Designing Secure Networks


Security has certainly become a critical issue in recent years for networks. The increasing interconnection of enterprise networks with both public and private external networks, along with other growth issues, has turned network security into a career instead of just a skill set! Indeed, a quick look at Cisco’s (and other vendors’) certifications reveals multiple recent security certifications, including a CCIE in security. While we cannot cover this immense topic in half a chapter, this chapter will introduce the topic of network security and its relevance in the network design process.

Note

Todd Lammle highly recommends the CCSP: Securing Cisco IOS Networks Study Guide, also by Sybex, for a fuller discussion of Cisco security strategies and technologies.

Traditional Three-Part Firewall

Security is a top concern of network designers today. However, many designers may not be aware that security can actually be engineered into the network topology at design time, or perhaps more accurately, the network topology can be designed to be readily secured. Designing secure networks from the inside out and using a layered-defense approach is the best plan.

A firewall is really just a filter between your network and another and is placed in the Enterprise Edge functional area of a SAFE security architecture design. The firewall can be configured by the network administrator to protect sensitive resources on the internal network while still providing communication with the larger internetwork.

In the example shown in Figure 13.1, the internal network is connected via a router to the external network. The logical place for the firewall is at that router, which puts it between the internal network and the external, untrusted internetwork. However, what if there are resources on the internal network that the external internetwork requires access to, perhaps a DNS or WWW server? Access to those machines would have to be provided through the firewall. Now, what if one of the available services on those machines is hacked? That’s certainly a problem, because that machine is part of your internal network and behind your firewall. Now the hackers have not only penetrated the firewall, but they have accessed your internal network!

Figure 13.1: Firewall placement

Real World Scenario—A Defense-in-Depth Approach to Network Security

Securing today’s networks requires much more than a firewall. A combination of router access lists, multi-part firewall designs, intrusion detection systems (IDSs), and anti-virus products, to name a few, provide for a defense-in-depth strategy. Many network administrators still believe what they were sold several years ago by the firewall vendors: a firewall will protect your network from the Internet. Today’s network designs must include all of the aforementioned items, along with well-written and enforced security policies with designer, administrator, and user compliance. There are many vendor-neutral recommendations for creating the baselines of security in your network.

For Cisco Internet-facing routers, the NSA (National Security Agency) has published a detailed guide available for free download from www.nsa.gov. You can also download the two-page executive summary, which includes many to-the-point configuration settings and access lists that must be implemented today.

The Cisco PIX firewall can be used to create the multi-part design with its multi-port options. The 506 and 515 PIX offer a minimum of three ports for internal, DMZ, and external connections to your network. You could also stack two firewalls back to back, with a DMZ in the middle for added protection. In addition, Cisco offers intrusion detection systems for your routers, switches, network, hosts, and firewall. However, your IDS doesn’t always have to be vendor-specific. Anti-virus products come in many flavors and from many vendors. Your best bet when shopping for an anti-virus solution is to ask around or read the reviews in the popular network trade magazines for the right solution at the right price.


In those situations where internal networks must be protected yet resources must be made available, a three-part firewall system is the most suited to the task. Consider Figure 13.2. Rather than having a single router between the internal network and the untrusted external internetwork, two routers are placed in the path. The segment between these two routers becomes what is called the DMZ (de-militarized zone), or the isolation LAN. It is physically a buffer or protection between the internal and external networks! On this segment you can place servers that the external internetwork needs to access. These servers might include

  • WWW servers

  • FTP servers

  • SMTP (e-mail) servers

  • DNS servers

These are all examples of servers that untrusted hosts from the external internetwork could appropriately access. This allows external users to view your web pages, exchange e-mail with the local network, etc. However, unlike the topology in Figure 13.1, in Figure 13.2, servers are not located on the internal network but on the isolation LAN, which is a completely different network segment. Therefore, if the web server is somehow compromised, the hacker has not penetrated the firewall, as he or she would have in the network in Figure 13.1.

Figure 13.2: A three-part firewall system

There are many techniques in the three-part firewall to ensure that the internal network is protected. Access lists are used to ensure that inappropriate access is not permitted. In Figure 13.2, the external router has an access list that permits access to certain ports on specific servers in the DMZ, thus allowing web and e-mail traffic to flow. That access list can also include a line to permit only established TCP sessions to the internal network and then to deny all other traffic. In addition, the internal router can be configured to permit only established TCP connections to the internal network. At this point, workstations on the internal network can initiate TCP sessions with devices on the external internetwork, but external devices are not permitted to initiate TCP connections with hosts on the internal network.

If you need to take this a step further, you can install application proxies in the DMZ and configure all workstations on the internal network to use the proxies whenever they communicate with the external internetwork. At this point, the external router only needs to advertise the address of the DMZ LAN out to the external internetwork. As a result, on the external internetwork, routers do not even have routing table entries for the internal network’s address!
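As an added example (not taken from the study guide), here is how the two access lists described for Figure 13.2 look in Cisco IOS. The addressing, interface names and DMZ host roles are constructed for the example: the isolation LAN is 192.0.2.0/24 and the internal network is 10.0.0.0/8.

```cisco
! External router of Figure 13.2, interface toward the untrusted internetwork.
! Addressing is constructed for this example:
!   DMZ / isolation LAN : 192.0.2.0/24 (web 192.0.2.10, mail 192.0.2.20, DNS 192.0.2.30)
!   Internal network    : 10.0.0.0/8
ip access-list extended FROM-INTERNET
 remark Services the outside may reach, and only on the DMZ servers
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.20 eq smtp
 permit udp any host 192.0.2.30 eq domain
 permit tcp any host 192.0.2.30 eq domain
 remark Replies to sessions the inside initiated: "established" matches only
 remark TCP segments with ACK or RST set, so a bare SYN toward the inside fails
 permit tcp any 10.0.0.0 0.255.255.255 established
 remark Everything else is dropped and logged (the implicit deny would not log)
 deny ip any any log
!
interface Serial0/0
 description Link to the untrusted internetwork
 ip access-group FROM-INTERNET in
!
! Internal router of Figure 13.2, interface toward the isolation LAN.
ip access-list extended FROM-DMZ
 remark Inside hosts may initiate; DMZ and outside hosts may only answer
 permit tcp any 10.0.0.0 0.255.255.255 established
 remark UDP has no "established": allow the DMZ resolver's answers explicitly
 permit udp host 192.0.2.30 eq domain 10.0.0.0 0.255.255.255
 deny ip any any log
!
interface Ethernet0
 description Isolation LAN (DMZ)
 ip access-group FROM-DMZ in
```

The `established` keyword is a stateless test of the TCP ACK/RST bits, not a record of sessions, and it says nothing about UDP; a stateful firewall such as the PIX or the IOS firewall feature set mentioned elsewhere in this chapter is the usual way to close that gap.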

Network Security: The Targets

Modern networks are, well, target rich to would-be hackers. Increasing complexity, increased interconnectivity, the gravitation of many applications towards a common protocol (IP), the complexity of systems, and other factors make network security a never-ending challenge. At a high level, you are concerned with three factors:

Data integrity Data integrity can include verification that the data received was the data transmitted and might also include controls on changing data.

Data confidentiality Only those who are authorized to access the data should be able to see it. This may include encrypting data to prevent third-party interception.

Data and system availability Systems need to be “hardened” so that a would-be hacker cannot disrupt vital services.

The first two factors deal with protecting data. The third factor considers the problem that sometimes the objective is not to steal or alter, but simply to deny or break.

With this high-level view, let’s look at some of the specific components on your network and their particular vulnerabilities.

Routers and Switch Security

Router security is a critical element in any security design. By their nature, routers pass all internetwork traffic. An attack on a router can be an attack on data integrity and certainly can affect network and application availability. It is essential to secure routers to reduce the likelihood that they can be compromised. Many documents provide details on the following router security topics:

  • Locking down Telnet access to a router

  • Locking down Simple Network Management Protocol (SNMP) access to a router

  • Controlling access to a router through the use of Terminal Access Controller Access Control System Plus (TACACS+)

  • Turning off unneeded services

  • Logging at appropriate levels as well as at a Syslog server

  • Secure routing protocols

Note

The most current Cisco document on router security is available at http://www.cisco.com/warp/public/707/21.html. Additional security guides are available from the National Security Agency at http://www.nsa.gov/snac/cisco/index.html.

Switches have their own set of security considerations. As Layer 2 devices, switches are a logical target to intercept data and can also be targets to disrupt services. There are several tactics that can harden these devices. Ports without any need to trunk should have any trunk settings set to off, as opposed to auto. This setup prevents a host from becoming a trunk port and receiving all traffic that normally resides on a trunk port. Disable all unused ports; this prevents hackers from plugging in to unused ports and communicating with the rest of the network. You may want to consider enabling port security for added protection.
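The following baseline is an added example, not the study guide’s own configuration. It walks through the router topics listed above (Telnet, SNMP, TACACS+, unneeded services, routing protocol authentication), the switch-port advice in the last paragraph, and the TACACS+/AAA controls the Access Control section returns to later; logging is left to the Device Reporting section. The management subnet 10.1.1.0/24, the TACACS+ server 10.1.1.5, interface names and every value marked PLACEHOLDER are constructed, and the switch commands are the IOS equivalents of the CatOS trunk settings the text refers to.

```cisco
! --- Router ---
! Telnet/SSH lockdown: only the management subnet may open a VTY
access-list 10 remark Management hosts allowed to reach the VTYs and SNMP
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
!
! SNMP lockdown: a read-only community bound to the same ACL, no read-write one
snmp-server community RO-COMMUNITY-PLACEHOLDER RO 10
!
! TACACS+ through AAA: who may log in, what they may run, and a record of it,
! with the local account used only if no TACACS+ server answers
aaa new-model
tacacs-server host 10.1.1.5 key TACACS-KEY-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin secret LOCAL-FALLBACK-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
service password-encryption
!
! Unneeded services an Internet-facing router should not offer
no service tcp-small-servers
no service udp-small-servers
no service pad
no ip finger
no ip bootp server
no ip http server
no ip source-route
no cdp run
!
! Secure routing protocol: OSPF neighbors must present a valid MD5 digest
router ospf 1
 area 0 authentication message-digest
!
interface Serial0/0
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
!
! --- Switch (IOS-based) ---
! Ports with no need to trunk never negotiate one (the IOS equivalent of
! CatOS "set trunk off" rather than "auto"), and port security limits each
! port to a single learned MAC address
interface range FastEthernet0/1 - 20
 description User access ports
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Unused ports are shut down so nothing plugged into them can talk to the network
interface range FastEthernet0/21 - 24
 description Unused, administratively down
 switchport mode access
 shutdown
```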

Network Security

Networks in general can be targets of attacks. There are several areas of exposure to networks beyond those risks to their individual components:

Reconnaissance attacks Reconnaissance attacks attempt to gather information about devices on a network that can be used in further attacks. The mapping of particular system weaknesses, taking inventory of devices and operating systems, and taking inventory of available services (port scanning) are all examples of reconnaissance attacks.

Traffic attacks Traffic attacks involve intercepting data as it traverses network segments. This can be for the purpose of eavesdropping, or perhaps to change data en route.

Denial-of-service attacks Just as the name indicates, denial-of-service (DoS) attacks are an attempt to deny access to services on the network. They can include sending a malformed packet to a particular host, which causes the host to become unstable and halt. It can also include brute traffic generation, essentially monopolizing available network resources with irrelevant “noise” and thereby preventing legitimate network traffic access.

Real World Scenario—Distributed Denial-of-Service Attacks (DDoS)

The worst type of attack is the one that is extremely difficult to stop. When performed properly, a distributed denial-of-service (DDoS) attack is just such an attack. DDoS works by causing tens or hundreds of machines to simultaneously send spurious data to a single destination IP address. The goal of such an attack is generally not to shut down a particular host, but rather to make the entire network unresponsive. For example, consider an organization with a T1 (1.5Mbps) connection to the Internet that provides e-commerce services to its web site users. Such a site is very security conscious and has intrusion detection, firewalls, logging, and active monitoring. Unfortunately, none of these security devices helps when a hacker launches a successful DDoS attack.

Consider 100 devices around the world, each with DSL (500Kbps) connections to the Internet. By programming these distributed systems to flood the e-commerce organization’s Internet connection, they can overwhelm the T1. Even if each host generates only 100Kbps of traffic, this amount is still almost 10 times the amount of traffic that the e-commerce site can handle. As a result, legitimate web requests are discarded, and the site appears to be down for most users.

Only through cooperation with the ISP can this fictitious e-commerce company hope to thwart such an attack. One approach to limiting this sort of attack is to follow filtering guidelines for networks outlined in RFC 1918 and RFC 2827.

When implemented at the ISP, this filtering drops DDoS attack packets whose source addresses are private (RFC 1918) or fall outside the originating network’s assigned block before they cross the WAN link, potentially saving bandwidth during the attack. Implementation of the guidelines described in RFC 2827 by ISPs worldwide greatly reduces source address spoofing. Although this strategy does not directly prevent DDoS attacks, it does prevent such attacks from masking their source, making traceback to the attacking networks much easier.
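The RFC 2827 and RFC 1918 filters as an ISP would apply them, written as an added Cisco IOS example (not from the study guide), with the mirror-image egress filter a customer can apply on its own edge added as an extension of the same idea. The customer prefix 198.51.100.0/24 and the interface names are constructed; the commented-out `ip verify unicast reverse-path` line is Unicast RPF, a later IOS feature that performs the same source check against the routing table and is not discussed in the chapter.

```cisco
! --- ISP provider-edge router ---
! RFC 2827: on the interface toward the customer, accept only packets whose
! source lies in the block assigned to that customer; anything else is spoofed
! (or misrouted). Note that "log" on a line hit by a flood is CPU-expensive;
! on a busy link, omit it or rate-limit ACL logging.
ip access-list extended RFC2827-INGRESS
 permit ip 198.51.100.0 0.0.0.255 any
 deny ip any any log
!
! RFC 1918: private address space is never a legitimate source on the Internet
ip access-list extended RFC1918-BOGONS
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
interface Serial1/0
 description Customer link, 198.51.100.0/24
 ip access-group RFC2827-INGRESS in
 ! Unicast RPF does the same source check against the routing table and
 ! needs no per-customer ACL; shown commented out because the chapter
 ! describes the access-list form
 ! ip verify unicast reverse-path
!
interface Serial0/0
 description Upstream link toward the Internet
 ip access-group RFC1918-BOGONS in
!
! --- Customer edge router (same principle, applied outbound) ---
! Nothing leaves the site carrying a source address that is not the site's own,
! so the site cannot become an unwitting source of spoofed attack traffic
ip access-list extended RFC2827-EGRESS
 permit ip 198.51.100.0 0.0.0.255 any
 deny ip any any log
!
interface Serial0/0
 description Link to the ISP
 ip access-group RFC2827-EGRESS out
```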


Hosts and Application Security

The most likely target during an attack, the host presents some of the most difficult challenges from a security perspective. There are numerous hardware platforms, operating systems, and applications, all of which have updates, patches, and fixes available at different times. Because of these security challenges, hosts are also the most successfully compromised devices. For example, a given web server on the Internet might run a hardware platform from one vendor, a network card from another, an operating system from still another vendor, and a web server from yet another vendor. Additionally, the same web server might run applications that are freely distributed, and thus well known, via the Internet.

Applications coded by human beings are subject to errors. These errors can be benign—for example, an error that causes your document to print incorrectly. Or, they can be more serious errors that make credit card numbers on your database server available to unauthorized persons or services. Ensuring that both commercial and public domain applications are up-to-date with the latest security fixes is essential.

Components of Network Security

Every security plan should proceed from an enterprise security policy. Whether this is provided by the customer or created by the customer and network designer, this document guides the security decisions that must be made as part of the design process.

This section will examine some of the components that can be used as part of the network design. Selection and provisioning of these components should be based on the enterprise security policy.

Physical Security

Physical security is frequently overlooked, yet it can be one of the easiest ways to compromise a network. Consider for a moment just what physical access to a device means. Can you break it? Of course. Can you plug into a console port or perhaps into an open switch port? Of course. Can you listen to a wire that you can touch? Of course.

There are solutions to these issues. Good old-fashioned locks can do a lot; access methods that are logged are even better. Console ports can require TACACS+, and data can be encrypted should it be intercepted on physical devices beyond your control.

Access Control

Cisco devices using AAA (Authentication, Authorization, and Accounting) give you the capability to tightly control access. You can control who gets access to the devices, what they can do to the device once they have access, and keep logs of everything they do while logged into the device. This is done through the use of a centralized security server, and it allows enterprise-wide policy changes or security modifications at a single point. Have you ever had an engineer leave and had to change hundreds (or more) of passwords by hand? If so, AAA is for you.

Intrusion Detection Systems

An intrusion detection system (IDS) acts like an alarm system. When an IDS detects something that it considers a host or network attack, it can either take corrective action itself or notify a management system for actions by the administrator. Some systems are equipped to recognize and respond to specific attacks. Host-based intrusion detection systems work by intercepting operating system and application calls on an individual host. They can also operate by after-the-fact analysis through log files. The former approach allows better attack prevention, whereas the latter approach dictates a more passive response role. Host-based IDS (HIDS) systems are often better at preventing specific attacks than network IDS (NIDS) systems, which usually issue only an alert upon discovery of an attack. Ideally, a combination of the two systems would be deployed: HIDS on critical hosts and NIDS watching over the entire network.

Secure Device Management

In the out-of-band (OOB) environment, each network device and host has its own dedicated management interface, which is connected to a separate, private management network. This setup mitigates the risk of passing management protocols such as Telnet, TFTP, SNMP, and Syslog over the production network. In the SAFE architecture, where management traffic must flow in-band, it is made as secure as possible by using tunneling protocols and secure variants of the insecure management protocols. For example, use Secure Shell Protocol (SSH) whenever possible instead of Telnet.

Device Reporting

Most networking devices can send Syslog data to a centralized server. Sending this data to your Syslog analysis host from devices whose logs you wish to view is an effective reporting method. The data can be viewed in real time or via on-demand and scheduled reports. You can choose various logging levels to ensure that the Syslog messages are relevant but do not become overly verbose. To ensure that log messages are time-synchronized to one another, clocks on the hosts and on the network devices must be in sync. For devices that support it, Network Time Protocol (NTP) provides a way to ensure accurate time-keeping on all devices.
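An added example (not the study guide’s configuration) of the management-plane pieces these two sections describe: a dedicated OOB management interface, SSH in place of Telnet, Syslog at a chosen level with timestamps, and authenticated NTP. The management network 10.1.1.0/24, the management host 10.1.1.5 (acting as Syslog, SNMP and NTP server), the hostname, domain name, interface and every value marked PLACEHOLDER are constructed.

```cisco
! Dedicated management interface on the private OOB network 10.1.1.0/24;
! 10.1.1.5 is the management host (Syslog, SNMP and NTP server)
interface FastEthernet1/0
 description Out-of-band management LAN
 ip address 10.1.1.10 255.255.255.0
 ip access-group MGMT-IN in
!
ip access-list extended MGMT-IN
 remark Only management hosts, and only management protocols, reach this interface
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq 22
 permit udp host 10.1.1.5 host 10.1.1.10 eq snmp
 permit udp host 10.1.1.5 eq ntp host 10.1.1.10
 permit icmp 10.1.1.0 0.0.0.255 host 10.1.1.10 echo
 deny ip any any log
!
! SSH in place of Telnet. A hostname and domain name must exist before the
! one-time exec command "crypto key generate rsa" will create the host key.
hostname edge-rtr
ip domain-name example.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin secret LOCAL-PLACEHOLDER
line vty 0 4
 transport input ssh
 login local
!
! Syslog: informational (level 6) and more severe to the analysis host, with
! millisecond timestamps so messages from different devices can be correlated
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging host 10.1.1.5
logging trap informational
logging source-interface FastEthernet1/0
!
! NTP: synchronize clocks so log timestamps line up, and authenticate the source
clock timezone UTC 0
ntp authenticate
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp trusted-key 1
ntp server 10.1.1.5 key 1 prefer
```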

The Cisco SAFE Blueprint

Cisco’s SAFE (Security Blueprint for Enterprise Networks) model addresses a defense-in-depth approach to secure network design. SAFE serves as a guide for network designers in meeting the security requirements of their network and countering the threats to it. It is built on top of the Enterprise Composite Networking Modules; that is, it takes a modular approach to security. One central concept of SAFE is defense in depth, that is, a multi-layered approach to security. With defense in depth, failure or breach of security on one device in a network does not lead to failure or breach of security on successive devices.

Today’s network designers who understand these threats can better decide where and how to deploy secure technologies. Without a full understanding of the threats involved in network security, there is a tendency to incorrectly configure deployments. Designers also tend to focus on security appliances alone, or end up without options for responding to a threat. By taking a threat-mitigation approach, network designers, armed with this information, can make sound network security choices.

SAFE is a security architecture whose first goal is to prevent most attacks from successfully affecting network resources. It must also accurately detect the attacks that succeed in penetrating the first line of defense. Additionally, these attacks must be quickly contained to minimize their effect on the rest of the network. However, in being secure, the network must continue to provide critical services that users expect. It is essential to provide network security and network functionality at the same time.

At many points in the network design process, designers need to choose between using integrated functionality in a network device versus using a specialized functional appliance. The integrated functionality is often attractive because designers can implement it on existing equipment, or because the features can interoperate with the rest of the device to provide a functional solution. Appliances are often used when the depth of functionality required is very advanced or when needs require using specialized hardware. Designers should make decisions based on the capacity and functionality of the appliance versus the integration advantage of the device. For example, sometimes designers choose an integrated, higher capacity router with IOS firewall software as opposed to a smaller IOS router with a separate firewall such as the Cisco PIX. When the design requirements do not dictate a specific choice, the designer can opt for integrated functionality in order to reduce the overall cost of the solution.

In the following sections, I’ll define the aspects of a SAFE-architecture-designed network and explain securing specific device types. I’ll also discuss security tools for management.

Module Concept

Cisco’s Enterprise Composite Network Modules (ECNM) are the building blocks of Cisco’s SAFE architecture design model, and they offer two main advantages: First, ECNM allows the architecture to address the security relationship between the various modular blocks of the network. Second, it permits the designer to evaluate and implement security on a module-by-module basis, instead of attempting the complete architecture in a single phase.

For the most part, dissecting a network into clear-cut modules is not an easy task. However, this approach provides a guide for implementing different security functions throughout the network. Figure 13.3 shows how the modules of SAFE create a modular approach to a secure network design.

Figure 13.3: Modules of a SAFE network design

The Service Provider Edge functional area is not usually under the control of the private network administrators. Usually, the ISP secures it with a security agreement provided to administrators. The Corporate Internet module provides internal users with connectivity to Internet services and Internet users with access to information on public servers. Also, remote locations and telecommuters receive VPN access. The Service Provider Edge functional area does not serve e-commerce–type applications.

The Campus functional area contains end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 infrastructure required to support the devices. In this small network design, a single switch controls this Layer 2 functionality.

SAFE is well documented by Cisco via white papers and other content. It does not apply in all network situations and is not necessarily the best or easiest solution to apply to given situations. Let’s look at SAFE and how it applies to some of the ECNM modules.

Internet Connectivity module The Internet Connectivity module is where the enterprise network touches the Internet. This module has traditionally received the most attention in security. A common problem is to be strong on security here and weak elsewhere. There are many threats at the Internet Connectivity module: DoS attacks, reconnaissance, and compromised hosts attempting to penetrate deeper into the enterprise network. Countermeasures such as IDS, host hardening, DMZ networks, and firewall deployment all help to secure this most vulnerable point.

E-Commerce module Common threats at the E-Commerce module include compromised hosts and/or applications and DoS attacks. Many of the same countermeasures of the Internet Connectivity module listed previously also apply here; host hardening, IDS, DMZ networks, firewalls, and access controls all are effective tools.

Remote Access and VPN module By definition, the Remote Access and VPN module is the place where users securely enter the enterprise network. Risks in this module include identity spoofing (stealing or forging an identity) to gain access to a remote access point or VPN connection. Also at risk are the legitimate clients that access these services. “If I can hack your laptop, I don’t need to attack your VPN; the laptop has legitimate access through the VPN.” Countermeasures include strong authentication, cryptography, and personal firewalls on remote clients.

WAN module Security threats in the WAN module include the potential for data transmission to be intercepted (since you cannot control physical access to media) and the potential for service-provider error. What would happen if your telecommunications provider accidentally mapped one of your PVCs to another enterprise customer, one running the same routing protocol as you? Security countermeasures include data encryption and peer authentication across the WAN.

Network Management module Potential security issues in the Network Management module include the manipulation of management protocols, host compromise, and device misconfiguration (accidental or otherwise). Countermeasures include using secure network management protocols (TACACS+, SNMP v3), AAA (Authentication, Authorization, and Accounting), and firewalls to protect network management hosts.

Server Farm module Security risks in the Server Farm module include compromised hosts and applications. Host hardening, IDS, and firewalls may all be appropriate here.

As previously mentioned, further documentation on the SAFE blueprint is available directly from Cisco. We’ve only scratched the surface of network security here, yet that completes our whirlwind introduction to network security and SAFE. Our next topic is IP telephony and the network design issues associated with that technology.




Source: CCDA: Cisco Certified Design Associate Study Guide, 2nd Edition (640-861). Sybex, 2002. ISBN 0782142001.
