Chapter 10: Evaluating Security Solutions for the Network (Part02)

The Cisco Self-Defending Network

This section introduces the Cisco Self-Defending Network and describes how it can be used to design a secure network.

The Cisco Self-Defending Network Framework

To mitigate and prevent information theft, organizations must implement precautions such as establishing formal organizational security policies, enforcing access rights to authenticated users, and securing the transport of data and voice communications. Security must be fully integrated into all aspects of the network to proactively recognize potential suspicious activity, identify threats, react adaptively, and facilitate a coordinated response to attacks. Cisco has defined the Self-Defending Network to take advantage of the intelligence in network resources and to protect organizations by identifying, preventing, and adapting to threats from both internal and external sources.

The Self-Defending Network’s integrated network security incorporates the following three critical elements, as illustrated in Figure 10-7:

• Trust and identity management: To protect critical assets by allowing access based on privilege level

• Threat defense: To minimize and mitigate outbreaks

• Secure connectivity: To ensure privacy and confidentiality of communications

Figure 10-7: Cisco Self-Defending Network

These three elements are explored in detail starting in the upcoming “Trust and Identity Management” section.

Secure Network Platform

The Cisco Self-Defending Network is based on a secure network platform that is a strong, secure, flexible base from which the self-defending network solution is built. With security integrated into the very fabric of the network, security becomes an integral and fundamental network feature. Advanced technologies and security services use the secure network platform to provide the critical elements of security—where and when they are needed. These elements are controlled by security policies and security management applications providing efficient security management, control, and response.

Because the network touches all parts of the infrastructure, it is the ideal location to implement core and advanced security services. The nucleus of secure network infrastructure solutions include adaptive security appliances (ASA) and routers and switches with security integrated and embedded both in and between them, as follows:

• Routers: Routers such as Cisco Integrated Services Routers (ISR) incorporate Cisco IOS firewall, IPS, IPsec VPN (including Cisco Easy VPN and Dynamic Multipoint VPN [DMVPN]), and SSL VPN services into the routing infrastructure, in addition to features that protect the router if it should be the target of an attack. New security features can be deployed on existing routers using updated Cisco IOS software. Routers can also participate in the Network Admission Control (NAC) process. NAC is a multivendor effort that admits endpoints to the network only after they have demonstrated their compatibility with various network security policies.

• Cisco Catalyst switches: Cisco Catalyst switches incorporate firewall, IPS, SSL VPN, IPsec VPN, DDoS and man-in-the-middle attack mitigation, and virtualization services allowing unique policies for each security zone. Integrated security services modules are available for high-performance threat protection and secure connectivity.

• Cisco ASAs: Cisco ASAs consolidate all the foundation security technologies (including high-performance firewall, IPS, network antivirus, and IPsec and SSL VPNs) in a single easily managed unified platform. Device consolidation reduces the overall deployment and operations costs and complexity. ASAs can also be NAC-enabled.

Cisco Self-Defending Network Phases

As shown in Figure 10-8, the Cisco Self-Defending Network contains three characteristic phases that together provide continuous, intelligent, future-proofed security, from the network through to the application layer:

• Integrated security: Security defense technologies are incorporated across all network elements, including routing, switching, wireless, and security platforms so that every point in the network can defend itself. These security features include firewalls, VPNs, and trust and identity capabilities. An example is the use of the Cisco Security Agent, which provides endpoint server and desktop protection against new and emerging threats stemming from malicious network activity.

• Collaborative security systems: The secure network components work together as a security system that adheres to and responds to an organization’s security policies. An example of this collaborative characteristic is NAC, implemented in devices from multiple vendors.

• Adaptive threat defense: The secure network uses several tools to defend against new security threats and changing network conditions. Application awareness defends against security threats entering the network from within Internet-enabled applications. Behavioral recognition defends against worms, viruses, spyware, DDoS attacks, and other threats. Network control intelligently monitors and manages the security infrastructure and provides tools for IT managers to audit, control, and correlate.

Figure 10-8: Cisco Self-Defending Network Phases

The Cisco Self-Defending Network products can be deployed independently of one another or as part of a solution that links multiple products.

Trust and Identity Management

This section discusses the trust and identity management element of the Cisco Self-Defending Network.

---

Key Point

Businesses need to effectively and securely manage who and what can access the network, as well as when, where, and how that access can occur.

---

Trust and identity management is critical for organizations. It underpins the creation of any secure network or system by providing or denying access to business applications and networked resources based on a user’s specific privileges and rights.

Trust and identity management solutions provide secure network access and admission at any point in the network and isolate and control infected or unpatched devices that attempt to access the network. The three aspects of trust and identity management are trust, identity, and access control, as shown in Figure 10-9 and described in the following sections.

Figure 10-9: Trust and Identity Management

Trust

Trust is the root of security.

---

Key Point

Trust defines the relationship in which two or more network entities are allowed to communicate. Security policy decisions are based on trust.

---

Trusted entities are allowed to communicate freely; communication with untrusted entities needs to be carefully managed and controlled because of its higher risk.

---

Key Point

Trust and risk are opposites; security is used to limit risk by enforcing limitations on trust relationships.

---

Trust relationships might be explicitly defined or informally implied. Trust relationships can be inherited—for example, if a user is granted certain privileges on one system, another similar system might extend the same privileges. However granted, trust and privileges are sometimes abused.

Domains of Trust

To segment a network into parts, based on similar policy and concerns, domains of trust are established. The required system security in a network can vary in terms of importance to the business and the likelihood of being attacked. Consistent security controls should be applied within a segment, and trust relationships should be defined between segments. Segments can have different trust models, depending on the security needed.

