Cisco Client Security Software
Cisco has four client security software applications that support network security:
-
Cisco NAC Appliance Agent (NAA): Is an optional client-side component of the Cisco NAC Appliance system. It is a read-only client that delivers device-based Registry scans on unmanaged environments. The agent enhances posture assessment functions and streamlines remediation. It is a free download provisioned over the Internet. Many customers who use the Cisco NAC Appliance Agent NAA often require a new download before network access is granted. It works only with Cisco NAS.
-
Cisco Security Agent: Is security software that provides threat protection for server and desktop computing systems. The Cisco Security Agent identifies and prevents malicious behavior before it can occur, thereby removing potential known and unknown security risks that threaten enterprise networks and applications. It also provides the capability at the endpoint to apply QoS markings to application network traffic as specified by Cisco Security Agent policy rules. These markings can be used by Cisco IOS devices upstream in the enterprise network to classify the packets and apply QoS service policies such as policing and queuing. Cisco Security Agent integrates with NAC Framework and Cisco Security Monitoring, Analysis, and Response System (MARS) to support threat identification and investigation across the network. The Cisco Trust Agent client software may be installed as part of the Cisco Security Agent installation.
-
Cisco Secure Services Client (SSC): Is client software that supports the deployment of a single authentication framework on multiple device types, for access to both wired and wireless networks. As a component of the Cisco Unified Wireless Network, the SCC performs the following functions:
-
Provides a single authentication framework for multiple device types on the basis of the 802.1x standard
-
Supports leading security standards such as Wi-Fi Protected Access (WPA), WPA2, and Extensible Authentication Protocol (EAP)
-
Supports Windows 2000 and Windows XP
-
Provides an end-to-end authentication service when combined with the Cisco Secure ACS
-
Fully integrates with the Cisco Unified Wireless Network access points and wireless LAN controllers
-
Supports third-party credential databases
-
Protects network endpoint devices
-
Enforces security policies
-
-
Cisco Trust Agent: Is client software that must be installed on hosts whose host policy state requires validation prior to permitting network access under the NAC Framework. A core component of the NAC Framework, Cisco Trust Agent allows NAC to determine whether Cisco Security Agent, antivirus software, or other required third-party security or management software is installed and current. It also provides information about the operating system version and patch level. As a component of the NAC Framework, the Cisco Trust Agent performs the following functions:
-
Acts as a middleware component that takes host policy information and securely communicates the information to the AAA policy server
-
Interacts directly with “NAC-enabled” applications running on the host without user intervention
-
Can communicate at Layer 3 or Layer 2 using built-in communication components
-
Includes an 802.1x supplicant for Layer 2 communications in wired environments
-
Authenticates the requestor through encrypted communications with the AAA server
-
Allows customers to build scripts for custom information gathering
-
Integrates with Cisco Security Agent and can be distributed by NAC participants with their applications for simplified management and distribution
-
Includes a lightweight version of the Cisco SSC client
-
Designing Intrusion-Detection and -Prevention Services
Cisco intrusion-detection and -prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect networks. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and at the endpoint.
This section provides an overview of intrusion-detection systems (IDS) and intrusion-prevention systems (IPS) used in enterprise networks.
IDS and IPS Overview
This topic provides an overview of IDS/IPS.
IPS and IDS systems can be a hardware appliance or part of the Cisco IOS Firewall software. Cisco IPS software is usually capable of both inline (IPS feature) and promiscuous (IDS feature) monitoring, whereas Cisco IDS software is capable only of promiscuous (IDS feature) monitoring.
Intrusion-Detection Systems
IDSs passively listen to network traffic, as shown in Figure 8-26. The IDS is not in the traffic path, but listens promiscuously to copies of all traffic on the network. Typically, only one promiscuous interface is required for network monitoring on an IDS. Further promiscuous interfaces could be used to monitor multiple networks. When IDS detects malicious traffic, it sends an alert to the management station. An IDS may also have the capability of sending a TCP reset to the end host to terminate any malicious TCP connections.
In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices (for example, routers and firewalls) to respond to an attack.
