Axioms are general truths accepted on their intrinsic merit. They are used as the underlying principles to prove other, less obvious truths. The SAFE Blueprint includes a number of axioms, and you should know what they are. Routers Are TargetsThis is the first axiom . Routers are the traffic cops of the network, determining what traffic is allowed and what is denied , and what those on the other side of a connection know about what is on this side (advertisement). Another view of routers is that they are the gatekeepers of a network. Whichever view you prefer, their role makes them a high-priority target for anyone trying to enter or misuse any information asset on the network. Control of a router makes traffic redirection or illegal entry possible. Routers should be protected by the following:
These methods are discussed in more detail in Chapter 9, "Products in the Edge." Remember, of course, that the router you are protecting is not an isolated element, but is one element of a larger network design. That design can help protect the router; for instance, an external firewall can help limit the potential threats that can reach the router. Likewise, you can always take measures that are not listed in this part of the SAFE Blueprint or in the IOS Security Configuration Guide, such as logging activities that might have security impactsand reviewing those logs. Switches Are TargetsPerversely, there is less readily available information on securing switches than there is on securing routers, yet switches touch more resources directlyespecially the high-value resources, such as serversthan routers do. The recommendations for routers certainly apply (with the possible exception of the last item, depending on whether the switch also operates at Layer 3). However, because they access so many devices via so many ports, and because they operate primarily at Layer 2, where filtering and traffic control is more difficult, they require extra precautions :
These methods are discussed in more detail in Chapter 8, "Products in the Campus."
Hosts Are TargetsHosts are the most difficult asset to protect because the network administrator cannot entirely prevent users from modifying configurations or adding unauthorized software and services. Plus, of course, there are so many of them: There are generally far more hosts than there are any other class of asset. Hosts are often a mix of hardware and software sets, reflecting generations of the organization's acquisitions. Adding to the difficulty, hosts are more than workstations; hosts include servers, including the public- facing servers, which are frequent attack targets. Securing hosts is a matter of staying on top of the security status of every componenthardware as well as softwarefor patches and upgrades. When it comes to this work, smart administrators prioritize their efforts, protecting the most valuable and/or the most vulnerable first. However, as you have seen with recent worm attacks, all hosts are targets and must be securedone bad apple can indeed spoil the barrel, not to mention your entire day. Networks Are TargetsUp to now, we've looked at targeting specific devices, but it pays to remember that the entire system can be a target as well. Network attacks often take advantage of weaknesses in the networking protocols themselves . Network attacks can use Layer 2 or Layer 3 protocols (ARP-and MAC-based attacks, IP spoofing, and so on). The worst attack, though, is the one you cannot stop. If you can't stop it, how can you begin to recover? These are often DoS or DDoS attacks, and the only way to counter them is with help from upstreamyour carrier or service provider must rate limit your incoming traffic. But to get effective help, you must be able to characterize the traffic to be throttled, which means that you will be examining your logs for sources, protocols, ports, and so on to specify as tightly as possible the traffic to deny so that legitimate traffic (hopefully) still gets through. Some techniques to help you minimize the likelihood of such attacks are described in Chapter 9, when we look at the Edge module. Applications Are TargetsWe all know that some applications are easier to attack than others. Those are (hopefully) the applications that you patch the most; of course, they could also be applications for which patches have not been prepared. Applications, like operating systems, have become bloated as vendors have offered more options and features. With software code running to hundreds of thousands and (too often) millions of lines, human error alone will introduce vulnerabilities. If the software also suffers from design flaws, the vulnerabilities could be more pervasive or more severe. However, that leads us to the next axiom . Intrusion-Detection Systems HelpIntrusion-detection systems (IDS) can run on individual hosts (host IDS, or HIDS) or on a networking device (network IDS, or NIDS), monitoring a given traffic flow. The goal is to protect the applications that are being targeted for exploitation. IDSs operate on the same principle as antivirus packages: They have a data set of known characteristics of attacks. When a traffic flow occurs matching the (known) characteristics, an alarm can be generated, the traffic can be dropped, or a combination of actions can be taken. HIDSs monitor specific traffic typesto