Figure 10-10 illustrates two domains of trust examples. Case 1 includes internal and external portions of a network in the domain on the far left; the security policy within that domain will not be consistent, though. In contrast, Case 2 includes four domains, each with unique security requirements, and is therefore a better division into domains of trust.

Figure 10-10: Domains of Trust

Gradient of Trust

The gradient of trust determines the trust level between domains, which can be minor to extreme, and determines the extent of security safeguards and attention to monitoring required. The trust relationship between segments should be controlled at defined points, using some form of network firewall or access control, as illustrated in the examples in Figure 10-11. Mastering domains of trust is a key component of good network security design.

Figure 10-11: Domains and Gradients of Trust

Identity

Identity defines the parties in a trust relationship.

---

Key Point

The identity is the who of a trust relationship.

The identity of a network entity is verified by credentials.

---

The identity can be individuals, devices, organizations, or all three. Using identities properly enables effective risk mitigation and the ability to apply policy and access control in a granular and accurate manner.

Credentials are elements of information used to verify or authenticate the identity of a network entity. It is important to separate the concept of identification, in which a subject presents its identity, from authentication, in which a subject proves its identity. For example, to log on to a resource, a user might be identified by a username and authenticated by a secret password.

The most common identity credentials are passwords, tokens, and certificates. Passwords and tokens are described in the next sections; certificates are described in the later “Encryption Fundamentals” section.

---

Key Point

Authentication, or the proving of identity, is traditionally based on one (or more) of the following three proofs:

• Something the subject knows: This usually involves knowledge of a unique secret, which the authenticating parties usually share. To a user, this secret appears as a classic password, a personal identification number, or a private cryptographic key.

• Something the subject has: This usually involves physical possession of an item that is unique to the subject. Examples include password token cards, Smartcards, and hardware keys.

• Something the subject is: This involves verifying a subject’s unique physical characteristic, such as a fingerprint, retina pattern, voice, or face.

---

Passwords

Passwords demonstrate the authentication attribute “something the subject knows” and can be used to authenticate an authorized user to network resources. Passwords correlate an authorized user with network resources.

Passwords can be a problem in secure environments because users try to do what is easiest for them. Password policies and procedures must be created and enforced if password authentication is used as a credible security measure. These password policies and procedures should specify the use of strong, nondictionary passwords that are changed often. They should clearly state that passwords should never be shared and never posted where they can be easily found (such as on a monitor or wall or hidden under a keyboard).

---

Implementing Strong Password Policies

A dictionary attack is when a hacker tries to guess a user’s password (to gain network access) by using every “word” in a dictionary of common passwords or possible combinations of passwords. A dictionary attack relies on the fact that a password is often a common word, name, or concatenation of words or names with a minor modification such as a trailing digit or two.

Instructing users to select strong passwords is one of the most effective means to mitigate the possibility of a successful dictionary attack. On a Windows host, it is possible to implement password complexity rules to force users to choose strong passwords, which are more difficult for hackers to determine. Some characteristics of a strong password include the following:

• It is a minimum of ten characters

• It is a mixture of uppercase and lowercase letters

• It contains at least one numeric character (0–9) or nonalphanumeric character (for example, !#@&)

• It has at least one special character within the password—not at the beginning or end

• It is not a form of the user’s name or user ID

• It is a word that is not found in a dictionary (domestic or foreign)

The following are two examples of strong passwords and how they were derived (and therefore how they can be remembered):

• 4yosc10cP!, from “For your own safety, choose ten-character password!”

• cnw84Fri*YAD, from “Cannot wait for Friday.”

The information in this sidebar was derived from http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html.

---

Tokens

Many trusted systems require two-factor authentication.

---

Key Point

Two-factor (or strong) authentication is where a subject provides at least two types of proof of identity.

---

With two-factor authentication, the compromise of one factor does not lead to the compromise of the system. An example is an access control system based on a token and a password, as illustrated in Figure 10-12. A password might become known, but it is useless without the token. Conversely, if the token is stolen, the thief cannot use it without the password.

Figure 10-12: Strong Authentication with a Token

A token can be a physical device or software application that generates a one-time authentication password or number. An example of a token is a keychain-sized device that shows—one at a time in a predefined order—a one-time password (OTP) on its small LCD, for approximately one minute. The token is synchronized with a token server that has the same predefined list of passwords for that user. At any given time, the user has only one valid password. For example, this technology could be used by an organization that needs to deploy remote-access services to its network over the Internet. The organization has implemented remote-access VPN technology and requires proper user authentication before users enter the protected network. The organization has had poor experiences enforcing password updates and wants to deploy a very secure, yet simple, system. Using OTP generators for remote users could be the ideal solution because they are secure and simple to use.

Access Control

Trust and identity management is also supported by access control.

---

Key Point

Access control is the ability to enforce a policy that states which entities (such as users, servers, and applications) can access which network resources.

---

Note

Access control also indirectly helps ensure confidentiality and integrity of sensitive data by limiting access to the data. In contrast, authorization mechanisms limit the access of an entity to resources based on subject identity.

Network access control mechanisms are classified in the following ways:

• Authentication mechanisms, which establish the subject’s identity.

• Authorization mechanisms, which define what a subject can do in a network and thus limit access to a network. The granularity of access, such as read-only or write, may also be defined.

• Accounting mechanisms, such as an audit trail, which provides evidence and accounting of the subject’s actions, and real-time monitoring, which provides security services such as intrusion detection.

Authentication, authorization, and accounting (AAA) are network security services that provide a framework through which access control to a network is defined.

Trust and Identity Management Technologies

Some of the many technologies used for trust and identity management include the following:

• ACLs: Lists maintained by network devices such as routers, switches, and firewalls to control access through the device. An example is an ACL on a router that specifies which clients, based on their IP addresses, can connect to a critical server in the data center.

