CISCO HIERARCHICAL DESIGN AND NETWORK SECURITY

The Core Layer

Crackers dream about "getting enable" (full administrative control) on a high-speed backbone router or switch. Once this is accomplished, the opportunities for traffic sniffing, manipulation, redirection, and, of course, DoS/DDoS flood attacks are incredible. Thus, the backbone security is by no means limited to the redundancy issues, and the main security task at the core layer is to ensure that all forms of access to this layer's routers and switches are as restricted as they can be.

Another very important task is to oversee the security of BGP implementation if this path -vector protocol is used on the backbone under your control (which is very likely the case). Any interference with the normal BGP operationintentional or notspells doom for the interconnected networks, and more. Refer to the discussion of BGP attacks and countermeasures in Chapter 14 for more details.

As for the notion that security safeguards such as IDS sensors, firewalls, and VPN modules should not be deployed at the core layer for sake of speed and availability, this idea simply doesn't stand the test of time. Multiple network security devices and modules currently produced by Cisco are capable of performing their function while preserving a gigabit speed of the pipe on which they are deployed. These devices include

• Cisco Traffic Anomaly Detectors XT 5600 and 5700

• Cisco Guard XT 5650

• Cisco PIX 535 firewall

• Cisco Firewall Services Module (FWSM) for Cisco 7600 routers and Catalyst 6500 switches

• Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2)

• Cisco IDS 4250-XL Sensor

• Cisco 7600/Catalyst 6500 IPSec VPN Services Module (VPNSM)

The throughput capabilities of some of these hardware engineering wonders are truly impressive. For example, the VPNSM can deliver up to 1.9 Gbps (gigabits per second) of Triple Data Encryption Standard (3DES) traffic terminating up to 8000 IPSec connections simultaneously . The FWSM offers 5 Gbps traffic throughput, up to 100,000 new connections per second, and support for 1 million concurrent connections. Up to four FWSMs can be installed in a single chassis, offering 20 Gbps firewall scalability.

There are no technical reasons why you should not incorporate these powerful safeguards into your core layer architecture to ensure the ISP-level or large corporation entry point security. In fact, Cisco Traffic Anomaly Detectors XT 5600 and 5700 as well as Cisco Guard XT 5650 were specifically designed to be deployed at the network backbone to detect and handle massive DDoS attacks. Since the current level and sophistication of DDoS floods have gone much farther than the days of Mafiaboi vs. CNN and eBay , employing these rather costly anti-DDoS solutions can prove to be cost-saving after all. For high political profile or government organizations and businesses earning millions via mission-critical e-commerce operations, XT 5600/5700 and XT 5650 are a must.

The Distribution Layer

The distribution layer is a part of the network where the traffic is distributed between the end-user LANs or separate stations and the network backbone. The links and devices between organizational departments and branches belong to the distribution layer realm. Many factors define distribution layer security needs, including the following:

• Whether the core layer belongs to an ISP or the same organization

• The need for strict security separation among the organization's departments, groups, and branches

• The presence of remote branch or telecommuter connections terminating at the distribution layer

• The levels of trust assigned to users or user groups

Typical deployment of Cisco network devices at the distribution layer includes midrange routers and Catalyst switches such as Cisco 3600 and 3700 series routers or Catalyst 5000. The distribution layer is where you are most likely to encounter PIX firewalls (apart from the SOHO PIX 501), Cisco 3000 VPN concentrators, and Cisco IDS 4200 sensors, but this does not mean that all or even major network security policy enforcement is done here. The area of traffic distribution is very important for its monitoring, filtering, and encryption, but the origination of traffic arriving at the distribution layer is also important.

