complicates firewall administration. As an example, suppose that a firewall configuration blocks Microsoft Remote Procedure Call (RPC)-based traffic from entering or leaving a protected subnet....

Inspection engines: protocol support through firewalls; conformity of commands through checks

Figure (SIP example): INVITE sip:cch@62.3.3.3 SIP/2.0; 62.3.3.3 to 75.1.1.1, TCP 5060, Permit; From: <sip:bill@75.1.1.1>;tag=4c101d; Media Port 33005.
Figure (HTTP example): GET HTTP/1.1, Host: www.magazin.com, <applet code="fbun.class" width="550" height="300" align="left">.

The examples in the figure show inspection engines, a subset of the application inspection firewall. One inspection engine is responsible for checking a specific protocol. The first example shows how a client establishes a pre-Fast Serial Interface Processor...

Ensure that you place common HIPS hosts into groups based on your security plan

HIPS implementations scale in much the same way as network IDS and IPS implementations. Here are some best practices when scaling a HIPS system: Deploy a central management console that maintains a database of policies and system nodes. Each system node will have a HIPS agent installed. To streamline the process of assigning policies to many HIPS systems, group together the HIPS agents installed on similar systems. Servers that perform mission-critical roles benefit from being...

ACL Caveats (Cont.)

Adding new statements may require that a new ACL be created (Cisco IOS Release 12.2 and earlier). If filtering router-generated packets is part of the security policy, they must be acted upon by inbound ACLs on adjacent routers or through other router filter mechanisms using ACLs. Always consider placing extended ACLs on routers as close as possible to the source being filtered. Always place standard ACLs as close to the destination as possible.

Modifying ACLs: Always append new statements added...

Use private VLANs

Similar to the steps necessary for securing routers, these issues should be considered for If an attacker can gain access to a Telnet prompt, the attacker can attempt unauthorized access. For general administrative functions, devices should have a direct local connection. Where remote access is necessary, the device should connect via a private encrypted tunnel over the production network. Such a tunnel should be preconfigured to communicate only across the specific ports required for...

Comparing IDS and IPS Solutions

IDS (promiscuous mode) advantages: no impact on network (latency, jitter); no impact on sensor failure; no network impact on sensor overload.
IDS (promiscuous mode) disadvantages: response action cannot stop trigger packets; correct tuning required for response actions; more vulnerable to network evasion techniques.
IPS (inline mode) advantages: can use stream normalization techniques.
IPS (inline mode) disadvantages: sensor issues might affect network traffic; sensor overloading impacts network; some impact on network (latency, jitter).

The table in the figure shows some of the advantages and disadvantages of an IDS in promiscuous mode...

Converged security and VPN management

The Cisco ASA 5500 Series Adaptive Security Appliances form a high-performance, multifunction security appliance family delivering converged firewall, IPS, network antivirus, and VPN services. As a key component of the Cisco Self-Defending Network, Cisco ASA 5500 Series Adaptive Security Appliances provide proactive threat mitigation that stops attacks before they spread through the network, control network activity and application traffic, and deliver flexible VPN connectivity while remaining...

Circuit Level Firewalls

This topic describes the operation of a circuit level firewall.

Requires reprogramming of transport handling.

A circuit level firewall, also called a circuit level gateway, is second-generation firewall technology that validates that a packet is either a connection request or a data packet belonging to a connection or virtual circuit between two peer transport layers. In addition to allowing or disallowing packets, the circuit level...

When you need more stringent controls over security than stateful filtering provides

Layered Defense Strategy

Application inspection firewalls are more stringent than stateful firewalls but do not add significant cost to your implementation. Application inspection firewalls also provide more control than stateful filtering firewalls do, still at a minimal increase in cost.

2. Cisco IOS firewall forwards the request to the web server and sends a look-up request of the requested URL to the...

Cisco ASA 5500 Series Adaptive Security Appliance Platforms

Table columns: Simultaneous WebVPN (clientless) users; Site-to-site tunnels and remote access server (RAS) VPN peers.

The table shows how the performance of Cisco ASA 5500 Series Adaptive Security Appliances depends on the platform feature license used. Here are the available licenses:
Cisco ASA 5510 Adaptive Security Appliance: Base license and Security Plus license
Cisco ASA 5520 Adaptive Security Appliance: Base license with VPN Plus add-on license
Cisco ASA 5540 Adaptive Security Appliance: Base license with...

Intrusion Prevention Technologies

This topic provides an explanation of IPS technologies, attack responses, and monitoring options. When an IPS sensor configured with Cisco IOS IPS 5.0 or later detects malicious activity, it can choose from any or all of these actions:

Deny Attacker Inline: This action terminates the current packet and future packets from this attacker address for a specified period of time. The sensor maintains a list of the attackers currently being denied by the system. You can remove entries from the list...

Configuring Port Security on a Cisco Catalyst Switch

Enter interface configuration mode for the port that you want to secure.
3. Enable basic port security on the interface.
4. Set the maximum number of MAC addresses allowed on this interface.
5. Set the interface security violation mode. The default is shutdown. For mode, select one of these keywords:
6. Return to privileged EXEC mode.

The figure lists the tasks required to configure port security on a Cisco Catalyst switch. The Enabling Port Security with...

Throughput on Cisco Routers That Support Cisco IOS IPS

Platforms listed: Cisco 1841, Cisco 2801, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3825, and Cisco 3845 Integrated Services Routers.

The table in the figure lists the maximum throughput obtained for various router platforms with Cisco IOS IPS enabled. Maximum throughput numbers change often. The numbers presented in the table provide a good comparison of the...

Be a good citizen and prevent your network from being spoofed

As a rule, you should not allow any outbound IP packets with a source address other than a valid IP address of the internal network. The example in the figure shows ACL 105 for router R2. This ACL permits only those packets that contain source addresses from the 16.2.1.0/24 network and denies all others. This ACL is applied inbound to the inside interface (e0/1) of router R2.

Note: Cisco routers running Cisco IOS Release 12.0 and later may use IP Unicast Reverse Path Forwarding (RPF)...