• Firewall: A device designed to permit or deny network traffic based on certain characteristics, such as source address, destination address, protocol, port number, and application. The firewall enforces the access and authorization policy in the network by specifying which connections are permitted or denied between security perimeters.

• NAC: A set of technologies and solutions that uses the network infrastructure to enforce security policy compliance on all devices trying to access network computing resources, thereby limiting damage from emerging security threats.

• IEEE 802.1X: An IEEE standard for media-level access control, providing the ability to permit or deny network connectivity, control VLAN access, and apply traffic policy based on user or device identity.

• Cisco Identity-Based Networking Services (IBNS): An integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.

The following sections provide more information about some of these technologies.

Firewall Filtering Using ACLs

Figure 10-13 illustrates the use of a network firewall to control (or filter) access; this is a common network authorization implementation. An enterprise network is usually divided into separate security domains (also called perimeters or zones)—such as the untrusted Internet zone, the trusted Enterprise Campus zone, public and semipublic server zones, and so forth—to allow a network firewall to control all traffic that passes between the perimeters. Because all traffic must pass through the network firewall, it enforces the network’s access and authorization policy effectively by specifying which connections are permitted or denied between security zones.

Figure 10-13: A Firewall Can Filter Network Sessions

Note

Security domains that are connected to a leg of a firewall and that contain one or more servers are also called demilitarized zones (DMZ). The purpose of a DMZ network is to contain an attacker who has compromised a host so that the firewall again filters all access from the compromised host. This allows the enforcement of an extremely strict connection policy that denies all connections from public servers by default and prevents connectivity to hosts outside the DMZ network. If multiple hosts are located in the same DMZ, LAN switch-based security access control mechanisms such as private VLANs can also effectively restrict communications among such hosts.

For example, the policy for the Internet interface of the firewall in Figure 10-13 is as follows:

• From the Internet, HTTP traffic is permitted to the public web servers, and the public web servers can reply.

• HTTP secured by SSL (HTTPS) traffic from the Internet is permitted to the e-commerce server, and response HTTPS traffic from the e-commerce server is allowed.

• HTTP, FTP, and Telnet traffic initiated from the internal network to the Internet, and responses to this traffic, are allowed.

NAC Framework and Cisco NAC Appliance

NAC allows network access only to compliant and trusted wired or wireless endpoint devices, such as PCs, laptops, servers, and personal digital assistants (PDA), and it can restrict the access of noncompliant devices. Two NAC options are available: the NAC framework and the NAC appliance.

The NAC framework is an industrywide initiative led by Cisco that uses the network infrastructure and third-party software to enforce security policy compliance on all endpoints. The NAC framework is sold through NAC-enabled products, providing an integrated solution that leverages Cisco network products and other vendor products.

The Cisco NAC appliance is a turnkey solution, sold as either a virtual or integrated appliance, to control network access based on user authentication and to provide wired and wireless endpoint compliance with built-in device remediation. The Cisco NAC appliance identifies whether networked devices, such as laptops and PDAs, are compliant with the network security policies. It repairs any vulnerability before permitting the device to access the network.

For example, a Cisco router can act as a network access device (NAD) that intercepts attempts to connect from local or remote users. A Cisco trust agent, installed on a user’s laptop, provides the NAD with pertinent information, such as the version of antivirus software running and the patch level of the laptop’s operating system. The NAD passes this information to a policy server, which decides whether network access will be granted to the laptop; devices not granted access might be quarantined until they meet the NAC standards.

IEEE 802.1x and IBNS

Recall from Chapter 9 that IEEE 802.1X is an open standards–based protocol for authenticating network clients (or ports) based on a user ID or on the device. 802.1X runs between end devices or users (called supplicants) trying to connect to ports, and an Ethernet device, such as a Cisco Catalyst switch or Cisco wireless access point (AP) (called the authenticator). Authentication and authorization are achieved with back-end communication to an authentication server such as Cisco Secure Access Control Server (ACS).

The Cisco IBNS solution supports identity authentication and secure network connectivity, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X port security. Figure 10-14 illustrates the IBNS solution. When the Cisco Catalyst switch (the authenticator) detects that a user (the supplicant) is attempting to connect to the network, the authenticator initiates an Extensible Authentication Protocol over LAN (EAPoL) session, asking the supplicant to provide credentials. The supplicant sends its credentials to the authenticator. The switch (the authenticator) passes the user ID and password to an authentication server using RADIUS.

Figure 10-14: Cisco IBNS Provides Enhancements and Extensions to 802.1X

The authentication server determines whether the user ID and password are valid. It also notes the port to which the user is connected, and the MAC address of the user’s device. If the user ID and password are valid, the authentication server sends a message to the authenticator to allow the user to connect to the network on a specific VLAN, and the user accesses the physical LAN services. If the user ID and password are not valid, the server sends a message to the switch to block the port to which the user is connected.

Identity and Access Control Deployment

Figure 10-15 illustrates examples of where authentication can take place in the Cisco Enterprise Architectures, including the following locations:

• Dialup access points, where any subject can establish a dialup connection to the network; authentication is necessary to distinguish between trusted and untrusted subjects.

• WAN and VPN infrastructures, where network devices authenticate each other on WAN or VPN links, thereby mitigating the risk of infrastructure compromise or misconfiguration. WAN peer authentication usually involves PPP mechanisms and routing protocol authentication. In a VPN, authentication is embedded in the VPN security protocols—most often IPsec and Internet Key Exchange (IKE).

• LAN access, where a network device (switch) authenticates the user, typically with IEEE 802.1X, before allowing access to the switched network.

• Wireless access, where only an authenticated user can establish an association with a wireless AP using IEEE 802.1X.

• Firewall authentication, where users must prove their identity when entering a critical network that is protected by a firewall.

