The concept of network security may seem somewhat of a moving target, or several moving targets. When we talk about "security," we know what we want, but describing it and making it happen can be different matters altogether. Network security is in natural conflict with network connectivity: the more an autonomous system opens itself up, the more risk it takes on, which in turn requires that more effort be applied to security enforcement tasks.
On top of that, add departmental budget constraints (and the personnel cuts that many companies have seen in recent years), and even reasonable security solutions might seem impossible to attain. Three trends have increased the bite that security takes out of the IT department's overall budget:
Internetworks are getting bigger and more complicated.
New threats are always emerging.
The typical network security system is usually not a system at all, but is a patchwork of vendor-specific tools (sound familiar?).
Network security is so pervasive a consideration that even network management consoles raise concerns. Some, for good reason, worry about whether the SNMP infrastructure itself is secure enough. After all, stealing the right SNMP community string would give a hacker a road map to an entire internetwork's configuration. And unless you've been living in a cave, you know about computer viruses spreading in various forms: e-mail bombs, Trojan horse Java applets, Denial-of-Service (DoS) attacks, and other worrisome new threats to computer security. Suffice it to say that a lot of time, money, and effort go into network security.
SNMP stands for Simple Network Management Protocol and, as you have probably deduced, it is used for network management as a means of gathering information from various devices on a network. There are three versions, aptly named SNMPv1, v2, and v3. Versions 1 and 2 used community strings, a "secret" name that allowed or denied access to SNMP information. The community string was sent in the clear and was easily compromised. SNMPv3 finally provided an authentication mechanism along with the ability to encrypt SNMP information so that it cannot be read in transmission.
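To make the version difference concrete, here is an added example (not from the book) of a defender-side check: a minimal BER walker that inspects the outer fields of a captured SNMP datagram and reports whether the community string is exposed in the clear (v1/v2c) or, for v3, which protection level the msgFlags octet declares. The sample datagrams are hand-encoded for this example, not real captures; a monitoring script could run the same check over UDP/161 traffic.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos.
    SNMP uses definite lengths only; handle both short and long form."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_snmp(datagram):
    """Describe the SNMP version of a UDP payload and how well it is protected."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE, so not SNMP")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version field")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                  # 0 = SNMPv1, 1 = SNMPv2c
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace"),
                "level": "community string in clear"}
    if version == 3:
        _, header, _ = read_tlv(body, pos)  # msgGlobalData SEQUENCE
        _, _, hp = read_tlv(header, 0)      # msgID
        _, _, hp = read_tlv(header, hp)     # msgMaxSize
        _, flags, _ = read_tlv(header, hp)  # msgFlags: bit0 = auth, bit1 = priv
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        level = "authPriv" if auth and priv else "authNoPriv" if auth else "noAuthNoPriv"
        return {"version": "v3", "community": None, "level": level}
    raise ValueError(f"unsupported SNMP version {version}")


# Constructed sample datagrams (hand-encoded for this example, not real captures).
V1_GET = bytes.fromhex(                    # v1 GetRequest for sysDescr.0, community "public"
    "302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
V3_AUTHPRIV = bytes.fromhex(               # v3, msgFlags 0x03, placeholder encrypted scopedPDU
    "301c020103300d020101020205dc040103020103040230000404deadbeef")
V3_NOAUTH = V3_AUTHPRIV.replace(b"\x04\x01\x03", b"\x04\x01\x04")  # msgFlags 0x04: reportable only

if __name__ == "__main__":
    for name, pkt in (("v1", V1_GET), ("v3 authPriv", V3_AUTHPRIV), ("v3 noAuth", V3_NOAUTH)):
        print(name, classify_snmp(pkt))
```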
In Chapter 7, we'll talk about Cisco's Internet access and security products. Just as a heads-up, the focus will be mainly on how firewalls, and even routers, monitor internetwork traffic at the packet level to provide security. This type of "network-layer" security operates at the OSI layer people associate with IP addresses.
But a second kind of security operates at the people level. This kind of security, called user-based security, employs passwords and other login controls to authenticate users' identities before they are permitted access. There are two basic types of user-based security:
End-user remote access to servers, in which employees dial into their enterprise internetworks and subscribers dial into their Internet service providers (ISPs)
Network administrator access to network devices, in which technicians log into IOS on various kinds of network devices in order to work on them
Security is the third major control system in internetworking, along with network management systems and routing protocols. Although the three control systems have distinct missions, you'll see a familiar pattern:
Embedded commands: Application commands built directly into IOS that are used to configure individual devices to participate in a larger network control system
Dedicated control protocol: A communications protocol that coordinates the exchange of messages needed to perform the network control system's tasks
Server and console: A server to store the messages and a workstation to provide the human interface through which the network control system is operated
Figure 6-1 illustrates the common architecture shared by network control systems. Looking at the figure, you see two new names listed next to SNMP: TACACS and RADIUS. These are protocols used for security rather than management, as SNMP is, but they're generally similar in how they operate, in that they are protocols used to communicate information across a network. In the case of SNMP, data is gathered from network devices and stored in a central database, and a console is used to configure devices from a central management workstation. Network management and security systems differ in what they do, but are similar in how they use a network to communicate.
Figure 6-1: Internetwork control systems, including security, share certain features
The third internetwork control system, routing protocols, differs sharply. Routing protocols don't use servers because the information (route tables) is transient and doesn't need to be stored on disk. Additionally, they don't use consoles because they are largely self-operating.