Task 5: Review and Complete the Configuration
5. Paralyze. After the worm has used the host system to propagate to other systems to ensure its continuing survival, the worm can now paralyze the
Figure 9.2 illustrates these five phases.
FIGURE 9.2 The five Ps of a worm attack: (1) Probe, (2) Penetrate, (3) Persist, (4) Propagate, (5) Paralyze.
Cisco Solutions to Secure Systems and Thwart Endpoint Attacks
As you have probably inferred from the preceding discussion, an Intrusion Protection System would not, by itself, be effective against viruses, worms, and Trojan horses. Many vendors, including Cisco, have products in their security portfolio that are especially effective against such network-borne contagions.
We examine three solutions at a high level:
. IronPort
. NAC
. CSA
IronPort
IronPort is a recent acquisition by Cisco. IronPort comprises a line of security appliances, deployed at the network perimeter. There are three main series of IronPort security appliances:
. C-Series. Email security appliances. These use the same code base as IronPort SenderBase, an email traffic-monitoring system used by 80% of the largest ISPs.
. S-Series. Web security appliances. These devices protect against web-borne malware using IronPort’s Web Reputation technology and the Dynamic Vectoring and Streaming™ (DVS) engine.
. M-Series. Security management appliances.
NAC
Network Admission Control has two components, the rather confusingly named NAC Framework and the Cisco NAC Appliance. (Why is the “framework” a component of NAC? Isn’t that backwards? Oh well….)
. NAC Framework. Software embedded inside NAC-enabled products, including some Cisco IOS routers. This software acts as an agent and allows the device to collect the bona fides (or “credentials”) of a user or other entity and determine whether they have sufficient privileges to be granted access to the network. These network access devices do not themselves determine whether access privileges should be granted. They forward the credentials to the NAC Appliance. The NAC framework integrates Cisco and other vendors’ NAC-enabled products.
. Cisco NAC Appliance. Rolls the four key NAC components into a single device. It is a good fit for enterprises that need a simple way to keep track of patch revisions of operating systems, as well as updates for antivirus software and vulnerabilities. Cisco’s NAC Appliance works in a mixed vendor environment and does not need a Cisco network to operate. The four key NAC components are as follows:
❍ Cisco NAC Appliance Server (NAS). A device deployed in-band or out-of-band to perform network access control. As users attempt network access, the user is redirected to the NAS, which checks the device’s compliance. A Cisco IOS router with the right version of Cisco IOS software can perform this function. (See the following Exam Alert for more about using the acronym NAS.)
❍ Cisco NAC Appliance Manager (NAM). A GUI-based central administrative interface for IT security personnel. Security policies and users are created and managed. The NAM manages the NAS, with the NAS remaining the device that actually enforces access.
❍ Cisco NAC Appliance Agent (NAA). This is software that resides on a client endpoint. It is queried by NAM to determine an endpoint’s compliance with the network security policy. The endpoint machine is deep-inspected for the following:
   . Registry settings
   . Services
   . Files
Required hot fixes for remediation can be determined, as well as the correct version of antivirus software and CSA. From a user’s perspective, this is the interface that they see when they interact with the NAC appliance.
❍ Rule-Set Updates. Quarantined hosts can obtain the latest patches, software revisions, hot fixes, and so on through automatic updates.
EXAM ALERT
Don’t you just hate acronyms that are made up of other acronyms! Even worse are acronyms that are reused. We saw “NAS” before in Chapter 3, “Security at the Network Perimeter.” In that context, NAS stood for Network Access Server. Even in the NAC context, a NAS (now a “NAC Appliance Server”) still decides whether an entity is allowed access to the network. They both collect credentials to validate against another device, but unlike AAA where the credentials validate a user’s identity, NAC credentials validate a user’s security posture and determine whether they are sufficient to gain access to the network. No wonder, then, that Cisco prefers to call an AAA NAS an “AAA client.” This terminology is becoming more prevalent.
In order to show how all of these components work in practice, Figure 9.3 represents a slight modification of our reference network design. A NAM and NAS have been added to the network in order to manage network admission control (NAC) to the Internet (or a company intranet) for a user.
FIGURE 9.3 NAC in action. [Diagram: a user PC behind a Cisco IOS router that connects over an 802.1Q trunk to separate VLANs for the production network, a sandbox, and the Internet/intranet. The NAS, the NAM, an Access Control Server, an SNMP server, and a terminal server (to the consoles of network devices) are shown. Steps 1, 2, 3A, and 3B are marked on the diagram.]
Figure 9.3 illustrates these three basic steps:
1. A user attempts to access a site on the corporate intranet or on the Internet. The connection attempt is intercepted and blocked by a network device (IOS router in the diagram) until the next steps complete.
2. The user is redirected to a login page, where he is prompted for his login credentials by the NAS. While this occurs, the user’s PC and the network are scanned to determine whether they are compliant to the organization’s security policy.
3. If the device is compliant, it is allowed to connect to the original destination (indicated by the “3A” in Figure 9.3). If the device is noncompliant, the connection is redirected to a quarantine network or sandbox, where remedial action can be taken (indicated by the “3B” in Figure 9.3). The user might be presented with a web page where they download the latest version of the organization’s anti-virus software or invited to reread the organization’s security policy. This network is typically deployed in a separate VLAN.
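The three steps above, reduced to the admission decision the NAS makes in step 3, as an added example (not Cisco’s NAC software): the agent’s posture report is checked against a policy built from the items the NAA inspects (registry settings, services, files, hot fixes, antivirus version), and the endpoint lands either in the production VLAN (3A) or in the quarantine VLAN with a remediation list (3B). The policy values, hot-fix identifiers, and service names are constructed placeholders.

```python
"""NAC admission decision modelled in code (added example, not Cisco's own
software). The NAS collects the endpoint's posture from the agent, checks it
against the organization's policy, and either admits the endpoint to the
production VLAN (step 3A) or redirects it to a quarantine VLAN with a list of
remediation actions (step 3B). All policy values below are constructed."""

from dataclasses import dataclass, field


@dataclass
class Posture:
    """What the NAC agent reports about an endpoint (hypothetical schema)."""
    registry: dict          # registry value name -> current value
    services: set           # names of running services
    files: set              # paths of files present
    hotfixes: set           # installed hot-fix identifiers
    av_version: tuple       # antivirus version, e.g. (4, 2, 1)


@dataclass
class Policy:
    """Compliance requirements the NAM pushes to the NAS (constructed)."""
    required_registry: dict
    required_services: set
    required_files: set
    required_hotfixes: set
    min_av_version: tuple


@dataclass
class Decision:
    vlan: str
    remediation: list = field(default_factory=list)


PRODUCTION_VLAN = "production"   # step 3A: original destination reachable
QUARANTINE_VLAN = "quarantine"   # step 3B: sandbox VLAN for remediation


def evaluate(posture: Posture, policy: Policy) -> Decision:
    """Deep-inspect the reported posture and return the admission decision."""
    todo = []
    for name, wanted in policy.required_registry.items():
        if posture.registry.get(name) != wanted:
            todo.append(f"set registry value {name} to {wanted!r}")
    for svc in sorted(policy.required_services - posture.services):
        todo.append(f"start service {svc}")
    for path in sorted(policy.required_files - posture.files):
        todo.append(f"restore file {path}")
    for fix in sorted(policy.required_hotfixes - posture.hotfixes):
        todo.append(f"apply hot fix {fix}")
    if posture.av_version < policy.min_av_version:
        wanted = ".".join(map(str, policy.min_av_version))
        todo.append(f"update antivirus to version {wanted}")
    # Any unmet requirement sends the endpoint to quarantine with its to-do list.
    if todo:
        return Decision(QUARANTINE_VLAN, todo)
    return Decision(PRODUCTION_VLAN)


# Constructed policy: the identifiers are placeholders, not real hot-fix numbers.
SAMPLE_POLICY = Policy(
    required_registry={"AutoUpdateEnabled": 1},
    required_services={"csagent", "antivirus"},
    required_files={"C:/Program Files/CSA/csagent.exe"},
    required_hotfixes={"HOTFIX-EXAMPLE-001", "HOTFIX-EXAMPLE-002"},
    min_av_version=(4, 2, 0),
)

# Constructed endpoint postures: one compliant PC and one that fell behind.
COMPLIANT_PC = Posture(
    registry={"AutoUpdateEnabled": 1},
    services={"csagent", "antivirus", "spooler"},
    files={"C:/Program Files/CSA/csagent.exe"},
    hotfixes={"HOTFIX-EXAMPLE-001", "HOTFIX-EXAMPLE-002", "HOTFIX-EXAMPLE-003"},
    av_version=(4, 3, 1),
)

STALE_PC = Posture(
    registry={"AutoUpdateEnabled": 0},
    services={"csagent"},
    files={"C:/Program Files/CSA/csagent.exe"},
    hotfixes={"HOTFIX-EXAMPLE-001"},
    av_version=(4, 1, 9),
)

if __name__ == "__main__":
    for label, pc in (("compliant", COMPLIANT_PC), ("stale", STALE_PC)):
        decision = evaluate(pc, SAMPLE_POLICY)
        print(label, "->", decision.vlan, decision.remediation)
```

The remediation list is what the quarantine web page in step 3B would present to the user; keeping it as structured data rather than a single pass/fail makes the quarantine VLAN useful rather than merely a holding pen.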
CSA
CSA was covered at a high level in Chapter 8. Take a look at Figure 8.5 of that chapter. You may recall that CSA sits between an application (malicious or not) and the operating system kernel. The question is what type of intelligence is in CSA, which is represented by the padlock in that figure. CSA comprises four interceptors, as follows:
. File System Interceptor. All file read/write requests are intercepted and permitted or denied based on the security policy.
. Network Interceptor. All network read/write requests (network connections) through the NDIS (Network Driver Interface Specification) driver are filtered through the security policy. DoS attacks can be stymied by limiting the number of connections that can be made in a specified period.
. Configuration Interceptor. Read/write requests to the Windows system registry or (in Unix) the run control (rc) files are cleared by the security policy.
. Execution Space Interceptor. This interceptor ensures that each application plays by the rules by only allowing write access to memory that is owned by that application. It also blocks the injection of arbitrary code in Dynamic Link Libraries (DLLs) and buffer overflows and maintains the integrity of dynamic resources such as memory and network I/O.
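The Network Interceptor’s connection-rate limit, written out as a sliding-window check, as an added example rather than CSA’s own implementation. Each process may open at most N connections in a W-second window; further attempts are denied until the oldest permitted connection ages out. The process names, destinations, and event timestamps are constructed.

```python
"""Connection-rate limiting of the kind the CSA Network Interceptor applies
(added example, not Cisco's code). Each process gets a sliding window; once
it has opened the permitted number of connections in that window, further
attempts are denied until the oldest permitted connection ages out. The
event log and process names below are constructed."""

from collections import deque


class ConnectionLimiter:
    def __init__(self, max_connections: int, window_seconds: float):
        self.max_connections = max_connections
        self.window_seconds = window_seconds
        self._permitted = {}   # process name -> deque of permit timestamps

    def check(self, process: str, now: float) -> str:
        """Return 'permit' or 'deny' for a connection attempt at time `now`."""
        history = self._permitted.setdefault(process, deque())
        # Drop permits that have fallen out of the window.
        while history and now - history[0] >= self.window_seconds:
            history.popleft()
        if len(history) >= self.max_connections:
            return "deny"      # denied attempts do not count toward the limit
        history.append(now)
        return "permit"


# Constructed event log: (seconds since start, process, destination).
EVENTS = [
    (0.0, "browser.exe", "10.0.0.5:80"),
    (0.5, "suspect.exe", "10.0.0.1:445"),
    (0.6, "suspect.exe", "10.0.0.2:445"),
    (0.7, "suspect.exe", "10.0.0.3:445"),
    (0.8, "suspect.exe", "10.0.0.4:445"),
    (0.9, "suspect.exe", "10.0.0.5:445"),
    (1.0, "suspect.exe", "10.0.0.6:445"),
    (1.1, "suspect.exe", "10.0.0.7:445"),
    (2.0, "browser.exe", "10.0.0.9:443"),
    (12.0, "suspect.exe", "10.0.0.8:445"),
]


def apply_policy(events=EVENTS, max_connections=5, window_seconds=10.0):
    """Run the limiter over the log; return (time, process, destination, verdict)."""
    limiter = ConnectionLimiter(max_connections, window_seconds)
    return [(t, proc, dst, limiter.check(proc, t)) for t, proc, dst in events]


if __name__ == "__main__":
    for row in apply_policy():
        print(*row)
```

With a limit of five connections per ten seconds, the burst from suspect.exe is cut off at its sixth attempt while browser.exe is untouched; the attempt at 12 seconds is permitted again because the earlier permits have aged out, which is the behaviour a per-period limit (rather than a hard cap) is meant to give.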
EXAM ALERT
Memorize these four CSA interceptors.
You may have guessed that the interceptors perform functions similar to some of the functions of HIPS and firewalls. Very intuitive! In fact, CSA’s interceptors perform many functions, some of them complementary. Table 9.2 lists the interceptors and how they correspond to certain high-level security applications.
TABLE 9.2 CSA Interceptors and Corresponding Security Applications
Security Application     | Interceptor: Network | File System | Configuration | Execution Space
Distributed Firewall     | Yes                  | No          | No            | No
Host Intrusion Detection | Yes                  | No          | No            | Yes
Application Sandbox      | No                   | Yes         | Yes           | Yes
Network Worm Prevention  | Yes                  | No          | No            | Yes
File Integrity Monitor   | No                   | Yes         | Yes           | No
Endpoint Best Practices
As always, there is the classic tradeoff between usability and security. That said, assume the worst and design for the worst. A reasonable level of paranoia in operating system and application design is not only healthy but strongly encouraged.
Specifically for applications, consider the following best practices:
. Make security part of the design and not an afterthought.
. Follow the principle of least privilege.
. Modularize.
. Employ practices of secure programming.
. Use cryptography where practical against both inside and outside attacks.
. Assume data from outside sources is untrustworthy.
. Assume that your application users are malicious.
The following are best practices for operating systems:
. Consider using trusted operating systems for critical systems.
. Hardening of the operating system remains critical for sensitive environments.
. NAC firewalls are recommended to limit hosts’ exposure.
. Other security add-ons are indicated, including integrity checkers and HIPS and host-based firewalls.
Exploring SAN Security
A Storage Area Network (SAN) is a fast and reliable network that provides access to internal and external storage resources. Typically, the intra-SAN traffic does not cross any of the cables of the production network and is usually deployed in its own IP subnet and VLAN for security and performance reasons. Storage devices are shared as peer resources amongst all network servers and are not owned by any one server. A well-designed SAN exemplifies the principle of separation of services.
SAN Advantages
There are three main benefits of SANs:
. Reduced capital and operating expenses.
. Flexibility and scalability as the business grows and application requirements change.
. Greater reach for replication and backups when compared with storage devices collocated with network servers.
SAN Technologies
There are three main SAN interconnection technologies, all based on the Small Computer Systems Interface (SCSI) communications model:
. Fiber Channel. This is SCSI over a network infrastructure and has these features:
   . Used for host-to-SAN connections.
   . Is the primary transport technology for SANs.
. iSCSI (SCSI over TCP/IP). This is SCSI using TCP/IP for transport and has these features:
   . Used for host-to-SAN connections.
   . Typically used for implementing SAN connectivity in a LAN environment.
. FCIP (Fiber Channel over IP). Used to communicate fiber channel commands over IP and to interconnect SANs:
   . SAN-to-SAN connections.
   . Typically used in a Metropolitan Area Network (MAN) or WAN.
EXAM ALERT
Understand which SAN technology is used for host-to-SAN and SAN-to-SAN connectivity.
SAN Address Vulnerabilities
There are two types of logical addresses implemented within a SAN:
. Logical Unit Number (LUN). A 64-bit field that SCSI uses to identify a logically addressable unit of a target within a SCSI device. This address can be masked through a process called LUN masking to hide physical or logical volumes from misbehaving servers, but this is considered unsecure because these addresses can be spoofed.
. World Wide Names (WWN). A 64-bit field used by Fiber Channel to uniquely identify each element on that fiber channel network. Zoning of the fiber switch fabric (similar to VLANs) can use WWNs to assign security permissions, but this is considered unsecure because WWNs are user-configurable. This zoning capability is only possible in a fiber-switched infrastructure and not a simple fiber channel.
Virtual SANs (VSANs)
Given the relative ease of spoofing both LUNs and WWNs, existing SAN technology cannot be trusted to separate the different SANs’ data planes. With virtual SANs (VSANs):
. SAN traffic is isolated by hardware.
. A single switch can be configured with ports in multiple VSANs.
. Only ports in the same VSAN can communicate with each other.
. In a similar fashion to VLANs, a VSAN can span several switches because all the inter-switch traffic is tagged with the VSAN membership info.
NOTE
In a SAN, iSCSI volumes will definitely be “targets.” Ugly pun, but you’ll remember the terminology now, right?
NOTE
Cisco invented VSANs, although VSANs have since been adopted as an ANSI standard.
SAN Security Strategies
There are six areas to target in securing a SAN, as follows:
. SAN Management Access. Secure management services access.
. Fabric Access. Secure access of devices to fiber fabric service.
. Target Access. Secure access to LUNs and targets. Can be secured with zoning (see the next section).
. IP Storage Access. iSCSI and FCIP use IP for transport. Secure the underlying IP network. Can be secured with these features in Cisco IOS routers:
   . IPSec VPNs when transiting public carriers.
   . Hardware-accelerated encryption.
   . Firewall filters.
. SAN Protocol. Secure FCIP, the switch-to-switch communication protocol.
. Data Integrity and Confidentiality (Secrecy). Secure data that crosses the network, as well as stored on volumes.
NOTE
iSCSI has many similarities to security features that we have examined in previous chapters:
. Fiber Channel zones are similar to ACLs.
. Fiber Channel VSANs are similar to VLANs.
. Fiber Channel port security is similar to 802.1X port-based authentication.
Zoning
The main strategy for securing access to SAN targets is zoning. We saw zoning a bit earlier in the context of using user-configurable WWNs to place SAN devices in different zones. This is the same idea, but a different context. In fact, zoning to assure target access security is probably most analogous to zones in the Zone-Based Policy Firewall (ZPF) that we introduced in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.”
There are two basic steps, as follows:
1. Associate physical ports on the SAN Fiber switch with VSANs (again, much like a VLAN).
2. Logically divide the VSANs into zones. Zones can be either soft or hard:
   . Soft Zoning. The visibility of device IDs is restricted, although a server can still connect to a known target using its address.
   . Hard Zoning. More secure than soft zoning. Access to SAN resources is physically controlled across the switch fabric. This is most commonly used.
Zoning is illustrated in Figure 9.4. Two VSANs are created inside a single physical topology, with each VSAN containing more than one zone. Disks and hosts can exist across multiple zones in a single VSAN but can never span VSANs.
FIGURE 9.4 VSANs and zoning. [Diagram: a single physical topology divided into VSAN 99 and VSAN 100; Hosts A, B, C, and D and Volumes 1 through 7 are grouped into zones within each VSAN.]
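The two zoning steps and the rules Figure 9.4 illustrates, modelled in code as an added example (this is not Cisco MDS configuration). Ports are assigned to VSANs, zones are defined inside a VSAN in terms of physical ports (hard zoning, so a device’s claimed name plays no part in membership), a host may sit in several zones of one VSAN, and a zone that would span VSANs is rejected. Access is permitted only when host and target share a VSAN and at least one zone. The port names and the host/volume layout are constructed and only loosely follow the figure.

```python
"""Model of VSAN isolation plus hard (port-based) zoning, as an added example
that is not Cisco MDS configuration. Physical ports are assigned to VSANs,
zones are defined inside a VSAN, and a host may reach a target only when
both sit in the same VSAN and share at least one zone. The topology below is
constructed and only loosely follows Figure 9.4."""


class Fabric:
    def __init__(self):
        self.port_vsan = {}      # physical port -> VSAN id
        self.device_port = {}    # device name -> physical port it is attached to
        self.zones = {}          # (vsan, zone name) -> set of physical ports

    def assign_port(self, port: str, vsan: int) -> None:
        """Step 1: associate a physical switch port with a VSAN."""
        self.port_vsan[port] = vsan

    def attach(self, device: str, port: str) -> None:
        if port not in self.port_vsan:
            raise ValueError(f"port {port} has no VSAN")
        self.device_port[device] = port

    def add_zone(self, vsan: int, name: str, devices) -> None:
        """Step 2: divide a VSAN into zones. Members are ports, so a forged
        device name cannot change membership (hard zoning)."""
        ports = {self.device_port[d] for d in devices}
        if any(self.port_vsan[p] != vsan for p in ports):
            raise ValueError(f"zone {name} would span VSANs")   # never allowed
        self.zones[(vsan, name)] = ports

    def can_access(self, host: str, target: str) -> bool:
        hp, tp = self.device_port[host], self.device_port[target]
        vsan = self.port_vsan[hp]
        if self.port_vsan[tp] != vsan:
            return False                      # traffic never crosses VSANs
        return any(hp in members and tp in members
                   for (v, _), members in self.zones.items() if v == vsan)


def build_sample_fabric() -> Fabric:
    """Constructed two-VSAN topology in the spirit of Figure 9.4."""
    f = Fabric()
    for port in ("fc1", "fc2", "fc3"):
        f.assign_port(port, 99)
    for port in ("fc5", "fc6", "fc7", "fc8"):
        f.assign_port(port, 100)
    f.attach("Host A", "fc1")
    f.attach("Volume 1", "fc2")
    f.attach("Volume 2", "fc3")
    f.attach("Host B", "fc5")
    f.attach("Host C", "fc6")
    f.attach("Volume 3", "fc7")
    f.attach("Volume 4", "fc8")
    # A host can belong to several zones within one VSAN.
    f.add_zone(99, "zone-a1", ["Host A", "Volume 1"])
    f.add_zone(99, "zone-a2", ["Host A", "Volume 2"])
    f.add_zone(100, "zone-b", ["Host B", "Volume 3"])
    f.add_zone(100, "zone-c", ["Host C", "Volume 3", "Volume 4"])
    return f


def zone_spanning_vsans_is_rejected(f: Fabric) -> bool:
    """Volume 3 lives in VSAN 100, so a VSAN 99 zone containing it must fail."""
    try:
        f.add_zone(99, "bad", ["Host A", "Volume 3"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    fabric = build_sample_fabric()
    for host, target in (("Host A", "Volume 1"), ("Host A", "Volume 3"),
                         ("Host B", "Volume 4"), ("Host C", "Volume 3")):
        print(host, "->", target, fabric.can_access(host, target))
```

Soft zoning would differ only in `can_access`: it would hide targets outside the host’s zones from the name service but still let a host that already knows a target’s address connect, which is why the text rates hard zoning as the more secure and more common choice.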
Exploring Voice Security
Given that VoIP is another application that uses an IP network, it is also fair to say that many of the best practices that we have discussed in previous chapters will be employed in securing a VoIP network. Before we look at methods of securing a VoIP network, we first look at some basic VoIP terminology. Only then can we examine specific vulnerabilities and the possible exploits that might be leveraged against those vulnerabilities.
VoIP Components
In order to understand VoIP security, you should first understand these basic VoIP components and concepts:
. IP Phones. Responsible for delivering voice over IP to the desktop.
. Gatekeeper. Like a traffic cop on a VoIP network. Provides Call Admission Control (CAC), bandwidth management and control, and network address translation.
. Gateway. Translates VoIP to PSTN and vice versa. A gateway also represents a physical connection point for an organization’s local analog and digital voice devices (phones, fax machines, and so on) and Private Branch Exchanges (PBXs).
. Multipoint Control Unit (MCU). Allows multiple participants in different locations to connect to the same conference call or video conference.
. Call Agent. Similar to a proxy, acts as an agent for controlling IP phones, CAC (see Gatekeeper above), bandwidth management and control, and network address translation. Cisco Unified Communications Manager (UCM) and Unified Communications Manager Business Edition serve as call agents.
. Application Servers. These provide extra services such as unified messaging and voice mail. Cisco Unity is an application server.
. Videoconference Station. Provides an interface to videoconferencing services for an end user. The stations have a camera for video input capture and a microphone for audio, as well as screens and speakers to provide two-way videoconferencing with a remote user.
Common VoIP Protocols
Table 9.3 lists and defines some common VoIP protocols.
TABLE 9.3 Common VoIP Protocols
VoIP Protocol | Who Owns? | Where Used?
H.323 | ITU | ITU standard, originally used for conferencing. Complex but flexible.
Media Gateway Control Protocol (MGCP) | IETF | Currently evolving standard that defines a method to control PSTN gateways or thin devices.
H.248 (Megaco) | IETF and ITU | Similar to MGCP but more flexibility over a wider range of vendor applications and gateways.
Session Initiation Protocol (SIP) | IETF | A complex protocol (but simpler than H.323), very similar to HTTP, which defines security, proxy, and transport services (TCP or UDP) for a VoIP call. Describes processes for setting up and tearing down calls. Works with Session Announcement Protocol (SAP) and Session Description Protocol (SDP).
Real-Time Transport Protocol (RTP) | IETF | Media-streaming protocol.
RTP Control Protocol (RTCP) | IETF | Provides flow control out-of-band for RTP.
Secure RTP (SRTP) | IETF | Provides for encryption of voice data as it leaves a voice device.
Skinny Client Control Protocol (SCCP) | Cisco | Proprietary. Used between Cisco UCM and Cisco IP phones.
EXAM ALERT
Memorize these terms, as they will likely be on the exam. Also, although all of these VoIP protocols have their own specific vulnerabilities, SIP has such a large (and growing) installed base that Cisco has chosen SIP alone as an example to analyze shortly in the subsection, “SIP Vulnerabilities.”
Threats to VoIP Endpoints
Regardless of the VoIP protocol chosen, there are common threats to a VoIP network:
. Reconnaissance. Using commonly known reconnaissance techniques to discover the protocols that are being used for the VoIP implementation.
. Spam over IP Telephony (SPIT). Not a problem yet, but the fact that we are talking about it means that it might be a future threat. Traditional anti-spam measures (such as IronPort) will not be effective in dealing with this threat. That said, simple measures, such as implementing authentication and TLS (Transport Layer Security), would be effective tools to mitigate its threat.
. DoS Attacks. These fall into three general categories:
   . Network resource overload. Most commonly uses bandwidth overloading to make a network resource such as a VoIP phone or a call agent unavailable.
   . Host resource starvation. Using up host resources such that the host can no longer serve legitimate connection requests. A SYN flood is a good example.
   . Out-of-bounds attacks. The process of creating anomalous data packets with unexpected data that is outside the scope (or bounds) causing system crashes.
. Eavesdropping. The unauthorized interception of RTP media streams of VoIP packets for the purpose of accessing confidential information. Can be mitigated simply by using encryption.
. Man-in-the-Middle Attacks. Common man-in-the-middle attacks such as those discussed in Chapter 1, “Network Insecurity,” could prove to be effective.
Fraud
The two most common forms of fraud on VoIP networks are the following:
. Vishing. Phishing a VoIP network to attempt to compromise confidentiality.
. Theft and Toll Fraud. Fraudulently using VoIP services that do not belong to you.
These Cisco Unified Communications Manager (UCM) features can protect the VoIP network against fraud:
. Partitioning. Limit phone access to only certain parts of the dial plan.
. Dial Plans. Filter possibly exploitive phone numbers.
. Forced Authorization Codes (FACs). A feature in UCM that can track calls and prevent unauthorized calls in the first place.
SIP Vulnerabilities
As mentioned, all VoIP protocols have specific vulnerabilities. SIP is a good example of a protocol whose design did not include security, and as such is a poster child for examining securing VoIP protocols. SIP has very little integral security. It is a relatively immature protocol that is nevertheless seeing widespread adoption.
There are three main vulnerabilities with the protocol, as follows:
. Registration Hacking. Hackers can intercept incoming calls and spoof the registration server, thus rerouting the calls through themselves. This is similar to an ICMP redirect (see Chapter 1).
. Message Tampering. Because the VoIP messages are carried in cleartext, it is relatively simple for a hacker to alter the VoIP packet contents traveling between SIP endpoints.
. Session Tear-Down. Allows a hacker to prematurely tear down an existing VoIP session. Similar to an RST attack employed in many IP DoS attacks.
These three main vulnerabilities can be mitigated using the techniques and technologies discussed in the next section, “Mitigating VoIP Hacking.”