
The Cisco Self-Defending Network

This section introduces the Cisco Self-Defending Network and describes how it can be used to design a secure network.

The Cisco Self-Defending Network Framework

To mitigate and prevent information theft, organizations must implement precautions such as establishing formal organizational security policies, enforcing access rights to authenticated users, and securing the transport of data and voice communications. Security must be fully integrated into all aspects of the network to proactively recognize potential suspicious activity, identify threats, react adaptively, and facilitate a coordinated response to attacks. Cisco has defined the Self-Defending Network to take advantage of the intelligence in network resources and to protect organizations by identifying, preventing, and adapting to threats from both internal and external sources.

The Self-Defending Network’s integrated network security incorporates the following three critical elements, as illustrated in Figure 10-7:

  • Trust and identity management: To protect critical assets by allowing access based on privilege level

  • Threat defense: To minimize and mitigate outbreaks

  • Secure connectivity: To ensure privacy and confidentiality of communications

Figure 10-7: Cisco Self-Defending Network

These three elements are explored in detail starting in the upcoming “Trust and Identity Management” section.

Secure Network Platform

The Cisco Self-Defending Network is based on a secure network platform that is a strong, secure, flexible base from which the self-defending network solution is built. With security integrated into the very fabric of the network, security becomes an integral and fundamental network feature. Advanced technologies and security services use the secure network platform to provide the critical elements of security—where and when they are needed. These elements are controlled by security policies and security management applications providing efficient security management, control, and response.

Because the network touches all parts of the infrastructure, it is the ideal location to implement core and advanced security services. The nucleus of secure network infrastructure solutions includes adaptive security appliances (ASA) and routers and switches with security integrated and embedded both in and between them, as follows:

  • Routers: Routers such as Cisco Integrated Services Routers (ISR) incorporate Cisco IOS firewall, IPS, IPsec VPN (including Cisco Easy VPN and Dynamic Multipoint VPN [DMVPN]), and SSL VPN services into the routing infrastructure, in addition to features that protect the router if it should be the target of an attack. New security features can be deployed on existing routers using updated Cisco IOS software. Routers can also participate in the Network Admission Control (NAC) process. NAC is a multivendor effort that admits endpoints to the network only after they have demonstrated their compatibility with various network security policies.

  • Cisco Catalyst switches: Cisco Catalyst switches incorporate firewall, IPS, SSL VPN, IPsec VPN, DDoS and man-in-the-middle attack mitigation, and virtualization services allowing unique policies for each security zone. Integrated security services modules are available for high-performance threat protection and secure connectivity.

  • Cisco ASAs: Cisco ASAs consolidate all the foundation security technologies (including high-performance firewall, IPS, network antivirus, and IPsec and SSL VPNs) in a single easily managed unified platform. Device consolidation reduces the overall deployment and operations costs and complexity. ASAs can also be NAC-enabled.

Cisco Self-Defending Network Phases

As shown in Figure 10-8, the Cisco Self-Defending Network contains three characteristic phases that together provide continuous, intelligent, future-proofed security, from the network through to the application layer:

  • Integrated security: Security defense technologies are incorporated across all network elements, including routing, switching, wireless, and security platforms so that every point in the network can defend itself. These security features include firewalls, VPNs, and trust and identity capabilities. An example is the use of the Cisco Security Agent, which provides endpoint server and desktop protection against new and emerging threats stemming from malicious network activity.

  • Collaborative security systems: The secure network components work together as a security system that adheres to and responds to an organization’s security policies. An example of this collaborative characteristic is NAC, implemented in devices from multiple vendors.

  • Adaptive threat defense: The secure network uses several tools to defend against new security threats and changing network conditions. Application awareness defends against security threats entering the network from within Internet-enabled applications. Behavioral recognition defends against worms, viruses, spyware, DDoS attacks, and other threats. Network control intelligently monitors and manages the security infrastructure and provides tools for IT managers to audit, control, and correlate.

Figure 10-8: Cisco Self-Defending Network Phases

The Cisco Self-Defending Network products can be deployed independently of one another or as part of a solution that links multiple products.

Trust and Identity Management

This section discusses the trust and identity management element of the Cisco Self-Defending Network.

Trust and identity management is critical for organizations. It underpins the creation of any secure network or system by providing or denying access to business applications and networked resources based on a user’s specific privileges and rights.

Trust and identity management solutions provide secure network access and admission at any point in the network and isolate and control infected or unpatched devices that attempt to access the network. The three aspects of trust and identity management are trust, identity, and access control, as shown in Figure 10-9 and described in the following sections.

Figure 10-9: Trust and Identity Management

Trust

Trust is the root of security.

Trusted entities are allowed to communicate freely; communication with untrusted entities needs to be carefully managed and controlled because of its higher risk.

Trust relationships might be explicitly defined or informally implied. Trust relationships can be inherited—for example, if a user is granted certain privileges on one system, another similar system might extend the same privileges. However granted, trust and privileges are sometimes abused.

Domains of Trust

To segment a network into parts, based on similar policy and concerns, domains of trust are established. The required system security in a network can vary in terms of importance to the business and the likelihood of being attacked. Consistent security controls should be applied within a segment, and trust relationships should be defined between segments. Segments can have different trust models, depending on the security needed.

Figure 10-10 illustrates two domains of trust examples. Case 1 includes internal and external portions of a network in the domain on the far left; the security policy within that domain will not be consistent, though. In contrast, Case 2 includes four domains, each with unique security requirements, and is therefore a better division into domains of trust.

Figure 10-10: Domains of Trust

Gradient of Trust

The gradient of trust determines the trust level between domains, which can be minor to extreme, and determines the extent of security safeguards and attention to monitoring required. The trust relationship between segments should be controlled at defined points, using some form of network firewall or access control, as illustrated in the examples in Figure 10-11. Mastering domains of trust is a key component of good network security design.

Figure 10-11: Domains and Gradients of Trust

Identity

Identity defines the parties in a trust relationship.

The identity can be individuals, devices, organizations, or all three. Using identities properly enables effective risk mitigation and the ability to apply policy and access control in a granular and accurate manner.

Credentials are elements of information used to verify or authenticate the identity of a network entity. It is important to separate the concept of identification, in which a subject presents its identity, from authentication, in which a subject proves its identity. For example, to log on to a resource, a user might be identified by a username and authenticated by a secret password.

The most common identity credentials are passwords, tokens, and certificates. Passwords and tokens are described in the next sections; certificates are described in the later “Encryption Fundamentals” section.

Passwords

Passwords demonstrate the authentication attribute “something the subject knows” and can be used to authenticate an authorized user to network resources. Passwords correlate an authorized user with network resources.

Passwords can be a problem in secure environments because users try to do what is easiest for them. Password policies and procedures must be created and enforced if password authentication is used as a credible security measure. These password policies and procedures should specify the use of strong, nondictionary passwords that are changed often. They should clearly state that passwords should never be shared and never posted where they can be easily found (such as on a monitor or wall or hidden under a keyboard).

Tokens

Many trusted systems require two-factor authentication.

With two-factor authentication, the compromise of one factor does not lead to the compromise of the system. An example is an access control system based on a token and a password, as illustrated in Figure 10-12. A password might become known, but it is useless without the token. Conversely, if the token is stolen, the thief cannot use it without the password.

Figure 10-12: Strong Authentication with a Token

A token can be a physical device or software application that generates a one-time authentication password or number. An example of a token is a keychain-sized device that shows—one at a time in a predefined order—a one-time password (OTP) on its small LCD, for approximately one minute. The token is synchronized with a token server that has the same predefined list of passwords for that user. At any given time, the user has only one valid password. For example, this technology could be used by an organization that needs to deploy remote-access services to its network over the Internet. The organization has implemented remote-access VPN technology and requires proper user authentication before users enter the protected network. The organization has had poor experiences enforcing password updates and wants to deploy a very secure, yet simple, system. Using OTP generators for remote users could be the ideal solution because they are secure and simple to use.

Access Control

Trust and identity management is also supported by access control.

Note

Access control also indirectly helps ensure confidentiality and integrity of sensitive data by limiting access to the data. In contrast, authorization mechanisms limit the access of an entity to resources based on subject identity.

Network access control mechanisms are classified in the following ways:

  • Authentication mechanisms, which establish the subject’s identity.

  • Authorization mechanisms, which define what a subject can do in a network and thus limit access to a network. The granularity of access, such as read-only or write, may also be defined.

  • Accounting mechanisms, such as an audit trail, which provides evidence and accounting of the subject’s actions, and real-time monitoring, which provides security services such as intrusion detection.

Authentication, authorization, and accounting (AAA) are network security services that provide a framework through which access control to a network is defined.

Trust and Identity Management Technologies

Some of the many technologies used for trust and identity management include the following:

  • ACLs: Lists maintained by network devices such as routers, switches, and firewalls to control access through the device. An example is an ACL on a router that specifies which clients, based on their IP addresses, can connect to a critical server in the data center.

  • Firewall: A device designed to permit or deny network traffic based on certain characteristics, such as source address, destination address, protocol, port number, and application. The firewall enforces the access and authorization policy in the network by specifying which connections are permitted or denied between security perimeters.

  • NAC: A set of technologies and solutions that uses the network infrastructure to enforce security policy compliance on all devices trying to access network computing resources, thereby limiting damage from emerging security threats.

  • IEEE 802.1X: An IEEE standard for media-level access control, providing the ability to permit or deny network connectivity, control VLAN access, and apply traffic policy based on user or device identity.

  • Cisco Identity-Based Networking Services (IBNS): An integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.

The following sections provide more information about some of these technologies.

Firewall Filtering Using ACLs

Figure 10-13 illustrates the use of a network firewall to control (or filter) access; this is a common network authorization implementation. An enterprise network is usually divided into separate security domains (also called perimeters or zones)—such as the untrusted Internet zone, the trusted Enterprise Campus zone, public and semipublic server zones, and so forth—to allow a network firewall to control all traffic that passes between the perimeters. Because all traffic must pass through the network firewall, it enforces the network’s access and authorization policy effectively by specifying which connections are permitted or denied between security zones.

Figure 10-13: A Firewall Can Filter Network Sessions

Note

Security domains that are connected to a leg of a firewall and that contain one or more servers are also called demilitarized zones (DMZ). The purpose of a DMZ network is to contain an attacker who has compromised a host so that the firewall again filters all access from the compromised host. This allows the enforcement of an extremely strict connection policy that denies all connections from public servers by default and prevents connectivity to hosts outside the DMZ network. If multiple hosts are located in the same DMZ, LAN switch-based security access control mechanisms such as private VLANs can also effectively restrict communications among such hosts.

For example, the policy for the Internet interface of the firewall in Figure 10-13 is as follows:

  • From the Internet, HTTP traffic is permitted to the public web servers, and the public web servers can reply.

  • HTTP secured by SSL (HTTPS) traffic from the Internet is permitted to the e-commerce server, and response HTTPS traffic from the e-commerce server is allowed.

  • HTTP, FTP, and Telnet traffic initiated from the internal network to the Internet, and responses to this traffic, are allowed.
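The three-bullet policy above, written out as Cisco IOS Firewall (Classic Firewall / CBAC) configuration for the router that sits between the zones. This is an added example, not the book's own configuration; the interface names, the 203.0.113.0/24 DMZ and 198.51.100.0/30 Internet addresses (documentation ranges) and the 10.0.0.0/8 internal range are assumptions. Note that only session-initiating traffic gets a static permit; the replies the policy allows are admitted by the stateful inspection rule, so the DMZ ACL can stay at "deny everything" as the Note above recommends.

```cisco
! Added example (not from the book). Assumed topology:
!   GigabitEthernet0/0 = Internet (untrusted zone), 198.51.100.2/30
!   GigabitEthernet0/1 = public server DMZ, 203.0.113.0/24
!   GigabitEthernet0/2 = internal network (trusted zone), 10.0.0.0/8
! All addresses are constructed documentation-range values.
!
! One inspection rule tracks TCP sessions (HTTP, HTTPS, Telnet) and FTP
! control/data channels. CBAC admits the return half of each inspected
! session ahead of the static ACLs, so replies need no explicit permit.
ip inspect name SESSIONS tcp
ip inspect name SESSIONS ftp
!
! Internet -> firewall: only the two published services may be initiated.
! Replies to internal users' sessions are not listed here on purpose; the
! inspection rule admits them dynamically.
ip access-list extended OUTSIDE-IN
 remark HTTP to the public web servers
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.11 eq www
 remark HTTPS to the e-commerce server
 permit tcp any host 203.0.113.20 eq 443
 deny ip any any log
!
! DMZ -> firewall: servers may only answer sessions the Internet opened
! to them. They cannot initiate anything, inward or outward, which is the
! strict "deny all connections from public servers by default" policy.
ip access-list extended DMZ-IN
 deny ip any any log
!
! Internal -> firewall: users may initiate HTTP, FTP and Telnet only.
ip access-list extended INSIDE-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 permit tcp 10.0.0.0 0.255.255.255 any eq ftp
 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet (untrusted zone)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect SESSIONS in
!
interface GigabitEthernet0/1
 description Public server DMZ
 ip address 203.0.113.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/2
 description Internal network (trusted zone)
 ip address 10.0.0.1 255.0.0.0
 ip access-group INSIDE-IN in
 ip inspect SESSIONS in
```

The `log` keyword on each final deny turns every rejected connection attempt into a syslog message, which is the audit trail the "Accounting mechanisms" bullet earlier in the section refers to.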

NAC Framework and Cisco NAC Appliance

NAC allows network access only to compliant and trusted wired or wireless endpoint devices, such as PCs, laptops, servers, and personal digital assistants (PDA), and it can restrict the access of noncompliant devices. Two NAC options are available: the NAC framework and the NAC appliance.

The NAC framework is an industrywide initiative led by Cisco that uses the network infrastructure and third-party software to enforce security policy compliance on all endpoints. The NAC framework is sold through NAC-enabled products, providing an integrated solution that leverages Cisco network products and other vendor products.

The Cisco NAC appliance is a turnkey solution, sold as either a virtual or integrated appliance, to control network access based on user authentication and to provide wired and wireless endpoint compliance with built-in device remediation. The Cisco NAC appliance identifies whether networked devices, such as laptops and PDAs, are compliant with the network security policies. It repairs any vulnerability before permitting the device to access the network.

For example, a Cisco router can act as a network access device (NAD) that intercepts attempts to connect from local or remote users. A Cisco trust agent, installed on a user’s laptop, provides the NAD with pertinent information, such as the version of antivirus software running and the patch level of the laptop’s operating system. The NAD passes this information to a policy server, which decides whether network access will be granted to the laptop; devices not granted access might be quarantined until they meet the NAC standards.

IEEE 802.1x and IBNS

Recall from Chapter 9 that IEEE 802.1X is an open standards–based protocol for authenticating network clients (or ports) based on a user ID or on the device. 802.1X runs between end devices or users (called supplicants) trying to connect to ports, and an Ethernet device, such as a Cisco Catalyst switch or Cisco wireless access point (AP) (called the authenticator). Authentication and authorization are achieved with back-end communication to an authentication server such as Cisco Secure Access Control Server (ACS).

The Cisco IBNS solution supports identity authentication and secure network connectivity, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X port security. Figure 10-14 illustrates the IBNS solution. When the Cisco Catalyst switch (the authenticator) detects that a user (the supplicant) is attempting to connect to the network, the authenticator initiates an Extensible Authentication Protocol over LAN (EAPoL) session, asking the supplicant to provide credentials. The supplicant sends its credentials to the authenticator. The switch (the authenticator) passes the user ID and password to an authentication server using RADIUS.

Figure 10-14: Cisco IBNS Provides Enhancements and Extensions to 802.1X

The authentication server determines whether the user ID and password are valid. It also notes the port to which the user is connected, and the MAC address of the user’s device. If the user ID and password are valid, the authentication server sends a message to the authenticator to allow the user to connect to the network on a specific VLAN, and the user accesses the physical LAN services. If the user ID and password are not valid, the server sends a message to the switch to block the port to which the user is connected.
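The authenticator side of the exchange just described, as an added Cisco Catalyst configuration example (not the book's or Cisco's own); it uses the classic `dot1x` command syntax of that era, and the ACS address, the key string and the VLAN numbers are assumptions. The comments trace the EAPoL and RADIUS messages and show the RADIUS attributes the server returns to assign the per-user VLAN.

```cisco
! Added example (not from the book). Assumed: Cisco Secure ACS at
! 10.0.0.5, user VLAN 20 returned by ACS, guest VLAN 900, port Fa0/1.
aaa new-model
! Supplicants are authenticated against RADIUS, and the switch is allowed
! to apply the network authorization (VLAN) the server returns.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
! Enable 802.1X globally; each port still needs its own port-control.
dot1x system-auth-control
!
interface FastEthernet0/1
 description User access port, 802.1X controlled
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! The switch is the authenticator; "auto" means the port starts in the
 ! unauthorized state and only EAPoL frames pass until authentication
 ! succeeds ("force-authorized" would switch 802.1X off on the port).
 dot1x pae authenticator
 dot1x port-control auto
 ! One authenticated MAC address per port (802.1X port security).
 dot1x host-mode single-host
 ! A device that never answers the EAP-Request/Identity (no supplicant)
 ! is placed in the guest VLAN instead of being left unauthorized.
 dot1x guest-vlan 900
!
! Message flow when the link comes up:
!   switch -> supplicant : EAPoL EAP-Request/Identity
!   supplicant -> switch : EAP-Response/Identity (user ID)
!   switch -> ACS        : RADIUS Access-Request carrying the EAP payload
!   ... the EAP method exchange is relayed between supplicant and ACS ...
!   ACS -> switch        : Access-Accept or Access-Reject
!   switch -> supplicant : EAP-Success (port authorized) or EAP-Failure
!                          (port stays blocked)
!
! For dynamic VLAN provisioning the Access-Accept carries the RFC 3580
! tunnel attributes; the switch moves the port from VLAN 10 to that VLAN:
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = "20"
```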

Identity and Access Control Deployment

Figure 10-15 illustrates examples of where authentication can take place in the Cisco Enterprise Architectures, including the following locations:

  • Dialup access points, where any subject can establish a dialup connection to the network; authentication is necessary to distinguish between trusted and untrusted subjects.

  • WAN and VPN infrastructures, where network devices authenticate each other on WAN or VPN links, thereby mitigating the risk of infrastructure compromise or misconfiguration. WAN peer authentication usually involves PPP mechanisms and routing protocol authentication. In a VPN, authentication is embedded in the VPN security protocols—most often IPsec and Internet Key Exchange (IKE).

  • LAN access, where a network device (switch) authenticates the user, typically with IEEE 802.1X, before allowing access to the switched network.

  • Wireless access, where only an authenticated user can establish an association with a wireless AP using IEEE 802.1X.

  • Firewall authentication, where users must prove their identity when entering a critical network that is protected by a firewall.

Figure 10-15: Trust and Identity Management

Note

Secure Shell (SSH) supports secure Telnet access between applications and router resources.

Authentication validation should be deployed as close to the network edge as possible, with strong authentication required for access from external and untrusted networks.

Access controls to enforce policy are deployed at various locations:

  • Source-specific rules (to any destination) should be applied as close to the source as possible.

  • Destination-specific rules (from any source) should be applied as close to the destination as possible.

  • Mixed rules, using combinations of specific sources and destinations, should be applied as close to the source as possible.

The principle of least privilege should be followed. This principle is based on the practice by which each subject is given only the minimal rights that are necessary (access permissions) to perform the subject’s tasks. For example, if a user needs to access a particular web server, the firewall should allow that user to access only the specified web server. In reality, however, enterprises often introduce lenient rules that allow subjects greater access than they require, which can result in deliberate or accidental confidentiality and integrity breaches. Highly distributed rules afford greater granularity and overall performance scalability at the cost of management complexity. Centralized rules provide easier management at the cost of scalability.

The principle of defense in depth should also be followed. This principle suggests that security mechanisms should be fault-tolerant; that is, a security mechanism should have a backup security mechanism. This is also called the belt-and-suspenders approach—both the belt and suspenders are used to ensure that the trousers stay up. An example includes using a dedicated firewall to limit access to a resource and then using a packet-filtering router to add another line of defense.

Threat Defense

This section discusses the threat defense element of the Cisco Self-Defending Network. Network security must protect a business from increasing threats such as access breaches, “Day Zero” worm attacks and viruses (the first day of the threat), DoS attacks, man-in-the-middle attacks, Trojan horses, and internal threats. Threats today, both known and unknown, continue to become more destructive and frequent than in the past and can significantly affect business profitability.

Appropriate security technologies and advanced networking intelligence are required to effectively defend against attacks. To be most effective, these technologies must be implemented throughout the network, rather than just in specific products or technologies, because an attack can start anywhere and instantly spread across all network resources.

The Cisco Threat Defense System enhances security in an existing network infrastructure, adds comprehensive security on the endpoints (both server and desktops), and adds dedicated security technologies to networking devices and appliances, proactively defending the business, applications, users, and network and protecting businesses from operation disruption, lost revenue, and loss of reputation. The Cisco Threat Defense System comprises several critical technologies and products, enabling security integrated in routers, switches, and appliances—including firewalls, network-based IPS sensors and detection instrumentation, and traffic isolation techniques. The Cisco Security Agent provides endpoint protection. These technologies and products are described in later sections, after a discussion of physical security.

Physical Security

Physical security is critical to the successful implementation of network security and can significantly influence the strength of the total security design. This section discusses various aspects of physical security and provides guidelines for its successful inclusion in the overall security policy.

Physical Threats

Consider the following potential physical threats:

  • A network device does not always enforce all its security settings when an attacker accesses the hardware directly (for example, it might allow console access, memory probing, and installation of unreliable software).

  • Access to the physical communication medium (such as unrestricted access to a switch port, unrestricted wireless network access, or access to the telecommunications infrastructure) could allow an attacker to impersonate trusted systems and view, intercept, and change data that is flowing in a network.

  • An attacker might use physically destructive attacks against devices and networks (such as physical force, attacks on the power network, or electromagnetic surveillance and attacks).

  • An attacker might steal a device such as a home office router or laptop computer and use it to access the corporate network.

A good security policy must anticipate possible physical attacks and assess their relevance in terms of possible loss, probability, and simplicity of attack. Figure 10-16 illustrates possible physical breaches of network security. In this sample network, an attacker might do the following:

  • Break into the computing center, obtain physical access to a firewall, and then compromise its physical connections to bypass it, or access the console port on some routers or switches and alter their security settings.

  • Obtain physical access to the copper media of the corporate WAN or the public switched telephone network (PSTN), and intercept all communications. The attacker could read and change sensitive data that is not protected by cryptography.

  • Steal a device, such as a small office/home office (SOHO) router or laptop, and use it to access the corporate network.

Figure 10-16: Physical Security Is Often Overlooked

Physical Security Guidelines

The traditional method of managing the risk of physical compromise is to deploy physical access controls using techniques such as locks or alarms. It is also important to identify how a physical security breach might interact with network security mechanisms. For example, there could be a significant risk if an attacker physically accesses a switch port located in a corporate building and from there has unrestricted access to the corporate network. If, during the development of the security policy, it were incorrectly assumed that only legitimate users could obtain such access, the attacker would be able to connect to the network without authentication and thus bypass network access control.

A security designer must identify the consequences of device theft on network security. For example, if a laptop computer is stolen from a roaming user, does it contain cryptographic keys that enable the attacker to connect to the enterprise network while impersonating a legitimate user? Moreover, does the network administrator have some scalable means of revoking such credentials that the attacker could obtain through physical theft?

Sometimes a significant portion of the network infrastructure is beyond the enterprise’s physical control, and physical controls cannot be enforced at the media access level. For example, many enterprises rely on the fact that the physical infrastructure of the service provider’s Frame Relay network is well protected, despite the fact that access to its wire conduits might be obtained easily. To protect communications over such networks, cryptography could be used. Cryptography provides confidentiality, protects the integrity of communication over unsafe networks, and is fully under the enterprise’s control. For example, an enterprise that simultaneously transmits sensitive and nonsensitive data over a Frame Relay network could use IPsec protection for the sensitive traffic and send the other traffic unencrypted.

Another example is a government intelligence agency concerned about the theft of laptops that might contain extremely sensitive data. To manage this risk, the agency deploys robust file encryption software on the laptops; this software decrypts sensitive files only on special request. Sensitive information is therefore hidden from a potential thief, who could otherwise read raw data from the laptop’s disk.

Infrastructure Protection

To meet business needs, it is critical to utilize security features and services to protect the infrastructure so that network devices are not accessed or altered in an unauthorized manner and so that end-to-end network transport and integrated services are available.

Deploying recommended practices and security policy enforcement to harden network devices helps secure the network foundation by protecting network elements and the integrity of their interactions. Cisco has enhanced the Cisco IOS software security features and services for both network elements and infrastructure, to improve the availability of the network elements and the network.

Note

Device hardening is limiting information provided by devices to only the information necessary to support business needs. For example, if it is not necessary for a device to respond to pings, that function should be turned off so that the device will not provide information to hackers.

Secure network infrastructure solutions include ASAs and routers and switches with integrated security.

Infrastructure Protection Deployment Locations

Infrastructure protection practices should be deployed on all network infrastructure devices throughout the network, especially at strategic perimeter points, to control ingress and egress traffic.

Different mechanisms might be available on different platforms, but typically equivalent functions are available on similar devices. More-advanced mechanisms might be available only on higher-end devices.

Recommended Practices for Infrastructure Protection

The following are some recommended practices for infrastructure protection:

  • Allow only SSH, instead of Telnet, to access devices.

  • Enable AAA and role-based access control (using RADIUS or TACACS+) for access to the command-line interface (CLI) and privileged mode access on all devices.

  • Collect and archive syslog messages (event notification messages) from network devices on a syslog server.

  • When using Simple Network Management Protocol (SNMP), use SNMP version 3 (SNMPv3) and its authentication and privacy features.

  • Disable unused services on network devices, including using the following commands on Cisco IOS devices:

    no service tcp-small-servers

    no service udp-small-servers


    Note

    When the minor TCP/IP servers are disabled using the no service tcp-small-servers command and a packet trying to access the Echo, Discard, Chargen, or Daytime ports is received, the Cisco IOS software sends a TCP RESET packet to the sender and discards the original incoming packet. When the minor UDP servers are disabled using the no service udp-small-servers command and a packet trying to access the Echo, Discard, or Chargen ports is received, the Cisco IOS software sends an “ICMP port unreachable” message to the sender and discards the original incoming packet. These servers are disabled by default.

  • Use SSH File Transfer Protocol (SFTP) and Secure Copy (SCP) to move Cisco IOS images and configuration files; avoid using FTP and Trivial File Transfer Protocol (TFTP) when possible.

  • Install ACLs on the virtual terminal lines to limit access to management and CLI services.

  • Enable protocol authentication in the control plane where it is available. Examples include enabling routing protocol authentication in both Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP), such as Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP). These routing protocols support Message Digest 5 (MD5) authentication. Other protocols, such as Hot Standby Router Protocol (HSRP) and VLAN Trunking Protocol (VTP), also support authentication.

  • Consider using the one-step router lockdown feature in the Cisco Router and Security Device Manager (SDM) to help ensure that all nonessential services in Cisco IOS software are shut off before the Cisco router is connected to the public Internet or a WAN.

  • Perimeter routers should implement ingress traffic filtering to block DoS attacks that use forged source IP addresses and propagate from the Internet. RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, specifies current Internet best practices for ingress traffic filtering.

  • All switches should be configured to support bridge protocol data unit (BPDU) guard and root guard, and the VTP mode should be set to transparent.

  • More-advanced protection mechanisms, such as Dynamic ARP Inspection (DAI) and DHCP snooping, might be available only on higher-end switches. Where supported, consider implementing control plane policing (CoPP) on infrastructure devices to manage the flow of control plane packets on Cisco IOS routers and switches and so limit reconnaissance and DoS attacks.
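The router-side practices in the list above, applied together as a Cisco IOS configuration fragment. This is an added example, not text from the book or a Cisco reference configuration; hostnames, interface names, ACL names, the management and syslog addresses (RFC 1918 and RFC 5737 ranges), and every key or secret are placeholders, and the switch-only items (BPDU guard, root guard, VTP transparent mode, DHCP snooping, DAI) are not shown.

```cisco
! Added example: hardening fragment for a perimeter router. All names,
! addresses and keys are constructed placeholders.
hostname EDGE-RTR
service password-encryption
enable secret <ENABLE-SECRET>
!
! SSH only for CLI access (the RSA key pair is generated in exec mode with
! "crypto key generate rsa modulus 2048" before the SSH server will start)
ip domain-name example.com
ip ssh version 2
ip ssh time-out 60
!
! AAA: TACACS+ for login, enable and command authorization, local fallback
aaa new-model
tacacs server TACACS-1
 address ipv4 10.0.0.10
 key <TACACS-KEY>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
! vty ACL: only the management subnet may reach the CLI, and only over SSH
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Central syslog collection with usable timestamps
service timestamps log datetime msec localtime show-timezone
logging trap informational
logging host 10.0.0.20
!
! SNMPv3 with authentication and privacy instead of community strings
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
!
! Disable services the device does not need to offer; keep SCP for
! moving images and configurations instead of TFTP or FTP
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip finger
no ip bootp server
no cdp run
ip scp server enable
!
! Control-plane authentication: OSPF MD5 and HSRP MD5 on the inside link
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 description Inside LAN
 ip ospf message-digest-key 1 md5 <OSPF-KEY>
 standby 1 authentication md5 key-string <HSRP-KEY>
!
! RFC 2827 filtering on the Internet uplink: drop inbound packets that
! claim an internal or loopback source, and let only our own prefix leave
ip access-list extended INGRESS-ANTISPOOF
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
ip access-list extended EGRESS-ANTISPOOF
 permit ip 10.1.0.0 0.0.255.255 any
 deny   ip any any log
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group INGRESS-ANTISPOOF in
 ip access-group EGRESS-ANTISPOOF out
!
! CoPP: cap ICMP punted to the route processor (the rate is illustrative)
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
policy-map COPP
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
```

Apply it on a lab device first: the vty ACL and the TACACS+ dependency can lock you out of a production router if the management subnet or server address is wrong.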

Threat Detection and Mitigation

Threat detection and mitigation technologies provide early detection and notification of unpredicted malicious traffic or behavior. The goals of these technologies include the following:

  • Detecting, notifying, and helping stop events or traffic that are unauthorized and unpredictable

  • Helping preserve the network’s availability, particularly against unknown or unforeseen attacks

Threat Detection and Mitigation Technologies

The following are some of the threat detection and mitigation technologies available:

  • Network-based intrusion prevention systems (NIPS), such as the ASA, IPS appliances, and Cisco IOS IPS

  • Host-based intrusion prevention systems (HIPS), such as Cisco Security Agent

  • NetFlow

  • Syslog

  • Event-correlation systems, such as Cisco Security Monitoring, Analysis, and Response System (MARS)

  • Cisco Traffic Anomaly Detector Module

These threat detection and mitigation technologies provide many network security functions, including the following:

  • Endpoint protection: Viruses and worms frequently create network congestion as a byproduct of rapid propagation and infection of endpoints. The Cisco Security Agent therefore becomes a first-order dampener of the effects of virus and worm propagation. A second and equally compelling reason for deploying Cisco Security Agent is that it establishes a presence on endpoints that can be used to establish a feedback loop between the endpoint and the network, resulting in a network that rapidly adapts to emerging threats. In addition, antivirus software allows hosts to detect and remove infections based on patterns.

  • Infection containment: The Cisco ASA 5500 Series ASAs, Cisco PIX 500 Series Security Appliances, Cisco Catalyst 6500 Series Firewall Services Module (FWSM), and the firewall feature set in Cisco IOS software protect the network perimeter and create islands of security on the internal network. Strong network admission policies are important but are not a cure-all and therefore do not eliminate the need to continue monitoring devices after they enter a network. Determined attackers can evade just about any admission check, and the network cannot always rely on, or trust, an infected element to turn itself in. Compliant devices might also become infected in a variety of ways when on a network (for example, a universal serial bus (USB) key with infected content could infect another device). To help protect the network further, the Cisco Self-Defending Network is designed to extend the security checks performed by NAC at the time of network admission for the duration of the network connection. The Cisco Self-Defending Network also relies on other network elements, including other endpoints, to detect when another endpoint is no longer trustworthy.

  • Inline intrusion and anomaly detection: An important area of ongoing security development is network intrusion detection systems (NIDS). One of the first Cisco innovations in this area was to integrate an NIDS into Cisco router and switch platforms. NIPSs with inline filtering capabilities provide even more protection. NIPSs provide a mechanism to remove unwanted traffic with fine-grained programmable classification engines. Examples of these devices are the Cisco IPS 4200 Series Sensors, the Cisco Catalyst 6500 Series IDS Module (IDSM-2), and the Cisco IOS IPS, which quickly identify, analyze, and stop malevolent traffic. The Cisco Traffic Anomaly Detector XT and Guard XT appliances and the Cisco Catalyst 6500/Cisco 7600 Traffic Anomaly Detector Module and Anomaly Guard Module are further examples of capabilities that help ensure business continuity in the event of DDoS attacks.

  • Application security and anti-X defense: Over the past several years, a number of new application-layer network products have emerged to help protect against new classes of threats that were not adequately addressed by classic firewall and NIDS products, including viruses and worms, e-mail-based spam, phishing, spyware, web services abuse, IP telephony abuse, and unauthorized peer-to-peer activity. Packet- and content-inspection security services on firewalls and IPS appliances help deal with these types of threats and misuse. This convergence brings granular traffic-inspection services to critical network security enforcement points, containing malicious traffic before it can be propagated across the network.


Note

Anti-X services refer to unified antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering. For example, the Content Security and Control security services module (CSC-SSM) for the Cisco ASA 5500 Series provides a comprehensive set of anti-X services.

Threat Detection and Mitigation Solution Deployment Locations

Threat detection and mitigation solutions can be deployed throughout the network, as illustrated in Figure 10-17.

Figure 10-17: Threat Detection and Mitigation Solution Deployment Locations

In this example, the perimeter Internet WAN router is the first line of defense in a worm attack. A network management station detects an increase in network load through SNMP or NetFlow events from the perimeter router.

Specific ACLs can be applied on this router to identify the attack type. NIPSs can use deep packet examination to determine the specific nature of the attack. HIPSs are typically implemented in software, whereas NIPSs are typically appliances or software features in a network device. Both IPS implementations use inline signature-based attack detection. HIPSs can also be used to provide host policy enforcement and verification.

A stateful firewall can be used to block the attack locally, until the Internet service provider (ISP) shuts down the attack. A key element of a successful threat detection and mitigation system is understanding when to look at which information from sources such as NetFlow, syslog, SNMP traps, changes in SNMP values and thresholds, and Remote Monitoring (RMON).

A good security information manager such as Cisco Security MARS helps aggregate this data and present it in a useful format.

Secure Connectivity

This section discusses the secure connectivity element of the Cisco Self-Defending Network.

Ensuring the privacy and integrity of all information is vital to today’s businesses. Increased network connectivity results in increased exposure. As organizations adopt the use of the Internet for intranet, extranet, and teleworker connectivity—such as broadband always-on connections—maintaining security, data integrity, and privacy across these connections is a paramount requirement. LAN connections, traditionally considered trusted networks, now also require higher levels of security. In fact, internal threats are said to be ten times more financially damaging than external threats. Preserving the confidentiality and integrity of the data and applications that traverse the wired or wireless LAN needs to be an important part of business decisions.

The Cisco secure connectivity systems use encryption and authentication capabilities to provide secure transport across untrusted networks. To protect data, voice, and video applications over wired and wireless media, Cisco offers IPsec, SSL, SSH, and Multiprotocol Label Switching–based VPN technologies in addition to extensive security capabilities incorporated into Cisco wireless and IP telephony solutions to help ensure the privacy of IP communications.

Encryption Fundamentals

With encryption, plain text (the readable message) is converted into ciphertext (the unreadable, disguised message); decryption at the destination reverses this process. Figure 10-18 illustrates this process.

Figure 10-18: Encryption Protects Data Confidentiality

The purpose of encryption is to guarantee confidentiality; only authorized entities can encrypt and decrypt data. With most modern algorithms, successful encryption and decryption require knowledge of the appropriate cryptographic keys. A sample use of data encryption is when the IPsec encryption algorithm is used to hide the payload of IP packets.

Encryption Keys

With shared secrets, both sides know the same key. The encryption key is either identical to the decryption key or requires only a simple transformation to derive the decryption key. The keys represent a shared secret between two or more parties that can be used to maintain a private information link. The key is carried out-of-band to the remote side; for example, one user might telephone the other to tell him or her what the key is. Although this is the easiest mechanism, it has some inherent security concerns. Because the keys are potentially subject to discovery, they need to be changed often and kept secure during distribution and while in service. Reliably selecting, distributing, and maintaining shared keys without error or discovery can be difficult.

PKI uses asymmetric keys, in which the encryption key is different from the decryption key. Most PKI systems rely on certificates to establish a party’s identity and its public key; certificates are issued by a centralized certificate authority (CA) computer whose legitimacy is trusted. Each unique pair of public and private keys is related but not identical.

Parties that need to encrypt their communications exchange their public keys (contained in certificates) but do not disclose their private keys. The sending party uses the receiving party’s public key to encrypt the message data and forwards the ciphertext (the encrypted data) to the receiving party. The receiving party then decrypts the ciphertext with its private key. PKI encryption is widely used in e-commerce sites.

VPN Protocols

IPsec and SSL are the two common VPN protocols. IPsec VPNs are built directly on the IP layer, using IP protocol 50 (Encapsulating Security Payload, ESP) to encrypt traffic. IPsec VPNs use the Internet Key Exchange (IKE) protocol to exchange keys; IKE normally uses PKI certificates. IPsec requires both communicating endpoints to run software that understands IPsec. Most routers and security appliances currently support high-speed IPsec.

SSL VPNs are built on top of the TCP layer using port 443, the HTTPS port. SSL VPNs are used extensively to provide confidentiality for web traffic and are supported by all major browsers.

Transmission Confidentiality: Ensuring Privacy

Transmission confidentiality protects data as it is transported over unsafe networks. When connecting trusted and untrusted networks (for example, when connecting a corporate network to the Internet), data can be transmitted among trusted subjects over untrusted networks. Untrusted networks do not allow implementation of classic access control mechanisms, because a corporation does not have control over users and network resources in the untrusted network. Therefore, the transmitted data must be protected to ensure that no one in the untrusted network can view it (violate its confidentiality) or change it (violate its integrity). Modern network security relies on cryptography to provide confidentiality and integrity for transmitted data.

The network shown in Figure 10-19 shows a connection of two sites over an untrusted network, the Internet. To provide data confidentiality, a VPN technology that supports encryption creates a secured point-to-point association of the sites over the Internet. All packets that leave one site are encrypted, forwarded through the untrusted network, and decrypted by a device on the remote site. Anyone who eavesdrops on the untrusted network should not be able to decrypt the packet payloads to read sensitive data.

Figure 10-19: Transmission Confidentiality Provided by Encryption

Transmission Confidentiality Guidelines

Following are some specific cryptography guidelines to consider when designing and implementing a solution for transmission confidentiality:

  • Cryptography can become a performance bottleneck, and careful analysis is required to determine where data should be protected. In general, if confidential or sensitive data travels over a network where an attacker could easily intercept communications (such as a network outside of the organization’s physical control or a network where device compromises are likely), communications must be protected as the security policy defines.

  • Modern cryptography algorithms can now be exported, although some might still be subject to controls, depending on legal regulations. Use the strongest available cryptography to provide sufficient protection. Be cautious, however; some cryptographic algorithms allow you to specify extremely long key lengths, which, at some point, do not provide worthwhile confidentiality improvements over shorter keys.

  • Use only well-known cryptographic algorithms, because only well-known algorithms that have been tested and analyzed are considered trustworthy. Examples of well-known algorithms are Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4). In general, do not trust any algorithms that claim to represent a security breakthrough; these are often extremely weak and easily broken.


    Note

    The Data Encryption Standard (DES) uses a 56-bit key. 3DES encrypts the data three times, with up to three different keys.

  • Do not forget that encryption provides only confidentiality, and most organizations consider data integrity and authenticity equally important security elements. If possible, use both confidentiality- and integrity-guaranteeing cryptographic algorithms.

For example, to lower communication costs, a health insurance company decides to connect some of its branch offices to its headquarters over the Internet. The company must protect patient record confidentiality; because attackers on the Internet can intercept communications, the company implements a VPN using the strongest possible encryption algorithms to guarantee data confidentiality. In the event of interception, it is unlikely that the attacker can decrypt messages that are protected with modern cryptographic algorithms such as 3DES, AES, or RC4.

Maintaining Data Integrity

Cryptography also provides data integrity mechanisms to protect data in transit over untrusted networks. Cryptographic protocols, such as secure fingerprints and digital signatures, can detect any integrity violation of sensitive data.

By verifying the checksum of received data, an authorized subject can verify data integrity. For example, a method of secure fingerprints known as a Hash-Based Message Authentication Code (HMAC) is implemented in the IPsec standard to provide packet integrity and authenticity in IP networks. The HMAC method is very fast and is suitable for real-time traffic protection (for both integrity and authentication).
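The IPsec VPN described in the “VPN Protocols” section (ESP over IP protocol 50, keys negotiated by IKE), the guideline to pair a confidentiality algorithm with an integrity algorithm, and the HMAC packet check described above, shown together as the headquarters side of a site-to-site tunnel on a Cisco IOS router. This is an added example rather than a configuration from the book; peer and LAN addresses are constructed (RFC 5737 and RFC 1918 ranges), and the policy number, names, and pre-shared key are placeholders.

```cisco
! Added example: HQ side of a site-to-site IPsec VPN. Addresses, names and
! the pre-shared key are constructed placeholders.
!
! IKE phase 1: how the peers authenticate each other and derive the keys
! for the tunnel. "authentication rsa-sig" together with a
! "crypto pki trustpoint" would use CA-issued certificates, as the text
! describes for PKI, instead of a pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! IKE phase 2 / IPsec: ESP (IP protocol 50) carries the protected payload.
! A weak transform set would give confidentiality only, with 56-bit DES
! and no integrity check:
!   crypto ipsec transform-set DES-ONLY esp-des
! Recommended: AES for confidentiality plus SHA HMAC, so that a packet
! altered in transit fails the fingerprint check at the receiving site.
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only traffic between the HQ LAN and the branch LAN goes through the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Internet uplink (untrusted network)
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

The branch router mirrors this configuration with the peer address, key, and the direction of the VPN-TRAFFIC ACL reversed. If an inbound ACL is applied on the uplink, it must permit UDP port 500 (ISAKMP) and IP protocol 50 (ESP) from the peer, or the tunnel will never come up.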

The cryptography behind digital signing guarantees the data’s authenticity and the fact that the data has not been modified since it was signed. In the financial world, digital signatures also provide nonrepudiation of transactions, in which a subject can prove to a third party that a transaction has indeed occurred. Digital signature protocols are based on public-key cryptography and, because of their performance limitations, are not used for bulk protection.

Figure 10-20 illustrates a connection between two network sites over the Internet. To provide data integrity, a VPN that supports secure fingerprinting is used to create a secured point-to-point association over the Internet. All packets that leave one site are imprinted with a secure digital fingerprint (similar to a very strong checksum) that uniquely identifies the data at the sender’s side. The packets are forwarded onto the untrusted network, and a device on the remote site verifies the secure fingerprint to ensure that no one has tampered with the packet. Anyone who eavesdrops on the untrusted network should not be able to change the packet payloads; therefore, they should not be able to change sensitive data without being detected.

Figure 10-20: Secure Fingerprints Ensure Data Integrity

Transmission Integrity Guidelines

Following are some guidelines for using data integrity cryptography mechanisms, which are similar to those for confidentiality mechanisms:

  • Carefully evaluate the need for integrity and enforce it only where justified by potential threats.

  • Use the strongest available mechanisms for integrity, but take the performance effects into account.

  • Use only established and well-known cryptographic algorithms.

For example, consider an organization that must transmit stock market data over the Internet. Confidentiality is not its main concern; rather, its primary risk lies in the possibility of an attacker changing data in transit and presenting false stock market data to the organization. Because e-mail is the organization’s preferred data exchange application, it decides to implement digital signatures of all e-mail messages when exchanging data among partners over the Internet.

Security Management

This section provides an overview of security management.

Security management applications and technologies are used to monitor and control the network, including performing the following tasks:

  • Collecting, analyzing, and presenting network data to network managers. The tools used should allow for centrally storing and analyzing audit results, including logs and traps. In addition to logging using the syslog protocol, IDSs can be used to provide automatic correlation and in-depth visibility into complex security events, saving administrators a considerable amount of time.

  • Structured deployment and provisioning of security policies on security devices.

  • Maintaining consistency and change control of policies.

  • Providing role-based access control and accounting for all activities, and implementing change control and monitoring to prevent accidental damage.

Organizations must audit changes made and ensure that new versions of device configurations and device software are installed according to corporate policies.

Security implementation is only as good as the security policies being implemented. The biggest risk to security in a properly planned network architecture is an error in the security policy. Network management personnel must be aware of the security policies and defined operational procedures so that they can respond to an incident quickly, reliably, and appropriately.

Cisco Security Management Technologies

The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including configuration, monitoring, analysis, and response. The key components of this suite include the following:

  • Cisco Security Manager: Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and IPS policies on Cisco security appliances, firewalls, routers, and switch modules. Using a GUI, Cisco Security Manager allows security policies to be easily configured per device, per device group, or globally.

  • Cisco Security MARS: Cisco Security MARS is an appliance-based solution that allows network and security administrators to monitor, identify, isolate, and counter security threats. Cisco Security MARS obtains network intelligence by understanding the topology and device configurations from routers, switches, NetFlow, IPS, firewalls, and other network devices and by profiling network traffic. The integrated network discovery in the system builds a topology map containing device configuration and current security policies that enables Cisco Security MARS to model packet flows through the network. Because the appliance does not operate inline and makes minimal use of existing software agents, there is minimal impact on network or system performance.

These products are built on an architecture that facilitates integration with other security management tools, such as the following:

  • Cisco SDM: Cisco SDM is a web-based device-management tool for Cisco routers that can improve the productivity of network managers; simplify router deployments for integrated services such as dynamic routing, WAN access, WLAN, firewall, VPN, SSL VPN, IPS, and quality of service (QoS); and help troubleshoot complex network and VPN connectivity issues. Cisco SDM supports a wide range of Cisco IOS Software releases and is available free of charge on Cisco router models from Cisco 830 Series Routers to Cisco 7301 Routers.

  • Cisco Adaptive Security Device Manager (ASDM): Cisco ASDM provides security management and monitoring services for the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances (running Cisco PIX Security Appliance Software Release 7.0 or later), and the Cisco Catalyst 6500 Series Firewall Services Modules (FWSM version 3.1 or later) through an intuitive, easy-to-use web-based management interface. Cisco ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services.

  • Cisco Intrusion Prevention System Device Manager (IDM): Cisco IDM is a web-based Java application that allows configuration and management of IPS sensors. The web server software for Cisco IDM resides on the sensor and is accessed through Netscape or Internet Explorer web browsers with SSL. The whole range of IPS v5.0-capable platforms can be managed using Cisco IDM.

  • CiscoWorks Management Center for Cisco Security Agents: Using Management Center for Cisco Security Agents (a component of the CiscoWorks VPN/Security Management Solution), network devices are assembled into specified groups, and then security policies are attached to those groups. All configuration is done through the web-based user interface and then is deployed to the agents. The Management Center for Cisco Security Agents software is installed on a system that maintains all policy and host groups. The administration user interface is accessed securely using SSL from any device on the network that can connect to the server and run a web browser. The web-based interface is used to deploy policies from the Management Center for Cisco Security Agents software to agents across the network.

  • Cisco Secure Access Control Server: Cisco Secure ACS provides identity-based services that provide centralized control for role-based access to all Cisco devices and security management applications, including Cisco IOS routers, VPNs, firewalls, dialup and DSL connections, cable access solutions, storage, content, VoIP connections, Cisco wireless solutions, and Cisco Catalyst switches.


