Cisco Security Setup & Configuration: Part 1 – a Layered Approach
Expert Reference Series of White Papers
This paper is the first in a three-part series of white papers, each of which focuses on a functional area of securing your network. The three papers work together to create a complete picture of how to configure your network appliances for complete corporate security. It will discuss a starting point for network security, suggested technology types, ideal points for securing your network using a layered approach, and secure ways to manage your new or existing network.
This first paper in the series introduces concepts to get started on network security and begin the process of securing your network at the switch level.
Security Policy: Start at the Beginning
Security is one of the fastest growing branches within the networking industry, and current trends point to a steady increase in growth over the years to come. This is largely due to the integration of so many critical data types over a single network and the increased realization by companies as to just how vulnerable their networks can be. With security becoming such a focal point of networks, it is increasingly important to understand how to integrate security into a network.
As with any new project, you must start with some direction. I’m sure you have heard the adage, “If you fail to plan, then you plan to fail.” This is never more true than when planning network security. Create your security policy to serve as a starting point and future road map for securing your corporation.
A security policy, originally defined in request for comment (RFC) 2196 and now updated in RFC 3704, contains the whys, whats, and hows of securing your corporate environment.
Isaac A Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP
Keep in mind that your security policy is a document that defines how you will secure your corporation, corporate resources, and corporate users. As your business grows, or corporate direction changes, this document will also grow and change.
Security Lifecycle: an Understanding and Review
Take a controlled, metered approach when installing any desktop/network operating system, application, or appliance. By taking a metered approach, you ensure consistent installation and hardening of each system. The following recommendations for a secure installation come directly from Cisco Systems.
Step #1: Secure Install
Install each new operating system, application, and appliance in as secure a manner as possible. This may require you to review the documentation as completely as possible, which I know we all have time to do. Also, consider staying away from default installations or installation wizards, as they often create the most simple of configurations, which are not always the most secure.
Step #2: Monitor
Once the new system has been installed, take the time to review the installation logs, operational logs, and behavior to make sure the system is operating as securely as possible.
Why have a security policy?
• To create a baseline of your current security configuration
• To define allowed and not-allowed behaviors
• To help determine necessary tools and procedures
• To help define roles and responsibilities
• To state the consequences of misuse
• To define how to handle security incidents (social & technical)
• To provide a process for continuing review

What should be in a security policy?
• Statement of authority and scope
• Identification and authentication policy
• Internet use policy
• Campus access policy
• Remote access policy
• Incident handling procedure

How would I create a security policy?
• Use the very documents that govern your day-to-day business operation, for example, your physical site security regulations or corporate acceptable use policy.
• Use standards such as SOX, HIPAA, VISA, International Standards Organization (ISO) 27001, etc.
• Reference web sites for assistance: www.computersecuritynow.com, www.sans.org/resources/policies/#primer, security.berkeley.edu/pols.html
Step #3: Test
Perform regularly scheduled tests of your new system. Such tests should be performed by both internal and external parties. You may choose to perform quarterly or bi-annual internal tests and annual audits by an external entity. Of course, no system is perfect, so expect to have areas for improvement discovered as a result of these tests. These areas of improvement lead us to the final step in the security lifecycle.
Step #4: Improve
From the items found in the testing process of step #3, make improvements in as secure a manner as possible. Again, look to the product documentation and try to avoid any cookie cutter fixes.
Remember that this process is called a lifecycle. Once you improve upon a system, you should do so in a secure manner by performing a secure installation (step #1); then monitor all changes made and new behaviors that result from your changes (step #2); perform either internal or external tests (step #3) of these improvements to be sure that they still meet the requirements of your security policy; and, finally, improve (step #4) any areas as needed.
This lifecycle, as well as security as a whole, is a continuous process that will evolve and grow with your network. As your network changes, so will your security policy and the means by which you install, monitor, test, and improve each new system.
Device Roles & Definitions
Let’s start with a simple review of six key network security components. We will define each device and make suggestions on its placement and use.
Router: A junction between two networks to transfer data packets between them.
Sample uses: Perimeter security via Access Control Lists (ACLs), Committed Access Rate (CAR), routing protocol security and protocol tunneling.
Examples: Cisco 1841, 3845, 7206.

Switch: A layer 2, sometimes multilayer, networking device that provides physical connectivity to end stations and redirects a frame between physical ports on that same switch.
Sample uses: Physical port security to control a device’s initial access to the network.
Examples: Cisco Catalyst 3750, 4506, 6513.

Firewall: A piece of hardware and/or software that exists to prevent specific communications forbidden by the security policy.
Sample uses: Stateful inspection, Virtual Private Network (VPN) tunnel termination, advanced protocol handling, deep packet inspection and Network Address Translation (NATting).
Examples: Cisco PIX 525, ASA 5540.
VPN Concentrator: A security device used to connect (terminate) VPN sessions from Remote Access, Web Clients, and Site-to-Site locations.
Sample uses: High-volume termination of Remote Access and Clientless VPN sessions, offering extensive control over the VPN sessions of the connecting device.
Examples: Cisco 3015, 3030, 3060.

Intrusion Detection or Prevention System (IDS/IPS) Sensor: A device that generally detects unwanted manipulations to communication systems (individual packets and streams of packets) and is required to detect all types of malicious network traffic.
Sample uses: As a device that inspects traffic/communications on all critical entry and exit points to a corporate network.
Examples: NM-CIDS, 4240, 4250XL.

Host-based Intrusion Prevention System (HIPS): An agent (Cisco Security Agent, CSA) installed on host stations that provides security against malicious activity between applications on the host and communications from the host. Used to enforce a company’s security policy at the end-station level.
Sample uses: Install on critical end-stations and servers to protect them from access to local or network resources that do not follow the security policy.
Examples: Cisco Security Agent.

Device Use and Placement
Now that we’ve completed a cursory review and defined the more common security devices, we will explore sample topology types and device placement.

2-Leg Security, Single-Perimeter Device
Figure 1 shows a single-perimeter device controlling access to a corporate network. This security device may be a router with firewall capabilities or a true firewall. Such a topology is ideal for remote offices or small branch sites. It offers a low-cost approach to security, but it also significantly limits an administrator’s security options.
Note: Keep in mind that all security services are offered by this single perimeter device. Even though this is a very affordable approach, it is also very limiting. It is like using a screwdriver for all home repairs: it may work most of the time, but you’ll just tear things up on those finer jobs.
Perimeter Router with Internal Firewall
Figure 2 shows a dual-layered approach to securing your external connection. This approach is ideal for medium-to-large enterprise networks because you can leverage the services of each device to provide a more complete security configuration.
The router, for example, could be used for ACL filtering, protocol tunneling, high-level routing and peer routing authentication. The firewall can be used for deep packet inspection, NATting and stateful inspection.
For added security, you can add a third interface off of your firewall device to serve as a Demilitarized Zone (DMZ) for external access to secure services. An example is clients who need to access your corporate web site for order processing.
Note: This offers a significant increase in security options and flexibility at a negligible increase in price.
Firewall Sandwich
Figure 3 illustrates a very flexible topology that has two routers protecting either side of a firewall device. This approach is ideal for large-to-enterprise-size corporate networks. The interaction between the perimeter router and internal router offers protection from both externally and internally originating attacks. The outer routers off-load functions from the firewall device, which allows each device to process and secure even more traffic. Again, you can leverage the abilities of each device to offer a complete security configuration.
Note: This topology brings additional costs in hardware and complexity to the administrator, but the security benefits and options are among the highest available in any configuration.
Dual-Layered
Figure 4 shows a configuration where there are two layers of firewall devices protected by a perimeter router. This approach offers the highest level of security as well as a high degree of configuration difficulty. Such a topology would be ideal for environments where different departments (IT and Special Projects) control security for different portions of the network. However, you must have a high degree of communication between these departments for traffic that is to pass through both levels of security devices. For added security, you could even incorporate different vendors at each layer.
Note: This approach does bring the highest level of cost and complexity, but it offers, in return, the greatest level of secure flexibility.
VPN Concentrator
Figure 5 illustrates a topology where a VPN Concentrator has been integrated to offer high-level Remote Access tunnel termination. The figure shows a VPN Concentrator that is NOT in parallel but, instead, terminates into a firewall device.
Caution: So as not to contradict anyone or any other publication that may have come before this one, I will simply say that I do not place a VPN Concentrator in parallel with any other device offering security services. Technically put, a VPN Concentrator does not offer stateful inspection, deep packet inspection or network-based IDS/IPS functionality. As a result, the VPN Concentrator should not be placed in parallel and used to bypass any of those services.
This topology has the following benefits: it offers filterable control of the Internet Protocol Security (IPSec) protected traffic at the perimeter router, stateful firewalling of the post-IPSec (decrypted) client data as it passes through the firewall, and conservation of firewall interfaces by using only a single firewall interface to offer security services. If you wanted to increase the level of security offered, you could connect both VPN Concentrator interfaces (public and private) to separate interfaces on the firewall. Again, this approach offers increased security but will require additional firewall interfaces which, depending on the number of interfaces and operating system currently in use, may require additional funds in the form of a licensing upgrade.
Note: Again, it is NOT recommended to place a VPN Concentrator in parallel with your network’s firewall device (router or firewall). Although a concentrator can perform some security services, it does not offer stateful inspection, deep packet inspection, or IDS/IPS functionality.
IDS/IPS Sensors
Incorporating an external sensor, as shown in Figure 6, is ideal for medium-to-large corporate environments. Sensor placement is one of the first and most important questions to answer during network design. It is recommended that you sense all entry/exit points to your network, as well as subnets containing critical corporate resources, such as server farms. The number of sensors used is determined by the number of points sensed, and whether you choose IDS or Intrusion Prevention (IPS).
For IDS/IPS functionality at a small to medium-size remote office, consider using the integrated IDS/IPS services of your router and firewall operating system or a network module that can be installed in your routers (NM-CIDS in the 2611XM & above) and firewall (AIP-SSM in the ASA5500 series). The installed modules perform and are configured just as a true external sensor.
The topology will change considerably, based on the use of IDS versus IPS.
Note: The term “firewall device” was used instead of “firewall” simply to illustrate how a router with the proper software can be used as a firewall just the same as a dedicated firewall.
Device Hardening: Taking a Layered Approach
When it comes to securing your network, taking a layered approach offers the most comprehensive level of security. This approach uses the Open Systems Interconnection Reference Model (OSI) as guidance and simply incorporates security at as many layers of the network as possible. Just as the Physical and Data Link layers start the OSI Model, so should you protect your network using Physical and Data Link technologies. For that, there is no better device to offer initial protection to your network than a LAN Switch.
Switch
A LAN switch is typically a user’s first point of connectivity to your corporate network. As a result, it should be the first point of security for your network. Incorporate the following methods of network security, as they are available on your model of switch:
Disable unused ports
These would be all ports that are not run to a location within your organization, or are leading to offices and cubicles that are not currently used. Here is sample syntax for disabling a range of access ports:
AccSw01#conf t
AccSw01(config)#int range fast0/13 - 20
AccSw01(config-if-range)#shutdown
Set the port type
This means setting a port to be either an access or a trunk port. By default, switch ports dynamically negotiate with their connected peer to become either an access or trunk port. This could lead to access layer attacks by a rogue switch negotiating a trunk connection with your corporate network, after which all traffic travels down the newly established trunk to the rogue switch. Fixing the port type removes that negotiation:
AccSw01(config-if-range)#int range fast0/1 - 20
AccSw01(config-if-range)#switchport mode access
Use physical device authentication
This can ensure that only controlled stations communicate on your corporate network, and can be performed using IEEE 802.1X. This standard, which was originally defined for the LAN, can also be used on wireless access points to authenticate wireless clients before they connect to an access point. Here is a sample of how to configure the switch to be an 802.1X authenticator using RADIUS as the authentication protocol (the global dot1x system-auth-control command turns 802.1X enforcement on; without it, the per-port setting has no effect):
AccSw01(config)#aaa new-model
AccSw01(config)#radius-server host 10.1.1.1
AccSw01(config)#radius-server key RADk3y01
AccSw01(config)#aaa authentication dot1x default group radius
AccSw01(config)#dot1x system-auth-control
AccSw01(config)#int range f0/1 - 20
AccSw01(config-if-range)#dot1x port-control auto
Enable port security
This is a great way to define how many and exactly which devices can connect to your switch ports. This is ideal to prevent the connection of unauthorized hubs, switches, and access points throughout your network. Here, we enable port security (the bare switchport port-security command turns the feature on; the maximum and violation settings alone do not) and define the number of MAC addresses permitted on each port:
AccSw01(config)#int range fast0/1 - 20
AccSw01(config-if-range)#switchport port-security
AccSw01(config-if-range)#switchport port-security maximum 1
AccSw01(config-if-range)#switchport port-security violation restrict
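As an added example that is not part of this white paper (nor any Cisco tool), the Python audit below checks a Catalyst running-config for the four hardening steps described above: unused ports shut down, a fixed access port type, 802.1X port control with its global enable, and port security with a MAC address limit. The configuration text is constructed for illustration; dot1x system-auth-control is assumed to be the global IOS command that turns 802.1X enforcement on, alongside the commands shown in this section.

```python
# Constructed sample config (not captured from a real device): port 1 is
# hardened per the steps above, port 3 is at defaults, port 13 is shut down.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 10.1.1.1
radius-server key RADk3y01
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 dot1x port-control auto
!
interface FastEthernet0/3
!
interface FastEthernet0/13
 shutdown
!
"""

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())   # stanza body line
    return interfaces

def audit_port(lines, global_dot1x):
    """List the hardening steps a port is missing; a shut-down port passes."""
    if "shutdown" in lines:
        return []
    findings = []
    if "switchport mode access" not in lines:
        findings.append("port type not fixed: trunk still negotiable")
    if not global_dot1x or "dot1x port-control auto" not in lines:
        findings.append("802.1X not enforced on port")
    if "switchport port-security" not in lines:
        findings.append("port security not enabled")
    elif not any(l.startswith("switchport port-security maximum") for l in lines):
        findings.append("port security has no MAC address limit")
    return findings

def audit_config(config):
    """Map each interface to its findings; an empty list means hardened."""
    dot1x_on = "dot1x system-auth-control" in config.splitlines()
    return {n: audit_port(l, dot1x_on) for n, l in parse_interfaces(config).items()}
```

Run audit_config on a saved show running-config and review any interface whose list is not empty.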
Secure Spanning Tree Protocol (STP)
This is an often overlooked point of control in a LAN environment. Keep in mind two key points about STP: STP operates automatically, converges on its own, and will re-converge each time a new switch is connected; and the direction for all traffic that flows throughout your layer 2 network is determined by STP. This means that a compromised STP configuration can be used to create a Denial of Service (DoS) by way of constant convergence and cause slow performance by directing traffic through less-than-optimal points in your network.