Figure 10-15: Trust and Identity Management

Note

Secure Shell (SSH) supports secure Telnet access between applications and router resources.

Authentication validation should be deployed as close to the network edge as possible, with strong authentication required for access from external and untrusted networks.

Access controls to enforce policy are deployed at various locations:

• Source-specific rules (to any destination) should be applied as close to the source as possible.

• Destination-specific rules (from any source) should be applied as close to the destination as possible.

• Mixed rules, using combinations of specific sources and destinations, should be applied as close to the source as possible.

The principle of least privilege should be followed. This principle is based on the practice by which each subject is given only the minimal rights that are necessary (access permissions) to perform the subject’s tasks. For example, if a user needs to access a particular web server, the firewall should allow that user to access only the specified web server. In reality, however, enterprises often introduce lenient rules that allow subjects greater access than they require, which can result in deliberate or accidental confidentiality and integrity breaches. Highly distributed rules afford greater granularity and overall performance scalability at the cost of management complexity. Centralized rules provide easier management at the cost of scalability.

The principle of defense in depth should also be followed. This principle suggests that security mechanisms should be fault-tolerant; that is, a security mechanism should have a backup security mechanism. This is also called the belt-and-suspenders approach—both the belt and suspenders are used to ensure that the trousers stay up. An example includes using a dedicated firewall to limit access to a resource and then using a packet-filtering router to add another line of defense.

Threat Defense

This section discusses the threat defense element of the Cisco Self-Defending Network. Network security must protect a business from increasing threats such as access breaches, “Day Zero” worm attacks and viruses (the first day of the threat), DoS attacks, man-in-the-middle attacks, Trojan horses, and internal threats. Threats today, both known and unknown, continue to become more destructive and frequent than in the past and can significantly affect business profitability.

Appropriate security technologies and advanced networking intelligence are required to effectively defend against attacks. To be most effective, these technologies must be implemented throughout the network, rather than just in specific products or technologies, because an attack can start anywhere and instantly spread across all network resources.

The Cisco Threat Defense System enhances security in an existing network infrastructure, adds comprehensive security on the endpoints (both server and desktops), and adds dedicated security technologies to networking devices and appliances, proactively defending the business, applications, users, and network and protecting businesses from operation disruption, lost revenue, and loss of reputation. The Cisco Threat Defense System comprises several critical technologies and products, enabling security integrated in routers, switches, and appliances—including firewalls, network-based IPS sensors and detection instrumentation, and traffic isolation techniques. The Cisco Security Agent provides endpoint protection. These technologies and products are described in later sections, after a discussion of physical security.

Physical Security

Physical security is critical to the successful implementation of network security and can significantly influence the strength of the total security design. This section discusses various aspects of physical security and provides guidelines for its successful inclusion in the overall security policy.

Physical Threats

---

Key Point

Physical security is an often-overlooked aspect of network security design; most of the protection is implemented inside network devices. However, physical access to the device or the communications medium can compromise security.

---

Consider the following potential physical threats:

• A network device does not always enforce all its security settings when an attacker accesses the hardware directly (for example, it might allow console access, memory probing, and installation of unreliable software).

• Access to the physical communication medium (such as unrestricted access to a switch port, unrestricted wireless network access, or access to the telecommunications infrastructure) could allow an attacker to impersonate trusted systems and view, intercept, and change data that is flowing in a network.

• An attacker might use physically destructive attacks against devices and networks (such as physical force, attacks on the power network, or electromagnetic surveillance and attacks).

• An attacker might steal a device such as a home office router or laptop computer and use it to access the corporate network.

A good security policy must anticipate possible physical attacks and assess their relevance in terms of possible loss, probability, and simplicity of attack. Figure 10-16 illustrates possible physical breaches of network security. In this sample network, an attacker might do the following:

• Break into the computing center, obtain physical access to a firewall, and then compromise its physical connections to bypass it, or access the console port on some routers or switches and alter their security settings.

• Obtain physical access to the copper media of the corporate WAN or the public switched telephone network (PSTN), and intercept all communications. The attacker could read and change sensitive data that is not protected by cryptography.

• Steal a device, such as a small office/home office (SOHO) router or laptop, and use it to access the corporate network.

Figure 10-16: Physical Security Is Often Overlooked

Physical Security Guidelines

The traditional method of managing the risk of physical compromise is to deploy physical access controls using techniques such as locks or alarms. It is also important to identify how a physical security breach might interact with network security mechanisms. For example, there could be a significant risk if an attacker physically accesses a switch port located in a corporate building and from there has unrestricted access to the corporate network. If, during the development of the security policy, it were incorrectly assumed that only legitimate users could obtain such access, the attacker would be able to connect to the network without authentication and thus bypass network access control.

---

SOHO Wireless Routers

Another risk related to physical security is if users bring their personal SOHO wireless routers to work and connect them to the corporate LAN. Unfortunately, the default settings on many SOHO wireless routers do not have any network security. Therefore, anyone within range of the wireless router (whether inside or outside the building) would be able to associate with it and would be connected to the inside of the corporate network, behind the protected perimeter. This threat can be mitigated by enforcing IEEE 802.1X or other port-based security policies on the corporate campus network.

---

A security designer must identify the consequences of device theft on network security. For example, if a laptop computer is stolen from a roaming user, does it contain cryptographic keys that enable the attacker to connect to the enterprise network while impersonating a legitimate user? Moreover, does the network administrator have some scalable means of revoking such credentials that the attacker could obtain through physical theft?

