Lesson 2 SAFE Blueprint Overview © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.12-1.

Transcript:

Lesson 2: SAFE Blueprint Overview

SAFE Blueprint Overview

SAFE

Provides best-practice information for securing the following networks:
– SMR
– Enterprise
– IP telephony
– Wireless LAN

Provides a defense-in-depth approach that focuses on the expected threats and their mitigation.

Key Components of a SAFE Network

– Identity: authentication, digital certificates
– Perimeter Security: ACLs, firewalls
– Secure Connectivity: VPN tunneling, encryption
– Security Monitoring: intrusion detection, scanning
– Security Management: policy management, device management, directory services

SAFE Principles

– SAFE SMR uses the same principles as SAFE Enterprise except that they are scaled for smaller networks.
– The SAFE principles deal with threat mitigation that is independent of the specific devices used.
– All SAFE white papers are available at

SAFE Assumptions

SAFE assumes the following:
– A security policy is already in place.
– A secure environment is not guaranteed.
– The application and operating system are secure.

[Figure: SP Edge and Midsize Network/Branch Edge of a midsize network and branch, showing the ISP Edge, Corporate Internet, WAN, PSTN, Frame or ATM, and Campus modules]

Design Fundamentals

SAFE Environment

SAFE adheres to the following design principles:
– Security and attack mitigation are based on a security policy.
– Security implementation must be throughout the infrastructure (not just on specialized security devices).
– Deployment must be cost-effective.
– Management and reporting must be secure.
– Users and administrators of critical network resources must be authenticated and authorized.
– Intrusion detection and prevention must be used for critical resources and subnets.

SAFE: A Security Blueprint

The following guidelines were used in developing the security blueprint:
– If the first line of defense is compromised, the attack must be detected and contained by the second line of defense.
– Proper security and good network functionality must be balanced.

[Figure: first and second lines of defense between the external dial-in, wireless, and internal IP threats and the critical resources; elements shown are the router, IDS sensors, a personal firewall, and HIDS or HIPS on PCs]

SAFE Resiliency

SAFE SMR is designed without resiliency; SAFE Enterprise covers resiliency.

[Figure: example of SAFE Enterprise with resiliency, showing remote-access VPN, site-to-site VPN, and traditional dial access servers on the PSTN]

SAFE Integrated Functionality

General advantages of integrated functionality:
– Can be implemented on existing equipment
– Better interoperability
– Can reduce overall cost

General advantages of standalone appliances:
– Increased depth of functionality
– Increased performance

[Figure: example of SAFE SMR integrated functionality, the software access option: a VPN software client with personal firewall connects through the ISP to the ISP Edge Module; the remote site is authenticated, IPSec is terminated, and the personal firewall and virus scanning provide local attack mitigation]

SAFE Module Concept

SAFE uses a green-field, or from-scratch, module approach, which has the following advantages:
– The SAFE Blueprint addresses security relationships between the various functional blocks of the network.
– Security can be implemented on a module-by-module basis instead of the entire SAFE Blueprint having to be implemented in a single phase.
– Modules can and should be combined to achieve the desired functionality.

[Figure: examples of modules in a SAFE midsize network: ISP Edge, Corporate Internet, WAN, PSTN, Frame or ATM, and Campus modules, with corporate users, corporate servers, public services, and the management server]

SAFE Axioms

A Target-Rich Environment

SAFE is based on the following axioms:
– Routers are targets: routers control access from every network to every network.
– Switches are targets: like routers, switches (both Layer 2 and Layer 3) have their own set of security considerations.
– Hosts are targets: hosts are the most likely target during an attack.
– Networks are targets: network attacks are among the most difficult attacks to deal with.
– Applications are targets: applications are coded primarily by human beings and are therefore subject to numerous errors and vulnerabilities.
– IDSs: IDSs act like alarm systems do in the physical world.
– Secure management and reporting: if you are going to log it, read it.

Routers Are Targets

Router security is a critical element in any security deployment:
– Routers advertise networks and filter who can use them.
– Routers are potentially a hacker's best friend.
– Routers provide access; therefore, you should secure them to reduce the likelihood that they can be directly compromised.

[Figure: Router Locations in a Sample SAFE SMR Network]

General Guidelines for Securing Routers

When securing routers:
– Lock down Telnet access.
– Lock down SNMP access.
– Control access through the use of TACACS+.
– Turn off unneeded services.
– Log at appropriate levels.
– Authenticate routing updates.
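As an added example (not part of the Cisco course material), the following Python script turns the six guidelines above into checks over an IOS configuration text. The configuration is constructed and deliberately half-hardened; the guideline names, the choice of which services count as unneeded, and the OSPF-only routing check are the example's own assumptions.

```python
"""Audit a Cisco IOS configuration text against the six SAFE router guidelines."""
import re

# Constructed sample configuration (not from a real device), deliberately
# half-hardened so the audit reports both passes and failures.
SAMPLE_CONFIG = """\
service timestamps log datetime msec
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.1.1.10
no ip http server
no service tcp-small-servers
snmp-server community public RO
snmp-server community s3cret RW 10
logging 10.1.1.20
interface Serial0/0
 ip ospf message-digest-key 1 md5 OspfKey
router ospf 1
 area 0 authentication message-digest
line vty 0 4
 transport input telnet ssh
"""

def blocks(cfg, head):
    """Yield the indented body of every block whose header line starts with `head`."""
    body = None
    for line in cfg.splitlines() + [""]:  # the sentinel flushes a block at end of file
        if body is not None and line.startswith(" "):
            body.append(line.strip())
            continue
        if body is not None:
            yield body
            body = None
        if line.startswith(head):
            body = []

def audit_router_config(cfg):
    """Return {guideline: passed}, in the order the SAFE slide lists the guidelines."""
    has = lambda pat: re.search(pat, cfg, re.M) is not None
    vty_bodies = list(blocks(cfg, "line vty"))
    # Text after RO/RW on each community line; an access-list number or name is expected there.
    acl_tail = re.findall(r"^snmp-server community \S+(?: view \S+)? R[OW](.*)$", cfg, re.M)
    return {
        # Every vty line must contain exactly 'transport input ssh' (no telnet, no 'all').
        "Lock down Telnet access": bool(vty_bodies) and all("transport input ssh" in b for b in vty_bodies),
        "Lock down SNMP access": bool(acl_tail) and all(t.strip() for t in acl_tail),
        "Control access through TACACS+": has(r"^aaa new-model") and has(r"^tacacs(-server host| server) ")
                                           and has(r"^aaa authentication login .*tacacs\+"),
        # Only statements visible in the text are checked; services that are off by default
        # are not printed by 'show running-config' and must be confirmed on the device.
        "Turn off unneeded services": has(r"^no ip http server") and has(r"^no service tcp-small-servers"),
        # Remote syslog host, explicit trap level, and timestamps so logs from devices can be correlated.
        "Log at appropriate levels": has(r"^logging (host )?\d") and has(r"^logging trap ")
                                      and has(r"^service timestamps log"),
        # OSPF only, as in the sample: MD5 area authentication plus an interface message-digest key.
        "Authenticate routing updates": not has(r"^router ospf") or (
            has(r"^ area \S+ authentication message-digest") and has(r"^ ip ospf message-digest-key \d+ md5 ")),
    }
```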

Switches Are Targets

Most of the security concerns and mitigation techniques that apply to routers also apply to switches.

[Figure: Switch Locations in a Sample SAFE SMR Network]

General Guidelines for Securing Switches

The following are in addition to the general guidelines for routers, which also apply to switches:
– Ports without any need to trunk should have any trunk settings set to Off.
– If you are using older versions of software for your Ethernet switch, make sure that trunk ports use a VLAN number that is not used anywhere else in the switch.
– Disable all unused ports on a switch.
– Avoid using VLANs as the sole method of securing access between two subnets.
– Private VLANs (not available on most low-end switches) provide specific network applications with some added security.

Hosts Are Targets

The host presents some of the most difficult security challenges:
– There are numerous hardware platforms, operating systems, and applications, all of which have updates, patches, and fixes available at different times.
– Hosts are extremely visible within the network.
– Hosts are the most successfully compromised devices.
– As the complexity of a host system increases, so does the likelihood of a security breach.

[Figure: Host Locations in a Sample SAFE SMR Network]

Maintaining a Secure Environment for Hosts

The following are general guidelines:
– Pay careful attention to each of the components within the system.
– Keep all systems up to date with the latest security patches and updates.
– Pay attention to whether these patches affect the operation of other system components.
– Evaluate all updates on test systems before you implement them in a production environment.
– Implement antivirus and either an HIDS or an HIPS on the hosts.

Networks Are Targets

Network attacks typically take advantage of an intrinsic characteristic in the way your network operates. These attacks include the following:
– ARP and MAC-based Layer 2 attacks
– Packet sniffers and call interception
– DDoS attacks
– Interference and jamming
– Toll fraud
– Rogue devices

[Figure: Network Locations in a Sample SAFE SMR Network]

Maintaining a Secure Environment for Networks

The following are general guidelines:
– Have the ISP configure rate limiting on the outbound interface of the company's site.
– Follow the filter guidelines outlined in RFC 1918 and
– Control the voice-to-data segment.
– Authenticate users and devices.

Applications Are Targets

Applications can be subject to numerous problems. Errors can be benign or malignant. Security issues involve the following:
– How an application makes calls to other applications and to the operating system
– The privilege level at which the application runs
– The degree of trust that the application has for the surrounding systems
– The method that the application uses to transport data across the network

[Figure: Application Locations in a Sample SAFE SMR Network]

Applications Are Targets: General Guidelines for Mitigation

The following are general guidelines:
– Ensure that commercial and public domain applications are up to date with the latest security fixes.
– Complete code reviews to ensure that the applications are not introducing any security risks caused by poor programming.
– Implement antivirus protection and either an HIDS or an HIPS on the hosts.

IDSs

An IDS can respond to an attack in two ways:
– Take corrective action itself
– Notify a management system for action by the administrator

There are two types of IDSs:
– Host-based (HIDS or HIPS): often better at preventing specific attacks
– Network-based (NIDS): allows a perspective of the overall network

[Figure: IDS Locations in a Sample SAFE SMR Network, showing NIDS and HIDS or HIPS placements]

Guidelines for Using IDSs to Prevent Attacks

The following are general guidelines:
– Tune the implementation to decrease false positives.
– Generally use shunning only on TCP traffic, as it is more difficult to spoof than UDP.
– Keep the shun length short.
– Because TCP traffic is more difficult to spoof, consider using TCP resets more often than shunning.
– Consider outsourcing your IDS management to a third party because of the need for constant monitoring.

Secure Management and Reporting: General Guidelines

The following are out-of-band management guidelines:
– It should provide the highest level of security, mitigating the risk of passing insecure management protocols over the production network.
– It should keep clocks synchronized on hosts and network devices.
– It should record changes and archive configurations.

The following are in-band management guidelines:
– Decide if the device really needs to be managed or monitored.
– Use SSH Protocol instead of Telnet and SSL instead of HTTP.
– Use IPSec when possible.
– Decide if the management channel needs to be open at all times.
– Keep clocks synchronized on hosts and network devices.
– Record changes and archive configurations.

Secure Management and Reporting

Logging and reading information from many devices can be very challenging. The following issues must be considered:
– Identify which logs are most important.
– Separate important messages from notifications.
– Ensure that logs are not tampered with in transit.
– Ensure that time stamps match each other when multiple devices report the same alarm.
– Identify which information is needed if log data is required for a criminal investigation.
– Identify how to deal with the volume of messages that can be generated when a system is under attack.
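As an added example (not from the course), a small Python triage pass over constructed Cisco-style syslog lines from three devices: it separates important messages from notifications by severity, flags the same alarm reported by several devices with disagreeing timestamps, and flags per-minute message floods. The hostnames, sample messages, severity cut-off, and thresholds are the example's assumptions.

```python
"""Triage syslog from several devices along the SAFE secure-management
guidelines: rank by severity, check that clocks agree, and spot message floods."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample messages (not captured from a real network). Both routers
# report the same link failure, and rtr-inet emits a burst of ACL-deny messages.
SAMPLE_LOG = """\
Mar  1 10:00:00 rtr-wan 101: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
Mar  1 10:00:03 rtr-wan 102: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Mar  1 10:02:05 rtr-inet 88: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
Mar  1 10:00:10 sw-core 7: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
Mar  1 10:00:11 rtr-inet 89: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40001) -> 192.0.2.10(23), 1 packet
Mar  1 10:00:12 rtr-inet 90: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40002) -> 192.0.2.10(23), 1 packet
Mar  1 10:00:13 rtr-inet 91: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40003) -> 192.0.2.10(23), 1 packet
Mar  1 10:00:14 rtr-inet 92: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40004) -> 192.0.2.10(23), 1 packet
"""

# Syslog header, reporting host, IOS sequence number, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
                     r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")
IMPORTANT_MAX_SEVERITY = 3  # 0 emergency .. 3 error need a human; 4 warning .. 7 debug are notifications

def parse(log, year=2005):
    """Turn raw lines into dicts; the syslog header carries no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped here; a real collector would count them
            events.append({"host": m["host"], "sev": int(m["sev"]), "text": m["text"],
                           "id": f"{m['fac']}-{m['sev']}-{m['mn']}",
                           "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")})
    return events

def split_important(events):
    """Separate messages that need a human from routine notifications."""
    important = [e for e in events if e["sev"] <= IMPORTANT_MAX_SEVERITY]
    return important, [e for e in events if e["sev"] > IMPORTANT_MAX_SEVERITY]

def clock_skew(events, tolerance_s=5):
    """Same alarm (message id + text) from two or more devices whose timestamps disagree."""
    by_alarm = defaultdict(list)
    for e in events:
        by_alarm[(e["id"], e["text"])].append(e)
    skewed = []
    for (alarm, _), group in by_alarm.items():
        hosts = sorted({e["host"] for e in group})
        spread = (max(e["ts"] for e in group) - min(e["ts"] for e in group)).total_seconds()
        if len(hosts) > 1 and spread > tolerance_s:
            skewed.append((alarm, hosts, int(spread)))
    return skewed

def bursts(events, per_minute=3):
    """(host, minute, count) for any device exceeding the per-minute message threshold."""
    counts = Counter((e["host"], e["ts"].replace(second=0)) for e in events)
    return sorted((h, t.strftime("%H:%M"), n) for (h, t), n in counts.items() if n > per_minute)
```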

Network Admission Control

Overview of Cisco NAC

The Cisco NAC solution leverages the network to intelligently enforce access privileges based on endpoint security posture.

NAC characteristics:
– Validates all hosts
– Is a ubiquitous solution for all connection methods
– Supports multiple antivirus vendors and Cisco Security Agent
– Leverages customer investments in Cisco network and antivirus solutions
– Instructs applications to gather and assess credentials and remediation services
– Provides visibility, forced authentication, and isolation services

Components of NAC

Cisco NAC has the following components:
– Cisco Trust Agent
– NADs
– Policy server
– Management system
– Cisco Security Agent

[Figure: NAC components and roles: the host attempting network access, with Cisco Trust Agent and antivirus vendor application (security credential checking); the Cisco Network Access Device (security policy enforcement); the Cisco Policy Server (security policy creation and antivirus credential evaluation)]

How NAC Works

NAC implementation combines a number of existing protocols and Cisco products with some new products and features, including the following:
– Cisco Trust Agent and plugins
– Cisco IOS NAD
– EAP
– Cisco Secure ACS, a RADIUS server
– Posture validation and remediation server

How NAC Works (Cont.)

[Figure: NAC message flow: the Cisco Trust Agent and plugins on the host exchange EAP over UDP (carried over IP) with the Cisco IOS NAD across the network; the NAD communicates with the Access Control Server, which reaches the Posture Validation and Remediation Server over HTTPS]

NAC Deployment

Cisco NAC deployment examples include:
– Branch office compliance
– Remote-access security
– Wireless campus protection
– Campus access and data center protection
– Extranet compliance

Benefits of NAC

The benefits of NAC are as follows:
– Improved security
– Use of network and antivirus investment
– Deployment scalability
– Increased resilience and availability

Self-Defending Network

Building a Self-Defending Network

– The Cisco Self-Defending Network strategy describes the Cisco vision for security systems.
– The foundation for a self-defending network is integrated security.
– A security ecosystem includes elements of security products, technologies, and services.

Critical Elements of Network Security

Cisco Integrated Network Security solutions incorporate the following three elements that are critical to effective network security:
– Threat defense system
– Secure connectivity system
– Trust and identity management system

Summary

Summary

– SAFE is a design blueprint for implementing security on a network.
– SAFE serves as a guide to network designers who are considering the security requirements of their network.
– Routers, switches, hosts, networks, and applications are attack targets that are identified in SAFE.
– Each target that is identified in SAFE should be hardened using the guidelines provided.
– Host-based intrusion detection, intrusion prevention, security management, and reporting tools are critical to SAFE networks.
– Cisco NAC is the first step of the multiphase Cisco Self-Defending Network initiative to identify, prevent, and adapt to security threats.
– The Self-Defending Network initiative describes the Cisco vision to provide integrated security.