Designing Security Services © 2004 Cisco Systems, Inc. All rights reserved. Reviewing Cisco Security Solutions ARCH v1.26-1.

Transcript:


Cisco Security Solutions
–Identity
–Secure Connectivity
–Perimeter Security
–Intrusion Protection
–Security Management

Network Security Attacks: Packet Sniffers
Packet sniffers capture all network packets. Mitigation can include:
–Authentication
–Switched infrastructure
–Anti-sniffer tools
–Cryptography

Network Security Attacks: IP Spoofing
IP spoofing is when a hacker pretends to be a trusted computer. Mitigation can include:
–Access control
–Network ingress filtering (RFC 2827, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing")
–Authentication

Network Security Attacks: Denial of Service
Denial of service makes a service unavailable for normal use. Mitigation can include:
–Anti-spoof features
–Anti-denial-of-service features
–Traffic-rate limiting

Network Security Attacks: Password Attacks
Password attacks are repeated attempts to identify a user account and/or password. Mitigation can include:
–One-time passwords
–Cryptographic authentication
–Careful password selection

Network Security Attacks: Man-in-the-Middle Attacks
Man-in-the-middle attacks are the interception of packets that come across a network. The only mitigation method is cryptography.

Network Security Attacks: Application Layer Attacks
Application layer attacks exploit well-known and newly discovered weaknesses in software commonly found on servers. Mitigations can include:
–Proper system administration
–Maintaining the latest software versions and patches
–Intrusion detection systems

Network Security Attacks: Network Reconnaissance
Network reconnaissance refers to learning information about a target network by using publicly available information and applications. Mitigation can include:
–Port scans
–Intrusion detection systems

Network Security Attacks: Trust Exploitation
Trust exploitation occurs when an individual takes advantage of a trust relationship within a network. It is mitigated by tight constraints on trust levels within a network:
–Systems outside the firewall are never absolutely trusted by systems inside the firewall.
–Trust is limited to specific protocols.
–Authentication occurs by something other than IP address.

Network Security Attacks: Port Redirection
Port redirection is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall. Mitigation can include:
–Proper trust models
–Host intrusion protection systems

Network Security Attacks: Unauthorized Access
Unauthorized access includes the majority of attacks executed in networks today. Unauthorized access is mitigated by limiting access to ports, as with firewalls.

Network Security Attacks: Virus and Trojan Horse
Virus and Trojan horse applications are the primary vulnerabilities for end-user workstations. Use anti-virus software to mitigate virus and Trojan horse attacks.

Firewall Design Decisions
Business decisions:
–Will the firewall explicitly deny all services except those critical to the mission of connecting to the Internet?
–Will the firewall provide a metered and audited method of queuing access in a nonthreatening manner?
–What level of monitoring, redundancy, and control is needed?
Technical decisions:
–Is the service implemented at an IP level, or at an application level via proxy gateways and services?
–Is the firewall set up as a screening router to filter, permitting communication with internal machines?
–Is the firewall a dedicated appliance or a software implementation?

Implementing a Perimeter LAN

Firewall Filtering Rules
–Allow all outgoing TCP connections.
–Allow incoming SMTP and DNS to the mailhost.
–Allow incoming FTP data connections to high TCP ports (over port 1024).
–Try to protect services that use high port numbers.
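The four rules above interact: the broad "FTP data to high ports" allow would also expose any internal service that happens to listen above port 1024, which is what the last rule warns about. The following added example (not from the slides or any Cisco product) encodes the rule set as a first-match packet filter so the ordering can be tested. The inside prefix, mail host address and the list of protected high-port services are assumptions, as is the companion rule admitting replies to outgoing connections, which a stateless filter needs for "allow all outgoing TCP" to be useful.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed site details (not on the slide), using documentation addresses.
INSIDE_PREFIX = "192.0.2."
MAILHOST = "192.0.2.25"
# Assumed internal services listening on high ports that must stay unreachable
# from outside even though FTP data connections to high ports are permitted.
PROTECTED_HIGH_PORTS = {2049: "NFS", 6000: "X11"}


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool = True  # TCP: True for a connection request (SYN without ACK)


def inbound(p: Packet) -> bool:
    """Inbound means: from outside the site, destined for a site address."""
    return p.dst.startswith(INSIDE_PREFIX) and not p.src.startswith(INSIDE_PREFIX)


# (rule name, match predicate, action); evaluated top-down, first match wins.
# The protective rule sits first so nothing below can accidentally open NFS/X11.
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("protect high-port services",
     lambda p: inbound(p) and p.proto == "tcp" and p.dport in PROTECTED_HIGH_PORTS,
     "deny"),
    ("allow all outgoing TCP",
     lambda p: not inbound(p) and p.proto == "tcp",
     "permit"),
    # Assumed companion rule: on a stateless filter the replies to outgoing
    # connections arrive inbound (ACK set) and must be let back in.
    ("allow replies to outgoing TCP",
     lambda p: inbound(p) and p.proto == "tcp" and not p.new_conn,
     "permit"),
    ("allow incoming SMTP and DNS to mailhost",
     lambda p: inbound(p) and p.dst == MAILHOST and (
         (p.proto == "tcp" and p.dport in (25, 53)) or
         (p.proto == "udp" and p.dport == 53)),
     "permit"),
    ("allow incoming FTP data to high ports",
     lambda p: inbound(p) and p.proto == "tcp" and p.sport == 20 and p.dport > 1024,
     "permit"),
]


def decide(p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else implicit deny."""
    for name, match, action in RULES:
        if match(p):
            return action, name
    return "deny", "implicit deny"


# Constructed sample traffic exercising every rule.
SAMPLE = [
    Packet("tcp", "192.0.2.10", 40000, "198.51.100.7", 80),              # outgoing web
    Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40000, new_conn=False),  # its reply
    Packet("tcp", "198.51.100.7", 51000, MAILHOST, 25),                  # inbound SMTP
    Packet("udp", "198.51.100.7", 5353, MAILHOST, 53),                   # inbound DNS
    Packet("tcp", "198.51.100.7", 20, "192.0.2.10", 3456),               # FTP data
    Packet("tcp", "198.51.100.7", 20, "192.0.2.10", 2049),               # FTP-looking NFS probe
    Packet("tcp", "198.51.100.7", 44444, MAILHOST, 80),                  # inbound web: not allowed
]

if __name__ == "__main__":
    for p in SAMPLE:
        action, rule = decide(p)
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {action:6} ({rule})")
```

Swap the first two rules and the NFS probe sourced from port 20 is permitted by the FTP-data rule; keeping "protect high-port services" first is the whole point of the fourth bullet.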

Perimeter Security: PIX Firewall
Features:
–Used for site-to-site VPNs
–Offers limited IDS
–Provides a dedicated hardware appliance
–Enforces the organization's security policy
–Restricts access to network resources
–Determines whether traffic crossing in either direction is authorized
–Has little or no impact on network performance

Perimeter Security: IOS Firewall
Features:
–Used for site-to-site VPNs
–Integrated software solution offered as an add-on module to Cisco IOS software
–Offers limited IDS
–Protects intranets
–Offers CBAC
–Offers proxy services
–Appropriate for a personal firewall

Intrusion Detection Systems

Intrusion Detection System Design Considerations
–Tune to make information useful and meaningful.
–Reduce false positives.
–Consider an event correlation engine.
–Avoid sensor overruns.
–Place at critical assets.
–Consider issues with asymmetric routing.
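Three of the considerations above (tuning out known false positives, correlating events, and coping with asymmetric routing where two sensors each see part of one flow) can be shown with a small correlation routine. The following is an added example, not part of the slides or of any Cisco IDS product: the alerts, the benign-signature allowlist and the critical-asset list are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds on a constructed clock
    sensor: str
    signature: str
    src: str
    dst: str


@dataclass
class Incident:
    signature: str
    src: str
    dst: str
    first_ts: int
    last_ts: int
    count: int = 0
    sensors: Set[str] = field(default_factory=set)
    critical: bool = False


# Constructed sensor alerts (not real IDS output). Two sensors report the same
# scan because traffic between the hosts is routed asymmetrically.
SAMPLE_ALERTS = [
    Alert(0, "sensor-a", "Port Scan", "198.51.100.7", "192.0.2.25"),
    Alert(5, "sensor-b", "Port Scan", "198.51.100.7", "192.0.2.25"),
    Alert(10, "sensor-a", "Port Scan", "198.51.100.7", "192.0.2.25"),
    Alert(12, "sensor-a", "ICMP Echo Request", "192.0.2.10", "192.0.2.25"),
    Alert(30, "sensor-b", "Port Scan", "198.51.100.7", "192.0.2.25"),
    Alert(40, "sensor-b", "SMTP Command Overflow", "203.0.113.9", "192.0.2.25"),
    Alert(41, "sensor-a", "ICMP Echo Request", "203.0.113.9", "192.0.2.10"),
    Alert(200, "sensor-a", "Port Scan", "198.51.100.7", "192.0.2.25"),
]

# Tuning (assumed for this network): signatures that only fire on benign
# traffic here, and the assets whose incidents should be raised in priority.
BENIGN_SIGNATURES = {"ICMP Echo Request"}
CRITICAL_ASSETS = {"192.0.2.25"}


def correlate(alerts: List[Alert], window: int = 60) -> List[Incident]:
    """Collapse repeated alerts into incidents keyed by (signature, src, dst).

    An alert joins the open incident for its key if it arrives within `window`
    seconds of the previous one from any sensor; otherwise a new incident opens.
    """
    incidents: List[Incident] = []
    open_by_key: Dict[Tuple[str, str, str], Incident] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.signature in BENIGN_SIGNATURES:
            continue                      # tuned out as a known false positive
        key = (a.signature, a.src, a.dst)
        inc = open_by_key.get(key)
        if inc is None or a.ts - inc.last_ts > window:
            inc = Incident(a.signature, a.src, a.dst, a.ts, a.ts,
                           critical=a.dst in CRITICAL_ASSETS)
            open_by_key[key] = inc
            incidents.append(inc)
        inc.count += 1
        inc.last_ts = a.ts
        inc.sensors.add(a.sensor)         # both sides of an asymmetric path merge here
    return incidents


def summarize(alerts: List[Alert], window: int = 60) -> Dict[str, int]:
    """Counts an analyst uses to judge how much tuning and correlation helped."""
    incidents = correlate(alerts, window)
    return {
        "raw_alerts": len(alerts),
        "suppressed": sum(a.signature in BENIGN_SIGNATURES for a in alerts),
        "incidents": len(incidents),
        "critical_incidents": sum(i.critical for i in incidents),
    }


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.signature:22} {inc.src:>14} -> {inc.dst:<12} x{inc.count} "
              f"sensors={sorted(inc.sensors)} critical={inc.critical}")
    print(summarize(SAMPLE_ALERTS))
```

Eight raw alerts become three incidents; the port scan seen by both sensors is reported once, with both sensor names attached, instead of as two half-views of the same activity.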

Intrusion Detection Deployment Scenarios

AAA: RADIUS
–Distributed client/server system that secures networks against unauthorized access
–Clients on Cisco routers send authentication requests to a central RADIUS server

AAA: TACACS+
–Security application that provides centralized validation of users attempting to gain access to a router or network access server
–Services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation

AAA: Kerberos
–Secret-key network authentication protocol that uses DES for encryption and authentication
–Designed to authenticate requests for network resources

AAA: PKI
–System of digital certificates, certification authorities, and other registration authorities
–Protects privacy by ensuring that electronic communications are not intercepted and read by unauthorized persons
–Assures the integrity of electronic communications by ensuring that they are not altered during transmission
–Verifies the identity of the parties involved in an electronic transmission
–Ensures that no party involved in an electronic transaction can deny their involvement in the transaction

IP Security

IP Security: IKE
–Using public and private key pairs, IKE derives a symmetric data-encryption session key using the Diffie-Hellman key exchange protocol.
–IKE negotiates session-specific IKE and IPSec protocol usage.

IP Security: Authentication Header
–Security protocol that provides authentication and optional replay-detection services
–Embedded in the data to be protected (a full IP datagram, for example)

IP Security: Encapsulating Security Payload
–Security protocol that provides data confidentiality and protection with optional authentication and replay-detection services
–Completely encapsulates user data

Device Security: Routers
–Lock down Telnet access.
–Lock down SNMP access.
–Use TACACS+.
–Turn off unneeded services.
–Log at appropriate levels.
–Authenticate routing updates.
–Deploy secure command and control.
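The router checklist above is easy to audit mechanically against a running configuration. The following is an added example (not from the slides and not a Cisco tool): a small parser for IOS-style configuration text plus checks for each checklist item, run over two constructed configurations, one unhardened and one that applies the list. Both configurations are invented for the example, with placeholders where secrets would be; the commands checked for (`transport input ssh`, `access-class`, `snmp-server community`, `aaa new-model`, `tacacs-server host`, `no cdp run`, `logging host`, `logging trap`, OSPF `message-digest`) are standard IOS syntax.

```python
import re
from typing import List, Tuple

# Constructed sample configs (not from the slides); placeholders stand in for
# secrets. WEAK_CONFIG is an unhardened router, HARDENED_CONFIG applies the list.
WEAK_CONFIG = """
hostname edge-rtr
service tcp-small-servers
enable secret 5 <hash-placeholder>
ip http server
snmp-server community public RO
logging buffered 16384
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """
hostname edge-rtr
no service tcp-small-servers
no service udp-small-servers
service password-encryption
enable secret 5 <hash-placeholder>
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.40 key <key-placeholder>
no ip http server
no cdp run
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community <community-placeholder> RO 10
logging host 192.0.2.41
logging trap informational
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 area 0 authentication message-digest
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
"""

UNNEEDED = ("service tcp-small-servers", "service udp-small-servers",
            "ip http server", "service finger")


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style config into (top-level line, [indented child lines])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text: str) -> List[str]:
    """Return one finding per checklist item the configuration fails."""
    blocks = parse_blocks(text)
    tops = [h for h, _ in blocks]
    findings: List[str] = []
    # Lock down Telnet: every vty line SSH-only and restricted by source.
    for head, kids in blocks:
        if head.startswith("line vty"):
            if "transport input ssh" not in kids:
                findings.append(f"{head}: non-SSH management access allowed")
            if not any(k.startswith("access-class ") for k in kids):
                findings.append(f"{head}: no access-class limiting management sources")
    # Lock down SNMP: no well-known community strings, every community tied to an ACL.
    for head in tops:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", head)
        if m:
            if m.group(1).lower() in ("public", "private"):
                findings.append(f"snmp: well-known community string '{m.group(1)}'")
            if m.group(3) is None:
                findings.append(f"snmp: community '{m.group(1)}' not restricted by an access list")
    # Use TACACS+.
    if "aaa new-model" not in tops:
        findings.append("aaa: 'aaa new-model' missing")
    if not any(h.startswith(("tacacs-server host", "tacacs server")) for h in tops):
        findings.append("aaa: no TACACS+ server configured")
    # Turn off unneeded services (CDP is on by default, so look for the explicit off).
    findings += [f"services: '{svc}' enabled" for svc in UNNEEDED if svc in tops]
    if "no cdp run" not in tops:
        findings.append("services: CDP running globally")
    # Log at appropriate levels: a syslog destination and a trap level.
    if not any(h.startswith("logging host") or re.match(r"logging \d+\.", h) for h in tops):
        findings.append("logging: no syslog host configured")
    if not any(h.startswith("logging trap") for h in tops):
        findings.append("logging: no 'logging trap' level set")
    # Authenticate routing updates (OSPF shown; other protocols need their own check).
    if any(h.startswith("router ospf") for h in tops) and "message-digest" not in text:
        findings.append("routing: OSPF running without MD5 authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The checks are deliberately string-level so they can run against a saved `show running-config` export without device access; a production audit would also verify that the access list referenced by `access-class` and the SNMP community actually exists.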

Device Security: Switches
–Use the same options as for routers.
–Remove user ports from auto-trunking.
–Keep all trunk ports in an unused VLAN.
–Disable all unused ports.
–Ensure VLAN separation where appropriate.

Device Security: Hosts
–Keep all systems up to date with the latest patches and fixes.
–Pay attention to how the patches affect other system components.
–Evaluate all updates on test systems.

Device Security: Network-Wide
–Configure rate limiting on the outbound interface of the site.
–Correctly flag traffic as undesirable.
–Follow the filter guidelines outlined in RFC 1918 and RFC 2827.
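The RFC 1918 and RFC 2827 guidance referenced here, and the "network ingress filtering" mitigation from the IP-spoofing slide earlier, amount to the same two checks on a packet's source address: on the Internet-facing interface, drop anything sourced from private space or from the site's own prefix; on the way out, allow only the site's own prefix. The following added example (not from the slides or any Cisco product) implements both checks and renders them as equivalent IOS extended access-list lines. The site prefix is an assumed documentation range; the ACL numbers are arbitrary.

```python
import ipaddress
from typing import List, Tuple

# RFC 1918 private address space: never a legitimate source arriving from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumed site prefix (documentation range); in practice, the prefix routed to the site.
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")


def ingress_check(src: str) -> Tuple[bool, str]:
    """Filter applied inbound on the Internet-facing interface."""
    a = ipaddress.ip_address(src)
    if any(a in n for n in RFC1918):
        return False, "RFC 1918 source from outside"
    if a in LOOPBACK:
        return False, "loopback source from outside"
    if a in SITE_PREFIX:
        return False, "RFC 2827: outside packet claims our own prefix"
    return True, "permit"


def egress_check(src: str) -> Tuple[bool, str]:
    """Filter applied outbound: only our prefix may leave, so a compromised
    inside host cannot emit traffic with a forged source (RFC 2827)."""
    a = ipaddress.ip_address(src)
    if a not in SITE_PREFIX:
        return False, "RFC 2827: outbound source not in site prefix"
    return True, "permit"


def ingress_acl(number: int = 101) -> List[str]:
    """Same inbound policy as IOS extended ACL lines (wildcard masks from the prefix)."""
    lines = [f"access-list {number} deny ip {n.network_address} {n.hostmask} any"
             for n in RFC1918 + [LOOPBACK, SITE_PREFIX]]
    lines.append(f"access-list {number} permit ip any "
                 f"{SITE_PREFIX.network_address} {SITE_PREFIX.hostmask}")
    return lines


def egress_acl(number: int = 102) -> List[str]:
    """Same outbound policy as IOS extended ACL lines."""
    return [f"access-list {number} permit ip {SITE_PREFIX.network_address} {SITE_PREFIX.hostmask} any",
            f"access-list {number} deny ip any any"]


# Constructed source addresses to exercise both directions.
SAMPLE_SOURCES = ["198.51.100.7", "10.1.2.3", "172.31.0.9", "127.0.0.1", "192.0.2.9"]

if __name__ == "__main__":
    for s in SAMPLE_SOURCES:
        print(f"{s:>14}  inbound: {ingress_check(s)[1]:45}  outbound: {egress_check(s)[1]}")
    print("\n".join(ingress_acl() + egress_acl()))
```

The rendered lists would be applied with `ip access-group 101 in` on the outside interface and `ip access-group 102 out` (or `in` on the inside interface); that placement, not the list contents, decides which direction each check covers.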

Device Security: Applications
–Ensure that commercial and public domain applications have the latest security fixes.
–Review applications to ensure they do not introduce security risks.

Summary
An effective security solution includes secure connectivity, perimeter security, intrusion protection, identity, and security management. Attacks against network security come in many forms. Each has corresponding actions that you can take to prevent or mitigate the consequences of an attack. Dedicated firewalls provide perimeter security by preventing unauthorized access to the internal network. Identifying the type of traffic that is not allowed to pass the firewall and how such traffic will be prevented are the primary decisions about a firewall implementation. An IDS detects and responds to attacks. Host intrusion protection systems protect individual hosts, while network IDSs protect the overall network.

Summary (Cont.)
AAA is a software mechanism that enhances network security by providing authentication services. IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices. To secure a network, the individual components that make up the network must be secure. You can take actions to ensure security specific to routers, switches, hosts, applications, and the network as a whole.