Lesson 8 SAFE Midsize Network Design © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.18-1.
Midsize Network Design Overview

SAFE SMR Design for Midsize Network (diagram)
Diagram labels: ISP edge (ISP edge module, PSTN module, Frame Relay or ATM module); midsize network or branch edge (corporate Internet module with public services, WAN module); campus (campus module with corporate users, management server and corporate servers). External links: Internet, PSTN, FR/ATM.

Midsize Network Corporate Internet Module

Midsize Network Corporate Internet Module Key Devices
The following are key devices:
– Servers: dial-in, SMTP, DNS, FTP or HTTP (the public services segment)
– Firewall
– Layer 2 switch
– NIDS appliance
– VPN 3000 Series Concentrator
– Edge router

Expected Threats
The following threats can be expected in the corporate Internet module:
– Unauthorized access
– Application-layer attacks
– Virus and Trojan horse attacks
– Password attacks
– DoS attacks
– IP spoofing
– Packet sniffers
– Network reconnaissance
– Trust exploitation
– Port redirection

Midsize Network Attack Mitigation Roles for the Corporate Internet Module: Overview
Mitigation roles shown in the diagram, by device:
– ISP router: spoof mitigation and rate limiting
– Edge router: spoof mitigation and basic filtering
– Firewall: stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, remote-site authentication and IPSec termination
– NIDS appliances (both segments): focused Layers 4 through 7 analysis
– VPN 3000 Series Concentrator: user authentication and IPSec termination
– Dial-in access router: user authentication and analog dial termination
– Public services servers: HIDS or HIPS for local attack mitigation; SMTP content inspection on the mail server
– Layer 2 switch: PVLANs

Midsize Network Corporate Internet Module Design Guidelines

Design Guidelines for the ISP Router
The following are the primary functions of the ISP router:
– Provides Internet connectivity
– Rate-limits nonessential traffic
– Provides RFC 1918 and RFC 2827 filtering
(Mitigation role: spoof mitigation and rate limiting)

Design Guidelines for the Edge Router
– The edge router establishes a demarcation point.
– Filtering on the edge router should be configured to allow only expected traffic to expected destinations.
– RFC 1918 and RFC 2827 filtering should be enabled on the edge router.
– The edge router should be configured to drop most fragmented packets.
(Mitigation role: spoof mitigation and basic filtering)

Design Guidelines for a Firewall
The primary functions of the firewall include the following:
– Provides connection-state enforcement
– Terminates site-to-site IPSec VPNs
– Provides DMZs
(Mitigation role: stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, remote-site authentication, and IPSec termination)

Design Guidelines for Intrusion Detection
The following are the primary functions of the NIDS:
– Detects attacks on the ports that the firewall permits
– Provides final analysis of attacks
– Responds with shunning (blocking) or TCP resets
(Mitigation role: focused Layers 4 through 7 analysis)

Design Guidelines for the Remote-Access VPN Concentrator
The VPN Concentrator provides the following:
– Secure connectivity
– Authentication of users
(Mitigation role: user authentication and IPSec termination)

Design Guidelines for Dial-In Access Users
– Traditional dial-in users are terminated on an access router with built-in modems.
– CHAP, backed by the AAA server, authenticates the user.
(Mitigation role: user authentication and analog dial termination)

Design Guidelines for the Inside Router
– The primary function of the inside router is to provide Layer 3 separation and routing between the corporate Internet module and the campus module.
– The inside router functions strictly as a router, with no ACLs restricting traffic across either interface.
(Diagram label: demarcation)

Design Alternatives
Design alternatives for the corporate Internet module include the following:
– A stateful firewall on the edge router (an additional stateful firewall)
– An NIDS on the outside of the firewall
– Elimination of the inside router
– A URL-filtering server (diagram label: NIDS and URL filtering)

Midsize Network Campus Module

Midsize Network Campus Module Key Devices
The following are key devices:
– Layer 3 switch
– Layer 2 switch
– Corporate servers: SMTP or POP3, file and print
– User workstations
– NIDS appliance
– Management hosts: SNMP, syslog, TACACS+ or RADIUS, NIDS host
(Diagram labels: corporate users, management server, corporate servers, link to the corporate Internet module)

Expected Threats and Mitigation Roles
The following are the expected threats to the SAFE midsize network campus module and their mitigation:
– Packet sniffers: switched infrastructure
– Virus and Trojan horse applications: host virus scanning
– Unauthorized access: HIDS and ACLs
– Password attacks: strong, two-factor authentication with ACS
– Application-layer attacks: latest security fixes and HIDS or HIPS
– IP spoofing: RFC 2827 filtering
– Trust exploitation: PVLANs
– Port redirection: HIDS or HIPS

Midsize Network Attack Mitigation Roles for the Campus Module
Mitigation roles shown in the diagram:
– NIDS appliance: focused Layers 4 through 7 analysis
– Core switch: Layer 3 and Layer 4 filtering of management traffic, PVLANs, and RFC 2827 filtering
– Hosts: host virus scanning; HIDS or HIPS for local attack mitigation

Midsize Network Campus Module Design Guidelines

Design Guidelines for the Core Switch
The following are the primary functions of the core switch:
– Provides routing and switching for internal traffic
– Provides separate VLANs and PVLANs
– Implements internal access control
– Uses RFC 2827 filtering
(Mitigation role: Layer 3 and Layer 4 filtering of management traffic, private VLANs, and RFC 2827 filtering)

Design Guidelines for Intrusion Detection
– Intrusion detection should monitor internal traffic for suspicious activity.
– Because this traffic originates inside the campus, very few attacks should be detected.
(Mitigation role: focused Layers 4 through 7 analysis)

Design Alternatives
The following design alternatives are available for the campus module:
– If the network is small enough, incorporate the Layer 2 switch functionality into the core switch (integrated switch functionality).
– Use a separate router and Layer 2 switch instead of the core switch.
– Replace the NIDS appliance with the IDS module integrated in the core switch.

Midsize Network WAN Module

Midsize Network WAN Module Key Devices and Expected Threats
Note the following about the WAN module:
– The WAN module is included only when connections to remote locations over a private network (FR/ATM) are required.
– The only key device is the Cisco IOS router.
The following are expected threats:
– IP spoofing
– Unauthorized access

Design Guidelines and Alternatives
– Use IPSec for additional privacy (an IPSec tunnel inside the FR/ATM VPN tunnel toward the campus module).
– Run a firewall on the WAN router (Cisco IOS router with a firewall).

Implementation: ISP Router and Edge Router

ISP Router: Implementation Commands Summary
The following are the necessary commands for the ISP router:
– Spoof mitigation and RFC filtering: access-list, access-group
– DDoS rate limiting: rate-limit
(Mitigation role: spoof mitigation and DDoS rate limiting)

Cisco Edge Router: Implementation Commands
The following are the necessary commands for the Cisco edge router:
– access-list
– access-group
(Mitigation role: spoof mitigation and basic filtering)

Implementation Commands: Spoof Mitigation and RFC Filtering
The access-list command enables you to specify whether an IP address is permitted or denied access to a port or protocol:
    router(config)# access-list 101 deny ip any log
The access-group command binds an ACL to an interface:
    router(config-if)# ip access-group 101 in
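As an added example, not part of the Cisco lesson, the following Python models the filtering policy the ISP and edge router slides assign: RFC 1918 source filtering and RFC 2827 anti-spoofing in both directions, in the same order a router would evaluate the ACL, and then renders the equivalent Cisco IOS numbered ACLs (the slide's own access-list line appears to have lost its source address and wildcard mask in transcription, so the complete form is shown here). The site prefix 203.0.113.0/24, the ACL number 102 for egress and the sample packets are constructed assumptions; ACL 101 follows the slide.

```python
"""RFC 1918 and RFC 2827 filtering for an edge router (added example).

Models the ingress policy the lesson assigns to the ISP and edge routers, then
renders it as Cisco IOS numbered ACLs. SITE_PREFIX and the sample packets are
constructed for this example; 203.0.113.0/24 is a documentation prefix.
"""
import ipaddress

# Public prefix assigned to the midsize network (assumed for this example).
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private address space: never a valid source arriving from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def inbound_verdict(src, dst):
    """Decide the fate of a packet arriving from the Internet on the outside interface.

    The checks run in the same order as the rendered ACL, so the first match wins.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in RFC1918):
        return "deny:rfc1918-source"
    if s in SITE_PREFIX:
        # RFC 2827: our own prefix can never legitimately arrive from outside.
        return "deny:rfc2827-spoofed-source"
    if d not in SITE_PREFIX:
        # Edge router rule: only expected traffic to expected destinations.
        return "deny:unexpected-destination"
    return "permit"


def outbound_verdict(src):
    """RFC 2827 egress filtering: only packets sourced from our prefix may leave."""
    return "permit" if ipaddress.ip_address(src) in SITE_PREFIX else "deny:rfc2827-egress"


def _wc(net):
    """IOS ACLs take a wildcard (inverted) mask rather than a prefix length."""
    return f"{net.network_address} {net.hostmask}"


def render_inbound_acl(number=101):
    """IOS ACL equivalent to inbound_verdict(); apply with 'ip access-group 101 in'."""
    lines = [f"access-list {number} deny ip {_wc(net)} any log" for net in RFC1918]
    lines.append(f"access-list {number} deny ip {_wc(SITE_PREFIX)} any log")
    lines.append(f"access-list {number} permit ip any {_wc(SITE_PREFIX)}")
    lines.append(f"access-list {number} deny ip any any log")
    return lines


def render_outbound_acl(number=102):
    """IOS ACL equivalent to outbound_verdict(); apply with 'ip access-group 102 out'."""
    return [f"access-list {number} permit ip {_wc(SITE_PREFIX)} any",
            f"access-list {number} deny ip any any log"]


# Constructed sample packets: (source, destination) as seen inbound on the outside interface.
SAMPLE_INBOUND = [
    ("198.51.100.7", "203.0.113.25"),    # ordinary Internet client to our SMTP server
    ("10.1.2.3", "203.0.113.25"),        # RFC 1918 source: leaked or spoofed
    ("203.0.113.9", "203.0.113.25"),     # our own prefix arriving from outside: spoofed
    ("198.51.100.7", "192.0.2.1"),       # not destined to us: transit attempt
]

if __name__ == "__main__":
    for src, dst in SAMPLE_INBOUND:
        print(f"{src:>14} -> {dst:<14} {inbound_verdict(src, dst)}")
    print("\n".join(render_inbound_acl()))
    print("\n".join(render_outbound_acl()))
```

The verdict functions and the rendered ACLs are the same policy in two forms; keeping them side by side is a cheap way to review an ACL change before pushing it to the router.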

Implementation: Network IPS Sensor

Sensor Interface Overview
(Diagram: a 4215 Sensor with interfaces int0, int1 and int2, one used for command and control and the others for monitoring.)
The figure illustrates the following Sensor interface characteristics:
– There is only one command and control interface per Sensor.
– You can configure up to five monitoring interfaces, depending on the type of Sensor.
– Multiple monitoring interfaces enable simultaneous protection of up to five different network subnets.
– All monitoring interfaces use the same configuration.

IDS Implementation: Signature Engine Overview
A Cisco IDS signature is a set of rules that your Sensor uses to detect typical intrusive activity. The Sensor supports the following types of signatures:
– Built-in signatures: known attack signatures that are included in the Sensor software and are enabled by default
– Tuned signatures: built-in signatures that you modify
– Custom signatures: new signatures that you create

Engine Usage
Engine category: Usage
– Atomic: Used for single-packet conditions
– Flood: Used to detect attempts to cause a DoS
– Service: Used when services at Layers 5, 6, and 7 require protocol analysis
– State.String: Used for state-based, regular expression-based pattern inspection and alarming functionality for TCP streams
– String: Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols
– Sweep: Used to detect network reconnaissance
– Traffic: Used to detect traffic irregularities
– Trojan: Used to target nonstandard protocols
– OTHER: Used to group generic signatures

Signature Responses
Cisco IDS signatures can take one or more of the following actions when triggered:
– Terminate the TCP session between the source of the attack and the target host
– Log subsequent IP packets from the source of the attack
– Initiate blocking of IP traffic from the source of the attack

Alarm Overview
– The Cisco IDS Sensor generates an alarm when a signature is triggered.
– The alarm event is stored on the Sensor and can be pulled to a host running IEV or CiscoWorks Monitoring Center for Security.
– The alarm severity level is determined by the level assigned to the Cisco IDS signature.
– Cisco IDS signatures have defined severity levels: Informational, Low, Medium, High

False Alarms
– False positive: normal traffic or a benign action causes the signature to fire
– False negative: offending traffic is present but the signature does not fire, so an actual attack goes undetected

True Alarms
– True positive: the signature fires properly on offending traffic, and the attack is detected as expected
– True negative: nonoffending traffic does not fire the signature, so normal traffic or a benign action causes no alarm
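As an added example, not part of the Cisco lesson, the following Python is a miniature signature engine covering the Atomic, String and Sweep engine categories from the Engine Usage table, run over constructed, labelled traffic so that each packet can be scored with the four alarm terms defined above. The three signature IDs, the severities, the sweep threshold and all addresses and payloads are hypothetical; the false positive (a harmless pasted shell snippet containing "../../") and the false negative (a URL-encoded traversal the literal regex misses) are chosen to show why tuned signatures exist.

```python
"""A miniature signature engine with alarm-outcome accounting (added example).

Not Cisco code. Three hypothetical signatures stand in for the Atomic, String
and Sweep engine categories in the lesson; the traffic is constructed and
labelled so the sensor's alarms can be scored as true/false positives and
negatives.
"""
import re
from collections import defaultdict

# Atomic engine: single-packet condition (illegal TCP flag combination).
ATOMIC_SIGS = [
    {"id": "ATOMIC-SYNFIN", "severity": "high",
     "match": lambda p: {"SYN", "FIN"} <= p["flags"]},
]
# String engine: regular expression over the payload.
STRING_SIGS = [
    {"id": "STRING-TRAVERSAL", "severity": "medium",
     "regex": re.compile(rb"\.\./\.\./")},
]
# Sweep engine: one source probing at least this many distinct destination ports.
SWEEP_THRESHOLD = 5


def pkt(src, dport, flags, payload=b"", label="benign"):
    """Constructed packet record; 'label' is ground truth used only for scoring."""
    return {"src": src, "dport": dport, "flags": set(flags), "payload": payload, "label": label}


def run_sensor(packets):
    """Return (alarms, alarmed_indexes).

    alarms: (signature id, severity, attacker source) tuples, like the alarm
    events pushed to the Event Store. alarmed_indexes: which packets caused or
    belong to an alarm, used below for scoring.
    """
    alarms, alarmed = [], set()
    syn_ports = defaultdict(set)
    for i, p in enumerate(packets):
        for sig in ATOMIC_SIGS:
            if sig["match"](p):
                alarms.append((sig["id"], sig["severity"], p["src"]))
                alarmed.add(i)
        for sig in STRING_SIGS:
            if sig["regex"].search(p["payload"]):
                alarms.append((sig["id"], sig["severity"], p["src"]))
                alarmed.add(i)
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            syn_ports[p["src"]].add(p["dport"])
    # Sweep detection is stateful: it fires on the source, not on one packet
    # (a real sensor uses a time window; this batch version omits aging).
    for src, ports in syn_ports.items():
        if len(ports) >= SWEEP_THRESHOLD:
            alarms.append(("SWEEP-PORTS", "low", src))
            alarmed.update(i for i, p in enumerate(packets) if p["src"] == src)
    return alarms, alarmed


def score(packets, alarmed):
    """Classify every packet against its ground-truth label (the lesson's four terms)."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for i, p in enumerate(packets):
        fired, attack = i in alarmed, p["label"] == "attack"
        counts[("TP" if attack else "FP") if fired else ("FN" if attack else "TN")] += 1
    return counts


DATA, PROBE = ("ACK", "PSH"), ("SYN",)
SAMPLE_TRAFFIC = [
    pkt("198.51.100.10", 80, DATA, b"GET /index.html HTTP/1.0\r\n"),                        # TN
    pkt("198.51.100.20", 80, DATA, b"GET /../../etc/passwd HTTP/1.0\r\n", "attack"),        # TP (String)
    pkt("198.51.100.30", 80, ("SYN", "FIN"), label="attack"),                               # TP (Atomic)
    pkt("198.51.100.10", 80, DATA, b"POST /paste HTTP/1.0\r\n\r\ncd ../../src && make"),    # FP: benign text matches
    pkt("198.51.100.20", 80, DATA, b"GET /..%2f..%2fetc/passwd HTTP/1.0\r\n", "attack"),    # FN: encoding evades regex
] + [pkt("198.51.100.40", port, PROBE, label="attack") for port in (21, 22, 23, 25, 80, 110)]  # TP x6 (Sweep)
SAMPLE_TRAFFIC += [pkt("198.51.100.50", 443, PROBE), pkt("198.51.100.50", 80, PROBE)]          # TN x2

if __name__ == "__main__":
    alarms, alarmed = run_sensor(SAMPLE_TRAFFIC)
    for alarm in alarms:
        print("ALARM", *alarm)
    print(score(SAMPLE_TRAFFIC, alarmed))
```

The scoring step is the part worth keeping in a real deployment: a tuned signature is only an improvement if it lowers the FP count without raising the FN count on the same labelled traffic.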

Sensor Initialization: Tasks
The following tasks are required to initialize the Sensor:
– Assign a name to the Sensor.
– Assign an IP address and netmask to the Sensor command and control interface.
– Assign a default gateway.
– Enable or disable the Telnet server.
– Specify the web server port.
– Create network ACLs.
– Set the date and time.

Sensor Initialization: setup Command

Sensor Management and Monitoring: IDS Device Manager
– Web-based device configuration tool
– Software installed on the Sensor by default
– For small-scale Sensor deployments

IDS Device Manager Interface
(Screenshot labels: path bar, table of contents, area bar, subarea bar, toolbar, content area, information window)

IEV
– Runs on Windows NT or Windows 2000
– Downloaded from Cisco.com
– Provides event monitoring for up to five Sensors

IEV: Getting Started
Complete the following tasks to start using the IEV:
1. Download the IEV software from Cisco.com.
2. Install the IEV software on the host.
3. Reboot the IEV host to start the IDS services.
4. Add the IDS devices that the IEV will monitor.

Enterprise IDS Management: IDS MC
The IDS MC is a web-based application that centralizes and accelerates the deployment and management of multiple IDS Sensors or Cisco IDS Modules.
(Diagram: PC and laptop clients reach the IDS MC over SSL; the IDS MC reaches the Sensor over SSH.)

Understanding the IDS MC Interface
(Screenshot labels: path bar, object bar, Object Selector handle, TOC, option bar, tabs, instructions, page)

Enterprise IDS Monitoring and Reporting: Security Monitor
The Security Monitor provides event collection, viewing, and reporting capability for network devices.

Understanding the Security Monitor Interface
(Screenshot labels: path bar, TOC, option bar, tabs, instructions, page, tools, action buttons)

Security Monitor Configuration
Security Monitor configuration operations are as follows:
– Adding devices. Security Monitor monitors the following types of devices: RDEP IDS, PostOffice IDS, Cisco IOS IDS, Host IDS, PIX Security Appliances
– Monitoring devices. The information that is monitored falls into three categories: connections, statistics, events
– Event notification. Configuring notification involves adding event rules and activating event rules

IDS Implementation: Blocking Configuration Terms
– Blocking: a Cisco IPS Sensor feature that dynamically denies traffic from an attacking host
– Device management: the ability of a Sensor to interact with a Cisco device and to dynamically reconfigure it to stop an attack
– Logical device: logical settings to be applied to blocking devices
– Managed device: the device that is to block the attack, also referred to as a blocking device
– Blocking Sensor: the Cisco IPS Sensor configured to control the managed device
– Interface/direction: the combination of a device interface and a direction, in or out
– Managed interface/VLAN: the interface or VLAN on the managed device where the Cisco IPS Sensor applies the ACL
– Active ACL or VACL: the ACL or VACL that the Sensor creates and applies to the managed interfaces or VLANs

Managed Devices
– Cisco routers
– PIX Security Appliances
– Catalyst 6000 Series switches

Blocking Guidelines
– Implement anti-spoofing mechanisms.
– Identify hosts that are to be excluded from blocking.
– Identify network entry points that will participate in blocking.
– Assign the block reaction to signatures that are deemed to be an immediate threat.
– Determine the appropriate blocking duration.

Blocking Process
The blocking process works as follows:
1. An event or action occurs that has a block action associated with it.
2. The Sensor pushes a new set of configurations or ACLs, one for each interface/direction, to each managed device.
3. An alarm is sent to the Event Store at the same time that the Sensor initiates the block.
4. When the block expires, all configurations or ACLs are updated to remove the block.

Blocking Configuration Tasks
Complete the following tasks to configure a Sensor for blocking:
1. Assign the block reaction to a signature.
2. Assign the global blocking properties of the Sensor.
3. Define the properties of the logical device.
4. Define the properties of the managed device.
5. For Cisco IOS or Catalyst 6000 devices, assign the properties of the managed interface.
6. (Optional) Assign the list of devices that are never blocked.
7. (Optional) Define a Master Blocking Sensor.
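As an added example, not part of the Cisco lesson, the following Python models the blocking process and guidelines above: an alarm carrying the block action arrives, the Sensor consults the never-block list, pushes one deny ACL per managed interface/direction, and releases the block when the configured duration elapses. The device and interface names, the addresses, the ACL number 199 and the permissive "permit ip any any" tail are assumptions made for the example; a real Sensor merges its block entries with the device's existing ACL.

```python
"""Sensor-initiated blocking of an attacker, modelled in Python (added example).

Not Cisco code. Models the blocking process from the lesson: an event with the
block action arrives, the Sensor checks the never-block list, pushes a deny ACL
to each managed interface/direction, and removes it when the block expires.
Addresses, device names and the 'permit ip any any' tail are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ManagedInterface:
    device: str      # managed (blocking) device, e.g. the edge router
    interface: str
    direction: str   # "in" or "out"


@dataclass
class BlockingSensor:
    managed: list                      # interface/direction pairs that participate in blocking
    never_block: list                  # networks that must never be blocked (self-DoS guard)
    default_duration: int = 30         # minutes; the lesson's "blocking duration" decision
    active: dict = field(default_factory=dict)   # attacker address -> expiry (minutes)

    def request_block(self, event, now):
        """Handle an alarm whose signature carries the block action. Returns True if blocked."""
        host = ipaddress.ip_address(event["src"])
        if any(host in net for net in self.never_block):
            # Guideline: exclude critical hosts. Without anti-spoofing at the edge,
            # an attacker could spoof such an address to get it blocked.
            return False
        self.active[str(host)] = now + event.get("duration", self.default_duration)
        return True

    def expire(self, now):
        """Remove blocks whose duration has elapsed; returns the released addresses."""
        released = sorted(h for h, until in self.active.items() if until <= now)
        for h in released:
            del self.active[h]
        return released

    def render_acl(self, mi, number=199):
        """ACL the Sensor would push to one managed interface/direction."""
        lines = [f"! {mi.device} {mi.interface} {mi.direction}"]
        lines += [f"access-list {number} deny ip host {h} any" for h in sorted(self.active)]
        lines.append(f"access-list {number} permit ip any any")   # assumed permissive tail
        return lines

    def push_all(self):
        """One ACL per managed interface/direction, as step 2 of the blocking process."""
        return {mi: self.render_acl(mi) for mi in self.managed}


def make_sensor():
    """Constructed scenario: the edge router is the managed device; our prefix and ISP hops are never blocked."""
    return BlockingSensor(
        managed=[ManagedInterface("edge-rtr", "Serial0/0", "in"),
                 ManagedInterface("edge-rtr", "Serial0/0", "out")],
        never_block=[ipaddress.ip_network("203.0.113.0/24"),   # site prefix (assumed)
                     ipaddress.ip_network("192.0.2.0/24")],    # ISP next hops (assumed)
    )


if __name__ == "__main__":
    sensor = make_sensor()
    sensor.request_block({"src": "198.51.100.66"}, now=0)
    sensor.request_block({"src": "203.0.113.10"}, now=0)   # refused: one of our own servers
    for acl in sensor.push_all().values():
        print("\n".join(acl))
    print("released at t=30:", sensor.expire(30))
```

The never-block check is the guideline that matters most operationally: blocking is a response an attacker can provoke, so the Sensor must refuse to block addresses whose loss would hurt more than the attack.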

Implementation: VPN 3000 Series Concentrator

VPN 3000 Series Concentrator Implementation
The following are some of the items that must be configured for the VPN 3000 Series Concentrator:
– IKE proposals used
– Group configuration: identity, general, IPSec
(Mitigation role: authenticate users and terminate IPSec)

Activate IKE Proposal
(Screenshot labels: 3002/Cisco VPN Client 2.5 client, Certicom client)

Group Configuration: Identity
(Screenshot labels: Base, Training, Service)

Group Configuration: General
(Screenshot labels: access rights and privileges, tunneling protocol, DNS and WINS)

Group IPSec
(Screenshot labels: IPSec, user authentication, NT domain server, Internet)

Implementation: Layer 3 Switch

Cisco Layer 3 Switch: Implementation Commands
Cisco Layer 3 switch filtering methods and their associated commands:
– Layer 3 and Layer 4 filtering and RFC filtering: access-list command, access-group command
– Trust exploitation: set vlan command (configures PVLANs, if practical)
– CAM table flooding and ARP spoofing attacks: set port security command, show port command
(Mitigation role: Layer 3 and Layer 4 filtering of management traffic, PVLANs, and RFC 2827 filtering)

Implementation Commands: Layer 3, Layer 4, and RFC Filtering
The access-list command enables you to specify whether an IP address is permitted or denied access to a port or protocol:
    router(config)# access-list 101 deny ip any log
The access-group command binds an ACL to an interface:
    router(config-if)# ip access-group 101 in

Implementation Commands: Trust Exploitation Mitigation
Configure a VLAN as a PVLAN:
    Console> (enable) set vlan 7 pvlan-type primary

Implementation Commands: CAM Table Flooding and ARP Spoofing Attack Mitigation
Use the set port security command to configure port security on a port or range of ports. This enables port security on port 2/1 with the dynamically learned MAC address:
    Console> (enable) set port security 2/1 enable
Verify the configuration:
    Console> (enable) show port 2/1
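As an added example, not part of the Cisco lesson, the following Python models the attack that set port security mitigates: a minimal Layer 2 switch with a bounded CAM table that floods frames with unknown destinations, and an optional per-port MAC limit that err-disables a violating port. Running the same attacker traffic against an unsecured and a secured port shows why a full CAM table lets the attacker's port see the victims' unicast traffic. The port names, MAC addresses, table size and frame counts are constructed for the demonstration.

```python
"""CAM table flooding and why port security stops it (added example).

Not Cisco code. A minimal Layer 2 switch model: MAC learning into a bounded
CAM table, unknown-destination flooding, and optional per-port MAC limits
that err-disable a violating port, as 'set port security' would. Ports,
MACs and the table size are constructed for the demonstration.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # victim hosts (documentation OUI)


def fake_mac(i):
    """Deterministic bogus source MAC number i, standing in for a flooding tool's random MACs."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


class Switch:
    def __init__(self, cam_capacity, port_security=None):
        self.cam = {}                              # MAC -> port, bounded by cam_capacity
        self.capacity = cam_capacity
        self.port_security = port_security or {}   # port -> maximum MACs allowed on it
        self.macs_on_port = defaultdict(set)
        self.errdisabled = set()

    def receive(self, port, src_mac, dst_mac):
        """Process one frame; returns what the switch did with it."""
        if port in self.errdisabled:
            return "dropped"
        limit = self.port_security.get(port)
        if (limit is not None and src_mac not in self.macs_on_port[port]
                and len(self.macs_on_port[port]) >= limit):
            self.errdisabled.add(port)             # security violation: shut the port down
            return "violation-shutdown"
        if src_mac not in self.cam and len(self.cam) < self.capacity:
            self.cam[src_mac] = port               # learn; a full table learns nothing new
            self.macs_on_port[port].add(src_mac)
        out = self.cam.get(dst_mac)
        if out is None or out == port:
            return "flood"                         # unknown destination: every port sees it
        return f"unicast:{out}"


def demo(port_security=None, flood_frames=200):
    """Attacker on 2/3 floods bogus sources, then hosts A (2/1) and B (2/2) talk.

    Returns (switch, how B's reply to A was forwarded)."""
    sw = Switch(cam_capacity=64, port_security=port_security)
    for i in range(flood_frames):
        sw.receive("2/3", fake_mac(i), BROADCAST)
    sw.receive("2/1", MAC_A, MAC_B)        # A to B: B is unknown yet, so flooded either way
    reply = sw.receive("2/2", MAC_B, MAC_A)
    return sw, reply


if __name__ == "__main__":
    sw, reply = demo()
    print(f"no port security: CAM={len(sw.cam)} entries, B->A {reply} (attacker on 2/3 sees it)")
    sw, reply = demo(port_security={"2/3": 1})
    print(f"port security:    CAM={len(sw.cam)} entries, B->A {reply}, err-disabled={sorted(sw.errdisabled)}")
```

Without the limit the attacker fills the table before A and B are learned, so their conversation is flooded to the attacker's port; with a one-address limit the second bogus source disables port 2/3 and the victims' traffic stays unicast. The "show port" verification step on the slide is what confirms the limit and the violation action actually took effect.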

Summary
The SAFE SMR midsize network consists of three modules, each of which contains key devices essential to that module:
– Corporate Internet module: ISP router, edge router, firewall, NIDS, VPN 3000 Series Concentrator, dial-in access router, inside router
– Campus module: Layer 3 switch, Layer 2 switch, corporate servers, user workstations, NIDS, management hosts
– WAN module: WAN router

Summary (Cont.)
– The mitigation roles that are identified for each threat in SAFE SMR are integral to a successful implementation.
– Specific configurations and commands are used to apply the mitigation roles that are identified for each threat.
– Alternative devices and configurations can be used in order to provide existing device integration, ease of implementation, and cost-effectiveness.

Lab Visual Objective
(Lab topology diagram, per pod P (1–10): router rP, branch router brP, sensorP, pP, PSS (WWW, FTP), DMZ Super Server (WWW, FTP), VPN client, RTS and RBB backbone, branch 10.2.P.0/24, student host; addresses use the pod number P.)