Intrusion-Prevention Systems
IPSs are active devices in the traffic path, as shown in Figure 8-26. An IPS listens to inline network traffic and permits or denies flows and packets into the network. The inline interfaces have no MAC or IP address and cannot be detected directly. All traffic passes through the IPS for inspection. Traffic arrives on one IPS interface and exits on another. When an IPS detects malicious traffic, it sends an alert to the management station and can block the malicious traffic immediately. The original and subsequent malicious traffic is blocked as the IPS proactively prevents attacks protecting against network viruses, worms, malicious applications and vulnerability exploits. An IPS resembles a Layer 2 bridge or repeater. By default, an IPS passes all packets unless specifically denied by a policy.
Operating in inline interface pair mode puts the IPS directly into the traffic flow and affects packet-forwarding rates, making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on Layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop or block attacks that would normally pass through a traditional firewall device.
IDS and IPS Overview
There are two major components in an IDS or IPS solution:
-
Sensors: Can be either host based, such as the Cisco Security Agent, or network based, such as an IPS appliance. The network-based sensors use specialized software and hardware to collect and analyze network traffic. The network-based sensors can be appliances, modules in a router, or a switch or security appliance. There are three common types of IDS/ or IPS technologies:
-
A signature-based IDS or IPS looks for specific predefined patterns or signatures in network traffic. Traffic patterns are compared to a database of known attacks and trigger an alarm or drop traffic if a match is found.
-
An anomaly-based IDS or IPS checks for defects or anomalies in packets or packet sequences and verifies whether there is any anomaly traffic behavior.
-
A policy-based IDS or IPS is configured based on the network security policy and detects traffic that does not match the policy.
-
-
Security management and monitoring infrastructure: Configures the sensors and serves as the collection point for alarms for security management and monitoring. The management and monitoring applications performs alert collection, aggregation, and correlation. Cisco Security Manager is used to centrally provision device configurations and security policies for Cisco firewalls, virtual private networks (VPN), and IPSs and provides some light monitoring functions. Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications. Cisco IPS Device Manager (IDM) is a web-based Java application that allows configuration and management of IPS sensors. IDS Event Viewer is a Java-based application that enables network managers to view and manage alarms for up to five sensors.
Note | The Cisco IPS Device Manager has been replaced with the Cisco IPS Manager Express. The IPS Manager Express (IME) combines the IDM with the IDS Event Viewer, while adding enhanced health monitoring and the ability to manage up to five sensors. IME requires 6.1 sensor software release to provide the advanced dashboard and health monitoring features. IME is not designed to work with Cisco IOS Software sensor implementations. For more information, refer to http://www.cisco.com/en/US/products/ps9610/index.html. |
Host Intrusion-Prevention Systems
Host intrusion-prevention system (HIPS) deployments include two components:
-
Endpoint agents: Enforces the security policy received from management server. Endpoint agents send event information to the management server, and interact with the user if necessary. The goal of an endpoint agent is to provide threat protection for the end system. Cisco Security Agent is the Cisco endpoint agent that provides threat protection for server and desktop computing systems. Cisco Security Agent consists of host-based agents that report to the Cisco Management Center for Cisco Security Agents. The Cisco Security Agent software resides between the applications and the kernel on a PC, enabling maximum application visibility with minimal impact to the stability and performance of the underlying operating system.
-
Management server: Deploys security policies to endpoints. The management server is responsible for configuring and maintaining the environment. The server receives and stores events information, and sends alerts to administrators. The management server may deploy software such as endpoint agent software updates. The interface to a HIPS management server is typically a GUI console that allows policy configuration and event viewing. For highly scalable environments, it is possible to have a dedicated database running where the configuration and event information is stored. The management center for Cisco Security Agents provides all management functions for Cisco Security Agent deployments.
IDS and IPS Design Considerations
The underlying security policy should be the same for an IDS or an IPS deployment. To deny traffic, an IPS solution must be deployed inline with the network, whereas an IDS sensor is connected in promiscuous mode, where packets do not flow through the sensor. The IDS sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. If your security policy does not support denying traffic, use an IDS deployment.
Note | It is common practice to deploy a sensor initially in IDS mode while baselining the network. |
IDS or IPS sensors are placed in the network where they can effectively support the underlying security policy. Deployment decisions are often based on where you need to detect or stop an intrusion as soon as possible. Typical scenarios include placing the sensors at the perimeter of the network outside a firewall where the network is most exposed, internal to the network inside the firewall between boundaries between zones of trust, and at critical servers where an incident would be most costly. For example, placement outside the firewall generates many warnings that have relatively low value because no action is likely to be taken on this information.
Note | Some environments deploy an IDS outside the firewall to assist in event correlation and to determine the effectiveness of the firewall. Sensor placement depends on an organization’s security policy, which is a reflection of that organization’s security needs. |
Traffic impact considerations are increased with inline IPS sensors over IDS deployments. A failure of the IDS means traffic monitoring has stopped. A failure of the IPS can disrupt network traffic flow unless bypass methods are implemented. An IPS deployment also impacts inline traffic. The latency through the IPS sensor should generally be under a millisecond and as low as possible. The IPS sensors have bandwidth limitations on the amount of traffic that can be supported through the device. Exceeding the performance of a sensor will result in dropped packets and a general degradation of network performance.
IDS or IPS Deployments
IDS or IPS sensors can be deployed based on the priority of targets. Internet and extranet connections are typically secured first because of their exposure. An IDS outside the firewall can detect all attacks and will generate a lot of alarms, but is useful for analyzing what kind of traffic is reaching the organization and how an attack is executed. An IDS inside the firewall can detect firewall misconfigurations by showing what kind of traffic passes through the firewall. An IPS can provide more focused application protection and firewall augmentation for extranet and DMZ resources.
Management networks and data centers are often next in priority. A layered approach for maximum protection is appropriate for the high-security areas. There might be one system installed after the firewall and a second system at the entry point to the high-security area, such as the data center. Host-specific IDS can detect attacks against a specific server. An IPS can be used to block application-specific traffic, which should not reach the server.
IPS deployments at remote and branch offices can both protect the branch from corporate incidents and protect the corporate resources from security incidents arising from branch practices. Remote-access systems need protection, too.
IPS Appliance Deployment Options
When you are placing an IPS sensor in an enterprise network, you have multiple options available depending on the infrastructure and the desired results. Figure 8-27 illustrates each of the following options:
-
Two Layer 2 devices (no trunk): Sensor placement between two Layer 2 devices without trunking is a typical campus design. In this deployment, the IPS appliance is placed between two switches. The IPS can be between the same VLAN on two different switches or between different VLANs with the same subnet on two different switches. Scenarios include placement between different security zones in a campus environment or between critical devices in a data center.
-
Two Layer 3 devices: Sensor placement between Layer 3 devices is common in Internet, campus, and server farm designs. The two Layer 3 devices are in the same subnet. One advantage in these scenarios is the ease of configuration because the integration can take place without touching any other device.
-
Two VLANs on the same switch: This design allows a sensor to bridge VLANs together on the same switch. The sensor brings packets in on one VLAN and out a different VLAN for traffic in the same subnet.
-
Two Layer 2 devices (trunked): Sensor placement on a trunk port between switches is a common scenario providing protection of several VLANs from a single location.
Note | Deployments using IPS modules follow the same general guidelines as deployments for IPS appliances. |
Feature: Inline VLAN Pairing
The IPS can associate VLANs in pairs on a physical interface. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. The sensor brings packets in on one VLAN and out a different VLAN on the same trunk link for traffic in the same subnet. The sensor replaces the VLAN ID field in the IEEE 802.1Q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. This design supports multiple VLAN pairs per physical interface and reduces the need to have many physical interfaces per chassis.
Note | VLAN pairs are supported on all sensors that are compatible with IPS 6.0 except Cisco IDS Network Module, Cisco ASA AIP-SSM-10, and Cisco ASA AIP-SSM-20. |
IPS Deployment Challenges
Asymmetric traffic patterns and high availability are challenges for IPS deployments.
Traditional packet flows in a network are symmetrical and consist of connections that take the same path through the network in both directions. Many newer network designs do not guarantee symmetrical flows, and engineer the network to take advantage of all available links. This greatly increases the chance that traffic may use multiple paths to and from its destination.
This asymmetric traffic flow can cause problems with inline IPS devices. Because an IPS sensor inspects traffic statefully and needs to see both sides of the connection to function properly, asymmetric traffic flows may cause valid traffic to be dropped.
High availability is another deployment challenge. A failure of any redundant component in the network should not cause an interruption in network availability. This implies that existing sessions should continue to flow normally and not be dropped.
The current Cisco IPS 6.0 solutions do not support asymmetric flows or high availability natively in the product. A design workaround uses the network to mirror all traffic between two sensors in a “failover” pair. The IPS sensors in the pair see all packets traversing a point in the network. If one sensor fails for any reason, the network reroutes all traffic through the other sensor because it is the only available path. The secondary sensor has already seen all the packets and has built a complete state table for the flows, so traffic is not interrupted. Asymmetric traffic is also supported by this mirroring technique.
IDS or IPS Management Interface Deployment Options
Monitoring an IDS or IPS solution is one of the crucial elements to provide fast detection of any suspicious activity and an indication of prevented attacks. IDS or IPS management consolidates and centralizes alarms from multiple sources to provide the required view of the network.
On the network boundary, the sensors are usually installed adjacent to a firewall. The monitoring and management interfaces of an IPS sensor can therefore be connected to two different networks. This is especially critical when the outside sensor needs to communicate with the inside network.
One option is to connect the monitoring interface to the outside network, and the management interface is directly connected to the inside network. All management is done in-band over the internal network. This type of setup is simple, but provides a path around the firewall if the sensor is compromised. This design is not recommended.
A preferred design places the monitoring interface on the outside network, and the management interface on a separate inside VLAN. With this setup, the management interface is isolated by an IPS management VLAN from the rest of the inside network. If the VLAN is sufficiently trusted, this design provides good separation of the IDS or IPS sensor. A recommended practice is to use Secure Shell (SSH) or Secure Sockets Layer (SSL) protocol for management access to the IDS or IPS sensors.
Note | Using PVLANs to put all sensors on isolated ports is recommended because the sensors do not need to talk to each other except when distributed blocking is used. This prevents the compromise of a single sensor, which helps to prevent other sensors from being compromised. |
In-Band Management Through Tunnels
Another option for deploying IDS or IPS uses a combination of management through an OOB network and management through secure tunnels depending on the location of the sensors.
For devices outside the perimeter firewall, the monitoring interface remains on the outside network, but the management interface is terminated on a separate DMZ. Management is supported in-band across an encrypted tunnel. The firewall protects the outside sensor from the inside devices and provides better separation compared to the previous solution. For internal devices in more secure areas, management is provided through a separate management VLAN.
IDS and IPS Monitoring and Management
Cisco Security MARS and Cisco Security Manager (CSM) are part of the Cisco Security Management Suite, which delivers policy administration and enforcement for the Cisco Self-Defending Network. Both tools should be implemented in the management VLAN in a protected place such as the server farm or data center.
Cisco Security MARS provides multivendor event correlation and proactive response, distributing IPS signatures to mitigate active threats. Cisco Security MARS proactively identifies active network threats and distributes IPS signatures to mitigate them:
-
Cisco Security MARS ships with a set of predefined compliance reports that are easy to customize.
-
Cisco Security MARS stores event information from every type of device. This information can be grouped in one single report.
For a small to medium-size organization, a centralized Cisco Security MARS implemented as a local controller is a typical deployment.
Note | In CS-MARS, a local controller is the name given to the hardware appliance that supports the features discussed in this section for monitoring, analysis, and response. The global controller is an appliance used to support the centralized operation and management of multiple local controllers in distributed deployments. |
CSM enables organizations to manage security policies on Cisco security devices. CSM supports integrated provisioning of VPN and firewall services across Cisco IOS routers, Cisco PIX and ASA security appliances, and Cisco Catalyst 6500/Cisco 7600 service modules. It also supports IPS technologies on routers, service modules, and IPS devices. CSM supports provisioning of many platform-specific settings (for example, interfaces, routing, identity, QoS, and logging).