The following important functions have to be performed at the distribution layer:

• Centralized logging and log storage from multiple sources, including access layer LANs and, in some cases, the backbone

• Route filtering via distribution lists, passive interfaces, and policy routing

• Centralized security policy and device management

To provide centralized security policy and device management, Cisco has developed a variety of products, including enhancements to its popular CiscoWorks management center such as CiscoWorks VPN/Security Management Solution, CiscoWorks Security Information Management Solution, Cisco Router and Security Device Manager, and Cisco PIX Device Manager. The complete Cisco IP Solution Center is scaled to manage MPLS or IPSec VPNs and requires deployment of a specific Cisco CNS Intelligence Engine 2100 (IE2100) hardware platform as well as Solaris management and database stations. If you have a sizable Cisco-based network to manage, these products can make your life much easier, but be aware of the additional security risks that a user-friendly and efficient management solution might bring. Nothing is sadder than a firewall owned by employing a read-write (RW) SNMP community string sniffed out of the security management softwaregenerated traffic!

The Access Layer

The access layer is the point at which the end users enter the network. Thus, the main component of the access layer security is the Authentication, Authorization, and Accounting (AAA) services represented by RADIUS/TACACS+ Cisco Secure Access Control Servers on the server and Cisco Secure/Cisco Trust Authentication Agents on the client sides. Mentioned previously, a Cisco IBNS technology is a relatively new but very important player in the AAA field. The 802.1x network access control standard used by the IBNS is immensely flexible and powerful; employ it when and where you can. Out of the Extensible Authentication Protocol (EAP) types supported by 802.1x on Cisco devices, select EAP-PEAP, EAP-TTLS, or, in purely Cisco environments, novel EAP-FAST. Steer clear from the original Cisco EAP-LEAP (the methodologies of its abuse are covered in Chapter 12). These recommendations are particularly valuable when selecting user access control methods for Cisco wireless networks.

Of course, access layer security also includes protecting end-user desktops and laptops as well as local network servers. Have you been thinking that Cisco security is all about routers, switches, and various security hardware devices? Enter Cisco Trust and Cisco Security Agents, the recent Cisco advancements in the field of endpoint protection. Cisco Security Agent (CSA) is a host-based intrusion prevention system that works by applying security policy to system behavior via intercepting and analyzing system calls. The CSA networking model consists of three components :

• Cisco Security Agent Management Center (CSAMC)

• The administration workstation

• The CSA software installed on the protected hosts

The CSAMC allows centralized remote management of multiple CSAs that includes dividing secured hosts into groups with different security policy requirements as well as maintaining security violation logs and sending alerts via pager or e-mail. The administration workstation connects to the CSAMC via a Secure Sockets Layer (SSL)protected web interface. As to the CSA itself, it is available for Windows, Linux, and Solaris and consists of four interceptor modules. The file system interceptor checks all file read-and-write requests against the defined security policy. The network interceptor module controls changes of Network Driver Interface Specification (NDIS) and can also limit the number of connections or filter them on the IP: port basis. The configuration interceptor checks read/write requests to the Windows registry or UNIX rc initialization scripts. Finally, the execution space interceptor maintains the integrity of each program's dynamic run-time environment. The requests to write into memory not owned by the requesting process are detected and blocked by default. Classical stack buffer overflow attacks and attempts to inject shared or dynamic link libraries (DLLs) are also detected and blocked. Thus, the integrity of memory and network I/O addressing is protected.

When a suspicious system call is detected, CSA can perform the following actions:

• Block the call.

• Pass an error message to the call-initiating program.

• Generate an alert message that is sent to the CSAMC.

By the nature of its operation, CSA is a host-based intrusion prevention system that does not depend on attack signature database and its updates.

Cisco Trust Agent (CTA) is a free Windows application available directly from Cisco and bundled with the CSA or on its own. CTA reports the CSA version, Windows OS version, and current patch status as well as antivirus presence and version installed. More importantly, CTA serves as an 802.1x supplicant supplying the authentication credentials to NAS devices via Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP). At the moment of writing, CTA interoperates with McAfee VirusScan 7.x and 8.0i, Symantec AntiVirus 9.0 and Symantec Client Security 2.0 (EDAP only), and Trend Micro OfficeScan Corporate Edition 6.5, and it can be run on Windows NT 4.0, Windows 2000 Professional and Server (up to Service Pack 4), and Windows XP Professional (up to Service Pack 1).