Lesson 7 SAFE Small Network Design © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.17-1.

Small Network Design Overview

SAFE Design for Small Networks

(Slide diagram: the service provider edge / ISP connects to the Small Network or Branch Edge, which holds the Corporate Internet Module: a firewall with the public services placed on an isolated service network. Behind it sits the Small Network or Branch Campus, the Campus Module, containing the corporate servers, the corporate users, and the management server.)

Small Network Corporate Internet Module

Small Network Corporate Internet Module: Components and Key Devices

The following are key devices:
- Servers
  – SMTP
  – DNS
  – FTP or HTTP
- Cisco PIX Security Appliance or Cisco IOS Firewall (one or the other)
- Layer 2 switch
- HIDS or HIPS on the public servers

(Slide diagram: ISP router -> Cisco IOS Firewall or Cisco PIX Security Appliance -> Layer 2 switch -> public services servers, with a separate firewall interface toward the campus.)

Corporate Internet Module: Expected Threats and Mitigation Roles

The following threats can be expected (each with the mitigation role that addresses it):
- Unauthorized access: ACLs
- Application layer attacks: HIDS or HIPS
- Virus and Trojan horse attacks: virus scanning
- Password attacks: IDS
- DoS: CAR (committed access rate) and TCP setup controls

Corporate Internet Module: Expected Threats and Mitigation Roles (Cont.)

- IP spoofing: RFC 2827 and RFC 1918 filtering
- Packet sniffers: switched infrastructure and HIDS or HIPS
- Network reconnaissance: HIDS or HIPS
- Trust exploitation: trust model and PVLANs
- Port redirection: restrictive filtering and HIDS or HIPS

Small Network Attack Mitigation Roles for the Corporate Internet Module

(Slide diagram; the mitigation role of each device:)
- ISP router: spoof mitigation and rate limiting
- Firewall (Cisco IOS Firewall or Cisco PIX Security Appliance): stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, and spoof mitigation
- Layer 2 switch: PVLANs
- Public services servers: HIDS or HIPS local attack mitigation

Design Guidelines and Alternatives

The following guidelines and alternatives are available:
- Cisco IOS Firewall versus Cisco PIX Security Appliance
  – WAN connectivity (a serial or similar circuit): a router is required, so the Cisco IOS Firewall is the natural fit
  – DSL or cable modem connectivity: a Cisco PIX Security Appliance can sit directly behind the modem
  – Either platform performs the RFC 1918 and RFC 2827 filtering
- Alternatives are geared toward increasing network capacity (for example, a Cisco VPN Concentrator could be used for VPN termination)

Small Network Campus Module

Small Network Campus Module: Key Devices

The following are key devices:
- Layer 2 switch
- Corporate servers
  – SMTP or POP3
  – File and print
- User workstations
- Management host
  – CSA MC
  – Syslog
  – TACACS+ or RADIUS

(Slide diagram: the Layer 2 switch connects the corporate servers, the management host, and the user workstations, with an uplink to the Corporate Internet Module.)

Campus Module: Expected Threats and Mitigation Roles

You can expect the following threats:
- Packet sniffers
- Virus and Trojan horse applications
- Unauthorized access
- Application-layer attacks
- Trust exploitation
- Port redirection

(Slide diagram; mitigation roles by device:)
- Corporate servers: HIDS or HIPS local attack mitigation
- Layer 2 switch: PVLANs
- Corporate users: host virus scanning
- Management server: HIDS or HIPS local attack mitigation

Design Guidelines and Alternatives

The following are guidelines and alternatives:
- PVLANs can be enabled to mitigate trust-exploitation attacks between the devices on the switch.
- There are no Layer 3 services within the campus module, so this design places an increased emphasis on application and host security because of the open nature of the internal network.
- An alternative is to place a small filtering router or firewall between the management stations and the rest of the network.

Implementation: ISP Router

ISP Router: Implementation Commands

The mitigation roles of the ISP router are spoof mitigation and rate limiting. The following are the implementation commands:
- Spoof mitigation and RFC filtering
  – access-list
  – access-group
- Rate limiting
  – rate-limit

Implementation Commands: Spoof Mitigation and RFC Filtering

The access-list command enables you to specify whether traffic from an IP address is permitted or denied access to a port or protocol (the source network and its wildcard mask are placeholders):

router(config)# access-list 101 deny ip <source-network> <wildcard-mask> any log

The access-group command binds an ACL to an interface:

router(config-if)# ip access-group 101 in

Implementation: Cisco IOS Firewall

The Cisco IOS Firewall

(Slide diagram: the Cisco IOS Firewall sits between the ISP, the public services segment, and the campus.) Its roles are stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, spoof mitigation, remote-site authentication, remote-user authentication, and IPsec termination.

Cisco IOS Firewall: Implementation Commands

The following are the necessary mitigation roles and implementation commands for the Cisco IOS Firewall:
- Stateful packet filtering: part of CBAC (Context-Based Access Control) on Cisco IOS routers
- Spoof mitigation and RFC filtering
  – access-list
  – access-group
- Host DoS mitigation and basic Layer 7 filtering
  – ip inspect
- Authenticate remote site, users, and login
  – aaa new-model
  – tacacs-server
  – aaa authentication login
  – aaa authorization exec
  – aaa accounting exec
  – login authentication

Cisco IOS Firewall: Implementation Commands (Cont.)

The IPsec commands provide for IPsec tunnel termination:
- crypto isakmp policy
  – encryption
  – authentication
  – group
- crypto isakmp key
- crypto ipsec transform-set
- crypto map
  – set peer
  – set transform-set
  – match address
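A worked site-to-site IPsec configuration on the Cisco IOS Firewall that ties the command list above together. This is an example added here, not a configuration from the course: the addresses are assumed (local outside 192.0.2.2, campus LAN 10.0.1.0/24, branch peer 203.0.113.1 with LAN 10.2.1.0/24, all documentation prefixes), the shared secret is a placeholder, and the interface and map names are illustrative.

```cisco
! --- Phase 1 (ISAKMP/IKE): how the two firewalls authenticate each other and key the control channel
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! The pre-shared key is bound to the peer address. Use a different key per peer so that one
! compromised branch cannot impersonate another.
crypto isakmp key <strong-shared-secret> address 203.0.113.1
!
! --- Phase 2 (IPsec): protection for the data channel (ESP with AES and SHA-1 HMAC, tunnel mode)
crypto ipsec transform-set SAFE-TS esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL: exactly the traffic that must be encrypted (campus LAN <-> branch LAN).
! Anything not matched here leaves the interface in the clear.
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
crypto map SAFE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set SAFE-TS
 match address 110
!
! The inbound ACL on the outside interface must admit IKE (UDP/500) and ESP from the peer,
! or the tunnel never negotiates. Other inbound permits for the public servers go here too.
access-list 102 permit udp host 203.0.113.1 host 192.0.2.2 eq isakmp
access-list 102 permit esp host 203.0.113.1 host 192.0.2.2
!
interface Serial0/0
 description Outside (ISP)
 ip address 192.0.2.2 255.255.255.0
 ip access-group 102 in
 crypto map SAFE-MAP
!
! If inside hosts are NATed toward the Internet, exempt the tunnel traffic from NAT;
! otherwise the translated source no longer matches crypto ACL 110.
access-list 150 deny   ip 10.0.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list 150 interface Serial0/0 overload
```

Verify with show crypto isakmp sa (Phase 1 should be QM_IDLE) and show crypto ipsec sa (encrypt/decrypt counters on both ends). The AES-128, SHA-1, DH group 2 and IKEv1 pre-shared-key choices reflect the era of this course; on a release that supports them, prefer a larger DH group (14 or better) and IKEv2 or certificate authentication.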

Spoof Mitigation and RFC Filtering: ACLs

The same ACL commands used on the ISP router apply on the Cisco IOS Firewall. The access-list command specifies whether traffic from an IP address is permitted or denied access to a port or protocol (the source network and its wildcard mask are placeholders):

router(config)# access-list 101 deny ip <source-network> <wildcard-mask> any log

The access-group command binds an ACL to an interface:

router(config-if)# ip access-group 101 in

Spoof Mitigation Example: RFC 2827 Filtering

(Slide diagram: ISP network | customer network, with a /16 customer block; the prefix appears below as <customer-net> <wildcard>.) Interface Ethernet0/1 faces the ISP, and the two ACLs enforce the two directions of RFC 2827:
- Egress from the Internet (packets arriving from the ISP): a packet must not carry a customer source address, because that is a spoof of the customer's own block.
- Ingress to the Internet (packets leaving toward the ISP): a packet must carry a customer source address, so that spoofed packets cannot leave the customer network.

interface Ethernet0/1
 ip access-group 120 in
 ip access-group 130 out
!
! Inbound from the ISP: drop anything claiming to come from our own block
access-list 120 deny ip <customer-net> <wildcard> any
access-list 120 permit ip any any
!
! Outbound toward the ISP: only our own block may leave
access-list 130 permit ip <customer-net> <wildcard> any
access-list 130 deny ip any any
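A complete edge-router ACL set that combines the RFC 2827 rules above with the RFC 1918 and bogon filtering the lesson calls for. This is an example added here, not configuration from the course: it assumes the small network owns 192.0.2.0/24 (a documentation prefix, standing in for the slide's /16), that Serial0/0 faces the ISP and FastEthernet0/0 is the inside segment, and that the log-rate value is illustrative.

```cisco
! --- Inbound from the ISP ("egress from the Internet")
access-list 120 remark RFC 2827: our own prefix must never arrive from the outside
access-list 120 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 120 remark RFC 1918 private space is never a valid Internet source
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 remark other unroutable sources: "this" network, loopback, link-local, multicast
access-list 120 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 120 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 120 remark everything else is handed to the firewall policy (CBAC or PIX rules), not blanket-permitted
access-list 120 permit ip any any
!
! --- Outbound toward the ISP ("ingress to the Internet")
! Note: for inside-to-outside traffic IOS applies NAT before the outbound ACL, so this list sees
! the translated (public) source, which is exactly what RFC 2827 wants to check.
access-list 130 remark RFC 2827: only our own prefix may leave; hits here mean an infected or misconfigured host
access-list 130 permit ip 192.0.2.0 0.0.0.255 any
access-list 130 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip access-group 120 in
 ip access-group 130 out
!
! Keep ACL logging from becoming its own DoS: cap syslog messages per second
logging rate-limit 10
!
! Complementary check on the inside interface: strict unicast RPF (needs CEF) drops any packet whose
! source address is not reachable back through FastEthernet0/0, which catches inside hosts spoofing
! external addresses before they ever reach ACL 130. Do not put strict uRPF on the ISP-facing
! interface of a single-homed router: with only a default route, legitimate sources would fail the check.
ip cef
interface FastEthernet0/0
 description Inside
 ip verify unicast reverse-path
```

The log keyword on every deny is useful while tuning but is process-switched on older IOS releases; once the lists are stable, keep log only on the RFC 2827 lines, which are the ones that point at a problem host.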

Unauthorized Access: Cisco IOS Firewall Intrusion Detection

The following are the Cisco IOS Firewall intrusion detection features:
- Acts as an in-line intrusion detection sensor
- When a packet or packets match a signature, it can perform any of the following configurable actions:
  – Alarm: sends an alarm to a Cisco Intrusion Detection Director or syslog server
  – Drop: drops the packet
  – Reset: sends TCP resets to terminate the session
- Detects, reports, and acts upon many common attacks

Implementation Commands: Cisco IOS Firewall Intrusion Detection

router(config)# ip audit name branchids attack action alarm drop

Creates a named audit rule. A rule is defined per signature type: the line above covers the attack signatures, and a matching "ip audit name branchids info action alarm" covers the informational signatures.

router(config)# ip audit attack action alarm drop

Specifies the default actions for attack signatures.

Implementation Commands: Cisco IOS Firewall Intrusion Detection (Cont.)

router(config)# ip audit notify log

Specifies the method of event notification (here, syslog).

router(config)# ip audit po max-events 100

Specifies the maximum number of event notifications that are placed in the router's event queue.
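The IDS commands above, assembled into a working configuration for the branch firewall. This is an example added here, not configuration from the course: the syslog host 10.0.1.3, the interface name, the spam threshold and the choice of signature to disable are assumptions (2004 is the ICMP echo request signature in the IOS Firewall IDS signature table; confirm the number against your IOS release before relying on it).

```cisco
! Where alarms go: syslog on the management host
! (ip audit notify nr-director would send them to a Cisco IDS Director instead)
logging host 10.0.1.3
logging trap informational
ip audit notify log
ip audit po max-events 100
!
! Default actions per signature class. Informational signatures (sweeps, pings) only alarm;
! attack signatures alarm, drop the packet and reset the TCP session.
ip audit info action alarm
ip audit attack action alarm drop reset
!
! Named rule, one line per signature class
ip audit name branchids info action alarm
ip audit name branchids attack action alarm drop reset
!
! Tune before enabling drop: an in-line sensor turns every false positive into an outage.
! ICMP echo requests are constant noise on an Internet link and give the attacker nothing if ignored here.
ip audit signature 2004 disable
!
! Spam guard: alarm when a single SMTP message carries more than 250 recipients
ip audit smtp spam 250
!
! Apply the rule inbound on the ISP-facing interface, where the traffic to be audited arrives
interface Serial0/0
 description Outside (ISP)
 ip audit branchids in
```

Check the result with show ip audit configuration and watch show ip audit statistics for a few days with the attack action set to alarm only; switch to drop reset once the signatures that fire are understood.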

Stateful Packet Filtering: Cisco IOS Firewall CBAC

Cisco IOS Firewall CBAC performs the following:
- Inspects packets entering the firewall if they are not specifically denied by an ACL
- Permits or denies specified TCP and UDP traffic through the firewall
- Maintains a state table with session information
- Dynamically creates and deletes ACL entries for the return traffic of inspected sessions
- Protects against DoS attacks
- Protects against unauthorized access

DoS Mitigation: General Rules for Applying Inspection Rules and ACLs

The following rules should be followed whenever possible:
- On the interface where traffic initiates:
  – Apply an ACL in the inward direction that permits only wanted traffic.
  – Apply an inspection rule in the inward direction that inspects the wanted traffic.
- On all other interfaces, apply an ACL in the inward direction that denies all traffic except traffic (such as ICMP) that is not inspected by CBAC.

Basic Layer 7 Filtering: Inspection Rules for Application Protocols

An inspection rule defines the application protocols to inspect and is then applied to an interface.
- Available protocols: TCP, UDP, CUseeMe, FTP, HTTP, H.323, NetShow, rcmd, RealAudio, RPC, SMTP, SQL*Net, StreamWorks, TFTP, and VDOLive
- The alert, audit-trail, and timeout keywords are configurable per protocol and override the global settings

router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Apply an Inspection Rule to an Interface

The ip inspect interface command applies the named inspection rule to an interface. The example applies FWRULE to interface e0/0 in the inward direction:

router(config)# interface e0/0
router(config-if)# ip inspect FWRULE in

Example Inspection Rule for Java

Java blocking is controlled with a standard ACL: applets from sources permitted by the ACL are allowed through, and applets from any other source are blocked (the addresses are placeholders):

router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
router(config)# access-list 10 deny <untrusted-network> <wildcard>
router(config)# access-list 10 permit <trusted-network> <wildcard>

Example Inspection Rule for RPC Applications

router(config)# ip inspect name FWRULE rpc program-number <number> wait-time 0 alert off audit-trail on

Allows the given RPC program number; wait-time keeps the connection open for the specified number of minutes after the RPC session ends so that a follow-up connection from the same source can reuse it (0, the default, closes it immediately).

Example Inspection Rule for SMTP Applications

router(config)# ip inspect name FWRULE smtp

With SMTP inspection enabled, only the following commands are accepted as legal in SMTP sessions: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY. If SMTP inspection is disabled, all SMTP commands are allowed through the firewall and potential mail server vulnerabilities are exposed. Note that ESMTP commands such as EHLO, AUTH, and STARTTLS are not on this list; later IOS releases added a separate esmtp inspection type for them.

Example Inspection Rule for IP Packet Fragmentation

router(config)# ip inspect name FWRULE fragment max 254 timeout 4

Protects hosts from certain DoS attacks involving fragmented IP packets:
- max = the maximum number of unassembled fragmented IP packets the firewall keeps state for at one time (non-initial fragments that arrive without matching state are dropped)
- timeout = the number of seconds after which the unassembled fragmented IP packets begin to be discarded
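A complete CBAC configuration that applies the general rules for inspection rules and ACLs above (permit-and-inspect where traffic initiates, deny-by-default elsewhere) together with the DoS thresholds and the per-protocol inspection examples. This is an example added here, not configuration from the course: the topology is assumed (FastEthernet0/0 inside 10.0.1.0/24, FastEthernet0/1 public services 192.0.2.0/24 with a combined SMTP/DNS/HTTP server at 192.0.2.11, Serial0/0 outside 198.51.100.2), the threshold values are illustrative starting points, and 203.0.113.0/24 is a made-up "friendly" Java site; NAT for the inside segment is omitted.

```cisco
! --- Global DoS thresholds for half-open (embryonic) sessions.
! CBAC starts deleting half-open sessions above the high mark and stops at the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host threshold: once a host has 50 half-open sessions, block new ones for 1 minute
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect audit-trail
!
! --- Inspection rule (basic Layer 7 filtering). Standard ACL 10 lists the friendly Java sites;
! applets from any other source are blocked.
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny   any
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp alert on audit-trail on timeout 300
ip inspect name FWRULE smtp alert on audit-trail on timeout 300
ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
ip inspect name FWRULE fragment maximum 254 timeout 4
!
! --- Inside (where user traffic initiates): permit only wanted traffic, then inspect it
access-list 101 permit tcp 10.0.1.0 0.0.0.255 any
access-list 101 permit udp 10.0.1.0 0.0.0.255 any eq domain
access-list 101 permit icmp 10.0.1.0 0.0.0.255 any echo
access-list 101 deny   ip any any log
!
! --- Outside: deny everything except (a) ICMP control that CBAC does not inspect and
! (b) the published services. CBAC adds temporary entries for the return traffic of inspected sessions.
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
access-list 102 permit tcp any host 192.0.2.11 eq smtp
access-list 102 permit tcp any host 192.0.2.11 eq www
access-list 102 permit udp any host 192.0.2.11 eq domain
access-list 102 deny   ip any any log
!
! --- Public services segment: the server may send mail and resolve names, but must never open
! sessions toward the campus; a compromised public server stays in its isolated service network.
access-list 103 deny   ip any 10.0.1.0 0.0.0.255 log
access-list 103 permit tcp host 192.0.2.11 any eq smtp
access-list 103 permit udp host 192.0.2.11 any eq domain
access-list 103 deny   ip any any log
!
! Inspection is applied on every interface where sessions can initiate, so return traffic of
! inside-to-Internet, Internet-to-server and server-to-Internet sessions is opened dynamically.
interface FastEthernet0/0
 description Inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect FWRULE in
!
interface FastEthernet0/1
 description Public services (isolated service network)
 ip address 192.0.2.1 255.255.255.0
 ip access-group 103 in
 ip inspect FWRULE in
!
interface Serial0/0
 description Outside (ISP)
 ip address 198.51.100.2 255.255.255.252
 ip access-group 102 in
 ip inspect FWRULE in
```

Watch show ip inspect sessions and show ip inspect statistics after cut-over; if legitimate mail clients fail, the cause is usually the SMTP inspection rejecting ESMTP (EHLO) commands, which is where the esmtp inspection type on newer releases comes in.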

Implementation Commands: Authenticate Remote Site

Enables the AAA access control model:

router(config)# aaa new-model

Specifies a TACACS+ host (the server address is a placeholder; "ciscosafe" is the shared key used in the lab):

router(config)# tacacs-server host <server-ip> single-connection key ciscosafe

The commands that follow enable AAA authentication at login, restrict network access to a user, and define the authentication method used.

Implementation Commands: Authenticate Remote Site (Cont.)

Examples of the AAA commands:

router(config)# aaa authentication login default group tacacs+ local enable
router(config)# aaa authentication login no_tacacs line
router(config)# aaa authorization exec default group tacacs+
router(config)# aaa accounting exec default start-stop group tacacs+
router(config-line)# login authentication no_tacacs

The default list tries TACACS+ first and falls through to the local user database and then the enable password only if no TACACS+ server responds (a rejected login does not fall through). The no_tacacs list uses the line password alone and is applied to a line such as the console, so that an administrator can still log in when the TACACS+ server is unreachable.

Authentication: Cisco IOS Firewall Authentication Proxy

The Cisco IOS Firewall authentication proxy provides the following:
- HTTP-based authentication
- Dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
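The AAA and authentication proxy commands above as one working configuration, including the lockout-avoidance details the slides leave implicit. This is an example added here, not configuration from the course: the TACACS+ server 10.0.1.3 on the inside interface FastEthernet0/0, the management subnet 10.0.1.0/24, the proxy name INSIDE-PROXY and every secret are assumptions.

```cisco
aaa new-model
tacacs-server host 10.0.1.3 single-connection key <tacacs-secret>
! Source AAA traffic from the inside interface so the server sees one stable address
ip tacacs source-interface FastEthernet0/0
!
! Login: TACACS+ first; the local database and then the enable secret are used only when
! no TACACS+ server answers (a rejected login does NOT fall through)
aaa authentication login default group tacacs+ local enable
! The console gets a line password only, so the box stays reachable when the AAA server is down
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
! Also account for privileged commands, which is what an incident responder will ask for
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback account and enable secret, required by the "local" and "enable" methods above
username admin privilege 15 secret <local-admin-secret>
enable secret <enable-secret>
!
line console 0
 login authentication no_tacacs
 password <console-line-password>
!
! Remote administration: SSH only, and only from the management subnet
access-list 10 permit 10.0.1.0 0.0.0.255
line vty 0 4
 login authentication default
 transport input ssh
 access-class 10 in
! SSH additionally needs hostname, ip domain-name and crypto key generate rsa (interactive, not shown)
!
! --- Authentication proxy: HTTP users on the inside must log in (credentials checked by TACACS+)
! before the per-user ACL entries stored on the TACACS+ server are downloaded onto the interface
aaa authorization auth-proxy default group tacacs+
ip http server
! On releases that support it, add ip http secure-server so the login page is not sent in the clear
ip http authentication aaa
ip auth-proxy auth-cache-time 60
ip auth-proxy name INSIDE-PROXY http
!
interface FastEthernet0/0
 description Inside
 ip auth-proxy INSIDE-PROXY
! The inbound ACL on this interface must permit TCP to the router's own HTTP port (so the login
! page is reachable) and deny the traffic users must authenticate for; the proxy then inserts
! the downloaded per-user permits dynamically.
```

Test the fallback path deliberately: block reachability to 10.0.1.3, confirm the console still accepts the line password and a vty login accepts the local account, then restore the server and confirm that show tacacs reports successful connections and that the accounting records arrive.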

Implementation: PIX Security Appliances

Cisco PIX Security Appliances: Implementation Commands

(Slide diagram: the PIX sits between the ISP, the public services segment, and the campus; its roles are stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, spoof mitigation, remote-site authentication, remote-user authentication, and IPsec termination.)

The following are the necessary mitigation roles and implementation commands for the Cisco PIX Security Appliances:
- Stateful packet filtering: the default behavior of the PIX Security Appliance (the Adaptive Security Algorithm)
- Host DoS mitigation commands
  – ip verify reverse-path interface
  – icmp
  – attack guard commands (on by default, except for frag guard)
  – static
- Spoof mitigation and RFC filtering commands
  – access-list
  – access-group

Cisco PIX Security Appliances: Implementation Commands (Cont.)

The following are the necessary commands:
- Authenticate remote site (and logging) commands
  – aaa-server
  – aaa authentication
  – logging on
- Terminate IPsec commands
  – sysopt connection permit-ipsec
  – isakmp enable
  – isakmp key
  – isakmp policy
  – crypto ipsec transform-set
  – crypto map

Access Through the PIX Security Appliances

(Slide diagram: e0 is the outside interface at security level 0, toward the Internet; e1 is the inside interface at security level 100.) Connections from the higher-security inside interface to the lower-security outside interface are permitted through the nat and global commands; connections from outside to inside require both a static translation and an access-list entry that permits them.

Implementation Commands: Host DoS Mitigation

pixfirewall(config)# ip verify reverse-path interface outside

Protects an individual interface against IP spoofing by performing a reverse-path (unicast RPF) check: a packet is accepted only if the routing table reaches its source address through the interface on which it arrived. Applied to the outside and inside interfaces, this gives both ingress and egress verification of addressing and route integrity.

pixfirewall(config)# icmp deny any outside

Permits or denies the ability to ping (or send other ICMP to) a PIX Security Appliance interface itself; it does not affect ICMP passing through the appliance.

Implementation Commands: Host DoS Mitigation (Cont.)

pixfirewall(config)# sysopt security fragguard

Enables the IP Frag Guard feature. The sysopt command enables you to tune various PIX Security Appliance security and configuration features.

Implementation Commands: Host DoS Mitigation (Cont.)

pixfirewall(config)# static (pss,outside) P.11 www-private netmask

The static command creates a persistent, one-to-one address translation rule (called a static translation slot or xlate). This translation can be between a local IP address and a global IP address (static NAT) or between ports (static PAT). After the netmask come the optional max_conns and em_limit values. The embryonic connection limit [em_limit] prevents attack by a flood of embryonic connections; an embryonic connection is one that has started but not yet completed (the TCP handshake is unfinished). The default is 0, which means unlimited embryonic connections, so a public server behind a static with the default limit remains exposed to SYN floods.

Spoof Mitigation and RFC Filtering: ACL

The following are ACL features:
- An ACL enables you to determine which traffic will be allowed or denied through the PIX Security Appliance.
- ACLs are applied per interface (inbound traffic is analyzed relative to the interface on which it arrives).
- The access-list and access-group commands are used to create and apply an ACL.
- The access-list and access-group commands are the preferred alternative to the older conduit and outbound commands.

Implementation Commands: Spoof Mitigation and RFC Filtering

The access-list command enables you to specify whether traffic from an IP address is permitted or denied access to a port or protocol (the source network and its subnet mask are placeholders; note that the PIX uses normal subnet masks, not IOS wildcard masks):

pixfirewall(config)# access-list INBOUND deny ip <source-network> <subnet-mask> any

The access-group command binds an ACL to an interface:

pixfirewall(config)# access-group INBOUND in interface outside

Spoof Mitigation: RFC 1918 Filtering

(Slide diagram: ISP network | customer network, ingress to the Internet.) The RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are never valid source addresses on the Internet, so they are dropped inbound on the serial interface (IOS syntax with wildcard masks):

interface Serial n
 ip access-group 101 in
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any

Implementation Commands: Authenticate Remote Site

These commands specify a AAA server. The PIX Security Appliance enables you to define separate groups of TACACS+ or RADIUS servers for different types of traffic. The first command creates the group and sets its protocol; the second adds a server to the group (the server address is a placeholder; "ciscosafe" is the shared key used in the lab):

pixfirewall(config)# aaa-server mytacacs protocol tacacs+
pixfirewall(config)# aaa-server mytacacs (inside) host <server-ip> ciscosafe

Implementation Commands: Authenticate Remote Site (Cont.)

Defines the AAA authentication method used for Telnet access to the console. The server tag (mykey here) must name an aaa-server group defined earlier (mytacacs in the previous example):

pixfirewall(config)# aaa authentication telnet console mykey

Specifies a syslog server that will receive the messages sent from the PIX Security Appliance (logging on must also be set for messages to be generated):

pixfirewall(config)# logging host 10.0.P.3

Basic Layer 7 Filtering: Java Applet Filtering

Java applet filtering enables an administrator to prevent inside systems from downloading Java applets. Java applets are executable programs delivered by web servers, so they can provide a vehicle through which an inside system is invaded, and some security policies ban them outright.

Java Applet Filtering Example

(Slide diagram: ISP network | customer network; the applet filter acts on the traffic returning from the Internet for outbound connections.)

pixfirewall(config)# filter java 80 0 0 0 0

The filter java command filters out Java applets that return to the PIX Security Appliance from an outbound connection. As shown, it filters Java applets on port 80 for all internal hosts (local address and mask 0 0) connecting to any foreign host (foreign address and mask 0 0).

ActiveX Blocking

ActiveX blocking filters ActiveX controls out of the content returned for outbound web connections. ActiveX controls are applets that can be inserted in web pages or other applications and run with the privileges of the user's browser, so they can provide a way for someone to attack the hosts that load them. The PIX Security Appliance can be used to block ActiveX controls.

Filter ActiveX Example

(Slide diagram: a PIX connecting the Executive, Engineering, and Marketing segments, a DMZ with TACACS+ and RADIUS servers, and the Internet.)

pixfirewall(config)# filter activex 80 0 0 0 0

Specifies that ActiveX blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
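The PIX implementation commands from the slides above, combined into one configuration for the small network corporate Internet module (stateful filtering, host DoS mitigation, spoof and RFC 1918 filtering, Java and ActiveX filtering, remote-site authentication and logging). This is an example added here in PIX 6.x syntax, not configuration from the course: the topology is assumed (outside link 198.51.100.0/30 with the public block 192.0.2.0/24 routed to the PIX, public services segment "pss" 10.0.2.0/24 with a server 10.0.2.11 published as 192.0.2.11, inside 10.0.1.0/24, AAA and syslog host 10.0.1.3), and the connection limits and secrets are illustrative.

```cisco
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 pss security50
ip address outside 198.51.100.2 255.255.255.252
ip address inside 10.0.1.1 255.255.255.0
ip address pss 10.0.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Inside users reach lower-security interfaces through PAT; stateful filtering is the default
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 192.0.2.3
!
! Public server: static translation with connection limits. 1000 = max_conns, 100 = embryonic limit;
! above 100 half-open connections the PIX answers new SYNs itself instead of passing them to the host.
! Leaving the default (0 = unlimited) exposes the server to SYN floods.
static (pss,outside) 192.0.2.11 10.0.2.11 netmask 255.255.255.255 1000 100
!
! Outside ACL (PIX masks are subnet masks, not wildcards): spoof/RFC 1918 filtering first,
! then only the published services; everything else is denied implicitly
access-list INBOUND deny ip 192.0.2.0 255.255.255.0 any
access-list INBOUND deny ip 10.0.0.0 255.0.0.0 any
access-list INBOUND deny ip 172.16.0.0 255.240.0.0 any
access-list INBOUND deny ip 192.168.0.0 255.255.0.0 any
access-list INBOUND permit tcp any host 192.0.2.11 eq smtp
access-list INBOUND permit tcp any host 192.0.2.11 eq www
access-list INBOUND permit udp any host 192.0.2.11 eq domain
access-group INBOUND in interface outside
!
! Public servers may answer (the PIX tracks those sessions) but never initiate toward the campus
access-list PSS-OUT deny ip any 10.0.1.0 255.255.255.0
access-list PSS-OUT permit tcp host 10.0.2.11 any eq smtp
access-list PSS-OUT permit udp host 10.0.2.11 any eq domain
access-group PSS-OUT in interface pss
!
! Host DoS mitigation: uRPF on both sides, no ICMP to the outside interface except the
! unreachables that path MTU discovery needs (first match wins, so permit precedes deny)
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp permit any unreachable outside
icmp deny any outside
sysopt security fragguard
!
! Basic Layer 7 filtering: block Java applets and ActiveX on port 80, any local to any foreign host
filter java 80 0 0 0 0
filter activex 80 0 0 0 0
!
! Remote-site administration: AAA on TACACS+, SSH only from the management host, syslog to the campus
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.0.1.3 <tacacs-secret> timeout 5
aaa authentication ssh console mytacacs
aaa authentication serial console mytacacs
aaa authentication enable console mytacacs
ssh 10.0.1.3 255.255.255.255 inside
ssh timeout 5
logging on
logging timestamp
logging trap informational
logging host inside 10.0.1.3
```

Two caveats a practitioner runs into: ip verify reverse-path on the inside interface needs a route (route inside ...) for every subnet that lives behind a campus router, or that subnet's traffic is dropped as spoofed; and sysopt security fragguard was superseded on PIX 6.2 and later by the fragment command, which lets you limit fragment chains per interface instead of rejecting most fragmented traffic outright.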

Implementation: CSA

CSA MC Menu Bar

(Slide: screenshot of the CSA Management Center menu bar.)

CSA MC Building Blocks

(Slide diagram of the configuration objects and how they nest:)
- Hosts belong to Groups
- Groups are assigned Policies
- Policies contain Rules
- Rules combine Actions, Variables, and Application Classes
- Agent Kits install the agent and place the host in its Groups
- Network Shim (the agent's network interface driver, enabled per Group)

Variables

- Data sets: data strings (for example *]*, *.conf, *.htr*)
- File sets: directories and files
- Network address sets: IP address ranges
- Network services sets: protocol/port combinations (TCP/21, UDP/161)
- Registry sets: registry keys and values
- COM component sets: program identifiers and class identifiers

Application Classes

(Slide diagram: the "Web Browsers" application class contains iexplore.exe and netscape.exe; the slide asks whether processes created by those allowed applications should also belong to the class.)

Rule Basics

File access control rules allow or deny based upon the following:
- The action that you are allowing or denying
- The application that is attempting to access the file
- The operation (read, write) that is attempting to act on the file

Network access rules control access based upon the following:
- The action that you are allowing or denying
- The application that is attempting access
- The direction (client, server) of the communication
- The service that a system is attempting to use
- The address that a system is attempting to communicate with

Rule Basics (Cont.)

Registry access control rules allow or deny according to the following:
- The action that you are allowing or denying
- The application that is attempting to write to the registry keys and values

COM component rules allow or deny based upon the following:
- The action that you are allowing or denying
- The application that is accessing the COM component

Rule Processing Order

Rules are evaluated in priority order; the first matching rule decides, so a high-priority deny wins over an allow, and an explicit deny wins over a query:
- Priority 1: Add process to application class
- Priority 2: High-priority deny
- Priority 3: Allow
- Priority 4: Query user (default allow)
- Priority 5: Query user (default deny)
- Priority 6: Deny
- Priority 7: Default action (allow)

CSA Rules

- Agent service control
- Application control
- Connection rate limit
- Data access control
- File access control
- File monitor
- Network access control
- COM component access control (Windows only)
- File version control (Windows only)
- Kernel protection (Windows only)
- NT event log (Windows only)
- Registry access control (Windows only)
- Service restart (Windows only)
- Sniffer and protocol detection (Windows only)
- Network interface control (UNIX only)
- Resource access control (UNIX only)
- Rootkit/kernel protection (UNIX only)
- Syslog control (UNIX only)

A Host Inherits the Policies of Its Groups

(Slide diagram: a host that belongs to the Finance group, the Accounting group, and the All group receives the policies attached to all three.)

Configuring Groups

(Slide diagram: a Desktops group, a Web Servers group, and a Mail Servers group, each with its own set of group policies.)

Event Log

Configuring Alerts

Basics of Profiler Analysis

(Slide diagram: the host sends logged data to the Profiler; a job configuration drives the analysis; the Profiler produces a policy and report that are returned to the CSA MC.)

Summary

- The SAFE SMR small network design has two modules:
  – Corporate Internet module
  – Campus module
- The corporate Internet module can use either a Cisco PIX Security Appliance or a Cisco IOS Firewall.
- The small network campus module contains all users and intranet servers.
- The mitigation roles identified for each threat in SAFE SMR are integral to a successful implementation.
- The Cisco IOS Firewall can be implemented to perform as a firewall, an IDS, and an authentication proxy.
- The Cisco PIX Security Appliances can be used to secure the internal network as well as allow for the addition of a DMZ.
- The Cisco Security Agent can be used to protect hosts.

Lab Visual Objective

(Lab topology diagram for pod P, P = 1 to 10: a student PC and a pod router rP; a PSS segment with WWW and FTP servers; a DMZ "Super Server" with WWW and FTP; an IDS sensor sensorP; the RTS and RBB backbone devices; a VPN Client; a branch router brP with the branch network 10.2.P.0/24; and a campus host at 10.0.P.11.)