Sometimes a significant portion of the network infrastructure is beyond the enterprise’s physical control, and physical controls cannot be enforced at the media access level. For example, many enterprises rely on the fact that the physical infrastructure of the service provider’s Frame Relay network is well protected, despite the fact that access to its wire conduits might be obtained easily. To protect communications over such networks, cryptography could be used. Cryptography provides confidentiality, protects the integrity of communication over unsafe networks, and is fully under the enterprise’s control. For example, an enterprise that simultaneously transmits sensitive and nonsensitive data over a Frame Relay network could use IPsec protection for the sensitive traffic and send the other traffic unencrypted.

Another example is a government intelligence agency concerned about the theft of laptops that might contain extremely sensitive data. To manage this risk, the agency deploys robust file encryption software on the laptops; this software decrypts sensitive files only on special request. Sensitive information is therefore hidden from a potential thief, who could otherwise read raw data from the laptop’s disk.

Infrastructure Protection

---

Key Point

Infrastructure protection consists of the measures taken to minimize the risks and threats to which the network elements are exposed so as to preserve the integrity and availability of the network as a transport entity.

---

To meet business needs, it is critical to utilize security features and services to protect the infrastructure so that network devices are not accessed or altered in an unauthorized manner and so that end-to-end network transport and integrated services are available.

Deploying recommended practices and security policy enforcement to harden network devices helps secure the network foundation by protecting network elements and the integrity of their interactions. Cisco has enhanced the Cisco IOS software security features and services for both network elements and infrastructure, to improve the availability of the network elements and the network.

Note

Device hardening is limiting information provided by devices to only the information necessary to support business needs. For example, if it is not necessary for a device to respond to pings, that function should be turned off so that the device will not provide information to hackers.

Secure network infrastructure solutions include ASAs and routers and switches with integrated security.

Infrastructure Protection Deployment Locations

Infrastructure protection practices should be deployed on all network infrastructure devices throughout the network, especially at strategic perimeter points, to control ingress and egress traffic.

Different mechanisms might be available on different platforms, but typically equivalent functions are available on similar devices. More-advanced mechanisms might be available only on higher-end devices.

Recommended Practices for Infrastructure Protection

The following are some recommended practices for infrastructure protection:

• Allow only SSH, instead of Telnet, to access devices.

• Enable AAA and role-based access control (using RADIUS or TACACS+) for access to the command-line interface (CLI) and privileged mode access on all devices.

• Collect and archive syslog messages (event notification messages) from network devices on a syslog server.

• When using Simple Network Management Protocol (SNMP), use SNMP version 3 (SNMPv3) and its authentication and privacy features.

• Disable unused services on network devices, including using the following commands on Cisco IOS devices:

  no service tcp-small-servers

  no service udp-small-servers

  Note

  When the minor TCP/IP servers are disabled using the no service tcp-small-servers command, and a packet trying to access the Echo, Discard, Chargen, and Daytime ports is received, the Cisco IOS software sends a TCP RESET packet to the sender and discards the original incoming packet. When the minor UDP servers are disabled using the no service udp-small-servers command and a packet trying to access Echo, Discard, and Chargen ports is received, the Cisco IOS software sends an “ICMP port unreachable” message to the sender and discards the original incoming packet. These servers are disabled by default.

• Use SSH FTP and Secure Copy (SCP) to move Cisco IOS images and configuration files; avoid using FTP and Trivial File Transfer Protocol (TFTP) when possible.

• Install ACLs on the virtual terminal lines to limit access to management and CLI services.

• Enable protocol authentication in the control plane where it is available. Examples include enabling routing protocol authentication in both Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP), such as in Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol. These routing protocols support Message Digest 5 (MD5) authentication. Other protocols, such as Hot Standby Router Protocol (HSRP) and VLAN Trunking Protocol (VTP), also support authentication.

• Consider using the one-step router lockdown feature in the Cisco Router and Security Device Manager (SDM) to help ensure that all nonessential services in Cisco IOS software are shut off before the Cisco router is connected to the public Internet or a WAN.

  ---

  SDM

  The SDM one-step router lockdown tool might shut off services that it considers nonessential yet prove to be essential in your own enterprise. SDM allows the administrator to view summary information about the suggested changes before the changes are applied. Specific changes can be unchecked as required, and links in the tool to Cisco’s website describe the nature of the suggested changes in greater detail.

  ---

  ---

  AutoSecure

  You might also consider using the Cisco IOS AutoSecure feature when using the command-line interface. AutoSecure is an interactive script that is more granular in its settings than the one-step router lockdown tool in SDM.

  ---

• Perimeter routers should implement ingress traffic filtering to prohibit DoS attacks, which use forged IP addresses to propagate from the Internet. RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, specifies current Internet best practices for ingress traffic filtering.

• All switches should be configured to support bridge protocol data unit guard and root guard, and the VTP mode should be set to transparent.

• More-advanced protection mechanisms, such as DAI and DHCP snooping, might be available only on higher-end switches. When supported, infrastructure devices should consider implementing control plane policing (CoPP) to manage the traffic flow of control plane packets on Cisco IOS routers and switches to limit reconnaissance and DoS attacks.

Threat Detection and Mitigation

Threat detection and mitigation technologies provide early detection and notification of unpredicted malicious traffic or behavior. The goals of these technologies include the following:

• Detecting, notifying, and helping stop events or traffic that are unauthorized and unpredictable

• Helping preserve the network’s availability, particularly against unknown or unforeseen attacks

Threat Detection and Mitigation Technologies

The following are some of the threat detection and mitigation technologies available:

• Network-based intrusion prevention systems (NIPS), such as the ASA, IPS appliances, and Cisco IOS IPS

• Host-based intrusion prevention systems (HIPS), such as Cisco Security Agent

• NetFlow

• Syslog

• Event-correlation systems, such as Cisco Security Monitoring, Analysis, and Response System (MARS)

• Cisco Traffic Anomaly Detector Module

These threat detection and mitigation technologies provide many network security functions, including the following:

• Endpoint protection: Viruses and worms frequently create network congestion as a byproduct of rapid propagation and infection of endpoints. The Cisco Security Agent therefore becomes a first-order dampener of the effects of virus and worm propagation. A second and equally compelling reason for deploying Cisco Security Agent is that it establishes a presence on endpoints that can be used to establish a feedback loop between the endpoint and the network, resulting in a network that rapidly adapts to emerging threats. In addition, antivirus software allows hosts to detect and remove infections based on patterns.

• Infection containment: The Cisco ASA 5500 Series ASAs, Cisco PIX 500 Series Security Appliances, Cisco Catalyst 6500 Series Firewall Services Module (FWSM), and the firewall feature set in Cisco IOS software protect the network perimeter and create islands of security on the internal network. Strong network admission policies are important but are not a cure-all and therefore do not eliminate the need to continue monitoring devices after they enter a network. Determined attackers can evade just about any admission check, and the network cannot always rely on, or trust, an infected element to turn itself in. Compliant devices might also become infected through a variety of ways when on a network (for example, a universal serial bus key with infected content could infect another device). To help protect the network further, the Cisco Self-Defending Network is designed to extend the security checks performed by NAC at the time of network admission for the duration of the network connection. The Cisco Self-Defending Network also relies on other network elements, including other endpoints, to detect when another endpoint is no longer trustworthy.

• Inline intrusion and anomaly detection: An important area of ongoing security development is network intrusion detection systems (NIDS). One of the first Cisco innovations in this area was to integrate an NIDS into Cisco router and switch platforms. NIPSs with inline filtering capabilities provide even more protection. NIPSs provide a mechanism to remove unwanted traffic with fine-grained programmable classification engines. Examples of these devices are the Cisco IPS 4200 Series Sensors, the Cisco Catalyst 6500 Series IDS Module (IDSM-2), and the Cisco IOS IPS, which quickly identify, analyze, and stop malevolent traffic. The Cisco Traffic Anomaly Detector XT and Guard XT appliances and the Cisco Catalyst 6500/Cisco 7600 Traffic Anomaly Detector Module and Anomaly Guard Module are further examples of capabilities that help ensure business continuity in the event of DDoS attacks.

• Application security and anti-X defense: Over the past several years, a number of new application-layer network products have emerged to help protect against new classes of threats that were not adequately addressed by classic firewall and NIDS products, including viruses and worms, e-mail-based spam, phishing, and spyware, web services abuse, IP telephony abuse, and unauthorized peer-to-peer activity. Packet- and content-inspection security services on firewalls and IPS appliances help deal with these types of threats and misuse. This convergence brings granular traffic-inspection services to critical network security enforcement points, containing malicious traffic before it can be propagated across the network.

Note

Anti-X services refers to unified antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering. For example, the Content Security and Control security services module (CSC-SSM) for the Cisco ASA 5500 Series provides a comprehensive set of anti-X services.

Threat Detection and Mitigation Solution Deployment Locations

Threat detection and mitigation solutions can be deployed throughout the network, as illustrated in Figure 10-17.

Figure 10-17: Threat Detection and Mitigation Solution Deployment Locations

In this example, the perimeter Internet WAN router is the first line of defense in a worm attack. A network management station detects an increase in network load through SNMP or NetFlow events from the perimeter router.

Specific ACLs can be applied on this router to identify the attack type. NIPSs can use deep packet examination to determine the specific nature of the attack. HIPSs are typically implemented in software, whereas NIPSs are typically appliances or software features in a network device. Both IPS implementations use inline signature-based attack detection. HIPSs can also be used to provide host policy enforcement and verification.

A stateful firewall can be used to block the attack locally, until the Internet service provider (ISP) shuts down the attack. A key element of a successful threat detection and mitigation system is understanding when to look at which information from sources such as NetFlow, Syslog, SNMP traps, changes in SNMP values and thresholds, and Remote Monitoring (RMON).

A good security information manager such as Cisco Security MARS helps aggregate this data and present it in a useful format.

Secure Connectivity

This section discusses the secure connectivity element of the Cisco Self-Defending Network.

---

Key Point

Secure connectivity relies on privacy and data integrity.

---

Ensuring the privacy and integrity of all information is vital to today’s businesses. Increased network connectivity results in increased exposure. As organizations adopt the use of the Internet for intranet, extranet, and teleworker connectivity—such as broadband always-on connections—maintaining security, data integrity, and privacy across these connections is a paramount requirement. LAN connections, traditionally considered trusted networks, now also require higher levels of security. In fact, internal threats are said to be ten times more financially damaging than external threats. Preserving the confidentiality and integrity of the data and applications that traverse the wired or wireless LAN needs to be an important part of business decisions.

The Cisco secure connectivity systems use encryption and authentication capabilities to provide secure transport across untrusted networks. To protect data, voice, and video applications over wired and wireless media, Cisco offers IPsec, SSL, SSH, and Multiprotocol Label Switching–based VPN technologies in addition to extensive security capabilities incorporated into Cisco wireless and IP telephony solutions to help ensure the privacy of IP communications.

Encryption Fundamentals

---

Key Point

Cryptography provides confidentiality through encryption, which is the process of disguising a message to hide its original content.

---

With encryption, plain text (the readable message) is converted into ciphertext (the unreadable, disguised message); decryption at the destination reverses this process. Figure 10-18 illustrates this process.

Figure 10-18: Encryption Protects Data Confidentiality

The purpose of encryption is to guarantee confidentiality; only authorized entities can encrypt and decrypt data. With most modern algorithms, successful encryption and decryption require knowledge of the appropriate cryptographic keys. A sample use of data encryption is when the IPsec encryption algorithm is used to hide the payload of IP packets.

