Understanding Defense in Depth


Defense in depth is the key to stopping most network and computer-related attacks. It's a concept of deploying several layers of defense that mitigate security threats. As discussed in Chapter 1, "Internet Security 101," many hackers look for what is called "low-hanging fruit" (that is, easy targets to attack). With defense in depth applied, attackers usually either become frustrated and move on to the next target or stop the attacks altogether, deterred by the security you've put in place.

Stopping a Computer Attack

Although security experts debate the different methods to deploy defense in depth, each method involves the same technologies. The deployment of defense in depth used throughout this book involves four main layers of defense and some device-hardening best practices. You use the ASA/PIX Security Appliance and ASDM to address the first three layers, and host intrusion prevention addresses the fourth layer. The layers are as follows:

  • Authentication layer

  • Perimeter layer

  • Network intrusion prevention layer

  • Host intrusion prevention layer

  • Security best practices

Authentication Layer

Authentication validates a user's or a device's credentials, typically a username and password, before that user or device is allowed onto your network or onto devices in your network. Authentication is possible only where the protocol is designed to carry and track usernames and passwords. Protocols that can be authenticated include File Transfer Protocol (FTP), the e-mail protocols, Hypertext Transfer Protocol (HTTP), IPSec VPN access, Telnet, Secure Shell (SSH) access, and HTTPS (Hypertext Transfer Protocol Secure, that is, HTTP over Secure Sockets Layer, SSL).

In this book, the authentication example you use protects access to the ASA/PIX Security Appliance at the edge of the network. You also use the local username and password database on the security appliance to authenticate the following network and remote-access protocols:

  • IPSec: For remote network and remote management access

  • SSH: For remote management access

  • HTTPS: For remote management access

  • HTTP: For inbound and outbound web connections

IPSec, HTTPS, and SSH encrypt traffic, including the passwords exchanged at login. This encryption mitigates attackers who sniff your network to glean these important bits of information. FTP, Telnet, and plain HTTP carry credentials in clear text, so authenticating them still exposes the password to anyone on the path; use them only over links you trust, or prefer their encrypted counterparts (SFTP or FTP over IPSec, SSH, and HTTPS).

A network deployment with a small number of users could use passwords that are stored locally on the ASA/PIX Security Appliance. A larger user base would deploy a central authentication server, such as the Cisco Secure Access Control Server (Cisco Secure ACS): the security appliance talks to it over TACACS+ or RADIUS, and the server in turn can validate users against Active Directory or the domain user database. In addition, Cisco Secure ACS facilitates password maintenance, user maintenance, password timeouts, password expirations, and auditing from a single location.
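The following configuration is an added example, not taken from the book, of how the management protocols listed above are authenticated on an ASA running version 7.x software. It uses a local user database for a small deployment, adds a Cisco Secure ACS server group reached over TACACS+ for a larger one, and falls back to the local database only when the server does not answer. The usernames, the server address 10.1.1.5, the shared secret, and the tunnel-group name are placeholders.

```cisco
! Added example (not from the book): authenticating management and remote access.
! Names, addresses and secrets are placeholders; replace them before use.

! Local user database: one named account per administrator, never a shared login.
username admin password S3cur3P@ss! privilege 15
username helpdesk password An0th3rP@ss privilege 3

! Central authentication: a Cisco Secure ACS server reached over TACACS+.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.5
 key Sh4redS3cret
 timeout 5

! Require authentication for every management protocol. Listing LOCAL after the
! server group lets you log in when the ACS server is unreachable; the local
! database is consulted only if the server does not respond, not if it rejects
! the credentials, so a locked-out user cannot bypass ACS by waiting.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authentication serial console LOCAL

! Accounting: record who logged in and which privileged commands they ran,
! so the audit trail lives on the ACS server rather than only on the box.
aaa accounting ssh console ACS
aaa accounting enable console ACS
aaa accounting command privilege 15 ACS

! Remote-access IPSec users are authenticated against the same server group.
tunnel-group REMOTE-VPN type ipsec-ra
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group ACS LOCAL
```

Note that no `aaa authentication telnet console` line appears: Telnet is never enabled, so there is nothing to authenticate over it. Test the fallback by stopping the ACS service, not by entering a wrong password, because only a timeout triggers the LOCAL database.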

Perimeter Layer

After users have been authenticated (or not authenticated, as is the case for most web traffic), the next step is to determine what these users can or cannot do after they access the network.

The perimeter layer has two main functions:

  • Traffic filtering

  • Network perimeter attack protection

The first function, traffic filtering, enforces the rules in your security policy that define which traffic is allowed into the network. This ensures that outside users have access only to the devices and services that you have explicitly permitted.

The second function, network perimeter attack protection, provides protection against attacks on the perimeter of your network, such as the following:

  • Denial-of-service attacks

  • Session hijacking

  • Unauthorized perimeter device access

You can configure the ASA/PIX Security Appliance to lock down access to the inside network as well as defend against traditional perimeter attacks. In this book, you will complete exercises enforcing user access and defending against perimeter attacks.
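As an added example (not the book's own configuration), the fragment below applies both perimeter functions on an ASA running 7.x software: an inbound access list that permits only web and HTTPS to one published server and denies and logs everything else, unicast reverse-path checking against spoofed sources, and connection limits that blunt SYN floods against that server. It assumes a DMZ web server at 192.168.2.10 published as 203.0.113.10 using pre-8.3 NAT syntax, in which access lists on the outside interface reference the translated address; on 8.3 and later the same policy is written against the real address.

```cisco
! Added example (not from the book): perimeter filtering and attack protection.
! Assumes ASA 7.x / pre-8.3 NAT; 192.168.2.10 and 203.0.113.10 are placeholders.

static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255

! Traffic filtering: only HTTP and HTTPS to the published server. The explicit
! final deny is redundant with the implicit one but makes the policy visible
! and writes a syslog record for every blocked probe.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Anti-spoofing: drop packets whose source address is routed out a different
! interface from the one they arrived on (unicast reverse-path forwarding).
! On the inside this also stops inside hosts from sourcing outside addresses.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Denial-of-service protection: cap total and half-open (embryonic) connections
! to the web server. Once the embryonic limit is reached the appliance completes
! the TCP handshake on the server's behalf (SYN cookies), so a SYN flood never
! consumes the server's connection table. Randomised initial sequence numbers
! (on by default, shown here explicitly) make TCP session hijacking by sequence
! prediction impractical for connections passing through the appliance.
access-list WEB_SERVER_TRAFFIC extended permit tcp any host 203.0.113.10
class-map WEB_SERVER
 match access-list WEB_SERVER_TRAFFIC
policy-map OUTSIDE_POLICY
 class WEB_SERVER
  set connection conn-max 2000 embryonic-conn-max 400
  set connection random-sequence-number enable
  set connection timeout embryonic 0:00:30
service-policy OUTSIDE_POLICY interface outside
```

Size the limits from observed peak traffic (`show conn count` and the server's own capacity), not from guesswork: a `conn-max` set too low turns the appliance into the denial-of-service tool.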

Network Intrusion Prevention

Up to this point, with the first two layers (authentication, perimeter) of defense in depth, you have effectively

  • Granted access only to desired users

  • Enforced rules specifying what those users can do

  • Provided protection for perimeter attacks

The next step is to deploy network intrusion prevention systems (NIPSs). The purpose of this layer is to look inside the traffic that you have allowed into the network and determine whether that traffic is valid or whether the traffic might be a network or host attack. The ASA/PIX Security Appliance operating system relies on attack signatures to recognize an attack in progress.

NOTE

A signature is a definition of a sequence of data that might indicate an attack.


If the ASA/PIX Security Appliance identifies an attack, you can configure it either to drop the packets to protect the inside resource or to report the possible attack to an event logger. If you elect to drop packets, make sure that you are not dropping valid traffic. The signatures shipped with the security appliance describe well-known attacks and leave little chance of valid traffic being dropped, but verify this against your own traffic, in alarm-only mode first, before enabling a drop action.

The main problem with signature-based network intrusion prevention is that it is only as good as its most recent signature: it can stop only attacks that are already known. Day-zero attacks (new attacks, for which no signature yet exists) therefore pose the greatest threat to network and host security. For this reason, the ASA/PIX version 7 operating system adds service policy rules that analyze the behavior of network traffic against protocol rules and against custom rules configured by you, the network or security administrator. Because these rules check whether traffic conforms to the protocol it claims to be rather than matching it against a list of known attacks, they can block some attacks for which no signature exists yet, and this layer of protection goes a long way toward providing day-zero protection.
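The fragment below is an added example, not from the book, that puts both mechanisms described above side by side on an ASA: the built-in signature engine (`ip audit`, a small fixed set of attack and informational signatures inherited from the PIX) and service policy rules that enforce protocol conformance on the traffic already allowed in. ASA 7.0/7.1 syntax is assumed; from 7.2 onward the `http-map` is replaced by `policy-map type inspect http` with equivalent settings. The map and policy names are placeholders.

```cisco
! Added example (not from the book): signature-based and behavior-based
! inspection on the security appliance. ASA 7.0/7.1 syntax assumed.

! Signature-based: the appliance's built-in signature sets. Attack signatures
! raise a syslog alarm, drop the packet and reset the connection; informational
! signatures (port sweeps, ICMP probes and the like) only alarm. Run the attack
! set with "action alarm" alone first and inspect the logs before adding drop.
ip audit name OUTSIDE_ATTACK attack action alarm drop reset
ip audit name OUTSIDE_INFO info action alarm
ip audit interface outside OUTSIDE_ATTACK
ip audit interface outside OUTSIDE_INFO
! Disable an individual signature that matches legitimate traffic rather than
! turning off the whole set; 2004 is the ICMP echo request signature.
ip audit signature 2004 disable

! Behavior-based: protocol rules applied to permitted traffic. A request that is
! syntactically wrong for HTTP, an oversized URI, or an instant-messaging client
! tunnelling over port 80 is stopped even though no signature describes it.
http-map HTTP_STRICT
 strict-http action drop log
 max-uri-length 1024 action reset log
 port-misuse im action reset log

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp strict
  inspect http HTTP_STRICT
service-policy global_policy global
```

The two halves fail differently: `ip audit` misses anything it has no signature for, while `strict-http` will also reset legitimate but sloppy applications that violate the RFC. Watch `show service-policy` counters and the syslog after enabling either before leaving it in drop mode.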

Host Intrusion Prevention Layer

Even though the ASA/PIX Security Appliance has deployed signature-based and some behavior-based protection, there is still the possibility that attack traffic not matching these signatures or behavior can be passing through to the inside of the network. Because of this, host intrusion prevention is required as a final layer of defense in depth.

CAUTION

Required is a key word. Day-zero attacks are among the most costly and difficult attacks to defend against. Host intrusion prevention is the layer that addresses them, because it blocks the attack's behavior on the host itself rather than waiting for a signature, and deploying it greatly reduces their impact.


By the time traffic reaches this layer, the user has been authenticated, perimeter attacks have been mitigated, traffic has been filtered, and intrusion prevention has used signatures and protocol-based rules to block known attacks. The purpose of host intrusion prevention is to stop any remaining threats, such as the following:

  • Any attack that doesn't traverse the security appliance, such as those sourced by inside users

  • Any attack that was sourced from the outside of the security appliance but wasn't stopped by the security appliance filters or the application firewall

The Cisco solution for host intrusion prevention is a product called the Cisco Security Agent (CSA). CSA triggers on the behavior of the host or server to decide whether an attack is in progress. If it detects an attack in progress, it stops the attack by terminating the compromised process running on the host or by blocking the malicious behavior. Because CSA doesn't rely on attack signatures, signature updates are not required when new attacks (day-zero attacks) circulate on the Internet.

To exploit a host, every attack must exhibit some common behaviors. CSA knows what those behaviors are and stops an attack before it can damage a machine. It's imperative that antivirus software be run in conjunction with CSA. Antivirus software cleans up damage caused by attacks (as well as stopping known attacks), which provides an additional layer of host defense.

Security Best Practices

Even if defense in depth has been applied in your network, you should still follow certain network, host, and server security best practices to ensure additional protection. By implementing the technology previously described in this chapter, you can build the foundation for defense in depth. Be aware, however, that there is more to it than just putting a few building blocks into place and then walking away. As a business owner, administrator, or security engineer, you always need to ensure that you have made it as difficult as possible for someone to get into your hosts as well as any device on the network. In many cases, people secure hosts and servers but ignore network devices. This security posture has inherent risks: If attackers compromise a network device, they might find it relatively easy to build back doors or exploit access lists or routing protocols to give themselves unlimited access to your network. Security best practices are discussed here at an overview level only, because a detailed discussion of them is beyond the scope of this book.

NOTE

For a detailed discussion on network device best practices, refer to the "SAFE Enterprise Architecture" white paper on the Cisco website at http://www.cisco.com/go/safe.


As a matter of common security practice, you should harden every device on your network. The devices that you should harden include the following:

  • Firewalls (ASA/PIX Security Appliance)

  • Switches

  • Routers

  • Hosts

  • Servers

Hardening includes tasks to secure devices, such as the following:

  • Applying current operating system patches

  • Applying current host and server hot fixes

  • Applying current application patches

  • Enforcing secure usernames and passwords

  • Deploying configuration best practices as recommended by the vendor

  • Deploying current antivirus or intrusion prevention system signatures

CAUTION

Operating system upgrades and patches must be considered for all network devices, including routers, switches, and firewall security appliances, not just hosts and servers.


Cisco Network Device Hardening

Network device hardening is important and should not be overlooked. Because this book focuses on the ASA/PIX Security Appliance, however, the discussion on network device hardening is kept to a minimum here.

Cisco Router Hardening

You need to effectively lock down Cisco routers in your network. Cisco Router and Security Device Manager (SDM) is a tool to help you with this process. SDM has an easy-to-use GUI that enables you to connect to a router and run a wizard that will

  • Log on to the router

  • Analyze the configuration

  • Look for vulnerable services enabled in the configuration

  • Reconfigure the router to eliminate those vulnerabilities

NOTE

You can find extensive information about SDM on the Cisco website at http://www.cisco.com/go/sdm.


SDM identifies running services that hackers might exploit. It also analyzes passwords to make sure that they cannot easily be cracked by guessing or dictionary attacks.
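To make the wizard's four steps concrete, here is an added example, not from the book, of the kind of Cisco IOS changes a lock-down of this sort produces, written as CLI so they can be reviewed or applied by hand on a router that SDM cannot reach. Which services the wizard disables varies by IOS release and platform; the set below is this editor's selection of the commonly abused ones. The interface name, management subnet 10.1.1.0/24, syslog server 10.1.1.10, domain name and secrets are placeholders.

```cisco
! Added example (not from the book): hand-applied IOS router lock-down.
! Placeholders: interface name, 10.1.1.0/24 management subnet, 10.1.1.10 syslog.

! Credentials: hashed secrets, no shared Telnet password.
service password-encryption
enable secret StrongEnableSecret
username admin privilege 15 secret StrongUserSecret

! Services that are rarely needed and routinely abused for reconnaissance,
! amplification or source-routed bypass of your filters.
no ip http server
no cdp run
no ip source-route
no ip bootp server
no ip identd
no service finger
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out

! Per-interface: no directed broadcasts (smurf), no proxy ARP, no ICMP
! redirects/unreachables/mask replies that map your network for an attacker.
interface FastEthernet0/0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mask-reply

! Encrypted management only, from the management subnet, with idle timeouts.
hostname edge-rtr
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT in
 exec-timeout 5 0
 login local
line con 0
 exec-timeout 5 0
 login local
! Throttle password guessing: three failures in 60 s blocks logins for 120 s.
login block-for 120 attempts 3 within 60

! Timestamped logs sent off-box so a compromised router cannot erase them.
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging trap informational
logging host 10.1.1.10
```

After applying it, verify from outside the management subnet that SSH is refused and that `show ip sockets` (or `show control-plane host open-ports` on newer IOS) lists no listener you did not intend.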

Cisco Switch Hardening

If your network infrastructure uses switches, it is exposed to a number of serious Layer 2 attacks. ettercap and dsniff (discussed in Chapter 1) are examples of the tools used to launch them. These tools are easy to acquire and easy to use, and they mount man-in-the-middle attacks (typically by ARP spoofing) that capture clear-text usernames and passwords and, by presenting a forged certificate that the user accepts, SSL-protected ones as well. How to mitigate these attacks is beyond the scope of this book, but you should deploy the recommendations found in the white paper titled "SAFE L2 Application Note" on the Cisco SAFE website at http://www.cisco.com/go/safe.
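As an added example, not part of the book, the Catalyst IOS fragment below shows the Layer 2 controls that directly counter the ARP-poisoning man-in-the-middle attacks ettercap and dsniff perform, plus the MAC-flooding and rogue-DHCP tricks that usually accompany them. It assumes user ports are FastEthernet0/1 through 0/24 in VLAN 10, the uplink toward the DHCP server is GigabitEthernet0/1, and VLAN 999 is an unused parking VLAN; all of these are placeholders.

```cisco
! Added example (not from the book): switch hardening against L2 man-in-the-middle.
! Placeholders: VLAN 10 users, Gi0/1 uplink to DHCP server, VLAN 999 unused.

! DHCP snooping builds the trusted IP-to-MAC binding table that the other
! features check against, and drops DHCP offers from rogue servers on user ports.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 ip dhcp snooping trust
 ip arp inspection trust

! Dynamic ARP Inspection drops ARP packets whose sender MAC/IP pair does not
! match a snooping binding: exactly the gratuitous replies arpspoof and
! ettercap send to pull a victim's traffic through the attacker.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! User ports: limit MACs per port (defeats CAM-table flooding, dsniff's macof),
! bind the port to its learned IP (IP Source Guard stops spoofed sources),
! and refuse BPDUs so an attacker cannot become the spanning-tree root.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable

! Unused ports: shut down and parked in a VLAN that routes nowhere.
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

Hosts with static addresses have no DHCP binding and will be dropped by DAI and IP Source Guard until you add them with `ip source binding`; check `show ip arp inspection statistics` after enabling to catch them.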

ASA/PIX Security Appliance Hardening

The hardening of the ASA/PIX Security Appliance discussed in this book includes the following:

  • Turning off clear text management services to the security appliance

  • Correctly applying access control lists limiting connectivity to the inside of your network

  • Turning on auditing functions

  • Auditing passwords
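The following is an added example, not the book's configuration, of the appliance hardening items just listed on an ASA running 7.x: clear-text management switched off, management reachable only over SSH version 2 and HTTPS from one subnet, timestamped logging shipped to a syslog server, and command authorization so every privileged command is tied to a named account. The management subnet 10.1.1.0/24, the syslog and NTP server addresses, and the secrets are placeholders. Access-list hardening of inside connectivity is omitted here because it belongs with the perimeter configuration.

```cisco
! Added example (not from the book): hardening management access and auditing.
! Placeholders: 10.1.1.0/24 management subnet, 10.1.1.10 syslog, 10.1.1.5 NTP.

! Clear-text management off: remove every Telnet permit. ASDM is HTTPS only,
! so enabling the HTTP server does not expose plain HTTP.
clear configure telnet

! Encrypted management only, from the management subnet, with an idle timeout.
ssh version 2
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside

! Replace the factory-default empty passwords before the box goes live.
enable password StrongEnableSecret
passwd StrongLoginSecret

! Command authorization: a user may run only commands at or below the
! privilege level of the local account, so helpdesk logins cannot reconfigure.
aaa authorization command LOCAL

! Auditing: timestamped syslog kept locally and sent to a collector the
! appliance administrator cannot quietly clear.
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging host inside 10.1.1.10
! Accurate time makes the log usable as evidence and keeps certificates valid.
clock timezone UTC 0
ntp server 10.1.1.5 source inside

! A login banner warns intruders and supports later action against them.
banner login Authorized access only. All activity is monitored and recorded.
```

Password auditing on this release is a review task rather than a command: `show running-config username` should list only named accounts with non-trivial passwords, and any shared or vendor-default credential in it is a finding. Newer ASA releases add `password-policy` commands that enforce minimum length and lifetime.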

Hardening Hosts and Servers

Because hosts and servers are usually the focus of attacks, they are the last line of defense. It's especially critical to harden these devices. Six major recommendations apply to hardening your hosts and servers, as follows:

  • Install the current operating system and application security patches.

  • Enforce difficult-to-guess username and password schemes.

  • Deploy administrative rights only on a required basis.

  • Apply registry and file-sharing security as recommended by the operating system vendor.

  • Install antivirus software from a leading vendor.

  • Install Cisco Security Agent.

Recommended practice is that you install current operating system and application patches. By doing so, you keep your operating system security posture at its highest possible level.

Cisco Security Agent (CSA) is a host intrusion prevention system designed to stop unknown attacks. Because it acts on behavior rather than signatures, it can stop an attack on the first day it appears, before any signature has been defined. CSA also hardens the operating system when it is installed: it modifies the system registry to turn off unneeded services while ensuring that basic administration functions keep working.

CAUTION

Defense in depth is a layered defense system. The security appliance alone, or the security appliance in conjunction with network intrusion prevention, will not stop all computer attacks. This point cannot be stressed enough: Host intrusion prevention must be deployed for the security system to be complete.




Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar