
Cisco Client Security Software

Cisco has four client security software applications that support network security:

  • Cisco NAC Appliance Agent (NAA): Is an optional client-side component of the Cisco NAC Appliance system. It is a read-only client that performs device-based Registry scans in unmanaged environments. The agent enhances posture assessment functions and streamlines remediation. It is a free download provisioned over the Internet; deployments that use the NAA commonly require the user to download (or update) the agent before network access is granted. It works only with the Cisco NAC Appliance Server (NAS).

  • Cisco Security Agent: Is security software that provides threat protection for server and desktop computing systems. The Cisco Security Agent identifies and prevents malicious behavior before it can occur, thereby removing potential known and unknown security risks that threaten enterprise networks and applications. It also provides the capability at the endpoint to apply QoS markings to application network traffic as specified by Cisco Security Agent policy rules. These markings can be used by Cisco IOS devices upstream in the enterprise network to classify the packets and apply QoS service policies such as policing and queuing. Cisco Security Agent integrates with the NAC Framework and Cisco Security Monitoring, Analysis, and Response System (MARS) to support threat identification and investigation across the network. The Cisco Trust Agent client software may be installed as part of the Cisco Security Agent installation.

  • Cisco Secure Services Client (SSC): Is client software that supports the deployment of a single authentication framework on multiple device types, for access to both wired and wireless networks. As a component of the Cisco Unified Wireless Network, the SSC performs the following functions:

    • Provides a single authentication framework for multiple device types on the basis of the IEEE 802.1X standard

    • Supports leading security standards such as Wi-Fi Protected Access (WPA), WPA2, and Extensible Authentication Protocol (EAP)

    • Supports Windows 2000 and Windows XP

    • Provides an end-to-end authentication service when combined with Cisco Secure ACS

    • Fully integrates with the Cisco Unified Wireless Network access points and wireless LAN controllers

    • Supports third-party credential databases

    • Protects network endpoint devices

    • Enforces security policies

  • Cisco Trust Agent: Is client software that must be installed on hosts whose host policy state requires validation before network access is permitted under the NAC Framework. A core component of the NAC Framework, Cisco Trust Agent allows NAC to determine whether Cisco Security Agent, antivirus software, or other required third-party security or management software is installed and current. It also provides information about the operating system version and patch level. As a component of the NAC Framework, the Cisco Trust Agent performs the following functions:

    • Acts as a middleware component that takes host policy information and securely communicates it to the AAA policy server

    • Interacts directly with “NAC-enabled” applications running on the host without user intervention

    • Can communicate at Layer 3 or Layer 2 using built-in communication components

    • Includes an 802.1X supplicant for Layer 2 communications in wired environments

    • Authenticates the requestor through encrypted communications with the AAA server

    • Allows customers to build scripts for custom information gathering

    • Integrates with Cisco Security Agent and can be distributed by NAC participants with their applications for simplified management and distribution

    • Includes a lightweight version of the Cisco SSC client


Designing Intrusion-Detection and -Prevention Services

Cisco intrusion-detection and -prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect networks. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and the endpoint.

This section provides an overview of intrusion-detection systems (IDS) and intrusion-prevention systems (IPS) used in enterprise networks.


IDS and IPS Overview

This topic provides an overview of IDS/IPS.

An IDS or IPS can be a hardware appliance or part of the Cisco IOS Firewall software. Cisco IPS software is usually capable of both inline (IPS) and promiscuous (IDS) monitoring, whereas Cisco IDS software is capable only of promiscuous (IDS) monitoring.

Intrusion-Detection Systems

IDSs passively listen to network traffic, as shown in Figure 8-26. The IDS is not in the traffic path; it listens promiscuously to copies of all traffic on the network. Typically, only one promiscuous interface is required for network monitoring on an IDS; further promiscuous interfaces can be used to monitor multiple networks. When an IDS detects malicious traffic, it sends an alert to the management station. An IDS may also be able to send a TCP reset to the end host to terminate a malicious TCP connection.

Figure 8-26: IDS and IPS Overview

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the flow of the forwarded traffic. The disadvantage is that the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks), because by the time the sensor has analyzed its copy the original packet has already been delivered. The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices (for example, routers and firewalls) to respond to an attack.

Intrusion-Prevention Systems

IPSs are active devices in the traffic path, as shown in Figure 8-26. An IPS inspects network traffic inline and permits or denies flows and packets into the network. The inline interfaces have no MAC or IP address and cannot be detected directly. All traffic passes through the IPS for inspection: traffic arrives on one IPS interface and exits on another. When an IPS detects malicious traffic, it sends an alert to the management station and can block the malicious traffic immediately. The offending packet and any subsequent packets of the attack are dropped, so the IPS proactively protects against network viruses, worms, malicious applications, and vulnerability exploits. An IPS resembles a Layer 2 bridge or repeater. By default, an IPS passes all packets unless a policy specifically denies them.

Operating in inline interface pair mode puts the IPS directly into the traffic flow and affects packet-forwarding rates by adding latency. In exchange, the sensor can stop attacks by dropping malicious traffic before it reaches the intended target. The inline device not only processes Layer 3 and Layer 4 information but also analyzes the contents and payload of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis lets the system identify and stop attacks that would normally pass through a traditional firewall.

IDS and IPS Components

There are two major components in an IDS or IPS solution:

  • Sensors: Can be either host based, such as the Cisco Security Agent, or network based, such as an IPS appliance. Network-based sensors use specialized software and hardware to collect and analyze network traffic. They can be appliances or modules in a router, switch, or security appliance. There are three common types of IDS or IPS technologies:

    • A signature-based IDS or IPS looks for specific predefined patterns (signatures) in network traffic. Traffic is compared to a database of known attacks, and a match triggers an alarm or drops the traffic.

    • An anomaly-based IDS or IPS checks packets or packet sequences for deviations from expected protocol behavior or from a learned baseline of normal traffic, and reports anomalous traffic behavior.

    • A policy-based IDS or IPS is configured based on the network security policy and detects traffic that does not match the policy.

  • Security management and monitoring infrastructure: Configures the sensors and serves as the collection point for alarms for security management and monitoring. The management and monitoring applications perform alert collection, aggregation, and correlation. Cisco Security Manager is used to centrally provision device configurations and security policies for Cisco firewalls, virtual private networks (VPN), and IPSs, and provides some light monitoring functions. Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications. Cisco IPS Device Manager (IDM) is a web-based Java application that allows configuration and management of IPS sensors. IDS Event Viewer is a Java-based application that enables network managers to view and manage alarms for up to five sensors.
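
The three detection techniques side by side, as an added Python example (not code from this page or from Cisco): a tiny sensor that runs a signature match, a learned-baseline anomaly check and a policy check over constructed packet records. The signatures, the permitted-service policy and every packet below are made up for the demonstration.

```python
"""Toy sensor showing the three IDS/IPS detection techniques side by side.

Added example (not Cisco code). The signatures, policy and packets below are
constructed for the demonstration; real sensors use vendor signature sets and
inspect reassembled streams, not isolated records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# 1. Signature-based: look for known byte patterns in the payload.
#    Both patterns are illustrative, not entries from a real signature database.
SIGNATURES = {
    "sqli-classic": b"' OR 1=1",
    "shell-in-uri": b"/bin/sh",
}


def signature_match(pkt):
    """Return the names of every signature whose pattern appears in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


# 2. Anomaly-based: learn what is normal, then flag deviations from it.
class AnomalyDetector:
    """Learns the average number of distinct destination ports a source talks to
    during a baseline period, then alerts when a source exceeds that by `factor`
    (a crude port-scan heuristic). Each source is reported only once."""

    def __init__(self, factor=3.0):
        self.factor = factor
        self.threshold = None
        self.ports = defaultdict(set)
        self.alerted = set()

    def learn(self, packets):
        seen = defaultdict(set)
        for pkt in packets:
            seen[pkt.src].add(pkt.dport)
        mean = sum(len(s) for s in seen.values()) / len(seen)
        self.threshold = mean * self.factor

    def observe(self, pkt):
        self.ports[pkt.src].add(pkt.dport)
        if pkt.src in self.alerted or len(self.ports[pkt.src]) <= self.threshold:
            return False
        self.alerted.add(pkt.src)
        return True


# 3. Policy-based: anything the security policy does not explicitly permit is reported.
POLICY = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def policy_violation(pkt):
    return (pkt.proto, pkt.dport) not in POLICY


def analyze(packets, detector):
    """Run all three checks over a packet sequence; return (index, kind, detail) alerts."""
    alerts = []
    for i, pkt in enumerate(packets):
        for sig in signature_match(pkt):
            alerts.append((i, "signature", sig))
        if detector.observe(pkt):
            alerts.append((i, "anomaly", f"{pkt.src} reached {len(detector.ports[pkt.src])} distinct ports"))
        if policy_violation(pkt):
            alerts.append((i, "policy", f"{pkt.proto}/{pkt.dport} from {pkt.src} not permitted"))
    return alerts


def run_demo():
    # Constructed baseline: ordinary web and DNS traffic from three hosts.
    baseline = [
        Packet("10.0.0.1", "192.0.2.10", "tcp", 80),
        Packet("10.0.0.1", "192.0.2.10", "tcp", 443),
        Packet("10.0.0.2", "192.0.2.10", "tcp", 80),
        Packet("10.0.0.3", "192.0.2.53", "udp", 53),
    ]
    detector = AnomalyDetector(factor=3.0)
    detector.learn(baseline)  # mean 1.33 ports per source -> threshold 4.0

    # Constructed monitored traffic: one injection attempt (atomic, single packet),
    # one host probing five ports, and one telnet session the policy does not allow.
    traffic = [
        Packet("10.0.0.1", "192.0.2.10", "tcp", 80,
               b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"),
    ]
    traffic += [Packet("10.0.0.9", "192.0.2.10", "tcp", p) for p in (21, 22, 23, 25, 110)]
    traffic.append(Packet("10.0.0.2", "192.0.2.10", "tcp", 23))
    return analyze(traffic, detector)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each technique fails differently: the signature check catches the single-packet injection only because the pattern is already known, the anomaly check needs a clean learning period and fires only on the fifth distinct port, and the policy check flags every disallowed service (including all of the scan) without knowing anything about attacks. A real sensor reassembles TCP streams before matching; this toy matches each record in isolation.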


Note

The Cisco IPS Device Manager has been replaced with Cisco IPS Manager Express (IME). IME combines IDM with the IDS Event Viewer, while adding enhanced health monitoring and the ability to manage up to five sensors. IME requires sensor software release 6.1 for the advanced dashboard and health monitoring features. IME is not designed to work with Cisco IOS Software sensor implementations. For more information, refer to http://www.cisco.com/en/US/products/ps9610/index.html.

Host Intrusion-Prevention Systems

Host intrusion-prevention system (HIPS) deployments include two components:

  • Endpoint agents: Enforce the security policy received from the management server. Endpoint agents send event information to the management server and interact with the user if necessary. The goal of an endpoint agent is to provide threat protection for the end system. Cisco Security Agent is the Cisco endpoint agent that provides threat protection for server and desktop computing systems. It consists of host-based agents that report to the Management Center for Cisco Security Agents. The Cisco Security Agent software resides between the applications and the kernel on a PC, enabling maximum application visibility with minimal impact on the stability and performance of the underlying operating system.

  • Management server: Deploys security policies to endpoints and is responsible for configuring and maintaining the environment. The server receives and stores event information and sends alerts to administrators. It may also deploy software, such as endpoint agent updates. The interface to a HIPS management server is typically a GUI console that allows policy configuration and event viewing. For highly scalable environments, the configuration and event information can be stored in a dedicated database. The Management Center for Cisco Security Agents provides all management functions for Cisco Security Agent deployments.

IDS and IPS Design Considerations

The underlying security policy should be the same for an IDS or an IPS deployment. To deny traffic, an IPS solution must be deployed inline with the network, whereas an IDS sensor is connected in promiscuous mode, where packets do not flow through the sensor and it analyzes a copy of the monitored traffic rather than the forwarded packet itself. If your security policy does not support denying traffic, use an IDS deployment.


Note

It is common practice to deploy a sensor initially in IDS mode while baselining the network.

IDS or IPS sensors are placed in the network where they can effectively support the underlying security policy. Deployment decisions are often based on where you need to detect or stop an intrusion as soon as possible. Typical locations include the perimeter of the network outside a firewall, where the network is most exposed; inside the firewall at the boundaries between zones of trust; and in front of critical servers, where an incident would be most costly. Each location has trade-offs: placement outside the firewall, for example, generates many warnings of relatively low value, because no action is likely to be taken on that information.


Note

Some environments deploy an IDS outside the firewall to assist in event correlation and to determine the effectiveness of the firewall. Sensor placement depends on an organization’s security policy, which is a reflection of that organization’s security needs.

Traffic impact considerations are greater for inline IPS sensors than for IDS deployments. A failure of an IDS means only that traffic monitoring has stopped. A failure of an IPS can disrupt network traffic flow unless bypass methods are implemented. An IPS deployment also adds latency to inline traffic; the latency through the IPS sensor should generally be under a millisecond and as low as possible. IPS sensors also have bandwidth limitations on the amount of traffic that can be supported through the device. Exceeding the performance of a sensor results in dropped packets and a general degradation of network performance.


IDS or IPS Deployments

IDS or IPS sensors can be deployed based on the priority of targets. Internet and extranet connections are typically secured first because of their exposure. An IDS outside the firewall can detect all attacks and will generate a lot of alarms, but is useful for analyzing what kind of traffic is reaching the organization and how an attack is executed. An IDS inside the firewall can detect firewall misconfigurations by showing what kind of traffic passes through the firewall. An IPS can provide more focused application protection and firewall augmentation for extranet and DMZ resources.

Management networks and data centers are often next in priority. A layered approach for maximum protection is appropriate for the high-security areas. There might be one system installed after the firewall and a second system at the entry point to the high-security area, such as the data center. A host-specific IDS can detect attacks against a specific server. An IPS can be used to block application-specific traffic that should not reach the server.

IPS deployments at remote and branch offices can both protect the branch from corporate incidents and protect the corporate resources from security incidents arising from branch practices. Remote-access systems need protection, too.

IPS Appliance Deployment Options

When you are placing an IPS sensor in an enterprise network, you have multiple options available depending on the infrastructure and the desired results. Figure 8-27 illustrates each of the following options:

  • Two Layer 2 devices (no trunk): Sensor placement between two Layer 2 devices without trunking is a typical campus design. In this deployment, the IPS appliance is placed between two switches. The IPS can be between the same VLAN on two different switches or between different VLANs with the same subnet on two different switches. Scenarios include placement between different security zones in a campus environment or between critical devices in a data center.

  • Two Layer 3 devices: Sensor placement between Layer 3 devices is common in Internet, campus, and server farm designs. The two Layer 3 devices are in the same subnet. One advantage in these scenarios is the ease of configuration, because the integration can take place without touching any other device.

  • Two VLANs on the same switch: This design allows a sensor to bridge VLANs together on the same switch. The sensor brings packets in on one VLAN and out a different VLAN for traffic in the same subnet.

  • Two Layer 2 devices (trunked): Sensor placement on a trunk port between switches is a common scenario providing protection of several VLANs from a single location.

Figure 8-27: IPS Appliance Deployment Options


Note

Deployments using IPS modules follow the same general guidelines as deployments for IPS appliances.

Feature: Inline VLAN Pairing

The IPS can associate VLANs in pairs on a physical interface. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. The sensor brings packets in on one VLAN and out a different VLAN on the same trunk link for traffic in the same subnet. The sensor replaces the VLAN ID field in the IEEE 802.1Q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. This design supports multiple VLAN pairs per physical interface and reduces the need to have many physical interfaces per chassis.
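
Inline VLAN pairing as an added Python example (not Cisco code): a sensor that bridges configured VLAN pairs by rewriting the 12-bit VID in the 802.1Q tag while leaving the PCP and DEI bits untouched. The frames, the pair table and the inspect() callback are constructed for the demonstration, and the choice not to forward frames on VLANs outside any pair is an assumption of this model rather than documented sensor behaviour.

```python
"""Inline VLAN pairing modeled as an 802.1Q tag rewrite.

Added example, not Cisco code. A sensor bridging VLAN pairs on one trunk
inspects each tagged frame and, if the frame is allowed, retransmits it with
the VID replaced by the partner VLAN's ID. The frames and the inspect() hook
are constructed for this demonstration; treating frames on unpaired VLANs as
not forwarded is an assumption made here, not documented sensor behaviour.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_dot1q(frame):
    """Return (pcp, dei, vid) from the tag of an 802.1Q frame, or None if untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def rewrite_vid(frame, new_vid):
    """Replace only the 12-bit VID; the PCP and DEI bits (QoS markings) are kept."""
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


class VlanPairSensor:
    """Bridges configured VLAN pairs on a single physical (trunk) interface."""

    def __init__(self, pairs, inspect):
        self.peer = {}
        for a, b in pairs:            # e.g. (10, 20) -> 10 <-> 20
            self.peer[a] = b
            self.peer[b] = a
        self.inspect = inspect        # callable(payload) -> True to forward, False to drop

    def forward(self, frame):
        """Return the frame to emit on the partner VLAN, or None if it is dropped."""
        tag = parse_dot1q(frame)
        if tag is None or tag[2] not in self.peer:
            return None               # untagged or not in any pair: not bridged (assumption)
        if not self.inspect(frame[18:]):
            return None               # inline verdict: the frame never reaches the other VLAN
        return rewrite_vid(frame, self.peer[tag[2]])


def build_frame(vid, payload, pcp=0, dei=0, ethertype=0x0800,
                dst=bytes.fromhex("001122334455"), src=bytes.fromhex("00aabbccddee")):
    """Construct a tagged Ethernet frame: dst MAC, src MAC, TPID, TCI, EtherType, payload."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def run_demo():
    # Constructed policy: drop anything carrying a shell path in the payload.
    sensor = VlanPairSensor([(10, 20), (30, 31)], lambda payload: b"/bin/sh" not in payload)
    results = {}
    # Benign frame on VLAN 10 with a high priority marking: emitted on VLAN 20, PCP intact.
    out = sensor.forward(build_frame(10, b"GET / HTTP/1.1\r\n", pcp=5))
    results["benign"] = parse_dot1q(out)
    # Same pair in the other direction: VLAN 20 -> VLAN 10.
    results["reverse"] = parse_dot1q(sensor.forward(build_frame(20, b"HTTP/1.1 200 OK\r\n")))
    # Malicious payload on a paired VLAN: dropped, so nothing to emit.
    results["malicious"] = sensor.forward(build_frame(10, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1"))
    # Frame on VLAN 99, which is in no pair: not bridged.
    results["unpaired"] = sensor.forward(build_frame(99, b"anything"))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The rewrite touches only bytes 14 and 15 of the frame, and only the low 12 bits of them; that is why the QoS markings that an upstream device (or Cisco Security Agent) placed in the PCP field survive the trip through the sensor.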


Note

VLAN pairs are supported on all sensors that are compatible with IPS 6.0 except the Cisco IDS Network Module, Cisco ASA AIP-SSM-10, and Cisco ASA AIP-SSM-20.

IPS Deployment Challenges

Asymmetric traffic patterns and high availability are challenges for IPS deployments.

Traditional packet flows in a network are symmetrical and consist of connections that take the same path through the network in both directions. Many newer network designs do not guarantee symmetrical flows, and engineer the network to take advantage of all available links. This greatly increases the chance that traffic may use multiple paths to and from its destination.

This asymmetric traffic flow can cause problems with inline IPS devices. Because an IPS sensor inspects traffic statefully and needs to see both sides of the connection to function properly, asymmetric traffic flows may cause valid traffic to be dropped.

High availability is another deployment challenge. A failure of any redundant component in the network should not cause an interruption in network availability. This implies that existing sessions should continue to flow normally and not be dropped.

The current Cisco IPS 6.0 solutions do not support asymmetric flows or high availability natively in the product. A design workaround uses the network to mirror all traffic between two sensors in a “failover” pair. The IPS sensors in the pair see all packets traversing a point in the network. If one sensor fails for any reason, the network reroutes all traffic through the other sensor because it is the only available path. The secondary sensor has already seen all the packets and has built a complete state table for the flows, so traffic is not interrupted. Asymmetric traffic is also supported by this mirroring technique.
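
The asymmetric-flow and failover problems described above, as an added Python example (not Cisco code): a minimal stateful TCP tracker running in two sensors, driven over a constructed HTTP exchange under symmetric, asymmetric and failover path selection, with and without the mirroring workaround. The sensor names, the path selectors and the way mirroring is modeled are assumptions of this simulation.

```python
"""Why asymmetric paths break an inline stateful sensor, and how mirroring helps.

Added example, not Cisco code. StatefulSensor is a deliberately minimal TCP
tracker that forwards a segment only when it belongs to a connection whose
three-way handshake the sensor has seen. The segments, the path selection
functions and the mirroring model are constructed to illustrate the text; they
do not reproduce any particular sensor's implementation.
"""
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Seg:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    data: bytes = b""


def flow_key(seg):
    """Direction-independent connection identifier so both halves share state."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


class StatefulSensor:
    """Inline sensor: forwards segments of connections it saw being established,
    drops everything else (without state it cannot inspect the flow safely)."""

    def __init__(self, name):
        self.name = name
        self.state = {}       # flow_key -> "SYN_SEEN" | "SYNACK_SEEN" | "ESTABLISHED"
        self.dropped = []

    def process(self, seg):
        key = flow_key(seg)
        st = self.state.get(key)
        syn, ack = bool(seg.flags & SYN), bool(seg.flags & ACK)
        if syn and not ack:
            self.state[key] = "SYN_SEEN"
        elif syn and ack and st == "SYN_SEEN":
            self.state[key] = "SYNACK_SEEN"
        elif not syn and ack and st == "SYNACK_SEEN":
            self.state[key] = "ESTABLISHED"
        elif st != "ESTABLISHED":
            self.dropped.append(seg)
            return False
        return True


def handshake_and_data():
    """A constructed HTTP exchange: three-way handshake, request, response."""
    c, s = ("10.1.1.5", 40000), ("192.0.2.80", 80)
    return [
        Seg(c[0], s[0], c[1], s[1], SYN),                                   # 0 client -> server
        Seg(s[0], c[0], s[1], c[1], SYN | ACK),                             # 1 server -> client
        Seg(c[0], s[0], c[1], s[1], ACK),                                   # 2 client -> server
        Seg(c[0], s[0], c[1], s[1], ACK | PSH, b"GET / HTTP/1.1\r\n\r\n"),  # 3 client -> server
        Seg(s[0], c[0], s[1], c[1], ACK | PSH, b"HTTP/1.1 200 OK\r\n\r\n"), # 4 server -> client
    ]


# Path selectors: which of the two parallel sensors carries the live packet.
def symmetric_path(i, seg):
    return "A"                                  # every packet crosses sensor A


def asymmetric_path(i, seg):
    return "A" if seg.dport == 80 else "B"      # forward direction via A, return via B


def failover_path(i, seg):
    return "A" if i < 3 else "B"                # path A dies right after the handshake


def simulate(path_of, mirrored):
    """Return how many of the five segments are forwarded.

    With mirrored=True the network copies every packet to the sensor that is
    not on the live path, so both build identical state; only the live-path
    sensor's verdict decides whether the packet is forwarded."""
    sensors = {"A": StatefulSensor("A"), "B": StatefulSensor("B")}
    forwarded = 0
    for i, seg in enumerate(handshake_and_data()):
        live = path_of(i, seg)
        if mirrored:
            sensors["B" if live == "A" else "A"].process(seg)
        if sensors[live].process(seg):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    for label, path in (("symmetric", symmetric_path), ("asymmetric", asymmetric_path),
                        ("failover", failover_path)):
        print(f"{label:10s} no mirroring: {simulate(path, False)}/5   mirrored: {simulate(path, True)}/5")
```

Without mirroring the asymmetric case forwards only the initial SYN: sensor B drops the SYN/ACK it never saw a SYN for, and sensor A then drops the client's ACK because it never saw the SYN/ACK, so a perfectly valid connection dies. With mirroring both sensors hold the complete state table, and the failover case shows the same state letting sensor B carry the session after path A disappears.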

IDS or IPS Management Interface Deployment Options

Monitoring an IDS or IPS solution is one of the crucial elements for fast detection of suspicious activity and for an indication of prevented attacks. IDS or IPS management consolidates and centralizes alarms from multiple sources to provide the required view of the network.

On the network boundary, the sensors are usually installed adjacent to a firewall. The monitoring and management interfaces of an IPS sensor can therefore be connected to two different networks. This is especially critical when the outside sensor needs to communicate with the inside network.

One option is to connect the monitoring interface to the outside network and the management interface directly to the inside network. All management is done in-band over the internal network. This setup is simple, but it provides a path around the firewall if the sensor is compromised. This design is not recommended.

A preferred design places the monitoring interface on the outside network and the management interface on a separate inside VLAN. With this setup, the management interface is isolated on an IPS management VLAN from the rest of the inside network. If the VLAN is sufficiently trusted, this design provides good separation of the IDS or IPS sensor. A recommended practice is to use Secure Shell (SSH) or Secure Sockets Layer (SSL) for management access to the IDS or IPS sensors.


Note

Using PVLANs to put all sensors on isolated ports is recommended, because the sensors do not need to talk to each other except when distributed blocking is used. This ensures that the compromise of a single sensor cannot be used to reach and compromise the other sensors.

In-Band Management Through Tunnels

Another option for deploying IDS or IPS uses a combination of management through an OOB network and management through secure tunnels, depending on the location of the sensors.

For devices outside the perimeter firewall, the monitoring interface remains on the outside network, but the management interface is terminated on a separate DMZ. Management is supported in-band across an encrypted tunnel. The firewall protects the outside sensor from the inside devices and provides better separation compared to the previous solution. For internal devices in more secure areas, management is provided through a separate management VLAN.


IDS and IPS Monitoring and Management

Cisco Security MARS and Cisco Security Manager (CSM) are part of the Cisco Security Management Suite, which delivers policy administration and enforcement for the Cisco Self-Defending Network. Both tools should be implemented in the management VLAN in a protected place such as the server farm or data center.

Cisco Security MARS provides multivendor event correlation and proactive response: it identifies active network threats and distributes IPS signatures to mitigate them. In addition:

  • Cisco Security MARS ships with a set of predefined compliance reports that are easy to customize.

  • Cisco Security MARS stores event information from every type of device. This information can be grouped in a single report.

For a small to medium-size organization, a centralized Cisco Security MARS implemented as a local controller is a typical deployment.


Note

In CS-MARS, a local controller is the name given to the hardware appliance that supports the features discussed in this section for monitoring, analysis, and response. The global controller is an appliance used to support the centralized operation and management of multiple local controllers in distributed deployments.

CSM enables organizations to manage security policies on Cisco security devices. CSM supports integrated provisioning of VPN and firewall services across Cisco IOS routers, Cisco PIX and ASA security appliances, and Cisco Catalyst 6500/Cisco 7600 service modules. It also supports IPS technologies on routers, service modules, and IPS devices. CSM supports provisioning of many platform-specific settings (for example, interfaces, routing, identity, QoS, and logging).

CSM, through its Cisco IPS Manager component, supports the management and configuration of Cisco IPS sensors (appliances, switch modules, network modules, and Security Service Modules [SSM]) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers [ISR]). You configure IPS sensors and Cisco IOS IPS devices through the use of policies, each of which defines a different part of the configuration of the sensor. Whereas CSM 3.0 allowed you to cross-launch the CiscoWorks IPS Management Center to access IPS functionality, Cisco Security Manager 3.1 provides fully integrated IPS features.

Cisco Security Manager 3.1 supports integrated provisioning of firewall, IPS, and VPN (site to site, remote access, and SSL) services. Starting in version 3.1, Cisco Security Manager supports Cisco IPS 5.1 and 6.0 and the Cisco IOS Firewall IPS features in Cisco IOS Software Release 12.4(11)T. It provides support for the following features on IPS 6.0 devices:

  • Virtual sensors

  • Anomaly detection

  • Passive operating system fingerprinting

  • Simplified custom signature creation

  • Signature update wizard, with preview and tuning of new signatures

  • IPS signature update license management

  • External product interface (linkage of an IPS sensor with the Management Center for Cisco Security Agents)

Scaling Cisco Security MARS with Global Controller Deployment

The Cisco Security MARS global controller enables network monitoring to scale, as shown in Figure 8-28.

Figure 8-28: Scaling Cisco Security MARS with Global Controller Deployment

If an organization is supporting multiple Cisco Security MARS local controllers, it can deploy a distributed solution using a global controller to summarize the findings of two or more local controllers and manage the local controllers.

The global controller communicates with the local controllers over HTTPS using certificates. Only incidents from global rules are rolled up into the global controller. The global controller can distribute updates, rules, report templates, access rules, and queries across the local controllers.


Summary

In this chapter, you learned about firewalls, Network Admission Control, and intrusion-prevention and -detection systems.

Firewalls have long provided the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about network access rights for users to the connection information surrounding each access attempt. User policies and connection information must match; otherwise, the firewall does not grant access to network resources.

NAC is a set of technologies and solutions that is built on an industry initiative led by Cisco. The NAC Framework uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware by using embedded software modules within NAC-enabled products. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices. Cisco NAC Appliance condenses NAC capabilities into an appliance form where client, server, and manager products enable network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines before allowing users onto the network.

Cisco intrusion-detection and -prevention solutions are part of the Cisco Self-Defending Network. Designed to identify and stop worms, network viruses, and other malicious traffic, these solutions can help protect networks. Cisco provides a broad array of solutions for intrusion detection and prevention at both the network and the endpoint.

References

For additional information, refer to these resources:

  • Cisco Systems, Inc. “Cisco Catalyst 6500 Series Firewall Services Module,” at http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/index.html

  • Cisco Systems, Inc. “Network Admission Control (NAC) Framework,” at http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • Cisco Systems, Inc. “Release Notes for Network Admission Control, Release 2.0,” at http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/ntadctrl/nac20rn1.pdf

  • Cisco Systems, Inc. “Cisco NAC Appliance (Clean Access) Release Notes,” at http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html

  • Cisco Systems, Inc. “Switch Support for Cisco NAC Appliance,” at http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/switch.htm

  • Cisco Systems, Inc. “Cisco NAC Appliance Data Sheet,” at http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1650/cdccont_0900aecd802da1b5.pdf

  • Cisco Systems, Inc. “Cisco Intrusion Prevention System,” at http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html

  • Cisco Systems, Inc. “Cisco Secure Services Client Introduction,” at http://www.cisco.com/en/US/products/ps7034/index.html

  • Cisco Systems, Inc. “Installing and Using Cisco Intrusion Prevention System Device Manager 6.0,” at http://www.cisco.com/application/pdf/en/us/guest/products/ps4077/c2001/ccmigration_09186a00807a9287.pdf

  • Cisco Systems, Inc. “Cisco Security Agent,” at http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

  • Cisco Systems, Inc. “Cisco Trust Agent,” at http://www.cisco.com/en/US/products/ps5923/index.html

  • Cisco Systems, Inc. “Zone-Based Policy Firewall Design Guide,” at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124sup/zone_dg.pdf
