Mitigating Technologies


Known threats can usually be mitigated by security equipment and sound security policies.

The following sections cover the most pervasive mitigation techniques, which are grouped in these four major categories:

  • Threat defense

    - Virus protection

    - Traffic filtering

    - Intrusion detection and prevention

    - Content filtering

  • Secure communication

    - Encrypted Virtual Private Network (VPN)

    - Secure Socket Layer (SSL)

    - File encryption

  • Trust and identity

    - Authentication, authorization, and accounting (AAA)

    - Network Admission Control (NAC)

    - Public key infrastructure (PKI)

  • Network security best practices

    - Network management

    - Assessment and audits

    - Policies

Threat Defense

Threat defense refers to the activities that are necessary to guard against known and unknown attacks, specifically by doing the following:

  • Defending the edge

  • Protecting the interior

  • Guarding the end points

To do so, the campus design should include the following:

  • Virus protection

  • Traffic filtering

  • Intrusion detection and prevention

  • Content filtering

Virus protection

Probably the easiest and most cost-effective way to start protecting an organization is through up-to-date virus protection.

Virus scanning can be performed at the following levels on a network:

  • Hosts: Workstations and servers.

  • E-mail servers: Incoming messages are scanned prior to being passed to the recipient.

  • Network: An intrusion detection system (IDS) or intrusion prevention system (IPS), covered in the section "Intrusion Detection and Prevention," later in this chapter, can report to the IT manager that a virus signature was detected.

Practitioners recommend that IT departments implement different brands of virus protection at different junctions and functions of the network, thus benefiting from multiple comprehensive virus-signature databases and hopefully enlarging the spectrum of the virus dragnet.

Traffic Filtering

Traffic filtering can be achieved at many layers of the OSI model. It can be done at the data link layer using the Media Access Control (MAC) address but is most commonly done at the network layer through packet filtering. Packet filtering is further divided into the following areas:

  • Static packet filtering

  • Dynamic packet filtering

Static Packet Filtering

Static packet filtering is also referred to as stateless packet filtering or stateless firewalling. It is often performed at the perimeter router, which acts as the logical point of demarcation between the ISP and the corporate network. With stateless firewalling, the router does not track the state of packets and does not know whether a packet is part of the SYN process, the actual transmission, or the FIN process. A stateless firewall typically tracks only IP addresses and therefore can be tricked by a hacker who spoofs IP addresses.

Dynamic Packet Filtering

Dynamic packet filtering is also referred to as stateful firewalling. It is usually done by a firewall, which is a dedicated appliance that performs packet scans. Stateful firewalling capabilities are also built into some routers.

The default behavior of a firewall is that outgoing traffic (traffic that flows from the inside network to the outside network) is allowed to leave and its reply traffic is allowed back in. However, traffic that originates from the outside network and attempts to come to the inside network is automatically denied. This is possible because the firewall meticulously tracks connections and records the following connection-state information in a table:

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • Connection TCP flags

  • Randomized TCP sequence number

This default behavior of a firewall is sometimes changed to accommodate the presence of a corporate server to which outside users need access. This "public" server is usually located in the demilitarized zone (DMZ) of a corporate network. A rule can be configured in the firewall to stipulate which outside traffic is permitted to enter for the purpose of visiting the web server, as shown in Figure 4-4.

Figure 4-4. DMZ and Firewall[3]
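
The default stateful behavior described above, together with the DMZ exception, as an added example that is not part of the book: a minimal connection table that permits outbound flows and their replies, denies unsolicited inbound packets, and admits inbound traffic only where an explicit DMZ rule exists. The inside prefix, DMZ server address and all packets are constructed values; sequence-number tracking is omitted.

```python
# Added example (not from the book): a minimal stateful packet filter that
# models the default firewall behaviour described in the text. Outbound flows
# from the inside network are recorded in a connection table and only their
# reply traffic is allowed back in; unsolicited inbound traffic is denied
# unless a DMZ rule explicitly permits it. Addresses and ports are constructed.
from dataclasses import dataclass

INSIDE_NET = "10.0.0."            # hypothetical inside network prefix
DMZ_RULES = {("192.0.2.10", 80)}  # hypothetical public web server in the DMZ

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN"}, {"RST"}

class StatefulFirewall:
    def __init__(self):
        # Connection table keyed by the outbound 4-tuple (source IP,
        # destination IP, source port, destination port); value is the state.
        self.table = {}

    @staticmethod
    def _is_inside(ip):
        return ip.startswith(INSIDE_NET)

    def filter(self, pkt):
        """Return 'PERMIT' or 'DENY' for one packet and update the table."""
        if self._is_inside(pkt.src_ip):
            key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = "SYN_SENT"          # new outbound connection
            elif key in self.table and pkt.flags & {"FIN", "RST"}:
                del self.table[key]                   # connection torn down
            elif key in self.table and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "PERMIT"                           # outbound always leaves

        # Inbound: the reply tuple is the outbound key with src/dst swapped.
        key = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        if key in self.table:
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]                   # forget closed flows
            return "PERMIT"                           # reply to a tracked flow
        if (pkt.dst_ip, pkt.dst_port) in DMZ_RULES:
            return "PERMIT"                           # explicit DMZ rule
        return "DENY"                                 # unsolicited inbound

def demo():
    """Run four constructed packets through a fresh firewall."""
    fw = StatefulFirewall()
    client, server = "10.0.0.5", "198.51.100.7"
    syn = Packet(client, server, 40000, 443, frozenset({"SYN"}))
    synack = Packet(server, client, 443, 40000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("203.0.113.9", client, 5555, 445, frozenset({"SYN"}))
    to_dmz = Packet("203.0.113.9", "192.0.2.10", 5555, 80, frozenset({"SYN"}))
    return [fw.filter(p) for p in (syn, synack, unsolicited, to_dmz)]

if __name__ == "__main__":
    print(demo())   # ['PERMIT', 'PERMIT', 'DENY', 'PERMIT']
```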


Firewalling is evolving. For example, Cisco offers, on some switch models, a stateful firewall at the port level, thus providing tighter security inside the network, not just at the perimeter. The Cisco Catalyst 6500 Firewall Services Module provides a real-time, hardened and embedded security system.

Intrusion Detection and Prevention

IDSs and IPSs are part of the design solution for protecting primarily the perimeter and extranet and, increasingly, the internal network. The purpose of IDSs and IPSs is to monitor network traffic by analyzing each packet that enters the network.

Intrusion Detection Systems

As previously explained, an IDS scans network traffic for malicious activity. A management server, located on the inside network, logs the alerts of suspicious activities that are sent by the IDS.

An IDS watches for the following:

  • Attack signatures, such as DoS and virus patterns

  • Traffic anomalies, such as the same source sending countless SYN requests to a specific target

  • Protocol anomalies, such as a malformed packet

An IDS can be one of the following:

  • Network-based IDS (NIDS): A dedicated appliance installed on the network

  • Host-based IDS (HIDS): Integrated software on a mission-critical system, such as a web server

Network-Based IDSs

NIDSs are efficient and don't introduce latency in a network because they perform their analysis on "copies" of the data, not on the packets themselves, as shown in Figure 4-5. When designing a campus network, set up the NIDS to have its reporting interface on the inside network and its stealth interface on the outside network. A stealth interface is physically present on a network but has no IP address. Without an IP address, the hacker cannot address and therefore hack through that stealth interface.

Figure 4-5. Stealth Operation of an IDS[4]


As an alternative to buying a dedicated IDS appliance, your network design might harness the basic IDS capabilities that are built into Cisco PIX Firewalls and specific Cisco router IOS versions.

Host-Based IDSs

HIDSs are typically installed on mission-critical devices, such as web servers and e-mail servers, but can also be installed on desktop and laptop PCs. Cisco offers an HIDS solution called the Cisco Secure Agent (CSA).

CSA closely monitors the behavior of code arriving at the end point and prevents attacks while reporting the incident to the management server.

Intrusion Prevention Systems

IPSs have naturally evolved from IDSs. An IPS has the extra capabilities of taking remedial actions when it confirms suspicious activities. Upon discovering malicious activity, the IPS can take at least one of the following actions:

  • Alert the management console server

  • Send a TCP reset (RST) to the source

  • Shun the source of the attack by sending a command to the firewall requesting it to temporarily block the suspect IP address

Currently, only subtle differences exist between IDSs and IPSs; therefore, many vendors interchange the terms.

Target-Based Intrusion Detection Systems

A significant issue with IDSs is the number of alarms that they generate. The number of alarms generated by the sensor can be reduced by locating the monitoring interface on the inside link of a firewall, instead of the outside link. If you put your IDS monitoring connection before the firewall (the outside interface), you will get alarms for traffic that would be stopped by the firewall anyway; however, if you put the IDS monitoring interface on the inside interface, it will only catch, and therefore generate alarms about, malicious traffic that has passed through the firewall. Another significant issue with IDSs/IPSs is false positives. False positives are alerts triggered by legitimate activities, in which case no alarm should have been raised.

A target-based IDS, such as Cisco Threat Response, tries to address this problem by investigating in-depth and relative to the target an alert received by the network management console. The target-based IDS does the following:

  • Compares the kind of attack reported to the device targeted

  • Evaluates whether the target is truly at risk by comparing the threats to the vulnerabilities of the operating system of the target

  • Compares the threat with the patch history of the targeted system
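
The three target-based checks listed above, as an added example that is not part of the book or of Cisco Threat Response: each alert is judged relative to its target's operating system and patch history before an alarm is raised. The signature catalogue, asset inventory, and all signature and patch identifiers are constructed placeholders.

```python
# Added example (not from the book): target-based triage of IDS alerts.
# An alert is only escalated when the attack applies to the target's OS and
# the target has not already been patched against it. Signature names,
# patch IDs and hosts below are constructed placeholders, not real ones.
from collections import namedtuple

Alert = namedtuple("Alert", "signature target_ip")

# Hypothetical signature catalogue: which OS family each signature applies
# to (None = any host) and which placeholder patch closes the hole.
SIGNATURES = {
    "SIG-WINWEB-01": {"os": "Windows", "fixed_by": "PATCH-PLACEHOLDER-W1"},
    "SIG-LNXWEB-02": {"os": "Linux", "fixed_by": "PATCH-PLACEHOLDER-L2"},
    "SIG-SYNFLOOD": {"os": None, "fixed_by": None},
}

# Hypothetical asset inventory keyed by target IP.
INVENTORY = {
    "10.0.0.10": {"os": "Windows", "patches": {"PATCH-PLACEHOLDER-W1"}},
    "10.0.0.20": {"os": "Linux", "patches": set()},
}

def triage(alert):
    """Classify one alert relative to its target. Returns one of
    'unknown-target', 'wrong-platform', 'patched' or 'at-risk'."""
    sig = SIGNATURES[alert.signature]
    host = INVENTORY.get(alert.target_ip)
    if host is None:
        return "unknown-target"      # cannot assess; fix the inventory first
    # Step 1: compare the kind of attack with the device targeted.
    if sig["os"] is not None and sig["os"] != host["os"]:
        return "wrong-platform"      # e.g. Windows web exploit aimed at Linux
    # Steps 2 and 3: is the target truly exposed, given its patch history?
    if sig["fixed_by"] is not None and sig["fixed_by"] in host["patches"]:
        return "patched"             # vulnerability already closed
    return "at-risk"                 # raise the alarm

def triage_all(alerts):
    """Return only the alerts that still warrant an operator's attention."""
    verdicts = [(a, triage(a)) for a in alerts]
    return [(a, v) for a, v in verdicts if v == "at-risk"]

# Constructed alert feed from a hypothetical sensor
SAMPLE_ALERTS = [
    Alert("SIG-WINWEB-01", "10.0.0.10"),   # Windows host, already patched
    Alert("SIG-WINWEB-01", "10.0.0.20"),   # Windows exploit, Linux target
    Alert("SIG-LNXWEB-02", "10.0.0.20"),   # unpatched Linux host: real risk
    Alert("SIG-SYNFLOOD", "10.0.0.99"),    # target not in inventory
]

if __name__ == "__main__":
    for alert, verdict in triage_all(SAMPLE_ALERTS):
        print(alert, verdict)
```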

Content Filtering

In addition to controlling outbound traffic through filtering configured in the perimeter router or Internet firewall, the network design might also include the following:

  • Uniform resource locator (URL) filtering

  • E-mail filtering

URL Filtering

Corporations use content filtering to enforce their Internet usage policies, hoping to protect themselves from possible legal implications should their employees visit objectionable websites.

With content filtering, outbound user traffic that is looking for a specific URL is checked by the firewall against the content-filtering server that is installed on the corporate network. The firewall is provided by the content-filtering server with a permit or deny for the website requested by the user. The sophisticated content-filtering software installed on a corporate server can have over 5 million websites in its database. The network administrator sets the policies to allow or deny access to groups and individual websites. The permissions can also be based on daily usage or time of day. As an example, a system administrator could set a rule that allows users to visit online banking sites only during the lunch hour.

E-mail Filtering

When designing your corporate e-mail services, consider including an e-mail filtering service. That service, installed on the same network segment as your mail server (usually in a DMZ), sanitizes the e-mail from malware and some executable attachments prior to delivery of the messages to the end user.

Secure Communication

Encryption addresses the need for data confidentiality, which often finds itself in the forefront of network design. Confidentiality of data refers to the inability for wandering eyes to see and/or decipher a message sent from one party to another.

Encryption is a significant topic and can easily fill books by itself. Therefore, this section provides only enough information to assist you in network design. Should you be interested in a detailed book on encryption, read The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, by Simon Singh (ISBN 0-385-49532-3, Anchor, 2000). Some basic principles of encryption are presented in this section.

As shown in Figure 4-6, the following two components are essential to encryption:

  • Encryption algorithm

  • Encryption keys

Figure 4-6. Encryption Operation[5]


Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) are all common encryption algorithms used in IP security (IPsec). IPsec is discussed in the next section of this chapter. The algorithm can be seen as the engine of encryption, the morphing device through which the data goes. The "pattern" of morphing is provided by the "key." An encryption key is a code that enciphers and deciphers a stream of data. Encryption keys must be well guarded and shared only between the two parties requiring secure communications. The following are the two types of encryption keys:

  • Symmetrical keys: The same key encrypts and decrypts a message.

  • Asymmetrical keys: The key that decrypts a message is different from the key that encrypted it. This is the case with public and private keys.

A key becomes vulnerable when it has been in service for a long period because the hacker has had time to attempt to break it. A key is also vulnerable if a large quantity of data is encrypted with it: the hacker would then have a large sample of cipher text to try deciphering. Therefore, when designing a network, you should consider having keys that expire both after a set period and after a large amount of data has been encrypted with them.

As part of network design activities, you might consider using one of the following common encryption scenarios:

  • Encrypted VPN

  • SSL

  • File encryption

Encrypted VPN

An encrypted VPN consists of a tunnel in which data transiting through it is encrypted, as shown in Figure 4-7. The tunnel can originate from a VPN-enabled device or from a remote user running VPN software on his computer.

Figure 4-7. Encrypted Tunnels[6]


The most common standard for encrypted VPN is IPsec. IPsec provides three optional mechanisms, as explained in Table 4-1.

Table 4-1. IPsec Mechanisms

  IPsec Option      Description
  Authenticity      Only a legitimate sender and receiver would successfully encrypt and decrypt a message, thus providing proof of authenticity of the message.
  Confidentiality   The message is encrypted and therefore illegible to onlookers. Only those in possession of the legitimate key can decipher the message.
  Integrity         A hash is appended to the message, confirming its integrity. See the following sidebar for more about hashing.


Hashing

Hashing is a process that uses an algorithm to convert data into a fixed-length result, called a message digest. (Regardless of whether the data is a short e-mail or thousands of pages of text, a hash is always the same length.) The message digest is then usually appended to the transmission and is checked by the receiver to ensure the integrity of the message. Both the sender and the receiver share a predetermined special key, or shared secret, that they include in the hashing process in addition to the clear text itself. This ensures that only the sender and the receiver can replicate the exact message digest.

The process of hashing can be thought of as a butcher grinding a solid piece of meat. When the butcher has turned the solid meat into ground beef, which would be the equivalent of a message digest, any attempt to reverse-engineer the grinding proves fruitless: it is a one-way function. There is no secret key available for reversal of the hashing process; a message digest cannot be deciphered; it can only be replicated.
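
The keyed hashing the sidebar describes, as an added example that is not part of the book: HMAC-SHA256 from Python's standard library stands in for the "shared secret included in the hashing process." It shows that the digest has a fixed length whatever the message size, that the receiver replicates it only with the shared secret, and that any change to the message is detected. The secret and messages are constructed sample values.

```python
# Added example (not from the book): the sender appends a keyed message
# digest; the receiver recomputes it with the same shared secret and
# compares. A digest computed without the secret, or over an altered
# message, does not match. Secret and messages are constructed values.
import hmac
import hashlib

def make_digest(shared_secret: bytes, message: bytes) -> bytes:
    """Compute the message digest over the shared secret and the clear text."""
    return hmac.new(shared_secret, message, hashlib.sha256).digest()

def send(shared_secret: bytes, message: bytes) -> bytes:
    """Sender side: the transmission is the message with its digest appended."""
    return message + make_digest(shared_secret, message)

def receive(shared_secret: bytes, transmission: bytes):
    """Receiver side: split off the digest, replicate it, and compare in
    constant time. Returns (integrity_ok, message)."""
    digest_len = hashlib.sha256().digest_size        # always 32 bytes
    message, digest = transmission[:-digest_len], transmission[-digest_len:]
    expected = make_digest(shared_secret, message)
    return hmac.compare_digest(expected, digest), message

def demo():
    """Exercise the four properties the sidebar describes."""
    secret = b"constructed-shared-secret"
    short = b"hi"
    long_text = b"page of text " * 10_000
    # 1. Fixed length regardless of input size (short e-mail vs. many pages)
    same_len = (len(make_digest(secret, short))
                == len(make_digest(secret, long_text)) == 32)
    # 2. An honest transmission verifies at the receiver
    ok_honest, _ = receive(secret, send(secret, short))
    # 3. Flipping one bit of the message portion breaks integrity
    tx = bytearray(send(secret, b"pay 100"))
    tx[4] ^= 0x01
    ok_tampered, _ = receive(secret, bytes(tx))
    # 4. A digest made without the secret cannot be passed off as legitimate
    forged = b"pay 100" + hashlib.sha256(b"pay 100").digest()
    ok_forged, _ = receive(secret, forged)
    return same_len, ok_honest, ok_tampered, ok_forged

if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```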


VPN-enabled devices that might be included in the design of a network are as follows:

  • VPN concentrator: Dedicated appliance that is optimized to manage multiple encrypted tunnels and profiles.

  • Router: IPsec technology is available on specific versions of Cisco IOS.

  • Firewall: IPsec technology is available on PIX Firewalls.

  • IPsec client: Mobile workers can harness the potential of IPsec by installing VPN connectivity software, thus creating a tunnel from their laptop up to the VPN-enabled device such as a VPN concentrator, router, or firewall.

SSL

SSL provides encryption of data to and from a web browser and could be included in a network design if a point-to-point encryption is needed for a service. It is commonly seen for online banking or shopping transactions and web mail operations. It is also popular for organizations that do not want to install VPN-client software on remote hosts.

File Encryption

In the case where a document requires confidentiality but the communication might be in clear text, a person can use file-encryption software such as Pretty Good Privacy (PGP) to encrypt the file. The encrypted file must be decrypted by the reader after it is received.

Trust and Identity

Trust and identity management includes the following:

  • Authentication, authorization, and accounting capabilities

  • Network Admission Control

Authentication, Authorization, and Accounting

AAA is a crucial aspect of network security and should be considered during the network design. This can be accomplished through a AAA server, which handles the following:

  • Authentication (Who?): Checks the identity of the user, typically through a username and password combination.

  • Authorization (What?): After the user is validated, the AAA server dictates what activity the user is allowed to perform on the network.

  • Accounting (When?): The AAA server can record the length of the session, the services accessed during the session, and so forth.

AAA can be managed by a Cisco Secure Access Control Server (ACS).

The principles of strong authentication should be included in the user authentication.

Key Point

Strong authentication refers to the two-factor authentication method. The users are authenticated using two of the following factors:

  • Something you know: Such as a password or personal identification number (PIN)

  • Something you have: Such as an access card, bank card, or token[*]

    [*] Tokens are key-chain-size devices that show, one at a time, in a predefined order, a one-time password (OTP). The OTP is displayed on the token's small LCD, typically for 1 minute, before the next password in the sequence appears. The token is synchronized with a token server, which has the same predefined list of passcodes for that one user. Therefore, at any given time, only one valid password exists between the server and a token.

  • Something you are: For example, some biometrics, such as a retina print or a fingerprint

  • Something you do: Such as your handwriting, including the style, pressure applied, and so forth

As an example, when accessing an automated teller machine, strong authentication is enforced because a bank card (something you have) and a PIN (something you know) are used.
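
The synchronized token and token server from the footnote above, as an added example that is not part of the book: token and server share a secret and a clock, each 60-second step yields one password, and the server accepts a password only once and only while it is current. The derivation used here is HMAC over the time-step counter (the TOTP construction); the secret, clock values and drift tolerance are constructed assumptions.

```python
# Added example (not from the book): a time-synchronized one-time-password
# token and the server that validates it. Both derive the password for the
# current 60-second step from a shared secret, so only one value is valid
# at a time; the server also refuses a password that was already used.
import hmac
import hashlib
import struct

STEP_SECONDS = 60       # the footnote's "typically 1 minute"
DIGITS = 6

def otp_for_step(secret: bytes, step: int) -> str:
    """Derive the password for one time step (HOTP-style truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def token_display(secret: bytes, now: int) -> str:
    """What the token's LCD shows at Unix time `now`."""
    return otp_for_step(secret, now // STEP_SECONDS)

class TokenServer:
    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps    # tolerate slight clock skew
        self.last_step_used = -1          # newest step already consumed

    def verify(self, candidate: str, now: int) -> bool:
        """Accept `candidate` if it matches a current, unused step."""
        current = now // STEP_SECONDS
        lo, hi = current - self.drift_steps, current + self.drift_steps
        for step in range(lo, hi + 1):
            if step <= self.last_step_used:
                continue                  # already consumed: one-time only
            if hmac.compare_digest(otp_for_step(self.secret, step), candidate):
                self.last_step_used = step
                return True
        return False

def demo():
    """Fresh use succeeds; replay and an expired password are refused."""
    secret = b"constructed-token-seed"
    server = TokenServer(secret)
    t0 = 1_700_000_000                                   # constructed clock
    shown = token_display(secret, t0)
    first = server.verify(shown, t0 + 5)                 # within the minute
    replay = server.verify(shown, t0 + 20)               # same password again
    later = server.verify(shown, t0 + 10 * STEP_SECONDS)  # ten minutes later
    return first, replay, later

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```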


Network Admission Control

NAC, the latest feature in Cisco's security portfolio, should be considered in the design of your network. NAC ensures that users and their computers comply with corporate network policies.

On a corporate network with NAC, a network access device (NAD), such as a router, intercepts attempts to connect from local or remote users. As shown in Figure 4-8, the Cisco trust agent, residing on the end point (for example, a user's laptop), provides the NAD with pertinent information, such as the version of antivirus software and the patch level of the connecting laptop. The NAD passes the end-point security credentials to a policy server, which decides whether access will be granted to the end point. Noncompliant end points are quarantined until they meet NAC standards.

Figure 4-8. Network Admission Control


Public Key Infrastructure

PKI is a set of technologies and procedures that authenticate users. It addresses the issue of key distribution by using private keys and public keys. These are asymmetrical keys, and the public keys usually reside on a central repository called a certification authority (CA). The private keys are usually stored locally on devices. PKI operations are shown in Figure 4-9.

Figure 4-9. Private and Public Key Operations[7]


Each unique pair of public and private keys is related, but not identical. Data encrypted with a public key can be deciphered only with the corresponding private key, while data encrypted with a private key can be deciphered only with its corresponding public key.

PKI is usually considered in the design of complex enterprise networks where it is too cumbersome for each party to locally keep the public key of every other party that he or she wants to communicate with using encryption. In a PKI environment, the public keys are kept centrally, thus simplifying the distribution and management of those keys.

Network Security Best Practices

As in any field, network security also possesses a set of best practices. Best practices are the recommendation of due care that subject-matter experts have agreed upon for a particular field.

Network security includes many well-known practices presented in the following sections.

Network Management

Most security appliances, such as firewalls, routers, and IDSs, can send syslog security triggers to a central repository such as a syslog server. There is a saying in network security: "If you log it, read it." This is to say that it's futile to just log information if you never analyze the logs. To help the network administrator sort and extract meaningful information from the large quantity of syslog data received, security event management software should be used. Should a significant anomaly be discovered, the software can notify the network administrator through e-mail, pager, or text messaging. In addition, correlation tool modules can be added to assist the network administrator in seeing security anomaly patterns from what would otherwise appear to be random activity taking place.

Assessment and Audits

Prior to designing your network, you should conduct a security assessment to uncover potential vulnerabilities and therefore target your security efforts where they are the most effective.

Subsequently, when your network security systems are in full production, it can be beneficial to hire a security audit company that can perform penetration testing and report on the corporate network security position.

Policies

Sophisticated security equipment is no match for sloppy user behavior. Organizations must develop basic network policies, disseminate them, and enforce them. Examples of network security policies are as follows:

  • Internet usage policy

  • E-mail usage policy

  • Remote-access policy

  • Password-handling policy

  • Software and hardware installation policy

  • Physical security policy

  • Business continuity policy




Campus Network Design Fundamentals
ISBN: 1587052229
Year: 2005
Pages: 156