Managing Cisco Network Security, Second Edition

Eric Knipp, Brian Browne, Woody Weaver, C. Tate Baumrucker, Larry Chaffin, Jamie Caesar, Vitaly Osipov

Everything You Need to Secure Your Cisco Network

• Complete Coverage of Cisco PIX Firewall, Secure Scanner, VPN Concentrator, and Secure Policy Manager
• Step-by-Step Instructions for Security Management, Including PIX Device Manager, and Secure Policy Manager
• Hundreds of Designing & Planning and Configuring & Implementing Sidebars, Security Alerts, and Cisco Security FAQs
solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Managing Cisco Network Security, Second Edition

Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-913836-56-6

Technical Editor: Edgar Danielyan
Technical Reviewer: Sean Thurston
Acquisitions Editor: Catherine B. Nolan
Developmental Editor: Jonathan Babcock
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Copy Editor: Michael McGee
Indexer: Nara Wood

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, Emlyn Rhodes, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Elsevier Science/Harcourt Australia for all their help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

Thank you to our hard-working colleagues at New England Fulfillment & Distribution who manage to get all our books sent pretty much everywhere in the world. Thank you to Debbie “DJ” Ricardo, Sally Greene, Janet Honaker, and Peter Finch.
Contributors

F. William Lynch (SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is co-author of Hack Proofing Sun Solaris 8 (Syngress Publishing, ISBN: 1-928994-44-X), and Hack Proofing Your Network, Second Edition (Syngress Publishing, ISBN: 1-928994-70-9). He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis. William has served as a consultant to multinational corporations and the federal government including the Centers for Disease Control and Prevention headquarters in Atlanta, GA as well as various airbases of the United States Air Force. He is also the Founder and Director of the MRTG-PME project, which uses the MRTG engine to track systems performance of various UNIX-like operating systems. William holds a bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, OH and a master’s of Business Administration from Regis University in Denver, CO.

Robert “Woody” Weaver (CISSP) is a Principal Architect and the Field Practice Leader for Security at Callisma. As an information systems security professional, Woody’s responsibilities include field delivery and professional services product development. His background includes a decade as a tenured professor teaching mathematics and computer science, as the most senior network engineer for Williams Communications in the San Jose/San Francisco Bay area, providing client services for their network integration arm, and as Vice President of Technology for Fullspeed Network Services, a regional systems integrator. Woody received a bachelor’s of Science from Caltech, and a Ph.D. from Ohio State. He currently works out of the Washington, DC metro area.

Larry Chaffin (CCNA, CCDA, CCNA-WAN, CCDP-WAN, CSS1, NNCDS, JNCIS) is a Consultant with Callisma. He currently provides strategic design and technical consulting to all Callisma clients. His specialties include Cisco WAN routers, Cisco PIX Firewall, Cisco VPN, ISP design and implementation, strategic network planning, network architecture and design, and network troubleshooting and optimization. He also provides Technical Training for Callisma in all technology areas that include Cisco, Juniper, Microsoft, and others. Larry’s background includes positions as a Senior LAN/WAN Engineer at WCOM-UUNET, and he also is a freelance sports writer for USA Today and ESPN.

Eric Knipp (CCNP, CCDP, CCNA, CCDA, MCSE, MCP+I) is a Consultant with Callisma. He is currently engaged in a broadband optimization project for a major US backbone service provider. He specializes in IP telephony and convergence, Cisco routers, LAN switches, as well as Microsoft NT, and network design and implementation. He has also passed both the CCIE Routing and Switching written exam as well as the CCIE Communications and Services Optical qualification exam. Eric is currently preparing to take the CCIE lab later this year. Eric’s background includes positions as a project manager for a major international law firm and as a project manager for NORTEL. He is co-author on the previously published Cisco AVVID and IP Telephony Design and Implementation (Syngress Publishing, ISBN: 1-928994-83-0), and the forthcoming book Configuring IPv6 for Cisco IOS (Syngress Publishing, ISBN: 1-928994-84-9).

Jamie Caesar (CCNP) is the Senior Network Engineer for INFO1 Inc., located in Norcross, GA. INFO1 is a national provider of electronic services to the credit industry and a market leader in electronic credit solutions. INFO1 provides secure WAN connectivity to customers for e-business services. Jamie contributes his time with enterprise connectivity architecture, security, deployment, and project management for all WAN services. His contributions enable INFO1 to provide mission-critical, 24/7 services to customers across all of North America. Jamie holds a bachelor’s degree in Electrical Engineering from Georgia Tech. He resides outside Atlanta, GA with his wife, Julie.

Vitaly Osipov (CISSP, CCSA, CCSE) is a Security Specialist with a technical profile. He has spent the last five years consulting various companies in Eastern, Central, and Western Europe on information security issues. Last year Vitaly was busy with the development of managed security service for a data center in Dublin, Ireland. He is a regular contributor to various infosec-related mailing lists and recently co-authored Check Point NG Certified Security Administrator Study Guide. Vitaly has a degree in mathematics. Currently he lives in the British Isles.

C. Tate Baumrucker (CISSP, CCNP, Sun Enterprise Engineer, MCSE) is a Senior Consultant with Callisma. He is responsible for leading engineering teams in the design and implementation of complex and highly available systems infrastructures and networks. Tate is industry recognized as a subject matter expert in security and LAN/WAN support systems such as HTTP, SMTP, DNS, and DHCP. He has spent eight years providing technical consulting services in enterprise and service provider industries for companies including American Home Products, Blue Cross and Blue Shield of Alabama, Amtrak, Iridium, National Geographic, Geico, GTSI, Adelphia Communications, Digex, Cambrian Communications, and BroadBand Office.

Brian Browne (CISSP) is a Senior Consultant with Callisma. He provides senior-level strategic and technical security consulting to Callisma clients, has 12 years of experience in the field of information systems security, and is skilled in all phases of the security lifecycle. A former independent consultant, Brian has provided security consulting for multiple Fortune 500 clients, and has been published in Business Communications Review. His security experience includes network security, firewall architectures, virtual private networks (VPNs), intrusion detection systems, UNIX security, Windows NT security, and public key infrastructure (PKI). Brian resides in Willow Grove, PA with his wife, Lisa and daughter, Marisa.

Technical Reviewer

Sean Thurston (CCDP, CCNP, MCSE, MCP+I) is an employee of Western Wireless, a leading provider of communications services in the Western United States. His specialties include implementation of multi-vendor routing and switching equipment and XoIP (Everything over IP installations). Sean’s background includes positions as a Technical Analyst for Sprint-Paranet and the Director of a brick-and-mortar advertising dot com. Sean is also a contributing author to Building a Cisco Network for Windows 2000 (Syngress Publishing, ISBN: 1-928994-00-8) and Cisco AVVID & IP Telephony Design and Implementation (Syngress Publishing, ISBN: 1-928994-83-0). Sean lives in Renton, WA with his fiancée, Kerry. He is currently pursuing his CCIE.

Technical Editor

Edgar Danielyan (CCNP Security, CCDP, CSE, SCNA) is a self-employed consultant, author, and editor specializing in security, UNIX, and internetworking. He is the author of Solaris 8 Security available from New Riders, and has contributed his expertise as a Technical Editor of several books on security and networking including Hack Proofing Linux (Syngress Publishing, ISBN: 1-928994-34-2) and Hack Proofing Your Web Applications (Syngress Publishing, ISBN: 1-928994-31-8). Edgar is also a member of the ACM, IEEE, IEEE Computer Society, ISACA, SAGE, and the USENIX Association.
Contents

Network Access Layer Security 10
IPSec 14
Process Application Layer Security 17
PGP 19
S-HTTP 19
Secure Sockets Layer and Transport
Authentication 21
Terminal Access Controller Access
Remote Dial-in User System 23

…open standard and available from many vendors:
■ RADIUS uses UDP, so it only offers best effort delivery at a lower overhead.
■ RADIUS encrypts only the password sent between the Cisco access client and RADIUS server. RADIUS does not provide encryption between the workstation and the Cisco access client.
■ RADIUS does not support multiple protocols, and only works on IP networks.
■ RADIUS does not provide the ability to control the commands that can be executed on a router: It provides authentication, but not authorization to Cisco devices.
Layer 1: The Physical Layer 26
Layer 2: The Data-link Layer 26
Layer 4: The Transport Layer 29
Layer 6: The Presentation Layer 31
Layer 7: The Application Layer 32
Composition of a Data Packet 44
Ethernet 44
Cisco IP Security Hardware and Software 46
The Cisco Secure PIX Firewall 46
Cisco Secure Integrated Software 49
Cisco Secure Integrated VPN Software 50
Cisco Secure Access Control Server 50
Cisco Secure Intrusion Detection System 51
Cisco Secure Consulting Services 53
Summary 54

Chapter 2 What Are We Trying to Prevent? 61
Introduction 62
What Threats Face Your Network? 64

A: Not necessarily. The Cisco product is not terribly expensive, and there exist open source solutions which are free to use. The actual assessment program is probably less expensive than the remediation efforts: Maintaining all your hosts on an ongoing basis is a steep maintenance requirement, and one that not all enterprises have accepted. But ever since the summer of 2001, there has been clear evidence that you have to manage your hosts and keep their patch levels up-to-date just to stay in business.
Distributed Denial of Service (DDoS) Attacks 75
File System Integrity Software 77
Network Traffic Anomaly Tools 78
What Are the Key Steps after a Breach
Introduction 98
Overview of the Security Features 100
Differences between PIX OS Version 4.x
CPU Utilization Statistics 107
Dynamic Shunning with Cisco Intrusion Detection System 107
Port Address Translations 108
Session Initiation Protocol 108
Stateful Sharing of HTTP (port 80)
Installing the IOS over TFTP 113
Confidentiality Configuration in PIX 138
URL, ActiveX, and Java Filtering 138
Protecting a Private Network 140
Protecting a Network Connected to
Protecting Server Access Using Authentication 145
Protecting Public Servers Connected

Chapter 4 Traffic Filtering in the Cisco
Introduction 164
Source Address and Wildcard Mask 170
Source Address and Wildcard-mask 182
Destination Address and Wildcard-mask 183
Source and Destination Port Number 183
Named Access Lists 189
Building Reflexive Access Lists 202
Applying Reflexive Access Lists 205
The Context-based Access Control Process 208
Configuring Context-based Access Control 208

Chapter 5 Network Address Translation/Port Address Translation 233
Introduction 234
RFC 1918 Private Addressing 235
NAT 237
Transparent Address Assignment 237
Public, Global, and External Networks 240
Private and Local Networks 240
Application Level Gateways 240

Configuration Commands
Before NAT can be implemented, the “inside” and “outside” networks must be defined. To define the “inside” and “outside” networks, use the ip nat … to the inside network (the network is subject …
Traditional NAT or Outbound NAT 241
Session Initiation Protocol 252
Configuring NAT between a Private
Configuring NAT in a Network with DMZ 261
IP Address Information in Data 263
Bundled Session Applications 264
Peer-to-Peer Applications 264
IP Fragmentation with PAT en Route 264
Applications Requiring Retention
Summary 266

Introduction 274
Understanding Cryptography Concepts 274
History 275
Learning about Standard Cryptographic Algorithms 277
Understanding Symmetric Algorithms 278
DES 278
IDEA 281
Understanding Asymmetric Algorithms 282
Diffie-Hellman 282
RSA 284
Using Brute Force to Obtain Passwords 286
L0phtcrack 288
Crack 289
Knowing When Real Algorithms Are
Using a Short Password to Generate

Encryption Key Types
Cryptography uses two types of keys: symmetric and asymmetric. Symmetric keys have been around the longest; they utilize a single key for both the encryption and decryption of the ciphertext. This type of key is called a secret key, because you must keep it secret. Otherwise, anyone in possession of the key can decrypt messages that have been encrypted with it. The algorithms used in symmetric key encryption have, for the most part, been around for many years and are well known, so the only thing that is secret is the key being used. Indeed, all of the really useful algorithms in use today are completely open to the public.

Chapter 7 Cisco LocalDirector and DistributedDirector 313
Introduction 314
Improving Security Using Cisco LocalDirector 314
LocalDirector Technology Overview 315
LocalDirector Product Overview 315
LocalDirector Security Features 316
Filtering of Access Traffic 316
Using synguard to Protect Against
Using NAT to Hide Real Addresses 320
Restricting Who Is Authorized to Have Telnet Access to LocalDirector 321
The key chain Command 327
The key Command 328
The key-string Command 328
The enable secret Password 329
The enable Password 330
The telnet Password 330
Summary 331

LocalDirector Product Overview
The LocalDirector product is available in three different ranges:
■ LocalDirector 416 This is both the entry-level product as well as the medium-size product. It supports up to 90 Mbps throughput and 7,000 connections per second.
■ LocalDirector 430 This is the high-end product. It supports up to 400 Mbps throughput and 30,000 connections per second.
■ LocalDirector 417 Newer platform with different mounting features. It is even more productive than 430 series and has more memory: two Fast Ethernet and one Gigabit Ethernet interfaces.
Chapter 8 Virtual Private Networks
Introduction 336
Overview of the Different VPN Technologies 336
IPSec and Cisco Encryption Technology 357
IPSec Manual Keying Configuration 358
IPSec over GRE Tunnel Configuration 364
Connecting IPSec Clients to Cisco IPSec 373
Summary 376

…basis to another edge node (customer site).
■ Link Layer VPNs are implemented at link layer (Layer 2) of the OSI Reference model.

Chapter 9 Cisco Authentication, Authorization, and Accounting Mechanisms 379
Supported AAA Security Protocols 387
RADIUS 388
TACACS+ 393
Kerberos 397
Choosing RADIUS, TACACS+, or Kerberos 405
Configuring AAA Authentication 407
Configuring Login Authentication
Configuring PPP Authentication
Enabling Password Protection for
RADIUS Configuration Example 429
Typical RAS Configuration Using AAA 431
Typical Firewall Configuration Using AAA 435
How the Authentication Proxy Works 439
Comparison with the Lock-and-key Feature 440
Benefits of Authentication Proxy 441
Restrictions of Authentication Proxy 442
Configuring Authentication Proxy 442
Configuring the HTTP Server 443
Configuring the Authentication Proxy 444
Authentication Proxy Configuration Example 446
Summary 448

…to the router. To minimize the security risk, use a cross-over cable that is directly connected from a PC to the router’s Ethernet interface. Configure both interfaces with IP addresses in the same subnet. By doing this, it is physically impossible for anyone to capture the packets as they are transferred from the Kerberos server to the router.

Chapter 10 Cisco Content Services Switch 455
Introduction 456
Overview of Cisco Content Services Switch 456
Cisco Content Services Switch Technology Overview 457
Cisco Content Services Switch Product
Example of Firewall Load Balancing
The SuperUser Access Level 469
Vulnerabilities 473
Summary 474

FlowWall Security
FlowWall provides intelligent flow inspection technology that screens for all common DoS attacks, such as SYN floods, ping floods, smurfs, and abnormal or malicious connection attempts. It does this by discarding packets that have the following …
■ Source address = Cisco address, or the source …

Chapter 11 Cisco Secure Scanner 479
Introduction 480
Minimum System Specifications for Secure Scanner 481
Searching the Network for Vulnerabilities 483
Identifying Network Addresses 485
Identifying Vulnerabilities 487
Saving Grid Views and Charts 502
Summary 508

Searching the Network for Vulnerabilities
There are three primary steps in creating a session to search your network for vulnerabilities:
1. Identifying the network addresses to scan
2. Identifying vulnerabilities to scan by specifying the TCP and UDP ports (and any active probe settings)
3. Scheduling the session
Chapter 12 Cisco Secure Policy Manager 513
Introduction 514
Overview of the Cisco Secure Policy Manager 514
The Benefits of Using Cisco Secure Policy Manager 515
Installation Requirements for the Cisco
Features of the Cisco Secure Policy Manager 518
VPN and IPSec Security Management 520
Security Policy Definition 522
Security Policy Enforcement 523
Network Security Deployment Options 526
Cisco Secure Policy Manager Device
Using the Cisco Secure Policy Manager 528
Configuration 528
CSPM Configuration Example 530
Summary 535

Embedded IDS features of Cisco PIX firewalls and Cisco IOS routers are not supported.

Compromise 545
Identifying Errors of Configuration 546
Documenting Existing Threat Levels for Planning or Resource Allocation 546
Deploying an IDS in a Network 547
Application and Operating Software Weaknesses 556
The Cisco Secure Policy Manager 567
Director and Probe Setup 570
The Data Management Package 576
An E-mail Notification Example 576
Cisco IOS Intrusion Detection Systems 577
Configuring Cisco IOS IDS Features 578
Summary 583

Distributed Denial of Service Attacks
Recently, distributed denial of service (DDoS) attacks have become more common. Typical tools used by attackers are Trinoo, TFN, TFN2K and Stacheldraht (“barbed wire” in German). How does a DDoS attack work? The attacker gains access to a Client PC. From there, the cracker can use tools to send commands to the nodes. These nodes then flood or send malformed packets to the victim. Coordinated traceroutes from several sources are used to probe the same target to construct a table of routes for the network. This information is then used as the basis for further attacks.

Chapter 14 Network Security Management 593
Introduction 594
PIX Device Manager Overview 595
PIX Device Manager Benefits 595
Supported PIX Firewall Versions 596
Requirements for a Host Running the PIX Device Management Client 597
Configuring the PIX Device Manager 598
Installing the PIX Device Manager 599
Configuring Basic Firewall Properties 609
Implementing Network Address Translation 612
Allowing Inbound Traffic from
CiscoWorks2000 Access Control List Manager 617
ACL Manager Device and Software Support 619
Installation Requirements for ACL Manager 619
Using a Structured Access Control
Decreasing Deployment Time for
Ensure Consistency of Access
Using the Optimizer and the Hits Optimizer 625
Configuring the ACL Manager 626
Installing the ACL Manager and
Configuration Example: Creating ACLs
Cisco Secure Access Control Server 633
Overview of the Cisco Secure Access
Benefits of the Cisco Secure Access
Authentication 634
Authorization 635
Accounting 636
Installation Requirements for the Cisco Access Control Server 636
Features of Cisco Secure ACS 637
Placing Cisco Secure ACS in the Network 638
Cisco Secure ACS Device and Software Support 639
Installing Cisco Secure ACS 641
Configuration 642
Configuration Example: Adding and Configuring a AAA Client 643
Summary 646

…management issues, Cisco has developed several …
■ … Control Lists Manager
■ Cisco Secure Policy Manager
■ Cisco Secure Access Control Server

Chapter 15 Looking Ahead:
Introduction 650
Understanding Security Fundamentals
Configuration and Deployment of LEAP 669
Where in the Authentication/Association Process Does MAC Filtering Occur? 673
Determining MAC Filtering Is Enabled 674
Accounting and Audit Trails 678
The WEP Authentication Process 693
WEP Benefits and Advantages 693
Security of 64-Bit versus 128-Bit Keys 696
Addressing Common Risks and Threats 697
Finding Weaknesses in a Target 698
Exploiting Those Weaknesses 700
Sniffing, Interception, and Eavesdropping 701
Defining Sniffing 701
Protecting Against Sniffing and Eavesdropping 704
Spoofing and Unauthorized Access 704
Protecting Against Spoofing and
Network Hijacking and Modification 706
Protection against Network Hijacking
Denial of Service and Flooding Attacks 709
DoS and Flooding Case Scenario 710
Protecting Against DoS and Flooding Attacks 711
Summary 712

Security protection starts with the preservation of the confidentiality, integrity, and availability (CIA) of data and computing resources. These three tenets of information security, often referred to as “The Big Three,” are sometimes represented by the CIA triad.
Confidentiality …
Foreword

Today’s Security Environment

Information security has become an extremely important topic for everyone over the past few years. In today’s environment the number of touch points between an organization’s information assets and the outside world has drastically increased: millions of customers can interact via a Web site, thousands of employees and partners may connect using Virtual Private Networks (VPNs), and dozens of critical applications may be completely outsourced to application service providers (ASPs). The deployment of wireless LANs also means that users no longer even need a physical connection to the network to gain access.

In addition to an explosion of touch points, we are faced with an infinitely complex and rapidly changing web of networks, applications, systems, client software, and service providers. Under these circumstances, absolute security cannot be guaranteed since it’s impossible to test the security implications of every configuration combination of hardware and software under every set of conditions.

A critical strategy for reducing security risk is to practice defense-in-depth. The essence of defense-in-depth is to create an architecture that incorporates multiple layers of security protection. Recognizing this requirement, Cisco Systems has placed a high priority on security and offers a wide range of stand-alone and integrated security products. Managing Cisco Network Security, Second Edition is important to anyone involved with Cisco networks, as it provides practical information on using a broad spectrum of Cisco’s security products. Security is not just for “security geeks” anymore. It is an absolute requirement of all network engineers, system administrators, and other technical staff to understand how best to implement security.

About This Book

In addition to providing a general understanding of IP network security and the threat environment, this book offers detailed and practical information on how to use Cisco’s suite of security products. Callisma’s contributing authors are industry experts with real world implementation experience. Each chapter will guide you through a particular aspect of security, from the family of PIX firewalls, to the Cisco Secure Intrusion Detection System (IDS), to traffic filtering in IOS, to the Cisco Secure Policy Manager (CSPM). In reading this book, you will obtain a firm understanding of how to secure your Cisco network.

…results-oriented … in Silicon Valley, with offices located throughout the United States. For more information, visit the Callisma Web site at www.callisma.com or call 888-805-7075.

—Ralph Troupe, President and CEO, Callisma
Chapter 1

Introduction to IP Network Security

Solutions in this chapter:

■ What Role Does Security Play in a Network?
■ The Fundamentals of Networking
■ Where Does Security Fit in?
■ Cisco IP Security Hardware and Software

✓ Summary
✓ Solutions Fast Track
✓ Frequently Asked Questions
This book is intended to help people implement IP network security in a Cisco environment. It will provide the language, architectural framework, technical insight, technical configuration, and practical advice to ensure best practice security implementation. Successfully digesting the material presented in this book will allow you to protect your environment and client services using a wide array of Cisco security technologies and equipment.

What Role Does Security Play in a Network?

This book is about IP network security. Though you probably already know something about networking, we’ll go over some of the language to be sure we are all working from the same concepts. Let’s begin by discussing what we are trying to accomplish with IP network security.

■ Integrity Integrity ensures that information or software is complete, accurate, and authentic (in other words, it isn’t altered without authorization). We want to ensure mechanisms are in place to protect against accidental or malicious changes, and may wish to produce documented trails of which communications have occurred.

■ Availability Availability ensures that information and services are accessible and functional when needed and authorized. There is a related concept of trust. The formal definition of trust concerns the extent to which someone who relies on a system can have confidence that the system meets its specifications (that is, the system does what it claims to do and does not perform unwanted functions).

Different systems and businesses will place differing levels of importance on each of these three characteristics. For example, while Internet service providers (ISPs) may be concerned with confidentiality and integrity, they will be more concerned with protecting availability for their customers. The military, by contrast, places more emphasis on confidentiality, with its system of classifications of information, and the clearances for people who need to access it. Most businesses must be concerned with all three elements, but will be concerned primarily with the integrity of their data.
Confidentiality
Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Cryptography and access control are used to protect confidentiality. The effort applied to protecting confidentiality depends on the sensitivity of the information and the likelihood of it being observed or intercepted.
Network encryption can be applied at any level in the protocol stack. Applications can provide end-to-end encryption, but each application must be adapted to provide this service. Encryption at the transport layer is used frequently today. Virtual private networks (VPNs) can be used to establish secure channels of communication between two sites or between an end user and a site. (VPNs are covered in more detail in Chapter 5.) Encryption can be used at the OSI data-link layer, but doesn't scale easily; every networking device in the communication pathway would have to participate in the encryption scheme. Data-link layer encryption is making a comeback in the area of wireless security, such as in IEEE 802.11. Physical security, meanwhile, is used to prevent unauthorized access to network ports or equipment rooms. One of the risks at the physical level is violation of access control through the attachment of promiscuous packet capture devices to the network, particularly with the widespread use of open source tools such as Ethereal (www.ethereal.com) and tcpdump (www.tcpdump.org) that permit nearly any host to become a packet decoder.
Introduction to IP Network Security • Chapter 1 3
Damage & Defense…
Cleartext Passwords
Passing passwords in cleartext that permit administrative access to systems is a severe security risk. Use access control mechanisms and, where possible, encryption controls (such as SSH) to communicate with infrastructure devices. Many Cisco devices will support SSH with a modern image.
Integrity
Integrity ensures that information or software is complete, accurate, and authentic. We want to keep unauthorized people or processes from making any changes to the system, and keep authorized users from making changes that exceed their authority. These changes may be intentional or unintentional, and similar mechanisms can protect a system from both.
For network integrity, we need to ensure that the message received is the same message that was sent. The content of the message must be complete and unmodified, and the link must be between valid source and destination nodes. Connection integrity can be provided by cryptography and routing control. Simple integrity assurance methods to detect incidental changes, like adding up all the bytes in a message and recording that as an element in the packet, are used in everyday IP flows. More robust approaches, such as taking the output from a hash function like Message Digest 5 (MD5) or the Secure Hash Algorithm (SHA) and adding that to the message, as is used in IPSec, can detect attempted malicious changes to a communication.
For host integrity, cryptography can also come to the rescue. Using a secure hash can identify whether an unauthorized change has occurred. However, of fundamental importance is the careful use of audit trails to determine what changed, when the change occurred, and who made the change. Sound security design includes a centralized log server, and policy and procedure around safe handling of audit data.
Integrity also extends to the software images for network devices that are transporting data. The images must be verified as authentic and as not having been modified or corrupted. Just as a transported IP packet has a checksum to verify it wasn't accidentally damaged in transit, Cisco provides a checksum for IOS images. When copying an image into flash memory, verify that the checksum of the bundled image matches the checksum listed in the README file that comes with the upgrade.
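The following Python example is added here to illustrate the two network-integrity mechanisms described above (the simple "add up all the bytes" check versus a keyed hash of the kind IPSec applies with MD5 or SHA) and the image-digest check recommended for IOS upgrades. It is not code from the book or from Cisco; the message, the pre-shared key, and the "image" bytes are constructed placeholders, and the published digest is computed from the pristine placeholder to stand in for the value a README would list.

```python
import hashlib
import hmac


def additive_checksum(data: bytes) -> int:
    """Sum every byte of the message, truncated to 16 bits.

    Mirrors the simple byte-sum style of integrity check: cheap, and fine
    for catching random bit errors, but any rearrangement of the same
    bytes leaves the sum unchanged, so it cannot detect deliberate edits.
    """
    return sum(data) & 0xFFFF


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the message (keyed hash, as IPSec uses with MD5/SHA).

    Without the key, a party that alters the message cannot produce a
    matching tag, so the change is detected on receipt.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, tag: str) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(keyed_digest(data, key), tag)


def verify_image(image: bytes, published_digest: str, algorithm: str = "md5") -> bool:
    """Compare a software image's digest with the value published alongside it."""
    actual = hashlib.new(algorithm, image).hexdigest()
    return hmac.compare_digest(actual, published_digest)


# Constructed sample traffic: the tampered copy is a permutation of the
# original's bytes (the account digits are reordered), so the byte sum is
# identical even though the meaning has changed.
ORIGINAL_MSG = b"transfer 100 to account 4321"
TAMPERED_MSG = b"transfer 100 to account 1234"
SHARED_KEY = b"constructed-demo-key"  # hypothetical pre-shared key, not a real one

# Constructed stand-in for an IOS image; PUBLISHED_MD5 plays the role of the
# checksum listed in the upgrade README, and CORRUPTED_IMAGE models a copy
# damaged in transit (last byte altered).
PRISTINE_IMAGE = b"\x7fELF-placeholder-image-bytes" * 64
PUBLISHED_MD5 = hashlib.md5(PRISTINE_IMAGE).hexdigest()
CORRUPTED_IMAGE = PRISTINE_IMAGE[:-1] + b"\x00"


def checksum_detects_tamper() -> bool:
    """True only if the byte-sum check distinguishes the two messages."""
    return additive_checksum(ORIGINAL_MSG) != additive_checksum(TAMPERED_MSG)


def hmac_detects_tamper() -> bool:
    """True if a tag computed over the original rejects the tampered message."""
    tag = keyed_digest(ORIGINAL_MSG, SHARED_KEY)
    return not verify_keyed(TAMPERED_MSG, SHARED_KEY, tag)


if __name__ == "__main__":
    print("byte-sum checksum caught the swap:", checksum_detects_tamper())  # False
    print("keyed hash caught the swap:       ", hmac_detects_tamper())      # True
    print("pristine image verifies: ", verify_image(PRISTINE_IMAGE, PUBLISHED_MD5))   # True
    print("corrupted image verifies:", verify_image(CORRUPTED_IMAGE, PUBLISHED_MD5))  # False
```

The byte-sum check is only useful against accidental damage, which is why the book pairs it with a keyed hash for malicious changes; the image check uses a plain digest because the README value is obtained out of band, and the comparison is done in constant time out of habit so the same helper can be reused where timing matters.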
Availability
Availability ensures that information and services are accessible and functional when needed. Redundancy, fault tolerance, reliability, failover, backups, recovery, resilience, and load balancing are the network design concepts used to assure availability. If systems aren't available, then integrity and confidentiality won't matter. Build networks that provide high availability.
Your customers or end users will perceive availability as being the entire system—application, servers, network, and workstation. If they can't run their applications, then it is not available. To provide high availability, ensure that security processes are reliable and responsive. Modular systems and software, including security systems, need to be interoperable.
Denial of service (DoS) attacks are aimed at crippling the availability of networks and servers, and can create severe losses for organizations. In February 2000, large Web sites such as Yahoo!, eBay, Amazon, CNN, ZDNet, E*Trade, Excite, and Buy.com were knocked offline or had their availability reduced to about 10 percent for many hours by distributed denial of service (DDoS) attacks. The attacks were not particularly sophisticated—they were launched by a teenager—but were disastrously effective.
NOTE
Having a good inventory and documentation of your network is important for day-to-day operations, but in a disaster, you can't depend on having it available. Business Continuity/Disaster Recovery is an important aspect of security design. Store the configurations and software images of network devices offsite with your backups from servers, and keep them up to date. Include documentation about the architecture of your network. All of this documentation should be available in printed form because electronic versions may be unavailable or difficult to locate in an emergency. Such information will save valuable time in a crisis.
Cisco makes many products designed for high hardware availability. These devices are characterized by a long mean time between failures (MTBF), with redundant power supplies and hot-swappable cards or modules. For example, devices that provide 99.999 percent availability would have about five minutes of downtime per year.
Availability of individual devices can be enhanced by their configuration. Using features such as redundant uplinks with Hot Standby Router Protocol (HSRP), fast-convergent Spanning Tree, or Fast EtherChannel provides a failover if one link should fail. Uninterruptible power supplies (UPSs) and backup generators are used to protect mission-critical equipment in the event of a power outage. These are not security features per se—and in some instances may work against security, such as using HSRP to force a router offline to allow the bypassing of access controls—but are a valid part of a security design.
www.syngress.com
Although not covered in this book, Cisco IOS includes reliability featuressuch as:
■ Hot Standby Router Protocol (HSRP)
■ Simple Server Redundancy Protocol (SSRP)
■ Deterministic Load Distribution (DLD)
Philosophy
The underlying philosophy behind security is different from what most network managers face. There are three common perspectives behind the design of networks:
■ User perspective Get it out fast, and as inexpensively as possible. Make it work. If it breaks, fix it.
■ Operations management perspective Get it out to meet all needs, and do it as reliably as possible. Document how it's working. Don't let it break, or at least recover from breaks transparently.
■ Security perspective Get it out in a controlled fashion, meeting authorized needs. Allow only authorized services to work. If it breaks, make sure it fails in a fashion that doesn't allow unauthorized services.
The way to think of the user perspective is to imagine you are programming a computer: write code to make it work, and move on. If the code is a little buggy, that's okay—it's less expensive, and you get most of what you need. The way to think of the operations management perspective is to see yourself programming Murphy's computer: write code with the understanding that things will break at the worst possible time, and deal with it gracefully. You spend time developing useful error messages, and help the user understand what is happening inside the program. It costs more, but it's a better "quality" program. The way to think of the security perspective is to imagine yourself programming Satan's computer: write code with the understanding that there is an actively malicious agent at the heart of the environment trying to break things; protect yourself and your clients. You spend time checking for buffer overflows or impossible inputs. It's more difficult of course, but hey, it's a dangerous world out there…
None of these perspectives is best; they all have advantages. Working from an operations management perspective is expensive; it means you usually have to buy two of everything, provide redundant routes, and spend time thinking about command and management issues. Working from a security perspective is inconvenient; in addition to the increased complexities, we often have to reduce features and try to streamline systems to provide the necessary controls. Maintaining all three perspectives simultaneously is the challenge that network managers face.
Cisco has documented its fundamental blueprints in the SAFE program (see www.cisco.com/warp/public/779/largeent/issues/security/safebprint.html for further information). A quick summary might state that security does not come from a single product but is based upon a triad of people, processes, and technology; and that security should not be in a single location but be handled by a distributed, defense-in-depth approach that's spread across the enterprise. Though security policy and its procedural issues are outside the scope of this book, be warned that some sidebars may creep into these pages from time to time. What we will do is show how the various pieces of security technology can be deployed across your environment to enhance your security posture.
What if I Don’t Deploy Security?
Security costs significant money, and is rather inconvenient. These are rather good reasons not to deploy security, and for many enterprises that was the standard operating procedure. Unfortunately, that turned out to be a shortsighted decision.
According to an Information Week / PricewaterhouseCoopers survey (the Security Benchmarking Service), losses due to security breaches cost over 1.39 trillion dollars last year. The Computer Security Institute (CSI)/FBI survey showed that the average annual loss per company exceeded two million dollars. One interesting study is Egghead Software: on the day a security breach was announced, their stock dropped 25 percent, and they never recovered. What is a fourth of your company's capitalization? If you can reduce or eliminate this number, that can fund a pretty significant security program.
An effective security program can make a difference. Computer Economics estimated the three most costly mobile code events were CodeRed and its variants at 2.62 billion dollars; SirCam at 1.15 billion dollars; and Nimda at 635 million dollars. The first and last could have been stopped by an effective vulnerability assessment program, such as a solid Cisco Secure Scanner deployment, while SirCam could have been stopped by an effective antivirus filtering program at the perimeter of the network.