Encryption Keys

---

Key Point

For encryption and decryption to work, devices need keys. The sender needs a key to lock (encrypt) the message, and the receiver needs a key to unlock (decrypt) the message.

Two secure ways to ensure that the receiving device has the correct key are the use of shared secrets and the Public Key Infrastructure (PKI).

---

With shared secrets, both sides know the same key. The encryption key can either be identical to the decryption key or just need a simple transformation to create the decryption key. The keys represent a shared secret between two or more parties that can be used to maintain a private information link. The key is carried out-of-band to the remote side; for example, one user might telephone the other to tell him or her what the key is. Although this is the easiest mechanism, it has some inherent security concerns. Because the keys are potentially subject to discovery, they need to be changed often and kept secure during distribution and while in service. Reliably selecting, distributing, and maintaining shared keys without error or discovery can be difficult.

PKI uses asymmetric keys, in which the encryption key is different from the decryption key. Most PKI systems rely on certificates to establish a party’s identity and its public key; certificates are issued by a centralized certificate authority (CA) computer whose legitimacy is trusted. Each unique pair of public and private keys is related but not identical.

---

Key Point

Data encrypted with a public key can be decrypted only with the corresponding private key, and data that is encrypted with a private key can be decrypted only with the corresponding public key.

In PKI, data encrypted with the public key cannot be decrypted with the public key.

---

Parties that need to encrypt their communications exchange their public keys (contained in certificates) but do not disclose their private keys. The sending party uses the receiving party’s public key to encrypt the message data and forwards the ciphertext (the encrypted data) to the receiving party. The receiving party then decrypts the ciphertext with its private key. PKI encryption is widely used in e-commerce sites.

VPN Protocols

IPsec and SSL are the two common VPN protocols. IPsec VPNs are built directly on the IP layer using protocol 50, the Encapsulating Security Payload, to encrypt traffic. IPsec VPNs use the IKE protocol to exchange keys; IKE normally uses PKI certificates. IPsec requires both communicating endpoints to run software that understands IPsec. Most routers and security appliances currently support high-speed IPsec.

SSL VPNs are built on top of the TCP layer using port 443, the HTTPS port. SSL VPNs are used extensively to provide confidentiality for web traffic and are supported by all major browsers.

Transmission Confidentiality: Ensuring Privacy

Transmission confidentiality protects data as it is transported over unsafe networks. When connecting trusted and untrusted networks (for example, when connecting a corporate network to the Internet), data can be transmitted among trusted subjects over untrusted networks. Untrusted networks do not allow implementation of classic access control mechanisms, because a corporation does not have control over users and network resources in the untrusted network. Therefore, the transmitted data must be protected to ensure that no one in the untrusted network can view it (violate its confidentiality) or change it (violate its integrity). Modern network security relies on cryptography to provide confidentiality and integrity for transmitted data.

The network shown in Figure 10-19 shows a connection of two sites over an untrusted network, the Internet. To provide data confidentiality, a VPN technology that supports encryption creates a secured point-to-point association of the sites over the Internet. All packets that leave one site are encrypted, forwarded through the untrusted network, and decrypted by a device on the remote site. Anyone who eavesdrops on the untrusted network should not be able to decrypt the packet payloads to read sensitive data.

Figure 10-19: Transmission Confidentiality Provided by Encryption

Transmission Confidentiality Guidelines

Following are some specific cryptography guidelines to consider when designing and implementing a solution for transmission confidentiality:

• Cryptography can become a performance bottleneck, and careful analysis is required to determine where data should be protected. In general, if confidential or sensitive data travels over a network where an attacker could easily intercept communications (such as a network outside of the organization’s physical control or a network where device compromises are likely), communications must be protected as the security policy defines.

• Modern cryptography algorithms can now be exported, although some might still be subject to controls, depending on legal regulations. Use the strongest available cryptography to provide sufficient protection. Be cautious, however; some cryptographic algorithms allow you to specify extremely long key lengths, which, at some point, do not provide worthwhile confidentiality improvements over shorter keys.

• Use only well-known cryptographic algorithms, because only well-known algorithms that have been tested and analyzed are considered trustworthy. Examples of well-known algorithms are Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4). In general, do not trust any algorithms that claim to represent a security breakthrough; these are often extremely weak and easily broken.

  Note

  The data encryption standard (DES) uses a 56-bit key. 3DES encrypts the data three times, with up to three different keys.

• Do not forget that encryption provides only confidentiality, and most organizations consider data integrity and authenticity equally important security elements. If possible, use both confidentiality- and integrity-guaranteeing cryptographic algorithms.

For example, to lower communication costs, a health insurance company decides to connect some of its branch offices to its headquarters over the Internet. The company must protect patient record confidentiality; because attackers on the Internet can intercept communications, the company implements a VPN using the strongest possible encryption algorithms to guarantee data confidentiality. In the event of interception, it is unlikely that the attacker can decrypt messages that are protected with modern cryptographic algorithms such as 3DES, AES, or RC4.

Maintaining Data Integrity

Cryptography also provides data integrity mechanisms to protect data in transit over untrusted networks. Cryptographic protocols, such as secure fingerprints and digital signatures, can detect any integrity violation of sensitive data.

---

Key Point

Secure fingerprints attach a cryptographically strong checksum to data. This checksum is generated and verified using a secret key that only authorized subjects know.

---

By verifying the checksum of received data, an authorized subject can verify data integrity. For example, a method of secure fingerprints known as a Hash-Based Message Authentication Code (HMAC) is implemented in the IPsec standard to provide packet integrity and authenticity in IP networks. The HMAC method is very fast and is suitable for real-time traffic protection (for both integrity and authentication).