a mail server, for instancefor which compromise is a known high-risk event. Therefore, HIDSs are often set to automatically drop suspicious traffic (a better-safe-than-sorry approach). However, HIDS sees only a subset of the traffic, so NIDS is needed as well. Because NIDS sees so much more traffic, it is often set only to alarm rather than to presumptively drop traffic. This is one of those trade-offs to be taken with careful thought, depending on what traffic should reasonably flow on the segment being monitored , as well as the nature and value of the assets on the segment being protected. As you will see in Chapters 8 and 9, in high-value segments of the network, you might need both HIDS and NIDS deployed to maximize your ability to find problems before they become too big and much too expensive. Having made IDSs sound like your best friend, some caution is in order: You must expect to take some time to " settle in" your IDS implementation. There will be false positives, instances in which IDS falsely categorizes traffic as an attack. You will find these when legitimate traffic does not get through and people complain. Unfortunately, false negatives are a problem, too, but you learn of them when the IDS did not catch a real problem (its negative reading was false) and the problem becomes your network problem to solve. Likewise, the IDS can detect only what it knows about: You must depend on the vendor to update the attack signature profile promptly. If you are the lucky first network to suffer from a new attack, the IDS cannot help you until your vendor can characterize the attack and add the relevant data to the profile. When IDS blocks traffic, it can use what is called "shunning" the traffic: dynamically adding entries to access lists and filters to drop the offending traffic. Typically, the traffic is blocked for a short period of time, long enough for the network administrator to determine whether there is a real problem (a true or false positive). Alternatively, if the traffic uses TCP, the IDS can send a TCP Reset (the RST flag in the TCP header is set). A reset prevents whatever action is ongoing between the attacking host and its target on your network from continuing; as with shunning, however, it is likely to continue only long enough to give network monitorshumans watching the systemtime to do something in response to the attack. IDSs will help, but they are not a miracle cure. Secure Management and ReportingThe last axiom in the Enterprise SAFE Blueprint is that you must read your logs for them to do you any good. This is hardly a surprise; in fact, you already know that there are many logs, and they each contain many messages, only some of which are truly important. But those two characteristics of system logs too often lead to spot checks (at best). Even if you do read the logs religiously , you have to wonder how confident you can be of their contentafter all, hackers know that logs can reveal what they did, so they target logging. That is the point of this axiom: You must secure your network-management and reporting system for it to be reliable. Then you can confidently use one of the many utilities to parse and analyze those logs, creating reports that direct your attention to suspected problems. This discussion revolves around one direction of traffic: severs and networking devices reporting to you. However, the other direction is just as important. You must have a secure means of sending your management traffic to the important devices. As a solution to both sides of this problem, the SAFE Blueprint recommends that you establish a separate network for your network-management needs, preferably with direct connections to the networking devices. This network means that you will exercise management out-of- band (OOB) with respect to the regular traffic. In fact, this separate network carries no production traffic; however, the syslog hosts are on this network (not the production network). Establishing a separate network requires a few more ports and a separate logical network. This level of structure usually is justifiable only with a large, enterprise-level network or one on which network control and management have exceptional value (perhaps protecting particularly high-value content). If OOB is not practical or perhaps not desirable, there are alternatives.
If you are managing your devices in-band, you want to be sure that only youdefinitely not anyone elsemake configuration changes (and especially any change to loggingwith that changed, you might not know that something else was changed). You have two acceptable choices for secure in-band device management:
Unfortunately, there is no secure substitute for TFTP (or FTP), but you can sharply limit the addresses allowed to run either or both of them with an access list. Likewise, you can limit the acceptable addresses for SNMP, but consider whether you really must use that for management or whether you can work with it only for reporting (if so, use a read-only community). You should also consider using only SNMPv3 and taking advantage of its improved security features. Finally, the SAFE Blueprint reminds you to manage configurations carefully and archive them to a safe place via TFTP or FTPyou might need to recover a copy, and copying in an archive is better than rebuilding the configuration. |