CSM, through its Cisco IPS Manager component, supports the management and configuration of Cisco IPS sensors (appliances, switch modules, network modules, and Security Service Modules [SSM]) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers [ISR]). You configure IPS sensors and Cisco IOS IPS devices through the use of policies, each of which defines a different part of the configuration of the sensor. Whereas CSM 3.0 allowed you to cross-launch the CiscoWorks IPS Management Center to access IPS functionality, Cisco Security Manager 3.1 provides fully integrated IPS features.
Cisco Security Manager 3.1 enables you to manage security policies on Cisco security devices. CSM supports integrated provisioning of firewall, IPS, and VPN (site to site, remote access, and SSL). It provides integrated IPS provisioning services. Starting in version 3.1, Cisco Security Manager supports Cisco IPS 5.1 and 6.0; and Cisco IOS Firewall IPS features in Cisco IOS Software Release 12.4(11)T. It provides support for the following features on IPS 6.0 devices:
-
Virtual sensors
-
Anomaly detection
-
Passive operating system fingerprinting
-
Simplified custom signature creation
-
Signature update wizard, preview and tuning of new signatures
-
IPS signature update license management
-
External product interface (linkage of IPS sensor with Management Center for Cisco Security Agent)
Scaling Cisco Security MARS with Global Controller Deployment
The Cisco Security MARS Global controller enables network monitoring scaling, as shown in Figure 8-28.
If an organization is supporting multiple Cisco Security MARS local controllers, they can deploy a distributed solution using a global controller to summarize the findings of two or more local controllers and manage the local controllers.
The global controller communicates over HTTPS using certificates. Only incidents from global rules are rolled up into the global controller. The global controller can distribute updates, rules, report templates, access rules, and queries across the local controller.
Summary
In this chapter, you learned about firewalls, Network Admission Control, and intrusion-prevention and -detection systems.
Firewalls have long provided the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about network access rights for users to the connection information surrounding each access attempt. User policies and connection information must match; otherwise, the firewall does not grant access to network resources.
NAC is a set of technologies and solutions that is built on an industry initiative led by Cisco. The NAC Framework uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware by using embedded software modules within NAC-enabled products. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices. Cisco NAC Appliance condenses NAC capabilities into an appliance form where client, server, and manager products enable network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines before allowing users onto the network.
Cisco intrusion-detection and -prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect networks. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and at the endpoint.
References
For additional information, refer to these resources:
-
Cisco Systems, Inc. “Cisco Catalyst 6500 Series Firewall Services Module,” at http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/index.html
-
Cisco Systems, Inc. “Network Admission Control (NAC) Framework,” at http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
-
Cisco Systems, Inc. “Release s for Network Admission Control, Release 2.0,” at http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/ntadctrl/nac20rn1.pdf
-
Cisco Systems, Inc. “Cisco NAC Appliance (Clean Access) Releases,” at http://www.cisco.com/en/US/products/ps6128/prod_release_s_list.html
-
Cisco Systems, Inc. “Switch Support for Cisco NAC Appliance,” at http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/switch.htm
-
Cisco Systems, Inc. “Cisco NAC Appliance Data Sheet,” at http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1650/cdccont_0900aecd802da1b5.pdf
-
Cisco Systems, Inc. “Cisco Intrusion Prevention System,” at http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html.
-
Cisco Systems, Inc. “Cisco Secure Services Client Introduction,” at http://www.cisco.com/en/US/products/ps7034/index.html
-
Cisco Systems, Inc. “Installing and Using Cisco Intrusion Prevention System Device Manager 6.0,” at http://www.cisco.com/application/pdf/en/us/guest/products/ps4077/c2001/ccmigration_09186a00807a9287.pdf
-
Cisco Systems, Inc. “Cisco Security Agent,” at http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
-
Cisco Systems, Inc. “Cisco Trust Agent,” at http://www.cisco.com/en/US/products/ps5923/index.html
-
Cisco Systems, Inc. “Zone-Based Policy Firewall Design Guide,” at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124sup/zone_dg.pdf
0 comments
Post a Comment