---

Key Point

Digital signing of data uses a cryptography method that attaches a digital signature to sensitive data. This signature is generated using a unique signature generation key that is known only to the signer, not to anyone else. Other parties use the signer’s signature verification key to verify the signature.

---

The cryptography behind digital signing guarantees the data’s authenticity and the fact that the data has not been modified since it was signed. In the financial world, digital signatures also provide nonrepudiation of transactions, in which a subject can prove to a third party that a transaction has indeed occurred. Digital signature protocols are based on public-key cryptography and, because of their performance limitations, are not used for bulk protection.

Figure 10-20 illustrates a connection between two network sites over the Internet. To provide data integrity, a VPN that supports secure fingerprinting is used to create a secured point-to-point association over the Internet. All packets that leave one site are imprinted with a secure digital fingerprint (similar to a very strong checksum) that uniquely identifies the data at the sender’s side. The packets are forwarded onto the untrusted network, and a device on the remote site verifies the secure fingerprint to ensure that no one has tampered with the packet. Anyone who eavesdrops on the untrusted network should not be able to change the packet payloads; therefore, they should not be able to change sensitive data without being detected.

Figure 10-20: Secure Fingerprints Ensure Data Integrity

Transmission Integrity Guidelines

Following are some guidelines for using data integrity cryptography mechanisms, which are similar to those for confidentiality mechanisms:

• Carefully evaluate the need for integrity and enforce only where justified by potential threats.

• Use the strongest available mechanisms for integrity, but take the performance effects into account.

• Use only established and well-known cryptographic algorithms.

For example, consider an organization that must transmit stock market data over the Internet. Confidentiality is not its main concern; rather, its primary risk lies in the possibility of an attacker changing data in transit and presenting false stock market data to the organization. Because e-mail is the organization’s preferred data exchange application, it decides to implement digital signatures of all e-mail messages when exchanging data among partners over the Internet.

Security Management

This section provides an overview of security management.

---

Key Point

A secured network must be managed securely.

---

Security management applications and technologies are used to monitor and control the network, including performing the following tasks:

• Collecting, analyzing, and presenting network data to network managers. The tools used should allow for centrally storing and analyzing audit results, including logs and traps. In addition to logging using the syslog protocol, IDSs can be used to provide automatic correlation and in-depth visibility into complex security events, saving administrators a considerable amount of time.

• Structured deployment and provisioning of security policies on security devices.

• Maintaining consistency and change control of policies.

• Providing roles-based access control and accounts for all activities, and implementing change control and monitoring to prevent accidental damage.

Organizations must audit changes made and ensure that new versions of device configurations and device software are installed according to corporate policies.

Security implementation is only as good as the security policies being implemented. The biggest risk to security in a properly planned network architecture is an error in the security policy. Network management personnel must be aware of the security policies and defined operational procedures so that they can respond to an incident quickly, reliably, and appropriately.

Cisco Security Management Technologies

The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including configuration, monitoring, analysis, and response. The key components of this suite include the following:

• Cisco Security Manager: Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and IPS policies on Cisco security appliances, firewalls, routers, and switch modules. Using a GUI, Cisco Security Manager allows security policies to be easily configured per device, per device group, or globally.

• Cisco Security MARS: Cisco Security MARS is an appliance-based solution that allows network and security administrators to monitor, identify, isolate, and counter security threats. Cisco Security MARS obtains network intelligence by understanding the topology and device configurations from routers, switches, NetFlow, IPS, firewalls, and other network devices and by profiling network traffic. The integrated network discovery in the system builds a topology map containing device configuration and current security policies that enables Cisco Security MARS to model packet flows through the network. Because the appliance does not operate inline and makes minimal use of existing software agents, there is minimal impact on network or system performance.

These products are built on an architecture that facilitates integration with other security management tools, such as the following:

• Cisco SDM: Cisco SDM is a web-based device-management tool for Cisco routers that can improve the productivity of network managers; simplify router deployments for integrated services such as dynamic routing, WAN access, WLAN, firewall, VPN, SSL VPN, IPS, and quality of service (QoS); and help troubleshoot complex network and VPN connectivity issues. Cisco SDM supports a wide range of Cisco IOS Software releases and is available free of charge on Cisco router models from Cisco 830 Series Routers to Cisco 7301 Routers.

• Cisco Adaptive Security Device Manager (ASDM): Cisco ASDM provides security management and monitoring services for the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances (running Cisco PIX Security Appliance Software Release 7.0 or later) and the Cisco Catalyst 6500 Series Firewall Services Modules (FWSM version 3.1 or later) through an intuitive, easy-to-use web-based management interface. Cisco ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services.

• Cisco Intrusion Prevention System Device Manager (IDM): Cisco IDM is a web-based Java application that allows configuration and management of IPS sensors. The web server software for Cisco IDM resides on the sensor and is accessed through Netscape or Internet Explorer web browsers with SSL. The whole range of IPS v5.0-capable platforms can be managed using Cisco IDM.

• CiscoWorks Management Center for Cisco Security Agents: Using Management Center for Cisco Security Agents (a component of the CiscoWorks VPN/Security Management Solution), network devices are assembled into specified groups, and then security policies are attached to those groups. All configuration is done through the web-based user interface and then is deployed to the agents. The Management Center for Cisco Security Agents software is installed on a system that maintains all policy and host groups. The administration user interface is accessed securely using SSL from any device on the network that can connect to the server and run a web browser. The web-based interface is used to deploy policies from the Management Center for Cisco Security Agents software to agents across the network.

• Cisco Secure Access Control Server: Cisco Secure ACS provides identity-based services that provide centralized control for role-based access to all Cisco devices and security management applications, including Cisco IOS routers, VPNs, firewalls, dialup and DSL connections, cable access solutions, storage, content, VoIP connections, Cisco wireless solutions, and Cisco Catalyst switches.